@aifabrix/builder 2.1.5 → 2.1.7

package/lib/commands/app.js

@@ -16,6 +16,8 @@ const yaml = require('js-yaml');
 const { getConfig } = require('../config');
 const { authenticatedApiCall } = require('../utils/api');
 const logger = require('../utils/logger');
+const { saveLocalSecret, isLocalhost } = require('../utils/local-secrets');
+const { updateEnvTemplate } = require('../utils/env-template');
 
 // Import createApp to auto-generate config if missing
 let createApp;
@@ -312,6 +314,26 @@ function setupAppCommands(program) {
           registrationData
         );
 
+        // Save credentials to local secrets if localhost
+        if (isLocalhost(config.apiUrl)) {
+          const appKey = responseData.application.key;
+          const clientIdKey = `${appKey}-client-idKeyVault`;
+          const clientSecretKey = `${appKey}-client-secretKeyVault`;
+
+          try {
+            await saveLocalSecret(clientIdKey, responseData.credentials.clientId);
+            await saveLocalSecret(clientSecretKey, responseData.credentials.clientSecret);
+
+            // Update env.template
+            await updateEnvTemplate(appKey, clientIdKey, clientSecretKey);
+
+            logger.log(chalk.green('\n✓ Credentials saved to ~/.aifabrix/secrets.local.yaml'));
+            logger.log(chalk.green('✓ env.template updated with MISO_CLIENTID and MISO_CLIENTSECRET\n'));
+          } catch (error) {
+            logger.warn(chalk.yellow(`⚠️  Could not save credentials locally: ${error.message}`));
+          }
+        }
+
         // Display results
         displayRegistrationResults(responseData, config.apiUrl);
 
@@ -403,6 +425,27 @@ function setupAppCommands(program) {
         logger.log(chalk.yellow(`   Client Secret: ${response.data.credentials.clientSecret}\n`));
         logger.log(chalk.red('⚠️  Old secret is now invalid. Update GitHub Secrets!\n'));
 
+        // Save credentials to local secrets if localhost
+        if (isLocalhost(config.apiUrl)) {
+          const appKey = response.data.application?.key || options.app;
+          const clientIdKey = `${appKey}-client-idKeyVault`;
+          const clientSecretKey = `${appKey}-client-secretKeyVault`;
+
+          try {
+            await saveLocalSecret(clientIdKey, response.data.credentials.clientId);
+            await saveLocalSecret(clientSecretKey, response.data.credentials.clientSecret);
+
+            // Update env.template
+            await updateEnvTemplate(appKey, clientIdKey, clientSecretKey);
+
+            logger.log(chalk.green('✓ Credentials saved to ~/.aifabrix/secrets.local.yaml'));
+            logger.log(chalk.green('✓ env.template updated with MISO_CLIENTID and MISO_CLIENTSECRET'));
+            logger.log('');
+          } catch (error) {
+            logger.warn(chalk.yellow(`⚠️  Could not save credentials locally: ${error.message}`));
+          }
+        }
+
       } catch (error) {
         logger.error(chalk.red('❌ Rotation failed:'), error.message);
         process.exit(1);

package/lib/secrets.js

@@ -19,6 +19,17 @@ const {
   generateMissingSecrets,
   createDefaultSecrets
 } = require('./utils/secrets-generator');
+const {
+  resolveSecretsPath,
+  getActualSecretsPath
+} = require('./utils/secrets-path');
+const {
+  loadUserSecrets,
+  loadBuildSecrets,
+  loadDefaultSecrets,
+  buildHostnameToServiceMap,
+  resolveUrlPort
+} = require('./utils/secrets-utils');
 
 /**
  * Loads environment configuration for docker/local context
@@ -31,73 +42,58 @@ function loadEnvConfig() {
 }
 
