@aifabrix/builder 2.1.7 → 2.2.0

package/lib/commands/app.js

@@ -9,246 +9,11 @@
  * @version 2.0.0
  */
 
-const fs = require('fs').promises;
-const path = require('path');
 const chalk = require('chalk');
-const yaml = require('js-yaml');
-const { getConfig } = require('../config');
-const { authenticatedApiCall } = require('../utils/api');
 const logger = require('../utils/logger');
-const { saveLocalSecret, isLocalhost } = require('../utils/local-secrets');
-const { updateEnvTemplate } = require('../utils/env-template');
-
-// Import createApp to auto-generate config if missing
-let createApp;
-try {
-  createApp = require('../app').createApp;
-} catch {
-  createApp = null;
-}
-
-/**
- * Validation schema for application registration
- */
-const registerApplicationSchema = {
-  environmentId: (val) => {
-    if (!val || val.length < 1) {
-      throw new Error('Invalid environment ID format');
-    }
-    return val;
-  },
-  key: (val) => {
-    if (!val || val.length < 1) {
-      throw new Error('Application key is required');
-    }
-    if (val.length > 50) {
-      throw new Error('Application key must be at most 50 characters');
-    }
-    if (!/^[a-z0-9-]+$/.test(val)) {
-      throw new Error('Application key must contain only lowercase letters, numbers, and hyphens');
-    }
-    return val;
-  },
-  displayName: (val) => {
-    if (!val || val.length < 1) {
-      throw new Error('Display name is required');
-    }
-    if (val.length > 100) {
-      throw new Error('Display name must be at most 100 characters');
-    }
-    return val;
-  },
-  description: (val) => val || undefined,
-  configuration: (val) => {
-    const validTypes = ['webapp', 'api', 'service', 'functionapp'];
-    const validRegistryModes = ['acr', 'external', 'public'];
-
-    if (!val || !val.type || !validTypes.includes(val.type)) {
-      throw new Error('Configuration type must be one of: webapp, api, service, functionapp');
-    }
-    if (!val.registryMode || !validRegistryModes.includes(val.registryMode)) {
-      throw new Error('Registry mode must be one of: acr, external, public');
-    }
-    if (val.port !== undefined) {
-      if (!Number.isInteger(val.port) || val.port < 1 || val.port > 65535) {
-        throw new Error('Port must be an integer between 1 and 65535');
-      }
-    }
-    return val;
-  }
-};
-
-/**
- * Load variables.yaml file for an application
- * @async
- * @param {string} appKey - Application key
- * @returns {Promise<{variables: Object, created: boolean}>} Variables and creation flag
- */
-async function loadVariablesYaml(appKey) {
-  const variablesPath = path.join(process.cwd(), 'builder', appKey, 'variables.yaml');
-
-  try {
-    const variablesContent = await fs.readFile(variablesPath, 'utf-8');
-    return { variables: yaml.load(variablesContent), created: false };
-  } catch (error) {
-    if (error.code === 'ENOENT') {
-      logger.log(chalk.yellow(`⚠️  variables.yaml not found for ${appKey}`));
-      logger.log(chalk.yellow('📝 Creating minimal configuration...\n'));
-      return { variables: null, created: true };
-    }
-    throw new Error(`Failed to read variables.yaml: ${error.message}`);
-  }
-}
-
-/**
- * Create minimal application configuration if needed
- * @async
- * @param {string} appKey - Application key
- * @param {Object} options - Registration options
- * @returns {Promise<Object>} Variables after creation
- */
-async function createMinimalAppIfNeeded(appKey, options) {
-  if (!createApp) {
-    throw new Error('Cannot auto-create application: createApp function not available');
-  }
-
-  await createApp(appKey, {
-    port: options.port,
-    language: 'typescript',
-    database: false,
-    redis: false,
-    storage: false,
-    authentication: false
-  });
-
-  const variablesPath = path.join(process.cwd(), 'builder', appKey, 'variables.yaml');
-  const variablesContent = await fs.readFile(variablesPath, 'utf-8');
-  return yaml.load(variablesContent);
-}
-
-/**
- * Extract application configuration from variables.yaml
- * @param {Object} variables - Variables from YAML file
- * @param {string} appKey - Application key
- * @param {Object} options - Registration options
- * @returns {Object} Extracted configuration
- */
