@aifabrix/builder 2.42.1 → 2.43.0

package/lib/datasource/validate.js

@@ -12,6 +12,7 @@ const fs = require('fs');
 const { loadExternalDataSourceSchema } = require('../utils/schema-loader');
 const { formatValidationErrors } = require('../utils/error-formatter');
 const { validateFieldReferences } = require('./field-reference-validator');
+const { validateAbac } = require('./abac-validator');
 
 /**
  * Validates a datasource file against external-datasource schema
@@ -60,10 +61,12 @@ async function validateDatasourceFile(filePath) {
   }
 
   const fieldRefErrors = validateFieldReferences(parsed);
-  if (fieldRefErrors.length > 0) {
+  const abacErrors = validateAbac(parsed);
+  const postSchemaErrors = [...fieldRefErrors, ...abacErrors];
+  if (postSchemaErrors.length > 0) {
     return {
       valid: false,
-      errors: fieldRefErrors,
+      errors: postSchemaErrors,
       warnings: []
     };
   }

package/lib/external-system/generator.js

@@ -16,6 +16,7 @@ const chalk = require('chalk');
 const logger = require('../utils/logger');
 const { resolveApplicationConfigPath } = require('../utils/app-config-resolver');
 const { loadConfigFile, writeConfigFile } = require('../utils/config-format');
+const { getKvPathSegmentForSecurityKey } = require('../utils/credential-secrets-env');
 
 // Register Handlebars helper for equality check
 handlebars.registerHelper('eq', (a, b) => a === b);
@@ -23,36 +24,39 @@ handlebars.registerHelper('json', (obj) => JSON.stringify(obj));
 
 /**
  * Build authentication object per schema authenticationVariablesByMethod.
- * Security values use kv://<systemKey>/<key> pattern.
+ * Security values use canonical kv://<systemKey>/<segment> paths (segment from getKvPathSegmentForSecurityKey).
  * @param {string} systemKey - External system key
  * @param {string} authType - Auth method (oauth2, aad, apikey, basic, queryParam, oidc, hmac, none)
  * @returns {{ method: string, variables: Object, security: Object }} Authentication object
  */
 function buildAuthenticationFromMethod(systemKey, authType) {
-  const kv = (key) => `kv://${systemKey}/${key}`;
+  const kvPath = (securityKey) => {
+    const segment = getKvPathSegmentForSecurityKey(securityKey);
+    return segment ? `kv://${systemKey}/${segment}` : null;
+  };
   const method = authType || 'apikey';
   const base = 'https://api.example.com';
 
   const authMap = {
     oauth2: {
       variables: { baseUrl: base, tokenUrl: `${base}/oauth/token`, authorizationUrl: `${base}/oauth/authorize` },
-      security: { clientId: kv('clientid'), clientSecret: kv('clientsecret') }
+      security: { clientId: kvPath('clientId'), clientSecret: kvPath('clientSecret') }
     },
     aad: {
       variables: { baseUrl: base, tokenUrl: 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token', tenantId: '{tenant-id}' },
-      security: { clientId: kv('clientid'), clientSecret: kv('clientsecret') }
+      security: { clientId: kvPath('clientId'), clientSecret: kvPath('clientSecret') }
     },
     apikey: {
       variables: { baseUrl: base, headerName: 'X-API-Key' },
-      security: { apiKey: kv('apikey') }
+      security: { apiKey: kvPath('apiKey') }
     },
     basic: {
       variables: { baseUrl: base },
-      security: { username: kv('username'), password: kv('password') }
+      security: { username: kvPath('username'), password: kvPath('password') }
     },
     queryParam: {
       variables: { baseUrl: base, paramName: 'api_key' },
-      security: { paramValue: kv('paramvalue') }
+      security: { paramValue: kvPath('paramValue') }
     },
     oidc: {
       variables: { openIdConfigUrl: 'https://example.com/.well-known/openid-configuration', clientId: 'app-id' },
@@ -60,7 +64,7 @@ function buildAuthenticationFromMethod(systemKey, authType) {
     },
     hmac: {
       variables: { baseUrl: base, algorithm: 'sha256', signatureHeader: 'X-Signature' },
-      security: { signingSecret: kv('signingsecret') }
+      security: { signingSecret: kvPath('signingSecret') }
     },
     none: {
       variables: {},

