@aifabrix/builder 2.43.0 → 2.44.0

package/lib/utils/urls-local-registry.js

@@ -0,0 +1,220 @@
+/**
+ * urls.local.yaml beside effective config.yaml (same directory as secrets.local.yaml).
+ * When AIFABRIX_HOME is POSIX $HOME but config lives in $HOME/.aifabrix/, the registry
+ * is $HOME/.aifabrix/urls.local.yaml (not $HOME/urls.local.yaml).
+ *
+ * @fileoverview Read/write registry; scan each builder app folder for application.yaml
+ * @author AI Fabrix Team
+ * @version 1.0.0
+ */
+
+'use strict';
+
+const fsRealSync = require('../internal/fs-real-sync');
+const path = require('path');
+const yaml = require('js-yaml');
+const { DECLARATIVE_URL_INFRA_DEFAULTS } = require('./infra-env-defaults');
+const pathsUtil = require('./paths');
+
+/**
+ * @returns {string} Absolute path to urls.local.yaml (primary; beside config.yaml)
+ */
+function getUrlsLocalYamlPath() {
+  return path.join(pathsUtil.getConfigDirForPaths(), 'urls.local.yaml');
+}
+
+/** @returns {string} Legacy path when registry was stored under getAifabrixHome() only */
+function getLegacyUrlsLocalYamlPath() {
+  return path.join(pathsUtil.getAifabrixHome(), 'urls.local.yaml');
+}
+
+function loadRegistryYamlFile(filePath) {
+  try {
+    const doc = yaml.load(fsRealSync.readFileSync(filePath, 'utf8'));
+    return doc && typeof doc === 'object' ? doc : {};
+  } catch {
+    return {};
+  }
+}
+
+/**
+ * @returns {Record<string, unknown>}
+ */
+function readUrlsLocalRegistrySync() {
+  const primary = getUrlsLocalYamlPath();
+  if (fsRealSync.existsSync(primary)) {
+    return loadRegistryYamlFile(primary);
+  }
+  const legacy = getLegacyUrlsLocalYamlPath();
+  if (legacy !== primary && fsRealSync.existsSync(legacy)) {
+    return loadRegistryYamlFile(legacy);
+  }
+  return {};
+}
+
+/**
+ * @param {Object} data - Full registry object to write
+ */
+function writeUrlsLocalRegistrySync(data) {
+  const p = getUrlsLocalYamlPath();
+  const dir = path.dirname(p);
+  if (!fsRealSync.existsSync(dir)) {
+    fsRealSync.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  }
+  const body = `${yaml.dump(data, { lineWidth: 120, noRefs: true }).trim()}\n`;
+  fsRealSync.writeFileSync(p, body, { mode: 0o600 });
+}
+
+/**
+ * Normalize front-door pattern for URLs (/data/* → /data).
+ * @param {string} pattern
+ * @returns {string}
+ */
+function normalizePatternForUrl(pattern) {
+  if (!pattern || typeof pattern !== 'string') {
+    return '/';
+  }
+  let p = pattern.trim();
+  if (!p.startsWith('/')) {
+    p = `/${p}`;
+  }
+  p = p.replace(/\*+$/, '').replace(/\/+$/, '') || '/';
+  return p;
+}
+
+/**
+ * @param {Object} merged
+ * @returns {Object} same object after persist
+ */
+function writeMergedRegistry(merged) {
+  writeUrlsLocalRegistrySync(merged);
+  return merged;
+}
+
+/**
+ * @param {string} cfgPath
+ * @returns {object|null}
+ */
+function tryLoadApplicationYaml(cfgPath) {
+  if (!fsRealSync.existsSync(cfgPath)) {
+    return null;
+  }
+  try {
+    const doc = yaml.load(fsRealSync.readFileSync(cfgPath, 'utf8'));
+    return doc && typeof doc === 'object' ? doc : null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * @param {object} doc
+ * @returns {number|null}
+ */
+function readExplicitContainerPortFromDoc(doc) {
