kasy-cli 1.32.0 → 1.34.0

package/lib/scaffold/CHANGELOG.json

@@ -1,4 +1,22 @@
 {
+  "1.34.0": {
+    "modules": {
+      "core": {
+        "pt": "Login com Facebook automatizado + Facebook na web (Firebase): novo comando `kasy facebook` guia os passos na Meta (abre o link), grava App ID + Client Token no iOS/Android e habilita o provedor no Firebase (Identity Toolkit) ou Supabase. No Firebase, o Facebook passa a funcionar na WEB (signInWithPopup) e o botão só aparece quando configurado (flag withFacebookWebSignin). Apple/Facebook na web no Supabase ficam como native-only (roadmap). Corrigido: o `kasy apple-web` agora liga o Apple web só no Firebase (não cria mais botão morto no Supabase). Credenciais ficam salvas e o `kasy new` aplica sozinho.",
+        "en": "Facebook Login automated + Facebook on web (Firebase): new `kasy facebook` command guides the Meta steps (opens the link), writes App ID + Client Token into iOS/Android and enables the provider on Firebase (Identity Toolkit) or Supabase. On Firebase, Facebook now works on the WEB (signInWithPopup) and the button only shows once configured (withFacebookWebSignin flag). Apple/Facebook on web for Supabase stay native-only (roadmap). Fixed: `kasy apple-web` now enables Apple web on Firebase only (no more dead button on Supabase). Credentials are cached and `kasy new` applies them automatically.",
+        "es": "Inicio de sesión con Facebook automatizado + Facebook en la web (Firebase): nuevo comando `kasy facebook` guía los pasos en Meta (abre el enlace), escribe App ID + Client Token en iOS/Android y habilita el proveedor en Firebase (Identity Toolkit) o Supabase. En Firebase, Facebook ahora funciona en la WEB (signInWithPopup) y el botón solo aparece cuando está configurado (flag withFacebookWebSignin). Apple/Facebook en la web para Supabase quedan como native-only (roadmap). Corregido: `kasy apple-web` ahora activa Apple web solo en Firebase (sin botón muerto en Supabase). Las credenciales se guardan y `kasy new` las aplica automáticamente."
+      }
+    }
+  },
+  "1.33.0": {
+    "modules": {
+      "core": {
+        "pt": "Login com Apple na WEB agora é automatizável (backend Firebase): novo comando `kasy apple-web` grava o codeFlowConfig (Service ID + Team ID + Key ID + .p8) no provedor Apple do Firebase, que re-assina o secret sozinho (não expira), reaproveitando suas credenciais salvas. Projetos Firebase novos já nascem com Apple web se você já configurou antes. O botão Apple na web só aparece quando funciona de verdade (sem botão morto); `kasy doctor` mostra se falta configurar. No Supabase, Apple na web é roadmap.",
+        "en": "Apple Sign-In on the WEB is now automatable (Firebase backend): new `kasy apple-web` command writes the codeFlowConfig (Service ID + Team ID + Key ID + .p8) into the Firebase Apple provider, which re-signs the secret itself (never expires), reusing your saved credentials. New Firebase projects ship web Apple ready if you configured it before. The web Apple button only shows when it actually works (no dead button); `kasy doctor` reports if it's pending. On Supabase, Apple on web is roadmap.",
+        "es": "El inicio de sesión con Apple en la WEB ahora es automatizable (backend Firebase): nuevo comando `kasy apple-web` escribe el codeFlowConfig (Service ID + Team ID + Key ID + .p8) en el proveedor Apple de Firebase, que vuelve a firmar el secret solo (no expira), reutilizando tus credenciales guardadas. Los proyectos Firebase nuevos vienen con Apple web listo si ya lo configuraste antes. El botón de Apple en la web solo aparece cuando funciona de verdad (sin botón muerto); `kasy doctor` indica si falta configurar. En Supabase, Apple en la web es roadmap."
+      }
+    }
+  },
   "1.32.0": {
     "modules": {
       "core": {

package/lib/scaffold/backends/firebase/setup-from-scratch.js

@@ -764,6 +764,168 @@ async function authorizeLocalhostForProject(projectId) {
   return ensureLocalhostAuthorizedDomains(projectId, token);
 }
 
