@aifabrix/builder 2.43.0 → 2.44.0

package/lib/utils/infra-status.js

@@ -9,13 +9,10 @@
  * @version 2.0.0
  */
 
-const { exec } = require('child_process');
-const { promisify } = require('util');
 const config = require('../core/config');
 const devConfig = require('./dev-config');
 const containerUtils = require('./infra-containers');
-
-const execAsync = promisify(exec);
+const { execWithDockerEnv } = require('./docker-exec');
 
 /**
  * Builds services config map from ports and config flags.
@@ -52,7 +49,7 @@ async function getServiceStatus(serviceName, serviceConfig, devId) {
   try {
     const containerName = await containerUtils.findContainer(serviceName, devId, { strict: true });
     const rawStatus = containerName
-      ? (await execAsync(`docker inspect --format='{{.State.Status}}' ${containerName}`)).stdout.trim().replace(/['"]/g, '')
+      ? (await execWithDockerEnv(`docker inspect --format='{{.State.Status}}' ${containerName}`)).stdout.trim().replace(/['"]/g, '')
       : 'not running';
     return { status: rawStatus, port: serviceConfig.port, url: serviceConfig.url };
   } catch {
@@ -107,6 +104,9 @@ function getInfraContainerNames(devIdNum, devId) {
 /** Suffixes for init/helper containers to exclude from "Running Applications" (e.g. keycloak-db-init) */
 const INIT_CONTAINER_SUFFIXES = ['-db-init', '-init'];
 
+/** Names like aifabrix-dev02-postgres belong to isolated developer stacks, not legacy dev-0 mode */
+const DEV_PREFIXED_CONTAINER = /^aifabrix-dev\d+-/;
+
 /**
  * Extracts app name from container name
  * @param {string} containerName - Container name
@@ -115,6 +115,9 @@ const INIT_CONTAINER_SUFFIXES = ['-db-init', '-init'];
  * @returns {string|null} App name or null if not matched
  */
 function extractAppName(containerName, devIdNum, devId) {
+  if (devIdNum === 0 && DEV_PREFIXED_CONTAINER.test(containerName)) {
+    return null;
+  }
   const pattern = devIdNum === 0 ? /^aifabrix-(.+)$/ : new RegExp(`^aifabrix-dev${devId}-(.+)$`);
   const match = containerName.match(pattern);
   if (!match) return null;
@@ -176,7 +179,7 @@ async function getAppStatus() {
   try {
     const devIdNum = parseInt(devId, 10);
     const filterPattern = devIdNum === 0 ? 'aifabrix-' : `aifabrix-dev${devId}-`;
-    const { stdout } = await execAsync(`docker ps --filter "name=${filterPattern}" --format "{{.Names}}\t{{.Ports}}\t{{.Status}}"`);
+    const { stdout } = await execWithDockerEnv(`docker ps --filter "name=${filterPattern}" --format "{{.Names}}\t{{.Ports}}\t{{.Status}}"`);
     const lines = stdout.trim().split('\n').filter(line => line.trim() !== '');
     const infraContainers = getInfraContainerNames(devIdNum, devId);
     for (const line of lines) {
@@ -211,9 +214,14 @@ async function listAppContainerNamesForDeveloper(devId, options = {}) {
   const includeExited = !!options.includeExited;
   try {
     const allFlag = includeExited ? ' -a' : '';
-    const { stdout } = await execAsync(`docker ps${allFlag} --filter "name=${filterPattern}" --format "{{.Names}}"`);
+    const { stdout } = await execWithDockerEnv(`docker ps${allFlag} --filter "name=${filterPattern}" --format "{{.Names}}"`);
     const names = (stdout || '').trim().split('\n').filter(Boolean);
-    return names.filter(n => !infraContainers.includes(n));
+    return names.filter(n => {
+      if (devIdNum === 0 && DEV_PREFIXED_CONTAINER.test(n)) {
+        return false;
+      }
+      return !infraContainers.includes(n);
+    });
   } catch {
     return [];
   }

package/lib/utils/local-secrets.js

@@ -1,7 +1,7 @@
 /**
  * Local Secrets Management Utilities
  *
- * Helper functions for managing local secrets in ~/.aifabrix/secrets.local.yaml
+ * Helper functions for managing local secrets in getPrimaryUserSecretsLocalPath() (config dir)
  *
  * @fileoverview Local secrets management utilities
  * @author AI Fabrix Team
@@ -36,8 +36,7 @@ async function resolveValueForWrite(key, value) {
 }
 
