npm - @aifabrix/builder - Versions diffs - 2.40.2 → 2.41.0 - Mend

@aifabrix/builder 2.40.2 → 2.41.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/README.md +6 -4
package/integration/hubspot/test.js +1 -1
package/lib/api/credential.api.js +40 -0
package/lib/api/dev.api.js +423 -0
package/lib/api/types/credential.types.js +23 -0
package/lib/api/types/dev.types.js +140 -0
package/lib/app/config.js +21 -0
package/lib/app/down.js +2 -1
package/lib/app/index.js +9 -0
package/lib/app/push.js +36 -12
package/lib/app/readme.js +1 -3
package/lib/app/run-env-compose.js +201 -0
package/lib/app/run-helpers.js +121 -118
package/lib/app/run.js +148 -28
package/lib/app/show.js +5 -2
package/lib/build/index.js +11 -3
package/lib/cli/setup-app.js +140 -14
package/lib/cli/setup-dev.js +180 -17
package/lib/cli/setup-environment.js +4 -2
package/lib/cli/setup-external-system.js +71 -21
package/lib/cli/setup-infra.js +29 -2
package/lib/cli/setup-secrets.js +52 -5
package/lib/cli/setup-utility.js +12 -3
package/lib/commands/app-install.js +172 -0
package/lib/commands/app-shell.js +75 -0
package/lib/commands/app-test.js +282 -0
package/lib/commands/app.js +1 -1
package/lib/commands/dev-cli-handlers.js +141 -0
package/lib/commands/dev-down.js +114 -0
package/lib/commands/dev-init.js +309 -0
package/lib/commands/secrets-list.js +118 -0
package/lib/commands/secrets-remove.js +97 -0
package/lib/commands/secrets-set.js +30 -17
package/lib/commands/secrets-validate.js +50 -0
package/lib/commands/up-dataplane.js +2 -2
package/lib/commands/up-miso.js +0 -25
package/lib/commands/upload.js +26 -1
package/lib/core/admin-secrets.js +96 -0
package/lib/core/secrets-ensure.js +378 -0
package/lib/core/secrets-env-write.js +157 -0
package/lib/core/secrets.js +147 -81
package/lib/datasource/field-reference-validator.js +91 -0
package/lib/datasource/validate.js +21 -3
package/lib/deployment/environment-config.js +137 -0
package/lib/deployment/environment.js +21 -98
package/lib/deployment/push.js +32 -2
package/lib/external-system/download.js +7 -0
package/lib/external-system/test-auth.js +7 -3
package/lib/external-system/test.js +5 -1
package/lib/generator/index.js +174 -25
package/lib/generator/wizard.js +8 -0
package/lib/infrastructure/helpers.js +103 -20
package/lib/infrastructure/index.js +88 -10
package/lib/infrastructure/services.js +70 -15
package/lib/schema/application-schema.json +24 -3
package/lib/schema/external-system.schema.json +435 -413
package/lib/utils/api.js +3 -3
package/lib/utils/app-register-auth.js +25 -3
package/lib/utils/cli-utils.js +20 -0
package/lib/utils/compose-generator.js +76 -75
package/lib/utils/compose-handlebars-helpers.js +43 -0
package/lib/utils/compose-vector-helper.js +18 -0
package/lib/utils/config-paths.js +127 -2
package/lib/utils/credential-secrets-env.js +267 -0
package/lib/utils/dev-cert-helper.js +122 -0
package/lib/utils/device-code-helpers.js +224 -0
package/lib/utils/device-code.js +37 -336
package/lib/utils/docker-build.js +40 -8
package/lib/utils/env-copy.js +83 -13
package/lib/utils/env-map.js +35 -5
package/lib/utils/env-template.js +6 -5
package/lib/utils/error-formatters/http-status-errors.js +20 -1
package/lib/utils/help-builder.js +15 -2
package/lib/utils/infra-status.js +30 -1
package/lib/utils/local-secrets.js +7 -52
package/lib/utils/mutagen-install.js +195 -0
package/lib/utils/mutagen.js +146 -0
package/lib/utils/paths.js +43 -33
package/lib/utils/port-resolver.js +28 -16
package/lib/utils/remote-dev-auth.js +38 -0
package/lib/utils/remote-docker-env.js +43 -0
package/lib/utils/remote-secrets-loader.js +60 -0
package/lib/utils/secrets-generator.js +94 -6
package/lib/utils/secrets-helpers.js +33 -25
package/lib/utils/secrets-path.js +2 -2
package/lib/utils/secrets-utils.js +52 -1
package/lib/utils/secrets-validation.js +84 -0
package/lib/utils/ssh-key-helper.js +116 -0
package/lib/utils/token-manager-messages.js +90 -0
package/lib/utils/token-manager.js +5 -4
package/lib/utils/variable-transformer.js +3 -3
package/lib/validation/validator.js +65 -0
package/package.json +2 -2
package/scripts/install-local.js +34 -15
package/templates/README.md +0 -1
package/templates/applications/README.md.hbs +4 -4
package/templates/applications/dataplane/application.yaml +5 -4
package/templates/applications/dataplane/env.template +12 -7
package/templates/applications/keycloak/env.template +2 -0
package/templates/applications/miso-controller/application.yaml +1 -0
package/templates/applications/miso-controller/env.template +11 -9
package/templates/python/docker-compose.hbs +49 -23
package/templates/typescript/docker-compose.hbs +48 -22

