green-line-cli 1.0.2

package/dist/index.js

@@ -0,0 +1,2821 @@
+#!/usr/bin/env node
+import "dotenv/config";
+import { Buffer } from "node:buffer";
+import { spawn } from "node:child_process";
+import { randomBytes, randomUUID } from "node:crypto";
+import { copyFile, mkdir, mkdtemp, readFile, readdir, rm, stat, writeFile } from "node:fs/promises";
+import { existsSync, mkdirSync, readFileSync, readdirSync, writeFileSync } from "node:fs";
+import { homedir, tmpdir } from "node:os";
+import { basename, dirname, isAbsolute, join, resolve } from "node:path";
+import { createInterface } from "node:readline/promises";
+import { Command } from "commander";
+const CLI_CONFIG_PATH = join(homedir(), ".config", "green-line", "config.json");
+const CLI_STATE_PATH = join(homedir(), ".config", "green-line", "state.json");
+const CLI_STORAGE_DIR = join(homedir(), ".config", "green-line", "storage");
+const INITIAL_STATE = {
+    users: [],
+    sessions: [],
+    consents: [],
+    builds: [],
+    submissions: [],
+    appleConnections: [],
+    appleSigningAssets: []
+};
+function loadLocalState() {
+    if (!existsSync(CLI_STATE_PATH)) {
+        return structuredClone(INITIAL_STATE);
+    }
+    try {
+        const raw = readFileSync(CLI_STATE_PATH, "utf8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return structuredClone(INITIAL_STATE);
+    }
+}
+function saveLocalState(state) {
+    mkdirSync(dirname(CLI_STATE_PATH), { recursive: true });
+    writeFileSync(CLI_STATE_PATH, JSON.stringify(state, null, 2), "utf8");
+}
+const localState = loadLocalState();
+function nowIso() {
+    return new Date().toISOString();
+}
+function loadCliConfig() {
+    if (!existsSync(CLI_CONFIG_PATH)) {
+        return {};
+    }
+    try {
+        const raw = readFileSync(CLI_CONFIG_PATH, "utf8");
+        return JSON.parse(raw);
+    }
+    catch {
+        return {};
+    }
+}
+function saveCliConfig(config) {
+    mkdirSync(dirname(CLI_CONFIG_PATH), { recursive: true });
+    writeFileSync(CLI_CONFIG_PATH, JSON.stringify(config, null, 2), "utf8");
+}
+let cliConfig = loadCliConfig();
+function getApiBaseUrl(value) {
+    return value ?? process.env.API_BASE_URL ?? cliConfig.apiBaseUrl ?? "http://localhost:4000";
+}
+function getAuthToken() {
+    return process.env.GL_AUTH_TOKEN ?? cliConfig.authToken;
+}
+function requiresAuth(url) {
+    const pathname = new URL(url).pathname;
+    return pathname !== "/v1/auth/login";
+}
+function ensureSignedIn() {
+    if (!getAuthToken()) {
+        throw new Error("Please sign in first: `gl auth login --email <you@example.com>`.");
+    }
+}
+function withQuery(url, query) {
+    const parsed = new URL(url);
+    for (const [key, value] of Object.entries(query)) {
+        if (value !== undefined) {
+            parsed.searchParams.set(key, String(value));
+        }
+    }
+    return parsed.toString();
+}
+function authUserFromToken(token) {
+    if (!token) {
+        return null;
+    }
+    const session = localState.sessions.find((record) => record.token === token);
+    if (!session) {
+        return null;
+    }
+    session.lastUsedAt = nowIso();
+    saveLocalState(localState);
+    return localState.users.find((user) => user.id === session.userId) ?? null;
+}
+async function processBuild(buildId) {
+    const build = localState.builds.find((record) => record.id === buildId);
+    if (!build) {
+        return;
+    }
+    const logsBlobName = `${buildId}/build.log`;
+    const logsFilePath = join(CLI_STORAGE_DIR, "logs", logsBlobName);
+    await mkdir(dirname(logsFilePath), { recursive: true });
+    build.status = "running";
+    build.logsBlobName = logsBlobName;
+    build.errorMessage = null;
+    build.updatedAt = nowIso();
+    saveLocalState(localState);
+    const logLines = [
+        `[${nowIso()}] Build started`,
+        `[${nowIso()}] Working directory=${process.cwd()}`
+    ];
+    const appendLog = async (line) => {
+        logLines.push(`[${nowIso()}] ${line}`);
+        await writeFile(logsFilePath, `${logLines.join("\n")}\n`, "utf8");
+    };
+    try {
+        await appendLog("Checking fastlane installation");
+        await ensureFastlaneInstalled();
+        await appendLog("Checking xcodebuild availability");
+        await runCommand("xcodebuild", ["-version"]);
+        const iosDir = existsSync(join(process.cwd(), "ios")) ? join(process.cwd(), "ios") : process.cwd();
+        await appendLog(`Resolving iOS project in ${iosDir}`);
+        const entries = await readdir(iosDir, { withFileTypes: true });
+        const workspaces = entries
+            .filter((entry) => (entry.isDirectory() || entry.isFile()) && entry.name.endsWith(".xcworkspace") && !entry.name.toLowerCase().includes("pods"))
+            .map((entry) => join(iosDir, entry.name));
+        const projects = entries
+            .filter((entry) => (entry.isDirectory() || entry.isFile()) && entry.name.endsWith(".xcodeproj") && !entry.name.toLowerCase().includes("pods"))
+            .map((entry) => join(iosDir, entry.name));
+        const workspacePath = workspaces[0] ?? null;
+        const projectPath = workspacePath ? null : (projects[0] ?? null);
+        if (!workspacePath && !projectPath) {
+            throw new Error("No .xcworkspace or .xcodeproj found. Run this from your iOS app root.");
+        }
+        await appendLog(`Using ${workspacePath ? `workspace=${workspacePath}` : `project=${projectPath}`}`);
+        const listArgs = workspacePath
+            ? ["-list", "-json", "-workspace", workspacePath]
+            : ["-list", "-json", "-project", projectPath];
+        const listResult = await runCommand("xcodebuild", listArgs);
+        const parsed = JSON.parse(listResult.stdout);
+        const schemes = parsed.workspace?.schemes ?? parsed.project?.schemes ?? [];
+        const scheme = pickBestScheme(schemes, workspacePath, projectPath);
+        if (!scheme) {
+            throw new Error("No Xcode scheme found for build.");
+        }
+        await appendLog(`Using scheme=${scheme}`);
+        let signingProfileUuid = null;
+        let signingProfileName = null;
+        let signingTeamId = null;
+        let signingIdentityHash = null;
+        const signingAsset = localState.appleSigningAssets
+            .filter((item) => item.orgSlug === build.orgSlug && item.projectSlug === build.projectSlug)
+            .sort((a, b) => b.updatedAt.localeCompare(a.updatedAt))[0];
+        const expectedBundleId = signingAsset?.bundleId ?? `com.${bundleSegment(build.orgSlug)}.${bundleSegment(build.projectSlug)}`;
+        const newestLocalProfile = await findNewestLocalProvisioningProfile(expectedBundleId);
+        const profileBase64 = newestLocalProfile?.base64 ?? signingAsset?.provisioningProfileBase64;
+        if (newestLocalProfile) {
+            await appendLog(`Using newest local provisioning profile: ${newestLocalProfile.path}`);
+        }
+        if (profileBase64) {
+            const signingWorkspace = await mkdtemp(join(tmpdir(), "gl-signing-"));
+            try {
+                const profilePath = join(signingWorkspace, "profile.mobileprovision");
+                await writeFile(profilePath, Buffer.from(profileBase64, "base64"));
+                const profileDump = await runCommand("security", ["cms", "-D", "-i", profilePath]);
+                signingProfileUuid = /<key>UUID<\/key>\s*<string>([^<]+)<\/string>/m.exec(profileDump.stdout)?.[1] ?? null;
+                signingProfileName = /<key>Name<\/key>\s*<string>([^<]+)<\/string>/m.exec(profileDump.stdout)?.[1] ?? null;
+                signingTeamId = /<key>TeamIdentifier<\/key>\s*<array>\s*<string>([^<]+)<\/string>/m.exec(profileDump.stdout)?.[1] ?? null;
+                const identitiesOutput = await runCommand("security", ["find-identity", "-v", "-p", "codesigning"]);
+                const availableIdentityHashes = new Set(Array.from(identitiesOutput.stdout.matchAll(/\b([A-F0-9]{40})\b/g)).map((match) => match[1]));
+                const developerCertArrayMatch = /<key>DeveloperCertificates<\/key>\s*<array>([\s\S]*?)<\/array>/m.exec(profileDump.stdout);
+                if (developerCertArrayMatch?.[1]) {
+                    const certDataMatches = Array.from(developerCertArrayMatch[1].matchAll(/<data>([\s\S]*?)<\/data>/g));
+                    for (const certDataMatch of certDataMatches) {
+                        const certData = certDataMatch[1].replace(/\s+/g, "");
+                        if (!certData) {
+                            continue;
+                        }
+                        const certDerPath = join(signingWorkspace, `${randomUUID()}.cer`);
+                        await writeFile(certDerPath, Buffer.from(certData, "base64"));
+                        try {
+                            const certFingerprint = await runCommand("openssl", ["x509", "-inform", "DER", "-in", certDerPath, "-noout", "-fingerprint", "-sha1"]);
+                            const fingerprintMatch = /Fingerprint=([A-F0-9:]+)/i.exec(certFingerprint.stdout);
+                            const hash = fingerprintMatch?.[1]?.replace(/:/g, "").toUpperCase() ?? null;
+                            if (hash && availableIdentityHashes.has(hash)) {
+                                signingIdentityHash = hash;
+                                break;
+                            }
+                        }
+                        catch {
+                            continue;
+                        }
+                    }
+                }
+                const profileInstallDir = join(homedir(), "Library", "MobileDevice", "Provisioning Profiles");
+                await mkdir(profileInstallDir, { recursive: true });
+                const profileInstallPath = join(profileInstallDir, `${signingProfileUuid ?? randomUUID()}.mobileprovision`);
+                await copyFile(profilePath, profileInstallPath);
+                await appendLog(`Installed provisioning profile${signingProfileName ? ` (${signingProfileName})` : ""}`);
+                if (signingIdentityHash) {
+                    await appendLog(`Matched signing identity from profile: ${signingIdentityHash}`);
+                }
+                if (signingAsset.distributionCertP12Base64) {
+                    const p12Path = join(signingWorkspace, "distribution.p12");
+                    await writeFile(p12Path, Buffer.from(signingAsset.distributionCertP12Base64, "base64"));
+                    const importArgs = [
+                        "import",
+                        p12Path,
+                        "-k",
+                        join(homedir(), "Library", "Keychains", "login.keychain-db"),
+                        "-P",
+                        signingAsset.distributionCertPassword ?? "",
+                        "-T",
+                        "/usr/bin/codesign",
+                        "-T",
+                        "/usr/bin/security"
+                    ];
+                    try {
+                        await runCommand("security", importArgs);
+                        await appendLog("Imported distribution certificate into login keychain");
+                    }
+                    catch (error) {
+                        if (error instanceof CommandExecutionError) {
+                            const output = `${error.stdout}\n${error.stderr}`;
+                            if (!/already exists/i.test(output)) {
+                                throw error;
+                            }
+                            await appendLog("Distribution certificate already exists in keychain");
+                        }
+                        else {
+                            throw error;
+                        }
+                    }
+                }
+            }
+            finally {
+                await rm(signingWorkspace, { recursive: true, force: true });
+            }
+        }
+        const team = inferAppleTeamId();
+        const hasManualSigningInputs = Boolean(signingProfileUuid || signingProfileName);
+        const resolvedTeamId = hasManualSigningInputs
+            ? (signingTeamId ?? team.value)
+            : (team.value ?? signingTeamId);
+        if (resolvedTeamId) {
+            await appendLog(`Using Apple Team ID=${resolvedTeamId}${(hasManualSigningInputs && signingTeamId) ? " (provisioning profile)" : (team.value ? ` (${team.source})` : "")}`);
+        }
+        else {
+            await appendLog("No Apple Team ID configured; build may fail if project has no Development Team set.");
+        }
+        const artifactDir = join(CLI_STORAGE_DIR, "artifacts", buildId);
+        await mkdir(artifactDir, { recursive: true });
+        const artifactName = `${build.projectSlug || "app"}-${build.id.slice(0, 8)}.ipa`;
+        const gymArgs = [
+            "run",
+            "gym",
+            `scheme:${scheme}`,
+            `output_directory:${artifactDir}`,
+            `output_name:${artifactName}`,
+            "clean:true",
+            "skip_package_ipa:false",
+            "export_method:app-store"
+        ];
+        if (workspacePath) {
+            gymArgs.push(`workspace:${workspacePath}`);
+        }
+        else if (projectPath) {
+            gymArgs.push(`project:${projectPath}`);
+        }
+        if (hasManualSigningInputs && signingProfileName) {
+            const exportOptionsPath = join(artifactDir, "ExportOptions.plist");
+            const exportOptionsPlist = [
+                "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
+                "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">",
+                "<plist version=\"1.0\">",
+                "<dict>",
+                "  <key>method</key>",
+                "  <string>app-store-connect</string>",
+                "  <key>signingStyle</key>",
+                "  <string>manual</string>",
+                "  <key>provisioningProfiles</key>",
+                "  <dict>",
+                `    <key>${expectedBundleId}</key>`,
+                `    <string>${signingProfileName}</string>`,
+                "  </dict>",
+                "</dict>",
+                "</plist>"
+            ].join("\n");
+            await writeFile(exportOptionsPath, exportOptionsPlist, "utf8");
+            gymArgs.push(`export_options:${exportOptionsPath}`);
+            await appendLog(`Using export options plist: ${exportOptionsPath}`);
+        }
+        const xcargsParts = [
+            hasManualSigningInputs ? "CODE_SIGN_STYLE=Manual" : "CODE_SIGN_STYLE=Automatic"
+        ];
+        if (!hasManualSigningInputs) {
+            xcargsParts.unshift("-allowProvisioningUpdates");
+        }
+        if (resolvedTeamId) {
+            xcargsParts.push(`DEVELOPMENT_TEAM=${resolvedTeamId}`);
+        }
+        if (signingProfileUuid) {
+            xcargsParts.push(`PROVISIONING_PROFILE=${signingProfileUuid}`);
+        }
+        // Prefer UUID-only profile pinning; profile name can resolve to stale duplicates.
