@aifabrix/builder 2.40.2 → 2.42.0

package/lib/cli/setup-secrets.js

@@ -1,5 +1,5 @@
 /**
- * CLI secrets and security command setup (secrets set, secure).
+ * CLI secret and security command setup (secret set, secure).
  *
  * @fileoverview Secrets command definitions for AI Fabrix Builder CLI
  * @author AI Fabrix Team
@@ -8,18 +8,50 @@
 
 const { handleCommandError } = require('../utils/cli-utils');
 const { handleSecretsSet } = require('../commands/secrets-set');
+const { handleSecretsList } = require('../commands/secrets-list');
+const { handleSecretsRemove } = require('../commands/secrets-remove');
+const { handleSecretsValidate } = require('../commands/secrets-validate');
 const { handleSecure } = require('../commands/secure');
 
+function setupSecretValidateCommand(secretCmd) {
+  secretCmd
+    .command('validate [path]')
+    .description('Validate secrets file (YAML structure and optional naming convention)')
+    .option('--naming', 'Check key names against *KeyVault convention')
+    .action(async(pathArg, options) => {
+      try {
+        const result = await handleSecretsValidate(pathArg, options);
+        if (!result.valid) process.exit(1);
+      } catch (error) {
+        handleCommandError(error, 'secret validate');
+        process.exit(1);
+      }
+    });
+}
+
 /**
  * Sets up secrets and security commands
  * @param {Command} program - Commander program instance
  */
 function setupSecretsCommands(program) {
-  const secretsCmd = program
-    .command('secrets')
+  const secretCmd = program
+    .command('secret')
     .description('Manage secrets in secrets files');
 
-  secretsCmd
+  secretCmd
+    .command('list')
+    .description('List secret keys (user or shared; use --shared for shared)')
+    .option('--shared', 'List shared secrets (from config aifabrix-secrets or remote API)')
+    .action(async(options) => {
+      try {
+        await handleSecretsList(options);
+      } catch (error) {
+        handleCommandError(error, 'secret list');
+        process.exit(1);
+      }
+    });
+
+  secretCmd
     .command('set <key> <value>')
     .description('Set a secret value in secrets file')
     .option('--shared', 'Save to general secrets file (from config.yaml aifabrix-secrets) instead of user secrets')
@@ -27,11 +59,26 @@ function setupSecretsCommands(program) {
       try {
         await handleSecretsSet(key, value, options);
       } catch (error) {
-        handleCommandError(error, 'secrets set');
+        handleCommandError(error, 'secret set');
+        process.exit(1);
+      }
+    });
+
+  secretCmd
+    .command('remove <key>')
+    .description('Remove a secret by key')
+    .option('--shared', 'Remove from shared secrets (file or remote API)')
+    .action(async(key, options) => {
+      try {
+        await handleSecretsRemove(key, options);
+      } catch (error) {
+        handleCommandError(error, 'secret remove');
         process.exit(1);
       }
     });
 
+  setupSecretValidateCommand(secretCmd);
+
   program.command('secure')
     .description('Encrypt secrets in secrets.local.yaml files for ISO 27001 compliance')
     .option('--secrets-encryption <key>', 'Encryption key (32 bytes, hex or base64)')

package/lib/cli/setup-utility.js

@@ -13,7 +13,7 @@ const secrets = require('../core/secrets');
 const generator = require('../generator');
 const logger = require('../utils/logger');
 const { handleCommandError, logOfflinePathWhenType } = require('../utils/cli-utils');
-const { detectAppType, getDeployJsonPath } = require('../utils/paths');
+const { detectAppType, getDeployJsonPath, getResolveAppPath } = require('../utils/paths');
 
 /**
  * Resolve app path and type for split-json (integration first, then builder).
@@ -77,9 +77,13 @@ function logSplitJsonResult(result) {
     result.datasourceFiles.forEach(filePath => logger.log(`  • datasource: ${filePath}`));
   }
   if (result.rbac) {
-    logger.log(`  • rbac.yml: ${result.rbac}`);
+    logger.log(`  • rbac.yaml: ${result.rbac}`);
+  }
+  if (result.readmeSkipped) {
+    logger.log(`  • README.md: (kept existing) ${result.readmeSkipped}`);
+  } else if (result.readme) {
+    logger.log(`  • README.md: ${result.readme}`);
   }
-  logger.log(`  • README.md: ${result.readme}`);
 }
 
