@aifabrix/builder 2.42.1 → 2.44.0

package/lib/commands/repair.js

@@ -12,18 +12,19 @@
 /* eslint-disable max-lines -- Repair flow with auth, normalization, and steps */
 
 'use strict';
+const { formatSuccessLine } = require('../utils/cli-test-layout-chalk');
 
 const path = require('path');
 const fs = require('fs');
 const chalk = require('chalk');
-const yaml = require('js-yaml');
-const { detectAppType } = require('../utils/paths');
-const { resolveApplicationConfigPath } = require('../utils/app-config-resolver');
+const { detectAppType, getDeployJsonPath } = require('../utils/paths');
+const { resolveApplicationConfigPath, resolveRbacPath } = require('../utils/app-config-resolver');
 const { loadConfigFile, writeConfigFile, writeYamlPreservingComments, isYamlPath } = require('../utils/config-format');
 const { systemKeyToKvPrefix, securityKeyToVar } = require('../utils/credential-secrets-env');
 const logger = require('../utils/logger');
 const generator = require('../generator');
 const { repairEnvTemplate, normalizeSystemFileAuthAndConfig } = require('./repair-env-template');
+const { generateReadmeFromDeployJson } = require('../generator/split-readme');
 const { repairDatasourceFile } = require('./repair-datasource');
 const { mergeRbacFromDatasources } = require('./repair-rbac');
 const { discoverIntegrationFiles, buildEffectiveDatasourceFiles } = require('./repair-internal');
@@ -32,6 +33,22 @@ const { normalizeDatasourceKeysAndFilenames } = require('./repair-datasource-key
 /** Allowed authentication methods for repair --auth (matches external-system schema) */
 const ALLOWED_AUTH = ['oauth2', 'aad', 'apikey', 'basic', 'queryParam', 'oidc', 'hmac', 'none'];
 
+/**
+ * README "Files" section should match integration config format on disk (YAML vs JSON).
+ * @param {string} appPath - Integration directory
+ * @returns {string} '.yaml' or '.json'
+ */
+function inferExternalReadmeFileExt(appPath) {
+  try {
+    const configPath = resolveApplicationConfigPath(appPath);
+    const ext = path.extname(configPath).toLowerCase();
+    if (ext === '.yaml' || ext === '.yml') return '.yaml';
+  } catch {
+    /* use default */
+  }
+  return '.json';
+}
+
 /**
  * Extracts roles and permissions from system object for rbac.yaml
  * @param {Object} system - Parsed system config
@@ -249,6 +266,11 @@ function normalizedAuthPartFromConfigName(name, systemKey) {
     const rest = n.slice(kvPrefix.length);
     return rest.toUpperCase().replace(/_/g, '');
   }
+  // Old-style or other KV_* names: treat last segment as var (e.g. KV_HUBSPOT_CLIENTID → CLIENTID)
+  if (n.toUpperCase().startsWith('KV_')) {
+    const parts = n.split('_').filter(Boolean);
+    if (parts.length >= 2) return parts[parts.length - 1].toUpperCase();
+  }
   return n.toUpperCase().replace(/_/g, '');
 }
 
@@ -273,26 +295,25 @@ function removeAuthVarsFromConfiguration(systemParsed, systemKey, dryRun, change
   return true;
 }
 
-function createRbacFromSystemIfNeeded(appPath, systemFilePath, systemParsed, dryRun, changes) {
-  const rbacPath = path.join(appPath, 'rbac.yaml');
-  const rbacYmlPath = path.join(appPath, 'rbac.yml');
-  if (fs.existsSync(rbacPath) || fs.existsSync(rbacYmlPath)) return false;
+function createRbacFromSystemIfNeeded(appPath, systemFilePath, systemParsed, dryRun, changes, format) {
+  if (resolveRbacPath(appPath)) return false;
   const rbacFromSystem = extractRbacFromSystem(systemParsed);
   if (!rbacFromSystem) return false;
   if (!dryRun) {
-    const rbacYaml = yaml.dump(rbacFromSystem, { indent: 2, lineWidth: -1 });
-    fs.writeFileSync(rbacPath, rbacYaml, { mode: 0o644, encoding: 'utf8' });
+    const rbacFormat = format === 'json' ? 'json' : 'yaml';
+    const defaultRbacPath = path.join(appPath, rbacFormat === 'json' ? 'rbac.json' : 'rbac.yaml');
+    writeConfigFile(defaultRbacPath, rbacFromSystem, rbacFormat);
     delete systemParsed.roles;
     delete systemParsed.permissions;
     writeConfigFile(systemFilePath, systemParsed);
   }
   changes.push('Created rbac.yaml from system roles/permissions');
-  changes.push('Removed roles/permissions from system file (now in rbac.yaml)');
+  changes.push('Removed roles/permissions from system file (now in rbac file)');
   return true;
 }
 
