@aifabrix/builder 2.42.1 → 2.44.0

package/lib/utils/remote-docker-env.js

@@ -11,33 +11,85 @@ const config = require('../core/config');
 const { getCertDir } = require('./dev-cert-helper');
 const { getConfigDirForPaths } = require('./paths');
 
+function devTlsCertPaths(certDir) {
+  return {
+    certPath: path.join(certDir, 'cert.pem'),
+    keyPath: path.join(certDir, 'key.pem'),
+    caPath: path.join(certDir, 'ca.pem')
+  };
+}
+
+function missingClientTlsError(trimmed, certDir) {
+  return new Error(
+    `docker-endpoint is set (${trimmed}) but client TLS material is missing in ${certDir}. ` +
+      'Place cert.pem and key.pem there (from Builder Server issue-cert or `AIFABRIX_DEV_ISSUE_PIN`), ' +
+      'or enable TLS skip-verify (`docker-tls-skip-verify: true` or `AIFABRIX_DOCKER_TLS_SKIP_VERIFY=1`) ' +
+      'if the daemon does not require client certificates. With skip-verify and no ca.pem, DOCKER_TLS_VERIFY=0. ' +
+      'Clear docker-endpoint only if you intend to use the local Docker daemon.'
+  );
+}
+
+function missingCaError(trimmed, certDir) {
+  return new Error(
+    `docker-endpoint is set (${trimmed}) but ca.pem is missing in ${certDir} and docker-tls-skip-verify is not enabled. ` +
+      'Add ca.pem (daemon/CA PEM), or for a self-signed Docker API set docker-tls-skip-verify: true in ~/.aifabrix/config.yaml ' +
+      '(or AIFABRIX_DOCKER_TLS_SKIP_VERIFY=1). Skip-verify uses TLS but does not verify the daemon certificate — use only on trusted networks.'
+  );
+}
+
 /**
- * If remote Docker is configured (docker-endpoint + cert.pem, key.pem, and ca.pem present),
- * returns env vars for Docker CLI: DOCKER_HOST, DOCKER_TLS_VERIFY, DOCKER_CERT_PATH.
- * Docker requires ca.pem in DOCKER_CERT_PATH for TLS; if it is missing we return {} so
- * the CLI uses local Docker and avoids "open ca.pem: no such file or directory".
+ * If remote Docker is configured (docker-endpoint set), returns env vars for Docker CLI:
+ * DOCKER_HOST, DOCKER_TLS_VERIFY, and optionally DOCKER_CERT_PATH when client certs exist.
+ * When docker-endpoint is set, we do not fall back to the local daemon without that endpoint
+ * (avoids accidentally using Docker Desktop while the dev profile targets a remote engine).
+ *
+ * When **TLS skip-verify** is enabled (config or env) and **ca.pem is missing**, client cert/key are
+ * optional: Docker can use DOCKER_TLS_VERIFY=0 with no client certs if the daemon allows it.
+ * If **ca.pem is present** (e.g. from Builder Server issue-cert), the daemon certificate is always
+ * verified (DOCKER_TLS_VERIFY=1) even when skip-verify is set — better security once a trust anchor exists.
  *
- * @returns {Promise<Object>} Env overlay (may be empty)
+ * Without skip-verify, cert.pem, key.pem, and ca.pem are required in the dev cert directory.
+ *
+ * @returns {Promise<Object>} Env overlay (empty when docker-endpoint is not set)
+ * @throws {Error} When docker-endpoint is set but required TLS material is missing
  */
 async function getRemoteDockerEnv() {
   const endpoint = await config.getDockerEndpoint();
   if (!endpoint || typeof endpoint !== 'string' || !endpoint.trim()) {
     return {};
   }
-  const devId = await config.getDeveloperId();
-  const certDir = getCertDir(getConfigDirForPaths(), devId);
-  const certPath = path.join(certDir, 'cert.pem');
-  const keyPath = path.join(certDir, 'key.pem');
-  const caPath = path.join(certDir, 'ca.pem');
+  const trimmed = endpoint.trim();
+  const certDir = getCertDir(getConfigDirForPaths(), await config.getDeveloperId());
+  const { certPath, keyPath, caPath } = devTlsCertPaths(certDir);
   const fs = require('fs');
-  if (!fs.existsSync(certPath) || !fs.existsSync(keyPath) || !fs.existsSync(caPath)) {
-    return {};
+  const skipVerify = await config.getDockerTlsSkipVerify();
+  const hasClient = fs.existsSync(certPath) && fs.existsSync(keyPath);
+  const hasCa = fs.existsSync(caPath);
+
+  if (!hasClient) {
+    if (!skipVerify) throw missingClientTlsError(trimmed, certDir);
+    return { DOCKER_HOST: trimmed, DOCKER_TLS_VERIFY: '0' };
   }
+  if (!hasCa && !skipVerify) throw missingCaError(trimmed, certDir);
+  const verifyDaemon = hasCa;
   return {
-    DOCKER_HOST: endpoint.trim(),
-    DOCKER_TLS_VERIFY: '1',
+    DOCKER_HOST: trimmed,
+    DOCKER_TLS_VERIFY: verifyDaemon ? '1' : '0',
     DOCKER_CERT_PATH: certDir
   };
 }
 
