@aifabrix/builder 2.40.2 → 2.42.0

package/lib/utils/port-resolver.js

@@ -5,7 +5,7 @@
  * Use getContainerPort for container/Docker/deployment/registration; use getLocalPort
  * for local .env and dev-id–adjusted host port.
  *
- * @fileoverview Port resolution from variables (port, build.containerPort, build.localPort)
+ * @fileoverview Port resolution from variables (port, build.containerPort)
  * @author AI Fabrix Team
  * @version 2.0.0
  */
@@ -17,8 +17,8 @@ const yaml = require('js-yaml');
 
 /**
  * Resolve container port from variables object.
- * Precedence: build.containerPort → port → defaultPort.
- * Used for: Dockerfile, container .env PORT, compose, deployment, app register, variable-transformer, builders, secrets-utils.
+ * Precedence: build.containerPort (if set and non-empty) → port (main port) → defaultPort.
+ * When containerPort is empty or missing, main port is used (e.g. keycloak 8082:8080 vs miso 3000:3000).
  *
  * @param {Object} variables - Parsed application config (or subset with build, port)
  * @param {number} [defaultPort=3000] - Default when neither build.containerPort nor port is set
@@ -26,13 +26,19 @@ const yaml = require('js-yaml');
  */
 function getContainerPort(variables, defaultPort = 3000) {
   const v = variables || {};
-  return v.build?.containerPort ?? v.port ?? defaultPort;
+  const containerPort = v.build?.containerPort;
+  const useMain = containerPort === undefined || containerPort === null ||
+    (typeof containerPort === 'string' && containerPort.trim() === '');
+  if (!useMain && typeof containerPort === 'number' && containerPort > 0) {
+    return containerPort;
+  }
+  return v.port ?? defaultPort;
 }
 
 /**
  * Resolve local (development) port from variables object.
- * Precedence: build.localPort (if number and > 0) → port → defaultPort.
- * Used for: env-copy, env-ports, and as base for getLocalPortFromPath (secrets-helpers).
+ * Precedence: build.localPort (when positive integer) → port → defaultPort.
+ * Used for env-copy, env-ports, getLocalPortFromPath, run compose host port.
  *
  * @param {Object} variables - Parsed application config
  * @param {number} [defaultPort=3000] - Default when neither build.localPort nor port is set
@@ -40,9 +46,9 @@ function getContainerPort(variables, defaultPort = 3000) {
  */
 function getLocalPort(variables, defaultPort = 3000) {
   const v = variables || {};
-  const local = v.build?.localPort;
-  if (typeof local === 'number' && local > 0) {
-    return local;
+  const localPort = v.build?.localPort;
+  if (typeof localPort === 'number' && localPort > 0) {
+    return localPort;
   }
   return v.port ?? defaultPort;
 }
@@ -67,7 +73,7 @@ function loadVariablesFromPath(variablesPath) {
 
 /**
  * Resolve container port from application config path.
- * Returns null when file is missing or neither build.containerPort nor port is set (for chaining with other sources).
+ * When containerPort is empty or missing, returns main port. Null only when file missing or no port set.
  *
  * @param {string} variablesPath - Path to application config
  * @returns {number|null} Container port or null
@@ -77,14 +83,20 @@ function getContainerPortFromPath(variablesPath) {
   if (!v) {
     return null;
   }
-  const p = v.build?.containerPort ?? v.port;
+  const containerPort = v.build?.containerPort;
+  const useMain = containerPort === undefined || containerPort === null ||
+    (typeof containerPort === 'string' && containerPort.trim() === '');
+  if (!useMain && typeof containerPort === 'number' && containerPort > 0) {
+    return containerPort;
+  }
+  const p = v.port;
   return (p !== undefined && p !== null) ? p : null;
 }
 
