Add auth config export from keychain

[rudrankriyam]

Summary

• Add asc auth export-to-config to copy keychain-backed App Store Connect API credentials into JSON config storage.
• Export embedded keychain PEM material to secure .p8 files when the original private key path is missing.
• Support --local, --config, --private-key-dir, --remove-keychain, and JSON/table output for auditable migration workflows.
• Harden migration edge cases found during PR audit: active config path resolution, destination default preservation, keychain cleanup reporting, original keychain-name removal, private-key export filename collisions, and ambiguous trimmed profile-name collisions.

Validation

• asc auth export-to-config --help
• asc auth export-to-config exits 2 when --confirm is missing
• asc auth export-to-config --confirm --output yaml exits 2 for unsupported output
• asc auth export-to-config --confirm --local --config /tmp/asc-config.json exits 2 for mutually exclusive config targets
• Built /tmp/asc-pr-1615 and ran a live local migration drill:
  • Seeded keychain from the existing /Users/rudrank/.asc/config.json credential data
  • Temporarily moved the config aside
  • Ran /tmp/asc-pr-1615 auth export-to-config --confirm --output json
  • Verified ASC_BYPASS_KEYCHAIN=1 /tmp/asc-pr-1615 auth status --output json reads the migrated config credential
  • Restored the original config file and its uchg flag
• make format
• make check-command-docs
• make lint
• ASC_BYPASS_KEYCHAIN=1 make test
• Cursor Bugbot review threads resolved

Notes

The command was renamed from migrate-to-config to export-to-config during audit because the default behavior copies credentials to config while leaving keychain entries in place. Destructive cleanup remains explicit behind --remove-keychain.

  

[coderabbitai]

Warning

Review limit reached

@rudrankriyam, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 1 hour, 25 minutes, and 50 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 06aec3eb-44b9-4ba8-abc4-a63db2d538b3

📥 Commits

Reviewing files that changed from the base of the PR and between d65779b and fb9b352.

📒 Files selected for processing (5)

• internal/auth/keychain.go
• internal/auth/keychain_test.go
• internal/cli/auth/auth.go
• internal/cli/auth/auth_test.go
• internal/cli/auth/test_hooks.go

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch cursor/keychain-json-migration-825f

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
rudrankriyam-app-store-connect-cli-67	🟡 Building	–	Jun 4, 2026, 11:18 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 10d7c85. Configure here.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fb9b352025

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Regenerate docs for the new auth subcommand

AGENTS.md requires command/help text changes to run make generate-command-docs and commit docs/COMMANDS.md. This registers a new auth export-to-config subcommand and updates auth help, but rg "export-to-config|migrate-to-config" docs/COMMANDS.md internal/cli shows the generated command reference still has no entry for it, so users relying on the generated docs cannot discover the command and the command-docs check should fail until the docs are regenerated.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Clear stale keychain metadata when migrating profiles

When migrating into a config that already has keychain_metadata for the same profile, this upsert updates cfg.Keys but leaves the old keychain metadata in place. internal/cli/shared.configCredentialMetadataSummaries reads KeychainMetadata before Keys and skips duplicate key names, so metadata-only auth resolution can keep returning the stale key ID/issuer after the profile has been migrated to config storage; clear or replace metadata entries for migrated names before saving.

Useful? React with 👍 / 👎.