npm - @aifabrix/builder - Versions diffs - 2.43.0 → 2.44.0 - Mend

@aifabrix/builder 2.43.0 → 2.44.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (346) hide show

package/.cursor/rules/anchor-docs.mdc +15 -0
package/README.md +1 -1
package/anchor-docs/README.md +10 -0
package/anchor-docs/_TEMPLATE +24 -0
package/bin/aifabrix.js +13 -4
package/integration/hubspot-test/README.md +31 -0
package/integration/hubspot-test/create-hubspot.js +5 -5
package/integration/hubspot-test/hubspot-test-datasource-company.json +58 -462
package/integration/hubspot-test/hubspot-test-datasource-contact.json +61 -555
package/integration/hubspot-test/hubspot-test-datasource-deal.json +63 -506
package/integration/hubspot-test/hubspot-test-datasource-users.json +42 -83
package/integration/hubspot-test/hubspot-test-deploy.json +3 -3
package/integration/hubspot-test/test-dataplane-down-tests.js +1 -7
package/integration/hubspot-test/test-dataplane-down.js +3 -3
package/integration/hubspot-test/test.js +35 -43
package/integration/hubspot-test/wizard-hubspot-test-headless.yaml +23 -0
package/integration/roundtrip-test-local/README.md +144 -0
package/integration/roundtrip-test-local/application.yaml +13 -0
package/integration/roundtrip-test-local/env.template +15 -0
package/integration/roundtrip-test-local/roundtrip-test-local-datasource-roundtrip-test-company.yaml +14 -0
package/integration/roundtrip-test-local/roundtrip-test-local-deploy.json +61 -0
package/integration/roundtrip-test-local/roundtrip-test-local-system.yaml +25 -0
package/integration/roundtrip-test-local2/README.md +144 -0
package/integration/roundtrip-test-local2/application.yaml +13 -0
package/integration/roundtrip-test-local2/env.template +15 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-datasource-company.yaml +31 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-deploy.json +86 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-system.yaml +25 -0
package/integration/test/wizard.yaml +8 -0
package/jest.config.default.js +10 -0
package/jest.config.integration.fixtures.js +22 -0
package/jest.config.integration.js +21 -18
package/jest.config.isolated.js +10 -0
package/jest.projects.js +288 -0
package/lib/api/datasources-core.api.js +3 -3
package/lib/api/dev-mtls-request.js +110 -0
package/lib/api/dev-server-https.js +145 -0
package/lib/api/dev.api.js +133 -144
package/lib/api/index.js +0 -1
package/lib/api/pipeline.api.js +67 -20
package/lib/api/types/dev.types.js +4 -3
package/lib/api/types/pipeline.types.js +8 -5
package/lib/api/types/validation-run.types.js +56 -0
package/lib/api/validation-run.api.js +99 -0
package/lib/api/validation-runner.js +99 -0
package/lib/app/config.js +1 -1
package/lib/app/deploy-status-display.js +2 -2
package/lib/app/deploy.js +7 -6
package/lib/app/display.js +2 -1
package/lib/app/dockerfile.js +3 -2
package/lib/app/down.js +2 -1
package/lib/app/helpers.js +6 -5
package/lib/app/index.js +27 -8
package/lib/app/list.js +7 -6
package/lib/app/push.js +4 -3
package/lib/app/register.js +16 -7
package/lib/app/rotate-secret.js +14 -13
package/lib/app/run-container-start.js +184 -0
package/lib/app/run-docker-fallback.js +108 -0
package/lib/app/run-env-compose.js +30 -42
package/lib/app/run-helpers.js +49 -126
package/lib/app/run-infra-requirements.js +30 -0
package/lib/app/run-resolve-image.js +21 -0
package/lib/app/run.js +74 -21
package/lib/app/show-display.js +1 -1
package/lib/app/show.js +1 -1
package/lib/build/index.js +13 -10
package/lib/cli/index.js +2 -0
package/lib/cli/setup-app.help.js +67 -0
package/lib/cli/setup-app.js +57 -121
package/lib/cli/setup-app.test-commands.js +179 -0
package/lib/cli/setup-auth.js +19 -5
package/lib/cli/setup-credential-deployment.js +22 -8
package/lib/cli/setup-dev-path-commands.js +124 -0
package/lib/cli/setup-dev.js +170 -113
package/lib/cli/setup-environment.js +7 -1
package/lib/cli/setup-external-system.js +62 -22
package/lib/cli/setup-infra.js +126 -47
package/lib/cli/setup-parameters.js +32 -0
package/lib/cli/setup-secrets.js +106 -8
package/lib/cli/setup-service-user.js +1 -1
package/lib/cli/setup-utility.js +36 -20
package/lib/commands/app-down.js +5 -7
package/lib/commands/app-install.js +14 -7
package/lib/commands/app-logs.js +13 -10
package/lib/commands/app-shell.js +4 -1
package/lib/commands/app-test.js +25 -19
package/lib/commands/app.js +22 -10
package/lib/commands/auth-config.js +6 -6
package/lib/commands/auth-status.js +4 -3
package/lib/commands/credential-env.js +4 -3
package/lib/commands/credential-list.js +5 -4
package/lib/commands/credential-push.js +4 -3
package/lib/commands/datasource-unified-test-cli.js +495 -0