-function extractAppConfiguration(variables, appKey, options) {
-  const appKeyFromFile = variables.app?.key || appKey;
-  const displayName = variables.app?.name || options.name || appKey;
-  const description = variables.app?.description || '';
-  const appType = variables.build?.language === 'typescript' ? 'webapp' : 'service';
-  const registryMode = 'external';
-  const port = variables.build?.port || options.port || 3000;
-  const language = variables.build?.language || 'typescript';
-
-  return {
-    appKey: appKeyFromFile,
-    displayName,
-    description,
-    appType,
-    registryMode,
-    port,
-    language
-  };
-}
-
-/**
- * Validate application registration data
- * @param {Object} config - Application configuration
- * @param {string} originalAppKey - Original app key for error messages
- * @throws {Error} If validation fails
- */
-function validateAppRegistrationData(config, originalAppKey) {
-  const missingFields = [];
-  if (!config.appKey) missingFields.push('app.key');
-  if (!config.displayName) missingFields.push('app.name');
-
-  if (missingFields.length > 0) {
-    logger.error(chalk.red('❌ Missing required fields in variables.yaml:'));
-    missingFields.forEach(field => logger.error(chalk.red(`   - ${field}`)));
-    logger.error(chalk.red(`\n   Please update builder/${originalAppKey}/variables.yaml and try again.`));
-    process.exit(1);
-  }
-
-  try {
-    registerApplicationSchema.key(config.appKey);
-    registerApplicationSchema.displayName(config.displayName);
-    registerApplicationSchema.configuration({
-      type: config.appType,
-      registryMode: config.registryMode,
-      port: config.port
-    });
-  } catch (error) {
-    logger.error(chalk.red(`❌ Invalid configuration: ${error.message}`));
-    process.exit(1);
-  }
-}
-
-/**
- * Check if user is authenticated
- * @async
- * @returns {Promise<Object>} Configuration with API URL and token
- */
-async function checkAuthentication() {
-  const config = await getConfig();
-  if (!config.apiUrl || !config.token) {
-    logger.error(chalk.red('❌ Not logged in. Run: aifabrix login'));
-    process.exit(1);
-  }
-  return config;
-}
-
-/**
- * Call registration API
- * @async
- * @param {string} apiUrl - API URL
- * @param {string} token - Authentication token
- * @param {string} environment - Environment ID
- * @param {Object} registrationData - Registration data
- * @returns {Promise<Object>} API response
- */
-async function registerApplication(apiUrl, token, environment, registrationData) {
-  const response = await authenticatedApiCall(
-    `${apiUrl}/api/v1/environments/${encodeURIComponent(environment)}/applications/register`,
-    {
-      method: 'POST',
-      body: JSON.stringify(registrationData)
-    },
-    token
-  );
-
-  if (!response.success) {
-    logger.error(chalk.red(`❌ Registration failed: ${response.error}`));
-    process.exit(1);
-  }
-
-  return response.data;
-}
-
-/**
- * Display registration success and credentials
- * @param {Object} data - Registration response data
- * @param {string} apiUrl - API URL
- */
-function displayRegistrationResults(data, apiUrl) {
-  logger.log(chalk.green('✅ Application registered successfully!\n'));
-  logger.log(chalk.bold('📋 Application Details:'));
-  logger.log(`   ID:           ${data.application.id}`);
-  logger.log(`   Key:          ${data.application.key}`);
-  logger.log(`   Display Name: ${data.application.displayName}\n`);
-
-  logger.log(chalk.bold.yellow('🔑 CREDENTIALS (save these immediately):'));
-  logger.log(chalk.yellow(`   Client ID:     ${data.credentials.clientId}`));
-  logger.log(chalk.yellow(`   Client Secret: ${data.credentials.clientSecret}\n`));
-
-  logger.log(chalk.red('⚠️  IMPORTANT: Client Secret will not be shown again!\n'));
-
-  logger.log(chalk.bold('📝 Add to GitHub Secrets:'));
-  logger.log(chalk.cyan(`   AIFABRIX_CLIENT_ID = ${data.credentials.clientId}`));
-  logger.log(chalk.cyan(`   AIFABRIX_CLIENT_SECRET = ${data.credentials.clientSecret}`));
-  logger.log(chalk.cyan(`   AIFABRIX_API_URL = ${apiUrl}\n`));
-}
+const { listApplications } = require('../app-list');
+const { registerApplication } = require('../app-register');
+const { rotateSecret } = require('../app-rotate-secret');
 
