@aifabrix/builder 2.43.0 → 2.44.0

package/lib/core/audit-logger.js

@@ -16,12 +16,12 @@ const path = require('path');
 const os = require('os');
 const paths = require('../utils/paths');
 
-// Audit log file path (in user's home directory for compliance)
+// Audit log file path (beside config.yaml / CLI system dir for compliance)
 let auditLogPath = null;
 
 /**
  * Gets the audit log file path
- * Creates .aifabrix directory in user's home if it doesn't exist
+ * Creates config / system directory if it doesn't exist
  * @returns {Promise<string>} Path to audit log file
  */
 async function getAuditLogPath() {
@@ -29,7 +29,7 @@ async function getAuditLogPath() {
     return auditLogPath;
   }
 
-  const aifabrixDir = paths.getAifabrixHome();
+  const aifabrixDir = paths.getAifabrixSystemDir();
 
   try {
     await fs.mkdir(aifabrixDir, { recursive: true });
@@ -336,6 +336,13 @@ function extractPathFromUrl(url) {
   }
 }
 
+/**
+ * Clears cached audit log path (for tests that vary getAifabrixSystemDir between calls).
+ */
+function resetAuditLogPathCache() {
+  auditLogPath = null;
+}
+
 module.exports = {
   auditLog,
   logDeploymentAttempt,
@@ -345,6 +352,7 @@ module.exports = {
   logApplicationCreation,
   logApiCall,
   maskSensitiveData,
-  createAuditEntry
+  createAuditEntry,
+  resetAuditLogPathCache
 };
 

package/lib/core/config-attach-extensions.js

@@ -0,0 +1,46 @@
+/**
+ * Attach token, path, format, and scoped-resources helpers to config exports.
+ *
+ * @fileoverview Keeps lib/core/config.js under max-lines
+ * @author AI Fabrix Team
+ * @version 1.0.0
+ */
+
+'use strict';
+
+/**
+ * @param {object} exportsObj - Module exports object to mutate
+ * @param {object} deps
+ * @param {Function} deps.getConfig
+ * @param {Function} deps.saveConfig
+ * @param {Function} deps.getSecretsEncryptionKey
+ * @param {Function} deps.encryptTokenValue
+ * @param {Function} deps.decryptTokenValue
+ */
+function attachConfigExtensions(exportsObj, deps) {
+  const { getConfig, saveConfig, getSecretsEncryptionKey, encryptTokenValue, decryptTokenValue } = deps;
+
+  const { createTokenManagementFunctions } = require('../utils/config-tokens');
+  Object.assign(
+    exportsObj,
+    createTokenManagementFunctions({
+      getConfigFn: getConfig,
+      saveConfigFn: saveConfig,
+      getSecretsEncryptionKeyFn: getSecretsEncryptionKey,
+      encryptTokenValueFn: encryptTokenValue,
+      decryptTokenValueFn: decryptTokenValue,
+      isTokenEncryptedFn: require('../utils/token-encryption').isTokenEncrypted
+    })
+  );
+
+  const { createPathConfigFunctions } = require('../utils/config-paths');
+  Object.assign(exportsObj, createPathConfigFunctions(getConfig, saveConfig));
+
+  const { createFormatFunctions } = require('../utils/config-format-preference');
+  Object.assign(exportsObj, createFormatFunctions(getConfig, saveConfig));
+
+  const { createScopedResourcesPreferenceFunctions } = require('../utils/config-scoped-resources-preference');
+  Object.assign(exportsObj, createScopedResourcesPreferenceFunctions(getConfig, saveConfig));
+}
+
+module.exports = { attachConfigExtensions };

package/lib/core/config-runtime-paths.js

@@ -0,0 +1,29 @@
+/**
+ * Resolves config.yaml directory/file on each access (aligned with paths.getConfigDirForPaths).
+ * Split from config.js for max-lines compliance.
+ *
+ * @fileoverview Dynamic CONFIG_DIR / CONFIG_FILE for lib/core/config.js
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const path = require('path');
+const { getAifabrixRuntimeConfigDir } = require('../utils/aifabrix-runtime-config-dir');
+
+/**
+ * @returns {string}
+ */
+function getRuntimeConfigDir() {
+  return getAifabrixRuntimeConfigDir();
+}
+
+/**
+ * @returns {string}
+ */
+function getRuntimeConfigFile() {
+  return path.join(getRuntimeConfigDir(), 'config.yaml');
+}
+
+module.exports = { getRuntimeConfigDir, getRuntimeConfigFile };

