npm - @aifabrix/builder - Versions diffs - 2.37.9 → 2.39.0 - Mend

@aifabrix/builder 2.37.9 → 2.39.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (74) hide show

package/.cursor/rules/project-rules.mdc +3 -0
package/README.md +19 -0
package/integration/hubspot/hubspot-deploy.json +1 -5
package/integration/hubspot/hubspot-system.json +0 -3
package/lib/api/applications.api.js +29 -1
package/lib/api/auth.api.js +14 -0
package/lib/api/credentials.api.js +34 -0
package/lib/api/datasources-core.api.js +16 -1
package/lib/api/datasources-extended.api.js +18 -1
package/lib/api/deployments.api.js +32 -0
package/lib/api/environments.api.js +11 -0
package/lib/api/external-systems.api.js +16 -1
package/lib/api/pipeline.api.js +12 -4
package/lib/api/service-users.api.js +41 -0
package/lib/api/types/applications.types.js +1 -1
package/lib/api/types/deployments.types.js +1 -1
package/lib/api/types/pipeline.types.js +1 -1
package/lib/api/types/service-users.types.js +24 -0
package/lib/api/wizard.api.js +40 -1
package/lib/app/deploy.js +86 -21
package/lib/app/rotate-secret.js +3 -1
package/lib/app/run-helpers.js +35 -2
package/lib/app/show-display.js +30 -11
package/lib/app/show.js +34 -8
package/lib/cli/index.js +4 -0
package/lib/cli/setup-app.js +40 -0
package/lib/cli/setup-credential-deployment.js +72 -0
package/lib/cli/setup-infra.js +3 -3
package/lib/cli/setup-service-user.js +52 -0
package/lib/cli/setup-utility.js +1 -25
package/lib/commands/app-down.js +80 -0
package/lib/commands/app-logs.js +146 -0
package/lib/commands/app.js +24 -1
package/lib/commands/credential-list.js +104 -0
package/lib/commands/deployment-list.js +184 -0
package/lib/commands/service-user.js +193 -0
package/lib/commands/up-common.js +74 -5
package/lib/commands/up-dataplane.js +13 -7
package/lib/commands/up-miso.js +17 -24
package/lib/core/templates.js +2 -2
package/lib/external-system/deploy.js +79 -15
package/lib/generator/builders.js +8 -27
package/lib/generator/external-controller-manifest.js +5 -4
package/lib/generator/index.js +16 -14
package/lib/generator/split.js +1 -0
package/lib/generator/wizard.js +4 -1
package/lib/schema/application-schema.json +6 -14
package/lib/schema/deployment-rules.yaml +121 -0
package/lib/schema/external-system.schema.json +0 -16
package/lib/utils/app-register-config.js +10 -12
package/lib/utils/app-run-containers.js +2 -1
package/lib/utils/compose-generator.js +2 -1
package/lib/utils/deployment-errors.js +10 -0
package/lib/utils/environment-checker.js +25 -6
package/lib/utils/help-builder.js +0 -1
package/lib/utils/image-version.js +209 -0
package/lib/utils/schema-loader.js +1 -1
package/lib/utils/variable-transformer.js +7 -33
package/lib/validation/external-manifest-validator.js +1 -1
package/package.json +1 -1
package/templates/applications/README.md.hbs +1 -3
package/templates/applications/dataplane/Dockerfile +2 -2
package/templates/applications/dataplane/README.md +20 -6
package/templates/applications/dataplane/env.template +31 -2
package/templates/applications/dataplane/rbac.yaml +1 -1
package/templates/applications/dataplane/variables.yaml +7 -4
package/templates/applications/keycloak/Dockerfile +3 -3
package/templates/applications/keycloak/README.md +14 -4
package/templates/applications/keycloak/env.template +17 -2
package/templates/applications/keycloak/variables.yaml +2 -1
package/templates/applications/miso-controller/README.md +1 -3
package/templates/applications/miso-controller/env.template +85 -25
package/templates/applications/miso-controller/rbac.yaml +15 -0
package/templates/applications/miso-controller/variables.yaml +24 -23

package/lib/commands/app-logs.js ADDED Viewed

@@ -0,0 +1,146 @@
