# Task — F2: Add "Sign in with Apple" entitlement via ASC API

## Context
Notes-rebase Phase 2 dev build failed: iOS provisioning profile `nanostreet-dev-ad-hoc` lacks the **Sign in with Apple** entitlement. Same problem will hit staging when its first iOS build runs (staging shares bundle `ai.nanostreet.app.preview`).

Cause: the App ID (in Apple Developer portal) doesn't have "Sign In with Apple" capability enabled. EAS can't generate a profile that includes an entitlement the App ID isn't configured for.

Fix: enable the capability on the relevant bundle IDs via the ASC API, then either let EAS regenerate profiles on next build OR force regeneration via `eas credentials`.

## Credentials available
- ASC Key ID: `B55Z7M9TJ8`
- Issuer ID: `93397c87-47a5-4acb-bbe5-565e49823a95`
- Key path: `./AuthKey_B55Z7M9TJ8.p8` (in main repo root — confirm presence)
- Apple Team ID: `8GM434ZGG6`
- Account: nanostreet (mfnano on expo.dev)

## Bundle IDs to fix
| Profile | Bundle ID | Distribution |
|---|---|---|
| development | `ai.nanostreet.app.dev` | ad-hoc |
| preview | `ai.nanostreet.app.preview` | ad-hoc |
| staging | `ai.nanostreet.app.preview` | App Store (shares with preview) |
| production | `ai.nanostreet.app` | App Store |

All 4 should have Sign in with Apple enabled — the app.json `expo-apple-authentication` plugin adds the entitlement at runtime, so every bundle ID needs it.

## Working directory
**Operate from main repo CWD** (`/Users/fathoni/Documents/Project/BlockDev/nano-street/mobile`). This task does NOT modify git state — no commits, no branches, no `git switch`. **Main repo MUST remain on `main` branch throughout.**

## Approach (try in this order)

### Approach A — `eas credentials` interactive (simplest)
```
eas credentials -p ios --profile development
```
- Inspect current capabilities for `ai.nanostreet.app.dev`
- If EAS surfaces a "Manage capabilities" option, use it to enable Sign in with Apple
- Repeat for `--profile preview`, `--profile staging`, `--profile production`

### Approach B — ASC API direct calls (if A doesn't expose capability mgmt)
1. Generate a JWT signed with the .p8 key
2. Call `GET /v1/bundleIds?filter[identifier]=<bundleId>` → get internal ID
3. Call `GET /v1/bundleIds/{id}/relationships/bundleIdCapabilities` → list current
4. If a capability with `capabilityType` `APPLE_ID_AUTH` (Sign in with Apple) is missing, `POST /v1/bundleIdCapabilities` with body:
   ```json
   {
     "data": {
       "type": "bundleIdCapabilities",
       "attributes": {"capabilityType": "APPLE_ID_AUTH"},
       "relationships": {
         "bundleId": {"data": {"type": "bundleIds", "id": "<id>"}}
       }
     }
   }
   ```
5. Verify with another GET — capability should now be listed

For JWT signing, install `jsonwebtoken` via `npx` or use Python's `pyjwt`. Token claims:
```
{
  "iss": "<issuer-id>",
  "iat": <now>,
  "exp": <now + 1200>,  # max 20 min
  "aud": "appstoreconnect-v1"
}
```
Header: `{"alg": "ES256", "kid": "<key-id>", "typ": "JWT"}`

### Approach C — fastlane spaceship (if A and B both stuck)
```
fastlane spaceauth -u <apple-id>
```
Then use spaceship's API to enable capability. Requires Apple ID 2FA.

## Verification
After enabling, force-regenerate the development profile:
```
eas credentials -p ios --profile development
# → "Build credentials: Manage everything..." → "Provisioning Profile: Add a new one"
```
Verify the new profile includes Sign in with Apple in its entitlements (EAS shows entitlements for each profile).

OR: trigger a fresh dev build to confirm:
```
gh workflow run build-dev.yml --ref main   # only after sdk-fix #205 merges so expo-dev-client is on main
```
Watch the iOS build — if it succeeds, F2 is fixed. If it fails for a different reason, that's progress.

## Output
Write findings to `.agent-status/asc-f2-entitlement-fix.md`:
- Which approach worked
- Per bundle ID: was capability already on? If not, was it enabled successfully?
- Any new errors encountered
- Confirmation that profiles now include the entitlement (or the capability change is pending propagation)
- Any follow-up needed (e.g., "wait 5 min for Apple to propagate, then regen profile")

## Constraints
- **NO git changes.** Read-only on git state. Main repo stays on `main`.
- **No PR.** This is credentials work, not code.
- **Don't touch other capabilities.** Only enable Sign in with Apple. Don't accidentally toggle Push Notifications, App Groups, etc.
- **Don't generate new distribution certs.** Use existing ones.
- If you can't enable a capability for some reason (e.g., the bundle ID isn't owned by the team's ASC API key scope), document the blocker and stop — don't escalate to manual workarounds.

## Coordination
- Coordinator: `nanodev:1`. Standard ping pattern.
- Ping at: bundle ID inspection done (which already have capability, which don't), capability enabled per bundle ID, profile regenerated, verification done, status doc ready.
