npm - @aifabrix/builder - Versions diffs - 2.42.1 → 2.44.0 - Mend

@aifabrix/builder 2.42.1 → 2.44.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (392) hide show

package/.cursor/rules/anchor-docs.mdc +15 -0
package/README.md +2 -2
package/anchor-docs/README.md +10 -0
package/anchor-docs/_TEMPLATE +24 -0
package/bin/aifabrix.js +13 -4
package/integration/hubspot-test/README.md +157 -0
package/integration/{hubspot → hubspot-test}/application.json +6 -6
package/integration/{hubspot → hubspot-test}/create-hubspot.js +10 -10
package/integration/hubspot-test/env.template +4 -0
package/integration/hubspot-test/hubspot-test-datasource-company.json +138 -0
package/integration/hubspot-test/hubspot-test-datasource-contact.json +146 -0
package/integration/hubspot-test/hubspot-test-datasource-deal.json +146 -0
package/integration/hubspot-test/hubspot-test-datasource-users.json +76 -0
package/integration/{hubspot/hubspot-deploy.json → hubspot-test/hubspot-test-deploy.json} +201 -24
package/integration/{hubspot/hubspot-system.json → hubspot-test/hubspot-test-system.json} +8 -7
package/integration/hubspot-test/rbac.json +166 -0
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-hubspot-credential-real.yaml +3 -3
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-hubspot-env-vars.yaml +2 -2
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-add-datasource.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-credential-create.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-credential-select.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-known-platform.yaml +1 -1
package/integration/hubspot-test/test-artifacts/wizard-invalid-missing-source.yaml +2 -0
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-mode.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-openapi-file.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-openapi-url.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-source.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-valid-for-dimension-array-test.yaml +1 -1
package/integration/hubspot-test/test-artifacts/wizard-valid-for-dimension-key-test.yaml +5 -0
package/integration/hubspot-test/test-artifacts/wizard-valid-for-dimension-path-test.yaml +5 -0
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-valid-for-dimension-test.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-valid-for-rbac-test.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-valid-for-rbac-yaml-test.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-dataplane-down-tests.js +1 -7
package/integration/{hubspot → hubspot-test}/test-dataplane-down.js +3 -3
package/integration/{hubspot → hubspot-test}/test.js +137 -102
package/integration/{hubspot → hubspot-test}/wizard-hubspot-e2e.yaml +2 -2
package/integration/{hubspot → hubspot-test}/wizard-hubspot-platform.yaml +1 -1
package/integration/hubspot-test/wizard-hubspot-test-headless.yaml +23 -0
package/integration/roundtrip-test-local/README.md +144 -0
package/integration/roundtrip-test-local/application.yaml +13 -0
package/integration/roundtrip-test-local/env.template +15 -0
package/integration/roundtrip-test-local/roundtrip-test-local-datasource-roundtrip-test-company.yaml +14 -0
package/integration/roundtrip-test-local/roundtrip-test-local-deploy.json +61 -0
package/integration/roundtrip-test-local/roundtrip-test-local-system.yaml +25 -0
package/integration/roundtrip-test-local2/README.md +144 -0
package/integration/roundtrip-test-local2/application.yaml +13 -0
package/integration/roundtrip-test-local2/env.template +15 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-datasource-company.yaml +31 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-deploy.json +86 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-system.yaml +25 -0
package/integration/test/wizard.yaml +8 -0
package/jest.config.default.js +10 -0
package/jest.config.integration.fixtures.js +22 -0
package/jest.config.integration.js +21 -18
package/jest.config.isolated.js +10 -0
package/jest.projects.js +288 -0
package/lib/api/datasources-core.api.js +3 -3
package/lib/api/dev-mtls-request.js +110 -0
package/lib/api/dev-server-https.js +145 -0
package/lib/api/dev.api.js +133 -144
package/lib/api/index.js +0 -1
package/lib/api/pipeline.api.js +67 -20
package/lib/api/service-users.api.js +111 -2
package/lib/api/types/dev.types.js +4 -3
package/lib/api/types/pipeline.types.js +8 -5
package/lib/api/types/service-users.types.js +41 -0
package/lib/api/types/validation-run.types.js +56 -0
package/lib/api/validation-run.api.js +99 -0
package/lib/api/validation-runner.js +99 -0
package/lib/app/config.js +1 -1
package/lib/app/deploy-status-display.js +2 -2
package/lib/app/deploy.js +7 -6
package/lib/app/display.js +2 -1
package/lib/app/dockerfile.js +3 -2
package/lib/app/down.js +2 -1
package/lib/app/helpers.js +6 -5
package/lib/app/index.js +27 -8
package/lib/app/list.js +7 -6
package/lib/app/push.js +4 -3
package/lib/app/register.js +19 -8
package/lib/app/rotate-secret.js +17 -13
package/lib/app/run-container-start.js +184 -0
package/lib/app/run-docker-fallback.js +108 -0
package/lib/app/run-env-compose.js +30 -42
package/lib/app/run-helpers.js +49 -126
package/lib/app/run-infra-requirements.js +30 -0
package/lib/app/run-resolve-image.js +21 -0
package/lib/app/run.js +74 -21
package/lib/app/show-display.js +1 -1
package/lib/app/show.js +1 -1
package/lib/build/index.js +13 -10
package/lib/cli/index.js +2 -0
package/lib/cli/setup-app.help.js +67 -0
package/lib/cli/setup-app.js +59 -123
package/lib/cli/setup-app.test-commands.js +179 -0
package/lib/cli/setup-auth.js +36 -14
package/lib/cli/setup-credential-deployment.js +22 -8
package/lib/cli/setup-dev-path-commands.js +124 -0
package/lib/cli/setup-dev.js +190 -103
package/lib/cli/setup-environment.js +11 -20
package/lib/cli/setup-external-system.js +62 -22
package/lib/cli/setup-infra.js +139 -47
package/lib/cli/setup-parameters.js +32 -0