package/lib/commands/datasource-unified-test-cli.options.js +149 -0
package/lib/commands/datasource-validation-cli.js +129 -0
package/lib/commands/datasource.js +105 -98
package/lib/commands/deployment-list.js +6 -5
package/lib/commands/dev-cli-handlers.js +122 -18
package/lib/commands/dev-down.js +4 -3
package/lib/commands/dev-init.js +231 -116
package/lib/commands/dev-show-display.js +473 -0
package/lib/commands/login-credentials.js +3 -2
package/lib/commands/login-device.js +4 -3
package/lib/commands/login.js +5 -4
package/lib/commands/logout.js +8 -7
package/lib/commands/parameters-validate.js +54 -0
package/lib/commands/repair-datasource.js +314 -68
package/lib/commands/repair-env-template.js +2 -2
package/lib/commands/repair.js +21 -3
package/lib/commands/secrets-list.js +23 -12
package/lib/commands/secrets-remove-all.js +220 -0
package/lib/commands/secrets-remove.js +21 -12
package/lib/commands/secrets-set.js +21 -12
package/lib/commands/secrets-validate.js +4 -4
package/lib/commands/secure.js +10 -9
package/lib/commands/service-user.js +26 -25
package/lib/commands/test-e2e-external.js +27 -1
package/lib/commands/up-common.js +3 -2
package/lib/commands/up-dataplane.js +29 -16
package/lib/commands/up-miso.js +19 -29
package/lib/commands/upload.js +138 -39
package/lib/commands/wizard-core-helpers.js +1 -1
package/lib/commands/wizard-dataplane.js +4 -3
package/lib/commands/wizard-helpers.js +3 -3
package/lib/commands/wizard.js +2 -2
package/lib/core/admin-secrets.js +14 -5
package/lib/core/audit-logger.js +12 -4
package/lib/core/config-attach-extensions.js +46 -0
package/lib/core/config-runtime-paths.js +29 -0
package/lib/core/config.js +55 -56
package/lib/core/diff.js +3 -2
package/lib/core/ensure-encryption-key.js +1 -1
package/lib/core/secrets-ensure-infra.js +77 -0
package/lib/core/secrets-ensure.js +120 -64
package/lib/core/secrets-env-write.js +35 -7
package/lib/core/secrets-infra-placeholder-sync.js +61 -0
package/lib/core/secrets.js +200 -37
package/lib/core/templates-env.js +4 -3
package/lib/datasource/abac-validator.js +1 -10
package/lib/datasource/deploy.js +75 -53
package/lib/datasource/field-reference-validator.js +9 -6
package/lib/datasource/integration-context.js +63 -0
package/lib/datasource/list.js +8 -7
package/lib/datasource/log-viewer.js +84 -53
package/lib/datasource/resolve-app.js +4 -4
package/lib/datasource/test-e2e.js +95 -146
package/lib/datasource/test-integration.js +114 -122
package/lib/datasource/unified-validation-run-body.js +65 -0
package/lib/datasource/unified-validation-run-post.js +23 -0
package/lib/datasource/unified-validation-run-resolve.js +43 -0
package/lib/datasource/unified-validation-run.js +92 -0
package/lib/datasource/validate.js +157 -13
package/lib/deployment/deployer.js +4 -3
package/lib/deployment/environment.js +7 -6
package/lib/deployment/push.js +17 -8
package/lib/external-system/delete.js +4 -3
package/lib/external-system/deploy.js +131 -53
package/lib/external-system/download-helpers.js +1 -1
package/lib/external-system/download.js +7 -6
package/lib/external-system/generator.js +92 -6
package/lib/external-system/integration-test-dispatch.js +26 -0
package/lib/external-system/test-execution.js +5 -1
package/lib/external-system/test-helpers.js +0 -4
package/lib/external-system/test-system-level-helpers.js +110 -0
package/lib/external-system/test-system-level.js +83 -44
package/lib/external-system/test.js +59 -8
package/lib/generator/builders.js +23 -11
package/lib/generator/deploy-manifest-azure-kv.js +81 -0
package/lib/generator/external.js +16 -4
package/lib/generator/helpers.js +58 -3
package/lib/generator/index.js +4 -0
package/lib/generator/split-readme.js +12 -7
package/lib/generator/split-variables.js +2 -1
package/lib/generator/split.js +1 -1
package/lib/generator/wizard-readme.js +3 -3
package/lib/generator/wizard.js +8 -8
package/lib/infrastructure/compose.js +60 -6
package/lib/infrastructure/helpers.js +201 -29
package/lib/infrastructure/index.js +28 -17
package/lib/infrastructure/services.js +21 -15
package/lib/internal/fs-real-sync.js +104 -0
package/lib/internal/node-fs.js +98 -0
package/lib/parameters/database-secret-values.js +173 -0
package/lib/parameters/infra-kv-discovery.js +121 -0
package/lib/parameters/infra-parameter-catalog.js +458 -0
package/lib/parameters/infra-parameter-validate.js +64 -0
package/lib/schema/application-schema.json +37 -17
package/lib/schema/datasource-test-run.schema.json +493 -0
package/lib/schema/deployment-rules.yaml +102 -63
package/lib/schema/external-datasource.schema.json +1200 -442
package/lib/schema/external-system.schema.json +181 -5
package/lib/schema/flag-map-validation-run.json +31 -0
