npm - @aifabrix/builder - Versions diffs - 2.43.0 → 2.44.1 - Mend

@aifabrix/builder 2.43.0 → 2.44.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (371) hide show

package/.cursor/rules/anchor-docs.mdc +15 -0
package/.cursor/rules/cli-layout.mdc +75 -0
package/.cursor/rules/project-rules.mdc +8 -0
package/.npmrc.token +1 -0
package/.nyc_output/55e9d034-ddab-4579-a706-e02a91d75c91.json +1 -0
package/.nyc_output/processinfo/55e9d034-ddab-4579-a706-e02a91d75c91.json +1 -0
package/.nyc_output/processinfo/index.json +1 -0
package/README.md +1 -1
package/anchor-docs/README.md +10 -0
package/anchor-docs/_TEMPLATE +24 -0
package/bin/aifabrix.js +13 -4
package/integration/hubspot-test/README.md +31 -0
package/integration/hubspot-test/create-hubspot.js +5 -5
package/integration/hubspot-test/hubspot-test-datasource-company.json +58 -462
package/integration/hubspot-test/hubspot-test-datasource-contact.json +61 -555
package/integration/hubspot-test/hubspot-test-datasource-deal.json +63 -506
package/integration/hubspot-test/hubspot-test-datasource-users.json +42 -83
package/integration/hubspot-test/hubspot-test-deploy.json +3 -3
package/integration/hubspot-test/test-dataplane-down-tests.js +1 -7
package/integration/hubspot-test/test-dataplane-down.js +3 -3
package/integration/hubspot-test/test.js +35 -43
package/integration/hubspot-test/wizard-hubspot-test-headless.yaml +23 -0
package/integration/roundtrip-test-local/README.md +144 -0
package/integration/roundtrip-test-local/application.yaml +13 -0
package/integration/roundtrip-test-local/env.template +15 -0
package/integration/roundtrip-test-local/roundtrip-test-local-datasource-roundtrip-test-company.yaml +14 -0
package/integration/roundtrip-test-local/roundtrip-test-local-deploy.json +61 -0
package/integration/roundtrip-test-local/roundtrip-test-local-system.yaml +25 -0
package/integration/roundtrip-test-local2/README.md +144 -0
package/integration/roundtrip-test-local2/application.yaml +13 -0
package/integration/roundtrip-test-local2/env.template +15 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-datasource-company.yaml +31 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-deploy.json +86 -0
package/integration/roundtrip-test-local2/roundtrip-test-local2-system.yaml +25 -0
package/integration/test/wizard.yaml +8 -0
package/jest.config.default.js +10 -0
package/jest.config.integration.fixtures.js +22 -0
package/jest.config.integration.js +21 -18
package/jest.config.isolated.js +10 -0
package/jest.projects.js +301 -0
package/lib/api/certificates.api.js +62 -0
package/lib/api/datasources-core.api.js +3 -3
package/lib/api/dev-mtls-request.js +110 -0
package/lib/api/dev-server-https.js +145 -0
package/lib/api/dev.api.js +133 -144
package/lib/api/index.js +11 -3
package/lib/api/pipeline.api.js +67 -20
package/lib/api/types/certificates.types.js +48 -0
package/lib/api/types/dev.types.js +4 -3
package/lib/api/types/pipeline.types.js +8 -5
package/lib/api/types/validation-run.types.js +56 -0
package/lib/api/validation-run.api.js +111 -0
package/lib/api/validation-runner.js +109 -0
package/lib/app/certification-show-enrich.js +129 -0
package/lib/app/certification-verify-rows.js +60 -0
package/lib/app/config.js +1 -1
package/lib/app/deploy-status-display.js +2 -2
package/lib/app/deploy.js +7 -6
package/lib/app/display.js +2 -1
package/lib/app/dockerfile.js +3 -2
package/lib/app/down.js +2 -1
package/lib/app/helpers.js +6 -5
package/lib/app/index.js +27 -8
package/lib/app/list.js +7 -6
package/lib/app/push.js +4 -3
package/lib/app/register.js +16 -7
package/lib/app/rotate-secret.js +14 -13
package/lib/app/run-container-start.js +184 -0
package/lib/app/run-docker-fallback.js +108 -0
package/lib/app/run-env-compose.js +30 -42
package/lib/app/run-helpers.js +49 -126
package/lib/app/run-infra-requirements.js +30 -0
package/lib/app/run-resolve-image.js +21 -0
package/lib/app/run.js +74 -21
package/lib/app/show-display.js +44 -1
package/lib/app/show.js +93 -9
package/lib/build/index.js +13 -10
package/lib/certification/cli-cert-sync-skip.js +21 -0
package/lib/certification/merge-certification-from-artifact.js +185 -0
package/lib/certification/post-unified-cert-sync.js +33 -0
package/lib/certification/sync-after-external-command.js +52 -0
package/lib/certification/sync-system-certification.js +197 -0
package/lib/cli/index.js +2 -0
package/lib/cli/setup-app.help.js +67 -0
package/lib/cli/setup-app.js +61 -121
package/lib/cli/setup-app.test-commands.js +195 -0
package/lib/cli/setup-auth.js +19 -5
package/lib/cli/setup-credential-deployment.js +22 -8
package/lib/cli/setup-dev-path-commands.js +124 -0
package/lib/cli/setup-dev.js +170 -113
package/lib/cli/setup-environment.js +7 -1
package/lib/cli/setup-external-system.js +84 -23
package/lib/cli/setup-infra.js +126 -47
package/lib/cli/setup-parameters.js +32 -0
package/lib/cli/setup-secrets.js +137 -18
package/lib/cli/setup-service-user.js +1 -1
