@aifabrix/builder 2.1.7 → 2.3.0

package/lib/secrets.js

@@ -15,6 +15,8 @@ const yaml = require('js-yaml');
 const os = require('os');
 const chalk = require('chalk');
 const logger = require('./utils/logger');
+const config = require('./config');
+const devConfig = require('./utils/dev-config');
 const {
   generateMissingSecrets,
   createDefaultSecrets
@@ -30,6 +32,7 @@ const {
   buildHostnameToServiceMap,
   resolveUrlPort
 } = require('./utils/secrets-utils');
+const { decryptSecret, isEncrypted } = require('./utils/secrets-encryption');
 
 /**
  * Loads environment configuration for docker/local context
@@ -41,16 +44,59 @@ function loadEnvConfig() {
   return yaml.load(content);
 }
 
+/**
+ * Decrypts encrypted values in secrets object
+ * Checks for secure:// prefix and decrypts using encryption key from config
+ *
+ * @async
+ * @function decryptSecretsObject
+ * @param {Object} secrets - Secrets object with potentially encrypted values
+ * @returns {Promise<Object>} Secrets object with decrypted values
+ * @throws {Error} If decryption fails or encryption key is missing
+ */
+async function decryptSecretsObject(secrets) {
+  if (!secrets || typeof secrets !== 'object') {
+    return secrets;
+  }
+
+  const encryptionKey = await config.getSecretsEncryptionKey();
+  if (!encryptionKey) {
+    // No encryption key set, check if any values are encrypted
+    const hasEncrypted = Object.values(secrets).some(value => isEncrypted(value));
+    if (hasEncrypted) {
+      throw new Error('Encrypted secrets found but no encryption key configured. Run "aifabrix secure --secrets-encryption <key>" to set encryption key.');
+    }
+    // No encrypted values, return as-is
+    return secrets;
+  }
+
+  const decryptedSecrets = {};
+  for (const [key, value] of Object.entries(secrets)) {
+    if (isEncrypted(value)) {
+      try {
+        decryptedSecrets[key] = decryptSecret(value, encryptionKey);
+      } catch (error) {
+        throw new Error(`Failed to decrypt secret '${key}': ${error.message}`);
+      }
+    } else {
+      decryptedSecrets[key] = value;
+    }
+  }
+
+  return decryptedSecrets;
+}
+
 /**
  * Loads secrets with cascading lookup
  * Supports both user secrets (~/.aifabrix/secrets.local.yaml) and project overrides
  * User's file takes priority, then falls back to build.secrets from variables.yaml
+ * Automatically decrypts values with secure:// prefix
  *
  * @async
  * @function loadSecrets
  * @param {string} [secretsPath] - Path to secrets file (optional, for explicit override)
  * @param {string} [appName] - Application name (optional, for variables.yaml lookup)
- * @returns {Promise<Object>} Loaded secrets object
+ * @returns {Promise<Object>} Loaded secrets object with decrypted values
  * @throws {Error} If no secrets file found and no fallback available
  *
  * @example
@@ -58,6 +104,8 @@ function loadEnvConfig() {
  * // Returns: { 'postgres-passwordKeyVault': 'admin123', ... }
  */
 async function loadSecrets(secretsPath, appName) {
+  let secrets;
+
   // If explicit path provided, use it (backward compatibility)
   if (secretsPath) {
     const resolvedPath = resolveSecretsPath(secretsPath);
@@ -66,34 +114,35 @@ async function loadSecrets(secretsPath, appName) {
     }
 
     const content = fs.readFileSync(resolvedPath, 'utf8');
-    const secrets = yaml.load(content);
+    secrets = yaml.load(content);
 
     if (!secrets || typeof secrets !== 'object') {
       throw new Error(`Invalid secrets file format: ${resolvedPath}`);
     }
+  } else {
+    // Cascading lookup: user's file first
+    let mergedSecrets = loadUserSecrets();
 
-    return secrets;
-  }
-
-  // Cascading lookup: user's file first
-  let mergedSecrets = loadUserSecrets();
+    // Then check build.secrets from variables.yaml if appName provided
+    if (appName) {
+      mergedSecrets = await loadBuildSecrets(mergedSecrets, appName);
+    }
 