 /**
- * Runs datasource repair for each file (dimensions, metadataSchema, optional expose/sync/test).
+ * Runs datasource repair for each file (v2.4 root dimensions, metadataSchema; optional expose/sync/test).
  * @param {string} appPath - Application path
  * @param {string[]} datasourceFiles - Datasource file names
  * @param {Object} options - { expose?: boolean, sync?: boolean, test?: boolean }
@@ -338,13 +359,44 @@ async function regenerateManifest(appName, appPath, changes) {
   }
 }
 
+/**
+ * Regenerates README.md from deployment manifest when options.doc is set.
+ * @param {string} appName - Application name
+ * @param {string} appPath - Application path
+ * @param {Object} options - Options (doc, dryRun)
+ * @param {string[]} changes - Array to append change messages to
+ * @returns {Promise<boolean>} True if README was regenerated
+ */
+async function regenerateReadmeIfRequested(appName, appPath, options, changes) {
+  if (!options.doc) return false;
+  const deployJsonPath = getDeployJsonPath(appName, 'external', true);
+  if (!fs.existsSync(deployJsonPath) && !options.dryRun) {
+    await regenerateManifest(appName, appPath, changes);
+  }
+  if (!fs.existsSync(deployJsonPath)) return false;
+  try {
+    const deployment = JSON.parse(fs.readFileSync(deployJsonPath, 'utf8'));
+    const fileExt = inferExternalReadmeFileExt(appPath);
+    const readmeContent = generateReadmeFromDeployJson(deployment, { fileExt });
+    const readmePath = path.join(appPath, 'README.md');
+    if (!options.dryRun) {
+      fs.writeFileSync(readmePath, readmeContent, { mode: 0o644, encoding: 'utf8' });
+    }
+    changes.push('Regenerated README.md from deployment manifest');
+    return true;
+  } catch (err) {
+    logger.log(chalk.yellow(`⚠ Could not regenerate README: ${err.message}`));
+    return false;
+  }
+}
+
 function persistChangesAndRegenerate(configPath, variables, appName, appPath, changes, originalYamlContent) {
   if (originalYamlContent !== null && originalYamlContent !== undefined && typeof originalYamlContent === 'string' && isYamlPath(configPath)) {
     writeYamlPreservingComments(configPath, originalYamlContent, variables);
   } else {
     writeConfigFile(configPath, variables);
   }
-  logger.log(chalk.green(`✓ Updated ${path.basename(configPath)}`));
+  logger.log(formatSuccessLine(`Updated ${path.basename(configPath)}`));
   changes.forEach(c => logger.log(chalk.gray(`  ${c}`)));
   return regenerateManifest(appName, appPath, changes);
 }
@@ -410,7 +462,7 @@ function runRepairSteps(ctx) {
     ctx.appPath, ctx.datasourceFiles, ctx.systemKey, ctx.dryRun, ctx.changes
   );
   const rbacFileCreated = createRbacFromSystemIfNeeded(
-    ctx.appPath, ctx.systemFilePath, ctx.systemParsed, ctx.dryRun, ctx.changes
+    ctx.appPath, ctx.systemFilePath, ctx.systemParsed, ctx.dryRun, ctx.changes, ctx.format
   );
   const envTemplateRepaired = repairEnvTemplate(
     ctx.appPath, ctx.systemParsed, ctx.systemKey, ctx.dryRun, ctx.changes
@@ -431,7 +483,8 @@ function runRepairSteps(ctx) {
  * @param {string} appName - Application/integration name
  * @param {Object} [options] - Options
  * @param {boolean} [options.dryRun] - If true, only report changes; do not write
- * @returns {Promise<{ updated: boolean, changes: string[], systemFiles: string[], datasourceFiles: string[], appKeyFixed?: boolean, datasourceKeysFixed?: boolean, rbacFileCreated?: boolean, envTemplateRepaired?: boolean, manifestRegenerated?: boolean }>}
+ * @param {boolean} [options.doc] - If true, regenerate README.md from deployment manifest
+ * @returns {Promise<{ updated: boolean, changes: string[], systemFiles: string[], datasourceFiles: string[], appKeyFixed?: boolean, datasourceKeysFixed?: boolean, rbacFileCreated?: boolean, envTemplateRepaired?: boolean, manifestRegenerated?: boolean, readmeRegenerated?: boolean }>}
  */
 /**
  * Loads application config and discovers integration files; validates at least one system file exists.
@@ -453,7 +506,36 @@ function loadConfigAndDiscover(appPath, configPath) {
   return { variables, originalYamlContent, systemFiles, datasourceFiles };
 }
 
