@aifabrix/builder 2.2.0 → 2.3.2

package/lib/cli.js

@@ -21,6 +21,7 @@ const chalk = require('chalk');
 const logger = require('./utils/logger');
 const { validateCommand, handleCommandError } = require('./utils/cli-utils');
 const { handleLogin } = require('./commands/login');
+const { handleSecure } = require('./commands/secure');
 
 /**
  * Sets up all CLI commands on the Commander program instance
@@ -335,18 +336,19 @@ function setupCommands(program) {
         // Commander.js converts --set-id to setId in options object
         const setIdValue = options.setId || options['set-id'];
         if (setIdValue) {
-          const id = parseInt(setIdValue, 10);
-          if (isNaN(id) || id < 0) {
-            throw new Error('Developer ID must be a non-negative number (0 = default infra, > 0 = developer-specific)');
+          const digitsOnly = /^[0-9]+$/.test(setIdValue);
+          if (!digitsOnly) {
+            throw new Error('Developer ID must be a non-negative digit string (0 = default infra, > 0 = developer-specific)');
           }
-          await config.setDeveloperId(id);
-          process.env.AIFABRIX_DEVELOPERID = id.toString();
-          logger.log(chalk.green(`✓ Developer ID set to ${id}`));
+          // Convert to number for setDeveloperId and getDevPorts (they expect numbers)
+          const devIdNum = parseInt(setIdValue, 10);
+          await config.setDeveloperId(devIdNum);
+          process.env.AIFABRIX_DEVELOPERID = setIdValue;
+          logger.log(chalk.green(`✓ Developer ID set to ${setIdValue}`));
           // Use the ID we just set instead of reading from file to avoid race conditions
-          const devId = id;
-          const ports = devConfig.getDevPorts(devId);
+          const ports = devConfig.getDevPorts(devIdNum);
           logger.log('\n🔧 Developer Configuration\n');
-          logger.log(`Developer ID: ${devId}`);
+          logger.log(`Developer ID: ${setIdValue}`);
           logger.log('\nPorts:');
           logger.log(`  App: ${ports.app}`);
           logger.log(`  Postgres: ${ports.postgres}`);
@@ -358,7 +360,9 @@ function setupCommands(program) {
         }
 
         const devId = await config.getDeveloperId();
-        const ports = devConfig.getDevPorts(devId);
+        // Convert string developer ID to number for getDevPorts
+        const devIdNum = parseInt(devId, 10);
+        const ports = devConfig.getDevPorts(devIdNum);
         logger.log('\n🔧 Developer Configuration\n');
         logger.log(`Developer ID: ${devId}`);
         logger.log('\nPorts:');
@@ -373,6 +377,19 @@ function setupCommands(program) {
         process.exit(1);
       }
     });
+
+  // Security command
+  program.command('secure')
+    .description('Encrypt secrets in secrets.local.yaml files for ISO 27001 compliance')
+    .option('--secrets-encryption <key>', 'Encryption key (32 bytes, hex or base64)')
+    .action(async(options) => {
+      try {
+        await handleSecure(options);
+      } catch (error) {
+        handleCommandError(error, 'secure');
+        process.exit(1);
+      }
+    });
 }
 
