@aifabrix/builder 2.0.0

package/lib/secrets.js

@@ -0,0 +1,282 @@
+/**
+ * AI Fabrix Builder Secrets Management
+ *
+ * This module handles secret resolution and environment file generation.
+ * Resolves kv:// references from secrets files and generates .env files.
+ *
+ * @fileoverview Secret resolution and environment management for AI Fabrix Builder
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const fs = require('fs');
+const path = require('path');
+const yaml = require('js-yaml');
+const os = require('os');
+
+/**
+ * Loads environment configuration for docker/local context
+ * @returns {Object} Environment configuration
+ */
+function loadEnvConfig() {
+  const envConfigPath = path.join(__dirname, 'schema', 'env-config.yaml');
+  const content = fs.readFileSync(envConfigPath, 'utf8');
+  return yaml.load(content);
+}
+
+/**
+ * Loads secrets from the specified file or default location
+ * Supports both user secrets (~/.aifabrix/secrets.yaml) and project overrides
+ *
+ * @async
+ * @function loadSecrets
+ * @param {string} [secretsPath] - Path to secrets file (optional)
+ * @returns {Promise<Object>} Loaded secrets object
+ * @throws {Error} If secrets file cannot be loaded or parsed
+ *
+ * @example
+ * const secrets = await loadSecrets('../../secrets.local.yaml');
+ * // Returns: { 'postgres-passwordKeyVault': 'admin123', ... }
+ */
+async function loadSecrets(secretsPath) {
+  let resolvedPath = secretsPath;
+
+  if (!resolvedPath) {
+    resolvedPath = path.join(os.homedir(), '.aifabrix', 'secrets.yaml');
+  } else if (secretsPath.startsWith('..')) {
+    resolvedPath = path.resolve(process.cwd(), secretsPath);
+  }
+
+  if (!fs.existsSync(resolvedPath)) {
+    throw new Error(`Secrets file not found: ${resolvedPath}`);
+  }
+
+  const content = fs.readFileSync(resolvedPath, 'utf8');
+  const secrets = yaml.load(content);
+
+  if (!secrets || typeof secrets !== 'object') {
+    throw new Error(`Invalid secrets file format: ${resolvedPath}`);
+  }
+
+  return secrets;
+}
+
+/**
+ * Resolves kv:// references in environment template
+ * Replaces kv://keyName with actual values from secrets
+ *
+ * @async
+ * @function resolveKvReferences
+ * @param {string} envTemplate - Environment template content
+ * @param {Object} secrets - Secrets object from loadSecrets()
+ * @param {string} [environment='local'] - Environment context (docker/local)
+ * @returns {Promise<string>} Resolved environment content
+ * @throws {Error} If kv:// reference cannot be resolved
+ *
+ * @example
+ * const resolved = await resolveKvReferences(template, secrets, 'local');
+ * // Returns: 'DATABASE_URL=postgresql://user:pass@localhost:5432/db'
+ */
+async function resolveKvReferences(envTemplate, secrets, environment = 'local') {
+  const envConfig = loadEnvConfig();
+  const envVars = envConfig.environments[environment] || envConfig.environments.local;
+
+  let resolved = envTemplate;
+  const kvPattern = /kv:\/\/([a-zA-Z0-9-_]+)/g;
+  const missingSecrets = [];
+
+  let match;
+  while ((match = kvPattern.exec(envTemplate)) !== null) {
+    const secretKey = match[1];
+    if (!(secretKey in secrets)) {
+      missingSecrets.push(`kv://${secretKey}`);
+    }
+  }
+
+  if (missingSecrets.length > 0) {
+    throw new Error(`Missing secrets: ${missingSecrets.join(', ')}`);
+  }
+
+  resolved = resolved.replace(kvPattern, (match, secretKey) => {
+    let value = secrets[secretKey];