+/**
+ * Configure Apple Sign-In on Firebase for the WEB (and the OAuth code flow) by
+ * writing the Apple provider's codeFlowConfig (Service ID + Team ID + Key ID +
+ * `.p8`) via the Identity Toolkit Admin v2 API. Once stored, Firebase re-signs the
+ * short-lived client secret itself, so it never expires.
+ *
+ * Existing bundleIds (used by the native iOS flow) are preserved and the project's
+ * own bundleId is merged in, so configuring web never breaks native.
+ *
+ * @param {object} opts
+ * @param {string} opts.projectId
+ * @param {string} opts.serviceId  - Apple Service ID (becomes the provider clientId)
+ * @param {string} opts.teamId
+ * @param {string} opts.keyId
+ * @param {string} opts.privateKey - PEM contents of the .p8
+ * @param {string} [opts.bundleId] - app bundle id to keep allowed for native sign-in
+ * @returns {{ ok: boolean, error?: string }}
+ */
+async function configureFirebaseAppleWeb({ projectId, serviceId, teamId, keyId, privateKey, bundleId }) {
+  if (!serviceId || !teamId || !keyId || !privateKey) {
+    return { ok: false, error: 'serviceId, teamId, keyId and privateKey are required' };
+  }
+  let token;
+  try {
+    token = await getAccessToken();
+  } catch (_) {
+    return { ok: false, error: 'Could not get access token' };
+  }
+
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    'Content-Type': 'application/json',
+    'X-Goog-User-Project': projectId,
+  };
+  const base = `https://identitytoolkit.googleapis.com/admin/v2/projects/${projectId}/defaultSupportedIdpConfigs`;
+
+  // Read the current Apple config (if any) so we preserve the native bundleIds.
+  let existing = null;
+  try {
+    const getRes = await fetch(`${base}/apple.com`, { headers });
+    if (getRes.ok) existing = await getRes.json();
+  } catch (_) {
+    // No existing config (or transient) — we'll create it below.
+  }
+
+  const bundleIds = Array.from(
+    new Set([...(existing?.appleSignInConfig?.bundleIds || []), bundleId].filter(Boolean)),
+  );
+
+  const body = {
+    name: `projects/${projectId}/defaultSupportedIdpConfigs/apple.com`,
+    enabled: true,
+    clientId: serviceId,
+    appleSignInConfig: {
+      codeFlowConfig: { teamId, keyId, privateKey },
+      ...(bundleIds.length ? { bundleIds } : {}),
+    },
+  };
+
+  try {
+    if (existing) {
+      const res = await fetch(`${base}/apple.com?updateMask=enabled,clientId,appleSignInConfig`, {
+        method: 'PATCH',
+        headers,
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) {
+        const text = await res.text();
+        return { ok: false, error: `PATCH failed (${res.status}): ${text.slice(0, 200)}` };
+      }
+    } else {
+      const res = await fetch(`${base}?idpId=apple.com`, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) {
+        const text = await res.text();
+        // Raced with another writer — fall back to PATCH.
+        if (res.status === 409 || text.includes('ALREADY_EXISTS')) {
+          const patchRes = await fetch(`${base}/apple.com?updateMask=enabled,clientId,appleSignInConfig`, {
+            method: 'PATCH',
+            headers,
+            body: JSON.stringify(body),
+          });
+          if (!patchRes.ok) {
+            const t2 = await patchRes.text();
+            return { ok: false, error: `PATCH failed (${patchRes.status}): ${t2.slice(0, 200)}` };
+          }
+        } else {
+          return { ok: false, error: `POST failed (${res.status}): ${text.slice(0, 200)}` };
+        }
+      }
+    }
+  } catch (err) {
+    return { ok: false, error: `Network error: ${err.message}` };
+  }
+
+  return { ok: true };
+}
+
+/**
+ * Enable the Facebook provider on Firebase via the Identity Toolkit Admin v2 API.
+ * Needs the Meta App ID (clientId) + App Secret (clientSecret). The native App ID /
+ * Client Token live in Info.plist / strings.xml and are written separately.
+ *
+ * @param {object} opts - { projectId, appId, appSecret }
+ * @returns {{ ok: boolean, error?: string }}
+ */
+async function configureFirebaseFacebook({ projectId, appId, appSecret }) {
+  if (!appId || !appSecret) {
+    return { ok: false, error: 'appId and appSecret are required' };
+  }
+  let token;
+  try {
+    token = await getAccessToken();
+  } catch (_) {
+    return { ok: false, error: 'Could not get access token' };
+  }
+
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    'Content-Type': 'application/json',
+    'X-Goog-User-Project': projectId,
+  };
+  const base = `https://identitytoolkit.googleapis.com/admin/v2/projects/${projectId}/defaultSupportedIdpConfigs`;
+  const body = {
+    name: `projects/${projectId}/defaultSupportedIdpConfigs/facebook.com`,
+    enabled: true,
+    clientId: appId,
+    clientSecret: appSecret,
+  };
+
+  try {
+    let res = await fetch(`${base}?idpId=facebook.com`, {
+      method: 'POST',
+      headers,
+      body: JSON.stringify(body),
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      if (res.status === 409 || text.includes('ALREADY_EXISTS')) {
+        res = await fetch(`${base}/facebook.com?updateMask=enabled,clientId,clientSecret`, {
+          method: 'PATCH',
+          headers,
+          body: JSON.stringify(body),
+        });
+        if (!res.ok) {
+          const t2 = await res.text();
+          return { ok: false, error: `PATCH failed (${res.status}): ${t2.slice(0, 200)}` };
+        }
+      } else {
+        return { ok: false, error: `POST failed (${res.status}): ${text.slice(0, 200)}` };
+      }
+    }
+  } catch (err) {
+    return { ok: false, error: `Network error: ${err.message}` };
+  }
+
+  return { ok: true };
+}
+
 /**
  * Initialize Firebase Auth (Identity Platform) for a project. Brand-new projects
  * have no auth config, so any Admin v2 operation (PATCH /config, or the Firebase
@@ -1299,6 +1461,8 @@ module.exports = {
   ensureFirebaseAuthInitialized,
   ensureLocalhostAuthorizedDomains,
   authorizeLocalhostForProject,
+  configureFirebaseAppleWeb,
+  configureFirebaseFacebook,
   listBillingAccounts,
   listGcpOrganizations,
   checkGcloudAuth,

