@aifabrix/builder 2.36.2 → 2.37.5

package/lib/commands/up-common.js

@@ -30,6 +30,36 @@ async function ensureTemplateAtPath(appName, targetAppPath) {
   return true;
 }
 
+/**
+ * Patches variables.yaml to set build.envOutputPath to null for deploy-only (no local code).
+ * Use when running up-miso/up-platform so we do not copy .env to repo paths or show that message.
+ * Patches both primary builder path and cwd/builder if different.
+ *
+ * @param {string} appName - Application name (e.g. miso-controller, dataplane)
+ */
+function patchEnvOutputPathForDeployOnly(appName) {
+  if (!appName || typeof appName !== 'string') return;
+  const pathsToPatch = [pathsUtil.getBuilderPath(appName)];
+  const cwdBuilderPath = path.join(process.cwd(), 'builder', appName);
+  if (path.resolve(cwdBuilderPath) !== path.resolve(pathsToPatch[0])) {
+    pathsToPatch.push(cwdBuilderPath);
+  }
+  const envOutputPathLine = /^(\s*envOutputPath:)\s*.*$/m;
+  const replacement = '$1 null  # deploy only, no copy';
+  for (const appPath of pathsToPatch) {
+    const variablesPath = path.join(appPath, 'variables.yaml');
+    if (!fs.existsSync(variablesPath)) continue;
+    try {
+      let content = fs.readFileSync(variablesPath, 'utf8');
+      if (!envOutputPathLine.test(content)) continue;
+      content = content.replace(envOutputPathLine, replacement);
+      fs.writeFileSync(variablesPath, content, 'utf8');
+    } catch (err) {
+      logger.warn(chalk.yellow(`Could not patch envOutputPath in ${variablesPath}: ${err.message}`));
+    }
+  }
+}
+
 /**
  * Ensures builder app directory exists from template if variables.yaml is missing.
  * If builder/<appName>/variables.yaml does not exist, copies from templates/applications/<appName>.
@@ -69,4 +99,4 @@ async function ensureAppFromTemplate(appName) {
   return primaryCopied;
 }
 
-module.exports = { ensureAppFromTemplate };
+module.exports = { ensureAppFromTemplate, patchEnvOutputPathForDeployOnly };

package/lib/commands/up-miso.js

@@ -19,7 +19,7 @@ const secrets = require('../core/secrets');
 const infra = require('../infrastructure');
 const app = require('../app');
 const { saveLocalSecret } = require('../utils/local-secrets');
-const { ensureAppFromTemplate } = require('./up-common');
+const { ensureAppFromTemplate, patchEnvOutputPathForDeployOnly } = require('./up-common');
 
 /** Keycloak base port (from templates/applications/keycloak/variables.yaml) */
 const KEYCLOAK_BASE_PORT = 8082;
@@ -126,12 +126,16 @@ async function handleUpMiso(options = {}) {
   const health = await infra.checkInfraHealth(undefined, { strict: true });
   const allHealthy = Object.values(health).every(status => status === 'healthy');
   if (!allHealthy) {
-    throw new Error('Infrastructure is not up. Run \'aifabrix up\' first.');
+    throw new Error('Infrastructure is not up. Run \'aifabrix up-infra\' first.');
   }
   logger.log(chalk.green('✓ Infrastructure is up'));
   await ensureAppFromTemplate('keycloak');
   await ensureAppFromTemplate('miso-controller');
   await ensureAppFromTemplate('dataplane');
+  // Deploy-only: do not copy .env to repo paths; patch variables so envOutputPath is null
+  patchEnvOutputPathForDeployOnly('keycloak');
+  patchEnvOutputPathForDeployOnly('miso-controller');
+  patchEnvOutputPathForDeployOnly('dataplane');
   const developerId = await config.getDeveloperId();
   const devIdNum = typeof developerId === 'string' ? parseInt(developerId, 10) : developerId;
   await setMisoSecretsAndResolve(devIdNum);

