npm - @aifabrix/builder - Versions diffs - 2.42.1 → 2.44.0 - Mend

@aifabrix/builder 2.42.1 → 2.44.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (392) hide show

package/.cursor/rules/anchor-docs.mdc +15 -0
package/README.md +2 -2
package/anchor-docs/README.md +10 -0
package/anchor-docs/_TEMPLATE +24 -0
package/bin/aifabrix.js +13 -4
package/integration/hubspot-test/README.md +157 -0
package/integration/{hubspot → hubspot-test}/application.json +6 -6
package/integration/{hubspot → hubspot-test}/create-hubspot.js +10 -10
package/integration/hubspot-test/env.template +4 -0
package/integration/hubspot-test/hubspot-test-datasource-company.json +138 -0
package/integration/hubspot-test/hubspot-test-datasource-contact.json +146 -0
package/integration/hubspot-test/hubspot-test-datasource-deal.json +146 -0
package/integration/hubspot-test/hubspot-test-datasource-users.json +76 -0
package/integration/{hubspot/hubspot-deploy.json → hubspot-test/hubspot-test-deploy.json} +201 -24
package/integration/{hubspot/hubspot-system.json → hubspot-test/hubspot-test-system.json} +8 -7
package/integration/hubspot-test/rbac.json +166 -0
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-hubspot-credential-real.yaml +3 -3
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-hubspot-env-vars.yaml +2 -2
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-add-datasource.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-credential-create.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-credential-select.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-known-platform.yaml +1 -1
package/integration/hubspot-test/test-artifacts/wizard-invalid-missing-source.yaml +2 -0
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-mode.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-openapi-file.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-openapi-url.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-source.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-valid-for-dimension-array-test.yaml +1 -1
package/integration/hubspot-test/test-artifacts/wizard-valid-for-dimension-key-test.yaml +5 -0
package/integration/hubspot-test/test-artifacts/wizard-valid-for-dimension-path-test.yaml +5 -0
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-valid-for-dimension-test.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-valid-for-rbac-test.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-valid-for-rbac-yaml-test.yaml +1 -1
package/integration/{hubspot → hubspot-test}/test-dataplane-down-tests.js +1 -7
package/integration/{hubspot → hubspot-test}/test-dataplane-down.js +3 -3
package/integration/{hubspot → hubspot-test}/test.js +137 -102
package/integration/{hubspot → hubspot-test}/wizard-hubspot-e2e.yaml +2 -2
package/integration/{hubspot → hubspot-test}/wizard-hubspot-platform.yaml +1 -1
package/integration/hubspot-test/wizard-hubspot-test-headless.yaml +23 -0
package/integration/roundtrip-test-local/README.md +144 -0
package/integration/roundtrip-test-local/application.yaml +13 -0
package/integration/roundtrip-test-local/env.template +15 -0
package/integration/roundtrip-test-local/roundtrip-test-local-datasource-roundtrip-test-company.yaml +14 -0
package/integration/roundtrip-test-local/roundtrip-test-local-deploy.json +61 -0
package/integration/roundtrip-test-local/roundtrip-test-local-system.yaml +25 -0
package/integration/roundtrip-test-local2/README.md +144 -0
package/integration/roundtrip-test-local2/application.yaml +13 -0
package/integration/roundtrip-test-local2/env.template +15 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-datasource-company.yaml +31 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-deploy.json +86 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-system.yaml +25 -0
package/integration/test/wizard.yaml +8 -0
package/jest.config.default.js +10 -0
package/jest.config.integration.fixtures.js +22 -0
package/jest.config.integration.js +21 -18
package/jest.config.isolated.js +10 -0
package/jest.projects.js +288 -0
package/lib/api/datasources-core.api.js +3 -3
package/lib/api/dev-mtls-request.js +110 -0
package/lib/api/dev-server-https.js +145 -0
package/lib/api/dev.api.js +133 -144
package/lib/api/index.js +0 -1
package/lib/api/pipeline.api.js +67 -20
package/lib/api/service-users.api.js +111 -2
package/lib/api/types/dev.types.js +4 -3
package/lib/api/types/pipeline.types.js +8 -5
package/lib/api/types/service-users.types.js +41 -0
package/lib/api/types/validation-run.types.js +56 -0
package/lib/api/validation-run.api.js +99 -0
package/lib/api/validation-runner.js +99 -0
package/lib/app/config.js +1 -1
package/lib/app/deploy-status-display.js +2 -2
package/lib/app/deploy.js +7 -6
package/lib/app/display.js +2 -1
package/lib/app/dockerfile.js +3 -2
package/lib/app/down.js +2 -1
package/lib/app/helpers.js +6 -5
package/lib/app/index.js +27 -8
package/lib/app/list.js +7 -6
package/lib/app/push.js +4 -3
package/lib/app/register.js +19 -8
package/lib/app/rotate-secret.js +17 -13
package/lib/app/run-container-start.js +184 -0
package/lib/app/run-docker-fallback.js +108 -0
package/lib/app/run-env-compose.js +30 -42
package/lib/app/run-helpers.js +49 -126
package/lib/app/run-infra-requirements.js +30 -0
package/lib/app/run-resolve-image.js +21 -0
package/lib/app/run.js +74 -21
package/lib/app/show-display.js +1 -1
package/lib/app/show.js +1 -1
package/lib/build/index.js +13 -10
package/lib/cli/index.js +2 -0
package/lib/cli/setup-app.help.js +67 -0
package/lib/cli/setup-app.js +59 -123
package/lib/cli/setup-app.test-commands.js +179 -0
package/lib/cli/setup-auth.js +36 -14
package/lib/cli/setup-credential-deployment.js +22 -8