 /**
- * Saves a secret to ~/.aifabrix/secrets.local.yaml
- * Uses paths.getAifabrixHome() to respect config.yaml aifabrix-home override
+ * Saves a secret to the primary user secrets file (getPrimaryUserSecretsLocalPath)
  * Merges the key into the file (updates in place if key already exists, e.g. after rotate-secret).
  * Encrypts the value when a secrets-encryption key is configured (except for the bootstrap key).
  *
@@ -61,7 +60,7 @@ async function saveLocalSecret(key, value) {
   }
 
   const valueToWrite = await resolveValueForWrite(key, value);
-  const secretsPath = path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
+  const secretsPath = pathsUtil.getPrimaryUserSecretsLocalPath();
   mergeSecretsIntoFile(secretsPath, { [key]: valueToWrite });
 }
 

package/lib/utils/paths.js

@@ -12,6 +12,11 @@
 const path = require('path');
 const fs = require('fs');
 const yaml = require('js-yaml');
+const { nodeFs } = require('../internal/node-fs');
+const {
+  getAifabrixRuntimeConfigDir,
+  resolveAifabrixHomeLikePath
+} = require('./aifabrix-runtime-config-dir');
 
 function safeHomedir() {
   try {
@@ -29,30 +34,46 @@ function safeHomedir() {
 }
 
 /**
- * Returns the path to the config directory (same precedence as config.js so both read the same config).
- * Priority: AIFABRIX_CONFIG (dirname) → AIFABRIX_HOME → ~/.aifabrix.
+ * Returns the path to the config directory (same as {@link getAifabrixRuntimeConfigDir} / config.js).
+ * When `AIFABRIX_HOME` is `$HOME` but `config.yaml` is only under `$HOME/.aifabrix/`, returns the latter.
  * @returns {string} Absolute path to config directory
  */
 function getConfigDirForPaths() {
-  const configFile = process.env.AIFABRIX_CONFIG && typeof process.env.AIFABRIX_CONFIG === 'string';
-  if (configFile) {
-    return path.dirname(path.resolve(process.env.AIFABRIX_CONFIG.trim()));
-  }
-  if (process.env.AIFABRIX_HOME && typeof process.env.AIFABRIX_HOME === 'string') {
-    return path.resolve(process.env.AIFABRIX_HOME.trim());
-  }
-  return path.join(safeHomedir(), '.aifabrix');
+  return getAifabrixRuntimeConfigDir();
+}
+
+/**
+ * User-owned `secrets.local.yaml` beside effective `config.yaml` (see {@link getConfigDirForPaths}).
+ * When `AIFABRIX_HOME` is `$HOME` but config is only at `$HOME/.aifabrix/config.yaml`, uses that folder.
+ * Keeps `secret list` / `secret set` aligned with resolve merge (`loadPrimaryUserSecrets`).
+ *
+ * @returns {string} Absolute path to secrets.local.yaml
+ */
+function getPrimaryUserSecretsLocalPath() {
+  return path.join(getConfigDirForPaths(), 'secrets.local.yaml');
+}
+
+/**
+ * Directory for CLI system state next to `config.yaml`: `admin-secrets.env`, `infra/` or `infra-dev{id}/`,
+ * `audit.log`, etc. Unlike {@link getAifabrixHome}, this follows the resolved config directory (e.g.
+ * `~/.aifabrix` when config lives there even if `aifabrix-home` / `AIFABRIX_HOME` is `$HOME`).
+ *
+ * @returns {string} Absolute path (same as {@link getConfigDirForPaths})
+ */
+function getAifabrixSystemDir() {
+  return getConfigDirForPaths();
 }
 
