npm - @aifabrix/builder - Versions diffs - 2.40.2 → 2.42.0 - Mend

@aifabrix/builder 2.40.2 → 2.42.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (198) hide show

package/.cursor/rules/docs-rules.mdc +30 -0
package/README.md +7 -5
package/integration/hubspot/README.md +8 -4
package/integration/hubspot/application.json +54 -0
package/integration/hubspot/create-hubspot.js +9 -136
package/integration/hubspot/env.template +3 -4
package/integration/hubspot/hubspot-datasource-company.json +343 -5
package/integration/hubspot/hubspot-datasource-contact.json +413 -5
package/integration/hubspot/hubspot-datasource-deal.json +341 -4
package/integration/hubspot/hubspot-datasource-users.json +116 -0
package/integration/hubspot/hubspot-deploy.json +1250 -108
package/integration/hubspot/hubspot-system.json +15 -32
package/integration/hubspot/test-dataplane-down-tests.js +17 -16
package/integration/hubspot/test-dataplane-down.js +2 -2
package/integration/hubspot/test.js +1 -1
package/jest.config.manual.js +2 -1
package/lib/api/credential.api.js +40 -0
package/lib/api/dev.api.js +423 -0
package/lib/api/external-test.api.js +111 -0
package/lib/api/index.js +42 -19
package/lib/api/pipeline.api.js +66 -120
package/lib/api/types/credential.types.js +23 -0
package/lib/api/types/dev.types.js +140 -0
package/lib/api/types/pipeline.types.js +37 -0
package/lib/api/wizard-platform.api.js +61 -0
package/lib/api/wizard.api.js +34 -1
package/lib/app/config.js +44 -11
package/lib/app/down.js +2 -1
package/lib/app/index.js +12 -1
package/lib/app/prompts.js +44 -29
package/lib/app/push.js +36 -12
package/lib/app/readme.js +9 -6
package/lib/app/run-env-compose.js +264 -0
package/lib/app/run-helpers.js +121 -118
package/lib/app/run.js +148 -28
package/lib/app/show-display.js +1 -1
package/lib/app/show.js +5 -2
package/lib/build/index.js +11 -3
package/lib/cli/setup-app.js +172 -15
package/lib/cli/setup-credential-deployment.js +31 -6
package/lib/cli/setup-dev.js +206 -16
package/lib/cli/setup-environment.js +16 -6
package/lib/cli/setup-external-system.js +89 -24
package/lib/cli/setup-infra.js +82 -15
package/lib/cli/setup-secrets.js +52 -5
package/lib/cli/setup-utility.js +129 -24
package/lib/commands/app-install.js +172 -0
package/lib/commands/app-shell.js +75 -0
package/lib/commands/app-test.js +282 -0
package/lib/commands/app.js +1 -1
package/lib/commands/credential-env.js +162 -0
package/lib/commands/credential-list.js +17 -22
package/lib/commands/credential-push.js +96 -0
package/lib/commands/datasource.js +77 -6
package/lib/commands/dev-cli-handlers.js +141 -0
package/lib/commands/dev-down.js +114 -0
package/lib/commands/dev-init.js +347 -0
package/lib/commands/repair-auth-config.js +99 -0
package/lib/commands/repair-datasource-keys.js +208 -0
package/lib/commands/repair-datasource.js +235 -0
package/lib/commands/repair-env-template.js +348 -0
package/lib/commands/repair-internal.js +85 -0
package/lib/commands/repair-rbac.js +158 -0
package/lib/commands/repair.js +507 -0
package/lib/commands/secrets-list.js +118 -0
package/lib/commands/secrets-remove.js +97 -0
package/lib/commands/secrets-set.js +30 -17
package/lib/commands/secrets-validate.js +50 -0
package/lib/commands/test-e2e-external.js +165 -0
package/lib/commands/up-dataplane.js +2 -2
package/lib/commands/up-miso.js +0 -25
package/lib/commands/upload.js +96 -40
package/lib/commands/wizard-core-helpers.js +226 -4
package/lib/commands/wizard-core.js +67 -29
package/lib/commands/wizard-dataplane.js +1 -1
package/lib/commands/wizard-entity-selection.js +43 -0
package/lib/commands/wizard-headless.js +44 -5
package/lib/commands/wizard-helpers.js +7 -3
package/lib/commands/wizard.js +86 -64
package/lib/core/admin-secrets.js +96 -0
package/lib/core/config.js +7 -1
package/lib/core/secrets-ensure.js +378 -0
package/lib/core/secrets-env-write.js +157 -0
package/lib/core/secrets.js +176 -89
package/lib/datasource/deploy.js +12 -3
package/lib/datasource/field-reference-validator.js +91 -0
package/lib/datasource/test-e2e.js +219 -0
package/lib/datasource/test-integration.js +154 -0
package/lib/datasource/validate.js +21 -3
package/lib/deployment/deployer.js +7 -5
package/lib/deployment/environment-config.js +137 -0
package/lib/deployment/environment.js +21 -98
package/lib/deployment/push.js +32 -2
package/lib/external-system/download.js +188 -203
package/lib/external-system/generator.js +204 -56
package/lib/external-system/test-auth.js +7 -3
package/lib/external-system/test-execution.js +2 -1
package/lib/external-system/test-system-level.js +73 -0
package/lib/external-system/test.js +56 -19
package/lib/generator/external-controller-manifest.js +29 -2
package/lib/generator/external-schema-utils.js +1 -1
