@aifabrix/builder 2.3.6 → 2.5.0

package/lib/secrets.js

@@ -12,11 +12,24 @@
 const fs = require('fs');
 const path = require('path');
 const yaml = require('js-yaml');
-const os = require('os');
-const chalk = require('chalk');
 const logger = require('./utils/logger');
 const config = require('./config');
-const devConfig = require('./utils/dev-config');
+const {
+  interpolateEnvVars,
+  collectMissingSecrets,
+  formatMissingSecretsFileInfo,
+  replaceKvInContent,
+  loadEnvTemplate,
+  processEnvVariables,
+  adjustLocalEnvPortsInContent,
+  rewriteInfraEndpoints,
+  readYamlAtPath,
+  applyCanonicalSecretsOverride,
+  ensureNonEmptySecrets,
+  validateSecrets
+} = require('./utils/secrets-helpers');
+const { buildEnvVarMap } = require('./utils/env-map');
+const { resolveServicePortsInEnvContent } = require('./utils/secrets-url');
 const {
   generateMissingSecrets,
   createDefaultSecrets
@@ -27,21 +40,28 @@ const {
 } = require('./utils/secrets-path');
 const {
   loadUserSecrets,
-  loadBuildSecrets,
-  loadDefaultSecrets,
-  buildHostnameToServiceMap,
-  resolveUrlPort
+  loadDefaultSecrets
 } = require('./utils/secrets-utils');
 const { decryptSecret, isEncrypted } = require('./utils/secrets-encryption');
+const pathsUtil = require('./utils/paths');
 
 /**
- * Loads environment configuration for docker/local context
- * @returns {Object} Environment configuration
+ * Generates a canonical secret name from an environment variable key.
+ * Converts to lowercase, replaces non-alphanumeric characters with hyphens,
+ * collapses consecutive hyphens, and trims leading/trailing hyphens.
+ *
+ * @function getCanonicalSecretName
+ * @param {string} key - Environment variable key (e.g., JWT_SECRET)
+ * @returns {string} Canonical secret name (e.g., jwt-secret)
  */
-function loadEnvConfig() {
-  const envConfigPath = path.join(__dirname, 'schema', 'env-config.yaml');
-  const content = fs.readFileSync(envConfigPath, 'utf8');
-  return yaml.load(content);
+function getCanonicalSecretName(key) {
+  if (!key || typeof key !== 'string') {
+    return '';
+  }
+  const lower = key.toLowerCase();
+  const hyphenated = lower.replace(/[^a-z0-9]/g, '-');
+  const collapsed = hyphenated.replace(/-+/g, '-');
+  return collapsed.replace(/^-+|-+$/g, '');
 }
 
 /**
@@ -103,46 +123,28 @@ async function decryptSecretsObject(secrets) {
  * const secrets = await loadSecrets('../../secrets.local.yaml');
  * // Returns: { 'postgres-passwordKeyVault': 'admin123', ... }
  */
-async function loadSecrets(secretsPath, appName) {
-  let secrets;
-
-  // If explicit path provided, use it (backward compatibility)
+async function loadSecrets(secretsPath, _appName) {
+  // Explicit path branch
   if (secretsPath) {
     const resolvedPath = resolveSecretsPath(secretsPath);
     if (!fs.existsSync(resolvedPath)) {
       throw new Error(`Secrets file not found: ${resolvedPath}`);
     }
-
-    const content = fs.readFileSync(resolvedPath, 'utf8');
-    secrets = yaml.load(content);
-
-    if (!secrets || typeof secrets !== 'object') {
+    const explicitSecrets = readYamlAtPath(resolvedPath);
+    if (!explicitSecrets || typeof explicitSecrets !== 'object') {
       throw new Error(`Invalid secrets file format: ${resolvedPath}`);
     }
-  } else {
-    // Cascading lookup: user's file first
-    let mergedSecrets = loadUserSecrets();
-
-    // Then check build.secrets from variables.yaml if appName provided
-    if (appName) {
-      mergedSecrets = await loadBuildSecrets(mergedSecrets, appName);
-    }
-
-    // If still no secrets found, try default location
-    if (Object.keys(mergedSecrets).length === 0) {
-      mergedSecrets = loadDefaultSecrets();
-    }
-
-    // If still empty, throw error
-    if (Object.keys(mergedSecrets).length === 0) {
-      throw new Error('No secrets file found. Please create ~/.aifabrix/secrets.local.yaml or configure build.secrets in variables.yaml');
-    }
-
-    secrets = mergedSecrets;
+    return await decryptSecretsObject(explicitSecrets);
   }
 