+  const cpRaw = doc.build && doc.build.containerPort;
+  if (typeof cpRaw === 'number' && cpRaw > 0) {
+    return cpRaw;
+  }
+  if (typeof cpRaw === 'string' && /^\d+$/.test(cpRaw.trim())) {
+    return parseInt(cpRaw.trim(), 10);
+  }
+  return null;
+}
+
+/**
+ * @param {Object} merged
+ * @param {object} doc
+ * @param {string} folderName - builder/<folderName>
+ */
+function mergeDocIntoRegistry(merged, doc, folderName) {
+  const appKey = (doc.app && doc.app.key) || folderName;
+  let port = null;
+  if (typeof doc.port === 'number' && doc.port > 0) {
+    port = doc.port;
+  } else if (typeof doc.port === 'string' && /^\d+$/.test(doc.port.trim())) {
+    port = parseInt(doc.port.trim(), 10);
+  }
+  if (port === null || port <= 0) {
+    return;
+  }
+  const rawPattern = doc.frontDoorRouting && doc.frontDoorRouting.pattern;
+  const pattern =
+    typeof rawPattern === 'string'
+      ? rawPattern
+      : DECLARATIVE_URL_INFRA_DEFAULTS.frontDoorPatternWhenUnspecified;
+  merged[`${appKey}-port`] = port;
+  merged[`${appKey}-pattern`] = pattern;
+
+  const explicitC = readExplicitContainerPortFromDoc(doc);
+  const ckey = `${appKey}-containerPort`;
+  if (explicitC !== null) {
+    merged[ckey] = explicitC;
+  } else {
+    delete merged[ckey];
+  }
+}
+
+/**
+ * Merge scan results into registry (does not remove stale keys).
+ * @param {string|null} projectRoot - getProjectRoot() or null
+ * @returns {Object} Updated registry
+ */
+function refreshUrlsLocalRegistryFromBuilder(projectRoot) {
+  const root = projectRoot || pathsUtil.getProjectRoot();
+  const merged = { ...readUrlsLocalRegistrySync() };
+  if (!root) {
+    return writeMergedRegistry(merged);
+  }
+  const builderDir = path.join(root, 'builder');
+  if (!fsRealSync.existsSync(builderDir) || !fsRealSync.statSync(builderDir).isDirectory()) {
+    return writeMergedRegistry(merged);
+  }
+  for (const ent of fsRealSync.readdirSync(builderDir, { withFileTypes: true })) {
+    if (!ent.isDirectory()) {
+      continue;
+    }
+    const doc = tryLoadApplicationYaml(path.join(builderDir, ent.name, 'application.yaml'));
+    if (!doc) {
+      continue;
+    }
+    mergeDocIntoRegistry(merged, doc, ent.name);
+  }
+  return writeMergedRegistry(merged);
+}
+
+/**
+ * @param {string} appKey
+ * @param {Object} registry
+ * @returns {{ port: number, containerPort: number|null, pattern: string }|null}
+ */
+function getRegistryEntryForApp(appKey, registry) {
+  const r = registry || {};
+  const portKey = `${appKey}-port`;
+  const patKey = `${appKey}-pattern`;
+  const cportKey = `${appKey}-containerPort`;
+  const port = r[portKey];
+  const pattern = r[patKey];
+  const cport = r[cportKey];
+  if (typeof port !== 'number' || port <= 0) {
+    return null;
+  }
+  const containerPort = typeof cport === 'number' && cport > 0 ? cport : null;
+  return {
+    port,
+    containerPort,
+    pattern:
+      typeof pattern === 'string'
+        ? pattern
+        : DECLARATIVE_URL_INFRA_DEFAULTS.frontDoorPatternWhenUnspecified
+  };
+}
+
+module.exports = {
+  getUrlsLocalYamlPath,
+  readUrlsLocalRegistrySync,
+  writeUrlsLocalRegistrySync,
+  refreshUrlsLocalRegistryFromBuilder,
+  normalizePatternForUrl,
+  getRegistryEntryForApp
+};

