@aifabrix/builder 2.43.0 → 2.44.0

package/lib/app/rotate-secret.js

@@ -1,3 +1,4 @@
+const { formatBlockingError, formatSuccessLine, formatSuccessParagraph } = require('../utils/cli-test-layout-chalk');
 /**
  * AI Fabrix Builder - App Rotate Secret Command
  *
@@ -70,7 +71,7 @@ function validateEnvironment(environment) {
 async function resolveControllerAndEnvironment() {
   const controllerUrl = await resolveControllerUrl();
   if (!controllerUrl) {
-    logger.error(chalk.red('❌ Controller URL is required. Run "aifabrix login" to set the controller URL in config.yaml'));
+    logger.error(formatBlockingError('Controller URL is required. Run "aifabrix login" to set the controller URL in config.yaml'));
     process.exit(1);
   }
   const environment = await resolveEnvironment();
@@ -135,7 +136,7 @@ function extractCredentials(response) {
  */
 function validateResponse(response) {
   if (!response.data || typeof response.data !== 'object') {
-    logger.error(chalk.red('❌ Invalid response: missing data'));
+    logger.error(formatBlockingError('Invalid response: missing data'));
     logger.error(chalk.gray('\nAPI response type:'), typeof response.data);
     logger.error(chalk.gray('API response:'), JSON.stringify(response.data, null, 2));
     logger.error(chalk.gray('\nFull response for debugging:'));
@@ -146,7 +147,7 @@ function validateResponse(response) {
   const result = extractCredentials(response);
 
   if (!result) {
-    logger.error(chalk.red('❌ Invalid response: missing or invalid credentials'));
+    logger.error(formatBlockingError('Invalid response: missing or invalid credentials'));
     logger.error(chalk.gray('\nAPI response type:'), typeof response.data);
     logger.error(chalk.gray('API response:'), JSON.stringify(response.data, null, 2));
     logger.error(chalk.gray('\nFull response for debugging:'));
@@ -166,7 +167,7 @@ function validateResponse(response) {
  * @param {string} [message] - Optional message from API
  */
 function displayRotationResults(appKey, environment, credentials, apiUrl, message) {
-  logger.log(chalk.green('✅ Secret rotated successfully!\n'));
+  logger.log(formatSuccessLine('Secret rotated successfully!\n'));
   logger.log(chalk.bold('📋 Application Details:'));
   logger.log(`   Key:         ${appKey}`);
   logger.log(`   Environment: ${environment}`);
@@ -206,7 +207,7 @@ async function getTokenFromUrl(controllerUrl) {
       };
     }
   } catch (error) {
-    logger.error(chalk.red(`❌ Failed to authenticate with controller: ${controllerUrl}`));
+    logger.error(formatBlockingError(`Failed to authenticate with controller: ${controllerUrl}`));
     logger.error(chalk.gray(`Error: ${error.message}`));
     process.exit(1);
   }
@@ -287,18 +288,18 @@ async function saveCredentialsLocally(appKey, credentials, actualControllerUrl)
       // Regenerate .env file with updated credentials
       try {
         await generateEnvFile(appKey, null, 'local');
-        logger.log(chalk.green('✓ .env file updated with new credentials'));
+        logger.log(formatSuccessLine('.env file updated with new credentials'));
       } catch (error) {
-        logger.warn(chalk.yellow(`⚠️  Could not regenerate .env file: ${error.message}`));
+        logger.warn(chalk.yellow(`⚠  Could not regenerate .env file: ${error.message}`));
       }
 