+    if (typeof value === 'string') {
+      value = value.replace(/\$\{([A-Z_]+)\}/g, (m, envVar) => {
+        return envVars[envVar] || m;
+      });
+    }
+    return value;
+  });
+
+  return resolved;
+}
+
+/**
+ * Generates .env file from template and secrets
+ * Creates environment file for local development
+ *
+ * @async
+ * @function generateEnvFile
+ * @param {string} appName - Name of the application
+ * @param {string} [secretsPath] - Path to secrets file (optional)
+ * @param {string} [environment='local'] - Environment context
+ * @returns {Promise<string>} Path to generated .env file
+ * @throws {Error} If generation fails
+ *
+ * @example
+ * const envPath = await generateEnvFile('myapp', '../../secrets.local.yaml');
+ * // Returns: './builder/myapp/.env'
+ */
+async function generateEnvFile(appName, secretsPath, environment = 'local') {
+  const builderPath = path.join(process.cwd(), 'builder', appName);
+  const templatePath = path.join(builderPath, 'env.template');
+  const variablesPath = path.join(builderPath, 'variables.yaml');
+  const envPath = path.join(builderPath, '.env');
+
+  if (!fs.existsSync(templatePath)) {
+    throw new Error(`env.template not found: ${templatePath}`);
+  }
+
+  const template = fs.readFileSync(templatePath, 'utf8');
+  const secrets = await loadSecrets(secretsPath);
+  const resolved = await resolveKvReferences(template, secrets, environment);
+
+  fs.writeFileSync(envPath, resolved, { mode: 0o600 });
+
+  if (fs.existsSync(variablesPath)) {
+    const variablesContent = fs.readFileSync(variablesPath, 'utf8');
+    const variables = yaml.load(variablesContent);
+
+    if (variables?.build?.envOutputPath) {
+      const outputPath = path.resolve(builderPath, variables.build.envOutputPath);
+      const outputDir = path.dirname(outputPath);
+
+      if (!fs.existsSync(outputDir)) {
+        fs.mkdirSync(outputDir, { recursive: true });
+      }
+
+      fs.copyFileSync(envPath, outputPath);
+    }
+  }
+
+  return envPath;
+}
+
+/**
+ * Generates admin secrets for infrastructure
+ * Creates ~/.aifabrix/admin-secrets.env with Postgres and Redis credentials
+ *
+ * @async
+ * @function generateAdminSecretsEnv
+ * @param {string} [secretsPath] - Path to secrets file (optional)
+ * @returns {Promise<string>} Path to generated admin-secrets.env file
+ * @throws {Error} If generation fails
+ *
+ * @example
+ * const adminEnvPath = await generateAdminSecretsEnv('../../secrets.local.yaml');
+ * // Returns: '~/.aifabrix/admin-secrets.env'
+ */
+async function generateAdminSecretsEnv(secretsPath) {
+  const secrets = await loadSecrets(secretsPath);
+  const aifabrixDir = path.join(os.homedir(), '.aifabrix');
+  const adminEnvPath = path.join(aifabrixDir, 'admin-secrets.env');
+
+  if (!fs.existsSync(aifabrixDir)) {
+    fs.mkdirSync(aifabrixDir, { recursive: true, mode: 0o700 });
+  }
+
+  const postgresPassword = secrets['postgres-passwordKeyVault'] || '';
+
+  const adminSecrets = `# Infrastructure Admin Credentials
+POSTGRES_PASSWORD=${postgresPassword}
+PGADMIN_DEFAULT_EMAIL=admin@aifabrix.ai
+PGADMIN_DEFAULT_PASSWORD=${postgresPassword}
+REDIS_HOST=local:localhost:6379
+REDIS_COMMANDER_USER=admin
+REDIS_COMMANDER_PASSWORD=${postgresPassword}
+`;
+
+  fs.writeFileSync(adminEnvPath, adminSecrets, { mode: 0o600 });
+  return adminEnvPath;
+}
+
+/**
+ * Validates that all required secrets are present