-  // Then check build.secrets from variables.yaml if appName provided
-  if (appName) {
-    mergedSecrets = await loadBuildSecrets(mergedSecrets, appName);
-  }
+    // If still no secrets found, try default location
+    if (Object.keys(mergedSecrets).length === 0) {
+      mergedSecrets = loadDefaultSecrets();
+    }
 
-  // If still no secrets found, try default location
-  if (Object.keys(mergedSecrets).length === 0) {
-    mergedSecrets = loadDefaultSecrets();
-  }
+    // If still empty, throw error
+    if (Object.keys(mergedSecrets).length === 0) {
+      throw new Error('No secrets file found. Please create ~/.aifabrix/secrets.local.yaml or configure build.secrets in variables.yaml');
+    }
 
-  // If still empty, throw error
-  if (Object.keys(mergedSecrets).length === 0) {
-    throw new Error('No secrets file found. Please create ~/.aifabrix/secrets.local.yaml or configure build.secrets in variables.yaml');
+    secrets = mergedSecrets;
   }
 
-  return mergedSecrets;
+  // Decrypt encrypted values
+  return await decryptSecretsObject(secrets);
 }
 
 /**
@@ -108,6 +157,7 @@ async function loadSecrets(secretsPath, appName) {
  * @param {Object|string|null} [secretsFilePaths] - Paths object with userPath and buildPath, or string path (for backward compatibility)
  * @param {string} [secretsFilePaths.userPath] - User's secrets file path
  * @param {string|null} [secretsFilePaths.buildPath] - App's build.secrets file path (if configured)
+ * @param {string} [appName] - Application name (optional, for error messages)
  * @returns {Promise<string>} Resolved environment content
  * @throws {Error} If kv:// reference cannot be resolved
  *
@@ -115,7 +165,7 @@ async function loadSecrets(secretsPath, appName) {
  * const resolved = await resolveKvReferences(template, secrets, 'local');
  * // Returns: 'DATABASE_URL=postgresql://user:pass@localhost:5432/db'
  */
-async function resolveKvReferences(envTemplate, secrets, environment = 'local', secretsFilePaths = null) {
+async function resolveKvReferences(envTemplate, secrets, environment = 'local', secretsFilePaths = null, appName = null) {
   const envConfig = loadEnvConfig();
   const envVars = envConfig.environments[environment] || envConfig.environments.local;
 
@@ -150,7 +200,8 @@ async function resolveKvReferences(envTemplate, secrets, environment = 'local',
         fileInfo = `\n\nSecrets file location: ${paths.join(' and ')}`;
       }
     }
-    throw new Error(`Missing secrets: ${missingSecrets.join(', ')}${fileInfo}`);
+    const resolveCommand = appName ? `aifabrix resolve ${appName}` : 'aifabrix resolve <app-name>';
+    throw new Error(`Missing secrets: ${missingSecrets.join(', ')}${fileInfo}\n\nRun "${resolveCommand}" to generate missing secrets.`);
   }
 
   // Now replace kv:// references, and handle ${VAR} inside the secret values
@@ -288,7 +339,7 @@ async function generateEnvFile(appName, secretsPath, environment = 'local', forc
   const template = loadEnvTemplate(templatePath);
 
   // Resolve secrets paths to show in error messages (use actual paths that loadSecrets would use)
-  const secretsPaths = getActualSecretsPath(secretsPath, appName);
+  const secretsPaths = await getActualSecretsPath(secretsPath, appName);
 
   if (force) {
     // Use userPath for generating missing secrets (priority file)
@@ -296,13 +347,28 @@ async function generateEnvFile(appName, secretsPath, environment = 'local', forc
   }
 
   const secrets = await loadSecrets(secretsPath, appName);
-  let resolved = await resolveKvReferences(template, secrets, environment, secretsPaths);
+  let resolved = await resolveKvReferences(template, secrets, environment, secretsPaths, appName);
 
   // Resolve service ports in URLs for docker environment
   if (environment === 'docker') {
     resolved = resolveServicePortsInEnvContent(resolved, environment);
   }
 
