@aifabrix/builder 2.1.7 → 2.3.0

package/lib/commands/secure.js

@@ -0,0 +1,260 @@
+/**
+ * AI Fabrix Builder - Secure Command
+ *
+ * Handles encryption of secrets in secrets.local.yaml files
+ * Sets encryption key in config.yaml and encrypts all secret values
+ *
+ * @fileoverview Secure command implementation for AI Fabrix Builder
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const yaml = require('js-yaml');
+const inquirer = require('inquirer');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { setSecretsEncryptionKey, getSecretsEncryptionKey } = require('../config');
+const { encryptSecret, isEncrypted, validateEncryptionKey } = require('../utils/secrets-encryption');
+
+/**
+ * Finds all secrets.local.yaml files to encrypt
+ * Includes user secrets file and build secrets from all apps
+ *
+ * @async
+ * @function findSecretsFiles
+ * @returns {Promise<Array<{path: string, type: string}>>} Array of secrets file paths
+ */
+async function findSecretsFiles() {
+  const files = [];
+
+  // User's secrets file
+  const userSecretsPath = path.join(os.homedir(), '.aifabrix', 'secrets.local.yaml');
+  if (fs.existsSync(userSecretsPath)) {
+    files.push({ path: userSecretsPath, type: 'user' });
+  }
+
+  // Find all apps and check for build.secrets
+  // Scan builder directory for apps
+  try {
+    const builderDir = path.join(process.cwd(), 'builder');
+    if (fs.existsSync(builderDir)) {
+      const entries = fs.readdirSync(builderDir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (entry.isDirectory()) {
+          const appName = entry.name;
+          const variablesPath = path.join(builderDir, appName, 'variables.yaml');
+          if (fs.existsSync(variablesPath)) {
+            try {
+              const variablesContent = fs.readFileSync(variablesPath, 'utf8');
+              const variables = yaml.load(variablesContent);
+
+              if (variables?.build?.secrets) {
+                const buildSecretsPath = path.resolve(
+                  path.dirname(variablesPath),
+                  variables.build.secrets
+                );
+                if (fs.existsSync(buildSecretsPath)) {
+                  files.push({ path: buildSecretsPath, type: `app:${appName}` });
+                }
+              }
+            } catch (error) {
+              // Ignore errors, continue
+            }
+          }
+        }
+      }
+    }
+  } catch (error) {
+    // Ignore errors, continue
+  }
+
+  // Check config.yaml for general secrets-path
+  try {
+    const { getSecretsPath } = require('../config');
+    const generalSecretsPath = await getSecretsPath();
+    if (generalSecretsPath) {
+      const resolvedPath = path.isAbsolute(generalSecretsPath)
+        ? generalSecretsPath
+        : path.resolve(process.cwd(), generalSecretsPath);
+      if (fs.existsSync(resolvedPath) && !files.some(f => f.path === resolvedPath)) {
+        files.push({ path: resolvedPath, type: 'general' });
+      }
+    }
+  } catch (error) {
+    // Ignore errors, continue
+  }
+
+  return files;
+}
+
+/**
+ * Encrypts all non-encrypted values in a secrets file
+ * Preserves YAML structure and comments
+ *
+ * @async
+ * @function encryptSecretsFile
+ * @param {string} filePath - Path to secrets file
+ * @param {string} encryptionKey - Encryption key
+ * @returns {Promise<{encrypted: number, total: number}>} Count of encrypted values
+ */
+async function encryptSecretsFile(filePath, encryptionKey) {
+  const content = fs.readFileSync(filePath, 'utf8');
+  const secrets = yaml.load(content);
+
+  if (!secrets || typeof secrets !== 'object') {
+    throw new Error(`Invalid secrets file format: ${filePath}`);
+  }
+
+  let encryptedCount = 0;
+  let totalCount = 0;
+  const updatedSecrets = {};
+
+  for (const [key, value] of Object.entries(secrets)) {
+    totalCount++;
+    if (typeof value === 'string' && value.trim() !== '') {
+      if (isEncrypted(value)) {
+        // Already encrypted, keep as-is
+        updatedSecrets[key] = value;
+      } else {
+        // Encrypt the value