+        if (hasManualSigningInputs && signingIdentityHash) {
+            xcargsParts.push(`CODE_SIGN_IDENTITY=${signingIdentityHash}`);
+        }
+        gymArgs.push(`xcargs:${xcargsParts.join(" ")}`);
+        await appendLog("Running fastlane gym (this may take several minutes)");
+        const gymResult = await runCommand("fastlane", gymArgs);
+        if (gymResult.stdout.trim()) {
+            await appendLog(gymResult.stdout.trim());
+        }
+        if (gymResult.stderr.trim()) {
+            await appendLog(gymResult.stderr.trim());
+        }
+        const ipaPath = join(artifactDir, artifactName);
+        if (!existsSync(ipaPath)) {
+            const discovered = await findFirstFileWithExtensions(artifactDir, [".ipa"]);
+            if (!discovered) {
+                throw new Error(`Build completed but no .ipa found in ${artifactDir}`);
+            }
+            build.artifactBlobName = `${buildId}/${basename(discovered)}`;
+            build.artifactUrl = `file://${discovered}`;
+        }
+        else {
+            build.artifactBlobName = `${buildId}/${artifactName}`;
+            build.artifactUrl = `file://${ipaPath}`;
+        }
+        build.status = "succeeded";
+        build.errorMessage = null;
+        build.updatedAt = nowIso();
+        saveLocalState(localState);
+        await appendLog("Build completed successfully");
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        let resolvedMessage = message;
+        if (error instanceof CommandExecutionError) {
+            const combined = `${error.stdout}\n${error.stderr}`;
+            if (/requires a provisioning profile with the Push Notifications feature/i.test(combined)) {
+                resolvedMessage = [
+                    message,
+                    "Build archive succeeded, but IPA export failed because the provisioning profile is missing Push Notifications capability.",
+                    "Enable Push Notifications for the App ID in Apple Developer, regenerate the App Store provisioning profile, download it, then rerun `gl apple setup --from-expo --apple-id <apple-id>` and `gl build ios start`."
+                ].join("\n");
+            }
+        }
+        build.status = "failed";
+        build.artifactBlobName = null;
+        build.artifactUrl = null;
+        build.errorMessage = resolvedMessage;
+        build.updatedAt = nowIso();
+        saveLocalState(localState);
+        await appendLog(`Build failed: ${resolvedMessage}`);
+        if (error instanceof CommandExecutionError) {
+            const stderr = error.stderr.trim();
+            const stdout = error.stdout.trim();
+            if (stderr) {
+                await appendLog(`fastlane stderr: ${stderr}`);
+            }
+            if (stdout) {
+                await appendLog(`fastlane stdout: ${stdout}`);
+            }
+        }
+    }
+}
+async function processSubmission(submissionId) {
+    const submission = localState.submissions.find((record) => record.id === submissionId);
+    if (!submission) {
+        return;
+    }
+    const build = localState.builds.find((record) => record.id === submission.buildId);
+    if (!build) {
+        submission.status = "failed";
+        submission.errorMessage = `Build ${submission.buildId} not found`;
+        submission.updatedAt = nowIso();
+        saveLocalState(localState);
+        return;
+    }
+    if (!build.artifactUrl?.startsWith("file://")) {
+        submission.status = "failed";
+        submission.errorMessage = "Submission requires a local IPA artifact URL (file://...).";
+        submission.updatedAt = nowIso();
+        saveLocalState(localState);
+        return;
+    }
+    const connection = localState.appleConnections.find((item) => (item.orgSlug === submission.orgSlug && item.projectSlug === submission.projectSlug));
+    if (!connection || !connection.privateKeyPem.includes("PRIVATE KEY")) {
+        submission.status = "failed";
+        submission.errorMessage = "Valid App Store Connect API key is not configured for this project.";
+        submission.updatedAt = nowIso();
+        saveLocalState(localState);
+        return;
+    }
+    const fileUrl = new URL(build.artifactUrl);
+    const ipaPath = decodeURIComponent(fileUrl.pathname);
+    if (!existsSync(ipaPath)) {
+        submission.status = "failed";
+        submission.errorMessage = `IPA not found at ${ipaPath}`;
+        submission.updatedAt = nowIso();
+        saveLocalState(localState);
+        return;
+    }
+    const logsBlobName = `${submissionId}/submit.log`;
+    const logsFilePath = join(CLI_STORAGE_DIR, "logs", logsBlobName);
+    await mkdir(dirname(logsFilePath), { recursive: true });
+    submission.status = "running";
+    submission.logsBlobName = logsBlobName;
+    submission.errorMessage = null;
+    submission.updatedAt = nowIso();
+    saveLocalState(localState);
+    const logLines = [
+        `[${nowIso()}] Submission started`,
+        `[${nowIso()}] Track=${submission.track}`,
+        `[${nowIso()}] IPA=${ipaPath}`
+    ];
+    const appendLog = async (line) => {
+        logLines.push(`[${nowIso()}] ${line}`);
+        await writeFile(logsFilePath, `${logLines.join("\n")}\n`, "utf8");
+    };
+    const tempDir = await mkdtemp(join(tmpdir(), "gl-asc-key-"));
+    const apiKeyPath = join(tempDir, "asc-api-key.json");
+    try {
+        await appendLog("Checking fastlane installation");
+        await ensureFastlaneInstalled();
+        await appendLog("Preparing App Store Connect API key payload");
+        await writeFile(apiKeyPath, JSON.stringify({
+            key_id: connection.keyId,
+            issuer_id: connection.issuerId,
+            key: connection.privateKeyPem,
+            in_house: false
+        }, null, 2), "utf8");
+        await appendLog("Uploading build to App Store Connect via fastlane pilot");
+        const { stdout, stderr } = await runCommand("fastlane", [
+            "run",
+            "pilot",
+            "upload",
+            `ipa:${ipaPath}`,
+            `api_key_path:${apiKeyPath}`,
+            "skip_waiting_for_build_processing:true"
+        ]);
+        if (stdout.trim()) {
+            await appendLog(stdout.trim());
+        }
+        if (stderr.trim()) {
+            await appendLog(stderr.trim());
+        }
+        submission.status = "succeeded";
+        submission.externalSubmissionId = `pilot-${submissionId.slice(0, 8)}-${Date.now()}`;
+        submission.errorMessage = null;
+        submission.updatedAt = nowIso();
+        saveLocalState(localState);
+        await appendLog("Submission upload command completed successfully");
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        let resolvedMessage = message;
+        if (error instanceof CommandExecutionError) {
+            const stderr = error.stderr.trim();
+            const stdout = error.stdout.trim();
+            resolvedMessage = [
+                message,
+                stderr ? `fastlane stderr:\n${stderr}` : "",
+                stdout ? `fastlane stdout:\n${stdout}` : ""
+            ].filter(Boolean).join("\n");
+        }
+        submission.status = "failed";
+        submission.externalSubmissionId = null;
+        submission.errorMessage = resolvedMessage;
+        submission.updatedAt = nowIso();
+        saveLocalState(localState);
+        await appendLog(`Submission failed: ${resolvedMessage}`);
+    }
+    finally {
+        await rm(tempDir, { recursive: true, force: true });
+    }
+}
+function parseRequestUrl(url) {
+    try {
+        return new URL(url);
+    }
+    catch {
+        return new URL(url, "http://localhost");
+    }
+}
+function formatDurationMs(ms) {
+    if (ms < 1000) {
+        return `${ms}ms`;
+    }
+    return `${(ms / 1000).toFixed(1)}s`;
+}
+class CliUi {
+    stepCounter = 0;
+    constructor(title) {
+        console.log(`\n${title}`);
+        console.log("=".repeat(title.length));
+    }
+    info(message) {
+        console.log(`- ${message}`);
+    }
+    async step(label, fn) {
+        this.stepCounter += 1;
+        const stepNumber = this.stepCounter;
+        const start = Date.now();
+        console.log(`[${stepNumber}] ${label}...`);
+        try {
+            const result = await fn();
+            const elapsed = Date.now() - start;
+            console.log(`    done (${formatDurationMs(elapsed)})`);
+            return result;
+        }
+        catch (error) {
+            const elapsed = Date.now() - start;
+            console.log(`    failed (${formatDurationMs(elapsed)})`);
+            throw error;
+        }
+    }
+    complete(message) {
+        console.log(`\n${message}`);
+    }
+}
+async function promptForYes(message) {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    try {
+        const answer = (await rl.question(`${message}\nType y to continue: `)).trim().toLowerCase();
+        return answer === "y";
+    }
+    finally {
+        rl.close();
+    }
+}
+async function promptForText(message) {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    try {
+        return (await rl.question(message)).trim();
+    }
+    finally {
+        rl.close();
+    }
+}
+async function promptForBuildSelection(builds) {
+    if (builds.length === 0) {
+        throw new Error("No builds available for selection.");
+    }
+    console.log("Recent successful builds:");
+    for (const [index, build] of builds.entries()) {
+        console.log(`${index + 1}) ${build.id}\t${build.orgSlug}/${build.projectSlug}\t${build.profile}\t${build.commitSha}\t${build.createdAt}`);
+    }
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    try {
+        const answer = (await rl.question("Select build number (press Enter for most recent #1): ")).trim();
+        if (!answer) {
+            return builds[0];
+        }
+        const parsed = Number(answer);
+        if (!Number.isInteger(parsed) || parsed < 1 || parsed > builds.length) {
+            throw new Error(`Invalid selection: ${answer}`);
+        }
+        return builds[parsed - 1];
+    }
+    finally {
+        rl.close();
+    }
+}
+function listRecentSucceededBuilds(options) {
+    const limit = options?.limit ?? 25;
+    return localState.builds
+        .filter((build) => build.status === "succeeded")
+        .filter((build) => !options?.orgSlug || build.orgSlug === options.orgSlug)
+        .filter((build) => !options?.projectSlug || build.projectSlug === options.projectSlug)
+        .sort((a, b) => b.createdAt.localeCompare(a.createdAt))
+        .slice(0, limit);
+}
+function slugify(value) {
+    const slug = value
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-+|-+$/g, "");
+    return slug || "default";
+}
+function bundleSegment(value) {
+    const cleaned = value.toLowerCase().replace(/[^a-z0-9]/g, "");
+    if (!cleaned) {
+        return "app";
+    }
+    if (/^[0-9]/.test(cleaned)) {
+        return `app${cleaned}`;
+    }
+    return cleaned;
+}
+function defaultProjectSlug() {
+    const cwdName = process.cwd().split("/").pop();
+    return slugify(cwdName ?? "ios-app");
+}
+function readJsonFileIfExists(filePath) {
+    if (!existsSync(filePath)) {
+        return null;
+    }
+    try {
+        const raw = readFileSync(filePath, "utf8");
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+            return null;
+        }
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+function stringFromRecord(record, key) {
+    const value = record[key];
+    return typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
+}
+function recordFromRecord(record, key) {
+    const value = record[key];
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+        return undefined;
+    }
+    return value;
+}
+function detectExpoProjectHints(projectDir) {
+    const sourceFiles = [];
+    const hints = { sourceFiles };
+    const appJsonPath = join(projectDir, "app.json");
+    const appConfigJsonPath = join(projectDir, "app.config.json");
+    const packageJsonPath = join(projectDir, "package.json");
+    const appJson = readJsonFileIfExists(appJsonPath);
+    const appConfigJson = readJsonFileIfExists(appConfigJsonPath);
+    const packageJson = readJsonFileIfExists(packageJsonPath);
+    const expoNode = appJson
+        ? recordFromRecord(appJson, "expo")
+        : (appConfigJson ? recordFromRecord(appConfigJson, "expo") : undefined);
+    if (appJson && expoNode) {
+        sourceFiles.push("app.json");
+    }
+    else if (appConfigJson && expoNode) {
+        sourceFiles.push("app.config.json");
+    }
+    if (packageJson) {
+        sourceFiles.push("package.json");
+    }
+    if (expoNode) {
+        const iosNode = recordFromRecord(expoNode, "ios");
+        hints.bundleId = iosNode ? stringFromRecord(iosNode, "bundleIdentifier") : undefined;
+        hints.appleTeamId = iosNode ? stringFromRecord(iosNode, "appleTeamId") : undefined;
+        hints.appName = stringFromRecord(expoNode, "name");
+        const expoSlug = stringFromRecord(expoNode, "slug");
+        hints.projectSlug = expoSlug ? slugify(expoSlug) : undefined;
+        const owner = stringFromRecord(expoNode, "owner");
+        hints.ownerSlug = owner ? slugify(owner) : undefined;
+    }
+    if (!hints.projectSlug && packageJson) {
+        const packageName = stringFromRecord(packageJson, "name");
+        if (packageName) {
+            hints.projectSlug = slugify(packageName.replace(/^@[^/]+\//, ""));
+        }
+    }
+    return hints;
+}
+function detectExpoPluginPackages(projectDir) {
+    const appJsonPath = join(projectDir, "app.json");
+    const appConfigJsonPath = join(projectDir, "app.config.json");
+    const appJson = readJsonFileIfExists(appJsonPath);
+    const appConfigJson = readJsonFileIfExists(appConfigJsonPath);
+    const expoNode = appJson
+        ? recordFromRecord(appJson, "expo")
+        : (appConfigJson ? recordFromRecord(appConfigJson, "expo") : undefined);
+    if (!expoNode) {
+        return [];
+    }
+    const pluginsNode = expoNode.plugins;
+    if (!Array.isArray(pluginsNode)) {
+        return [];
+    }
+    const packages = new Set();
+    for (const pluginEntry of pluginsNode) {
+        if (typeof pluginEntry === "string" && pluginEntry.trim()) {
+            const value = pluginEntry.trim();
+            if (!value.startsWith(".")) {
+                packages.add(value);
+            }
+            continue;
+        }
+        if (Array.isArray(pluginEntry) && typeof pluginEntry[0] === "string") {
+            const value = pluginEntry[0].trim();
+            if (value && !value.startsWith(".")) {
+                packages.add(value);
+            }
+        }
+    }
+    return Array.from(packages).sort((a, b) => a.localeCompare(b));
+}
+function readPackageDependencyNames(projectDir) {
+    const packageJsonPath = join(projectDir, "package.json");
+    const packageJson = readJsonFileIfExists(packageJsonPath);
+    if (!packageJson) {
+        return new Set();
+    }
+    const sections = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];
+    const deps = new Set();
+    for (const section of sections) {
+        const node = packageJson[section];
+        if (!node || typeof node !== "object" || Array.isArray(node)) {
+            continue;
+        }
+        for (const key of Object.keys(node)) {
+            deps.add(key);
+        }
+    }
+    return deps;
+}
+function listProjectSourceFiles(projectDir, maxDepth = 8) {
+    const files = [];
+    const excludedDirs = new Set([".git", "node_modules", "ios", "android", "dist", "build", ".expo", ".next"]);
+    const allowedExtensions = new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"]);
+    const visit = (currentDir, depth) => {
+        if (depth > maxDepth || !existsSync(currentDir)) {
+            return;
+        }
+        const entries = readdirSync(currentDir, { withFileTypes: true });
+        for (const entry of entries) {
+            const fullPath = join(currentDir, entry.name);
+            if (entry.isDirectory()) {
+                if (excludedDirs.has(entry.name)) {
+                    continue;
+                }
+                visit(fullPath, depth + 1);
+                continue;
+            }
+            if (!entry.isFile()) {
+                continue;
+            }
+            const extension = `.${entry.name.split(".").pop() ?? ""}`;
+            if (allowedExtensions.has(extension)) {
+                files.push(fullPath);
