@aifabrix/builder 2.42.1 → 2.44.0

package/lib/utils/validation-report-tty-kit.js

@@ -0,0 +1,77 @@
+/**
+ * @fileoverview Reusable TTY helpers for validation/test reports (verdict, readiness, data-quality lines).
+ */
+
+'use strict';
+
+const { SEP, statusGlyph } = require('./datasource-test-run-display');
+
+const TRUST_LINE_LABELS = Object.freeze({
+  schema: 'Schema coverage',
+  consistency: 'Data consistency',
+  reliability: 'Data reliability'
+});
+
+function rollupGlyph(r) {
+  return statusGlyph(r === 'fail' ? 'fail' : r === 'warn' ? 'warn' : 'ok');
+}
+
+function verdictLineFromEnvelope(rootStatus, certStatus, runType) {
+  if (rootStatus === 'skipped') return '⏭ Skipped';
+  if (rootStatus === 'warn') return '⚠ Limited production use';
+  if (rootStatus === 'fail') {
+    if (runType === 'integration') return '✖ Pipeline not working';
+    if (runType === 'e2e') return '✖ Not usable';
+    return '✖ Configuration invalid';
+  }
+  if (certStatus === 'not_passed') return '✔ Functional with certification gaps';
+  return '✔ Suitable for production use';
+}
+
+function verdictLineLocalExternalTest(status) {
+  if (status === 'ok') return '✔ Suitable for continued setup (local manifest check passed).';
+  if (status === 'warn') return '⚠ Limited production use';
+  return '✖ Configuration invalid';
+}
+
+function readinessLineFromAggregateStatus(status) {
+  if (status === 'fail') return `Readiness: ${statusGlyph('fail')} Not ready`;
+  if (status === 'warn') return `Readiness: ${statusGlyph('warn')} Partial`;
+  return `Readiness: ${statusGlyph('ok')} Ready`;
+}
+
+function readinessLineFromDataReadiness(dataReadiness) {
+  if (!dataReadiness) return null;
+  if (dataReadiness === 'not_ready') return `Readiness: ${statusGlyph('fail')} Not ready`;
+  if (dataReadiness === 'partial') return `Readiness: ${statusGlyph('warn')} Partial`;
+  if (dataReadiness === 'ready') return `Readiness: ${statusGlyph('ok')} Ready`;
+  return null;
+}
+
+function formatDataQualityLines(rollups, descriptions) {
+  const d = descriptions || {};
+  return [
+    `${rollupGlyph(rollups.schema)} ${TRUST_LINE_LABELS.schema}${d.schema ? ` — ${d.schema}` : ''}`,
+    `${rollupGlyph(rollups.consistency)} ${TRUST_LINE_LABELS.consistency}${d.consistency ? ` — ${d.consistency}` : ''}`,
+    `${rollupGlyph(rollups.reliability)} ${TRUST_LINE_LABELS.reliability}${d.reliability ? ` — ${d.reliability}` : ''}`
+  ];
+}
+
+function pushSeparatorBlock(lines) {
+  lines.push('');
+  lines.push(SEP);
+  lines.push('');
+}
+
+module.exports = {
+  SEP,
+  statusGlyph,
+  TRUST_LINE_LABELS,
+  rollupGlyph,
+  verdictLineFromEnvelope,
+  verdictLineLocalExternalTest,
+  readinessLineFromAggregateStatus,
+  readinessLineFromDataReadiness,
+  formatDataQualityLines,
+  pushSeparatorBlock
+};

