@aifabrix/builder 2.40.0 → 2.41.0

package/lib/utils/credential-secrets-env.js

@@ -0,0 +1,267 @@
+/**
+ * Collect KV_* env vars as secret store items and push to dataplane.
+ * Reads integration .env, resolves kv:// in values, scans payload for kv:// refs,
+ * and pushes plain values to POST /api/v1/credential/secret.
+ *
+ * @fileoverview Credential secrets push from .env and payload (Dataplane)
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const fs = require('fs');
+const { loadSecrets } = require('../core/secrets');
+const { storeCredentialSecrets } = require('../api/credential.api');
+
+const KV_PREFIX = 'KV_';
+const KV_REF_PATTERN = /kv:\/\/([a-zA-Z0-9_\-/]+)/g;
+
+/**
+ * Converts KV_* env key to kv:// path (e.g. KV_SECRETS_FOO → kv://secrets/foo).
+ * @param {string} envKey - Env var name (e.g. KV_SECRETS_CLIENT_SECRET)
+ * @returns {string|null} kv:// path or null if invalid
+ */
+function kvEnvKeyToPath(envKey) {
+  if (!envKey || typeof envKey !== 'string' || !envKey.toUpperCase().startsWith(KV_PREFIX)) {
+    return null;
+  }
+  const rest = envKey.slice(KV_PREFIX.length);
+  if (!rest) return null;
+  const segments = rest.split('_').filter(Boolean);
+  const pathPart = segments.map(s => s.toLowerCase()).join('/');
+  return pathPart ? `kv://${pathPart}` : null;
+}
+
+/**
+ * Collects KV_* entries from env map as secret items (key = kv path, value = raw).
+ * Does not resolve values; empty values are skipped.
+ *
+ * @param {Object.<string, string>} envMap - Key-value map from .env
+ * @returns {Array<{ key: string, value: string }>} Items (key = kv://..., value = raw)
+ */
+function collectKvEnvVarsAsSecretItems(envMap) {
+  if (!envMap || typeof envMap !== 'object') {
+    return [];
+  }
+  const items = [];
+  for (const [envKey, rawValue] of Object.entries(envMap)) {
+    const value = typeof rawValue === 'string' ? rawValue.trim() : '';
+    if (value === '') continue;
+    const kvPath = kvEnvKeyToPath(envKey);
+    if (!kvPath) continue;
+    items.push({ key: kvPath, value });
+  }
+  return items;
+}
+
+/**
+ * Resolves a single value if it is a kv:// reference using secrets map.
+ * Supports path-style keys (e.g. secrets/foo) and hyphen-style (secrets-foo).
+ *
+ * @param {Object} secrets - Loaded secrets object
+ * @param {string} value - Value (may be "kv://..." or plain)
+ * @returns {string|null} Resolved plain value or null if unresolved
+ */
+function resolveKvValue(secrets, value) {
+  if (typeof value !== 'string') return null;
+  const trimmed = value.trim();
+  if (!trimmed.startsWith('kv://')) {
+    return trimmed;
+  }
+  const pathMatch = trimmed.match(/^kv:\/\/([a-zA-Z0-9_\-/]+)$/);
+  if (!pathMatch) return null;
+  const pathKey = pathMatch[1];
+  let resolved = secrets[pathKey];
+  if (resolved === undefined && pathKey.includes('/')) {
+    resolved = secrets[pathKey.replace(/\//g, '-')];
+  }
+  if (resolved === undefined) return null;
+  return typeof resolved === 'string' ? resolved : String(resolved);
+}
+
+/**
+ * Recursively collects all kv:// references from a JSON-serializable payload.
