@aifabrix/builder 2.37.9 → 2.39.0

package/lib/app/run-helpers.js

@@ -27,9 +27,13 @@ const composeGenerator = require('../utils/compose-generator');
 const dockerUtils = require('../utils/docker');
 const containerHelpers = require('../utils/app-run-containers');
 const pathsUtil = require('../utils/paths');
+const { resolveVersionForApp } = require('../utils/image-version');
 
 const execAsync = promisify(exec);
 
+/** Template apps (keycloak, miso-controller, dataplane) - never update variables.yaml when running */
+const TEMPLATE_APP_KEYS = ['keycloak', 'miso-controller', 'dataplane'];
+
 // Re-export container helper functions
 const checkImageExists = containerHelpers.checkImageExists;
 const checkContainerRunning = containerHelpers.checkContainerRunning;
@@ -138,6 +142,25 @@ async function validateAppConfiguration(appName) {
   return appConfig;
 }
 
+/**
+ * Resolves version from image and updates builder/variables.yaml when running.
+ * Template apps (keycloak, miso-controller, dataplane) are never updated - variables.yaml stays pristine.
+ * @async
+ * @param {string} appName - Application name
+ * @param {Object} appConfig - Application configuration
+ * @param {boolean} debug - Enable debug logging
+ */
+async function resolveAndUpdateVersion(appName, appConfig, debug) {
+  const isTemplateApp = TEMPLATE_APP_KEYS.includes(appName);
+  const resolved = await resolveVersionForApp(appName, appConfig, {
+    updateBuilder: !isTemplateApp,
+    builderPath: pathsUtil.getBuilderPath(appName)
+  });
+  if (resolved.fromImage && resolved.updated && debug) {
+    logger.log(chalk.gray(`[DEBUG] Updated app.version to ${resolved.version} from image`));
+  }
+}
+
 /**
  * Checks prerequisites: Docker image and (optionally) infrastructure
  * @async
@@ -163,10 +186,20 @@ async function checkPrerequisites(appName, appConfig, debug = false, skipInfraCh
   }
   logger.log(chalk.green(`✓ Image ${fullImageName} found`));
 
-  if (skipInfraCheck) {
-    return;
+  await resolveAndUpdateVersion(appName, appConfig, debug);
+
+  if (!skipInfraCheck) {
+    await checkInfraHealthOrThrow(debug);
   }
+}
 
+/**
+ * Checks infrastructure health and throws if unhealthy
+ * @async
+ * @param {boolean} debug - Enable debug logging
+ * @throws {Error} If infrastructure is not healthy
+ */
+async function checkInfraHealthOrThrow(debug) {
   logger.log(chalk.blue('Checking infrastructure health...'));
   const infraHealth = await infra.checkInfraHealth();
   if (debug) {

package/lib/app/show-display.js

@@ -31,14 +31,21 @@ function logApplicationRequired(a) {
   logger.log(`  Port:          ${port}`);
 }
 
+const APPLICATION_OPTIONAL_FIELDS = [
+  { key: 'deploymentKey', label: 'Deployment' },
+  { key: 'image', label: 'Image' },
+  { key: 'registryMode', label: 'Registry' },
+  { key: 'healthCheck', label: 'Health' },
+  { key: 'build', label: 'Build' },
+  { key: 'status', label: 'Status' },
+  { key: 'url', label: 'URL' },
+  { key: 'internalUrl', label: 'Internal URL' }
+];
+
 function logApplicationOptional(a) {
-  if (a.deploymentKey !== undefined) logger.log(`  Deployment:    ${a.deploymentKey ?? '—'}`);
-  if (a.image !== undefined) logger.log(`  Image:         ${a.image ?? '—'}`);
-  if (a.registryMode !== undefined) logger.log(`  Registry:      ${a.registryMode ?? '—'}`);
-  if (a.healthCheck !== undefined) logger.log(`  Health:        ${a.healthCheck ?? '—'}`);
-  if (a.build !== undefined) logger.log(`  Build:         ${a.build ?? '—'}`);
-  if (a.status !== undefined) logger.log(`  Status:        ${a.status ?? '—'}`);
-  if (a.url !== undefined) logger.log(`  URL:           ${a.url ?? '—'}`);
+  APPLICATION_OPTIONAL_FIELDS.forEach(({ key, label }) => {
+    if (a[key] !== undefined) logger.log(`  ${(label + ':').padEnd(16)} ${a[key] ?? '—'}`);
+  });
 }
 
 function logApplicationFields(a) {
@@ -75,10 +82,15 @@ function logRolesSection(roles) {
   });
 }
 