package/lib/commands/secrets-remove.js ADDED Viewed

@@ -0,0 +1,97 @@
+/**
+ * @fileoverview aifabrix secret remove – remove a secret (user file, shared file, or remote API)
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+const path = require('path');
+const fs = require('fs');
+const yaml = require('js-yaml');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { getAifabrixSecretsPath } = require('../core/config');
+const pathsUtil = require('../utils/paths');
+const { isRemoteSecretsUrl, getRemoteDevAuth } = require('../utils/remote-dev-auth');
+const devApi = require('../api/dev.api');
+/**
+ * Remove a key from a YAML secrets file.
+ * @param {string} key - Secret key
+ * @param {string} filePath - Absolute path to secrets file
+ * @throws {Error} If file cannot be read or written
+ */
+function removeKeyFromFile(key, filePath) {
+  let data = {};
+  if (fs.existsSync(filePath)) {
+    const content = fs.readFileSync(filePath, 'utf8');
+    data = yaml.load(content) || {};
+    if (typeof data !== 'object' || Array.isArray(data)) {
+      data = {};
+    }
+  }
+  if (!Object.prototype.hasOwnProperty.call(data, key)) {
+    throw new Error(`Secret '${key}' not found.`);
+  }
+  delete data[key];
+  const yamlContent = yaml.dump(data, { indent: 2, lineWidth: 120, noRefs: true, sortKeys: false });
+  fs.writeFileSync(filePath, yamlContent, { mode: 0o600 });
+}
+/**
+ * Remove secret from shared store (remote API or file).
+ * @param {string} key - Secret key
+ * @param {string} generalSecretsPath - Path or URL for shared secrets
+ * @returns {Promise<void>}
+ */
+async function removeSharedSecret(key, generalSecretsPath) {
+  if (isRemoteSecretsUrl(generalSecretsPath)) {
+    const auth = await getRemoteDevAuth();
+    if (!auth) {
+      throw new Error('Remote server not configured or certificate missing. Run "aifabrix dev init" first.');
+    }
+    try {
+      await devApi.deleteSecret(auth.serverUrl, auth.clientCertPem, key);
+    } catch (err) {
+      if (err.status === 404) {
+        throw new Error(`Secret '${key}' not found.`);
+      }
+      throw err;
+    }
+    logger.log(chalk.green(`✓ Secret '${key}' removed from remote shared secrets.`));
+    return;
+  }
+  const resolvedPath = path.isAbsolute(generalSecretsPath)
+    ? generalSecretsPath
+    : path.resolve(process.cwd(), generalSecretsPath);
+  removeKeyFromFile(key, resolvedPath);
+  logger.log(chalk.green(`✓ Secret '${key}' removed from shared secrets file.`));
+}
+/**
+ * Handle secret remove command.
+ * @param {string} key - Secret key to remove
+ * @param {Object} options - Command options
+ * @param {boolean} [options.shared] - If true, remove from shared secrets (file or remote API)
+ * @returns {Promise<void>}
+ */
+async function handleSecretsRemove(key, options) {
+  if (!key || typeof key !== 'string') {
+    throw new Error('Secret key is required.');
+  }
+  const isShared = options.shared || options['shared'] || false;
+  if (isShared) {
+    const generalSecretsPath = await getAifabrixSecretsPath();
+    if (!generalSecretsPath) {
+      throw new Error('Shared secrets not configured. Set aifabrix-secrets in config.yaml.');
+    }
+    await removeSharedSecret(key, generalSecretsPath);
+  } else {
+    const userSecretsPath = path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
+    removeKeyFromFile(key, userSecretsPath);
+    logger.log(chalk.green(`✓ Secret '${key}' removed from user secrets.`));
+  }
+}
+module.exports = { handleSecretsRemove };