package/lib/scaffold/backends/supabase/deploy.js

@@ -15,6 +15,7 @@ const path = require('node:path');
 const os = require('node:os');
 const fs = require('fs-extra');
 const { augmentedEnv } = require('../../../utils/env-tools');
+const { signAppleClientSecret } = require('../../../utils/apple-web');
 
 const execAsync = promisify(exec);
 
@@ -407,6 +408,95 @@ async function enableAppleSignIn(projectRef, bundleId) {
   return { ok: false, error: result.data.message || JSON.stringify(result.data) };
 }
 
+/**
+ * GET the current Supabase auth config (read-only). Used to merge values we must
+ * not clobber (e.g. the native bundle id already in external_apple_client_id).
+ */
+async function getSupabaseAuthConfig(projectRef, token) {
+  try {
+    const res = await fetch(`https://api.supabase.com/v1/projects/${projectRef}/config/auth`, {
+      headers: { Authorization: `Bearer ${token}` },
+    });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Enable Apple Sign-In on the WEB for Supabase.
+ *
+ * Unlike Firebase (which stores the .p8 and re-signs), Supabase stores a static,
+ * pre-signed client secret JWT that expires every ~6 months. We sign it here with
+ * the developer's `.p8` and write it as external_apple_secret. The Service ID is
+ * added to external_apple_client_id (the audience list) alongside the native bundle
+ * id, so both native iOS and the web OAuth flow validate.
+ *
+ * @param {string} projectRef
+ * @param {object} opts - { serviceId, teamId, keyId, privateKey, bundleId? }
+ * @returns {{ ok: boolean, error?: string, expiresAt?: number }}
+ */
+async function enableAppleWebSignIn(projectRef, { serviceId, teamId, keyId, privateKey, bundleId } = {}) {
+  if (!serviceId || !teamId || !keyId || !privateKey) {
+    return { ok: false, error: 'serviceId, teamId, keyId and privateKey are required' };
+  }
+  const token = await getSupabaseAccessToken();
+  if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
+
+  let secret;
+  let expiresAt;
+  try {
+    ({ token: secret, expiresAt } = signAppleClientSecret({ serviceId, teamId, keyId, privateKey }));
+  } catch (err) {
+    return { ok: false, error: err.message };
+  }
+
+  // Merge the Service ID into the existing audience list without dropping the
+  // native bundle id the CLI set at creation.
+  const current = await getSupabaseAuthConfig(projectRef, token);
+  const existingIds = String(current?.external_apple_client_id || '')
+    .split(',')
+    .map((s) => s.trim())
+    .filter(Boolean);
+  const clientIds = Array.from(new Set([...existingIds, bundleId, serviceId].filter(Boolean))).join(',');
+
+  const result = await patchAuthConfig(projectRef, token, {
+    external_apple_enabled: true,
+    external_apple_client_id: clientIds,
+    external_apple_secret: secret,
+  });
+  if (!result.ok) return { ok: false, error: result.error };
+  if (result.data.external_apple_enabled === true) return { ok: true, expiresAt };
+  return { ok: false, error: result.data.message || JSON.stringify(result.data) };
+}
+
+/**
+ * Enable the Facebook provider on Supabase via the Management API.
+ * Needs the Meta App ID (client_id) + App Secret (secret). The native App ID /
+ * Client Token live in Info.plist / strings.xml and are written separately.
+ *
+ * @param {string} projectRef
+ * @param {object} opts - { appId, appSecret }
+ * @returns {{ ok: boolean, error?: string }}
+ */
+async function enableFacebookSignIn(projectRef, { appId, appSecret } = {}) {
+  if (!appId || !appSecret) {
+    return { ok: false, error: 'appId and appSecret are required' };
+  }
+  const token = await getSupabaseAccessToken();
+  if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
+
+  const result = await patchAuthConfig(projectRef, token, {
+    external_facebook_enabled: true,
+    external_facebook_client_id: appId,
+    external_facebook_secret: appSecret,
+  });
+  if (!result.ok) return { ok: false, error: result.error };
+  if (result.data.external_facebook_enabled === true) return { ok: true };
+  return { ok: false, error: result.data.message || JSON.stringify(result.data) };
+}
+
 /**
  * Configure auth settings via Supabase Management API:
  *  - Enable anonymous sign-in
@@ -717,6 +807,8 @@ module.exports = {
   enableAnonymousSignIn,
   enableGoogleSignIn,
   enableAppleSignIn,
+  enableAppleWebSignIn,
+  enableFacebookSignIn,
   checkLoggedIn,
   getOrgsList,
   getProjectsByOrg,