+            }
+        }
+    };
+    visit(projectDir, 0);
+    return files;
+}
+function packageNameFromModuleSpecifier(specifier) {
+    const value = specifier.trim();
+    if (!value || value.startsWith(".") || value.startsWith("/") || value.startsWith("node:")) {
+        return null;
+    }
+    if (value.startsWith("@")) {
+        const segments = value.split("/");
+        return segments.length >= 2 ? `${segments[0]}/${segments[1]}` : null;
+    }
+    return value.split("/")[0] ?? null;
+}
+function isExpoRelatedPackage(packageName) {
+    return packageName.startsWith("expo")
+        || packageName.startsWith("@expo/")
+        || packageName.startsWith("@react-native-community/")
+        || packageName.startsWith("@react-native-async-storage/");
+}
+function detectPackagesFromSourceImports(projectDir) {
+    const sourceFiles = listProjectSourceFiles(projectDir);
+    const packages = new Set();
+    const patterns = [
+        /import\s+[^\n]*?\s+from\s+["']([^"']+)["']/g,
+        /import\s*\(\s*["']([^"']+)["']\s*\)/g,
+        /require\(\s*["']([^"']+)["']\s*\)/g,
+        /export\s+[^\n]*?\s+from\s+["']([^"']+)["']/g
+    ];
+    for (const filePath of sourceFiles) {
+        let content = "";
+        try {
+            content = readFileSync(filePath, "utf8");
+        }
+        catch {
+            continue;
+        }
+        for (const pattern of patterns) {
+            for (const match of content.matchAll(pattern)) {
+                const rawSpecifier = match[1];
+                if (typeof rawSpecifier !== "string") {
+                    continue;
+                }
+                const packageName = packageNameFromModuleSpecifier(rawSpecifier);
+                if (!packageName || !isExpoRelatedPackage(packageName)) {
+                    continue;
+                }
+                packages.add(packageName);
+            }
+        }
+    }
+    return Array.from(packages).sort((a, b) => a.localeCompare(b));
+}
+function detectAppleTeamIdFromXcodeProject(projectDir) {
+    const iosDir = existsSync(join(projectDir, "ios")) ? join(projectDir, "ios") : projectDir;
+    if (!existsSync(iosDir)) {
+        return null;
+    }
+    try {
+        const entries = readdirSync(iosDir, { withFileTypes: true });
+        for (const entry of entries) {
+            if (!entry.name.endsWith(".xcodeproj")) {
+                continue;
+            }
+            const pbxprojPath = join(iosDir, entry.name, "project.pbxproj");
+            if (!existsSync(pbxprojPath)) {
+                continue;
+            }
+            const pbxproj = readFileSync(pbxprojPath, "utf8");
+            const match = /DEVELOPMENT_TEAM\s*=\s*([A-Z0-9]{10})\s*;/m.exec(pbxproj);
+            if (match?.[1]) {
+                return match[1];
+            }
+        }
+    }
+    catch {
+        return null;
+    }
+    return null;
+}
+async function findNewestAuthKeyP8(downloadsDir) {
+    if (!existsSync(downloadsDir)) {
+        return null;
+    }
+    const entries = await readdir(downloadsDir, { withFileTypes: true });
+    const candidates = entries
+        .filter((entry) => entry.isFile() && /^AuthKey_.+\.p8$/i.test(entry.name))
+        .map((entry) => join(downloadsDir, entry.name));
+    if (candidates.length === 0) {
+        return null;
+    }
+    let newest = null;
+    for (const candidatePath of candidates) {
+        const fileStat = await stat(candidatePath);
+        if (!newest || fileStat.mtimeMs > newest.mtimeMs) {
+            newest = {
+                path: candidatePath,
+                mtimeMs: fileStat.mtimeMs
+            };
+        }
+    }
+    return newest;
+}
+async function waitForNewAuthKeyP8(downloadsDir, timeoutMs, baselineMtimeMs) {
+    const started = Date.now();
+    while (Date.now() - started < timeoutMs) {
+        const newest = await findNewestAuthKeyP8(downloadsDir);
+        if (newest && newest.mtimeMs > baselineMtimeMs) {
+            return newest;
+        }
+        await new Promise((resolve) => setTimeout(resolve, 1250));
+    }
+    return null;
+}
+function inferKeyIdFromP8Path(filePath) {
+    const fileName = basename(filePath);
+    const match = /^AuthKey_([A-Za-z0-9]+)\.p8$/i.exec(fileName);
+    return match?.[1] ?? null;
+}
+function extractUuid(value) {
+    const match = /\b[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b/i.exec(value);
+    return match?.[0] ?? null;
+}
+function isUuid(value) {
+    return /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(value.trim());
+}
+function inferIssuerIdFromText(value) {
+    const lines = value
+        .split(/\r?\n/g)
+        .map((line) => line.trim())
+        .filter(Boolean);
+    for (const [index, line] of lines.entries()) {
+        if (!/issuer\s*id/i.test(line)) {
+            continue;
+        }
+        const sameLine = extractUuid(line);
+        if (sameLine) {
+            return sameLine;
+        }
+        for (const candidate of lines.slice(index + 1, index + 6)) {
+            const maybeUuid = extractUuid(candidate);
+            if (maybeUuid) {
+                return maybeUuid;
+            }
+        }
+    }
+    return extractUuid(value);
+}
+const ASC_PEM_BEGIN = ["-----BEGIN", "PRIVATE KEY-----"].join(" ");
+const ASC_PEM_END = ["-----END", "PRIVATE KEY-----"].join(" ");
+function isAscPrivateKeyPem(value) {
+    const normalized = value.replace(/\r\n/g, "\n").trim();
+    return normalized.includes(ASC_PEM_BEGIN) && normalized.includes(ASC_PEM_END);
+}
+async function tryReadIssuerIdFromClipboard() {
+    try {
+        const result = await runCommand("pbpaste", []);
+        const value = result.stdout.trim();
+        if (!value) {
+            return null;
+        }
+        return inferIssuerIdFromText(value);
+    }
+    catch {
+        return null;
+    }
+}
+async function tryReadIssuerIdFromBrowser() {
+    const scripts = [
+        [
+            "tell application \"Google Chrome\"",
+            "\tif (count of windows) = 0 then return \"\"",
+            "\tset activeTab to active tab of front window",
+            "\tset currentUrl to URL of activeTab",
+            "\tif currentUrl does not contain \"appstoreconnect.apple.com\" then return \"\"",
+            "\tset bodyText to execute activeTab javascript \"document && document.body ? document.body.innerText : ''\"",
+            "\treturn bodyText",
+            "end tell"
+        ].join("\n"),
+        [
+            "tell application \"Safari\"",
+            "\tif (count of windows) = 0 then return \"\"",
+            "\tset currentTab to current tab of front window",
+            "\tset currentUrl to URL of currentTab",
+            "\tif currentUrl does not contain \"appstoreconnect.apple.com\" then return \"\"",
+            "\tset bodyText to do JavaScript \"document && document.body ? document.body.innerText : ''\" in currentTab",
+            "\treturn bodyText",
+            "end tell"
+        ].join("\n")
+    ];
+    for (const script of scripts) {
+        try {
+            const result = await runCommand("osascript", ["-e", script]);
+            const candidate = inferIssuerIdFromText(result.stdout);
+            if (candidate) {
+                return candidate;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    return null;
+}
+function isManagedAscConnection(connection) {
+    return connection.keyId.startsWith("MANAGED-") || connection.issuerId.startsWith("managed-");
+}
+function titleCase(value) {
+    return value
+        .split(/[-_.\s]+/g)
+        .filter(Boolean)
+        .map((part) => `${part[0]?.toUpperCase() ?? ""}${part.slice(1)}`)
+        .join(" ");
+}
+function normalizeIpaPath(inputPath) {
+    const trimmed = inputPath.trim();
+    if (!trimmed) {
+        throw new Error("IPA path cannot be empty.");
+    }
+    const resolvedPath = isAbsolute(trimmed) ? trimmed : resolve(process.cwd(), trimmed);
+    if (!existsSync(resolvedPath)) {
+        throw new Error(`IPA file not found: ${resolvedPath}`);
+    }
+    if (!resolvedPath.toLowerCase().endsWith(".ipa")) {
+        throw new Error(`Expected an .ipa file: ${resolvedPath}`);
+    }
+    return resolvedPath;
+}
+function localArtifactPathFromBuild(build) {
+    if (!build.artifactUrl?.startsWith("file://")) {
+        return null;
+    }
+    try {
+        const fileUrl = new URL(build.artifactUrl);
+        return decodeURIComponent(fileUrl.pathname);
+    }
+    catch {
+        return null;
+    }
+}
+function findFirstDirectoryNamed(baseDir, targetDirName, maxDepth = 6) {
+    const visit = (currentDir, depth) => {
+        if (depth > maxDepth || !existsSync(currentDir)) {
+            return null;
+        }
+        const entries = readdirSync(currentDir, { withFileTypes: true });
+        for (const entry of entries) {
+            if (!entry.isDirectory()) {
+                continue;
+            }
+            const fullPath = join(currentDir, entry.name);
+            if (entry.name === targetDirName) {
+                return fullPath;
+            }
+            if (entry.name === "Pods" || entry.name === ".git" || entry.name === "node_modules") {
+                continue;
+            }
+            const nested = visit(fullPath, depth + 1);
+            if (nested) {
+                return nested;
+            }
+        }
+        return null;
+    };
+    return visit(baseDir, 0);
+}
+function findFirstFileNamed(baseDir, targetFileName, maxDepth = 6) {
+    const visit = (currentDir, depth) => {
+        if (depth > maxDepth || !existsSync(currentDir)) {
+            return null;
+        }
+        const entries = readdirSync(currentDir, { withFileTypes: true });
+        for (const entry of entries) {
+            const fullPath = join(currentDir, entry.name);
+            if (entry.isFile() && entry.name === targetFileName) {
+                return fullPath;
+            }
+            if (!entry.isDirectory()) {
+                continue;
+            }
+            if (entry.name === "Pods" || entry.name === ".git" || entry.name === "node_modules") {
+                continue;
+            }
+            const nested = visit(fullPath, depth + 1);
+            if (nested) {
+                return nested;
+            }
+        }
+        return null;
+    };
+    return visit(baseDir, 0);
+}
+function findAppStoreIconPath(workingDirectory) {
+    const iosDir = existsSync(join(workingDirectory, "ios")) ? join(workingDirectory, "ios") : workingDirectory;
+    if (!existsSync(iosDir)) {
+        return null;
+    }
+    const appIconSetDir = findFirstDirectoryNamed(iosDir, "AppIcon.appiconset", 8);
+    if (!appIconSetDir) {
+        return null;
+    }
+    const contentsPath = join(appIconSetDir, "Contents.json");
+    if (existsSync(contentsPath)) {
+        try {
+            const contents = JSON.parse(readFileSync(contentsPath, "utf8"));
+            const image = contents.images?.find((item) => item.size === "1024x1024")
+                ?? contents.images?.find((item) => item.idiom === "ios-marketing")
+                ?? contents.images?.find((item) => item.filename?.includes("1024"));
+            if (image?.filename) {
+                const candidatePath = join(appIconSetDir, image.filename);
+                if (existsSync(candidatePath)) {
+                    return candidatePath;
+                }
+            }
+        }
+        catch {
+            // Fall through to filename scan.
+        }
+    }
+    const files = readdirSync(appIconSetDir, { withFileTypes: true })
+        .filter((entry) => entry.isFile() && entry.name.toLowerCase().endsWith(".png"))
+        .map((entry) => join(appIconSetDir, entry.name));
+    const with1024 = files.find((filePath) => basename(filePath).includes("1024"));
+    return with1024 ?? files[0] ?? null;
+}
+function persistCliConfig(patch) {
+    cliConfig = {
+        ...cliConfig,
+        ...patch
+    };
+    saveCliConfig(cliConfig);
+}
+function persistProjectDefaults(orgSlug, projectSlug, buildProfile) {
+    persistCliConfig({
+        lastOrgSlug: orgSlug,
+        lastProjectSlug: projectSlug,
+        ...(buildProfile ? { lastBuildProfile: buildProfile } : {})
+    });
+}
+function inferAppleTeamId(optionValue, workingDirectory = process.cwd()) {
+    if (optionValue?.trim()) {
+        return { value: optionValue.trim(), source: "--team-id" };
+    }
+    if (process.env.GL_APPLE_TEAM_ID?.trim()) {
+        return { value: process.env.GL_APPLE_TEAM_ID.trim(), source: "GL_APPLE_TEAM_ID" };
+    }
+    if (process.env.APPLE_TEAM_ID?.trim()) {
+        return { value: process.env.APPLE_TEAM_ID.trim(), source: "APPLE_TEAM_ID" };
+    }
+    if (cliConfig.lastAppleTeamId?.trim()) {
+        return { value: cliConfig.lastAppleTeamId.trim(), source: "saved default" };
+    }
+    const detected = detectAppleTeamIdFromXcodeProject(workingDirectory);
+    if (detected) {
+        return { value: detected, source: "xcode project" };
+    }
+    return { value: null, source: "none" };
+}
+function pickBestScheme(schemes, workspacePath, projectPath) {
+    if (schemes.length === 0) {
+        return null;
+    }
+    const expectedName = workspacePath
+        ? basename(workspacePath, ".xcworkspace")
+        : (projectPath ? basename(projectPath, ".xcodeproj") : "");
+    if (expectedName) {
+        const exactMatch = schemes.find((item) => item === expectedName);
+        if (exactMatch) {
+            return exactMatch;
+        }
+    }
+    const nonPodNonExpo = schemes.find((item) => {
+        const lower = item.toLowerCase();
+        return !lower.includes("pods") && !lower.startsWith("ex");
+    });
+    if (nonPodNonExpo) {
+        return nonPodNonExpo;
+    }
+    return schemes.find((item) => !item.toLowerCase().includes("pods")) ?? schemes[0];
+}
+function inferOrgSlug(optionValue) {
+    if (optionValue) {
+        return { value: optionValue, source: "--org" };
+    }
+    if (process.env.GL_ORG) {
+        return { value: process.env.GL_ORG, source: "GL_ORG" };
+    }
+    if (cliConfig.lastOrgSlug) {
+        return { value: cliConfig.lastOrgSlug, source: "saved default" };
+    }
+    const emailLocal = cliConfig.userEmail?.split("@")[0];
+    if (emailLocal) {
+        return { value: slugify(emailLocal), source: "signed-in email" };
+    }
+    return { value: "personal", source: "fallback" };
+}
+function inferProjectSlug(optionValue) {
+    if (optionValue) {
+        return { value: optionValue, source: "--project" };
+    }
+    if (process.env.GL_PROJECT) {
+        return { value: process.env.GL_PROJECT, source: "GL_PROJECT" };
+    }
+    if (cliConfig.lastProjectSlug) {
+        return { value: cliConfig.lastProjectSlug, source: "saved default" };
+    }
+    return { value: defaultProjectSlug(), source: "current folder" };
+}
+function inferBuildProfile(optionValue) {
+    if (optionValue) {
+        return { value: optionValue, source: "--profile" };
+    }
+    if (process.env.GL_BUILD_PROFILE) {
+        return { value: process.env.GL_BUILD_PROFILE, source: "GL_BUILD_PROFILE" };
+    }
+    if (cliConfig.lastBuildProfile) {
+        return { value: cliConfig.lastBuildProfile, source: "saved default" };
+    }
+    return { value: "prod", source: "default" };
+}
+function inferBundleId(optionValue, orgSlug, projectSlug) {
+    if (optionValue) {
+        return { value: optionValue, source: "--bundle-id" };
+    }
+    if (process.env.IOS_BUNDLE_ID) {
+        return { value: process.env.IOS_BUNDLE_ID, source: "IOS_BUNDLE_ID" };
+    }
+    if (process.env.EXPO_IOS_BUNDLE_IDENTIFIER) {
+        return { value: process.env.EXPO_IOS_BUNDLE_IDENTIFIER, source: "EXPO_IOS_BUNDLE_IDENTIFIER" };
+    }
+    return {
+        value: `com.${bundleSegment(orgSlug)}.${bundleSegment(projectSlug)}`,
+        source: "derived from org/project"
+    };
+}
+async function inferCommitSha(optionValue) {
+    if (optionValue) {
+        return { value: optionValue, source: "--commit" };
+    }
+    if (process.env.GL_COMMIT_SHA) {
+        return { value: process.env.GL_COMMIT_SHA, source: "GL_COMMIT_SHA" };
+    }
+    try {
+        const { stdout } = await runCommand("git", ["rev-parse", "--short", "HEAD"]);
+        const commitSha = stdout.trim();
+        if (commitSha.length >= 7) {
+            return { value: commitSha, source: "git HEAD" };
+        }
+    }
+    catch {
+        // Fall through to non-git fallback.