+/**
+ * App logs command – show container env (masked) and docker logs for an app
+ *
+ * @fileoverview App logs command implementation
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+const chalk = require('chalk');
+const { exec, spawn } = require('child_process');
+const { promisify } = require('util');
+const logger = require('../utils/logger');
+const config = require('../core/config');
+const containerHelpers = require('../utils/app-run-containers');
+const { validateAppName } = require('../app/push');
+const execAsync = promisify(exec);
+/** Default number of log lines */
+const DEFAULT_TAIL_LINES = 100;
+/** Env key patterns that indicate a secret (mask value) */
+const SECRET_KEY_PATTERN = /password|secret|token|credential|api[_-]?key/i;
+/** Prefixes to strip before checking key (avoids masking KEYCLOAK_SERVER_URL etc.) */
+const KEY_PREFIXES_TO_STRIP = /^KEYCLOAK_|^KEY_VAULT_/;
+/** URL with embedded credentials: scheme://user:password@host → scheme://user:***@host */
+const URL_CREDENTIAL_PATTERN = /(\w+:\/\/)([^:@]*):([^@]+)@/g;
+/**
+ * Masks a single env line if the key looks like a secret or value contains URL credentials
+ * @param {string} line - Line in form KEY=value
+ * @returns {string} Same line or KEY=*** or value with masked URL credentials
+ */
+function maskEnvLine(line) {
+  const eq = line.indexOf('=');
+  if (eq <= 0) return line;
+  const key = line.slice(0, eq);
+  const value = line.slice(eq + 1);
+  const keyForCheck = key.replace(KEY_PREFIXES_TO_STRIP, '');
+  const isSecretKey = SECRET_KEY_PATTERN.test(keyForCheck);
+  const maskedValue = value.replace(URL_CREDENTIAL_PATTERN, '$1$2:***@');
+  const hasUrlCredentials = maskedValue !== value;
+  if (isSecretKey) return `${key}=***`;
+  if (hasUrlCredentials) return `${key}=${maskedValue}`;
+  return line;
+}
+/**
+ * Dump container env (masked) and print to logger
+ * @async
+ * @param {string} containerName - Docker container name
+ * @returns {Promise<void>}
+ */
+async function dumpMaskedEnv(containerName) {
+  try {
+    const { stdout } = await execAsync(`docker exec ${containerName} env`, { encoding: 'utf8', timeout: 5000 });
+    const lines = stdout.split('\n').filter((l) => l.trim());
+    if (lines.length === 0) return;
+    logger.log(chalk.bold('\n--- Environment (sensitive values masked) ---\n'));
+    lines.sort((a, b) => {
+      const keyA = a.indexOf('=') > 0 ? a.slice(0, a.indexOf('=')) : a;
+      const keyB = b.indexOf('=') > 0 ? b.slice(0, b.indexOf('=')) : b;
+      return keyA.localeCompare(keyB);
+    });
+    lines.forEach((line) => logger.log(maskEnvLine(line)));
+    logger.log(chalk.gray('\n--- Logs ---\n'));
+  } catch (err) {
+    logger.log(chalk.gray('(Could not read container env; container may be stopped)\n'));
+  }
+}
+/**
+ * Run docker logs (non-follow): tail N lines or full (tail 0)
+ * @async
+ * @param {string} containerName - Docker container name
+ * @param {Object} options - { tail: number } (0 = full, no limit)
+ * @returns {Promise<void>}
+ */
+async function runDockerLogs(containerName, options) {
+  const args = options.tail === 0 ? ['logs', containerName] : ['logs', '--tail', String(options.tail), containerName];
+  return new Promise((resolve, reject) => {
+    const proc = spawn('docker', args, { stdio: 'inherit' });
+    proc.on('error', reject);
+    proc.on('close', (code) => (code === 0 ? resolve() : reject(new Error(`docker logs exited with ${code}`))));
+  });
+}
+/**
+ * Run docker logs --follow (stream), optionally with tail
+ * @param {string} containerName - Docker container name
+ * @param {number} [tail] - Lines to show (0 = full, omit --tail)