package/lib/cli/setup-utility.js +54 -22
package/lib/commands/app-down.js +5 -7
package/lib/commands/app-install.js +14 -7
package/lib/commands/app-logs.js +13 -10
package/lib/commands/app-shell.js +4 -1
package/lib/commands/app-test.js +25 -19
package/lib/commands/app.js +32 -11
package/lib/commands/auth-config.js +6 -6
package/lib/commands/auth-status.js +4 -3
package/lib/commands/credential-env.js +4 -3
package/lib/commands/credential-list.js +5 -4
package/lib/commands/credential-push.js +4 -3
package/lib/commands/datasource-unified-test-cli.js +428 -0
package/lib/commands/datasource-unified-test-cli.options.js +191 -0
package/lib/commands/datasource-unified-test-e2e-cli-helpers.js +106 -0
package/lib/commands/datasource-validation-cli.js +143 -0
package/lib/commands/datasource.js +125 -95
package/lib/commands/deployment-list.js +6 -5
package/lib/commands/dev-cli-handlers.js +122 -18
package/lib/commands/dev-down.js +4 -3
package/lib/commands/dev-init.js +231 -116
package/lib/commands/dev-show-display.js +473 -0
package/lib/commands/login-credentials.js +3 -2
package/lib/commands/login-device.js +4 -3
package/lib/commands/login.js +5 -4
package/lib/commands/logout.js +8 -7
package/lib/commands/parameters-validate.js +54 -0
package/lib/commands/repair-datasource.js +314 -68
package/lib/commands/repair-env-template.js +2 -2
package/lib/commands/repair.js +21 -3
package/lib/commands/secrets-list.js +23 -12
package/lib/commands/secrets-remove-all.js +220 -0
package/lib/commands/secrets-remove.js +21 -12
package/lib/commands/secrets-set.js +21 -12
package/lib/commands/secrets-validate.js +4 -4
package/lib/commands/secure.js +10 -9
package/lib/commands/service-user.js +26 -25
package/lib/commands/test-e2e-external.js +27 -1
package/lib/commands/up-common.js +3 -2
package/lib/commands/up-dataplane.js +29 -16
package/lib/commands/up-miso.js +19 -29
package/lib/commands/upload.js +149 -39
package/lib/commands/wizard-core-helpers.js +1 -1
package/lib/commands/wizard-dataplane.js +4 -3
package/lib/commands/wizard-helpers.js +3 -3
package/lib/commands/wizard.js +2 -2
package/lib/core/admin-secrets.js +14 -5
package/lib/core/audit-logger.js +12 -4
package/lib/core/config-attach-extensions.js +46 -0
package/lib/core/config-runtime-paths.js +29 -0
package/lib/core/config.js +55 -56
package/lib/core/diff.js +3 -2
package/lib/core/ensure-encryption-key.js +1 -1
package/lib/core/secrets-ensure-infra.js +77 -0
package/lib/core/secrets-ensure.js +120 -64
package/lib/core/secrets-env-write.js +35 -7
package/lib/core/secrets-infra-placeholder-sync.js +61 -0
package/lib/core/secrets.js +200 -37
package/lib/core/templates-env.js +4 -3
package/lib/datasource/abac-validator.js +1 -10
package/lib/datasource/deploy.js +75 -53
package/lib/datasource/field-reference-validator.js +9 -6
package/lib/datasource/integration-context.js +63 -0
package/lib/datasource/list.js +8 -7
package/lib/datasource/log-viewer.js +189 -67
package/lib/datasource/resolve-app.js +4 -4
package/lib/datasource/test-e2e.js +113 -146
package/lib/datasource/test-integration.js +114 -122
package/lib/datasource/unified-validation-run-body.js +68 -0
package/lib/datasource/unified-validation-run-post.js +23 -0
package/lib/datasource/unified-validation-run-resolve.js +43 -0
package/lib/datasource/unified-validation-run.js +93 -0
package/lib/datasource/validate.js +157 -13
package/lib/deployment/deployer.js +4 -3
package/lib/deployment/environment.js +7 -6
package/lib/deployment/push.js +17 -8
package/lib/external-system/delete.js +4 -3
package/lib/external-system/deploy.js +166 -53
package/lib/external-system/download-helpers.js +1 -1
package/lib/external-system/download.js +7 -6
package/lib/external-system/generator.js +92 -6
package/lib/external-system/integration-test-dispatch.js +26 -0
package/lib/external-system/test-execution.js +5 -1
package/lib/external-system/test-helpers.js +0 -4
package/lib/external-system/test-system-level-helpers.js +110 -0
package/lib/external-system/test-system-level.js +83 -44
package/lib/external-system/test.js +59 -8
package/lib/generator/builders.js +23 -11
package/lib/generator/deploy-manifest-azure-kv.js +81 -0
package/lib/generator/external.js +16 -4
package/lib/generator/helpers.js +58 -3
package/lib/generator/index.js +4 -0
package/lib/generator/split-readme.js +12 -7
package/lib/generator/split-variables.js +2 -1
package/lib/generator/split.js +1 -1
package/lib/generator/wizard-readme.js +3 -3
package/lib/generator/wizard.js +8 -8
package/lib/infrastructure/compose.js +70 -7
package/lib/infrastructure/helpers-docker-check.js +67 -0
package/lib/infrastructure/helpers.js +203 -42
package/lib/infrastructure/index.js +31 -18
package/lib/infrastructure/services.js +21 -67
package/lib/internal/fs-real-sync.js +104 -0
package/lib/internal/node-fs.js +98 -0
package/lib/parameters/database-secret-values.js +173 -0
package/lib/parameters/infra-kv-discovery.js +121 -0