 module.exports = {

package/lib/commands/secure.js

@@ -0,0 +1,242 @@
+/**
+ * AI Fabrix Builder - Secure Command
+ *
+ * Handles encryption of secrets in secrets.local.yaml files
+ * Sets encryption key in config.yaml and encrypts all secret values
+ *
+ * @fileoverview Secure command implementation for AI Fabrix Builder
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const yaml = require('js-yaml');
+const inquirer = require('inquirer');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { setSecretsEncryptionKey, getSecretsEncryptionKey } = require('../config');
+const { validateEncryptionKey } = require('../utils/secrets-encryption');
+const { encryptYamlValues } = require('../utils/yaml-preserve');
+
+/**
+ * Finds all secrets.local.yaml files to encrypt
+ * Includes user secrets file and build secrets from all apps
+ *
+ * @async
+ * @function findSecretsFiles
+ * @returns {Promise<Array<{path: string, type: string}>>} Array of secrets file paths
+ */
+async function findSecretsFiles() {
+  const files = [];
+
+  // User's secrets file
+  const userSecretsPath = path.join(os.homedir(), '.aifabrix', 'secrets.local.yaml');
+  if (fs.existsSync(userSecretsPath)) {
+    files.push({ path: userSecretsPath, type: 'user' });
+  }
+
+  // Find all apps and check for build.secrets
+  // Scan builder directory for apps
+  try {
+    const builderDir = path.join(process.cwd(), 'builder');
+    if (fs.existsSync(builderDir)) {
+      const entries = fs.readdirSync(builderDir, { withFileTypes: true });
+      for (const entry of entries) {
+        if (entry.isDirectory()) {
+          const appName = entry.name;
+          const variablesPath = path.join(builderDir, appName, 'variables.yaml');
+          if (fs.existsSync(variablesPath)) {
+            try {
+              const variablesContent = fs.readFileSync(variablesPath, 'utf8');
+              const variables = yaml.load(variablesContent);
+
+              if (variables?.build?.secrets) {
+                const buildSecretsPath = path.resolve(
+                  path.dirname(variablesPath),
+                  variables.build.secrets
+                );
+                if (fs.existsSync(buildSecretsPath)) {
+                  files.push({ path: buildSecretsPath, type: `app:${appName}` });
+                }
+              }
+            } catch (error) {
+              // Ignore errors, continue
+            }
+          }
+        }
+      }
+    }
+  } catch (error) {
+    // Ignore errors, continue
+  }
+
+  // Check config.yaml for general secrets-path
+  try {
+    const { getSecretsPath } = require('../config');
+    const generalSecretsPath = await getSecretsPath();
+    if (generalSecretsPath) {
+      const resolvedPath = path.isAbsolute(generalSecretsPath)
+        ? generalSecretsPath
+        : path.resolve(process.cwd(), generalSecretsPath);
+      if (fs.existsSync(resolvedPath) && !files.some(f => f.path === resolvedPath)) {
+        files.push({ path: resolvedPath, type: 'general' });
+      }
+    }
+  } catch (error) {
+    // Ignore errors, continue
+  }
+
+  return files;
+}
+
+/**
+ * Encrypts all non-encrypted values in a secrets file
+ * Preserves YAML structure, comments, and formatting
+ * Skips URLs (http:// and https://) as they are not secrets
+ *
+ * @async
+ * @function encryptSecretsFile
+ * @param {string} filePath - Path to secrets file
+ * @param {string} encryptionKey - Encryption key
+ * @returns {Promise<{encrypted: number, total: number}>} Count of encrypted values
+ */
+async function encryptSecretsFile(filePath, encryptionKey) {
+  const content = fs.readFileSync(filePath, 'utf8');
+
+  // Validate that file contains valid YAML structure (optional check)
+  try {
+    const secrets = yaml.load(content);
+    if (!secrets || typeof secrets !== 'object') {
+      throw new Error(`Invalid secrets file format: ${filePath}`);
+    }
+  } catch (error) {
+    // If YAML parsing fails, still try to encrypt (might have syntax issues but could be fixable)
+    // The line-by-line parser will handle it gracefully
+  }
+
+  // Use line-by-line encryption to preserve comments and formatting
+  const result = encryptYamlValues(content, encryptionKey);
+
+  // Write back to file preserving all formatting
+  fs.writeFileSync(filePath, result.content, { mode: 0o600 });
+
+  return { encrypted: result.encrypted, total: result.total };
+}
+
+/**
+ * Prompt for encryption key if not provided
+ *
+ * @async
+ * @function promptForEncryptionKey
+ * @returns {Promise<string>} Encryption key
+ */
+async function promptForEncryptionKey() {
+  const answer = await inquirer.prompt([{
+    type: 'password',
+    name: 'key',
+    message: 'Enter encryption key (32 bytes, hex or base64):',
+    mask: '*',
+    validate: (input) => {
+      if (!input || input.trim().length === 0) {
+        return 'Encryption key is required';
+      }
+      try {
+        validateEncryptionKey(input.trim());
+        return true;
+      } catch (error) {
+        return error.message;
+      }
+    }
+  }]);
+
+  return answer.key.trim();
+}
+
+/**
+ * Handle secure command action
+ * Sets encryption key and encrypts all secrets files
+ *
+ * @async
+ * @function handleSecure
+ * @param {Object} options - Command options
+ * @param {string} [options.secretsEncryption] - Encryption key (optional, will prompt if not provided)
+ * @returns {Promise<void>} Resolves when encryption completes
+ * @throws {Error} If encryption fails
+ */
+async function handleSecure(options) {
+  logger.log(chalk.blue('\n🔐 Securing secrets files...\n'));
+
+  // Get or prompt for encryption key
+  let encryptionKey = options.secretsEncryption || options['secrets-encryption'];
+  if (!encryptionKey) {
+    // Check if key already exists in config
+    const existingKey = await getSecretsEncryptionKey();
+    if (existingKey) {
+      logger.log(chalk.yellow('⚠️  Encryption key already configured in config.yaml'));
+      const useExisting = await inquirer.prompt([{
+        type: 'confirm',
+        name: 'use',
+        message: 'Use existing encryption key?',
+        default: true
+      }]);
+      if (useExisting.use) {
+        encryptionKey = existingKey;
+      } else {
+        encryptionKey = await promptForEncryptionKey();
+        await setSecretsEncryptionKey(encryptionKey);
+        logger.log(chalk.green('✓ Encryption key saved to config.yaml'));
+      }
+    } else {
+      encryptionKey = await promptForEncryptionKey();
+      await setSecretsEncryptionKey(encryptionKey);
+      logger.log(chalk.green('✓ Encryption key saved to config.yaml'));
+    }
+  } else {
+    // Validate and save the provided key
+    validateEncryptionKey(encryptionKey);
+    await setSecretsEncryptionKey(encryptionKey);
+    logger.log(chalk.green('✓ Encryption key saved to config.yaml'));
+  }
+
+  // Find all secrets files
+  const secretsFiles = await findSecretsFiles();
+
+  if (secretsFiles.length === 0) {
+    logger.log(chalk.yellow('⚠️  No secrets files found to encrypt'));
+    logger.log(chalk.gray('   Create ~/.aifabrix/secrets.local.yaml or configure build.secrets in variables.yaml'));
+    return;
+  }
+
+  logger.log(chalk.gray(`Found ${secretsFiles.length} secrets file(s) to process:\n`));
+
+  // Encrypt each file
+  let totalEncrypted = 0;
+  let totalValues = 0;
+
+  for (const file of secretsFiles) {
+    try {
+      logger.log(chalk.gray(`Processing: ${file.path} (${file.type})`));
+      const result = await encryptSecretsFile(file.path, encryptionKey);
+      totalEncrypted += result.encrypted;
+      totalValues += result.total;
+
+      if (result.encrypted > 0) {
+        logger.log(chalk.green(`  ✓ Encrypted ${result.encrypted} of ${result.total} values`));
+      } else {
+        logger.log(chalk.gray(`  - All values already encrypted (${result.total} total)`));
+      }
+    } catch (error) {
+      logger.log(chalk.red(`  ✗ Error: ${error.message}`));
+    }
+  }
+
+  logger.log(chalk.green('\n✅ Encryption complete!'));
+  logger.log(chalk.gray(`   Files processed: ${secretsFiles.length}`));
+  logger.log(chalk.gray(`   Values encrypted: ${totalEncrypted} of ${totalValues} total`));
+  logger.log(chalk.gray('   Encryption key stored in: ~/.aifabrix/config.yaml\n'));
+}
+
+module.exports = { handleSecure };
+

