npm - @aifabrix/builder - Versions diffs - 2.42.1 → 2.44.0 - Mend

@aifabrix/builder 2.42.1 → 2.44.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (392) hide show

package/.cursor/rules/anchor-docs.mdc +15 -0
package/README.md +2 -2
package/anchor-docs/README.md +10 -0
package/anchor-docs/_TEMPLATE +24 -0
package/bin/aifabrix.js +13 -4
package/integration/hubspot-test/README.md +157 -0
package/integration/{hubspot → hubspot-test}/application.json +6 -6
package/integration/{hubspot → hubspot-test}/create-hubspot.js +10 -10
package/integration/hubspot-test/env.template +4 -0
package/integration/hubspot-test/hubspot-test-datasource-company.json +138 -0
package/integration/hubspot-test/hubspot-test-datasource-contact.json +146 -0
package/integration/hubspot-test/hubspot-test-datasource-deal.json +146 -0
package/integration/hubspot-test/hubspot-test-datasource-users.json +76 -0
package/integration/{hubspot/hubspot-deploy.json → hubspot-test/hubspot-test-deploy.json} +201 -24
package/integration/{hubspot/hubspot-system.json → hubspot-test/hubspot-test-system.json} +8 -7
package/integration/hubspot-test/rbac.json +166 -0
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-hubspot-credential-real.yaml +3 -3
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-hubspot-env-vars.yaml +2 -2
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-add-datasource.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-credential-create.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-credential-select.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-known-platform.yaml +1 -1
package/integration/hubspot-test/test-artifacts/wizard-invalid-missing-source.yaml +2 -0
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-mode.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-openapi-file.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-openapi-url.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-source.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-valid-for-dimension-array-test.yaml +1 -1
package/integration/hubspot-test/test-artifacts/wizard-valid-for-dimension-key-test.yaml +5 -0
package/integration/hubspot-test/test-artifacts/wizard-valid-for-dimension-path-test.yaml +5 -0
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-valid-for-dimension-test.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-valid-for-rbac-test.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-valid-for-rbac-yaml-test.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-dataplane-down-tests.js +1 -7
package/integration/{hubspot → hubspot-test}/test-dataplane-down.js +3 -3
package/integration/{hubspot → hubspot-test}/test.js +137 -102
package/integration/{hubspot → hubspot-test}/wizard-hubspot-e2e.yaml +2 -2
package/integration/{hubspot → hubspot-test}/wizard-hubspot-platform.yaml +1 -1
package/integration/hubspot-test/wizard-hubspot-test-headless.yaml +23 -0
package/integration/roundtrip-test-local/README.md +144 -0
package/integration/roundtrip-test-local/application.yaml +13 -0
package/integration/roundtrip-test-local/env.template +15 -0
package/integration/roundtrip-test-local/roundtrip-test-local-datasource-roundtrip-test-company.yaml +14 -0
package/integration/roundtrip-test-local/roundtrip-test-local-deploy.json +61 -0
package/integration/roundtrip-test-local/roundtrip-test-local-system.yaml +25 -0
package/integration/roundtrip-test-local2/README.md +144 -0
package/integration/roundtrip-test-local2/application.yaml +13 -0
package/integration/roundtrip-test-local2/env.template +15 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-datasource-company.yaml +31 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-deploy.json +86 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-system.yaml +25 -0
package/integration/test/wizard.yaml +8 -0
package/jest.config.default.js +10 -0
package/jest.config.integration.fixtures.js +22 -0
package/jest.config.integration.js +21 -18
package/jest.config.isolated.js +10 -0
package/jest.projects.js +288 -0
package/lib/api/datasources-core.api.js +3 -3
package/lib/api/dev-mtls-request.js +110 -0
package/lib/api/dev-server-https.js +145 -0
package/lib/api/dev.api.js +133 -144
package/lib/api/index.js +0 -1
package/lib/api/pipeline.api.js +67 -20
package/lib/api/service-users.api.js +111 -2
package/lib/api/types/dev.types.js +4 -3
package/lib/api/types/pipeline.types.js +8 -5
package/lib/api/types/service-users.types.js +41 -0
package/lib/api/types/validation-run.types.js +56 -0
package/lib/api/validation-run.api.js +99 -0
package/lib/api/validation-runner.js +99 -0
package/lib/app/config.js +1 -1
package/lib/app/deploy-status-display.js +2 -2
package/lib/app/deploy.js +7 -6
package/lib/app/display.js +2 -1
package/lib/app/dockerfile.js +3 -2
package/lib/app/down.js +2 -1
package/lib/app/helpers.js +6 -5
package/lib/app/index.js +27 -8
package/lib/app/list.js +7 -6
package/lib/app/push.js +4 -3
package/lib/app/register.js +19 -8
package/lib/app/rotate-secret.js +17 -13
package/lib/app/run-container-start.js +184 -0
package/lib/app/run-docker-fallback.js +108 -0
package/lib/app/run-env-compose.js +30 -42
package/lib/app/run-helpers.js +49 -126
package/lib/app/run-infra-requirements.js +30 -0
package/lib/app/run-resolve-image.js +21 -0
package/lib/app/run.js +74 -21
package/lib/app/show-display.js +1 -1
package/lib/app/show.js +1 -1
package/lib/build/index.js +13 -10
package/lib/cli/index.js +2 -0
package/lib/cli/setup-app.help.js +67 -0
package/lib/cli/setup-app.js +59 -123
package/lib/cli/setup-app.test-commands.js +179 -0