package/lib/cli/setup-dev-path-commands.js +124 -0
package/lib/cli/setup-dev.js +190 -103
package/lib/cli/setup-environment.js +11 -20
package/lib/cli/setup-external-system.js +62 -22
package/lib/cli/setup-infra.js +139 -47
package/lib/cli/setup-parameters.js +32 -0
package/lib/cli/setup-secrets.js +147 -10
package/lib/cli/setup-service-user.js +146 -20
package/lib/cli/setup-utility.js +47 -19
package/lib/commands/app-down.js +5 -7
package/lib/commands/app-install.js +14 -7
package/lib/commands/app-logs.js +13 -10
package/lib/commands/app-shell.js +4 -1
package/lib/commands/app-test.js +25 -19
package/lib/commands/app.js +22 -10
package/lib/commands/auth-config.js +10 -14
package/lib/commands/auth-status.js +4 -3
package/lib/commands/credential-env.js +4 -3
package/lib/commands/credential-list.js +5 -4
package/lib/commands/credential-push.js +4 -3
package/lib/commands/datasource-unified-test-cli.js +495 -0
package/lib/commands/datasource-unified-test-cli.options.js +149 -0
package/lib/commands/datasource-validation-cli.js +129 -0
package/lib/commands/datasource.js +123 -71
package/lib/commands/deployment-list.js +6 -5
package/lib/commands/dev-cli-handlers.js +122 -18
package/lib/commands/dev-down.js +4 -3
package/lib/commands/dev-init.js +231 -116
package/lib/commands/dev-show-display.js +473 -0
package/lib/commands/login-credentials.js +3 -2
package/lib/commands/login-device.js +4 -3
package/lib/commands/login.js +5 -4
package/lib/commands/logout.js +8 -7
package/lib/commands/parameters-validate.js +54 -0
package/lib/commands/repair-datasource.js +314 -68
package/lib/commands/repair-env-template.js +16 -10
package/lib/commands/repair-rbac.js +25 -19
package/lib/commands/repair.js +116 -32
package/lib/commands/secrets-list.js +23 -12
package/lib/commands/secrets-remove-all.js +220 -0
package/lib/commands/secrets-remove.js +22 -13
package/lib/commands/secrets-set.js +21 -12
package/lib/commands/secrets-validate.js +20 -7
package/lib/commands/secure.js +10 -9
package/lib/commands/service-user.js +243 -13
package/lib/commands/test-e2e-external.js +27 -1
package/lib/commands/up-common.js +28 -2
package/lib/commands/up-dataplane.js +31 -18
package/lib/commands/up-miso.js +19 -29
package/lib/commands/upload.js +138 -39
package/lib/commands/wizard-core-helpers.js +1 -1
package/lib/commands/wizard-dataplane.js +4 -3
package/lib/commands/wizard-helpers.js +3 -3
package/lib/commands/wizard.js +2 -2
package/lib/core/admin-secrets.js +16 -5
package/lib/core/audit-logger.js +12 -4
package/lib/core/config-attach-extensions.js +46 -0
package/lib/core/config-runtime-paths.js +29 -0
package/lib/core/config.js +59 -58
package/lib/core/diff.js +3 -2
package/lib/core/ensure-encryption-key.js +2 -4
package/lib/core/secrets-ensure-infra.js +77 -0
package/lib/core/secrets-ensure.js +120 -64
package/lib/core/secrets-env-write.js +35 -7
package/lib/core/secrets-infra-placeholder-sync.js +61 -0
package/lib/core/secrets.js +228 -42
package/lib/core/templates-env.js +4 -3
package/lib/core/templates.js +1 -1
package/lib/datasource/abac-validator.js +148 -0
package/lib/datasource/deploy.js +75 -53
package/lib/datasource/field-reference-validator.js +77 -36
package/lib/datasource/integration-context.js +63 -0
package/lib/datasource/list.js +8 -7
package/lib/datasource/log-viewer.js +252 -0
package/lib/datasource/resolve-app.js +109 -0
package/lib/datasource/test-e2e.js +95 -155
package/lib/datasource/test-integration.js +121 -109
package/lib/datasource/unified-validation-run-body.js +65 -0
package/lib/datasource/unified-validation-run-post.js +23 -0
package/lib/datasource/unified-validation-run-resolve.js +43 -0
package/lib/datasource/unified-validation-run.js +92 -0
package/lib/datasource/validate.js +162 -15
package/lib/deployment/deployer.js +4 -3
package/lib/deployment/environment.js +7 -6
package/lib/deployment/push.js +17 -8
package/lib/external-system/delete.js +4 -3
package/lib/external-system/deploy.js +131 -53
package/lib/external-system/download-helpers.js +1 -1
package/lib/external-system/download.js +7 -6
package/lib/external-system/generator.js +104 -14
package/lib/external-system/integration-test-dispatch.js +26 -0
package/lib/external-system/test-execution.js +5 -1
package/lib/external-system/test-helpers.js +0 -4
package/lib/external-system/test-system-level-helpers.js +110 -0
package/lib/external-system/test-system-level.js +83 -44
package/lib/external-system/test.js +59 -8
package/lib/generator/builders.js +23 -11
package/lib/generator/deploy-manifest-azure-kv.js +81 -0
package/lib/generator/external-controller-manifest.js +3 -3
package/lib/generator/external.js +23 -11
package/lib/generator/helpers.js +71 -12
package/lib/generator/index.js +8 -4
package/lib/generator/split-readme.js +12 -7
package/lib/generator/split-variables.js +2 -1
package/lib/generator/split.js +46 -11
package/lib/generator/wizard-readme.js +3 -3
package/lib/generator/wizard.js +16 -13
package/lib/infrastructure/compose.js +60 -6
package/lib/infrastructure/helpers.js +238 -51
package/lib/infrastructure/index.js +64 -37
package/lib/infrastructure/services.js +21 -15
package/lib/internal/fs-real-sync.js +104 -0
package/lib/internal/node-fs.js +98 -0
package/lib/parameters/database-secret-values.js +173 -0
package/lib/parameters/infra-kv-discovery.js +121 -0
package/lib/parameters/infra-parameter-catalog.js +458 -0
package/lib/parameters/infra-parameter-validate.js +64 -0
package/lib/schema/application-schema.json +37 -17
package/lib/schema/datasource-test-run.schema.json +493 -0
package/lib/schema/deployment-rules.yaml +102 -63
package/lib/schema/external-datasource.schema.json +1201 -433
