npm - @aifabrix/builder - Versions diffs - 2.42.0 → 2.43.0 - Mend

@aifabrix/builder 2.42.0 → 2.43.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (133) hide show

package/lib/generator/external.js CHANGED Viewed

@@ -12,7 +12,7 @@ const fs = require('fs');
 const path = require('path');
 const Ajv = require('ajv');
 const { detectAppType, getDeployJsonPath } = require('../utils/paths');
-const { resolveApplicationConfigPath } = require('../utils/app-config-resolver');
+const { resolveApplicationConfigPath, resolveRbacPath } = require('../utils/app-config-resolver');
 const { loadConfigFile } = require('../utils/config-format');
 const { loadVariables, loadRbac } = require('./helpers');
 const {
@@ -117,9 +117,9 @@ async function generateExternalSystemDeployJson(appName, appPath) {
   const systemFilePath = resolveSystemFilePath(variables, appPath, appName);
   const systemJson = await loadSystemFileContent(systemFilePath);
-  // Load rbac.yaml from app directory (similar to regular apps)
-  const rbacPath = path.join(appPath, 'rbac.yaml');
-  const rbac = loadRbac(rbacPath);
+  // Load RBAC from app directory (rbac.yaml, rbac.yml, or rbac.json)
+  const rbacPath = resolveRbacPath(appPath);
+  const rbac = rbacPath ? loadRbac(rbacPath) : null;
   mergeRbacIntoSystemJson(systemJson, rbac);
   // Write it as <app-name>-deploy.json (consistent naming)
@@ -153,9 +153,9 @@ async function loadSystemFile(appPath, schemaBasePath, systemFileName) {
   const systemJson = loadConfigFile(systemFilePath);
-  // Load rbac.yaml from app directory and merge if present
-  const rbacPath = path.join(appPath, 'rbac.yaml');
-  const rbac = loadRbac(rbacPath);
+  // Load RBAC from app directory (rbac.yaml, rbac.yml, or rbac.json) and merge if present
+  const rbacPath = resolveRbacPath(appPath);
+  const rbac = rbacPath ? loadRbac(rbacPath) : null;
   if (rbac) {
     if (rbac.roles && (!systemJson.roles || systemJson.roles.length === 0)) {
       systemJson.roles = rbac.roles;

package/lib/generator/helpers.js CHANGED Viewed

@@ -9,7 +9,7 @@
  */
 const fs = require('fs');
-const yaml = require('js-yaml');
+const path = require('path');
 const { loadConfigFile } = require('../utils/config-format');
 /**
@@ -37,21 +37,25 @@ function loadEnvTemplate(templatePath) {
 }
 /**
- * Loads rbac.yaml file if it exists
- * @param {string} rbacPath - Path to rbac.yaml
- * @returns {Object|null} Parsed RBAC configuration or null
- * @throws {Error} If file exists but has invalid YAML
+ * Loads RBAC config file (rbac.yaml, rbac.yml, or rbac.json) if it exists.
+ * Uses loadConfigFile so format is inferred from extension.
+ *
+ * @param {string} rbacPath - Path to RBAC file (e.g. from resolveRbacPath)
+ * @returns {Object|null} Parsed RBAC configuration or null if path is falsy or file does not exist
+ * @throws {Error} If file exists but has invalid syntax (message references actual filename, e.g. rbac.json)
  */
 function loadRbac(rbacPath) {
+  if (!rbacPath || typeof rbacPath !== 'string') {
+    return null;
+  }
   if (!fs.existsSync(rbacPath)) {
     return null;
   }
-  const rbacContent = fs.readFileSync(rbacPath, 'utf8');
   try {
-    return yaml.load(rbacContent);
+    return loadConfigFile(rbacPath);
   } catch (error) {
-    throw new Error(`Invalid YAML syntax in rbac.yaml: ${error.message}`);
+    const basename = path.basename(rbacPath);
+    throw new Error(`Invalid syntax in ${basename}: ${error.message}`);
   }
 }