package/lib/commands/wizard-core.js

@@ -18,7 +18,8 @@ const {
   detectType,
   generateConfig,
   validateWizardConfig,
-  getDeploymentDocs
+  getDeploymentDocs,
+  postDeploymentDocs
 } = require('../api/wizard.api');
 const { generateWizardFiles } = require('../generator/wizard');
 const {
@@ -353,23 +354,47 @@ async function handleFileSaving(appName, systemConfig, datasourceConfigs, system
   logger.log(chalk.blue('\n\uD83D\uDCCB Step 7: Save Files'));
   const spinner = ora('Saving files...').start();
   try {
-    let aiGeneratedReadme = null;
-    if (systemKey && dataplaneUrl && authConfig) {
+    const generatedFiles = await generateWizardFiles(appName, systemConfig, datasourceConfigs, systemKey, { aiGeneratedReadme: null });
+    if (systemKey && dataplaneUrl && authConfig && generatedFiles.appPath) {
       try {
-        const docsResponse = await getDeploymentDocs(dataplaneUrl, authConfig, systemKey);
-        if (docsResponse.success && docsResponse.data?.content) aiGeneratedReadme = docsResponse.data.content;
+        const appPath = generatedFiles.appPath;
+        const deployKey = appName;
+        const variablesPath = path.join(appPath, 'variables.yaml');
+        const deployPath = path.join(appPath, `${deployKey}-deploy.json`);
+        let variablesYaml = null;
+        let deployJson = null;
+        try {
+          variablesYaml = await fs.readFile(variablesPath, 'utf8');
+        } catch {
+          // optional
+        }
+        try {
+          const deployContent = await fs.readFile(deployPath, 'utf8');
+          deployJson = JSON.parse(deployContent);
+        } catch {
+          // optional
+        }
+        const body = (variablesYaml !== null && variablesYaml !== undefined) || (deployJson !== null && deployJson !== undefined) ? { variablesYaml: variablesYaml || null, deployJson: deployJson || null } : null;
+        const docsResponse = body
+          ? await postDeploymentDocs(dataplaneUrl, authConfig, systemKey, body)
+          : await getDeploymentDocs(dataplaneUrl, authConfig, systemKey);
+        const content = docsResponse?.data?.content ?? docsResponse?.content;
+        if (content && typeof content === 'string') {
+          const readmePath = path.join(appPath, 'README.md');
+          await fs.writeFile(readmePath, content, 'utf8');
+          logger.log(chalk.gray('  Updated README.md from deployment-docs API (variables.yaml + deploy JSON).'));
+        }
       } catch (e) {
         logger.log(chalk.gray(`  Could not fetch AI-generated README: ${e.message}`));
       }
     }
-    const generatedFiles = await generateWizardFiles(appName, systemConfig, datasourceConfigs, systemKey, { aiGeneratedReadme });
     spinner.stop();
     logger.log(chalk.green('\n\u2713 Wizard completed successfully!'));
     logger.log(chalk.green(`\nFiles created in: ${generatedFiles.appPath}`));
     logger.log(chalk.blue('\nNext steps:'));
     logger.log(chalk.gray(`  1. Review the generated files in integration/${appName}/`));
     logger.log(chalk.gray('  2. Update env.template with your authentication details'));
-    logger.log(chalk.gray(`  3. Deploy using: ./deploy.sh or aifabrix deploy ${appName}`));
+    logger.log(chalk.gray(`  3. Deploy using: node deploy.js or aifabrix deploy ${appName}`));
     return generatedFiles;
   } catch (error) {
     spinner.stop();

package/lib/core/config.js

@@ -396,6 +396,15 @@ async function setSecretsEncryptionKey(key) {
   await saveConfig(config);
 }
 
+/**
+ * Ensure secrets encryption key exists (empty install). Delegates to ensure-encryption-key module.
+ * @returns {Promise<void>}
+ */
+async function ensureSecretsEncryptionKey() {
+  const { ensureSecretsEncryptionKey: run } = require('./ensure-encryption-key');
+  await run({ getSecretsEncryptionKey, setSecretsEncryptionKey, getSecretsPath });
+}
+
 async function getSecretsPath() {
   const config = await getConfig();
   return config['aifabrix-secrets'] || config['secrets-path'] || null;
@@ -427,6 +436,7 @@ const exportsObj = {
   decryptTokenValue,
   getSecretsEncryptionKey,
   setSecretsEncryptionKey,
+  ensureSecretsEncryptionKey,
   getSecretsPath,
   setSecretsPath,
   normalizeControllerUrl,