-function logPermissionsSection(permissions) {
-  if (permissions.length === 0) return;
+function logPermissionsSection(permissions, opts = {}) {
+  const showWhenEmpty = opts.showWhenEmpty || false;
+  if (permissions.length === 0 && !showWhenEmpty) return;
   logger.log('');
   logger.log('🛡️ Permissions');
+  if (permissions.length === 0) {
+    logger.log('  (none)');
+    return;
+  }
   permissions.forEach((p) => {
     const name = p.name ?? '—';
     const roleList = (p.roles || []).join(', ');
@@ -186,8 +198,10 @@ function logExternalSystemSection(ext) {
 /**
  * Format and print human-readable show output (offline or online).
  * @param {Object} summary - Unified summary (buildOfflineSummaryFromDeployJson or buildOnlineSummary)
+ * @param {Object} [options] - Display options
+ * @param {boolean} [options.permissionsOnly] - When true, output only source and Permissions section
  */
-function display(summary) {
+function display(summary, options = {}) {
   const a = summary.application;
   const roles = summary.roles ?? a.roles ?? [];
   const permissions = summary.permissions ?? a.permissions ?? [];
@@ -197,9 +211,14 @@ function display(summary) {
   const dbNames = Array.isArray(databases) ? databases.map((d) => (d && d.name) || d).filter(Boolean) : [];
 
   logSourceAndHeader(summary);
+  if (options.permissionsOnly) {
+    logPermissionsSection(permissions, { showWhenEmpty: true });
+    logger.log('');
+    return;
+  }
   logApplicationSection(a, summary.isExternal);
   logRolesSection(roles);
-  logPermissionsSection(permissions);
+  /* Permissions section shown only when --permissions is set (permissionsOnly mode) */
   logAuthSection(authentication);
   logConfigurationsSection(portalInputConfigurations);
   logDatabasesSection(dbNames);

package/lib/app/show.js

@@ -418,6 +418,7 @@ function buildApplicationFromAppCfg(app, cfg, portalInputConfigurations) {
     build: formatBuildForDisplay(cfg.build ?? app.build),
     status: pickAppCfg('status', app, cfg, '—'),
     url: pickAppCfg('url', app, cfg, '—'),
+    internalUrl: pickAppCfg('internalUrl', app, cfg, '—'),
     roles: cfg.roles ?? app.roles,
     permissions: cfg.permissions ?? app.permissions,
     authentication: cfg.authentication ?? app.authentication,
@@ -485,9 +486,10 @@ function buildOnlineSummary(apiApp, controllerUrl, externalSystem) {
  * Run show in offline mode: generate manifest (same as aifabrix json) and use it; else fall back to variables.yaml.
  * @param {string} appKey - Application key
  * @param {boolean} json - Output as JSON
+ * @param {boolean} [permissionsOnly] - When true, output only permissions
  * @throws {Error} If variables.yaml not found or invalid YAML
  */
-async function runOffline(appKey, json) {
+async function runOffline(appKey, json, permissionsOnly) {
   let summary;
 
   try {
@@ -503,6 +505,16 @@ async function runOffline(appKey, json) {
   }
 
   if (json) {
+    if (permissionsOnly) {
+      const out = {
+        source: summary.source,
+        path: summary.path,
+        appKey: summary.appKey,
+        permissions: summary.permissions || []
+      };
+      logger.log(JSON.stringify(out, null, 2));
+      return;
+    }
     const out = {
       source: summary.source,
       path: summary.path,
@@ -519,7 +531,7 @@ async function runOffline(appKey, json) {
     logger.log(JSON.stringify(out, null, 2));
     return;
   }
-  displayShow(summary);
+  displayShow(summary, { permissionsOnly: !!permissionsOnly });
 }
 
 async function resolveOnlineAuth(controllerUrl) {
@@ -550,7 +562,17 @@ async function fetchExternalSystemForOnline(controllerUrl, appKey, authConfig) {
   }
 }
 