package/lib/external-system/test-system-level.js

@@ -42,7 +42,7 @@ async function runSystemLevelTest({ appName, systemKey, authConfig, dataplaneUrl
   let success = true;
 
   for (const r of rawResults) {
-    const dsKey = r.key || r.datasourceKey;
+    const dsKey = r.key || r.sourceKey || r.name || r.datasourceKey;
     const dsResult = {
       key: dsKey,
       success: r.success !== false,

package/lib/generator/external-controller-manifest.js

@@ -11,7 +11,7 @@
 
 const path = require('path');
 const { detectAppType } = require('../utils/paths');
-const { resolveApplicationConfigPath } = require('../utils/app-config-resolver');
+const { resolveApplicationConfigPath, resolveRbacPath } = require('../utils/app-config-resolver');
 const { loadSystemFile, loadDatasourceFiles } = require('./external');
 const { loadVariables, loadRbac } = require('./helpers');
 
@@ -77,8 +77,8 @@ function extractAppMetadata(variables, appName) {
  */
 async function loadSystemWithRbac(appPath, schemaBasePath, systemFile) {
   const systemJson = await loadSystemFile(appPath, schemaBasePath, systemFile);
-  const rbacPath = path.join(appPath, 'rbac.yaml');
-  const rbac = loadRbac(rbacPath);
+  const rbacPath = resolveRbacPath(appPath);
+  const rbac = rbacPath ? loadRbac(rbacPath) : null;
   mergeRbacIntoSystemJson(systemJson, rbac);
   return systemJson;
 }

package/lib/generator/external.js

@@ -12,7 +12,7 @@ const fs = require('fs');
 const path = require('path');
 const Ajv = require('ajv');
 const { detectAppType, getDeployJsonPath } = require('../utils/paths');
-const { resolveApplicationConfigPath } = require('../utils/app-config-resolver');
+const { resolveApplicationConfigPath, resolveRbacPath } = require('../utils/app-config-resolver');
 const { loadConfigFile } = require('../utils/config-format');
 const { loadVariables, loadRbac } = require('./helpers');
 const {
@@ -117,9 +117,9 @@ async function generateExternalSystemDeployJson(appName, appPath) {
   const systemFilePath = resolveSystemFilePath(variables, appPath, appName);
   const systemJson = await loadSystemFileContent(systemFilePath);
 
-  // Load rbac.yaml from app directory (similar to regular apps)
-  const rbacPath = path.join(appPath, 'rbac.yaml');
-  const rbac = loadRbac(rbacPath);
+  // Load RBAC from app directory (rbac.yaml, rbac.yml, or rbac.json)
+  const rbacPath = resolveRbacPath(appPath);
+  const rbac = rbacPath ? loadRbac(rbacPath) : null;
   mergeRbacIntoSystemJson(systemJson, rbac);
 
   // Write it as <app-name>-deploy.json (consistent naming)
@@ -153,9 +153,9 @@ async function loadSystemFile(appPath, schemaBasePath, systemFileName) {
 
   const systemJson = loadConfigFile(systemFilePath);
 
-  // Load rbac.yaml from app directory and merge if present
-  const rbacPath = path.join(appPath, 'rbac.yaml');
-  const rbac = loadRbac(rbacPath);
+  // Load RBAC from app directory (rbac.yaml, rbac.yml, or rbac.json) and merge if present
+  const rbacPath = resolveRbacPath(appPath);
+  const rbac = rbacPath ? loadRbac(rbacPath) : null;
   if (rbac) {
     if (rbac.roles && (!systemJson.roles || systemJson.roles.length === 0)) {
       systemJson.roles = rbac.roles;

package/lib/generator/helpers.js

@@ -9,7 +9,7 @@
  */
 
 const fs = require('fs');
-const yaml = require('js-yaml');
+const path = require('path');
 const { loadConfigFile } = require('../utils/config-format');
 
