@aifabrix/builder 2.42.1 → 2.44.0

package/lib/utils/infra-status-display.js

@@ -0,0 +1,167 @@
+/**
+ * Shared output for `aifabrix status`: title + configuration block.
+ * TLS/SSL (`infraTlsSslCell`) and `devNN` title match `dev-show-display.js`; environment, Traefik,
+ * and scoped-resources lines use uppercase ON/OFF-style labels for status output.
+ *
+ * @fileoverview Infra status CLI display helpers
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const config = require('../core/config');
+const logger = require('./logger');
+
+/** En dash for unset / empty values (same as dev-show-display). */
+const EM = '\u2013';
+const LABEL_W = 18;
+
+/**
+ * @param {unknown} v
+ * @returns {boolean}
+ */
+function isUnset(v) {
+  return v === null || v === undefined || v === '';
+}
+
+/**
+ * @param {unknown} v
+ * @returns {string}
+ */
+function cell(v) {
+  return isUnset(v) ? EM : String(v);
+}
+
+/**
+ * @param {string} label
+ * @param {unknown} value
+ */
+function logPaddedFieldRow(label, value) {
+  logger.log(`  ${label.padEnd(LABEL_W)} ${cell(value)}`);
+}
+
+/**
+ * @param {string|null|undefined} remoteUrl
+ * @returns {string}
+ */
+function hostFromRemoteUrl(remoteUrl) {
+  if (!remoteUrl || typeof remoteUrl !== 'string') {
+    return '';
+  }
+  try {
+    const u = new URL(remoteUrl.trim());
+    return u.hostname || '';
+  } catch {
+    return '';
+  }
+}
+
+/**
+ * @param {string} devIdStr
+ * @returns {string} e.g. dev02
+ */
+function devProfileHandle(devIdStr) {
+  const s = String(devIdStr);
+  if (/^[0-9]+$/.test(s)) {
+    return `dev${s.padStart(2, '0')}`;
+  }
+  return `dev${s}`;
+}
+
+/**
+ * Infra / compose TLS mode from ~/.aifabrix `tlsEnabled` (not Docker TLS verify).
+ * @param {boolean} tlsEnabled
+ * @returns {string}
+ */
+function infraTlsSslCell(tlsEnabled) {
+  return tlsEnabled ? 'ON 🔒' : 'OFF 🕐';
+}
+
+/**
+ * Traefik proxy row (`traefik: true` in config). Icons only (no ANSI color).
+ * @param {boolean} traefikEnabled
+ * @returns {string}
+ */
+function statusTraefikProxyCell(traefikEnabled) {
+  return traefikEnabled ? 'ON 🟢' : 'OFF 🟡';
+}
+
+/**
+ * Environment for status (uppercase).
+ * @param {unknown} environment
+ * @returns {string}
+ */
+function formatStatusEnvironment(environment) {
+  if (isUnset(environment)) {
+    return EM;
+  }
+  return String(environment).trim().toUpperCase();
+}
+
+/**
+ * Scoped resources for status: ON vs OFF (DEFAULT).
+ * @param {boolean} useScoped
+ * @returns {string}
+ */
+function statusScopedResourcesCell(useScoped) {
+  return useScoped ? 'ON' : 'OFF (DEFAULT)';
+}
+
+/**
+ * Single-line title for `aifabrix status` (same dev profile + remote host pattern as dev show).
+ * @param {string} devIdStr
+ * @param {string|null|undefined} remoteServer
+ * @returns {string}
+ */
+function formatInfraStatusTitleLine(devIdStr, remoteServer) {
+  const who = devProfileHandle(devIdStr);
+  const host = hostFromRemoteUrl(remoteServer);
+  if (host) {
+    return `📊 Infrastructure Status (${who} @ ${host})`;
+  }
+  return `📊 Infrastructure Status (${who})`;
+}
+
+/**
+ * @param {{ remoteServer: string|null|undefined, tlsEnabled: boolean, environment: unknown, useScoped: boolean, traefikEnabled: boolean }} p
+ */
+function logInfraStatusConfigurationSummary(p) {
+  logger.log('⚙️ Configuration');
+  logPaddedFieldRow('Server', p.remoteServer);
+  logPaddedFieldRow('TLS/SSL', infraTlsSslCell(p.tlsEnabled));
+  logPaddedFieldRow('Traefik proxy', statusTraefikProxyCell(p.traefikEnabled));
+  logPaddedFieldRow('Environment', formatStatusEnvironment(p.environment));
+  logPaddedFieldRow('Scoped resources', statusScopedResourcesCell(p.useScoped));
+  logger.log('');
+}
+
+/**
+ * @returns {Promise<{ devIdStr: string, remoteServer: string|null|undefined, tlsEnabled: boolean, environment: unknown, useScoped: boolean, traefikEnabled: boolean }>}
+ */
+async function loadInfraStatusSummary() {
+  const [rawDevId, environment, tlsEnabled, remoteServer, useScoped, traefikEnabled] = await Promise.all([
+    config.getDeveloperId(),
+    config.getCurrentEnvironment(),
+    config.getTlsEnabled(),
+    config.getRemoteServer(),
+    config.getUseEnvironmentScopedResources(),
+    config.getTraefikEnabled()
+  ]);
+  const devIdStr = rawDevId === null || rawDevId === undefined ? '0' : String(rawDevId);
+  return {
+    devIdStr,
+    environment,
+    tlsEnabled,
+    remoteServer,
+    useScoped,
+    traefikEnabled
+  };
+}
+
+module.exports = {
+  loadInfraStatusSummary,
+  formatInfraStatusTitleLine,
+  logInfraStatusConfigurationSummary,
+  logPaddedFieldRow
+};