package/lib/core/ensure-encryption-key.js

@@ -0,0 +1,56 @@
+/**
+ * Ensure secrets encryption key exists on empty install.
+ * If missing from config and from user/project secrets, generates and saves one. Never logs the key.
+ *
+ * @fileoverview Encryption key bootstrap for empty installation
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const path = require('path');
+const fs = require('fs');
+const yaml = require('js-yaml');
+const crypto = require('crypto');
+const pathsUtil = require('../utils/paths');
+const { saveLocalSecret } = require('../utils/local-secrets');
+
+const ENCRYPTION_KEY = 'secrets-encryptionKeyVault';
+
+function readKeyFromFile(filePath) {
+  try {
+    if (!fs.existsSync(filePath)) return null;
+    const content = fs.readFileSync(filePath, 'utf8');
+    const data = yaml.load(content);
+    if (data && typeof data[ENCRYPTION_KEY] === 'string') return data[ENCRYPTION_KEY];
+  } catch {
+    // Ignore
+  }
+  return null;
+}
+
+/**
+ * Ensure secrets encryption key exists. If config already has it, do nothing.
+ * If key exists in user or project secrets file, set config. Otherwise generate, write to user secrets, set config.
+ * @param {Object} config - Config module (getSecretsEncryptionKey, setSecretsEncryptionKey, getSecretsPath)
+ * @returns {Promise<void>}
+ */
+async function ensureSecretsEncryptionKey(config) {
+  const existing = await config.getSecretsEncryptionKey();
+  if (existing) return;
+
+  const userSecretsPath = path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
+  const projectSecretsPath = await config.getSecretsPath();
+
+  let key = readKeyFromFile(userSecretsPath);
+  if (!key && projectSecretsPath) key = readKeyFromFile(path.resolve(projectSecretsPath));
+  if (key) {
+    await config.setSecretsEncryptionKey(key);
+    return;
+  }
+
+  const newKey = crypto.randomBytes(32).toString('hex');
+  await saveLocalSecret(ENCRYPTION_KEY, newKey);
+  await config.setSecretsEncryptionKey(newKey);
+}
+
+module.exports = { ensureSecretsEncryptionKey };

package/lib/deployment/deployer-status.js

@@ -0,0 +1,101 @@
+/**
+ * Deployment status and polling helpers for deployer.
+ *
+ * @fileoverview Deployment status checks and polling utilities
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+
+/**
+ * Checks if deployment status is terminal
+ * @param {string} status - Deployment status
+ * @returns {boolean} True if status is terminal
+ */
+function isTerminalStatus(status) {
+  return status === 'completed' || status === 'failed' || status === 'cancelled';
+}
+
+/**
+ * Convert authConfig to pipeline auth config format
+ * @param {Object} authConfig - Authentication configuration
+ * @returns {Object} Pipeline auth config
+ */
+function convertToPipelineAuthConfig(authConfig) {
+  return authConfig.type === 'bearer'
+    ? { type: 'bearer', token: authConfig.token }
+    : { type: 'client-credentials', clientId: authConfig.clientId, clientSecret: authConfig.clientSecret };
+}
+
+/**
+ * Handles error response from deployment status check
+ * @param {Object} response - API response
+ * @param {string} deploymentId - Deployment ID
+ * @throws {Error} Appropriate error message
+ */
+function handleDeploymentStatusError(response, deploymentId) {
+  if (response.status === 404) {
+    throw new Error(`Deployment ${deploymentId || response.deploymentId || 'unknown'} not found`);
+  }
+  throw new Error(`Status check failed: ${response.formattedError || response.error || 'Unknown error'}`);
+}
+
+/**
+ * Extracts deployment data from response
+ * @param {Object} response - API response
+ * @returns {Object} Deployment data
+ */
+function extractDeploymentData(response) {
+  const responseData = response.data;
+  return responseData.data || responseData;
+}
+
+/**
+ * Logs deployment progress
+ * @param {Object} deploymentData - Deployment data
+ * @param {number} attempt - Current attempt
+ * @param {number} maxAttempts - Maximum attempts
+ */
+function logDeploymentProgress(deploymentData, attempt, maxAttempts) {
+  const status = deploymentData.status;
+  const progress = deploymentData.progress || 0;
+  logger.log(chalk.blue(`   Status: ${status} (${progress}%) (attempt ${attempt + 1}/${maxAttempts})`));
+}
+
+/**
+ * Process deployment status response
+ * @param {Object} response - API response
+ * @param {number} attempt - Current attempt number
+ * @param {number} maxAttempts - Maximum attempts
+ * @param {number} interval - Polling interval
+ * @param {string} deploymentId - Deployment ID for error messages
+ * @returns {Promise<Object|null>} Deployment data if terminal, null if needs to continue polling
+ */
+async function processDeploymentStatusResponse(response, attempt, maxAttempts, interval, deploymentId) {
+  if (!response.success || !response.data) {
+    handleDeploymentStatusError(response, deploymentId);
+  }
+
+  const deploymentData = extractDeploymentData(response);
+  if (isTerminalStatus(deploymentData.status)) {
+    return deploymentData;
+  }
+
+  logDeploymentProgress(deploymentData, attempt, maxAttempts);
+  if (attempt < maxAttempts - 1) {
+    await new Promise(resolve => setTimeout(resolve, interval));
+  }
+
+  return null;
+}
+
+module.exports = {
+  isTerminalStatus,
+  convertToPipelineAuthConfig,
+  handleDeploymentStatusError,
+  extractDeploymentData,
+  logDeploymentProgress,
+  processDeploymentStatusResponse
+};

