@aifabrix/builder 2.1.2 → 2.1.5

package/lib/app-deploy.js

@@ -83,7 +83,7 @@ async function executePush(appName, registry, tags) {
 
   await Promise.all(tags.map(async(tag) => {
     await pushUtils.tagImage(`${appName}:latest`, `${registry}/${appName}:${tag}`);
-    await pushUtils.pushImage(`${registry}/${appName}:${tag}`);
+    await pushUtils.pushImage(`${registry}/${appName}:${tag}`, registry);
   }));
 }
 

package/lib/app-push.js

@@ -42,12 +42,30 @@ function validateAppName(appName) {
   }
 }
 
+/**
+ * Extracts image name from configuration using the same logic as build command
+ * @param {Object} config - Configuration object from variables.yaml
+ * @param {string} appName - Application name (fallback)
+ * @returns {string} Image name
+ */
+function extractImageName(config, appName) {
+  if (typeof config.image === 'string') {
+    return config.image.split(':')[0];
+  } else if (config.image?.name) {
+    return config.image.name;
+  } else if (config.app?.key) {
+    return config.app.key;
+  }
+  return appName;
+
+}
+
 /**
  * Loads push configuration from variables.yaml
  * @async
  * @param {string} appName - Application name
  * @param {Object} options - Push options
- * @returns {Promise<Object>} Configuration with registry
+ * @returns {Promise<Object>} Configuration with registry and imageName
  * @throws {Error} If configuration cannot be loaded
  */
 async function loadPushConfig(appName, options) {
@@ -58,7 +76,8 @@ async function loadPushConfig(appName, options) {
     if (!registry) {
       throw new Error('Registry URL is required. Provide via --registry flag or configure in variables.yaml under image.registry');
     }
-    return { registry };
+    const imageName = extractImageName(config, appName);
+    return { registry, imageName };
   } catch (error) {
     if (error.message.includes('Registry URL')) {
       throw error;
@@ -70,10 +89,11 @@ async function loadPushConfig(appName, options) {
 /**
  * Validates push configuration
  * @param {string} registry - Registry URL
- * @param {string} appName - Application name
+ * @param {string} imageName - Image name (from config)
+ * @param {string} appName - Application name (for error messages)
  * @throws {Error} If validation fails
  */
-async function validatePushConfig(registry, appName) {
+async function validatePushConfig(registry, imageName, appName) {
   // Validate ACR URL format specifically (must be *.azurecr.io)
   if (!/^[^.]+\.azurecr\.io$/.test(registry)) {
     throw new Error(`Invalid ACR URL format: ${registry}. Expected format: *.azurecr.io`);
@@ -83,8 +103,8 @@ async function validatePushConfig(registry, appName) {
     throw new Error(`Invalid registry URL format: ${registry}. Expected format: *.azurecr.io`);
   }
 
-  if (!await pushUtils.checkLocalImageExists(appName, 'latest')) {
-    throw new Error(`Docker image ${appName}:latest not found locally.\nRun 'aifabrix build ${appName}' first`);
+  if (!await pushUtils.checkLocalImageExists(imageName, 'latest')) {
+    throw new Error(`Docker image ${imageName}:latest not found locally.\nRun 'aifabrix build ${appName}' first`);
   }
 
   if (!await pushUtils.checkAzureCLIInstalled()) {
@@ -108,26 +128,45 @@ async function authenticateWithRegistry(registry) {
 /**
  * Pushes image tags to registry
  * @async
- * @param {string} appName - Application name
+ * @param {string} imageName - Image name (from config)
  * @param {string} registry - Registry URL
  * @param {Array<string>} tags - Image tags
  */
-async function pushImageTags(appName, registry, tags) {
-  await Promise.all(tags.map(async(tag) => {
-    await pushUtils.tagImage(`${appName}:latest`, `${registry}/${appName}:${tag}`);
-    await pushUtils.pushImage(`${registry}/${appName}:${tag}`);
-  }));
+async function pushImageTags(imageName, registry, tags) {
+  try {
+    await Promise.all(tags.map(async(tag) => {
+      await pushUtils.tagImage(`${imageName}:latest`, `${registry}/${imageName}:${tag}`);
+      await pushUtils.pushImage(`${registry}/${imageName}:${tag}`, registry);
+    }));
+  } catch (error) {
+    // If authentication error, try to re-authenticate and retry once
+    const errorMessage = error.message || String(error);
+    const isAuthError = errorMessage.includes('Authentication required') ||
+                        errorMessage.includes('authentication required') ||
+                        (errorMessage.includes('authentication') && errorMessage.includes('401'));
+
+    if (isAuthError) {
+      logger.log(chalk.yellow('⚠ Authentication expired, re-authenticating...'));
+      await authenticateWithRegistry(registry);
+      // Retry push after re-authentication
+      await Promise.all(tags.map(async(tag) => {
+        await pushUtils.pushImage(`${registry}/${imageName}:${tag}`, registry);
+      }));
+    } else {
+      throw error;
+    }
+  }
 }
 