-function outputOnlineJson(summary) {
+function outputOnlineJson(summary, permissionsOnly) {
+  if (permissionsOnly) {
+    const out = {
+      source: summary.source,
+      controllerUrl: summary.controllerUrl,
+      appKey: summary.appKey,
+      permissions: summary.permissions || []
+    };
+    logger.log(JSON.stringify(out, null, 2));
+    return;
+  }
   const out = {
     source: summary.source,
     controllerUrl: summary.controllerUrl,
@@ -562,6 +584,7 @@ function outputOnlineJson(summary) {
       type: summary.application.type,
       status: summary.application.status,
       url: summary.application.url,
+      internalUrl: summary.application.internalUrl,
       port: summary.application.port,
       configuration: summary.application.configuration,
       roles: summary.application.roles,
@@ -583,9 +606,10 @@ function outputOnlineJson(summary) {
  * Run show in online mode: getApplication, optionally dataplane for external, display or JSON.
  * @param {string} appKey - Application key
  * @param {boolean} json - Output as JSON
+ * @param {boolean} [permissionsOnly] - When true, output only permissions
  * @throws {Error} On auth failure, 404, or API error
  */
-async function runOnline(appKey, json) {
+async function runOnline(appKey, json, permissionsOnly) {
   const controllerUrl = await resolveControllerUrl();
   if (!controllerUrl) {
     throw new Error('Controller URL is required for --online. Run aifabrix login to set the controller URL in config.yaml.');
@@ -599,10 +623,10 @@ async function runOnline(appKey, json) {
     : null;
   const summary = buildOnlineSummary(apiApp, authResult.actualControllerUrl, externalSystem);
   if (json) {
-    outputOnlineJson(summary);
+    outputOnlineJson(summary, permissionsOnly);
     return;
   }
-  displayShow(summary);
+  displayShow(summary, { permissionsOnly: !!permissionsOnly });
 }
 
 /**
@@ -612,6 +636,7 @@ async function runOnline(appKey, json) {
  * @param {Object} options - Options
  * @param {boolean} [options.online] - Fetch from controller
  * @param {boolean} [options.json] - Output as JSON
+ * @param {boolean} [options.permissions] - When true, output only permissions (app show --permissions)
  * @throws {Error} If file missing/invalid (offline) or API/auth error (online)
  */
 async function showApp(appKey, options = {}) {
@@ -621,11 +646,12 @@ async function showApp(appKey, options = {}) {
 
   const online = Boolean(options.online);
   const json = Boolean(options.json);
+  const permissions = Boolean(options.permissions);
 
   if (online) {
-    await runOnline(appKey, json);
+    await runOnline(appKey, json, permissions);
   } else {
-    await runOffline(appKey, json);
+    await runOffline(appKey, json, permissions);
   }
 }
 

package/lib/cli/index.js

@@ -20,6 +20,8 @@ const { setupSecretsCommands } = require('./setup-secrets');
 const { setupExternalSystemCommands } = require('./setup-external-system');
 const { setupAppCommands: setupAppManagementCommands } = require('../commands/app');
 const { setupDatasourceCommands } = require('../commands/datasource');
+const { setupCredentialDeploymentCommands } = require('./setup-credential-deployment');
+const { setupServiceUserCommands } = require('./setup-service-user');
 
 /**
  * Sets up all CLI commands on the Commander program instance
@@ -33,6 +35,8 @@ function setupCommands(program) {
   setupAppManagementCommands(program);
   setupDatasourceCommands(program);
   setupUtilityCommands(program);
+  setupCredentialDeploymentCommands(program);
+  setupServiceUserCommands(program);
   setupExternalSystemCommands(program);
   setupDevCommands(program);
   setupSecretsCommands(program);

package/lib/cli/setup-app.js

@@ -173,6 +173,7 @@ See integration/hubspot/wizard-hubspot-e2e.yaml for an example.`)
     .description('Run application locally')
     .option('-p, --port <port>', 'Override local port')
     .option('-d, --debug', 'Enable debug output with detailed container information')
+    .option('-t, --tag <tag>', 'Image tag to run (e.g. v1.0.0); overrides variables.yaml image.tag')
     .action(async(appName, options) => {
       try {
         await app.runApp(appName, options);
@@ -182,6 +183,37 @@ See integration/hubspot/wizard-hubspot-e2e.yaml for an example.`)
       }
     });
 