+ */
+function runDockerLogsFollow(containerName, tail) {
+  const args = tail === 0 ? ['logs', '-f', containerName] : ['logs', '-f', '--tail', String(tail), containerName];
+  const proc = spawn('docker', args, { stdio: 'inherit' });
+  proc.on('error', (err) => {
+    logger.log(chalk.red(`Error: ${err.message}`));
+    process.exit(1);
+  });
+  proc.on('close', (code) => {
+    if (code !== 0 && code !== null) process.exit(code);
+  });
+}
+/**
+ * Run app logs command: optional env dump (masked), then docker logs
+ * @async
+ * @param {string} appKey - Application key (app name)
+ * @param {Object} options - CLI options
+ * @param {boolean} [options.follow] - Follow log stream (-f)
+ * @param {number} [options.tail] - Number of lines (default 100; 0 = full list)
+ * @returns {Promise<void>}
+ */
+async function runAppLogs(appKey, options = {}) {
+  validateAppName(appKey);
+  const developerId = await config.getDeveloperId();
+  const containerName = containerHelpers.getContainerName(appKey, developerId);
+  const follow = !!options.follow;
+  const tail = typeof options.tail === 'number' ? options.tail : DEFAULT_TAIL_LINES;
+  logger.log(chalk.blue(`Container: ${containerName}\n`));
+  if (!follow) {
+    await dumpMaskedEnv(containerName);
+  }
+  if (follow) {
+    runDockerLogsFollow(containerName, tail);
+    return;
+  }
+  try {
+    await runDockerLogs(containerName, { tail });
+  } catch (err) {
+    logger.log(chalk.red(`Error: ${err.message}`));
+    throw new Error(`Failed to show logs: ${err.message}`);
+  }
+}
+module.exports = { runAppLogs, maskEnvLine };

package/lib/commands/app.js CHANGED Viewed

@@ -15,6 +15,7 @@ const { listApplications } = require('../app/list');
 const { registerApplication } = require('../app/register');
 const { rotateSecret } = require('../app/rotate-secret');
 const { showApp } = require('../app/show');
+const { runAppDeploymentList } = require('./deployment-list');
 /**
  * Setup application management commands
@@ -73,9 +74,31 @@ function setupAppCommands(program) {
     .command('show <appKey>')
     .description('Show application from controller (online). Same as aifabrix show <appKey> --online')
     .option('--json', 'Output as JSON')
+    .option('--permissions', 'Show only list of permissions')
     .action(async(appKey, options) => {
       try {
-        await showApp(appKey, { online: true, json: !!options.json });
+        await showApp(appKey, { online: true, json: !!options.json, permissions: !!options.permissions });
+      } catch (error) {
+        logger.error(chalk.red(`Error: ${error.message}`));
+        process.exit(1);
+      }
+    });
+  // Deployment list for an application
+  app
+    .command('deployment <appKey>')
+    .description('List last N deployments for an application in current environment (default pageSize=50)')
+    .option('--controller <url>', 'Controller URL (default: from config)')
+    .option('--environment <env>', 'Environment key (default: from config)')
+    .option('--page-size <n>', 'Items per page', '50')
+    .action(async(appKey, options) => {
+      try {
+        const opts = {
+          controller: options.controller,
+          environment: options.environment,
+          pageSize: parseInt(options.pageSize, 10) || 50
+        };
+        await runAppDeploymentList(appKey, opts);
       } catch (error) {
         logger.error(chalk.red(`Error: ${error.message}`));
         process.exit(1);

package/lib/commands/credential-list.js ADDED Viewed

@@ -0,0 +1,104 @@
+/**
+ * Credential list command – list credentials from controller/dataplane
+ * GET /api/v1/credential. Used by `aifabrix credential list`.