package/lib/schema/external-system.schema.json +181 -5
package/lib/schema/flag-map-validation-run.json +31 -0
package/lib/schema/infra-parameter.schema.json +106 -0
package/lib/schema/infra.parameter.yaml +421 -0
package/lib/schema/type/credential-auth-templates.json +40 -0
package/lib/schema/type/document-storage.json +213 -0
package/lib/schema/type/message-service.json +123 -0
package/lib/schema/type/vector-store.json +88 -0
package/lib/utils/aifabrix-runtime-config-dir.js +132 -0
package/lib/utils/api-error-handler.js +2 -2
package/lib/utils/api.js +49 -14
package/lib/utils/app-config-resolver.js +23 -1
package/lib/utils/app-register-api.js +3 -2
package/lib/utils/app-register-auth.js +1 -1
package/lib/utils/app-register-config.js +4 -4
package/lib/utils/app-register-display.js +3 -2
package/lib/utils/app-register-validator.js +3 -2
package/lib/utils/app-run-containers.js +26 -22
package/lib/utils/app-scoped-config.js +31 -0
package/lib/utils/app-service-env-from-builder.js +164 -0
package/lib/utils/build-copy.js +1 -1
package/lib/utils/build-helpers.js +20 -20
package/lib/utils/build-resolve-image.js +165 -0
package/lib/utils/cli-layout-chalk.js +8 -0
package/lib/utils/cli-test-layout-chalk.js +267 -0
package/lib/utils/cli-utils.js +88 -11
package/lib/utils/compose-db-passwords.js +138 -0
package/lib/utils/compose-generate-docker-compose.js +216 -0
package/lib/utils/compose-generator.js +197 -291
package/lib/utils/compose-miso-env.js +18 -0
package/lib/utils/compose-traefik-ingress-base.js +158 -0
package/lib/utils/config-paths.js +209 -6
package/lib/utils/config-scoped-resources-preference.js +41 -0
package/lib/utils/controller-deployment-outcome.js +68 -0
package/lib/utils/credential-display.js +2 -2
package/lib/utils/credential-secrets-env.js +16 -1
package/lib/utils/dataplane-pipeline-warning.js +4 -3
package/lib/utils/datasource-test-run-capability-scope.js +43 -0
package/lib/utils/datasource-test-run-debug-display.js +137 -0
package/lib/utils/datasource-test-run-debug-slice.js +93 -0
package/lib/utils/datasource-test-run-display.js +442 -0
package/lib/utils/datasource-test-run-exit.js +58 -0
package/lib/utils/datasource-test-run-legacy-adapter.js +93 -0
package/lib/utils/datasource-test-run-report-version.js +51 -0
package/lib/utils/datasource-test-run-schema-sync.js +59 -0
package/lib/utils/datasource-test-run-tty-log.js +81 -0
package/lib/utils/datasource-validation-watch.js +266 -0
package/lib/utils/declarative-url-ports.js +47 -0
package/lib/utils/derive-env-key-from-client-id.js +41 -0
package/lib/utils/dev-ca-install.js +185 -23
package/lib/utils/dev-cert-helper.js +266 -17
package/lib/utils/dev-hosts-helper.js +307 -0
package/lib/utils/dev-init-cert-hints.js +37 -0
package/lib/utils/dev-init-health-messages.js +52 -0
package/lib/utils/dev-init-resolve.js +86 -0
package/lib/utils/dev-init-ssh-merge.js +65 -0
package/lib/utils/dev-ssh-config-helper.js +196 -0
package/lib/utils/dev-user-groups.js +93 -0
package/lib/utils/docker-build.js +42 -17
package/lib/utils/docker-exec.js +28 -0
package/lib/utils/docker-manifest-public-port.js +116 -0
package/lib/utils/docker-not-running-hint.js +52 -0
package/lib/utils/docker.js +98 -11
package/lib/utils/ensure-dev-certs-for-remote-docker.js +192 -0
package/lib/utils/env-config-loader.js +10 -91
package/lib/utils/env-copy.js +19 -10
package/lib/utils/env-map.js +42 -11
package/lib/utils/env-template.js +2 -2
package/lib/utils/environment-scoped-resources.js +144 -0
package/lib/utils/error-formatter.js +125 -9
package/lib/utils/error-formatters/http-status-errors.js +6 -5
package/lib/utils/error-formatters/network-errors.js +2 -1
package/lib/utils/error-formatters/permission-errors.js +2 -1
package/lib/utils/error-formatters/validation-errors.js +2 -1
package/lib/utils/external-env-template.js +180 -0
package/lib/utils/external-readme.js +8 -1
package/lib/utils/external-system-display.js +277 -136
package/lib/utils/external-system-local-test-tty.js +389 -0
package/lib/utils/external-system-readiness-core.js +377 -0
package/lib/utils/external-system-readiness-deploy-display.js +270 -0
package/lib/utils/external-system-readiness-display-internals.js +150 -0
package/lib/utils/external-system-readiness-display.js +186 -0
package/lib/utils/external-system-test-helpers.js +24 -6
package/lib/utils/external-system-validators.js +32 -14
package/lib/utils/health-check-url.js +119 -0
package/lib/utils/health-check.js +59 -25
package/lib/utils/help-builder.js +14 -13
package/lib/utils/image-version.js +4 -8
package/lib/utils/infra-containers.js +4 -7
package/lib/utils/infra-env-defaults.js +162 -0
package/lib/utils/infra-status-display.js +167 -0
package/lib/utils/infra-status.js +16 -8
package/lib/utils/local-secrets.js +29 -7
package/lib/utils/paths.js +136 -48
package/lib/utils/port-resolver.js +10 -23
package/lib/utils/redis-env-scope.js +62 -0
package/lib/utils/register-aifabrix-shell-env.js +204 -0
package/lib/utils/remote-builder-validation.js +99 -0
package/lib/utils/remote-dev-auth.js +117 -21
package/lib/utils/remote-docker-env.js +67 -15
package/lib/utils/remote-secrets-loader.js +13 -4
package/lib/utils/resolve-docker-image-ref.js +124 -0
package/lib/utils/schema-loader.js +22 -9
package/lib/utils/secrets-bash-kv.js +25 -0
package/lib/utils/secrets-generator.js +171 -51
package/lib/utils/secrets-helpers.js +70 -59
package/lib/utils/secrets-kv-scope.js +60 -0
package/lib/utils/secrets-utils.js +35 -37
package/lib/utils/secrets-validation.js +3 -1
package/lib/utils/secrets-yaml-preserve.js +109 -0
package/lib/utils/secure-file-permissions.js +91 -0
package/lib/utils/ssh-key-helper.js +4 -2
package/lib/utils/template-helpers.js +2 -2