package/lib/generator/index.js CHANGED Viewed

@@ -13,7 +13,7 @@ const fs = require('fs');
 const path = require('path');
 const _validator = require('../validation/validator');
 const builders = require('./builders');
-const { detectAppType, getDeployJsonPath, resolveApplicationConfigPath } = require('../utils/paths');
+const { detectAppType, getDeployJsonPath, resolveApplicationConfigPath, resolveRbacPath } = require('../utils/paths');
 const { logOfflinePathWhenType } = require('../utils/cli-utils');
 const splitFunctions = require('./split');
 const { loadVariables, loadEnvTemplate, loadRbac, parseEnvironmentVariables } = require('./helpers');
@@ -39,7 +39,7 @@ const { buildEnvVarMap } = require('../utils/env-map');
  *
  * @example
  * const jsonPath = await generateDeployJson('myapp');
- * // Returns: './builder/myapp/myapp-deploy.json' or './integration/hubspot/application-schema.json'
+ * // Returns: './builder/myapp/myapp-deploy.json' or './integration/hubspot-test/application-schema.json'
  */
 /**
  * Loads configuration files for deployment generation
@@ -51,12 +51,12 @@ const { buildEnvVarMap } = require('../utils/env-map');
 function loadDeploymentConfigFiles(appPath, appType, appName) {
   const variablesPath = resolveApplicationConfigPath(appPath);
   const templatePath = path.join(appPath, 'env.template');
-  const rbacPath = path.join(appPath, 'rbac.yaml');
+  const rbacPath = resolveRbacPath(appPath);
   const jsonPath = getDeployJsonPath(appName, appType, true); // Use new naming
   const { parsed: variables } = loadVariables(variablesPath);
   const envTemplate = loadEnvTemplate(templatePath);
-  const rbac = loadRbac(rbacPath);
+  const rbac = rbacPath ? loadRbac(rbacPath) : null;
   return { variables, envTemplate, rbac, jsonPath };
 }

package/lib/generator/split.js CHANGED Viewed

@@ -14,6 +14,7 @@ const yaml = require('js-yaml');
 const { parseImageReference } = require('./parse-image');
 const { generateReadmeFromDeployJson } = require('./split-readme');
 const { extractVariablesYaml, getExternalDatasourceFileName } = require('./split-variables');
+const { generateExternalEnvTemplateContent } = require('../utils/external-env-template');
 /**
  * Converts configuration array back to env.template format
@@ -207,24 +208,49 @@ function mergeEnvTemplateWithExisting(existingContent, expectedByKey) {
   return updatedLines.join('\n') + (updatedLines.length > 0 ? '\n' : '');
 }
+/**
+ * Builds key -> line map from env.template content (for merge when using external system template).
+ * @param {string} content - Full env.template content
+ * @returns {Map<string, string>} Key to full KEY=value line
+ */
+function buildExpectedByKeyFromEnvContent(content) {
+  const expectedByKey = new Map();
+  if (!content || typeof content !== 'string') return expectedByKey;
+  const lines = content.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eq = trimmed.indexOf('=');
+    if (eq > 0) {
+      const key = trimmed.substring(0, eq).trim();
+      expectedByKey.set(key, trimmed);
+    }
+  }
+  return expectedByKey;
+}
 /**
  * Writes env.template (merge or overwrite).
  * @param {string} outputDir - Output directory
  * @param {string} envTemplate - Default env.template content
- * @param {Object} options - Options (mergeEnvTemplate, configuration)
+ * @param {Object} options - Options (mergeEnvTemplate, configuration, expectedByKey for external)
  * @returns {Promise<string>} Path to env.template
  */
 async function writeEnvTemplateToDir(outputDir, envTemplate, options) {
   const envTemplatePath = path.join(outputDir, 'env.template');
   const fsSync = require('fs');
-  if (options.mergeEnvTemplate && options.configuration && fsSync.existsSync(envTemplatePath)) {
-    const expectedByKey = buildEnvTemplateExpectedByKey(options.configuration);
-    const existingContent = await fs.readFile(envTemplatePath, 'utf8');
-    const merged = mergeEnvTemplateWithExisting(existingContent, expectedByKey);
-    await writeComponentFile(envTemplatePath, merged);
-  } else {
-    await writeComponentFile(envTemplatePath, envTemplate);
+  const useMerge = options.mergeEnvTemplate && fsSync.existsSync(envTemplatePath);
+  if (useMerge) {
+    const expectedByKey = options.expectedByKey ||
+      (options.configuration ? buildEnvTemplateExpectedByKey(options.configuration) : new Map());
+    if (expectedByKey.size > 0) {
+      const existingContent = await fs.readFile(envTemplatePath, 'utf8');
+      const merged = mergeEnvTemplateWithExisting(existingContent, expectedByKey);
+      await writeComponentFile(envTemplatePath, merged);
+      return envTemplatePath;
+    }
   }
+  await writeComponentFile(envTemplatePath, envTemplate);
   return envTemplatePath;
 }
@@ -401,12 +427,21 @@ async function splitDeployJson(deployJsonPath, outputDir = null, splitOptions =
   normalizeDeploymentForSplit(deployment);
   const configArray = deployment.configuration || [];
-  const envTemplate = extractEnvTemplate(configArray);
+  let envTemplate;
+  const writeOptions = buildSplitWriteOptions(splitOptions, configArray);
+  if (deployment.system && typeof deployment.system === 'object') {
+    envTemplate = generateExternalEnvTemplateContent(deployment.system);
+    if (writeOptions.mergeEnvTemplate) {
+      writeOptions.expectedByKey = buildExpectedByKeyFromEnvContent(envTemplate);
+    }
+  } else {
+    envTemplate = extractEnvTemplate(configArray);
+  }
   const variables = extractVariablesYaml(deployment);
   const rbac = extractRbacYaml(deployment);
   const readme = generateReadmeFromDeployJson(deployment);
-  const writeOptions = buildSplitWriteOptions(splitOptions, configArray);
   const result = await writeComponentFiles(finalOutputDir, envTemplate, variables, rbac, readme, writeOptions);
   await applyExternalSystemFilesToResult(finalOutputDir, deployment, result);
   return result;