-      logger.log(chalk.green('\n✓ Credentials saved to ~/.aifabrix/secrets.local.yaml'));
-      logger.log(chalk.green('✓ env.template updated with MISO_CLIENTID, MISO_CLIENTSECRET, and MISO_CONTROLLER_URL\n'));
+      logger.log(formatSuccessParagraph('Credentials saved to ~/.aifabrix/secrets.local.yaml'));
+      logger.log(formatSuccessLine('env.template updated with MISO_CLIENTID, MISO_CLIENTSECRET, and MISO_CONTROLLER_URL\n'));
     } else {
-      logger.log(chalk.green('\n✓ Credentials saved to ~/.aifabrix/secrets.local.yaml\n'));
+      logger.log(formatSuccessParagraph('Credentials saved to ~/.aifabrix/secrets.local.yaml\n'));
     }
   } catch (error) {
-    logger.warn(chalk.yellow(`⚠️  Could not save credentials locally: ${error.message}`));
+    logger.warn(chalk.yellow(`⚠  Could not save credentials locally: ${error.message}`));
   }
 }
 
@@ -337,7 +338,7 @@ async function executeRotation(appKey, actualControllerUrl, environment, token)
  * @throws {Error} If rotation fails
  */
 async function rotateSecret(appKey, _options = {}) {
-  logger.log(chalk.yellow('⚠️  This will invalidate the old ClientSecret!\n'));
+  logger.log(chalk.yellow('⚠  This will invalidate the old ClientSecret!\n'));
 
   const { ensureSecretsEncryptionKey } = require('../core/config');
   await ensureSecretsEncryptionKey();
@@ -349,7 +350,7 @@ async function rotateSecret(appKey, _options = {}) {
   try {
     await executeRotation(appKey, actualControllerUrl, environment, token);
   } catch (error) {
-    logger.error(chalk.red(`❌ Failed to rotate secret via controller: ${actualControllerUrl}`));
+    logger.error(formatBlockingError(`Failed to rotate secret via controller: ${actualControllerUrl}`));
     logger.error(chalk.gray(`Error: ${error.message}`));
     process.exit(1);
   }