package/lib/core/config.js

@@ -14,31 +14,9 @@ const yaml = require('js-yaml');
 const os = require('os');
 const { encryptToken, decryptToken, isTokenEncrypted } = require('../utils/token-encryption');
 const { ensureSecureFilePermissions, ensureSecureDirPermissions } = require('../utils/secure-file-permissions');
-// Avoid importing paths here to prevent circular dependency.
-// Config location (first match wins):
-//   1. AIFABRIX_CONFIG env = full path to config.yaml
-//   2. AIFABRIX_HOME env = directory containing config.yaml
-//   3. ~/.aifabrix
-// Set AIFABRIX_HOME=/workspace/.aifabrix or AIFABRIX_CONFIG=/workspace/.aifabrix/config.yaml when config is not in default home.
-
-function getConfigDir() {
-  const configFile = process.env.AIFABRIX_CONFIG && typeof process.env.AIFABRIX_CONFIG === 'string';
-  if (configFile) {
-    return path.dirname(path.resolve(process.env.AIFABRIX_CONFIG.trim()));
-  }
-  if (process.env.AIFABRIX_HOME && typeof process.env.AIFABRIX_HOME === 'string') {
-    return path.resolve(process.env.AIFABRIX_HOME.trim());
-  }
-  return path.join(os.homedir(), '.aifabrix');
-}
-
-// Runtime config directory and file (respect AIFABRIX_HOME)
-const RUNTIME_CONFIG_DIR = getConfigDir();
-const RUNTIME_CONFIG_FILE = path.join(RUNTIME_CONFIG_DIR, 'config.yaml');
-
-// Legacy exports (same as runtime when module loads)
-const CONFIG_DIR = RUNTIME_CONFIG_DIR;
-const CONFIG_FILE = RUNTIME_CONFIG_FILE;
+const { getRuntimeConfigDir, getRuntimeConfigFile } = require('./config-runtime-paths');
+// Avoid importing paths.js here to prevent circular dependency; use shared runtime config dir helper.
+// Config location: AIFABRIX_CONFIG dirname → AIFABRIX_HOME (with ~/.aifabrix fallback when config lives there) → ~/.aifabrix
 
 // Cache for developer ID - loaded when getConfig() is first called
 let cachedDeveloperId = null;
@@ -111,6 +89,9 @@ function applyConfigDefaults(config) {
   if (typeof config.device !== 'object' || config.device === null) {
     config.device = {};
   }
+  if (typeof config.useEnvironmentScopedResources === 'undefined') {
+    config.useEnvironmentScopedResources = false;
+  }
   // Ensure controller field exists (but don't set defaults)
   // It will be set by login or auth --set-controller
   return config;
@@ -128,15 +109,18 @@ function getDefaultConfig() {
     controller: undefined,
     environments: {},
     device: {},
-    format: undefined
+    format: undefined,
+    useEnvironmentScopedResources: false
   };
 }
 
 async function getConfig() {
   try {
-    ensureSecureDirPermissions(RUNTIME_CONFIG_DIR);
-    ensureSecureFilePermissions(RUNTIME_CONFIG_FILE);
-    const configContent = await fs.readFile(RUNTIME_CONFIG_FILE, 'utf8');
+    const dir = getRuntimeConfigDir();
+    const file = getRuntimeConfigFile();
+    ensureSecureDirPermissions(dir);
+    ensureSecureFilePermissions(file);
+    const configContent = await fs.readFile(file, 'utf8');
     let config = yaml.load(configContent);
 
     // Handle empty file or null/undefined result from yaml.load
@@ -168,20 +152,22 @@ async function getConfig() {
  */
 async function saveConfig(data) {
   try {
+    const dir = getRuntimeConfigDir();
+    const file = getRuntimeConfigFile();
     // Create directory if it doesn't exist
-    await fs.mkdir(RUNTIME_CONFIG_DIR, { recursive: true });
+    await fs.mkdir(dir, { recursive: true });
 