package/lib/cli/setup-auth.js +36 -14
package/lib/cli/setup-credential-deployment.js +22 -8
package/lib/cli/setup-dev-path-commands.js +124 -0
package/lib/cli/setup-dev.js +190 -103
package/lib/cli/setup-environment.js +11 -20
package/lib/cli/setup-external-system.js +62 -22
package/lib/cli/setup-infra.js +139 -47
package/lib/cli/setup-parameters.js +32 -0
package/lib/cli/setup-secrets.js +147 -10
package/lib/cli/setup-service-user.js +146 -20
package/lib/cli/setup-utility.js +47 -19
package/lib/commands/app-down.js +5 -7
package/lib/commands/app-install.js +14 -7
package/lib/commands/app-logs.js +13 -10
package/lib/commands/app-shell.js +4 -1
package/lib/commands/app-test.js +25 -19
package/lib/commands/app.js +22 -10
package/lib/commands/auth-config.js +10 -14
package/lib/commands/auth-status.js +4 -3
package/lib/commands/credential-env.js +4 -3
package/lib/commands/credential-list.js +5 -4
package/lib/commands/credential-push.js +4 -3
package/lib/commands/datasource-unified-test-cli.js +495 -0
package/lib/commands/datasource-unified-test-cli.options.js +149 -0
package/lib/commands/datasource-validation-cli.js +129 -0
package/lib/commands/datasource.js +123 -71
package/lib/commands/deployment-list.js +6 -5
package/lib/commands/dev-cli-handlers.js +122 -18
package/lib/commands/dev-down.js +4 -3
package/lib/commands/dev-init.js +231 -116
package/lib/commands/dev-show-display.js +473 -0
package/lib/commands/login-credentials.js +3 -2
package/lib/commands/login-device.js +4 -3
package/lib/commands/login.js +5 -4
package/lib/commands/logout.js +8 -7
package/lib/commands/parameters-validate.js +54 -0
package/lib/commands/repair-datasource.js +314 -68
package/lib/commands/repair-env-template.js +16 -10
package/lib/commands/repair-rbac.js +25 -19
package/lib/commands/repair.js +116 -32
package/lib/commands/secrets-list.js +23 -12
package/lib/commands/secrets-remove-all.js +220 -0
package/lib/commands/secrets-remove.js +22 -13
package/lib/commands/secrets-set.js +21 -12
package/lib/commands/secrets-validate.js +20 -7
package/lib/commands/secure.js +10 -9
package/lib/commands/service-user.js +243 -13
package/lib/commands/test-e2e-external.js +27 -1
package/lib/commands/up-common.js +28 -2
package/lib/commands/up-dataplane.js +31 -18
package/lib/commands/up-miso.js +19 -29
package/lib/commands/upload.js +138 -39
package/lib/commands/wizard-core-helpers.js +1 -1
package/lib/commands/wizard-dataplane.js +4 -3
package/lib/commands/wizard-helpers.js +3 -3
package/lib/commands/wizard.js +2 -2
package/lib/core/admin-secrets.js +16 -5
package/lib/core/audit-logger.js +12 -4
package/lib/core/config-attach-extensions.js +46 -0
package/lib/core/config-runtime-paths.js +29 -0
package/lib/core/config.js +59 -58
package/lib/core/diff.js +3 -2
package/lib/core/ensure-encryption-key.js +2 -4
package/lib/core/secrets-ensure-infra.js +77 -0
package/lib/core/secrets-ensure.js +120 -64
package/lib/core/secrets-env-write.js +35 -7
package/lib/core/secrets-infra-placeholder-sync.js +61 -0
package/lib/core/secrets.js +228 -42
package/lib/core/templates-env.js +4 -3
package/lib/core/templates.js +1 -1
package/lib/datasource/abac-validator.js +148 -0
package/lib/datasource/deploy.js +75 -53
package/lib/datasource/field-reference-validator.js +77 -36
package/lib/datasource/integration-context.js +63 -0
package/lib/datasource/list.js +8 -7
package/lib/datasource/log-viewer.js +252 -0
package/lib/datasource/resolve-app.js +109 -0
package/lib/datasource/test-e2e.js +95 -155
package/lib/datasource/test-integration.js +121 -109
package/lib/datasource/unified-validation-run-body.js +65 -0
package/lib/datasource/unified-validation-run-post.js +23 -0
package/lib/datasource/unified-validation-run-resolve.js +43 -0
package/lib/datasource/unified-validation-run.js +92 -0
package/lib/datasource/validate.js +162 -15
package/lib/deployment/deployer.js +4 -3
package/lib/deployment/environment.js +7 -6
package/lib/deployment/push.js +17 -8
package/lib/external-system/delete.js +4 -3
package/lib/external-system/deploy.js +131 -53
package/lib/external-system/download-helpers.js +1 -1
package/lib/external-system/download.js +7 -6
package/lib/external-system/generator.js +104 -14
package/lib/external-system/integration-test-dispatch.js +26 -0
package/lib/external-system/test-execution.js +5 -1
package/lib/external-system/test-helpers.js +0 -4
package/lib/external-system/test-system-level-helpers.js +110 -0
package/lib/external-system/test-system-level.js +83 -44
package/lib/external-system/test.js +59 -8
package/lib/generator/builders.js +23 -11
package/lib/generator/deploy-manifest-azure-kv.js +81 -0
package/lib/generator/external-controller-manifest.js +3 -3
package/lib/generator/external.js +23 -11
package/lib/generator/helpers.js +71 -12
package/lib/generator/index.js +8 -4
package/lib/generator/split-readme.js +12 -7
package/lib/generator/split-variables.js +2 -1
package/lib/generator/split.js +46 -11
package/lib/generator/wizard-readme.js +3 -3
package/lib/generator/wizard.js +16 -13
package/lib/infrastructure/compose.js +60 -6
package/lib/infrastructure/helpers.js +238 -51
package/lib/infrastructure/index.js +64 -37
package/lib/infrastructure/services.js +21 -15
package/lib/internal/fs-real-sync.js +104 -0
package/lib/internal/node-fs.js +98 -0
package/lib/parameters/database-secret-values.js +173 -0
package/lib/parameters/infra-kv-discovery.js +121 -0
package/lib/parameters/infra-parameter-catalog.js +458 -0
package/lib/parameters/infra-parameter-validate.js +64 -0
package/lib/schema/application-schema.json +37 -17
