shippilot 0.0.1

package/CHANGELOG.md

@@ -0,0 +1,15 @@
+# Changelog
+
+All notable changes to ShipPilot will be documented in this file.
+
+## 0.0.1 - 2026-05-31
+
+### Added
+
+- Initial public npm release of the `shippilot` CLI.
+- Markdown QA case parsing with required environment variable checks.
+- Codex SDK execution path for agentic iOS QA runs.
+- XcodeBuildMCP-backed iOS simulator doctor and run support.
+- JSON, Markdown, and JUnit report output.
+- GitHub Actions and Bitrise usage examples.
+- npm release workflow for future trusted publishing releases.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Mahmoud Ashraf
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,241 @@
+<p align="center">
+  <img src="assets/shippilot-icon.png" alt="ShipPilot icon" width="180">
+</p>
+
+# ShipPilot
+
+[![CI](https://github.com/mahmoudashraf93/ShipPilot/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/mahmoudashraf93/ShipPilot/actions/workflows/ci.yml)
+[![npm version](https://img.shields.io/npm/v/shippilot.svg)](https://www.npmjs.com/package/shippilot)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+
+ShipPilot is an open-source agentic QA runner for mobile apps. v1 focuses on iOS simulator testing: teams write Markdown QA cases, run them from GitHub Actions, Bitrise, or local CI, and fail the pipeline when Codex cannot verify expected app behavior.
+
+ShipPilot is intentionally test-and-report only. It does not edit source files, create patches, commit, push, or open pull requests.
+
+## Quick Start
+
+Prerequisites:
+
+- macOS with Xcode for iOS simulator runs.
+- Node.js 20+.
+- One supported Codex auth mode.
+
+```bash
+npx shippilot init
+npx shippilot doctor
+npx shippilot run --case qa/login.md --verbose
+```
+
+## Usage Guide
+
+ShipPilot reads `shippilot.yml` by default.
+
+```yaml
+codex:
+  engine: sdk
+  auth: api_key # api_key | access_token | chatgpt_hosted_experimental
+  model: default
+  sandbox: danger-full-access
+  fail_on: failed_or_blocked
+  verbose: false
+  allow_experimental_personal_hosted_auth: false
+
+ios:
+  project: MyApp.xcodeproj
+  bundle_id:
+  scheme: MyApp
+  simulator: iPhone 17 Pro
+  backend: xcodebuildmcp
+  configuration: Debug
+
+reports:
+  output_dir: .shippilot
+  markdown: true
+  json: true
+  junit: true
+  screenshots: true
+  logs: true
+```
+
+Use either `ios.project` or `ios.workspace`, not both. Add `ios.bundle_id` when available; it avoids a separate bundle-id discovery step during CI.
+
+### QA Cases
+
+QA cases are Markdown files with YAML front matter:
+
+```md
+---
+id: login-happy-path
+title: Login happy path
+required_env:
+  - TEST_EMAIL
+  - TEST_PASSWORD
+tags:
+  - release
+  - smoke
+---
+
+Launch the app.
+Dismiss onboarding, permission prompts, or paywalls if they appear.
+Enter `${TEST_EMAIL}` and `${TEST_PASSWORD}`.
+Tap Log In.
+Expect the Home screen to be visible.
+```
+
+Environment placeholders are resolved at runtime and redacted from prompts, logs, reports, and artifacts. Declare every secret placeholder in `required_env`; missing required variables fail setup before the agent runs.
+
+### Running Cases
+
+```bash
+npx shippilot doctor
+npx shippilot run --case qa/login.md
+npx shippilot run --cases qa/
+```
+
+Use verbose mode while developing or debugging CI:
+
+```bash
+npx shippilot run --case qa/login.md --verbose
+```
+
+Verbose mode streams XcodeBuildMCP output and Codex SDK events, including progress, tool calls, command executions, reasoning summaries, errors, and token usage. It does not expose private model chain-of-thought.
+
+## Auth Modes
+
+Choose one auth mode:
+