package/lib/cli/setup-secrets.js +147 -10
package/lib/cli/setup-service-user.js +146 -20
package/lib/cli/setup-utility.js +47 -19
package/lib/commands/app-down.js +5 -7
package/lib/commands/app-install.js +14 -7
package/lib/commands/app-logs.js +13 -10
package/lib/commands/app-shell.js +4 -1
package/lib/commands/app-test.js +25 -19
package/lib/commands/app.js +22 -10
package/lib/commands/auth-config.js +10 -14
package/lib/commands/auth-status.js +4 -3
package/lib/commands/credential-env.js +4 -3
package/lib/commands/credential-list.js +5 -4
package/lib/commands/credential-push.js +4 -3
package/lib/commands/datasource-unified-test-cli.js +495 -0
package/lib/commands/datasource-unified-test-cli.options.js +149 -0
package/lib/commands/datasource-validation-cli.js +129 -0
package/lib/commands/datasource.js +123 -71
package/lib/commands/deployment-list.js +6 -5
package/lib/commands/dev-cli-handlers.js +122 -18
package/lib/commands/dev-down.js +4 -3
package/lib/commands/dev-init.js +231 -116
package/lib/commands/dev-show-display.js +473 -0
package/lib/commands/login-credentials.js +3 -2
package/lib/commands/login-device.js +4 -3
package/lib/commands/login.js +5 -4
package/lib/commands/logout.js +8 -7
package/lib/commands/parameters-validate.js +54 -0
package/lib/commands/repair-datasource.js +314 -68
package/lib/commands/repair-env-template.js +16 -10
package/lib/commands/repair-rbac.js +25 -19
package/lib/commands/repair.js +116 -32
package/lib/commands/secrets-list.js +23 -12
package/lib/commands/secrets-remove-all.js +220 -0
package/lib/commands/secrets-remove.js +22 -13
package/lib/commands/secrets-set.js +21 -12
package/lib/commands/secrets-validate.js +20 -7
package/lib/commands/secure.js +10 -9
package/lib/commands/service-user.js +243 -13
package/lib/commands/test-e2e-external.js +27 -1
package/lib/commands/up-common.js +28 -2
package/lib/commands/up-dataplane.js +31 -18
package/lib/commands/up-miso.js +19 -29
package/lib/commands/upload.js +138 -39
package/lib/commands/wizard-core-helpers.js +1 -1
package/lib/commands/wizard-dataplane.js +4 -3
package/lib/commands/wizard-helpers.js +3 -3
package/lib/commands/wizard.js +2 -2
package/lib/core/admin-secrets.js +16 -5
package/lib/core/audit-logger.js +12 -4
package/lib/core/config-attach-extensions.js +46 -0
package/lib/core/config-runtime-paths.js +29 -0
package/lib/core/config.js +59 -58
package/lib/core/diff.js +3 -2
package/lib/core/ensure-encryption-key.js +2 -4
package/lib/core/secrets-ensure-infra.js +77 -0
package/lib/core/secrets-ensure.js +120 -64
package/lib/core/secrets-env-write.js +35 -7
package/lib/core/secrets-infra-placeholder-sync.js +61 -0
package/lib/core/secrets.js +228 -42
package/lib/core/templates-env.js +4 -3
package/lib/core/templates.js +1 -1
package/lib/datasource/abac-validator.js +148 -0
package/lib/datasource/deploy.js +75 -53
package/lib/datasource/field-reference-validator.js +77 -36
package/lib/datasource/integration-context.js +63 -0
package/lib/datasource/list.js +8 -7
package/lib/datasource/log-viewer.js +252 -0
package/lib/datasource/resolve-app.js +109 -0
package/lib/datasource/test-e2e.js +95 -155
package/lib/datasource/test-integration.js +121 -109
package/lib/datasource/unified-validation-run-body.js +65 -0
package/lib/datasource/unified-validation-run-post.js +23 -0
package/lib/datasource/unified-validation-run-resolve.js +43 -0
package/lib/datasource/unified-validation-run.js +92 -0
package/lib/datasource/validate.js +162 -15
package/lib/deployment/deployer.js +4 -3
package/lib/deployment/environment.js +7 -6
package/lib/deployment/push.js +17 -8
package/lib/external-system/delete.js +4 -3
package/lib/external-system/deploy.js +131 -53
package/lib/external-system/download-helpers.js +1 -1
package/lib/external-system/download.js +7 -6
package/lib/external-system/generator.js +104 -14
package/lib/external-system/integration-test-dispatch.js +26 -0
package/lib/external-system/test-execution.js +5 -1
package/lib/external-system/test-helpers.js +0 -4
package/lib/external-system/test-system-level-helpers.js +110 -0
package/lib/external-system/test-system-level.js +83 -44
package/lib/external-system/test.js +59 -8
package/lib/generator/builders.js +23 -11
package/lib/generator/deploy-manifest-azure-kv.js +81 -0
package/lib/generator/external-controller-manifest.js +3 -3
package/lib/generator/external.js +23 -11
package/lib/generator/helpers.js +71 -12
package/lib/generator/index.js +8 -4
package/lib/generator/split-readme.js +12 -7
package/lib/generator/split-variables.js +2 -1
package/lib/generator/split.js +46 -11
package/lib/generator/wizard-readme.js +3 -3
package/lib/generator/wizard.js +16 -13
package/lib/infrastructure/compose.js +60 -6
package/lib/infrastructure/helpers.js +238 -51
package/lib/infrastructure/index.js +64 -37
package/lib/infrastructure/services.js +21 -15
package/lib/internal/fs-real-sync.js +104 -0
package/lib/internal/node-fs.js +98 -0
package/lib/parameters/database-secret-values.js +173 -0
package/lib/parameters/infra-kv-discovery.js +121 -0
package/lib/parameters/infra-parameter-catalog.js +458 -0
package/lib/parameters/infra-parameter-validate.js +64 -0
package/lib/schema/application-schema.json +37 -17
package/lib/schema/datasource-test-run.schema.json +493 -0
package/lib/schema/deployment-rules.yaml +102 -63
package/lib/schema/external-datasource.schema.json +1201 -433
package/lib/schema/external-system.schema.json +181 -5
package/lib/schema/flag-map-validation-run.json +31 -0
package/lib/schema/infra-parameter.schema.json +106 -0
package/lib/schema/infra.parameter.yaml +421 -0
package/lib/schema/type/credential-auth-templates.json +40 -0
package/lib/schema/type/document-storage.json +213 -0
package/lib/schema/type/message-service.json +123 -0
package/lib/schema/type/vector-store.json +88 -0
package/lib/utils/aifabrix-runtime-config-dir.js +132 -0
package/lib/utils/api-error-handler.js +2 -2