package/lib/deployment/deployer.js

@@ -16,6 +16,23 @@ const { validateControllerUrl, validateEnvironmentKey } = require('../utils/depl
 const { handleDeploymentError, handleDeploymentErrors } = require('../utils/deployment-errors');
 const { validatePipeline, deployPipeline, getPipelineDeployment } = require('../api/pipeline.api');
 const { handleValidationResponse } = require('../utils/deployment-validation-helpers');
+const {
+  convertToPipelineAuthConfig,
+  processDeploymentStatusResponse
+} = require('./deployer-status');
+
+/**
+ * For external systems, send full manifest (application + inline system + full dataSources).
+ * No transform - controller receives complete application, external system, and data sources.
+ * @param {Object} manifest - Full manifest (type 'external', system, dataSources as full objects)
+ * @returns {Object} Manifest to send to pipeline (external sent as-is)
+ */
+function transformExternalManifestForPipeline(manifest) {
+  if (!manifest) {
+    return manifest;
+  }
+  return manifest;
+}
 
 /**
  * Build validation data for deployment
@@ -28,27 +45,42 @@ const { handleValidationResponse } = require('../utils/deployment-validation-hel
  */
 async function buildValidationData(manifest, validatedEnvKey, authConfig, options) {
   const tokenManager = require('../utils/token-manager');
-  const { clientId, clientSecret } = await tokenManager.extractClientCredentials(
-    authConfig,
-    manifest.key,
-    validatedEnvKey,
-    options
-  );
+  let clientId;
+  let clientSecret;
+  let pipelineAuthConfig;
+
+  try {
+    const credentials = await tokenManager.extractClientCredentials(
+      authConfig,
+      manifest.key,
+      validatedEnvKey,
+      options
+    );
+    clientId = credentials.clientId;
+    clientSecret = credentials.clientSecret;
+    pipelineAuthConfig = {
+      type: 'client-credentials',
+      clientId,
+      clientSecret
+    };
+  } catch (credError) {
+    if (authConfig.type === 'bearer' && authConfig.token) {
+      pipelineAuthConfig = { type: 'bearer', token: authConfig.token };
+      clientId = manifest.key;
+      clientSecret = '';
+    } else {
+      throw credError;
+    }
+  }
 
   const repositoryUrl = options.repositoryUrl || `https://github.com/aifabrix/${manifest.key}`;
   const validationData = {
-    clientId: clientId,
-    clientSecret: clientSecret,
+    clientId: clientId || '',
+    clientSecret: clientSecret || '',
     repositoryUrl: repositoryUrl,
     applicationConfig: manifest
   };
 
-  const pipelineAuthConfig = {
-    type: 'client-credentials',
-    clientId: clientId,
-    clientSecret: clientSecret
-  };
-
   return { validationData, pipelineAuthConfig };
 }
 
@@ -130,7 +162,7 @@ function validateDeploymentCredentials(authConfig) {
 }
 
 /**
- * Build deployment data and auth config
+ * Build deployment data and auth config (supports bearer-only when no client credentials)
  * @param {string} validateToken - Validation token
  * @param {Object} authConfig - Authentication configuration
  * @param {Object} options - Deployment options
@@ -143,11 +175,13 @@ function buildDeploymentData(validateToken, authConfig, options) {
     imageTag: imageTag
   };
 
-  const pipelineAuthConfig = {
-    type: 'client-credentials',
-    clientId: authConfig.clientId,
-    clientSecret: authConfig.clientSecret
-  };
+  const pipelineAuthConfig = authConfig.type === 'bearer' && authConfig.token && !authConfig.clientId
+    ? { type: 'bearer', token: authConfig.token }
+    : {
+      type: 'client-credentials',
+      clientId: authConfig.clientId,
+      clientSecret: authConfig.clientSecret
+    };
 
   return { deployData, pipelineAuthConfig };
 }
@@ -212,10 +246,12 @@ async function sendDeploymentRequest(url, envKey, validateToken, authConfig, opt
   const validatedEnvKey = validateEnvironmentKey(envKey);
   const maxRetries = options.maxRetries || 3;
 