-async function repairExternalIntegration(appName, options = {}) {
+/**
+ * Builds the repair result object from steps and flags.
+ * @param {Object} steps - Result of runRepairSteps
+ * @param {boolean} anyUpdated - Whether any repair made changes
+ * @param {boolean} manifestRegenerated - Whether manifest was regenerated
+ * @param {boolean} readmeRegenerated - Whether README was regenerated
+ * @param {{ changes: string[], systemFiles: string[], datasourceFiles: string[] }} ctx - changes and file lists
+ * @returns {Object} Combined result object
+ */
+function buildRepairResult(steps, anyUpdated, manifestRegenerated, readmeRegenerated, ctx) {
+  return Object.assign(
+    { updated: anyUpdated, changes: ctx.changes, systemFiles: ctx.systemFiles, datasourceFiles: ctx.datasourceFiles },
+    {
+      appKeyFixed: steps.appKeyFixed,
+      datasourceKeysFixed: steps.datasourceKeysFixed,
+      rbacFileCreated: steps.rbacFileCreated,
+      envTemplateRepaired: steps.envTemplateRepaired,
+      manifestRegenerated,
+      readmeRegenerated
+    }
+  );
+}
+
+/**
+ * Validates repair inputs and resolves app path and config path.
+ * @param {string} appName - Application name
+ * @param {Object} options - Command options (auth)
+ * @returns {Promise<{ appPath: string, configPath: string, dryRun: boolean, authOption: string|undefined }>}
+ */
+async function validateAndResolveRepairPaths(appName, options) {
   if (!appName || typeof appName !== 'string') throw new Error('App name is required');
   const { dryRun = false, auth: authOption } = options;
   if (authOption !== undefined && authOption !== null && typeof authOption !== 'string') {
@@ -463,6 +545,11 @@ async function repairExternalIntegration(appName, options = {}) {
   if (!isExternal) throw new Error(`App '${appName}' is not an external integration`);
   const configPath = resolveApplicationConfigPath(appPath);
   if (!fs.existsSync(configPath)) throw new Error(`Application config not found: ${configPath}`);
+  return { appPath, configPath, dryRun, authOption };
+}
+
+async function repairExternalIntegration(appName, options = {}) {
+  const { appPath, configPath, dryRun, authOption } = await validateAndResolveRepairPaths(appName, options);
 