 /**
  * Setup application management commands
@@ -269,74 +34,7 @@ function setupAppCommands(program) {
     .option('-d, --description <desc>', 'Override description')
     .action(async(appKey, options) => {
       try {
-        logger.log(chalk.blue('📋 Registering application...\n'));
-
-        // Load variables.yaml
-        const { variables, created } = await loadVariablesYaml(appKey);
-        let finalVariables = variables;
-
-        // Create minimal app if needed
-        if (created) {
-          finalVariables = await createMinimalAppIfNeeded(appKey, options);
-        }
-
-        // Extract configuration
-        const appConfig = extractAppConfiguration(finalVariables, appKey, options);
-
-        // Validate configuration (pass original appKey for error messages)
-        validateAppRegistrationData(appConfig, appKey);
-
-        // Check authentication
-        const config = await checkAuthentication();
-
-        // Validate environment
-        const environment = registerApplicationSchema.environmentId(options.environment);
-
-        // Prepare registration data
-        const registrationData = {
-          environmentId: environment,
-          key: appConfig.appKey,
-          displayName: appConfig.displayName,
-          description: appConfig.description || options.description,
-          configuration: {
-            type: appConfig.appType,
-            registryMode: appConfig.registryMode,
-            port: appConfig.port,
-            language: appConfig.language
-          }
-        };
-
-        // Register application
-        const responseData = await registerApplication(
-          config.apiUrl,
-          config.token,
-          environment,
-          registrationData
-        );
-
-        // Save credentials to local secrets if localhost
-        if (isLocalhost(config.apiUrl)) {
-          const appKey = responseData.application.key;
-          const clientIdKey = `${appKey}-client-idKeyVault`;
-          const clientSecretKey = `${appKey}-client-secretKeyVault`;
-
-          try {
-            await saveLocalSecret(clientIdKey, responseData.credentials.clientId);
-            await saveLocalSecret(clientSecretKey, responseData.credentials.clientSecret);
-
-            // Update env.template
-            await updateEnvTemplate(appKey, clientIdKey, clientSecretKey);
-
-            logger.log(chalk.green('\n✓ Credentials saved to ~/.aifabrix/secrets.local.yaml'));
-            logger.log(chalk.green('✓ env.template updated with MISO_CLIENTID and MISO_CLIENTSECRET\n'));
-          } catch (error) {
-            logger.warn(chalk.yellow(`⚠️  Could not save credentials locally: ${error.message}`));
-          }
-        }
-
-        // Display results
-        displayRegistrationResults(responseData, config.apiUrl);
-
+        await registerApplication(appKey, options);
       } catch (error) {
         logger.error(chalk.red('❌ Registration failed:'), error.message);
         process.exit(1);
@@ -350,30 +48,7 @@ function setupAppCommands(program) {
     .requiredOption('-e, --environment <env>', 'Environment ID or key')
     .action(async(options) => {
       try {
-        const config = await getConfig();
-        if (!config.apiUrl || !config.token) {
-          logger.error(chalk.red('❌ Not logged in. Run: aifabrix login'));
-          process.exit(1);
-        }
-
-        const response = await authenticatedApiCall(
-          `${config.apiUrl}/api/v1/applications?environmentId=${options.environment}`,
-          {},
-          config.token
-        );
-
-        if (!response.success || !response.data) {
-          logger.error(chalk.red('❌ Failed to fetch applications'));
-          process.exit(1);
-        }
-
-        logger.log(chalk.bold('\n📱 Applications:\n'));
-        response.data.forEach((app) => {
-          const hasPipeline = app.configuration?.pipeline?.isActive ? '✓' : '✗';
-          logger.log(`${hasPipeline} ${chalk.cyan(app.key)} - ${app.displayName} (${app.status})`);
-        });
-        logger.log('');
-
+        await listApplications(options);
       } catch (error) {
         logger.error(chalk.red('❌ Failed to list applications:'), error.message);
         process.exit(1);
@@ -382,70 +57,12 @@ function setupAppCommands(program) {
 