package/lib/utils/validation-run-poll.js

@@ -0,0 +1,89 @@
+/**
+ * @fileoverview Poll GET /api/v1/validation/run/{testRunId} until reportCompleteness is full (plan §3.5–3.6).
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const { getValidationRunWithTransportRetry } = require('./validation-run-post-retry');
+
+const INITIAL_INTERVAL_MS = 2000;
+const MAX_INTERVAL_MS = 15000;
+
+/**
+ * Delay between polls after attempt `n` (0-based): 2s, 4s, 8s, … cap 15s.
+ * @param {number} attemptIndex - Zero-based poll index after initial POST
+ * @returns {number}
+ */
+function nextPollDelayMs(attemptIndex) {
+  const raw = INITIAL_INTERVAL_MS * 2 ** Math.max(0, attemptIndex);
+  return Math.min(raw, MAX_INTERVAL_MS);
+}
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+/**
+ * Whether polling should stop on this envelope.
+ * @param {Object} envelope - DatasourceTestRun-like
+ * @returns {boolean}
+ */
+function isTerminalReportCompleteness(envelope) {
+  if (!envelope || typeof envelope !== 'object') return false;
+  return envelope.reportCompleteness === 'full';
+}
+
+/**
+ * Poll until reportCompleteness === 'full' or budget exhausted.
+ * @async
+ * @param {Object} opts
+ * @param {string} opts.dataplaneUrl
+ * @param {Object} opts.authConfig
+ * @param {string} opts.testRunId
+ * @param {number} opts.budgetMs - Remaining wall-clock budget for polls only (POST excluded)
+ * @param {typeof getValidationRunWithTransportRetry} [opts.fetchRun] - Inject for tests (default: GET with transport retry)
+ * @returns {Promise<{ envelope: Object|null, timedOut: boolean, lastApiResult: Object|null }>}
+ */
+async function pollValidationRunUntilComplete(opts) {
+  const {
+    dataplaneUrl,
+    authConfig,
+    testRunId,
+    budgetMs,
+    fetchRun = getValidationRunWithTransportRetry
+  } = opts;
+  const deadline = Date.now() + Math.max(0, budgetMs);
+  let attempt = 0;
+  let lastApiResult = null;
+  let envelope = null;
+
+  while (Date.now() < deadline) {
+    const remaining = deadline - Date.now();
+    if (remaining <= 0) break;
+
+    lastApiResult = await fetchRun(dataplaneUrl, authConfig, testRunId);
+    if (!lastApiResult.success) {
+      return { envelope: null, timedOut: false, lastApiResult };
+    }
+    envelope = lastApiResult.data;
+    if (isTerminalReportCompleteness(envelope)) {
+      return { envelope, timedOut: false, lastApiResult };
+    }
+
+    const delay = Math.min(nextPollDelayMs(attempt), Math.max(0, deadline - Date.now()));
+    attempt += 1;
+    if (delay > 0) {
+      await sleep(delay);
+    }
+  }
+
+  return { envelope, timedOut: true, lastApiResult };
+}
+
+module.exports = {
+  INITIAL_INTERVAL_MS,
+  MAX_INTERVAL_MS,
+  nextPollDelayMs,
+  pollValidationRunUntilComplete,
+  isTerminalReportCompleteness
+};

package/lib/utils/validation-run-post-retry.js

@@ -0,0 +1,73 @@
+/**
+ * @fileoverview Transient transport retries for POST validation/run and GET poll.
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const { postValidationRun, getValidationRun } = require('../api/validation-run.api');
+
+const RETRYABLE_CODES = new Set(['ECONNRESET', 'ETIMEDOUT', 'ECONNABORTED']);
+
+/**
+ * @param {Object} res - ApiClient-style result
+ * @returns {boolean}
+ */
+function isRetryablePostFailure(res) {
+  if (!res || res.success) return false;
+  if (!res.network) return false;
+  const err = res.originalError;
+  if (!err) return false;
+  const code = err.code || (err.cause && err.cause.code);
+  if (code && RETRYABLE_CODES.has(code)) return true;
+  if (err.name === 'AbortError') return true;
+  return false;
+}
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+/**
+ * POST validation run with up to 2 retries on transient socket/timeout errors (1s / 2s backoff).
+ * Does not retry HTTP 4xx/5xx.
+ * @param {string} dataplaneUrl
+ * @param {Object} authConfig
+ * @param {Object} body
+ * @returns {Promise<Object>}
+ */
+async function postValidationRunWithTransportRetry(dataplaneUrl, authConfig, body) {
+  let last = await postValidationRun(dataplaneUrl, authConfig, body);
+  if (last.success || !isRetryablePostFailure(last)) return last;
+
+  await sleep(1000);
+  last = await postValidationRun(dataplaneUrl, authConfig, body);
+  if (last.success || !isRetryablePostFailure(last)) return last;
+
+  await sleep(2000);
+  return postValidationRun(dataplaneUrl, authConfig, body);
+}
+
+/**
+ * GET validation run poll with up to 2 retries on transient socket/timeout errors (1s / 2s backoff).
+ * @param {string} dataplaneUrl
+ * @param {Object} authConfig
+ * @param {string} testRunId
+ * @returns {Promise<Object>}
+ */
+async function getValidationRunWithTransportRetry(dataplaneUrl, authConfig, testRunId) {
+  let last = await getValidationRun(dataplaneUrl, authConfig, testRunId);
+  if (last.success || !isRetryablePostFailure(last)) return last;
+
+  await sleep(1000);
+  last = await getValidationRun(dataplaneUrl, authConfig, testRunId);
+  if (last.success || !isRetryablePostFailure(last)) return last;
+
+  await sleep(2000);
+  return getValidationRun(dataplaneUrl, authConfig, testRunId);
+}
+
+module.exports = {
+  isRetryablePostFailure,
+  postValidationRunWithTransportRetry,
+  getValidationRunWithTransportRetry
+};