 function setupResolveCommand(program) {
@@ -89,9 +93,18 @@ function setupResolveCommand(program) {
     .option('--skip-validation', 'Skip file validation after generating .env')
     .action(async(appName, options) => {
       try {
-        const envPath = await secrets.generateEnvFile(appName, undefined, 'docker', options.force);
+        const { appPath, envOnly } = await getResolveAppPath(appName);
+        const envPath = await secrets.generateEnvFile(
+          appName,
+          undefined,
+          'docker',
+          options.force,
+          { appPath, envOnly, skipOutputPath: false, preserveFromPath: null }
+        );
         logger.log(`✓ Generated .env file: ${envPath}`);
-        if (!options.skipValidation) {
+        if (envOnly) {
+          logger.log(chalk.gray('  (env-only mode: validation skipped; no application.yaml)'));
+        } else if (!options.skipValidation) {
           const validate = require('../validation/validate');
           const result = await validate.validateAppOrFile(appName);
           validate.displayValidationResults(result);
@@ -132,7 +145,7 @@ function setupJsonCommand(program) {
     });
 }
 
-function setupSplitJsonConvertShowCommands(program) {
+function setupSplitJsonCommand(program) {
   program.command('split-json <app>')
     .description('Split deployment JSON into component files (env.template, application.yaml, rbac.yml, README.md)')
     .option('-o, --output <dir>', 'Output directory for component files (defaults to same directory as JSON)')
@@ -144,15 +157,66 @@ function setupSplitJsonConvertShowCommands(program) {
         process.exit(1);
       }
     });
+}
 
+function setupRepairCommand(program) {
+  program.command('repair <app>')
+    .description('Repair external integration config: fix drift (file lists, app key, datasource alignment, rbac, manifest)')
+    .option('--auth <method>', 'Set authentication method (oauth2, aad, apikey, basic, queryParam, oidc, hmac, none); updates system file and env.template')
+    .option('--dry-run', 'Report changes only; do not write')
+    .option('--rbac', 'Ensure RBAC permissions per datasource and add default Admin/Reader roles if none exist')
+    .option('--expose', 'Set exposed.attributes on each datasource to all fieldMappings.attributes keys')
+    .option('--sync', 'Add default sync section to datasources that lack it')
+    .option('--test', 'Generate testPayload.payloadTemplate and testPayload.expectedResult from attributes')
+    .action(async(appName, options) => {
+      try {
+        const { repairExternalIntegration } = require('../commands/repair');
+        const { detectAppType } = require('../utils/paths');
+        const { appPath } = await detectAppType(appName);
+        logOfflinePathWhenType(appPath);
+        const result = await repairExternalIntegration(appName, {
+          auth: options.auth,
+          dryRun: options.dryRun,
+          rbac: options.rbac,
+          expose: options.expose,
+          sync: options.sync,
+          test: options.test
+        });
+        if (options.dryRun && result.updated && result.changes.length > 0) {
+          logger.log(chalk.yellow('\nWould apply:'));
+          result.changes.forEach(c => logger.log(chalk.gray(`  ${c}`)));
+        } else if (result.updated) {
+          logger.log(chalk.green('\n✓ Repaired external integration config.'));
+        } else {
+          logger.log(chalk.gray('No changes needed; config already matches files on disk.'));
+        }
+      } catch (error) {
+        handleCommandError(error, 'repair');
+        process.exit(1);
+      }
+    });
+}
+
+function setupConvertCommand(program) {
   program.command('convert <app>')
     .description('Convert integration/external system and datasource config files between JSON and YAML')
-    .option('--format <format>', 'Target format: json | yaml (required)')
+    .option('--format <format>', 'Target format: json | yaml (required unless config format is set)')
     .option('-f, --force', 'Skip confirmation prompt')
     .action(async(appName, options) => {
       try {
+        const config = require('../core/config');
+        const effectiveFormat = options.format || (await config.getFormat());
+        if (!effectiveFormat) {
+          throw new Error(
+            'Option --format is required and must be \'json\' or \'yaml\' (or set default with aifabrix dev set-format)'
+          );
+        }
+        const normalized = effectiveFormat.trim().toLowerCase();
+        if (normalized !== 'json' && normalized !== 'yaml') {
+          throw new Error('Option --format must be \'json\' or \'yaml\'');
+        }
         const { runConvert } = require('../commands/convert');
-        const { converted, deleted } = await runConvert(appName, { format: options.format, force: options.force });
+        const { converted, deleted } = await runConvert(appName, { format: normalized, force: options.force });
         logger.log(chalk.green('\n✓ Convert complete.'));
         converted.forEach(p => logger.log(`  • ${p}`));
         if (deleted.length > 0) {
@@ -164,7 +228,9 @@ function setupSplitJsonConvertShowCommands(program) {
         process.exit(1);
       }
     });
+}
 