+ *
+ * @fileoverview Credential list command implementation
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { resolveControllerUrl } = require('../utils/controller-url');
+const { getOrRefreshDeviceToken } = require('../utils/token-manager');
+const { normalizeControllerUrl } = require('../core/config');
+const { listCredentials } = require('../api/credentials.api');
+const DEFAULT_PAGE_SIZE = 50;
+/**
+ * Get auth token for credential list (device token from config)
+ * @async
+ * @param {string} controllerUrl - Controller base URL
+ * @returns {Promise<{token: string, controllerUrl: string}|null>}
+ */
+async function getCredentialListAuth(controllerUrl) {
+  const normalizedUrl = normalizeControllerUrl(controllerUrl);
+  const deviceToken = await getOrRefreshDeviceToken(normalizedUrl);
+  if (deviceToken && deviceToken.token) {
+    return {
+      token: deviceToken.token,
+      controllerUrl: deviceToken.controller || normalizedUrl
+    };
+  }
+  return null;
+}
+/**
+ * Extract credentials array from API response
+ * @param {Object} response - API response
+ * @returns {Array}
+ */
+function extractCredentials(response) {
+  const data = response?.data ?? response;
+  const items = data?.credentials ?? data?.items ?? (Array.isArray(data) ? data : []);
+  return Array.isArray(items) ? items : [];
+}
+/**
+ * Display credential list to user
+ * @param {Array} list - Credentials array
+ * @param {string} controllerUrl - Controller URL for header
+ */
+function displayCredentialList(list, controllerUrl) {
+  logger.log(chalk.bold(`\n🔐 Credentials (${controllerUrl}):\n`));
+  if (list.length === 0) {
+    logger.log(chalk.gray('  No credentials found.\n'));
+    return;
+  }
+  list.forEach((c) => {
+    const key = c.key ?? c.id ?? c.credentialKey ?? '-';
+    const name = c.displayName ?? c.name ?? key;
+    logger.log(`  ${chalk.cyan(key)} - ${name}`);
+  });
+  logger.log('');
+}
+/**
+ * Run credential list command: call GET /api/v1/credential and display results
+ * @async
+ * @param {Object} options - CLI options
+ * @param {string} [options.controller] - Controller URL override
+ * @param {boolean} [options.activeOnly] - List only active credentials
+ * @param {number} [options.pageSize] - Items per page
+ * @returns {Promise<void>}
+ */
+async function runCredentialList(options = {}) {
+  const controllerUrl = options.controller || (await resolveControllerUrl());
+  if (!controllerUrl) {
+    logger.error(chalk.red('❌ Controller URL is required. Run "aifabrix login" first.'));
+    process.exit(1);
+    return;
+  }
+  const authResult = await getCredentialListAuth(controllerUrl);
+  if (!authResult || !authResult.token) {
+    logger.error(chalk.red(`❌ No authentication token for controller: ${controllerUrl}`));
+    logger.error(chalk.gray('Run: aifabrix login'));
+    process.exit(1);
+    return;
+  }
+  const authConfig = { type: 'bearer', token: authResult.token };
+  const listOptions = {
+    pageSize: options.pageSize || DEFAULT_PAGE_SIZE,
+    activeOnly: options.activeOnly
+  };
+  try {
+    const response = await listCredentials(authResult.controllerUrl, authConfig, listOptions);
+    displayCredentialList(extractCredentials(response), authResult.controllerUrl);
+  } catch (error) {
+    logger.error(chalk.red(`❌ Failed to list credentials: ${error.message}`));
+    process.exit(1);
+  }
+}
+module.exports = { runCredentialList };

package/lib/commands/deployment-list.js ADDED Viewed

@@ -0,0 +1,184 @@
+/**
+ * Deployment list commands – list deployments for environment or for an app
+ * Uses GET .../deployments and GET .../applications/{appKey}/deployments.