+- `api_key`: uses `OPENAI_API_KEY`. Recommended for hosted CI and open-source projects.
+- `access_token`: uses `CODEX_ACCESS_TOKEN`. Recommended for trusted Business/Enterprise automation.
+- `chatgpt_hosted_experimental`: restores a pre-authenticated Codex home from `CODEX_HOME_TGZ_BASE64`. This is only for experimental personal ChatGPT subscription use on trusted runners.
+
+The personal ChatGPT hosted-runner path is sensitive and fragile. Do not cache or upload restored auth directories, and do not run it on arbitrary fork PRs.
+
+## Simulator Access And Security
+
+For iOS simulator UI automation, use:
+
+```yaml
+codex:
+  sandbox: danger-full-access
+```
+
+XcodeBuildMCP needs access to CoreSimulator services outside the repository workspace. More restrictive sandbox modes can build the app but fail once the agent tries to inspect UI, tap controls, or capture screenshots.
+
+Run ShipPilot only in trusted workflows when secrets are present. For open-source repositories, prefer `workflow_dispatch`, releases, schedules, or maintainer-approved workflows. Use `actions/checkout` with `persist-credentials: false`.
+
+## GitHub Actions
+
+```yaml
+name: ShipPilot QA
+
+on:
+  workflow_dispatch:
+  release:
+    types: [published]
+
+jobs:
+  shippilot:
+    runs-on: macos-15
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Run ShipPilot
+        env:
+          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+          CODEX_ACCESS_TOKEN: ${{ secrets.CODEX_ACCESS_TOKEN }}
+          CODEX_HOME_TGZ_BASE64: ${{ secrets.CODEX_HOME_TGZ_BASE64 }}
+          TEST_EMAIL: ${{ secrets.TEST_EMAIL }}
+          TEST_PASSWORD: ${{ secrets.TEST_PASSWORD }}
+        run: |
+          npx shippilot doctor
+          npx shippilot run --case qa/login.md --verbose
+
+      - name: Upload ShipPilot report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: shippilot-report
+          path: .shippilot/
+          include-hidden-files: true
+```
+
+## Bitrise
+
+Use a macOS stack with Xcode and add a Script Step:
+
+```bash
+#!/usr/bin/env bash
+set -euo pipefail
+
+npm install -g shippilot
+shippilot doctor
+shippilot run --case qa/login.md --verbose
+```
+
+Upload `.shippilot/` as build artifacts so failed QA runs still leave reports and screenshots.
+
+## Reports And Exit Codes
+
+Reports are written to `.shippilot/`:
+
+```text
+.shippilot/
+  run.json
+  report.md
+  junit.xml
+  logs/
+  screenshots/
+```
+
+ShipPilot exits like a test runner:
+
+- `0`: all cases passed
+- `1`: at least one case failed
+- `2`: setup/auth/project/simulator/config error
+- `3`: at least one case was blocked or inconclusive
+
+Set `codex.fail_on: never` for report-only mode.
+
+## Contribution Guide
+
+Contributions should keep ShipPilot test-and-report focused. Avoid features that let the CI agent edit source, commit, push, or open PRs unless that behavior is explicitly designed behind a separate mode.
+
+Before opening a PR:
+
+```bash
+npm run build
+npm test
+```
+
+Useful areas to improve:
+
+- config validation and clearer doctor checks
+- QA case parsing and secret redaction
+- report quality and artifact collection
+- XcodeBuildMCP integration robustness
+- CI examples for common hosted runners
+
+## Roadmap
+
+- Add richer screenshot and log attachments to reports.
+- Add sample app integration tests.
+- Add Bitrise Step packaging.
+- Add Android support.
+
+## Documentation
+
+- [Full plan](docs/plan.md)
+- [Auth modes](docs/auth.md)
+- [GitHub Actions](docs/github-actions.md)
+- [Bitrise](docs/bitrise.md)
+- [Release process](docs/release.md)
+- [Personal ChatGPT subscription](docs/personal-chatgpt-subscription.md)
+- [Security](docs/security.md)