package/lib/utils/test-log-writer.js +3 -3
package/lib/utils/token-manager.js +37 -5
package/lib/utils/url-declarative-public-base.js +188 -0
package/lib/utils/url-declarative-resolve-build.js +493 -0
package/lib/utils/url-declarative-resolve-load-doc.js +51 -0
package/lib/utils/url-declarative-resolve.js +220 -0
package/lib/utils/url-declarative-token-parse.js +74 -0
package/lib/utils/url-declarative-url-flags.js +50 -0
package/lib/utils/url-declarative-vdir-inactive-env.js +99 -0
package/lib/utils/url-public-path-prefix.js +34 -0
package/lib/utils/urls-local-registry.js +220 -0
package/lib/utils/validation-report-tty-kit.js +77 -0
package/lib/utils/validation-run-poll.js +89 -0
package/lib/utils/validation-run-post-retry.js +73 -0
package/lib/utils/validation-run-request.js +98 -0
package/lib/utils/variable-transformer.js +21 -4
package/lib/utils/yaml-preserve.js +78 -1
package/lib/validation/datasource-warnings.js +56 -0
package/lib/validation/env-template-auth.js +50 -2
package/lib/validation/external-manifest-validator.js +35 -7
package/lib/validation/validate-display.js +37 -31
package/lib/validation/validate.js +9 -10
package/lib/validation/validator-unresolved-placeholders.js +98 -0
package/lib/validation/validator.js +32 -78
package/lib/validation/wizard-config-validator.js +2 -1
package/package.json +11 -3
package/scripts/check-datasource-test-run-schema-sync.js +34 -0
package/scripts/diagnose-cli.js +150 -0
package/scripts/install-local.js +304 -55
package/templates/README.md +15 -2
package/templates/applications/dataplane/application.yaml +52 -2
package/templates/applications/dataplane/env.template +80 -18
package/templates/applications/dataplane/rbac.yaml +8 -0
package/templates/applications/keycloak/application.yaml +9 -1
package/templates/applications/keycloak/env.template +15 -6
package/templates/applications/miso-controller/application.yaml +10 -2
package/templates/applications/miso-controller/env.template +55 -14
package/templates/applications/miso-controller/rbac.yaml +5 -0
package/templates/external-system/README.md.hbs +20 -7
package/templates/external-system/deploy.js.hbs +5 -5
package/templates/external-system/env.template.hbs +22 -0
package/templates/external-system/external-datasource.yaml.hbs +197 -118
package/templates/infra/compose.yaml.hbs +20 -4
package/templates/python/docker-compose.hbs +16 -0
package/templates/typescript/docker-compose.hbs +16 -0
package/integration/hubspot/README.md +0 -102
package/integration/hubspot/env.template +0 -4
package/integration/hubspot/hubspot-datasource-company.json +0 -541
package/integration/hubspot/hubspot-datasource-contact.json +0 -639
package/integration/hubspot/hubspot-datasource-deal.json +0 -588
package/integration/hubspot/hubspot-datasource-users.json +0 -116
package/integration/hubspot/test-artifacts/wizard-invalid-missing-source.yaml +0 -2
package/integration/hubspot/test-artifacts/wizard-valid-for-dimension-key-test.yaml +0 -5
package/integration/hubspot/test-artifacts/wizard-valid-for-dimension-path-test.yaml +0 -5
package/lib/api/external-test.api.js +0 -111
package/lib/schema/env-config.yaml +0 -43
/package/integration/{hubspot → hubspot-test}/companies.json +0 -0
/package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-app-name.yaml +0 -0
/package/integration/{hubspot → hubspot-test}/test-artifacts/wizard-invalid-missing-app.yaml +0 -0
/package/integration/{hubspot → hubspot-test}/test-dataplane-down-helpers.js +0 -0

package/lib/utils/secrets-generator.js CHANGED Viewed

@@ -16,6 +16,17 @@ const yaml = require('js-yaml');
 const crypto = require('crypto');
 const logger = require('./logger');
 const pathsUtil = require('./paths');
+const { mergeFlatSecretsYamlPreservingComments } = require('./secrets-yaml-preserve');
+const {
+  generateDatabasePasswordValueForKey,
+  generateDatabaseUrlValueForKey,
+  parseDatabaseSecretKey
+} = require('../parameters/database-secret-values');
+/** Lazy require so tests can jest.spyOn getInfraParameterCatalog after module load. */
+function infraParameterCatalogModule() {
+  return require('../parameters/infra-parameter-catalog');
+}
 /**
  * Parse key-value pairs from YAML-like lines (last occurrence wins per key).
@@ -44,7 +55,9 @@ function parseYamlKeyValueLines(content) {
 /**
  * Parse YAML content tolerating duplicate keys (last occurrence wins).
  * Use for secrets files that may have been appended to repeatedly.
- * Tries yaml.load first; on "duplicate key" error falls back to line-by-line parse.
+ * Tries yaml.load first; on duplicate-key errors or other parse failures (e.g. `{}` on line 1
+ * then `key: value` lines — invalid multi-document without `---`) falls back to line-by-line
+ * parse for flat key: value secrets files.
  *
  * @param {string} content - Raw YAML content
  * @returns {Object} Parsed object (last value wins for duplicate keys)
@@ -56,13 +69,11 @@ function loadYamlTolerantOfDuplicateKeys(content) {
   try {
     const parsed = yaml.load(content);
     return parsed && typeof parsed === 'object' ? parsed : {};
-  } catch (err) {
-    const msg = err.message || '';
-    if (!msg.includes('duplicate') && !msg.includes('duplicated mapping')) {
-      throw err;
-    }
+  } catch {
+    // Duplicate keys, `{}` + appended YAML (invalid multi-doc), or other bad merges —
+    // flat secrets files recover via line parse (last key wins).
+    return parseYamlKeyValueLines(content);
   }
-  return parseYamlKeyValueLines(content);
 }
 /**
@@ -104,18 +115,37 @@ function findMissingSecretKeys(envTemplate, existingSecrets) {
   return missingKeys;
 }
+/**
+ * Resolve app directory for database key generation (application.yaml lookup).