 /**
@@ -37,21 +37,25 @@ function loadEnvTemplate(templatePath) {
 }
 
 /**
- * Loads rbac.yaml file if it exists
- * @param {string} rbacPath - Path to rbac.yaml
- * @returns {Object|null} Parsed RBAC configuration or null
- * @throws {Error} If file exists but has invalid YAML
+ * Loads RBAC config file (rbac.yaml, rbac.yml, or rbac.json) if it exists.
+ * Uses loadConfigFile so format is inferred from extension.
+ *
+ * @param {string} rbacPath - Path to RBAC file (e.g. from resolveRbacPath)
+ * @returns {Object|null} Parsed RBAC configuration or null if path is falsy or file does not exist
+ * @throws {Error} If file exists but has invalid syntax (message references actual filename, e.g. rbac.json)
  */
 function loadRbac(rbacPath) {
+  if (!rbacPath || typeof rbacPath !== 'string') {
+    return null;
+  }
   if (!fs.existsSync(rbacPath)) {
     return null;
   }
-
-  const rbacContent = fs.readFileSync(rbacPath, 'utf8');
   try {
-    return yaml.load(rbacContent);
+    return loadConfigFile(rbacPath);
   } catch (error) {
-    throw new Error(`Invalid YAML syntax in rbac.yaml: ${error.message}`);
+    const basename = path.basename(rbacPath);
+    throw new Error(`Invalid syntax in ${basename}: ${error.message}`);
   }
 }
 

package/lib/generator/index.js

@@ -13,7 +13,7 @@ const fs = require('fs');
 const path = require('path');
 const _validator = require('../validation/validator');
 const builders = require('./builders');
-const { detectAppType, getDeployJsonPath, resolveApplicationConfigPath } = require('../utils/paths');
+const { detectAppType, getDeployJsonPath, resolveApplicationConfigPath, resolveRbacPath } = require('../utils/paths');
 const { logOfflinePathWhenType } = require('../utils/cli-utils');
 const splitFunctions = require('./split');
 const { loadVariables, loadEnvTemplate, loadRbac, parseEnvironmentVariables } = require('./helpers');
@@ -39,7 +39,7 @@ const { buildEnvVarMap } = require('../utils/env-map');
  *
  * @example
  * const jsonPath = await generateDeployJson('myapp');
- * // Returns: './builder/myapp/myapp-deploy.json' or './integration/hubspot/application-schema.json'
+ * // Returns: './builder/myapp/myapp-deploy.json' or './integration/hubspot-test/application-schema.json'
  */
 /**
  * Loads configuration files for deployment generation
@@ -51,12 +51,12 @@ const { buildEnvVarMap } = require('../utils/env-map');
 function loadDeploymentConfigFiles(appPath, appType, appName) {
   const variablesPath = resolveApplicationConfigPath(appPath);
   const templatePath = path.join(appPath, 'env.template');
-  const rbacPath = path.join(appPath, 'rbac.yaml');
+  const rbacPath = resolveRbacPath(appPath);
   const jsonPath = getDeployJsonPath(appName, appType, true); // Use new naming
 
   const { parsed: variables } = loadVariables(variablesPath);
   const envTemplate = loadEnvTemplate(templatePath);
-  const rbac = loadRbac(rbacPath);
+  const rbac = rbacPath ? loadRbac(rbacPath) : null;
 
   return { variables, envTemplate, rbac, jsonPath };
 }

package/lib/generator/split.js

@@ -14,6 +14,7 @@ const yaml = require('js-yaml');
 const { parseImageReference } = require('./parse-image');
 const { generateReadmeFromDeployJson } = require('./split-readme');
 const { extractVariablesYaml, getExternalDatasourceFileName } = require('./split-variables');
+const { generateExternalEnvTemplateContent } = require('../utils/external-env-template');
 
 /**
  * Converts configuration array back to env.template format
@@ -207,24 +208,49 @@ function mergeEnvTemplateWithExisting(existingContent, expectedByKey) {
   return updatedLines.join('\n') + (updatedLines.length > 0 ? '\n' : '');
 }
 