     // Set secure permissions
     // Force quotes to ensure numeric-like strings (e.g., "01") remain strings in YAML
     const configContent = yaml.dump(data, { forceQuotes: true });
     // Write file first
-    await fs.writeFile(RUNTIME_CONFIG_FILE, configContent, {
+    await fs.writeFile(file, configContent, {
       mode: 0o600,
       flag: 'w'
     });
     // Open file descriptor and fsync to ensure write is flushed to disk
     // This is critical on Windows where file writes may be cached
-    const fd = await fs.open(RUNTIME_CONFIG_FILE, 'r+');
+    const fd = await fs.open(file, 'r+');
     try {
       await fd.sync();
     } finally {
@@ -198,7 +184,7 @@ async function saveConfig(data) {
  */
 async function clearConfig() {
   try {
-    await fs.unlink(RUNTIME_CONFIG_FILE);
+    await fs.unlink(getRuntimeConfigFile());
   } catch (error) {
     if (error.code !== 'ENOENT') {
       throw new Error(`Failed to clear config: ${error.message}`);
@@ -236,8 +222,9 @@ async function getDeveloperId() {
  */
 async function verifyDeveloperIdSaved(devIdString) {
   await new Promise(resolve => setTimeout(resolve, 100));
-  ensureSecureFilePermissions(RUNTIME_CONFIG_FILE);
-  const savedContent = await fs.readFile(RUNTIME_CONFIG_FILE, 'utf8');
+  const file = getRuntimeConfigFile();
+  ensureSecureFilePermissions(file);
+  const savedContent = await fs.readFile(file, 'utf8');
   const savedConfig = yaml.load(savedContent);
   const savedDevIdString = String(savedConfig['developer-id']);
   if (savedDevIdString !== devIdString) {
@@ -262,6 +249,24 @@ async function getCurrentEnvironment() {
   return config.environment || 'dev';
 }
 
+/**
+ * Whether infra TLS mode is enabled (`tlsEnabled: true` in config.yaml; e.g. after `up-infra --tls`).
+ * @returns {Promise<boolean>}
+ */
+async function getTlsEnabled() {
+  const cfg = await getConfig();
+  return cfg.tlsEnabled === true;
+}
+
+/**
+ * Whether Traefik is enabled (`traefik: true` in config; infra compose includes the proxy).
+ * @returns {Promise<boolean>}
+ */
+async function getTraefikEnabled() {
+  const cfg = await getConfig();
+  return cfg.traefik === true;
+}
+
 /**
  * Resolve environment from configuration
  * Uses config.environment, defaults to 'dev'
@@ -448,6 +453,8 @@ const exportsObj = {
   setDeveloperId,
   loadDeveloperId,
   getCurrentEnvironment,
+  getTlsEnabled,
+  getTraefikEnabled,
   setCurrentEnvironment,
   resolveEnvironment,
   isTokenExpired,
@@ -462,8 +469,12 @@ const exportsObj = {
   normalizeControllerUrl,
   setControllerUrl,
   getControllerUrl,
-  CONFIG_DIR,
-  CONFIG_FILE
+  get CONFIG_DIR() {
+    return getRuntimeConfigDir();
+  },
+  get CONFIG_FILE() {
+    return getRuntimeConfigFile();
+  }
 };
 
 // Add developerId as a property getter for direct access
@@ -477,24 +488,12 @@ Object.defineProperty(exportsObj, 'developerId', {
   configurable: true
 });
 
-// Token management functions - created after dependencies are defined
-const { createTokenManagementFunctions } = require('../utils/config-tokens');
-const tokenFunctions = createTokenManagementFunctions({
-  getConfigFn: getConfig,
-  saveConfigFn: saveConfig,
-  getSecretsEncryptionKeyFn: getSecretsEncryptionKey,
-  encryptTokenValueFn: encryptTokenValue,
-  decryptTokenValueFn: decryptTokenValue,
-  isTokenEncryptedFn: require('../utils/token-encryption').isTokenEncrypted
+const { attachConfigExtensions } = require('./config-attach-extensions');
+attachConfigExtensions(exportsObj, {
+  getConfig,
+  saveConfig,
+  getSecretsEncryptionKey,
+  encryptTokenValue,
+  decryptTokenValue
 });
-Object.assign(exportsObj, tokenFunctions);
-
-// Path configuration functions - created after getConfig/saveConfig are defined
-const { createPathConfigFunctions } = require('../utils/config-paths');
-const pathConfigFunctions = createPathConfigFunctions(getConfig, saveConfig);
-Object.assign(exportsObj, pathConfigFunctions);
-// Format preference functions
-const { createFormatFunctions } = require('../utils/config-format-preference');
-const formatFunctions = createFormatFunctions(getConfig, saveConfig);
-Object.assign(exportsObj, formatFunctions);
 module.exports = exportsObj;