+    }
+    return { value: "localdev", source: "fallback" };
+}
+class CommandExecutionError extends Error {
+    stdout;
+    stderr;
+    exitCode;
+    constructor(message, stdout, stderr, exitCode) {
+        super(message);
+        this.stdout = stdout;
+        this.stderr = stderr;
+        this.exitCode = exitCode;
+    }
+}
+async function postJson(url, payload) {
+    const token = getAuthToken();
+    if (requiresAuth(url) && !token) {
+        throw new Error("Not signed in. Run `gl auth login --email <you@example.com>` first.");
+    }
+    const parsed = parseRequestUrl(url);
+    const path = parsed.pathname;
+    const body = payload;
+    if (path === "/v1/auth/login") {
+        const email = String(body.email ?? "").trim().toLowerCase();
+        if (!email.includes("@")) {
+            throw new Error("Invalid email");
+        }
+        let user = localState.users.find((item) => item.email === email);
+        if (!user) {
+            user = {
+                id: randomUUID(),
+                email,
+                accountStatus: "active",
+                createdAt: nowIso(),
+                updatedAt: nowIso()
+            };
+            localState.users.push(user);
+        }
+        const authToken = randomBytes(32).toString("base64url");
+        localState.sessions.push({
+            userId: user.id,
+            token: authToken,
+            createdAt: nowIso(),
+            lastUsedAt: nowIso()
+        });
+        saveLocalState(localState);
+        return { token: authToken, user };
+    }
+    const user = authUserFromToken(token);
+    if (!user) {
+        throw new Error("Not authenticated");
+    }
+    if (path === "/v1/consents") {
+        localState.consents.push({
+            id: randomUUID(),
+            userId: user.id,
+            orgSlug: String(body.orgSlug ?? ""),
+            projectSlug: String(body.projectSlug ?? ""),
+            action: String(body.action ?? ""),
+            consentText: String(body.consentText ?? ""),
+            response: (body.response === "declined" ? "declined" : "accepted"),
+            createdAt: nowIso()
+        });
+        saveLocalState(localState);
+        return { consent: localState.consents.at(-1) };
+    }
+    if (path === "/v1/builds") {
+        const build = {
+            id: randomUUID(),
+            orgSlug: String(body.orgSlug ?? ""),
+            projectSlug: String(body.projectSlug ?? ""),
+            platform: "ios",
+            profile: String(body.profile ?? "prod"),
+            commitSha: String(body.commitSha ?? "localdev"),
+            status: "queued",
+            logsBlobName: null,
+            artifactBlobName: null,
+            artifactUrl: null,
+            errorMessage: null,
+            createdAt: nowIso(),
+            updatedAt: nowIso()
+        };
+        localState.builds.push(build);
+        saveLocalState(localState);
+        await processBuild(build.id);
+        return { build: localState.builds.find((item) => item.id === build.id) };
+    }
+    if (path === "/v1/apple/connections") {
+        const orgSlug = String(body.orgSlug ?? "");
+        const projectSlug = String(body.projectSlug ?? "");
+        const existing = localState.appleConnections.find((item) => item.orgSlug === orgSlug && item.projectSlug === projectSlug);
+        const connection = {
+            id: existing?.id ?? randomUUID(),
+            orgSlug,
+            projectSlug,
+            issuerId: String(body.issuerId ?? ""),
+            keyId: String(body.keyId ?? ""),
+            hasPrivateKey: true,
+            createdAt: existing?.createdAt ?? nowIso(),
+            updatedAt: nowIso(),
+            privateKeyPem: String(body.privateKeyPem ?? "")
+        };
+        localState.appleConnections = [
+            ...localState.appleConnections.filter((item) => !(item.orgSlug === orgSlug && item.projectSlug === projectSlug)),
+            connection
+        ];
+        saveLocalState(localState);
+        const { privateKeyPem: _privateKeyPem, ...publicConnection } = connection;
+        return { connection: publicConnection };
+    }
+    if (path === "/v1/apple/signing-assets") {
+        const orgSlug = String(body.orgSlug ?? "");
+        const projectSlug = String(body.projectSlug ?? "");
+        const bundleId = String(body.bundleId ?? "");
+        const distributionCertP12Base64 = String(body.distributionCertP12Base64 ?? "");
+        const distributionCertPassword = typeof body.distributionCertPassword === "string"
+            ? body.distributionCertPassword
+            : undefined;
+        const provisioningProfileBase64 = String(body.provisioningProfileBase64 ?? "");
+        const existing = localState.appleSigningAssets.find((item) => (item.orgSlug === orgSlug && item.projectSlug === projectSlug && item.bundleId === bundleId));
+        const signingAssets = {
+            id: existing?.id ?? randomUUID(),
+            orgSlug,
+            projectSlug,
+            bundleId,
+            hasDistributionCert: true,
+            hasProvisioningProfile: true,
+            distributionCertP12Base64: distributionCertP12Base64 || existing?.distributionCertP12Base64,
+            distributionCertPassword: distributionCertPassword ?? existing?.distributionCertPassword,
+            provisioningProfileBase64: provisioningProfileBase64 || existing?.provisioningProfileBase64,
+            createdAt: existing?.createdAt ?? nowIso(),
+            updatedAt: nowIso()
+        };
+        localState.appleSigningAssets = [
+            ...localState.appleSigningAssets.filter((item) => !(item.orgSlug === orgSlug && item.projectSlug === projectSlug && item.bundleId === bundleId)),
+            signingAssets
+        ];
+        saveLocalState(localState);
+        const { distributionCertP12Base64: _p12, distributionCertPassword: _pw, provisioningProfileBase64: _profile, ...publicSigningAssets } = signingAssets;
+        return { signingAssets: publicSigningAssets };
+    }
+    if (path === "/v1/submissions") {
+        let buildId = String(body.buildId ?? "");
+        let build = localState.builds.find((item) => item.id === buildId);
+        const ipaPathInput = typeof body.ipaPath === "string" ? body.ipaPath : null;
+        if (!build && ipaPathInput) {
+            const orgSlug = String(body.orgSlug ?? "").trim();
+            const projectSlug = String(body.projectSlug ?? "").trim();
+            if (!orgSlug || !projectSlug) {
+                throw new Error("orgSlug and projectSlug are required when submitting with --ipa");
+            }
+            const ipaPath = normalizeIpaPath(ipaPathInput);
+            const importedBuild = {
+                id: randomUUID(),
+                orgSlug,
+                projectSlug,
+                platform: "ios",
+                profile: "external",
+                commitSha: "external-ipa",
+                status: "succeeded",
+                logsBlobName: null,
+                artifactBlobName: basename(ipaPath),
+                artifactUrl: `file://${ipaPath}`,
+                errorMessage: null,
+                createdAt: nowIso(),
+                updatedAt: nowIso()
+            };
+            localState.builds.push(importedBuild);
+            saveLocalState(localState);
+            build = importedBuild;
+            buildId = importedBuild.id;
+        }
+        if (!build) {
+            throw new Error("Build not found (provide --build or --ipa)");
+        }
+        if (build.status !== "succeeded") {
+            throw new Error("Build must be in succeeded status before submission");
+        }
+        const hasConnection = localState.appleConnections.some((item) => item.orgSlug === build.orgSlug && item.projectSlug === build.projectSlug);
+        if (!hasConnection) {
+            throw new Error("Apple connection is not configured for this project");
+        }
+        const submission = {
+            id: randomUUID(),
+            buildId,
+            orgSlug: build.orgSlug,
+            projectSlug: build.projectSlug,
+            track: (body.track === "appstore" ? "appstore" : "testflight"),
+            status: "queued",
+            logsBlobName: null,
+            externalSubmissionId: null,
+            errorMessage: null,
+            createdAt: nowIso(),
+            updatedAt: nowIso()
+        };
+        localState.submissions.push(submission);
+        saveLocalState(localState);
+        await processSubmission(submission.id);
+        return { submission: localState.submissions.find((item) => item.id === submission.id) };
+    }
+    throw new Error(`Unsupported POST route: ${path}`);
+}
+async function getJson(url) {
+    const token = getAuthToken();
+    if (requiresAuth(url) && !token) {
+        throw new Error("Not signed in. Run `gl auth login --email <you@example.com>` first.");
+    }
+    const parsed = parseRequestUrl(url);
+    const path = parsed.pathname;
+    const params = parsed.searchParams;
+    const user = authUserFromToken(token);
+    if (requiresAuth(url) && !user) {
+        throw new Error("Not authenticated");
+    }
+    if (path === "/v1/auth/me") {
+        return { user };
+    }
+    if (path === "/v1/builds") {
+        const orgSlug = params.get("orgSlug") ?? "";
+        const projectSlug = params.get("projectSlug") ?? "";
+        const limit = Number(params.get("limit") ?? "20");
+        const builds = localState.builds
+            .filter((item) => item.orgSlug === orgSlug && item.projectSlug === projectSlug)
+            .sort((a, b) => b.createdAt.localeCompare(a.createdAt))
+            .slice(0, limit);
+        return { builds };
+    }
+    if (path.startsWith("/v1/builds/") && path.endsWith("/logs")) {
+        const buildId = path.replace("/v1/builds/", "").replace("/logs", "");
+        const build = localState.builds.find((item) => item.id === buildId);
+        if (!build) {
+            throw new Error("Build not found");
+        }
+        if (!build.logsBlobName) {
+            throw new Error("Logs not available yet");
+        }
+        const logs = await readFile(join(CLI_STORAGE_DIR, "logs", build.logsBlobName), "utf8");
+        return { buildId: build.id, logs };
+    }
+    if (path.startsWith("/v1/builds/")) {
+        const buildId = path.replace("/v1/builds/", "");
+        const build = localState.builds.find((item) => item.id === buildId);
+        if (!build) {
+            throw new Error("Build not found");
+        }
+        return { build };
+    }
+    if (path === "/v1/apple/connections") {
+        const orgSlug = params.get("orgSlug") ?? "";
+        const projectSlug = params.get("projectSlug") ?? "";
+        const connection = localState.appleConnections.find((item) => item.orgSlug === orgSlug && item.projectSlug === projectSlug);
+        if (!connection) {
+            throw new Error("Apple connection not found");
+        }
+        const { privateKeyPem: _privateKeyPem, ...publicConnection } = connection;
+        return { connection: publicConnection };
+    }
+    if (path === "/v1/apple/signing-assets") {
+        const orgSlug = params.get("orgSlug") ?? "";
+        const projectSlug = params.get("projectSlug") ?? "";
+        const bundleId = params.get("bundleId") ?? "";
+        const signingAssets = localState.appleSigningAssets.find((item) => (item.orgSlug === orgSlug && item.projectSlug === projectSlug && item.bundleId === bundleId));
+        if (!signingAssets) {
+            throw new Error("Apple signing assets not found");
+        }
+        const { distributionCertP12Base64: _p12, distributionCertPassword: _pw, provisioningProfileBase64: _profile, ...publicSigningAssets } = signingAssets;
+        return { signingAssets: publicSigningAssets };
+    }
+    if (path === "/v1/submissions") {
+        const orgSlug = params.get("orgSlug") ?? "";
+        const projectSlug = params.get("projectSlug") ?? "";
+        const limit = Number(params.get("limit") ?? "20");
+        const submissions = localState.submissions
+            .filter((item) => item.orgSlug === orgSlug && item.projectSlug === projectSlug)
+            .sort((a, b) => b.createdAt.localeCompare(a.createdAt))
+            .slice(0, limit);
+        return { submissions };
+    }
+    if (path.startsWith("/v1/submissions/") && path.endsWith("/logs")) {
+        const submissionId = path.replace("/v1/submissions/", "").replace("/logs", "");
+        const submission = localState.submissions.find((item) => item.id === submissionId);
+        if (!submission) {
+            throw new Error("Submission not found");
+        }
+        if (!submission.logsBlobName) {
+            throw new Error("Logs not available yet");
+        }
+        const logs = await readFile(join(CLI_STORAGE_DIR, "logs", submission.logsBlobName), "utf8");
+        return { submissionId: submission.id, logs };
+    }
+    if (path.startsWith("/v1/submissions/")) {
+        const submissionId = path.replace("/v1/submissions/", "");
+        const submission = localState.submissions.find((item) => item.id === submissionId);
+        if (!submission) {
+            throw new Error("Submission not found");
+        }
+        return { submission };
+    }
+    throw new Error(`Unsupported GET route: ${path}`);
+}
+async function getBinary(url) {
+    const token = getAuthToken();
+    if (requiresAuth(url) && !token) {
+        throw new Error("Not signed in. Run `gl auth login --email <you@example.com>` first.");
+    }
+    const parsed = parseRequestUrl(url);
+    const path = parsed.pathname;
+    const user = authUserFromToken(token);
+    if (!user) {
+        throw new Error("Not authenticated");
+    }
+    if (path.startsWith("/v1/builds/") && path.endsWith("/artifact")) {
+        const buildId = path.replace("/v1/builds/", "").replace("/artifact", "");
+        const build = localState.builds.find((item) => item.id === buildId);
+        if (!build) {
+            throw new Error("Build not found");
+        }
+        if (!build.artifactBlobName) {
+            throw new Error("Artifact not available yet");
+        }
+        const artifactPath = join(CLI_STORAGE_DIR, "artifacts", build.artifactBlobName);
+        const content = await readFile(artifactPath);
+        return {
+            content,
+            contentType: "application/octet-stream",
+            contentDisposition: `attachment; filename=\"${basename(build.artifactBlobName)}\"`
+        };
+    }
+    throw new Error(`Unsupported binary route: ${path}`);
+}
+function fileNameFromContentDisposition(contentDisposition) {
+    if (!contentDisposition) {
+        return null;
+    }
+    const match = /filename=\"?([^\";]+)\"?/i.exec(contentDisposition);
+    if (!match?.[1]) {
+        return null;
+    }
+    return basename(match[1]);
+}
+async function handleAuthLogin(options) {