package/lib/utils/api.js +49 -14
package/lib/utils/app-config-resolver.js +23 -1
package/lib/utils/app-register-api.js +3 -2
package/lib/utils/app-register-auth.js +1 -1
package/lib/utils/app-register-config.js +4 -4
package/lib/utils/app-register-display.js +3 -2
package/lib/utils/app-register-validator.js +3 -2
package/lib/utils/app-run-containers.js +26 -22
package/lib/utils/app-scoped-config.js +31 -0
package/lib/utils/app-service-env-from-builder.js +164 -0
package/lib/utils/build-copy.js +1 -1
package/lib/utils/build-helpers.js +20 -20
package/lib/utils/build-resolve-image.js +165 -0
package/lib/utils/cli-layout-chalk.js +8 -0
package/lib/utils/cli-test-layout-chalk.js +267 -0
package/lib/utils/cli-utils.js +88 -11
package/lib/utils/compose-db-passwords.js +138 -0
package/lib/utils/compose-generate-docker-compose.js +216 -0
package/lib/utils/compose-generator.js +197 -291
package/lib/utils/compose-miso-env.js +18 -0
package/lib/utils/compose-traefik-ingress-base.js +158 -0
package/lib/utils/config-paths.js +209 -6
package/lib/utils/config-scoped-resources-preference.js +41 -0
package/lib/utils/controller-deployment-outcome.js +68 -0
package/lib/utils/credential-display.js +2 -2
package/lib/utils/credential-secrets-env.js +16 -1
package/lib/utils/dataplane-pipeline-warning.js +4 -3
package/lib/utils/datasource-test-run-capability-scope.js +43 -0
package/lib/utils/datasource-test-run-debug-display.js +137 -0
package/lib/utils/datasource-test-run-debug-slice.js +93 -0
package/lib/utils/datasource-test-run-display.js +442 -0
package/lib/utils/datasource-test-run-exit.js +58 -0
package/lib/utils/datasource-test-run-legacy-adapter.js +93 -0
package/lib/utils/datasource-test-run-report-version.js +51 -0
package/lib/utils/datasource-test-run-schema-sync.js +59 -0
package/lib/utils/datasource-test-run-tty-log.js +81 -0
package/lib/utils/datasource-validation-watch.js +266 -0
package/lib/utils/declarative-url-ports.js +47 -0
package/lib/utils/derive-env-key-from-client-id.js +41 -0
package/lib/utils/dev-ca-install.js +185 -23
package/lib/utils/dev-cert-helper.js +266 -17
package/lib/utils/dev-hosts-helper.js +307 -0
package/lib/utils/dev-init-cert-hints.js +37 -0
package/lib/utils/dev-init-health-messages.js +52 -0
package/lib/utils/dev-init-resolve.js +86 -0
package/lib/utils/dev-init-ssh-merge.js +65 -0
package/lib/utils/dev-ssh-config-helper.js +196 -0
package/lib/utils/dev-user-groups.js +93 -0
package/lib/utils/docker-build.js +42 -17
package/lib/utils/docker-exec.js +28 -0
package/lib/utils/docker-manifest-public-port.js +116 -0
package/lib/utils/docker-not-running-hint.js +52 -0
package/lib/utils/docker.js +98 -11
package/lib/utils/ensure-dev-certs-for-remote-docker.js +192 -0
package/lib/utils/env-config-loader.js +10 -91
package/lib/utils/env-copy.js +19 -10
package/lib/utils/env-map.js +42 -11
package/lib/utils/env-template.js +2 -2
package/lib/utils/environment-scoped-resources.js +144 -0
package/lib/utils/error-formatter.js +125 -9
package/lib/utils/error-formatters/http-status-errors.js +6 -5
package/lib/utils/error-formatters/network-errors.js +2 -1
package/lib/utils/error-formatters/permission-errors.js +2 -1
package/lib/utils/error-formatters/validation-errors.js +2 -1
package/lib/utils/external-env-template.js +180 -0
package/lib/utils/external-readme.js +8 -1
package/lib/utils/external-system-display.js +277 -136
package/lib/utils/external-system-local-test-tty.js +389 -0
package/lib/utils/external-system-readiness-core.js +377 -0
package/lib/utils/external-system-readiness-deploy-display.js +270 -0
package/lib/utils/external-system-readiness-display-internals.js +150 -0
package/lib/utils/external-system-readiness-display.js +186 -0
package/lib/utils/external-system-test-helpers.js +24 -6
package/lib/utils/external-system-validators.js +32 -14
package/lib/utils/health-check-url.js +119 -0
package/lib/utils/health-check.js +59 -25
package/lib/utils/help-builder.js +14 -13
package/lib/utils/image-version.js +4 -8
package/lib/utils/infra-containers.js +4 -7
package/lib/utils/infra-env-defaults.js +162 -0
package/lib/utils/infra-status-display.js +167 -0
package/lib/utils/infra-status.js +16 -8
package/lib/utils/local-secrets.js +29 -7
package/lib/utils/paths.js +136 -48
package/lib/utils/port-resolver.js +10 -23
package/lib/utils/redis-env-scope.js +62 -0
package/lib/utils/register-aifabrix-shell-env.js +204 -0
package/lib/utils/remote-builder-validation.js +99 -0
package/lib/utils/remote-dev-auth.js +117 -21
package/lib/utils/remote-docker-env.js +67 -15
package/lib/utils/remote-secrets-loader.js +13 -4
package/lib/utils/resolve-docker-image-ref.js +124 -0
package/lib/utils/schema-loader.js +22 -9
package/lib/utils/secrets-bash-kv.js +25 -0
package/lib/utils/secrets-generator.js +171 -51
package/lib/utils/secrets-helpers.js +70 -59
package/lib/utils/secrets-kv-scope.js +60 -0
package/lib/utils/secrets-utils.js +35 -37
package/lib/utils/secrets-validation.js +3 -1
package/lib/utils/secrets-yaml-preserve.js +109 -0
package/lib/utils/secure-file-permissions.js +91 -0
package/lib/utils/ssh-key-helper.js +4 -2
package/lib/utils/template-helpers.js +2 -2
package/lib/utils/test-log-writer.js +3 -3
package/lib/utils/token-manager.js +37 -5
package/lib/utils/url-declarative-public-base.js +188 -0
package/lib/utils/url-declarative-resolve-build.js +493 -0
package/lib/utils/url-declarative-resolve-load-doc.js +51 -0
package/lib/utils/url-declarative-resolve.js +220 -0
package/lib/utils/url-declarative-token-parse.js +74 -0
package/lib/utils/url-declarative-url-flags.js +50 -0
package/lib/utils/url-declarative-vdir-inactive-env.js +99 -0
package/lib/utils/url-public-path-prefix.js +34 -0
package/lib/utils/urls-local-registry.js +220 -0
package/lib/utils/validation-report-tty-kit.js +77 -0
package/lib/utils/validation-run-poll.js +89 -0
package/lib/utils/validation-run-post-retry.js +73 -0
package/lib/utils/validation-run-request.js +98 -0