+function setupShowCommand(program) {
   program.command('show <appKey>')
     .description('Show application info from local builder/ or integration/ (offline) or from controller (--online)')
     .option('--online', 'Fetch application data from the controller')
@@ -180,25 +246,60 @@ function setupSplitJsonConvertShowCommands(program) {
     });
 }
 
+function setupSplitJsonConvertShowCommands(program) {
+  setupSplitJsonCommand(program);
+  setupRepairCommand(program);
+  setupConvertCommand(program);
+  setupShowCommand(program);
+}
+
+async function runValidateCommand(appOrFile, options) {
+  const validate = require('../validation/validate');
+  const opts = options.opts ? options.opts() : options;
+  const integration = opts.integration === true;
+  const builder = opts.builder === true;
+  const outFormat = (opts.format || 'default').toLowerCase();
+
+  if (integration || builder) {
+    const batchResult = integration && builder
+      ? await validate.validateAll(opts)
+      : integration
+        ? await validate.validateAllIntegrations(opts)
+        : await validate.validateAllBuilderApps(opts);
+    if (outFormat === 'json') {
+      logger.log(JSON.stringify(batchResult, null, 2));
+    } else {
+      validate.displayBatchValidationResults(batchResult);
+    }
+    if (!batchResult.valid) process.exit(1);
+    return;
+  }
+
+  if (!appOrFile || typeof appOrFile !== 'string') {
+    logger.log(chalk.red('App name or file path is required, or use --integration / --builder'));
+    process.exit(1);
+  }
+
+  const result = await validate.validateAppOrFile(appOrFile, opts);
+  if (outFormat === 'json') {
+    logger.log(JSON.stringify(result, null, 2));
+  } else {
+    validate.displayValidationResults(result);
+  }
+  if (!result.valid) process.exit(1);
+}
+
 function setupValidateDiffCommands(program) {
-  program.command('validate <appOrFile>')
-    .description('Validate application or external integration file')
+  program.command('validate [appOrFile]')
+    .description('Validate application or external integration file; use --integration or --builder to validate all apps')
     .option('--format <format>', 'Output format: json | default (human-readable)')
-    .action(async(appOrFile, options) => {
-      try {
-        const validate = require('../validation/validate');
-        const result = await validate.validateAppOrFile(appOrFile, options);
-        const outFormat = (options.format || 'default').toLowerCase();
-        if (outFormat === 'json') {
-          logger.log(JSON.stringify(result, null, 2));
-        } else {
-          validate.displayValidationResults(result);
-        }
-        if (!result.valid) process.exit(1);
-      } catch (error) {
+    .option('--integration', 'Validate all applications under integration/')
+    .option('--builder', 'Validate all applications under builder/')
+    .action((appOrFile, options) => {
+      runValidateCommand(appOrFile, options).catch((error) => {
         handleCommandError(error, 'validate');
         process.exit(1);
-      }
+      });
     });
 
   program.command('diff <file1> <file2>')
@@ -229,4 +330,8 @@ function setupUtilityCommands(program) {
   setupValidateDiffCommands(program);
 }
 
-module.exports = { setupUtilityCommands };
+module.exports = {
+  setupUtilityCommands,
+  resolveSplitJsonApp,
+  handleSplitJsonCommand
+};