package/lib/parameters/infra-parameter-catalog.js +458 -0
package/lib/parameters/infra-parameter-validate.js +64 -0
package/lib/schema/application-schema.json +37 -17
package/lib/schema/datasource-test-run.schema.json +493 -0
package/lib/schema/deployment-rules.yaml +102 -63
package/lib/schema/external-datasource.schema.json +1200 -442
package/lib/schema/external-system.schema.json +203 -5
package/lib/schema/flag-map-validation-run.json +31 -0
package/lib/schema/infra-parameter.schema.json +106 -0
package/lib/schema/infra.parameter.yaml +421 -0
package/lib/schema/type/credential-auth-templates.json +40 -0
package/lib/schema/type/document-storage.json +226 -0
package/lib/schema/type/message-service.json +123 -0
package/lib/schema/type/vector-store.json +88 -0
package/lib/utils/aifabrix-runtime-config-dir.js +132 -0
package/lib/utils/api-error-handler.js +2 -2
package/lib/utils/api.js +77 -17
package/lib/utils/app-register-api.js +3 -2
package/lib/utils/app-register-auth.js +1 -1
package/lib/utils/app-register-config.js +4 -4
package/lib/utils/app-register-display.js +3 -2
package/lib/utils/app-register-validator.js +3 -2
package/lib/utils/app-run-containers.js +26 -22
package/lib/utils/app-scoped-config.js +31 -0
package/lib/utils/app-service-env-from-builder.js +164 -0
package/lib/utils/build-copy.js +1 -1
package/lib/utils/build-helpers.js +20 -20
package/lib/utils/build-resolve-image.js +165 -0
package/lib/utils/cli-layout-chalk.js +8 -0
package/lib/utils/cli-test-layout-chalk.js +267 -0
package/lib/utils/cli-utils.js +88 -11
package/lib/utils/compose-db-passwords.js +138 -0
package/lib/utils/compose-generate-docker-compose.js +216 -0
package/lib/utils/compose-generator.js +197 -291
package/lib/utils/compose-miso-env.js +18 -0
package/lib/utils/compose-traefik-ingress-base.js +158 -0
package/lib/utils/config-paths.js +166 -7
package/lib/utils/config-scoped-resources-preference.js +41 -0
package/lib/utils/configuration-env-resolver.js +11 -8
package/lib/utils/controller-deployment-outcome.js +68 -0
package/lib/utils/credential-display.js +2 -2
package/lib/utils/credential-secrets-env.js +5 -5
package/lib/utils/dataplane-pipeline-warning.js +4 -3
package/lib/utils/datasource-test-run-capability-scope.js +43 -0
package/lib/utils/datasource-test-run-certificate-tty.js +82 -0
package/lib/utils/datasource-test-run-debug-display.js +137 -0
package/lib/utils/datasource-test-run-debug-slice.js +93 -0
package/lib/utils/datasource-test-run-display.js +459 -0
package/lib/utils/datasource-test-run-exit.js +83 -0
package/lib/utils/datasource-test-run-legacy-adapter.js +93 -0
package/lib/utils/datasource-test-run-report-version.js +51 -0
package/lib/utils/datasource-test-run-schema-sync.js +59 -0
package/lib/utils/datasource-test-run-tty-log.js +81 -0
package/lib/utils/datasource-validation-watch.js +266 -0
package/lib/utils/declarative-url-ports.js +47 -0
package/lib/utils/derive-env-key-from-client-id.js +41 -0
package/lib/utils/dev-ca-install.js +185 -23
package/lib/utils/dev-cert-helper.js +266 -17
package/lib/utils/dev-hosts-helper.js +307 -0
package/lib/utils/dev-init-cert-hints.js +37 -0
package/lib/utils/dev-init-health-messages.js +52 -0
package/lib/utils/dev-init-resolve.js +86 -0
package/lib/utils/dev-init-ssh-merge.js +65 -0
package/lib/utils/dev-ssh-config-helper.js +196 -0
package/lib/utils/dev-user-groups.js +93 -0
package/lib/utils/docker-build.js +42 -17
package/lib/utils/docker-exec.js +28 -0
package/lib/utils/docker-manifest-public-port.js +116 -0
package/lib/utils/docker-not-running-hint.js +52 -0
package/lib/utils/docker.js +98 -11
package/lib/utils/ensure-dev-certs-for-remote-docker.js +192 -0
package/lib/utils/env-config-loader.js +10 -91
package/lib/utils/env-copy.js +19 -10
package/lib/utils/env-map.js +35 -8
package/lib/utils/env-template.js +2 -2
package/lib/utils/environment-scoped-resources.js +144 -0
package/lib/utils/error-formatter.js +92 -13
package/lib/utils/error-formatters/http-status-errors.js +6 -5
package/lib/utils/error-formatters/network-errors.js +2 -1
package/lib/utils/error-formatters/permission-errors.js +2 -1
package/lib/utils/error-formatters/validation-errors.js +2 -1
package/lib/utils/external-readme.js +8 -1
package/lib/utils/external-system-display.js +242 -136
package/lib/utils/external-system-local-test-tty.js +389 -0
package/lib/utils/external-system-readiness-core.js +377 -0
package/lib/utils/external-system-readiness-deploy-display.js +270 -0
package/lib/utils/external-system-readiness-display-internals.js +150 -0
package/lib/utils/external-system-readiness-display.js +186 -0
package/lib/utils/external-system-system-test-tty-overview.js +120 -0
package/lib/utils/external-system-system-test-tty.js +417 -0
package/lib/utils/external-system-test-helpers.js +24 -6
package/lib/utils/external-system-validators.js +30 -12
package/lib/utils/health-check-url.js +119 -0