+  // For local environment, update infrastructure ports to use dev-specific ports
+  if (environment === 'local') {
+    const devId = await config.getDeveloperId();
+    const ports = devConfig.getDevPorts(devId);
+
+    // Update DATABASE_PORT if present
+    resolved = resolved.replace(/^DATABASE_PORT\s*=\s*.*$/m, `DATABASE_PORT=${ports.postgres}`);
+
+    // Update REDIS_URL if present (format: redis://localhost:port)
+    resolved = resolved.replace(/^REDIS_URL\s*=\s*redis:\/\/localhost:\d+/m, `REDIS_URL=redis://localhost:${ports.redis}`);
+
+    // Update REDIS_HOST if it contains a port
+    resolved = resolved.replace(/^REDIS_HOST\s*=\s*localhost:\d+/m, `REDIS_HOST=localhost:${ports.redis}`);
+  }
+
   fs.writeFileSync(envPath, resolved, { mode: 0o600 });
 
   // Update PORT variable in container .env file to use port (from variables.yaml)

package/lib/templates.js

@@ -49,7 +49,7 @@ function generateVariablesYaml(appName, config) {
     build: {
       language: config.language || 'typescript',
       envOutputPath: null,
-      context: `../${appName}`,
+      context: null, // Defaults to dev directory in build process
       dockerfile: '',
       secrets: null
     },