package/lib/utils/validation-run-request.js

@@ -0,0 +1,98 @@
+/**
+ * @fileoverview Build ValidationRunRequest bodies for datasource-scoped CLI commands.
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+/**
+ * Whether the unified validation request should set includeDebug (any `--debug` or `--debug <level>`).
+ * @param {*} debugOpt - Commander `options.debug`
+ * @returns {boolean}
+ */
+function includeDebugForRequest(debugOpt) {
+  if (debugOpt === undefined || debugOpt === false || debugOpt === null || debugOpt === '') {
+    return false;
+  }
+  return true;
+}
+
+/**
+ * Merge E2E options from CLI flags into e2eOptions for ExternalDataSourceE2ETestRequest (dataplane).
+ * @param {Object} options - CLI-derived options
+ * @param {boolean} [options.debug]
+ * @param {boolean} [options.verbose]
+ * @param {boolean} [options.testCrud]
+ * @param {string} [options.recordId]
+ * @param {boolean} [options.cleanup]
+ * @param {string|Object} [options.primaryKeyValue]
+ * @param {Object} [options.e2eOptionsExtra] - Shallow-merged last (e.g. server-specific drill-down fields)
+ * @returns {Object}
+ */
+function buildE2eOptionsFromCli(options = {}) {
+  const e2e = {};
+  if (options.debug) e2e.includeDebug = true;
+  if (options.verbose) e2e.audit = true;
+  if (options.testCrud === true) e2e.testCrud = true;
+  if (options.recordId !== undefined && options.recordId !== null && options.recordId !== '') {
+    e2e.recordId = String(options.recordId);
+  }
+  if (options.cleanup === false) e2e.cleanup = false;
+  else if (options.cleanup === true) e2e.cleanup = true;
+  if (options.primaryKeyValue !== undefined && options.primaryKeyValue !== null) {
+    e2e.primaryKeyValue = options.primaryKeyValue;
+  }
+  if (options.e2eOptionsExtra && typeof options.e2eOptionsExtra === 'object') {
+    Object.assign(e2e, options.e2eOptionsExtra);
+  }
+  return e2e;
+}
+
+/**
+ * Build request body for validationScope=externalDataSource (single datasource in DB).
+ * @param {Object} params
+ * @param {string} params.systemKey - External system key
+ * @param {string} params.datasourceKey - Datasource key
+ * @param {'test'|'integration'|'e2e'} params.runType
+ * @param {Object} [params.payloadTemplate] - Required for integration-style payload tests when runType=test
+ * @param {boolean} [params.asyncRun]
+ * @param {boolean} [params.includeDebug]
+ * @param {boolean} [params.explain]
+ * @param {Object} [params.e2eOptions] - Merged with buildE2eOptionsFromCli when both used by caller
+ * @returns {import('../api/types/validation-run.types').ValidationRunRequestBody}
+ */
+function buildExternalDataSourceValidationRequest(params) {
+  const {
+    systemKey,
+    datasourceKey,
+    runType,
+    payloadTemplate,
+    asyncRun,
+    includeDebug,
+    explain,
+    e2eOptions
+  } = params;
+  if (!systemKey || !datasourceKey || !runType) {
+    throw new Error('systemKey, datasourceKey, and runType are required');
+  }
+  /** @type {import('../api/types/validation-run.types').ValidationRunRequestBody} */
+  const body = {
+    validationScope: 'externalDataSource',
+    systemIdOrKey: systemKey,
+    datasourceKey,
+    runType
+  };
+  if (payloadTemplate !== undefined) body.payloadTemplate = payloadTemplate;
+  if (asyncRun === true) body.asyncRun = true;
+  if (includeDebug === true) body.includeDebug = true;
+  if (explain === true) body.explain = true;
+  if (e2eOptions && typeof e2eOptions === 'object' && Object.keys(e2eOptions).length > 0) {
+    body.e2eOptions = e2eOptions;
+  }
+  return body;
+}
+
+module.exports = {
+  includeDebugForRequest,
+  buildE2eOptionsFromCli,
+  buildExternalDataSourceValidationRequest
+};