package/lib/utils/health-check.js +59 -25
package/lib/utils/help-builder.js +11 -8
package/lib/utils/image-version.js +4 -8
package/lib/utils/infra-containers.js +4 -7
package/lib/utils/infra-env-defaults.js +162 -0
package/lib/utils/infra-status-display.js +167 -0
package/lib/utils/infra-status.js +16 -8
package/lib/utils/local-secrets.js +3 -4
package/lib/utils/paths.js +148 -47
package/lib/utils/port-resolver.js +10 -23
package/lib/utils/redis-env-scope.js +62 -0
package/lib/utils/register-aifabrix-shell-env.js +204 -0
package/lib/utils/remote-builder-validation.js +99 -0
package/lib/utils/remote-dev-auth.js +117 -21
package/lib/utils/remote-docker-env.js +67 -15
package/lib/utils/remote-secrets-loader.js +13 -4
package/lib/utils/resolve-docker-image-ref.js +124 -0
package/lib/utils/schema-loader.js +22 -9
package/lib/utils/secrets-bash-kv.js +25 -0
package/lib/utils/secrets-generator.js +169 -49
package/lib/utils/secrets-helpers.js +70 -59
package/lib/utils/secrets-kv-scope.js +60 -0
package/lib/utils/secrets-utils.js +32 -38
package/lib/utils/secrets-validation.js +3 -1
package/lib/utils/secrets-yaml-preserve.js +109 -0
package/lib/utils/ssh-key-helper.js +4 -2
package/lib/utils/template-helpers.js +2 -2
package/lib/utils/test-log-writer.js +3 -3
package/lib/utils/token-manager.js +1 -2
package/lib/utils/url-declarative-public-base.js +188 -0
package/lib/utils/url-declarative-resolve-build.js +493 -0
package/lib/utils/url-declarative-resolve-load-doc.js +51 -0
package/lib/utils/url-declarative-resolve.js +220 -0
package/lib/utils/url-declarative-token-parse.js +74 -0
package/lib/utils/url-declarative-url-flags.js +50 -0
package/lib/utils/url-declarative-vdir-inactive-env.js +99 -0
package/lib/utils/url-public-path-prefix.js +34 -0
package/lib/utils/urls-local-registry.js +220 -0
package/lib/utils/validation-report-tty-kit.js +77 -0
package/lib/utils/validation-run-poll.js +112 -0
package/lib/utils/validation-run-post-retry.js +85 -0
package/lib/utils/validation-run-request.js +116 -0
package/lib/utils/variable-transformer.js +21 -4
package/lib/utils/yaml-preserve.js +33 -14
package/lib/validation/datasource-warnings.js +56 -0
package/lib/validation/env-template-auth.js +1 -1
package/lib/validation/external-manifest-validator.js +27 -7
package/lib/validation/validate-display.js +37 -31
package/lib/validation/validate-external-cert-sync.js +23 -0
package/lib/validation/validate.js +8 -14
package/lib/validation/validator-unresolved-placeholders.js +98 -0
package/lib/validation/validator.js +22 -65
package/lib/validation/wizard-config-validator.js +2 -1
package/package.json +9 -4
package/scripts/check-datasource-test-run-schema-sync.js +34 -0
package/scripts/diagnose-cli.js +150 -0
package/scripts/install-local.js +307 -55
package/scripts/pnpm-global-remove.js +48 -0
package/templates/README.md +15 -2
package/templates/applications/dataplane/application.yaml +52 -2
package/templates/applications/dataplane/env.template +79 -17
package/templates/applications/dataplane/rbac.yaml +8 -0
package/templates/applications/keycloak/application.yaml +9 -1
package/templates/applications/keycloak/env.template +15 -6
package/templates/applications/miso-controller/application.yaml +10 -2
package/templates/applications/miso-controller/env.template +42 -12
package/templates/applications/miso-controller/rbac.yaml +5 -0
package/templates/external-system/README.md.hbs +20 -7
package/templates/external-system/deploy.js.hbs +5 -5
package/templates/external-system/external-datasource.yaml.hbs +197 -118
package/templates/infra/compose.yaml.hbs +33 -16
package/templates/infra/servers.json.hbs +3 -1
package/templates/python/docker-compose.hbs +16 -0
package/templates/typescript/docker-compose.hbs +16 -0
package/lib/api/external-test.api.js +0 -111
package/lib/schema/env-config.yaml +0 -60

package/lib/core/secrets-ensure.js CHANGED Viewed

@@ -17,7 +17,7 @@ const os = require('os');
 const config = require('./config');
 const pathsUtil = require('../utils/paths');
 const logger = require('../utils/logger');
-const { isRemoteSecretsUrl, getRemoteDevAuth } = require('../utils/remote-dev-auth');
+const remoteDevAuth = require('../utils/remote-dev-auth');
 const devApi = require('../api/dev.api');
 const {
   findMissingSecretKeys,
@@ -28,6 +28,21 @@ const {
 } = require('../utils/secrets-generator');
 const { encryptSecret } = require('../utils/secrets-encryption');
 const { loadEnvTemplate } = require('../utils/secrets-helpers');
+const {
+  buildInfraPlaceholderContext,
+  isSecretKeyAllowedEmpty,
+  getInfraSecretKeysForUpInfra
+} = require('./secrets-ensure-infra');
+const { syncLiteralKvSecretsFromCliOverrides } = require('./secrets-infra-placeholder-sync');
+/**
+ * Lazy require so tests that `jest.mock('../parameters/infra-parameter-catalog')` after other
+ * suites loaded secrets-ensure still see the mocked exports (avoids stale destructured refs).