package/dist/auth/prepareCodexHome.d.ts

@@ -0,0 +1,7 @@
+import type { ShipPilotConfig } from "../config/schema.js";
+export type PreparedAuth = {
+    apiKey?: string;
+    env: Record<string, string>;
+    cleanup: () => void;
+};
+export declare function prepareCodexAuth(config: ShipPilotConfig, env?: NodeJS.ProcessEnv): PreparedAuth;

package/dist/auth/prepareCodexHome.js

@@ -0,0 +1,52 @@
+import { mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { spawnSync } from "node:child_process";
+function stringEnv(env = process.env) {
+    return Object.fromEntries(Object.entries(env).filter((entry) => typeof entry[1] === "string"));
+}
+function makeTempCodexHome() {
+    return mkdtempSync(path.join(os.tmpdir(), "shippilot-codex-home-"));
+}
+export function prepareCodexAuth(config, env = process.env) {
+    const baseEnv = stringEnv(env);
+    if (config.codex.auth === "api_key") {
+        return {
+            apiKey: env.OPENAI_API_KEY,
+            env: baseEnv,
+            cleanup: () => undefined,
+        };
+    }
+    if (config.codex.auth === "access_token") {
+        const codexHome = makeTempCodexHome();
+        const result = spawnSync("codex", ["login", "--with-access-token"], {
+            input: env.CODEX_ACCESS_TOKEN,
+            encoding: "utf8",
+            env: { ...baseEnv, CODEX_HOME: codexHome },
+        });
+        if (result.status !== 0) {
+            rmSync(codexHome, { recursive: true, force: true });
+            throw new Error(`codex login --with-access-token failed: ${result.stderr || result.stdout}`);
+        }
+        return {
+            env: { ...baseEnv, CODEX_HOME: codexHome },
+            cleanup: () => rmSync(codexHome, { recursive: true, force: true }),
+        };
+    }
+    const codexHome = makeTempCodexHome();
+    const archivePath = path.join(os.tmpdir(), `shippilot-codex-home-${Date.now()}.tgz`);
+    writeFileSync(archivePath, Buffer.from(String(env.CODEX_HOME_TGZ_BASE64), "base64"));
+    const result = spawnSync("tar", ["-xzf", archivePath, "-C", codexHome, "--strip-components=1"], {
+        encoding: "utf8",
+    });
+    rmSync(archivePath, { force: true });
+    if (result.status !== 0) {
+        rmSync(codexHome, { recursive: true, force: true });
+        throw new Error(`Failed to restore CODEX_HOME_TGZ_BASE64: ${result.stderr || result.stdout}`);
+    }
+    return {
+        env: { ...baseEnv, CODEX_HOME: codexHome },
+        cleanup: () => rmSync(codexHome, { recursive: true, force: true }),
+    };
+}
+//# sourceMappingURL=prepareCodexHome.js.map

package/dist/auth/prepareCodexHome.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prepareCodexHome.js","sourceRoot":"","sources":["../../src/auth/prepareCodexHome.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAC7D,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAS/C,SAAS,SAAS,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG;IAClC,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAA6B,EAAE,CAAC,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,CAC/F,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB;IACxB,OAAO,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,uBAAuB,CAAC,CAAC,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAuB,EAAE,GAAG,GAAG,OAAO,CAAC,GAAG;IACzE,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IAE/B,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QACpC,OAAO;YACL,MAAM,EAAE,GAAG,CAAC,cAAc;YAC1B,GAAG,EAAE,OAAO;YACZ,OAAO,EAAE,GAAG,EAAE,CAAC,SAAS;SACzB,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;QACtC,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,OAAO,EAAE,qBAAqB,CAAC,EAAE;YAClE,KAAK,EAAE,GAAG,CAAC,kBAAkB;YAC7B,QAAQ,EAAE,MAAM;YAChB,GAAG,EAAE,EAAE,GAAG,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE;SAC3C,CAAC,CAAC;QAEH,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,MAAM,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,2CAA2C,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/F,CAAC;QAED,OAAO;YACL,GAAG,EAAE,EAAE,GAAG,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE;YAC1C,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;SACnE,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,iBAAiB,EAAE,CAAC;IACtC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,wBAAwB,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACrF,aAAa,CAAC,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,qBAAqB,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC;IAErF,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,sBAAsB,CAAC,EAAE;QAC9F,QAAQ,EAAE,MAAM;KACjB,CAAC,CAAC;IAEH,MAAM,CAAC,WAAW,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAErC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,4CAA4C,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAChG,CAAC;IAED,OAAO;QACL,GAAG,EAAE,EAAE,GAAG,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE;QAC1C,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;KACnE,CAAC;AACJ,CAAC"}

package/dist/auth/validateAuth.d.ts

@@ -0,0 +1,2 @@
+import type { ShipPilotConfig } from "../config/schema.js";
+export declare function validateAuthConfig(config: ShipPilotConfig, env?: NodeJS.ProcessEnv): string[];