 /**
- * Loads secrets from the specified file or default location
- * Supports both user secrets (~/.aifabrix/secrets.yaml) and project overrides
+ * Loads secrets with cascading lookup
+ * Supports both user secrets (~/.aifabrix/secrets.local.yaml) and project overrides
+ * User's file takes priority, then falls back to build.secrets from variables.yaml
  *
  * @async
  * @function loadSecrets
- * @param {string} [secretsPath] - Path to secrets file (optional)
+ * @param {string} [secretsPath] - Path to secrets file (optional, for explicit override)
+ * @param {string} [appName] - Application name (optional, for variables.yaml lookup)
  * @returns {Promise<Object>} Loaded secrets object
- * @throws {Error} If secrets file cannot be loaded or parsed
+ * @throws {Error} If no secrets file found and no fallback available
  *
  * @example
  * const secrets = await loadSecrets('../../secrets.local.yaml');
  * // Returns: { 'postgres-passwordKeyVault': 'admin123', ... }
  */
-async function loadSecrets(secretsPath) {
-  const resolvedPath = resolveSecretsPath(secretsPath);
+async function loadSecrets(secretsPath, appName) {
+  // If explicit path provided, use it (backward compatibility)
+  if (secretsPath) {
+    const resolvedPath = resolveSecretsPath(secretsPath);
+    if (!fs.existsSync(resolvedPath)) {
+      throw new Error(`Secrets file not found: ${resolvedPath}`);
+    }
 
-  if (!fs.existsSync(resolvedPath)) {
-    throw new Error(`Secrets file not found: ${resolvedPath}`);
-  }
+    const content = fs.readFileSync(resolvedPath, 'utf8');
+    const secrets = yaml.load(content);
 
-  const content = fs.readFileSync(resolvedPath, 'utf8');
-  const secrets = yaml.load(content);
+    if (!secrets || typeof secrets !== 'object') {
+      throw new Error(`Invalid secrets file format: ${resolvedPath}`);
+    }
 
-  if (!secrets || typeof secrets !== 'object') {
-    throw new Error(`Invalid secrets file format: ${resolvedPath}`);
+    return secrets;
   }
 
-  return secrets;
-}
+  // Cascading lookup: user's file first
+  let mergedSecrets = loadUserSecrets();
 
-/**
- * Resolves secrets file path (same logic as loadSecrets)
- * Also checks common locations if path is not provided
- * @function resolveSecretsPath
- * @param {string} [secretsPath] - Path to secrets file (optional)
- * @returns {string} Resolved secrets file path
- */
-function resolveSecretsPath(secretsPath) {
-  let resolvedPath = secretsPath;
-
-  if (!resolvedPath) {
-    // Check common locations for secrets.local.yaml
-    const commonLocations = [
-      path.join(process.cwd(), '..', 'aifabrix-setup', 'secrets.local.yaml'),
-      path.join(process.cwd(), '..', '..', 'aifabrix-setup', 'secrets.local.yaml'),
-      path.join(process.cwd(), 'secrets.local.yaml'),
-      path.join(process.cwd(), '..', 'secrets.local.yaml'),
-      path.join(os.homedir(), '.aifabrix', 'secrets.yaml')
-    ];
-
-    // Find first existing file
-    for (const location of commonLocations) {
-      if (fs.existsSync(location)) {
-        resolvedPath = location;
-        break;
-      }
-    }
+  // Then check build.secrets from variables.yaml if appName provided
+  if (appName) {
+    mergedSecrets = await loadBuildSecrets(mergedSecrets, appName);
+  }
 
-    // If none found, use default location
-    if (!resolvedPath) {
-      resolvedPath = path.join(os.homedir(), '.aifabrix', 'secrets.yaml');
-    }
-  } else if (secretsPath.startsWith('..')) {
-    resolvedPath = path.resolve(process.cwd(), secretsPath);
+  // If still no secrets found, try default location
+  if (Object.keys(mergedSecrets).length === 0) {
+    mergedSecrets = loadDefaultSecrets();
+  }
+
+  // If still empty, throw error
+  if (Object.keys(mergedSecrets).length === 0) {
+    throw new Error('No secrets file found. Please create ~/.aifabrix/secrets.local.yaml or configure build.secrets in variables.yaml');
   }
 