package/lib/commands/secrets-set.js CHANGED Viewed

@@ -15,24 +15,46 @@ const logger = require('../utils/logger');
 const { getAifabrixSecretsPath } = require('../core/config');
 const { saveLocalSecret, saveSecret } = require('../utils/local-secrets');
 const pathsUtil = require('../utils/paths');
+const { isRemoteSecretsUrl, getRemoteDevAuth } = require('../utils/remote-dev-auth');
+const devApi = require('../api/dev.api');
 /**
- * Handle secrets set command action
- * Sets a secret value in either user secrets or general secrets file
+ * Handle secret set command action
+ * Sets a secret value in either user secrets, general secrets file, or remote API (when aifabrix-secrets is http(s) URL).
  *
  * @async
  * @function handleSecretsSet
  * @param {string} key - Secret key name
  * @param {string} value - Secret value (supports full URLs or environment variable interpolation)
  * @param {Object} options - Command options
- * @param {boolean} [options.shared] - If true, save to general secrets file
+ * @param {boolean} [options.shared] - If true, save to general secrets file or remote API
  * @returns {Promise<void>} Resolves when secret is saved
  * @throws {Error} If save fails or validation fails
- *
- * @example
- * await handleSecretsSet('keycloak-public-server-urlKeyVault', 'https://mydomain.com/keycloak', { shared: false });
- * await handleSecretsSet('keycloak-public-server-urlKeyVault', 'https://${VAR}:8182', { shared: true });
  */
+/**
+ * Save secret to shared store (remote API or file).
+ * @param {string} key - Secret key
+ * @param {string} value - Secret value
+ * @param {string} generalSecretsPath - Path or URL for shared secrets
+ * @returns {Promise<void>}
+ */
+async function setSharedSecret(key, value, generalSecretsPath) {
+  if (isRemoteSecretsUrl(generalSecretsPath)) {
+    const auth = await getRemoteDevAuth();
+    if (!auth) {
+      throw new Error('Remote server not configured or certificate missing. Run "aifabrix dev init" first.');
+    }
+    await devApi.addSecret(auth.serverUrl, auth.clientCertPem, { key, value });
+    logger.log(chalk.green(`✓ Secret '${key}' saved to remote secrets (shared).`));
+    return;
+  }
+  const resolvedPath = path.isAbsolute(generalSecretsPath)
+    ? generalSecretsPath
+    : path.resolve(process.cwd(), generalSecretsPath);
+  await saveSecret(key, value, resolvedPath);
+  logger.log(chalk.green(`✓ Secret '${key}' saved to general secrets file: ${resolvedPath}`));
+}
 async function handleSecretsSet(key, value, options) {
   if (!key || typeof key !== 'string') {
     throw new Error('Secret key is required and must be a string');
@@ -45,21 +67,12 @@ async function handleSecretsSet(key, value, options) {
   const isShared = options.shared || options['shared'] || false;
   if (isShared) {
-    // Save to general secrets file
     const generalSecretsPath = await getAifabrixSecretsPath();
     if (!generalSecretsPath) {
       throw new Error('General secrets file not configured. Set aifabrix-secrets in config.yaml or use without --shared flag for user secrets.');
     }
-    // Resolve path (handle absolute vs relative)
-    const resolvedPath = path.isAbsolute(generalSecretsPath)
-      ? generalSecretsPath
-      : path.resolve(process.cwd(), generalSecretsPath);
-    await saveSecret(key, value, resolvedPath);
-    logger.log(chalk.green(`✓ Secret '${key}' saved to general secrets file: ${resolvedPath}`));
+    await setSharedSecret(key, value, generalSecretsPath);
   } else {
-    // Save to user secrets file
     await saveLocalSecret(key, value);
     const userSecretsPath = path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
     logger.log(chalk.green(`✓ Secret '${key}' saved to user secrets file: ${userSecretsPath}`));