+ * @param {string} key - Secret key
+ * @returns {string|null}
+ */
+function resolveAppDirForDatabaseKey(key) {
+  const parsed = parseDatabaseSecretKey(key);
+  if (!parsed) return null;
+  try {
+    const builderPath = pathsUtil.getBuilderPath(parsed.appKey);
+    if (fs.existsSync(builderPath)) return builderPath;
+  } catch {
+    /* ignore */
+  }
+  try {
+    const intPath = pathsUtil.getIntegrationPath(parsed.appKey);
+    if (fs.existsSync(intPath)) return intPath;
+  } catch {
+    /* ignore */
+  }
+  return null;
+}
 /**
  * Generate database password value for a key (databases-*-passwordKeyVault)
  * @param {string} key - Secret key name
  * @returns {string|null} Password string or null if key does not match
  */
 function generateDbPasswordValue(key) {
-  const dbPasswordMatch = key.match(/^databases-([a-z0-9-_]+)-\d+-passwordKeyVault$/i);
-  if (!dbPasswordMatch) return null;
-  const appName = dbPasswordMatch[1];
-  if (appName === 'miso-controller') return 'miso_pass123';
-  const dbName = appName.replace(/-/g, '_');
-  return `${dbName}_pass123`;
+  const appDir = resolveAppDirForDatabaseKey(key);
+  return generateDatabasePasswordValueForKey(key, appDir);
 }
 /**
@@ -124,44 +154,98 @@ function generateDbPasswordValue(key) {
  * @returns {string|null} URL string or null if key does not match
  */
 function generateDbUrlValue(key) {
-  const dbUrlMatch = key.match(/^databases-([a-z0-9-_]+)-\d+-urlKeyVault$/i);
-  if (!dbUrlMatch) return null;
-  const appName = dbUrlMatch[1];
-  if (appName === 'miso-controller') {
-    return 'postgresql://miso_user:miso_pass123@${DB_HOST}:${DB_PORT}/miso';
+  const appDir = resolveAppDirForDatabaseKey(key);
+  return generateDatabaseUrlValueForKey(key, appDir);
+}
+/**
+ * @param {string} key - Secret key
+ * @param {Record<string, string>|undefined} placeholderContext - Merged infra.parameter.yaml defaults + CLI overrides
+ * @returns {string|undefined} Value if catalog handled key; undefined to use legacy rules
+ */
+function tryGenerateSecretValueFromCatalog(key, placeholderContext) {
+  let catalogEntry;
+  try {
+    catalogEntry = infraParameterCatalogModule().getInfraParameterCatalog().findEntryForKey(key);
+  } catch (err) {
+    logger.warn(`infra parameter catalog unavailable (${err.message}); using legacy generators.`);
+    return undefined;
+  }
+  if (!catalogEntry || !catalogEntry.generator) return undefined;
+  const g = catalogEntry.generator.type;
+  if (g === 'databasePassword') {
+    const v = generateDbPasswordValue(key);
+    return v !== null ? v : undefined;
+  }
+  if (g === 'databaseUrl') {
+    const v = generateDbUrlValue(key);
+    return v !== null ? v : undefined;
   }
-  const dbName = appName.replace(/-/g, '_');
-  return `postgresql://${dbName}_user:${dbName}_pass123@\${DB_HOST}:\${DB_PORT}/${dbName}`;
+  if (
+    g === 'randomBytes32' ||
+    g === 'randomAlphanumeric' ||
+    g === 'password' ||
+    g === 'emptyString' ||
+    g === 'emptyAllowed' ||
+    g === 'literal'
+  ) {
+    return infraParameterCatalogModule().generateValueFromCatalogEntry(key, catalogEntry, crypto, placeholderContext);
+  }
+  return undefined;
 }
 /**
- * Generates secret value based on key name
- * @function generateSecretValue
- * @param {string} key - Secret key name
- * @returns {string} Generated secret value
+ * Last-resort generation when infra.parameter.yaml cannot be loaded (e.g. tests, broken install).
+ * @param {string} key
+ * @returns {string}
  */
-function generateSecretValue(key) {
+function legacySecretValueWhenCatalogUnavailable(key) {
   const keyLower = key.toLowerCase();
   if (keyLower.includes('password')) {
     const dbPassword = generateDbPasswordValue(key);
     if (dbPassword !== null) return dbPassword;
     return crypto.randomBytes(32).toString('base64');
   }
   if (keyLower.includes('url') || keyLower.includes('uri')) {
     const dbUrl = generateDbUrlValue(key);
     if (dbUrl !== null) return dbUrl;
     return '';
   }
   if (keyLower.includes('key') || keyLower.includes('secret') || keyLower.includes('token')) {
     return crypto.randomBytes(32).toString('base64');
   }
   return '';
 }
+/**
+ * @param {string} key - Secret key name
+ * @param {Record<string, string>|undefined} placeholderContext - Optional merged catalog defaults + CLI (e.g. up-infra)
+ * @returns {string} Generated secret value
+ */
+function generateSecretValue(key, placeholderContext) {
+  const fromCatalog = tryGenerateSecretValueFromCatalog(key, placeholderContext);
+  if (fromCatalog !== undefined) return fromCatalog;
+  const dbPassword = generateDbPasswordValue(key);
+  if (dbPassword !== null) return dbPassword;
+  const dbUrl = generateDbUrlValue(key);
+  if (dbUrl !== null) return dbUrl;
+  try {
+    infraParameterCatalogModule().getInfraParameterCatalog();
+  } catch {
+    logger.warn(
+      `Secret key "${key}": infra parameter catalog unavailable; using legacy name heuristics.`
+    );
+    return legacySecretValueWhenCatalogUnavailable(key);
+  }
+  throw new Error(
+    `Cannot generate secret for key "${key}": no matching rule in infra.parameter.yaml. ` +
+      'Add a catalog entry or run `aifabrix parameters validate` after fixing env.template references.'