package/lib/utils/variable-transformer.js

@@ -105,6 +105,9 @@ function handlePartialAuthentication(authentication) {
  */
 function transformFlatStructure(variables, appName) {
   const result = buildBaseResult(variables, appName);
+  if (result.frontDoorRouting) {
+    result.frontDoorRouting = normalizeFrontDoorRoutingForValidation(result.frontDoorRouting);
+  }
 
   // Sanitize authentication if present
   if (result.authentication) {
@@ -190,9 +193,6 @@ function validateBuildConfig(build) {
   if (build.dockerfile && build.dockerfile.trim() !== '') {
     buildConfig.dockerfile = build.dockerfile;
   }
-  if (build.localPort !== undefined && build.localPort !== null) {
-    buildConfig.localPort = build.localPort;
-  }
 
   return Object.keys(buildConfig).length > 0 ? buildConfig : null;
 }
@@ -256,6 +256,23 @@ function transformConfigSections(variables, transformed) {
   }
 }
 
+/**
+ * Clone frontDoorRouting for schema validation: JSON Schema expects `tls` as a string
+ * (e.g. "${TLS_ENABLED}", "true") but YAML often uses booleans (`tls: false`).
+ * @param {Object} fd - frontDoorRouting block from application.yaml
+ * @returns {Object}
+ */
+function normalizeFrontDoorRoutingForValidation(fd) {
+  if (!fd || typeof fd !== 'object') {
+    return fd;
+  }
+  const out = { ...fd };
+  if (typeof out.tls === 'boolean') {
+    out.tls = out.tls ? 'true' : 'false';
+  }
+  return out;
+}
+
 /**
  * Transforms simple optional fields
  * @function transformSimpleOptionalFields
@@ -273,7 +290,7 @@ function transformSimpleOptionalFields(variables, transformed) {
     transformed.scaling = variables.scaling;
   }
   if (variables.frontDoorRouting) {
-    transformed.frontDoorRouting = variables.frontDoorRouting;
+    transformed.frontDoorRouting = normalizeFrontDoorRoutingForValidation(variables.frontDoorRouting);
   }
   if (variables.roles) {
     transformed.roles = variables.roles;

package/lib/utils/yaml-preserve.js

@@ -185,6 +185,9 @@ function formatValue(value, quoted, quoteChar) {
  * const result = encryptYamlValues(yamlContent, encryptionKey);
  * // Returns: { content: '...', encrypted: 5, total: 10 }
  */
+/** Pattern for YAML block scalar indicator (e.g. key: >- or key: |) */
+const BLOCK_SCALAR_PATTERN = /^(\s*)([^#:\n]+?):\s*(\|[-+]?|>[-+]?)(\s*)(#.*)?$/;
+
 /**
  * Processes a single line for encryption
  * @function processLineForEncryption
@@ -221,13 +224,87 @@ function processLineForEncryption(line, encryptionKey, stats) {
   return line;
 }
 
