@aifabrix/builder 2.41.0 → 2.42.1

package/lib/commands/repair-env-template.js

@@ -0,0 +1,348 @@
+/**
+ * Helpers for repairing env.template from system config (KV_* names, path-style kv://).
+ * @fileoverview Repair env.template to match system file
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const path = require('path');
+const fs = require('fs');
+const { systemKeyToKvPrefix, kvEnvKeyToPath, securityKeyToVar } = require('../utils/credential-secrets-env');
+const { extractEnvTemplate } = require('../generator/split');
+
+/**
+ * Normalizes a keyvault config entry to canonical KV_* name and path-style value.
+ * Path format: kv://<system-key>/<variable> (e.g. kv://microsoft-teams/clientId).
+ * @param {Object} entry - Config entry with name, value, location
+ * @param {string} prefix - KV prefix (e.g. MICROSOFT_TEAMS)
+ * @param {string} systemKey - System key (e.g. microsoft-teams) for path namespace
+ * @returns {{ name: string, value: string }|null}
+ */
+function normalizeKeyvaultEntry(entry, prefix, systemKey) {
+  const afterPrefix = entry.name.startsWith(`KV_${prefix}_`)
+    ? entry.name.slice(`KV_${prefix}_`.length)
+    : entry.name.replace(/^KV_[A-Z0-9]+_/, '');
+  const normalizedVar = afterPrefix.replace(/_/g, '').toUpperCase();
+  const normalizedName = `KV_${prefix}_${normalizedVar}`;
+  const pathVal = kvEnvKeyToPath(normalizedName, systemKey);
+  if (!pathVal) return null;
+  return {
+    name: normalizedName,
+    value: pathVal.replace(/^kv:\/\//, ''),
+    location: 'keyvault'
+  };
+}
+
+/**
+ * Adds effective config entries from system configuration array.
+ * @param {Array} effective - Mutable result array
+ * @param {Array} config - System configuration array
+ * @param {string} prefix - KV prefix
+ * @param {Set<string>} seenNames - Mutable set of names already added
+ * @param {string} systemKey - System key for path format kv://systemKey/variable
+ */
+function addFromConfiguration(effective, config, prefix, seenNames, systemKey) {
+  for (const entry of config) {
+    if (!entry || !entry.name) continue;
+    if (entry.location === 'keyvault') {
+      const normalized = normalizeKeyvaultEntry(entry, prefix, systemKey);
+      if (normalized && !seenNames.has(normalized.name)) {
+        effective.push(normalized);
+        seenNames.add(normalized.name);
+      }
+    } else if (!seenNames.has(entry.name)) {
+      effective.push({
+        name: entry.name,
+        value: String(entry.value ?? ''),
+        location: entry.location
+      });
+      seenNames.add(entry.name);
+    }
+  }
+}
+
+/**
+ * Adds effective config entries from authentication.security.
+ * Path format: kv://<system-key>/<variable> (e.g. kv://microsoft-teams/clientId).
+ * @param {Array} effective - Mutable result array
+ * @param {Object} systemParsed - Parsed system config
+ * @param {string} prefix - KV prefix
+ * @param {Set<string>} seenNames - Mutable set of names already added
+ * @param {string} systemKey - System key for path namespace
+ */
+function addFromAuthSecurity(effective, systemParsed, prefix, seenNames, systemKey) {
+  const security = systemParsed.authentication?.security;
+  if (!security || typeof security !== 'object') return;
+  for (const key of Object.keys(security)) {
+    const envName = `KV_${prefix}_${securityKeyToVar(key)}`;
+    if (seenNames.has(envName)) continue;
+    const pathVal = kvEnvKeyToPath(envName, systemKey);
+    if (pathVal) {
+      effective.push({
+        name: envName,
+        value: pathVal.replace(/^kv:\/\//, ''),
+        location: 'keyvault'
+      });
+      seenNames.add(envName);
+    }
+  }
+}
+
+/**
+ * Builds effective configuration array from system (KV_* names, path-style kv://).