+ * @returns {typeof import('../parameters/infra-parameter-catalog')}
+ */
+function infraParameterCatalogModule() {
+  return require('../parameters/infra-parameter-catalog');
+}
 /**
  * Expand leading ~ to home directory.
@@ -49,27 +64,30 @@ function expandTilde(filePath) {
  * - http(s) URL → remote (fallback: user file)
  * - No config → user file
  *
- * @returns {Promise<{ type: 'file'|'remote', filePath?: string, serverUrl?: string, clientCertPem?: string }>}
+ * @returns {Promise<{ type: 'file'|'remote', filePath?: string, serverUrl?: string|null, secretsEndpointUrl?: string, clientCertPem?: string|null, serverCaPem?: string|null }>}
  */
 async function resolveWriteTarget() {
   const secretsPath = await config.getSecretsPath();
-  const userFilePath = path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
+  const userFilePath = pathsUtil.getPrimaryUserSecretsLocalPath();
   if (!secretsPath) {
     return { type: 'file', filePath: userFilePath };
   }
-  if (isRemoteSecretsUrl(secretsPath)) {
-    const auth = await getRemoteDevAuth();
+  const resolvedSecrets = await remoteDevAuth.resolveSharedSecretsEndpoint(secretsPath);
+  if (remoteDevAuth.isRemoteSecretsUrl(resolvedSecrets)) {
+    const auth = await remoteDevAuth.getRemoteDevAuth();
     return {
       type: 'remote',
       filePath: userFilePath,
-      serverUrl: secretsPath.replace(/\/+$/, ''),
-      clientCertPem: auth ? auth.clientCertPem : null
+      serverUrl: auth ? auth.serverUrl : null,
+      secretsEndpointUrl: resolvedSecrets.trim().replace(/\/+$/, ''),
+      clientCertPem: auth ? auth.clientCertPem : null,
+      serverCaPem: auth ? auth.serverCaPem : null
     };
   }
-  const filePath = path.isAbsolute(secretsPath)
-    ? secretsPath
-    : path.resolve(process.cwd(), expandTilde(secretsPath));
+  const filePath = path.isAbsolute(resolvedSecrets)
+    ? resolvedSecrets
+    : path.resolve(process.cwd(), expandTilde(resolvedSecrets));
   return { type: 'file', filePath };
 }
@@ -85,7 +103,12 @@ async function loadExistingFromTarget(target) {
   }
   if (target.type === 'remote' && target.serverUrl && target.clientCertPem) {
     try {
-      const items = await devApi.listSecrets(target.serverUrl, target.clientCertPem);
+      const items = await devApi.listSecrets(
+        target.serverUrl,
+        target.clientCertPem,
+        target.serverCaPem || undefined,
+        target.secretsEndpointUrl
+      );
       if (!Array.isArray(items)) return {};
       const obj = {};
       for (const item of items) {
@@ -134,11 +157,12 @@ async function writeSecretToFile(filePath, key, value, encryptionKey) {
  * @param {string} key - Secret key
  * @param {Object} suggested - Map of suggested values
  * @param {boolean} emptyForCredentials - Use empty string if true
+ * @param {Record<string, string>|undefined} placeholderContext - Catalog defaults + CLI merged map
  * @returns {string}
  */
-function valueForKey(key, suggested, emptyForCredentials) {
+function valueForKey(key, suggested, emptyForCredentials, placeholderContext) {
   if (key in suggested) return String(suggested[key]);
-  return emptyForCredentials ? '' : generateSecretValue(key);
+  return emptyForCredentials ? '' : generateSecretValue(key, placeholderContext);
 }
 /**
@@ -150,12 +174,18 @@ function valueForKey(key, suggested, emptyForCredentials) {
  * @param {string|null} encryptionKey - Encryption key for file fallback or null
  * @returns {Promise<string[]>}
  */
-async function addSecretsRemote(target, toAdd, suggested, added, encryptionKey) {
+async function addSecretsRemote(target, toAdd, suggested, added, encryptionKey, placeholderContext) {
   const emptyForCredentials = false;
   for (const key of toAdd) {
-    const value = valueForKey(key, suggested, emptyForCredentials);
+    const value = valueForKey(key, suggested, emptyForCredentials, placeholderContext);
     try {
-      await devApi.addSecret(target.serverUrl, target.clientCertPem, { key, value });
+      await devApi.addSecret(
+        target.serverUrl,
+        target.clientCertPem,
+        { key, value },
+        target.serverCaPem || undefined,
+        target.secretsEndpointUrl
+      );
       added.push(key);
     } catch (err) {
       logger.warn(`Remote secret "${key}" failed (${err.message}); writing to local file.`);
@@ -168,22 +198,33 @@ async function addSecretsRemote(target, toAdd, suggested, added, encryptionKey)
 /**
  * Add secrets to file (with optional encryption).