package/lib/scaffold/backends/supabase/patch/lib/features/authentication/api/authentication_api.dart

@@ -192,6 +192,11 @@ Note: wait a minute after enabling anonymous sign-in before trying again. It tak
 
   @override
   Future<Credentials> signinWithFacebook() async {
+    // Facebook on web for Supabase is not wired yet (roadmap); the button is hidden
+    // on web, so this is a defensive guard.
+    if (kIsWeb) {
+      throw ApiError(code: 501, message: 'Facebook sign-in on web is not supported on Supabase.');
+    }
     final loginResult = await FacebookAuth.instance.login(
       permissions: ['email', 'public_profile'],
     );
@@ -439,6 +444,11 @@ Note: wait a minute after enabling anonymous sign-in before trying again. It tak
 
   @override
   Future<Credentials> signupFromAnonymousWithFacebook() async {
+    // Facebook on web for Supabase is not wired yet (roadmap); the button is hidden
+    // on web, so this is a defensive guard.
+    if (kIsWeb) {
+      throw ApiError(code: 501, message: 'Facebook sign-in on web is not supported on Supabase.');
+    }
     final loginResult = await FacebookAuth.instance.login(
       permissions: ['email', 'public_profile'],
     );

package/lib/scaffold/shared/generator-utils.js

@@ -340,6 +340,7 @@ async function writeRouter(projectDir, modules, packageName, defaultPaywall = 'b
   lines.push(`import 'package:flutter_riverpod/flutter_riverpod.dart';`);
   lines.push(`import 'package:go_router/go_router.dart';`);
   lines.push(`import 'package:${pkg}/core/bottom_menu/bottom_menu.dart';`);
+  lines.push(`import 'package:${pkg}/core/chrome/chrome_visibility.dart';`);
   if (withAnalytics) {
     lines.push(`import 'package:${pkg}/core/data/api/analytics_api.dart';`);
   }
@@ -417,6 +418,7 @@ async function writeRouter(projectDir, modules, packageName, defaultPaywall = 'b
   if (withAnalytics) {
     lines.push(`      AnalyticsObserver(analyticsApi: MixpanelAnalyticsApi.instance()),`);
   }
+  lines.push(`      KasyChromeVisibilityObserver(),`);
   lines.push(`      ...?observers,`);
   lines.push(`    ],`);
   lines.push(`    routes: [`);
@@ -624,10 +626,15 @@ async function writeFeaturesConfig(projectDir, modules, answers = {}, language =
   const withStripe              = modules.includes('stripe');
   const withLocalReminders  = modules.includes('local_reminders');
   const withWeb                 = modules.includes('web');
-  // Apple sign-in on web only works on Firebase (signInWithPopup). Supabase/API
-  // throw on web (no Service ID + token exchange), so they must ship this false
-  // and hide the Apple button on web. Native always shows it.
-  const withAppleWebSignin = backend === 'firebase';
+  // Apple sign-in on web needs a Service ID + signed secret that don't exist until
+  // the developer configures it (`kasy apple-web`). Until then, showing the button
+  // means a dead button on web, so it ships false on every backend and the command
+  // flips it to true once web Apple actually works. Native always shows it.
+  const withAppleWebSignin = false;
+  // Facebook sign-in on web works on the Firebase backend (signInWithPopup) after
+  // `kasy facebook`; on Supabase the web flow isn't wired yet (roadmap). Ships false
+  // on every backend (the command flips it to true on Firebase). Native always shows.
+  const withFacebookWebSignin = false;
 