package/lib/commands/secrets-validate.js ADDED Viewed

@@ -0,0 +1,50 @@
+/**
+ * AI Fabrix Builder – Secrets validate command
+ *
+ * Validates a secrets file (structure and optional naming convention).
+ *
+ * @fileoverview Secrets validate command implementation
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+const chalk = require('chalk');
+const path = require('path');
+const logger = require('../utils/logger');
+const { validateSecretsFile } = require('../utils/secrets-validation');
+const pathsUtil = require('../utils/paths');
+const secretsEnsure = require('../core/secrets-ensure');
+/**
+ * Handle secret validate command action.
+ * Validates secrets file at given path or at resolved write target from config.
+ *
+ * @async
+ * @function handleSecretsValidate
+ * @param {string} [pathArg] - Optional path to secrets file
+ * @param {Object} options - Command options
+ * @param {boolean} [options.naming] - Check key names against *KeyVault convention
+ * @returns {Promise<{ valid: boolean, errors: string[] }>}
+ */
+async function handleSecretsValidate(pathArg, options = {}) {
+  let filePath = pathArg;
+  if (!filePath) {
+    const target = await secretsEnsure.resolveWriteTarget();
+    if (target.type === 'file' && target.filePath) {
+      filePath = target.filePath;
+    } else {
+      filePath = path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
+    }
+  }
+  const result = validateSecretsFile(filePath, { checkNaming: Boolean(options.naming) });
+  if (result.valid) {
+    logger.log(chalk.green(`✓ Secrets file is valid: ${result.path}`));
+    return { valid: true, errors: [] };
+  }
+  logger.log(chalk.red(`✗ Validation failed: ${result.path}`));
+  result.errors.forEach((err) => logger.log(chalk.yellow(`  • ${err}`)));
+  return { valid: false, errors: result.errors };
+}
+module.exports = { handleSecretsValidate };

package/lib/commands/up-dataplane.js CHANGED Viewed

@@ -86,7 +86,7 @@ async function handleUpDataplane(options = {}) {
   logger.log(chalk.blue('Starting up-dataplane (register/rotate, deploy, then run dataplane locally)...\n'));
   const [controllerUrl, environmentKey] = await Promise.all([resolveControllerUrl(), resolveEnvironment()]);
-  const authConfig = await checkAuthentication(controllerUrl, environmentKey);
+  const authConfig = await checkAuthentication(controllerUrl, environmentKey, { throwOnFailure: true });
   const cfg = await config.getConfig();
   const environment = (cfg && cfg.environment) ? cfg.environment : 'dev';
@@ -108,7 +108,7 @@ async function handleUpDataplane(options = {}) {
   await app.deployApp('dataplane', deployOpts);
   logger.log('');
-  await app.runApp('dataplane', {});
+  await app.runApp('dataplane', { skipEnvOutputPath: true });
   logger.log(chalk.green('\n✓ up-dataplane complete. Dataplane is registered, deployed in dev, and running locally.'));
 }