 /**
  * Displays push results
  * @param {string} registry - Registry URL
- * @param {string} appName - Application name
+ * @param {string} imageName - Image name (from config)
  * @param {Array<string>} tags - Image tags
  */
-function displayPushResults(registry, appName, tags) {
+function displayPushResults(registry, imageName, tags) {
   logger.log(chalk.green(`\n✓ Successfully pushed ${tags.length} tag(s) to ${registry}`));
-  logger.log(chalk.gray(`Image: ${registry}/${appName}:*`));
+  logger.log(chalk.gray(`Image: ${registry}/${imageName}:*`));
   logger.log(chalk.gray(`Tags: ${tags.join(', ')}`));
 }
 
@@ -145,20 +184,20 @@ async function pushApp(appName, options = {}) {
     validateAppName(appName);
 
     // Load configuration
-    const { registry } = await loadPushConfig(appName, options);
+    const { registry, imageName } = await loadPushConfig(appName, options);
 
     // Validate push configuration
-    await validatePushConfig(registry, appName);
+    await validatePushConfig(registry, imageName, appName);
 
     // Authenticate with registry
     await authenticateWithRegistry(registry);
 
     // Push image tags
     const tags = options.tag ? options.tag.split(',').map(t => t.trim()) : ['latest'];
-    await pushImageTags(appName, registry, tags);
+    await pushImageTags(imageName, registry, tags);
 
     // Display results
-    displayPushResults(registry, appName, tags);
+    displayPushResults(registry, imageName, tags);
 
   } catch (error) {
     throw new Error(`Failed to push application: ${error.message}`);

package/lib/app-readme.js

@@ -66,15 +66,18 @@ function generateReadmeMd(appName, config) {
   const displayName = formatAppDisplayName(appName);
   const imageName = `aifabrix/${appName}`;
   const port = config.port || 3000;
+  // Extract registry from nested structure (config.image.registry) or flattened (config.registry)
+  const registry = config.image?.registry || config.registry || 'myacr.azurecr.io';
 
   const context = {
     appName,
     displayName,
     imageName,
     port,
-    hasDatabase: config.database || false,
-    hasRedis: config.redis || false,
-    hasStorage: config.storage || false,
+    registry,
+    hasDatabase: config.database || config.requires?.database || false,
+    hasRedis: config.redis || config.requires?.redis || false,
+    hasStorage: config.storage || config.requires?.storage || false,
     hasAuthentication: config.authentication || false
   };
 

package/lib/cli.js

@@ -198,7 +198,9 @@ function setupCommands(program) {
         logger.log('\n📊 Infrastructure Status\n');
 
         Object.entries(status).forEach(([service, info]) => {
-          const icon = info.status === 'running' ? '✅' : '❌';
+          // Normalize status value for comparison (handle edge cases)
+          const normalizedStatus = String(info.status).trim().toLowerCase();
+          const icon = normalizedStatus === 'running' ? '✅' : '❌';
           logger.log(`${icon} ${service}:`);
           logger.log(`   Status: ${info.status}`);
           logger.log(`   Port: ${info.port}`);

package/lib/infra.js

@@ -290,8 +290,10 @@ async function getInfraStatus() {
       const containerName = await findContainer(serviceName);
       if (containerName) {
         const { stdout } = await execAsync(`docker inspect --format='{{.State.Status}}' ${containerName}`);
+        // Normalize status value (trim whitespace and remove quotes)
+        const normalizedStatus = stdout.trim().replace(/['"]/g, '');
         status[serviceName] = {
-          status: stdout.trim(),
+          status: normalizedStatus,
           port: config.port,
           url: config.url
         };