+  );
+}
 /**
  * Loads existing secrets from file
  * @function loadExistingSecrets
@@ -196,9 +280,26 @@ function saveSecretsFile(resolvedPath, secrets) {
     fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
   }
+  if (fs.existsSync(resolvedPath)) {
+    try {
+      const existing = fs.readFileSync(resolvedPath, 'utf8');
+      const mergedContent = mergeFlatSecretsYamlPreservingComments(existing, secrets, {
+        yaml,
+        dumpOpts: YAML_DUMP_OPTS
+      });
+      if (mergedContent !== null) {
+        fs.writeFileSync(resolvedPath, mergedContent + (mergedContent.endsWith('\n') ? '' : '\n'), { mode: 0o600 });
+        return;
+      }
+    } catch (err) {
+      logger.warn(`Could not preserve comments when writing secrets file: ${err.message}; rewriting YAML.`);
+      // fall through to dump overwrite
+    }
+  }
   const yamlContent = yaml.dump(secrets, {
     indent: 2,
-    lineWidth: 120,
+    lineWidth: -1,
     noRefs: true,
     sortKeys: false
   });
@@ -206,7 +307,21 @@ function saveSecretsFile(resolvedPath, secrets) {
   fs.writeFileSync(resolvedPath, yamlContent, { mode: 0o600 });
 }
-const YAML_DUMP_OPTS = { indent: 2, lineWidth: 120, noRefs: true, sortKeys: false };
+const YAML_DUMP_OPTS = { indent: 2, lineWidth: -1, noRefs: true, sortKeys: false };
+/**
+ * @param {string} resolvedPath
+ * @returns {string}
+ */
+function readSecretsFileUtf8OrWarnEmpty(resolvedPath) {
+  try {
+    const raw = fs.readFileSync(resolvedPath, 'utf8');
+    return typeof raw === 'string' ? raw : '';
+  } catch (err) {
+    logger.warn(`Could not read existing secrets file: ${err.message}; appending new keys only.`);
+    return '';
+  }
+}
 /**
  * Merges secret keys into the secrets file (load existing, merge, overwrite file).
@@ -253,12 +368,13 @@ function appendSecretsToFile(resolvedPath, secrets) {
     return;
   }
-  let existing = '';
+  const existing = readSecretsFileUtf8OrWarnEmpty(resolvedPath);
   try {
-    const raw = fs.readFileSync(resolvedPath, 'utf8');
-    existing = typeof raw === 'string' ? raw : '';
-  } catch (err) {
-    logger.warn(`Could not read existing secrets file: ${err.message}; appending new keys only.`);
+    yaml.load(existing);
+  } catch {
+    const mergedObj = { ...loadExistingSecrets(resolvedPath), ...secrets };
+    saveSecretsFile(resolvedPath, mergedObj);
+    return;
   }
   const separator = existing.length > 0 && !existing.endsWith('\n') ? '\n' : '';
   fs.writeFileSync(resolvedPath, existing + separator + appendContent, { mode: 0o600 });
@@ -296,7 +412,7 @@ async function generateMissingSecrets(envTemplate, secretsPath) {
   appendSecretsToFile(resolvedPath, newSecrets);
-  logger.log(`✓ Generated ${missingKeys.length} missing secret key(s): ${missingKeys.join(', ')}`);
+  logger.log(`✔ Generated ${missingKeys.length} missing secret key(s): ${missingKeys.join(', ')}`);
   return missingKeys;
 }
@@ -314,6 +430,15 @@ async function generateMissingSecrets(envTemplate, secretsPath) {
  * await createDefaultSecrets('~/.aifabrix/secrets.yaml');
  * // Default secrets file is created
  */
+/** Minimal seed keys for first-time secrets file; values match infra.parameter.yaml generators. */
+const DEFAULT_SECRETS_SEED_KEYS = [
+  'postgres-passwordKeyVault',
+  'redis-passwordKeyVault',
+  'redis-url',
+  'keycloak-admin-passwordKeyVault',
+  'keycloak-web-server-url'
+];
 async function createDefaultSecrets(secretsPath) {
   const resolvedPath = secretsPath.startsWith('~')
     ? path.join(os.homedir(), secretsPath.slice(1))
@@ -324,22 +449,17 @@ async function createDefaultSecrets(secretsPath) {
     fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
   }
-  const defaultSecrets = `# Local Development Secrets
-# Production uses Azure KeyVault
-# Database Secrets
-postgres-passwordKeyVault: "admin123"
-# Redis Secrets
-redis-passwordKeyVault: ""
-redis-url: "redis://\${REDIS_HOST}:\${REDIS_PORT}"
+  const seeded = {};
+  for (const k of DEFAULT_SECRETS_SEED_KEYS) {
+    seeded[k] = generateSecretValue(k);
+  }
-# Keycloak Secrets
-keycloak-admin-passwordKeyVault: "admin123"
-keycloak-server-url: "http://\${KEYCLOAK_HOST}:\${KEYCLOAK_PORT}"
-`;
+  const header =
+    '# Local development secrets (catalog-aligned seed). Run aifabrix up-infra and aifabrix resolve <app> --force for full keys.\n' +
+    '# Production uses Azure Key Vault.\n\n';
+  const body = yaml.dump(seeded, { indent: 2, lineWidth: -1, noRefs: true, sortKeys: false });
-  fs.writeFileSync(resolvedPath, defaultSecrets, { mode: 0o600 });
+  fs.writeFileSync(resolvedPath, header + body, { mode: 0o600 });
 }
 module.exports = {

package/lib/utils/secrets-helpers.js CHANGED Viewed

@@ -46,6 +46,41 @@ function isCommentOrEmptyLine(line) {
 /** Regex for kv:// path (allows slashes, e.g. kv://hubspot/clientId) */
 const KV_REF_PATTERN = /kv:\/\/([a-zA-Z0-9_\-/]+)/g;
+const { resolveBashKvFromProcessEnv } = require('./secrets-bash-kv');
+/**
+ * Last-resort when infra.parameter.yaml cannot be read (e.g. Jest suites that mock `fs`;
+ * catalog uses `node:fs`, which is often the same mocked instance). Must stay in sync with
+ * `generator.type: emptyAllowed` keys in lib/schema/infra.parameter.yaml.