+ *
+ * @fileoverview Deployment list command implementation
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { resolveControllerUrl } = require('../utils/controller-url');
+const { resolveEnvironment } = require('../core/config');
+const { getOrRefreshDeviceToken } = require('../utils/token-manager');
+const { listDeployments, listApplicationDeployments } = require('../api/deployments.api');
+const { normalizeControllerUrl } = require('../core/config');
+const DEFAULT_PAGE_SIZE = 50;
+/**
+ * Get auth token for deployment list (device token from config)
+ * @async
+ * @param {string} controllerUrl - Controller base URL
+ * @returns {Promise<{token: string, controllerUrl: string}|null>}
+ */
+async function getDeploymentListAuth(controllerUrl) {
+  const normalizedUrl = normalizeControllerUrl(controllerUrl);
+  const deviceToken = await getOrRefreshDeviceToken(normalizedUrl);
+  if (deviceToken && deviceToken.token) {
+    return {
+      token: deviceToken.token,
+      controllerUrl: deviceToken.controller || normalizedUrl
+    };
+  }
+  return null;
+}
+/**
+ * Extract deployments array from API response
+ * @param {Object} response - API response
+ * @returns {Array}
+ */
+function extractDeployments(response) {
+  const data = response?.data ?? response;
+  const items = data?.items ?? data?.deployments ?? (Array.isArray(data) ? data : []);
+  return Array.isArray(items) ? items : [];
+}
+/**
+ * Display environment deployment list to user
+ * @param {Array} deployments - Deployments array
+ * @param {string} environment - Environment key
+ * @param {string} controllerUrl - Controller URL
+ */
+function displayDeploymentList(deployments, environment, controllerUrl) {
+  logger.log(chalk.bold(`\n📋 Deployments (${environment}) at ${controllerUrl}:\n`));
+  if (deployments.length === 0) {
+    logger.log(chalk.gray('  No deployments found.\n'));
+    return;
+  }
+  deployments.forEach((d) => {
+    const id = d.id ?? d.deploymentId ?? '-';
+    const appKey = d.applicationKey ?? d.appKey ?? d.application?.key ?? '-';
+    const status = d.status ?? '-';
+    const createdAt = d.createdAt ?? d.created ?? '';
+    logger.log(`  ${chalk.cyan(id)} ${appKey} ${status} ${chalk.gray(createdAt)}`);
+  });
+  logger.log('');
+}
+/**
+ * Run deployment list (environment): list last N deployments for current environment
+ * @async
+ * @param {Object} options - CLI options
+ * @param {string} [options.controller] - Controller URL override
+ * @param {string} [options.environment] - Environment key override
+ * @param {number} [options.pageSize] - Items per page (default 50)
+ * @returns {Promise<void>}
+ */
+async function runDeploymentList(options = {}) {
+  const { environment, authResult } = await resolveDeploymentListContext(options);
+  const authConfig = { type: 'bearer', token: authResult.token };
+  const listOptions = { pageSize: options.pageSize || DEFAULT_PAGE_SIZE };
+  try {
+    const response = await listDeployments(
+      authResult.controllerUrl,
+      environment,
+      authConfig,
+      listOptions
+    );
+    displayDeploymentList(extractDeployments(response), environment, authResult.controllerUrl);
+  } catch (error) {
+    logger.error(chalk.red(`❌ Failed to list deployments: ${error.message}`));
+    process.exit(1);
+  }
+}
+/**
+ * Display app deployment list to user
+ * @param {Array} deployments - Deployments array
+ * @param {string} appKey - Application key
+ * @param {string} environment - Environment key
+ * @param {string} controllerUrl - Controller URL
+ */
+function displayAppDeploymentList(deployments, appKey, environment, controllerUrl) {
+  logger.log(chalk.bold(`\n📋 Deployments for ${appKey} (${environment}) at ${controllerUrl}:\n`));
+  if (deployments.length === 0) {
+    logger.log(chalk.gray('  No deployments found for this application.\n'));
+    return;
+  }
+  deployments.forEach((d) => {
+    const id = d.id ?? d.deploymentId ?? '-';
+    const status = d.status ?? '-';
+    const createdAt = d.createdAt ?? d.created ?? '';
+    logger.log(`  ${chalk.cyan(id)} ${status} ${chalk.gray(createdAt)}`);
+  });
+  logger.log('');
+}
+/**
+ * Resolve controller URL, environment, and auth for deployment list commands
+ * @async
+ * @param {Object} options - Options with optional controller, environment
+ * @returns {Promise<{controllerUrl: string, environment: string, authResult: Object}>}
+ */
+async function resolveDeploymentListContext(options) {
