@aifabrix/builder 2.42.0 → 2.43.0

package/lib/core/config.js

@@ -13,6 +13,7 @@ const path = require('path');
 const yaml = require('js-yaml');
 const os = require('os');
 const { encryptToken, decryptToken, isTokenEncrypted } = require('../utils/token-encryption');
+const { ensureSecureFilePermissions, ensureSecureDirPermissions } = require('../utils/secure-file-permissions');
 // Avoid importing paths here to prevent circular dependency.
 // Config location (first match wins):
 //   1. AIFABRIX_CONFIG env = full path to config.yaml
@@ -111,7 +112,7 @@ function applyConfigDefaults(config) {
     config.device = {};
   }
   // Ensure controller field exists (but don't set defaults)
-  // It will be set by login or auth config commands
+  // It will be set by login or auth --set-controller
   return config;
 }
 
@@ -133,6 +134,8 @@ function getDefaultConfig() {
 
 async function getConfig() {
   try {
+    ensureSecureDirPermissions(RUNTIME_CONFIG_DIR);
+    ensureSecureFilePermissions(RUNTIME_CONFIG_FILE);
     const configContent = await fs.readFile(RUNTIME_CONFIG_FILE, 'utf8');
     let config = yaml.load(configContent);
 
@@ -233,6 +236,7 @@ async function getDeveloperId() {
  */
 async function verifyDeveloperIdSaved(devIdString) {
   await new Promise(resolve => setTimeout(resolve, 100));
+  ensureSecureFilePermissions(RUNTIME_CONFIG_FILE);
   const savedContent = await fs.readFile(RUNTIME_CONFIG_FILE, 'utf8');
   const savedConfig = yaml.load(savedContent);
   const savedDevIdString = String(savedConfig['developer-id']);
@@ -427,11 +431,11 @@ async function getSecretsPath() {
 }
 
 async function setSecretsPath(secretsPath) {
-  if (!secretsPath || typeof secretsPath !== 'string') {
+  if (typeof secretsPath !== 'string') {
     throw new Error('Secrets path is required and must be a string');
   }
   const config = await getConfig();
-  config['aifabrix-secrets'] = secretsPath;
+  config['aifabrix-secrets'] = secretsPath.trim() || undefined;
   await saveConfig(config);
 }
 
@@ -489,10 +493,8 @@ Object.assign(exportsObj, tokenFunctions);
 const { createPathConfigFunctions } = require('../utils/config-paths');
 const pathConfigFunctions = createPathConfigFunctions(getConfig, saveConfig);
 Object.assign(exportsObj, pathConfigFunctions);
-
 // Format preference functions
 const { createFormatFunctions } = require('../utils/config-format-preference');
 const formatFunctions = createFormatFunctions(getConfig, saveConfig);
 Object.assign(exportsObj, formatFunctions);
-
 module.exports = exportsObj;

package/lib/core/ensure-encryption-key.js

@@ -12,7 +12,6 @@ const fs = require('fs');
 const yaml = require('js-yaml');
 const crypto = require('crypto');
 const pathsUtil = require('../utils/paths');
-const { saveLocalSecret } = require('../utils/local-secrets');
 
 const ENCRYPTION_KEY = 'secrets-encryptionKeyVault';
 
@@ -30,7 +29,7 @@ function readKeyFromFile(filePath) {
 
 /**
  * Ensure secrets encryption key exists. If config already has it, do nothing.
- * If key exists in user or project secrets file, set config. Otherwise generate, write to user secrets, set config.
+ * If key exists in user or project secrets file, set config. Otherwise generate and store only in config (not in secrets file).
  * @param {Object} config - Config module (getSecretsEncryptionKey, setSecretsEncryptionKey, getSecretsPath)
  * @returns {Promise<void>}
  */
@@ -49,7 +48,6 @@ async function ensureSecretsEncryptionKey(config) {
   }
 
   const newKey = crypto.randomBytes(32).toString('hex');
-  await saveLocalSecret(ENCRYPTION_KEY, newKey);
   await config.setSecretsEncryptionKey(newKey);
 }
 

package/lib/core/secrets.js

@@ -52,6 +52,7 @@ const {
 } = require('../utils/secrets-utils');
 const { decryptSecret, isEncrypted } = require('../utils/secrets-encryption');
 const pathsUtil = require('../utils/paths');
+const { ensureSecureFilePermissions } = require('../utils/secure-file-permissions');
 