package/lib/generator/wizard-prompts-secondary.js CHANGED Viewed

@@ -107,6 +107,16 @@ async function promptForEntitySelection(entities = []) {
 /** @param {*} o - Value to stringify */
 const _s = (o) => (o === null || o === undefined || o === '' ? '—' : String(o));
+/**
+ * Humanize app key for display name (must stay in sync with prepareWizardContext in lib/generator/wizard.js).
+ * @param {string} appKey - Application key (e.g. hubspot-demo)
+ * @returns {string} Display name (e.g. Hubspot Demo)
+ */
+function humanizeAppKey(appKey) {
+  if (!appKey || typeof appKey !== 'string') return appKey || '';
+  return appKey.replace(/-/g, ' ').replace(/\b\w/g, l => l.toUpperCase());
+}
 /** @param {Object} sys - systemSummary */
 function _formatSystem(sys) {
   return [
@@ -149,8 +159,11 @@ function _formatFieldMappings(fm) {
 /**
  * Derive a preview summary from systemConfig and datasourceConfigs when the dataplane
  * preview API does not return summaries. Ensures a compact summary is always shown.
+ * When appKey is provided, system key/displayName and datasource keys are overridden
+ * to match what prepareWizardContext will write (so the preview matches saved files).
  * @param {Object} systemConfig - System configuration
  * @param {Object[]} datasourceConfigs - Array of datasource configurations
+ * @param {string} [appKey] - Optional app key; when set, overrides system key/displayName and rewrites datasource keys
  * @returns {Object} Preview object compatible with formatPreviewSummary
  */
 function _buildDatasourceSummary(ds) {
@@ -171,8 +184,9 @@ function _buildDatasourceSummary(ds) {
 }
 function _buildSystemSummary(sys) {
-  const baseUrl = sys.openapi?.servers?.[0]?.url ?? sys.baseUrl ?? sys.openapi?.baseUrl ?? null;
-  const authType = sys.authentication?.type ?? sys.authenticationType ?? null;
+  const baseUrl = sys.openapi?.servers?.[0]?.url ?? sys.baseUrl ?? sys.openapi?.baseUrl ??
+    sys.authentication?.variables?.baseUrl ?? null;
+  const authType = sys.authentication?.type ?? sys.authentication?.method ?? sys.authenticationType ?? null;
   const endpointCount = sys.openapi?.endpoints?.length ??
     (sys.openapi?.operations ? Object.keys(sys.openapi.operations || {}).length : null);
   return {
@@ -191,7 +205,7 @@ function _buildFieldMappingsSummary(ds0) {
   return mappedFields.length > 0 ? { mappingCount: mappedFields.length, mappedFields, unmappedFields: [] } : null;
 }
-function derivePreviewFromConfig(systemConfig, datasourceConfigs) {
+function derivePreviewFromConfig(systemConfig, datasourceConfigs, appKey) {
   const sys = systemConfig || {};
   const dsList = Array.isArray(datasourceConfigs) ? datasourceConfigs : (datasourceConfigs ? [datasourceConfigs] : []);
@@ -199,7 +213,23 @@ function derivePreviewFromConfig(systemConfig, datasourceConfigs) {
     systemSummary: _buildSystemSummary(sys),
     fieldMappingsSummary: _buildFieldMappingsSummary(dsList[0] || {})
   };
-  const datasourceSummaries = dsList.map(_buildDatasourceSummary);