package/lib/utils/infra-status.js

@@ -9,13 +9,10 @@
  * @version 2.0.0
  */
 
-const { exec } = require('child_process');
-const { promisify } = require('util');
 const config = require('../core/config');
 const devConfig = require('./dev-config');
 const containerUtils = require('./infra-containers');
-
-const execAsync = promisify(exec);
+const { execWithDockerEnv } = require('./docker-exec');
 
 /**
  * Builds services config map from ports and config flags.
@@ -52,7 +49,7 @@ async function getServiceStatus(serviceName, serviceConfig, devId) {
   try {
     const containerName = await containerUtils.findContainer(serviceName, devId, { strict: true });
     const rawStatus = containerName
-      ? (await execAsync(`docker inspect --format='{{.State.Status}}' ${containerName}`)).stdout.trim().replace(/['"]/g, '')
+      ? (await execWithDockerEnv(`docker inspect --format='{{.State.Status}}' ${containerName}`)).stdout.trim().replace(/['"]/g, '')
       : 'not running';
     return { status: rawStatus, port: serviceConfig.port, url: serviceConfig.url };
   } catch {
@@ -107,6 +104,9 @@ function getInfraContainerNames(devIdNum, devId) {
 /** Suffixes for init/helper containers to exclude from "Running Applications" (e.g. keycloak-db-init) */
 const INIT_CONTAINER_SUFFIXES = ['-db-init', '-init'];
 