+/**
+ * Builds key -> line map from env.template content (for merge when using external system template).
+ * @param {string} content - Full env.template content
+ * @returns {Map<string, string>} Key to full KEY=value line
+ */
+function buildExpectedByKeyFromEnvContent(content) {
+  const expectedByKey = new Map();
+  if (!content || typeof content !== 'string') return expectedByKey;
+  const lines = content.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eq = trimmed.indexOf('=');
+    if (eq > 0) {
+      const key = trimmed.substring(0, eq).trim();
+      expectedByKey.set(key, trimmed);
+    }
+  }
+  return expectedByKey;
+}
+
 /**
  * Writes env.template (merge or overwrite).
  * @param {string} outputDir - Output directory
  * @param {string} envTemplate - Default env.template content
- * @param {Object} options - Options (mergeEnvTemplate, configuration)
+ * @param {Object} options - Options (mergeEnvTemplate, configuration, expectedByKey for external)
  * @returns {Promise<string>} Path to env.template
  */
 async function writeEnvTemplateToDir(outputDir, envTemplate, options) {
   const envTemplatePath = path.join(outputDir, 'env.template');
   const fsSync = require('fs');
-  if (options.mergeEnvTemplate && options.configuration && fsSync.existsSync(envTemplatePath)) {
-    const expectedByKey = buildEnvTemplateExpectedByKey(options.configuration);
-    const existingContent = await fs.readFile(envTemplatePath, 'utf8');
-    const merged = mergeEnvTemplateWithExisting(existingContent, expectedByKey);
-    await writeComponentFile(envTemplatePath, merged);
-  } else {
-    await writeComponentFile(envTemplatePath, envTemplate);
+  const useMerge = options.mergeEnvTemplate && fsSync.existsSync(envTemplatePath);
+  if (useMerge) {
+    const expectedByKey = options.expectedByKey ||
+      (options.configuration ? buildEnvTemplateExpectedByKey(options.configuration) : new Map());
+    if (expectedByKey.size > 0) {
+      const existingContent = await fs.readFile(envTemplatePath, 'utf8');
+      const merged = mergeEnvTemplateWithExisting(existingContent, expectedByKey);
+      await writeComponentFile(envTemplatePath, merged);
+      return envTemplatePath;
+    }
   }
+  await writeComponentFile(envTemplatePath, envTemplate);
   return envTemplatePath;
 }
 
@@ -401,12 +427,21 @@ async function splitDeployJson(deployJsonPath, outputDir = null, splitOptions =
   normalizeDeploymentForSplit(deployment);
 
   const configArray = deployment.configuration || [];
-  const envTemplate = extractEnvTemplate(configArray);
+  let envTemplate;
+  const writeOptions = buildSplitWriteOptions(splitOptions, configArray);
+  if (deployment.system && typeof deployment.system === 'object') {
+    envTemplate = generateExternalEnvTemplateContent(deployment.system);
+    if (writeOptions.mergeEnvTemplate) {
+      writeOptions.expectedByKey = buildExpectedByKeyFromEnvContent(envTemplate);
+    }
+  } else {
+    envTemplate = extractEnvTemplate(configArray);
+  }
+
   const variables = extractVariablesYaml(deployment);
   const rbac = extractRbacYaml(deployment);
   const readme = generateReadmeFromDeployJson(deployment);
 
-  const writeOptions = buildSplitWriteOptions(splitOptions, configArray);
   const result = await writeComponentFiles(finalOutputDir, envTemplate, variables, rbac, readme, writeOptions);
   await applyExternalSystemFilesToResult(finalOutputDir, deployment, result);
   return result;

package/lib/generator/wizard.js

@@ -16,6 +16,7 @@ const logger = require('../utils/logger');
 const { resolveApplicationConfigPath } = require('../utils/app-config-resolver');
 const { loadConfigFile, writeConfigFile } = require('../utils/config-format');
 const { systemKeyToKvPrefix, securityKeyToVar, isValidKvPath } = require('../utils/credential-secrets-env');
+const { generateExternalEnvTemplateContent } = require('../utils/external-env-template');
 const { generateReadme } = require('./wizard-readme');
 
 /**
@@ -130,10 +131,12 @@ async function generateConfigFilesForWizard(params) {
     format: format || 'yaml'
   });
 
