@aifabrix/builder 2.1.6 → 2.2.0

package/lib/secrets.js

@@ -15,6 +15,8 @@ const yaml = require('js-yaml');
 const os = require('os');
 const chalk = require('chalk');
 const logger = require('./utils/logger');
+const config = require('./config');
+const devConfig = require('./utils/dev-config');
 const {
   generateMissingSecrets,
   createDefaultSecrets
@@ -23,6 +25,13 @@ const {
   resolveSecretsPath,
   getActualSecretsPath
 } = require('./utils/secrets-path');
+const {
+  loadUserSecrets,
+  loadBuildSecrets,
+  loadDefaultSecrets,
+  buildHostnameToServiceMap,
+  resolveUrlPort
+} = require('./utils/secrets-utils');
 
 /**
  * Loads environment configuration for docker/local context
@@ -34,35 +43,6 @@ function loadEnvConfig() {
   return yaml.load(content);
 }
 
-/**
- * Loads secrets from file with cascading lookup support
- * First checks ~/.aifabrix/secrets.local.yaml, then build.secrets from variables.yaml
- *
- * @async
- * @function loadSecretsFromFile
- * @param {string} filePath - Path to secrets file
- * @returns {Promise<Object>} Loaded secrets object or empty object if file doesn't exist
- */
-async function loadSecretsFromFile(filePath) {
-  if (!fs.existsSync(filePath)) {
-    return {};
-  }
-
-  try {
-    const content = fs.readFileSync(filePath, 'utf8');
-    const secrets = yaml.load(content);
-
-    if (!secrets || typeof secrets !== 'object') {
-      return {};
-    }
-
-    return secrets;
-  } catch (error) {
-    logger.warn(`Warning: Could not read secrets file ${filePath}: ${error.message}`);
-    return {};
-  }
-}
-
 /**
  * Loads secrets with cascading lookup
  * Supports both user secrets (~/.aifabrix/secrets.local.yaml) and project overrides
@@ -98,76 +78,16 @@ async function loadSecrets(secretsPath, appName) {
   }
 
   // Cascading lookup: user's file first
-  const userSecretsPath = path.join(os.homedir(), '.aifabrix', 'secrets.local.yaml');
-  let mergedSecrets;
-  if (fs.existsSync(userSecretsPath)) {
-    try {
-      const content = fs.readFileSync(userSecretsPath, 'utf8');
-      const secrets = yaml.load(content);
-      if (!secrets || typeof secrets !== 'object') {
-        throw new Error(`Invalid secrets file format: ${userSecretsPath}`);
-      }
-      mergedSecrets = secrets;
-    } catch (error) {
-      // If it's a format error, throw it; otherwise log warning and continue
-      if (error.message.includes('Invalid secrets file format')) {
-        throw error;
-      }
-      logger.warn(`Warning: Could not read secrets file ${userSecretsPath}: ${error.message}`);
-      mergedSecrets = {};
-    }
-  } else {
-    mergedSecrets = {};
-  }
+  let mergedSecrets = loadUserSecrets();
 
   // Then check build.secrets from variables.yaml if appName provided
   if (appName) {
-    const variablesPath = path.join(process.cwd(), 'builder', appName, 'variables.yaml');
-    if (fs.existsSync(variablesPath)) {
-      try {
-        const variablesContent = fs.readFileSync(variablesPath, 'utf8');
-        const variables = yaml.load(variablesContent);
-
-        if (variables?.build?.secrets) {
-          const buildSecretsPath = path.resolve(
-            path.dirname(variablesPath),
-            variables.build.secrets
-          );
-
-          const buildSecrets = await loadSecretsFromFile(buildSecretsPath);
-
-          // Merge: user's file takes priority, but use build.secrets for missing/empty values
-          for (const [key, value] of Object.entries(buildSecrets)) {
-            if (!(key in mergedSecrets) || !mergedSecrets[key] || mergedSecrets[key] === '') {
-              mergedSecrets[key] = value;
-            }
-          }
-        }
-      } catch (error) {
-        logger.warn(`Warning: Could not load build.secrets from variables.yaml: ${error.message}`);
-      }
-    }
+    mergedSecrets = await loadBuildSecrets(mergedSecrets, appName);
   }
 
   // If still no secrets found, try default location
   if (Object.keys(mergedSecrets).length === 0) {
-    const defaultPath = path.join(os.homedir(), '.aifabrix', 'secrets.yaml');
-    if (fs.existsSync(defaultPath)) {
-      try {
-        const content = fs.readFileSync(defaultPath, 'utf8');
-        const secrets = yaml.load(content);
-        if (!secrets || typeof secrets !== 'object') {
-          throw new Error(`Invalid secrets file format: ${defaultPath}`);
-        }
-        mergedSecrets = secrets;
-      } catch (error) {
-        // If it's a format error, throw it; otherwise log warning
-        if (error.message.includes('Invalid secrets file format')) {
-          throw error;
-        }
-        logger.warn(`Warning: Could not read secrets file ${defaultPath}: ${error.message}`);
-      }
-    }
+    mergedSecrets = loadDefaultSecrets();
   }
 