package/lib/core/diff.js

@@ -1,3 +1,4 @@
+const { formatSuccessParagraph } = require('../utils/cli-test-layout-chalk');
 /**
  * File Comparison Utilities
  *
@@ -377,7 +378,7 @@ function displayVersionInfo(diffResult) {
  */
 function displayBreakingChanges(breakingChanges) {
   if (breakingChanges.length > 0) {
-    logger.log(chalk.red('\n⚠️  Breaking Changes:'));
+    logger.log(chalk.red('\n⚠  Breaking Changes:'));
     breakingChanges.forEach(change => {
       logger.log(chalk.red(`  • ${change.description}`));
     });
@@ -445,7 +446,7 @@ function formatDiffOutput(diffResult) {
   logger.log(chalk.blue(`\nComparing: ${diffResult.file1} ↔ ${diffResult.file2}`));
 
   if (diffResult.identical) {
-    logger.log(chalk.green('\n✓ Files are identical'));
+    logger.log(formatSuccessParagraph('Files are identical'));
     return;
   }
 

package/lib/core/ensure-encryption-key.js

@@ -37,7 +37,7 @@ async function ensureSecretsEncryptionKey(config) {
   const existing = await config.getSecretsEncryptionKey();
   if (existing) return;
 
-  const userSecretsPath = path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
+  const userSecretsPath = pathsUtil.getPrimaryUserSecretsLocalPath();
   const projectSecretsPath = await config.getSecretsPath();
 
   let key = readKeyFromFile(userSecretsPath);

package/lib/core/secrets-ensure-infra.js

@@ -0,0 +1,77 @@
+/**
+ * Infra catalog helpers for secrets-ensure (placeholder context, empty-allowed keys, up-infra key list).
+ * @fileoverview Split from secrets-ensure.js for max-lines compliance
+ */
+'use strict';
+
+const path = require('path');
+const logger = require('../utils/logger');
+const pathsUtil = require('../utils/paths');
+const { getAllInfraEnsureKeys } = require('../parameters/infra-kv-discovery');
+
+/** Shipped infra.parameter.yaml (matches infra-parameter-catalog DEFAULT_CATALOG_PATH). Local join so partial Jest mocks cannot omit DEFAULT_CATALOG_PATH. */
+const BUNDLED_INFRA_PARAMETER_YAML = path.join(__dirname, '..', 'schema', 'infra.parameter.yaml');
+
+/**
+ * Lazy require so Jest mocks of infra-parameter-catalog apply when this module loads after mocks.
+ * @returns {typeof import('../parameters/infra-parameter-catalog')}
+ */
+function infraParameterCatalogModule() {
+  return require('../parameters/infra-parameter-catalog');
+}
+
+/**
+ * Merge infra.parameter.yaml defaults with up-infra CLI options for {{placeholder}} expansion.
+ * @param {Object} [options]
+ * @returns {Record<string, string>}
+ */
+function buildInfraPlaceholderContext(options) {
+  const cat = infraParameterCatalogModule();
+  try {
+    return cat.mergeInfraParameterDefaultsForCli(cat.getInfraParameterCatalog().data, options || {});
+  } catch {
+    return cat.mergeInfraParameterDefaultsForCli({}, options || {});
+  }
+}
+
+/**
+ * Keys that may stay empty without backfill (catalog generator emptyAllowed).
+ * @param {string} key - Secret key
+ * @returns {boolean}
+ */
+function isSecretKeyAllowedEmpty(key) {
+  const cat = infraParameterCatalogModule();
+  try {
+    return cat.getInfraParameterCatalog().isKeyAllowedEmpty(key);
+  } catch {
+    const emptyAllowed = cat.readRelaxedEmptyAllowedKeySet(BUNDLED_INFRA_PARAMETER_YAML);
+    return Boolean(emptyAllowed && emptyAllowed.has(key));
+  }
+}
+
+/**
+ * Infra secret keys for up-infra: catalog (ensureOn upInfra) + workspace DB/template discovery
+ * + standard miso-controller multi-DB keys.
+ * @returns {string[]}
+ */
+function getInfraSecretKeysForUpInfra() {
+  const cat = infraParameterCatalogModule();
+  try {
+    const catalog = cat.getInfraParameterCatalog();
+    return getAllInfraEnsureKeys(catalog, pathsUtil);
+  } catch (err) {
+    logger.warn(`Could not build infra secret key list from catalog (${err.message}); using relaxed YAML read.`);
+    const relaxed = cat.readRelaxedUpInfraEnsureKeyList(BUNDLED_INFRA_PARAMETER_YAML);
+    if (relaxed && relaxed.length > 0) {
+      return relaxed;
+    }
+    logger.warn('Relaxed read of infra.parameter.yaml produced no keys; up-infra may skip secret backfill.');
+    return [];
+  }
+}
+
+module.exports = {
+  buildInfraPlaceholderContext,
+  isSecretKeyAllowedEmpty,
+  getInfraSecretKeysForUpInfra
+};