package/lib/app/run-container-start.js

@@ -0,0 +1,184 @@
+/**
+ * Docker Compose up and docker-run fallback for `aifabrix run`.
+ *
+ * @fileoverview Extracted from run-helpers to keep file size within limits
+ */
+
+'use strict';
+const { formatSuccessLine } = require('../utils/cli-test-layout-chalk');
+
+const fs = require('fs').promises;
+const chalk = require('chalk');
+const { exec } = require('child_process');
+const { promisify } = require('util');
+const logger = require('../utils/logger');
+const dockerUtils = require('../utils/docker');
+const containerHelpers = require('../utils/app-run-containers');
+const healthCheck = require('../utils/health-check');
+const runDockerFallback = require('./run-docker-fallback');
+const { resolveRunImage } = require('./run-resolve-image');
+
+const execAsync = promisify(exec);
+
+/**
+ * Logs and runs docker when Compose CLI is missing (narrow eligibility).
+ * @async
+ * @param {string} appName
+ * @param {Object} appConfig
+ * @param {number} port
+ * @param {Object} opts
+ */
+async function emitAndRunDockerFallback(appName, appConfig, port, opts) {
+  const { debug, runEnvPath, runOptions, misoEnvironment } = opts;
+  logger.log(
+    chalk.yellow(
+      'Docker Compose not found; using docker run (apps without database/redis only). ' +
+        'Install docker-compose-plugin for full compose support.'
+    )
+  );
+  const { imageName, imageTag } = resolveRunImage(appName, appConfig, runOptions);
+  await runDockerFallback.executeDockerRunUp({
+    appName,
+    appConfig,
+    hostPort: port,
+    fullImage: `${imageName}:${imageTag}`,
+    runEnvPath,
+    misoEnvironment,
+    debug
+  });
+}
+
+/**
+ * Prepares env for docker compose child process (UID/GID + remote docker).
+ * @async
+ * @param {boolean} debug
+ * @returns {Promise<Object>}
+ */
+async function prepareContainerEnv(debug) {
+  const { getDockerExecEnv } = require('../utils/remote-docker-env');
+  const env = await getDockerExecEnv();
+
+  if (typeof process.getuid === 'function' && typeof process.getgid === 'function') {
+    env.AIFABRIX_UID = String(process.getuid());
+    env.AIFABRIX_GID = String(process.getgid());
+  } else {
+    env.AIFABRIX_UID = '1000';
+    env.AIFABRIX_GID = '1000';
+  }
+
+  if (debug) {
+    logger.log(chalk.gray('[DEBUG] Container env prepared (secrets via env_file)'));
+  }
+
+  return env;
+}
+
+/**
+ * @async
+ * @param {string} composeCmdBase
+ * @param {string} composePath
+ * @param {Object} env
+ * @param {boolean} debug
+ */
+async function executeComposeUp(composeCmdBase, composePath, env, debug) {
+  const composeCmd = `${composeCmdBase} -f "${composePath}" up -d`;
+  if (debug) {
+    logger.log(chalk.gray(`[DEBUG] Executing: ${composeCmd}`));
+    logger.log(chalk.gray(`[DEBUG] Compose file: ${composePath}`));
+  }
+  await execAsync(composeCmd, { env });
+}
+
+/**
+ * Log status, wait for HTTP health, delete run .env files.
+ * @async
+ * @param {string} appName
+ * @param {number} port
+ * @param {Object} appConfig
+ * @param {{ debug: boolean, runEnvPath: string|null, runEnvAdminPath: string|null }} o
+ */
+async function waitForHealthyAndCleanupEnvFiles(appName, port, appConfig, o) {
+  const { debug, runEnvPath, runEnvAdminPath, runOptions = {} } = o;
+  const ro = runOptions || {};
+  const scopeOpts =
+    ro.effectiveEnvironmentScopedResources === true && ro.env
+      ? { effectiveEnvironmentScopedResources: true, env: String(ro.env).toLowerCase() }
+      : null;
+  const containerName = containerHelpers.getContainerName(appName, appConfig.developerId, scopeOpts);
+  logger.log(formatSuccessLine(`Container ${containerName} started`));
+  await containerHelpers.logContainerStatus(containerName, debug);
+
+  const healthCheckPath = appConfig?.healthCheck?.path || '/health';
+  const healthUrl = (typeof healthCheck.computeHealthCheckUrl === 'function')
+    ? await healthCheck.computeHealthCheckUrl(appName, port, appConfig, { runOptions: ro })
+    : null;
+  // Keep a stable fallback in the message if URL computation fails for any reason.
+  const displayUrl = (healthUrl && typeof healthUrl === 'string')
+    ? healthUrl
+    : `http://localhost:${port}${healthCheckPath}`;
+  logger.log(chalk.blue(`Waiting for application to be healthy at ${displayUrl}...`));
+  await healthCheck.waitForHealthCheck(appName, 90, port, appConfig, debug, ro);
+
+  for (const p of [runEnvPath, runEnvAdminPath]) {
+    if (p && typeof p === 'string') {
+      try {
+        await fs.unlink(p);
+      } catch (err) {
+        if (err.code !== 'ENOENT') logger.log(chalk.yellow(`Warning: could not remove run .env: ${err.message}`));
+      }
+    }
+  }
+}
+
+/**
+ * Starts the container and waits for health check. Deletes run .env files after success (ISO 27K).
+ * @async
+ * @param {string} appName
+ * @param {string} composePath
+ * @param {number} port
+ * @param {Object} appConfig
+ * @param {Object} [opts]
+ */
+async function startContainer(appName, composePath, port, appConfig = null, opts = {}) {
+  const {
+    debug = false,
+    runEnvPath = null,
+    runEnvAdminPath = null,
+    runOptions = {},
+    devMountPath = null,
+    misoEnvironment = 'dev'
+  } = opts;
+  logger.log(chalk.blue(`Starting ${appName}...`));
+
+  let composeCmdBase;
+  let usedDockerRunFallback = false;
+  try {
+    composeCmdBase = await dockerUtils.ensureDockerAndCompose();
+  } catch (composeErr) {
+    if (runDockerFallback.canUseDockerRunWithoutCompose(appConfig, { devMountPath })) {
+      await emitAndRunDockerFallback(appName, appConfig, port, {
+        debug,
+        runEnvPath,
+        runOptions,
+        misoEnvironment
+      });
+      usedDockerRunFallback = true;
+    } else {
+      throw composeErr;
+    }
+  }
+
+  if (!usedDockerRunFallback) {
+    const env = await prepareContainerEnv(debug);
+    await executeComposeUp(composeCmdBase, composePath, env, debug);
+  }
+
+  await waitForHealthyAndCleanupEnvFiles(appName, port, appConfig, {
+    debug,
+    runEnvPath,
+    runEnvAdminPath,
+    runOptions
+  });
+}
+
+module.exports = { startContainer, prepareContainerEnv, executeComposeUp };