   const { variables, originalYamlContent, systemFiles, datasourceFiles: initialDatasourceFiles } = loadConfigAndDiscover(appPath, configPath);
   const changes = [];
@@ -486,30 +573,27 @@ async function repairExternalIntegration(appName, options = {}) {
     datasourceFiles,
     dryRun,
     changes,
-    auth: authOption
+    auth: authOption,
+    format: options.format === 'json' ? 'json' : 'yaml'
   });
-
-  const opts = { expose: Boolean(options.expose), sync: Boolean(options.sync), test: Boolean(options.test) };
-  const datasourceRepairUpdated = runDatasourceRepairs(appPath, datasourceFiles, opts, dryRun, changes);
+  const datasourceRepairUpdated = runDatasourceRepairs(appPath, datasourceFiles, {
+    expose: Boolean(options.expose),
+    sync: Boolean(options.sync),
+    test: Boolean(options.test)
+  }, dryRun, changes);
   const rbacMergeUpdated = options.rbac
-    ? mergeRbacFromDatasources(appPath, systemParsed, datasourceFiles, extractRbacFromSystem, dryRun, changes)
+    ? mergeRbacFromDatasources(appPath, systemParsed, datasourceFiles, extractRbacFromSystem, {
+      format: options.format === 'json' ? 'json' : 'yaml',
+      dryRun,
+      changes
+    })
     : false;
   const anyUpdated = keysNormalized || steps.updated || datasourceRepairUpdated || rbacMergeUpdated;
   const manifestRegenerated = (anyUpdated && !dryRun)
     ? await persistChangesAndRegenerate(configPath, variables, appName, appPath, changes, originalYamlContent)
     : false;
-
-  return {
-    updated: anyUpdated,
-    changes,
-    systemFiles,
-    datasourceFiles,
-    appKeyFixed: steps.appKeyFixed,
-    datasourceKeysFixed: steps.datasourceKeysFixed,
-    rbacFileCreated: steps.rbacFileCreated,
-    envTemplateRepaired: steps.envTemplateRepaired,
-    manifestRegenerated
-  };
+  const readmeRegenerated = await regenerateReadmeIfRequested(appName, appPath, options, changes);
+  return buildRepairResult(steps, anyUpdated, manifestRegenerated, readmeRegenerated, { changes, systemFiles, datasourceFiles });
 }
 
 module.exports = {

package/lib/commands/secrets-list.js

@@ -11,7 +11,7 @@ const chalk = require('chalk');
 const logger = require('../utils/logger');
 const { getAifabrixSecretsPath } = require('../core/config');
 const pathsUtil = require('../utils/paths');
-const { isRemoteSecretsUrl, getRemoteDevAuth } = require('../utils/remote-dev-auth');
+const remoteDevAuth = require('../utils/remote-dev-auth');
 const devApi = require('../api/dev.api');
 
 const REMOTE_NOT_CONFIGURED_MSG = 'Remote server is not configured. Set remote-server and run "aifabrix dev init" first.';
@@ -38,8 +38,8 @@ function listKeysAndValuesFromFile(filePath) {
   }
 }
 
-const KEY_COL_WIDTH = 45;
-const TABLE_SEPARATOR_LENGTH = 120;
+const KEY_COL_WIDTH = 55;
+const TABLE_SEPARATOR_LENGTH = 130;
 
 /**
  * Log a list of secret keys and values as a table (header, column headers, separator, rows).
@@ -70,19 +70,26 @@ function logKeyValueList(emptyMessage, title, items) {
  * @returns {Promise<void>}
  */
 async function listSharedSecrets(generalSecretsPath) {
-  if (isRemoteSecretsUrl(generalSecretsPath)) {
-    const auth = await getRemoteDevAuth();
+  const target = await remoteDevAuth.resolveSharedSecretsEndpoint(generalSecretsPath);
+  if (remoteDevAuth.isRemoteSecretsUrl(target)) {
+    const auth = await remoteDevAuth.getRemoteDevAuth();
     if (!auth) {
       throw new Error(REMOTE_NOT_CONFIGURED_MSG);
     }
-    const items = await devApi.listSecrets(auth.serverUrl, auth.clientCertPem);
+    const items = await devApi.listSecrets(
+      auth.serverUrl,
+      auth.clientCertPem,
+      auth.serverCaPem || undefined,
+      target
+    );
     const keyValues = items.map(i => ({ key: i.name || i.key || '', value: (i.value !== null && i.value !== undefined) ? String(i.value) : '' }));
-    logKeyValueList('No shared secrets (remote).', 'Shared secrets (remote)', keyValues);
+    const { title, emptyMessage } = remoteDevAuth.getSharedSecretsRemoteListLabels(target);
+    logKeyValueList(emptyMessage, title, keyValues);
     return;
   }
-  const resolvedPath = path.isAbsolute(generalSecretsPath)
-    ? generalSecretsPath
-    : path.resolve(process.cwd(), generalSecretsPath);
+  const resolvedPath = path.isAbsolute(target)
+    ? target
+    : path.resolve(process.cwd(), target);
   const keyValues = listKeysAndValuesFromFile(resolvedPath);
   const fileTitle = `Shared secrets (file: ${resolvedPath})`;
   logKeyValueList('No shared secrets in file.', fileTitle, keyValues);
@@ -90,9 +97,13 @@ async function listSharedSecrets(generalSecretsPath) {
 