package/lib/schema/infra-parameter.schema.json +106 -0
package/lib/schema/infra.parameter.yaml +421 -0
package/lib/schema/type/credential-auth-templates.json +40 -0
package/lib/schema/type/document-storage.json +213 -0
package/lib/schema/type/message-service.json +123 -0
package/lib/schema/type/vector-store.json +88 -0
package/lib/utils/aifabrix-runtime-config-dir.js +132 -0
package/lib/utils/api-error-handler.js +2 -2
package/lib/utils/api.js +49 -14
package/lib/utils/app-register-api.js +3 -2
package/lib/utils/app-register-auth.js +1 -1
package/lib/utils/app-register-config.js +4 -4
package/lib/utils/app-register-display.js +3 -2
package/lib/utils/app-register-validator.js +3 -2
package/lib/utils/app-run-containers.js +26 -22
package/lib/utils/app-scoped-config.js +31 -0
package/lib/utils/app-service-env-from-builder.js +164 -0
package/lib/utils/build-copy.js +1 -1
package/lib/utils/build-helpers.js +20 -20
package/lib/utils/build-resolve-image.js +165 -0
package/lib/utils/cli-layout-chalk.js +8 -0
package/lib/utils/cli-test-layout-chalk.js +267 -0
package/lib/utils/cli-utils.js +88 -11
package/lib/utils/compose-db-passwords.js +138 -0
package/lib/utils/compose-generate-docker-compose.js +216 -0
package/lib/utils/compose-generator.js +197 -291
package/lib/utils/compose-miso-env.js +18 -0
package/lib/utils/compose-traefik-ingress-base.js +158 -0
package/lib/utils/config-paths.js +166 -7
package/lib/utils/config-scoped-resources-preference.js +41 -0
package/lib/utils/controller-deployment-outcome.js +68 -0
package/lib/utils/credential-display.js +2 -2
package/lib/utils/dataplane-pipeline-warning.js +4 -3
package/lib/utils/datasource-test-run-capability-scope.js +43 -0
package/lib/utils/datasource-test-run-debug-display.js +137 -0
package/lib/utils/datasource-test-run-debug-slice.js +93 -0
package/lib/utils/datasource-test-run-display.js +442 -0
package/lib/utils/datasource-test-run-exit.js +58 -0
package/lib/utils/datasource-test-run-legacy-adapter.js +93 -0
package/lib/utils/datasource-test-run-report-version.js +51 -0
package/lib/utils/datasource-test-run-schema-sync.js +59 -0
package/lib/utils/datasource-test-run-tty-log.js +81 -0
package/lib/utils/datasource-validation-watch.js +266 -0
package/lib/utils/declarative-url-ports.js +47 -0
package/lib/utils/derive-env-key-from-client-id.js +41 -0
package/lib/utils/dev-ca-install.js +185 -23
package/lib/utils/dev-cert-helper.js +266 -17
package/lib/utils/dev-hosts-helper.js +307 -0
package/lib/utils/dev-init-cert-hints.js +37 -0
package/lib/utils/dev-init-health-messages.js +52 -0
package/lib/utils/dev-init-resolve.js +86 -0
package/lib/utils/dev-init-ssh-merge.js +65 -0
package/lib/utils/dev-ssh-config-helper.js +196 -0
package/lib/utils/dev-user-groups.js +93 -0
package/lib/utils/docker-build.js +42 -17
package/lib/utils/docker-exec.js +28 -0
package/lib/utils/docker-manifest-public-port.js +116 -0
package/lib/utils/docker-not-running-hint.js +52 -0
package/lib/utils/docker.js +98 -11
package/lib/utils/ensure-dev-certs-for-remote-docker.js +192 -0
package/lib/utils/env-config-loader.js +10 -91
package/lib/utils/env-copy.js +19 -10
package/lib/utils/env-map.js +35 -8
package/lib/utils/env-template.js +2 -2
package/lib/utils/environment-scoped-resources.js +144 -0
package/lib/utils/error-formatter.js +92 -13
package/lib/utils/error-formatters/http-status-errors.js +6 -5
package/lib/utils/error-formatters/network-errors.js +2 -1
package/lib/utils/error-formatters/permission-errors.js +2 -1
package/lib/utils/error-formatters/validation-errors.js +2 -1
package/lib/utils/external-readme.js +8 -1
package/lib/utils/external-system-display.js +234 -136
package/lib/utils/external-system-local-test-tty.js +389 -0
package/lib/utils/external-system-readiness-core.js +377 -0
package/lib/utils/external-system-readiness-deploy-display.js +270 -0
package/lib/utils/external-system-readiness-display-internals.js +150 -0
package/lib/utils/external-system-readiness-display.js +186 -0
package/lib/utils/external-system-test-helpers.js +24 -6
package/lib/utils/external-system-validators.js +30 -12
package/lib/utils/health-check-url.js +119 -0
package/lib/utils/health-check.js +59 -25
package/lib/utils/help-builder.js +11 -8
package/lib/utils/image-version.js +4 -8
package/lib/utils/infra-containers.js +4 -7
package/lib/utils/infra-env-defaults.js +162 -0
package/lib/utils/infra-status-display.js +167 -0
package/lib/utils/infra-status.js +16 -8
package/lib/utils/local-secrets.js +3 -4
package/lib/utils/paths.js +134 -47
package/lib/utils/port-resolver.js +10 -23
package/lib/utils/redis-env-scope.js +62 -0
package/lib/utils/register-aifabrix-shell-env.js +204 -0