+ * @param {Object} systemParsed - Parsed system config
+ * @param {string} systemKey - System key (e.g. 'hubspot')
+ * @returns {Array<{ name: string, value: string, location?: string }>}
+ */
+function buildEffectiveConfiguration(systemParsed, systemKey) {
+  const effective = [];
+  const prefix = systemKeyToKvPrefix(systemKey);
+  if (!prefix) return effective;
+  const seenNames = new Set();
+  const config = Array.isArray(systemParsed.configuration) ? systemParsed.configuration : [];
+  addFromConfiguration(effective, config, prefix, seenNames, systemKey);
+  addFromAuthSecurity(effective, systemParsed, prefix, seenNames, systemKey);
+  return effective;
+}
+
+/**
+ * Builds map of env key -> full line (KEY=value) from effective config.
+ * @param {Array} effective - Effective configuration array
+ * @returns {Map<string, string>}
+ */
+function buildExpectedByKey(effective) {
+  const expectedByKey = new Map();
+  const lines = extractEnvTemplate(effective).split('\n').filter(Boolean);
+  for (const line of lines) {
+    const eq = line.indexOf('=');
+    if (eq > 0) {
+      const key = line.substring(0, eq).trim();
+      expectedByKey.set(key, `${key}=${line.substring(eq + 1)}`);
+    }
+  }
+  return expectedByKey;
+}
+
+/**
+ * Creates env.template when missing. Returns true if created (and change pushed).
+ * @param {string} envPath - Path to env.template
+ * @param {Map<string, string>} expectedByKey - Expected key->line map
+ * @param {boolean} dryRun - If true, do not write
+ * @param {string[]} changes - Array to append to
+ * @returns {boolean}
+ */
+function createEnvTemplateIfMissing(envPath, expectedByKey, dryRun, changes) {
+  if (fs.existsSync(envPath)) return false;
+  const lines = Array.from(expectedByKey.values());
+  const content = lines.join('\n');
+  if (!content) return false;
+  if (!dryRun) {
+    fs.writeFileSync(envPath, content + '\n', { mode: 0o644, encoding: 'utf8' });
+  }
+  changes.push('Created env.template from system configuration');
+  return true;
+}
+
+/**
+ * Extracts env key from a commented line (e.g. "# KEY=value" or "#KEY=value"). Returns null if not key=value.
+ * @param {string} trimmed - Trimmed line (starts with #)
+ * @returns {string|null} Key part after # and before =, or null
+ */
+function keyFromCommentedLine(trimmed) {
+  const afterHash = trimmed.slice(1).trim();
+  if (!afterHash.includes('=')) return null;
+  const eq = afterHash.indexOf('=');
+  if (eq <= 0) return null;
+  const key = afterHash.substring(0, eq).trim();
+  return key || null;
+}
+
+/**
+ * Processes one line: keep as-is or replace with expected. Mutates updatedLines, keysWritten, changed.
+ * Preserves existing key=value in env.template: if a key already has a value, that value is never overwritten.
+ * Treats commented key=value (e.g. # KV_X=kv://...) as "already present" so repair does not add it again.
+ * Only missing keys from expectedByKey are added at the end.
+ * @param {string} line - Current line
+ * @param {Map<string, string>} expectedByKey - Expected key->line map
+ * @param {string[]} updatedLines - Mutable output lines
+ * @param {Set<string>} keysWritten - Mutable set of keys written
+ * @param {{ value: boolean }} _changedRef - Mutable changed flag (caller tracks changes)
+ */
+function processLine(line, expectedByKey, updatedLines, keysWritten, _changedRef) {
+  const trimmed = line.trim();
+  if (!trimmed || trimmed.startsWith('#')) {
+    if (trimmed.startsWith('#')) {
+      const commentedKey = keyFromCommentedLine(trimmed);
+      if (commentedKey && expectedByKey.has(commentedKey)) keysWritten.add(commentedKey);
+    }
+    updatedLines.push(line);
+    return;
+  }
+  const eq = line.indexOf('=');
+  if (eq <= 0) {
+    updatedLines.push(line);
+    return;
+  }
+  const key = line.substring(0, eq).trim();
+  if (expectedByKey.has(key)) {
+    // Keep existing value; do not overwrite with expected (user may have set kv:// or custom value)
+    updatedLines.push(line);
+    keysWritten.add(key);
+  } else {
+    updatedLines.push(line);
+  }
+}
+
+/**
+ * Merges existing env.template content with expected key=value lines.
+ * Preserves comments, blank lines, and vars not in expectedByKey.