+ * Checks for missing kv:// references and provides helpful error messages
+ *
+ * @function validateSecrets
+ * @param {string} envTemplate - Environment template content
+ * @param {Object} secrets - Available secrets
+ * @returns {Object} Validation result with missing secrets
+ *
+ * @example
+ * const validation = validateSecrets(template, secrets);
+ * // Returns: { valid: false, missing: ['kv://missing-secret'] }
+ */
+function validateSecrets(envTemplate, secrets) {
+  const kvPattern = /kv:\/\/([a-zA-Z0-9-_]+)/g;
+  const missing = [];
+
+  let match;
+  while ((match = kvPattern.exec(envTemplate)) !== null) {
+    const secretKey = match[1];
+    if (!(secretKey in secrets)) {
+      missing.push(`kv://${secretKey}`);
+    }
+  }
+
+  return {
+    valid: missing.length === 0,
+    missing
+  };
+}
+
+/**
+ * Creates default secrets file if it doesn't exist
+ * Generates template with common secrets for local development
+ *
+ * @async
+ * @function createDefaultSecrets
+ * @param {string} secretsPath - Path where to create secrets file
+ * @returns {Promise<void>} Resolves when file is created
+ * @throws {Error} If file creation fails
+ *
+ * @example
+ * await createDefaultSecrets('~/.aifabrix/secrets.yaml');
+ * // Default secrets file is created
+ */
+async function createDefaultSecrets(secretsPath) {
+  const resolvedPath = secretsPath.startsWith('~')
+    ? path.join(os.homedir(), secretsPath.slice(1))
+    : secretsPath;
+
+  const dir = path.dirname(resolvedPath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  }
+
+  const defaultSecrets = `# Local Development Secrets
+# Production uses Azure KeyVault
+
+# Database Secrets
+postgres-passwordKeyVault: "admin123"
+
+# Redis Secrets
+redis-passwordKeyVault: ""
+redis-urlKeyVault: "redis://\${REDIS_HOST}:6379"
+
+# Keycloak Secrets
+keycloak-admin-passwordKeyVault: "admin123"
+keycloak-auth-server-urlKeyVault: "http://\${KEYCLOAK_HOST}:8082"
+`;
+
+  fs.writeFileSync(resolvedPath, defaultSecrets, { mode: 0o600 });
+}
+
+module.exports = {
+  loadSecrets,
+  resolveKvReferences,
+  generateEnvFile,
+  generateAdminSecretsEnv,
+  validateSecrets,
+  createDefaultSecrets
+};

package/lib/templates.js

@@ -0,0 +1,301 @@
+/**
+ * YAML Template Generation Module
+ *
+ * Generates configuration files for AI Fabrix applications
+ * following ISO 27001 security standards
+ */
+
+const yaml = require('js-yaml');
+
+/**
+ * Generate variables.yaml content for an application
+ * @param {string} appName - Application name
+ * @param {Object} config - Configuration options
+ * @returns {string} YAML content
+ */
+function generateVariablesYaml(appName, config) {
+  const variables = {
+    app: {
+      key: appName,
+      name: appName.replace(/-/g, ' ').replace(/\b\w/g, l => l.toUpperCase()),
+      description: `${appName.replace(/-/g, ' ')} application`,
+      version: '1.0.0'
+    },
+    build: {
+      language: config.language || 'typescript',
+      port: parseInt(config.port, 10) || 3000,
+      environment: 'development'
+    },
+    services: {
+      database: config.database || false,
+      redis: config.redis || false,
+      storage: config.storage || false,
+      authentication: config.authentication || false
+    },
+    security: {
+      enableRBAC: config.authentication || false,
+      requireAuth: config.authentication || false,
+      auditLogging: true
+    },
+    monitoring: {
+      healthCheck: true,
+      metrics: true,