package/lib/generator/external.js +10 -3
package/lib/generator/index.js +177 -25
package/lib/generator/split-readme.js +1 -0
package/lib/generator/split-variables.js +7 -1
package/lib/generator/split.js +194 -54
package/lib/generator/wizard-prompts-secondary.js +294 -0
package/lib/generator/wizard-prompts.js +105 -106
package/lib/generator/wizard-readme.js +88 -0
package/lib/generator/wizard.js +155 -158
package/lib/infrastructure/compose.js +11 -1
package/lib/infrastructure/helpers.js +103 -20
package/lib/infrastructure/index.js +98 -12
package/lib/infrastructure/services.js +88 -22
package/lib/schema/application-schema.json +32 -8
package/lib/schema/external-datasource.schema.json +49 -26
package/lib/schema/external-system.schema.json +509 -411
package/lib/schema/wizard-config.schema.json +16 -0
package/lib/utils/api.js +41 -13
package/lib/utils/app-register-auth.js +25 -3
package/lib/utils/auth-headers.js +8 -7
package/lib/utils/cli-utils.js +20 -0
package/lib/utils/compose-generator.js +77 -76
package/lib/utils/compose-handlebars-helpers.js +54 -0
package/lib/utils/compose-vector-helper.js +18 -0
package/lib/utils/config-format-preference.js +51 -0
package/lib/utils/config-format.js +36 -0
package/lib/utils/config-paths.js +127 -2
package/lib/utils/configuration-env-resolver.js +179 -0
package/lib/utils/credential-display.js +83 -0
package/lib/utils/credential-secrets-env.js +357 -0
package/lib/utils/dataplane-pipeline-warning.js +28 -0
package/lib/utils/deployment-validation-helpers.js +4 -4
package/lib/utils/dev-ca-install.js +139 -0
package/lib/utils/dev-cert-helper.js +122 -0
package/lib/utils/device-code-helpers.js +224 -0
package/lib/utils/device-code.js +37 -336
package/lib/utils/docker-build.js +40 -8
package/lib/utils/env-copy.js +103 -13
package/lib/utils/env-map.js +35 -5
package/lib/utils/env-template.js +6 -5
package/lib/utils/error-formatters/http-status-errors.js +20 -2
package/lib/utils/error-formatters/permission-errors.js +0 -1
package/lib/utils/error-formatters/validation-errors.js +0 -1
package/lib/utils/external-readme.js +56 -29
package/lib/utils/external-system-display.js +59 -1
package/lib/utils/external-system-test-helpers.js +21 -8
package/lib/utils/external-system-validators.js +3 -0
package/lib/utils/file-upload.js +20 -50
package/lib/utils/help-builder.js +16 -2
package/lib/utils/infra-status.js +80 -45
package/lib/utils/local-secrets.js +7 -52
package/lib/utils/mutagen-install.js +195 -0
package/lib/utils/mutagen.js +146 -0
package/lib/utils/paths.js +128 -37
package/lib/utils/port-resolver.js +28 -16
package/lib/utils/remote-dev-auth.js +38 -0
package/lib/utils/remote-docker-env.js +43 -0
package/lib/utils/remote-secrets-loader.js +60 -0
package/lib/utils/secrets-canonical.js +93 -0
package/lib/utils/secrets-generator.js +114 -6
package/lib/utils/secrets-helpers.js +108 -114
package/lib/utils/secrets-path.js +2 -2
package/lib/utils/secrets-utils.js +52 -1
package/lib/utils/secrets-validation.js +84 -0
package/lib/utils/ssh-key-helper.js +116 -0
package/lib/utils/test-log-writer.js +56 -0
package/lib/utils/token-manager-messages.js +90 -0
package/lib/utils/token-manager.js +29 -36
package/lib/utils/variable-transformer.js +3 -3
package/lib/validation/env-template-auth.js +157 -0
package/lib/validation/env-template-kv.js +41 -0
package/lib/validation/external-manifest-validator.js +25 -0
package/lib/validation/external-system-auth-rules.js +86 -0
package/lib/validation/validate-batch.js +149 -0
package/lib/validation/validate-datasource-keys-api.js +33 -0
package/lib/validation/validate-display.js +94 -16
package/lib/validation/validate.js +25 -12
package/lib/validation/validator.js +72 -9
package/lib/validation/wizard-datasource-validation.js +50 -0
package/package.json +8 -3
package/scripts/install-local.js +34 -15
package/templates/README.md +0 -1
package/templates/applications/README.md.hbs +4 -4
package/templates/applications/dataplane/application.yaml +6 -5
package/templates/applications/dataplane/env.template +15 -10
package/templates/applications/dataplane/rbac.yaml +2 -2
package/templates/applications/keycloak/env.template +2 -0
package/templates/applications/miso-controller/application.yaml +1 -0
package/templates/applications/miso-controller/env.template +12 -10
package/templates/external-system/README.md.hbs +65 -25
package/templates/external-system/deploy.js.hbs +4 -2
package/templates/external-system/external-datasource.yaml.hbs +217 -0
package/templates/external-system/external-system.json.hbs +1 -18
package/templates/infra/compose.yaml.hbs +6 -0
package/templates/python/docker-compose.hbs +49 -23
package/templates/typescript/docker-compose.hbs +48 -22
package/integration/hubspot/application.yaml +0 -37