package/lib/schema/datasource-test-run.schema.json +493 -0
package/lib/schema/deployment-rules.yaml +102 -63
package/lib/schema/external-datasource.schema.json +1201 -433
package/lib/schema/external-system.schema.json +181 -5
package/lib/schema/flag-map-validation-run.json +31 -0
package/lib/schema/infra-parameter.schema.json +106 -0
package/lib/schema/infra.parameter.yaml +421 -0
package/lib/schema/type/credential-auth-templates.json +40 -0
package/lib/schema/type/document-storage.json +213 -0
package/lib/schema/type/message-service.json +123 -0
package/lib/schema/type/vector-store.json +88 -0
package/lib/utils/aifabrix-runtime-config-dir.js +132 -0
package/lib/utils/api-error-handler.js +2 -2
package/lib/utils/api.js +49 -14
package/lib/utils/app-config-resolver.js +23 -1
package/lib/utils/app-register-api.js +3 -2
package/lib/utils/app-register-auth.js +1 -1
package/lib/utils/app-register-config.js +4 -4
package/lib/utils/app-register-display.js +3 -2
package/lib/utils/app-register-validator.js +3 -2
package/lib/utils/app-run-containers.js +26 -22
package/lib/utils/app-scoped-config.js +31 -0
package/lib/utils/app-service-env-from-builder.js +164 -0
package/lib/utils/build-copy.js +1 -1
package/lib/utils/build-helpers.js +20 -20
package/lib/utils/build-resolve-image.js +165 -0
package/lib/utils/cli-layout-chalk.js +8 -0
package/lib/utils/cli-test-layout-chalk.js +267 -0
package/lib/utils/cli-utils.js +88 -11
package/lib/utils/compose-db-passwords.js +138 -0
package/lib/utils/compose-generate-docker-compose.js +216 -0
package/lib/utils/compose-generator.js +197 -291
package/lib/utils/compose-miso-env.js +18 -0
package/lib/utils/compose-traefik-ingress-base.js +158 -0
package/lib/utils/config-paths.js +209 -6
package/lib/utils/config-scoped-resources-preference.js +41 -0
package/lib/utils/controller-deployment-outcome.js +68 -0
package/lib/utils/credential-display.js +2 -2
package/lib/utils/credential-secrets-env.js +16 -1
package/lib/utils/dataplane-pipeline-warning.js +4 -3
package/lib/utils/datasource-test-run-capability-scope.js +43 -0
package/lib/utils/datasource-test-run-debug-display.js +137 -0
package/lib/utils/datasource-test-run-debug-slice.js +93 -0
package/lib/utils/datasource-test-run-display.js +442 -0
package/lib/utils/datasource-test-run-exit.js +58 -0
package/lib/utils/datasource-test-run-legacy-adapter.js +93 -0
package/lib/utils/datasource-test-run-report-version.js +51 -0
package/lib/utils/datasource-test-run-schema-sync.js +59 -0
package/lib/utils/datasource-test-run-tty-log.js +81 -0
package/lib/utils/datasource-validation-watch.js +266 -0
package/lib/utils/declarative-url-ports.js +47 -0
package/lib/utils/derive-env-key-from-client-id.js +41 -0
package/lib/utils/dev-ca-install.js +185 -23
package/lib/utils/dev-cert-helper.js +266 -17
package/lib/utils/dev-hosts-helper.js +307 -0
package/lib/utils/dev-init-cert-hints.js +37 -0
package/lib/utils/dev-init-health-messages.js +52 -0
package/lib/utils/dev-init-resolve.js +86 -0
package/lib/utils/dev-init-ssh-merge.js +65 -0
package/lib/utils/dev-ssh-config-helper.js +196 -0
package/lib/utils/dev-user-groups.js +93 -0
package/lib/utils/docker-build.js +42 -17
package/lib/utils/docker-exec.js +28 -0
package/lib/utils/docker-manifest-public-port.js +116 -0
package/lib/utils/docker-not-running-hint.js +52 -0
package/lib/utils/docker.js +98 -11
package/lib/utils/ensure-dev-certs-for-remote-docker.js +192 -0
package/lib/utils/env-config-loader.js +10 -91
package/lib/utils/env-copy.js +19 -10
package/lib/utils/env-map.js +42 -11
package/lib/utils/env-template.js +2 -2
package/lib/utils/environment-scoped-resources.js +144 -0
package/lib/utils/error-formatter.js +125 -9
package/lib/utils/error-formatters/http-status-errors.js +6 -5
package/lib/utils/error-formatters/network-errors.js +2 -1
package/lib/utils/error-formatters/permission-errors.js +2 -1
package/lib/utils/error-formatters/validation-errors.js +2 -1
package/lib/utils/external-env-template.js +180 -0
package/lib/utils/external-readme.js +8 -1
package/lib/utils/external-system-display.js +277 -136
package/lib/utils/external-system-local-test-tty.js +389 -0
package/lib/utils/external-system-readiness-core.js +377 -0
package/lib/utils/external-system-readiness-deploy-display.js +270 -0
package/lib/utils/external-system-readiness-display-internals.js +150 -0
package/lib/utils/external-system-readiness-display.js +186 -0
package/lib/utils/external-system-test-helpers.js +24 -6
package/lib/utils/external-system-validators.js +32 -14
package/lib/utils/health-check-url.js +119 -0
package/lib/utils/health-check.js +59 -25
package/lib/utils/help-builder.js +14 -13
package/lib/utils/image-version.js +4 -8
package/lib/utils/infra-containers.js +4 -7
package/lib/utils/infra-env-defaults.js +162 -0
package/lib/utils/infra-status-display.js +167 -0
package/lib/utils/infra-status.js +16 -8
package/lib/utils/local-secrets.js +29 -7
package/lib/utils/paths.js +136 -48
package/lib/utils/port-resolver.js +10 -23
package/lib/utils/redis-env-scope.js +62 -0
package/lib/utils/register-aifabrix-shell-env.js +204 -0
package/lib/utils/remote-builder-validation.js +99 -0
package/lib/utils/remote-dev-auth.js +117 -21
package/lib/utils/remote-docker-env.js +67 -15
package/lib/utils/remote-secrets-loader.js +13 -4
package/lib/utils/resolve-docker-image-ref.js +124 -0
package/lib/utils/schema-loader.js +22 -9
package/lib/utils/secrets-bash-kv.js +25 -0
package/lib/utils/secrets-generator.js +171 -51
package/lib/utils/secrets-helpers.js +70 -59
package/lib/utils/secrets-kv-scope.js +60 -0