package/lib/utils/remote-builder-validation.js +99 -0
package/lib/utils/remote-dev-auth.js +117 -21
package/lib/utils/remote-docker-env.js +67 -15
package/lib/utils/remote-secrets-loader.js +13 -4
package/lib/utils/resolve-docker-image-ref.js +124 -0
package/lib/utils/schema-loader.js +22 -9
package/lib/utils/secrets-bash-kv.js +25 -0
package/lib/utils/secrets-generator.js +169 -49
package/lib/utils/secrets-helpers.js +70 -59
package/lib/utils/secrets-kv-scope.js +60 -0
package/lib/utils/secrets-utils.js +32 -38
package/lib/utils/secrets-validation.js +3 -1
package/lib/utils/secrets-yaml-preserve.js +109 -0
package/lib/utils/ssh-key-helper.js +4 -2
package/lib/utils/template-helpers.js +2 -2
package/lib/utils/test-log-writer.js +3 -3
package/lib/utils/token-manager.js +1 -2
package/lib/utils/url-declarative-public-base.js +188 -0
package/lib/utils/url-declarative-resolve-build.js +493 -0
package/lib/utils/url-declarative-resolve-load-doc.js +51 -0
package/lib/utils/url-declarative-resolve.js +220 -0
package/lib/utils/url-declarative-token-parse.js +74 -0
package/lib/utils/url-declarative-url-flags.js +50 -0
package/lib/utils/url-declarative-vdir-inactive-env.js +99 -0
package/lib/utils/url-public-path-prefix.js +34 -0
package/lib/utils/urls-local-registry.js +220 -0
package/lib/utils/validation-report-tty-kit.js +77 -0
package/lib/utils/validation-run-poll.js +89 -0
package/lib/utils/validation-run-post-retry.js +73 -0
package/lib/utils/validation-run-request.js +98 -0
package/lib/utils/variable-transformer.js +21 -4
package/lib/utils/yaml-preserve.js +33 -14
package/lib/validation/datasource-warnings.js +56 -0
package/lib/validation/env-template-auth.js +1 -1
package/lib/validation/external-manifest-validator.js +27 -7
package/lib/validation/validate-display.js +37 -31
package/lib/validation/validate.js +4 -13
package/lib/validation/validator-unresolved-placeholders.js +98 -0
package/lib/validation/validator.js +22 -65
package/lib/validation/wizard-config-validator.js +2 -1
package/package.json +7 -3
package/scripts/check-datasource-test-run-schema-sync.js +34 -0
package/scripts/diagnose-cli.js +150 -0
package/scripts/install-local.js +304 -55
package/templates/README.md +15 -2
package/templates/applications/dataplane/application.yaml +52 -2
package/templates/applications/dataplane/env.template +75 -17
package/templates/applications/dataplane/rbac.yaml +8 -0
package/templates/applications/keycloak/application.yaml +9 -1
package/templates/applications/keycloak/env.template +15 -6
package/templates/applications/miso-controller/application.yaml +10 -2
package/templates/applications/miso-controller/env.template +42 -12
package/templates/applications/miso-controller/rbac.yaml +5 -0
package/templates/external-system/README.md.hbs +20 -7
package/templates/external-system/deploy.js.hbs +5 -5
package/templates/external-system/external-datasource.yaml.hbs +197 -118
package/templates/infra/compose.yaml.hbs +20 -4
package/templates/python/docker-compose.hbs +16 -0
package/templates/typescript/docker-compose.hbs +16 -0
package/lib/api/external-test.api.js +0 -111
package/lib/schema/env-config.yaml +0 -60

package/lib/utils/resolve-docker-image-ref.js ADDED Viewed

@@ -0,0 +1,124 @@
+/**
+ * Resolve Docker repository path and tag from application config and optional CLI overrides.
+ * Precedence: --image (full ref), --registry CLI, image.registry in manifest, else unqualified name.
+ *
+ * For refs like localhost:5000/repo without an explicit tag, prefer --image with :tag (parse ambiguity).
+ *
+ * @fileoverview Shared Docker image reference resolution for run, compose, and version checks
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+'use strict';
+const { parseImageOverride } = require('./parse-image-ref');
+/**
+ * Repository path without host (same rules as compose-generator getImageName).
+ * @param {Object} appConfig - Application configuration
+ * @param {string} appName - Application name fallback
+ * @returns {string}
+ */
+function getRepositoryPathFromConfig(appConfig, appName) {
+  if (!appConfig || typeof appConfig !== 'object') {
+    return appName;
+  }
+  if (typeof appConfig.image === 'string') {
+    return appConfig.image.split(':')[0];
+  }
+  if (appConfig.image?.name) {
+    return appConfig.image.name;
+  }
+  if (appConfig.app?.key) {
+    return appConfig.app.key;
+  }
+  return appName;
+}
+/**
+ * @param {Object} [appConfig]
+ * @returns {string}
+ */
+function imageTagFromConfig(appConfig) {
+  return (appConfig && appConfig.image && appConfig.image.tag) || 'latest';
+}
+/**
+ * Trim and strip trailing slashes from a registry host/prefix. Empty/whitespace → ''.