- * @param {string} filePath - File path
- * @param {string[]} toAdd - Keys to add
- * @param {Object} suggested - Suggested values
- * @param {boolean} emptyForCredentials - Use empty for new values
- * @param {string|null} encryptionKey - Encryption key or null
- * @param {string[]} added - Array to push added keys to
+ * @param {Object} batch
+ * @param {string} batch.filePath
+ * @param {string[]} batch.toAdd
+ * @param {Object} batch.suggested
+ * @param {boolean} batch.emptyForCredentials
+ * @param {string|null} batch.encryptionKey
+ * @param {string[]} batch.added
+ * @param {Record<string, string>|undefined} batch.placeholderContext
  * @returns {Promise<string[]>}
  */
-async function addSecretsToFile(filePath, toAdd, suggested, emptyForCredentials, encryptionKey, added) {
+async function addSecretsToFile(batch) {
+  const {
+    filePath,
+    toAdd,
+    suggested,
+    emptyForCredentials,
+    encryptionKey,
+    added,
+    placeholderContext
+  } = batch;
   for (const key of toAdd) {
-    const value = valueForKey(key, suggested, emptyForCredentials);
+    const value = valueForKey(key, suggested, emptyForCredentials, placeholderContext);
     await writeSecretToFile(filePath, key, value, encryptionKey);
     added.push(key);
   }
   if (added.length > 0) {
-    logger.log(`✓ Ensured ${added.length} secret key(s): ${added.join(', ')}`);
+    logger.log(`✔ Ensured ${added.length} secret key(s): ${added.join(', ')}`);
   }
   return added;
 }
@@ -210,13 +251,14 @@ async function ensureSecretsForKeys(keys, options = {}) {
   const suggested = options.suggestedValues && typeof options.suggestedValues === 'object'
     ? options.suggestedValues
     : {};
+  const placeholderContext = options.placeholderContext;
   const target = options._targetOverride || await resolveWriteTarget();
   const existing = await loadExistingFromTarget(target);
   const toAdd = keys.filter((k) => {
     const v = existing[k];
     const missingOrEmpty = v === undefined || v === null || (typeof v === 'string' && v.trim() === '');
-    return missingOrEmpty && !KEYS_ALLOWED_EMPTY.has(k);
+    return missingOrEmpty && !isSecretKeyAllowedEmpty(k);
   });
   if (toAdd.length === 0) return [];
@@ -224,9 +266,17 @@ async function ensureSecretsForKeys(keys, options = {}) {
   const added = [];
   if (target.type === 'remote' && target.serverUrl && target.clientCertPem) {
-    return addSecretsRemote(target, toAdd, suggested, added, encryptionKey);
+    return addSecretsRemote(target, toAdd, suggested, added, encryptionKey, placeholderContext);
   }
-  return addSecretsToFile(target.filePath, toAdd, suggested, emptyForCredentials, encryptionKey, added);
+  return addSecretsToFile({
+    filePath: target.filePath,
+    toAdd,
+    suggested,
+    emptyForCredentials,
+    encryptionKey,
+    added,
+    placeholderContext
+  });
 }
 /**
@@ -270,33 +320,6 @@ async function ensureSecretsFromEnvTemplate(envTemplatePathOrContent, options =
   return ensureSecretsForKeys(missingKeys, { ...options, _targetOverride: target });
 }
-/**
- * Infra secret keys used by createDefaultSecrets / keyvault.md for up-infra.
- * Includes miso-controller DB keys so ensureMisoInitScript can read from store.
- *
- * postgres-passwordKeyVault: Postgres superuser/admin password for local Docker Postgres,
- * PgAdmin, and Redis Commander (see generateAdminSecretsEnv in lib/core/secrets.js).
- *
- * @type {string[]}
- */
-const INFRA_SECRET_KEYS = [
-  'postgres-passwordKeyVault',
-  'redis-passwordKeyVault',
-  'redis-url',
-  'keycloak-admin-passwordKeyVault',
-  'keycloak-server-url',
-  'databases-miso-controller-0-passwordKeyVault',
-  'databases-miso-controller-0-urlKeyVault'
-];
-/**
- * Keys that are valid when empty (e.g. no Redis password in local dev).
- * We do not backfill these when empty, so the file is not appended with a duplicate key.