-  // Generate env.template with KV_* authentication variables
-  await generateEnvTemplate(appPath, systemConfig, finalSystemKey);
-
+  // Generate env.template with Authentication and Configuration sections (Handlebars)
   const envTemplatePath = path.join(appPath, 'env.template');
+  const envTemplateContent = generateExternalEnvTemplateContent(systemConfig);
+  await fs.writeFile(envTemplatePath, envTemplateContent, 'utf8');
+  logger.log(chalk.green('✓ Generated env.template'));
+
   try {
     const secretsEnsure = require('../core/secrets-ensure');
     await secretsEnsure.ensureSecretsFromEnvTemplate(envTemplatePath, { emptyValuesForCredentials: true });
@@ -393,15 +396,15 @@ function addBaseUrlLines(lines, systemConfig) {
 }
 
 /**
- * Generate env.template with KV_* authentication variables
+ * Generate env.template with KV_* authentication variables (legacy; prefer generateExternalEnvTemplateContent).
  * @async
- * @function generateEnvTemplate
+ * @function _generateEnvTemplate
  * @param {string} appPath - Application directory path
  * @param {Object} systemConfig - System configuration (must have key for systemKey)
  * @param {string} [finalSystemKey] - Final system key for KV_ prefix (default: systemConfig.key)
  * @throws {Error} If generation fails
  */
-async function generateEnvTemplate(appPath, systemConfig, finalSystemKey) {
+async function _generateEnvTemplate(appPath, systemConfig, finalSystemKey) {
   try {
     const envTemplatePath = path.join(appPath, 'env.template');
     const systemKey = finalSystemKey || systemConfig?.key;

package/lib/infrastructure/helpers.js

@@ -14,6 +14,7 @@ const fs = require('fs');
 const chalk = require('chalk');
 const handlebars = require('handlebars');
 const secrets = require('../core/secrets');
+const adminSecrets = require('../core/admin-secrets');
 const logger = require('../utils/logger');
 const dockerUtils = require('../utils/docker');
 const paths = require('../utils/paths');
@@ -69,19 +70,6 @@ function logVolumeResetHint(infraDir) {
   ));
 }
 
-/**
- * Apply password to admin-secrets file content (all three password keys).
- * @param {string} content - Current file content
- * @param {string} password - Password to set
- * @returns {string} Updated content
- */
-function applyPasswordToAdminSecretsContent(content, password) {
-  return content
-    .replace(/^POSTGRES_PASSWORD=.*$/m, `POSTGRES_PASSWORD=${password}`)
-    .replace(/^PGADMIN_DEFAULT_PASSWORD=.*$/m, `PGADMIN_DEFAULT_PASSWORD=${password}`)
-    .replace(/^REDIS_COMMANDER_PASSWORD=.*$/m, `REDIS_COMMANDER_PASSWORD=${password}`);
-}
-
 /**
  * Sync postgres-passwordKeyVault to the main secrets store (file or remote).
  * @param {string} password - Password to store
@@ -94,10 +82,42 @@ async function syncPostgresPasswordToStore(password) {
   }
 }
 