+  program.command('logs <app>')
+    .description('Show application container logs (and optional env summary with secrets masked)')
+    .option('-f', 'Follow log stream')
+    .option('-t, --tail <lines>', 'Number of lines (default: 100); 0 = full list', '100')
+    .action(async(appName, options) => {
+      try {
+        const { runAppLogs } = require('../commands/app-logs');
+        const tailNum = parseInt(options.tail, 10);
+        await runAppLogs(appName, {
+          follow: options.f,
+          tail: Number.isNaN(tailNum) ? 100 : tailNum
+        });
+      } catch (error) {
+        handleCommandError(error, 'logs');
+        process.exit(1);
+      }
+    });
+
+  program.command('down-app <app>')
+    .description('Stop and remove application container; optionally remove volume and image')
+    .option('--volumes', 'Remove application Docker volume')
+    .action(async(appName, options) => {
+      try {
+        const { runDownAppWithImageRemoval } = require('../commands/app-down');
+        await runDownAppWithImageRemoval(appName, { volumes: options.volumes });
+      } catch (error) {
+        handleCommandError(error, 'down-app');
+        process.exit(1);
+      }
+    });
+
   program.command('push <app>')
     .description('Push image to Azure Container Registry')
     .option('-r, --registry <registry>', 'ACR registry URL (overrides variables.yaml)')
@@ -197,6 +229,7 @@ See integration/hubspot/wizard-hubspot-e2e.yaml for an example.`)
 
   program.command('deploy <app>')
     .description('Deploy to Azure via Miso Controller')
+    .option('--deployment <target>', 'Deployment target: \'local\' (send manifest to controller, then run app locally) or \'cloud\' (deploy via Miso Controller only)', 'cloud')
     .option('--type <type>', 'Application type: external to deploy from integration/<app> (no app register needed)')
     .option('--client-id <id>', 'Client ID (overrides config)')
     .option('--client-secret <secret>', 'Client Secret (overrides config)')
@@ -204,7 +237,14 @@ See integration/hubspot/wizard-hubspot-e2e.yaml for an example.`)
     .option('--no-poll', 'Do not poll for status')
     .action(async(appName, options) => {
       try {
+        const target = (options.deployment || 'cloud').toLowerCase();
+        if (target !== 'local' && target !== 'cloud') {
+          throw new Error('Deployment target must be \'local\' or \'cloud\'');
+        }
         await app.deployApp(appName, options);
+        if (target === 'local') {
+          await app.runApp(appName, options);
+        }
       } catch (error) {
         handleCommandError(error, 'deploy');
         process.exit(1);

package/lib/cli/setup-credential-deployment.js

@@ -0,0 +1,72 @@
+/**
+ * CLI credential and deployment list command setup.
+ * Commands: credential list, deployment list.
+ *
+ * @fileoverview Credential and deployment list CLI definitions
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { handleCommandError } = require('../utils/cli-utils');
+const { runCredentialList } = require('../commands/credential-list');
+const { runDeploymentList } = require('../commands/deployment-list');
+
+/**
+ * Sets up credential and deployment list commands
+ * @param {Command} program - Commander program instance
+ */
+function setupCredentialDeploymentCommands(program) {
+  const credential = program
+    .command('credential')
+    .description('Manage credentials');
+
+  credential
+    .command('list')
+    .description('List credentials from controller/dataplane (GET /api/v1/credential)')
+    .option('--controller <url>', 'Controller URL (default: from config)')
+    .option('--active-only', 'List only active credentials')
+    .option('--page-size <n>', 'Items per page', '50')
+    .action(async(options) => {
+      try {
+        const opts = {
+          controller: options.controller,
+          activeOnly: options.activeOnly,
+          pageSize: parseInt(options.pageSize, 10) || 50
+        };
+        await runCredentialList(opts);
+      } catch (error) {
+        logger.error(chalk.red(`Error: ${error.message}`));
+        handleCommandError(error, 'credential list');
+        process.exit(1);
+      }
+    });
+
+  const deployment = program
+    .command('deployment')
+    .description('List deployments');
+
+  deployment
+    .command('list')
+    .description('List last N deployments for current environment (default pageSize=50)')
+    .option('--controller <url>', 'Controller URL (default: from config)')
+    .option('--environment <env>', 'Environment key (default: from config)')
+    .option('--page-size <n>', 'Items per page', '50')
+    .action(async(options) => {
+      try {
+        const opts = {
+          controller: options.controller,
+          environment: options.environment,
+          pageSize: parseInt(options.pageSize, 10) || 50
+        };
+        await runDeploymentList(opts);
+      } catch (error) {
+        logger.error(chalk.red(`Error: ${error.message}`));
+        handleCommandError(error, 'deployment list');
+        process.exit(1);
+      }
+    });
+}
+
+module.exports = { setupCredentialDeploymentCommands };