package/lib/utils/variable-transformer.js +21 -4
package/lib/utils/yaml-preserve.js +78 -1
package/lib/validation/datasource-warnings.js +56 -0
package/lib/validation/env-template-auth.js +50 -2
package/lib/validation/external-manifest-validator.js +35 -7
package/lib/validation/validate-display.js +37 -31
package/lib/validation/validate.js +9 -10
package/lib/validation/validator-unresolved-placeholders.js +98 -0
package/lib/validation/validator.js +32 -78
package/lib/validation/wizard-config-validator.js +2 -1
package/package.json +11 -3
package/scripts/check-datasource-test-run-schema-sync.js +34 -0
package/scripts/diagnose-cli.js +150 -0
package/scripts/install-local.js +304 -55
package/templates/README.md +15 -2
package/templates/applications/dataplane/application.yaml +52 -2
package/templates/applications/dataplane/env.template +80 -18
package/templates/applications/dataplane/rbac.yaml +8 -0
package/templates/applications/keycloak/application.yaml +9 -1
package/templates/applications/keycloak/env.template +15 -6
package/templates/applications/miso-controller/application.yaml +10 -2
package/templates/applications/miso-controller/env.template +55 -14
package/templates/applications/miso-controller/rbac.yaml +5 -0
package/templates/external-system/README.md.hbs +20 -7
package/templates/external-system/deploy.js.hbs +5 -5
package/templates/external-system/env.template.hbs +22 -0
package/templates/external-system/external-datasource.yaml.hbs +197 -118
package/templates/infra/compose.yaml.hbs +20 -4
package/templates/python/docker-compose.hbs +16 -0
package/templates/typescript/docker-compose.hbs +16 -0
package/integration/hubspot/README.md +0 -102
package/integration/hubspot/env.template +0 -4
package/integration/hubspot/hubspot-datasource-company.json +0 -541
package/integration/hubspot/hubspot-datasource-contact.json +0 -639
package/integration/hubspot/hubspot-datasource-deal.json +0 -588
package/integration/hubspot/hubspot-datasource-users.json +0 -116
package/integration/hubspot/test-artifacts/wizard-invalid-missing-source.yaml +0 -2
package/integration/hubspot/test-artifacts/wizard-valid-for-dimension-key-test.yaml +0 -5
package/integration/hubspot/test-artifacts/wizard-valid-for-dimension-path-test.yaml +0 -5
package/lib/api/external-test.api.js +0 -111
package/lib/schema/env-config.yaml +0 -43
/package/integration/{hubspot → hubspot-test}/companies.json +0 -0
/package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-app-name.yaml +0 -0
/package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-missing-app.yaml +0 -0
/package/integration/{hubspot → hubspot-test}/test-dataplane-down-helpers.js +0 -0

package/lib/core/secrets.js CHANGED Viewed

@@ -24,10 +24,14 @@ const {
   rewriteInfraEndpoints,
   readYamlAtPath,
   applyCanonicalSecretsOverride,
-  ensureNonEmptySecrets,
   validateSecrets
 } = require('../utils/secrets-helpers');
 const { buildEnvVarMap } = require('../utils/env-map');
+const {
+  mergeInfraParameterDefaultsForCli,
+  getInfraParameterCatalog,
+  readRelaxedCatalogDefaults
+} = require('../parameters/infra-parameter-catalog');
 const { resolveServicePortsInEnvContent } = require('../utils/secrets-url');
 const {
   updatePortForDocker,
@@ -35,7 +39,7 @@ const {
   applyDockerEnvOverride,
   getContainerPortFromDockerEnv
 } = require('./secrets-docker-env');
-const { getContainerPortFromPath } = require('../utils/port-resolver');
+const { getContainerPortFromPath, loadVariablesFromPath } = require('../utils/port-resolver');
 const {
   generateMissingSecrets,
   createDefaultSecrets
@@ -48,10 +52,21 @@ const {
 const {
   loadUserSecrets,
   loadPrimaryUserSecrets,
-  loadDefaultSecrets
+  loadDefaultSecrets,
+  ensurePrimaryUserSecretsFileExists
 } = require('../utils/secrets-utils');
 const { decryptSecret, isEncrypted } = require('../utils/secrets-encryption');
 const pathsUtil = require('../utils/paths');
+const { ensureSecureFilePermissions } = require('../utils/secure-file-permissions');
+const { readAppEnvironmentScopedFlagForAppPath } = require('../utils/app-scoped-config');
+const { computeEffectiveEnvironmentScopedResources, redisDbIndexForScopedRunEnv } = require('../utils/environment-scoped-resources');
+const { applyRedisDbIndexToEnvContent } = require('../utils/redis-env-scope');
+const { expandDeclarativeUrlsInEnvContent } = require('../utils/url-declarative-resolve');
+const { rewriteInactiveDeclarativeVdirPublicContent } = require('../utils/url-declarative-vdir-inactive-env');
+const {
+  mergeDockerManifestPublishedPort,
+  rewriteDockerManifestPublicPortEnvLine
+} = require('../utils/docker-manifest-public-port');
 /**
  * Generates a canonical secret name from an environment variable key.
@@ -127,8 +142,8 @@ async function decryptSecretsObject(secrets) {
  * @function loadSecrets
  * @param {string} [secretsPath] - Path to secrets file (optional, for explicit override)
  * @param {string} [appName] - Application name (optional, for backward compatibility)
- * @returns {Promise<Object>} Loaded secrets object with decrypted values
- * @throws {Error} If no secrets file found and no fallback available
+ * @returns {Promise<Object>} Loaded secrets object with decrypted values (may be empty after bootstrap file create)
+ * @throws {Error} If explicit secretsPath is set but file is missing or invalid
  *
  * @example
  * const secrets = await loadSecrets('../../secrets.local.yaml');
@@ -150,6 +165,7 @@ function mergeUserWithConfigFile(userSecrets, resolvedConfigPath) {
   if (!fs.existsSync(resolvedConfigPath)) {
     return null;
   }
+  ensureSecureFilePermissions(resolvedConfigPath);
   let configSecrets;
   try {
     configSecrets = readYamlAtPath(resolvedConfigPath);
@@ -170,16 +186,17 @@ function mergeUserWithConfigFile(userSecrets, resolvedConfigPath) {
 /**
  * Loads config secrets path, merges with user secrets (user/master wins, public fills missing).