+/** Default admin env keys and values when missing. */
+const DEFAULT_ADMIN_OBJ = {
+  PGADMIN_DEFAULT_EMAIL: 'admin@aifabrix.dev',
+  REDIS_HOST: 'local:redis:6379:0:',
+  REDIS_COMMANDER_USER: 'admin'
+};
+
+/**
+ * Writes merged admin secrets to disk and logs/syncs as needed.
+ * @async
+ * @param {string} adminSecretsPath - Path to admin-secrets.env
+ * @param {Object} adminObj - Decrypted admin secrets object
+ * @param {string} passwordToUse - Password to set for Postgres, pgAdmin, Redis Commander
+ * @param {boolean} shouldOverwriteWithAdminPwd - Whether this was an explicit admin password update
+ */
+async function applyAdminSecretsUpdate(adminSecretsPath, adminObj, passwordToUse, shouldOverwriteWithAdminPwd) {
+  const merged = { ...DEFAULT_ADMIN_OBJ, ...adminObj };
+  merged.POSTGRES_PASSWORD = passwordToUse;
+  merged.PGADMIN_DEFAULT_PASSWORD = passwordToUse;
+  merged.REDIS_COMMANDER_PASSWORD = passwordToUse;
+  const content = await secrets.formatAdminSecretsContent(merged);
+  fs.writeFileSync(adminSecretsPath, content, { mode: 0o600 });
+  if (shouldOverwriteWithAdminPwd) {
+    logger.log('Updated admin password in admin-secrets.env.');
+    await syncPostgresPasswordToStore(passwordToUse);
+    logVolumeResetHint(path.join(paths.getAifabrixHome(), getInfraDirName(0)));
+  } else {
+    logger.log('Set default admin password in admin-secrets.env for local use.');
+  }
+}
+
 /**
  * Ensure admin secrets file exists and set admin password.
  * When adminPwd is provided, update POSTGRES_PASSWORD, PGADMIN_DEFAULT_PASSWORD, REDIS_COMMANDER_PASSWORD
  * in admin-secrets.env (overwrites existing values). Otherwise only backfill empty fields.
+ * Reads and writes using decrypted values; writes encrypted when secrets-encryption key is set.
  *
  * @async
  * @param {Object} [options] - Options
@@ -109,29 +129,25 @@ async function ensureAdminSecrets(options = {}) {
     ? options.adminPwd.trim()
     : null;
   const passwordToUse = adminPwdOverride || DEFAULT_ADMIN_PASSWORD;
-
   const adminSecretsPath = path.join(paths.getAifabrixHome(), 'admin-secrets.env');
+
   if (!fs.existsSync(adminSecretsPath)) {
     logger.log('Generating admin-secrets.env...');
     await secrets.generateAdminSecretsEnv(undefined);
+    return adminSecretsPath;
   }
-  let content = fs.readFileSync(adminSecretsPath, 'utf8');
-  const needsBackfill = /^POSTGRES_PASSWORD=\s*$/m.test(content) ||
-    /^PGADMIN_DEFAULT_PASSWORD=\s*$/m.test(content) ||
-    /^REDIS_COMMANDER_PASSWORD=\s*$/m.test(content);
+
+  const adminObj = await adminSecrets.readAndDecryptAdminSecrets(adminSecretsPath);
+  const needsBackfill = !(adminObj.POSTGRES_PASSWORD && adminObj.POSTGRES_PASSWORD.trim()) ||
+    !(adminObj.PGADMIN_DEFAULT_PASSWORD && adminObj.PGADMIN_DEFAULT_PASSWORD.trim()) ||
+    !(adminObj.REDIS_COMMANDER_PASSWORD && adminObj.REDIS_COMMANDER_PASSWORD.trim());
   const shouldOverwriteWithAdminPwd = adminPwdOverride !== null;
 
-  if (shouldOverwriteWithAdminPwd) {
-    content = applyPasswordToAdminSecretsContent(content, passwordToUse);
-    fs.writeFileSync(adminSecretsPath, content, { mode: 0o600 });
-    logger.log('Updated admin password in admin-secrets.env.');
-    await syncPostgresPasswordToStore(passwordToUse);
-    logVolumeResetHint(path.join(paths.getAifabrixHome(), getInfraDirName(0)));
-  } else if (needsBackfill) {
-    content = applyPasswordToAdminSecretsContent(content, passwordToUse);
-    fs.writeFileSync(adminSecretsPath, content, { mode: 0o600 });
-    logger.log('Set default admin password in admin-secrets.env for local use.');
+  if (!shouldOverwriteWithAdminPwd && !needsBackfill) {
+    return adminSecretsPath;
   }
+
+  await applyAdminSecretsUpdate(adminSecretsPath, adminObj, passwordToUse, shouldOverwriteWithAdminPwd);
   return adminSecretsPath;
 }
 
@@ -243,12 +259,13 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "miso" -c "GRANT AL
 }
 