package/integration/hubspot/hubspot-system.json CHANGED Viewed

@@ -5,41 +5,18 @@
   "type": "openapi",
   "enabled": true,
   "authentication": {
-    "type": "oauth2",
-    "mode": "oauth2",
-    "oauth2": {
-      "tokenUrl": "{{TOKENURL}}",
-      "clientId": "{{CLIENTID}}",
-      "clientSecret": "{{CLIENTSECRET}}",
-      "scopes": [
-        "crm.objects.companies.read",
-        "crm.objects.companies.write",
-        "crm.objects.contacts.read",
-        "crm.objects.contacts.write",
-        "crm.objects.deals.read",
-        "crm.objects.deals.write"
-      ]
+    "method": "oauth2",
+    "variables": {
+      "baseUrl": "https://api.hubapi.com",
+      "tokenUrl": "https://api.hubapi.com/oauth/v1/token",
+      "scope": "crm.objects.companies.read crm.objects.companies.write crm.objects.contacts.read crm.objects.contacts.write crm.objects.deals.read crm.objects.deals.write"
+    },
+    "security": {
+      "clientId": "kv://hubspot/clientid",
+      "clientSecret": "kv://hubspot/clientsecret"
     }
   },
   "configuration": [
-    {
-      "name": "CLIENTID",
-      "value": "hubspot-clientidKeyVault",
-      "location": "keyvault",
-      "required": true
-    },
-    {
-      "name": "CLIENTSECRET",
-      "value": "hubspot-clientsecretKeyVault",
-      "location": "keyvault",
-      "required": true
-    },
-    {
-      "name": "TOKENURL",
-      "value": "https://api.hubapi.com/oauth/v1/token",
-      "location": "variable",
-      "required": true
-    },
     {
       "name": "HUBSPOT_API_VERSION",
       "value": "v3",
@@ -86,5 +63,11 @@
     "sales",
     "marketing",
     "hubspot"
+  ],
+  "dataSources": [
+    "hubspot-company",
+    "hubspot-contact",
+    "hubspot-deal",
+    "hubspot-users-datasource"
   ]
 }