+ * @param {string|undefined|null|number} registry - Registry host or prefix
+ * @returns {string}
+ */
+function normalizeDockerRegistryPrefix(registry) {
+  if (registry === null || registry === undefined) {
+    return '';
+  }
+  if (typeof registry !== 'string') {
+    return normalizeDockerRegistryPrefix(String(registry));
+  }
+  const t = registry.trim();
+  if (!t) {
+    return '';
+  }
+  return t.replace(/\/+$/, '');
+}
+/**
+ * Effective image repository (may include registry prefix) and tag for Docker.
+ * @param {string} appName - Application name
+ * @param {Object} appConfig - Loaded application manifest
+ * @param {Object} [runOptions] - Run/deploy options
+ * @param {string} [runOptions.image] - Full image ref override
+ * @param {string} [runOptions.registry] - CLI registry prefix (wins over manifest)
+ * @returns {{ imageName: string, imageTag: string }}
+ */
+function resolveDockerImageRef(appName, appConfig, runOptions = {}) {
+  const opts = runOptions || {};
+  if (opts.image) {
+    const parsed = parseImageOverride(opts.image);
+    return {
+      imageName: parsed ? parsed.name : getRepositoryPathFromConfig(appConfig, appName),
+      imageTag: parsed ? parsed.tag : imageTagFromConfig(appConfig)
+    };
+  }
+  const baseRepo = getRepositoryPathFromConfig(appConfig, appName);
+  const imageTag = imageTagFromConfig(appConfig);
+  const prefix =
+    normalizeDockerRegistryPrefix(opts.registry) ||
+    normalizeDockerRegistryPrefix(appConfig?.image?.registry ?? '');
+  if (prefix) {
+    return { imageName: `${prefix}/${baseRepo}`, imageTag };
+  }
+  return { imageName: baseRepo, imageTag };
+}
+/**
+ * Full image string for compose when manifest/CLI registry applies; else null (use template defaults).
+ * @param {string} appName - Application name
+ * @param {Object} appConfig - Application configuration
+ * @param {Object} [options] - Run options (image, imageOverride, tag, registry)
+ * @returns {string|null}
+ */
+function resolveComposeImageOverrideString(appName, appConfig, options = {}) {
+  if (options.image) return options.image;
+  if (options.imageOverride) return options.imageOverride;
+  const runOpts = { registry: options.registry, image: undefined };
+  if (options.tag) {
+    const { imageName } = resolveDockerImageRef(appName, appConfig, runOpts);
+    return `${imageName}:${options.tag}`;
+  }
+  const { imageName, imageTag } = resolveDockerImageRef(appName, appConfig, runOpts);
+  const shortName = getRepositoryPathFromConfig(appConfig, appName);
+  const shortTag = imageTagFromConfig(appConfig);
+  if (imageName === shortName && imageTag === shortTag) {
+    return null;
+  }
+  return `${imageName}:${imageTag}`;
+}
+module.exports = {
+  resolveDockerImageRef,
+  resolveComposeImageOverrideString,
+  normalizeDockerRegistryPrefix,
+  getRepositoryPathFromConfig
+};

package/lib/utils/schema-loader.js CHANGED Viewed

@@ -9,9 +9,10 @@
  * @version 2.0.0
  */
-const fs = require('fs');
+const fsRealSync = require('../internal/fs-real-sync');
 const path = require('path');
 const Ajv = require('ajv');
+const addFormats = require('ajv-formats');
 // Cache for compiled validators
 // These are reset when module is reloaded (for testing)
@@ -46,11 +47,14 @@ function loadExternalSystemSchema() {
   const schemaPath = path.join(__dirname, '..', 'schema', 'external-system.schema.json');
-  if (!fs.existsSync(schemaPath)) {
-    throw new Error(`External system schema not found: ${schemaPath}`);
+  if (!fsRealSync.existsSync(schemaPath)) {
+    throw new Error(
+      `External system schema not found: ${schemaPath}. ` +
+        'Ensure the file exists (tracked under lib/schema/); run git checkout HEAD -- lib/schema/external-system.schema.json if your tree is incomplete.'
+    );
   }
-  const schemaContent = fs.readFileSync(schemaPath, 'utf8');
+  const schemaContent = fsRealSync.readFileSync(schemaPath, 'utf8');
   let schema;
   try {
@@ -60,6 +64,7 @@ function loadExternalSystemSchema() {
   }
   const ajv = new Ajv({ allErrors: true, strict: false });
+  addFormats(ajv);
   externalSystemValidator = ajv.compile(schema);
   return externalSystemValidator;
@@ -84,11 +89,14 @@ function loadExternalDataSourceSchema() {
   const schemaPath = path.join(__dirname, '..', 'schema', 'external-datasource.schema.json');
-  if (!fs.existsSync(schemaPath)) {
-    throw new Error(`External datasource schema not found: ${schemaPath}`);
+  if (!fsRealSync.existsSync(schemaPath)) {
+    throw new Error(
+      `External datasource schema not found: ${schemaPath}. ` +
+        'Ensure the file exists (tracked under lib/schema/); run git checkout HEAD -- lib/schema/external-datasource.schema.json if your tree is incomplete.'