+    const ui = new CliUi("Sign In");
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    ui.info(`API: ${apiBaseUrl}`);
+    ui.info(`Email: ${options.email}`);
+    const result = await ui.step("Authenticating account", async () => postJson(`${apiBaseUrl}/v1/auth/login`, { email: options.email }));
+    await ui.step("Saving local session", async () => {
+        persistCliConfig({
+            apiBaseUrl,
+            authToken: result.token,
+            userEmail: result.user.email
+        });
+    });
+    ui.complete("Sign in complete.");
+    console.log(`signed_in_as=${result.user.email}`);
+    console.log(`account_status=${result.user.accountStatus}`);
+}
+async function handleAuthWhoami(options) {
+    const ui = new CliUi("Current User");
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    const result = await ui.step("Loading account", async () => getJson(`${apiBaseUrl}/v1/auth/me`));
+    ui.complete("Account loaded.");
+    console.log(`user_id=${result.user.id}`);
+    console.log(`email=${result.user.email}`);
+    console.log(`account_status=${result.user.accountStatus}`);
+}
+async function handleAuthLogout() {
+    const ui = new CliUi("Sign Out");
+    await ui.step("Clearing local session", async () => {
+        persistCliConfig({
+            authToken: undefined,
+            userEmail: undefined
+        });
+    });
+    ui.complete("Sign out complete.");
+    console.log("signed_out=true");
+}
+async function recordConsent(apiBaseUrl, input) {
+    await postJson(`${apiBaseUrl}/v1/consents`, input);
+}
+async function runCommand(command, args, options) {
+    return new Promise((resolve, reject) => {
+        const child = spawn(command, args, {
+            cwd: options?.cwd,
+            env: options?.env,
+            stdio: options?.inherit ? "inherit" : "pipe"
+        });
+        let stdout = "";
+        let stderr = "";
+        if (!options?.inherit) {
+            if (!child.stdout || !child.stderr) {
+                reject(new Error("Child process streams are unavailable"));
+                return;
+            }
+            child.stdout.on("data", (chunk) => {
+                stdout += chunk.toString("utf8");
+            });
+            child.stderr.on("data", (chunk) => {
+                stderr += chunk.toString("utf8");
+            });
+        }
+        child.on("error", (error) => {
+            reject(error);
+        });
+        child.on("close", (code) => {
+            if (code === 0) {
+                resolve({ stdout, stderr });
+                return;
+            }
+            reject(new CommandExecutionError(`${command} ${args.join(" ")} failed with code ${code}`, stdout, stderr, code));
+        });
+    });
+}
+async function ensureFastlaneInstalled() {
+    try {
+        await runCommand("fastlane", ["--version"]);
+    }
+    catch {
+        throw new Error("fastlane is not installed or not on PATH. Install it first: https://docs.fastlane.tools/getting-started/ios/setup/");
+    }
+}
+async function hasLocalDistributionIdentity() {
+    try {
+        const result = await runCommand("security", ["find-identity", "-v", "-p", "codesigning"]);
+        return /Apple Distribution:/i.test(result.stdout);
+    }
+    catch {
+        return false;
+    }
+}
+async function findNewestLocalProvisioningProfile(bundleId) {
+    const searchDirs = [
+        join(homedir(), "Library", "MobileDevice", "Provisioning Profiles"),
+        join(homedir(), "Downloads")
+    ];
+    let bestPath = null;
+    let bestMtimeMs = 0;
+    for (const dirPath of searchDirs) {
+        if (!existsSync(dirPath)) {
+            continue;
+        }
+        const entries = await readdir(dirPath, { withFileTypes: true });
+        for (const entry of entries) {
+            if (!entry.isFile() || !entry.name.endsWith(".mobileprovision")) {
+                continue;
+            }
+            const profilePath = join(dirPath, entry.name);
+            try {
+                const profileDump = await runCommand("security", ["cms", "-D", "-i", profilePath]);
+                const appIdentifier = /<key>application-identifier<\/key>\s*<string>([^<]+)<\/string>/m.exec(profileDump.stdout)?.[1] ?? "";
+                if (!appIdentifier.endsWith(`.${bundleId}`)) {
+                    continue;
+                }
+                const fileStat = await stat(profilePath);
+                if (!bestPath || fileStat.mtimeMs > bestMtimeMs) {
+                    bestPath = profilePath;
+                    bestMtimeMs = fileStat.mtimeMs;
+                }
+            }
+            catch {
+                continue;
+            }
+        }
+    }
+    if (!bestPath) {
+        return null;
+    }
+    return {
+        path: bestPath,
+        base64: (await readFile(bestPath)).toString("base64")
+    };
+}
+async function findFirstFileWithExtensions(baseDir, extensions) {
+    const entries = await readdir(baseDir, { withFileTypes: true });
+    for (const entry of entries) {
+        const fullPath = join(baseDir, entry.name);
+        if (entry.isDirectory()) {
+            const nested = await findFirstFileWithExtensions(fullPath, extensions);
+            if (nested) {
+                return nested;
+            }
+            continue;
+        }
+        for (const extension of extensions) {
+            if (entry.name.toLowerCase().endsWith(extension.toLowerCase())) {
+                return fullPath;
+            }
+        }
+    }
+    return null;
+}
+const program = new Command();
+program
+    .name("gl")
+    .description("Green Line build and submit CLI")
+    .version("1.0.0");
+const auth = program.command("auth").description("Authenticate CLI user");
+auth
+    .command("login")
+    .requiredOption("--email <email>", "account email")
+    .option("--api <baseUrl>", "API base URL")
+    .action(handleAuthLogin);
+auth
+    .command("whoami")
+    .option("--api <baseUrl>", "API base URL")
+    .action(handleAuthWhoami);
+auth
+    .command("logout")
+    .action(handleAuthLogout);
+program
+    .command("login")
+    .description("Sign in (friendly alias for `gl auth login`)")
+    .requiredOption("--email <email>", "account email")
+    .option("--api <baseUrl>", "API base URL")
+    .action(handleAuthLogin);
+program
+    .command("whoami")
+    .description("Show current signed-in account (alias for `gl auth whoami`)")
+    .option("--api <baseUrl>", "API base URL")
+    .action(handleAuthWhoami);
+program
+    .command("logout")
+    .description("Sign out (alias for `gl auth logout`)")
+    .action(handleAuthLogout);
+const build = program.command("build").description("Manage build jobs");
+const buildIos = build.command("ios").description("iOS build commands");
+buildIos
+    .command("start")
+    .option("--org <orgSlug>", "organization slug (auto-resolved if omitted)")
+    .option("--project <projectSlug>", "project slug (auto-resolved if omitted)")
+    .option("--team-id <teamId>", "Apple Developer Team ID (saved for future builds)")
+    .option("--profile <profile>", "build profile (prod, preview, etc.; defaults to prod)")
+    .option("--commit <sha>", "git commit SHA (auto-resolved from current git HEAD)")
+    .option("--yes", "skip interactive permission confirmation")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (options) => {
+    ensureSignedIn();
+    const ui = new CliUi("iOS Build Start");
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    const org = inferOrgSlug(options.org);
+    const project = inferProjectSlug(options.project);
+    const team = inferAppleTeamId(options.teamId);
+    const profile = inferBuildProfile(options.profile);
+    const commit = await ui.step("Resolving build inputs", async () => inferCommitSha(options.commit));
+    ui.info(`API: ${apiBaseUrl}`);
+    ui.info(`Organization: ${org.value} (${org.source})`);
+    ui.info(`Project: ${project.value} (${project.source})`);
+    if (team.value) {
+        ui.info(`Apple Team ID: ${team.value} (${team.source})`);
+    }
+    ui.info(`Profile: ${profile.value} (${profile.source})`);
+    ui.info(`Commit: ${commit.value} (${commit.source})`);
+    ui.info("Build execution can take several minutes.");
+    const buildConsentText = `Allow Green Line to create an iOS build for ${org.value}/${project.value} using profile ${profile.value}?`;
+    const buildConsentAccepted = options.yes
+        ? true
+        : await ui.step("Requesting permission for build job", async () => promptForYes(buildConsentText));
+    await ui.step("Recording permission choice", async () => recordConsent(apiBaseUrl, {
+        orgSlug: org.value,
+        projectSlug: project.value,
+        action: "ios_build_start",
+        consentText: buildConsentText,
+        response: buildConsentAccepted ? "accepted" : "declined"
+    }));
+    if (!buildConsentAccepted) {
+        ui.complete("Build cancelled by user.");
+        console.log("build_aborted=true");
+        return;
+    }
+    if (team.value) {
+        persistCliConfig({
+            lastAppleTeamId: team.value
+        });
+    }
+    const result = await ui.step("Creating build job", async () => postJson(`${apiBaseUrl}/v1/builds`, {
+        orgSlug: org.value,
+        projectSlug: project.value,
+        profile: profile.value,
+        commitSha: commit.value
+    }));
+    await ui.step("Saving project defaults", async () => {
+        persistProjectDefaults(org.value, project.value, profile.value);
+        if (team.value) {
+            persistCliConfig({
+                lastAppleTeamId: team.value
+            });
+        }
+    });
+    ui.complete("Build job created.");
+    console.log(`build_id=${result.build.id}`);
+    console.log(`status=${result.build.status}`);
+    console.log(`created_at=${result.build.createdAt}`);
+});
+buildIos
+    .command("list")
+    .option("--org <orgSlug>", "organization slug (auto-resolved if omitted)")
+    .option("--project <projectSlug>", "project slug (auto-resolved if omitted)")
+    .option("--limit <count>", "result limit", "20")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (options) => {
+    const ui = new CliUi("iOS Build List");
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    const org = inferOrgSlug(options.org);
+    const project = inferProjectSlug(options.project);
+    ui.info(`API: ${apiBaseUrl}`);
+    ui.info(`Organization: ${org.value} (${org.source})`);
+    ui.info(`Project: ${project.value} (${project.source})`);
+    ui.info(`Limit: ${options.limit}`);
+    const url = withQuery(`${apiBaseUrl}/v1/builds`, {
+        orgSlug: org.value,
+        projectSlug: project.value,
+        limit: Number(options.limit)
+    });
+    const result = await ui.step("Loading builds", async () => getJson(url));
+    ui.complete("Build list loaded.");
+    for (const item of result.builds) {
+        console.log(`${item.id}\t${item.status}\t${item.profile}\t${item.commitSha}\t${item.createdAt}`);
+    }
+});
+buildIos
+    .command("status <buildId>")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (buildId, options) => {
+    const ui = new CliUi("iOS Build Status");
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    ui.info(`API: ${apiBaseUrl}`);
+    ui.info(`Build ID: ${buildId}`);
+    const result = await ui.step("Loading build status", async () => getJson(`${apiBaseUrl}/v1/builds/${buildId}`));
+    ui.complete("Build status loaded.");
+    console.log(`build_id=${result.build.id}`);
+    console.log(`status=${result.build.status}`);
+    if (result.build.artifactUrl) {
+        console.log(`artifact_url=${result.build.artifactUrl}`);
+    }
+    if (result.build.errorMessage) {
+        console.log(`error=${result.build.errorMessage}`);
+    }
+    console.log(`updated_at=${result.build.updatedAt}`);
+});
+buildIos
+    .command("logs <buildId>")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (buildId, options) => {
+    const ui = new CliUi("iOS Build Logs");
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    ui.info(`API: ${apiBaseUrl}`);
+    ui.info(`Build ID: ${buildId}`);
+    const result = await ui.step("Loading build logs", async () => getJson(`${apiBaseUrl}/v1/builds/${buildId}/logs`));
+    ui.complete("Build logs loaded.");
+    process.stdout.write(result.logs);
+});
+buildIos
+    .command("download <buildId>")
+    .option("--out <path>", "output file path")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (buildId, options) => {
+    const ui = new CliUi("iOS Build Artifact Download");
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    ui.info(`API: ${apiBaseUrl}`);
+    ui.info(`Build ID: ${buildId}`);
+    const buildResult = await ui.step("Loading build metadata", async () => getJson(`${apiBaseUrl}/v1/builds/${buildId}`));
+    if (!buildResult.build.artifactUrl) {
+        throw new Error("Artifact is not available yet. Wait for build status to be `succeeded`.");
+    }
+    const artifactResponse = await ui.step("Downloading artifact", async () => getBinary(`${apiBaseUrl}/v1/builds/${buildId}/artifact`));
+    const inferredName = fileNameFromContentDisposition(artifactResponse.contentDisposition)
+        ?? (() => {
+            try {
+                return basename(new URL(buildResult.build.artifactUrl).pathname);
+            }
+            catch {
+                return null;
+            }
+        })()
+        ?? `build-${buildId}.bin`;
+    const outputPath = options.out ?? inferredName;
+    await ui.step("Writing artifact to disk", async () => {
+        await writeFile(outputPath, artifactResponse.content);
+    });
+    ui.complete("Artifact download complete.");
+    console.log(`build_id=${buildId}`);
+    console.log(`output_path=${outputPath}`);
+    if (artifactResponse.contentType) {
+        console.log(`content_type=${artifactResponse.contentType}`);
+    }
+    console.log(`bytes=${artifactResponse.content.byteLength}`);
+});
+const apple = program.command("apple").description("Manage Apple credentials and signing");
+const appleConnect = apple.command("connect").description("App Store Connect API key credentials");
+const appleSigning = apple.command("signing").description("iOS signing assets generated via fastlane");
+apple
+    .command("login")
+    .requiredOption("--apple-id <appleId>", "Apple ID email")
+    .action(async (options) => {
+    const ui = new CliUi("Apple Login");
+    await ui.step("Checking fastlane installation", async () => {
+        await ensureFastlaneInstalled();
+    });
+    ui.info(`Apple ID: ${options.appleId}`);
+    ui.info("If Apple asks for a verification code, enter it in this terminal and press Return.");
+    await ui.step("Starting interactive Apple sign-in (2FA may be required)", async () => {
+        await runCommand("fastlane", ["spaceauth", "-u", options.appleId], { inherit: true });
+    });
+    ui.complete("Apple login flow completed.");
