@aifabrix/builder 2.43.0 → 2.44.1

package/lib/utils/secrets-helpers.js

@@ -46,6 +46,41 @@ function isCommentOrEmptyLine(line) {
 /** Regex for kv:// path (allows slashes, e.g. kv://hubspot/clientId) */
 const KV_REF_PATTERN = /kv:\/\/([a-zA-Z0-9_\-/]+)/g;
 
+const { resolveBashKvFromProcessEnv } = require('./secrets-bash-kv');
+
+/**
+ * Last-resort when infra.parameter.yaml cannot be read (e.g. Jest suites that mock `fs`;
+ * catalog uses `node:fs`, which is often the same mocked instance). Must stay in sync with
+ * `generator.type: emptyAllowed` keys in lib/schema/infra.parameter.yaml.
+ */
+const EMPTY_ALLOWED_KV_FALLBACK = new Set(['redis-passwordKeyVault']);
+
+/**
+ * Infra catalog keys with generator `emptyAllowed` may be absent from the secrets file;
+ * they resolve like an explicit empty string (e.g. local Redis has no password).
+ * @param {string} pathStr - kv path segment (flat key or path with slashes)
+ * @returns {boolean}
+ */
+function isKvKeyAllowedEmptyWhenAbsent(pathStr) {
+  if (!pathStr || typeof pathStr !== 'string') return false;
+  try {
+    const { getInfraParameterCatalog } = require('../parameters/infra-parameter-catalog');
+    return getInfraParameterCatalog().isKeyAllowedEmpty(pathStr);
+  } catch {
+    try {
+      const {
+        readRelaxedEmptyAllowedKeySet,
+        DEFAULT_CATALOG_PATH
+      } = require('../parameters/infra-parameter-catalog');
+      const set = readRelaxedEmptyAllowedKeySet(DEFAULT_CATALOG_PATH);
+      if (set && set.has(pathStr)) return true;
+    } catch {
+      /* ignore */
+    }
+  }
+  return EMPTY_ALLOWED_KV_FALLBACK.has(pathStr);
+}
+
 /**
  * Find object key that matches part case-insensitively.
  * @param {Object} obj - Object to search
@@ -98,19 +133,30 @@ function getValueByPath(secrets, pathStr) {
   return getValueByNestedPath(secrets, pathStr.split('/'));
 }
 
+const { getValueByPathWithEnvScope, mergeSecretsWithPrefixedCopies } =
+  require('./secrets-kv-scope').createScopedKvHelpers(getValueByPath);
+
+function resolveKvRefValue(secretsMap, pathStr, envKey, effective) {
+  const v = getValueByPathWithEnvScope(secretsMap, pathStr, envKey, effective);
+  if (v !== undefined && v !== null) return v;
+  return resolveBashKvFromProcessEnv(pathStr);
+}
+
 /**
  * Collect missing kv:// secrets referenced in content (skips commented and empty lines).
  * Supports path-style refs (e.g. kv://hubspot/clientId). Returns unique refs.
  * @function collectMissingSecrets
  * @param {string} content - Text content
  * @param {Object} secrets - Available secrets (flat or nested)
+ * @param {{ effective?: boolean, envKey?: string }|null} [scopedKv] - Optional env-scoped kv resolution
  * @returns {string[]} Array of missing kv://<path> references (unique)
  */
-function collectMissingSecrets(content, secrets) {
+function collectMissingSecrets(content, secrets, scopedKv = null) {
+  const effective = Boolean(scopedKv && scopedKv.effective && scopedKv.envKey);
+  const secretsMap = effective ? mergeSecretsWithPrefixedCopies(secrets, scopedKv.envKey) : secrets;
   const seen = new Set();
   const missing = [];
-  const lines = content.split('\n');
-  for (const line of lines) {
+  for (const line of content.split('\n')) {
     if (isCommentOrEmptyLine(line)) continue;
     let match;
     KV_REF_PATTERN.lastIndex = 0;
@@ -118,8 +164,8 @@ function collectMissingSecrets(content, secrets) {
       const pathStr = match[1];
       if (seen.has(pathStr)) continue;
       seen.add(pathStr);
-      const value = getValueByPath(secrets, pathStr);
-      if (value === undefined || value === null) {
+      const value = resolveKvRefValue(secretsMap, pathStr, scopedKv?.envKey, effective);
+      if ((value === undefined || value === null) && !isKvKeyAllowedEmptyWhenAbsent(pathStr)) {
         missing.push(`kv://${pathStr}`);
       }
     }
@@ -157,14 +203,20 @@ function formatMissingSecretsFileInfo(secretsFilePaths) {
  * @param {string} content - Text content containing kv:// references
  * @param {Object} secrets - Secrets map (flat or nested)
  * @param {Object} envVars - Environment variables map for nested interpolation
+ * @param {{ effective?: boolean, envKey?: string }|null} [scopedKv] - Optional env-scoped kv resolution
  * @returns {string} Content with kv:// references replaced
  */
-function replaceKvInContent(content, secrets, envVars) {
+function replaceKvInContent(content, secrets, envVars, scopedKv = null) {
+  const effective = Boolean(scopedKv && scopedKv.effective && scopedKv.envKey);
+  const secretsMap = effective ? mergeSecretsWithPrefixedCopies(secrets, scopedKv.envKey) : secrets;
   const lines = content.split('\n');
   const result = lines.map(line => {
     if (isCommentOrEmptyLine(line)) return line;
     return line.replace(KV_REF_PATTERN, (match, pathStr) => {
-      let value = getValueByPath(secrets, pathStr);
+      let value = resolveKvRefValue(secretsMap, pathStr, scopedKv?.envKey, effective);
+      if ((value === undefined || value === null) && isKvKeyAllowedEmptyWhenAbsent(pathStr)) {
+        value = '';
+      }
       if (typeof value === 'string') {
         value = value.replace(/\$\{([A-Z_]+)\}/g, (m, envVar) => {
           return envVars[envVar] || m;
@@ -247,44 +299,23 @@ function getPortFromEnvContent(envContent) {
 }
 