+        updatedSecrets[key] = encryptSecret(value, encryptionKey);
+        encryptedCount++;
+      }
+    } else {
+      // Non-string or empty value, keep as-is
+      updatedSecrets[key] = value;
+    }
+  }
+
+  // Write back to file with same formatting
+  // Use yaml.dump with appropriate options to preserve structure
+  const yamlContent = yaml.dump(updatedSecrets, {
+    indent: 2,
+    lineWidth: -1,
+    noRefs: true,
+    sortKeys: false
+  });
+
+  fs.writeFileSync(filePath, yamlContent, { mode: 0o600 });
+
+  return { encrypted: encryptedCount, total: totalCount };
+}
+
+/**
+ * Prompt for encryption key if not provided
+ *
+ * @async
+ * @function promptForEncryptionKey
+ * @returns {Promise<string>} Encryption key
+ */
+async function promptForEncryptionKey() {
+  const answer = await inquirer.prompt([{
+    type: 'password',
+    name: 'key',
+    message: 'Enter encryption key (32 bytes, hex or base64):',
+    mask: '*',
+    validate: (input) => {
+      if (!input || input.trim().length === 0) {
+        return 'Encryption key is required';
+      }
+      try {
+        validateEncryptionKey(input.trim());
+        return true;
+      } catch (error) {
+        return error.message;
+      }
+    }
+  }]);
+
+  return answer.key.trim();
+}
+
+/**
+ * Handle secure command action
+ * Sets encryption key and encrypts all secrets files
+ *
+ * @async
+ * @function handleSecure
+ * @param {Object} options - Command options
+ * @param {string} [options.secretsEncryption] - Encryption key (optional, will prompt if not provided)
+ * @returns {Promise<void>} Resolves when encryption completes
+ * @throws {Error} If encryption fails
+ */
+async function handleSecure(options) {
+  logger.log(chalk.blue('\n🔐 Securing secrets files...\n'));
+
+  // Get or prompt for encryption key
+  let encryptionKey = options.secretsEncryption || options['secrets-encryption'];
+  if (!encryptionKey) {
+    // Check if key already exists in config
+    const existingKey = await getSecretsEncryptionKey();
+    if (existingKey) {
+      logger.log(chalk.yellow('⚠️  Encryption key already configured in config.yaml'));
+      const useExisting = await inquirer.prompt([{
+        type: 'confirm',
+        name: 'use',
+        message: 'Use existing encryption key?',
+        default: true
+      }]);
+      if (useExisting.use) {
+        encryptionKey = existingKey;
+      } else {
+        encryptionKey = await promptForEncryptionKey();
+        await setSecretsEncryptionKey(encryptionKey);
+        logger.log(chalk.green('✓ Encryption key saved to config.yaml'));
+      }
+    } else {
+      encryptionKey = await promptForEncryptionKey();
+      await setSecretsEncryptionKey(encryptionKey);
+      logger.log(chalk.green('✓ Encryption key saved to config.yaml'));
+    }
+  } else {
+    // Validate and save the provided key
+    validateEncryptionKey(encryptionKey);
+    await setSecretsEncryptionKey(encryptionKey);
+    logger.log(chalk.green('✓ Encryption key saved to config.yaml'));
+  }
+
+  // Find all secrets files
+  const secretsFiles = await findSecretsFiles();
+
+  if (secretsFiles.length === 0) {
+    logger.log(chalk.yellow('⚠️  No secrets files found to encrypt'));
+    logger.log(chalk.gray('   Create ~/.aifabrix/secrets.local.yaml or configure build.secrets in variables.yaml'));
+    return;
+  }
+
+  logger.log(chalk.gray(`Found ${secretsFiles.length} secrets file(s) to process:\n`));
+
+  // Encrypt each file
+  let totalEncrypted = 0;
+  let totalValues = 0;
+
+  for (const file of secretsFiles) {
+    try {
+      logger.log(chalk.gray(`Processing: ${file.path} (${file.type})`));
+      const result = await encryptSecretsFile(file.path, encryptionKey);
+      totalEncrypted += result.encrypted;
+      totalValues += result.total;
+
+      if (result.encrypted > 0) {
+        logger.log(chalk.green(`  ✓ Encrypted ${result.encrypted} of ${result.total} values`));
+      } else {
+        logger.log(chalk.gray(`  - All values already encrypted (${result.total} total)`));
+      }
+    } catch (error) {