package/lib/utils/validation-report-tty-kit.js

@@ -0,0 +1,77 @@
+/**
+ * @fileoverview Reusable TTY helpers for validation/test reports (verdict, readiness, data-quality lines).
+ */
+
+'use strict';
+
+const { SEP, statusGlyph } = require('./datasource-test-run-display');
+
+const TRUST_LINE_LABELS = Object.freeze({
+  schema: 'Schema coverage',
+  consistency: 'Data consistency',
+  reliability: 'Data reliability'
+});
+
+function rollupGlyph(r) {
+  return statusGlyph(r === 'fail' ? 'fail' : r === 'warn' ? 'warn' : 'ok');
+}
+
+function verdictLineFromEnvelope(rootStatus, certStatus, runType) {
+  if (rootStatus === 'skipped') return '⏭ Skipped';
+  if (rootStatus === 'warn') return '⚠ Limited production use';
+  if (rootStatus === 'fail') {
+    if (runType === 'integration') return '✖ Pipeline not working';
+    if (runType === 'e2e') return '✖ Not usable';
+    return '✖ Configuration invalid';
+  }
+  if (certStatus === 'not_passed') return '✔ Functional with certification gaps';
+  return '✔ Suitable for production use';
+}
+
+function verdictLineLocalExternalTest(status) {
+  if (status === 'ok') return '✔ Suitable for continued setup (local manifest check passed).';
+  if (status === 'warn') return '⚠ Limited production use';
+  return '✖ Configuration invalid';
+}
+
+function readinessLineFromAggregateStatus(status) {
+  if (status === 'fail') return `Readiness: ${statusGlyph('fail')} Not ready`;
+  if (status === 'warn') return `Readiness: ${statusGlyph('warn')} Partial`;
+  return `Readiness: ${statusGlyph('ok')} Ready`;
+}
+
+function readinessLineFromDataReadiness(dataReadiness) {
+  if (!dataReadiness) return null;
+  if (dataReadiness === 'not_ready') return `Readiness: ${statusGlyph('fail')} Not ready`;
+  if (dataReadiness === 'partial') return `Readiness: ${statusGlyph('warn')} Partial`;
+  if (dataReadiness === 'ready') return `Readiness: ${statusGlyph('ok')} Ready`;
+  return null;
+}
+
+function formatDataQualityLines(rollups, descriptions) {
+  const d = descriptions || {};
+  return [
+    `${rollupGlyph(rollups.schema)} ${TRUST_LINE_LABELS.schema}${d.schema ? ` — ${d.schema}` : ''}`,
+    `${rollupGlyph(rollups.consistency)} ${TRUST_LINE_LABELS.consistency}${d.consistency ? ` — ${d.consistency}` : ''}`,
+    `${rollupGlyph(rollups.reliability)} ${TRUST_LINE_LABELS.reliability}${d.reliability ? ` — ${d.reliability}` : ''}`
+  ];
+}
+
+function pushSeparatorBlock(lines) {
+  lines.push('');
+  lines.push(SEP);
+  lines.push('');
+}
+
+module.exports = {
+  SEP,
+  statusGlyph,
+  TRUST_LINE_LABELS,
+  rollupGlyph,
+  verdictLineFromEnvelope,
+  verdictLineLocalExternalTest,
+  readinessLineFromAggregateStatus,
+  readinessLineFromDataReadiness,
+  formatDataQualityLines,
+  pushSeparatorBlock
+};

package/lib/utils/validation-run-poll.js

@@ -0,0 +1,89 @@
+/**
+ * @fileoverview Poll GET /api/v1/validation/run/{testRunId} until reportCompleteness is full (plan §3.5–3.6).
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const { getValidationRunWithTransportRetry } = require('./validation-run-post-retry');
+
+const INITIAL_INTERVAL_MS = 2000;
+const MAX_INTERVAL_MS = 15000;
+
+/**
+ * Delay between polls after attempt `n` (0-based): 2s, 4s, 8s, … cap 15s.
+ * @param {number} attemptIndex - Zero-based poll index after initial POST
+ * @returns {number}
+ */
+function nextPollDelayMs(attemptIndex) {
+  const raw = INITIAL_INTERVAL_MS * 2 ** Math.max(0, attemptIndex);
+  return Math.min(raw, MAX_INTERVAL_MS);
+}
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+/**
+ * Whether polling should stop on this envelope.
+ * @param {Object} envelope - DatasourceTestRun-like
+ * @returns {boolean}
+ */
+function isTerminalReportCompleteness(envelope) {
+  if (!envelope || typeof envelope !== 'object') return false;
+  return envelope.reportCompleteness === 'full';
+}
+
+/**
+ * Poll until reportCompleteness === 'full' or budget exhausted.
+ * @async
+ * @param {Object} opts
+ * @param {string} opts.dataplaneUrl
+ * @param {Object} opts.authConfig
+ * @param {string} opts.testRunId
+ * @param {number} opts.budgetMs - Remaining wall-clock budget for polls only (POST excluded)
+ * @param {typeof getValidationRunWithTransportRetry} [opts.fetchRun] - Inject for tests (default: GET with transport retry)
+ * @returns {Promise<{ envelope: Object|null, timedOut: boolean, lastApiResult: Object|null }>}
+ */
+async function pollValidationRunUntilComplete(opts) {
+  const {
+    dataplaneUrl,
+    authConfig,
+    testRunId,
+    budgetMs,
+    fetchRun = getValidationRunWithTransportRetry
+  } = opts;
+  const deadline = Date.now() + Math.max(0, budgetMs);
+  let attempt = 0;
+  let lastApiResult = null;
+  let envelope = null;
+
+  while (Date.now() < deadline) {
+    const remaining = deadline - Date.now();
+    if (remaining <= 0) break;
+
+    lastApiResult = await fetchRun(dataplaneUrl, authConfig, testRunId);
+    if (!lastApiResult.success) {
+      return { envelope: null, timedOut: false, lastApiResult };
+    }
+    envelope = lastApiResult.data;
+    if (isTerminalReportCompleteness(envelope)) {
+      return { envelope, timedOut: false, lastApiResult };
+    }
+
+    const delay = Math.min(nextPollDelayMs(attempt), Math.max(0, deadline - Date.now()));
+    attempt += 1;
+    if (delay > 0) {
+      await sleep(delay);
+    }
+  }
+
+  return { envelope, timedOut: true, lastApiResult };
+}
+
+module.exports = {
+  INITIAL_INTERVAL_MS,
+  MAX_INTERVAL_MS,
+  nextPollDelayMs,
+  pollValidationRunUntilComplete,
+  isTerminalReportCompleteness
+};