- * User/master = primary home (AIFABRIX_HOME or ~/.aifabrix) secrets.local.yaml.
+ * User/master = getPrimaryUserSecretsLocalPath() (config dir; same file as loadPrimaryUserSecrets).
  * Public = aifabrix-secrets path from config. Used by loadSecrets cascade.
- * When aifabrix-secrets is an http(s) URL, fetches shared secrets from API (never persisted to disk).
+ * When the effective shared-secrets target (after remote-dev resolution) is an http(s) URL,
+ * fetches shared secrets from API (never persisted to disk).
  *
  * @async
  * @returns {Promise<Object|null>} Merged secrets object or null
  */
 async function loadMergedConfigAndUserSecrets() {
   const { loadRemoteSharedSecrets, mergeUserWithRemoteSecrets } = require('../utils/remote-secrets-loader');
-  const { isRemoteSecretsUrl } = require('../utils/remote-dev-auth');
+  const remoteDevAuth = require('../utils/remote-dev-auth');
   const userSecrets = loadPrimaryUserSecrets();
   const hasKeys = (obj) => obj && Object.keys(obj).length > 0;
   const userOrNull = () => (hasKeys(userSecrets) ? userSecrets : null);
@@ -188,7 +205,8 @@ async function loadMergedConfigAndUserSecrets() {
     if (!configSecretsPath) {
       return userOrNull();
     }
-    if (isRemoteSecretsUrl(configSecretsPath)) {
+    const effectiveShared = await remoteDevAuth.resolveSharedSecretsEndpoint(configSecretsPath);
+    if (remoteDevAuth.isRemoteSecretsUrl(effectiveShared)) {
       const remoteSecrets = await loadRemoteSharedSecrets();
       const merged = mergeUserWithRemoteSecrets(userSecrets, remoteSecrets);
       return hasKeys(merged) ? merged : userOrNull();
@@ -225,6 +243,7 @@ async function loadSecretsWithFallbacks() {
     if (projectRoot) {
       const builderPath = path.join(projectRoot, 'builder', 'secrets.local.yaml');
       if (fs.existsSync(builderPath)) {
+        ensureSecureFilePermissions(builderPath);
         const builderSecrets = mergeUserWithConfigFile(merged || {}, builderPath);
         if (builderSecrets) merged = builderSecrets;
       }
@@ -244,15 +263,19 @@ async function loadSecrets(secretsPath, _appName) {
     if (!fs.existsSync(resolvedPath)) {
       throw new Error(`Secrets file not found: ${resolvedPath}`);
     }
+    ensureSecureFilePermissions(resolvedPath);
     const explicitSecrets = readYamlAtPath(resolvedPath);
     if (!explicitSecrets || typeof explicitSecrets !== 'object') {
       throw new Error(`Invalid secrets file format: ${resolvedPath}`);
     }
     return await decryptSecretsObject(explicitSecrets);
   }
-  const mergedSecrets = await loadSecretsWithFallbacks();
-  ensureNonEmptySecrets(mergedSecrets);
-  return await decryptSecretsObject(mergedSecrets);
+  let mergedSecrets = await loadSecretsWithFallbacks();
+  if (!mergedSecrets || Object.keys(mergedSecrets).length === 0) {
+    ensurePrimaryUserSecretsFileExists();
+    mergedSecrets = await loadSecretsWithFallbacks();
+  }
+  return await decryptSecretsObject(mergedSecrets || {});
 }
 /**
@@ -275,7 +298,7 @@ async function loadSecrets(secretsPath, _appName) {
  * const resolved = await resolveKvReferences(template, secrets, 'local');
  * // Returns: 'DATABASE_URL=postgresql://user:pass@localhost:5432/db'
  */
-async function resolveKvReferences(envTemplate, secrets, environment = 'local', secretsFilePaths = null, appName = null) {
+async function resolveKvReferences(envTemplate, secrets, environment = 'local', secretsFilePaths = null, appName = null, scopedKv = null) {
   const os = require('os');
   // Get developer-id for port variables (local and docker: *_PUBLIC_PORT = base + devId*100)
@@ -286,25 +309,56 @@ async function resolveKvReferences(envTemplate, secrets, environment = 'local',
     // ignore, buildEnvVarMap will use default
   }
-  let envVars = await buildEnvVarMap(environment, os, developerId);
+  const envKey = String(environment || 'local').toLowerCase();
+  const mapContext = envKey === 'docker' || envKey === 'local' ? envKey : 'local';
+  let envVars = await buildEnvVarMap(mapContext, os, developerId);
   if (!envVars || Object.keys(envVars).length === 0) {
     // Fallback to local environment variables if requested environment does not exist
     envVars = await buildEnvVarMap('local', os, developerId);
   }
   const resolved = interpolateEnvVars(envTemplate, envVars);
-  const missing = collectMissingSecrets(resolved, secrets);
+  const missing = collectMissingSecrets(resolved, secrets, scopedKv);
   if (missing.length > 0) {
     const fileInfo = formatMissingSecretsFileInfo(secretsFilePaths);
     const resolveCommand = appName ? `aifabrix resolve ${appName}` : 'aifabrix resolve <app-name>';
     throw new Error(`Missing secrets: ${missing.join(', ')}${fileInfo}\n\nRun "${resolveCommand}" to generate missing secrets.`);
   }
-  return replaceKvInContent(resolved, secrets, envVars);
+  return replaceKvInContent(resolved, secrets, envVars, scopedKv);
 }
-/** Docker env transformations: ports, infra endpoints, PORT. */
-async function applyDockerTransformations(resolved, variablesPath) {
-  resolved = await resolveServicePortsInEnvContent(resolved, 'docker');
-  resolved = await rewriteInfraEndpoints(resolved, 'docker');
+/**
+ * Resolve run env key and effective env-scoped kv/redis behavior for generateEnvContent.