 /**
  * Resolve local port from application config path.
- * Matches legacy getPortFromVariablesFile: build.localPort (if number and > 0) else variables.port or null.
- * Returns null when file is missing or neither is set (for calculateAppPort chain).
+ * Same rule as getLocalPort: build.localPort (when positive integer) → port.
+ * Returns null when file is missing or neither localPort nor port is set.
  *
  * @param {string} variablesPath - Path to application config
  * @returns {number|null} Local port or null
@@ -94,9 +106,9 @@ function getLocalPortFromPath(variablesPath) {
   if (!v) {
     return null;
   }
-  const local = v.build?.localPort;
-  if (typeof local === 'number' && local > 0) {
-    return local;
+  const localPort = v.build?.localPort;
+  if (typeof localPort === 'number' && localPort > 0) {
+    return localPort;
   }
   const p = v.port;
   return (p !== undefined && p !== null) ? p : null;

package/lib/utils/remote-dev-auth.js

@@ -0,0 +1,38 @@
+/**
+ * @fileoverview Resolve Builder Server URL and client cert for cert-authenticated dev API calls
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const config = require('../core/config');
+const { getCertDir, readClientCertPem } = require('./dev-cert-helper');
+const { getConfigDirForPaths } = require('./paths');
+
+/**
+ * Check if a string is an http(s) URL (for aifabrix-secrets remote mode).
+ * @param {string} value - Config value
+ * @returns {boolean}
+ */
+function isRemoteSecretsUrl(value) {
+  return typeof value === 'string' && (value.startsWith('http://') || value.startsWith('https://'));
+}
+
+/**
+ * Get Builder Server URL and client cert PEM when remote is configured; otherwise null.
+ * Use for cert-authenticated dev API calls (settings, users, ssh-keys, secrets).
+ * @returns {Promise<{ serverUrl: string, clientCertPem: string }|null>}
+ */
+async function getRemoteDevAuth() {
+  const serverUrl = await config.getRemoteServer();
+  if (!serverUrl) return null;
+  const devId = await config.getDeveloperId();
+  const certDir = getCertDir(getConfigDirForPaths(), devId);
+  const clientCertPem = readClientCertPem(certDir);
+  if (!clientCertPem) return null;
+  return { serverUrl, clientCertPem };
+}
+
+module.exports = {
+  isRemoteSecretsUrl,
+  getRemoteDevAuth
+};

package/lib/utils/remote-docker-env.js

@@ -0,0 +1,43 @@
+/**
+ * Remote Docker environment – DOCKER_HOST and TLS cert path when docker-endpoint is set.
+ *
+ * @fileoverview Env overlay for Docker CLI when using remote Builder Server
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const path = require('path');
+const config = require('../core/config');
+const { getCertDir } = require('./dev-cert-helper');
+const { getConfigDirForPaths } = require('./paths');
+
+/**
+ * If remote Docker is configured (docker-endpoint + cert.pem, key.pem, and ca.pem present),
+ * returns env vars for Docker CLI: DOCKER_HOST, DOCKER_TLS_VERIFY, DOCKER_CERT_PATH.
+ * Docker requires ca.pem in DOCKER_CERT_PATH for TLS; if it is missing we return {} so
+ * the CLI uses local Docker and avoids "open ca.pem: no such file or directory".
+ *
+ * @returns {Promise<Object>} Env overlay (may be empty)
+ */
+async function getRemoteDockerEnv() {
+  const endpoint = await config.getDockerEndpoint();
+  if (!endpoint || typeof endpoint !== 'string' || !endpoint.trim()) {
+    return {};
+  }
+  const devId = await config.getDeveloperId();
+  const certDir = getCertDir(getConfigDirForPaths(), devId);
+  const certPath = path.join(certDir, 'cert.pem');
+  const keyPath = path.join(certDir, 'key.pem');
+  const caPath = path.join(certDir, 'ca.pem');
+  const fs = require('fs');
+  if (!fs.existsSync(certPath) || !fs.existsSync(keyPath) || !fs.existsSync(caPath)) {
+    return {};
+  }
+  return {
+    DOCKER_HOST: endpoint.trim(),
+    DOCKER_TLS_VERIFY: '1',
+    DOCKER_CERT_PATH: certDir
+  };
+}
+
+module.exports = { getRemoteDockerEnv };