+  let datasourceSummaries = dsList.map(_buildDatasourceSummary);
+  if (appKey && typeof appKey === 'string') {
+    result.systemSummary.key = appKey;
+    result.systemSummary.displayName = humanizeAppKey(appKey);
+    const originalSystemKey = sys.key || appKey;
+    const originalPrefix = `${originalSystemKey}-`;
+    datasourceSummaries = datasourceSummaries.map((summary, i) => {
+      const ds = dsList[i] || {};
+      const dsKey = ds.key || '';
+      const newKey = dsKey && dsKey.startsWith(originalPrefix)
+        ? `${appKey}-${dsKey.substring(originalPrefix.length)}`
+        : `${appKey}-${ds.entityType || ds.entityKey || (dsKey && dsKey.split('-').pop()) || 'default'}`;
+      return { ...summary, key: newKey };
+    });
+  }
   if (datasourceSummaries.length === 1) {
     result.datasourceSummary = datasourceSummaries[0];
   } else if (datasourceSummaries.length > 1) {
@@ -247,11 +277,12 @@ function formatPreviewSummary(preview) {
  * @param {Object|null} [opts.preview] - Preview data from getPreview (null = fallback to YAML)
  * @param {Object} opts.systemConfig - System configuration
  * @param {Object[]} opts.datasourceConfigs - Array of datasource configurations
+ * @param {string} [opts.appKey] - App key; when set and using fallback preview, overrides system key/displayName and datasource keys
  * @returns {Promise<Object>} Object with action ('accept'|'cancel') and optionally edited configs
  */
-async function promptForConfigReview({ preview, systemConfig, datasourceConfigs }) {
+async function promptForConfigReview({ preview, systemConfig, datasourceConfigs, appKey }) {
   const hasSummary = preview && (preview.systemSummary || preview.datasourceSummary || (preview.datasourceSummaries && preview.datasourceSummaries.length > 0));
-  const summaryToShow = hasSummary ? preview : derivePreviewFromConfig(systemConfig, datasourceConfigs);
+  const summaryToShow = hasSummary ? preview : derivePreviewFromConfig(systemConfig, datasourceConfigs, appKey);
   const canShowSummary = summaryToShow.systemSummary || summaryToShow.datasourceSummary ||
     (summaryToShow.datasourceSummaries && summaryToShow.datasourceSummaries.length > 0);
@@ -290,5 +321,6 @@ module.exports = {
   promptForEntitySelection,
   promptForConfigReview,
   derivePreviewFromConfig,
-  formatPreviewSummary
+  formatPreviewSummary,
+  humanizeAppKey
 };

package/lib/generator/wizard-readme.js CHANGED Viewed

@@ -68,6 +68,8 @@ async function generateReadme(options) {
       };
     });
+    const auth = systemConfig.authentication || systemConfig.auth || {};
+    const authType = auth.type || auth.method || auth.authType;
     const readmeContent = generateExternalReadmeContent({
       appName,
       systemKey,
@@ -75,7 +77,8 @@ async function generateReadme(options) {
       displayName: systemConfig.displayName,
       description: systemConfig.description,
       fileExt: ext,
-      datasources
+      datasources,
+      authType
     });
     await fs.writeFile(readmePath, readmeContent, 'utf8');