-module.exports = { getRemoteDockerEnv };
+/**
+ * Full environment for child_process exec/spawn: process.env merged with remote Docker vars when configured.
+ * @returns {Promise<Object>}
+ */
+async function getDockerExecEnv() {
+  const overlay = await getRemoteDockerEnv();
+  const merged = { ...process.env };
+  if (overlay.DOCKER_HOST && !Object.prototype.hasOwnProperty.call(overlay, 'DOCKER_CERT_PATH')) {
+    delete merged.DOCKER_CERT_PATH;
+  }
+  return { ...merged, ...overlay };
+}
+
+module.exports = { getRemoteDockerEnv, getDockerExecEnv };

package/lib/utils/remote-secrets-loader.js

@@ -14,16 +14,25 @@ const config = require('../core/config');
  * @returns {Promise<Object|null>} Key-value secrets from API or null
  */
 async function loadRemoteSharedSecrets() {
-  const { isRemoteSecretsUrl, getRemoteDevAuth } = require('./remote-dev-auth');
+  const remoteDevAuth = require('./remote-dev-auth');
   const devApi = require('../api/dev.api');
   const configSecretsPath = await config.getSecretsPath();
-  if (!configSecretsPath || !isRemoteSecretsUrl(configSecretsPath)) {
+  if (!configSecretsPath) {
     return null;
   }
-  const auth = await getRemoteDevAuth();
+  const endpoint = await remoteDevAuth.resolveSharedSecretsEndpoint(configSecretsPath);
+  if (!remoteDevAuth.isRemoteSecretsUrl(endpoint)) {
+    return null;
+  }
+  const auth = await remoteDevAuth.getRemoteDevAuth();
   if (!auth) return null;
   try {
-    const items = await devApi.listSecrets(auth.serverUrl, auth.clientCertPem);
+    const items = await devApi.listSecrets(
+      auth.serverUrl,
+      auth.clientCertPem,
+      auth.serverCaPem || undefined,
+      endpoint
+    );
     if (!Array.isArray(items)) return null;
     const obj = {};
     for (const item of items) {