package/lib/utils/remote-secrets-loader.js

@@ -0,0 +1,60 @@
+/**
+ * Load shared secrets from Builder Server when aifabrix-secrets is an http(s) URL.
+ * Used for .env resolution only; values are never persisted to disk.
+ *
+ * @fileoverview Remote shared secrets loader for .env generation
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const config = require('../core/config');
+
+/**
+ * Fetches shared secrets from Builder Server when aifabrix-secrets is an http(s) URL.
+ * @returns {Promise<Object|null>} Key-value secrets from API or null
+ */
+async function loadRemoteSharedSecrets() {
+  const { isRemoteSecretsUrl, getRemoteDevAuth } = require('./remote-dev-auth');
+  const devApi = require('../api/dev.api');
+  const configSecretsPath = await config.getSecretsPath();
+  if (!configSecretsPath || !isRemoteSecretsUrl(configSecretsPath)) {
+    return null;
+  }
+  const auth = await getRemoteDevAuth();
+  if (!auth) return null;
+  try {
+    const items = await devApi.listSecrets(auth.serverUrl, auth.clientCertPem);
+    if (!Array.isArray(items)) return null;
+    const obj = {};
+    for (const item of items) {
+      if (item && typeof item.name === 'string' && item.value !== undefined) {
+        obj[item.name] = String(item.value);
+      }
+    }
+    return obj;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Merges remote shared secrets with user secrets. User wins on same key.
+ * @param {Object} userSecrets - User secrets object
+ * @param {Object} remoteSecrets - Remote API secrets (key-value)
+ * @returns {Object} Merged object
+ */
+function mergeUserWithRemoteSecrets(userSecrets, remoteSecrets) {
+  const merged = { ...userSecrets };
+  if (!remoteSecrets || typeof remoteSecrets !== 'object') return merged;
+  for (const key of Object.keys(remoteSecrets)) {
+    if (!(key in merged) || merged[key] === undefined || merged[key] === null || merged[key] === '') {
+      merged[key] = remoteSecrets[key];
+    }
+  }
+  return merged;
+}
+
+module.exports = {
+  loadRemoteSharedSecrets,
+  mergeUserWithRemoteSecrets
+};

package/lib/utils/secrets-canonical.js

@@ -0,0 +1,93 @@
+/**
+ * Canonical secrets path and YAML helpers
+ *
+ * @fileoverview Read/merge canonical secrets from config path
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const yaml = require('js-yaml');
+const config = require('../core/config');
+
+/**
+ * Read a YAML file and return parsed object
+ * @function readYamlAtPath
+ * @param {string} filePath - Absolute file path
+ * @returns {Object} Parsed YAML object
+ */
+function readYamlAtPath(filePath) {
+  const content = fs.readFileSync(filePath, 'utf8');
+  return yaml.load(content);
+}
+
+/**
+ * Merge a single secret value from canonical into result
+ * @function mergeSecretValue
+ * @param {Object} result - Result object to merge into
+ * @param {string} key - Secret key
+ * @param {*} canonicalValue - Value from canonical secrets
+ */
+function mergeSecretValue(result, key, canonicalValue) {
+  const currentValue = result[key];
+  // Fill missing, empty, or undefined values
+  if (!(key in result) || currentValue === undefined || currentValue === null || currentValue === '') {
+    result[key] = canonicalValue;
+    return;
+  }
+  // Only replace values that are encrypted (have secure:// prefix)
+  // Plaintext values (no secure://) are used as-is
+  if (typeof currentValue === 'string' && typeof canonicalValue === 'string') {
+    if (currentValue.startsWith('secure://')) {
+      result[key] = canonicalValue;
+    }
+  }
+}
+
+/**
+ * Apply canonical secrets path override if configured and file exists
+ * @async
+ * @function applyCanonicalSecretsOverride
+ * @param {Object} currentSecrets - Current secrets map
+ * @returns {Promise<Object>} Possibly overridden secrets
+ */
+async function applyCanonicalSecretsOverride(currentSecrets) {
+  let mergedSecrets = currentSecrets || {};
+  try {
+    const canonicalPath = await config.getSecretsPath();
+    if (!canonicalPath) {
+      return mergedSecrets;
+    }
+    const resolvedCanonical = path.isAbsolute(canonicalPath)
+      ? canonicalPath
+      : path.resolve(process.cwd(), canonicalPath);
+    if (!fs.existsSync(resolvedCanonical)) {
+      return mergedSecrets;
+    }
+    const configSecrets = readYamlAtPath(resolvedCanonical);
+    if (!configSecrets || typeof configSecrets !== 'object') {
+      return mergedSecrets;
+    }
+    // Apply canonical secrets as a fallback source:
+    // - Do NOT override any existing keys from user/build
+    // - Add only missing keys from canonical path
+    // - Also fill in empty/undefined values from canonical path
+    // - Replace encrypted values (secure://) with canonical plaintext
+    const result = { ...mergedSecrets };
+    for (const [key, canonicalValue] of Object.entries(configSecrets)) {
+      mergeSecretValue(result, key, canonicalValue);
+    }
+    mergedSecrets = result;
+  } catch {
+    // ignore and fall through
+  }
+  return mergedSecrets;
+}
+
+module.exports = {
+  readYamlAtPath,
+  applyCanonicalSecretsOverride
+};