+ * @param {string} content - Current file content
+ * @param {Map<string, string>} expectedByKey - Expected key->line map
+ * @returns {{ output: string, changed: boolean }}
+ */
+function mergeEnvTemplateContent(content, expectedByKey) {
+  const lines = content.split(/\r?\n/);
+  const updatedLines = [];
+  const keysWritten = new Set();
+  const changedRef = { value: false };
+
+  for (const line of lines) {
+    processLine(line, expectedByKey, updatedLines, keysWritten, changedRef);
+  }
+  for (const key of expectedByKey.keys()) {
+    if (!keysWritten.has(key)) {
+      updatedLines.push(expectedByKey.get(key));
+      changedRef.value = true;
+    }
+  }
+
+  const output = updatedLines.join('\n') + (updatedLines.length > 0 ? '\n' : '');
+  return { output, changed: changedRef.value };
+}
+
+/**
+ * Repairs env.template so KV_ names and path-style kv:// values match the system file.
+ * @param {string} appPath - Application directory path
+ * @param {Object} systemParsed - Parsed system config
+ * @param {string} systemKey - System key
+ * @param {boolean} dryRun - If true, do not write
+ * @param {string[]} changes - Array to append change descriptions to
+ * @returns {boolean} True if env.template was repaired or created
+ */
+function repairEnvTemplate(appPath, systemParsed, systemKey, dryRun, changes) {
+  const effective = buildEffectiveConfiguration(systemParsed, systemKey);
+  const expectedByKey = buildExpectedByKey(effective);
+  const envPath = path.join(appPath, 'env.template');
+
+  if (createEnvTemplateIfMissing(envPath, expectedByKey, dryRun, changes)) {
+    return true;
+  }
+  if (!fs.existsSync(envPath)) {
+    return false;
+  }
+
+  const content = fs.readFileSync(envPath, 'utf8');
+  const { output, changed } = mergeEnvTemplateContent(content, expectedByKey);
+
+  if (changed && !dryRun) {
+    fs.writeFileSync(envPath, output, { mode: 0o644, encoding: 'utf8' });
+  }
+  if (changed) {
+    changes.push('Repaired env.template (KV_* names and path-style kv:// values)');
+    return true;
+  }
+  return false;
+}
+
+/**
+ * Returns true if a kv value looks like legacy format (KeyVault suffix or no path segments).
+ * @param {string} val - Value from authentication.security or configuration
+ * @returns {boolean}
+ */
+function isLegacyKvValue(val) {
+  if (typeof val !== 'string' || !val.trim().toLowerCase().startsWith('kv://')) return false;
+  const after = val.trim().slice(5); // after 'kv://'
+  return after.includes('KeyVault') || !after.includes('/');
+}
+
+/**
+ * Normalizes authentication.security values to path-style kv:// (kv://systemKey/variable).
+ * @param {Object} security - authentication.security object (mutated)
+ * @param {string} prefix - KV prefix (e.g. 'HUBSPOT')
+ * @param {string} systemKey - System key for path namespace
+ * @param {string[]} changes - Array to append change descriptions to
+ * @returns {boolean} True if any change was made
+ */
+function normalizeSecuritySection(security, prefix, systemKey, changes) {
+  let updated = false;
+  for (const key of Object.keys(security)) {
+    const val = security[key];
+    if (typeof val !== 'string' || !isLegacyKvValue(val)) continue;
+    const envName = `KV_${prefix}_${securityKeyToVar(key)}`;
+    const pathVal = kvEnvKeyToPath(envName, systemKey);
+    if (pathVal) {
+      security[key] = pathVal;
+      changes.push(`authentication.security.${key}: normalized to path-style ${pathVal}`);
+      updated = true;
+    }
+  }
+  return updated;
+}
+
+/**
+ * Normalizes configuration array keyvault entries to canonical KV_* names and path-style values.