package/lib/config.js

@@ -35,10 +35,24 @@ async function getConfig() {
       config = {};
     }
 
-    // Ensure developerId defaults to 0 if not set
-    if (typeof config['developer-id'] === 'undefined') {
-      config['developer-id'] = 0;
+    // Ensure developer-id exists as a digit-only string (default "0") and validate
+    const DEV_ID_DIGITS_REGEX = /^[0-9]+$/;
+    if (typeof config['developer-id'] === 'undefined' || config['developer-id'] === null) {
+      config['developer-id'] = '0';
+    } else if (typeof config['developer-id'] === 'number') {
+      // Convert numeric to string to preserve type consistency
+      if (config['developer-id'] < 0 || !Number.isFinite(config['developer-id'])) {
+        throw new Error(`Invalid developer-id value: "${config['developer-id']}". Must be a non-negative digit string.`);
+      }
+      config['developer-id'] = String(config['developer-id']);
+    } else if (typeof config['developer-id'] === 'string') {
+      if (!DEV_ID_DIGITS_REGEX.test(config['developer-id'])) {
+        throw new Error(`Invalid developer-id value: "${config['developer-id']}". Must contain only digits 0-9.`);
+      }
+    } else {
+      throw new Error(`Invalid developer-id value type: ${typeof config['developer-id']}. Must be a non-negative digit string.`);
     }
+
     // Ensure environment defaults to 'dev' if not set
     if (typeof config.environment === 'undefined') {
       config.environment = 'dev';
@@ -51,15 +65,15 @@ async function getConfig() {
     if (typeof config.device !== 'object' || config.device === null) {
       config.device = {};
     }
-    // Cache developer ID as property for easy access (use nullish coalescing to allow 0)
-    cachedDeveloperId = config['developer-id'] !== undefined ? config['developer-id'] : 0;
+    // Cache developer ID as property for easy access (string, default "0")
+    cachedDeveloperId = config['developer-id'] !== undefined ? config['developer-id'] : '0';
     return config;
   } catch (error) {
     if (error.code === 'ENOENT') {
-      // Default developer ID is 0, default environment is 'dev'
-      cachedDeveloperId = 0;
+      // Default developer ID is "0", default environment is 'dev'
+      cachedDeveloperId = '0';
       return {
-        'developer-id': 0,
+        'developer-id': '0',
         environment: 'dev',
         environments: {},
         device: {}
@@ -80,7 +94,8 @@ async function saveConfig(data) {
     await fs.mkdir(CONFIG_DIR, { recursive: true });
 