 /**
  * Generates a canonical secret name from an environment variable key.
@@ -150,6 +151,7 @@ function mergeUserWithConfigFile(userSecrets, resolvedConfigPath) {
   if (!fs.existsSync(resolvedConfigPath)) {
     return null;
   }
+  ensureSecureFilePermissions(resolvedConfigPath);
   let configSecrets;
   try {
     configSecrets = readYamlAtPath(resolvedConfigPath);
@@ -225,6 +227,7 @@ async function loadSecretsWithFallbacks() {
     if (projectRoot) {
       const builderPath = path.join(projectRoot, 'builder', 'secrets.local.yaml');
       if (fs.existsSync(builderPath)) {
+        ensureSecureFilePermissions(builderPath);
         const builderSecrets = mergeUserWithConfigFile(merged || {}, builderPath);
         if (builderSecrets) merged = builderSecrets;
       }
@@ -244,6 +247,7 @@ async function loadSecrets(secretsPath, _appName) {
     if (!fs.existsSync(resolvedPath)) {
       throw new Error(`Secrets file not found: ${resolvedPath}`);
     }
+    ensureSecureFilePermissions(resolvedPath);
     const explicitSecrets = readYamlAtPath(resolvedPath);
     if (!explicitSecrets || typeof explicitSecrets !== 'object') {
       throw new Error(`Invalid secrets file format: ${resolvedPath}`);
@@ -516,6 +520,24 @@ async function generateEnvFile(appName, secretsPath, environment = 'local', forc
   return envPath;
 }
 
+/**
+ * Writes admin env key-value pairs to content; encrypts values when encryption key is set.
+ * @async
+ * @param {Object.<string, string>} adminObj - Key-value object (e.g. POSTGRES_PASSWORD, ...)
+ * @returns {Promise<string>} .env-style content (plaintext or secure:// for secrets)
+ */
+async function formatAdminSecretsContent(adminObj) {
+  const encryptionKey = await config.getSecretsEncryptionKey();
+  const { encryptSecret } = require('../utils/secrets-encryption');
+  const lines = ['# Infrastructure Admin Credentials'];
+  for (const [k, v] of Object.entries(adminObj)) {
+    const value = (v === null || v === undefined) ? '' : String(v).replace(/\n/g, ' ').trim();
+    const valueToWrite = encryptionKey ? encryptSecret(value, encryptionKey) : value;
+    lines.push(`${k}=${valueToWrite}`);
+  }
+  return lines.join('\n');
+}
+
 /** Generates admin secrets for infrastructure (~/.aifabrix/admin-secrets.env). Uses admin123 when no postgres password. */
 async function generateAdminSecretsEnv(secretsPath) {
   let secrets;
@@ -541,15 +563,15 @@ async function generateAdminSecretsEnv(secretsPath) {
   const raw = secrets['postgres-passwordKeyVault'];
   const postgresPassword = (raw && String(raw).trim()) || 'admin123';
 
-  const adminSecrets = `# Infrastructure Admin Credentials
-POSTGRES_PASSWORD=${postgresPassword}
-PGADMIN_DEFAULT_EMAIL=admin@aifabrix.dev
-PGADMIN_DEFAULT_PASSWORD=${postgresPassword}
-REDIS_HOST=local:redis:6379:0:
-REDIS_COMMANDER_USER=admin
-REDIS_COMMANDER_PASSWORD=${postgresPassword}
-`;
-
+  const adminObj = {
+    POSTGRES_PASSWORD: postgresPassword,
+    PGADMIN_DEFAULT_EMAIL: 'admin@aifabrix.dev',
+    PGADMIN_DEFAULT_PASSWORD: postgresPassword,
+    REDIS_HOST: 'local:redis:6379:0:',
+    REDIS_COMMANDER_USER: 'admin',
+    REDIS_COMMANDER_PASSWORD: postgresPassword
+  };
+  const adminSecrets = await formatAdminSecretsContent(adminObj);
   fs.writeFileSync(adminEnvPath, adminSecrets, { mode: 0o600 });
   return adminEnvPath;
 }
@@ -560,6 +582,7 @@ module.exports = {
   generateEnvContent,
   generateMissingSecrets,
   generateAdminSecretsEnv,
+  formatAdminSecretsContent,
   validateSecrets,
   createDefaultSecrets,
   getCanonicalSecretName,

package/lib/core/templates.js

@@ -268,7 +268,7 @@ function generateSecretsYaml(config, existingSecrets = {}) {
   Object.entries(existingSecrets).forEach(([key, value]) => {
     secrets.data[key] = Buffer.from(value).toString('base64');
   });
-  return yaml.dump(secrets, { indent: 2, lineWidth: 120, noRefs: true, sortKeys: false });
+  return yaml.dump(secrets, { indent: 2, lineWidth: -1, noRefs: true, sortKeys: false });
 }
 