+ *
+ * @param {Object|Array|string|number|boolean|null} obj - Upload payload (application + dataSources)
+ * @param {Set<string>} [acc] - Accumulator set (internal)
+ * @returns {string[]} Unique kv:// refs (e.g. ["kv://secrets/foo"])
+ */
+function collectKvRefsFromPayload(obj, acc = new Set()) {
+  if (obj === null || obj === undefined) {
+    return Array.from(acc);
+  }
+  if (typeof obj === 'string') {
+    let m;
+    KV_REF_PATTERN.lastIndex = 0;
+    while ((m = KV_REF_PATTERN.exec(obj)) !== null) {
+      acc.add(`kv://${m[1]}`);
+    }
+    return Array.from(acc);
+  }
+  if (Array.isArray(obj)) {
+    for (const item of obj) {
+      collectKvRefsFromPayload(item, acc);
+    }
+    return Array.from(acc);
+  }
+  if (typeof obj === 'object') {
+    for (const v of Object.values(obj)) {
+      collectKvRefsFromPayload(v, acc);
+    }
+    return Array.from(acc);
+  }
+  return Array.from(acc);
+}
+
+/**
+ * Validates that key is a well-formed kv path (kv:// with alphanumeric/hyphen/slash segments).
+ *
+ * @param {string} key - kv:// path
+ * @returns {boolean}
+ */
+function isValidKvPath(key) {
+  return typeof key === 'string' && /^kv:\/\/[a-z0-9][a-z0-9\-/]*$/i.test(key.trim());
+}
+
+/**
+ * Builds secret items from .env file (KV_* vars, values resolved).
+ * @param {string} envFilePath - Path to .env
+ * @param {Object} secrets - Loaded secrets
+ * @param {Map<string, string>} itemsByKey - Mutable map to add items to
+ */
+function buildItemsFromEnv(envFilePath, secrets, itemsByKey) {
+  if (!envFilePath || typeof envFilePath !== 'string' || !fs.existsSync(envFilePath)) return;
+  try {
+    const content = fs.readFileSync(envFilePath, 'utf8');
+    const envMap = parseEnvToMap(content);
+    const fromEnv = collectKvEnvVarsAsSecretItems(envMap);
+    for (const { key, value } of fromEnv) {
+      const resolved = resolveKvValue(secrets, value);
+      if (resolved !== null && resolved !== undefined && isValidKvPath(key)) itemsByKey.set(key, resolved);
+    }
+  } catch {
+    // Best-effort: continue without .env items
+  }
+}
+
+/**
+ * Builds secret items from payload kv:// refs not already in itemsByKey.
+ * @param {Object} payload - Upload payload
+ * @param {Object} secrets - Loaded secrets
+ * @param {Map<string, string>} itemsByKey - Mutable map to add items to
+ */
+function buildItemsFromPayload(payload, secrets, itemsByKey) {
+  if (!payload || typeof payload !== 'object') return;
+  const refs = collectKvRefsFromPayload(payload);
+  const existingKeys = new Set(itemsByKey.keys());
+  for (const ref of refs) {
+    if (existingKeys.has(ref)) continue;
+    const pathKey = ref.replace(/^kv:\/\//, '');
+    let resolved = secrets[pathKey];
+    if (resolved === undefined && pathKey.includes('/')) {
+      resolved = secrets[pathKey.replace(/\//g, '-')];
+    }
+    if (resolved !== null && resolved !== undefined && isValidKvPath(ref)) {
+      itemsByKey.set(ref, typeof resolved === 'string' ? resolved : String(resolved));
+    }
+  }
+}
+
+/**
+ * Derives stored count from API response.
+ * @param {Object} res - Response from storeCredentialSecrets
+ * @param {number} fallback - Fallback when stored not in response
+ * @returns {number}
+ */
+function storedCountFromResponse(res, fallback) {
+  if (res && typeof res.stored === 'number') return res.stored;
+  if (res && res.data && res.data.stored !== undefined && res.data.stored !== null) return res.data.stored;
+  return fallback;
+}
+
+/**
+ * Sends items to dataplane credential API; returns pushed count or warning.