+    );
   }
-  const schemaContent = fs.readFileSync(schemaPath, 'utf8');
+  const schemaContent = fsRealSync.readFileSync(schemaPath, 'utf8');
   let schema;
   try {
@@ -106,6 +114,11 @@ function loadExternalDataSourceSchema() {
   }
   const ajv = new Ajv({ allErrors: true, strict: false, strictSchema: false });
+  addFormats(ajv);
+  // external-datasource.schema.json references these by $id (aifabrix://schema/type/*)
+  ajv.addSchema(require('../schema/type/document-storage.json'));
+  ajv.addSchema(require('../schema/type/message-service.json'));
+  ajv.addSchema(require('../schema/type/vector-store.json'));
   externalDataSourceValidator = ajv.compile(schemaToCompile);
   return externalDataSourceValidator;
@@ -250,10 +263,10 @@ function readAndParseFileContent(filePath, content) {
   let fileContent = content;
   if (!fileContent) {
-    if (!fs.existsSync(filePath)) {
+    if (!fsRealSync.existsSync(filePath)) {
       throw new Error(`File not found: ${filePath}`);
     }
-    fileContent = fs.readFileSync(filePath, 'utf8');
+    fileContent = fsRealSync.readFileSync(filePath, 'utf8');
   }
   try {

package/lib/utils/secrets-bash-kv.js ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * kv://BASH_<NAME> fallback: use process.env.<NAME>, then process.env.BASH_<NAME> (shared BASH_ keys).
+ * @fileoverview
+ */
+'use strict';
+/**
+ * @param {string} pathStr - Flat kv path (no slashes)
+ * @returns {string|undefined}
+ */
+function resolveBashKvFromProcessEnv(pathStr) {
+  if (!pathStr || typeof pathStr !== 'string' || pathStr.includes('/')) return undefined;
+  if (!pathStr.startsWith('BASH_')) return undefined;
+  const suffix = pathStr.slice(5);
+  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(suffix)) return undefined;
+  const pick = k => {
+    const raw = process.env[k];
+    if (raw === undefined || raw === null) return undefined;
+    const t = String(raw).trim();
+    return t.length > 0 ? t : undefined;
+  };
+  return pick(suffix) ?? pick(pathStr);
+}
+module.exports = { resolveBashKvFromProcessEnv };

package/lib/utils/secrets-generator.js CHANGED Viewed

@@ -16,6 +16,17 @@ const yaml = require('js-yaml');
 const crypto = require('crypto');
 const logger = require('./logger');
 const pathsUtil = require('./paths');
+const { mergeFlatSecretsYamlPreservingComments } = require('./secrets-yaml-preserve');
+const {
+  generateDatabasePasswordValueForKey,
+  generateDatabaseUrlValueForKey,
+  parseDatabaseSecretKey
+} = require('../parameters/database-secret-values');
+/** Lazy require so tests can jest.spyOn getInfraParameterCatalog after module load. */
+function infraParameterCatalogModule() {
+  return require('../parameters/infra-parameter-catalog');
+}
 /**
  * Parse key-value pairs from YAML-like lines (last occurrence wins per key).
@@ -44,7 +55,9 @@ function parseYamlKeyValueLines(content) {
 /**
  * Parse YAML content tolerating duplicate keys (last occurrence wins).
  * Use for secrets files that may have been appended to repeatedly.
- * Tries yaml.load first; on "duplicate key" error falls back to line-by-line parse.
+ * Tries yaml.load first; on duplicate-key errors or other parse failures (e.g. `{}` on line 1
+ * then `key: value` lines — invalid multi-document without `---`) falls back to line-by-line
+ * parse for flat key: value secrets files.
  *
  * @param {string} content - Raw YAML content
  * @returns {Object} Parsed object (last value wins for duplicate keys)
@@ -56,13 +69,11 @@ function loadYamlTolerantOfDuplicateKeys(content) {
   try {
     const parsed = yaml.load(content);
     return parsed && typeof parsed === 'object' ? parsed : {};
-  } catch (err) {
-    const msg = err.message || '';
-    if (!msg.includes('duplicate') && !msg.includes('duplicated mapping')) {
-      throw err;
-    }
+  } catch {
+    // Duplicate keys, `{}` + appended YAML (invalid multi-doc), or other bad merges —
+    // flat secrets files recover via line parse (last key wins).
+    return parseYamlKeyValueLines(content);
   }
-  return parseYamlKeyValueLines(content);
 }
 /**
@@ -104,18 +115,37 @@ function findMissingSecretKeys(envTemplate, existingSecrets) {
   return missingKeys;
 }
+/**
+ * Resolve app directory for database key generation (application.yaml lookup).