 /**
  * Returns the base AI Fabrix directory.
- * Priority: AIFABRIX_HOME env → config.yaml `aifabrix-home` (from AIFABRIX_HOME or ~/.aifabrix) → ~/.aifabrix.
+ * Priority: AIFABRIX_HOME env → config.yaml `aifabrix-home` → ~/.aifabrix.
+ * Builder-server SSH provisioning sets `aifabrix-home` to the user POSIX home; dev `.bashrc` exports AIFABRIX_HOME from that key (default $HOME).
  *
  * @returns {string} Absolute path to the AI Fabrix home directory
  */
 function getAifabrixHome() {
   if (process.env.AIFABRIX_HOME && typeof process.env.AIFABRIX_HOME === 'string') {
-    return path.resolve(process.env.AIFABRIX_HOME.trim());
+    return resolveAifabrixHomeLikePath(process.env.AIFABRIX_HOME.trim());
   }
   const isTestEnv = process.env.NODE_ENV === 'test' || process.env.JEST_WORKER_ID !== undefined;
   if (!isTestEnv) {
@@ -64,7 +85,7 @@ function getAifabrixHome() {
         const config = yaml.load(content) || {};
         const homeOverride = config && typeof config['aifabrix-home'] === 'string' ? config['aifabrix-home'].trim() : '';
         if (homeOverride) {
-          return path.resolve(homeOverride);
+          return resolveAifabrixHomeLikePath(homeOverride);
         }
       }
     } catch {
@@ -74,6 +95,40 @@ function getAifabrixHome() {
   return path.join(safeHomedir(), '.aifabrix');
 }
 
+/**
+ * Default git / workspace root from env or config (optional; no fallback to aifabrix-home).
+ * Priority: AIFABRIX_WORK env (trim, resolve) → config.yaml `aifabrix-work` → null.
+ *
+ * @returns {string|null} Absolute path or null when unset
+ */
+function getAifabrixWork() {
+  if (process.env.AIFABRIX_WORK && typeof process.env.AIFABRIX_WORK === 'string') {
+    const t = process.env.AIFABRIX_WORK.trim();
+    if (t) {
+      return resolveAifabrixHomeLikePath(t);
+    }
+  }
+  const isTestEnv = process.env.NODE_ENV === 'test' || process.env.JEST_WORKER_ID !== undefined;
+  if (!isTestEnv) {
+    try {
+      const configDir = getConfigDirForPaths();
+      const configPath = path.join(configDir, 'config.yaml');
+      if (fs.existsSync(configPath)) {
+        const content = fs.readFileSync(configPath, 'utf8');
+        const config = yaml.load(content) || {};
+        const workOverride =
+          config && typeof config['aifabrix-work'] === 'string' ? config['aifabrix-work'].trim() : '';
+        if (workOverride) {
+          return resolveAifabrixHomeLikePath(workOverride);
+        }
+      }
+    } catch {
+      // ignore
+    }
+  }
+  return null;
+}
+
 // Cache project root to avoid repeated filesystem lookups
 let cachedProjectRoot = null;
 
@@ -92,7 +147,8 @@ function clearProjectRootCache() {
  */
 function hasPackageJson(dirPath) {
   const packageJsonPath = path.join(dirPath, 'package.json');
-  return fs.existsSync(packageJsonPath);
+  // Real disk: Jest workers may retain jest.mock('fs') from other suites; project root must stay truthful.
+  return nodeFs().existsSync(packageJsonPath);
 }
 
 /**
@@ -215,22 +271,31 @@ function tryFindProjectRoot() {
 }
 
 function getProjectRoot() {
-  // Return cached value if available and valid
+  // Prefer global.PROJECT_ROOT whenever it is valid so tests that override it (or restore it)
+  // are not defeated by a stale cachedProjectRoot from an earlier call in the same Jest worker.
+  const globalRoot = checkGlobalProjectRoot();
+  if (globalRoot) {
+    cachedProjectRoot = globalRoot;
+    return globalRoot;
+  }
   if (cachedProjectRoot && hasPackageJson(cachedProjectRoot)) {
     return cachedProjectRoot;
   }
-
   return tryFindProjectRoot();
 }
 