package/lib/app/run-docker-fallback.js

@@ -0,0 +1,108 @@
+/**
+ * Fallback `docker run` when Docker Compose CLI is missing — narrow case only.
+ *
+ * @fileoverview Apps that declare no Postgres/Redis in application.yaml can start
+ *   with plain Docker; same eligibility as skipping local infra health.
+ */
+
+'use strict';
+
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { execWithDockerEnv } = require('../utils/docker-exec');
+const { getContainerPort } = require('../utils/port-resolver');
+const { getAppInfraRequirements } = require('./run-infra-requirements');
+
+/**
+ * Shell-single-quote a string for use inside a POSIX sh -c style command.
+ * @param {string} value
+ * @returns {string}
+ */
+function shellSingleQuote(value) {
+  const s = String(value);
+  return '\'' + s.replace(/'/g, '\'\\\'\'') + '\'';
+}
+
+/**
+ * Named volume for /mnt/data (must match templates/typescript/docker-compose.hbs).
+ * @param {string} appName
+ * @param {string|number} developerId
+ * @returns {string}
+ */
+function storageVolumeName(appName, developerId) {
+  const idNum = typeof developerId === 'string' ? parseInt(developerId, 10) : developerId;
+  if (idNum === 0) {
+    return `aifabrix_${appName}_data`;
+  }
+  return `aifabrix_dev${developerId}_${appName}_data`;
+}
+
+/**
+ * True when safe to emulate compose with `docker run` if Compose is unavailable.
+ * @param {Object} appConfig
+ * @param {{ devMountPath?: string|null }} startOpts
+ * @returns {boolean}
+ */
+function canUseDockerRunWithoutCompose(appConfig, startOpts) {
+  const req = getAppInfraRequirements(appConfig);
+  if (!req || req.needsPostgres || req.needsRedis) {
+    return false;
+  }
+  if (appConfig.frontDoorRouting && appConfig.frontDoorRouting.enabled === true) {
+    return false;
+  }
+  if (startOpts.devMountPath) {
+    return false;
+  }
+  return true;
+}
+
+/**
+ * @param {Object} o
+ * @param {string} o.appName
+ * @param {Object} o.appConfig
+ * @param {number} o.hostPort
+ * @param {string} o.fullImage image:tag
+ * @param {string|null} o.runEnvPath
+ * @param {string} o.misoEnvironment
+ * @param {boolean} o.debug
+ * @returns {Promise<void>}
+ */
+async function executeDockerRunUp(o) {
+  const { appName, appConfig, hostPort, fullImage, runEnvPath, misoEnvironment, debug } = o;
+  const idNum = typeof appConfig.developerId === 'string' ? parseInt(appConfig.developerId, 10) : appConfig.developerId;
+  const containerName = idNum === 0 ? `aifabrix-${appName}` : `aifabrix-dev${appConfig.developerId}-${appName}`;
+  const containerPort = getContainerPort(appConfig, 3000);
+
+  const needsStorage =
+    appConfig.requires?.storage === true ||
+    appConfig.services?.storage === true;
+
+  const parts = [
+    'docker run -d',
+    `--name ${shellSingleQuote(containerName)}`,
+    '--restart unless-stopped',
+    `-p ${hostPort}:${containerPort}`,
+    `-e MISO_ENVIRONMENT=${shellSingleQuote(misoEnvironment)}`
+  ];
+
+  if (needsStorage) {
+    parts.push(`-v ${shellSingleQuote(storageVolumeName(appName, appConfig.developerId))}:/mnt/data`);
+  }
+  if (runEnvPath && typeof runEnvPath === 'string') {
+    parts.push(`--env-file ${shellSingleQuote(runEnvPath)}`);
+  }
+  parts.push(shellSingleQuote(fullImage));
+
+  const cmd = parts.join(' ');
+  if (debug) {
+    logger.log(chalk.gray(`[DEBUG] Docker run fallback: ${cmd.replace(/env-file [^ ]+/, 'env-file <redacted>')}`));
+  }
+  await execWithDockerEnv(cmd);
+}
+
+module.exports = {
+  canUseDockerRunWithoutCompose,
+  executeDockerRunUp,
+  storageVolumeName
+};