package/lib/utils/api-error-handler.js

@@ -0,0 +1,465 @@
+/**
+ * AI Fabrix Builder API Error Handler
+ *
+ * Parses and formats structured error responses from the controller API
+ * Handles permission errors, validation errors, authentication errors,
+ * network errors, and server errors with user-friendly formatting
+ *
+ * @fileoverview API error handling utilities for AI Fabrix Builder
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const chalk = require('chalk');
+
+/**
+ * Formats permission error with missing and required permissions
+ * @param {Object} errorData - Error response data
+ * @returns {string} Formatted permission error message
+ */
+function formatPermissionError(errorData) {
+  const lines = [];
+  lines.push(chalk.red('❌ Permission Denied\n'));
+
+  // Handle detail message if present
+  if (errorData.detail) {
+    lines.push(chalk.yellow(errorData.detail));
+    lines.push('');
+  }
+
+  // Extract missing permissions (support both flat and nested structures)
+  let missingPerms = [];
+  if (errorData.missingPermissions && Array.isArray(errorData.missingPermissions)) {
+    missingPerms = errorData.missingPermissions;
+  } else if (errorData.missing && errorData.missing.permissions && Array.isArray(errorData.missing.permissions)) {
+    missingPerms = errorData.missing.permissions;
+  }
+
+  if (missingPerms.length > 0) {
+    lines.push(chalk.yellow('Missing permissions:'));
+    missingPerms.forEach(perm => {
+      lines.push(chalk.gray(`  - ${perm}`));
+    });
+    lines.push('');
+  }
+
+  // Extract required permissions (support both flat and nested structures)
+  let requiredPerms = [];
+  if (errorData.requiredPermissions && Array.isArray(errorData.requiredPermissions)) {
+    requiredPerms = errorData.requiredPermissions;
+  } else if (errorData.required && errorData.required.permissions && Array.isArray(errorData.required.permissions)) {
+    requiredPerms = errorData.required.permissions;
+  }
+
+  if (requiredPerms.length > 0) {
+    lines.push(chalk.yellow('Required permissions:'));
+    requiredPerms.forEach(perm => {
+      lines.push(chalk.gray(`  - ${perm}`));
+    });
+    lines.push('');
+  }
+
+  // Use instance (from RFC 7807) or url field
+  const requestUrl = errorData.instance || errorData.url;
+  const method = errorData.method || 'POST';
+  if (requestUrl) {
+    lines.push(chalk.gray(`Request: ${method} ${requestUrl}`));
+  }
+
+  if (errorData.correlationId) {
+    lines.push(chalk.gray(`Correlation ID: ${errorData.correlationId}`));
+  }
+
+  return lines.join('\n');
+}
+
+/**
+ * Formats validation error with field-level details
+ * Handles unified error API response format (RFC 7807 Problem Details)
+ * @param {Object} errorData - Error response data
+ * @returns {string} Formatted validation error message
+ */
+function formatValidationError(errorData) {
+  const lines = [];
+  lines.push(chalk.red('❌ Validation Error\n'));
+
+  // Handle RFC 7807 Problem Details format
+  // Priority: detail > title > message
+  if (errorData.detail) {
+    lines.push(chalk.yellow(errorData.detail));
+    lines.push('');
+  } else if (errorData.title) {
+    lines.push(chalk.yellow(errorData.title));
+    lines.push('');
+  } else if (errorData.message) {
+    lines.push(chalk.yellow(errorData.message));
+    lines.push('');
+  }
+
+  // Handle errors array - this is the most important part
+  if (errorData.errors && Array.isArray(errorData.errors) && errorData.errors.length > 0) {
+    lines.push(chalk.yellow('Validation errors:'));
+    errorData.errors.forEach(err => {
+      const field = err.field || err.path || 'validation';
+      const message = err.message || 'Invalid value';
+      // If field is 'validation' or generic, just show the message
+      if (field === 'validation' || field === 'unknown') {
+        lines.push(chalk.gray(`  • ${message}`));
+      } else {
+        lines.push(chalk.gray(`  • ${field}: ${message}`));
+      }
+    });
+    lines.push('');
+  }
+
+  // Show instance (endpoint) if available (RFC 7807)
+  if (errorData.instance) {
+    lines.push(chalk.gray(`Endpoint: ${errorData.instance}`));
+  }
+
+  // Show correlation ID if available
+  if (errorData.correlationId) {
+    lines.push(chalk.gray(`Correlation ID: ${errorData.correlationId}`));
+  }
+
+  return lines.join('\n');
+}
+
+/**
+ * Formats authentication error
+ * @param {Object} errorData - Error response data
+ * @returns {string} Formatted authentication error message
+ */
+function formatAuthenticationError(errorData) {
+  const lines = [];
+  lines.push(chalk.red('❌ Authentication Failed\n'));
+
+  if (errorData.message) {
+    lines.push(chalk.yellow(errorData.message));
+  } else {
+    lines.push(chalk.yellow('Invalid credentials or token expired.'));
+  }
+  lines.push('');
+  lines.push(chalk.gray('Run: aifabrix login'));
+
+  if (errorData.correlationId) {
+    lines.push(chalk.gray(`Correlation ID: ${errorData.correlationId}`));
+  }
+
+  return lines.join('\n');
+}
+
+/**
+ * Formats network error