+ * @param {string} key - Secret key
+ * @returns {string|null}
+ */
+function resolveAppDirForDatabaseKey(key) {
+  const parsed = parseDatabaseSecretKey(key);
+  if (!parsed) return null;
+  try {
+    const builderPath = pathsUtil.getBuilderPath(parsed.appKey);
+    if (fs.existsSync(builderPath)) return builderPath;
+  } catch {
+    /* ignore */
+  }
+  try {
+    const intPath = pathsUtil.getIntegrationPath(parsed.appKey);
+    if (fs.existsSync(intPath)) return intPath;
+  } catch {
+    /* ignore */
+  }
+  return null;
+}
 /**
  * Generate database password value for a key (databases-*-passwordKeyVault)
  * @param {string} key - Secret key name
  * @returns {string|null} Password string or null if key does not match
  */
 function generateDbPasswordValue(key) {
-  const dbPasswordMatch = key.match(/^databases-([a-z0-9-_]+)-\d+-passwordKeyVault$/i);
-  if (!dbPasswordMatch) return null;
-  const appName = dbPasswordMatch[1];
-  if (appName === 'miso-controller') return 'miso_pass123';
-  const dbName = appName.replace(/-/g, '_');
-  return `${dbName}_pass123`;
+  const appDir = resolveAppDirForDatabaseKey(key);
+  return generateDatabasePasswordValueForKey(key, appDir);
 }
 /**
@@ -124,44 +154,98 @@ function generateDbPasswordValue(key) {
  * @returns {string|null} URL string or null if key does not match
  */
 function generateDbUrlValue(key) {
-  const dbUrlMatch = key.match(/^databases-([a-z0-9-_]+)-\d+-urlKeyVault$/i);
-  if (!dbUrlMatch) return null;
-  const appName = dbUrlMatch[1];
-  if (appName === 'miso-controller') {
-    return 'postgresql://miso_user:miso_pass123@${DB_HOST}:${DB_PORT}/miso';
+  const appDir = resolveAppDirForDatabaseKey(key);
+  return generateDatabaseUrlValueForKey(key, appDir);
+}
+/**
+ * @param {string} key - Secret key
+ * @param {Record<string, string>|undefined} placeholderContext - Merged infra.parameter.yaml defaults + CLI overrides
+ * @returns {string|undefined} Value if catalog handled key; undefined to use legacy rules
+ */
+function tryGenerateSecretValueFromCatalog(key, placeholderContext) {
+  let catalogEntry;
+  try {
+    catalogEntry = infraParameterCatalogModule().getInfraParameterCatalog().findEntryForKey(key);
+  } catch (err) {
+    logger.warn(`infra parameter catalog unavailable (${err.message}); using legacy generators.`);
+    return undefined;
+  }
+  if (!catalogEntry || !catalogEntry.generator) return undefined;
+  const g = catalogEntry.generator.type;
+  if (g === 'databasePassword') {
+    const v = generateDbPasswordValue(key);
+    return v !== null ? v : undefined;
+  }
+  if (g === 'databaseUrl') {
+    const v = generateDbUrlValue(key);
+    return v !== null ? v : undefined;
   }
-  const dbName = appName.replace(/-/g, '_');
-  return `postgresql://${dbName}_user:${dbName}_pass123@\${DB_HOST}:\${DB_PORT}/${dbName}`;
+  if (
+    g === 'randomBytes32' ||
+    g === 'randomAlphanumeric' ||
+    g === 'password' ||
+    g === 'emptyString' ||
+    g === 'emptyAllowed' ||
+    g === 'literal'
+  ) {
+    return infraParameterCatalogModule().generateValueFromCatalogEntry(key, catalogEntry, crypto, placeholderContext);
+  }
+  return undefined;
 }
 /**
- * Generates secret value based on key name
- * @function generateSecretValue
- * @param {string} key - Secret key name
- * @returns {string} Generated secret value
+ * Last-resort generation when infra.parameter.yaml cannot be loaded (e.g. tests, broken install).
+ * @param {string} key
+ * @returns {string}
  */
-function generateSecretValue(key) {
+function legacySecretValueWhenCatalogUnavailable(key) {
   const keyLower = key.toLowerCase();
   if (keyLower.includes('password')) {
     const dbPassword = generateDbPasswordValue(key);
     if (dbPassword !== null) return dbPassword;
     return crypto.randomBytes(32).toString('base64');
   }
   if (keyLower.includes('url') || keyLower.includes('uri')) {
     const dbUrl = generateDbUrlValue(key);
     if (dbUrl !== null) return dbUrl;
     return '';
   }
   if (keyLower.includes('key') || keyLower.includes('secret') || keyLower.includes('token')) {
     return crypto.randomBytes(32).toString('base64');
   }
   return '';
 }
+/**
+ * @param {string} key - Secret key name
+ * @param {Record<string, string>|undefined} placeholderContext - Optional merged catalog defaults + CLI (e.g. up-infra)
+ * @returns {string} Generated secret value
+ */
+function generateSecretValue(key, placeholderContext) {
+  const fromCatalog = tryGenerateSecretValueFromCatalog(key, placeholderContext);
+  if (fromCatalog !== undefined) return fromCatalog;
+  const dbPassword = generateDbPasswordValue(key);
+  if (dbPassword !== null) return dbPassword;
+  const dbUrl = generateDbUrlValue(key);
+  if (dbUrl !== null) return dbUrl;
+  try {
+    infraParameterCatalogModule().getInfraParameterCatalog();
+  } catch {
+    logger.warn(
+      `Secret key "${key}": infra parameter catalog unavailable; using legacy name heuristics.`
+    );
+    return legacySecretValueWhenCatalogUnavailable(key);
+  }
+  throw new Error(
+    `Cannot generate secret for key "${key}": no matching rule in infra.parameter.yaml. ` +
+      'Add a catalog entry or run `aifabrix parameters validate` after fixing env.template references.'