   const f = getStrings(language).features;
   const content = `${f.comment1}
@@ -644,9 +651,14 @@ const bool withStripePromoCodes = true;
 // When true, the Stripe Customer Portal lets subscribers switch plans (upgrade / downgrade).
 const bool withStripePlanSwitching = true;
 const bool withLocalReminders  = ${withLocalReminders};
-// Apple sign-in on web: Firebase supports it (signInWithPopup); Supabase/API throw
-// on web, so they ship false. Native always shows the Apple button.
+// Apple sign-in on web: ships false until configured with \`kasy apple-web\` (needs a
+// paid Apple Service ID + signed secret). The command flips this to true once web
+// Apple actually works, so the button never appears dead. Native always shows it.
 const bool withAppleWebSignin = ${withAppleWebSignin};
+// Facebook sign-in on web: ships false until configured with \`kasy facebook\` on the
+// Firebase backend (signInWithPopup). On Supabase the web flow is roadmap, so it stays
+// false there. Native (iOS/Android) always shows the Facebook button.
+const bool withFacebookWebSignin = ${withFacebookWebSignin};
 ${f.comment3}
 ${f.comment4}
 ${f.comment5}

package/lib/utils/apple-web.js

@@ -0,0 +1,147 @@
+/**
+ * Apple "Sign in with Apple" WEB support helpers.
+ *
+ * The native iOS/macOS flow needs no secret — the CLI already enables it on both
+ * backends at project creation. The WEB (and Android, which we hide) flow uses
+ * Apple's OAuth, which requires a Service ID + a client secret that is a short-lived
+ * JWT signed with the developer's `.p8` private key.
+ *
+ * Apple offers NO API to create the Service ID or the `.p8` key — those stay manual
+ * on developer.apple.com (done once per Apple account). What we CAN automate is
+ * taking the four inputs the developer already created and pushing them to the
+ * backend:
+ *   - Firebase: store Service ID + Team ID + Key ID + `.p8` in the Apple provider
+ *     (Firebase re-signs the JWT itself, so it never expires).
+ *   - Supabase: sign the JWT here and store it as external_apple_secret (Supabase
+ *     cannot re-sign, so this expires every 6 months and must be regenerated).
+ *
+ * This module: (1) signs the Apple client-secret JWT with node:crypto (no extra
+ * dependency), and (2) caches the four inputs in ~/.kasy/apple-web.json so future
+ * projects (and the 6-month Supabase renewal) configure web Apple without re-asking.
+ */
+
+const os = require('node:os');
+const path = require('node:path');
+const crypto = require('node:crypto');
+const fs = require('fs-extra');
+
+// Apple caps the client-secret JWT lifetime at 6 months. We sign for 180 days to
+// stay safely under the limit. Firebase ignores this (it re-signs); Supabase stores
+// the JWT verbatim, so this is the value behind its "expires every 6 months" notice.
+const APPLE_SECRET_MAX_SECONDS = 180 * 24 * 60 * 60;
+
+const CONFIG_DIR = path.join(os.homedir(), '.kasy');
+const APPLE_WEB_CONFIG_PATH = path.join(CONFIG_DIR, 'apple-web.json');
+
+/** base64url-encode a string or Buffer (no padding, URL-safe alphabet). */
+function base64url(input) {
+  return Buffer.from(input)
+    .toString('base64')
+    .replace(/=+$/g, '')
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_');
+}
+
+/**
+ * Normalize a `.p8` private key that may arrive with literal "\n" sequences
+ * (common when pasted from a one-line env var) into real newlines so
+ * crypto.createPrivateKey can parse the PEM.