package/integration/hubspot/test-dataplane-down-tests.js CHANGED Viewed

@@ -194,27 +194,27 @@ async function createTestDatasource(datasourcePath) {
 }
 /**
- * Builds datasource deploy command arguments
- * @function buildDatasourceDeployArgs
+ * Builds datasource upload command arguments
+ * @function buildDatasourceUploadArgs
  * @param {string} datasourcePath - Path to datasource file
  * @returns {string[]} Command arguments
  */
-function buildDatasourceDeployArgs(datasourcePath) {
+function buildDatasourceUploadArgs(datasourcePath) {
   return [
     'bin/aifabrix.js',
     'datasource',
-    'deploy',
+    'upload',
     'test-app',
     datasourcePath
   ];
 }
 /**
- * Gets expected error patterns for datasource deploy
- * @function getDatasourceDeployErrorPatterns
+ * Gets expected error patterns for datasource upload
+ * @function getDatasourceUploadErrorPatterns
  * @returns {string[]} Expected error patterns
  */
-function getDatasourceDeployErrorPatterns() {
+function getDatasourceUploadErrorPatterns() {
   return [
     'failed to connect',
     'connection refused',
@@ -224,24 +224,25 @@ function getDatasourceDeployErrorPatterns() {
     'timeout',
     'unreachable',
     'failed to publish',
+    'upload failed',
     'deployment failed'
   ];
 }
 /**
- * Test datasource deploy command with invalid dataplane
+ * Test datasource upload command with invalid dataplane
  * @async
- * @function testDatasourceDeploy
+ * @function testDatasourceUpload
  * @returns {Promise<Object>} Test result
  */
-async function testDatasourceDeploy() {
-  logInfo('\n🚀 Testing: datasource deploy command');
+async function testDatasourceUpload() {
+  logInfo('\n🚀 Testing: datasource upload command');
   const datasourcePath = path.join(process.cwd(), 'integration', 'test-datasource.json');
   try {
     await createTestDatasource(datasourcePath);
-    const args = buildDatasourceDeployArgs(datasourcePath);
+    const args = buildDatasourceUploadArgs(datasourcePath);
     const result = await runCommand('node', args);
     const output = `${result.stdout}\n${result.stderr}`;
@@ -252,18 +253,18 @@ async function testDatasourceDeploy() {
       // Ignore cleanup errors
     }
-    const expectedPatterns = getDatasourceDeployErrorPatterns();
+    const expectedPatterns = getDatasourceUploadErrorPatterns();
     const isValid = !result.success && validateError(output, expectedPatterns);
     return {
-      name: 'datasource deploy',
+      name: 'datasource upload',
       success: isValid,
       output,
       expectedPatterns
     };
   } catch (error) {
     return {
-      name: 'datasource deploy',
+      name: 'datasource upload',
       success: false,
       output: error.message,
       error: error.message
@@ -385,7 +386,7 @@ module.exports = {
   testWizard,
   testDownload,
   testDelete,
-  testDatasourceDeploy,
+  testDatasourceUpload,
   testIntegration,
   testDataplaneDiscovery
 };

package/integration/hubspot/test-dataplane-down.js CHANGED Viewed

@@ -24,7 +24,7 @@ const {
   testWizard,
   testDownload,
   testDelete,
-  testDatasourceDeploy,
+  testDatasourceUpload,
   testIntegration,
   testDataplaneDiscovery
 } = require('./test-dataplane-down-tests');
@@ -139,7 +139,7 @@ async function runTests() {
     testWizard,
     testDownload,
     testDelete,
-    testDatasourceDeploy,
+    testDatasourceUpload,
     testIntegration,
     testDataplaneDiscovery
   ];

package/integration/hubspot/test.js CHANGED Viewed

@@ -281,7 +281,7 @@ async function loadEnvFile(envPath, options) {
 /**
  * Load test config (controller, environment, dataplane, openapi file).
  * Reads integration/hubspot/.env; missing CONTROLLER_URL/ENVIRONMENT fall back to
- * the same resolution as the CLI (aifx auth status) so tests use the same controller.
+ * the same resolution as the CLI (af auth status) so tests use the same controller.
  * @async
  * @function loadTestConfigFromEnv
  * @returns {Promise<Object>} Context with controllerUrl, environment, dataplaneUrl, openapiFile

package/jest.config.manual.js CHANGED Viewed

@@ -10,6 +10,8 @@
 const baseProject = require('./jest.config').projects[0];
 module.exports = {
+  // Top-level so Jest actually applies it (project-level testTimeout is ignored in some Jest versions)
+  testTimeout: 60000,
   projects: [
     {
       ...baseProject,
@@ -22,7 +24,6 @@ module.exports = {
         '\\\\node_modules\\\\'
       ],
       setupFilesAfterEnv: ['<rootDir>/tests/manual/setup.js'],
-      testTimeout: 60000,
       maxWorkers: 1
     }
   ]

package/lib/api/credential.api.js ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * @fileoverview Credential API functions (Dataplane secret store)
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+const { ApiClient } = require('./index');
+const CREDENTIAL_SECRET_ENDPOINT = '/api/v1/credential/secret';
+/**
+ * Store credential secrets in the dataplane secret store.
+ * Values are encrypted at rest by the dataplane; send plain values only (no kv:// as value).
+ *
+ * POST /api/v1/credential/secret
+ * @requiresPermission {Dataplane} credential:create
+ * @async
+ * @function storeCredentialSecrets
+ * @param {string} dataplaneUrl - Dataplane base URL
+ * @param {Object} authConfig - Authentication configuration (Bearer token required)
+ * @param {Array<{ key: string, value: string }>} items - Secret items (key = kv path, value = plain)
+ * @returns {Promise<{ stored?: number, success?: boolean, error?: string }>} Secret store response
+ * @throws {Error} If request fails (non-2xx) and caller may handle 403/401 as warning
+ */
+async function storeCredentialSecrets(dataplaneUrl, authConfig, items) {
+  if (!dataplaneUrl || typeof dataplaneUrl !== 'string') {
+    throw new Error('dataplaneUrl is required and must be a string');
+  }
+  if (!items || !Array.isArray(items) || items.length === 0) {
+    return { stored: 0 };
+  }
+  const client = new ApiClient(dataplaneUrl, authConfig);
+  return await client.post(CREDENTIAL_SECRET_ENDPOINT, {
+    body: items
+  });
+}
+module.exports = {
+  storeCredentialSecrets
+};