package/lib/push.js

@@ -210,15 +210,31 @@ async function tagImage(sourceImage, targetImage) {
 /**
  * Push Docker image to registry
  * @param {string} imageWithTag - Image with full tag
+ * @param {string} registry - Registry URL (for error messages)
  * @throws {Error} If push fails
  */
-async function pushImage(imageWithTag) {
+async function pushImage(imageWithTag, registry = null) {
   try {
     logger.log(chalk.blue(`Pushing ${imageWithTag}...`));
     await execAsync(`docker push ${imageWithTag}`);
     logger.log(chalk.green(`✓ Pushed: ${imageWithTag}`));
   } catch (error) {
-    throw new Error(`Failed to push image: ${error.message}`);
+    const errorMessage = error.message || error.stderr || String(error);
+    const isAuthError = errorMessage.includes('authentication required') ||
+                       errorMessage.includes('unauthorized') ||
+                       errorMessage.includes('authentication') ||
+                       errorMessage.includes('401');
+
+    if (isAuthError && registry) {
+      const registryName = extractRegistryName(registry);
+      throw new Error(
+        `Authentication required for ${registry}.\n` +
+        `Run: az acr login --name ${registryName}\n` +
+        'Make sure you\'re logged into Azure CLI first: az login'
+      );
+    }
+
+    throw new Error(`Failed to push image: ${errorMessage}`);
   }
 }
 

package/lib/templates.js

@@ -128,7 +128,10 @@ function buildDatabaseEnv(config) {
     'DB_PORT': '5432',
     'DB_NAME': dbName,
     'DB_USER': `${dbName}_user`,
-    'DB_PASSWORD': `kv://databases-${appName}-0-passwordKeyVault`
+    'DB_PASSWORD': `kv://databases-${appName}-0-passwordKeyVault`,
+    // Also include DB_0_PASSWORD for compatibility with compose generator
+    // (compose generator expects DB_0_PASSWORD when databases array is present)
+    'DB_0_PASSWORD': `kv://databases-${appName}-0-passwordKeyVault`
   };
 }
 

package/lib/utils/compose-generator.js

@@ -10,9 +10,45 @@
  */
 
 const fsSync = require('fs');
+const fs = require('fs').promises;
 const path = require('path');
 const handlebars = require('handlebars');
 
+// Register Handlebars helper for quoting PostgreSQL identifiers
+// PostgreSQL requires identifiers with hyphens or special characters to be quoted
+handlebars.registerHelper('pgQuote', (identifier) => {
+  if (!identifier) {
+    return '';
+  }
+  // Always quote identifiers to handle hyphens and special characters
+  // Return SafeString to prevent HTML escaping
+  return new handlebars.SafeString(`"${String(identifier).replace(/"/g, '""')}"`);
+});
+
+// Helper to generate quoted PostgreSQL user name from database name
+// User names must use underscores (not hyphens) for PostgreSQL compatibility
+handlebars.registerHelper('pgUser', (dbName) => {
+  if (!dbName) {
+    return '';
+  }
+  // Replace hyphens with underscores in user name (database names can have hyphens, but user names should not)
+  const userName = `${String(dbName).replace(/-/g, '_')}_user`;
+  // Return SafeString to prevent HTML escaping
+  return new handlebars.SafeString(`"${userName.replace(/"/g, '""')}"`);
+});
+
+// Helper to generate old user name format (for migration - drops old users with hyphens)
+// This is used to drop legacy users that were created with hyphens before the fix
+handlebars.registerHelper('pgUserOld', (dbName) => {
+  if (!dbName) {
+    return '';
+  }
+  // Old format: database name + _user (preserving hyphens)
+  const userName = `${String(dbName)}_user`;
+  // Return SafeString to prevent HTML escaping
+  return new handlebars.SafeString(`"${userName.replace(/"/g, '""')}"`);
+});
+
 /**
  * Loads and compiles Docker Compose template
  * @param {string} language - Language type
@@ -92,8 +128,9 @@ function buildHealthCheckConfig(config) {
  * @returns {Object} Requires configuration
  */
 function buildRequiresConfig(config) {
+  const hasDatabases = config.requires?.databases || config.databases;
   return {
-    requiresDatabase: config.requires?.database || config.services?.database || false,
+    requiresDatabase: config.requires?.database || config.services?.database || !!hasDatabases || false,
     requiresStorage: config.requires?.storage || config.services?.storage || false,
     requiresRedis: config.requires?.redis || config.services?.redis || false
   };
@@ -154,6 +191,89 @@ function buildNetworksConfig(config) {
   };
 }
 