     // Set secure permissions
-    const configContent = yaml.dump(data);
+    // Force quotes to ensure numeric-like strings (e.g., "01") remain strings in YAML
+    const configContent = yaml.dump(data, { forceQuotes: true });
     // Write file first
     await fs.writeFile(CONFIG_FILE, configContent, {
       mode: 0o600,
@@ -117,7 +132,7 @@ async function clearConfig() {
  * Get developer ID from configuration
  * Loads config if not already cached, then returns cached developer ID
  * Developer ID: 0 = default infra, > 0 = developer-specific
- * @returns {Promise<number>} Developer ID (defaults to 0)
+ * @returns {Promise<string>} Developer ID as string (defaults to "0")
  */
 async function getDeveloperId() {
   // Always reload from file to ensure we have the latest value
@@ -130,21 +145,33 @@ async function getDeveloperId() {
 
 /**
  * Set developer ID in configuration
- * @param {number} developerId - Developer ID to set (0 = default infra, > 0 = developer-specific)
+ * @param {number|string} developerId - Developer ID to set (digit-only string preserved, or number). "0" = default infra, > "0" = developer-specific
  * @returns {Promise<void>}
  */
 async function setDeveloperId(developerId) {
-  if (typeof developerId !== 'number' || developerId < 0) {
-    throw new Error('Developer ID must be a non-negative number (0 = default infra, > 0 = developer-specific)');
+  const DEV_ID_DIGITS_REGEX = /^[0-9]+$/;
+  let devIdString;
+  if (typeof developerId === 'number') {
+    if (!Number.isFinite(developerId) || developerId < 0) {
+      throw new Error('Developer ID must be a non-negative digit string or number (0 = default infra, > 0 = developer-specific)');
+    }
+    devIdString = String(developerId);
+  } else if (typeof developerId === 'string') {
+    if (!DEV_ID_DIGITS_REGEX.test(developerId)) {
+      throw new Error('Developer ID must be a non-negative digit string or number (0 = default infra, > 0 = developer-specific)');
+    }
+    devIdString = developerId;
+  } else {
+    throw new Error('Developer ID must be a non-negative digit string or number (0 = default infra, > 0 = developer-specific)');
   }
   // Clear cache first to ensure we get fresh data from file
   cachedDeveloperId = null;
   // Read file directly to avoid any caching issues
   const config = await getConfig();
   // Update developer ID
-  config['developer-id'] = developerId;
+  config['developer-id'] = devIdString;
   // Update cache before saving
-  cachedDeveloperId = developerId;
+  cachedDeveloperId = devIdString;
   // Save the entire config object to ensure all fields are preserved
   await saveConfig(config);
   // Verify the file was saved correctly by reading it back
@@ -154,8 +181,10 @@ async function setDeveloperId(developerId) {
   // Read file again with fresh file handle to avoid OS caching
   const savedContent = await fs.readFile(CONFIG_FILE, 'utf8');
   const savedConfig = yaml.load(savedContent);
-  if (savedConfig['developer-id'] !== developerId) {
-    throw new Error(`Failed to save developer ID: expected ${developerId}, got ${savedConfig['developer-id']}. File content: ${savedContent.substring(0, 200)}`);
+  // YAML may parse numbers as numbers, so convert to string for comparison
+  const savedDevIdString = String(savedConfig['developer-id']);
+  if (savedDevIdString !== devIdString) {
+    throw new Error(`Failed to save developer ID: expected ${devIdString}, got ${savedDevIdString}. File content: ${savedContent.substring(0, 200)}`);
   }
   // Clear the cache to force reload from file on next getDeveloperId() call
   // This ensures we get the value that was actually saved to disk
@@ -288,7 +317,7 @@ async function saveClientToken(environment, appName, controllerUrl, token, expir
 /**
  * Initialize and load developer ID
  * Call this to ensure developerId is loaded and cached
- * @returns {Promise<number>} Developer ID
+ * @returns {Promise<string>} Developer ID (string)
  */
 async function loadDeveloperId() {
   if (cachedDeveloperId === null) {
@@ -297,6 +326,60 @@ async function loadDeveloperId() {
   return cachedDeveloperId;
 }
 