 module.exports = {

package/lib/datasource/abac-validator.js

@@ -0,0 +1,157 @@
+/**
+ * ABAC (Attribute-Based Access Control) validator for external datasources.
+ *
+ * Validates config.abac.dimensions (dimension-to-attribute references),
+ * config.abac.crossSystemJson (allowed operators, one per path, value types),
+ * and errors on legacy config.abac.crossSystem.
+ *
+ * @fileoverview ABAC validation for AI Fabrix Builder
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const DIMENSION_KEY_PATTERN = /^[a-zA-Z0-9_]+$/;
+const ATTRIBUTE_PATH_PATTERN = /^[a-zA-Z0-9_.]+$/;
+const CROSS_SYSTEM_JSON_PATH_PATTERN = /^[a-zA-Z0-9_.]+$/;
+const ALLOWED_CROSS_SYSTEM_OPERATORS = new Set([
+  'eq', 'ne', 'gt', 'lt', 'gte', 'lte', 'in', 'nin', 'contains', 'like', 'isNull', 'isNotNull'
+]);
+
+/**
+ * Validates dimension keys and attribute path values for a dimensions object.
+ *
+ * @param {Object} dimensions - Object mapping dimension keys to attribute paths
+ * @param {string} source - Label for error messages (e.g. "config.abac.dimensions")
+ * @param {Set<string>} validAttributeNames - Set of valid attribute names (from fieldMappings.attributes)
+ * @returns {string[]} Error messages
+ */
+function validateDimensionsObject(dimensions, source, validAttributeNames) {
+  const errors = [];
+  if (!dimensions || typeof dimensions !== 'object' || Array.isArray(dimensions)) {
+    return errors;
+  }
+  for (const [dimKey, attrPath] of Object.entries(dimensions)) {
+    if (!DIMENSION_KEY_PATTERN.test(dimKey)) {
+      errors.push(
+        `${source}: dimension key '${dimKey}' must contain only letters, numbers, and underscores. Add '${dimKey}' to fieldMappings.attributes or fix the key.`
+      );
+    }
+    if (typeof attrPath !== 'string' || !ATTRIBUTE_PATH_PATTERN.test(attrPath)) {
+      errors.push(
+        `${source}: attribute path for dimension '${dimKey}' must be a string with letters, numbers, underscores, and dots only.`
+      );
+    } else if (validAttributeNames && validAttributeNames.size > 0) {
+      const normalizedName = attrPath.includes('.') ? attrPath.split('.').pop() : attrPath;
+      if (!validAttributeNames.has(attrPath) && !validAttributeNames.has(normalizedName)) {
+        errors.push(
+          `${source}: dimension '${dimKey}' maps to '${attrPath}' which is not in fieldMappings.attributes. Add the attribute or remove from dimensions.`
+        );
+      }
+    }
+  }
+  return errors;
+}
+
+/**
+ * Validates crossSystemJson: path format, exactly one operator per path, allowed operators and value types.
+ *
+ * @param {Object} crossSystemJson - Object mapping field paths to operator objects
+ * @returns {string[]} Error messages
+ */
+function validateCrossSystemJson(crossSystemJson) {
+  const errors = [];
+  if (!crossSystemJson || typeof crossSystemJson !== 'object' || Array.isArray(crossSystemJson)) {
+    return errors;
+  }
+  for (const [path, opObj] of Object.entries(crossSystemJson)) {
+    if (!CROSS_SYSTEM_JSON_PATH_PATTERN.test(path)) {
+      errors.push(
+        `config.abac.crossSystemJson: path '${path}' must contain only letters, numbers, underscores, and dots.`
+      );
+      continue;
+    }
+    if (typeof opObj !== 'object' || opObj === null || Array.isArray(opObj)) {
+      errors.push(
+        `config.abac.crossSystemJson.${path}: value must be an object with exactly one operator (e.g. { "eq": "user.country" }).`
+      );
+      continue;
+    }
+    const keys = Object.keys(opObj);
+    if (keys.length === 0) {
+      errors.push(
+        `config.abac.crossSystemJson.${path}: object must have exactly one operator. Allowed: ${[...ALLOWED_CROSS_SYSTEM_OPERATORS].join(', ')}.`
+      );
+    } else if (keys.length > 1) {
+      errors.push(
+        `config.abac.crossSystemJson.${path}: must have exactly one operator per path, got ${keys.join(', ')}. Use one of: ${[...ALLOWED_CROSS_SYSTEM_OPERATORS].join(', ')}.`
+      );
+    } else {
+      const op = keys[0];
+      if (!ALLOWED_CROSS_SYSTEM_OPERATORS.has(op)) {
+        errors.push(
+          `config.abac.crossSystemJson.${path}: unknown operator '${op}'. Allowed: ${[...ALLOWED_CROSS_SYSTEM_OPERATORS].join(', ')}.`
+        );
+      }
+    }
+  }
+  return errors;
+}
+
+/**
+ * Validates ABAC configuration for a parsed datasource.
+ * Checks dimensions (from config.abac or fieldMappings), crossSystemJson, and rejects legacy crossSystem.
+ *
+ * @function validateAbac
+ * @param {Object} parsed - Parsed datasource object (after JSON parse)
+ * @returns {string[]} Array of error messages; empty if valid
+ *
+ * @example
+ * const errors = validateAbac(parsed);
+ * if (errors.length > 0) errors.forEach(e => console.error(e));
+ */
+function validateAbac(parsed) {
+  const errors = [];
+  const abac = parsed?.config?.abac;
+  if (!abac || typeof abac !== 'object') {
+    return errors;
+  }
+
+  if ('crossSystem' in abac) {
+    errors.push(
+      'config.abac.crossSystem is deprecated. Use config.abac.crossSystemJson or config.abac.crossSystemSql instead.'
+    );
+  }
+
+  const attributeNames = new Set(
+    Object.keys(parsed?.fieldMappings?.attributes ?? {})
+  );
+
+  if (abac.dimensions) {
+    errors.push(...validateDimensionsObject(
+      abac.dimensions,
+      'config.abac.dimensions',
+      attributeNames
+    ));
+  }
+
+  const fieldMappingsDimensions = parsed?.fieldMappings?.dimensions;
+  if (fieldMappingsDimensions && typeof fieldMappingsDimensions === 'object') {
+    errors.push(...validateDimensionsObject(
+      fieldMappingsDimensions,
+      'fieldMappings.dimensions',
+      attributeNames
+    ));
+  }
+
+  if (abac.crossSystemJson) {
+    errors.push(...validateCrossSystemJson(abac.crossSystemJson));
+  }
+
+  return errors;
+}
+
+module.exports = {
+  validateAbac,
+  validateDimensionsObject,
+  validateCrossSystemJson
+};