+ * @param {string} errorMessage - Error message
+ * @param {Object} errorData - Error response data (optional)
+ * @returns {string} Formatted network error message
+ */
+function formatNetworkError(errorMessage, errorData) {
+  const lines = [];
+  lines.push(chalk.red('❌ Network Error\n'));
+
+  if (errorMessage.includes('ECONNREFUSED') || errorMessage.includes('Cannot connect')) {
+    lines.push(chalk.yellow('Cannot connect to controller.'));
+    lines.push(chalk.gray('Check if the controller is running.'));
+  } else if (errorMessage.includes('ENOTFOUND') || errorMessage.includes('hostname not found')) {
+    lines.push(chalk.yellow('Controller hostname not found.'));
+    lines.push(chalk.gray('Check your controller URL.'));
+  } else if (errorMessage.includes('timeout') || errorMessage.includes('timed out')) {
+    lines.push(chalk.yellow('Request timed out.'));
+    lines.push(chalk.gray('The controller may be overloaded.'));
+  } else {
+    lines.push(chalk.yellow(errorMessage));
+  }
+
+  if (errorData && errorData.correlationId) {
+    lines.push(chalk.gray(`Correlation ID: ${errorData.correlationId}`));
+  }
+
+  return lines.join('\n');
+}
+
+/**
+ * Formats server error (500+)
+ * @param {Object} errorData - Error response data
+ * @returns {string} Formatted server error message
+ */
+function formatServerError(errorData) {
+  const lines = [];
+  lines.push(chalk.red('❌ Server Error\n'));
+
+  // Check for RFC 7807 Problem Details format (detail field)
+  if (errorData.detail) {
+    lines.push(chalk.yellow(errorData.detail));
+  } else if (errorData.message) {
+    lines.push(chalk.yellow(errorData.message));
+  } else {
+    lines.push(chalk.yellow('An internal server error occurred.'));
+  }
+  lines.push('');
+  lines.push(chalk.gray('Please try again later or contact support.'));
+
+  if (errorData.correlationId) {
+    lines.push('');
+    lines.push(chalk.gray(`Correlation ID: ${errorData.correlationId}`));
+  }
+
+  return lines.join('\n');
+}
+
+/**
+ * Formats conflict error (409)
+ * @param {Object} errorData - Error response data
+ * @returns {string} Formatted conflict error message
+ */
+function formatConflictError(errorData) {
+  const lines = [];
+  lines.push(chalk.red('❌ Conflict\n'));
+
+  // Check if it's an application already exists error
+  const detail = errorData.detail || errorData.message || '';
+  if (detail.toLowerCase().includes('application already exists')) {
+    lines.push(chalk.yellow('This application already exists in this environment.'));
+    lines.push('');
+    lines.push(chalk.gray('Options:'));
+    lines.push(chalk.gray('  • Use a different environment'));
+    lines.push(chalk.gray('  • Check existing applications: aifabrix app list -e <environment>'));
+    lines.push(chalk.gray('  • Update the existing application if needed'));
+  } else if (detail) {
+    lines.push(chalk.yellow(detail));
+  } else if (errorData.message) {
+    lines.push(chalk.yellow(errorData.message));
+  } else {
+    lines.push(chalk.yellow('A conflict occurred. The resource may already exist.'));
+  }
+
+  if (errorData.correlationId) {
+    lines.push('');
+    lines.push(chalk.gray(`Correlation ID: ${errorData.correlationId}`));
+  }
+
+  return lines.join('\n');
+}
+
+/**
+ * Formats not found error (404)
+ * @param {Object} errorData - Error response data
+ * @returns {string} Formatted not found error message
+ */
+function formatNotFoundError(errorData) {
+  const lines = [];
+  lines.push(chalk.red('❌ Not Found\n'));
+
+  // Extract detail from RFC 7807 Problem Details format
+  const detail = errorData.detail || errorData.message || '';
+
+  if (detail) {
+    lines.push(chalk.yellow(detail));
+    lines.push('');
+  }
+
+  // Provide actionable guidance based on error context
+  if (detail.toLowerCase().includes('environment')) {
+    lines.push(chalk.gray('Options:'));
+    lines.push(chalk.gray('  • Check the environment key spelling'));
+    lines.push(chalk.gray('  • List available environments: aifabrix app list -e <environment>'));
+    lines.push(chalk.gray('  • Verify you have access to this environment'));
+  } else if (detail.toLowerCase().includes('application')) {
+    lines.push(chalk.gray('Options:'));
+    lines.push(chalk.gray('  • Check the application key spelling'));
+    lines.push(chalk.gray('  • List applications: aifabrix app list -e <environment>'));
+    lines.push(chalk.gray('  • Verify the application exists in this environment'));
+  } else {
+    lines.push(chalk.gray('Options:'));
+    lines.push(chalk.gray('  • Check the resource identifier'));
+    lines.push(chalk.gray('  • Verify the resource exists'));
+    lines.push(chalk.gray('  • Check your permissions'));
+  }
+
+  if (errorData.correlationId) {
+    lines.push('');
+    lines.push(chalk.gray(`Correlation ID: ${errorData.correlationId}`));
+  }
+
+  return lines.join('\n');
+}
+
+/**
+ * Formats generic error
+ * @param {Object} errorData - Error response data
+ * @param {number} statusCode - HTTP status code