+/** Names like aifabrix-dev02-postgres belong to isolated developer stacks, not legacy dev-0 mode */
+const DEV_PREFIXED_CONTAINER = /^aifabrix-dev\d+-/;
+
 /**
  * Extracts app name from container name
  * @param {string} containerName - Container name
@@ -115,6 +115,9 @@ const INIT_CONTAINER_SUFFIXES = ['-db-init', '-init'];
  * @returns {string|null} App name or null if not matched
  */
 function extractAppName(containerName, devIdNum, devId) {
+  if (devIdNum === 0 && DEV_PREFIXED_CONTAINER.test(containerName)) {
+    return null;
+  }
   const pattern = devIdNum === 0 ? /^aifabrix-(.+)$/ : new RegExp(`^aifabrix-dev${devId}-(.+)$`);
   const match = containerName.match(pattern);
   if (!match) return null;
@@ -176,7 +179,7 @@ async function getAppStatus() {
   try {
     const devIdNum = parseInt(devId, 10);
     const filterPattern = devIdNum === 0 ? 'aifabrix-' : `aifabrix-dev${devId}-`;
-    const { stdout } = await execAsync(`docker ps --filter "name=${filterPattern}" --format "{{.Names}}\t{{.Ports}}\t{{.Status}}"`);
+    const { stdout } = await execWithDockerEnv(`docker ps --filter "name=${filterPattern}" --format "{{.Names}}\t{{.Ports}}\t{{.Status}}"`);
     const lines = stdout.trim().split('\n').filter(line => line.trim() !== '');
     const infraContainers = getInfraContainerNames(devIdNum, devId);
     for (const line of lines) {
@@ -211,9 +214,14 @@ async function listAppContainerNamesForDeveloper(devId, options = {}) {
   const includeExited = !!options.includeExited;
   try {
     const allFlag = includeExited ? ' -a' : '';
-    const { stdout } = await execAsync(`docker ps${allFlag} --filter "name=${filterPattern}" --format "{{.Names}}"`);
+    const { stdout } = await execWithDockerEnv(`docker ps${allFlag} --filter "name=${filterPattern}" --format "{{.Names}}"`);
     const names = (stdout || '').trim().split('\n').filter(Boolean);
-    return names.filter(n => !infraContainers.includes(n));
+    return names.filter(n => {
+      if (devIdNum === 0 && DEV_PREFIXED_CONTAINER.test(n)) {
+        return false;
+      }
+      return !infraContainers.includes(n);
+    });
   } catch {
     return [];
   }

package/lib/utils/local-secrets.js

@@ -1,7 +1,7 @@
 /**
  * Local Secrets Management Utilities
  *
- * Helper functions for managing local secrets in ~/.aifabrix/secrets.local.yaml
+ * Helper functions for managing local secrets in getPrimaryUserSecretsLocalPath() (config dir)
  *
  * @fileoverview Local secrets management utilities
  * @author AI Fabrix Team
@@ -15,10 +15,30 @@ const logger = require('../utils/logger');
 const pathsUtil = require('./paths');
 const { mergeSecretsIntoFile } = require('./secrets-generator');
 
+/** Bootstrap key name; never encrypt this key's value when writing (key is stored in config). */
+const ENCRYPTION_KEY_VAULT = 'secrets-encryptionKeyVault';
+
+/**
+ * Resolves value to write: encrypted (secure://) when encryption key is set and key is not the bootstrap key.
+ * @async
+ * @param {string} key - Secret key name
+ * @param {string} value - Secret value
+ * @returns {Promise<string>} Value to write (plaintext or secure://...)
+ */
+async function resolveValueForWrite(key, value) {
+  const config = require('../core/config');
+  const encryptionKey = await config.getSecretsEncryptionKey();
+  if (!encryptionKey || key === ENCRYPTION_KEY_VAULT) {
+    return typeof value === 'string' ? value : String(value);
+  }
+  const { encryptSecret } = require('./secrets-encryption');
+  return encryptSecret(typeof value === 'string' ? value : String(value), encryptionKey);
+}
+
 /**
- * Saves a secret to ~/.aifabrix/secrets.local.yaml
- * Uses paths.getAifabrixHome() to respect config.yaml aifabrix-home override
- * Merges the key into the file (updates in place if key already exists, e.g. after rotate-secret)
+ * Saves a secret to the primary user secrets file (getPrimaryUserSecretsLocalPath)
+ * Merges the key into the file (updates in place if key already exists, e.g. after rotate-secret).
+ * Encrypts the value when a secrets-encryption key is configured (except for the bootstrap key).
  *
  * @async
  * @function saveLocalSecret
@@ -39,8 +59,9 @@ async function saveLocalSecret(key, value) {
     throw new Error('Secret value is required');
   }
 