+      logger.log(chalk.red(`  ✗ Error: ${error.message}`));
+    }
+  }
+
+  logger.log(chalk.green('\n✅ Encryption complete!'));
+  logger.log(chalk.gray(`   Files processed: ${secretsFiles.length}`));
+  logger.log(chalk.gray(`   Values encrypted: ${totalEncrypted} of ${totalValues} total`));
+  logger.log(chalk.gray('   Encryption key stored in: ~/.aifabrix/config.yaml\n'));
+}
+
+module.exports = { handleSecure };
+

package/lib/config.js

@@ -17,17 +17,53 @@ const yaml = require('js-yaml');
 const CONFIG_DIR = path.join(os.homedir(), '.aifabrix');
 const CONFIG_FILE = path.join(CONFIG_DIR, 'config.yaml');
 
+// Cache for developer ID - loaded when getConfig() is first called
+let cachedDeveloperId = null;
+
 /**
  * Get stored configuration
- * @returns {Promise<Object>} Configuration object with apiUrl and token
+ * Loads developer ID and caches it as a property for easy access
+ * @returns {Promise<Object>} Configuration object with new structure
  */
 async function getConfig() {
   try {
     const configContent = await fs.readFile(CONFIG_FILE, 'utf8');
-    return yaml.load(configContent);
+    let config = yaml.load(configContent);
+
+    // Handle empty file or null/undefined result from yaml.load
+    if (!config || typeof config !== 'object') {
+      config = {};
+    }
+
+    // Ensure developerId defaults to 0 if not set
+    if (typeof config['developer-id'] === 'undefined') {
+      config['developer-id'] = 0;
+    }
+    // Ensure environment defaults to 'dev' if not set
+    if (typeof config.environment === 'undefined') {
+      config.environment = 'dev';
+    }
+    // Ensure environments object exists
+    if (typeof config.environments !== 'object' || config.environments === null) {
+      config.environments = {};
+    }
+    // Ensure device object exists at root level
+    if (typeof config.device !== 'object' || config.device === null) {
+      config.device = {};
+    }
+    // Cache developer ID as property for easy access (use nullish coalescing to allow 0)
+    cachedDeveloperId = config['developer-id'] !== undefined ? config['developer-id'] : 0;
+    return config;
   } catch (error) {
     if (error.code === 'ENOENT') {
-      return { apiUrl: null, token: null };
+      // Default developer ID is 0, default environment is 'dev'
+      cachedDeveloperId = 0;
+      return {
+        'developer-id': 0,
+        environment: 'dev',
+        environments: {},
+        device: {}
+      };
     }
     throw new Error(`Failed to read config: ${error.message}`);
   }
@@ -45,10 +81,19 @@ async function saveConfig(data) {
 
     // Set secure permissions
     const configContent = yaml.dump(data);
+    // Write file first
     await fs.writeFile(CONFIG_FILE, configContent, {
       mode: 0o600,
       flag: 'w'
     });
+    // Open file descriptor and fsync to ensure write is flushed to disk
+    // This is critical on Windows where file writes may be cached
+    const fd = await fs.open(CONFIG_FILE, 'r+');
+    try {
+      await fd.sync();
+    } finally {
+      await fd.close();
+    }
   } catch (error) {
     throw new Error(`Failed to save config: ${error.message}`);
   }
@@ -68,11 +113,277 @@ async function clearConfig() {
   }
 }
 
-module.exports = {
+/**
+ * Get developer ID from configuration
+ * Loads config if not already cached, then returns cached developer ID
+ * Developer ID: 0 = default infra, > 0 = developer-specific
+ * @returns {Promise<number>} Developer ID (defaults to 0)
+ */
+async function getDeveloperId() {
+  // Always reload from file to ensure we have the latest value
+  // This ensures the cache matches what's actually in the file
+  // Clear cache first to force a fresh read
+  cachedDeveloperId = null;
+  await getConfig();
+  return cachedDeveloperId;
+}
+
+/**
+ * Set developer ID in configuration
+ * @param {number} developerId - Developer ID to set (0 = default infra, > 0 = developer-specific)
+ * @returns {Promise<void>}
+ */
+async function setDeveloperId(developerId) {
+  if (typeof developerId !== 'number' || developerId < 0) {