package/lib/generator/wizard.js CHANGED Viewed

@@ -15,7 +15,8 @@ const chalk = require('chalk');
 const logger = require('../utils/logger');
 const { resolveApplicationConfigPath } = require('../utils/app-config-resolver');
 const { loadConfigFile, writeConfigFile } = require('../utils/config-format');
-const { systemKeyToKvPrefix } = require('../utils/credential-secrets-env');
+const { systemKeyToKvPrefix, securityKeyToVar, isValidKvPath } = require('../utils/credential-secrets-env');
+const { generateExternalEnvTemplateContent } = require('../utils/external-env-template');
 const { generateReadme } = require('./wizard-readme');
 /**
@@ -130,10 +131,12 @@ async function generateConfigFilesForWizard(params) {
     format: format || 'yaml'
   });
-  // Generate env.template with KV_* authentication variables
-  await generateEnvTemplate(appPath, systemConfig, finalSystemKey);
+  // Generate env.template with Authentication and Configuration sections (Handlebars)
   const envTemplatePath = path.join(appPath, 'env.template');
+  const envTemplateContent = generateExternalEnvTemplateContent(systemConfig);
+  await fs.writeFile(envTemplatePath, envTemplateContent, 'utf8');
+  logger.log(chalk.green('✓ Generated env.template'));
   try {
     const secretsEnsure = require('../core/secrets-ensure');
     await secretsEnsure.ensureSecretsFromEnvTemplate(envTemplatePath, { emptyValuesForCredentials: true });
@@ -297,72 +300,84 @@ async function generateOrUpdateVariablesYaml(params) {
   }
 }
-/**
- * Adds API key authentication lines with KV_* convention
- * @param {Array<string>} lines - Lines array to append to
- * @param {string} prefix - KV prefix (e.g. HUBSPOT)
- */
-function addApiKeyAuthLines(lines, prefix) {
-  lines.push('# API Key Authentication');
-  lines.push(`KV_${prefix}_APIKEY=`);
-  lines.push('');
+/** Path-style kv value: kv://systemKey/key (camelCase key). */
+function toPathStyleKv(systemKey, key) {
+  return `kv://${systemKey}/${key}`;
 }
 /**
- * Adds OAuth2 authentication lines with KV_* convention
+ * Adds env.template lines from authentication.security (path-style kv:// values).
  * @param {Array<string>} lines - Lines array to append to
- * @param {Object} auth - Authentication configuration
- * @param {string} prefix - KV prefix
+ * @param {Object} security - authentication.security object
+ * @param {string} systemKey - System key for path namespace
+ * @param {string} prefix - KV prefix (e.g. HUBSPOT)
  */
-function addOAuth2AuthLines(lines, auth, prefix) {
-  lines.push('# OAuth2 Authentication');
-  lines.push(`KV_${prefix}_CLIENTID=`);
-  lines.push(`KV_${prefix}_CLIENTSECRET=`);
-  if (auth.scope) lines.push(`SCOPE=${auth.scope}`);
-  lines.push('');
+function addLinesFromSecurity(lines, security, systemKey, prefix) {
+  if (!security || typeof security !== 'object') return;
+  for (const key of Object.keys(security)) {
+    const envName = `KV_${prefix}_${securityKeyToVar(key)}`;
+    let value = security[key];
+    if (typeof value === 'string' && value.trim().startsWith('kv://') && isValidKvPath(value.trim())) {
+      value = value.trim();
+    } else {
+      value = toPathStyleKv(systemKey, key);
+    }
+    lines.push(`${envName}=${value}`);
+  }
+  if (Object.keys(security).length > 0) lines.push('');
 }
-/**
- * Adds bearer token authentication lines with KV_* convention
- * @param {Array<string>} lines - Lines array to append to
- * @param {string} prefix - KV prefix
- */
-function addBearerTokenAuthLines(lines, prefix) {
-  lines.push('# Bearer Token Authentication');
-  lines.push(`KV_${prefix}_BEARERTOKEN=`);
-  lines.push('');
-}
+/** Fallback security keys by auth method (camelCase) for path-style kv://. */
+const FALLBACK_SECURITY_BY_AUTH = {
+  oauth2: ['clientId', 'clientSecret'],
+  oauth: ['clientId', 'clientSecret'],
+  aad: ['clientId', 'clientSecret'],
+  apikey: ['apiKey'],
+  apiKey: ['apiKey'],
+  basic: ['username', 'password'],
+  queryParam: ['paramValue'],
+  oidc: [],
+  hmac: ['signingSecret'],
+  bearer: ['bearerToken'],