+/**
+ * Collects continuation lines for a YAML block scalar (value on next lines).
+ * @param {string[]} lines - All lines
+ * @param {number} startIndex - Index of line after the key: >- line
+ * @param {number} keyIndentLen - Number of leading spaces on the key line
+ * @returns {{ value: string, endIndex: number }} Combined value and index after last continuation line
+ */
+function collectBlockScalarLines(lines, startIndex, keyIndentLen) {
+  const parts = [];
+  let i = startIndex;
+  while (i < lines.length) {
+    const line = lines[i];
+    const contentTrimmed = line.trim();
+    if (contentTrimmed === '' || contentTrimmed.startsWith('#')) {
+      i++;
+      continue;
+    }
+    const indentLen = line.length - line.trimStart().length;
+    if (indentLen <= keyIndentLen) {
+      break;
+    }
+    parts.push(contentTrimmed);
+    i++;
+  }
+  return { value: parts.join(' '), endIndex: i };
+}
+
+/**
+ * Processes a single block-scalar key line and its continuation lines.
+ * @param {string} line - Line matching BLOCK_SCALAR_PATTERN
+ * @param {string[]} lines - All lines
+ * @param {number} lineIndex - Index of current line
+ * @param {string} encryptionKey - Encryption key
+ * @param {Object} stats - Mutable stats object
+ * @returns {{ resultLine: string, nextIndex: number }|null} Result or null if not a block scalar
+ */
+function processBlockScalarLine(line, lines, lineIndex, encryptionKey, stats) {
+  const blockMatch = line.match(BLOCK_SCALAR_PATTERN);
+  if (!blockMatch) {
+    return null;
+  }
+  const [, indent, key, blockIndicator, trailingWhitespace, comment] = blockMatch;
+  const keyIndentLen = indent.length;
+  const folded = blockIndicator.startsWith('>');
+  const { value: rawValue, endIndex } = collectBlockScalarLines(lines, lineIndex + 1, keyIndentLen);
+  const value = folded ? rawValue.replace(/\s+/g, ' ').trim() : rawValue;
+  stats.total++;
+  const needEncrypt = shouldEncryptValue(value);
+  const outValue = needEncrypt ? encryptSecret(value, encryptionKey) : value;
+  if (needEncrypt) {
+    stats.encrypted++;
+  }
+  const resultLine = `${indent}${key}: ${outValue}${trailingWhitespace || ''}${comment || ''}`;
+  return { resultLine, nextIndex: endIndex };
+}
+
 function encryptYamlValues(content, encryptionKey) {
   const lines = content.split(/\r?\n/);
   const encryptedLines = [];
   const stats = { encrypted: 0, total: 0 };
+  let i = 0;
+
+  while (i < lines.length) {
+    const line = lines[i];
+    const trimmed = line.trim();
+
+    if (trimmed === '' || trimmed.startsWith('#')) {
+      encryptedLines.push(line);
+      i++;
+      continue;
+    }
+
+    const blockResult = processBlockScalarLine(line, lines, i, encryptionKey, stats);
+    if (blockResult) {
+      encryptedLines.push(blockResult.resultLine);
+      i = blockResult.nextIndex;
+      continue;
+    }
 
-  for (const line of lines) {
     encryptedLines.push(processLineForEncryption(line, encryptionKey, stats));
+    i++;
   }
 
   return {

package/lib/validation/datasource-warnings.js

@@ -0,0 +1,56 @@
+/**
+ * Optional v2.4.x datasource validation warnings (beyond JSON Schema).
+ *
+ * @fileoverview Post-schema warnings for external datasource configs
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const STORAGE_ENTITIES = new Set(['recordStorage', 'documentStorage']);
+
+function warnMissingDimensions(parsed, warnings) {
+  const entityType = parsed.entityType;
+  if (!STORAGE_ENTITIES.has(entityType)) {
+    return;
+  }
+  const dims = parsed.dimensions;
+  if (!dims || typeof dims !== 'object' || Array.isArray(dims) || Object.keys(dims).length === 0) {
+    warnings.push(
+      `Datasource "${parsed.key || '(unknown)'}": dimensions missing or empty for entityType=${entityType} (recommended for ABAC; see schema 2.4.x notes).`
+    );
+  }
+}
+
+function warnFkWithoutActor(parsed, warnings) {
+  const dimensions = parsed.dimensions;
+  if (!dimensions || typeof dimensions !== 'object' || Array.isArray(dimensions)) {
+    return;
+  }
+  for (const [dimKey, binding] of Object.entries(dimensions)) {
+    if (!binding || typeof binding !== 'object' || binding.type !== 'fk') {
+      continue;
+    }
+    if (!Object.prototype.hasOwnProperty.call(binding, 'actor')) {
+      warnings.push(
+        `Datasource "${parsed.key || '(unknown)'}": dimension "${dimKey}" uses type=fk without actor; set actor (displayName, email, userId, groups, roles) for predictable ABAC binding.`
+      );
+    }
+  }
+}
+
+/**
+ * Collects non-fatal warnings for an external datasource document (already parsed).
+ * @param {Object} parsed - Parsed datasource JSON
+ * @returns {string[]} Warning messages (empty if none)
+ */
+function collectExternalDatasourceWarnings(parsed) {
+  const warnings = [];
+  if (!parsed || typeof parsed !== 'object') {
+    return warnings;
+  }
+  warnMissingDimensions(parsed, warnings);
+  warnFkWithoutActor(parsed, warnings);
+  return warnings;
+}
+
+module.exports = { collectExternalDatasourceWarnings };