+/**
+ * Reads database passwords from .env file
+ * Requires DB_0_PASSWORD, DB_1_PASSWORD, etc. to be set in .env file
+ * @async
+ * @param {string} envPath - Path to .env file
+ * @param {Array<Object>} databases - Array of database configurations
+ * @param {string} appKey - Application key (fallback for single database)
+ * @returns {Promise<Object>} Object with passwords array and lookup map
+ * @throws {Error} If required password variables are missing
+ */
+async function readDatabasePasswords(envPath, databases, appKey) {
+  const passwords = {};
+  const passwordsArray = [];
+
+  // Read .env file
+  const envVars = {};
+  if (!fsSync.existsSync(envPath)) {
+    throw new Error(`.env file not found: ${envPath}`);
+  }
+
+  try {
+    const envContent = await fs.readFile(envPath, 'utf8');
+    const lines = envContent.split('\n');
+
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (!trimmed || trimmed.startsWith('#')) {
+        continue;
+      }
+
+      const equalIndex = trimmed.indexOf('=');
+      if (equalIndex > 0) {
+        const key = trimmed.substring(0, equalIndex).trim();
+        const value = trimmed.substring(equalIndex + 1).trim();
+        envVars[key] = value;
+      }
+    }
+  } catch (error) {
+    throw new Error(`Failed to read .env file: ${error.message}`);
+  }
+
+  // Process each database
+  if (databases && databases.length > 0) {
+    for (let i = 0; i < databases.length; i++) {
+      const db = databases[i];
+      const dbName = db.name || appKey;
+      const passwordKey = `DB_${i}_PASSWORD`;
+
+      if (!(passwordKey in envVars)) {
+        throw new Error(`Missing required password variable ${passwordKey} in .env file`);
+      }
+
+      const password = envVars[passwordKey].trim();
+      if (!password || password.length === 0) {
+        throw new Error(`Password variable ${passwordKey} is empty in .env file`);
+      }
+
+      passwords[dbName] = password;
+      passwordsArray.push(password);
+    }
+  } else {
+    // Single database case - use DB_0_PASSWORD or DB_PASSWORD
+    const passwordKey = ('DB_0_PASSWORD' in envVars) ? 'DB_0_PASSWORD' : 'DB_PASSWORD';
+
+    if (!(passwordKey in envVars)) {
+      throw new Error(`Missing required password variable ${passwordKey} in .env file. Add DB_0_PASSWORD or DB_PASSWORD to your .env file.`);
+    }
+
+    const password = envVars[passwordKey].trim();
+    if (!password || password.length === 0) {
+      throw new Error(`Password variable ${passwordKey} is empty in .env file`);
+    }
+
+    passwords[appKey] = password;
+    passwordsArray.push(password);
+  }
+
+  return {
+    map: passwords,
+    array: passwordsArray
+  };
+}
+
 /**
  * Generates Docker Compose configuration from template
  * @param {string} appName - Application name
@@ -177,11 +297,16 @@ async function generateDockerCompose(appName, config, options) {
   const envFilePath = path.join(process.cwd(), 'builder', appName, '.env');
   const envFileAbsolutePath = envFilePath.replace(/\\/g, '/'); // Use forward slashes for Docker
 
+  // Read database passwords from .env file
+  const databases = networksConfig.databases || [];
+  const databasePasswords = await readDatabasePasswords(envFilePath, databases, appName);
+
   const templateData = {
     ...serviceConfig,
     ...volumesConfig,
     ...networksConfig,
-    envFile: envFileAbsolutePath
+    envFile: envFileAbsolutePath,
+    databasePasswords: databasePasswords
   };
 
   return template(templateData);

package/lib/utils/health-check.js

@@ -170,8 +170,7 @@ async function checkHealthEndpoint(healthCheckUrl, debug = false) {
         hostname: urlObj.hostname,
         port: urlObj.port || (urlObj.protocol === 'https:' ? 443 : 80),
         path: urlObj.pathname + urlObj.search,
-        method: 'GET',
-        timeout: 5000
+        method: 'GET'
       };
 
       if (debug) {
@@ -179,7 +178,12 @@ async function checkHealthEndpoint(healthCheckUrl, debug = false) {
         logger.log(chalk.gray(`[DEBUG] Request options: ${JSON.stringify(options, null, 2)}`));
       }
 