package/lib/app/run-env-compose.js

@@ -16,7 +16,6 @@ const pathsUtil = require('../utils/paths');
 const adminSecrets = require('../core/admin-secrets');
 const secretsEnvWrite = require('../core/secrets-env-write');
 const { getContainerPort } = require('../utils/port-resolver');
-const { getInfraDirName } = require('../infrastructure/helpers');
 
 /**
  * Clean applications directory: remove generated docker-compose.yaml and .env.* files.
@@ -58,12 +57,20 @@ function pgUserName(dbName) {
  * @param {Object} env - Merged env object (mutated)
  * @param {Object} appConfig - Application config (requires.databases or databases array)
  */
-function injectDatabaseNamesAndUsers(env, appConfig) {
+function injectDatabaseNamesAndUsers(env, appConfig, scopeOpts = null) {
   const databases = appConfig?.requires?.databases || appConfig?.databases;
   if (!Array.isArray(databases) || databases.length === 0) return;
+  const prefix =
+    scopeOpts &&
+    scopeOpts.effectiveEnvironmentScopedResources &&
+    scopeOpts.runEnvKey &&
+    (scopeOpts.runEnvKey === 'dev' || scopeOpts.runEnvKey === 'tst')
+      ? `${String(scopeOpts.runEnvKey).toLowerCase()}-`
+      : '';
   for (let i = 0; i < databases.length; i++) {
     const db = databases[i];
-    const name = db?.name || (appConfig?.app?.key || 'app');
+    const baseName = db?.name || (appConfig?.app?.key || 'app');
+    const name = prefix ? `${prefix}${baseName}` : baseName;
     env[`DB_${i}_NAME`] = name;
     env[`DB_${i}_USER`] = pgUserName(name);
   }
@@ -146,24 +153,6 @@ function buildDbInitOnlyEnv(merged) {
   return dbInit;
 }
 
-/**
- * Return pgpass paths under infra-dev* directories in aifabrix home (for fallback lookup).
- * @param {string} aifabrixDir - Aifabrix home directory
- * @returns {string[]} Paths to pgpass files
- */
-function getInfraDevPgpassPaths(aifabrixDir) {
-  if (!fsSync.existsSync(aifabrixDir)) return [];
-  let entries;
-  try {
-    entries = fsSync.readdirSync(aifabrixDir).sort();
-  } catch {
-    return [];
-  }
-  return entries
-    .filter((name) => name.startsWith('infra-dev'))
-    .map((name) => path.join(aifabrixDir, name, 'pgpass'));
-}
-
 /**
  * Read first password from a pgpass file (format host:port:db:user:password).
  * @param {string} pgpassPath - Path to pgpass file
@@ -178,34 +167,31 @@ async function readPasswordFromPgpassFile(pgpassPath) {
 }
 