+      logging: true
+    }
+  };
+
+  return yaml.dump(variables, {
+    indent: 2,
+    lineWidth: 120,
+    noRefs: true,
+    sortKeys: false
+  });
+}
+
+/**
+ * Generate env.template content with conditional variables
+ * @param {Object} config - Configuration options
+ * @param {Object} existingEnv - Existing environment variables
+ * @returns {string} Environment template content
+ */
+function generateEnvTemplate(config, existingEnv = {}) {
+  const envVars = {
+    // Core application settings
+    'NODE_ENV': 'development',
+    'PORT': config.port || 3000,
+    'APP_NAME': config.appName || 'myapp',
+    'LOG_LEVEL': 'info'
+  };
+
+  // Add database variables if enabled
+  if (config.database) {
+    envVars['DATABASE_URL'] = 'kv://database-url';
+    envVars['DB_HOST'] = 'localhost';
+    envVars['DB_PORT'] = '5432';
+    envVars['DB_NAME'] = config.appName || 'myapp';
+    envVars['DB_USER'] = 'kv://database-user';
+    envVars['DB_PASSWORD'] = 'kv://database-password';
+  }
+
+  // Add Redis variables if enabled
+  if (config.redis) {
+    envVars['REDIS_URL'] = 'kv://redis-url';
+    envVars['REDIS_HOST'] = 'localhost';
+    envVars['REDIS_PORT'] = '6379';
+    envVars['REDIS_PASSWORD'] = 'kv://redis-password';
+  }
+
+  // Add storage variables if enabled
+  if (config.storage) {
+    envVars['STORAGE_TYPE'] = 'local';
+    envVars['STORAGE_PATH'] = '/app/storage';
+    envVars['STORAGE_URL'] = 'kv://storage-url';
+    envVars['STORAGE_KEY'] = 'kv://storage-key';
+    envVars['STORAGE_SECRET'] = 'kv://storage-secret';
+  }
+
+  // Add authentication variables if enabled
+  if (config.authentication) {
+    envVars['JWT_SECRET'] = 'kv://jwt-secret';
+    envVars['JWT_EXPIRES_IN'] = '24h';
+    envVars['AUTH_PROVIDER'] = 'local';
+    envVars['SESSION_SECRET'] = 'kv://session-secret';
+  }
+
+  // Merge with existing environment variables
+  Object.assign(envVars, existingEnv);
+
+  // Generate template content
+  const lines = [
+    '# AI Fabrix Environment Template',
+    '# Copy this file to .env and fill in the actual values',
+    '# Values marked with kv:// are secrets stored in Azure Key Vault',
+    '',
+    '# Core Application Settings',
+    ''
+  ];
+
+  // Add core variables
+  Object.entries(envVars).forEach(([key, value]) => {
+    if (key.startsWith('NODE_ENV') || key.startsWith('PORT') ||
+        key.startsWith('APP_NAME') || key.startsWith('LOG_LEVEL')) {
+      lines.push(`${key}=${value}`);
+    }
+  });
+
+  // Add service-specific sections
+  if (config.database) {
+    lines.push('', '# Database Configuration', '');
+    Object.entries(envVars).forEach(([key, value]) => {
+      if (key.startsWith('DB_') || key.startsWith('DATABASE_')) {
+        lines.push(`${key}=${value}`);
+      }
+    });
+  }
+
+  if (config.redis) {
+    lines.push('', '# Redis Configuration', '');
+    Object.entries(envVars).forEach(([key, value]) => {
+      if (key.startsWith('REDIS_')) {
+        lines.push(`${key}=${value}`);
+      }
+    });
+  }
+
+  if (config.storage) {
+    lines.push('', '# Storage Configuration', '');
+    Object.entries(envVars).forEach(([key, value]) => {
+      if (key.startsWith('STORAGE_')) {
+        lines.push(`${key}=${value}`);
+      }
+    });
+  }
+
+  if (config.authentication) {
+    lines.push('', '# Authentication Configuration', '');
+    Object.entries(envVars).forEach(([key, value]) => {