+      // Declare timeoutId before creating req so it can be used in callbacks
+      // eslint-disable-next-line prefer-const
+      let timeoutId;
+
       const req = http.request(options, (res) => {
+        clearTimeout(timeoutId);
         let data = '';
         if (debug) {
           logger.log(chalk.gray(`[DEBUG] Response status code: ${res.statusCode}`));
@@ -201,17 +205,20 @@ async function checkHealthEndpoint(healthCheckUrl, debug = false) {
         });
       });
 
-      req.on('error', (error) => {
+      // Set timeout for the request using setTimeout
+      timeoutId = setTimeout(() => {
         if (debug) {
-          logger.log(chalk.gray(`[DEBUG] Health check request error: ${error.message}`));
+          logger.log(chalk.gray('[DEBUG] Health check request timeout after 5 seconds'));
         }
+        req.destroy();
         resolve(false);
-      });
-      req.on('timeout', () => {
+      }, 5000);
+
+      req.on('error', (error) => {
+        clearTimeout(timeoutId);
         if (debug) {
-          logger.log(chalk.gray('[DEBUG] Health check request timeout after 5 seconds'));
+          logger.log(chalk.gray(`[DEBUG] Health check request error: ${error.message}`));
         }
-        req.destroy();
         resolve(false);
       });
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.1.2",
+  "version": "2.1.5",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {

package/templates/applications/README.md.hbs

@@ -37,7 +37,7 @@ docker stop {{appName}}
 ## Push to Azure Container Registry
 
 ```bash
-aifabrix push {{appName}} --action acr --tag latest
+aifabrix push {{appName}} --registry {{registry}} --tag latest
 ```
 
 **Note:** ACR push requires `az login` or ACR credentials in `variables.yaml`

package/templates/applications/keycloak/Dockerfile

@@ -1,7 +1,7 @@
 # Keycloak Identity and Access Management with Custom Themes
-# This Dockerfile extends Keycloak 24.0 with custom themes
+# This Dockerfile extends Keycloak 26.4 with custom themes
 
-FROM quay.io/keycloak/keycloak:24.0
+FROM quay.io/keycloak/keycloak:26.4
 
 # Set working directory
 WORKDIR /opt/keycloak

package/templates/applications/keycloak/env.template

@@ -29,4 +29,5 @@ KC_DB_URL_PORT=5432
 KC_DB_URL_DATABASE=keycloak
 KC_DB_USERNAME=keycloak_user
 KC_DB_PASSWORD=kv://databases-keycloak-0-passwordKeyVault
+DB_0_PASSWORD=kv://databases-keycloak-0-passwordKeyVault
 

package/templates/applications/miso-controller/env.template

@@ -2,6 +2,28 @@
 # Use kv:// references for secrets (resolved from secrets.local.yaml)
 # Use ${VAR} for environment-specific values
 
+
+# =============================================================================
+# FIRST-TIME ONBOARDING CONFIGURATION
+# =============================================================================
+
+# Skip automatic first-time onboarding (default: false)
+# Set to true to disable automatic onboarding on first startup
+SKIP_FIRST_TIME_SETUP=false
+
+# Optional custom controller key for onboarding (default: miso-controller)
+ONBOARDING_CONTROLLER_KEY=miso-controller
+
+# Optional infrastructure name override for onboarding (default: from INFRASTRUCTURE_NAME or aifabrix)
+ONBOARDING_INFRASTRUCTURE_NAME=
+
+# Required for admin user creation during onboarding
+# Password for the initial administrator user (username: admin)
+ONBOARDING_ADMIN_PASSWORD=kv://miso-controller-admin-passwordKeyVault
+
+# Optional admin email for onboarding (default: admin@aifabrix.ai)
+ONBOARDING_ADMIN_EMAIL=kv://miso-controller-admin-emailKeyVault
+
 # =============================================================================
 # APPLICATION ENVIRONMENT
 # =============================================================================
@@ -22,7 +44,11 @@ ENABLE_API_DOCS=true
 # Connects to external postgres from aifabrix-setup
 
 DATABASE_URL=kv://databases-miso-controller-0-urlKeyVault
+DB_0_PASSWORD=kv://databases-miso-controller-0-passwordKeyVault
+
 DATABASELOG_URL=kv://databases-miso-controller-1-urlKeyVault
+DB_1_PASSWORD=kv://databases-miso-controller-1-passwordKeyVault
+
 MISO_ADMIN_PASSWORD=kv://miso-controller-admin-passwordKeyVault
 
 # =============================================================================
@@ -30,8 +56,8 @@ MISO_ADMIN_PASSWORD=kv://miso-controller-admin-passwordKeyVault
 # =============================================================================
 # Connects to external redis from aifabrix-setup
 
