appium-xcuitest-driver 11.4.1 → 11.4.2

package/CHANGELOG.md

@@ -1,3 +1,9 @@
+## [11.4.2](https://github.com/appium/appium-xcuitest-driver/compare/v11.4.1...v11.4.2) (2026-05-15)
+
+### Miscellaneous Chores
+
+* Refactor wda signer code ([#2839](https://github.com/appium/appium-xcuitest-driver/issues/2839)) ([3aafb36](https://github.com/appium/appium-xcuitest-driver/commit/3aafb3600a103a129d4b9dd4452e4c9c4e1223b1))
+
 ## [11.4.1](https://github.com/appium/appium-xcuitest-driver/compare/v11.4.0...v11.4.1) (2026-05-15)
 
 ### Bug Fixes

package/npm-shrinkwrap.json

@@ -1,12 +1,12 @@
 {
   "name": "appium-xcuitest-driver",
-  "version": "11.4.1",
+  "version": "11.4.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "appium-xcuitest-driver",
-      "version": "11.4.1",
+      "version": "11.4.2",
       "license": "Apache-2.0",
       "dependencies": {
         "@appium/strongbox": "^1.0.0-rc.1",

package/package.json

@@ -8,7 +8,7 @@
     "xcuitest",
     "xctest"
   ],
-  "version": "11.4.1",
+  "version": "11.4.2",
   "author": "Appium Contributors",
   "license": "Apache-2.0",
   "repository": {

package/scripts/sign-wda.mjs

@@ -2,11 +2,12 @@ import {fs, logger} from 'appium/support.js';
 import {exec} from 'teen_process';
 import os from 'node:os';
 import path from 'node:path';
-import {pathToFileURL} from 'node:url';
+import {fileURLToPath, pathToFileURL} from 'node:url';
 import {mkdtemp, rm} from 'node:fs/promises';
 import {Command} from 'commander';
 
-const SCRIPT_NAME = 'sign-wda';
+const scriptFilePath = fileURLToPath(import.meta.url);
+const SCRIPT_NAME = path.basename(scriptFilePath, path.extname(scriptFilePath));
 const RESIGNER_BINARY_NAME = 'resigner';
 const MOBILEPROVISION_EXTENSION = '.mobileprovision';
 const DEFAULT_PROFILE_DIR_CANDIDATES = [
@@ -21,12 +22,76 @@ const DEFAULT_WDA_BUNDLE_IDS = [
 
 const log = logger.getLogger(SCRIPT_NAME);
 
-class RunCmd {
+class Resigner {
+  /** @type {string} */
+  _wdaPath;
+
+  /**
+   * @param {string} wdaPath Path to the WebDriverAgent `.app` bundle.
+   */
+  constructor(wdaPath) {
+    this._wdaPath = wdaPath;
+  }
+
+  /**
+   * @param {SignOptions} options
+   * @returns {Promise<void>}
+   */
+  async signWDA(options) {
+    await this._requireBinary();
+    const args = this._buildSignArgs(options);
+    log.info(`Running resigner to sign ${this._wdaPath}`);
+    await exec(RESIGNER_BINARY_NAME, args, {
+      env: {
+        ...process.env,
+        P12_PASSWORD: options.p12Password,
+      },
+    });
+    log.info('WDA signed successfully');
+  }
+
+  /**
+   * @returns {Promise<string>}
+   */
+  async inspectWDA() {
+    await this._requireBinary();
+    log.info(`Inspecting signed WDA at ${this._wdaPath}`);
+    const {stdout} = await exec(RESIGNER_BINARY_NAME, ['--inspect', this._wdaPath]);
+    return String(stdout || '').trim();
+  }
+
   /**
-   * Check if the resginer binary is available in the PATH.
-   * @returns {Promise<void>} Whether the resigner binary is available in the local environment
-  */
-  async requireResignerBinary() {
+   * @param {SignOptions} options
+   * @returns {string[]}
+   */
+  _buildSignArgs(options) {
+    const args = [
+      '--p12-file', options.p12File,
+      '--profile', options.profileDir,
+      '--force',
+    ];
+
+    if (options.bundleId) {
+      args.push(
+        ...[
+          // To re-apply the same mapping again for past failure cases for safety.
+          options.bundleId,
+          ...DEFAULT_WDA_BUNDLE_IDS,
+        ].flatMap((bundleId) => [
+          '--bundle-id-remap',
+          `${bundleId}=${options.bundleId}`,
+        ])
+      );
+    }
+
+    args.push(this._wdaPath);
+    return args;
+  }
+
+  /**
+   * @returns {Promise<void>}
+   */
+  async _requireBinary() {
     try {
       await fs.which(RESIGNER_BINARY_NAME);
     } catch {
@@ -35,275 +100,351 @@ class RunCmd {
   }
 }
 