package/lib/utils/secrets-utils.js +35 -37
package/lib/utils/secrets-validation.js +3 -1
package/lib/utils/secrets-yaml-preserve.js +109 -0
package/lib/utils/secure-file-permissions.js +91 -0
package/lib/utils/ssh-key-helper.js +4 -2
package/lib/utils/template-helpers.js +2 -2
package/lib/utils/test-log-writer.js +3 -3
package/lib/utils/token-manager.js +37 -5
package/lib/utils/url-declarative-public-base.js +188 -0
package/lib/utils/url-declarative-resolve-build.js +493 -0
package/lib/utils/url-declarative-resolve-load-doc.js +51 -0
package/lib/utils/url-declarative-resolve.js +220 -0
package/lib/utils/url-declarative-token-parse.js +74 -0
package/lib/utils/url-declarative-url-flags.js +50 -0
package/lib/utils/url-declarative-vdir-inactive-env.js +99 -0
package/lib/utils/url-public-path-prefix.js +34 -0
package/lib/utils/urls-local-registry.js +220 -0
package/lib/utils/validation-report-tty-kit.js +77 -0
package/lib/utils/validation-run-poll.js +89 -0
package/lib/utils/validation-run-post-retry.js +73 -0
package/lib/utils/validation-run-request.js +98 -0
package/lib/utils/variable-transformer.js +21 -4
package/lib/utils/yaml-preserve.js +78 -1
package/lib/validation/datasource-warnings.js +56 -0
package/lib/validation/env-template-auth.js +50 -2
package/lib/validation/external-manifest-validator.js +35 -7
package/lib/validation/validate-display.js +37 -31
package/lib/validation/validate.js +9 -10
package/lib/validation/validator-unresolved-placeholders.js +98 -0
package/lib/validation/validator.js +32 -78
package/lib/validation/wizard-config-validator.js +2 -1
package/package.json +11 -3
package/scripts/check-datasource-test-run-schema-sync.js +34 -0
package/scripts/diagnose-cli.js +150 -0
package/scripts/install-local.js +304 -55
package/templates/README.md +15 -2
package/templates/applications/dataplane/application.yaml +52 -2
package/templates/applications/dataplane/env.template +80 -18
package/templates/applications/dataplane/rbac.yaml +8 -0
package/templates/applications/keycloak/application.yaml +9 -1
package/templates/applications/keycloak/env.template +15 -6
package/templates/applications/miso-controller/application.yaml +10 -2
package/templates/applications/miso-controller/env.template +55 -14
package/templates/applications/miso-controller/rbac.yaml +5 -0
package/templates/external-system/README.md.hbs +20 -7
package/templates/external-system/deploy.js.hbs +5 -5
package/templates/external-system/env.template.hbs +22 -0
package/templates/external-system/external-datasource.yaml.hbs +197 -118
package/templates/infra/compose.yaml.hbs +20 -4
package/templates/python/docker-compose.hbs +16 -0
package/templates/typescript/docker-compose.hbs +16 -0
package/integration/hubspot/README.md +0 -102
package/integration/hubspot/env.template +0 -4
package/integration/hubspot/hubspot-datasource-company.json +0 -541
package/integration/hubspot/hubspot-datasource-contact.json +0 -639
package/integration/hubspot/hubspot-datasource-deal.json +0 -588
package/integration/hubspot/hubspot-datasource-users.json +0 -116
package/integration/hubspot/test-artifacts/wizard-invalid-missing-source.yaml +0 -2
package/integration/hubspot/test-artifacts/wizard-valid-for-dimension-key-test.yaml +0 -5
package/integration/hubspot/test-artifacts/wizard-valid-for-dimension-path-test.yaml +0 -5
package/lib/api/external-test.api.js +0 -111
package/lib/schema/env-config.yaml +0 -43
/package/integration/{hubspot → hubspot-test}/companies.json +0 -0
/package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-app-name.yaml +0 -0
/package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-missing-app.yaml +0 -0
/package/integration/{hubspot → hubspot-test}/test-dataplane-down-helpers.js +0 -0

package/lib/cli/setup-infra.js CHANGED Viewed

@@ -1,3 +1,4 @@
+const { formatSuccessLine } = require('../utils/cli-test-layout-chalk');
 /**
  * CLI infrastructure command setup (up-infra, up-platform, up-miso, up-dataplane, down-infra, doctor, status, restart).
  *
@@ -17,6 +18,23 @@ const { resolveControllerUrl } = require('../utils/controller-url');
 const { handleLogin } = require('../commands/login');
 const { handleUpMiso } = require('../commands/up-miso');
 const { handleUpDataplane } = require('../commands/up-dataplane');
+const { cleanBuilderAppDirs } = require('../commands/up-common');
+const {
+  loadInfraStatusSummary,
+  formatInfraStatusTitleLine,
+  logInfraStatusConfigurationSummary,
+  logPaddedFieldRow
+} = require('../utils/infra-status-display');
+const UP_INFRA_HELP_AFTER = `
+Typical sequence:
+  $ aifabrix up-infra
+  $ aifabrix up-platform
+  Or: aifabrix up-miso, then aifabrix up-dataplane (login required for dataplane)
+Full bootstrap example (Traefik, TLS flag, pgAdmin, catalog overrides — matches shipped defaults in infra.parameter.yaml):
+  $ aifabrix up-infra --traefik --tls --adminPassword admin123 --adminEmail admin@aifabrix.dev --userPassword user123 --pgAdmin
+`;
 /**
  * Persists optional service flag to config when explicitly set.
@@ -28,7 +46,29 @@ const { handleUpDataplane } = require('../commands/up-dataplane');
 async function persistOptionalServiceFlag(cfg, key, value, label) {
   cfg[key] = value;
   await config.saveConfig(cfg);
-  logger.log(chalk.green(`✓ ${label} ${value ? 'enabled' : 'disabled'} and saved to config`));
+  logger.log(formatSuccessLine(`${label} ${value ? 'enabled' : 'disabled'} and saved to config`));
+}
+/**
+ * Persists TLS mode for ${TLS_ENABLED} / ${HTTP_ENABLED} in application.yaml / deployment manifest interpolation.