 /**
- * Returns the applications base directory. Dev 0: <home>/applications; Dev > 0: <home>/applications-dev-{id}
+ * Returns the applications base directory next to effective `config.yaml` (same root as infra, secrets, audit).
+ * Dev 0: `<configDir>/applications`; non-zero dev: `<configDir>/applications-dev-{id}`.
+ * Uses {@link getAifabrixSystemDir}, not raw {@link getAifabrixHome}, so builder-server layouts with
+ * `AIFABRIX_HOME=$HOME` and config under `~/.aifabrix/` keep apps under `.aifabrix` (not `$HOME/applications-dev-*`).
+ *
  * @param {number|string} developerId - Developer ID
  * @returns {string} Absolute path to applications base directory
  */
 function getApplicationsBaseDir(developerId) {
   const idNum = typeof developerId === 'string' ? parseInt(developerId, 10) : developerId;
-  const base = getAifabrixHome();
+  const base = getAifabrixSystemDir();
   if (idNum === 0) {
     return path.join(base, 'applications');
   }
@@ -249,7 +314,8 @@ function getDevDirectory(appName, developerId) {
 }
 
 /**
- * Gets the application path (builder or integration folder)
+ * Gets the application path (builder or integration folder).
+ * Matches getBuilderPath / getIntegrationPath: respects AIFABRIX_BUILDER_DIR and project-root vs cwd base.
  * @param {string} appName - Application name
  * @param {string} [appType] - Application type ('external' or other)
  * @returns {string} Absolute path to application directory
@@ -258,9 +324,10 @@ function getAppPath(appName, appType) {
   if (!appName || typeof appName !== 'string') {
     throw new Error('App name is required and must be a string');
   }
-
-  const baseDir = appType === 'external' ? 'integration' : 'builder';
-  return path.join(process.cwd(), baseDir, appName);
+  if (appType === 'external') {
+    return getIntegrationPath(appName);
+  }
+  return path.join(getBuilderRoot(), appName);
 }
 
 /**
@@ -299,28 +366,45 @@ function getBuilderRoot() {
   return path.join(getIntegrationBuilderBaseDir(), 'builder');
 }
 
+/**
+ * True when name under root is a real directory (follows symlinks). False for broken symlinks, files, ENOENT.
+ * @param {string} root - Parent directory (must exist)
+ * @param {string} name - Entry from readdir
+ * @returns {boolean}
+ */
+function isAppSubdirSync(root, name) {
+  if (!name || name.startsWith('.')) return false;
+  const fullPath = path.join(root, name);
+  try {
+    const st = nodeFs().statSync(fullPath);
+    return Boolean(st && typeof st.isDirectory === 'function' && st.isDirectory());
+  } catch {
+    return false;
+  }
+}
+
 /**
  * Lists app names (directories) under integration root. Excludes dot-prefixed entries.
  * Returns [] if root does not exist.
  * @returns {string[]} Sorted list of app directory names
  */
 function listIntegrationAppNames() {
+  const disk = nodeFs();
   const root = getIntegrationRoot();
-  if (!fs.existsSync(root)) {
+  if (!disk.existsSync(root)) {
+    return [];
+  }
+  let rootStat;
+  try {
+    rootStat = disk.statSync(root);
+  } catch {
     return [];
   }
-  const stat = fs.statSync(root);
-  if (!stat || typeof stat.isDirectory !== 'function' || !stat.isDirectory()) {
+  if (!rootStat || typeof rootStat.isDirectory !== 'function' || !rootStat.isDirectory()) {
     return [];
   }
-  const entries = fs.readdirSync(root);
-  return entries
-    .filter(name => !name.startsWith('.'))
-    .filter(name => {
-      const fullPath = path.join(root, name);
-      return fs.statSync(fullPath).isDirectory();
-    })
-    .sort();
+  const entries = disk.readdirSync(root);
+  return entries.filter((name) => isAppSubdirSync(root, name)).sort();
 }
 