package/lib/utils/validation-run-post-retry.js

@@ -0,0 +1,73 @@
+/**
+ * @fileoverview Transient transport retries for POST validation/run and GET poll.
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const { postValidationRun, getValidationRun } = require('../api/validation-run.api');
+
+const RETRYABLE_CODES = new Set(['ECONNRESET', 'ETIMEDOUT', 'ECONNABORTED']);
+
+/**
+ * @param {Object} res - ApiClient-style result
+ * @returns {boolean}
+ */
+function isRetryablePostFailure(res) {
+  if (!res || res.success) return false;
+  if (!res.network) return false;
+  const err = res.originalError;
+  if (!err) return false;
+  const code = err.code || (err.cause && err.cause.code);
+  if (code && RETRYABLE_CODES.has(code)) return true;
+  if (err.name === 'AbortError') return true;
+  return false;
+}
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+/**
+ * POST validation run with up to 2 retries on transient socket/timeout errors (1s / 2s backoff).
+ * Does not retry HTTP 4xx/5xx.
+ * @param {string} dataplaneUrl
+ * @param {Object} authConfig
+ * @param {Object} body
+ * @returns {Promise<Object>}
+ */
+async function postValidationRunWithTransportRetry(dataplaneUrl, authConfig, body) {
+  let last = await postValidationRun(dataplaneUrl, authConfig, body);
+  if (last.success || !isRetryablePostFailure(last)) return last;
+
+  await sleep(1000);
+  last = await postValidationRun(dataplaneUrl, authConfig, body);
+  if (last.success || !isRetryablePostFailure(last)) return last;
+
+  await sleep(2000);
+  return postValidationRun(dataplaneUrl, authConfig, body);
+}
+
+/**
+ * GET validation run poll with up to 2 retries on transient socket/timeout errors (1s / 2s backoff).
+ * @param {string} dataplaneUrl
+ * @param {Object} authConfig
+ * @param {string} testRunId
+ * @returns {Promise<Object>}
+ */
+async function getValidationRunWithTransportRetry(dataplaneUrl, authConfig, testRunId) {
+  let last = await getValidationRun(dataplaneUrl, authConfig, testRunId);
+  if (last.success || !isRetryablePostFailure(last)) return last;
+
+  await sleep(1000);
+  last = await getValidationRun(dataplaneUrl, authConfig, testRunId);
+  if (last.success || !isRetryablePostFailure(last)) return last;
+
+  await sleep(2000);
+  return getValidationRun(dataplaneUrl, authConfig, testRunId);
+}
+
+module.exports = {
+  isRetryablePostFailure,
+  postValidationRunWithTransportRetry,
+  getValidationRunWithTransportRetry
+};