   // Rotate secret command
   app
-    .command('rotate-secret')
+    .command('rotate-secret <appKey>')
     .description('Rotate pipeline ClientSecret for an application')
-    .requiredOption('-a, --app <appKey>', 'Application key')
     .requiredOption('-e, --environment <env>', 'Environment ID or key')
-    .action(async(options) => {
+    .action(async(appKey, options) => {
       try {
-        logger.log(chalk.yellow('⚠️  This will invalidate the old ClientSecret!\n'));
-
-        const config = await getConfig();
-        if (!config.apiUrl || !config.token) {
-          logger.error(chalk.red('❌ Not logged in. Run: aifabrix login'));
-          process.exit(1);
-        }
-
-        // Validate environment
-        if (!options.environment || options.environment.length < 1) {
-          logger.error(chalk.red('❌ Environment is required'));
-          process.exit(1);
-        }
-
-        const response = await authenticatedApiCall(
-          `${config.apiUrl}/api/v1/applications/${options.app}/rotate-secret?environmentId=${options.environment}`,
-          {
-            method: 'POST'
-          },
-          config.token
-        );
-
-        if (!response.success) {
-          logger.error(chalk.red(`❌ Rotation failed: ${response.error}`));
-          process.exit(1);
-        }
-
-        logger.log(chalk.green('✅ Secret rotated successfully!\n'));
-        logger.log(chalk.bold('📋 Application Details:'));
-        logger.log(`   Key:         ${response.data.application?.key || options.app}`);
-        logger.log(`   Environment: ${options.environment}\n`);
-
-        logger.log(chalk.bold.yellow('🔑 NEW CREDENTIALS:'));
-        logger.log(chalk.yellow(`   Client ID:     ${response.data.credentials.clientId}`));
-        logger.log(chalk.yellow(`   Client Secret: ${response.data.credentials.clientSecret}\n`));
-        logger.log(chalk.red('⚠️  Old secret is now invalid. Update GitHub Secrets!\n'));
-
-        // Save credentials to local secrets if localhost
-        if (isLocalhost(config.apiUrl)) {
-          const appKey = response.data.application?.key || options.app;
-          const clientIdKey = `${appKey}-client-idKeyVault`;
-          const clientSecretKey = `${appKey}-client-secretKeyVault`;
-
-          try {
-            await saveLocalSecret(clientIdKey, response.data.credentials.clientId);
-            await saveLocalSecret(clientSecretKey, response.data.credentials.clientSecret);
-
-            // Update env.template
-            await updateEnvTemplate(appKey, clientIdKey, clientSecretKey);
-
-            logger.log(chalk.green('✓ Credentials saved to ~/.aifabrix/secrets.local.yaml'));
-            logger.log(chalk.green('✓ env.template updated with MISO_CLIENTID and MISO_CLIENTSECRET'));
-            logger.log('');
-          } catch (error) {
-            logger.warn(chalk.yellow(`⚠️  Could not save credentials locally: ${error.message}`));
-          }
-        }
-
+        await rotateSecret(appKey, options);
       } catch (error) {
         logger.error(chalk.red('❌ Rotation failed:'), error.message);
         process.exit(1);