package/lib/cli/setup-infra.js

@@ -83,10 +83,10 @@ function setupInfraCommands(program) {
     });
 
   program.command('up-miso')
-    .description('Install keycloak, miso-controller, and dataplane from images (no build). Infra must be up. Uses auto-generated secrets for testing.')
+    .description('Install keycloak and miso-controller from images (no build). Infra must be up. For dataplane use up-dataplane. Uses auto-generated secrets for testing.')
     .option('-r, --registry <url>', 'Override registry for all apps (e.g. myacr.azurecr.io)')
     .option('--registry-mode <mode>', 'Override registry mode (acr|external)')
-    .option('-i, --image <key>=<value>', 'Override image (e.g. keycloak=myreg/k:v1, miso-controller=myreg/m:v1, dataplane=myreg/d:v1); can be repeated', (v, prev) => (prev || []).concat([v]))
+    .option('-i, --image <key>=<value>', 'Override image (e.g. keycloak=myreg/k:v1, miso-controller=myreg/m:v1); can be repeated', (v, prev) => (prev || []).concat([v]))
     .action(async(options) => {
       try {
         await handleUpMiso(options);
@@ -97,7 +97,7 @@ function setupInfraCommands(program) {
     });
 
   program.command('up-dataplane')
-    .description('Register and deploy dataplane app in dev (requires login, environment must be dev)')
+    .description('Register, deploy, then run dataplane app locally in dev (always local deployment; requires login, environment must be dev)')
     .option('-r, --registry <url>', 'Override registry for dataplane image')
     .option('--registry-mode <mode>', 'Override registry mode (acr|external)')
     .option('-i, --image <ref>', 'Override dataplane image reference (e.g. myreg/dataplane:latest)')

package/lib/cli/setup-service-user.js

@@ -0,0 +1,52 @@
+/**
+ * CLI service-user command setup.
+ * Command: service-user create (create service user, get one-time secret).
+ *
+ * @fileoverview Service user CLI definitions
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { handleCommandError } = require('../utils/cli-utils');
+const { runServiceUserCreate } = require('../commands/service-user');
+
+/**
+ * Sets up service-user commands
+ * @param {Command} program - Commander program instance
+ */
+function setupServiceUserCommands(program) {
+  const serviceUser = program
+    .command('service-user')
+    .description('Create service users for integrations (one-time secret on create)');
+
+  serviceUser
+    .command('create')
+    .description('Create a service user (username, email, redirectUris, groupIds); receive one-time clientSecret (save it now)')
+    .option('--controller <url>', 'Controller URL (default: from config)')
+    .option('-u, --username <username>', 'Service user username (required)')
+    .option('-e, --email <email>', 'Email address (required)')
+    .option('--redirect-uris <uris>', 'Comma-separated redirect URIs for OAuth2 (required, e.g. https://app.example.com/callback)')
+    .option('--group-names <names>', 'Comma-separated group names (required, e.g. AI-Fabrix-Developers)')
+    .option('-d, --description <description>', 'Optional description')
+    .action(async(options) => {
+      try {
+        const opts = {
+          controller: options.controller,
+          username: options.username,
+          email: options.email,
+          redirectUris: options.redirectUris,
+          groupNames: options.groupNames,
+          description: options.description
+        };
+        await runServiceUserCreate(opts);
+      } catch (error) {
+        logger.error(chalk.red(`Error: ${error.message}`));
+        handleCommandError(error, 'service-user create');
+        process.exit(1);
+      }
+    });
+}
+
+module.exports = { setupServiceUserCommands };