+/**
+ * Get secrets encryption key from configuration
+ * @returns {Promise<string|null>} Encryption key or null if not set
+ */
+async function getSecretsEncryptionKey() {
+  const config = await getConfig();
+  return config['secrets-encryption'] || null;
+}
+
+/**
+ * Set secrets encryption key in configuration
+ * @param {string} key - Encryption key (32 bytes, hex or base64)
+ * @returns {Promise<void>}
+ * @throws {Error} If key format is invalid
+ */
+async function setSecretsEncryptionKey(key) {
+  if (!key || typeof key !== 'string') {
+    throw new Error('Encryption key is required and must be a string');
+  }
+
+  // Validate key format using encryption utilities
+  const { validateEncryptionKey } = require('./utils/secrets-encryption');
+  validateEncryptionKey(key);
+
+  const config = await getConfig();
+  config['secrets-encryption'] = key;
+  await saveConfig(config);
+}
+
+/**
+ * Get general secrets path from configuration
+ * Used as fallback when build.secrets is not set in variables.yaml
+ * @returns {Promise<string|null>} Secrets path or null if not set
+ */
+async function getSecretsPath() {
+  const config = await getConfig();
+  return config['secrets-path'] || null;
+}
+
+/**
+ * Set general secrets path in configuration
+ * @param {string} secretsPath - Path to general secrets file
+ * @returns {Promise<void>}
+ */
+async function setSecretsPath(secretsPath) {
+  if (!secretsPath || typeof secretsPath !== 'string') {
+    throw new Error('Secrets path is required and must be a string');
+  }
+
+  const config = await getConfig();
+  config['secrets-path'] = secretsPath;
+  await saveConfig(config);
+}
+
 // Create exports object
 const exportsObj = {
   getConfig,
@@ -312,6 +395,10 @@ const exportsObj = {
   getClientToken,
   saveDeviceToken,
   saveClientToken,
+  getSecretsEncryptionKey,
+  setSecretsEncryptionKey,
+  getSecretsPath,
+  setSecretsPath,
   CONFIG_DIR,
   CONFIG_FILE
 };
@@ -321,7 +408,7 @@ const exportsObj = {
 // Developer ID: 0 = default infra, > 0 = developer-specific
 Object.defineProperty(exportsObj, 'developerId', {
   get() {
-    return cachedDeveloperId !== null ? cachedDeveloperId : 0; // Default to 0 if not loaded yet
+    return cachedDeveloperId !== null ? cachedDeveloperId : '0'; // Default to "0" if not loaded yet
   },
   enumerable: true,
   configurable: true

package/lib/infra.js

@@ -28,21 +28,23 @@ const execAsync = promisify(exec);
 /**
  * Gets infrastructure directory name based on developer ID
  * Dev 0: infra (no dev-0 suffix), Dev > 0: infra-dev{id}
- * @param {number} devId - Developer ID
+ * @param {number|string} devId - Developer ID
  * @returns {string} Infrastructure directory name
  */
 function getInfraDirName(devId) {
-  return devId === 0 ? 'infra' : `infra-dev${devId}`;
+  const idNum = typeof devId === 'string' ? parseInt(devId, 10) : devId;
+  return idNum === 0 ? 'infra' : `infra-dev${devId}`;
 }
 
 /**
  * Gets Docker Compose project name based on developer ID
  * Dev 0: infra (no dev-0 suffix), Dev > 0: infra-dev{id}
- * @param {number} devId - Developer ID
+ * @param {number|string} devId - Developer ID
  * @returns {string} Docker Compose project name
  */
 function getInfraProjectName(devId) {
-  return devId === 0 ? 'infra' : `infra-dev${devId}`;
+  const idNum = typeof devId === 'string' ? parseInt(devId, 10) : devId;
+  return idNum === 0 ? 'infra' : `infra-dev${devId}`;
 }
 