 /**
@@ -329,22 +413,22 @@ function listIntegrationAppNames() {
  * @returns {string[]} Sorted list of app directory names
  */
 function listBuilderAppNames() {
+  const disk = nodeFs();
   const root = getBuilderRoot();
-  if (!fs.existsSync(root)) {
+  if (!disk.existsSync(root)) {
+    return [];
+  }
+  let rootStat;
+  try {
+    rootStat = disk.statSync(root);
+  } catch {
     return [];
   }
-  const stat = fs.statSync(root);
-  if (!stat || typeof stat.isDirectory !== 'function' || !stat.isDirectory()) {
+  if (!rootStat || typeof rootStat.isDirectory !== 'function' || !rootStat.isDirectory()) {
     return [];
   }
-  const entries = fs.readdirSync(root);
-  return entries
-    .filter(name => !name.startsWith('.'))
-    .filter(name => {
-      const fullPath = path.join(root, name);
-      return fs.statSync(fullPath).isDirectory();
-    })
-    .sort();
+  const entries = disk.readdirSync(root);
+  return entries.filter((name) => isAppSubdirSync(root, name)).sort();
 }
 
 /**
@@ -387,7 +471,7 @@ function getBuilderPath(appName) {
     ? process.env.AIFABRIX_BUILDER_DIR.trim()
     : null;
   if (builderRoot) {
-    return path.join(builderRoot, appName);
+    return path.join(path.resolve(builderRoot), appName);
   }
   const base = getIntegrationBuilderBaseDir();
   return path.join(base, 'builder', appName);
@@ -518,7 +602,7 @@ async function detectAppType(appName, _options = {}) {
 
 /**
  * Resolve-specific app path: prefer integration + env.template only (env-only mode).
- * If integration/<appName>/env.template exists, use that directory without requiring application.yaml.
+ * If integration/<systemKey>/env.template exists, use that directory without requiring application.yaml.
  * Otherwise fall back to detectAppType (integration or builder with full config).
  *
  * @param {string} appName - Application name
@@ -538,7 +622,7 @@ async function getResolveAppPath(appName) {
   return { appPath: result.appPath, envOnly: false };
 }
 
-/** Resolve appKey when cwd is inside integration/<appKey>/. */
+/** Resolve app folder name when cwd is inside integration/<systemKey>/. */
 function resolveIntegrationAppKeyFromCwd() {
   const integrationNorm = path.resolve(path.join(getIntegrationBuilderBaseDir(), 'integration'));
   const cwd = path.resolve(process.cwd());
@@ -548,7 +632,10 @@ function resolveIntegrationAppKeyFromCwd() {
 
 module.exports = {
   getAifabrixHome,
+  getAifabrixWork,
   getConfigDirForPaths,
+  getAifabrixSystemDir,
+  getPrimaryUserSecretsLocalPath,
   getApplicationsBaseDir,
   getDevDirectory,
   getAppPath,

package/lib/utils/port-resolver.js

@@ -3,7 +3,7 @@
  *
  * Single source of truth for resolving application port from application config.
  * Use getContainerPort for container/Docker/deployment/registration; use getLocalPort
- * for local .env and dev-id–adjusted host port.
+ * for manifest listen port (same as port; local host uses port+10+dev*100 in secrets-helpers).
  *
  * @fileoverview Port resolution from variables (port, build.containerPort)
  * @author AI Fabrix Team
@@ -14,6 +14,7 @@
 
 const fs = require('fs');
 const yaml = require('js-yaml');
+const { DECLARATIVE_URL_INFRA_DEFAULTS } = require('./infra-env-defaults');
 
 /**
  * Resolve container port from variables object.
@@ -21,10 +22,10 @@ const yaml = require('js-yaml');
  * When containerPort is empty or missing, main port is used (e.g. keycloak 8082:8080 vs miso 3000:3000).
  *
  * @param {Object} variables - Parsed application config (or subset with build, port)
- * @param {number} [defaultPort=3000] - Default when neither build.containerPort nor port is set
+ * @param {number} [defaultPort] - Default when neither build.containerPort nor port is set (infra fallback)
  * @returns {number} Resolved container port
  */
-function getContainerPort(variables, defaultPort = 3000) {
+function getContainerPort(variables, defaultPort = DECLARATIVE_URL_INFRA_DEFAULTS.manifestPortFallback) {
   const v = variables || {};
   const containerPort = v.build?.containerPort;
   const useMain = containerPort === undefined || containerPort === null ||
@@ -36,20 +37,13 @@ function getContainerPort(variables, defaultPort = 3000) {
 }
 