- *
- * @type {Set<string>}
- */
-const KEYS_ALLOWED_EMPTY = new Set(['redis-passwordKeyVault']);
 /**
  * Write one key-value to a file store (load, merge, optionally encrypt, save).
  * @param {string} filePath - Secrets file path
@@ -325,7 +348,7 @@ async function writeSecretToStoreFile(filePath, key, strValue) {
 /**
  * Write a single secret to the configured store (overwrites if key exists).
- * Used when syncing e.g. postgres-passwordKeyVault after --adminPwd override.
+ * Used when syncing e.g. postgres-passwordKeyVault after --adminPassword override.
  *
  * @async
  * @function setSecretInStore
@@ -339,7 +362,13 @@ async function setSecretInStore(key, value) {
   const strValue = typeof value === 'string' ? value : String(value);
   if (target.type === 'remote' && target.serverUrl && target.clientCertPem) {
     try {
-      await devApi.addSecret(target.serverUrl, target.clientCertPem, { key, value: strValue });
+      await devApi.addSecret(
+        target.serverUrl,
+        target.clientCertPem,
+        { key, value: strValue },
+        target.serverCaPem || undefined,
+        target.secretsEndpointUrl
+      );
     } catch (err) {
       logger.warn(`Could not sync secret "${key}" to remote store: ${err.message}`);
       const encryptionKey = await config.getSecretsEncryptionKey();
@@ -356,15 +385,27 @@ async function setSecretInStore(key, value) {
  * @async
  * @function ensureInfraSecrets
  * @param {Object} [options] - Options
- * @param {string} [options.adminPwd] - Override for postgres-passwordKeyVault when creating new secrets
+ * @param {string} [options.adminPassword] - Overrides {{adminPassword}} (and alias adminPwd)
+ * @param {string} [options.adminPwd] - Alias for adminPassword
+ * @param {string} [options.adminEmail] - Overrides {{adminEmail}}
+ * @param {string} [options.userPassword] - Overrides {{userPassword}}
+ * @param {boolean} [options.tlsEnabled] - Merged into catalog placeholders: TLS_ENABLED / HTTP_ENABLED (HTTP is opposite of TLS; default TLS off)
  * @returns {Promise<string[]>} Keys that were added
+ *
+ * After backfill, non-empty `--adminPassword` / `--userPassword` / `--adminEmail` update all catalog
+ * literals that reference the same `{{placeholder}}` (see `secrets-infra-placeholder-sync.js`).
  */
 async function ensureInfraSecrets(options = {}) {
-  const suggested = {};
-  if (options.adminPwd && typeof options.adminPwd === 'string' && options.adminPwd.trim() !== '') {
-    suggested['postgres-passwordKeyVault'] = options.adminPwd.trim();
-  }
-  return ensureSecretsForKeys(INFRA_SECRET_KEYS, { suggestedValues: suggested });
+  const keys = getInfraSecretKeysForUpInfra();
+  const placeholderContext = buildInfraPlaceholderContext(options);
+  const added = await ensureSecretsForKeys(keys, { placeholderContext });
+  await syncLiteralKvSecretsFromCliOverrides(
+    options,
+    placeholderContext,
+    setSecretInStore,
+    infraParameterCatalogModule
+  );
+  return added;
 }
 module.exports = {
@@ -374,5 +415,20 @@ module.exports = {
   setSecretInStore,
   resolveWriteTarget,
   loadExistingFromTarget,
-  INFRA_SECRET_KEYS
+  getInfraSecretKeysForUpInfra,
+  isSecretKeyAllowedEmpty,
+  buildInfraPlaceholderContext
 };
+/**
+ * @deprecated Prefer getInfraSecretKeysForUpInfra(). Names only: relaxed read of infra.parameter.yaml
+ * (standardUpInfraEnsureKeys + exact keys with ensureOn upInfra), not workspace discovery.
+ */
+Object.defineProperty(module.exports, 'INFRA_SECRET_KEYS', {
+  enumerable: true,
+  get() {
+    const cat = infraParameterCatalogModule();
+    const bundledYaml = path.join(__dirname, '..', 'schema', 'infra.parameter.yaml');
+    return cat.readRelaxedUpInfraEnsureKeyList(bundledYaml) || [];
+  }
+});

package/lib/core/secrets-env-write.js CHANGED Viewed

@@ -47,7 +47,33 @@ function getSecretForEnvVar(secrets, preferred, alternate) {
 }
 /**
- * Inject NPM_TOKEN and PYPI_TOKEN from loaded secrets into content when missing.
+ * Append KEY=value as its own line (avoids joining with previous line when content ended with newline).
+ * @param {string} content
+ * @param {string} key
+ * @param {string} value
+ * @returns {string}
+ */
+function appendEnvLine(content, key, value) {
+  const line = `${key}=${value}`;
+  if (!content || content.length === 0) return `${line}\n`;
+  return `${content.replace(/\s+$/, '')}\n${line}\n`;
+}
+/**
+ * Non-empty process.env for registry tokens when template has no kv://BASH_* line (inject fallback).
+ * @param {string} name
+ * @returns {string|null}
+ */
+function getProcessEnvToken(name) {
+  const raw = process.env[name];
+  if (raw === undefined || raw === null) return null;
+  const t = String(raw).trim();
+  return t.length > 0 ? t : null;
+}
+/**
+ * Inject NPM_TOKEN and PYPI_TOKEN from loaded secrets, then from process.env when still missing.