+  token: ['bearerToken'],
+  none: []
+};
 /**
- * Adds basic authentication lines with KV_* convention
+ * Adds auth lines by type with path-style kv:// values (fallback when security is absent).
  * @param {Array<string>} lines - Lines array to append to
+ * @param {string} authType - Authentication type
+ * @param {string} systemKey - System key
  * @param {string} prefix - KV prefix
  */
-function addBasicAuthLines(lines, prefix) {
-  lines.push('# Basic Authentication');
-  lines.push(`KV_${prefix}_USERNAME=`);
-  lines.push(`KV_${prefix}_PASSWORD=`);
+function addFallbackAuthLines(lines, authType, systemKey, prefix) {
+  const keys = FALLBACK_SECURITY_BY_AUTH[authType] || FALLBACK_SECURITY_BY_AUTH.apikey;
+  if (keys.length === 0) return;
+  const labels = { oauth2: 'OAuth2', aad: 'Azure AD', apikey: 'API Key', basic: 'Basic', queryParam: 'Query Param', hmac: 'HMAC', bearer: 'Bearer Token' };
+  const label = labels[authType] || authType;
+  lines.push(`# ${label} Authentication`);
+  for (const key of keys) {
+    lines.push(`KV_${prefix}_${securityKeyToVar(key)}=${toPathStyleKv(systemKey, key)}`);
+  }
   lines.push('');
 }
 /**
- * Adds authentication lines based on auth type. Uses KV_<APPKEY>_<VAR> convention.
+ * Adds authentication lines: from authentication.security when present, else by auth type with path-style kv://.
  * @param {Array<string>} lines - Lines array to append to
- * @param {Object} auth - Authentication configuration
- * @param {string} authType - Authentication type
- * @param {string} systemKey - System key (e.g. hubspot) for KV_ prefix
+ * @param {Object} auth - Authentication configuration (may have security, type/method)
+ * @param {string} authType - Normalized auth type
+ * @param {string} systemKey - System key for KV path namespace
  */
 function addAuthenticationLines(lines, auth, authType, systemKey) {
   const prefix = systemKeyToKvPrefix(systemKey);
   if (!prefix) return;
-  if (authType === 'apikey' || authType === 'apiKey') {
-    addApiKeyAuthLines(lines, prefix);
-  } else if (authType === 'oauth2' || authType === 'oauth') {
-    addOAuth2AuthLines(lines, auth || {}, prefix);
-  } else if (authType === 'bearer' || authType === 'token') {
-    addBearerTokenAuthLines(lines, prefix);
-  } else if (authType === 'basic') {
-    addBasicAuthLines(lines, prefix);
+  const security = auth?.security;
+  if (security && typeof security === 'object' && Object.keys(security).length > 0) {
+    lines.push('# Authentication (from security)');
+    addLinesFromSecurity(lines, security, systemKey, prefix);
+  } else {
+    addFallbackAuthLines(lines, authType, systemKey, prefix);
   }
 }
@@ -381,22 +396,22 @@ function addBaseUrlLines(lines, systemConfig) {
 }
 /**
- * Generate env.template with KV_* authentication variables
+ * Generate env.template with KV_* authentication variables (legacy; prefer generateExternalEnvTemplateContent).
  * @async
- * @function generateEnvTemplate
+ * @function _generateEnvTemplate
  * @param {string} appPath - Application directory path
  * @param {Object} systemConfig - System configuration (must have key for systemKey)
  * @param {string} [finalSystemKey] - Final system key for KV_ prefix (default: systemConfig.key)
  * @throws {Error} If generation fails
  */
-async function generateEnvTemplate(appPath, systemConfig, finalSystemKey) {
+async function _generateEnvTemplate(appPath, systemConfig, finalSystemKey) {
   try {
     const envTemplatePath = path.join(appPath, 'env.template');
     const systemKey = finalSystemKey || systemConfig?.key;
     const lines = ['# Environment variables for external system integration', '# Use KV_* for credential push (aifabrix credential push)', ''];
     const auth = systemConfig?.authentication || systemConfig?.auth || {};
-    const authType = auth.type || auth.authType || 'apikey';
+    const authType = (auth.type || auth.method || auth.authType || 'apikey').toLowerCase();
     addAuthenticationLines(lines, auth, authType, systemKey);
     addBaseUrlLines(lines, systemConfig);