-  return resolvedPath;
+  return mergedSecrets;
 }
 
 /**
@@ -109,7 +105,9 @@ function resolveSecretsPath(secretsPath) {
  * @param {string} envTemplate - Environment template content
  * @param {Object} secrets - Secrets object from loadSecrets()
  * @param {string} [environment='local'] - Environment context (docker/local)
- * @param {string} [secretsFilePath] - Path to secrets file (for error messages)
+ * @param {Object|string|null} [secretsFilePaths] - Paths object with userPath and buildPath, or string path (for backward compatibility)
+ * @param {string} [secretsFilePaths.userPath] - User's secrets file path
+ * @param {string|null} [secretsFilePaths.buildPath] - App's build.secrets file path (if configured)
  * @returns {Promise<string>} Resolved environment content
  * @throws {Error} If kv:// reference cannot be resolved
  *
@@ -117,7 +115,7 @@ function resolveSecretsPath(secretsPath) {
  * const resolved = await resolveKvReferences(template, secrets, 'local');
  * // Returns: 'DATABASE_URL=postgresql://user:pass@localhost:5432/db'
  */
-async function resolveKvReferences(envTemplate, secrets, environment = 'local', secretsFilePath = null) {
+async function resolveKvReferences(envTemplate, secrets, environment = 'local', secretsFilePaths = null) {
   const envConfig = loadEnvConfig();
   const envVars = envConfig.environments[environment] || envConfig.environments.local;
 
@@ -138,7 +136,20 @@ async function resolveKvReferences(envTemplate, secrets, environment = 'local',
   }
 
   if (missingSecrets.length > 0) {
-    const fileInfo = secretsFilePath ? `\n\nSecrets file location: ${secretsFilePath}` : '';
+    let fileInfo = '';
+    if (secretsFilePaths) {
+      // Handle backward compatibility: if it's a string, use it as-is
+      if (typeof secretsFilePaths === 'string') {
+        fileInfo = `\n\nSecrets file location: ${secretsFilePaths}`;
+      } else if (typeof secretsFilePaths === 'object' && secretsFilePaths.userPath) {
+        // New format: show both paths if buildPath is configured
+        const paths = [secretsFilePaths.userPath];
+        if (secretsFilePaths.buildPath) {
+          paths.push(secretsFilePaths.buildPath);
+        }
+        fileInfo = `\n\nSecrets file location: ${paths.join(' and ')}`;
+      }
+    }
     throw new Error(`Missing secrets: ${missingSecrets.join(', ')}${fileInfo}`);
   }
 
@@ -157,6 +168,36 @@ async function resolveKvReferences(envTemplate, secrets, environment = 'local',
   return resolved;
 }
 
+/**
+ * Resolves service ports in URLs within .env content for Docker environment
+ * Replaces ports in URLs with containerPort from service's variables.yaml
+ *
+ * @function resolveServicePortsInEnvContent
+ * @param {string} envContent - Resolved .env file content
+ * @param {string} environment - Environment context (docker/local)
+ * @returns {string} Content with resolved ports
+ */
+function resolveServicePortsInEnvContent(envContent, environment) {
+  // Only process docker environment
+  if (environment !== 'docker') {
+    return envContent;
+  }
+
+  const envConfig = loadEnvConfig();
+  const dockerHosts = envConfig.environments.docker || {};
+  const hostnameToService = buildHostnameToServiceMap(dockerHosts);
+
+  // Pattern to match URLs: http://hostname:port or https://hostname:port
+  // Matches: protocol://hostname:port/path?query
+  // Captures: protocol, hostname, port, and optional path/query
+  // Note: [^\s\n]* matches any non-whitespace characters except newline (stops at end of line)
+  const urlPattern = /(https?:\/\/)([a-zA-Z0-9-]+):(\d+)([^\s\n]*)?/g;
+
+  return envContent.replace(urlPattern, (match, protocol, hostname, port, urlPath = '') => {
+    return resolveUrlPort(protocol, hostname, port, urlPath || '', hostnameToService);
+  });
+}
+
 /**
  * Loads environment template from file
  * @function loadEnvTemplate
@@ -246,15 +287,21 @@ async function generateEnvFile(appName, secretsPath, environment = 'local', forc
 