+  const controllerUrl = options.controller || (await resolveControllerUrl());
+  if (!controllerUrl) {
+    logger.error(chalk.red('❌ Controller URL is required. Run "aifabrix login" first.'));
+    process.exit(1);
+  }
+  const environment = options.environment || (await resolveEnvironment());
+  const authResult = await getDeploymentListAuth(controllerUrl);
+  if (!authResult || !authResult.token) {
+    logger.error(chalk.red(`❌ No authentication token for controller: ${controllerUrl}`));
+    logger.error(chalk.gray('Run: aifabrix login'));
+    process.exit(1);
+  }
+  return { controllerUrl, environment, authResult };
+}
+/**
+ * Run app deployment list: list last N deployments for an application
+ * @async
+ * @param {string} appKey - Application key
+ * @param {Object} options - CLI options
+ * @param {string} [options.controller] - Controller URL override
+ * @param {string} [options.environment] - Environment key override
+ * @param {number} [options.pageSize] - Items per page (default 50)
+ * @returns {Promise<void>}
+ */
+async function runAppDeploymentList(appKey, options = {}) {
+  if (!appKey || typeof appKey !== 'string') {
+    logger.error(chalk.red('❌ Application key is required.'));
+    process.exit(1);
+    return;
+  }
+  const { environment, authResult } = await resolveDeploymentListContext(options);
+  const authConfig = { type: 'bearer', token: authResult.token };
+  const listOptions = { pageSize: options.pageSize || DEFAULT_PAGE_SIZE };
+  try {
+    const response = await listApplicationDeployments(
+      authResult.controllerUrl,
+      environment,
+      appKey,
+      authConfig,
+      listOptions
+    );
+    displayAppDeploymentList(
+      extractDeployments(response),
+      appKey,
+      environment,
+      authResult.controllerUrl
+    );
+  } catch (error) {
+    logger.error(chalk.red(`❌ Failed to list deployments for ${appKey}: ${error.message}`));
+    process.exit(1);
+  }
+}
+module.exports = {
+  runDeploymentList,
+  runAppDeploymentList
+};

package/lib/commands/service-user.js ADDED Viewed

@@ -0,0 +1,193 @@
+/**
+ * Service user create command – create service user and get one-time secret
+ * POST /api/v1/service-users. Used by `aifabrix service-user create`.
+ *
+ * @fileoverview Service user create command implementation
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { resolveControllerUrl } = require('../utils/controller-url');
+const { getOrRefreshDeviceToken } = require('../utils/token-manager');
+const { normalizeControllerUrl } = require('../core/config');
+const { createServiceUser } = require('../api/service-users.api');
+const ONE_TIME_WARNING =
+  'Save this secret now; it will not be shown again.';
+/**
+ * Get auth token for service-user (device token from config)
+ * @async
+ * @param {string} controllerUrl - Controller base URL
+ * @returns {Promise<{token: string, controllerUrl: string}|null>}
+ */
+async function getServiceUserAuth(controllerUrl) {
+  const normalizedUrl = normalizeControllerUrl(controllerUrl);
+  const deviceToken = await getOrRefreshDeviceToken(normalizedUrl);
+  if (deviceToken && deviceToken.token) {
+    return {
+      token: deviceToken.token,
+      controllerUrl: deviceToken.controller || normalizedUrl
+    };
+  }
+  return null;
+}
+/**
+ * Extract clientId and clientSecret from API response (response may be wrapped in data)
+ * @param {Object} response - API response
+ * @returns {{ clientId: string, clientSecret: string }}
+ */
+function extractCreateResponse(response) {
+  const data = response?.data ?? response;
+  return {
+    clientId: data?.clientId ?? '',
+    clientSecret: data?.clientSecret ?? ''
+  };
+}
+/**
+ * Log error for failed create response and exit
+ * @param {Object} response - API response with success: false
+ */
+function handleCreateError(response) {
+  const status = response.status;
+  const msg = response.formattedError || response.error || 'Request failed';
+  if (status === 400) {
+    logger.error(chalk.red(`❌ Validation error: ${msg}`));
+  } else if (status === 401) {
+    logger.error(chalk.red('❌ Unauthorized. Run "aifabrix login" and try again.'));
+  } else if (status === 403) {
+    logger.error(chalk.red('❌ Missing permission: service-user:create'));
+    logger.error(chalk.gray('Your account needs the service-user:create permission on the controller.'));
+  } else {
+    logger.error(chalk.red(`❌ Failed to create service user: ${msg}`));