+class ProvisioningProfilesHelper {
+  /** @type {string | undefined} */
+  _profileDir;
 
-class RunInspectWDA extends RunCmd {
   /**
-   * Run resigner inspect on the signed WDA and return the output.
-   * @param {InspectWDAOptions} options
-   * @returns {Promise<void>}
+   * @param {string | undefined} profileDir Explicit directory, or `undefined` to auto-discover.
+   */
+  constructor(profileDir) {
+    this._profileDir = profileDir;
+  }
+
+  /**
+   * @returns {Promise<string>}
    */
-  async inspect(options) {
-    if (!(await fs.exists(options.wdaPath))) {
-      throw new Error(`WDA path does not exist: ${options.wdaPath}`);
+  async resolveRoot() {
+    const profileDir = this._profileDir;
+    if (profileDir) {
+      return await this._validate(profileDir, 'Provided');
     }
-    await this.requireResignerBinary();
-    const inspectResult = await inspectWDAWithResigner(options.wdaPath);
-    if (inspectResult) {
-      log.info(`Resigner inspect result:\n---\n${inspectResult}`);
-    } else {
-      log.info('Resigner inspect finished, but no output was returned.');
+
+    for (const candidate of DEFAULT_PROFILE_DIR_CANDIDATES) {
+      if (!(await fs.exists(candidate))) {
+        continue;
+      }
+      try {
+        await this._validate(candidate, 'Discovered');
+        log.info(`Using discovered provisioning profile directory: ${candidate}`);
+        return candidate;
+      } catch {
+        continue;
+      }
     }
+
+    throw new Error(
+      `No provisioning profile directory could be discovered. ` +
+        `Please provide --profile-dir explicitly. Checked: ${DEFAULT_PROFILE_DIR_CANDIDATES.join(', ')}`
+    );
   }
-}
 
-class RunSignWDA extends RunCmd {
   /**
-   * Run resigner to sign the WDA.
-   * @param {SignWDAOptions} options
-   * @returns {Promise<void>}
+   * @param {string} dir
+   * @param {string} source
+   * @returns {Promise<string>}
    */
-  async sign(options) {
-    if (!(await fs.exists(options.wdaPath))) {
-      throw new Error(`WDA path does not exist: ${options.wdaPath}`);
+  async _validate(dir, source) {
+    if (!(await fs.exists(dir))) {
+      throw new Error(`${source} provisioning profile directory does not exist: ${dir}`);
     }
-    await this.requireResignerBinary();
-    const resolvedProfileDir = await resolveProfileDir(options.profileDir);
-
-    let p12File = options.p12File;
-    let tempDir;
-    let p12Password = options.p12Password;
 
+    let entries;
     try {
-      // If cert and key provided, convert to p12 with auto-generated password
-      if (options.p12Cert && options.p12Key) {
-        const generatedPassword = generateRandomPassword();
-        const result = await convertCertAndKeyToP12(options.p12Cert, options.p12Key, generatedPassword);
-        p12File = result.p12File;
-        tempDir = result.tempDir;
-        p12Password = generatedPassword;
-      }
-
-      if (!p12File) {
-        throw new Error('No p12 file available for signing');
-      }
+      entries = await fs.readdir(dir);
+    } catch {
+      throw new Error(`${source} provisioning profile directory is not a readable directory: ${dir}`);
+    }
 