package/lib/commands/up-miso.js CHANGED Viewed

@@ -14,16 +14,10 @@ const pathsUtil = require('../utils/paths');
 const { loadConfigFile } = require('../utils/config-format');
 const logger = require('../utils/logger');
 const config = require('../core/config');
-const secrets = require('../core/secrets');
 const infra = require('../infrastructure');
 const app = require('../app');
-const { saveLocalSecret } = require('../utils/local-secrets');
 const { ensureAppFromTemplate, patchEnvOutputPathForDeployOnly, validateEnvOutputPathFolderOrNull } = require('./up-common');
-/** Keycloak base port (from templates/applications/keycloak application config) */
-const KEYCLOAK_BASE_PORT = 8082;
-/** Miso controller base port (dev-config app base) */
-const MISO_BASE_PORT = 3000;
 /**
  * Parse --image options array into map { keycloak?: string, 'miso-controller'?: string }
  * @param {string[]|string} imageOpts - Option value(s) e.g. ['keycloak=reg/k:v1', 'miso-controller=reg/m:v1']
@@ -64,22 +58,6 @@ function buildImageRefFromRegistry(appName, registry) {
   }
 }
-/**
- * Set URL secrets and resolve keycloak + miso-controller (no force; existing .env preserved)
- * @async
- * @param {number} devIdNum - Developer ID number
- */
-async function setMisoSecretsAndResolve(devIdNum) {
-  const keycloakPort = KEYCLOAK_BASE_PORT + (devIdNum === 0 ? 0 : devIdNum * 100);
-  const misoPort = MISO_BASE_PORT + (devIdNum === 0 ? 0 : devIdNum * 100);
-  await saveLocalSecret('keycloak-public-server-urlKeyVault', `http://localhost:${keycloakPort}`);
-  await saveLocalSecret('miso-controller-web-server-url', `http://localhost:${misoPort}`);
-  logger.log(chalk.green('✓ Set keycloak and miso-controller URL secrets'));
-  await secrets.generateEnvFile('keycloak', undefined, 'docker', false, true);
-  await secrets.generateEnvFile('miso-controller', undefined, 'docker', false, true);
-  logger.log(chalk.green('✓ Resolved keycloak and miso-controller'));
-}
 /**
  * Build run options and run keycloak, then miso-controller
  * @async
@@ -130,9 +108,6 @@ async function handleUpMiso(options = {}) {
   // Deploy-only: do not copy .env to repo paths; patch variables so envOutputPath is null
   patchEnvOutputPathForDeployOnly('keycloak');
   patchEnvOutputPathForDeployOnly('miso-controller');
-  const developerId = await config.getDeveloperId();
-  const devIdNum = typeof developerId === 'string' ? parseInt(developerId, 10) : developerId;
-  await setMisoSecretsAndResolve(devIdNum);
   await runMisoApps(options);
   logger.log(chalk.green('\n✓ up-miso complete. Keycloak and miso-controller are running.') +
     chalk.gray('\n  Run onboarding and register Keycloak from the miso-controller repo if needed. Use \'aifabrix up-dataplane\' for dataplane.'));

package/lib/commands/upload.js CHANGED Viewed

@@ -6,11 +6,14 @@
  * @version 2.0.0
  */
+const path = require('path');
 const chalk = require('chalk');
 const logger = require('../utils/logger');
 const { resolveControllerUrl } = require('../utils/controller-url');
 const { getDeploymentAuth, requireBearerForDataplanePipeline } = require('../utils/token-manager');
 const { resolveDataplaneUrl } = require('../utils/dataplane-resolver');
+const { getIntegrationPath } = require('../utils/paths');
+const { pushCredentialSecrets } = require('../utils/credential-secrets-env');
 const { validateExternalSystemComplete } = require('../validation/validate');
 const { displayValidationResults } = require('../validation/validate-display');
 const { generateControllerManifest } = require('../generator/external-controller-manifest');
@@ -115,6 +118,28 @@ function throwIfValidationFailed(validationResult) {
   }
 }
+/**
+ * Pushes credential secrets from .env and payload to dataplane; logs result or warning.
+ * @param {string} dataplaneUrl - Dataplane URL
+ * @param {Object} authConfig - Auth config
+ * @param {string} systemKey - System key
+ * @param {Object} payload - Upload payload
+ */
+async function pushAndLogCredentialSecrets(dataplaneUrl, authConfig, systemKey, payload) {
+  const envFilePath = path.join(getIntegrationPath(systemKey), '.env');
+  const pushResult = await pushCredentialSecrets(dataplaneUrl, authConfig, {
+    envFilePath,
+    appName: systemKey,
+    payload
+  });
+  if (pushResult.pushed > 0) {
+    logger.log(chalk.green(`Pushed ${pushResult.pushed} credential secret(s) to dataplane.`));
+  }
+  if (pushResult.warning) {
+    logger.log(chalk.yellow(`Warning: ${pushResult.warning}`));
+  }
+}
 /**
  * Uploads external system to dataplane (upload → validate → publish). No controller deploy.
  * @param {string} systemKey - External system key (integration/<system-key>/)
@@ -126,7 +151,6 @@ function throwIfValidationFailed(validationResult) {
  */
 async function uploadExternalSystem(systemKey, options = {}) {
   validateSystemKeyFormat(systemKey);
   logger.log(chalk.blue(`\nUploading external system to dataplane: ${systemKey}`));
   const validationResult = await validateExternalSystemComplete(systemKey, { type: 'external' });
@@ -146,6 +170,7 @@ async function uploadExternalSystem(systemKey, options = {}) {
   requireBearerForDataplanePipeline(authConfig);
   logger.log(chalk.blue(`Dataplane: ${dataplaneUrl}`));
+  await pushAndLogCredentialSecrets(dataplaneUrl, authConfig, systemKey, payload);
   await runUploadValidatePublish(dataplaneUrl, authConfig, payload);
   logger.log(chalk.green('\nUpload validated and published to dataplane.'));