 /** List user secrets and log key and value. */
 function listUserSecrets() {
-  const userSecretsPath = path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
+  const userSecretsPath = pathsUtil.getPrimaryUserSecretsLocalPath();
   const keyValues = listKeysAndValuesFromFile(userSecretsPath);
-  logKeyValueList('No user secrets.', 'User secrets', keyValues);
+  logKeyValueList(
+    `No user secrets (file: ${userSecretsPath}). Use "aifabrix secret set <KEY> <value>" or resolve/up-infra to populate.`,
+    'User secrets',
+    keyValues
+  );
 }
 
 /**

package/lib/commands/secrets-remove-all.js

@@ -0,0 +1,220 @@
+const { formatSuccessLine } = require('../utils/cli-test-layout-chalk');
+/**
+ * @fileoverview aifabrix secret remove-all – remove every secret (user file, shared file, or remote API)
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const path = require('path');
+const fs = require('fs');
+const readline = require('readline');
+const yaml = require('js-yaml');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { getAifabrixSecretsPath } = require('../core/config');
+const pathsUtil = require('../utils/paths');
+const remoteDevAuth = require('../utils/remote-dev-auth');
+const devApi = require('../api/dev.api');
+
+/**
+ * @param {string} question
+ * @returns {Promise<string>}
+ */
+function promptLine(question) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise(resolve => {
+    rl.question(question, answer => {
+      rl.close();
+      resolve((answer || '').trim());
+    });
+  });
+}
+
+/**
+ * Read secret keys from a YAML secrets file.
+ * @param {string} filePath - Absolute path
+ * @returns {string[]} Sorted unique keys
+ */
+function listKeysFromYamlFile(filePath) {
+  if (!fs.existsSync(filePath)) {
+    return [];
+  }
+  try {
+    const content = fs.readFileSync(filePath, 'utf8');
+    const data = yaml.load(content) || {};
+    if (typeof data !== 'object' || Array.isArray(data)) {
+      return [];
+    }
+    return Object.keys(data).sort((a, b) => a.localeCompare(b, undefined, { sensitivity: 'base' }));
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Write an empty secrets map to file (same options as single-key remove).
+ * @param {string} filePath - Absolute path
+ */
+function writeEmptySecretsFile(filePath) {
+  const yamlContent = yaml.dump({}, { indent: 2, lineWidth: -1, noRefs: true, sortKeys: false });
+  fs.writeFileSync(filePath, yamlContent, { mode: 0o600 });
+}
+
+/**
+ * @param {boolean} skipPrompt - When true (--yes), skip confirmation
+ * @param {string} whereLabel - Human-readable target
+ * @param {number} count - Number of keys
+ * @returns {Promise<boolean>}
+ */
+async function confirmRemoveAll(skipPrompt, whereLabel, count) {
+  if (skipPrompt) {
+    return true;
+  }
+  logger.log(chalk.yellow(`\nThis will permanently remove all ${count} secret key(s) from ${whereLabel}.`));
+  logger.log(chalk.gray('This cannot be undone.\n'));
+  const answer = (await promptLine(chalk.bold('Type "yes" to confirm (anything else cancels): '))).toLowerCase();
+  return answer === 'yes';
+}
+
+/**
+ * @param {Object} auth - Remote dev auth (serverUrl, clientCertPem, serverCaPem)
+ * @param {string} target - Secrets endpoint URL
+ * @returns {Promise<string[]>}
+ */
+async function listRemoteSecretKeys(auth, target) {
+  const items = await devApi.listSecrets(
+    auth.serverUrl,
+    auth.clientCertPem,
+    auth.serverCaPem || undefined,
+    target
+  );
+  return (Array.isArray(items) ? items : [])
+    .map(i => i.name || i.key || '')
+    .filter(k => typeof k === 'string' && k.length > 0)
+    .sort((a, b) => a.localeCompare(b, undefined, { sensitivity: 'base' }));
+}
+
+/**
+ * @param {string} target - Secrets endpoint URL
+ * @returns {string}
+ */
+function labelForRemoteSharedSecrets(target) {
+  const host = remoteDevAuth.getSharedSecretsRemoteHostname(target);
+  return host ? `shared secrets (remote - ${host})` : 'shared secrets (remote)';
+}
+
+/**
+ * @param {Object} auth
+ * @param {string[]} keys