+ * @returns {string} Formatted error message
+ */
+function formatGenericError(errorData, statusCode) {
+  const lines = [];
+  lines.push(chalk.red(`❌ Error (HTTP ${statusCode})\n`));
+
+  // Check for RFC 7807 Problem Details format (detail field)
+  if (errorData.detail) {
+    lines.push(chalk.yellow(errorData.detail));
+  } else if (errorData.message) {
+    lines.push(chalk.yellow(errorData.message));
+  } else if (errorData.error) {
+    lines.push(chalk.yellow(errorData.error));
+  } else {
+    lines.push(chalk.yellow('An error occurred while processing your request.'));
+  }
+
+  if (errorData.correlationId) {
+    lines.push('');
+    lines.push(chalk.gray(`Correlation ID: ${errorData.correlationId}`));
+  }
+
+  return lines.join('\n');
+}
+
+/**
+ * Parses error response and determines error type
+ * @param {string|Object} errorResponse - Error response (string or parsed JSON)
+ * @param {number} statusCode - HTTP status code
+ * @param {boolean} isNetworkError - Whether this is a network error
+ * @returns {Object} Parsed error object with type, message, and formatted output
+ */
+function parseErrorResponse(errorResponse, statusCode, isNetworkError) {
+  let errorData = {};
+
+  // Handle undefined or null error response
+  if (errorResponse === undefined || errorResponse === null) {
+    errorData = { message: 'Unknown error occurred' };
+  } else if (typeof errorResponse === 'string') {
+    // Parse error response
+    try {
+      errorData = JSON.parse(errorResponse);
+    } catch {
+      errorData = { message: errorResponse };
+    }
+  } else if (typeof errorResponse === 'object') {
+    errorData = errorResponse;
+  } else {
+    // Fallback for unexpected types
+    errorData = { message: String(errorResponse) };
+  }
+
+  // Handle nested response structure (some APIs wrap errors in data field)
+  if (errorData.data && typeof errorData.data === 'object') {
+    errorData = errorData.data;
+  }
+
+  // Handle network errors
+  if (isNetworkError) {
+    const errorMessage = errorData.message || errorResponse || 'Network error';
+    return {
+      type: 'network',
+      message: errorMessage,
+      formatted: formatNetworkError(errorMessage, errorData),
+      data: errorData
+    };
+  }
+
+  // Handle different HTTP status codes
+  if (statusCode === 403) {
+    // Permission error
+    return {
+      type: 'permission',
+      message: 'Permission denied',
+      formatted: formatPermissionError(errorData),
+      data: errorData
+    };
+  }
+
+  if (statusCode === 401) {
+    // Authentication error
+    return {
+      type: 'authentication',
+      message: 'Authentication failed',
+      formatted: formatAuthenticationError(errorData),
+      data: errorData
+    };
+  }
+
+  if (statusCode === 400) {
+    // Validation error
+    // Extract message from unified error format (RFC 7807)
+    const errorMessage = errorData.detail || errorData.title || errorData.message || 'Validation error';
+    return {
+      type: 'validation',
+      message: errorMessage,
+      formatted: formatValidationError(errorData),
+      data: errorData
+    };
+  }
+
+  if (statusCode === 404) {
+    // Not found error
+    return {
+      type: 'notfound',
+      message: errorData.detail || errorData.message || 'Not found',
+      formatted: formatNotFoundError(errorData),
+      data: errorData
+    };
+  }
+
+  if (statusCode === 409) {
+    // Conflict error
+    return {
+      type: 'conflict',
+      message: errorData.detail || errorData.message || 'Conflict',
+      formatted: formatConflictError(errorData),
+      data: errorData
+    };
+  }
+
+  if (statusCode >= 500) {
+    // Server error
+    return {
+      type: 'server',
+      message: 'Server error',
+      formatted: formatServerError(errorData),
+      data: errorData
+    };
+  }
+
+  // Generic error
+  return {
+    type: 'generic',
+    message: errorData.message || errorData.error || 'Unknown error',
+    formatted: formatGenericError(errorData, statusCode),
+    data: errorData
+  };
+}
+
+/**
+ * Formats error for display in CLI
+ * @param {Object} apiResponse - API response object from makeApiCall
+ * @returns {string} Formatted error message
+ */
+function formatApiError(apiResponse) {
+  if (!apiResponse || apiResponse.success !== false) {
+    return chalk.red('❌ Unknown error occurred');
+  }
+
+  // Use formattedError if already available
+  if (apiResponse.formattedError) {
+    return apiResponse.formattedError;
+  }
+
+  const errorResponse = apiResponse.error || apiResponse.data || '';
+  const statusCode = apiResponse.status || 0;
+  const isNetworkError = apiResponse.network === true;
+
+  const parsed = parseErrorResponse(errorResponse, statusCode, isNetworkError);
+  return parsed.formatted;
+}
+
+module.exports = {
+  parseErrorResponse,
+  formatApiError,
+  formatPermissionError,
+  formatValidationError,
+  formatAuthenticationError,
+  formatConflictError,
+  formatNetworkError,
+  formatServerError,
+  formatGenericError
+};
+