package/lib/infrastructure/helpers.js CHANGED Viewed

@@ -14,6 +14,7 @@ const fs = require('fs');
 const chalk = require('chalk');
 const handlebars = require('handlebars');
 const secrets = require('../core/secrets');
+const adminSecrets = require('../core/admin-secrets');
 const logger = require('../utils/logger');
 const dockerUtils = require('../utils/docker');
 const paths = require('../utils/paths');
@@ -69,19 +70,6 @@ function logVolumeResetHint(infraDir) {
   ));
 }
-/**
- * Apply password to admin-secrets file content (all three password keys).
- * @param {string} content - Current file content
- * @param {string} password - Password to set
- * @returns {string} Updated content
- */
-function applyPasswordToAdminSecretsContent(content, password) {
-  return content
-    .replace(/^POSTGRES_PASSWORD=.*$/m, `POSTGRES_PASSWORD=${password}`)
-    .replace(/^PGADMIN_DEFAULT_PASSWORD=.*$/m, `PGADMIN_DEFAULT_PASSWORD=${password}`)
-    .replace(/^REDIS_COMMANDER_PASSWORD=.*$/m, `REDIS_COMMANDER_PASSWORD=${password}`);
-}
 /**
  * Sync postgres-passwordKeyVault to the main secrets store (file or remote).
  * @param {string} password - Password to store
@@ -94,10 +82,42 @@ async function syncPostgresPasswordToStore(password) {
   }
 }
+/** Default admin env keys and values when missing. */
+const DEFAULT_ADMIN_OBJ = {
+  PGADMIN_DEFAULT_EMAIL: 'admin@aifabrix.dev',
+  REDIS_HOST: 'local:redis:6379:0:',
+  REDIS_COMMANDER_USER: 'admin'
+};
+/**
+ * Writes merged admin secrets to disk and logs/syncs as needed.
+ * @async
+ * @param {string} adminSecretsPath - Path to admin-secrets.env
+ * @param {Object} adminObj - Decrypted admin secrets object
+ * @param {string} passwordToUse - Password to set for Postgres, pgAdmin, Redis Commander
+ * @param {boolean} shouldOverwriteWithAdminPwd - Whether this was an explicit admin password update
+ */
+async function applyAdminSecretsUpdate(adminSecretsPath, adminObj, passwordToUse, shouldOverwriteWithAdminPwd) {
+  const merged = { ...DEFAULT_ADMIN_OBJ, ...adminObj };
+  merged.POSTGRES_PASSWORD = passwordToUse;
+  merged.PGADMIN_DEFAULT_PASSWORD = passwordToUse;
+  merged.REDIS_COMMANDER_PASSWORD = passwordToUse;
+  const content = await secrets.formatAdminSecretsContent(merged);
+  fs.writeFileSync(adminSecretsPath, content, { mode: 0o600 });
+  if (shouldOverwriteWithAdminPwd) {
+    logger.log('Updated admin password in admin-secrets.env.');
+    await syncPostgresPasswordToStore(passwordToUse);
+    logVolumeResetHint(path.join(paths.getAifabrixHome(), getInfraDirName(0)));
+  } else {
+    logger.log('Set default admin password in admin-secrets.env for local use.');
+  }
+}
 /**
  * Ensure admin secrets file exists and set admin password.
  * When adminPwd is provided, update POSTGRES_PASSWORD, PGADMIN_DEFAULT_PASSWORD, REDIS_COMMANDER_PASSWORD
  * in admin-secrets.env (overwrites existing values). Otherwise only backfill empty fields.
+ * Reads and writes using decrypted values; writes encrypted when secrets-encryption key is set.
  *
  * @async
  * @param {Object} [options] - Options
@@ -109,29 +129,25 @@ async function ensureAdminSecrets(options = {}) {
     ? options.adminPwd.trim()
     : null;
   const passwordToUse = adminPwdOverride || DEFAULT_ADMIN_PASSWORD;