-REDIS_URL=kv://redis-urlKeyVault
-REDIS_HOST=localhost
+REDIS_URL=kv://redis-url
+REDIS_HOST=${REDIS_HOST}
 REDIS_PORT=6379
 REDIS_PASSWORD=kv://redis-passwordKeyVault
 REDIS_DB=0
@@ -53,7 +79,7 @@ KEYCLOAK_ADMIN_PASSWORD=kv://keycloak-admin-passwordKeyVault
 KEYCLOAK_PUBLIC_KEY=
 KEYCLOAK_VERIFY_AUDIENCE=false
 KEYCLOAK_TOKEN_TIMEOUT=5000
-KEYCLOAK_DEFAULT_PASSWORD=kv://keycloak-admin-passwordKeyVault
+KEYCLOAK_DEFAULT_PASSWORD=kv://keycloak-default-passwordKeyVault
 
 # Keycloak Events Configuration
 KEYCLOAK_EVENTS_ENABLED=true
@@ -67,7 +93,6 @@ KEYCLOAK_EVENTS_SECRET=kv://keycloak-events-secretKeyVault
 AZURE_SUBSCRIPTION_ID=kv://azure-subscription-idKeyVault
 AZURE_TENANT_ID=kv://azure-tenant-idKeyVault
 AZURE_SERVICE_NAME=kv://azure-service-nameKeyVault
-MOCK=true
 AZURE_CLIENT_ID=kv://azure-client-idKeyVault
 AZURE_CLIENT_SECRET=kv://azure-client-secretKeyVault
 
@@ -96,21 +121,21 @@ MISO_CONTROLLER_URL=kv://miso-controller-url
 
 # Web Server URL (for OpenAPI documentation server URLs)
 # Used to generate correct server URLs in OpenAPI spec
-WEB_SERVER_URL=kv ://web-server-url
+WEB_SERVER_URL=kv://miso-web-server-url
 
 # MISO Environment Configuration (miso, dev, tst, pro)
 MISO_ENVIRONMENT=miso
 
 # MISO Application Client Credentials (per application)
-MISO_CLIENTID=kv ://miso-client-idKeyVault
-MISO_CLIENTSECRET=kv ://miso-client-secretKeyVault
+MISO_CLIENTID=kv://miso-client-idKeyVault
+MISO_CLIENTSECRET=kv://miso-client-secretKeyVault
 
 # =============================================================================
 # MORI SERVICE CONFIGURATION
 # =============================================================================
 
-MORI_BASE_URL=kv://mori-base-urlKeyVault
-MORI_API_KEY=kv ://mori-api-keyKeyVault
+MORI_BASE_URL=kv://mori-controller-url
+MORI_API_KEY=kv://mori-controller-api-keyKeyVault
 
 # =============================================================================
 # LOGGING CONFIGURATION

package/templates/applications/miso-controller/rbac.yaml

@@ -190,6 +190,22 @@ permissions:
     roles: ["aifabrix-platform-admin", "aifabrix-developer"]
     description: "Write audit and error logs"
   
+  - name: "logs:export"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-compliance-admin"]
+    description: "Export logs for archival and compliance"
+  
+  - name: "audit:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-compliance-admin"]
+    description: "View audit trail logs"
+  
+  - name: "jobs:read"
+    roles: ["aifabrix-platform-admin", "aifabrix-infrastructure-admin", "aifabrix-deployment-admin", "aifabrix-observer"]
+    description: "View job and performance logs"
+  
+  - name: "admin:export"
+    roles: ["aifabrix-platform-admin"]
+    description: "Administrative export access to all data"
+  
   # Admin Operations
   - name: "admin.sync"
     roles: ["aifabrix-platform-admin", "aifabrix-infrastructure-admin"]

package/templates/applications/miso-controller/variables.yaml

@@ -49,6 +49,7 @@ build:
   localPort: 3010                                           # Port for local development (different from Docker port)
   language: typescript                                  		# Runtime language for template selection (typescript or python)
   secrets:                                                 	# Path to secrets file
+  envFilePath: .env                                     		# Generated in builder/
 