package/lib/validation/env-template-auth.js

@@ -10,6 +10,7 @@
  */
 
 const { loadExternalIntegrationConfig, loadSystemFile } = require('../generator/external');
+const { getKvPathSegmentForSecurityKey } = require('../utils/credential-secrets-env');
 
 /**
  * Extracts all kv:// paths from env.template content (RHS of VAR=value lines).
@@ -93,7 +94,7 @@ function setHasPathIgnoreCase(pathSet, requiredPath) {
  * @returns {Promise<{ requiredPaths: Set<string>, warning?: string }>} Required kv paths and optional warning
  *
  * @example
- * const { requiredPaths } = await collectRequiredAuthKvPaths('/path/to/integration/hubspot');
+ * const { requiredPaths } = await collectRequiredAuthKvPaths('/path/to/integration/hubspot-test');
  * // requiredPaths has kv:// paths from authentication.security
  */
 async function collectRequiredAuthKvPaths(appPath, _options = {}) {
@@ -148,10 +149,57 @@ async function validateAuthKvCoverage(appPath, content, errors, warnings, option
   }
 }
 
+/**
+ * Derives system key from system file name (e.g. hubspot-system.yaml -> hubspot).
+ * @param {string} systemFileName - System file name
+ * @returns {string}
+ */
+function systemKeyFromFileName(systemFileName) {
+  if (!systemFileName || typeof systemFileName !== 'string') return '';
+  return systemFileName.replace(/-system\.(yaml|yml|json)$/i, '');
+}
+
+/**
+ * Validates that authentication.security paths in system files match the canonical path
+ * (kv://<systemKey>/<getKvPathSegmentForSecurityKey(securityKey)>). Pushes errors when they differ.
+ *
+ * @async
+ * @function validateAuthSecurityPathConsistency
+ * @param {string} appPath - Application path (integration or builder dir)
+ * @param {string[]} errors - Errors array to push to
+ * @param {string[]} warnings - Warnings array to push to (unused; for API consistency)
+ */
+async function validateAuthSecurityPathConsistency(appPath, errors, _warnings) {
+  try {
+    const { schemaBasePath, systemFiles } = await loadExternalIntegrationConfig(appPath);
+    for (const systemFileName of systemFiles) {
+      const systemKey = systemKeyFromFileName(systemFileName);
+      if (!systemKey) continue;
+      const systemJson = await loadSystemFile(appPath, schemaBasePath, systemFileName);
+      const security = systemJson.authentication?.security;
+      if (!security || typeof security !== 'object') continue;
+      for (const [key, value] of Object.entries(security)) {
+        if (typeof value !== 'string' || !/^kv:\/\/.+/.test(value)) continue;
+        const canonicalSegment = getKvPathSegmentForSecurityKey(key);
+        const canonicalPath = canonicalSegment ? `kv://${systemKey}/${canonicalSegment}` : null;
+        if (canonicalPath && value !== canonicalPath) {
+          errors.push(
+            `authentication.security.${key} has path ${value}; canonical path is ${canonicalPath}. Run \`aifabrix repair <systemKey>\` to normalize.`
+          );
+        }
+      }
+    }
+  } catch (error) {
+    _warnings.push(`Could not validate auth path consistency: ${error.message}`);
+  }
+}
+
 module.exports = {
   extractKvPathsFromEnvTemplate,
   extractKvPathsFromCommentedLines,
   setHasPathIgnoreCase,
   collectRequiredAuthKvPaths,
-  validateAuthKvCoverage
+  validateAuthKvCoverage,
+  validateAuthSecurityPathConsistency,
+  systemKeyFromFileName
 };