-  // Decrypt encrypted values
-  return await decryptSecretsObject(secrets);
+  // Cascading lookup branch
+  let mergedSecrets = loadUserSecrets();
+  mergedSecrets = await applyCanonicalSecretsOverride(mergedSecrets);
+  if (Object.keys(mergedSecrets).length === 0) {
+    mergedSecrets = loadDefaultSecrets();
+  }
+  ensureNonEmptySecrets(mergedSecrets);
+  return await decryptSecretsObject(mergedSecrets);
 }
 
 /**
@@ -166,229 +168,168 @@ async function loadSecrets(secretsPath, appName) {
  * // Returns: 'DATABASE_URL=postgresql://user:pass@localhost:5432/db'
  */
 async function resolveKvReferences(envTemplate, secrets, environment = 'local', secretsFilePaths = null, appName = null) {
-  const envConfig = loadEnvConfig();
-  const envVars = envConfig.environments[environment] || envConfig.environments.local;
-
-  // First, replace ${VAR} references in the template itself (for variables like DB_HOST=${DB_HOST})
-  let resolved = envTemplate.replace(/\$\{([A-Z_]+)\}/g, (match, envVar) => {
-    return envVars[envVar] || match;
-  });
-
-  const kvPattern = /kv:\/\/([a-zA-Z0-9-_]+)/g;
-  const missingSecrets = [];
-
-  let match;
-  while ((match = kvPattern.exec(resolved)) !== null) {
-    const secretKey = match[1];
-    if (!(secretKey in secrets)) {
-      missingSecrets.push(`kv://${secretKey}`);
-    }
+  const os = require('os');
+  let envVars = await buildEnvVarMap(environment, os);
+  if (!envVars || Object.keys(envVars).length === 0) {
+    // Fallback to local environment variables if requested environment does not exist
+    envVars = await buildEnvVarMap('local', os);
   }
-
-  if (missingSecrets.length > 0) {
-    let fileInfo = '';
-    if (secretsFilePaths) {
-      // Handle backward compatibility: if it's a string, use it as-is
-      if (typeof secretsFilePaths === 'string') {
-        fileInfo = `\n\nSecrets file location: ${secretsFilePaths}`;
-      } else if (typeof secretsFilePaths === 'object' && secretsFilePaths.userPath) {
-        // New format: show both paths if buildPath is configured
-        const paths = [secretsFilePaths.userPath];
-        if (secretsFilePaths.buildPath) {
-          paths.push(secretsFilePaths.buildPath);
-        }
-        fileInfo = `\n\nSecrets file location: ${paths.join(' and ')}`;
-      }
-    }
+  const resolved = interpolateEnvVars(envTemplate, envVars);
+  const missing = collectMissingSecrets(resolved, secrets);
+  if (missing.length > 0) {
+    const fileInfo = formatMissingSecretsFileInfo(secretsFilePaths);
     const resolveCommand = appName ? `aifabrix resolve ${appName}` : 'aifabrix resolve <app-name>';
-    throw new Error(`Missing secrets: ${missingSecrets.join(', ')}${fileInfo}\n\nRun "${resolveCommand}" to generate missing secrets.`);
+    throw new Error(`Missing secrets: ${missing.join(', ')}${fileInfo}\n\nRun "${resolveCommand}" to generate missing secrets.`);
   }
-
-  // Now replace kv:// references, and handle ${VAR} inside the secret values
-  resolved = resolved.replace(kvPattern, (match, secretKey) => {
-    let value = secrets[secretKey];
-    if (typeof value === 'string') {
-      // Replace ${VAR} references inside the secret value
-      value = value.replace(/\$\{([A-Z_]+)\}/g, (m, envVar) => {
-        return envVars[envVar] || m;
-      });
-    }
-    return value;
-  });
-
-  return resolved;
+  return replaceKvInContent(resolved, secrets, envVars);
 }
 