-  const secretsPath = path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
-  mergeSecretsIntoFile(secretsPath, { [key]: value });
+  const valueToWrite = await resolveValueForWrite(key, value);
+  const secretsPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+  mergeSecretsIntoFile(secretsPath, { [key]: valueToWrite });
 }
 
 /**
@@ -121,8 +142,9 @@ function _loadExistingSecrets(resolvedPath) {
 async function saveSecret(key, value, secretsPath) {
   validateSaveSecretParams(key, value, secretsPath);
 
+  const valueToWrite = await resolveValueForWrite(key, value);
   const resolvedPath = resolveAndPrepareSecretsPath(secretsPath);
-  mergeSecretsIntoFile(resolvedPath, { [key]: value });
+  mergeSecretsIntoFile(resolvedPath, { [key]: valueToWrite });
 }
 
 /**

package/lib/utils/paths.js

@@ -12,6 +12,11 @@
 const path = require('path');
 const fs = require('fs');
 const yaml = require('js-yaml');
+const { nodeFs } = require('../internal/node-fs');
+const {
+  getAifabrixRuntimeConfigDir,
+  resolveAifabrixHomeLikePath
+} = require('./aifabrix-runtime-config-dir');
 
 function safeHomedir() {
   try {
@@ -29,30 +34,46 @@ function safeHomedir() {
 }
 
 /**
- * Returns the path to the config directory (same precedence as config.js so both read the same config).
- * Priority: AIFABRIX_CONFIG (dirname) → AIFABRIX_HOME → ~/.aifabrix.
+ * Returns the path to the config directory (same as {@link getAifabrixRuntimeConfigDir} / config.js).
+ * When `AIFABRIX_HOME` is `$HOME` but `config.yaml` is only under `$HOME/.aifabrix/`, returns the latter.
  * @returns {string} Absolute path to config directory
  */
 function getConfigDirForPaths() {
-  const configFile = process.env.AIFABRIX_CONFIG && typeof process.env.AIFABRIX_CONFIG === 'string';
-  if (configFile) {
-    return path.dirname(path.resolve(process.env.AIFABRIX_CONFIG.trim()));
-  }
-  if (process.env.AIFABRIX_HOME && typeof process.env.AIFABRIX_HOME === 'string') {
-    return path.resolve(process.env.AIFABRIX_HOME.trim());
-  }
-  return path.join(safeHomedir(), '.aifabrix');
+  return getAifabrixRuntimeConfigDir();
+}
+
+/**
+ * User-owned `secrets.local.yaml` beside effective `config.yaml` (see {@link getConfigDirForPaths}).
+ * When `AIFABRIX_HOME` is `$HOME` but config is only at `$HOME/.aifabrix/config.yaml`, uses that folder.
+ * Keeps `secret list` / `secret set` aligned with resolve merge (`loadPrimaryUserSecrets`).
+ *
+ * @returns {string} Absolute path to secrets.local.yaml
+ */
+function getPrimaryUserSecretsLocalPath() {
+  return path.join(getConfigDirForPaths(), 'secrets.local.yaml');
+}
+
+/**
+ * Directory for CLI system state next to `config.yaml`: `admin-secrets.env`, `infra/` or `infra-dev{id}/`,
+ * `audit.log`, etc. Unlike {@link getAifabrixHome}, this follows the resolved config directory (e.g.
+ * `~/.aifabrix` when config lives there even if `aifabrix-home` / `AIFABRIX_HOME` is `$HOME`).
+ *
+ * @returns {string} Absolute path (same as {@link getConfigDirForPaths})
+ */
+function getAifabrixSystemDir() {
+  return getConfigDirForPaths();
 }
 