 // Wrapper to support cwd option
@@ -96,7 +98,10 @@ async function startInfra(developerId = null) {
 
   // Get developer ID from parameter or config
   const devId = developerId || await config.getDeveloperId();
-  const ports = devConfig.getDevPorts(devId);
+  // Convert to number for getDevPorts (it expects numbers)
+  const devIdNum = typeof devId === 'string' ? parseInt(devId, 10) : devId;
+  const ports = devConfig.getDevPorts(devIdNum);
+  const idNum = devIdNum;
 
   // Load compose template (Handlebars)
   const templatePath = path.join(__dirname, '..', 'templates', 'infra', 'compose.yaml.hbs');
@@ -116,7 +121,7 @@ async function startInfra(developerId = null) {
   const templateContent = fs.readFileSync(templatePath, 'utf8');
   const template = handlebars.compile(templateContent);
   // Dev 0: infra-aifabrix-network, Dev > 0: infra-dev{id}-aifabrix-network
-  const networkName = devId === 0 ? 'infra-aifabrix-network' : `infra-dev${devId}-aifabrix-network`;
+  const networkName = idNum === 0 ? 'infra-aifabrix-network' : `infra-dev${devId}-aifabrix-network`;
   const composeContent = template({
     devId: devId,
     postgresPort: ports.postgres,
@@ -261,7 +266,9 @@ async function checkInfraHealth(devId = null) {
  */
 async function getInfraStatus() {
   const devId = await config.getDeveloperId();
-  const ports = devConfig.getDevPorts(devId);
+  // Convert string developer ID to number for getDevPorts
+  const devIdNum = parseInt(devId, 10);
+  const ports = devConfig.getDevPorts(devIdNum);
   const services = {
     postgres: { port: ports.postgres, url: `localhost:${ports.postgres}` },
     redis: { port: ports.redis, url: `localhost:${ports.redis}` },

package/lib/push.js

@@ -21,12 +21,35 @@ const execAsync = promisify(exec);
  * @returns {Promise<boolean>} True if Azure CLI is available
  */
 async function checkAzureCLIInstalled() {
-  try {
-    await execAsync('az --version');
-    return true;
-  } catch (error) {
-    return false;
+  // On Windows, use shell option to ensure proper command resolution
+  const options = process.platform === 'win32' ? { shell: true } : {};
+
+  // Try multiple methods to detect Azure CLI (commands that don't require authentication)
+  const commands = process.platform === 'win32'
+    ? ['az --version', 'az.cmd --version']
+    : ['az --version'];
+
+  for (const command of commands) {
+    try {
+      // Use a timeout to avoid hanging if command doesn't exist
+      await execAsync(command, { ...options, timeout: 5000 });
+      return true;
+    } catch (error) {
+      // Log the error for debugging (only in development)
+      if (process.env.DEBUG) {
+        logger.log(chalk.gray(`[DEBUG] Command '${command}' failed: ${error.message}`));
+      }
+      // Continue to next command if this one fails
+      continue;
+    }
+  }
+
+  // If all commands failed, Azure CLI is not available
+  // Log for debugging if enabled
+  if (process.env.DEBUG) {
+    logger.log(chalk.gray('[DEBUG] All Azure CLI detection methods failed'));
   }
+  return false;
 }
 
 /**
@@ -103,7 +126,9 @@ function validateRegistryURL(registryUrl) {
 async function checkACRAuthentication(registry) {
   try {
     const registryName = extractRegistryName(registry);
-    await execAsync(`az acr show --name ${registryName}`);
+    // On Windows, use shell option to ensure proper command resolution
+    const options = process.platform === 'win32' ? { shell: true } : {};
+    await execAsync(`az acr show --name ${registryName}`, options);
     return true;
   } catch (error) {
     return false;
@@ -119,7 +144,9 @@ async function authenticateACR(registry) {
   try {
     const registryName = extractRegistryName(registry);
     logger.log(chalk.blue(`Authenticating with ${registry}...`));
-    await execAsync(`az acr login --name ${registryName}`);
+    // On Windows, use shell option to ensure proper command resolution
+    const options = process.platform === 'win32' ? { shell: true } : {};
+    await execAsync(`az acr login --name ${registryName}`, options);
     logger.log(chalk.green(`✓ Authenticated with ${registry}`));
   } catch (error) {
     throw new Error(`Failed to authenticate with Azure Container Registry: ${error.message}`);