+    console.log("If prompted with FASTLANE_SESSION export text, save it in your shell profile for CI reuse.");
+});
+apple
+    .command("bootstrap")
+    .alias("setup")
+    .option("--from-expo", "best-effort automatic migration from Expo project config and local credentials")
+    .option("--auto-key-timeout <seconds>", "wait time for automatic AuthKey_*.p8 import from Downloads", "180")
+    .option("--org <orgSlug>", "organization slug (auto-derived if omitted)")
+    .option("--project <projectSlug>", "project slug (auto-derived if omitted)")
+    .option("--bundle-id <bundleId>", "iOS bundle identifier, e.g. com.acme.app (auto-generated if omitted)")
+    .requiredOption("--apple-id <appleId>", "Apple ID email")
+    .option("--team-id <teamId>", "Apple Developer Team ID")
+    .option("--issuer-id <issuerId>", "App Store Connect issuer ID (UUID)")
+    .option("--key-id <keyId>", "App Store Connect key ID (optional if .p8 file is named AuthKey_<KEY_ID>.p8)")
+    .option("--p8 <file>", "path to App Store Connect .p8 private key")
+    .option("--cert-password <password>", "password used to protect generated .p12 (optional)")
+    .option("--yes", "non-interactive mode: auto-accept Green Line prompts")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (options) => {
+    ensureSignedIn();
+    const nonInteractive = Boolean(options.yes);
+    const ui = new CliUi("Apple Bootstrap");
+    await ui.step("Checking fastlane installation", async () => {
+        await ensureFastlaneInstalled();
+    });
+    const expoHints = options.fromExpo
+        ? await ui.step("Detecting Expo project metadata", async () => detectExpoProjectHints(process.cwd()))
+        : null;
+    if (expoHints) {
+        ui.info(`Expo migration mode: enabled`);
+        if (expoHints.sourceFiles.length > 0) {
+            ui.info(`Detected config sources: ${expoHints.sourceFiles.join(", ")}`);
+        }
+    }
+    const inferredTeamFromExpo = expoHints?.appleTeamId?.trim() || null;
+    const inferredTeamFromXcode = detectAppleTeamIdFromXcodeProject(process.cwd());
+    const resolvedTeamId = options.teamId?.trim()
+        || inferredTeamFromExpo
+        || inferredTeamFromXcode
+        || null;
+    const derivedOrg = resolvedTeamId
+        ? slugify(resolvedTeamId)
+        : slugify(options.appleId.split("@")[0] ?? "apple-org");
+    const derivedProject = expoHints?.projectSlug ?? defaultProjectSlug();
+    const orgSlug = options.org ?? expoHints?.ownerSlug ?? derivedOrg;
+    const projectSlug = options.project ?? derivedProject;
+    const autoBundleId = `com.${bundleSegment(orgSlug)}.${bundleSegment(projectSlug)}`;
+    const bundleId = options.bundleId
+        ?? process.env.IOS_BUNDLE_ID
+        ?? process.env.EXPO_IOS_BUNDLE_IDENTIFIER
+        ?? expoHints?.bundleId
+        ?? autoBundleId;
+    const appName = expoHints?.appName ?? titleCase(projectSlug);
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    ui.info(`API: ${apiBaseUrl}`);
+    ui.info(`Apple ID: ${options.appleId}`);
+    if (resolvedTeamId) {
+        const teamSource = options.teamId?.trim()
+            ? "--team-id"
+            : inferredTeamFromExpo
+                ? "expo config"
+                : "xcode project";
+        ui.info(`Team ID: ${resolvedTeamId} (${teamSource})`);
+    }
+    ui.info(`Organization: ${orgSlug}`);
+    ui.info(`Project: ${projectSlug}`);
+    ui.info(`Bundle ID: ${bundleId}`);
+    ui.info(`App Name: ${appName}`);
+    ui.info("If Apple asks for a verification code, enter it in this terminal and press Return.");
+    console.log(`using_org=${orgSlug}`);
+    console.log(`using_project=${projectSlug}`);
+    console.log(`using_bundle_id=${bundleId}`);
+    console.log(`using_app_name=${appName}`);
+    if (expoHints) {
+        const pluginPackages = await ui.step("Inspecting Expo plugin package usage", async () => detectExpoPluginPackages(process.cwd()));
+        if (pluginPackages.length > 0) {
+            ui.info(`Expo plugin packages detected: ${pluginPackages.join(", ")}`);
+        }
+        const importPackages = await ui.step("Scanning source imports for Expo packages", async () => detectPackagesFromSourceImports(process.cwd()));
+        if (importPackages.length > 0) {
+            ui.info(`Expo packages detected from source imports: ${importPackages.join(", ")}`);
+        }
+        const requiredExpoPackages = Array.from(new Set([...pluginPackages, ...importPackages])).sort((a, b) => a.localeCompare(b));
+        if (requiredExpoPackages.length > 0) {
+            ui.info(`Total required Expo-related packages: ${requiredExpoPackages.length}`);
+        }
+        const installedDeps = readPackageDependencyNames(process.cwd());
+        const missingPluginPackages = requiredExpoPackages.filter((pkg) => !installedDeps.has(pkg));
+        if (missingPluginPackages.length > 0) {
+            ui.info(`Missing Expo plugin packages: ${missingPluginPackages.join(", ")}`);
+            const packageSyncConsentText = [
+                "Allow Green Line to install missing Expo-related packages detected from app config/imports and refresh iOS pods?",
+                `Packages: ${missingPluginPackages.join(", ")}`
+            ].join(" ");
+            const packageSyncAccepted = nonInteractive
+                ? true
+                : await ui.step("Requesting permission for Expo package sync", async () => promptForYes(packageSyncConsentText));
+            await ui.step("Recording permission choice", async () => recordConsent(apiBaseUrl, {
+                orgSlug,
+                projectSlug,
+                action: "expo_package_sync",
+                consentText: packageSyncConsentText,
+                response: packageSyncAccepted ? "accepted" : "declined"
+            }));
+            if (packageSyncAccepted) {
+                await ui.step("Installing missing Expo plugin packages", async () => {
+                    await runCommand("npx", ["expo", "install", ...missingPluginPackages], { inherit: true, cwd: process.cwd() });
+                });
+                if (existsSync(join(process.cwd(), "ios"))) {
+                    await ui.step("Refreshing CocoaPods for iOS project", async () => {
+                        await runCommand("npx", ["pod-install", "ios"], { inherit: true, cwd: process.cwd() });
+                    });
+                }
+            }
+            else {
+                ui.info("Continuing without Expo package sync. Build may fail if required native modules are missing.");
+            }
+        }
+    }
+    const consentText = [
+        `Allow Green Line to create/use Apple App ID (${bundleId}),`,
+        "generate signing certificate and provisioning profile,",
+        "and store encrypted signing assets for this project?"
+    ].join(" ");
+    const accepted = nonInteractive
+        ? true
+        : await ui.step("Requesting permission for Apple signing setup", async () => promptForYes(consentText));
+    await ui.step("Recording permission choice", async () => recordConsent(apiBaseUrl, {
+        orgSlug,
+        projectSlug,
+        action: "apple_signing_bootstrap",
+        consentText,
+        response: accepted ? "accepted" : "declined"
+    }));
+    if (!accepted) {
+        ui.complete("Apple bootstrap cancelled by user.");
+        console.log("bootstrap_aborted=true");
+        return;
+    }
+    const workspace = await ui.step("Preparing temporary workspace", async () => mkdtemp(join(tmpdir(), "gl-fastlane-")));
+    const certDir = join(workspace, "certs");
+    const profileDir = join(workspace, "profiles");
+    try {
+        let selectedDistributionCertId = null;
+        await ui.step("Creating workspace folders", async () => {
+            await mkdir(certDir, { recursive: true });
+            await mkdir(profileDir, { recursive: true });
+        });
+        const produceArgs = [
+            "run",
+            "produce",
+            `username:${options.appleId}`,
+            `app_identifier:${bundleId}`,
+            `app_name:${appName}`,
+            "skip_itc:true"
+        ];
+        if (resolvedTeamId) {
+            produceArgs.push(`team_id:${resolvedTeamId}`);
+        }
+        await ui.step("Ensuring Apple App ID exists", async () => {
+            try {
+                await runCommand("fastlane", produceArgs, { inherit: true });
+            }
+            catch (error) {
+                if (error instanceof CommandExecutionError) {
+                    const output = `${error.stdout}\n${error.stderr}`;
+                    if (/already exists/i.test(output)
+                        || /cannot be registered to your account/i.test(output)
+                        || /is not available/i.test(output)) {
+                        ui.info("App ID already exists, continuing.");
+                        return;
+                    }
+                    throw new Error(`${error.message}\n${output.trim()}`);
+                }
+                throw error;
+            }
+        });
+        const certArgs = [
+            "run",
+            "cert",
+            `username:${options.appleId}`,
+            "development:false",
+            "generate_apple_certs:true",
+            `output_path:${certDir}`,
+            "force:false"
+        ];
+        if (resolvedTeamId) {
+            certArgs.push(`team_id:${resolvedTeamId}`);
+        }
+        if (options.certPassword) {
+            certArgs.push(`keychain_password:${options.certPassword}`);
+        }
+        await ui.step("Generating or syncing distribution certificate", async () => {
+            try {
+                const certResult = await runCommand("fastlane", certArgs, { inherit: true });
+                const combinedOutput = `${certResult.stdout}\n${certResult.stderr}`;
+                selectedDistributionCertId = /Result:\s*([A-Z0-9]{8,})/m.exec(combinedOutput)?.[1] ?? null;
+            }
+            catch (error) {
+                if (error instanceof CommandExecutionError) {
+                    const output = `${error.stdout}\n${error.stderr}`;
+                    if (/maximum number of available Distribution certificates/i.test(output)) {
+                        if (await hasLocalDistributionIdentity()) {
+                            ui.info("Apple blocked creating another distribution certificate; using existing local distribution identity.");
+                            return;
+                        }
+                    }
+                }
+                throw error;
+            }
+        });
+        const sighArgs = [
+            "run",
+            "sigh",
+            `username:${options.appleId}`,
+            `app_identifier:${bundleId}`,
+            "skip_install:true",
+            "include_all_certificates:true",
+            `output_path:${profileDir}`,
+            "force:true"
+        ];
+        if (resolvedTeamId) {
+            sighArgs.push(`team_id:${resolvedTeamId}`);
+        }
+        if (selectedDistributionCertId) {
+            sighArgs.push(`cert_id:${selectedDistributionCertId}`);
+        }
+        await ui.step("Generating or syncing provisioning profile", async () => {
+            await runCommand("fastlane", sighArgs, { inherit: true });
+        });
+        const { p12Path, provisioningPath } = await ui.step("Finding generated signing files", async () => {
+            const p12FilePath = await findFirstFileWithExtensions(certDir, [".p12"]);
+            const profileFilePath = await findFirstFileWithExtensions(profileDir, [".mobileprovision", ".provisionprofile"]);
+            if (!profileFilePath) {
+                throw new Error(`No provisioning profile was generated in ${profileDir}`);
+            }
+            return {
+                p12Path: p12FilePath,
+                provisioningPath: profileFilePath
+            };
+        });
+        const { distributionCertP12Base64, provisioningProfileBase64 } = await ui.step("Reading signing files", async () => ({
+            distributionCertP12Base64: p12Path ? (await readFile(p12Path)).toString("base64") : undefined,
+            provisioningProfileBase64: (await readFile(provisioningPath)).toString("base64")
+        }));
+        const result = await ui.step("Uploading encrypted signing assets", async () => postJson(`${apiBaseUrl}/v1/apple/signing-assets`, {
+            orgSlug,
+            projectSlug,
+            bundleId,
+            distributionCertP12Base64,
+            distributionCertPassword: options.certPassword,
+            provisioningProfileBase64
+        }));
+        const managedConnection = await ui.step("Ensuring managed submission connection", async () => {
+            const existing = localState.appleConnections.find((item) => item.orgSlug === orgSlug && item.projectSlug === projectSlug);
+            if (existing) {
+                if (!isManagedAscConnection(existing)) {
+                    const { privateKeyPem: _privateKeyPem, ...publicConnection } = existing;
+                    return publicConnection;
+                }
+                ui.info("Existing App Store Connect key is placeholder-managed. Attempting to replace with your real key.");
+            }
+            const envP8Path = process.env.ASC_P8_PATH;
+            const envIssuerId = process.env.ASC_ISSUER_ID;
+            const envKeyId = process.env.ASC_KEY_ID;
+            let discoveredP8Path = options.p8?.trim() || null;
+            let discoveredIssuerId = options.issuerId?.trim() || (envIssuerId ?? null);
+            let discoveredKeyId = options.keyId?.trim() || (envKeyId ?? null);
+            if (discoveredP8Path && !existsSync(discoveredP8Path)) {
+                throw new Error(`Provided .p8 file does not exist: ${discoveredP8Path}`);
+            }
+            if (!discoveredP8Path && envP8Path && existsSync(envP8Path)) {
+                discoveredP8Path = envP8Path;
+            }
+            if (!discoveredP8Path && options.fromExpo) {
+                const downloadsDir = join(homedir(), "Downloads");
+                const currentNewest = await findNewestAuthKeyP8(downloadsDir);
+                if (currentNewest) {
+                    discoveredP8Path = currentNewest.path;
+                }
+                if (!discoveredP8Path) {
+                    const connectHomeUrl = "https://appstoreconnect.apple.com/";
+                    const connectApiUrl = "https://appstoreconnect.apple.com/access/api";
+                    if (!nonInteractive) {
+                        const alreadySignedIn = await ui.step("Confirming App Store Connect browser sign-in", async () => promptForYes([
+                            "Are you already signed in to App Store Connect in your browser?",
+                            "If not, choose n and Green Line will show the exact URLs and where to click."