+ * @param {string} target
+ * @returns {Promise<void>}
+ */
+async function deleteRemoteSecretKeys(auth, keys, target) {
+  const ca = auth.serverCaPem || undefined;
+  for (const key of keys) {
+    await devApi.deleteSecret(auth.serverUrl, auth.clientCertPem, key, ca, target);
+  }
+}
+
+/**
+ * Remove every shared secret via remote API.
+ * @param {string} target - Resolved secrets endpoint URL
+ * @param {Object} options - { yes?: boolean }
+ * @returns {Promise<void>}
+ */
+async function removeAllRemoteSharedSecrets(target, options) {
+  const auth = await remoteDevAuth.getRemoteDevAuth();
+  if (!auth) {
+    throw new Error('Remote server not configured or certificate missing. Run "aifabrix dev init" first.');
+  }
+  const keys = await listRemoteSecretKeys(auth, target);
+  if (keys.length === 0) {
+    logger.log(chalk.gray('No shared secrets to remove.'));
+    return;
+  }
+  const where = labelForRemoteSharedSecrets(target);
+  const ok = await confirmRemoveAll(!!options.yes, where, keys.length);
+  if (!ok) {
+    logger.log(chalk.gray('Cancelled. No secrets were removed.'));
+    return;
+  }
+  await deleteRemoteSecretKeys(auth, keys, target);
+  logger.log(formatSuccessLine(`Removed ${keys.length} secret key(s) from ${where}.`));
+}
+
+/**
+ * Remove every key from a shared secrets YAML file.
+ * @param {string} resolvedPath - Absolute file path
+ * @param {Object} options - { yes?: boolean }
+ * @returns {Promise<void>}
+ */
+async function removeAllSharedFileSecrets(resolvedPath, options) {
+  const keys = listKeysFromYamlFile(resolvedPath);
+  if (keys.length === 0) {
+    logger.log(chalk.gray('No shared secrets to remove.'));
+    return;
+  }
+  const ok = await confirmRemoveAll(!!options.yes, `shared secrets file (${resolvedPath})`, keys.length);
+  if (!ok) {
+    logger.log(chalk.gray('Cancelled. No secrets were removed.'));
+    return;
+  }
+  writeEmptySecretsFile(resolvedPath);
+  logger.log(formatSuccessLine(`Removed ${keys.length} secret key(s) from shared secrets file.`));
+}
+
+/**
+ * Remove every key from shared store (remote API or file).
+ * @param {string} generalSecretsPath - Path or URL from config
+ * @param {Object} options - { yes?: boolean }
+ * @returns {Promise<void>}
+ */
+async function removeAllSharedSecrets(generalSecretsPath, options) {
+  const target = await remoteDevAuth.resolveSharedSecretsEndpoint(generalSecretsPath);
+  if (remoteDevAuth.isRemoteSecretsUrl(target)) {
+    await removeAllRemoteSharedSecrets(target, options);
+    return;
+  }
+  const resolvedPath = path.isAbsolute(target) ? target : path.resolve(process.cwd(), target);
+  await removeAllSharedFileSecrets(resolvedPath, options);
+}
+
+/**
+ * @param {Object} options - { yes?: boolean }
+ * @returns {Promise<void>}
+ */
+async function removeAllUserSecrets(options) {
+  const userSecretsPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+  const keys = listKeysFromYamlFile(userSecretsPath);
+  if (keys.length === 0) {
+    logger.log(chalk.gray('No user secrets to remove.'));
+    return;
+  }
+  const ok = await confirmRemoveAll(!!options.yes, `user secrets (${userSecretsPath})`, keys.length);
+  if (!ok) {
+    logger.log(chalk.gray('Cancelled. No secrets were removed.'));
+    return;
+  }
+  writeEmptySecretsFile(userSecretsPath);
+  logger.log(formatSuccessLine(`Removed ${keys.length} secret key(s) from user secrets.`));
+}
+
+/**
+ * Handle secret remove-all command.
+ * @param {Object} options - { shared?: boolean, yes?: boolean }
+ * @returns {Promise<void>}
+ */
+async function handleSecretsRemoveAll(options) {
+  const isShared = options.shared || options['shared'] || false;
+  if (!isShared) {
+    await removeAllUserSecrets(options);
+    return;
+  }
+  const generalSecretsPath = await getAifabrixSecretsPath();
+  if (!generalSecretsPath) {
+    throw new Error('Shared secrets not configured. Set aifabrix-secrets in config.yaml.');
+  }
+  await removeAllSharedSecrets(generalSecretsPath, options);
+}
+
+module.exports = { handleSecretsRemoveAll };