+      if (key.startsWith('JWT_') || key.startsWith('AUTH_') || key.startsWith('SESSION_')) {
+        lines.push(`${key}=${value}`);
+      }
+    });
+  }
+
+  return lines.join('\n');
+}
+
+/**
+ * Generate rbac.yaml content for RBAC configuration
+ * @param {string} appName - Application name
+ * @param {Object} config - Configuration options
+ * @returns {string} RBAC YAML content
+ */
+function generateRbacYaml(appName, config) {
+  if (!config.authentication) {
+    return null;
+  }
+
+  const rbac = {
+    apiVersion: 'v1',
+    kind: 'RBACConfig',
+    metadata: {
+      name: `${appName}-rbac`,
+      namespace: 'default'
+    },
+    spec: {
+      roles: [
+        {
+          name: 'admin',
+          description: 'Full administrative access',
+          permissions: ['*']
+        },
+        {
+          name: 'user',
+          description: 'Standard user access',
+          permissions: ['read', 'write']
+        },
+        {
+          name: 'viewer',
+          description: 'Read-only access',
+          permissions: ['read']
+        }
+      ],
+      policies: [
+        {
+          name: 'admin-policy',
+          role: 'admin',
+          resources: ['*'],
+          actions: ['*']
+        },
+        {
+          name: 'user-policy',
+          role: 'user',
+          resources: ['data', 'profile'],
+          actions: ['read', 'write']
+        },
+        {
+          name: 'viewer-policy',
+          role: 'viewer',
+          resources: ['data'],
+          actions: ['read']
+        }
+      ],
+      bindings: [
+        {
+          name: 'admin-binding',
+          role: 'admin',
+          subjects: [
+            {
+              kind: 'User',
+              name: 'admin@example.com'
+            }
+          ]
+        }
+      ]
+    }
+  };
+
+  return yaml.dump(rbac, {
+    indent: 2,
+    lineWidth: 120,
+    noRefs: true,
+    sortKeys: false
+  });
+}
+
+/**
+ * Generate secrets.yaml content for sensitive values
+ * @param {Object} config - Configuration options
+ * @param {Object} existingSecrets - Existing secrets from .env
+ * @returns {string} Secrets YAML content
+ */
+function generateSecretsYaml(config, existingSecrets = {}) {
+  const secrets = {
+    apiVersion: 'v1',
+    kind: 'Secret',
+    metadata: {
+      name: 'app-secrets',
+      namespace: 'default'
+    },
+    type: 'Opaque',
+    data: {}
+  };
+
+  // Add secrets based on enabled services
+  if (config.database) {
+    secrets.data['database-password'] = 'base64-encoded-password';
+    secrets.data['database-user'] = 'base64-encoded-user';
+  }
+
+  if (config.redis) {
+    secrets.data['redis-password'] = 'base64-encoded-redis-password';
+  }
+
+  if (config.storage) {
+    secrets.data['storage-key'] = 'base64-encoded-storage-key';
+    secrets.data['storage-secret'] = 'base64-encoded-storage-secret';
+  }
+
+  if (config.authentication) {
+    secrets.data['jwt-secret'] = 'base64-encoded-jwt-secret';
+    secrets.data['session-secret'] = 'base64-encoded-session-secret';
+  }
+
+  // Add existing secrets
+  Object.entries(existingSecrets).forEach(([key, value]) => {
+    secrets.data[key] = Buffer.from(value).toString('base64');
+  });
+
+  return yaml.dump(secrets, {
+    indent: 2,
+    lineWidth: 120,
+    noRefs: true,
+    sortKeys: false
+  });
+}
+
+module.exports = {
+  generateVariablesYaml,
+  generateEnvTemplate,
+  generateRbacYaml,
+  generateSecretsYaml
+};