package/lib/api/dev.api.js ADDED Viewed

@@ -0,0 +1,423 @@
+/**
+ * @fileoverview Builder Server (dev) API – issue-cert, settings, users, SSH keys, secrets.
+ * First call: issue-cert is public (no client cert). All other routes require client certificate:
+ * when clientKeyPem is provided, requests use mTLS (TLS client cert); otherwise X-Client-Cert header only.
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+const https = require('https');
+const { makeApiCall } = require('../utils/api');
+const DEFAULT_TIMEOUT_MS = 15000;
+/**
+ * Encode PEM for use in X-Client-Cert header. HTTP header values must not contain newlines;
+ * we send certPem as base64: Buffer.from(pem, 'utf8').toString('base64').
+ * Server should decode with Buffer.from(headerVal, 'base64').toString('utf8').
+ * @param {string} clientCertPem - PEM-encoded client certificate
+ * @returns {string} Base64-encoded PEM for header
+ */
+function encodeCertForHeader(clientCertPem) {
+  if (!clientCertPem || typeof clientCertPem !== 'string') return '';
+  return Buffer.from(clientCertPem, 'utf8').toString('base64');
+}
+/**
+ * Normalize base URL (no trailing slash)
+ * @param {string} serverUrl - Base URL of Builder Server
+ * @returns {string} Normalized URL
+ */
+function normalizeBaseUrl(serverUrl) {
+  if (!serverUrl || typeof serverUrl !== 'string') {
+    throw new Error('remote-server URL is required and must be a string');
+  }
+  return serverUrl.trim().replace(/\/+$/, '');
+}
+/**
+ * Build full URL for an endpoint path
+ * @param {string} baseUrl - Normalized base URL
+ * @param {string} path - Path (e.g. /api/dev/issue-cert)
+ * @returns {string} Full URL
+ */
+function buildUrl(baseUrl, path) {
+  const p = path.startsWith('/') ? path : `/${path}`;
+  return `${baseUrl}${p}`;
+}
+/**
+ * Make request to Builder Server. Throws on !success with message from response or error.
+ * @param {string} url - Full URL
+ * @param {Object} options - Fetch options (method, headers, body)
+ * @returns {Promise<Object>} result.data when success
+ */
+async function request(url, options = {}) {
+  const fetchOptions = {
+    method: options.method || 'GET',
+    headers: { 'Content-Type': 'application/json', ...options.headers },
+    signal: AbortSignal.timeout(DEFAULT_TIMEOUT_MS)
+  };
+  if (options.body !== undefined) {
+    fetchOptions.body = typeof options.body === 'string' ? options.body : JSON.stringify(options.body);
+  }
+  const result = await makeApiCall(url, fetchOptions);
+  if (!result.success) {
+    const msg = result.formattedError || result.error || result.message || `Request failed (${result.status})`;
+    const err = new Error(msg);
+    err.status = result.status;
+    err.errorData = result.errorData;
+    throw err;
+  }
+  return result.data;
+}
+/**
+ * Build request options and TLS agent for mTLS request.
+ * @param {string} url - Full URL
+ * @param {Object} options - { method, headers, body }
+ * @param {string} certPem - PEM client certificate
+ * @param {string} keyPem - PEM client key
+ * @returns {{ urlObj: URL, method: string, headers: Object, body: string|undefined, agent: https.Agent }}
+ */
+function buildMtlsRequestOptions(url, options, certPem, keyPem) {
+  const urlObj = new URL(url);
+  const method = (options.method || 'GET').toUpperCase();
+  const headers = { 'Content-Type': 'application/json', ...options.headers };
+  let body = options.body;
+  if (body !== undefined && typeof body !== 'string') {
+    body = JSON.stringify(body);
+  }
+  if (body) {
+    headers['Content-Length'] = Buffer.byteLength(body, 'utf8');
+  }
+  const tlsOptions = { cert: certPem, key: keyPem, rejectUnauthorized: true };
+  const agent = new https.Agent(tlsOptions);
+  return { urlObj, method, headers, body, agent, tlsOptions };
+}
+/**
+ * Handle mTLS response: collect body, parse JSON, resolve or reject.
+ * @param {import('http').IncomingMessage} res - HTTP response
+ * @param {Function} resolve - Promise resolve
+ * @param {Function} reject - Promise reject
+ */
+function handleMtlsResponse(res, resolve, reject) {