package/lib/commands/login.js

@@ -12,8 +12,10 @@
 const inquirer = require('inquirer');
 const chalk = require('chalk');
 const ora = require('ora');
-const { saveConfig } = require('../config');
+const { setCurrentEnvironment, saveDeviceToken, saveClientToken } = require('../config');
 const { makeApiCall, initiateDeviceCodeFlow, pollDeviceCodeToken, displayDeviceCodeInfo } = require('../utils/api');
+const { formatApiError } = require('../utils/api-error-handler');
+const { loadClientCredentials } = require('../utils/token-manager');
 const logger = require('../utils/logger');
 
 /**
@@ -118,7 +120,7 @@ async function getEnvironmentKey(environment) {
   const envPrompt = await inquirer.prompt([{
     type: 'input',
     name: 'environment',
-    message: 'Environment key (e.g., dev, tst, pro):',
+    message: 'Environment key (e.g., miso, dev, tst, pro):',
     validate: (input) => {
       if (!input || input.trim().length === 0) {
         return 'Environment key is required';
@@ -132,50 +134,112 @@ async function getEnvironmentKey(environment) {
 }
 
 /**
- * Save login configuration
+ * Save device token configuration (root level, controller-specific)
+ * @async
+ * @param {string} controllerUrl - Controller URL (used as key)
+ * @param {string} token - Authentication token
+ * @param {string} refreshToken - Refresh token for token renewal
+ * @param {string} expiresAt - Token expiration time
+ */
+async function saveDeviceLoginConfig(controllerUrl, token, refreshToken, expiresAt) {
+  await saveDeviceToken(controllerUrl, token, refreshToken, expiresAt);
+}
+
+/**
+ * Save client credentials token configuration
  * @async
  * @param {string} controllerUrl - Controller URL
  * @param {string} token - Authentication token
  * @param {string} expiresAt - Token expiration time
- * @param {string} [environment] - Environment key
+ * @param {string} environment - Environment key
+ * @param {string} appName - Application name
  */
-async function saveLoginConfig(controllerUrl, token, expiresAt, environment) {
-  await saveConfig({
-    apiUrl: controllerUrl,
-    token: token,
-    expiresAt: expiresAt,
-    environment: environment || undefined
-  });
+async function saveCredentialsLoginConfig(controllerUrl, token, expiresAt, environment, appName) {
+  await saveClientToken(environment, appName, controllerUrl, token, expiresAt);
 }
 
 /**
  * Handle credentials-based login
+ * Uses OpenAPI /api/v1/auth/token endpoint with x-client-id and x-client-secret headers
+ * Reads credentials from secrets.local.yaml using pattern <app-name>-client-idKeyVault
  * @async
  * @param {string} controllerUrl - Controller URL
- * @param {string} [clientId] - Client ID from options
- * @param {string} [clientSecret] - Client Secret from options
+ * @param {string} appName - Application name
+ * @param {string} [clientId] - Client ID from options (optional, overrides secrets.local.yaml)
+ * @param {string} [clientSecret] - Client Secret from options (optional, overrides secrets.local.yaml)
  * @returns {Promise<string>} Authentication token
  */
-async function handleCredentialsLogin(controllerUrl, clientId, clientSecret) {
-  const credentials = await promptForCredentials(clientId, clientSecret);
+async function handleCredentialsLogin(controllerUrl, appName, clientId, clientSecret) {
+  let credentials;
+
+  // Try to load from secrets.local.yaml if appName provided and credentials not provided
+  if (appName && !clientId && !clientSecret) {
+    credentials = await loadClientCredentials(appName);
+    if (!credentials) {
+      logger.log(chalk.yellow(`⚠️  Credentials not found in secrets.local.yaml for app '${appName}'`));
+      logger.log(chalk.gray(`   Looking for: '${appName}-client-idKeyVault' and '${appName}-client-secretKeyVault'`));
+      logger.log(chalk.gray('   Prompting for credentials...\n'));
+    }
+  }
+
+  // If still no credentials, prompt for them
+  if (!credentials) {
+    credentials = await promptForCredentials(clientId, clientSecret);
+  }
 