package/lib/utils/resolve-docker-image-ref.js

@@ -0,0 +1,124 @@
+/**
+ * Resolve Docker repository path and tag from application config and optional CLI overrides.
+ * Precedence: --image (full ref), --registry CLI, image.registry in manifest, else unqualified name.
+ *
+ * For refs like localhost:5000/repo without an explicit tag, prefer --image with :tag (parse ambiguity).
+ *
+ * @fileoverview Shared Docker image reference resolution for run, compose, and version checks
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const { parseImageOverride } = require('./parse-image-ref');
+
+/**
+ * Repository path without host (same rules as compose-generator getImageName).
+ * @param {Object} appConfig - Application configuration
+ * @param {string} appName - Application name fallback
+ * @returns {string}
+ */
+function getRepositoryPathFromConfig(appConfig, appName) {
+  if (!appConfig || typeof appConfig !== 'object') {
+    return appName;
+  }
+  if (typeof appConfig.image === 'string') {
+    return appConfig.image.split(':')[0];
+  }
+  if (appConfig.image?.name) {
+    return appConfig.image.name;
+  }
+  if (appConfig.app?.key) {
+    return appConfig.app.key;
+  }
+  return appName;
+}
+
+/**
+ * @param {Object} [appConfig]
+ * @returns {string}
+ */
+function imageTagFromConfig(appConfig) {
+  return (appConfig && appConfig.image && appConfig.image.tag) || 'latest';
+}
+
+/**
+ * Trim and strip trailing slashes from a registry host/prefix. Empty/whitespace → ''.
+ * @param {string|undefined|null|number} registry - Registry host or prefix
+ * @returns {string}
+ */
+function normalizeDockerRegistryPrefix(registry) {
+  if (registry === null || registry === undefined) {
+    return '';
+  }
+  if (typeof registry !== 'string') {
+    return normalizeDockerRegistryPrefix(String(registry));
+  }
+  const t = registry.trim();
+  if (!t) {
+    return '';
+  }
+  return t.replace(/\/+$/, '');
+}
+
+/**
+ * Effective image repository (may include registry prefix) and tag for Docker.
+ * @param {string} appName - Application name
+ * @param {Object} appConfig - Loaded application manifest
+ * @param {Object} [runOptions] - Run/deploy options
+ * @param {string} [runOptions.image] - Full image ref override
+ * @param {string} [runOptions.registry] - CLI registry prefix (wins over manifest)
+ * @returns {{ imageName: string, imageTag: string }}
+ */
+function resolveDockerImageRef(appName, appConfig, runOptions = {}) {
+  const opts = runOptions || {};
+  if (opts.image) {
+    const parsed = parseImageOverride(opts.image);
+    return {
+      imageName: parsed ? parsed.name : getRepositoryPathFromConfig(appConfig, appName),
+      imageTag: parsed ? parsed.tag : imageTagFromConfig(appConfig)
+    };
+  }
+
+  const baseRepo = getRepositoryPathFromConfig(appConfig, appName);
+  const imageTag = imageTagFromConfig(appConfig);
+  const prefix =
+    normalizeDockerRegistryPrefix(opts.registry) ||
+    normalizeDockerRegistryPrefix(appConfig?.image?.registry ?? '');
+  if (prefix) {
+    return { imageName: `${prefix}/${baseRepo}`, imageTag };
+  }
+  return { imageName: baseRepo, imageTag };
+}
+
+/**
+ * Full image string for compose when manifest/CLI registry applies; else null (use template defaults).
+ * @param {string} appName - Application name
+ * @param {Object} appConfig - Application configuration
+ * @param {Object} [options] - Run options (image, imageOverride, tag, registry)
+ * @returns {string|null}
+ */
+function resolveComposeImageOverrideString(appName, appConfig, options = {}) {
+  if (options.image) return options.image;
+  if (options.imageOverride) return options.imageOverride;
+  const runOpts = { registry: options.registry, image: undefined };
+  if (options.tag) {
+    const { imageName } = resolveDockerImageRef(appName, appConfig, runOpts);
+    return `${imageName}:${options.tag}`;
+  }
+  const { imageName, imageTag } = resolveDockerImageRef(appName, appConfig, runOpts);
+  const shortName = getRepositoryPathFromConfig(appConfig, appName);
+  const shortTag = imageTagFromConfig(appConfig);
+  if (imageName === shortName && imageTag === shortTag) {
+    return null;
+  }
+  return `${imageName}:${imageTag}`;
+}
+
+module.exports = {
+  resolveDockerImageRef,
+  resolveComposeImageOverrideString,
+  normalizeDockerRegistryPrefix,
+  getRepositoryPathFromConfig
+};

package/lib/utils/schema-loader.js

@@ -9,9 +9,10 @@
  * @version 2.0.0
  */
 
-const fs = require('fs');
+const fsRealSync = require('../internal/fs-real-sync');
 const path = require('path');
 const Ajv = require('ajv');
+const addFormats = require('ajv-formats');
 