+ * @param {string} dataplaneUrl - Dataplane URL
+ * @param {Object} authConfig - Auth config
+ * @param {Array<{ key: string, value: string }>} items - Items to send
+ * @returns {Promise<{ pushed: number, warning?: string }>}
+ */
+async function sendCredentialSecrets(dataplaneUrl, authConfig, items) {
+  try {
+    const res = await storeCredentialSecrets(dataplaneUrl, authConfig, items);
+    if (res && res.success === false) {
+      const status = res.status ?? res.statusCode;
+      if (status === 403 || status === 401) {
+        return { pushed: 0, warning: 'Could not push credential secrets (permission denied or unauthenticated). Ensure dataplane role has credential:create if you use KV_* in .env.' };
+      }
+      return { pushed: 0, warning: res.formattedError || res.error || 'Failed to push credential secrets to dataplane.' };
+    }
+    return { pushed: storedCountFromResponse(res, items.length) };
+  } catch (err) {
+    return { pushed: 0, warning: err.message || 'Failed to push credential secrets to dataplane.' };
+  }
+}
+
+/**
+ * Pushes credential secrets to dataplane: from .env (KV_*) and from payload kv:// refs.
+ * Resolves all kv:// in values via loadSecrets; sends only plain values. Best-effort:
+ * on 403/401 logs warning and returns; never logs secret values.
+ *
+ * @param {string} dataplaneUrl - Dataplane base URL
+ * @param {Object} authConfig - Auth config (Bearer)
+ * @param {Object} options - Options
+ * @param {string} [options.envFilePath] - Path to .env (integration/<systemKey>/.env)
+ * @param {string} [options.appName] - App/system name for loadSecrets context
+ * @param {Object} [options.payload] - Upload payload { application, dataSources } for kv scan
+ * @returns {Promise<{ pushed: number, warning?: string }>} Count pushed and optional warning
+ */
+async function pushCredentialSecrets(dataplaneUrl, authConfig, options = {}) {
+  const { envFilePath, appName, payload } = options;
+  let secrets;
+  try {
+    secrets = await loadSecrets(undefined, appName);
+  } catch {
+    secrets = {};
+  }
+  const itemsByKey = new Map();
+  buildItemsFromEnv(envFilePath, secrets, itemsByKey);
+  buildItemsFromPayload(payload, secrets, itemsByKey);
+
+  const items = Array.from(itemsByKey.entries())
+    .filter(([k]) => isValidKvPath(k))
+    .map(([key, value]) => ({ key, value }));
+
+  if (items.length === 0) return { pushed: 0 };
+  return sendCredentialSecrets(dataplaneUrl, authConfig, items);
+}
+
+/**
+ * Parses .env-style content into key-value map (first = separates key and value).
+ *
+ * @param {string} content - Raw .env content
+ * @returns {Object.<string, string>}
+ */
+function parseEnvToMap(content) {
+  if (!content || typeof content !== 'string') return {};
+  const map = {};
+  const lines = content.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eq = trimmed.indexOf('=');
+    if (eq > 0) {
+      const key = trimmed.substring(0, eq).trim();
+      const value = trimmed.substring(eq + 1);
+      map[key] = value;
+    }
+  }
+  return map;
+}
+
+module.exports = {
+  collectKvEnvVarsAsSecretItems,
+  collectKvRefsFromPayload,
+  pushCredentialSecrets,
+  kvEnvKeyToPath,
+  isValidKvPath,
+  resolveKvValue
+};

package/lib/utils/dev-cert-helper.js

@@ -0,0 +1,122 @@
+/**
+ * @fileoverview Helper for generating CSR and saving dev certificates (Builder Server onboarding)
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+const os = require('os');
+
+/**
+ * Generate a key pair and CSR for developer certificate. Uses OpenSSL when available.
+ * CN in CSR is set to dev-<developerId> per Builder Server convention.