-  // Validate credentials
-  validateDeploymentCredentials(authConfig);
+  const useBearerOnly = authConfig.type === 'bearer' && authConfig.token && !authConfig.clientId;
+  if (!useBearerOnly) {
+    validateDeploymentCredentials(authConfig);
+  }
 
-  // Build deployment data
+  // Build deployment data (supports bearer-only when no client credentials)
   const { deployData, pipelineAuthConfig } = buildDeploymentData(validateToken, authConfig, options);
 
   // Wrap API call with retry logic
@@ -237,92 +273,6 @@ async function sendDeploymentRequest(url, envKey, validateToken, authConfig, opt
   throwDeploymentError(lastError, maxRetries);
 }
 
-/**
- * Checks if deployment status is terminal
- * @function isTerminalStatus
- * @param {string} status - Deployment status
- * @returns {boolean} True if status is terminal
- */
-function isTerminalStatus(status) {
-  return status === 'completed' || status === 'failed' || status === 'cancelled';
-}
-
-/**
- * Convert authConfig to pipeline auth config format
- * @param {Object} authConfig - Authentication configuration
- * @returns {Object} Pipeline auth config
- */
-function convertToPipelineAuthConfig(authConfig) {
-  return authConfig.type === 'bearer'
-    ? { type: 'bearer', token: authConfig.token }
-    : { type: 'client-credentials', clientId: authConfig.clientId, clientSecret: authConfig.clientSecret };
-}
-
-/**
- * Process deployment status response
- * @param {Object} response - API response
- * @param {number} attempt - Current attempt number
- * @param {number} maxAttempts - Maximum attempts
- * @param {number} interval - Polling interval
- * @param {string} deploymentId - Deployment ID for error messages
- * @returns {Object|null} Deployment data if terminal, null if needs to continue polling
- */
-/**
- * Handles error response from deployment status check
- * @function handleDeploymentStatusError
- * @param {Object} response - API response
- * @param {string} deploymentId - Deployment ID
- * @throws {Error} Appropriate error message
- */
-function handleDeploymentStatusError(response, deploymentId) {
-  if (response.status === 404) {
-    throw new Error(`Deployment ${deploymentId || response.deploymentId || 'unknown'} not found`);
-  }
-  throw new Error(`Status check failed: ${response.formattedError || response.error || 'Unknown error'}`);
-}
-
-/**
- * Extracts deployment data from response
- * @function extractDeploymentData
- * @param {Object} response - API response
- * @returns {Object} Deployment data
- */
-function extractDeploymentData(response) {
-  const responseData = response.data;
-  return responseData.data || responseData;
-}
-
-/**
- * Logs deployment progress
- * @function logDeploymentProgress
- * @param {Object} deploymentData - Deployment data
- * @param {number} attempt - Current attempt
- * @param {number} maxAttempts - Maximum attempts
- */
-function logDeploymentProgress(deploymentData, attempt, maxAttempts) {
-  const status = deploymentData.status;
-  const progress = deploymentData.progress || 0;
-  logger.log(chalk.blue(`   Status: ${status} (${progress}%) (attempt ${attempt + 1}/${maxAttempts})`));
-}
-
-async function processDeploymentStatusResponse(response, attempt, maxAttempts, interval, deploymentId) {
-  if (!response.success || !response.data) {
-    handleDeploymentStatusError(response, deploymentId);
-  }
-
-  const deploymentData = extractDeploymentData(response);
-  if (isTerminalStatus(deploymentData.status)) {
-    return deploymentData;
-  }
-
-  logDeploymentProgress(deploymentData, attempt, maxAttempts);
-  if (attempt < maxAttempts - 1) {
-    await new Promise(resolve => setTimeout(resolve, interval));
-  }
-
-  return null;
-}
-
 /**
  * Polls deployment status from controller
  * Uses pipeline endpoint for CI/CD monitoring with minimal deployment info
@@ -470,9 +420,11 @@ async function deployToController(manifest, controllerUrl, envKey, authConfig, o
   // Log deployment attempt for audit
   await auditLogger.logDeploymentAttempt(manifest.key, url, options);
 
+  const pipelineManifest = transformExternalManifestForPipeline(manifest);
+
   try {
     // Send deployment request
-    const result = await sendDeployment(url, validatedEnvKey, manifest, authConfig, options);
+    const result = await sendDeployment(url, validatedEnvKey, pipelineManifest, authConfig, options);
 
     // Poll for deployment status if enabled
     return await pollDeployment(result, url, validatedEnvKey, authConfig, options);