   // If still empty, throw error
@@ -187,7 +107,9 @@ async function loadSecrets(secretsPath, appName) {
  * @param {string} envTemplate - Environment template content
  * @param {Object} secrets - Secrets object from loadSecrets()
  * @param {string} [environment='local'] - Environment context (docker/local)
- * @param {string} [secretsFilePath] - Path to secrets file (for error messages)
+ * @param {Object|string|null} [secretsFilePaths] - Paths object with userPath and buildPath, or string path (for backward compatibility)
+ * @param {string} [secretsFilePaths.userPath] - User's secrets file path
+ * @param {string|null} [secretsFilePaths.buildPath] - App's build.secrets file path (if configured)
  * @returns {Promise<string>} Resolved environment content
  * @throws {Error} If kv:// reference cannot be resolved
  *
@@ -195,7 +117,7 @@ async function loadSecrets(secretsPath, appName) {
  * const resolved = await resolveKvReferences(template, secrets, 'local');
  * // Returns: 'DATABASE_URL=postgresql://user:pass@localhost:5432/db'
  */
-async function resolveKvReferences(envTemplate, secrets, environment = 'local', secretsFilePath = null) {
+async function resolveKvReferences(envTemplate, secrets, environment = 'local', secretsFilePaths = null) {
   const envConfig = loadEnvConfig();
   const envVars = envConfig.environments[environment] || envConfig.environments.local;
 
@@ -216,7 +138,20 @@ async function resolveKvReferences(envTemplate, secrets, environment = 'local',
   }
 
   if (missingSecrets.length > 0) {
-    const fileInfo = secretsFilePath ? `\n\nSecrets file location: ${secretsFilePath}` : '';
+    let fileInfo = '';
+    if (secretsFilePaths) {
+      // Handle backward compatibility: if it's a string, use it as-is
+      if (typeof secretsFilePaths === 'string') {
+        fileInfo = `\n\nSecrets file location: ${secretsFilePaths}`;
+      } else if (typeof secretsFilePaths === 'object' && secretsFilePaths.userPath) {
+        // New format: show both paths if buildPath is configured
+        const paths = [secretsFilePaths.userPath];
+        if (secretsFilePaths.buildPath) {
+          paths.push(secretsFilePaths.buildPath);
+        }
+        fileInfo = `\n\nSecrets file location: ${paths.join(' and ')}`;
+      }
+    }
     throw new Error(`Missing secrets: ${missingSecrets.join(', ')}${fileInfo}`);
   }
 
@@ -235,6 +170,36 @@ async function resolveKvReferences(envTemplate, secrets, environment = 'local',
   return resolved;
 }
 
+/**
+ * Resolves service ports in URLs within .env content for Docker environment
+ * Replaces ports in URLs with containerPort from service's variables.yaml
+ *
+ * @function resolveServicePortsInEnvContent
+ * @param {string} envContent - Resolved .env file content
+ * @param {string} environment - Environment context (docker/local)
+ * @returns {string} Content with resolved ports
+ */
+function resolveServicePortsInEnvContent(envContent, environment) {
+  // Only process docker environment
+  if (environment !== 'docker') {
+    return envContent;
+  }
+
+  const envConfig = loadEnvConfig();
+  const dockerHosts = envConfig.environments.docker || {};
+  const hostnameToService = buildHostnameToServiceMap(dockerHosts);
+
+  // Pattern to match URLs: http://hostname:port or https://hostname:port
+  // Matches: protocol://hostname:port/path?query
+  // Captures: protocol, hostname, port, and optional path/query
+  // Note: [^\s\n]* matches any non-whitespace characters except newline (stops at end of line)
+  const urlPattern = /(https?:\/\/)([a-zA-Z0-9-]+):(\d+)([^\s\n]*)?/g;
+
+  return envContent.replace(urlPattern, (match, protocol, hostname, port, urlPath = '') => {
+    return resolveUrlPort(protocol, hostname, port, urlPath || '', hostnameToService);
+  });
+}
+
 /**
  * Loads environment template from file
  * @function loadEnvTemplate
@@ -324,15 +289,36 @@ async function generateEnvFile(appName, secretsPath, environment = 'local', forc
 
   const template = loadEnvTemplate(templatePath);
 
-  // Resolve secrets path to show in error messages (use actual path that loadSecrets would use)
-  const resolvedSecretsPath = getActualSecretsPath(secretsPath, appName);
+  // Resolve secrets paths to show in error messages (use actual paths that loadSecrets would use)
+  const secretsPaths = getActualSecretsPath(secretsPath, appName);
 
   if (force) {
-    await generateMissingSecrets(template, resolvedSecretsPath);
+    // Use userPath for generating missing secrets (priority file)
+    await generateMissingSecrets(template, secretsPaths.userPath);
   }
 
   const secrets = await loadSecrets(secretsPath, appName);
-  const resolved = await resolveKvReferences(template, secrets, environment, resolvedSecretsPath);
+  let resolved = await resolveKvReferences(template, secrets, environment, secretsPaths);
+
+  // Resolve service ports in URLs for docker environment
+  if (environment === 'docker') {
+    resolved = resolveServicePortsInEnvContent(resolved, environment);
+  }
+
+  // For local environment, update infrastructure ports to use dev-specific ports
+  if (environment === 'local') {
+    const devId = await config.getDeveloperId();
+    const ports = devConfig.getDevPorts(devId);
+
+    // Update DATABASE_PORT if present
+    resolved = resolved.replace(/^DATABASE_PORT\s*=\s*.*$/m, `DATABASE_PORT=${ports.postgres}`);
+
+    // Update REDIS_URL if present (format: redis://localhost:port)
+    resolved = resolved.replace(/^REDIS_URL\s*=\s*redis:\/\/localhost:\d+/m, `REDIS_URL=redis://localhost:${ports.redis}`);
+
+    // Update REDIS_HOST if it contains a port
+    resolved = resolved.replace(/^REDIS_HOST\s*=\s*localhost:\d+/m, `REDIS_HOST=localhost:${ports.redis}`);
+  }
 
   fs.writeFileSync(envPath, resolved, { mode: 0o600 });