+ *
+ * @async
+ * @param {string} appPath - Builder application directory
+ * @param {Object} [options] - generateEnvContent options; may set runEnvKey
+ * @returns {Promise<{ runEnvKey: string, effective: boolean }>}
+ */
+async function buildScopedKvContext(appPath, options = {}) {
+  let runEnvKey;
+  if (options.runEnvKey !== undefined && options.runEnvKey !== null) {
+    runEnvKey = String(options.runEnvKey).toLowerCase();
+  } else if (typeof config.getCurrentEnvironment === 'function') {
+    runEnvKey = String((await config.getCurrentEnvironment()) || 'dev').toLowerCase();
+  } else {
+    runEnvKey = 'dev';
+  }
+  const userCfg =
+    typeof config.getConfig === 'function'
+      ? await config.getConfig()
+      : { useEnvironmentScopedResources: false };
+  const useGate = Boolean(userCfg.useEnvironmentScopedResources);
+  const appFlag = readAppEnvironmentScopedFlagForAppPath(appPath);
+  const effective = computeEffectiveEnvironmentScopedResources(useGate, appFlag, runEnvKey);
+  return { runEnvKey, effective };
+}
+/**
+ * Redis/DB service endpoints for docker env interpolation.
+ * @returns {Promise<{ redisHost: string, redisPort: number, dbHost: string, dbPort: number }>}
+ */
+async function getDockerRedisDbEndpoints() {
   const { getEnvHosts, getServiceHost, getServicePort, getLocalhostOverride } = require('../utils/env-endpoints');
   const hosts = await getEnvHosts('docker');
   const localhostOverride = getLocalhostOverride('docker');
@@ -312,16 +366,97 @@ async function applyDockerTransformations(resolved, variablesPath) {
   const redisPort = await getServicePort('REDIS_PORT', 'redis', hosts, 'docker', null);
   const dbHost = getServiceHost(hosts.DB_HOST, 'docker', 'postgres', localhostOverride);
   const dbPort = await getServicePort('DB_PORT', 'postgres', hosts, 'docker', null);
+  return { redisHost, redisPort, dbHost, dbPort };
+}
+/**
+ * Config inputs for declarative url:// expansion (keeps expandDeclarativeUrlsIfPresent small).
+ * @param {string} appPath
+ * @returns {Promise<Object>}
+ */
+async function loadDeclarativeUrlExpandInputs(appPath) {
+  const userCfg = await config.getConfig();
+  let remoteServer = null;
+  try {
+    const rs = await config.getRemoteServer();
+    if (rs && String(rs).trim()) {
+      remoteServer = String(rs).trim();
+    }
+  } catch {
+    remoteServer = null;
+  }
+  let developerIdRaw = null;
+  try {
+    developerIdRaw = await config.getDeveloperId();
+  } catch {
+    developerIdRaw = null;
+  }
+  let infraTlsEnabled = false;
+  try {
+    infraTlsEnabled = await config.getTlsEnabled();
+  } catch {
+    infraTlsEnabled = false;
+  }
+  return {
+    userCfg,
+    remoteServer,
+    developerIdRaw,
+    infraTlsEnabled,
+    appScopedFlag: readAppEnvironmentScopedFlagForAppPath(appPath)
+  };
+}
+/**
+ * After kv:// resolution, expand url:// references when application config exists.
+ * @param {string} resolved
+ * @param {string} appName
+ * @param {string} appPath
+ * @param {string|null} variablesPath
+ * @param {string} environment
+ * @param {boolean} envOnly
+ * @returns {Promise<string>}
+ */
+async function expandDeclarativeUrlsIfPresent(resolved, appName, appPath, variablesPath, environment, envOnly) {
+  if (envOnly || !variablesPath) {
+    return resolved;
+  }
+  const { userCfg, remoteServer, developerIdRaw, infraTlsEnabled, appScopedFlag } =
+    await loadDeclarativeUrlExpandInputs(appPath);
+  resolved = rewriteInactiveDeclarativeVdirPublicContent(resolved, variablesPath, userCfg);
+  if (!resolved.includes('url://')) {
+    return resolved;
+  }
+  return expandDeclarativeUrlsInEnvContent(resolved, {
+    profile: environment === 'docker' ? 'docker' : 'local',
+    currentAppKey: appName,
+    variablesPath,
+    useEnvironmentScopedResources: Boolean(userCfg.useEnvironmentScopedResources),
+    appEnvironmentScopedResources: appScopedFlag,
+    remoteServer,
+    developerIdRaw,
+    traefik: Boolean(userCfg.traefik),
+    infraTlsEnabled
+  });
+}
+/** Docker env transformations: ports, infra endpoints, PORT. */
+async function applyDockerTransformations(resolved, variablesPath) {
+  resolved = await resolveServicePortsInEnvContent(resolved, 'docker');
+  resolved = await rewriteInfraEndpoints(resolved, 'docker');
+  const { redisHost, redisPort, dbHost, dbPort } = await getDockerRedisDbEndpoints();
   let dockerEnv = await getBaseDockerEnv();
   dockerEnv = applyDockerEnvOverride(dockerEnv);
   const containerPort = getContainerPortFromPath(variablesPath) ?? getContainerPortFromDockerEnv(dockerEnv) ?? 3000;
   const envVars = await buildEnvVarMap('docker', null, null, { appPort: containerPort });
+  const appDoc = loadVariablesFromPath(variablesPath);
+  await mergeDockerManifestPublishedPort(envVars, appDoc);
   envVars.REDIS_HOST = redisHost;
   envVars.REDIS_PORT = String(redisPort);
   envVars.DB_HOST = dbHost;
   envVars.DB_PORT = String(dbPort);
   envVars.PORT = String(containerPort);
   resolved = interpolateEnvVars(resolved, envVars);
+  resolved = rewriteDockerManifestPublicPortEnvLine(resolved, envVars, appDoc);
   return updatePortForDocker(resolved, variablesPath);
 }
 /** Environment-specific transformations to resolved content. */
@@ -353,8 +488,22 @@ async function generateEnvContent(appName, secretsPath, environment = 'local', f
     await secretsEnsure.ensureSecretsFromEnvTemplate(templatePath, { preferredFilePath: preferredPath });
   }
   const secrets = await loadSecrets(secretsPath, appName);
-  let resolved = await resolveKvReferences(template, secrets, environment, secretsPaths, appName);
+  const { runEnvKey, effective } = await buildScopedKvContext(appPath, options);
+  const scopedKv = { envKey: runEnvKey, effective };
+  let resolved = await resolveKvReferences(template, secrets, environment, secretsPaths, appName, scopedKv);
+  resolved = await expandDeclarativeUrlsIfPresent(
+    resolved,
+    appName,
+    appPath,
+    variablesPath,
+    environment,
+    Boolean(options.envOnly)
+  );
   resolved = await applyEnvironmentTransformations(resolved, environment, variablesPath);
+  if (effective) {
+    const idx = redisDbIndexForScopedRunEnv(runEnvKey);
+    resolved = applyRedisDbIndexToEnvContent(resolved, idx);
+  }
   return resolved;
 }
@@ -516,40 +665,76 @@ async function generateEnvFile(appName, secretsPath, environment = 'local', forc
   return envPath;
 }
-/** Generates admin secrets for infrastructure (~/.aifabrix/admin-secrets.env). Uses admin123 when no postgres password. */
-async function generateAdminSecretsEnv(secretsPath) {
-  let secrets;
+/**
+ * Writes admin env key-value pairs to content; encrypts values when encryption key is set.