 /**
  * Returns the base AI Fabrix directory.
- * Priority: AIFABRIX_HOME env → config.yaml `aifabrix-home` (from AIFABRIX_HOME or ~/.aifabrix) → ~/.aifabrix.
+ * Priority: AIFABRIX_HOME env → config.yaml `aifabrix-home` → ~/.aifabrix.
+ * Builder-server SSH provisioning sets `aifabrix-home` to the user POSIX home; dev `.bashrc` exports AIFABRIX_HOME from that key (default $HOME).
  *
  * @returns {string} Absolute path to the AI Fabrix home directory
  */
 function getAifabrixHome() {
   if (process.env.AIFABRIX_HOME && typeof process.env.AIFABRIX_HOME === 'string') {
-    return path.resolve(process.env.AIFABRIX_HOME.trim());
+    return resolveAifabrixHomeLikePath(process.env.AIFABRIX_HOME.trim());
   }
   const isTestEnv = process.env.NODE_ENV === 'test' || process.env.JEST_WORKER_ID !== undefined;
   if (!isTestEnv) {
@@ -64,7 +85,7 @@ function getAifabrixHome() {
         const config = yaml.load(content) || {};
         const homeOverride = config && typeof config['aifabrix-home'] === 'string' ? config['aifabrix-home'].trim() : '';
         if (homeOverride) {
-          return path.resolve(homeOverride);
+          return resolveAifabrixHomeLikePath(homeOverride);
         }
       }
     } catch {
@@ -74,6 +95,40 @@ function getAifabrixHome() {
   return path.join(safeHomedir(), '.aifabrix');
 }
 
+/**
+ * Default git / workspace root from env or config (optional; no fallback to aifabrix-home).
+ * Priority: AIFABRIX_WORK env (trim, resolve) → config.yaml `aifabrix-work` → null.
+ *
+ * @returns {string|null} Absolute path or null when unset
+ */
+function getAifabrixWork() {
+  if (process.env.AIFABRIX_WORK && typeof process.env.AIFABRIX_WORK === 'string') {
+    const t = process.env.AIFABRIX_WORK.trim();
+    if (t) {
+      return resolveAifabrixHomeLikePath(t);
+    }
+  }
+  const isTestEnv = process.env.NODE_ENV === 'test' || process.env.JEST_WORKER_ID !== undefined;
+  if (!isTestEnv) {
+    try {
+      const configDir = getConfigDirForPaths();
+      const configPath = path.join(configDir, 'config.yaml');
+      if (fs.existsSync(configPath)) {
+        const content = fs.readFileSync(configPath, 'utf8');
+        const config = yaml.load(content) || {};
+        const workOverride =
+          config && typeof config['aifabrix-work'] === 'string' ? config['aifabrix-work'].trim() : '';
+        if (workOverride) {
+          return resolveAifabrixHomeLikePath(workOverride);
+        }
+      }
+    } catch {
+      // ignore
+    }
+  }
+  return null;
+}
+
 // Cache project root to avoid repeated filesystem lookups
 let cachedProjectRoot = null;
 
@@ -92,7 +147,8 @@ function clearProjectRootCache() {
  */
 function hasPackageJson(dirPath) {
   const packageJsonPath = path.join(dirPath, 'package.json');
-  return fs.existsSync(packageJsonPath);
+  // Real disk: Jest workers may retain jest.mock('fs') from other suites; project root must stay truthful.
+  return nodeFs().existsSync(packageJsonPath);
 }
 
 /**
@@ -215,22 +271,31 @@ function tryFindProjectRoot() {
 }
 
 function getProjectRoot() {
-  // Return cached value if available and valid
+  // Prefer global.PROJECT_ROOT whenever it is valid so tests that override it (or restore it)
+  // are not defeated by a stale cachedProjectRoot from an earlier call in the same Jest worker.
+  const globalRoot = checkGlobalProjectRoot();
+  if (globalRoot) {
+    cachedProjectRoot = globalRoot;
+    return globalRoot;
+  }
   if (cachedProjectRoot && hasPackageJson(cachedProjectRoot)) {
     return cachedProjectRoot;
   }
-
   return tryFindProjectRoot();
 }
 