-/**
- * Resolves service ports in URLs within .env content for Docker environment
- * Replaces ports in URLs with containerPort from service's variables.yaml
- *
- * @function resolveServicePortsInEnvContent
- * @param {string} envContent - Resolved .env file content
- * @param {string} environment - Environment context (docker/local)
- * @returns {string} Content with resolved ports
- */
-function resolveServicePortsInEnvContent(envContent, environment) {
-  // Only process docker environment
-  if (environment !== 'docker') {
-    return envContent;
-  }
-
-  const envConfig = loadEnvConfig();
-  const dockerHosts = envConfig.environments.docker || {};
-  const hostnameToService = buildHostnameToServiceMap(dockerHosts);
-
-  // Pattern to match URLs: http://hostname:port or https://hostname:port
-  // Matches: protocol://hostname:port/path?query
-  // Captures: protocol, hostname, port, and optional path/query
-  // Note: [^\s\n]* matches any non-whitespace characters except newline (stops at end of line)
-  const urlPattern = /(https?:\/\/)([a-zA-Z0-9-]+):(\d+)([^\s\n]*)?/g;
-
-  return envContent.replace(urlPattern, (match, protocol, hostname, port, urlPath = '') => {
-    return resolveUrlPort(protocol, hostname, port, urlPath || '', hostnameToService);
-  });
-}
+// resolveServicePortsInEnvContent, loadEnvTemplate, and processEnvVariables
+// are imported from ./utils/secrets-helpers above.
 
 /**
- * Loads environment template from file
- * @function loadEnvTemplate
- * @param {string} templatePath - Path to env.template
- * @returns {string} Template content
- * @throws {Error} If file not found
+ * Generates .env file from template and secrets
+ * Creates environment file for local development
+ *
+ * @async
+ * @function generateEnvFile
+ * @param {string} appName - Name of the application
+ * @param {string} [secretsPath] - Path to secrets file (optional)
+ * @param {string} [environment='local'] - Environment context
+ * @param {boolean} [force=false] - Generate missing secret keys in secrets file
+ * @param {boolean} [skipOutputPath=false] - Skip processing envOutputPath (to avoid recursion)
+ * @returns {Promise<string>} Path to generated .env file
+ * @throws {Error} If generation fails
+ *
+ * @example
+ * const envPath = await generateEnvFile('myapp', '../../secrets.local.yaml', 'local', true);
+ * // Returns: './builder/myapp/.env'
  */
-function loadEnvTemplate(templatePath) {
-  if (!fs.existsSync(templatePath)) {
-    throw new Error(`env.template not found: ${templatePath}`);
-  }
-  return fs.readFileSync(templatePath, 'utf8');
-}
-
 /**
- * Processes environment variables and copies to output path if needed
- * Updates PORT variable to use localPort if available (only when copying to envOutputPath)
- * When .env stays in builder folder, uses port (container port)
- * @function processEnvVariables
- * @param {string} envPath - Path to generated .env file
- * @param {string} variablesPath - Path to variables.yaml
- * @throws {Error} If processing fails
+ * Updates PORT in resolved content for docker environment
+ * Sets PORT to container port (build.containerPort or port from variables.yaml)
+ * NOT the host port (which includes developer-id offset)
+ * @async
+ * @function updatePortForDocker
+ * @param {string} resolved - Resolved environment content
+ * @param {string} variablesPath - Path to variables.yaml file
+ * @returns {Promise<string>} Updated content with PORT set
  */
-function processEnvVariables(envPath, variablesPath) {
-  if (!fs.existsSync(variablesPath)) {
-    return;
-  }
-
-  const variablesContent = fs.readFileSync(variablesPath, 'utf8');
-  const variables = yaml.load(variablesContent);
+async function updatePortForDocker(resolved, variablesPath) {
+  // Step 1: Get base config from env-config.yaml (includes user env-config file if configured)
+  const { getEnvHosts } = require('./utils/env-endpoints');
+  let dockerEnv = await getEnvHosts('docker');
 