-      await signWDAWithResigner(options.wdaPath, {
-        p12File,
-        p12Password,
-        profileDir: resolvedProfileDir,
-        bundleId: options.bundleId,
-      });
-    } finally {
-      // Clean up temp directory if it was created
-      if (tempDir) {
-        try {
-          await rm(tempDir, {recursive: true, force: true});
-          log.info(`Cleaned up temporary directory: ${tempDir}`);
-        } catch (err) {
-          log.warn(`Failed to clean up temporary directory ${tempDir}: ${err.message}`);
-        }
-      }
+    if (!entries.some((name) => name.toLowerCase().endsWith(MOBILEPROVISION_EXTENSION))) {
+      throw new Error(
+        `${source} provisioning profile directory does not contain any ${MOBILEPROVISION_EXTENSION} files: ${dir}`
+      );
     }
-  }
-}
 
-/**
- * Generate a random password for temporary .p12 files.
- * @returns {string} A random 12-character alphanumeric password
- */
-function generateRandomPassword() {
-  const chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
-  let password = '';
-  for (let i = 0; i < 12; i++) {
-    password += chars[Math.floor(Math.random() * chars.length)];
+    return dir;
   }
-  return password;
 }
 
-/**
- * Convert .cer and .key files to a .p12 file.
- * @param {string} certPath - Path to the .cer certificate file
- * @param {string} keyPath - Path to the .key private key file
- * @param {string} p12Password - Password to protect the .p12 file
- * @returns {Promise<{p12File: string, tempDir: string}>} Path to the generated .p12 and temp directory
- */
-async function convertCertAndKeyToP12(certPath, keyPath, p12Password) {
-  // Validate input files exist
-  if (!(await fs.exists(certPath))) {
-    throw new Error(`Certificate file does not exist: ${certPath}`);
+class P12Converter {
+  /** @type {string} */
+  _certPath;
+  /** @type {string} */
+  _keyPath;
+  /** @type {string} */
+  _p12Password;
+
+  /**
+   * @param {string} certPath
+   * @param {string} keyPath
+   * @param {string} p12Password
+   */
+  constructor(certPath, keyPath, p12Password) {
+    this._certPath = certPath;
+    this._keyPath = keyPath;
+    this._p12Password = p12Password;
   }
-  if (!(await fs.exists(keyPath))) {
-    throw new Error(`Private key file does not exist: ${keyPath}`);
+
+  /**
+   * @returns {string}
+   */
+  static generateRandomPassword() {
+    const chars = 'abcdefghijklmnopqrstuvwxyz0123456789';
+    let password = '';
+    for (let i = 0; i < 12; i++) {
+      password += chars[Math.floor(Math.random() * chars.length)];
+    }
+    return password;
   }
 
-  try {
-    await fs.which('openssl');
-  } catch {
-    throw new Error('OpenSSL binary is not available in the PATH. ' +
-      'It is required to convert .cer and .key files to .p12 format.');
+  /**
+   * @returns {Promise<{p12File: string, tempDir: string}>}
+   */
+  async convert() {
+    await this._assertCertAndKeyExist();
+    await this._requireOpenSsl();
+
+    const tempDir = await mkdtemp(path.join(os.tmpdir(), 'wda-sign-'));
+    const certPemPath = path.join(tempDir, 'certificate.pem');
+    const p12FilePath = path.join(tempDir, 'certificate.p12');
+
+    try {
+      await this._convertCerToPem(certPemPath);
+      await this._exportPkcs12(certPemPath, p12FilePath);
+      log.info(`Successfully created temporary .p12 file: ${p12FilePath}`);
+      return {p12File: p12FilePath, tempDir};
+    } catch (err) {
+      try {
+        await rm(tempDir, {recursive: true, force: true});
+      } catch {}
+      throw err;
+    }
   }
 
-  // Create temp directory
-  const tempDir = await mkdtemp(path.join(os.tmpdir(), 'wda-sign-'));
+  /**
+   * @returns {Promise<void>}
+   */
+  async _assertCertAndKeyExist() {
+    const certPath = this._certPath;
+    const keyPath = this._keyPath;
+    if (!(await fs.exists(certPath))) {
+      throw new Error(`Certificate file does not exist: ${certPath}`);
+    }
+    if (!(await fs.exists(keyPath))) {
+      throw new Error(`Private key file does not exist: ${keyPath}`);
+    }
+  }
 