package/lib/commands/app-install.js

@@ -0,0 +1,172 @@
+/**
+ * Install command – run install (dependencies) inside app container (dev: running; tst: ephemeral with .env).
+ *
+ * @fileoverview App install command for builder apps (plan 73)
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const { spawn } = require('child_process');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const config = require('../core/config');
+const containerHelpers = require('../utils/app-run-containers');
+const composeGenerator = require('../utils/compose-generator');
+const pathsUtil = require('../utils/paths');
+const { loadConfigFile } = require('../utils/config-format');
+const secretsEnvWrite = require('../core/secrets-env-write');
+
+/**
+ * Load application config for builder app.
+ * @param {string} appName - Application name
+ * @returns {Object} Application config
+ */
+function loadAppConfig(appName) {
+  const builderPath = pathsUtil.getBuilderPath(appName);
+  const configPath = pathsUtil.resolveApplicationConfigPath(builderPath);
+  return loadConfigFile(configPath);
+}
+
+/** Env set so install/test/lint use a writable temp dir in the container (e.g. when /app is read-only). */
+const TMPDIR_VALUE = '/tmp';
+
+/** pnpm store in /tmp when /app is read-only (avoids EACCES on _tmp_ files in project root). */
+const PNPM_STORE_DIR = '/tmp/.pnpm-store';
+
+/**
+ * Ensure install command can run when /app is read-only: use TMPDIR and pnpm --store-dir.
+ * @param {string} cmd - Raw install command (e.g. "pnpm install")
+ * @returns {string} Command (possibly with --store-dir for pnpm)
+ */
+function installCommandForReadOnlyApp(cmd) {
+  const t = typeof cmd === 'string' ? cmd.trim() : '';
+  if (t === 'pnpm install' || t.startsWith('pnpm install ') ||
+      t === 'pnpm i' || t.startsWith('pnpm i ')) {
+    return t.includes('--store-dir') ? t : `${t} --store-dir ${PNPM_STORE_DIR}`;
+  }
+  return t;
+}
+
+/**
+ * Resolve install command from application config (language or build.scripts).
+ * @param {Object} appConfig - Application config
+ * @returns {string} Shell command to run install (e.g. "pnpm install" or "make install")
+ */
+function getInstallCommand(appConfig) {
+  const build = appConfig.build;
+  const scripts = (build && build.scripts) || appConfig.scripts;
+  if (scripts && typeof scripts.install === 'string' && scripts.install.trim()) {
+    return scripts.install.trim();
+  }
+  const lang = (build && build.language || appConfig.language || 'typescript').toLowerCase();
+  return lang === 'python' ? 'make install' : 'pnpm install';
+}
+
+/**
+ * Run install in dev (exec in running container).
+ * Resolves app .env (including NPM_TOKEN/PYPI_TOKEN from kv://) and passes it so install has registry tokens.
+ * @param {string} appName - Application name
+ * @param {string|number} developerId - Developer ID
+ * @param {string} installCmd - Install command
+ * @returns {Promise<number>} Exit code
+ */
+async function runInstallInDev(appName, developerId, installCmd) {
+  const containerName = containerHelpers.getContainerName(appName, developerId);
+  const isRunning = await containerHelpers.checkContainerRunning(appName, developerId);
+  if (!isRunning) {
+    throw new Error(
+      `Container ${containerName} is not running.\nRun 'aifabrix run ${appName}' first.`
+    );
+  }
+  logger.log(chalk.blue(`Running install in container ${containerName}: ${installCmd}\n`));
+  const cmd = installCommandForReadOnlyApp(installCmd);
+  const envFilePath = await secretsEnvWrite.resolveAndWriteEnvFile(appName, {});
+  return runDockerExec(containerName, cmd, envFilePath);
+}
+
+/**
+ * Run command in container via docker exec; stream output. Returns exit code.
+ * Uses -e TMPDIR, pnpm store, CI; when envFilePath is set passes --env-file so NPM_TOKEN/PYPI_TOKEN (from kv://) are available.
+ * @param {string} containerName - Container name
+ * @param {string} cmd - Shell command
+ * @param {string|null} [envFilePath] - Path to resolved .env for --env-file (optional; when set, install has registry tokens)
+ * @returns {Promise<number>} Exit code
+ */
+function runDockerExec(containerName, cmd, envFilePath = null) {
+  return new Promise((resolve) => {
+    const args = [
+      'exec',
+      '-e', `TMPDIR=${TMPDIR_VALUE}`,
+      '-e', `npm_config_store_dir=${PNPM_STORE_DIR}`,
+      '-e', 'CI=true'
+    ];
+    if (envFilePath) {
+      args.push('--env-file', envFilePath);
+    }
+    args.push(containerName, 'sh', '-c', cmd);
+    const proc = spawn('docker', args, {
+      stdio: 'inherit',
+      shell: false
+    });
+    proc.on('close', code => resolve(code !== null ? code : 1));
+    proc.on('error', () => resolve(1));
+  });
+}
+
+/**
+ * Run command in ephemeral container with optional env file; stream output. Returns exit code.
+ * @param {string} fullImage - Image:tag
+ * @param {string} cmd - Shell command
+ * @param {string|null} [envFilePath] - Path to .env file for --env-file (optional)
+ * @returns {Promise<number>} Exit code
+ */
+function runDockerRunEphemeral(fullImage, cmd, envFilePath = null) {
+  return new Promise((resolve) => {
+    const args = ['run', '--rm', '-e', `TMPDIR=${TMPDIR_VALUE}`, '-e', `npm_config_store_dir=${PNPM_STORE_DIR}`, '-e', 'CI=true'];
+    if (envFilePath) {
+      args.push('--env-file', envFilePath);
+    }
+    args.push(fullImage, 'sh', '-c', cmd);
+    const proc = spawn('docker', args, {
+      stdio: 'inherit',
+      shell: false
+    });
+    proc.on('close', code => resolve(code !== null ? code : 1));
+    proc.on('error', () => resolve(1));
+  });
+}
+
+/**
+ * Run install for a builder app. DEV: exec in running container; TST: ephemeral with resolved .env.
+ * @param {string} appName - Application name
+ * @param {Object} [options] - { env: 'dev'|'tst' }
+ * @returns {Promise<void>}
+ */
+async function runAppInstall(appName, options = {}) {
+  const env = (options.env || 'dev').toLowerCase();
+  if (env !== 'dev' && env !== 'tst') {
+    throw new Error('--env must be dev or tst');
+  }
+  const appConfig = loadAppConfig(appName);
+  const installCmd = getInstallCommand(appConfig);
+  const developerId = await config.getDeveloperId();
+  const imageName = composeGenerator.getImageName(appConfig, appName);
+  const imageTag = (appConfig.image && appConfig.image.tag) ? appConfig.image.tag : 'latest';
+  const fullImage = `${imageName}:${imageTag}`;
+
+  if (env === 'dev') {
+    const code = await runInstallInDev(appName, developerId, installCmd);
+    if (code !== 0) process.exit(code);
+    logger.log(chalk.green('✓ Install completed'));
+    return;
+  }
+
+  logger.log(chalk.blue(`Running install in ephemeral container (${fullImage}): ${installCmd}\n`));
+  const envFilePath = await secretsEnvWrite.resolveAndWriteEnvFile(appName, {});
+  const cmd = installCommandForReadOnlyApp(installCmd);
+  const code = await runDockerRunEphemeral(fullImage, cmd, envFilePath);
+  if (code !== 0) process.exit(code);
+  logger.log(chalk.green('✓ Install completed'));
+}
+
+module.exports = { runAppInstall, getInstallCommand };