package/dist/auth/validateAuth.js

@@ -0,0 +1,19 @@
+export function validateAuthConfig(config, env = process.env) {
+    const issues = [];
+    if (config.codex.auth === "api_key" && !env.OPENAI_API_KEY) {
+        issues.push("OPENAI_API_KEY is required for codex.auth: api_key.");
+    }
+    if (config.codex.auth === "access_token" && !env.CODEX_ACCESS_TOKEN) {
+        issues.push("CODEX_ACCESS_TOKEN is required for codex.auth: access_token.");
+    }
+    if (config.codex.auth === "chatgpt_hosted_experimental") {
+        if (!config.codex.allow_experimental_personal_hosted_auth) {
+            issues.push("chatgpt_hosted_experimental requires allow_experimental_personal_hosted_auth: true.");
+        }
+        if (!env.CODEX_HOME_TGZ_BASE64) {
+            issues.push("CODEX_HOME_TGZ_BASE64 is required for chatgpt_hosted_experimental.");
+        }
+    }
+    return issues;
+}
+//# sourceMappingURL=validateAuth.js.map

package/dist/auth/validateAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validateAuth.js","sourceRoot":"","sources":["../../src/auth/validateAuth.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,kBAAkB,CAAC,MAAuB,EAAE,GAAG,GAAG,OAAO,CAAC,GAAG;IAC3E,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;QAC3D,MAAM,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;IACrE,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,KAAK,cAAc,IAAI,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC;QACpE,MAAM,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;IAC9E,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,KAAK,6BAA6B,EAAE,CAAC;QACxD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uCAAuC,EAAE,CAAC;YAC1D,MAAM,CAAC,IAAI,CACT,qFAAqF,CACtF,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,qBAAqB,EAAE,CAAC;YAC/B,MAAM,CAAC,IAAI,CAAC,oEAAoE,CAAC,CAAC;QACpF,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/cases/parseCase.d.ts

@@ -0,0 +1,13 @@
+import { z } from "zod";
+declare const qaCaseFrontMatterSchema: z.ZodObject<{
+    id: z.ZodString;
+    title: z.ZodString;
+    required_env: z.ZodDefault<z.ZodArray<z.ZodString>>;
+    tags: z.ZodDefault<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+export type QaCase = z.infer<typeof qaCaseFrontMatterSchema> & {
+    body: string;
+    path: string;
+};
+export declare function parseCase(casePath: string, cwd?: string): QaCase;
+export {};

package/dist/cases/parseCase.js

@@ -0,0 +1,21 @@
+import { readFileSync } from "node:fs";
+import path from "node:path";
+import matter from "gray-matter";
+import { z } from "zod";
+const qaCaseFrontMatterSchema = z.object({
+    id: z.string().min(1),
+    title: z.string().min(1),
+    required_env: z.array(z.string().min(1)).default([]),
+    tags: z.array(z.string()).default([]),
+});
+export function parseCase(casePath, cwd = process.cwd()) {
+    const absolutePath = path.resolve(cwd, casePath);
+    const parsed = matter(readFileSync(absolutePath, "utf8"));
+    const frontMatter = qaCaseFrontMatterSchema.parse(parsed.data);
+    return {
+        ...frontMatter,
+        body: parsed.content.trim(),
+        path: absolutePath,
+    };
+}
+//# sourceMappingURL=parseCase.js.map

package/dist/cases/parseCase.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"parseCase.js","sourceRoot":"","sources":["../../src/cases/parseCase.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACpD,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;CACtC,CAAC,CAAC;AAOH,MAAM,UAAU,SAAS,CAAC,QAAgB,EAAE,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE;IAC7D,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;IAC1D,MAAM,WAAW,GAAG,uBAAuB,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAE/D,OAAO;QACL,GAAG,WAAW;QACd,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE;QAC3B,IAAI,EAAE,YAAY;KACnB,CAAC;AACJ,CAAC"}

package/dist/cases/resolveEnv.d.ts

@@ -0,0 +1,6 @@
+import type { QaCase } from "./parseCase.js";
+export type ResolvedCase = QaCase & {
+    resolvedBody: string;
+    envValues: Record<string, string>;
+};
+export declare function resolveCaseEnv(qaCase: QaCase, env?: NodeJS.ProcessEnv): ResolvedCase;

package/dist/cases/resolveEnv.js

@@ -0,0 +1,19 @@
+export function resolveCaseEnv(qaCase, env = process.env) {
+    const missing = qaCase.required_env.filter((key) => !env[key]);
+    if (missing.length > 0) {
+        throw new Error(`Missing required env vars for ${qaCase.id}: ${missing.join(", ")}`);
+    }
+    const envValues = Object.fromEntries(qaCase.required_env.map((key) => [key, String(env[key] ?? "")]));
+    const resolvedBody = qaCase.body.replace(/\$\{([A-Z0-9_]+)\}/g, (match, key) => {
+        if (Object.prototype.hasOwnProperty.call(envValues, key)) {
+            return envValues[key];
+        }
+        return match;
+    });
+    return {
+        ...qaCase,
+        resolvedBody,
+        envValues,
+    };
+}
+//# sourceMappingURL=resolveEnv.js.map