package/lib/utils/validation-run-request.js

@@ -0,0 +1,98 @@
+/**
+ * @fileoverview Build ValidationRunRequest bodies for datasource-scoped CLI commands.
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+/**
+ * Whether the unified validation request should set includeDebug (any `--debug` or `--debug <level>`).
+ * @param {*} debugOpt - Commander `options.debug`
+ * @returns {boolean}
+ */
+function includeDebugForRequest(debugOpt) {
+  if (debugOpt === undefined || debugOpt === false || debugOpt === null || debugOpt === '') {
+    return false;
+  }
+  return true;
+}
+
+/**
+ * Merge E2E options from CLI flags into e2eOptions for ExternalDataSourceE2ETestRequest (dataplane).
+ * @param {Object} options - CLI-derived options
+ * @param {boolean} [options.debug]
+ * @param {boolean} [options.verbose]
+ * @param {boolean} [options.testCrud]
+ * @param {string} [options.recordId]
+ * @param {boolean} [options.cleanup]
+ * @param {string|Object} [options.primaryKeyValue]
+ * @param {Object} [options.e2eOptionsExtra] - Shallow-merged last (e.g. server-specific drill-down fields)
+ * @returns {Object}
+ */
+function buildE2eOptionsFromCli(options = {}) {
+  const e2e = {};
+  if (options.debug) e2e.includeDebug = true;
+  if (options.verbose) e2e.audit = true;
+  if (options.testCrud === true) e2e.testCrud = true;
+  if (options.recordId !== undefined && options.recordId !== null && options.recordId !== '') {
+    e2e.recordId = String(options.recordId);
+  }
+  if (options.cleanup === false) e2e.cleanup = false;
+  else if (options.cleanup === true) e2e.cleanup = true;
+  if (options.primaryKeyValue !== undefined && options.primaryKeyValue !== null) {
+    e2e.primaryKeyValue = options.primaryKeyValue;
+  }
+  if (options.e2eOptionsExtra && typeof options.e2eOptionsExtra === 'object') {
+    Object.assign(e2e, options.e2eOptionsExtra);
+  }
+  return e2e;
+}
+
+/**
+ * Build request body for validationScope=externalDataSource (single datasource in DB).
+ * @param {Object} params
+ * @param {string} params.systemKey - External system key
+ * @param {string} params.datasourceKey - Datasource key
+ * @param {'test'|'integration'|'e2e'} params.runType
+ * @param {Object} [params.payloadTemplate] - Required for integration-style payload tests when runType=test
+ * @param {boolean} [params.asyncRun]
+ * @param {boolean} [params.includeDebug]
+ * @param {boolean} [params.explain]
+ * @param {Object} [params.e2eOptions] - Merged with buildE2eOptionsFromCli when both used by caller
+ * @returns {import('../api/types/validation-run.types').ValidationRunRequestBody}
+ */
+function buildExternalDataSourceValidationRequest(params) {
+  const {
+    systemKey,
+    datasourceKey,
+    runType,
+    payloadTemplate,
+    asyncRun,
+    includeDebug,
+    explain,
+    e2eOptions
+  } = params;
+  if (!systemKey || !datasourceKey || !runType) {
+    throw new Error('systemKey, datasourceKey, and runType are required');
+  }
+  /** @type {import('../api/types/validation-run.types').ValidationRunRequestBody} */
+  const body = {
+    validationScope: 'externalDataSource',
+    systemIdOrKey: systemKey,
+    datasourceKey,
+    runType
+  };
+  if (payloadTemplate !== undefined) body.payloadTemplate = payloadTemplate;
+  if (asyncRun === true) body.asyncRun = true;
+  if (includeDebug === true) body.includeDebug = true;
+  if (explain === true) body.explain = true;
+  if (e2eOptions && typeof e2eOptions === 'object' && Object.keys(e2eOptions).length > 0) {
+    body.e2eOptions = e2eOptions;
+  }
+  return body;
+}
+
+module.exports = {
+  includeDebugForRequest,
+  buildE2eOptionsFromCli,
+  buildExternalDataSourceValidationRequest
+};

package/lib/utils/variable-transformer.js

@@ -105,6 +105,9 @@ function handlePartialAuthentication(authentication) {
  */
 function transformFlatStructure(variables, appName) {
   const result = buildBaseResult(variables, appName);
+  if (result.frontDoorRouting) {
+    result.frontDoorRouting = normalizeFrontDoorRoutingForValidation(result.frontDoorRouting);
+  }
 
   // Sanitize authentication if present
   if (result.authentication) {
@@ -190,9 +193,6 @@ function validateBuildConfig(build) {
   if (build.dockerfile && build.dockerfile.trim() !== '') {
     buildConfig.dockerfile = build.dockerfile;
   }
-  if (build.localPort !== undefined && build.localPort !== null) {
-    buildConfig.localPort = build.localPort;
-  }
 
   return Object.keys(buildConfig).length > 0 ? buildConfig : null;
 }
@@ -256,6 +256,23 @@ function transformConfigSections(variables, transformed) {
   }
 }
 