package/lib/core/admin-secrets.js ADDED Viewed

@@ -0,0 +1,96 @@
+/**
+ * Read and decrypt admin-secrets.env for use in Docker runs.
+ * Supports plain KEY=value and secure:// encrypted values; uses config secrets-encryption key.
+ * Decrypted content is for in-memory use only (e.g. to build a temporary .env for compose).
+ *
+ * @fileoverview Admin secrets read/decrypt for infra and application runs
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+'use strict';
+const path = require('path');
+const fs = require('fs');
+const config = require('./config');
+const { decryptSecret, isEncrypted } = require('../utils/secrets-encryption');
+/**
+ * Parse .env-style content into key-value map (excludes comments and empty lines).
+ * Values are trimmed; does not unescape quotes.
+ * @param {string} content - Raw file content
+ * @returns {Object.<string, string>} Map of variable name to value
+ */
+function parseAdminEnvContent(content) {
+  const map = {};
+  if (!content || typeof content !== 'string') return map;
+  const lines = content.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eq = trimmed.indexOf('=');
+    if (eq > 0) {
+      const key = trimmed.substring(0, eq).trim();
+      let value = trimmed.substring(eq + 1);
+      if (value.length >= 2 && (value.startsWith('"') && value.endsWith('"') || value.startsWith('\'') && value.endsWith('\''))) {
+        value = value.slice(1, -1);
+      }
+      map[key] = value.trim();
+    }
+  }
+  return map;
+}
+/**
+ * Read admin-secrets.env from disk and return decrypted key-value object.
+ * Values with secure:// prefix are decrypted using config secrets-encryption key.
+ * Use the returned object only in memory (e.g. to build a temporary .env for docker compose).
+ *
+ * @async
+ * @param {string} [adminSecretsPath] - Path to admin-secrets.env; default: ~/.aifabrix/admin-secrets.env
+ * @returns {Promise<Object.<string, string>>} Plain object e.g. { POSTGRES_PASSWORD, PGADMIN_DEFAULT_EMAIL, ... }
+ * @throws {Error} If file missing, or encrypted value and decryption fails / no key configured
+ */
+async function readAndDecryptAdminSecrets(adminSecretsPath) {
+  const pathsUtil = require('../utils/paths');
+  const resolvedPath = adminSecretsPath || path.join(pathsUtil.getAifabrixHome(), 'admin-secrets.env');
+  if (!fs.existsSync(resolvedPath)) {
+    throw new Error(`Admin secrets file not found: ${resolvedPath}. Run 'aifabrix up-infra' or ensure admin-secrets.env exists.`);
+  }
+  const content = fs.readFileSync(resolvedPath, 'utf8');
+  const raw = parseAdminEnvContent(content);
+  const encryptionKey = await config.getSecretsEncryptionKey();
+  const out = {};
+  for (const [key, value] of Object.entries(raw)) {
+    if (value && isEncrypted(value)) {
+      if (!encryptionKey) {
+        throw new Error('Admin secrets contain encrypted values but no secrets-encryption key is configured. Run "aifabrix secure --secrets-encryption <key>" to set the key.');
+      }
+      out[key] = decryptSecret(value, encryptionKey);
+    } else {
+      out[key] = value;
+    }
+  }
+  return out;
+}
+/**
+ * Serialize a key-value object to .env file format (KEY=value, one per line).
+ * @param {Object.<string, string>} obj - Decrypted admin or merged env object
+ * @returns {string} .env file content
+ */
+function envObjectToContent(obj) {
+  const lines = [];
+  for (const [key, value] of Object.entries(obj)) {
+    if (key === undefined || key === '') continue;
+    const safe = String(value ?? '').replace(/\n/g, ' ').trim();
+    lines.push(`${key}=${safe}`);
+  }
+  return lines.join('\n');
+}
+module.exports = {
+  readAndDecryptAdminSecrets,
+  parseAdminEnvContent,
+  envObjectToContent
+};