package/lib/datasource/field-reference-validator.js

@@ -11,78 +11,116 @@
  */
 
 /**
- * Validates that all field references in indexing, validation, and quality
- * exist in fieldMappings.attributes. When fieldMappings.attributes is missing
- * or empty, returns no errors (skip check, matching dataplane behavior).
+ * Set of attribute names plus dimension keys valid for field references.
+ * Used for primaryKey (schema allows dimensions or attributes) and other paths (attributes only).
  *
- * @function validateFieldReferences
- * @param {Object} parsed - Parsed datasource object (after JSON parse)
- * @returns {string[]} Array of error messages; empty if no invalid references
- *
- * @example
- * const errors = validateFieldReferences(parsed);
- * if (errors.length > 0) {
- *   errors.forEach(e => console.error(e));
- * }
+ * @param {Object} parsed - Parsed datasource object
+ * @returns {{ attributes: string[], attributesAndDimensions: Set<string> }}
  */
-function validateFieldReferences(parsed) {
-  const errors = [];
-  const normalizedAttributes = Object.keys(
-    parsed?.fieldMappings?.attributes ?? {}
-  );
+function getNormalizedSets(parsed) {
+  const attributes = Object.keys(parsed?.fieldMappings?.attributes ?? {});
+  const dimensions = Object.keys(parsed?.fieldMappings?.dimensions ?? {});
+  const attributesAndDimensions = new Set([...attributes, ...dimensions]);
+  return { attributes, attributesAndDimensions };
+}
 