-  const response = await makeApiCall(`${controllerUrl}/api/v1/auth/login`, {
+  // OpenAPI spec: POST /api/v1/auth/token with x-client-id and x-client-secret headers
+  // Response: { success: boolean, token: string, expiresIn: number, expiresAt: string, timestamp: string }
+  const response = await makeApiCall(`${controllerUrl}/api/v1/auth/token`, {
     method: 'POST',
     headers: {
-      'Content-Type': 'application/json'
-    },
-    body: JSON.stringify({
-      clientId: credentials.clientId,
-      clientSecret: credentials.clientSecret
-    })
+      'Content-Type': 'application/json',
+      'x-client-id': credentials.clientId,
+      'x-client-secret': credentials.clientSecret
+    }
   });
 
   if (!response.success) {
-    logger.error(chalk.red(`❌ Login failed: ${response.error}`));
+    const formattedError = response.formattedError || formatApiError(response);
+    logger.error(formattedError);
+
+    // Provide additional context for login failures
+    if (response.status === 401) {
+      logger.log(chalk.gray('\n💡 Tip: Verify your client credentials are correct.'));
+      logger.log(chalk.gray('   Check secrets.local.yaml for:'));
+      logger.log(chalk.gray(`   - ${appName}-client-idKeyVault`));
+      logger.log(chalk.gray(`   - ${appName}-client-secretKeyVault`));
+    }
+
+    process.exit(1);
+  }
+
+  // OpenAPI spec response: { success: boolean, token: string, expiresIn: number, expiresAt: string, ... }
+  // Handle both flat and nested response structures (some APIs wrap in data field)
+  const apiResponse = response.data;
+  const responseData = apiResponse.data || apiResponse;
+
+  if (!responseData || !responseData.token) {
+    logger.error(chalk.red('❌ Invalid response: missing token'));
+    if (responseData) {
+      logger.error(chalk.gray(`Response structure: ${JSON.stringify(responseData, null, 2)}`));
+    }
     process.exit(1);
   }
 
-  return response.data.token || response.data.accessToken;
+  // Calculate expiration (use expiresAt if provided, otherwise calculate from expiresIn, default to 24 hours)
+  let expiresAt;
+  if (responseData.expiresAt) {
+    expiresAt = responseData.expiresAt;
+  } else if (responseData.expiresIn) {
+    expiresAt = new Date(Date.now() + responseData.expiresIn * 1000).toISOString();
+  } else {
+    expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString();
+  }
+
+  return {
+    token: responseData.token,
+    expiresAt: expiresAt
+  };
 }
 
 /**
@@ -212,12 +276,22 @@ async function pollAndSaveDeviceCodeToken(controllerUrl, deviceCode, interval, e
     spinner.succeed('Authentication approved!');
 
     const token = tokenResponse.access_token;
+    const refreshToken = tokenResponse.refresh_token;
     const expiresAt = new Date(Date.now() + (tokenResponse.expires_in * 1000)).toISOString();
 