+ * @param {Object} cfg - Config object (mutated)
+ * @param {boolean} value - Whether TLS mode is on
+ */
+async function persistTlsEnabledFlag(cfg, value) {
+  cfg.tlsEnabled = value;
+  await config.saveConfig(cfg);
+  const tlsStr = value ? 'true' : 'false';
+  const httpStr = value ? 'false' : 'true';
+  logger.log(
+    chalk.green(
+      `✔ TLS mode ${value ? 'enabled' : 'disabled'} and saved to config (` +
+        '${TLS_ENABLED}=' +
+        tlsStr +
+        ', ${HTTP_ENABLED}=' +
+        httpStr +
+        ' when generating deployment JSON)'
+    )
+  );
 }
 /**
@@ -45,24 +85,26 @@ function resolveFlag(optValue, cfgValue, defaultWhenUndef = true) {
 }
 /**
- * Runs the up-infra command: resolves developer ID, traefik, pgAdmin, redisAdmin, and starts infra.
- * @param {Object} options - Commander options (developer, traefik, pgAdmin, redisAdmin)
- * @returns {Promise<void>}
+ * @param {Object} options - Commander options
+ * @returns {Promise<number|null>} Developer ID or null
  */
-async function runUpInfraCommand(options) {
-  await config.ensureSecretsEncryptionKey();
-  let developerId = null;
-  if (options.developer) {
-    const id = parseInt(options.developer, 10);
-    if (isNaN(id) || id < 0) {
-      throw new Error('Developer ID must be a non-negative number (0 = default infra, > 0 = developer-specific)');
-    }
-    await config.setDeveloperId(id);
-    process.env.AIFABRIX_DEVELOPERID = id.toString();
-    developerId = id;
-    logger.log(chalk.green(`✓ Developer ID set to ${id}`));
+async function applyDeveloperIdFromUpInfra(options) {
+  if (!options.developer) return null;
+  const id = parseInt(options.developer, 10);
+  if (isNaN(id) || id < 0) {
+    throw new Error('Developer ID must be a non-negative number (0 = default infra, > 0 = developer-specific)');
   }
-  const cfg = await config.getConfig();
+  await config.setDeveloperId(id);
+  process.env.AIFABRIX_DEVELOPERID = id.toString();
+  logger.log(formatSuccessLine(`Developer ID set to ${id}`));
+  return id;
+}
+/**
+ * @param {Object} options
+ * @param {Object} cfg - Mutable config from getConfig()
+ */
+async function persistOptionalInfraFlagsFromCli(options, cfg) {
   const flagSpecs = [
     { opt: options.traefik, key: 'traefik', label: 'Traefik' },
     { opt: options.pgAdmin, key: 'pgadmin', label: 'pgAdmin' },
@@ -73,25 +115,59 @@ async function runUpInfraCommand(options) {
       await persistOptionalServiceFlag(cfg, key, opt, label);
     }
   }
+}
+/**
+ * @param {Object} options
+ * @param {Object} cfg
+ */
+async function maybePersistTlsFromUpInfra(options, cfg) {
+  // Commander maps --no-tls to options.tls === false (not a separate notls flag).
+  if (options.tls === true) await persistTlsEnabledFlag(cfg, true);
+  else if (options.tls === false) await persistTlsEnabledFlag(cfg, false);
+}
+/**
+ * Runs the up-infra command: resolves developer ID, traefik, pgAdmin, redisAdmin, and starts infra.
+ * @param {Object} options - Commander options (developer, traefik, pgAdmin, redisAdmin)
+ * @returns {Promise<void>}
+ */
+async function runUpInfraCommand(options) {
+  await config.ensureSecretsEncryptionKey();
+  const developerId = await applyDeveloperIdFromUpInfra(options);
+  const cfg = await config.getConfig();
+  await persistOptionalInfraFlagsFromCli(options, cfg);
+  await maybePersistTlsFromUpInfra(options, cfg);
+  const adminPass = options.adminPassword || options.adminPwd;
+  const tlsEnabledEffective = cfg.tlsEnabled === true;
   await infra.startInfra(developerId, {
     traefik: resolveFlag(options.traefik, cfg.traefik, false),
     pgadmin: resolveFlag(options.pgAdmin, cfg.pgadmin, true),
     redisCommander: resolveFlag(options.redisAdmin, cfg.redisCommander, true),
-    adminPwd: options.adminPwd
+    adminPassword: adminPass,
+    adminPwd: adminPass,
+    adminEmail: options.adminEmail,
+    userPassword: options.userPassword,
+    tlsEnabled: tlsEnabledEffective
   });
 }
 function setupUpInfraCommand(program) {
   program.command('up-infra')
-    .description('Start local infrastructure: Postgres, Redis, optional pgAdmin, Redis Commander, Traefik')
+    .description('Start Postgres, Redis; optional pgAdmin, Redis Commander, Traefik')
+    .addHelpText('after', UP_INFRA_HELP_AFTER)
     .option('-d, --developer <id>', 'Set developer ID and start infrastructure')
-    .option('--adminPwd <password>', 'Override default admin password for new install (Postgres, pgAdmin, Redis Commander)')
+    .option('--adminPassword <password>', 'Override {{adminPassword}} defaults (Postgres, pgAdmin, Redis Commander, catalog literals)')
+    .option('--adminEmail <email>', 'Override {{adminEmail}} default (e.g. pgAdmin login email)')
+    .option('--userPassword <password>', 'Override {{userPassword}} default (e.g. Keycloak default user password)')
     .option('--pgAdmin', 'Include pgAdmin web UI and save to config')
     .option('--no-pgAdmin', 'Exclude pgAdmin and save to config')
     .option('--redisAdmin', 'Include Redis Commander web UI and save to config')
     .option('--no-redisAdmin', 'Exclude Redis Commander and save to config')
     .option('--traefik', 'Include Traefik reverse proxy and save to config')
     .option('--no-traefik', 'Exclude Traefik and save to config')
+    .option('--tls', 'Enable TLS mode; save tlsEnabled (${TLS_ENABLED}=true, ${HTTP_ENABLED}=false in application.yaml)')
+    .option('--no-tls', 'Disable TLS mode (${TLS_ENABLED}=false, ${HTTP_ENABLED}=true)')
     .action(async(options) => {
       try {
         await runUpInfraCommand(options);
@@ -104,12 +180,16 @@ function setupUpInfraCommand(program) {
 function setupUpPlatformCommand(program) {
   program.command('up-platform')
-    .description('Start platform (Keycloak, Miso Controller, Dataplane) from community images; infra must be up')
+    .description('Start Keycloak, Miso Controller, dataplane from images (needs up-infra)')
     .option('-r, --registry <url>', 'Override registry for all apps (e.g. myacr.azurecr.io)')
     .option('--registry-mode <mode>', 'Override registry mode (acr|external)')
     .option('-i, --image <key>=<value>', 'Override image (e.g. keycloak=myreg/k:v1, miso-controller=myreg/m:v1, dataplane=myreg/d:v1); can be repeated', (v, prev) => (prev || []).concat([v]))
+    .option('-f, --force', 'Clean builder/keycloak, builder/miso-controller, builder/dataplane and re-fetch from templates')
     .action(async(options) => {
       try {
+        if (options.force) {
+          await cleanBuilderAppDirs(['keycloak', 'miso-controller', 'dataplane']);
+        }
         await handleUpMiso(options);
         await handleUpDataplane(options);
       } catch (error) {
@@ -133,12 +213,16 @@ function setupUpPlatformCommand(program) {
 function setupUpMisoCommand(program) {
   program.command('up-miso')
-    .description('Install keycloak and miso-controller from images (no build). Infra must be up. For dataplane use up-dataplane. Uses auto-generated secrets for testing.')