+  const chunks = [];
+  res.on('data', (c) => chunks.push(c));
+  res.on('end', () => {
+    const raw = Buffer.concat(chunks).toString('utf8');
+    let data;
+    try {
+      data = raw ? JSON.parse(raw) : {};
+    } catch {
+      data = raw;
+    }
+    if (res.statusCode < 200 || res.statusCode >= 300) {
+      const msg = (data && (data.message || data.error)) || res.statusMessage || `Request failed (${res.statusCode})`;
+      const err = new Error(msg);
+      err.status = res.statusCode;
+      err.errorData = data;
+      reject(err);
+    } else {
+      resolve(data);
+    }
+  });
+}
+/**
+ * Make request with mTLS (TLS client certificate). Uses Node https module so the client cert
+ * is presented in the TLS handshake. Also sends X-Client-Cert header for backends that read it.
+ * @param {string} url - Full URL (https only)
+ * @param {Object} options - { method, headers, body }
+ * @param {string} certPem - PEM-encoded client certificate
+ * @param {string} keyPem - PEM-encoded client private key
+ * @returns {Promise<Object>} response data when success
+ */
+function requestWithCertImpl(url, options, certPem, keyPem) {
+  return new Promise((resolve, reject) => {
+    const urlObj = new URL(url);
+    if (urlObj.protocol !== 'https:') {
+      reject(new Error('mTLS request requires https URL'));
+      return;
+    }
+    const { method, headers, body, agent, tlsOptions } = buildMtlsRequestOptions(url, options, certPem, keyPem);
+    const req = https.request(
+      {
+        hostname: urlObj.hostname,
+        port: urlObj.port || 443,
+        path: urlObj.pathname + urlObj.search,
+        method,
+        headers,
+        agent,
+        ...tlsOptions
+      },
+      (res) => handleMtlsResponse(res, resolve, reject)
+    );
+    req.on('error', reject);
+    req.setTimeout(DEFAULT_TIMEOUT_MS, () => {
+      req.destroy();
+      reject(new Error(`Request timed out after ${DEFAULT_TIMEOUT_MS}ms`));
+    });
+    if (body) {
+      req.write(body, 'utf8');
+    }
+    req.end();
+  });
+}
+/**
+ * Issue developer certificate (public; no client cert). POST /api/dev/issue-cert
+ * @requiresPermission {BuilderServer} Public (no auth required)
+ * @param {string} serverUrl - Builder Server base URL
+ * @param {Object} body - IssueCertDto: developerId, pin, csr
+ * @returns {Promise<Object>} IssueCertResponseDto: certificate, validDays, validNotAfter
+ */
+async function issueCert(serverUrl, body) {
+  const base = normalizeBaseUrl(serverUrl);
+  return request(buildUrl(base, '/api/dev/issue-cert'), { method: 'POST', body });
+}
+/**
+ * Get health. GET /health (public)
+ * @requiresPermission {BuilderServer} Public (no auth required)
+ * @param {string} serverUrl - Builder Server base URL
+ * @returns {Promise<Object>} HealthResponseDto: status, checks (dataDir, encryptionKey, ca, users, tokens)
+ */
+async function getHealth(serverUrl) {
+  const base = normalizeBaseUrl(serverUrl);
+  return request(buildUrl(base, '/health'));
+}
+/**
+ * Get developer settings (cert-authenticated). GET /api/dev/settings
+ * When clientKeyPem is provided, uses mTLS (TLS client cert); otherwise X-Client-Cert header only.
+ * @requiresPermission {BuilderServer} Client certificate (X-Client-Cert or mTLS)
+ * @param {string} serverUrl - Builder Server base URL
+ * @param {string} clientCertPem - PEM-encoded client certificate
+ * @param {string} [clientKeyPem] - PEM-encoded client private key (enables mTLS when provided)
+ * @returns {Promise<Object>} SettingsResponseDto
+ */
+async function getSettings(serverUrl, clientCertPem, clientKeyPem) {
+  if (!clientCertPem || typeof clientCertPem !== 'string') {
+    throw new Error('Client certificate PEM is required for getSettings');
+  }
+  const base = normalizeBaseUrl(serverUrl);
+  const url = buildUrl(base, '/api/dev/settings');
+  const reqOptions = { method: 'GET', headers: { 'X-Client-Cert': encodeCertForHeader(clientCertPem) } };
+  if (clientKeyPem && typeof clientKeyPem === 'string') {
+    return requestWithCertImpl(url, reqOptions, clientCertPem, clientKeyPem);