-  try {
-    const certPem = path.join(tempDir, 'certificate.pem');
-    const p12File = path.join(tempDir, 'certificate.p12');
+  /**
+   * @returns {Promise<void>}
+   */
+  async _requireOpenSsl() {
+    try {
+      await fs.which('openssl');
+    } catch {
+      throw new Error(
+        'OpenSSL binary is not available in the PATH. ' +
+          'It is required to convert .cer and .key files to .p12 format.'
+      );
+    }
+  }
 
-    // Convert .cer to .pem
+  /**
+   * @param {string} certPemPath
+   * @returns {Promise<void>}
+   */
+  async _convertCerToPem(certPemPath) {
+    const certPath = this._certPath;
     log.info(`Converting certificate from ${certPath} to PEM format`);
     await exec('openssl', [
       'x509',
       '-in', certPath,
       '-inform', 'DER',
-      '-out', certPem,
+      '-out', certPemPath,
     ]);
+  }
 
-    // Convert to .p12
+  /**
+   * @param {string} certPemPath
+   * @param {string} p12FilePath
+   * @returns {Promise<void>}
+   */
+  async _exportPkcs12(certPemPath, p12FilePath) {
+    const keyPath = this._keyPath;
+    const p12Password = this._p12Password;
     log.info(`Creating .p12 file from certificate and key`);
     await exec('openssl', [
       'pkcs12',
       '-export',
-      '-in', certPem,
+      '-in', certPemPath,
       '-inkey', keyPath,
-      '-out', p12File,
+      '-out', p12FilePath,
       '-passout', `pass:${p12Password}`,
     ]);
-
-    log.info(`Successfully created temporary .p12 file: ${p12File}`);
-    return {p12File, tempDir};
-  } catch (err) {
-    // Clean up temp dir on error
-    try {
-      await rm(tempDir, {recursive: true, force: true});
-    } catch {}
-    throw err;
   }
 }
 
 /**
- * Validate a provisioning profile directory.
- * @param {string} dir
- * @param {string} source
- * @returns {Promise<string>}
+ * Shared helpers for workflows that operate on a WDA `.app` bundle path.
  */
-async function validateProfileDir(dir, source) {
-  if (!(await fs.exists(dir))) {
-    throw new Error(`${source} provisioning profile directory does not exist: ${dir}`);
+class WdaBundleWorkflow {
+  /**
+   * @param {string} wdaPath
+   * @returns {Promise<void>}
+   */
+  async _assertWdaExists(wdaPath) {
+    if (!(await fs.exists(wdaPath))) {
+      throw new Error(`WDA path does not exist: ${wdaPath}`);
+    }
   }
+}
 
-  let entries;
-  try {
-    entries = await fs.readdir(dir);
-  } catch {
-    throw new Error(`${source} provisioning profile directory is not a readable directory: ${dir}`);
+class SignWdaWorkflow extends WdaBundleWorkflow {
+  /**
+   * @param {object} [deps]
+   * @param {(wdaPath: string) => Resigner} [deps.createResigner]
+   * @param {(profileDir: string | undefined) => ProvisioningProfilesHelper} [deps.createProvisioning]
+   * @param {(certPath: string, keyPath: string, p12Password: string) => P12Converter} [deps.createP12]
+   */
+  constructor(deps = {}) {
+    super();
+    this._createResigner = deps.createResigner ?? ((wdaPath) => new Resigner(wdaPath));
+    this._createProvisioning =
+      deps.createProvisioning ?? ((profileDir) => new ProvisioningProfilesHelper(profileDir));
+    this._createP12 =
+      deps.createP12 ?? ((certPath, keyPath, p12Password) => new P12Converter(certPath, keyPath, p12Password));
   }
 
-  if (!entries.some((name) => name.toLowerCase().endsWith(MOBILEPROVISION_EXTENSION))) {
-    throw new Error(
-      `${source} provisioning profile directory does not contain any ${MOBILEPROVISION_EXTENSION} files: ${dir}`
-    );
-  }
+  /**
+   * @param {SignWDAOptions} options
+   * @returns {Promise<void>}
+   */
+  async run(options) {
+    await this._assertWdaExists(options.wdaPath);
+    const resolvedProfileDir = await this._createProvisioning(options.profileDir).resolveRoot();
 