-    await saveLoginConfig(controllerUrl, token, expiresAt, envKey);
+    // Save device token at root level (controller-specific, not environment-specific)
+    await saveDeviceLoginConfig(controllerUrl, token, refreshToken, expiresAt);
+
+    // Still set current environment if provided (for other purposes)
+    if (envKey) {
+      await setCurrentEnvironment(envKey);
+    }
 
     logger.log(chalk.green('\n✅ Successfully logged in!'));
     logger.log(chalk.gray(`Controller: ${controllerUrl}`));
+    if (envKey) {
+      logger.log(chalk.gray(`Environment: ${envKey}`));
+    }
     logger.log(chalk.gray('Token stored securely in ~/.aifabrix/config.yaml\n'));
 
     return { token, environment: envKey };
@@ -264,26 +338,46 @@ async function handleDeviceCodeLogin(controllerUrl, environment) {
  * @async
  * @function handleLogin
  * @param {Object} options - Login options
- * @param {string} [options.url] - Controller URL (default: 'http://localhost:3000')
+ * @param {string} [options.controller] - Controller URL (default: 'http://localhost:3000')
  * @param {string} [options.method] - Authentication method ('device' or 'credentials')
- * @param {string} [options.clientId] - Client ID (for credentials method)
- * @param {string} [options.clientSecret] - Client Secret (for credentials method)
- * @param {string} [options.environment] - Environment key (for device method)
+ * @param {string} [options.app] - Application name (for credentials method, reads from secrets.local.yaml)
+ * @param {string} [options.clientId] - Client ID (for credentials method, overrides secrets.local.yaml)
+ * @param {string} [options.clientSecret] - Client Secret (for credentials method, overrides secrets.local.yaml)
+ * @param {string} [options.environment] - Environment key (updates root-level environment in config.yaml)
  * @returns {Promise<void>} Resolves when login completes
  * @throws {Error} If login fails
  */
 async function handleLogin(options) {
   logger.log(chalk.blue('\n🔐 Logging in to Miso Controller...\n'));
 
-  const controllerUrl = options.url.replace(/\/$/, '');
+  const controllerUrl = (options.controller || options.url || 'http://localhost:3000').replace(/\/$/, '');
   logger.log(chalk.gray(`Controller URL: ${controllerUrl}`));
 
+  // Update root-level environment if provided
+  let environment = null;
+  if (options.environment) {
+    environment = options.environment.trim();
+    await setCurrentEnvironment(environment);
+    logger.log(chalk.gray(`Environment: ${environment}`));
+  } else {
+    // Get current environment from config
+    const { getCurrentEnvironment } = require('../config');
+    environment = await getCurrentEnvironment();
+  }
+
   const method = await determineAuthMethod(options.method);
   let token;
-  let environment = null;
+  let expiresAt;
 
   if (method === 'credentials') {
-    token = await handleCredentialsLogin(controllerUrl, options.clientId, options.clientSecret);
+    if (!options.app) {
+      logger.error(chalk.red('❌ --app is required for credentials login method'));
+      process.exit(1);
+    }
+    const loginResult = await handleCredentialsLogin(controllerUrl, options.app, options.clientId, options.clientSecret);
+    token = loginResult.token;
+    expiresAt = loginResult.expiresAt;
+    await saveCredentialsLoginConfig(controllerUrl, token, expiresAt, environment, options.app);
   } else if (method === 'device') {
     const result = await handleDeviceCodeLogin(controllerUrl, options.environment);
     token = result.token;
@@ -291,12 +385,12 @@ async function handleLogin(options) {
     return; // Early return for device flow (already saved config)
   }
 
-  // Save configuration for credentials method
-  const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString();
-  await saveLoginConfig(controllerUrl, token, expiresAt, environment);
-
   logger.log(chalk.green('\n✅ Successfully logged in!'));
   logger.log(chalk.gray(`Controller: ${controllerUrl}`));
+  logger.log(chalk.gray(`Environment: ${environment}`));
+  if (options.app) {
+    logger.log(chalk.gray(`App: ${options.app}`));
+  }
   logger.log(chalk.gray('Token stored securely in ~/.aifabrix/config.yaml\n'));
 }