+    throw new Error('Developer ID must be a non-negative number (0 = default infra, > 0 = developer-specific)');
+  }
+  // Clear cache first to ensure we get fresh data from file
+  cachedDeveloperId = null;
+  // Read file directly to avoid any caching issues
+  const config = await getConfig();
+  // Update developer ID
+  config['developer-id'] = developerId;
+  // Update cache before saving
+  cachedDeveloperId = developerId;
+  // Save the entire config object to ensure all fields are preserved
+  await saveConfig(config);
+  // Verify the file was saved correctly by reading it back
+  // This ensures the file system has written the data
+  // Add a small delay to ensure file system has flushed the write
+  await new Promise(resolve => setTimeout(resolve, 100));
+  // Read file again with fresh file handle to avoid OS caching
+  const savedContent = await fs.readFile(CONFIG_FILE, 'utf8');
+  const savedConfig = yaml.load(savedContent);
+  if (savedConfig['developer-id'] !== developerId) {
+    throw new Error(`Failed to save developer ID: expected ${developerId}, got ${savedConfig['developer-id']}. File content: ${savedContent.substring(0, 200)}`);
+  }
+  // Clear the cache to force reload from file on next getDeveloperId() call
+  // This ensures we get the value that was actually saved to disk
+  cachedDeveloperId = null;
+}
+
+/**
+ * Get current environment from root-level config
+ * @returns {Promise<string>} Current environment (defaults to 'dev')
+ */
+async function getCurrentEnvironment() {
+  const config = await getConfig();
+  return config.environment || 'dev';
+}
+
+/**
+ * Set current environment in root-level config
+ * @param {string} environment - Environment to set (e.g., 'miso', 'dev', 'tst', 'pro')
+ * @returns {Promise<void>}
+ */
+async function setCurrentEnvironment(environment) {
+  if (!environment || typeof environment !== 'string') {
+    throw new Error('Environment must be a non-empty string');
+  }
+  const config = await getConfig();
+  config.environment = environment;
+  await saveConfig(config);
+}
+
+/**
+ * Check if token is expired
+ * @param {string} expiresAt - ISO timestamp string
+ * @returns {boolean} True if token is expired
+ */
+function isTokenExpired(expiresAt) {
+  if (!expiresAt) {
+    return true;
+  }
+  const expirationTime = new Date(expiresAt).getTime();
+  const now = Date.now();
+  // Add 5 minute buffer to refresh before actual expiration
+  return now >= (expirationTime - 5 * 60 * 1000);
+}
+
+/**
+ * Get device token for controller
+ * @param {string} controllerUrl - Controller URL
+ * @returns {Promise<{controller: string, token: string, refreshToken: string, expiresAt: string}|null>} Device token info or null
+ */
+async function getDeviceToken(controllerUrl) {
+  const config = await getConfig();
+  if (!config.device || !config.device[controllerUrl]) {
+    return null;
+  }
+  const deviceToken = config.device[controllerUrl];
+  return {
+    controller: controllerUrl,
+    token: deviceToken.token,
+    refreshToken: deviceToken.refreshToken,
+    expiresAt: deviceToken.expiresAt
+  };
+}
+
+/**
+ * Get client token for environment and app
+ * @param {string} environment - Environment key
+ * @param {string} appName - Application name
+ * @returns {Promise<{controller: string, token: string, expiresAt: string}|null>} Client token info or null
+ */
+async function getClientToken(environment, appName) {
+  const config = await getConfig();
+  if (!config.environments || !config.environments[environment]) {
+    return null;
+  }
+  if (!config.environments[environment].clients || !config.environments[environment].clients[appName]) {
+    return null;
+  }
+  return config.environments[environment].clients[appName];
+}
+
+/**
+ * Save device token for controller (root level)
+ * @param {string} controllerUrl - Controller URL (used as key)
+ * @param {string} token - Device access token
+ * @param {string} refreshToken - Refresh token for token renewal
+ * @param {string} expiresAt - ISO timestamp string
+ * @returns {Promise<void>}