-  return dir;
-}
+    let p12File = options.p12File;
+    let tempDir;
+    let p12Password = options.p12Password;
 
-/**
- * Resolve the provisioning profile directory.
- * If user provided --profile-dir, validate and use it.
- * Otherwise discover from known defaults in priority order.
- * @param {string | undefined} profileDir
- * @returns {Promise<string>}
- */
-async function resolveProfileDir(profileDir) {
-  if (profileDir) {
-    return await validateProfileDir(profileDir, 'Provided');
+    try {
+      if (options.p12Cert && options.p12Key) {
+        const generatedPassword = P12Converter.generateRandomPassword();
+        const result = await this._createP12(
+          options.p12Cert,
+          options.p12Key,
+          generatedPassword
+        ).convert();
+        p12File = result.p12File;
+        tempDir = result.tempDir;
+        p12Password = generatedPassword;
+      }
+
+      if (!p12File) {
+        throw new Error('No p12 file available for signing');
+      }
+
+      await this._createResigner(options.wdaPath).signWDA({
+        p12File,
+        p12Password,
+        profileDir: resolvedProfileDir,
+        bundleId: options.bundleId,
+      });
+    } finally {
+      await this._cleanupTempDir(tempDir);
+    }
   }
 
-  for (const candidate of DEFAULT_PROFILE_DIR_CANDIDATES) {
-    if (!(await fs.exists(candidate))) {
-      continue;
+  /**
+   * @param {string | undefined} tempDir
+   * @returns {Promise<void>}
+   */
+  async _cleanupTempDir(tempDir) {
+    if (!tempDir) {
+      return;
     }
     try {
-      await validateProfileDir(candidate, 'Discovered');
-      log.info(`Using discovered provisioning profile directory: ${candidate}`);
-      return candidate;
-    } catch {
-      continue;
+      await rm(tempDir, {recursive: true, force: true});
+      log.info(`Cleaned up temporary directory: ${tempDir}`);
+    } catch (err) {
+      log.warn(`Failed to clean up temporary directory ${tempDir}: ${err.message}`);
     }
   }
-
-  throw new Error(
-    `No provisioning profile directory could be discovered. ` +
-      `Please provide --profile-dir explicitly. Checked: ${DEFAULT_PROFILE_DIR_CANDIDATES.join(', ')}`
-  );
 }
 
-/**
- * Run resigner to sign WDA
- * @param {string} wdaPath
- * @param {SignOptions} options
- * @returns {Promise<void>}
- */
-async function signWDAWithResigner(wdaPath, options) {
-  const args = [
-    '--p12-file', options.p12File,
-    '--profile', options.profileDir,
-    '--force',
-  ];
-
-  if (options.bundleId) {
-    args.push(
-      ...[
-      // To re-apply the same mapping again for past failure cases for safe.
-      options.bundleId,
-      ...DEFAULT_WDA_BUNDLE_IDS,
-    ].flatMap((bundleId) => [
-        '--bundle-id-remap',
-        `${bundleId}=${options.bundleId}`,
-      ])
-    );
+class InspectWdaWorkflow extends WdaBundleWorkflow {
+  /**
+   * @param {object} [deps]
+   * @param {(wdaPath: string) => Resigner} [deps.createResigner]
+   */
+  constructor(deps = {}) {
+    super();
+    this._createResigner = deps.createResigner ?? ((wdaPath) => new Resigner(wdaPath));
   }
 
-  args.push(wdaPath);
-
-  log.info(`Running resigner to sign ${wdaPath}`);
-  await exec(RESIGNER_BINARY_NAME, args, {
-    env: {
-      ...process.env,
-      P12_PASSWORD: options.p12Password,
-    },
-  });
-  log.info('WDA signed successfully');
+  /**
+   * @param {InspectWDAOptions} options
+   * @returns {Promise<void>}
+   */
+  async run(options) {
+    await this._assertWdaExists(options.wdaPath);
+    const inspectResult = await this._createResigner(options.wdaPath).inspectWDA();
+    if (inspectResult) {
+      log.info(`Resigner inspect result:\n---\n${inspectResult}`);
+    } else {
+      log.info('Resigner inspect finished, but no output was returned.');
+    }
+  }
 }
 