 /**
- * Read POSTGRES_PASSWORD from an existing infra pgpass so db-init uses the same password as running Postgres.
- * Tries dev-specific, then default infra, then any infra-dev* dir (e.g. dev 1 run when only infra-dev06 has pgpass).
+ * Read POSTGRES_PASSWORD from `pgpass` next to the active infra compose (same as `resolveInfraStatePaths()`).
+ * Does not use `getAifabrixHome()` alone, so a stale pgpass under the wrong base directory (e.g. when
+ * `aifabrix-home` points at $HOME but compose lives under the config dir) cannot override admin-secrets.
  * @param {number|string} developerId - Developer ID
  * @returns {Promise<string|undefined>} Password or undefined
  */
 async function readPostgresPasswordFromPgpass(developerId) {
-  const home = pathsUtil.getAifabrixHome();
-  const idNum = typeof developerId === 'string' ? parseInt(developerId, 10) : developerId;
-  const candidates = [path.join(home, getInfraDirName(developerId), 'pgpass')];
-  if (idNum !== 0) candidates.push(path.join(home, getInfraDirName(0), 'pgpass'));
-  const extra = getInfraDevPgpassPaths(home).filter((p) => !candidates.includes(p));
-  candidates.push(...extra);
-  for (const pgpassPath of candidates) {
-    if (!fsSync.existsSync(pgpassPath)) continue;
-    try {
-      const pwd = await readPasswordFromPgpassFile(pgpassPath);
-      if (pwd !== undefined) return pwd;
-    } catch {
-      // ignore
-    }
+  const { resolveInfraStatePaths } = require('../infrastructure/helpers');
+  const { infraDir } = resolveInfraStatePaths(developerId);
+  const pgpassPath = path.join(infraDir, 'pgpass');
+  if (!fsSync.existsSync(pgpassPath)) {
+    return undefined;
+  }
+  try {
+    const pwd = await readPasswordFromPgpassFile(pgpassPath);
+    return pwd;
+  } catch {
+    return undefined;
   }
-  return undefined;
 }
 
 /**
  * Build two run env files: .env.run (app-only, no admin secrets) and .env.run.admin (start-only, for db-init).
  * Admin password is never set in the app container; .env.run.admin is used only for start and then deleted.
- * When an infra pgpass exists, POSTGRES_PASSWORD is taken from it so db-init matches the running Postgres.
+ * When `pgpass` exists beside the active infra compose, POSTGRES_PASSWORD is taken from it so db-init matches Postgres.
  * @async
  * @param {string} appName - Application name
  * @param {Object} appConfig - Application configuration
@@ -213,24 +199,26 @@ async function readPostgresPasswordFromPgpass(developerId) {
  * @param {number|string} [developerId] - Developer ID (for pgpass lookup)
  * @returns {Promise<{ runEnvPath: string, runEnvAdminPath: string }>} Paths to .env.run and .env.run.admin
  */
-async function buildMergedRunEnvAndWrite(appName, appConfig, devDir, developerId) {
+async function buildMergedRunEnvAndWrite(appName, appConfig, devDir, developerId, scopeOpts = null) {
   const infra = require('../infrastructure');
   const ensureAdminSecretsFn = typeof infra.ensureAdminSecrets === 'function'
     ? infra.ensureAdminSecrets
     : require('../infrastructure/helpers').ensureAdminSecrets;
   await ensureAdminSecretsFn();
   const adminObj = await adminSecrets.readAndDecryptAdminSecrets();
+  const runEnvKey = scopeOpts && scopeOpts.runEnvKey ? String(scopeOpts.runEnvKey).toLowerCase() : 'dev';
   const appObj = await secretsEnvWrite.resolveAndGetEnvMap(appName, {
     environment: 'docker',
     secretsPath: null,
-    force: false
+    force: false,
+    runEnvKey
   });
   const merged = { ...adminObj, ...appObj };
   if (developerId !== undefined) {
     const pgpassPwd = await readPostgresPasswordFromPgpass(developerId);
     if (pgpassPwd !== undefined) merged.POSTGRES_PASSWORD = pgpassPwd;
   }
-  injectDatabaseNamesAndUsers(merged, appConfig);
+  injectDatabaseNamesAndUsers(merged, appConfig, scopeOpts);
   injectContainerPortForRun(merged, appConfig, appName);
 
   const runEnvPath = path.join(devDir, '.env.run');