package/lib/utils/secrets-generator.js

@@ -17,6 +17,54 @@ const crypto = require('crypto');
 const logger = require('./logger');
 const pathsUtil = require('./paths');
 
+/**
+ * Parse key-value pairs from YAML-like lines (last occurrence wins per key).
+ * @param {string} content - Raw YAML content
+ * @returns {Object} Parsed object
+ */
+function parseYamlKeyValueLines(content) {
+  const result = {};
+  const keyValueRe = /^\s*([^#:]+):\s*(.*)$/;
+  const lines = content.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed === '' || trimmed.startsWith('#')) continue;
+    const m = line.match(keyValueRe);
+    if (!m) continue;
+    const key = m[1].trim();
+    let value = m[2].trim();
+    if ((value.startsWith('\'') && value.endsWith('\'')) || (value.startsWith('"') && value.endsWith('"'))) {
+      value = value.slice(1, -1).replace(/\\'/g, '\'').replace(/\\"/g, '"');
+    }
+    result[key] = value;
+  }
+  return result;
+}
+
+/**
+ * Parse YAML content tolerating duplicate keys (last occurrence wins).
+ * Use for secrets files that may have been appended to repeatedly.
+ * Tries yaml.load first; on "duplicate key" error falls back to line-by-line parse.
+ *
+ * @param {string} content - Raw YAML content
+ * @returns {Object} Parsed object (last value wins for duplicate keys)
+ */
+function loadYamlTolerantOfDuplicateKeys(content) {
+  if (!content || typeof content !== 'string') {
+    return {};
+  }
+  try {
+    const parsed = yaml.load(content);
+    return parsed && typeof parsed === 'object' ? parsed : {};
+  } catch (err) {
+    const msg = err.message || '';
+    if (!msg.includes('duplicate') && !msg.includes('duplicated mapping')) {
+      throw err;
+    }
+  }
+  return parseYamlKeyValueLines(content);
+}
+
 /**
  * Skips commented or empty lines when scanning env.template
  * @param {string} line - Single line
@@ -127,7 +175,7 @@ function loadExistingSecrets(resolvedPath) {
 
   try {
     const content = fs.readFileSync(resolvedPath, 'utf8');
-    const secrets = yaml.load(content) || {};
+    const secrets = loadYamlTolerantOfDuplicateKeys(content);
     return typeof secrets === 'object' ? secrets : {};
   } catch (error) {
     logger.warn(`Warning: Could not read existing secrets file: ${error.message}`);
@@ -136,7 +184,7 @@ function loadExistingSecrets(resolvedPath) {
 }
 
 /**
- * Saves secrets file
+ * Saves secrets file (full overwrite). Use appendSecretsToFile to add keys without changing existing content.
  * @function saveSecretsFile
  * @param {string} resolvedPath - Path to secrets file
  * @param {Object} secrets - Secrets object to save
@@ -158,6 +206,64 @@ function saveSecretsFile(resolvedPath, secrets) {
   fs.writeFileSync(resolvedPath, yamlContent, { mode: 0o600 });
 }
 