+ * @param {string} developerId - Developer ID (e.g. "01")
+ * @returns {{ csrPem: string, keyPem: string }} PEM-encoded CSR and private key
+ * @throws {Error} If OpenSSL is not available or generation fails
+ */
+function generateCSR(developerId) {
+  if (!developerId || typeof developerId !== 'string') {
+    throw new Error('developerId is required and must be a string');
+  }
+  const cn = `dev-${developerId}`;
+  const tmpDir = path.join(os.tmpdir(), `aifabrix-csr-${Date.now()}`);
+  fs.mkdirSync(tmpDir, { recursive: true });
+  const keyPath = path.join(tmpDir, 'key.pem');
+  const csrPath = path.join(tmpDir, 'csr.pem');
+  try {
+    execSync(
+      `openssl req -new -newkey rsa:2048 -keyout "${keyPath}" -nodes -subj "/CN=${cn}" -out "${csrPath}"`,
+      { stdio: 'pipe', encoding: 'utf8' }
+    );
+    const keyPem = fs.readFileSync(keyPath, 'utf8');
+    const csrPem = fs.readFileSync(csrPath, 'utf8');
+    return { csrPem, keyPem };
+  } catch (err) {
+    if (err.message && (err.message.includes('openssl') || err.message.includes('ENOENT'))) {
+      throw new Error(
+        'OpenSSL is required for certificate generation. Install OpenSSL and ensure it is on PATH, or use a system that provides it (e.g. Git for Windows).'
+      );
+    }
+    throw new Error(`CSR generation failed: ${err.message}`);
+  } finally {
+    try {
+      fs.unlinkSync(keyPath);
+      fs.unlinkSync(csrPath);
+      fs.rmdirSync(tmpDir);
+    } catch {
+      // ignore cleanup errors
+    }
+  }
+}
+
+/**
+ * Return path to the directory where dev certificates are stored for a developer.
+ * @param {string} configDir - Config directory (e.g. from getConfigDirForPaths())
+ * @param {string} developerId - Developer ID
+ * @returns {string} Absolute path to certs/<developerId>/
+ */
+function getCertDir(configDir, developerId) {
+  return path.join(configDir, 'certs', developerId);
+}
+
+/**
+ * Read client certificate PEM from cert dir (cert.pem).
+ * @param {string} certDir - Directory containing cert.pem
+ * @returns {string|null} PEM content or null if not found
+ */
+function readClientCertPem(certDir) {
+  const certPath = path.join(certDir, 'cert.pem');
+  try {
+    return fs.readFileSync(certPath, 'utf8');
+  } catch (e) {
+    if (e.code === 'ENOENT') return null;
+    throw e;
+  }
+}
+
+/**
+ * Read client private key PEM from cert dir (key.pem). Used for mTLS (e.g. getSettings).
+ * @param {string} certDir - Directory containing key.pem
+ * @returns {string|null} PEM content or null if not found
+ */
+function readClientKeyPem(certDir) {
+  const keyPath = path.join(certDir, 'key.pem');
+  try {
+    return fs.readFileSync(keyPath, 'utf8');
+  } catch (e) {
+    if (e.code === 'ENOENT') return null;
+    throw e;
+  }
+}
+
+/**
+ * Get certificate validity end (notAfter) from cert.pem in certDir using OpenSSL.
+ * @param {string} certDir - Directory containing cert.pem
+ * @returns {Date|null} Expiry date or null if cert missing/invalid or OpenSSL fails
+ */
+function getCertValidNotAfter(certDir) {
+  const certPath = path.join(certDir, 'cert.pem');
+  try {
+    if (!fs.existsSync(certPath)) return null;
+    const out = execSync(
+      `openssl x509 -enddate -noout -in "${certPath}"`,
+      { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] }
+    );
+    const match = out.match(/notAfter=(.+)/);
+    if (!match) return null;
+    const date = new Date(match[1].trim());
+    return isNaN(date.getTime()) ? null : date;
+  } catch {
+    return null;
+  }
+}
+
+module.exports = {
+  generateCSR,
+  getCertDir,
+  readClientCertPem,
+  readClientKeyPem,
+  getCertValidNotAfter
+};

package/lib/utils/device-code-helpers.js

@@ -0,0 +1,224 @@
+/**
+ * Device code flow parsing, error handling, and polling helpers.