 # Docker Compose
 compose:

package/templates/python/docker-compose.hbs

@@ -36,11 +36,19 @@ services:
     container_name: aifabrix-{{app.key}}-db-init
     env_file:
       - ${ADMIN_SECRETS_PATH}
+      - {{envFile}}
     environment:
       POSTGRES_DB: postgres
       PGHOST: postgres
       PGPORT: "5432"
       PGUSER: pgadmin
+      {{#if databases}}
+      {{#each databases}}
+      DB_{{@index}}_PASSWORD: {{lookup ../databasePasswords.array @index}}
+      {{/each}}
+      {{else}}
+      DB_PASSWORD: {{lookup databasePasswords.array 0}}
+      {{/if}}
     networks:
       - infra_aifabrix-network
     command: >
@@ -49,31 +57,33 @@ services:
         export PGPASSWORD=\"${POSTGRES_PASSWORD}\" &&
         echo 'Waiting for PostgreSQL to be ready...' &&
         counter=0 &&
-        while [ $counter -lt 30 ]; do
+        while [ ${counter:-0} -lt 30 ]; do
           if pg_isready -h postgres -p 5432 -U pgadmin >/dev/null 2>&1; then
             echo 'PostgreSQL is ready!'
             break
           fi
           echo 'Waiting for PostgreSQL...'
           sleep 1
-          counter=$((counter + 1))
+          counter=$((${counter:-0} + 1))
         done &&
         {{#if databases}}
         {{#each databases}}
         echo 'Creating {{name}} database and user...' &&
-        (psql -d postgres -c 'CREATE DATABASE {{name}};' || true) &&
-        (psql -d postgres -c \"CREATE USER {{name}}_user WITH PASSWORD '{{name}}_pass123';\" || true) &&
-        psql -d postgres -c 'GRANT ALL PRIVILEGES ON DATABASE {{name}} TO {{name}}_user;' || true &&
-        psql -d {{name}} -c 'ALTER SCHEMA public OWNER TO {{name}}_user;' || true &&
-        psql -d {{name}} -c 'GRANT ALL ON SCHEMA public TO {{name}}_user;' || true &&
+        (psql -d postgres -c \"CREATE DATABASE \\\"{{name}}\\\";\" || true) &&
+        (psql -d postgres -c \"DROP USER IF EXISTS {{pgUserOld name}};\" || true) &&
+        (psql -d postgres -c \"CREATE USER {{pgUser name}} WITH PASSWORD '${DB_{{@index}}_PASSWORD}';\" || true) &&
+        psql -d postgres -c \"GRANT ALL PRIVILEGES ON DATABASE \\\"{{name}}\\\" TO {{pgUser name}};\" || true &&
+        psql -d {{name}} -c \"ALTER SCHEMA public OWNER TO {{pgUser name}};\" || true &&
+        psql -d {{name}} -c \"GRANT ALL ON SCHEMA public TO {{pgUser name}};\" || true &&
         {{/each}}
         {{else}}
         echo 'Creating {{app.key}} database and user...' &&
-        (psql -d postgres -c 'CREATE DATABASE {{app.key}};' || true) &&
-        (psql -d postgres -c \"CREATE USER {{app.key}}_user WITH PASSWORD '{{app.key}}_pass123';\" || true) &&
-        psql -d postgres -c 'GRANT ALL PRIVILEGES ON DATABASE {{app.key}} TO {{app.key}}_user;' || true &&
-        psql -d {{app.key}} -c 'ALTER SCHEMA public OWNER TO {{app.key}}_user;' || true &&
-        psql -d {{app.key}} -c 'GRANT ALL ON SCHEMA public TO {{app.key}}_user;' || true &&
+        (psql -d postgres -c \"CREATE DATABASE \\\"{{app.key}}\\\";\" || true) &&
+        (psql -d postgres -c \"DROP USER IF EXISTS {{pgUserOld app.key}};\" || true) &&
+        (psql -d postgres -c \"CREATE USER {{pgUser app.key}} WITH PASSWORD '${DB_0_PASSWORD:-${DB_PASSWORD}}';\" || true) &&
+        psql -d postgres -c \"GRANT ALL PRIVILEGES ON DATABASE \\\"{{app.key}}\\\" TO {{pgUser app.key}};\" || true &&
+        psql -d {{app.key}} -c \"ALTER SCHEMA public OWNER TO {{pgUser app.key}};\" || true &&
+        psql -d {{app.key}} -c \"GRANT ALL ON SCHEMA public TO {{pgUser app.key}};\" || true &&
         {{/if}}
         echo 'Database initialization complete!'
       "