+  }
+  return request(url, reqOptions);
+}
+/**
+ * List developers. GET /api/dev/users
+ * @requiresPermission {BuilderServer} Client certificate (X-Client-Cert)
+ * @param {string} serverUrl - Builder Server base URL
+ * @param {string} clientCertPem - PEM client certificate
+ * @returns {Promise<Object[]>} Array of UserResponseDto (empty when none)
+ */
+async function listUsers(serverUrl, clientCertPem) {
+  const base = normalizeBaseUrl(serverUrl);
+  const data = await request(buildUrl(base, '/api/dev/users'), {
+    method: 'GET',
+    headers: { 'X-Client-Cert': encodeCertForHeader(clientCertPem) }
+  });
+  return Array.isArray(data) ? data : [];
+}
+/**
+ * Create developer. POST /api/dev/users
+ * @requiresPermission {BuilderServer} Client certificate (X-Client-Cert)
+ * @param {string} serverUrl - Builder Server base URL
+ * @param {string} clientCertPem - PEM client certificate
+ * @param {Object} body - CreateUserDto: developerId, name, email, optional groups
+ * @returns {Promise<Object>} UserResponseDto
+ */
+async function createUser(serverUrl, clientCertPem, body) {
+  const base = normalizeBaseUrl(serverUrl);
+  return request(buildUrl(base, '/api/dev/users'), {
+    method: 'POST',
+    headers: { 'X-Client-Cert': encodeCertForHeader(clientCertPem) },
+    body
+  });
+}
+/**
+ * Update developer. PATCH /api/dev/users/:id
+ * @requiresPermission {BuilderServer} Client certificate (X-Client-Cert)
+ * @param {string} serverUrl - Builder Server base URL
+ * @param {string} clientCertPem - PEM client certificate
+ * @param {string} id - Developer ID
+ * @param {Object} body - UpdateUserDto: at least one of name, email, groups
+ * @returns {Promise<Object>} UserResponseDto
+ */
+async function updateUser(serverUrl, clientCertPem, id, body) {
+  const base = normalizeBaseUrl(serverUrl);
+  return request(buildUrl(base, `/api/dev/users/${encodeURIComponent(id)}`), {
+    method: 'PATCH',
+    headers: { 'X-Client-Cert': encodeCertForHeader(clientCertPem) },
+    body
+  });
+}
+/**
+ * Delete developer. DELETE /api/dev/users/:id
+ * @requiresPermission {BuilderServer} Client certificate (X-Client-Cert)
+ * @param {string} serverUrl - Builder Server base URL
+ * @param {string} clientCertPem - PEM client certificate
+ * @param {string} id - Developer ID
+ * @returns {Promise<Object>} DeletedResponseDto
+ */
+async function deleteUser(serverUrl, clientCertPem, id) {
+  const base = normalizeBaseUrl(serverUrl);
+  return request(buildUrl(base, `/api/dev/users/${encodeURIComponent(id)}`), {
+    method: 'DELETE',
+    headers: { 'X-Client-Cert': encodeCertForHeader(clientCertPem) }
+  });
+}
+/**
+ * Create or regenerate one-time PIN. POST /api/dev/users/:id/pin
+ * @requiresPermission {BuilderServer} Client certificate (X-Client-Cert)
+ * @param {string} serverUrl - Builder Server base URL
+ * @param {string} clientCertPem - PEM client certificate
+ * @param {string} id - Developer ID
+ * @returns {Promise<Object>} CreatePinResponseDto: pin, expiresAt
+ */
+async function createPin(serverUrl, clientCertPem, id) {
+  const base = normalizeBaseUrl(serverUrl);
+  return request(buildUrl(base, `/api/dev/users/${encodeURIComponent(id)}/pin`), {
+    method: 'POST',
+    headers: { 'X-Client-Cert': encodeCertForHeader(clientCertPem) }
+  });
+}
+/**
+ * List SSH keys for developer. GET /api/dev/users/:id/ssh-keys
+ * @requiresPermission {BuilderServer} Client certificate (X-Client-Cert)
+ * @param {string} serverUrl - Builder Server base URL
+ * @param {string} clientCertPem - PEM client certificate
+ * @param {string} id - Developer ID
+ * @returns {Promise<Object[]>} Array of SshKeyItemDto
+ */
+async function listSshKeys(serverUrl, clientCertPem, id) {
+  const base = normalizeBaseUrl(serverUrl);
+  const data = await request(buildUrl(base, `/api/dev/users/${encodeURIComponent(id)}/ssh-keys`), {
+    method: 'GET',
+    headers: { 'X-Client-Cert': encodeCertForHeader(clientCertPem) }
+  });
+  return Array.isArray(data) ? data : [];
+}
+/**