 /**
- * Returns the applications base directory. Dev 0: <home>/applications; Dev > 0: <home>/applications-dev-{id}
+ * Returns the applications base directory next to effective `config.yaml` (same root as infra, secrets, audit).
+ * Dev 0: `<configDir>/applications`; non-zero dev: `<configDir>/applications-dev-{id}`.
+ * Uses {@link getAifabrixSystemDir}, not raw {@link getAifabrixHome}, so builder-server layouts with
+ * `AIFABRIX_HOME=$HOME` and config under `~/.aifabrix/` keep apps under `.aifabrix` (not `$HOME/applications-dev-*`).
+ *
  * @param {number|string} developerId - Developer ID
  * @returns {string} Absolute path to applications base directory
  */
 function getApplicationsBaseDir(developerId) {
   const idNum = typeof developerId === 'string' ? parseInt(developerId, 10) : developerId;
-  const base = getAifabrixHome();
+  const base = getAifabrixSystemDir();
   if (idNum === 0) {
     return path.join(base, 'applications');
   }
@@ -249,7 +314,8 @@ function getDevDirectory(appName, developerId) {
 }
 
 /**
- * Gets the application path (builder or integration folder)
+ * Gets the application path (builder or integration folder).
+ * Matches getBuilderPath / getIntegrationPath: respects AIFABRIX_BUILDER_DIR and project-root vs cwd base.
  * @param {string} appName - Application name
  * @param {string} [appType] - Application type ('external' or other)
  * @returns {string} Absolute path to application directory
@@ -258,9 +324,10 @@ function getAppPath(appName, appType) {
   if (!appName || typeof appName !== 'string') {
     throw new Error('App name is required and must be a string');
   }
-
-  const baseDir = appType === 'external' ? 'integration' : 'builder';
-  return path.join(process.cwd(), baseDir, appName);
+  if (appType === 'external') {
+    return getIntegrationPath(appName);
+  }
+  return path.join(getBuilderRoot(), appName);
 }
 
 /**
@@ -299,28 +366,45 @@ function getBuilderRoot() {
   return path.join(getIntegrationBuilderBaseDir(), 'builder');
 }
 
+/**
+ * True when name under root is a real directory (follows symlinks). False for broken symlinks, files, ENOENT.
+ * @param {string} root - Parent directory (must exist)
+ * @param {string} name - Entry from readdir
+ * @returns {boolean}
+ */
+function isAppSubdirSync(root, name) {
+  if (!name || name.startsWith('.')) return false;
+  const fullPath = path.join(root, name);
+  try {
+    const st = nodeFs().statSync(fullPath);
+    return Boolean(st && typeof st.isDirectory === 'function' && st.isDirectory());
+  } catch {
+    return false;
+  }
+}
+
 /**
  * Lists app names (directories) under integration root. Excludes dot-prefixed entries.
  * Returns [] if root does not exist.
  * @returns {string[]} Sorted list of app directory names
  */
 function listIntegrationAppNames() {
+  const disk = nodeFs();
   const root = getIntegrationRoot();
-  if (!fs.existsSync(root)) {
+  if (!disk.existsSync(root)) {
+    return [];
+  }
+  let rootStat;
+  try {
+    rootStat = disk.statSync(root);
+  } catch {
     return [];
   }
-  const stat = fs.statSync(root);
-  if (!stat || typeof stat.isDirectory !== 'function' || !stat.isDirectory()) {
+  if (!rootStat || typeof rootStat.isDirectory !== 'function' || !rootStat.isDirectory()) {
     return [];
   }
-  const entries = fs.readdirSync(root);
-  return entries
-    .filter(name => !name.startsWith('.'))
-    .filter(name => {
-      const fullPath = path.join(root, name);
-      return fs.statSync(fullPath).isDirectory();
-    })
-    .sort();
+  const entries = disk.readdirSync(root);
+  return entries.filter((name) => isAppSubdirSync(root, name)).sort();
 }
 