+ */
+const EMPTY_ALLOWED_KV_FALLBACK = new Set(['redis-passwordKeyVault']);
+/**
+ * Infra catalog keys with generator `emptyAllowed` may be absent from the secrets file;
+ * they resolve like an explicit empty string (e.g. local Redis has no password).
+ * @param {string} pathStr - kv path segment (flat key or path with slashes)
+ * @returns {boolean}
+ */
+function isKvKeyAllowedEmptyWhenAbsent(pathStr) {
+  if (!pathStr || typeof pathStr !== 'string') return false;
+  try {
+    const { getInfraParameterCatalog } = require('../parameters/infra-parameter-catalog');
+    return getInfraParameterCatalog().isKeyAllowedEmpty(pathStr);
+  } catch {
+    try {
+      const {
+        readRelaxedEmptyAllowedKeySet,
+        DEFAULT_CATALOG_PATH
+      } = require('../parameters/infra-parameter-catalog');
+      const set = readRelaxedEmptyAllowedKeySet(DEFAULT_CATALOG_PATH);
+      if (set && set.has(pathStr)) return true;
+    } catch {
+      /* ignore */
+    }
+  }
+  return EMPTY_ALLOWED_KV_FALLBACK.has(pathStr);
+}
 /**
  * Find object key that matches part case-insensitively.
  * @param {Object} obj - Object to search
@@ -98,19 +133,30 @@ function getValueByPath(secrets, pathStr) {
   return getValueByNestedPath(secrets, pathStr.split('/'));
 }
+const { getValueByPathWithEnvScope, mergeSecretsWithPrefixedCopies } =
+  require('./secrets-kv-scope').createScopedKvHelpers(getValueByPath);
+function resolveKvRefValue(secretsMap, pathStr, envKey, effective) {
+  const v = getValueByPathWithEnvScope(secretsMap, pathStr, envKey, effective);
+  if (v !== undefined && v !== null) return v;
+  return resolveBashKvFromProcessEnv(pathStr);
+}
 /**
  * Collect missing kv:// secrets referenced in content (skips commented and empty lines).
  * Supports path-style refs (e.g. kv://hubspot/clientId). Returns unique refs.
  * @function collectMissingSecrets
  * @param {string} content - Text content
  * @param {Object} secrets - Available secrets (flat or nested)
+ * @param {{ effective?: boolean, envKey?: string }|null} [scopedKv] - Optional env-scoped kv resolution
  * @returns {string[]} Array of missing kv://<path> references (unique)
  */
-function collectMissingSecrets(content, secrets) {
+function collectMissingSecrets(content, secrets, scopedKv = null) {
+  const effective = Boolean(scopedKv && scopedKv.effective && scopedKv.envKey);
+  const secretsMap = effective ? mergeSecretsWithPrefixedCopies(secrets, scopedKv.envKey) : secrets;
   const seen = new Set();
   const missing = [];
-  const lines = content.split('\n');
-  for (const line of lines) {
+  for (const line of content.split('\n')) {
     if (isCommentOrEmptyLine(line)) continue;
     let match;
     KV_REF_PATTERN.lastIndex = 0;
@@ -118,8 +164,8 @@ function collectMissingSecrets(content, secrets) {
       const pathStr = match[1];
       if (seen.has(pathStr)) continue;
       seen.add(pathStr);
-      const value = getValueByPath(secrets, pathStr);
-      if (value === undefined || value === null) {
+      const value = resolveKvRefValue(secretsMap, pathStr, scopedKv?.envKey, effective);
+      if ((value === undefined || value === null) && !isKvKeyAllowedEmptyWhenAbsent(pathStr)) {
         missing.push(`kv://${pathStr}`);
       }
     }
@@ -157,14 +203,20 @@ function formatMissingSecretsFileInfo(secretsFilePaths) {
  * @param {string} content - Text content containing kv:// references
  * @param {Object} secrets - Secrets map (flat or nested)
  * @param {Object} envVars - Environment variables map for nested interpolation
+ * @param {{ effective?: boolean, envKey?: string }|null} [scopedKv] - Optional env-scoped kv resolution
  * @returns {string} Content with kv:// references replaced
  */
-function replaceKvInContent(content, secrets, envVars) {
+function replaceKvInContent(content, secrets, envVars, scopedKv = null) {
+  const effective = Boolean(scopedKv && scopedKv.effective && scopedKv.envKey);
+  const secretsMap = effective ? mergeSecretsWithPrefixedCopies(secrets, scopedKv.envKey) : secrets;
   const lines = content.split('\n');
   const result = lines.map(line => {
     if (isCommentOrEmptyLine(line)) return line;
     return line.replace(KV_REF_PATTERN, (match, pathStr) => {
-      let value = getValueByPath(secrets, pathStr);
+      let value = resolveKvRefValue(secretsMap, pathStr, scopedKv?.envKey, effective);
+      if ((value === undefined || value === null) && isKvKeyAllowedEmptyWhenAbsent(pathStr)) {
+        value = '';
+      }
       if (typeof value === 'string') {
         value = value.replace(/\$\{([A-Z_]+)\}/g, (m, envVar) => {
           return envVars[envVar] || m;
@@ -247,44 +299,23 @@ function getPortFromEnvContent(envContent) {
 }
 /**
- * Applies developer-id adjustment to port
- * @function applyDeveloperIdAdjustment
- * @param {number} baseAppPort - Base application port
- * @param {number} devIdNum - Developer ID number
- * @returns {number} Adjusted port
- */
-function applyDeveloperIdAdjustment(baseAppPort, devIdNum) {
-  return devIdNum === 0 ? baseAppPort : (baseAppPort + (devIdNum * 100));
-}
-/**
- * Calculate application port following override chain and developer-id adjustment
- * Override chain: env-config.yaml → config.yaml → application.yaml port
+ * Resolve manifest listen port (container port) for the app from override chain.