+/**
+ * Clone frontDoorRouting for schema validation: JSON Schema expects `tls` as a string
+ * (e.g. "${TLS_ENABLED}", "true") but YAML often uses booleans (`tls: false`).
+ * @param {Object} fd - frontDoorRouting block from application.yaml
+ * @returns {Object}
+ */
+function normalizeFrontDoorRoutingForValidation(fd) {
+  if (!fd || typeof fd !== 'object') {
+    return fd;
+  }
+  const out = { ...fd };
+  if (typeof out.tls === 'boolean') {
+    out.tls = out.tls ? 'true' : 'false';
+  }
+  return out;
+}
+
 /**
  * Transforms simple optional fields
  * @function transformSimpleOptionalFields
@@ -273,7 +290,7 @@ function transformSimpleOptionalFields(variables, transformed) {
     transformed.scaling = variables.scaling;
   }
   if (variables.frontDoorRouting) {
-    transformed.frontDoorRouting = variables.frontDoorRouting;
+    transformed.frontDoorRouting = normalizeFrontDoorRoutingForValidation(variables.frontDoorRouting);
   }
   if (variables.roles) {
     transformed.roles = variables.roles;

package/lib/utils/yaml-preserve.js

@@ -251,6 +251,35 @@ function collectBlockScalarLines(lines, startIndex, keyIndentLen) {
   return { value: parts.join(' '), endIndex: i };
 }
 
+/**
+ * Processes a single block-scalar key line and its continuation lines.
+ * @param {string} line - Line matching BLOCK_SCALAR_PATTERN
+ * @param {string[]} lines - All lines
+ * @param {number} lineIndex - Index of current line
+ * @param {string} encryptionKey - Encryption key
+ * @param {Object} stats - Mutable stats object
+ * @returns {{ resultLine: string, nextIndex: number }|null} Result or null if not a block scalar
+ */
+function processBlockScalarLine(line, lines, lineIndex, encryptionKey, stats) {
+  const blockMatch = line.match(BLOCK_SCALAR_PATTERN);
+  if (!blockMatch) {
+    return null;
+  }
+  const [, indent, key, blockIndicator, trailingWhitespace, comment] = blockMatch;
+  const keyIndentLen = indent.length;
+  const folded = blockIndicator.startsWith('>');
+  const { value: rawValue, endIndex } = collectBlockScalarLines(lines, lineIndex + 1, keyIndentLen);
+  const value = folded ? rawValue.replace(/\s+/g, ' ').trim() : rawValue;
+  stats.total++;
+  const needEncrypt = shouldEncryptValue(value);
+  const outValue = needEncrypt ? encryptSecret(value, encryptionKey) : value;
+  if (needEncrypt) {
+    stats.encrypted++;
+  }
+  const resultLine = `${indent}${key}: ${outValue}${trailingWhitespace || ''}${comment || ''}`;
+  return { resultLine, nextIndex: endIndex };
+}
+
 function encryptYamlValues(content, encryptionKey) {
   const lines = content.split(/\r?\n/);
   const encryptedLines = [];
@@ -267,20 +296,10 @@ function encryptYamlValues(content, encryptionKey) {
       continue;
     }
 
-    const blockMatch = line.match(BLOCK_SCALAR_PATTERN);
-    if (blockMatch) {
-      const [, indent, key, blockIndicator, trailingWhitespace, comment] = blockMatch;
-      const keyIndentLen = indent.length;
-      const folded = blockIndicator.startsWith('>');
-      const { value: rawValue, endIndex } = collectBlockScalarLines(lines, i + 1, keyIndentLen);
-      const value = folded ? rawValue.replace(/\s+/g, ' ').trim() : rawValue;
-      stats.total++;
-      const outValue = shouldEncryptValue(value) ? encryptSecret(value, encryptionKey) : value;
-      if (shouldEncryptValue(value)) {
-        stats.encrypted++;
-      }
-      encryptedLines.push(`${indent}${key}: ${outValue}${trailingWhitespace || ''}${comment || ''}`);
-      i = endIndex;
+    const blockResult = processBlockScalarLine(line, lines, i, encryptionKey, stats);
+    if (blockResult) {
+      encryptedLines.push(blockResult.resultLine);
+      i = blockResult.nextIndex;
       continue;
     }