package/templates/typescript/docker-compose.hbs

@@ -36,11 +36,19 @@ services:
     container_name: aifabrix-{{app.key}}-db-init
     env_file:
       - ${ADMIN_SECRETS_PATH}
+      - {{envFile}}
     environment:
       POSTGRES_DB: postgres
       PGHOST: postgres
       PGPORT: "5432"
       PGUSER: pgadmin
+      {{#if databases}}
+      {{#each databases}}
+      DB_{{@index}}_PASSWORD: {{lookup ../databasePasswords.array @index}}
+      {{/each}}
+      {{else}}
+      DB_PASSWORD: {{lookup databasePasswords.array 0}}
+      {{/if}}
     networks:
       - infra_aifabrix-network
     command: >
@@ -49,31 +57,33 @@ services:
         export PGPASSWORD=\"${POSTGRES_PASSWORD}\" &&
         echo 'Waiting for PostgreSQL to be ready...' &&
         counter=0 &&
-        while [ $counter -lt 30 ]; do
+        while [ ${counter:-0} -lt 30 ]; do
           if pg_isready -h postgres -p 5432 -U pgadmin >/dev/null 2>&1; then
             echo 'PostgreSQL is ready!'
             break
           fi
           echo 'Waiting for PostgreSQL...'
           sleep 1
-          counter=$((counter + 1))
+          counter=$((${counter:-0} + 1))
         done &&
         {{#if databases}}
         {{#each databases}}
         echo 'Creating {{name}} database and user...' &&
-        (psql -d postgres -c 'CREATE DATABASE {{name}};' || true) &&
-        (psql -d postgres -c \"CREATE USER {{name}}_user WITH PASSWORD '{{name}}_pass123';\" || true) &&
-        psql -d postgres -c 'GRANT ALL PRIVILEGES ON DATABASE {{name}} TO {{name}}_user;' || true &&
-        psql -d {{name}} -c 'ALTER SCHEMA public OWNER TO {{name}}_user;' || true &&
-        psql -d {{name}} -c 'GRANT ALL ON SCHEMA public TO {{name}}_user;' || true &&
+        (psql -d postgres -c \"CREATE DATABASE \\\"{{name}}\\\";\" || true) &&
+        (psql -d postgres -c \"DROP USER IF EXISTS {{pgUserOld name}};\" || true) &&
+        (psql -d postgres -c \"CREATE USER {{pgUser name}} WITH PASSWORD '${DB_{{@index}}_PASSWORD}';\" || true) &&
+        psql -d postgres -c \"GRANT ALL PRIVILEGES ON DATABASE \\\"{{name}}\\\" TO {{pgUser name}};\" || true &&
+        psql -d {{name}} -c \"ALTER SCHEMA public OWNER TO {{pgUser name}};\" || true &&
+        psql -d {{name}} -c \"GRANT ALL ON SCHEMA public TO {{pgUser name}};\" || true &&
         {{/each}}
         {{else}}
         echo 'Creating {{app.key}} database and user...' &&
-        (psql -d postgres -c 'CREATE DATABASE {{app.key}};' || true) &&
-        (psql -d postgres -c \"CREATE USER {{app.key}}_user WITH PASSWORD '{{app.key}}_pass123';\" || true) &&
-        psql -d postgres -c 'GRANT ALL PRIVILEGES ON DATABASE {{app.key}} TO {{app.key}}_user;' || true &&
-        psql -d {{app.key}} -c 'ALTER SCHEMA public OWNER TO {{app.key}}_user;' || true &&
-        psql -d {{app.key}} -c 'GRANT ALL ON SCHEMA public TO {{app.key}}_user;' || true &&
+        (psql -d postgres -c \"CREATE DATABASE \\\"{{app.key}}\\\";\" || true) &&
+        (psql -d postgres -c \"DROP USER IF EXISTS {{pgUserOld app.key}};\" || true) &&
+        (psql -d postgres -c \"CREATE USER {{pgUser app.key}} WITH PASSWORD '${DB_0_PASSWORD:-${DB_PASSWORD}}';\" || true) &&
+        psql -d postgres -c \"GRANT ALL PRIVILEGES ON DATABASE \\\"{{app.key}}\\\" TO {{pgUser app.key}};\" || true &&
+        psql -d {{app.key}} -c \"ALTER SCHEMA public OWNER TO {{pgUser app.key}};\" || true &&
+        psql -d {{app.key}} -c \"GRANT ALL ON SCHEMA public TO {{pgUser app.key}};\" || true &&
         {{/if}}
         echo 'Database initialization complete!'
       "