 /**
- * Resolve local (development) port from variables object.
- * Precedence: build.localPort (when positive integer) → port → defaultPort.
- * Used for env-copy, env-ports, getLocalPortFromPath, run compose host port.
- *
+ * Resolve base application listen port (manifest `port` only; build.localPort removed).
  * @param {Object} variables - Parsed application config
- * @param {number} [defaultPort=3000] - Default when neither build.localPort nor port is set
- * @returns {number} Resolved local port
+ * @param {number} [defaultPort] - Default when port is unset (infra fallback)
+ * @returns {number} Listen port
  */
-function getLocalPort(variables, defaultPort = 3000) {
+function getLocalPort(variables, defaultPort = DECLARATIVE_URL_INFRA_DEFAULTS.manifestPortFallback) {
   const v = variables || {};
-  const localPort = v.build?.localPort;
-  if (typeof localPort === 'number' && localPort > 0) {
-    return localPort;
-  }
   return v.port ?? defaultPort;
 }
 
@@ -94,22 +88,15 @@ function getContainerPortFromPath(variablesPath) {
 }
 
 /**
- * Resolve local port from application config path.
- * Same rule as getLocalPort: build.localPort (when positive integer) → port.
- * Returns null when file is missing or neither localPort nor port is set.
- *
+ * Resolve manifest port from application config path.
  * @param {string} variablesPath - Path to application config
- * @returns {number|null} Local port or null
+ * @returns {number|null} Port or null
  */
 function getLocalPortFromPath(variablesPath) {
   const v = loadVariablesFromPath(variablesPath);
   if (!v) {
     return null;
   }
-  const localPort = v.build?.localPort;
-  if (typeof localPort === 'number' && localPort > 0) {
-    return localPort;
-  }
   const p = v.port;
   return (p !== undefined && p !== null) ? p : null;
 }

package/lib/utils/redis-env-scope.js

@@ -0,0 +1,62 @@
+/**
+ * Adjust Redis DB index in resolved .env content when environment-scoped resources are effective.
+ *
+ * @fileoverview REDIS_DB and redis:// URL path segment (plan 117)
+ * @author AI Fabrix Team
+ * @version 1.0.0
+ */
+
+'use strict';
+
+/**
+ * Set pathname /dbIndex for redis(s) URLs.
+ *
+ * @param {string} urlStr - redis:// or rediss:// URL
+ * @param {number} dbIndex - logical DB (0–15 typical)
+ * @returns {string}
+ */
+function setRedisUrlDbIndex(urlStr, dbIndex) {
+  if (!urlStr || typeof urlStr !== 'string') return urlStr;
+  try {
+    const u = new URL(urlStr.trim());
+    if (u.protocol !== 'redis:' && u.protocol !== 'rediss:') {
+      return urlStr;
+    }
+    u.pathname = `/${dbIndex}`;
+    return u.toString();
+  } catch {
+    return urlStr;
+  }
+}
+
+/**
+ * Apply Redis DB index to REDIS_DB= and REDIS_URL= lines when effective.
+ *
+ * @param {string} content - .env text
+ * @param {number|null} dbIndex - from redisDbIndexForScopedRunEnv; skip if null
+ * @returns {string}
+ */
+function applyRedisDbIndexToEnvContent(content, dbIndex) {
+  if (dbIndex === null || dbIndex === undefined || typeof content !== 'string') {
+    return content;
+  }
+  const lines = content.split('\n');
+  const out = lines.map((line) => {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) return line;
+    const eq = trimmed.indexOf('=');
+    if (eq <= 0) return line;
+    const key = trimmed.slice(0, eq).trim();
+    const value = trimmed.slice(eq + 1);
+    if (key === 'REDIS_DB') {
+      return `${key}=${dbIndex}`;
+    }
+    if (key === 'REDIS_URL' && value && !value.startsWith('kv://')) {
+      return `${key}=${setRedisUrlDbIndex(value, dbIndex)}`;
+    }
+    return line;
+  });
+  return out.join('\n');
+}
+
+module.exports = { applyRedisDbIndexToEnvContent, setRedisUrlDbIndex };