+    .description('Start Keycloak + Miso Controller from images only (no dataplane; needs up-infra)')
     .option('-r, --registry <url>', 'Override registry for all apps (e.g. myacr.azurecr.io)')
     .option('--registry-mode <mode>', 'Override registry mode (acr|external)')
     .option('-i, --image <key>=<value>', 'Override image (e.g. keycloak=myreg/k:v1, miso-controller=myreg/m:v1); can be repeated', (v, prev) => (prev || []).concat([v]))
+    .option('-f, --force', 'Clean builder/keycloak and builder/miso-controller and re-fetch from templates')
     .action(async(options) => {
       try {
+        if (options.force) {
+          await cleanBuilderAppDirs(['keycloak', 'miso-controller']);
+        }
         await handleUpMiso(options);
       } catch (error) {
         handleCommandError(error, 'up-miso');
@@ -149,12 +233,16 @@ function setupUpMisoCommand(program) {
 function setupUpDataplaneCommand(program) {
   program.command('up-dataplane')
-    .description('Register, deploy, then run dataplane app locally in dev (always local deployment; requires login, environment must be dev)')
+    .description('Register, deploy, run dataplane locally (dev env; login required)')
     .option('-r, --registry <url>', 'Override registry for dataplane image')
     .option('--registry-mode <mode>', 'Override registry mode (acr|external)')
     .option('-i, --image <ref>', 'Override dataplane image reference (e.g. myreg/dataplane:latest)')
+    .option('-f, --force', 'Clean builder/dataplane and re-fetch from templates')
     .action(async(options) => {
       try {
+        if (options.force) {
+          await cleanBuilderAppDirs(['dataplane']);
+        }
         await handleUpDataplane(options);
       } catch (error) {
         if (isAuthenticationError(error)) {
@@ -176,8 +264,8 @@ function setupUpDataplaneCommand(program) {
 }
 function setupDownInfraCommand(program) {
-  program.command('down-infra [app]')
-    .description('Stop and remove local infrastructure services or a specific application')
+  program.command('down-infra [service|app]')
+    .description('Stop all infra, or stop one app; use -v to remove volumes')
     .option('-v, --volumes', 'Remove volumes (deletes all data)')
     .action(async(appName, options) => {
       try {
@@ -196,14 +284,14 @@ function setupDownInfraCommand(program) {
 function setupDoctorCommand(program) {
   program.command('doctor')
-    .description('Check environment and configuration')
+    .description('Check Docker, ports, secrets, and infra health')
     .action(async() => {
       try {
         const result = await validator.checkEnvironment();
         logger.log('\n🔍 AI Fabrix Environment Check\n');
-        logger.log(`Docker: ${result.docker === 'ok' ? '✅ Running' : '❌ Not available'}`);
-        logger.log(`Ports: ${result.ports === 'ok' ? '✅ Available' : '⚠️  Some ports in use'}`);
-        logger.log(`Secrets: ${result.secrets === 'ok' ? '✅ Configured' : '❌ Missing'}`);
+        logger.log(`Docker: ${result.docker === 'ok' ? '✔ Running' : '✖ Not available'}`);
+        logger.log(`Ports: ${result.ports === 'ok' ? '✔ Available' : '⚠  Some ports in use'}`);
+        logger.log(`Secrets: ${result.secrets === 'ok' ? '✔ Configured' : '✖ Missing'}`);
         if (result.recommendations.length > 0) {
           logger.log('\n📋 Recommendations:');
           result.recommendations.forEach(rec => logger.log(`  • ${rec}`));
@@ -218,7 +306,7 @@ function setupDoctorCommand(program) {
             });
             logger.log('\n🏥 Infrastructure Health:');
             Object.entries(health).forEach(([service, status]) => {
-              const icon = status === 'healthy' ? '✅' : status === 'unknown' ? '❓' : '❌';
+              const icon = status === 'healthy' ? '✔' : status === 'unknown' ? '❓' : '✖';
               logger.log(`  ${icon} ${service}: ${status}`);
             });
           } catch (error) {
@@ -235,17 +323,21 @@ function setupDoctorCommand(program) {
 function setupStatusCommand(program) {
   program.command('status')
-    .description('Show detailed infrastructure service status and running applications')
+    .description('Show infra services and running apps (ports, URLs)')
     .action(async() => {
       try {
+        const summary = await loadInfraStatusSummary();
         const status = await infra.getInfraStatus();
-        logger.log('\n📊 Infrastructure Status\n');
+        logger.log('');
+        logger.log(formatInfraStatusTitleLine(summary.devIdStr, summary.remoteServer));
+        logger.log('');
+        logInfraStatusConfigurationSummary(summary);
         Object.entries(status).forEach(([service, info]) => {
-          const icon = String(info.status).trim().toLowerCase() === 'running' ? '✅' : '❌';
-          logger.log(`${icon} ${service}:`);
-          logger.log(`   Status: ${info.status}`);
-          logger.log(`   Port: ${info.port}`);
-          logger.log(`   URL: ${info.url}`);
+          const icon = String(info.status).trim().toLowerCase() === 'running' ? '✔' : '✖';
+          logger.log(`${icon} ${service}`);
+          logPaddedFieldRow('Status', info.status);
+          logPaddedFieldRow('Port', info.port);
+          logPaddedFieldRow('URL', info.url);
           logger.log('');
         });