+ * @param {Object[]} config - configuration array (mutated)
+ * @param {string} prefix - KV prefix (e.g. 'HUBSPOT')
+ * @param {string} systemKey - System key for path namespace
+ * @param {string[]} changes - Array to append change descriptions to
+ * @returns {boolean} True if any change was made
+ */
+function normalizeConfigurationSection(config, prefix, systemKey, changes) {
+  let updated = false;
+  for (let i = 0; i < config.length; i++) {
+    const entry = config[i];
+    if (!entry || !entry.name || (entry.location !== 'keyvault' && !String(entry.name).startsWith('KV_'))) continue;
+    const afterPrefix = entry.name.startsWith(`KV_${prefix}_`)
+      ? entry.name.slice(`KV_${prefix}_`.length)
+      : entry.name.replace(/^KV_[A-Z0-9]+_/, '');
+    const normalizedVar = afterPrefix.replace(/_/g, '').toUpperCase();
+    const canonicalName = `KV_${prefix}_${normalizedVar}`;
+    const pathVal = kvEnvKeyToPath(canonicalName, systemKey);
+    if (!pathVal) continue;
+    const pathValWithoutPrefix = pathVal.replace(/^kv:\/\//, '');
+    const valueLegacy = typeof entry.value === 'string' && (entry.value.includes('KeyVault') || !entry.value.includes('/'));
+    if (entry.name !== canonicalName || (valueLegacy && entry.value !== pathValWithoutPrefix)) {
+      config[i] = { ...entry, name: canonicalName, value: pathValWithoutPrefix, location: 'keyvault' };
+      changes.push(`configuration: normalized ${entry.name} → ${canonicalName}, value → path-style`);
+      updated = true;
+    }
+  }
+  return updated;
+}
+
+/**
+ * Normalizes system file authentication.security and configuration keyvault entries.
+ * @param {Object} systemParsed - Parsed system config (mutated)
+ * @param {string} systemKey - System key (e.g. 'hubspot')
+ * @param {string[]} changes - Array to append change descriptions to
+ * @returns {boolean} True if any change was made
+ */
+function normalizeSystemFileAuthAndConfig(systemParsed, systemKey, changes) {
+  const prefix = systemKeyToKvPrefix(systemKey);
+  if (!prefix) return false;
+  const security = systemParsed.authentication?.security;
+  let updated = (security && typeof security === 'object' && normalizeSecuritySection(security, prefix, systemKey, changes));
+  const config = systemParsed.configuration;
+  if (Array.isArray(config)) {
+    updated = normalizeConfigurationSection(config, prefix, systemKey, changes) || updated;
+  }
+  return updated;
+}
+
+module.exports = {
+  buildEffectiveConfiguration,
+  repairEnvTemplate,
+  normalizeSystemFileAuthAndConfig
+};

package/lib/commands/repair-internal.js

@@ -0,0 +1,85 @@
+/**
+ * Internal helpers for repair command: file discovery and datasource list building.
+ *
+ * @fileoverview Repair discovery and datasource helpers
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const path = require('path');
+const fs = require('fs');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+
+/** Matches *-datasource-*.(yaml|yml|json) or datasource-*.(yaml|yml|json) */
+function isDatasourceFileName(name) {
+  if (!/\.(yaml|yml|json)$/i.test(name)) return false;
+  return /-datasource-.+\.(yaml|yml|json)$/i.test(name) || /^datasource-.+\.(yaml|yml|json)$/i.test(name);
+}
+
+/**
+ * Discovers system and datasource files in app directory
+ * @param {string} appPath - Application directory path
+ * @returns {{ systemFiles: string[], datasourceFiles: string[] }}
+ */
+function discoverIntegrationFiles(appPath) {
+  if (!fs.existsSync(appPath)) {
+    return { systemFiles: [], datasourceFiles: [] };
+  }
+  const entries = fs.readdirSync(appPath);
+  const systemFiles = [];
+  const datasourceFiles = [];
+  for (const name of entries) {
+    if (!/^[a-z0-9_.-]+\.(yaml|yml|json)$/i.test(name)) continue;
+    if (/-system\.(yaml|yml|json)$/i.test(name)) {
+      systemFiles.push(name);
+    } else if (isDatasourceFileName(name)) {
+      datasourceFiles.push(name);
+    }
+  }
+  systemFiles.sort();
+  datasourceFiles.sort();
+  return { systemFiles, datasourceFiles };
+}
+
+/**
+ * Builds the effective datasource file list from application.yaml and discovered files.