-  if (normalizedAttributes.length === 0) {
-    return [];
-  }
+/** @param {string[]} errors */
+function checkPrimaryKey(parsed, attributesAndDimensions, errors) {
+  const primaryKey = parsed?.primaryKey;
+  if (!Array.isArray(primaryKey)) return;
+  primaryKey.forEach((field, i) => {
+    if (typeof field === 'string' && field !== '' && !attributesAndDimensions.has(field)) {
+      errors.push(
+        `primaryKey[${i}]: field '${field}' does not exist in fieldMappings.attributes or fieldMappings.dimensions. Each primaryKey value must reference an attribute or dimension name.`
+      );
+    }
+  });
+}
+
+/** @param {string[]} errors */
+function checkExposedProfiles(parsed, attrSet, errors) {
+  const profiles = parsed?.exposed?.profiles;
+  if (!profiles || typeof profiles !== 'object' || Array.isArray(profiles)) return;
+  Object.entries(profiles).forEach(([profileName, fields]) => {
+    if (!Array.isArray(fields)) return;
+    fields.forEach((field, idx) => {
+      if (typeof field === 'string' && !attrSet.has(field)) {
+        errors.push(
+          `exposed.profiles.${profileName}[${idx}]: field '${field}' does not exist in fieldMappings.attributes. Add the attribute or remove the reference.`
+        );
+      }
+    });
+  });
+}
 
-  // indexing.embedding: array of field names
+/** @param {string[]} errors */
+function checkIndexingAndValidation(parsed, normalizedAttributes, errors) {
   const embedding = parsed?.indexing?.embedding;
   if (Array.isArray(embedding)) {
     embedding.forEach((field, i) => {
       if (typeof field === 'string' && !normalizedAttributes.includes(field)) {
         errors.push(
-          `indexing.embedding[${i}]: field '${field}' does not exist in fieldMappings.attributes`
+          `indexing.embedding[${i}]: field '${field}' does not exist in fieldMappings.attributes. Add the attribute or remove the reference.`
         );
       }
     });
   }
-
-  // indexing.uniqueKey: single field name
   const uniqueKey = parsed?.indexing?.uniqueKey;
-  if (typeof uniqueKey === 'string' && uniqueKey !== '') {
-    if (!normalizedAttributes.includes(uniqueKey)) {
-      errors.push(
-        `indexing.uniqueKey: field '${uniqueKey}' does not exist in fieldMappings.attributes`
-      );
-    }
+  if (typeof uniqueKey === 'string' && uniqueKey !== '' && !normalizedAttributes.includes(uniqueKey)) {
+    errors.push(
+      `indexing.uniqueKey: field '${uniqueKey}' does not exist in fieldMappings.attributes. Add the attribute or remove the reference.`
+    );
   }
-
-  // validation.repeatingValues[].field
   const repeatingValues = parsed?.validation?.repeatingValues;
   if (Array.isArray(repeatingValues)) {
     repeatingValues.forEach((rule, index) => {
       const field = rule?.field;
       if (typeof field === 'string' && !normalizedAttributes.includes(field)) {
         errors.push(
-          `validation.repeatingValues[${index}].field: field '${field}' does not exist in fieldMappings.attributes`
+          `validation.repeatingValues[${index}].field: field '${field}' does not exist in fieldMappings.attributes. Add the attribute or remove the reference.`
         );
       }
     });
   }
-
-  // quality.rejectIf[].field
   const rejectIf = parsed?.quality?.rejectIf;
   if (Array.isArray(rejectIf)) {
     rejectIf.forEach((rule, index) => {
       const field = rule?.field;
       if (typeof field === 'string' && !normalizedAttributes.includes(field)) {
         errors.push(
-          `quality.rejectIf[${index}].field: field '${field}' does not exist in fieldMappings.attributes`
+          `quality.rejectIf[${index}].field: field '${field}' does not exist in fieldMappings.attributes. Add the attribute or remove the reference.`
         );
       }
     });
   }
+}
+
+/**
+ * Validates that all field references in indexing, validation, quality,
+ * primaryKey, and exposed.profiles exist in fieldMappings.attributes (or
+ * dimensions for primaryKey per schema). When fieldMappings.attributes is
+ * missing or empty, returns no errors (skip check, matching dataplane behavior).
+ *
+ * @function validateFieldReferences
+ * @param {Object} parsed - Parsed datasource object (after JSON parse)
+ * @returns {string[]} Array of error messages; empty if no invalid references
+ *
+ * @example
+ * const errors = validateFieldReferences(parsed);
+ * if (errors.length > 0) {
+ *   errors.forEach(e => console.error(e));
+ * }
+ */
+function validateFieldReferences(parsed) {
+  const errors = [];
+  const { attributes: normalizedAttributes, attributesAndDimensions } = getNormalizedSets(parsed);
+  const attrSet = new Set(normalizedAttributes);
+
+  checkPrimaryKey(parsed, attributesAndDimensions, errors);
+  checkExposedProfiles(parsed, attrSet, errors);
+  if (normalizedAttributes.length === 0) return errors;
 
+  checkIndexingAndValidation(parsed, normalizedAttributes, errors);
   return errors;
 }