-/**
- * Run resigner inspect on the signed WDA and return the output.
- * @param {string} wdaPath
- * @returns {Promise<string>}
- */
-async function inspectWDAWithResigner(wdaPath) {
-  log.info(`Inspecting signed WDA at ${wdaPath}`);
-  const {stdout} = await exec(RESIGNER_BINARY_NAME, ['--inspect', wdaPath]);
-  return String(stdout || '').trim();
-}
+class SignWdaCli {
+  /**
+   * @param {object} [deps]
+   * @param {SignWdaWorkflow} [deps.signWorkflow]
+   * @param {InspectWdaWorkflow} [deps.inspectWorkflow]
+   */
+  constructor(deps = {}) {
+    this._signWorkflow = deps.signWorkflow ?? new SignWdaWorkflow();
+    this._inspectWorkflow = deps.inspectWorkflow ?? new InspectWdaWorkflow();
+  }
 
-async function main() {
-  const program = new Command();
-
-  program
-    .name('appium driver run xcuitest sign-wda')
-    .description('Sign a WebDriverAgentRunner app bundle with code signing certificate')
-    .requiredOption('--wda-path <path>', 'Path to the WebDriverAgentRunner.app bundle to sign')
-    .option('--inspect', 'Run resigner inspect only (no signing)')
-    .option('--p12-file <path>', 'Path to the .p12 signing certificate file (requires P12_PASSWORD env var; mutually exclusive with --p12-cert/--p12-key)')
-    .option('--p12-cert <path>', 'Path to the .cer certificate file from Apple Developer portal (auto-converted to .p12 with generated password; mutually exclusive with --p12-file; must use with --p12-key)')
-    .option('--p12-key <path>', 'Path to the .key private key file from Apple Developer portal (auto-converted to .p12 with generated password; mutually exclusive with --p12-file; must use with --p12-cert)')
-    .option('--profile-dir <path>', 'Directory containing provisioning profiles (auto-discovered if omitted)')
-    .option('--bundle-id <id>', 'Target bundle ID for remapping (e.g., com.example.wda)')
-    .addHelpText(
-      'after',
-      `
+  /**
+   * @param {string[]} argv
+   * @returns {Promise<void>}
+   */
+  async run(argv) {
+    const program = this._createProgram();
+    await program.parseAsync(argv);
+  }
+
+  /**
+   * @returns {Command}
+   */
+  _createProgram() {
+    const program = new Command();
+
+    program
+      .name('appium driver run xcuitest sign-wda')
+      .description('Sign a WebDriverAgentRunner app bundle with code signing certificate')
+      .requiredOption('--wda-path <path>', 'Path to the WebDriverAgentRunner.app bundle to sign')
+      .option('--inspect', 'Run resigner inspect only (no signing)')
+      .option(
+        '--p12-file <path>',
+        'Path to the .p12 signing certificate file (requires P12_PASSWORD env var; mutually exclusive with --p12-cert/--p12-key)'
+      )
+      .option(
+        '--p12-cert <path>',
+        'Path to the .cer certificate file from Apple Developer portal (auto-converted to .p12 with generated password; mutually exclusive with --p12-file; must use with --p12-key)'
+      )
+      .option(
+        '--p12-key <path>',
+        'Path to the .key private key file from Apple Developer portal (auto-converted to .p12 with generated password; mutually exclusive with --p12-file; must use with --p12-cert)'
+      )
+      .option('--profile-dir <path>', 'Directory containing provisioning profiles (auto-discovered if omitted)')
+      .option('--bundle-id <id>', 'Target bundle ID for remapping (e.g., com.example.wda)')
+      .addHelpText(
+        'after',
+        `
 EXAMPLES:
   # Sign downloaded WDA with .p12 certificate (requires P12_PASSWORD)
   P12_PASSWORD=mypassword appium driver run xcuitest sign-wda -- --wda-path ./wda-real/WebDriverAgentRunner-Runner.app \
@@ -327,64 +468,79 @@ EXAMPLES:
 