+const YAML_DUMP_OPTS = { indent: 2, lineWidth: 120, noRefs: true, sortKeys: false };
+
+/**
+ * Merges secret keys into the secrets file (load existing, merge, overwrite file).
+ * Use when setting or updating keys so that existing keys are updated in place instead of duplicated.
+ * Creates the file if it does not exist. Tolerant of duplicate keys in existing file (last wins when loading).
+ *
+ * @function mergeSecretsIntoFile
+ * @param {string} resolvedPath - Path to secrets file
+ * @param {Object} secrets - Key-value object to merge (overwrites existing same keys)
+ * @throws {Error} If write fails
+ */
+function mergeSecretsIntoFile(resolvedPath, secrets) {
+  if (!secrets || typeof secrets !== 'object' || Object.keys(secrets).length === 0) {
+    return;
+  }
+  const existing = loadExistingSecrets(resolvedPath);
+  const merged = { ...existing, ...secrets };
+  saveSecretsFile(resolvedPath, merged);
+}
+
+/**
+ * Appends secret keys to the end of the secrets file without modifying existing content (preserves comments and structure).
+ * Creates the file if it does not exist. For existing files, new keys are appended.
+ * When the file has duplicate keys, use loadExistingSecrets (tolerant parse) to read; last occurrence wins.
+ *
+ * @function appendSecretsToFile
+ * @param {string} resolvedPath - Path to secrets file
+ * @param {Object} secrets - Key-value object to append (only these keys are written)
+ * @throws {Error} If write fails
+ */
+function appendSecretsToFile(resolvedPath, secrets) {
+  if (!secrets || typeof secrets !== 'object' || Object.keys(secrets).length === 0) {
+    return;
+  }
+  const dir = path.dirname(resolvedPath);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  }
+
+  const appendContent = yaml.dump(secrets, YAML_DUMP_OPTS);
+
+  if (!fs.existsSync(resolvedPath)) {
+    fs.writeFileSync(resolvedPath, appendContent, { mode: 0o600 });
+    return;
+  }
+
+  let existing = '';
+  try {
+    const raw = fs.readFileSync(resolvedPath, 'utf8');
+    existing = typeof raw === 'string' ? raw : '';
+  } catch (err) {
+    logger.warn(`Could not read existing secrets file: ${err.message}; appending new keys only.`);
+  }
+  const separator = existing.length > 0 && !existing.endsWith('\n') ? '\n' : '';
+  fs.writeFileSync(resolvedPath, existing + separator + appendContent, { mode: 0o600 });
+}
+
 /**
  * Generates missing secret keys in secrets file
  * Scans env.template for kv:// references and adds missing keys with secure defaults
@@ -188,8 +294,7 @@ async function generateMissingSecrets(envTemplate, secretsPath) {
     newSecrets[key] = generateSecretValue(key);
   }
 
-  const updatedSecrets = { ...existingSecrets, ...newSecrets };
-  saveSecretsFile(resolvedPath, updatedSecrets);
+  appendSecretsToFile(resolvedPath, newSecrets);
 
   logger.log(`✓ Generated ${missingKeys.length} missing secret key(s): ${missingKeys.join(', ')}`);
   return missingKeys;
@@ -227,11 +332,11 @@ postgres-passwordKeyVault: "admin123"
 
 # Redis Secrets
 redis-passwordKeyVault: ""
-redis-urlKeyVault: "redis://\${REDIS_HOST}:\${REDIS_PORT}"
+redis-url: "redis://\${REDIS_HOST}:\${REDIS_PORT}"
 
 # Keycloak Secrets
 keycloak-admin-passwordKeyVault: "admin123"
-keycloak-auth-server-urlKeyVault: "http://\${KEYCLOAK_HOST}:\${KEYCLOAK_PORT}"
+keycloak-server-url: "http://\${KEYCLOAK_HOST}:\${KEYCLOAK_PORT}"
 `;
 
   fs.writeFileSync(resolvedPath, defaultSecrets, { mode: 0o600 });
@@ -240,8 +345,11 @@ keycloak-auth-server-urlKeyVault: "http://\${KEYCLOAK_HOST}:\${KEYCLOAK_PORT}"
 module.exports = {
   findMissingSecretKeys,
   generateSecretValue,
+  loadYamlTolerantOfDuplicateKeys,
   loadExistingSecrets,
   saveSecretsFile,
+  mergeSecretsIntoFile,
+  appendSecretsToFile,
   generateMissingSecrets,
   createDefaultSecrets
 };