package/lib/cli/setup-utility.js

@@ -1,5 +1,5 @@
 /**
- * CLI utility command setup (resolve, json, split-json, genkey, show, validate, diff).
+ * CLI utility command setup (resolve, json, split-json, show, validate, diff).
  *
  * @fileoverview Utility command definitions for AI Fabrix Builder CLI
  * @author AI Fabrix Team
@@ -127,30 +127,6 @@ function setupUtilityCommands(program) {
       }
     });
 
-  program.command('genkey <app>')
-    .description('Generate deployment key')
-    .action(async(appName) => {
-      try {
-        const jsonPath = await generator.generateDeployJson(appName);
-
-        const jsonContent = fs.readFileSync(jsonPath, 'utf8');
-        const deployment = JSON.parse(jsonContent);
-
-        const key = deployment.deploymentKey;
-
-        if (!key) {
-          throw new Error('deploymentKey not found in generated JSON');
-        }
-
-        logger.log(`\nDeployment key for ${appName}:`);
-        logger.log(key);
-        logger.log(chalk.gray(`\nGenerated from: ${jsonPath}`));
-      } catch (error) {
-        handleCommandError(error, 'genkey');
-        process.exit(1);
-      }
-    });
-
   program.command('show <appKey>')
     .description('Show application info from local builder/ or integration/ (offline) or from controller (--online)')
     .option('--online', 'Fetch application data from the controller')

package/lib/commands/app-down.js

@@ -0,0 +1,80 @@
+/**
+ * Down-app command – stop container, optionally volumes, then remove image if unused
+ *
+ * @fileoverview Down-app command implementation
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const chalk = require('chalk');
+const { exec } = require('child_process');
+const { promisify } = require('util');
+const logger = require('../utils/logger');
+const config = require('../core/config');
+const containerHelpers = require('../utils/app-run-containers');
+const { downApp } = require('../app/down');
+
+const execAsync = promisify(exec);
+
+/**
+ * Get image ID of a running container (sha or name:tag)
+ * @async
+ * @param {string} containerName - Docker container name
+ * @returns {Promise<string|null>} Image ID or null if container not found / not running
+ */
+async function getContainerImageId(containerName) {
+  try {
+    const { stdout } = await execAsync(
+      `docker inspect --format='{{.Image}}' ${containerName}`,
+      { encoding: 'utf8' }
+    );
+    const id = (stdout && stdout.trim()) || null;
+    return id || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Remove Docker image by ID; ignore "in use" or "no such image"
+ * @async
+ * @param {string} imageId - Image ID (sha or name:tag)
+ */
+async function removeImageIfUnused(imageId) {
+  if (!imageId) return;
+  try {
+    await execAsync(`docker rmi ${imageId}`);
+    logger.log(chalk.green(`✓ Image ${imageId} removed`));
+  } catch (err) {
+    const msg = (err && err.message) || '';
+    if (msg.includes('in use') || msg.includes('is being used')) {
+      logger.log(chalk.gray(`Image ${imageId} still in use by another container; not removed`));
+    } else if (msg.includes('No such image')) {
+      logger.log(chalk.gray(`Image ${imageId} not found (already removed)`));
+    } else {
+      logger.log(chalk.yellow(`Could not remove image: ${msg}`));
+    }
+  }
+}
+
+/**
+ * Run down-app: get image from container, stop/remove container (and optionally volume), then remove image if unused
+ * @async
+ * @param {string} appName - Application name
+ * @param {Object} options - { volumes: boolean }
+ * @returns {Promise<void>}
+ */
+async function runDownAppWithImageRemoval(appName, options = {}) {
+  const developerId = await config.getDeveloperId();
+  const containerName = containerHelpers.getContainerName(appName, developerId);
+  const imageId = await getContainerImageId(containerName);
+
+  await downApp(appName, options);
+  await removeImageIfUnused(imageId);
+}
+
+module.exports = {
+  runDownAppWithImageRemoval,
+  getContainerImageId,
+  removeImageIfUnused
+};