-  if (!variables?.build?.envOutputPath || variables.build.envOutputPath === null) {
-    return;
-  }
-
-  let outputPath = path.resolve(process.cwd(), variables.build.envOutputPath);
-  if (!outputPath.endsWith('.env')) {
-    if (fs.existsSync(outputPath) && fs.statSync(outputPath).isDirectory()) {
-      outputPath = path.join(outputPath, '.env');
-    } else {
-      outputPath = path.join(outputPath, '.env');
+  // Step 2: Apply config.yaml → environments.docker override (if exists)
+  try {
+    const os = require('os');
+    const cfgPath = path.join(os.homedir(), '.aifabrix', 'config.yaml');
+    if (fs.existsSync(cfgPath)) {
+      const cfgContent = fs.readFileSync(cfgPath, 'utf8');
+      const cfg = yaml.load(cfgContent) || {};
+      if (cfg && cfg.environments && cfg.environments.docker) {
+        dockerEnv = { ...dockerEnv, ...cfg.environments.docker };
+      }
     }
+  } catch {
+    // Ignore config.yaml read errors, continue with env-config values
   }
 
-  const outputDir = path.dirname(outputPath);
-  if (!fs.existsSync(outputDir)) {
-    fs.mkdirSync(outputDir, { recursive: true });
+  // Step 3: Get PORT value for container (should be container port, NOT host port)
+  // For Docker containers, PORT should be the container port (build.containerPort or port)
+  // NOT the host port (which includes developer-id offset)
+  let containerPort = null;
+  if (variablesPath && fs.existsSync(variablesPath)) {
+    try {
+      const variablesContent = fs.readFileSync(variablesPath, 'utf8');
+      const variables = yaml.load(variablesContent);
+      // Use containerPort if specified, otherwise use base port (no developer-id offset)
+      containerPort = variables?.build?.containerPort || variables?.port || 3000;
+    } catch {
+      // Fallback to default
+      containerPort = 3000;
+    }
+  } else {
+    // Fallback: check dockerEnv.PORT (but this should be container port, not host port)
+    if (dockerEnv.PORT !== undefined && dockerEnv.PORT !== null) {
+      const portVal = typeof dockerEnv.PORT === 'number' ? dockerEnv.PORT : parseInt(dockerEnv.PORT, 10);
+      if (!Number.isNaN(portVal)) {
+        containerPort = portVal;
+      }
+    }
+    if (containerPort === null || containerPort === undefined) {
+      containerPort = 3000;
+    }
   }
 
-  // Read the .env file content
-  let envContent = fs.readFileSync(envPath, 'utf8');
-
-  // Update PORT variable: use localPort ONLY when copying to envOutputPath (outside builder folder)
-  // When .env stays in builder folder, it uses port (container port)
-  const portToUse = variables.build?.localPort || variables.port || 3000;
-
-  // Replace PORT line (handles PORT=value format, with or without spaces)
-  envContent = envContent.replace(/^PORT\s*=\s*.*$/m, `PORT=${portToUse}`);
+  // PORT in container should be the container port (no developer-id adjustment)
+  // Docker will map container port to host port via port mapping
+  return resolved.replace(/^PORT\s*=\s*.*$/m, `PORT=${containerPort}`);
+}
 