+ * @async
+ * @param {Object.<string, string>} adminObj - Key-value object (e.g. POSTGRES_PASSWORD, ...)
+ * @returns {Promise<string>} .env-style content (plaintext or secure:// for secrets)
+ */
+async function formatAdminSecretsContent(adminObj) {
+  const encryptionKey = await config.getSecretsEncryptionKey();
+  const { encryptSecret } = require('../utils/secrets-encryption');
+  const lines = ['# Infrastructure Admin Credentials'];
+  for (const [k, v] of Object.entries(adminObj)) {
+    const value = (v === null || v === undefined) ? '' : String(v).replace(/\n/g, ' ').trim();
+    const valueToWrite = encryptionKey ? encryptSecret(value, encryptionKey) : value;
+    lines.push(`${k}=${valueToWrite}`);
+  }
+  return lines.join('\n');
+}
+async function loadSecretsOrBootstrapForAdmin(secretsPath) {
   try {
-    secrets = await loadSecrets(secretsPath);
+    return await loadSecrets(secretsPath);
   } catch (error) {
     const defaultSecretsPath = secretsPath || path.join(pathsUtil.getAifabrixHome(), 'secrets.yaml');
     if (!fs.existsSync(defaultSecretsPath)) {
       logger.log('Creating default secrets file...');
       await createDefaultSecrets(defaultSecretsPath);
-      secrets = await loadSecrets(secretsPath);
-    } else {
-      throw error;
+      return await loadSecrets(secretsPath);
     }
+    throw error;
   }
-  const aifabrixDir = pathsUtil.getAifabrixHome();
-  const adminEnvPath = path.join(aifabrixDir, 'admin-secrets.env');
-  if (!fs.existsSync(aifabrixDir)) {
-    fs.mkdirSync(aifabrixDir, { recursive: true, mode: 0o700 });
+}
+function getInfraDefaultsMergedForAdmin() {
+  try {
+    return mergeInfraParameterDefaultsForCli(getInfraParameterCatalog().data, {});
+  } catch {
+    return {};
   }
+}
+function buildLocalAdminSecretsObject(secrets, infraDefaults) {
   const raw = secrets['postgres-passwordKeyVault'];
-  const postgresPassword = (raw && String(raw).trim()) || 'admin123';
-  const adminSecrets = `# Infrastructure Admin Credentials
-POSTGRES_PASSWORD=${postgresPassword}
-PGADMIN_DEFAULT_EMAIL=admin@aifabrix.dev
-PGADMIN_DEFAULT_PASSWORD=${postgresPassword}
-REDIS_HOST=local:redis:6379:0:
-REDIS_COMMANDER_USER=admin
-REDIS_COMMANDER_PASSWORD=${postgresPassword}
-`;
+  const relaxed = readRelaxedCatalogDefaults();
+  const postgresPassword =
+    (raw && String(raw).trim()) ||
+    infraDefaults.adminPassword ||
+    relaxed.adminPassword ||
+    '';
+  const pgAdminEmail = infraDefaults.adminEmail || relaxed.adminEmail || '';
+  return {
+    POSTGRES_PASSWORD: postgresPassword,
+    PGADMIN_DEFAULT_EMAIL: pgAdminEmail,
+    PGADMIN_DEFAULT_PASSWORD: postgresPassword,
+    REDIS_HOST: 'local:redis:6379:0:',
+    REDIS_COMMANDER_USER: 'admin',
+    REDIS_COMMANDER_PASSWORD: postgresPassword
+  };
+}
+/** Generates admin secrets for infrastructure (beside config.yaml, typically ~/.aifabrix/admin-secrets.env). Defaults from infra.parameter.yaml `defaults`. */
+async function generateAdminSecretsEnv(secretsPath) {
+  const secrets = await loadSecretsOrBootstrapForAdmin(secretsPath);
+  const infraDefaults = getInfraDefaultsMergedForAdmin();
+  const adminObj = buildLocalAdminSecretsObject(secrets, infraDefaults);
+  const aifabrixDir = pathsUtil.getAifabrixSystemDir();
+  const adminEnvPath = path.join(aifabrixDir, 'admin-secrets.env');
+  if (!fs.existsSync(aifabrixDir)) {
+    fs.mkdirSync(aifabrixDir, { recursive: true, mode: 0o700 });
+  }
+  const adminSecrets = await formatAdminSecretsContent(adminObj);
   fs.writeFileSync(adminEnvPath, adminSecrets, { mode: 0o600 });
   return adminEnvPath;
 }
@@ -560,6 +745,7 @@ module.exports = {
   generateEnvContent,
   generateMissingSecrets,
   generateAdminSecretsEnv,
+  formatAdminSecretsContent,
   validateSecrets,
   createDefaultSecrets,
   getCanonicalSecretName,

package/lib/core/templates-env.js CHANGED Viewed

@@ -106,9 +106,10 @@ function buildMonitoringEnv(config) {
   return {
     'MISO_CONTROLLER_URL': config.controllerUrl || 'https://controller.aifabrix.dev',
     'MISO_ENVIRONMENT': 'dev',
-    'MISO_CLIENTID': 'kv://miso-controller-client-idKeyVault',
-    'MISO_CLIENTSECRET': 'kv://miso-controller-client-secretKeyVault',
-    'MISO_WEB_SERVER_URL': 'kv://miso-controller-web-server-url'
+    // Filled after `aifabrix register <app>`; empty avoids bogus kv placeholders in new apps
+    'MISO_CLIENTID': '',
+    'MISO_CLIENTSECRET': '',
+    'MISO_WEB_SERVER_URL': 'url://miso-controller-public'
   };
 }

package/lib/core/templates.js CHANGED Viewed

@@ -268,7 +268,7 @@ function generateSecretsYaml(config, existingSecrets = {}) {
   Object.entries(existingSecrets).forEach(([key, value]) => {
     secrets.data[key] = Buffer.from(value).toString('base64');
   });
-  return yaml.dump(secrets, { indent: 2, lineWidth: 120, noRefs: true, sortKeys: false });
+  return yaml.dump(secrets, { indent: 2, lineWidth: -1, noRefs: true, sortKeys: false });
 }
 module.exports = {

package/lib/datasource/abac-validator.js ADDED Viewed

@@ -0,0 +1,148 @@
+/**
+ * ABAC (Attribute-Based Access Control) validator for external datasources.