  * @async
- * @function calculateAppPort
  * @param {string} [variablesPath] - Path to application config
- * @param {Object} localEnv - Local environment config from env-config.yaml and config.yaml
+ * @param {Object} localEnv - Merged local env from defaults + config.yaml
  * @param {string} envContent - Environment content for fallback
- * @param {number} devIdNum - Developer ID number
- * @returns {Promise<number>} Final application port with developer-id adjustment
+ * @returns {Promise<number>} Base listen port (before +10 / +dev*100 local host math)
  */
-async function calculateAppPort(variablesPath, localEnv, envContent, devIdNum) {
-  // Start with env-config value
+async function resolveManifestListenPort(variablesPath, localEnv, envContent) {
   let baseAppPort = getPortFromLocalEnv(localEnv);
-  // Override with application config port (strongest)
   const variablesPort = getPortFromVariablesFile(variablesPath);
   if (variablesPort !== null) {
     baseAppPort = variablesPort;
   }
-  // Fallback to env content if still no port
   if (baseAppPort === null || baseAppPort === undefined) {
     baseAppPort = getPortFromEnvContent(envContent);
   }
-  // Apply developer-id adjustment
-  return applyDeveloperIdAdjustment(baseAppPort, devIdNum);
+  return baseAppPort;
 }
 /**
@@ -325,16 +356,6 @@ function getPortVarFromEnvTemplatePath(variablesPath) {
   }
 }
-/**
- * Adjust infra-related ports in resolved .env content for local environment.
- * Own case: when we generate .env for envOutputPath (not reload), we use localPort (application.yaml build.localPort or port).
- * Sets PORT and the template port var (e.g. MISO_PORT) to localPort so the generated .env is correct for local use.
- * @async
- * @function adjustLocalEnvPortsInContent
- * @param {string} envContent - Resolved .env content
- * @param {string} [variablesPath] - Path to application config (to read port and template port var)
- * @returns {Promise<string>} Updated content with local ports
- */
 /**
  * Gets developer ID number
  * @async
@@ -418,12 +439,13 @@ async function buildEnvVarsForInterpolation(devIdNum) {
 async function adjustLocalEnvPortsInContent(envContent, variablesPath) {
   const devIdNum = await getDeveloperIdNumber();
   const localEnv = await getLocalEnvWithOverrides();
+  const { localHostPort } = require('./declarative-url-ports');
-  const baseAppPort = await calculateAppPort(variablesPath, localEnv, envContent, 0);
-  const appPort = await calculateAppPort(variablesPath, localEnv, envContent, devIdNum);
+  const baseListen = await resolveManifestListenPort(variablesPath, localEnv, envContent);
+  const appPort = localHostPort(baseListen, devIdNum);
   let updated = updatePortVariable(envContent, appPort);
-  updated = updateLocalhostUrls(updated, baseAppPort, appPort);
+  updated = updateLocalhostUrls(updated, baseListen, appPort);
   updated = await rewriteInfraEndpoints(updated, 'local');
   const envVars = await buildEnvVarsForInterpolation(devIdNum);
@@ -437,18 +459,6 @@ async function adjustLocalEnvPortsInContent(envContent, variablesPath) {
   return updated;
 }
-/**
- * Ensure secrets map is non-empty or throw a friendly guidance error
- * @function ensureNonEmptySecrets
- * @param {Object} secrets - Secrets map
- * @throws {Error} If secrets is empty
- */
-function ensureNonEmptySecrets(secrets) {
-  if (Object.keys(secrets || {}).length === 0) {
-    throw new Error('No secrets file found. Please create ~/.aifabrix/secrets.local.yaml or configure aifabrix-secrets in config.yaml');
-  }
-}
 /**
  * Validate secrets against the env template (skips commented and empty lines)
  * @function validateSecrets
@@ -465,6 +475,8 @@ module.exports = {
   loadEnvConfig,
   interpolateEnvVars,
   collectMissingSecrets,
+  resolveBashKvFromProcessEnv,
+  mergeSecretsWithPrefixedCopies,
   formatMissingSecretsFileInfo,
   replaceKvInContent,
   resolveServicePortsInEnvContent,
@@ -473,7 +485,6 @@ module.exports = {
   adjustLocalEnvPortsInContent,
   readYamlAtPath,
   applyCanonicalSecretsOverride,
-  ensureNonEmptySecrets,
   validateSecrets,
   rewriteInfraEndpoints,
   getEnvHosts

package/lib/utils/secrets-kv-scope.js ADDED Viewed

@@ -0,0 +1,60 @@
+/**
+ * Env-scoped kv:// resolution helpers (prefixed keys + in-memory aliases).
+ *
+ * @fileoverview Split from secrets-helpers for file size limits
+ * @author AI Fabrix Team
+ * @version 1.0.0
+ */
+'use strict';
+/**
+ * @param {Function} getValueByPath - From secrets-helpers
+ * @returns {{ getValueByPathWithEnvScope: Function, mergeSecretsWithPrefixedCopies: Function }}
+ */
+function createScopedKvHelpers(getValueByPath) {
+  /**
+   * @param {Object} secrets
+   * @param {string} pathStr
+   * @param {string|null|undefined} envKey
+   * @param {boolean} effective
+   * @returns {*}
+   */
+  function getValueByPathWithEnvScope(secrets, pathStr, envKey, effective) {
+    if (!effective || !envKey) {
+      return getValueByPath(secrets, pathStr);
+    }
+    const prefix = `${String(envKey).toLowerCase()}-`;
+    const prefixedPath = prefix + pathStr;
+    const fromPrefixed = getValueByPath(secrets, prefixedPath);
+    if (fromPrefixed !== undefined && fromPrefixed !== null) {
+      return fromPrefixed;
+    }
+    return getValueByPath(secrets, pathStr);
+  }
+  /**
+   * @param {Object} secrets
+   * @param {string} envKey
+   * @returns {Object}
+   */
+  function mergeSecretsWithPrefixedCopies(secrets, envKey) {
+    if (!secrets || typeof secrets !== 'object' || !envKey) {
+      return secrets;
+    }
+    const prefix = `${String(envKey).toLowerCase()}-`;
+    const merged = { ...secrets };
+    for (const [k, v] of Object.entries(secrets)) {
+      if (typeof k !== 'string' || !k || k.startsWith(prefix)) continue;
+      const pk = prefix + k;
+      if (merged[pk] === undefined && v !== undefined && v !== null) {
+        merged[pk] = v;
+      }
+    }
+    return merged;
+  }
+  return { getValueByPathWithEnvScope, mergeSecretsWithPrefixedCopies };
+}
+module.exports = { createScopedKvHelpers };