-  // Write updated content to output path
-  fs.writeFileSync(outputPath, envContent, { mode: 0o600 });
-  logger.log(chalk.green(`✓ Copied .env to: ${variables.build.envOutputPath}`));
+/**
+ * Applies environment-specific transformations to resolved content
+ * @async
+ * @function applyEnvironmentTransformations
+ * @param {string} resolved - Resolved environment content
+ * @param {string} environment - Environment context
+ * @param {string} variablesPath - Path to variables.yaml file
+ * @returns {Promise<string>} Transformed content
+ */
+async function applyEnvironmentTransformations(resolved, environment, variablesPath) {
+  if (environment === 'docker') {
+    resolved = await resolveServicePortsInEnvContent(resolved, environment);
+    resolved = await rewriteInfraEndpoints(resolved, 'docker');
+    resolved = await updatePortForDocker(resolved, variablesPath);
+  } else if (environment === 'local') {
+    resolved = await adjustLocalEnvPortsInContent(resolved, variablesPath);
+  }
+  return resolved;
 }
 
 /**
- * Generates .env file from template and secrets
- * Creates environment file for local development
- *
+ * Generates .env file content from template and secrets (without writing to disk)
  * @async
- * @function generateEnvFile
+ * @function generateEnvContent
  * @param {string} appName - Name of the application
  * @param {string} [secretsPath] - Path to secrets file (optional)
  * @param {string} [environment='local'] - Environment context
  * @param {boolean} [force=false] - Generate missing secret keys in secrets file
- * @returns {Promise<string>} Path to generated .env file
+ * @returns {Promise<string>} Generated .env file content
  * @throws {Error} If generation fails
- *
- * @example
- * const envPath = await generateEnvFile('myapp', '../../secrets.local.yaml', 'local', true);
- * // Returns: './builder/myapp/.env'
  */
-async function generateEnvFile(appName, secretsPath, environment = 'local', force = false) {
+async function generateEnvContent(appName, secretsPath, environment = 'local', force = false) {
   const builderPath = path.join(process.cwd(), 'builder', appName);
   const templatePath = path.join(builderPath, 'env.template');
   const variablesPath = path.join(builderPath, 'variables.yaml');
-  const envPath = path.join(builderPath, '.env');
 
   const template = loadEnvTemplate(templatePath);
-
-  // Resolve secrets paths to show in error messages (use actual paths that loadSecrets would use)
   const secretsPaths = await getActualSecretsPath(secretsPath, appName);
 
   if (force) {
-    // Use userPath for generating missing secrets (priority file)
     await generateMissingSecrets(template, secretsPaths.userPath);
   }
 
   const secrets = await loadSecrets(secretsPath, appName);
   let resolved = await resolveKvReferences(template, secrets, environment, secretsPaths, appName);
+  resolved = await applyEnvironmentTransformations(resolved, environment, variablesPath);
 
-  // Resolve service ports in URLs for docker environment
-  if (environment === 'docker') {
-    resolved = resolveServicePortsInEnvContent(resolved, environment);
-  }
-
-  // For local environment, update infrastructure ports to use dev-specific ports
-  if (environment === 'local') {
-    const devId = await config.getDeveloperId();
-    // Convert string developer ID to number for getDevPorts
-    const devIdNum = parseInt(devId, 10);
-    const ports = devConfig.getDevPorts(devIdNum);
-
-    // Update DATABASE_PORT if present
-    resolved = resolved.replace(/^DATABASE_PORT\s*=\s*.*$/m, `DATABASE_PORT=${ports.postgres}`);
+  return resolved;
+}
 