+                        ].join(" ")));
+                        if (!alreadySignedIn) {
+                            ui.info(`Sign in first at: ${connectHomeUrl}`);
+                            ui.info(`Then open: ${connectApiUrl}`);
+                            ui.info("Navigation: Users and Access > Integrations > App Store Connect API > Create API Key.");
+                        }
+                    }
+                    else {
+                        ui.info(`Ensure you are signed in to App Store Connect: ${connectHomeUrl}`);
+                        ui.info(`If needed, go directly to API Keys: ${connectApiUrl}`);
+                    }
+                    const allowKeyAssist = nonInteractive
+                        ? true
+                        : await promptForYes([
+                            "No existing App Store Connect key file was found.",
+                            "Green Line can open the Apple keys page and auto-import AuthKey_*.p8 from Downloads.",
+                            "Proceed with assisted automatic key import?"
+                        ].join(" "));
+                    if (allowKeyAssist) {
+                        try {
+                            await runCommand("open", [connectHomeUrl]);
+                            await new Promise((resolveDelay) => setTimeout(resolveDelay, 500));
+                            await runCommand("open", [connectApiUrl]);
+                            ui.info("Opened App Store Connect sign-in and API keys pages in browser.");
+                        }
+                        catch {
+                            ui.info("Could not auto-open browser.");
+                        }
+                        ui.info(`Fallback URL (sign-in): ${connectHomeUrl}`);
+                        ui.info(`Fallback URL (API keys): ${connectApiUrl}`);
+                        ui.info("Sign in to App Store Connect, open Users and Access > Integrations > App Store Connect API, create a key, and download AuthKey_*.p8.");
+                        ui.info("Waiting for downloaded AuthKey_*.p8 in ~/Downloads...");
+                        const timeoutSeconds = Math.max(30, Number(options.autoKeyTimeout ?? "180"));
+                        const awaited = await waitForNewAuthKeyP8(downloadsDir, timeoutSeconds * 1000, currentNewest?.mtimeMs ?? 0);
+                        if (awaited) {
+                            discoveredP8Path = awaited.path;
+                        }
+                    }
+                }
+            }
+            if (discoveredP8Path) {
+                const privateKeyPem = await readFile(discoveredP8Path, "utf8");
+                if (!isAscPrivateKeyPem(privateKeyPem)) {
+                    throw new Error([
+                        `The file passed as --p8 is not an App Store Connect API private key: ${discoveredP8Path}`,
+                        "Expected a file named like AuthKey_<KEY_ID>.p8 with PKCS#8 PEM private-key content.",
+                        "Do not pass a provisioning profile (.mobileprovision) or certificate file here."
+                    ].join("\n"));
+                }
+                const inferredKeyId = inferKeyIdFromP8Path(discoveredP8Path);
+                const keyId = discoveredKeyId ?? inferredKeyId;
+                if (!keyId) {
+                    throw new Error("Could not infer App Store Connect key ID from .p8 filename. Rename it to AuthKey_<KEY_ID>.p8 or pass ASC_KEY_ID.");
+                }
+                if (!discoveredIssuerId) {
+                    const fromExistingState = localState.appleConnections.find((item) => (item.orgSlug === orgSlug
+                        && item.projectSlug === projectSlug
+                        && !isManagedAscConnection(item)
+                        && extractUuid(item.issuerId)));
+                    if (fromExistingState) {
+                        discoveredIssuerId = fromExistingState.issuerId;
+                        ui.info("Reused issuer ID from existing local App Store Connect connection.");
+                    }
+                }
+                if (!discoveredIssuerId) {
+                    const clipboardIssuer = await tryReadIssuerIdFromClipboard();
+                    if (clipboardIssuer) {
+                        discoveredIssuerId = clipboardIssuer;
+                        ui.info("Detected issuer ID from clipboard.");
+                    }
+                }
+                if (!discoveredIssuerId) {
+                    const browserIssuer = await tryReadIssuerIdFromBrowser();
+                    if (browserIssuer) {
+                        discoveredIssuerId = browserIssuer;
+                        ui.info("Detected issuer ID from open App Store Connect browser tab.");
+                    }
+                }
+                if (!discoveredIssuerId) {
+                    ui.info("Issuer ID is required for App Store Connect API keys and was not detected from environment.");
+                    ui.info("Find it in App Store Connect > Users and Access > Integrations > App Store Connect API.");
+                    if (nonInteractive) {
+                        throw new Error("Missing Issuer ID in non-interactive mode. Provide --issuer-id or set ASC_ISSUER_ID.");
+                    }
+                    discoveredIssuerId = await promptForText("Enter Issuer ID (UUID): ");
+                }
+                if (!discoveredIssuerId) {
+                    throw new Error("Missing Issuer ID. Re-run and provide ASC_ISSUER_ID, or enter it when prompted.");
+                }
+                if (!isUuid(discoveredIssuerId)) {
+                    throw new Error("Issuer ID must be a UUID from App Store Connect (Users and Access > Integrations > App Store Connect API). Do not use the Key ID as Issuer ID.");
+                }
+                const imported = await postJson(`${apiBaseUrl}/v1/apple/connections`, {
+                    orgSlug,
+                    projectSlug,
+                    issuerId: discoveredIssuerId,
+                    keyId,
+                    privateKeyPem
+                });
+                ui.info(`Submission key configured from ${discoveredP8Path}`);
+                return imported.connection;
+            }
+            throw new Error([
+                "No App Store Connect API key (.p8) is configured.",
+                "To continue: sign in to https://appstoreconnect.apple.com/access/api, create a key, download AuthKey_*.p8, then run:",
+                "gl apple connect init --issuer-id <ISSUER_ID> --key-id <KEY_ID> --p8 <path-to-AuthKey_XXXX.p8>",
+                "Or rerun with --from-expo and answer y when prompted for assisted key import."
+            ].join("\n"));
+        });
+        await ui.step("Saving project defaults", async () => {
+            persistProjectDefaults(orgSlug, projectSlug);
+            if (resolvedTeamId) {
+                persistCliConfig({
+                    lastAppleTeamId: resolvedTeamId
+                });
+            }
+        });
+        ui.complete("Apple bootstrap complete.");
+        console.log(`signing_assets_id=${result.signingAssets.id}`);
+        console.log(`org=${result.signingAssets.orgSlug}`);
+        console.log(`project=${result.signingAssets.projectSlug}`);
+        console.log(`bundle_id=${result.signingAssets.bundleId}`);
+        console.log(`connection_id=${managedConnection.id}`);
+        console.log(`updated_at=${result.signingAssets.updatedAt}`);
+    }
+    finally {
+        await rm(workspace, { recursive: true, force: true });
+    }
+});
+appleConnect
+    .command("init")
+    .alias("save-key")
+    .option("--org <orgSlug>", "organization slug (auto-resolved if omitted)")
+    .option("--project <projectSlug>", "project slug (auto-resolved if omitted)")
+    .requiredOption("--issuer-id <issuerId>", "App Store Connect issuer ID")
+    .requiredOption("--key-id <keyId>", "App Store Connect key ID")
+    .requiredOption("--p8 <file>", "path to .p8 private key")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (options) => {
+    ensureSignedIn();
+    const ui = new CliUi("Apple Connect Key Setup");
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    const org = inferOrgSlug(options.org);
+    const project = inferProjectSlug(options.project);
+    ui.info(`API: ${apiBaseUrl}`);
+    ui.info(`Organization: ${org.value} (${org.source})`);
+    ui.info(`Project: ${project.value} (${project.source})`);
+    ui.info(`Key ID: ${options.keyId}`);
+    ui.info(`Issuer ID: ${options.issuerId}`);
+    if (!isUuid(options.issuerId)) {
+        throw new Error("--issuer-id must be a UUID from App Store Connect (Users and Access > Integrations > App Store Connect API). Do not pass the Key ID here.");
+    }
+    const consentText = [
+        `Allow Green Line to store an encrypted App Store Connect API key`,
+        `for ${org.value}/${project.value}?`
+    ].join(" ");
+    const accepted = await ui.step("Requesting permission for API key storage", async () => promptForYes(consentText));
+    await ui.step("Recording permission choice", async () => recordConsent(apiBaseUrl, {
+        orgSlug: org.value,
+        projectSlug: project.value,
+        action: "apple_connect_api_key_store",
+        consentText,
+        response: accepted ? "accepted" : "declined"
+    }));
+    if (!accepted) {
+        ui.complete("Apple Connect key setup cancelled by user.");
+        console.log("connect_init_aborted=true");
+        return;
+    }
+    const privateKeyPem = await ui.step("Reading App Store Connect private key", async () => {
+        const contents = await readFile(options.p8, "utf8");
+        if (!isAscPrivateKeyPem(contents)) {
+            throw new Error([
+                `--p8 must point to an App Store Connect API key file (AuthKey_<KEY_ID>.p8): ${options.p8}`,
+                "Expected PKCS#8 PEM content with standard private-key header and footer delimiters.",
+                "Do not pass provisioning profiles (.mobileprovision) or certificate files."
+            ].join("\n"));
+        }
+        return contents;
+    });
+    const result = await ui.step("Uploading encrypted App Store Connect credentials", async () => postJson(`${apiBaseUrl}/v1/apple/connections`, {
+        orgSlug: org.value,
+        projectSlug: project.value,
+        issuerId: options.issuerId,
+        keyId: options.keyId,
+        privateKeyPem
+    }));
+    await ui.step("Saving project defaults", async () => {
+        persistProjectDefaults(org.value, project.value);
+    });
+    ui.complete("Apple Connect key setup complete.");
+    console.log(`connection_id=${result.connection.id}`);
+    console.log(`org=${result.connection.orgSlug}`);
+    console.log(`project=${result.connection.projectSlug}`);
+    console.log(`key_id=${result.connection.keyId}`);
+    console.log(`updated_at=${result.connection.updatedAt}`);
+});
+appleConnect
+    .command("status")
+    .option("--org <orgSlug>", "organization slug (auto-resolved if omitted)")
+    .option("--project <projectSlug>", "project slug (auto-resolved if omitted)")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (options) => {
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    const org = inferOrgSlug(options.org);
+    const project = inferProjectSlug(options.project);
+    const url = withQuery(`${apiBaseUrl}/v1/apple/connections`, {
+        orgSlug: org.value,
+        projectSlug: project.value
+    });
+    const result = await getJson(url);
+    console.log(`connection_id=${result.connection.id}`);
+    console.log(`issuer_id=${result.connection.issuerId}`);
+    console.log(`key_id=${result.connection.keyId}`);
+    console.log(`has_private_key=${result.connection.hasPrivateKey}`);
+    console.log(`updated_at=${result.connection.updatedAt}`);
+});
+appleSigning
+    .command("status")
+    .option("--org <orgSlug>", "organization slug (auto-resolved if omitted)")
+    .option("--project <projectSlug>", "project slug (auto-resolved if omitted)")
+    .option("--bundle-id <bundleId>", "bundle identifier (auto-resolved if omitted)")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (options) => {
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    const org = inferOrgSlug(options.org);
+    const project = inferProjectSlug(options.project);
+    const bundleId = inferBundleId(options.bundleId, org.value, project.value);
+    const url = withQuery(`${apiBaseUrl}/v1/apple/signing-assets`, {
+        orgSlug: org.value,
+        projectSlug: project.value,
+        bundleId: bundleId.value
+    });
+    const result = await getJson(url);
+    console.log(`signing_assets_id=${result.signingAssets.id}`);
+    console.log(`bundle_id=${result.signingAssets.bundleId}`);
+    console.log(`has_distribution_cert=${result.signingAssets.hasDistributionCert}`);
+    console.log(`has_provisioning_profile=${result.signingAssets.hasProvisioningProfile}`);
+    console.log(`updated_at=${result.signingAssets.updatedAt}`);
+});
+const migrate = program.command("migrate").description("Migration helpers");
+migrate
+    .command("expo")
+    .description("best-effort automatic migration from Expo project config and local credentials")
+    .requiredOption("--apple-id <appleId>", "Apple ID email")
+    .option("--org <orgSlug>", "organization slug (optional override)")
+    .option("--project <projectSlug>", "project slug (optional override)")
+    .option("--bundle-id <bundleId>", "bundle identifier (optional override)")
+    .option("--team-id <teamId>", "Apple Developer Team ID")
+    .option("--issuer-id <issuerId>", "App Store Connect issuer ID (UUID)")
+    .option("--key-id <keyId>", "App Store Connect key ID")
+    .option("--p8 <file>", "path to App Store Connect .p8 private key")
+    .option("--cert-password <password>", "password used to protect generated .p12 (optional)")
+    .option("--auto-key-timeout <seconds>", "wait time for automatic AuthKey_*.p8 import from Downloads", "180")
+    .option("--yes", "non-interactive mode: auto-accept Green Line prompts")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (options) => {
+    const args = [
+        process.argv[1],
+        "apple",
+        "setup",
+        "--from-expo",
+        "--apple-id",
+        options.appleId,
+        "--auto-key-timeout",
+        options.autoKeyTimeout
+    ];
+    if (options.org) {
+        args.push("--org", options.org);
+    }
+    if (options.project) {
+        args.push("--project", options.project);
+    }
+    if (options.bundleId) {
+        args.push("--bundle-id", options.bundleId);
+    }
+    if (options.teamId) {
+        args.push("--team-id", options.teamId);
+    }
+    if (options.issuerId) {
+        args.push("--issuer-id", options.issuerId);
+    }
+    if (options.keyId) {
+        args.push("--key-id", options.keyId);
+    }
+    if (options.p8) {
+        args.push("--p8", options.p8);
+    }
+    if (options.certPassword) {
+        args.push("--cert-password", options.certPassword);
+    }
+    if (options.yes) {
+        args.push("--yes");
+    }
+    if (options.api) {
+        args.push("--api", options.api);
+    }
+    await runCommand(process.execPath, args, { inherit: true });
+});
+const submit = program.command("submit").description("Manage submission jobs");
+const submitIos = submit.command("ios").description("iOS submission commands");
+submitIos
+    .command("preflight")
+    .description("run submission preflight checks before uploading")