   const adminSecretsPath = path.join(paths.getAifabrixHome(), 'admin-secrets.env');
   if (!fs.existsSync(adminSecretsPath)) {
     logger.log('Generating admin-secrets.env...');
     await secrets.generateAdminSecretsEnv(undefined);
+    return adminSecretsPath;
   }
-  let content = fs.readFileSync(adminSecretsPath, 'utf8');
-  const needsBackfill = /^POSTGRES_PASSWORD=\s*$/m.test(content) ||
-    /^PGADMIN_DEFAULT_PASSWORD=\s*$/m.test(content) ||
-    /^REDIS_COMMANDER_PASSWORD=\s*$/m.test(content);
+  const adminObj = await adminSecrets.readAndDecryptAdminSecrets(adminSecretsPath);
+  const needsBackfill = !(adminObj.POSTGRES_PASSWORD && adminObj.POSTGRES_PASSWORD.trim()) ||
+    !(adminObj.PGADMIN_DEFAULT_PASSWORD && adminObj.PGADMIN_DEFAULT_PASSWORD.trim()) ||
+    !(adminObj.REDIS_COMMANDER_PASSWORD && adminObj.REDIS_COMMANDER_PASSWORD.trim());
   const shouldOverwriteWithAdminPwd = adminPwdOverride !== null;
-  if (shouldOverwriteWithAdminPwd) {
-    content = applyPasswordToAdminSecretsContent(content, passwordToUse);
-    fs.writeFileSync(adminSecretsPath, content, { mode: 0o600 });
-    logger.log('Updated admin password in admin-secrets.env.');
-    await syncPostgresPasswordToStore(passwordToUse);
-    logVolumeResetHint(path.join(paths.getAifabrixHome(), getInfraDirName(0)));
-  } else if (needsBackfill) {
-    content = applyPasswordToAdminSecretsContent(content, passwordToUse);
-    fs.writeFileSync(adminSecretsPath, content, { mode: 0o600 });
-    logger.log('Set default admin password in admin-secrets.env for local use.');
+  if (!shouldOverwriteWithAdminPwd && !needsBackfill) {
+    return adminSecretsPath;
   }
+  await applyAdminSecretsUpdate(adminSecretsPath, adminObj, passwordToUse, shouldOverwriteWithAdminPwd);
   return adminSecretsPath;
 }
@@ -243,12 +259,13 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "miso" -c "GRANT AL
 }
 /**
- * Prepare infrastructure directory and extract postgres password
+ * Prepare infrastructure directory and extract postgres password from decrypted admin secrets.
+ * @async
  * @param {string} devId - Developer ID
  * @param {string} adminSecretsPath - Path to admin secrets file
- * @returns {Object} Object with infraDir and postgresPassword
+ * @returns {Promise<Object>} Object with infraDir and postgresPassword
  */
-function prepareInfraDirectory(devId, adminSecretsPath) {
+async function prepareInfraDirectory(devId, adminSecretsPath) {
   const aifabrixDir = paths.getAifabrixHome();
   const infraDirName = getInfraDirName(devId);
   const infraDir = path.join(aifabrixDir, infraDirName);
@@ -265,10 +282,8 @@ function prepareInfraDirectory(devId, adminSecretsPath) {
     }
   }
-  const adminSecretsContent = fs.readFileSync(adminSecretsPath, 'utf8');
-  const postgresPasswordMatch = adminSecretsContent.match(/^POSTGRES_PASSWORD=(.+)$/m);
-  const raw = postgresPasswordMatch ? postgresPasswordMatch[1] : '';
-  const postgresPassword = (raw && raw.trim()) || DEFAULT_ADMIN_PASSWORD;
+  const adminObj = await adminSecrets.readAndDecryptAdminSecrets(adminSecretsPath);
+  const postgresPassword = (adminObj.POSTGRES_PASSWORD && adminObj.POSTGRES_PASSWORD.trim()) || DEFAULT_ADMIN_PASSWORD;
   generatePgAdminConfig(infraDir, postgresPassword);
   return { infraDir, postgresPassword };