 /**
- * Prepare infrastructure directory and extract postgres password
+ * Prepare infrastructure directory and extract postgres password from decrypted admin secrets.
+ * @async
  * @param {string} devId - Developer ID
  * @param {string} adminSecretsPath - Path to admin secrets file
- * @returns {Object} Object with infraDir and postgresPassword
+ * @returns {Promise<Object>} Object with infraDir and postgresPassword
  */
-function prepareInfraDirectory(devId, adminSecretsPath) {
+async function prepareInfraDirectory(devId, adminSecretsPath) {
   const aifabrixDir = paths.getAifabrixHome();
   const infraDirName = getInfraDirName(devId);
   const infraDir = path.join(aifabrixDir, infraDirName);
@@ -265,10 +282,8 @@ function prepareInfraDirectory(devId, adminSecretsPath) {
     }
   }
 
-  const adminSecretsContent = fs.readFileSync(adminSecretsPath, 'utf8');
-  const postgresPasswordMatch = adminSecretsContent.match(/^POSTGRES_PASSWORD=(.+)$/m);
-  const raw = postgresPasswordMatch ? postgresPasswordMatch[1] : '';
-  const postgresPassword = (raw && raw.trim()) || DEFAULT_ADMIN_PASSWORD;
+  const adminObj = await adminSecrets.readAndDecryptAdminSecrets(adminSecretsPath);
+  const postgresPassword = (adminObj.POSTGRES_PASSWORD && adminObj.POSTGRES_PASSWORD.trim()) || DEFAULT_ADMIN_PASSWORD;
   generatePgAdminConfig(infraDir, postgresPassword);
 
   return { infraDir, postgresPassword };

package/lib/infrastructure/index.js

@@ -37,8 +37,34 @@ const {
   startDockerServicesAndConfigure,
   checkInfraHealth
 } = require('./services');
+const adminSecrets = require('../core/admin-secrets');
 // Lazy require to avoid circular dependency: infra -> app/down -> run-helpers -> infra
 
+/**
+ * Runs a callback with a temporary .env.run file in infraDir (created from admin-secrets).
+ * Removes the file in a finally block.
+ * @async
+ * @param {string} infraDir - Infrastructure directory path
+ * @param {string} adminSecretsPath - Path to admin-secrets.env
+ * @param {function(string): Promise<void>} fn - Callback receiving runEnvPath
+ * @returns {Promise<void>}
+ */
+async function withRunEnv(infraDir, adminSecretsPath, fn) {
+  const runEnvPath = path.join(infraDir, '.env.run');
+  try {
+    const adminObj = await adminSecrets.readAndDecryptAdminSecrets(adminSecretsPath);
+    const content = adminSecrets.envObjectToContent(adminObj);
+    fs.writeFileSync(runEnvPath, content, { mode: 0o600 });
+    await fn(runEnvPath);
+  } finally {
+    try {
+      if (fs.existsSync(runEnvPath)) fs.unlinkSync(runEnvPath);
+    } catch {
+      // Ignore unlink errors
+    }
+  }
+}
+
 /**
  * Prepares infrastructure environment
  * Ensures infra secrets exist, then admin-secrets.env, then miso init script.
@@ -65,7 +91,7 @@ async function prepareInfrastructureEnvironment(developerId, options = {}) {
   }
 
   // Prepare infrastructure directory
-  const { infraDir } = prepareInfraDirectory(devId, adminSecretsPath);
+  const { infraDir } = await prepareInfraDirectory(devId, adminSecretsPath);
   await ensureMisoInitScript(infraDir);
 
   return { devId, idNum, ports, templatePath, infraDir, adminSecretsPath };
@@ -174,8 +200,7 @@ async function removeAppVolumes(appNames, devId) {
 async function stopInfra() {
   const devId = await config.getDeveloperId();
   const aifabrixDir = paths.getAifabrixHome();
-  const infraDirName = getInfraDirName(devId);
-  const infraDir = path.join(aifabrixDir, infraDirName);
+  const infraDir = path.join(aifabrixDir, getInfraDirName(devId));
   const composePath = path.join(infraDir, 'compose.yaml');
   const adminSecretsPath = path.join(aifabrixDir, 'admin-secrets.env');
 