-    // Update REDIS_URL if present (format: redis://localhost:port)
-    resolved = resolved.replace(/^REDIS_URL\s*=\s*redis:\/\/localhost:\d+/m, `REDIS_URL=redis://localhost:${ports.redis}`);
+async function generateEnvFile(appName, secretsPath, environment = 'local', force = false, skipOutputPath = false) {
+  const builderPath = path.join(process.cwd(), 'builder', appName);
+  const variablesPath = path.join(builderPath, 'variables.yaml');
+  const envPath = path.join(builderPath, '.env');
 
-    // Update REDIS_HOST if it contains a port
-    resolved = resolved.replace(/^REDIS_HOST\s*=\s*localhost:\d+/m, `REDIS_HOST=localhost:${ports.redis}`);
-  }
+  const resolved = await generateEnvContent(appName, secretsPath, environment, force);
 
   fs.writeFileSync(envPath, resolved, { mode: 0o600 });
 
-  // Update PORT variable in container .env file to use port (from variables.yaml)
-  // Note: containerPort is ONLY used for Docker Compose port mapping, NOT for PORT env variable
-  // The application inside container listens on PORT env variable, which should be 'port' from variables.yaml
-  if (fs.existsSync(variablesPath)) {
-    const variablesContent = fs.readFileSync(variablesPath, 'utf8');
-    const variables = yaml.load(variablesContent);
-    const port = variables.port || 3000;
-
-    // Update PORT in container .env file to use port (NOT containerPort, NOT localPort)
-    let envContent = fs.readFileSync(envPath, 'utf8');
-    envContent = envContent.replace(/^PORT\s*=\s*.*$/m, `PORT=${port}`);
-    fs.writeFileSync(envPath, envContent, { mode: 0o600 });
-  }
-
   // Process and copy to envOutputPath if configured (uses localPort for copied file)
-  processEnvVariables(envPath, variablesPath);
+  if (!skipOutputPath) {
+    await processEnvVariables(envPath, variablesPath, appName, secretsPath);
+  }
 
   return envPath;
 }
@@ -414,7 +355,7 @@ async function generateAdminSecretsEnv(secretsPath) {
     secrets = await loadSecrets(secretsPath);
   } catch (error) {
     // If secrets file doesn't exist, create default secrets
-    const defaultSecretsPath = secretsPath || path.join(os.homedir(), '.aifabrix', 'secrets.yaml');
+    const defaultSecretsPath = secretsPath || path.join(pathsUtil.getAifabrixHome(), 'secrets.yaml');
 
     if (!fs.existsSync(defaultSecretsPath)) {
       logger.log('Creating default secrets file...');
@@ -425,7 +366,7 @@ async function generateAdminSecretsEnv(secretsPath) {
     }
   }
 
-  const aifabrixDir = path.join(os.homedir(), '.aifabrix');
+  const aifabrixDir = pathsUtil.getAifabrixHome();
   const adminEnvPath = path.join(aifabrixDir, 'admin-secrets.env');
 
   if (!fs.existsSync(aifabrixDir)) {
@@ -447,43 +388,16 @@ REDIS_COMMANDER_PASSWORD=${postgresPassword}
   return adminEnvPath;
 }
 
-/**
- * Validates that all required secrets are present
- * Checks for missing kv:// references and provides helpful error messages
- *
- * @function validateSecrets
- * @param {string} envTemplate - Environment template content
- * @param {Object} secrets - Available secrets
- * @returns {Object} Validation result with missing secrets
- *
- * @example
- * const validation = validateSecrets(template, secrets);
- * // Returns: { valid: false, missing: ['kv://missing-secret'] }
- */
-function validateSecrets(envTemplate, secrets) {
-  const kvPattern = /kv:\/\/([a-zA-Z0-9-_]+)/g;
-  const missing = [];
-
-  let match;
-  while ((match = kvPattern.exec(envTemplate)) !== null) {
-    const secretKey = match[1];
-    if (!(secretKey in secrets)) {
-      missing.push(`kv://${secretKey}`);
-    }
-  }
-
-  return {
-    valid: missing.length === 0,
-    missing
-  };
-}
+// validateSecrets is imported from ./utils/secrets-helpers
 