         const apps = await infra.getAppStatus();
@@ -253,12 +345,12 @@ function setupStatusCommand(program) {
           logger.log('📱 Running Applications\n');
           apps.forEach((appInfo) => {
             const s = String(appInfo.status).trim().toLowerCase();
-            const icon = s.includes('running') || s.includes('up') ? '✅' : '❌';
-            logger.log(`${icon} ${appInfo.name}:`);
-            logger.log(`   Container: ${appInfo.container}`);
-            logger.log(`   Port: ${appInfo.port}`);
-            logger.log(`   Status: ${appInfo.status}`);
-            logger.log(`   URL: ${appInfo.url}`);
+            const icon = s.includes('running') || s.includes('up') ? '✔' : '✖';
+            logger.log(`${icon} ${appInfo.name}`);
+            logPaddedFieldRow('Container', appInfo.container);
+            logPaddedFieldRow('Port', appInfo.port);
+            logPaddedFieldRow('Status', appInfo.status);
+            logPaddedFieldRow('URL', appInfo.url);
             logger.log('');
           });
         }
@@ -272,16 +364,16 @@ function setupStatusCommand(program) {
 const INFRA_SERVICES = ['postgres', 'redis', 'pgadmin', 'redis-commander', 'traefik'];
 function setupRestartCommand(program) {
-  program.command('restart <service>')
-    .description('Restart an infrastructure service or a Docker application (builder/<app>)')
+  program.command('restart <service|app>')
+    .description('Restart infra service (postgres, redis, …) or a builder/<app> container')
     .action(async(service) => {
       try {
         if (INFRA_SERVICES.includes(service)) {
           await infra.restartService(service);
-          logger.log(`✅ ${service} service restarted successfully`);
+          logger.log(`✔ ${service} service restarted successfully`);
         } else {
           await appLib.restartApp(service);
-          logger.log(`✅ ${service} restarted successfully`);
+          logger.log(`✔ ${service} restarted successfully`);
         }
       } catch (error) {
         handleCommandError(error, 'restart');

package/lib/cli/setup-parameters.js ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * @fileoverview parameters subcommand (validate kv:// catalog coverage)
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+const { handleCommandError } = require('../utils/cli-utils');
+const { handleParametersValidate } = require('../commands/parameters-validate');
+/**
+ * @param {import('commander').Command} program - Commander program
+ */
+function setupParametersCommands(program) {
+  const parameters = program
+    .command('parameters')
+    .description('Infra parameter catalog (kv:// keys, generators, Azure naming hints)');
+  parameters
+    .command('validate')
+    .description('Check env.template kv:// references against lib/schema/infra.parameter.yaml')
+    .option('--catalog <path>', 'Override path to infra.parameter.yaml')
+    .action(async(opts) => {
+      try {
+        const result = await handleParametersValidate({ catalogPath: opts.catalog });
+        if (!result.valid) process.exit(1);
+      } catch (error) {
+        handleCommandError(error, 'parameters validate');
+      }
+    });
+}
+module.exports = { setupParametersCommands };

package/lib/cli/setup-secrets.js CHANGED Viewed

@@ -6,20 +6,115 @@
  * @version 2.0.0
  */
+const { formatSuccessLine } = require('../utils/cli-test-layout-chalk');
 const { handleCommandError } = require('../utils/cli-utils');
 const { handleSecretsSet } = require('../commands/secrets-set');
 const { handleSecretsList } = require('../commands/secrets-list');
 const { handleSecretsRemove } = require('../commands/secrets-remove');
 const { handleSecretsValidate } = require('../commands/secrets-validate');
 const { handleSecure } = require('../commands/secure');
+const config = require('../core/config');
+const logger = require('../utils/logger');
+const SECRET_GROUP_HELP_AFTER = `
+Subcommands:
+  list, set, remove, remove-all   User secrets.local.yaml (add --shared for shared/remote)
+  set-secrets-file      Point config at a shared secrets file or https URL
+  validate              YAML structure (+ optional --naming)
+Also: aifabrix secure   Encrypt secrets.local.yaml (ISO 27001)
+Examples:
+  $ aifabrix secret list
+  $ aifabrix secret set myapp/clientSecret "your-value"
+  $ aifabrix secret remove old-key
+  $ aifabrix secret remove-all
+  $ aifabrix secret validate
+Shared over https: key BASH_NPM_TOKEN --shared → NPM_TOKEN available in terminal (exported).
+`;
+const SECRET_LIST_HELP_AFTER = `
+Examples:
+  $ aifabrix secret list
+  $ aifabrix secret list --shared
+`;
+const SECRET_SET_HELP_AFTER = `
+Examples:
+  $ aifabrix secret set myapp/clientSecret "your-secret"
+  $ aifabrix secret set hubspot/apiKey "$HUBSPOT_KEY"
+  $ aifabrix secret set team/shared-token "value" --shared
+  $ aifabrix secret set BASH_NPM_TOKEN "$NPM_TOKEN" --shared
+With https aifabrix-secrets: keys named BASH_<NAME> --shared expose <NAME> in your
+  terminal as an exported env var (e.g. BASH_NPM_TOKEN → NPM_TOKEN).
+`;
+const SECRET_REMOVE_HELP_AFTER = `
+Examples:
+  $ aifabrix secret remove deprecated-key
+  $ aifabrix secret remove shared-key --shared
+`;
+const SECRET_REMOVE_ALL_HELP_AFTER = `
+You will be asked to type "yes" to confirm unless you pass --yes.