+ */
+function normalizePrivateKey(privateKey) {
+  const key = String(privateKey || '').trim();
+  if (key.includes('-----BEGIN') && !key.includes('\n') && key.includes('\\n')) {
+    return key.replace(/\\n/g, '\n');
+  }
+  return key;
+}
+
+/**
+ * Sign the Apple "Sign in with Apple" client secret (an ES256 JWT).
+ *
+ * @param {object} opts
+ * @param {string} opts.serviceId   - Apple Service ID (the OAuth client_id), e.g. com.acme.app.signin
+ * @param {string} opts.teamId      - Apple Developer Team ID
+ * @param {string} opts.keyId       - Key ID of the .p8
+ * @param {string} opts.privateKey  - PEM contents of the .p8 (PKCS#8 EC P-256)
+ * @param {number} [opts.expiresInSeconds] - lifetime; clamped to Apple's 6-month max
+ * @returns {{ token: string, issuedAt: number, expiresAt: number }}
+ */
+function signAppleClientSecret({ serviceId, teamId, keyId, privateKey, expiresInSeconds = APPLE_SECRET_MAX_SECONDS } = {}) {
+  if (!serviceId) throw new Error('serviceId (Apple Service ID) is required');
+  if (!teamId) throw new Error('teamId (Apple Team ID) is required');
+  if (!keyId) throw new Error('keyId is required');
+  if (!privateKey) throw new Error('privateKey (.p8 contents) is required');
+
+  const issuedAt = Math.floor(Date.now() / 1000);
+  const expiresAt = issuedAt + Math.min(expiresInSeconds, APPLE_SECRET_MAX_SECONDS);
+
+  const header = { alg: 'ES256', kid: keyId };
+  const payload = {
+    iss: teamId,
+    iat: issuedAt,
+    exp: expiresAt,
+    aud: 'https://appleid.apple.com',
+    sub: serviceId,
+  };
+
+  const signingInput = `${base64url(JSON.stringify(header))}.${base64url(JSON.stringify(payload))}`;
+
+  let keyObject;
+  try {
+    keyObject = crypto.createPrivateKey(normalizePrivateKey(privateKey));
+  } catch (err) {
+    throw new Error(`Invalid Apple .p8 private key: ${err.message}`);
+  }
+
+  // ES256 JWTs need the raw r||s signature (IEEE P1363), not DER.
+  const signature = crypto.sign('sha256', Buffer.from(signingInput), {
+    key: keyObject,
+    dsaEncoding: 'ieee-p1363',
+  });
+
+  return { token: `${signingInput}.${base64url(signature)}`, issuedAt, expiresAt };
+}
+
+/**
+ * Load cached Apple web credentials from ~/.kasy/apple-web.json.
+ * Returns null if absent or incomplete.
+ */
+async function loadAppleWebCreds() {
+  try {
+    if (!(await fs.pathExists(APPLE_WEB_CONFIG_PATH))) return null;
+    const data = await fs.readJson(APPLE_WEB_CONFIG_PATH);
+    if (!data || !data.serviceId || !data.teamId || !data.keyId || !data.privateKey) return null;
+    return data;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Persist Apple web credentials to ~/.kasy/apple-web.json with 0600 perms so the
+ * 6-month Supabase renewal and future projects can reuse them without re-asking.
+ */
+async function saveAppleWebCreds({ serviceId, teamId, keyId, privateKey }) {
+  await fs.ensureDir(CONFIG_DIR);
+  await fs.writeJson(
+    APPLE_WEB_CONFIG_PATH,
+    { serviceId, teamId, keyId, privateKey: normalizePrivateKey(privateKey) },
+    { spaces: 2 },
+  );
+  // Best effort: restrict to the owner (no-op / unsupported on some Windows setups).
+  try {
+    await fs.chmod(APPLE_WEB_CONFIG_PATH, 0o600);
+  } catch {
+    /* ignore */
+  }
+}
+
+module.exports = {
+  APPLE_SECRET_MAX_SECONDS,
+  APPLE_WEB_CONFIG_PATH,
+  base64url,
+  normalizePrivateKey,
+  signAppleClientSecret,
+  loadAppleWebCreds,
+  saveAppleWebCreds,
+};