   const template = loadEnvTemplate(templatePath);
 
-  // Resolve secrets path to show in error messages
-  const resolvedSecretsPath = resolveSecretsPath(secretsPath);
+  // Resolve secrets paths to show in error messages (use actual paths that loadSecrets would use)
+  const secretsPaths = getActualSecretsPath(secretsPath, appName);
 
   if (force) {
-    await generateMissingSecrets(template, resolvedSecretsPath);
+    // Use userPath for generating missing secrets (priority file)
+    await generateMissingSecrets(template, secretsPaths.userPath);
   }
 
-  const secrets = await loadSecrets(secretsPath);
-  const resolved = await resolveKvReferences(template, secrets, environment, resolvedSecretsPath);
+  const secrets = await loadSecrets(secretsPath, appName);
+  let resolved = await resolveKvReferences(template, secrets, environment, secretsPaths);
+
+  // Resolve service ports in URLs for docker environment
+  if (environment === 'docker') {
+    resolved = resolveServicePortsInEnvContent(resolved, environment);
+  }
 
   fs.writeFileSync(envPath, resolved, { mode: 0o600 });
 

package/lib/utils/env-template.js

@@ -0,0 +1,70 @@
+/**
+ * Environment Template Utilities
+ *
+ * Helper functions for updating env.template files
+ *
+ * @fileoverview Environment template update utilities
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const fs = require('fs').promises;
+const fsSync = require('fs');
+const path = require('path');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+
+/**
+ * Updates env.template to add MISO_CLIENTID and MISO_CLIENTSECRET entries
+ * @async
+ * @param {string} appKey - Application key
+ * @param {string} clientIdKey - Secret key for client ID (e.g., 'myapp-client-idKeyVault')
+ * @param {string} clientSecretKey - Secret key for client secret (e.g., 'myapp-client-secretKeyVault')
+ * @returns {Promise<void>} Resolves when template is updated
+ */
+async function updateEnvTemplate(appKey, clientIdKey, clientSecretKey) {
+  const envTemplatePath = path.join(process.cwd(), 'builder', appKey, 'env.template');
+
+  if (!fsSync.existsSync(envTemplatePath)) {
+    logger.warn(chalk.yellow(`⚠️  env.template not found for ${appKey}, skipping update`));
+    return;
+  }
+
+  try {
+    let content = await fs.readFile(envTemplatePath, 'utf8');
+
+    // Check if MISO_CLIENTID already exists
+    const hasClientId = /^MISO_CLIENTID\s*=/m.test(content);
+    const hasClientSecret = /^MISO_CLIENTSECRET\s*=/m.test(content);
+
+    if (hasClientId && hasClientSecret) {
+      // Update existing entries
+      content = content.replace(/^MISO_CLIENTID\s*=.*$/m, `MISO_CLIENTID=kv://${clientIdKey}`);
+      content = content.replace(/^MISO_CLIENTSECRET\s*=.*$/m, `MISO_CLIENTSECRET=kv://${clientSecretKey}`);
+    } else {
+      // Add new section if not present
+      const misoSection = `# MISO Application Client Credentials (per application)
+MISO_CLIENTID=kv://${clientIdKey}
+MISO_CLIENTSECRET=kv://${clientSecretKey}
+`;
+
+      // Try to find a good place to insert (after last section or at end)
+      const lastSectionMatch = content.match(/# =+.*$/gm);
+      if (lastSectionMatch && lastSectionMatch.length > 0) {
+        const lastSectionIndex = content.lastIndexOf(lastSectionMatch[lastSectionMatch.length - 1]);
+        const insertIndex = content.indexOf('\n', lastSectionIndex) + 1;
+        content = content.slice(0, insertIndex) + '\n' + misoSection + content.slice(insertIndex);
+      } else {
+        content = content + '\n' + misoSection;
+      }
+    }
+
+    await fs.writeFile(envTemplatePath, content, 'utf8');
+    logger.log(chalk.green(`✓ Updated env.template for ${appKey}`));
+  } catch (error) {
+    logger.warn(chalk.yellow(`⚠️  Could not update env.template: ${error.message}`));
+  }
+}
+
+module.exports = { updateEnvTemplate };
+