 module.exports = {
   loadSecrets,
   resolveKvReferences,
   generateEnvFile,
+  generateEnvContent,
   generateMissingSecrets,
   generateAdminSecretsEnv,
   validateSecrets,
-  createDefaultSecrets
+  createDefaultSecrets,
+  getCanonicalSecretName
 };

package/lib/templates.js

@@ -50,8 +50,7 @@ function generateVariablesYaml(appName, config) {
       language: config.language || 'typescript',
       envOutputPath: null,
       context: null, // Defaults to dev directory in build process
-      dockerfile: '',
-      secrets: null
+      dockerfile: ''
     },
     repository: {
       enabled: false,
@@ -59,9 +58,7 @@ function generateVariablesYaml(appName, config) {
     },
     deployment: {
       controllerUrl: '',
-      environment: 'dev',
-      clientId: '',
-      clientSecret: ''
+      environment: 'dev'
     }
   };
 
@@ -125,7 +122,7 @@ function buildDatabaseEnv(config) {
   return {
     'DATABASE_URL': `kv://databases-${appName}-0-urlKeyVault`,
     'DB_HOST': '${DB_HOST}',
-    'DB_PORT': '5432',
+    'DB_PORT': '${DB_PORT}',
     'DB_NAME': dbName,
     'DB_USER': `${dbName}_user`,
     'DB_PASSWORD': `kv://databases-${appName}-0-passwordKeyVault`,
@@ -143,8 +140,8 @@ function buildRedisEnv(config) {
   return {
     'REDIS_URL': 'kv://redis-url',
     'REDIS_HOST': '${REDIS_HOST}',
-    'REDIS_PORT': '6379',
-    'REDIS_PASSWORD': 'kv://redis-password'
+    'REDIS_PORT': '${REDIS_PORT}',
+    'REDIS_PASSWORD': 'kv://redis-passwordKeyVault'
   };
 }
 
@@ -155,10 +152,7 @@ function buildStorageEnv(config) {
 
   return {
     'STORAGE_TYPE': 'local',
-    'STORAGE_PATH': '/app/storage',
-    'STORAGE_URL': 'kv://storage-url',
-    'STORAGE_KEY': 'kv://storage-key',
-    'STORAGE_SECRET': 'kv://storage-secret'
+    'STORAGE_PATH': '/app/storage'
   };
 }
 
@@ -168,10 +162,9 @@ function buildAuthEnv(config) {
   }
 
   return {
-    'JWT_SECRET': 'kv://jwt-secret',
+    'JWT_SECRET': 'kv://miso-controller-jwt-secretKeyVault',
     'JWT_EXPIRES_IN': '24h',
-    'AUTH_PROVIDER': 'local',
-    'SESSION_SECRET': 'kv://session-secret'
+    'AUTH_PROVIDER': 'local'
   };
 }
 
@@ -415,15 +408,14 @@ function generateSecretsYaml(config, existingSecrets = {}) {
     secrets.data['database-user'] = 'base64-encoded-user';
   }
   if (config.redis) {
-    secrets.data['redis-password'] = 'base64-encoded-redis-password';
+    secrets.data['redis-passwordKeyVault'] = 'base64-encoded-redis-password';
   }
   if (config.storage) {
     secrets.data['storage-key'] = 'base64-encoded-storage-key';
     secrets.data['storage-secret'] = 'base64-encoded-storage-secret';
   }
   if (config.authentication) {
-    secrets.data['jwt-secret'] = 'base64-encoded-jwt-secret';
-    secrets.data['session-secret'] = 'base64-encoded-session-secret';
+    secrets.data['miso-controller-jwt-secretKeyVault'] = 'base64-encoded-miso-controller-jwt-secretKeyVault';
   }
   Object.entries(existingSecrets).forEach(([key, value]) => {
     secrets.data[key] = Buffer.from(value).toString('base64');