+ */
+async function saveDeviceToken(controllerUrl, token, refreshToken, expiresAt) {
+  const config = await getConfig();
+  if (!config.device) {
+    config.device = {};
+  }
+  config.device[controllerUrl] = {
+    token: token,
+    refreshToken: refreshToken,
+    expiresAt: expiresAt
+  };
+  await saveConfig(config);
+}
+
+/**
+ * Save client token for environment and app
+ * @param {string} environment - Environment key
+ * @param {string} appName - Application name
+ * @param {string} controllerUrl - Controller URL
+ * @param {string} token - Client token
+ * @param {string} expiresAt - ISO timestamp string
+ * @returns {Promise<void>}
+ */
+async function saveClientToken(environment, appName, controllerUrl, token, expiresAt) {
+  const config = await getConfig();
+  if (!config.environments) {
+    config.environments = {};
+  }
+  if (!config.environments[environment]) {
+    config.environments[environment] = { clients: {} };
+  }
+  if (!config.environments[environment].clients) {
+    config.environments[environment].clients = {};
+  }
+  config.environments[environment].clients[appName] = {
+    controller: controllerUrl,
+    token: token,
+    expiresAt: expiresAt
+  };
+  await saveConfig(config);
+}
+
+/**
+ * Initialize and load developer ID
+ * Call this to ensure developerId is loaded and cached
+ * @returns {Promise<number>} Developer ID
+ */
+async function loadDeveloperId() {
+  if (cachedDeveloperId === null) {
+    await getConfig();
+  }
+  return cachedDeveloperId;
+}
+
+/**
+ * Get secrets encryption key from configuration
+ * @returns {Promise<string|null>} Encryption key or null if not set
+ */
+async function getSecretsEncryptionKey() {
+  const config = await getConfig();
+  return config['secrets-encryption'] || null;
+}
+
+/**
+ * Set secrets encryption key in configuration
+ * @param {string} key - Encryption key (32 bytes, hex or base64)
+ * @returns {Promise<void>}
+ * @throws {Error} If key format is invalid
+ */
+async function setSecretsEncryptionKey(key) {
+  if (!key || typeof key !== 'string') {
+    throw new Error('Encryption key is required and must be a string');
+  }
+
+  // Validate key format using encryption utilities
+  const { validateEncryptionKey } = require('./utils/secrets-encryption');
+  validateEncryptionKey(key);
+
+  const config = await getConfig();
+  config['secrets-encryption'] = key;
+  await saveConfig(config);
+}
+
+/**
+ * Get general secrets path from configuration
+ * Used as fallback when build.secrets is not set in variables.yaml
+ * @returns {Promise<string|null>} Secrets path or null if not set
+ */
+async function getSecretsPath() {
+  const config = await getConfig();
+  return config['secrets-path'] || null;
+}
+
+/**
+ * Set general secrets path in configuration
+ * @param {string} secretsPath - Path to general secrets file
+ * @returns {Promise<void>}
+ */
+async function setSecretsPath(secretsPath) {
+  if (!secretsPath || typeof secretsPath !== 'string') {
+    throw new Error('Secrets path is required and must be a string');
+  }
+
+  const config = await getConfig();
+  config['secrets-path'] = secretsPath;
+  await saveConfig(config);
+}
+
+// Create exports object
+const exportsObj = {
   getConfig,
   saveConfig,
   clearConfig,
+  getDeveloperId,
+  setDeveloperId,
+  loadDeveloperId,
+  getCurrentEnvironment,
+  setCurrentEnvironment,
+  isTokenExpired,
+  getDeviceToken,
+  getClientToken,
+  saveDeviceToken,
+  saveClientToken,
+  getSecretsEncryptionKey,
+  setSecretsEncryptionKey,
+  getSecretsPath,
+  setSecretsPath,
   CONFIG_DIR,
   CONFIG_FILE
 };
 
+// Add developerId as a property getter for direct access
+// After getConfig() or getDeveloperId() is called, config.developerId will be available
+// Developer ID: 0 = default infra, > 0 = developer-specific
+Object.defineProperty(exportsObj, 'developerId', {
+  get() {
+    return cachedDeveloperId !== null ? cachedDeveloperId : 0; // Default to 0 if not loaded yet
+  },
+  enumerable: true,
+  configurable: true
+});
+
+module.exports = exportsObj;
+