 // Cache for compiled validators
 // These are reset when module is reloaded (for testing)
@@ -46,11 +47,14 @@ function loadExternalSystemSchema() {
 
   const schemaPath = path.join(__dirname, '..', 'schema', 'external-system.schema.json');
 
-  if (!fs.existsSync(schemaPath)) {
-    throw new Error(`External system schema not found: ${schemaPath}`);
+  if (!fsRealSync.existsSync(schemaPath)) {
+    throw new Error(
+      `External system schema not found: ${schemaPath}. ` +
+        'Ensure the file exists (tracked under lib/schema/); run git checkout HEAD -- lib/schema/external-system.schema.json if your tree is incomplete.'
+    );
   }
 
-  const schemaContent = fs.readFileSync(schemaPath, 'utf8');
+  const schemaContent = fsRealSync.readFileSync(schemaPath, 'utf8');
   let schema;
 
   try {
@@ -60,6 +64,7 @@ function loadExternalSystemSchema() {
   }
 
   const ajv = new Ajv({ allErrors: true, strict: false });
+  addFormats(ajv);
   externalSystemValidator = ajv.compile(schema);
 
   return externalSystemValidator;
@@ -84,11 +89,14 @@ function loadExternalDataSourceSchema() {
 
   const schemaPath = path.join(__dirname, '..', 'schema', 'external-datasource.schema.json');
 
-  if (!fs.existsSync(schemaPath)) {
-    throw new Error(`External datasource schema not found: ${schemaPath}`);
+  if (!fsRealSync.existsSync(schemaPath)) {
+    throw new Error(
+      `External datasource schema not found: ${schemaPath}. ` +
+        'Ensure the file exists (tracked under lib/schema/); run git checkout HEAD -- lib/schema/external-datasource.schema.json if your tree is incomplete.'
+    );
   }
 
-  const schemaContent = fs.readFileSync(schemaPath, 'utf8');
+  const schemaContent = fsRealSync.readFileSync(schemaPath, 'utf8');
   let schema;
 
   try {
@@ -106,6 +114,11 @@ function loadExternalDataSourceSchema() {
   }
 
   const ajv = new Ajv({ allErrors: true, strict: false, strictSchema: false });
+  addFormats(ajv);
+  // external-datasource.schema.json references these by $id (aifabrix://schema/type/*)
+  ajv.addSchema(require('../schema/type/document-storage.json'));
+  ajv.addSchema(require('../schema/type/message-service.json'));
+  ajv.addSchema(require('../schema/type/vector-store.json'));
   externalDataSourceValidator = ajv.compile(schemaToCompile);
 
   return externalDataSourceValidator;
@@ -250,10 +263,10 @@ function readAndParseFileContent(filePath, content) {
   let fileContent = content;
 
   if (!fileContent) {
-    if (!fs.existsSync(filePath)) {
+    if (!fsRealSync.existsSync(filePath)) {
       throw new Error(`File not found: ${filePath}`);
     }
-    fileContent = fs.readFileSync(filePath, 'utf8');
+    fileContent = fsRealSync.readFileSync(filePath, 'utf8');
   }
 
   try {

package/lib/utils/secrets-bash-kv.js

@@ -0,0 +1,25 @@
+/**
+ * kv://BASH_<NAME> fallback: use process.env.<NAME>, then process.env.BASH_<NAME> (shared BASH_ keys).
+ * @fileoverview
+ */
+'use strict';
+
+/**
+ * @param {string} pathStr - Flat kv path (no slashes)
+ * @returns {string|undefined}
+ */
+function resolveBashKvFromProcessEnv(pathStr) {
+  if (!pathStr || typeof pathStr !== 'string' || pathStr.includes('/')) return undefined;
+  if (!pathStr.startsWith('BASH_')) return undefined;
+  const suffix = pathStr.slice(5);
+  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(suffix)) return undefined;
+  const pick = k => {
+    const raw = process.env[k];
+    if (raw === undefined || raw === null) return undefined;
+    const t = String(raw).trim();
+    return t.length > 0 ? t : undefined;
+  };
+  return pick(suffix) ?? pick(pathStr);
+}
+
+module.exports = { resolveBashKvFromProcessEnv };