+ * @param {string} appPath - Application directory path
+ * @param {string[]} discoveredDatasourceFiles - Filenames from discoverIntegrationFiles
+ * @param {string[]} [existingDataSources] - externalIntegration.dataSources from application.yaml
+ * @returns {string[]} Sorted, deduplicated list of datasource filenames
+ */
+function buildEffectiveDatasourceFiles(appPath, discoveredDatasourceFiles, existingDataSources) {
+  const existing = Array.isArray(existingDataSources) ? existingDataSources : [];
+  const seen = new Set();
+  const result = [];
+  for (const name of existing) {
+    if (!name || typeof name !== 'string') continue;
+    const trimmed = name.trim();
+    if (!trimmed || seen.has(trimmed)) continue;
+    const filePath = path.join(appPath, trimmed);
+    if (fs.existsSync(filePath)) {
+      result.push(trimmed);
+      seen.add(trimmed);
+    } else {
+      logger.log(chalk.yellow(`⚠ Datasource file referenced in application.yaml not found: ${trimmed}`));
+    }
+  }
+  for (const name of discoveredDatasourceFiles) {
+    if (seen.has(name)) continue;
+    const filePath = path.join(appPath, name);
+    if (fs.existsSync(filePath)) {
+      result.push(name);
+      seen.add(name);
+    }
+  }
+  result.sort();
+  return result;
+}
+
+module.exports = {
+  discoverIntegrationFiles,
+  buildEffectiveDatasourceFiles
+};

package/lib/commands/repair-rbac.js

@@ -0,0 +1,158 @@
+/**
+ * RBAC merge for repair: build permissions from datasources and ensure default roles.
+ *
+ * @fileoverview Repair RBAC merge from datasource resourceType/capabilities
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const path = require('path');
+const fs = require('fs');
+const yaml = require('js-yaml');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { loadConfigFile } = require('../utils/config-format');
+
+const DEFAULT_CAPABILITIES = ['list', 'get', 'create', 'update', 'delete'];
+
+/**
+ * Resolves capabilities from datasource (array or legacy object).
+ * @param {Object} parsed - Parsed datasource
+ * @returns {string[]}
+ */
+function getCapabilitiesFromDatasource(parsed) {
+  const cap = parsed?.capabilities;
+  if (Array.isArray(cap)) return cap.filter(c => typeof c === 'string');
+  if (cap && typeof cap === 'object') {
+    return Object.keys(cap).filter(k => cap[k] === true);
+  }
+  return [...DEFAULT_CAPABILITIES];
+}
+
+/**
+ * Collects permission names (resourceType:capability) from datasource files.
+ * @param {string} appPath - Application path
+ * @param {string[]} datasourceFiles - Datasource file names
+ * @returns {Set<string>}
+ */
+function collectPermissionNames(appPath, datasourceFiles) {
+  const permissionNames = new Set();
+  for (const fileName of datasourceFiles || []) {
+    const filePath = path.join(appPath, fileName);
+    if (!fs.existsSync(filePath)) continue;
+    try {
+      const parsed = loadConfigFile(filePath);
+      const resourceType = parsed?.resourceType || 'document';
+      const caps = getCapabilitiesFromDatasource(parsed);
+      for (const cap of caps) permissionNames.add(`${resourceType}:${cap}`);
+    } catch (err) {
+      logger.log(chalk.yellow(`⚠ Could not load ${fileName} for RBAC: ${err.message}`));
+    }
+  }
+  return permissionNames;
+}
+
+/**
+ * Loads existing rbac or creates empty structure. Uses extractRbacFromSystem when provided.
+ * @param {string} appPath - Application path
+ * @param {Object} [systemParsed] - Parsed system for extractRbacFromSystem
+ * @param {Function} extractRbacFromSystem - (system) => rbac or null
+ * @returns {{ rbac: Object, rbacPath: string, rbacYmlPath: string }}
+ */
+function loadOrCreateRbac(appPath, systemParsed, extractRbacFromSystem) {
+  const rbacPath = path.join(appPath, 'rbac.yaml');
+  const rbacYmlPath = path.join(appPath, 'rbac.yml');
+  let rbac;
+  if (fs.existsSync(rbacPath)) {
+    rbac = loadConfigFile(rbacPath);
+  } else if (fs.existsSync(rbacYmlPath)) {
+    rbac = loadConfigFile(rbacYmlPath);
+  } else {
+    rbac = extractRbacFromSystem(systemParsed) || { roles: [], permissions: [] };
+    if (!Array.isArray(rbac.roles)) rbac.roles = [];
+    if (!Array.isArray(rbac.permissions)) rbac.permissions = [];
+  }
+  return { rbac, rbacPath, rbacYmlPath };
+}
+
+/**
+ * Adds missing permissions to rbac.permissions. Mutates rbac.