@@ -184,17 +209,15 @@ async function stopInfra() {
     return;
   }
 
-  try {
+  await withRunEnv(infraDir, adminSecretsPath, async(runEnvPath) => {
     logger.log('Stopping application containers on the same network...');
     await stopAllAppContainers(devId);
     logger.log('Stopping infrastructure services...');
     const projectName = getInfraProjectName(devId);
     const composeCmd = await dockerUtils.getComposeCommand();
-    await execAsyncWithCwd(`${composeCmd} -f "${composePath}" -p ${projectName} --env-file "${adminSecretsPath}" down`, { cwd: infraDir });
+    await execAsyncWithCwd(`${composeCmd} -f "${composePath}" -p ${projectName} --env-file "${runEnvPath}" down`, { cwd: infraDir });
     logger.log('Infrastructure services stopped');
-  } finally {
-    // Keep the compose file for future use
-  }
+  });
 }
 
 /**
@@ -240,8 +263,7 @@ async function stopAllAppContainersAndVolumes(devId) {
 async function stopInfraWithVolumes() {
   const devId = await config.getDeveloperId();
   const aifabrixDir = paths.getAifabrixHome();
-  const infraDirName = getInfraDirName(devId);
-  const infraDir = path.join(aifabrixDir, infraDirName);
+  const infraDir = path.join(aifabrixDir, getInfraDirName(devId));
   const composePath = path.join(infraDir, 'compose.yaml');
   const adminSecretsPath = path.join(aifabrixDir, 'admin-secrets.env');
 
@@ -250,17 +272,15 @@ async function stopInfraWithVolumes() {
     return;
   }
 
-  try {
+  await withRunEnv(infraDir, adminSecretsPath, async(runEnvPath) => {
     logger.log('Stopping application containers on the same network...');
     await stopAllAppContainersAndVolumes(devId);
     logger.log('Stopping infrastructure services and removing all data...');
     const projectName = getInfraProjectName(devId);
     const composeCmd = await dockerUtils.getComposeCommand();
-    await execAsyncWithCwd(`${composeCmd} -f "${composePath}" -p ${projectName} --env-file "${adminSecretsPath}" down -v`, { cwd: infraDir });
+    await execAsyncWithCwd(`${composeCmd} -f "${composePath}" -p ${projectName} --env-file "${runEnvPath}" down -v`, { cwd: infraDir });
     logger.log('Infrastructure services stopped and all data removed');
-  } finally {
-    // Keep the compose file for future use
-  }
+  });
 }
 
 /**
@@ -281,7 +301,6 @@ async function restartService(serviceName) {
   if (!serviceName || typeof serviceName !== 'string') {
     throw new Error('Service name is required and must be a string');
   }
-
   const validServices = ['postgres', 'redis', 'pgadmin', 'redis-commander', 'traefik'];
   if (!validServices.includes(serviceName)) {
     throw new Error(`Invalid service name. Must be one of: ${validServices.join(', ')}`);
@@ -289,8 +308,7 @@ async function restartService(serviceName) {
 
   const devId = await config.getDeveloperId();
   const aifabrixDir = paths.getAifabrixHome();
-  const infraDirName = getInfraDirName(devId);
-  const infraDir = path.join(aifabrixDir, infraDirName);
+  const infraDir = path.join(aifabrixDir, getInfraDirName(devId));
   const composePath = path.join(infraDir, 'compose.yaml');
   const adminSecretsPath = path.join(aifabrixDir, 'admin-secrets.env');
 
@@ -298,15 +316,13 @@ async function restartService(serviceName) {
     throw new Error('Infrastructure not properly configured');
   }
 
-  try {
+  await withRunEnv(infraDir, adminSecretsPath, async(runEnvPath) => {
     logger.log(`Restarting ${serviceName} service...`);
     const projectName = getInfraProjectName(devId);
     const composeCmd = await dockerUtils.getComposeCommand();
-    await execAsyncWithCwd(`${composeCmd} -f "${composePath}" -p ${projectName} --env-file "${adminSecretsPath}" restart ${serviceName}`, { cwd: infraDir });
+    await execAsyncWithCwd(`${composeCmd} -f "${composePath}" -p ${projectName} --env-file "${runEnvPath}" restart ${serviceName}`, { cwd: infraDir });
     logger.log(`${serviceName} service restarted successfully`);
-  } finally {
-    // Keep the compose file for future use
-  }
+  });
 }
 
 // Re-export status helper functions