+ *
+ * Validates config.abac.dimensions (dimension-to-attribute references),
+ * config.abac.crossSystemJson (allowed operators, one per path, value types),
+ * and errors on legacy config.abac.crossSystem.
+ *
+ * @fileoverview ABAC validation for AI Fabrix Builder
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+const DIMENSION_KEY_PATTERN = /^[a-zA-Z0-9_]+$/;
+const ATTRIBUTE_PATH_PATTERN = /^[a-zA-Z0-9_.]+$/;
+const CROSS_SYSTEM_JSON_PATH_PATTERN = /^[a-zA-Z0-9_.]+$/;
+const ALLOWED_CROSS_SYSTEM_OPERATORS = new Set([
+  'eq', 'ne', 'gt', 'lt', 'gte', 'lte', 'in', 'nin', 'contains', 'like', 'isNull', 'isNotNull'
+]);
+/**
+ * Validates dimension keys and attribute path values for a dimensions object.
+ *
+ * @param {Object} dimensions - Object mapping dimension keys to attribute paths
+ * @param {string} source - Label for error messages (e.g. "config.abac.dimensions")
+ * @param {Set<string>} validAttributeNames - Set of valid attribute names (from fieldMappings.attributes)
+ * @returns {string[]} Error messages
+ */
+function validateDimensionsObject(dimensions, source, validAttributeNames) {
+  const errors = [];
+  if (!dimensions || typeof dimensions !== 'object' || Array.isArray(dimensions)) {
+    return errors;
+  }
+  for (const [dimKey, attrPath] of Object.entries(dimensions)) {
+    if (!DIMENSION_KEY_PATTERN.test(dimKey)) {
+      errors.push(
+        `${source}: dimension key '${dimKey}' must contain only letters, numbers, and underscores. Add '${dimKey}' to fieldMappings.attributes or fix the key.`
+      );
+    }
+    if (typeof attrPath !== 'string' || !ATTRIBUTE_PATH_PATTERN.test(attrPath)) {
+      errors.push(
+        `${source}: attribute path for dimension '${dimKey}' must be a string with letters, numbers, underscores, and dots only.`
+      );
+    } else if (validAttributeNames && validAttributeNames.size > 0) {
+      const normalizedName = attrPath.includes('.') ? attrPath.split('.').pop() : attrPath;
+      if (!validAttributeNames.has(attrPath) && !validAttributeNames.has(normalizedName)) {
+        errors.push(
+          `${source}: dimension '${dimKey}' maps to '${attrPath}' which is not in fieldMappings.attributes. Add the attribute or remove from dimensions.`
+        );
+      }
+    }
+  }
+  return errors;
+}
+/**
+ * Validates crossSystemJson: path format, exactly one operator per path, allowed operators and value types.
+ *
+ * @param {Object} crossSystemJson - Object mapping field paths to operator objects
+ * @returns {string[]} Error messages
+ */
+function validateCrossSystemJson(crossSystemJson) {
+  const errors = [];
+  if (!crossSystemJson || typeof crossSystemJson !== 'object' || Array.isArray(crossSystemJson)) {
+    return errors;
+  }
+  for (const [path, opObj] of Object.entries(crossSystemJson)) {
+    if (!CROSS_SYSTEM_JSON_PATH_PATTERN.test(path)) {
+      errors.push(
+        `config.abac.crossSystemJson: path '${path}' must contain only letters, numbers, underscores, and dots.`
+      );
+      continue;
+    }
+    if (typeof opObj !== 'object' || opObj === null || Array.isArray(opObj)) {
+      errors.push(
+        `config.abac.crossSystemJson.${path}: value must be an object with exactly one operator (e.g. { "eq": "user.country" }).`
+      );
+      continue;
+    }
+    const keys = Object.keys(opObj);
+    if (keys.length === 0) {
+      errors.push(
+        `config.abac.crossSystemJson.${path}: object must have exactly one operator. Allowed: ${[...ALLOWED_CROSS_SYSTEM_OPERATORS].join(', ')}.`
+      );
+    } else if (keys.length > 1) {
+      errors.push(
+        `config.abac.crossSystemJson.${path}: must have exactly one operator per path, got ${keys.join(', ')}. Use one of: ${[...ALLOWED_CROSS_SYSTEM_OPERATORS].join(', ')}.`
+      );
+    } else {
+      const op = keys[0];
+      if (!ALLOWED_CROSS_SYSTEM_OPERATORS.has(op)) {
+        errors.push(
+          `config.abac.crossSystemJson.${path}: unknown operator '${op}'. Allowed: ${[...ALLOWED_CROSS_SYSTEM_OPERATORS].join(', ')}.`
+        );
+      }
+    }
+  }
+  return errors;
+}
+/**
+ * Validates ABAC configuration for a parsed datasource.
+ * Checks dimensions from config.abac, crossSystemJson, and rejects legacy crossSystem.
+ *
+ * @function validateAbac
+ * @param {Object} parsed - Parsed datasource object (after JSON parse)
+ * @returns {string[]} Array of error messages; empty if valid
+ *
+ * @example
+ * const errors = validateAbac(parsed);
+ * if (errors.length > 0) errors.forEach(e => console.error(e));
+ */
+function validateAbac(parsed) {
+  const errors = [];
+  const abac = parsed?.config?.abac;
+  if (!abac || typeof abac !== 'object') {
+    return errors;
+  }
+  if ('crossSystem' in abac) {
+    errors.push(
+      'config.abac.crossSystem is deprecated. Use config.abac.crossSystemJson or config.abac.crossSystemSql instead.'
+    );
+  }
+  const attributeNames = new Set(
+    Object.keys(parsed?.fieldMappings?.attributes ?? {})
+  );
+  if (abac.dimensions) {
+    errors.push(...validateDimensionsObject(
+      abac.dimensions,
+      'config.abac.dimensions',
+      attributeNames
+    ));
+  }
+  if (abac.crossSystemJson) {
+    errors.push(...validateCrossSystemJson(abac.crossSystemJson));
+  }
+  return errors;
+}
+module.exports = {
+  validateAbac,
+  validateDimensionsObject,
+  validateCrossSystemJson
+};