+ * @param {Object} rbac - RBAC object (mutated)
+ * @param {Set<string>} permissionNames - Desired permission names
+ * @param {string[]} changes - Array to append to
+ * @returns {boolean}
+ */
+function addMissingPermissions(rbac, permissionNames, changes) {
+  const existing = new Set((rbac.permissions || []).map(p => p?.name).filter(Boolean));
+  let updated = false;
+  for (const name of permissionNames) {
+    if (existing.has(name)) continue;
+    rbac.permissions = rbac.permissions || [];
+    rbac.permissions.push({ name, roles: [], description: `Permission: ${name}` });
+    existing.add(name);
+    changes.push(`Added RBAC permission: ${name}`);
+    updated = true;
+  }
+  return updated;
+}
+
+/**
+ * Ensures default Admin and Reader roles if rbac.roles is empty. Mutates rbac.
+ * @param {Object} rbac - RBAC object (mutated)
+ * @param {string} systemKey - System key
+ * @param {string} displayName - Display name
+ * @param {string[]} changes - Array to append to
+ * @returns {boolean}
+ */
+function ensureDefaultRoles(rbac, systemKey, displayName, changes) {
+  const hasRoles = Array.isArray(rbac.roles) && rbac.roles.length > 0;
+  if (hasRoles) return false;
+  const adminValue = `${systemKey}-admin`;
+  const readerValue = `${systemKey}-reader`;
+  rbac.roles = [
+    { name: `${displayName} Admin`, value: adminValue, description: `Full access to all ${displayName} operations`, groups: [] },
+    { name: `${displayName} Reader`, value: readerValue, description: `Read-only access to all ${displayName} data`, groups: [] }
+  ];
+  const listGetPerms = (rbac.permissions || [])
+    .filter(p => p?.name && (p.name.split(':')[1] === 'list' || p.name.split(':')[1] === 'get'))
+    .map(p => p.name);
+  for (const p of rbac.permissions || []) {
+    if (!p.roles) p.roles = [];
+    if (p.name && listGetPerms.includes(p.name) && !p.roles.includes(readerValue)) p.roles.push(readerValue);
+    if (!p.roles.includes(adminValue)) p.roles.push(adminValue);
+  }
+  changes.push('Added default Admin and Reader roles to rbac.yaml');
+  return true;
+}
+
+/**
+ * Merges RBAC from datasources: ensures permission per resourceType:capability, adds Admin/Reader roles if none.
+ * @param {string} appPath - Application path
+ * @param {Object} systemParsed - Parsed system (key, displayName)
+ * @param {string[]} datasourceFiles - Datasource file names
+ * @param {Function} extractRbacFromSystem - (system) => rbac or null
+ * @param {boolean} dryRun - If true, do not write
+ * @param {string[]} changes - Array to append change descriptions to
+ * @returns {boolean} True if rbac was updated (or would be in dry-run)
+ */
+function mergeRbacFromDatasources(appPath, systemParsed, datasourceFiles, extractRbacFromSystem, dryRun, changes) {
+  const permissionNames = collectPermissionNames(appPath, datasourceFiles);
+  if (permissionNames.size === 0) return false;
+  const systemKey = systemParsed?.key || 'system';
+  const displayName = systemParsed?.displayName || systemKey;
+  const { rbac, rbacPath, rbacYmlPath } = loadOrCreateRbac(appPath, systemParsed, extractRbacFromSystem);
+  let updated = addMissingPermissions(rbac, permissionNames, changes);
+  updated = ensureDefaultRoles(rbac, systemKey, displayName, changes) || updated;
+  if (updated && !dryRun) {
+    const outPath = fs.existsSync(rbacPath) ? rbacPath : (fs.existsSync(rbacYmlPath) ? rbacYmlPath : rbacPath);
+    fs.writeFileSync(outPath, yaml.dump(rbac, { indent: 2, lineWidth: -1 }), { mode: 0o644, encoding: 'utf8' });
+  }
+  return updated;
+}
+
+module.exports = {
+  getCapabilitiesFromDatasource,
+  mergeRbacFromDatasources
+};