+ * Add SSH public key for developer. POST /api/dev/users/:id/ssh-keys
+ * When clientKeyPem is provided, uses mTLS (TLS client cert); otherwise X-Client-Cert header only.
+ * @requiresPermission {BuilderServer} Client certificate (X-Client-Cert or mTLS)
+ * @param {string} serverUrl - Builder Server base URL
+ * @param {string} clientCertPem - PEM client certificate
+ * @param {string} id - Developer ID
+ * @param {Object} body - AddSshKeyDto: publicKey, optional label
+ * @param {string} [clientKeyPem] - PEM-encoded client private key (enables mTLS when provided)
+ * @returns {Promise<Object>} SshKeyItemDto
+ */
+async function addSshKey(serverUrl, clientCertPem, id, body, clientKeyPem) {
+  const base = normalizeBaseUrl(serverUrl);
+  const url = buildUrl(base, `/api/dev/users/${encodeURIComponent(id)}/ssh-keys`);
+  const reqOptions = {
+    method: 'POST',
+    headers: { 'X-Client-Cert': encodeCertForHeader(clientCertPem) },
+    body
+  };
+  if (clientKeyPem && typeof clientKeyPem === 'string') {
+    return requestWithCertImpl(url, reqOptions, clientCertPem, clientKeyPem);
+  }
+  return request(url, reqOptions);
+}
+/**
+ * Remove SSH key by fingerprint. DELETE /api/dev/users/:id/ssh-keys/:fingerprint
+ * @requiresPermission {BuilderServer} Client certificate (X-Client-Cert)
+ * @param {string} serverUrl - Builder Server base URL
+ * @param {string} clientCertPem - PEM client certificate
+ * @param {string} id - Developer ID
+ * @param {string} fingerprint - Key fingerprint
+ * @returns {Promise<Object>} DeletedResponseDto
+ */
+async function removeSshKey(serverUrl, clientCertPem, id, fingerprint) {
+  const base = normalizeBaseUrl(serverUrl);
+  return request(buildUrl(base, `/api/dev/users/${encodeURIComponent(id)}/ssh-keys/${encodeURIComponent(fingerprint)}`), {
+    method: 'DELETE',
+    headers: { 'X-Client-Cert': encodeCertForHeader(clientCertPem) }
+  });
+}
+/**
+ * List secrets. GET /api/dev/secrets
+ * @requiresPermission {BuilderServer} Client certificate (X-Client-Cert)
+ * @param {string} serverUrl - Builder Server base URL
+ * @param {string} clientCertPem - PEM client certificate
+ * @returns {Promise<Object[]>} Array of SecretItemDto: name, value
+ */
+async function listSecrets(serverUrl, clientCertPem) {
+  const base = normalizeBaseUrl(serverUrl);
+  const data = await request(buildUrl(base, '/api/dev/secrets'), {
+    method: 'GET',
+    headers: { 'X-Client-Cert': encodeCertForHeader(clientCertPem) }
+  });
+  return Array.isArray(data) ? data : [];
+}
+/**
+ * Add or update secret. POST /api/dev/secrets
+ * @requiresPermission {BuilderServer} Client certificate (X-Client-Cert)
+ * @param {string} serverUrl - Builder Server base URL
+ * @param {string} clientCertPem - PEM client certificate
+ * @param {Object} body - AddSecretDto: key, value
+ * @returns {Promise<Object>} AddSecretResponseDto
+ */
+async function addSecret(serverUrl, clientCertPem, body) {
+  const base = normalizeBaseUrl(serverUrl);
+  return request(buildUrl(base, '/api/dev/secrets'), {
+    method: 'POST',
+    headers: { 'X-Client-Cert': encodeCertForHeader(clientCertPem) },
+    body
+  });
+}
+/**
+ * Delete secret by key. DELETE /api/dev/secrets/:key
+ * @requiresPermission {BuilderServer} Client certificate (X-Client-Cert)
+ * @param {string} serverUrl - Builder Server base URL
+ * @param {string} clientCertPem - PEM client certificate
+ * @param {string} key - Secret key
+ * @returns {Promise<Object>} DeleteSecretResponseDto
+ */
+async function deleteSecret(serverUrl, clientCertPem, key) {
+  const base = normalizeBaseUrl(serverUrl);
+  return request(buildUrl(base, `/api/dev/secrets/${encodeURIComponent(key)}`), {
+    method: 'DELETE',
+    headers: { 'X-Client-Cert': encodeCertForHeader(clientCertPem) }
+  });
+}
+module.exports = {
+  issueCert,
+  getHealth,
+  getSettings,
+  listUsers,
+  createUser,
+  updateUser,
+  deleteUser,
+  createPin,
+  listSshKeys,
+  addSshKey,
+  removeSshKey,
+  listSecrets,
+  addSecret,
+  deleteSecret,
+  normalizeBaseUrl,
+  buildUrl,
+  encodeCertForHeader
+};