package/lib/utils/local-secrets.js

@@ -0,0 +1,98 @@
+/**
+ * Local Secrets Management Utilities
+ *
+ * Helper functions for managing local secrets in ~/.aifabrix/secrets.local.yaml
+ *
+ * @fileoverview Local secrets management utilities
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const fs = require('fs');
+const path = require('path');
+const yaml = require('js-yaml');
+const os = require('os');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+
+/**
+ * Saves a secret to ~/.aifabrix/secrets.local.yaml
+ * Merges with existing secrets without overwriting other keys
+ *
+ * @async
+ * @function saveLocalSecret
+ * @param {string} key - Secret key name
+ * @param {string} value - Secret value
+ * @returns {Promise<void>} Resolves when secret is saved
+ * @throws {Error} If save fails
+ *
+ * @example
+ * await saveLocalSecret('myapp-client-idKeyVault', 'client-id-value');
+ */
+async function saveLocalSecret(key, value) {
+  if (!key || typeof key !== 'string') {
+    throw new Error('Secret key is required and must be a string');
+  }
+
+  if (value === undefined || value === null) {
+    throw new Error('Secret value is required');
+  }
+
+  const secretsPath = path.join(os.homedir(), '.aifabrix', 'secrets.local.yaml');
+  const secretsDir = path.dirname(secretsPath);
+
+  // Create directory if needed
+  if (!fs.existsSync(secretsDir)) {
+    fs.mkdirSync(secretsDir, { recursive: true, mode: 0o700 });
+  }
+
+  // Load existing secrets
+  let existingSecrets = {};
+  if (fs.existsSync(secretsPath)) {
+    try {
+      const content = fs.readFileSync(secretsPath, 'utf8');
+      existingSecrets = yaml.load(content) || {};
+      if (typeof existingSecrets !== 'object') {
+        existingSecrets = {};
+      }
+    } catch (error) {
+      logger.warn(`Warning: Could not read existing secrets file: ${error.message}`);
+      existingSecrets = {};
+    }
+  }
+
+  // Merge with new secret
+  const updatedSecrets = {
+    ...existingSecrets,
+    [key]: value
+  };
+
+  // Save to file
+  const yamlContent = yaml.dump(updatedSecrets, {
+    indent: 2,
+    lineWidth: 120,
+    noRefs: true,
+    sortKeys: false
+  });
+
+  fs.writeFileSync(secretsPath, yamlContent, { mode: 0o600 });
+  logger.log(chalk.green(`✓ Saved secret ${key} to ${secretsPath}`));
+}
+
+/**
+ * Checks if a URL is localhost
+ * @function isLocalhost
+ * @param {string} url - URL to check
+ * @returns {boolean} True if URL is localhost
+ */
+function isLocalhost(url) {
+  if (!url || typeof url !== 'string') {
+    return false;
+  }
+
+  const urlLower = url.toLowerCase();
+  return urlLower.includes('localhost') || urlLower.includes('127.0.0.1');
+}
+
+module.exports = { saveLocalSecret, isLocalhost };
+