   # Inspect a WDA app without signing
   appium driver run xcuitest sign-wda -- --wda-path ./wda-real/WebDriverAgentRunner-Runner.app --inspect`,
-    )
-    .action(async (options) => {
-      if (options.inspect) {
-        new RunInspectWDA().inspect({
-          wdaPath: options.wdaPath,
-        });
-        return;
-      }
-
-      const p12Password = process.env.P12_PASSWORD;
+      )
+      .action(async (options) => {
+        await this._handleParsedOptions(options);
+      });
 
-      // Validate that either --p12-file OR (--p12-cert AND --p12-key) is provided
-      const hasP12File = !!options.p12File;
-      const hasCertAndKey = !!(options.p12Cert && options.p12Key);
+    return program;
+  }
 
-      if (!hasP12File && !hasCertAndKey) {
-        throw new Error(
-          `Must provide either --p12-file or both --p12-cert and --p12-key for signing mode`
-        );
-      }
+  /**
+   * @param {object} options
+   * @returns {Promise<void>}
+   */
+  async _handleParsedOptions(options) {
+    if (options.inspect) {
+      await this._inspectWorkflow.run({
+        wdaPath: options.wdaPath,
+      });
+      return;
+    }
 
-      if (hasP12File && hasCertAndKey) {
-        throw new Error(
-          `Cannot provide both --p12-file and --p12-cert/--p12-key; use one approach`
-        );
-      }
+    const p12Password = process.env.P12_PASSWORD;
+    this._checkSigningOptions(options, p12Password);
+
+    await this._signWorkflow.run({
+      wdaPath: options.wdaPath,
+      p12File: options.p12File,
+      p12Cert: options.p12Cert,
+      p12Key: options.p12Key,
+      p12Password: p12Password || '',
+      profileDir: options.profileDir,
+      bundleId: options.bundleId,
+    });
+  }
 
-      if ((options.p12Cert && !options.p12Key) || (!options.p12Cert && options.p12Key)) {
-        throw new Error(
-          `Both --p12-cert and --p12-key must be provided together`
-        );
-      }
+  /**
+   * @param {object} options
+   * @param {string | undefined} p12Password
+   * @returns {void}
+   */
+  _checkSigningOptions(options, p12Password) {
+    const hasP12File = !!options.p12File;
+    const hasCertAndKey = !!(options.p12Cert && options.p12Key);
+
+    if (!hasP12File && !hasCertAndKey) {
+      throw new Error(
+        `Must provide either --p12-file or both --p12-cert and --p12-key for signing mode`
+      );
+    }
 
-      // P12_PASSWORD is only required when using --p12-file
-      if (hasP12File && !p12Password) {
-        throw new Error(
-          `Missing required option for signing mode: P12_PASSWORD env var (required when using --p12-file)`
-        );
-      }
+    if (hasP12File && hasCertAndKey) {
+      throw new Error(
+        `Cannot provide both --p12-file and --p12-cert/--p12-key; use one approach`
+      );
+    }
 
-      await new RunSignWDA().sign({
-        wdaPath: options.wdaPath,
-        p12File: options.p12File,
-        p12Cert: options.p12Cert,
-        p12Key: options.p12Key,
-        p12Password: p12Password || '',
-        profileDir: options.profileDir,
-        bundleId: options.bundleId,
-      });
-    });
+    if ((options.p12Cert && !options.p12Key) || (!options.p12Cert && options.p12Key)) {
+      throw new Error(
+        `Both --p12-cert and --p12-key must be provided together`
+      );
+    }
 
-  await program.parseAsync(process.argv);
+    if (hasP12File && !p12Password) {
+      throw new Error(
+        `Missing required option for signing mode: P12_PASSWORD env var (required when using --p12-file)`
+      );
+    }
+  }
 }
 
 const isMainModule =
   Boolean(process.argv[1]) && import.meta.url === pathToFileURL(process.argv[1]).href;
 if (isMainModule) {
-  await main();
+  await new SignWdaCli().run(process.argv);
 }
 
 /**