+ * kv://BASH_* refs are resolved in secrets-helpers (process.env suffix after BASH_) before this runs.
  * @param {string} content - .env-style content
  * @param {string|null} secretsPath - Path to secrets file
  * @param {string} appName - Application name
@@ -59,12 +85,14 @@ async function injectRegistryTokens(content, secretsPath, appName) {
     const loadedSecrets = await secrets.loadSecrets(secretsPath, appName);
     let out = content || '';
     if (!envContentHasKey(out, 'NPM_TOKEN')) {
-      const v = getSecretForEnvVar(loadedSecrets, 'NPM_TOKEN', 'npm_token');
-      if (v) out = out.trimEnd() + (out.endsWith('\n') ? '' : '\n') + `NPM_TOKEN=${v}\n`;
+      let v = getSecretForEnvVar(loadedSecrets, 'NPM_TOKEN', 'npm_token');
+      if (!v) v = getProcessEnvToken('NPM_TOKEN');
+      if (v) out = appendEnvLine(out, 'NPM_TOKEN', v);
     }
     if (!envContentHasKey(out, 'PYPI_TOKEN')) {
-      const v = getSecretForEnvVar(loadedSecrets, 'PYPI_TOKEN', 'pypi_token');
-      if (v) out = out.trimEnd() + (out.endsWith('\n') ? '' : '\n') + `PYPI_TOKEN=${v}\n`;
+      let v = getSecretForEnvVar(loadedSecrets, 'PYPI_TOKEN', 'pypi_token');
+      if (!v) v = getProcessEnvToken('PYPI_TOKEN');
+      if (v) out = appendEnvLine(out, 'PYPI_TOKEN', v);
     }
     return out;
   } catch {
@@ -95,7 +123,7 @@ function parseEnvContentToMap(content) {
 /**
  * Resolve .env in memory and write only to envOutputPath or temp (no builder/ or integration/).
- * Injects NPM_TOKEN and PYPI_TOKEN from secrets when missing so shell/install/test have registry tokens.
+ * Injects NPM_TOKEN and PYPI_TOKEN from secrets when missing, then from process.env, so shell/install/test/build can use exported tokens.
  *
  * @async
  * @function resolveAndWriteEnvFile
@@ -136,7 +164,7 @@ async function resolveAndWriteEnvFile(appName, options = {}) {
 /**
  * Resolve app env (template + kv:// secrets) and return as key-value map.
  * Used by build to pass NPM_TOKEN/PYPI_TOKEN as Docker build-args.
- * Injects NPM_TOKEN/PYPI_TOKEN from secrets when missing (same as resolveAndWriteEnvFile).
+ * Injects from secrets when missing, then from process.env if set (e.g. exported NPM_TOKEN in shell).
  *
  * @async
  * @function resolveAndGetEnvMap

package/lib/core/secrets-infra-placeholder-sync.js ADDED Viewed

@@ -0,0 +1,61 @@
+/**
+ * @fileoverview Sync secrets store with up-infra CLI placeholder overrides (catalog-driven).
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+const logger = require('../utils/logger');
+/**
+ * When CLI passes --adminPassword, --userPassword, or --adminEmail, overwrite every catalog literal
+ * that embeds the matching {{placeholder}}. ensureSecretsForKeys only backfills missing keys; this
+ * keeps the store aligned with explicit CLI overrides (keys come from infra.parameter.yaml).
+ *
+ * @param {Object} options - Same flags as ensureInfraSecrets
+ * @param {Record<string, string>} placeholderContext - Merged catalog defaults + CLI
+ * @param {(key: string, value: string) => Promise<void>} setSecretInStore
+ * @param {() => typeof import('../parameters/infra-parameter-catalog')} getCatalogModule - Lazy catalog require
+ * @returns {Promise<void>}
+ */
+async function syncLiteralKvSecretsFromCliOverrides(
+  options,
+  placeholderContext,
+  setSecretInStore,
+  getCatalogModule
+) {
+  const crypto = require('crypto');
+  const ipc = getCatalogModule();
+  let catalog;
+  try {
+    catalog = ipc.getInfraParameterCatalog();
+  } catch {
+    return;
+  }
+  const runOne = async(placeholder, cliValue) => {
+    const trimmed = String(cliValue || '').trim();
+    if (!trimmed) return;
+    const keys = ipc.listKvKeysWithLiteralPlaceholder(catalog, placeholder);
+    if (keys.length === 0) return;
+    for (const key of keys) {
+      const entry = catalog.findEntryForKey(key);
+      if (!entry) continue;
+      const val = ipc.generateValueFromCatalogEntry(key, entry, crypto, placeholderContext);
+      await setSecretInStore(key, val);
+    }
+    logger.log(
+      `Updated ${keys.length} secret(s) in store (catalog literals using {{${placeholder}}}).`
+    );
+  };
+  await runOne(
+    'adminPassword',
+    options.adminPassword || options.adminPwd || ''
+  );
+  await runOne('userPassword', options.userPassword || '');
+  await runOne('adminEmail', options.adminEmail || '');
+}
+module.exports = {
+  syncLiteralKvSecretsFromCliOverrides
+};