 /**
@@ -329,22 +413,22 @@ function listIntegrationAppNames() {
  * @returns {string[]} Sorted list of app directory names
  */
 function listBuilderAppNames() {
+  const disk = nodeFs();
   const root = getBuilderRoot();
-  if (!fs.existsSync(root)) {
+  if (!disk.existsSync(root)) {
+    return [];
+  }
+  let rootStat;
+  try {
+    rootStat = disk.statSync(root);
+  } catch {
     return [];
   }
-  const stat = fs.statSync(root);
-  if (!stat || typeof stat.isDirectory !== 'function' || !stat.isDirectory()) {
+  if (!rootStat || typeof rootStat.isDirectory !== 'function' || !rootStat.isDirectory()) {
     return [];
   }
-  const entries = fs.readdirSync(root);
-  return entries
-    .filter(name => !name.startsWith('.'))
-    .filter(name => {
-      const fullPath = path.join(root, name);
-      return fs.statSync(fullPath).isDirectory();
-    })
-    .sort();
+  const entries = disk.readdirSync(root);
+  return entries.filter((name) => isAppSubdirSync(root, name)).sort();
 }
 
 /**
@@ -387,7 +471,7 @@ function getBuilderPath(appName) {
     ? process.env.AIFABRIX_BUILDER_DIR.trim()
     : null;
   if (builderRoot) {
-    return path.join(builderRoot, appName);
+    return path.join(path.resolve(builderRoot), appName);
   }
   const base = getIntegrationBuilderBaseDir();
   return path.join(base, 'builder', appName);
@@ -430,7 +514,7 @@ function getDeployJsonPath(appName, appType, preferNew = false) {
   // If neither exists, return new naming (for generation)
   return newPath;
 }
-const { resolveApplicationConfigPath } = require('./app-config-resolver');
+const { resolveApplicationConfigPath, resolveRbacPath } = require('./app-config-resolver');
 const { loadConfigFile } = require('./config-format');
 /**
  * Checks if app type is external from variables object
@@ -518,7 +602,7 @@ async function detectAppType(appName, _options = {}) {
 
 /**
  * Resolve-specific app path: prefer integration + env.template only (env-only mode).
- * If integration/<appName>/env.template exists, use that directory without requiring application.yaml.
+ * If integration/<systemKey>/env.template exists, use that directory without requiring application.yaml.
  * Otherwise fall back to detectAppType (integration or builder with full config).
  *
  * @param {string} appName - Application name
@@ -538,7 +622,7 @@ async function getResolveAppPath(appName) {
   return { appPath: result.appPath, envOnly: false };
 }
 
-/** Resolve appKey when cwd is inside integration/<appKey>/. */
+/** Resolve app folder name when cwd is inside integration/<systemKey>/. */
 function resolveIntegrationAppKeyFromCwd() {
   const integrationNorm = path.resolve(path.join(getIntegrationBuilderBaseDir(), 'integration'));
   const cwd = path.resolve(process.cwd());
@@ -548,7 +632,10 @@ function resolveIntegrationAppKeyFromCwd() {
 
 module.exports = {
   getAifabrixHome,
+  getAifabrixWork,
   getConfigDirForPaths,
+  getAifabrixSystemDir,
+  getPrimaryUserSecretsLocalPath,
   getApplicationsBaseDir,
   getDevDirectory,
   getAppPath,
@@ -562,6 +649,7 @@ module.exports = {
   resolveBuildContext,
   getDeployJsonPath,
   resolveApplicationConfigPath,
+  resolveRbacPath,
   detectAppType,
   getResolveAppPath,
   resolveIntegrationAppKeyFromCwd,