package/dist/cases/resolveEnv.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolveEnv.js","sourceRoot":"","sources":["../../src/cases/resolveEnv.ts"],"names":[],"mappings":"AAOA,MAAM,UAAU,cAAc,CAAC,MAAc,EAAE,GAAG,GAAG,OAAO,CAAC,GAAG;IAC9D,MAAM,OAAO,GAAG,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,iCAAiC,MAAM,CAAC,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAClC,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAChE,CAAC;IAEF,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,qBAAqB,EAAE,CAAC,KAAK,EAAE,GAAW,EAAE,EAAE;QACrF,IAAI,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,EAAE,CAAC;YACzD,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC;QACxB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,GAAG,MAAM;QACT,YAAY;QACZ,SAAS;KACV,CAAC;AACJ,CAAC"}

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/cli.js

@@ -0,0 +1,219 @@
+#!/usr/bin/env node
+import { mkdirSync, writeFileSync } from "node:fs";
+import { Command } from "commander";
+import fg from "fast-glob";
+import { loadConfig } from "./config/loadConfig.js";
+import { validateAuthConfig } from "./auth/validateAuth.js";
+import { parseCase } from "./cases/parseCase.js";
+import { resolveCaseEnv } from "./cases/resolveEnv.js";
+import { createRedactor } from "./security/redact.js";
+import { doctorXcode } from "./ios/doctorXcode.js";
+import { runCaseWithSdk } from "./codex/runWithSdk.js";
+import { writeJsonReport, readJsonReport } from "./reports/jsonReport.js";
+import { writeMarkdownReport } from "./reports/markdownReport.js";
+import { writeJunitReport } from "./reports/junitReport.js";
+import { ExitCodes } from "./exitCodes.js";
+function writeReports(configPath, report) {
+    const config = loadConfig(configPath);
+    if (config.reports.markdown)
+        writeMarkdownReport(config, report);
+    if (config.reports.junit)
+        writeJunitReport(config, report);
+}
+function exitCodeFor(report, failOn) {
+    if (failOn === "never")
+        return ExitCodes.success;
+    if (report.status === "failed")
+        return ExitCodes.failed;
+    if (report.status === "blocked")
+        return ExitCodes.blocked;
+    return ExitCodes.success;
+}
+function printCheck(name, ok, detail) {
+    const marker = ok ? "PASS" : "FAIL";
+    console.log(`${marker} ${name}${detail ? `: ${detail.split("\n")[0]}` : ""}`);
+}
+async function main() {
+    const program = new Command();
+    program
+        .name("shippilot")
+        .description("ShipPilot: agentic iOS QA runner for Codex")
+        .version("0.0.1")
+        .option("-c, --config <path>", "config file path", "shippilot.yml");
+    program.command("init").description("Scaffold ShipPilot config, sample case, and CI templates").action(() => {
+        mkdirSync("qa", { recursive: true });
+        mkdirSync(".github/workflows", { recursive: true });
+        mkdirSync("bitrise", { recursive: true });
+        writeFileSync("shippilot.yml", `codex:
+  engine: sdk
+  auth: api_key
+  model: default
+  sandbox: danger-full-access
+  fail_on: failed_or_blocked
+  allow_experimental_personal_hosted_auth: false
+  verbose: false
+
+ios:
+  project: MyApp.xcodeproj
+  bundle_id:
+  scheme: MyApp
+  simulator: iPhone 17 Pro
+  backend: xcodebuildmcp
+  configuration: Debug
+
+reports:
+  output_dir: .shippilot
+  markdown: true
+  json: true
+  junit: true
+  screenshots: true
+  logs: true
+`);
+        writeFileSync("qa/login.md", `---
+id: login-happy-path
+title: Login happy path
+required_env:
+  - TEST_EMAIL
+  - TEST_PASSWORD
+tags:
+  - release
+  - smoke
+---
+
+Launch the app.
+Enter \${TEST_EMAIL} and \${TEST_PASSWORD}.
+Tap Log In.
+Expect the Home screen to be visible.
+`);
+        writeFileSync(".github/workflows/shippilot.yml", `name: ShipPilot QA
+
+on:
+  workflow_dispatch:
+  release:
+    types: [published]
+
+jobs:
+  shippilot:
+    runs-on: macos-15
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - name: Run ShipPilot
+        env:
+          OPENAI_API_KEY: \${{ secrets.OPENAI_API_KEY }}
+          CODEX_ACCESS_TOKEN: \${{ secrets.CODEX_ACCESS_TOKEN }}
+          CODEX_HOME_TGZ_BASE64: \${{ secrets.CODEX_HOME_TGZ_BASE64 }}
+          TEST_EMAIL: \${{ secrets.TEST_EMAIL }}
+          TEST_PASSWORD: \${{ secrets.TEST_PASSWORD }}
+        run: |
+          npx shippilot doctor