+  }
+  process.exit(1);
+}
+/**
+ * Display success output with clientId, clientSecret and one-time warning
+ * @param {string} clientId - Service user client ID
+ * @param {string} clientSecret - One-time client secret
+ */
+function displayCreateSuccess(clientId, clientSecret) {
+  logger.log(chalk.bold('\n✓ Service user created\n'));
+  logger.log(chalk.cyan('  clientId:    ') + clientId);
+  logger.log(chalk.cyan('  clientSecret: ') + clientSecret);
+  logger.log('');
+  logger.log(chalk.yellow('⚠ ' + ONE_TIME_WARNING));
+  logger.log('');
+}
+/**
+ * Parse comma-separated string into non-empty trimmed array
+ * @param {string} [val] - Comma-separated value
+ * @returns {string[]}
+ */
+function parseList(val) {
+  if (val === undefined || val === null || String(val).trim() === '') {
+    return [];
+  }
+  return String(val)
+    .split(',')
+    .map(s => s.trim())
+    .filter(Boolean);
+}
+/**
+ * Validate username, email, redirectUris, groupIds; exit on failure
+ * @param {Object} options - CLI options
+ * @returns {{ username: string, email: string, redirectUris: string[], groupNames: string[], description?: string }}
+ */
+function validateServiceUserOptions(options) {
+  const username = options.username?.trim();
+  const email = options.email?.trim();
+  const redirectUris = parseList(options.redirectUris);
+  const groupNames = parseList(options.groupNames);
+  if (!username) {
+    logger.error(chalk.red('❌ Username is required. Use --username <username>.'));
+    process.exit(1);
+  }
+  if (!email) {
+    logger.error(chalk.red('❌ Email is required. Use --email <email>.'));
+    process.exit(1);
+  }
+  if (redirectUris.length === 0) {
+    logger.error(chalk.red('❌ At least one redirect URI is required. Use --redirect-uris <uri1,uri2,...>.'));
+    process.exit(1);
+  }
+  if (groupNames.length === 0) {
+    logger.error(chalk.red('❌ At least one group name is required. Use --group-names <name1,name2,...>.'));
+    process.exit(1);
+  }
+  return {
+    username,
+    email,
+    redirectUris,
+    groupNames,
+    description: options.description?.trim() || undefined
+  };
+}
+/**
+ * Resolve controller URL and auth; exit on failure
+ * @async
+ * @param {Object} options - CLI options
+ * @returns {Promise<{ username: string, email: string, redirectUris: string[], groupNames: string[], description?: string, controllerUrl: string, authConfig: Object }>}
+ */
+async function resolveOptionsAndAuth(options) {
+  const validated = validateServiceUserOptions(options);
+  const controllerUrl = options.controller || (await resolveControllerUrl());
+  if (!controllerUrl) {
+    logger.error(chalk.red('❌ Controller URL is required. Run "aifabrix login" first.'));
+    process.exit(1);
+  }
+  const authResult = await getServiceUserAuth(controllerUrl);
+  if (!authResult || !authResult.token) {
+    logger.error(chalk.red(`❌ No authentication token for controller: ${controllerUrl}`));
+    logger.error(chalk.gray('Run: aifabrix login'));
+    process.exit(1);
+  }
+  return {
+    ...validated,
+    controllerUrl: authResult.controllerUrl,
+    authConfig: { type: 'bearer', token: authResult.token }
+  };
+}
+/**
+ * Run service-user create: call POST /api/v1/service-users and display one-time secret with warning
+ * @async
+ * @param {Object} options - CLI options
+ * @param {string} [options.controller] - Controller URL override
+ * @param {string} options.username - Username (required)
+ * @param {string} options.email - Email (required)
+ * @param {string} options.redirectUris - Comma-separated redirect URIs (required, min 1)
+ * @param {string} options.groupNames - Comma-separated group names (required, e.g. AI-Fabrix-Developers)
+ * @param {string} [options.description] - Optional description
+ * @returns {Promise<void>}
+ */
+async function runServiceUserCreate(options = {}) {
+  const ctx = await resolveOptionsAndAuth(options);
+  const body = {
+    username: ctx.username,
+    email: ctx.email,
+    redirectUris: ctx.redirectUris,
+    groupNames: ctx.groupNames,
+    description: ctx.description
+  };
+  const response = await createServiceUser(ctx.controllerUrl, ctx.authConfig, body);
+  if (!response.success) {
+    handleCreateError(response);
+    return;
+  }
+  const { clientId, clientSecret } = extractCreateResponse(response);
+  displayCreateSuccess(clientId, clientSecret);
+}
+module.exports = {
+  runServiceUserCreate
+};