package/lib/commands/app-shell.js

@@ -0,0 +1,75 @@
+/**
+ * Shell command – open an interactive shell in the app container (docker exec -it).
+ *
+ * @fileoverview App shell command implementation
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const { spawn } = require('child_process');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const config = require('../core/config');
+const containerHelpers = require('../utils/app-run-containers');
+const pathsUtil = require('../utils/paths');
+const secretsEnvWrite = require('../core/secrets-env-write');
+
+/**
+ * Load application config for builder app (used to ensure app exists).
+ * @param {string} appName - Application name
+ * @returns {Object} Application config
+ */
+function loadAppConfig(appName) {
+  const { loadConfigFile } = require('../utils/config-format');
+  const builderPath = pathsUtil.getBuilderPath(appName);
+  const configPath = pathsUtil.resolveApplicationConfigPath(builderPath);
+  return loadConfigFile(configPath);
+}
+
+/**
+ * Run interactive shell in the application container. Uses sh.
+ * Resolves app .env (including NPM_TOKEN/PYPI_TOKEN from kv://) and passes it via --env-file so the shell has registry tokens.
+ * @param {string} appName - Application name
+ * @param {Object} [options] - Options (e.g. --env for future remote)
+ * @returns {Promise<void>} Resolves when shell exits
+ */
+async function runAppShell(appName, _options = {}) {
+  loadAppConfig(appName);
+
+  const developerId = await config.getDeveloperId();
+  const containerName = containerHelpers.getContainerName(appName, developerId);
+  const isRunning = await containerHelpers.checkContainerRunning(appName, developerId);
+
+  if (!isRunning) {
+    throw new Error(
+      `Container ${containerName} is not running.\nRun 'aifabrix run ${appName}' first.`
+    );
+  }
+
+  logger.log(chalk.blue(`Opening shell in ${containerName} (exit with 'exit' or Ctrl+D)...\n`));
+
+  const envFilePath = await secretsEnvWrite.resolveAndWriteEnvFile(appName, {});
+  const proc = spawn('docker', [
+    'exec', '-it',
+    '--env-file', envFilePath,
+    '-e', 'TMPDIR=/tmp',
+    containerName,
+    'sh'
+  ], {
+    stdio: 'inherit',
+    shell: false
+  });
+
+  return new Promise((resolve, reject) => {
+    proc.on('close', code => {
+      if (code !== 0 && code !== null) {
+        reject(new Error(`Shell exited with code ${code}`));
+      } else {
+        resolve();
+      }
+    });
+    proc.on('error', err => reject(err));
+  });
+}
+
+module.exports = { runAppShell };