+ * Used by device-code.js; not part of the public API.
+ *
+ * @fileoverview Helpers for device code flow (RFC 8628)
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+/**
+ * Parses device code response from API
+ * @param {Object} response - API response object
+ * @returns {Object} Parsed device code response
+ */
+function parseDeviceCodeResponse(response) {
+  const apiResponse = response.data;
+  const responseData = apiResponse.data || apiResponse;
+  const deviceCode = responseData.deviceCode;
+  const userCode = responseData.userCode;
+  const verificationUri = responseData.verificationUri;
+  const expiresIn = responseData.expiresIn || 600;
+  const interval = responseData.interval || 5;
+
+  if (!deviceCode || !userCode || !verificationUri) {
+    throw new Error('Invalid device code response: missing required fields');
+  }
+
+  return {
+    device_code: deviceCode,
+    user_code: userCode,
+    verification_uri: verificationUri,
+    expires_in: expiresIn,
+    interval: interval
+  };
+}
+
+/**
+ * Parses token response from API
+ * @param {Object} response - API response object
+ * @returns {Object|null} Parsed token response or null if pending
+ */
+function parseTokenResponse(response) {
+  const apiResponse = response.data;
+  const responseData = apiResponse.data || apiResponse;
+  const error = responseData.error || apiResponse.error;
+  if (error === 'authorization_pending' || error === 'slow_down') {
+    return null;
+  }
+
+  const accessToken = responseData.accessToken;
+  const refreshToken = responseData.refreshToken;
+  const expiresIn = responseData.expiresIn || 3600;
+
+  if (!accessToken) {
+    throw new Error('Invalid token response: missing accessToken');
+  }
+
+  return {
+    access_token: accessToken,
+    refresh_token: refreshToken,
+    expires_in: expiresIn
+  };
+}
+
+/**
+ * Checks if token has expired based on elapsed time
+ * @param {number} startTime - Start time in milliseconds
+ * @param {number} expiresIn - Expiration time in seconds
+ */
+function checkTokenExpiration(startTime, expiresIn) {
+  const maxWaitTime = (expiresIn + 30) * 1000;
+  if (Date.now() - startTime > maxWaitTime) {
+    throw new Error('Device code expired: Maximum polling time exceeded');
+  }
+}
+
+function attachFormattedError(validationError, response) {
+  if (response && response.formattedError) {
+    validationError.formattedError = response.formattedError;
+    validationError.message = `Token polling failed:\n${response.formattedError}`;
+  }
+}
+
+function buildDetailedErrorMessage(errorData) {
+  const detail = errorData.detail || errorData.title || errorData.message || 'Validation error';
+  let errorMsg = `Token polling failed: ${detail}`;
+  if (errorData.errors && Array.isArray(errorData.errors) && errorData.errors.length > 0) {
+    errorMsg += '\n\nValidation errors:';
+    errorData.errors.forEach(err => {
+      const field = err.field || err.path || 'validation';
+      const message = err.message || 'Invalid value';
+      errorMsg += (field === 'validation' || field === 'unknown')
+        ? `\n  • ${message}` : `\n  • ${field}: ${message}`;
+    });
+  }
+  return errorMsg;
+}
+
+function attachErrorData(validationError, response) {
+  if (response && response.errorData) {
+    validationError.errorData = response.errorData;
+    validationError.errorType = response.errorType || 'validation';
+    if (!validationError.formattedError) {
+      validationError.message = buildDetailedErrorMessage(response.errorData);
+    }
+  }
+}
+
+function createValidationError(response) {
+  const validationError = new Error('Token polling failed: Validation error');
+  attachFormattedError(validationError, response);
+  attachErrorData(validationError, response);
+  return validationError;
+}
+
+/**
+ * Handles polling errors; throws for fatal errors, returns true to continue polling.