+    .option("--build <buildId>", "build ID (omit to choose from recent successful builds)")
+    .option("--ipa <path>", "path to an existing .ipa file to validate")
+    .option("--org <orgSlug>", "organization slug (used when selecting build)")
+    .option("--project <projectSlug>", "project slug (used when selecting build)")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (options) => {
+    ensureSignedIn();
+    const ui = new CliUi("iOS Submission Preflight");
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    let buildId = options.build;
+    let ipaPath;
+    let orgSlug = inferOrgSlug(options.org).value;
+    let projectSlug = inferProjectSlug(options.project).value;
+    const checks = [];
+    const addCheck = (name, ok, detail) => {
+        checks.push({ name, ok, detail });
+        ui.info(`${ok ? "PASS" : "FAIL"}: ${name} — ${detail}`);
+    };
+    ui.info(`API: ${apiBaseUrl}`);
+    if (options.ipa) {
+        ipaPath = await ui.step("Validating IPA path", async () => normalizeIpaPath(options.ipa));
+    }
+    if (!buildId && !ipaPath) {
+        const filterOrg = options.org;
+        const filterProject = options.project;
+        const succeededBuilds = await ui.step("Loading recent builds", async () => listRecentSucceededBuilds({
+            orgSlug: filterOrg,
+            projectSlug: filterProject,
+            limit: 25
+        }));
+        if (succeededBuilds.length === 0) {
+            throw new Error("No succeeded builds found. Run `gl build ios start` first.");
+        }
+        const selectedBuild = await ui.step("Selecting build", async () => promptForBuildSelection(succeededBuilds));
+        buildId = selectedBuild.id;
+        orgSlug = selectedBuild.orgSlug;
+        projectSlug = selectedBuild.projectSlug;
+    }
+    let buildRecord;
+    if (buildId) {
+        buildRecord = localState.builds.find((item) => item.id === buildId);
+        if (!buildRecord) {
+            throw new Error(`Build not found: ${buildId}`);
+        }
+        orgSlug = buildRecord.orgSlug;
+        projectSlug = buildRecord.projectSlug;
+        if (!ipaPath) {
+            const artifactPath = localArtifactPathFromBuild(buildRecord);
+            if (artifactPath) {
+                ipaPath = artifactPath;
+            }
+        }
+    }
+    ui.info(`Organization: ${orgSlug}`);
+    ui.info(`Project: ${projectSlug}`);
+    if (buildId) {
+        ui.info(`Build ID: ${buildId}`);
+    }
+    if (ipaPath) {
+        ui.info(`IPA Path: ${ipaPath}`);
+    }
+    await ui.step("Checking App Store Connect credentials", async () => {
+        const connection = localState.appleConnections.find((item) => item.orgSlug === orgSlug && item.projectSlug === projectSlug);
+        addCheck("ASC connection exists", Boolean(connection), connection
+            ? `key_id=${connection.keyId}`
+            : `Run: gl apple connect init --org ${orgSlug} --project ${projectSlug} --issuer-id <UUID> --key-id <KEY_ID> --p8 <AuthKey.p8>`);
+        if (!connection) {
+            return;
+        }
+        addCheck("Issuer ID format", isUuid(connection.issuerId), connection.issuerId);
+        addCheck("Private key PEM format", isAscPrivateKeyPem(connection.privateKeyPem), "Expected BEGIN/END PRIVATE KEY markers");
+        addCheck("Key ID format", !isUuid(connection.keyId), connection.keyId);
+    });
+    await ui.step("Checking IPA artifact", async () => {
+        addCheck("IPA path resolved", Boolean(ipaPath), ipaPath ?? "No IPA path found for selected build");
+        if (!ipaPath) {
+            return;
+        }
+        const exists = existsSync(ipaPath);
+        addCheck("IPA file exists", exists, ipaPath);
+        if (!exists) {
+            return;
+        }
+        const ipaStat = await stat(ipaPath);
+        addCheck("IPA file non-empty", ipaStat.size > 0, `${ipaStat.size} bytes`);
+    });
+    await ui.step("Checking app icon and iOS metadata", async () => {
+        const iconPath = findAppStoreIconPath(process.cwd());
+        addCheck("App Store icon found", Boolean(iconPath), iconPath ?? "Could not find AppIcon.appiconset (run from app root)");
+        if (iconPath) {
+            try {
+                const alphaResult = await runCommand("sips", ["-g", "hasAlpha", iconPath]);
+                const hasAlpha = /hasAlpha:\s*yes/i.test(alphaResult.stdout);
+                addCheck("App Store icon has no alpha", !hasAlpha, iconPath);
+            }
+            catch {
+                addCheck("App Store icon has no alpha", false, `Could not inspect icon alpha: ${iconPath}`);
+            }
+        }
+        const iosDir = existsSync(join(process.cwd(), "ios")) ? join(process.cwd(), "ios") : process.cwd();
+        const infoPlistPath = findFirstFileNamed(iosDir, "Info.plist", 8);
+        addCheck("Info.plist found", Boolean(infoPlistPath), infoPlistPath ?? "Could not locate Info.plist in iOS project");
+        if (!infoPlistPath) {
+            return;
+        }
+        try {
+            const version = (await runCommand("/usr/libexec/PlistBuddy", ["-c", "Print :CFBundleShortVersionString", infoPlistPath])).stdout.trim();
+            addCheck("CFBundleShortVersionString set", version.length > 0, version || "empty");
+        }
+        catch {
+            addCheck("CFBundleShortVersionString set", false, "Missing or unreadable");
+        }
+        try {
+            const buildNumber = (await runCommand("/usr/libexec/PlistBuddy", ["-c", "Print :CFBundleVersion", infoPlistPath])).stdout.trim();
+            addCheck("CFBundleVersion set", buildNumber.length > 0, buildNumber || "empty");
+        }
+        catch {
+            addCheck("CFBundleVersion set", false, "Missing or unreadable");
+        }
+    });
+    await ui.step("Checking provisioning profile freshness", async () => {
+        const signingAsset = localState.appleSigningAssets
+            .filter((item) => item.orgSlug === orgSlug && item.projectSlug === projectSlug)
+            .sort((a, b) => b.updatedAt.localeCompare(a.updatedAt))[0];
+        const expectedBundleId = signingAsset?.bundleId ?? inferBundleId(undefined, orgSlug, projectSlug).value;
+        const localProfile = await findNewestLocalProvisioningProfile(expectedBundleId);
+        addCheck("Provisioning profile present", Boolean(localProfile), localProfile?.path ?? `No local profile found for ${expectedBundleId}`);
+        if (!localProfile) {
+            return;
+        }
+        try {
+            const profileDump = await runCommand("security", ["cms", "-D", "-i", localProfile.path]);
+            const expirationRaw = /<key>ExpirationDate<\/key>\s*<date>([^<]+)<\/date>/m.exec(profileDump.stdout)?.[1] ?? null;
+            if (!expirationRaw) {
+                addCheck("Provisioning profile not expired", false, "Could not read ExpirationDate");
+                return;
+            }
+            const expirationDate = new Date(expirationRaw);
+            const valid = Number.isFinite(expirationDate.getTime()) && expirationDate.getTime() > Date.now();
+            addCheck("Provisioning profile not expired", valid, `expires ${expirationDate.toISOString()}`);
+        }
+        catch {
+            addCheck("Provisioning profile not expired", false, "Could not parse provisioning profile");
+        }
+    });
+    const failedChecks = checks.filter((item) => !item.ok);
+    const passedChecks = checks.length - failedChecks.length;
+    console.log(`checks_total=${checks.length}`);
+    console.log(`checks_passed=${passedChecks}`);
+    console.log(`checks_failed=${failedChecks.length}`);
+    if (failedChecks.length > 0) {
+        throw new Error(`Preflight failed (${failedChecks.length} check${failedChecks.length === 1 ? "" : "s"} failed). Fix the reported checks and rerun.`);
+    }
+    ui.complete("Preflight passed. Submission checks are green.");
+});
+submitIos
+    .command("start")
+    .option("--build <buildId>", "build ID (omit to choose from recent successful builds)")
+    .option("--ipa <path>", "path to an existing .ipa file to submit directly")
+    .option("--org <orgSlug>", "organization slug (used when selecting build)")
+    .option("--project <projectSlug>", "project slug (used when selecting build)")
+    .option("--skip-preflight", "skip automatic preflight checks before upload")
+    .option("--yes", "skip interactive permission confirmation")
+    .option("--track <track>", "testflight or appstore", "testflight")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (options) => {
+    ensureSignedIn();
+    const ui = new CliUi("iOS Submission Start");
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    let buildId = options.build;
+    let ipaPath;
+    let orgSlug = inferOrgSlug(options.org).value;
+    let projectSlug = inferProjectSlug(options.project).value;
+    if (options.ipa) {
+        ipaPath = await ui.step("Validating IPA path", async () => normalizeIpaPath(options.ipa));
+    }
+    if (!buildId && !ipaPath) {
+        const filterOrg = options.org;
+        const filterProject = options.project;
+        const succeededBuilds = await ui.step("Loading recent builds", async () => listRecentSucceededBuilds({
+            orgSlug: filterOrg,
+            projectSlug: filterProject,
+            limit: 25
+        }));
+        if (succeededBuilds.length === 0) {
+            throw new Error("No succeeded builds found. Run `gl build ios start` first.");
+        }
+        const selectedBuild = await ui.step("Selecting build", async () => promptForBuildSelection(succeededBuilds));
+        buildId = selectedBuild.id;
+        orgSlug = selectedBuild.orgSlug;
+        projectSlug = selectedBuild.projectSlug;
+    }
+    if (buildId) {
+        const selectedBuild = localState.builds.find((item) => item.id === buildId);
+        if (selectedBuild) {
+            orgSlug = selectedBuild.orgSlug;
+            projectSlug = selectedBuild.projectSlug;
+        }
+    }
+    ui.info(`API: ${apiBaseUrl}`);
+    if (buildId) {
+        ui.info(`Build ID: ${buildId}`);
+    }
+    ui.info(`Organization: ${orgSlug}`);
+    ui.info(`Project: ${projectSlug}`);
+    if (ipaPath) {
+        ui.info(`IPA Path: ${ipaPath}`);
+    }
+    ui.info(`Track: ${options.track}`);
+    ui.info("Submission upload can take several minutes.");
+    if (!options.skipPreflight) {
+        ui.info("Automatic preflight is enabled.");
+        await ui.step("Running preflight checks", async () => {
+            const args = [
+                process.argv[1],
+                "submit",
+                "ios",
+                "preflight",
+                "--api",
+                apiBaseUrl,
+                "--org",
+                orgSlug,
+                "--project",
+                projectSlug
+            ];
+            if (buildId) {
+                args.push("--build", buildId);
+            }
+            if (ipaPath) {
+                args.push("--ipa", ipaPath);
+            }
+            await runCommand(process.execPath, args, { inherit: true });
+        });
+    }
+    else {
+        ui.info("Skipping preflight checks (--skip-preflight).");
+    }
+    const submissionConsentText = buildId
+        ? `Allow Green Line to upload build ${buildId} to App Store Connect (${options.track}) for ${orgSlug}/${projectSlug}?`
+        : `Allow Green Line to upload the selected IPA to App Store Connect (${options.track}) for ${orgSlug}/${projectSlug}?`;
+    const submissionConsentAccepted = options.yes
+        ? true
+        : await ui.step("Requesting permission for submission upload", async () => promptForYes(submissionConsentText));
+    await ui.step("Recording permission choice", async () => recordConsent(apiBaseUrl, {
+        orgSlug,
+        projectSlug,
+        action: "ios_submission_start",
+        consentText: submissionConsentText,
+        response: submissionConsentAccepted ? "accepted" : "declined"
+    }));
+    if (!submissionConsentAccepted) {
+        ui.complete("Submission cancelled by user.");
+        console.log("submission_aborted=true");
+        return;
+    }
+    const result = await ui.step("Creating submission job", async () => postJson(`${apiBaseUrl}/v1/submissions`, {
+        buildId,
+        ipaPath,
+        orgSlug,
+        projectSlug,
+        track: options.track
+    }));
+    ui.complete("Submission job created.");
+    console.log(`submission_id=${result.submission.id}`);
+    console.log(`status=${result.submission.status}`);
+    console.log(`track=${result.submission.track}`);
+    console.log(`created_at=${result.submission.createdAt}`);
+});
+submitIos
+    .command("list")
+    .option("--org <orgSlug>", "organization slug (auto-resolved if omitted)")
+    .option("--project <projectSlug>", "project slug (auto-resolved if omitted)")
+    .option("--limit <count>", "result limit", "20")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (options) => {
+    const ui = new CliUi("iOS Submission List");
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    const org = inferOrgSlug(options.org);
+    const project = inferProjectSlug(options.project);
+    ui.info(`API: ${apiBaseUrl}`);
+    ui.info(`Organization: ${org.value} (${org.source})`);
+    ui.info(`Project: ${project.value} (${project.source})`);
+    ui.info(`Limit: ${options.limit}`);
+    const url = withQuery(`${apiBaseUrl}/v1/submissions`, {
+        orgSlug: org.value,
+        projectSlug: project.value,
+        limit: Number(options.limit)
+    });
+    const result = await ui.step("Loading submissions", async () => getJson(url));
+    ui.complete("Submission list loaded.");
+    for (const item of result.submissions) {
+        console.log(`${item.id}\t${item.status}\t${item.track}\t${item.buildId}\t${item.createdAt}`);
+    }
+});
+submitIos
+    .command("status <submissionId>")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (submissionId, options) => {
+    const ui = new CliUi("iOS Submission Status");
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    ui.info(`API: ${apiBaseUrl}`);
+    ui.info(`Submission ID: ${submissionId}`);
+    const result = await ui.step("Loading submission status", async () => getJson(`${apiBaseUrl}/v1/submissions/${submissionId}`));
+    ui.complete("Submission status loaded.");
+    console.log(`submission_id=${result.submission.id}`);
+    console.log(`status=${result.submission.status}`);
+    console.log(`track=${result.submission.track}`);
+    if (result.submission.externalSubmissionId) {
+        console.log(`external_submission_id=${result.submission.externalSubmissionId}`);
+    }
+    if (result.submission.errorMessage) {
+        console.log(`error=${result.submission.errorMessage}`);
+    }
+    console.log(`updated_at=${result.submission.updatedAt}`);
+});
+submitIos
+    .command("logs <submissionId>")
+    .option("--api <baseUrl>", "API base URL")
+    .action(async (submissionId, options) => {
+    const ui = new CliUi("iOS Submission Logs");
+    const apiBaseUrl = getApiBaseUrl(options.api);
+    ui.info(`API: ${apiBaseUrl}`);
+    ui.info(`Submission ID: ${submissionId}`);
+    const result = await ui.step("Loading submission logs", async () => getJson(`${apiBaseUrl}/v1/submissions/${submissionId}/logs`));
+    ui.complete("Submission logs loaded.");
+    process.stdout.write(result.logs);
+});
+program.parseAsync(process.argv).catch((error) => {
+    console.error(error.message);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map