+Examples:
+  $ aifabrix secret remove-all
+  $ aifabrix secret remove-all --yes
+  $ aifabrix secret remove-all --shared
+  $ aifabrix secret remove-all --shared --yes
+`;
+const SECRET_SET_SECRETS_FILE_HELP_AFTER = `
+Examples:
+  $ aifabrix secret set-secrets-file ./shared-secrets.yaml
+  $ aifabrix secret set-secrets-file https://dev.example.com/api/secrets
+  $ aifabrix secret set-secrets-file ""
+`;
+const SECRET_VALIDATE_HELP_AFTER = `
+Examples:
+  $ aifabrix secret validate
+  $ aifabrix secret validate ./secrets.local.yaml
+  $ aifabrix secret validate --naming
+`;
+const SECURE_HELP_AFTER = `
+Examples:
+  $ aifabrix secure
+  $ aifabrix secure --secrets-encryption <32-byte-hex-or-base64>
+`;
+function setupSecretRemoveAllCommand(secretCmd) {
+  const { handleSecretsRemoveAll } = require('../commands/secrets-remove-all');
+  secretCmd
+    .command('remove-all')
+    .description('Remove all secret keys (requires typing "yes" unless --yes)')
+    .addHelpText('after', SECRET_REMOVE_ALL_HELP_AFTER)
+    .option('--shared', 'Remove all from shared secrets (file or remote API)')
+    .option('-y, --yes', 'Skip confirmation prompt (non-interactive / scripts)')
+    .action(async options => {
+      try {
+        await config.ensureSecretsEncryptionKey();
+        await handleSecretsRemoveAll(options);
+      } catch (error) {
+        handleCommandError(error, 'secret remove-all');
+        process.exit(1);
+      }
+    });
+}
 function setupSecretValidateCommand(secretCmd) {
   secretCmd
     .command('validate [path]')
     .description('Validate secrets file (YAML structure and optional naming convention)')
+    .addHelpText('after', SECRET_VALIDATE_HELP_AFTER)
     .option('--naming', 'Check key names against *KeyVault convention')
     .action(async(pathArg, options) => {
       try {
+        await config.ensureSecretsEncryptionKey();
         const result = await handleSecretsValidate(pathArg, options);
         if (!result.valid) process.exit(1);
       } catch (error) {
@@ -29,6 +124,26 @@ function setupSecretValidateCommand(secretCmd) {
     });
 }
+/**
+ * Registers the secure command on the program.
+ * @param {Command} program - Commander program instance
+ */
+function setupSecureCommand(program) {
+  program.command('secure')
+    .description('Encrypt secrets.local.yaml at rest (ISO 27001)')
+    .addHelpText('after', SECURE_HELP_AFTER)
+    .option('--secrets-encryption <key>', 'Encryption key (32 bytes, hex or base64)')
+    .action(async(options) => {
+      try {
+        await config.ensureSecretsEncryptionKey();
+        await handleSecure(options);
+      } catch (error) {
+        handleCommandError(error, 'secure');
+        process.exit(1);
+      }
+    });
+}
 /**
  * Sets up secrets and security commands
  * @param {Command} program - Commander program instance
@@ -36,14 +151,17 @@ function setupSecretValidateCommand(secretCmd) {
 function setupSecretsCommands(program) {
   const secretCmd = program
     .command('secret')
-    .description('Manage secrets in secrets files');
+    .description('User and shared secrets (list, set, remove, remove-all, validate)')
+    .addHelpText('after', SECRET_GROUP_HELP_AFTER);
   secretCmd
     .command('list')
-    .description('List secret keys (user or shared; use --shared for shared)')
+    .description('List secret keys (--shared for shared/remote)')
+    .addHelpText('after', SECRET_LIST_HELP_AFTER)
     .option('--shared', 'List shared secrets (from config aifabrix-secrets or remote API)')
     .action(async(options) => {
       try {
+        await config.ensureSecretsEncryptionKey();
         await handleSecretsList(options);
       } catch (error) {
         handleCommandError(error, 'secret list');
@@ -53,10 +171,12 @@ function setupSecretsCommands(program) {
   secretCmd
     .command('set <key> <value>')
-    .description('Set a secret value in secrets file')
+    .description('Set a secret value')
+    .addHelpText('after', SECRET_SET_HELP_AFTER)
     .option('--shared', 'Save to general secrets file (from config.yaml aifabrix-secrets) instead of user secrets')
     .action(async(key, value, options) => {
       try {
+        await config.ensureSecretsEncryptionKey();
         await handleSecretsSet(key, value, options);
       } catch (error) {
         handleCommandError(error, 'secret set');
@@ -66,10 +186,12 @@ function setupSecretsCommands(program) {
   secretCmd
     .command('remove <key>')
-    .description('Remove a secret by key')
+    .description('Remove a secret key')
+    .addHelpText('after', SECRET_REMOVE_HELP_AFTER)
     .option('--shared', 'Remove from shared secrets (file or remote API)')
     .action(async(key, options) => {
       try {
+        await config.ensureSecretsEncryptionKey();
         await handleSecretsRemove(key, options);
       } catch (error) {
         handleCommandError(error, 'secret remove');
@@ -77,16 +199,31 @@ function setupSecretsCommands(program) {
       }
     });
+  setupSecretRemoveAllCommand(secretCmd);
+  setupSecretSetSecretsFileCommand(secretCmd);
   setupSecretValidateCommand(secretCmd);
+  setupSecureCommand(program);
+}
-  program.command('secure')
-    .description('Encrypt secrets in secrets.local.yaml files for ISO 27001 compliance')
-    .option('--secrets-encryption <key>', 'Encryption key (32 bytes, hex or base64)')
-    .action(async(options) => {
+/**
+ * Register secret set-secrets-file command.
+ * @param {Command} secretCmd - secret command group
+ */
+function setupSecretSetSecretsFileCommand(secretCmd) {
+  secretCmd
+    .command('set-secrets-file <path>')
+    .description('Set shared secrets path in config (file or https; empty clears; not validated)')
+    .addHelpText('after', SECRET_SET_SECRETS_FILE_HELP_AFTER)
+    .action(async(secretsPath) => {
       try {
-        await handleSecure(options);
+        const trimmed = (secretsPath || '').trim();
+        if (trimmed !== '' && trimmed.startsWith('http://')) {
+          throw new Error('Only https URLs are allowed for remote secrets');
+        }
+        await config.setSecretsPath(trimmed);
+        logger.log(trimmed === '' ? formatSuccessLine('Secrets file path cleared') : formatSuccessLine(`Secrets file path set to ${trimmed}`));
       } catch (error) {
-        handleCommandError(error, 'secure');
+        handleCommandError(error, 'secret set-secrets-file');
         process.exit(1);
       }
     });