+ * @param {string} error - Error code
+ * @param {number} status - HTTP status code
+ * @param {Object} response - Full API response object
+ * @returns {boolean} True if should continue polling
+ */
+function handlePollingErrors(error, status, response) {
+  if (error === 'authorization_pending' || status === 202) {
+    return true;
+  }
+  if (error === 'authorization_declined') {
+    throw new Error('Authorization declined: User denied the request');
+  }
+  if (error === 'expired_token' || status === 410) {
+    throw new Error('Device code expired: Please restart the authentication process');
+  }
+  if (error === 'slow_down') {
+    return true;
+  }
+  if (error === 'validation_error' || status === 400 ||
+      error === 'INVALID_TOKEN' || error === 'INVALID_ACCESS_TOKEN') {
+    throw createValidationError(response);
+  }
+  throw new Error(`Token polling failed: ${error}`);
+}
+
+async function waitForNextPoll(interval, slowDown) {
+  const waitInterval = slowDown ? interval * 2 : interval;
+  await new Promise(resolve => setTimeout(resolve, waitInterval * 1000));
+}
+
+function isValidationErrorCode(errorCode) {
+  return errorCode === 'INVALID_TOKEN' || errorCode === 'INVALID_ACCESS_TOKEN';
+}
+
+function extractStructuredError(response) {
+  if (response.errorType === 'validation') {
+    return 'validation_error';
+  }
+  const errorData = response.errorData;
+  const errorCode = errorData.error || errorData.code || response.error;
+  if (isValidationErrorCode(errorCode)) {
+    return 'validation_error';
+  }
+  return errorData.detail || errorData.title || errorData.message || errorCode || response.error || 'Unknown error';
+}
+
+function extractFallbackError(response) {
+  const apiResponse = response.data || {};
+  const errorData = typeof apiResponse === 'object' ? apiResponse : {};
+  const errorCode = errorData.error || response.error || 'Unknown error';
+  if (isValidationErrorCode(errorCode)) {
+    return 'validation_error';
+  }
+  return errorCode;
+}
+
+function extractPollingError(response) {
+  if (response.errorData) {
+    return extractStructuredError(response);
+  }
+  return extractFallbackError(response);
+}
+
+function handleSuccessfulPoll(response) {
+  const tokenResponse = parseTokenResponse(response);
+  return tokenResponse || null;
+}
+
+/**
+ * Processes polling response and determines next action.
+ * @param {Object} response - API response object
+ * @param {number} interval - Polling interval in seconds
+ * @returns {Promise<Object|null>} Token response if complete, null if should continue
+ */
+async function processPollingResponse(response, interval) {
+  if (response.success) {
+    const apiResponse = response.data || {};
+    const responseData = apiResponse.data || apiResponse;
+    const errorCode = responseData.error || apiResponse.error || response.error;
+    if (errorCode && (errorCode === 'INVALID_TOKEN' || errorCode === 'INVALID_ACCESS_TOKEN')) {
+      throw createValidationError(response);
+    }
+    const tokenResponse = handleSuccessfulPoll(response);
+    if (tokenResponse) {
+      return tokenResponse;
+    }
+    const error = errorCode;
+    const slowDown = error === 'slow_down';
+    await waitForNextPoll(interval, slowDown);
+    return null;
+  }
+
+  const error = extractPollingError(response);
+  const shouldContinue = handlePollingErrors(error, response.status, response);
+  if (shouldContinue) {
+    await waitForNextPoll(interval, error === 'slow_down');
+    return null;
+  }
+  return null;
+}
+
+module.exports = {
+  parseDeviceCodeResponse,
+  parseTokenResponse,
+  checkTokenExpiration,
+  processPollingResponse
+};