+  );
+}
 /**
  * Loads existing secrets from file
  * @function loadExistingSecrets
@@ -196,6 +280,23 @@ function saveSecretsFile(resolvedPath, secrets) {
     fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
   }
+  if (fs.existsSync(resolvedPath)) {
+    try {
+      const existing = fs.readFileSync(resolvedPath, 'utf8');
+      const mergedContent = mergeFlatSecretsYamlPreservingComments(existing, secrets, {
+        yaml,
+        dumpOpts: YAML_DUMP_OPTS
+      });
+      if (mergedContent !== null) {
+        fs.writeFileSync(resolvedPath, mergedContent + (mergedContent.endsWith('\n') ? '' : '\n'), { mode: 0o600 });
+        return;
+      }
+    } catch (err) {
+      logger.warn(`Could not preserve comments when writing secrets file: ${err.message}; rewriting YAML.`);
+      // fall through to dump overwrite
+    }
+  }
   const yamlContent = yaml.dump(secrets, {
     indent: 2,
     lineWidth: -1,
@@ -208,6 +309,20 @@ function saveSecretsFile(resolvedPath, secrets) {
 const YAML_DUMP_OPTS = { indent: 2, lineWidth: -1, noRefs: true, sortKeys: false };
+/**
+ * @param {string} resolvedPath
+ * @returns {string}
+ */
+function readSecretsFileUtf8OrWarnEmpty(resolvedPath) {
+  try {
+    const raw = fs.readFileSync(resolvedPath, 'utf8');
+    return typeof raw === 'string' ? raw : '';
+  } catch (err) {
+    logger.warn(`Could not read existing secrets file: ${err.message}; appending new keys only.`);
+    return '';
+  }
+}
 /**
  * Merges secret keys into the secrets file (load existing, merge, overwrite file).
  * Use when setting or updating keys so that existing keys are updated in place instead of duplicated.
@@ -253,12 +368,13 @@ function appendSecretsToFile(resolvedPath, secrets) {
     return;
   }
-  let existing = '';
+  const existing = readSecretsFileUtf8OrWarnEmpty(resolvedPath);
   try {
-    const raw = fs.readFileSync(resolvedPath, 'utf8');
-    existing = typeof raw === 'string' ? raw : '';
-  } catch (err) {
-    logger.warn(`Could not read existing secrets file: ${err.message}; appending new keys only.`);
+    yaml.load(existing);
+  } catch {
+    const mergedObj = { ...loadExistingSecrets(resolvedPath), ...secrets };
+    saveSecretsFile(resolvedPath, mergedObj);
+    return;
   }
   const separator = existing.length > 0 && !existing.endsWith('\n') ? '\n' : '';
   fs.writeFileSync(resolvedPath, existing + separator + appendContent, { mode: 0o600 });
@@ -296,7 +412,7 @@ async function generateMissingSecrets(envTemplate, secretsPath) {
   appendSecretsToFile(resolvedPath, newSecrets);
-  logger.log(`✓ Generated ${missingKeys.length} missing secret key(s): ${missingKeys.join(', ')}`);
+  logger.log(`✔ Generated ${missingKeys.length} missing secret key(s): ${missingKeys.join(', ')}`);
   return missingKeys;
 }
@@ -314,6 +430,15 @@ async function generateMissingSecrets(envTemplate, secretsPath) {
  * await createDefaultSecrets('~/.aifabrix/secrets.yaml');
  * // Default secrets file is created
  */
+/** Minimal seed keys for first-time secrets file; values match infra.parameter.yaml generators. */
+const DEFAULT_SECRETS_SEED_KEYS = [
+  'postgres-passwordKeyVault',
+  'redis-passwordKeyVault',
+  'redis-url',
+  'keycloak-admin-passwordKeyVault',
+  'keycloak-web-server-url'
+];
 async function createDefaultSecrets(secretsPath) {
   const resolvedPath = secretsPath.startsWith('~')
     ? path.join(os.homedir(), secretsPath.slice(1))
@@ -324,22 +449,17 @@ async function createDefaultSecrets(secretsPath) {
     fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
   }
-  const defaultSecrets = `# Local Development Secrets
-# Production uses Azure KeyVault
-# Database Secrets
-postgres-passwordKeyVault: "admin123"
-# Redis Secrets
-redis-passwordKeyVault: ""
-redis-url: "redis://\${REDIS_HOST}:\${REDIS_PORT}"
+  const seeded = {};
+  for (const k of DEFAULT_SECRETS_SEED_KEYS) {
+    seeded[k] = generateSecretValue(k);
+  }
-# Keycloak Secrets
-keycloak-admin-passwordKeyVault: "admin123"
-keycloak-server-url: "http://\${KEYCLOAK_HOST}:\${KEYCLOAK_PORT}"
-`;
+  const header =
+    '# Local development secrets (catalog-aligned seed). Run aifabrix up-infra and aifabrix resolve <app> --force for full keys.\n' +
+    '# Production uses Azure Key Vault.\n\n';
+  const body = yaml.dump(seeded, { indent: 2, lineWidth: -1, noRefs: true, sortKeys: false });
-  fs.writeFileSync(resolvedPath, defaultSecrets, { mode: 0o600 });
+  fs.writeFileSync(resolvedPath, header + body, { mode: 0o600 });
 }
 module.exports = {