+          npx shippilot run --case qa/login.md
+
+      - name: Upload ShipPilot report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: shippilot-report
+          path: .shippilot/
+`);
+        writeFileSync("bitrise/shippilot.sh", `#!/usr/bin/env bash
+set -euo pipefail
+
+npm install -g shippilot
+shippilot doctor
+shippilot run --case qa/login.md
+`, { mode: 0o755 });
+        console.log("Created shippilot.yml, qa/login.md, and CI templates.");
+    });
+    program.command("doctor").description("Validate config, auth, Xcode, XcodeBuildMCP, and project inputs").action(() => {
+        const options = program.opts();
+        try {
+            const config = loadConfig(options.config);
+            const authIssues = validateAuthConfig(config);
+            for (const issue of authIssues)
+                printCheck("auth", false, issue);
+            const checks = doctorXcode(config);
+            for (const check of checks)
+                printCheck(check.name, check.ok, check.detail);
+            if (authIssues.length > 0 || checks.some((check) => !check.ok)) {
+                process.exitCode = ExitCodes.setupError;
+                return;
+            }
+            printCheck("ShipPilot doctor", true, "ready");
+        }
+        catch (error) {
+            console.error(error instanceof Error ? error.message : String(error));
+            process.exitCode = ExitCodes.setupError;
+        }
+    });
+    program
+        .command("run")
+        .description("Run one or more ShipPilot QA cases")
+        .option("--case <path>", "single QA case Markdown file")
+        .option("--cases <glob>", "QA case glob or directory")
+        .option("--verbose", "stream XcodeBuildMCP and Codex SDK events")
+        .action(async (runOptions) => {
+        const options = program.opts();
+        const startedAt = new Date().toISOString();
+        try {
+            const config = loadConfig(options.config);
+            const authIssues = validateAuthConfig(config);
+            if (authIssues.length > 0)
+                throw new Error(authIssues.join("\n"));
+            const casePaths = runOptions.case
+                ? [runOptions.case]
+                : await fg(runOptions.cases ? `${runOptions.cases.replace(/\/$/, "")}/**/*.md` : "qa/**/*.md");
+            if (casePaths.length === 0)
+                throw new Error("No QA cases found.");
+            const records = [];
+            for (const casePath of casePaths) {
+                const qaCase = parseCase(casePath);
+                const resolved = resolveCaseEnv(qaCase);
+                const redactor = createRedactor(Object.values(resolved.envValues));
+                console.log(`Running ${qaCase.id}: ${qaCase.title}`);
+                records.push(await runCaseWithSdk(config, resolved, redactor, process.cwd(), runOptions.verbose ?? config.codex.verbose));
+            }
+            const report = writeJsonReport(config, records, startedAt);
+            if (config.reports.markdown)
+                writeMarkdownReport(config, report);
+            if (config.reports.junit)
+                writeJunitReport(config, report);
+            console.log(`ShipPilot completed with status: ${report.status}`);
+            process.exitCode = exitCodeFor(report, config.codex.fail_on);
+        }
+        catch (error) {
+            console.error(error instanceof Error ? error.message : String(error));
+            process.exitCode = ExitCodes.setupError;
+        }
+    });
+    program
+        .command("report")
+        .description("Regenerate reports from a saved run.json")
+        .requiredOption("--run <path>", "path to run.json")
+        .action((reportOptions) => {
+        const options = program.opts();
+        try {
+            const report = readJsonReport(reportOptions.run);
+            writeReports(options.config, report);
+            console.log("Regenerated ShipPilot reports.");
+        }
+        catch (error) {
+            console.error(error instanceof Error ? error.message : String(error));
+            process.exitCode = ExitCodes.setupError;
+        }
+    });
+    await program.parseAsync(process.argv);
+}
+main().catch((error) => {
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exitCode = ExitCodes.setupError;
+});
+//# sourceMappingURL=cli.js.map