package/lib/commands/secrets-remove.js

@@ -4,14 +4,14 @@
  * @version 2.0.0
  */
 
+const { formatSuccessLine } = require('../utils/cli-test-layout-chalk');
 const path = require('path');
 const fs = require('fs');
 const yaml = require('js-yaml');
-const chalk = require('chalk');
 const logger = require('../utils/logger');
 const { getAifabrixSecretsPath } = require('../core/config');
 const pathsUtil = require('../utils/paths');
-const { isRemoteSecretsUrl, getRemoteDevAuth } = require('../utils/remote-dev-auth');
+const remoteDevAuth = require('../utils/remote-dev-auth');
 const devApi = require('../api/dev.api');
 
 /**
@@ -33,7 +33,7 @@ function removeKeyFromFile(key, filePath) {
     throw new Error(`Secret '${key}' not found.`);
   }
   delete data[key];
-  const yamlContent = yaml.dump(data, { indent: 2, lineWidth: 120, noRefs: true, sortKeys: false });
+  const yamlContent = yaml.dump(data, { indent: 2, lineWidth: -1, noRefs: true, sortKeys: false });
   fs.writeFileSync(filePath, yamlContent, { mode: 0o600 });
 }
 
@@ -44,27 +44,36 @@ function removeKeyFromFile(key, filePath) {
  * @returns {Promise<void>}
  */
 async function removeSharedSecret(key, generalSecretsPath) {
-  if (isRemoteSecretsUrl(generalSecretsPath)) {
-    const auth = await getRemoteDevAuth();
+  const target = await remoteDevAuth.resolveSharedSecretsEndpoint(generalSecretsPath);
+  if (remoteDevAuth.isRemoteSecretsUrl(target)) {
+    const auth = await remoteDevAuth.getRemoteDevAuth();
     if (!auth) {
       throw new Error('Remote server not configured or certificate missing. Run "aifabrix dev init" first.');
     }
     try {
-      await devApi.deleteSecret(auth.serverUrl, auth.clientCertPem, key);
+      await devApi.deleteSecret(
+        auth.serverUrl,
+        auth.clientCertPem,
+        key,
+        auth.serverCaPem || undefined,
+        target
+      );
     } catch (err) {
       if (err.status === 404) {
         throw new Error(`Secret '${key}' not found.`);
       }
       throw err;
     }
-    logger.log(chalk.green(`✓ Secret '${key}' removed from remote shared secrets.`));
+    const host = remoteDevAuth.getSharedSecretsRemoteHostname(target);
+    const where = host ? `shared secrets (remote - ${host})` : 'shared secrets (remote)';
+    logger.log(formatSuccessLine(`Secret '${key}' removed from ${where}.`));
     return;
   }
-  const resolvedPath = path.isAbsolute(generalSecretsPath)
-    ? generalSecretsPath
-    : path.resolve(process.cwd(), generalSecretsPath);
+  const resolvedPath = path.isAbsolute(target)
+    ? target
+    : path.resolve(process.cwd(), target);
   removeKeyFromFile(key, resolvedPath);
-  logger.log(chalk.green(`✓ Secret '${key}' removed from shared secrets file.`));
+  logger.log(formatSuccessLine(`Secret '${key}' removed from shared secrets file.`));
 }
 
 /**
@@ -88,9 +97,9 @@ async function handleSecretsRemove(key, options) {
     }
     await removeSharedSecret(key, generalSecretsPath);
   } else {
-    const userSecretsPath = path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
+    const userSecretsPath = pathsUtil.getPrimaryUserSecretsLocalPath();
     removeKeyFromFile(key, userSecretsPath);
-    logger.log(chalk.green(`✓ Secret '${key}' removed from user secrets.`));
+    logger.log(formatSuccessLine(`Secret '${key}' removed from user secrets.`));
   }
 }