package/lib/utils/secrets-path.js

@@ -0,0 +1,111 @@
+/**
+ * AI Fabrix Builder Secrets Path Resolution
+ *
+ * This module handles secrets file path resolution with cascading lookup support.
+ * Determines the actual path that would be used for loading secrets.
+ *
+ * @fileoverview Secrets path resolution utilities for AI Fabrix Builder
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const yaml = require('js-yaml');
+
+/**
+ * Resolves secrets file path (backward compatibility)
+ * Checks common locations if path is not provided
+ * @function resolveSecretsPath
+ * @param {string} [secretsPath] - Path to secrets file (optional)
+ * @returns {string} Resolved secrets file path
+ */
+function resolveSecretsPath(secretsPath) {
+  let resolvedPath = secretsPath;
+
+  if (!resolvedPath) {
+    // Check common locations for secrets.local.yaml
+    const commonLocations = [
+      path.join(process.cwd(), '..', 'aifabrix-setup', 'secrets.local.yaml'),
+      path.join(process.cwd(), '..', '..', 'aifabrix-setup', 'secrets.local.yaml'),
+      path.join(process.cwd(), 'secrets.local.yaml'),
+      path.join(process.cwd(), '..', 'secrets.local.yaml'),
+      path.join(os.homedir(), '.aifabrix', 'secrets.yaml')
+    ];
+
+    // Find first existing file
+    for (const location of commonLocations) {
+      if (fs.existsSync(location)) {
+        resolvedPath = location;
+        break;
+      }
+    }
+
+    // If none found, use default location
+    if (!resolvedPath) {
+      resolvedPath = path.join(os.homedir(), '.aifabrix', 'secrets.yaml');
+    }
+  } else if (secretsPath.startsWith('..')) {
+    resolvedPath = path.resolve(process.cwd(), secretsPath);
+  }
+
+  return resolvedPath;
+}
+
+/**
+ * Determines the actual secrets file paths that loadSecrets would use
+ * Mirrors the cascading lookup logic from loadSecrets
+ * @function getActualSecretsPath
+ * @param {string} [secretsPath] - Path to secrets file (optional)
+ * @param {string} [appName] - Application name (optional, for variables.yaml lookup)
+ * @returns {Object} Object with userPath and buildPath (if configured)
+ * @returns {string} returns.userPath - User's secrets file path (~/.aifabrix/secrets.local.yaml)
+ * @returns {string|null} returns.buildPath - App's build.secrets file path (if configured in variables.yaml)
+ */
+function getActualSecretsPath(secretsPath, appName) {
+  // If explicit path provided, use it (backward compatibility)
+  if (secretsPath) {
+    const resolvedPath = resolveSecretsPath(secretsPath);
+    return {
+      userPath: resolvedPath,
+      buildPath: null
+    };
+  }
+
+  // Cascading lookup: user's file first
+  const userSecretsPath = path.join(os.homedir(), '.aifabrix', 'secrets.local.yaml');
+
+  // Check build.secrets from variables.yaml if appName provided
+  let buildSecretsPath = null;
+  if (appName) {
+    const variablesPath = path.join(process.cwd(), 'builder', appName, 'variables.yaml');
+    if (fs.existsSync(variablesPath)) {
+      try {
+        const variablesContent = fs.readFileSync(variablesPath, 'utf8');
+        const variables = yaml.load(variablesContent);
+
+        if (variables?.build?.secrets) {
+          buildSecretsPath = path.resolve(
+            path.dirname(variablesPath),
+            variables.build.secrets
+          );
+        }
+      } catch (error) {
+        // Ignore errors, continue
+      }
+    }
+  }
+
+  // Return both paths (even if files don't exist) for error messages
+  return {
+    userPath: userSecretsPath,
+    buildPath: buildSecretsPath
+  };
+}
+
+module.exports = {
+  resolveSecretsPath,
+  getActualSecretsPath
+};
+