 /**
- * Applies developer-id adjustment to port
- * @function applyDeveloperIdAdjustment
- * @param {number} baseAppPort - Base application port
- * @param {number} devIdNum - Developer ID number
- * @returns {number} Adjusted port
- */
-function applyDeveloperIdAdjustment(baseAppPort, devIdNum) {
-  return devIdNum === 0 ? baseAppPort : (baseAppPort + (devIdNum * 100));
-}
-
-/**
- * Calculate application port following override chain and developer-id adjustment
- * Override chain: env-config.yaml → config.yaml → application.yaml port
+ * Resolve manifest listen port (container port) for the app from override chain.
  * @async
- * @function calculateAppPort
  * @param {string} [variablesPath] - Path to application config
- * @param {Object} localEnv - Local environment config from env-config.yaml and config.yaml
+ * @param {Object} localEnv - Merged local env from defaults + config.yaml
  * @param {string} envContent - Environment content for fallback
- * @param {number} devIdNum - Developer ID number
- * @returns {Promise<number>} Final application port with developer-id adjustment
+ * @returns {Promise<number>} Base listen port (before +10 / +dev*100 local host math)
  */
-async function calculateAppPort(variablesPath, localEnv, envContent, devIdNum) {
-  // Start with env-config value
+async function resolveManifestListenPort(variablesPath, localEnv, envContent) {
   let baseAppPort = getPortFromLocalEnv(localEnv);
-
-  // Override with application config port (strongest)
   const variablesPort = getPortFromVariablesFile(variablesPath);
   if (variablesPort !== null) {
     baseAppPort = variablesPort;
   }
-
-  // Fallback to env content if still no port
   if (baseAppPort === null || baseAppPort === undefined) {
     baseAppPort = getPortFromEnvContent(envContent);
   }
-
-  // Apply developer-id adjustment
-  return applyDeveloperIdAdjustment(baseAppPort, devIdNum);
+  return baseAppPort;
 }
 
 /**
@@ -325,16 +356,6 @@ function getPortVarFromEnvTemplatePath(variablesPath) {
   }
 }
 
-/**
- * Adjust infra-related ports in resolved .env content for local environment.
- * Own case: when we generate .env for envOutputPath (not reload), we use localPort (application.yaml build.localPort or port).
- * Sets PORT and the template port var (e.g. MISO_PORT) to localPort so the generated .env is correct for local use.
- * @async
- * @function adjustLocalEnvPortsInContent
- * @param {string} envContent - Resolved .env content
- * @param {string} [variablesPath] - Path to application config (to read port and template port var)
- * @returns {Promise<string>} Updated content with local ports
- */
 /**
  * Gets developer ID number
  * @async
@@ -418,12 +439,13 @@ async function buildEnvVarsForInterpolation(devIdNum) {
 async function adjustLocalEnvPortsInContent(envContent, variablesPath) {
   const devIdNum = await getDeveloperIdNumber();
   const localEnv = await getLocalEnvWithOverrides();
+  const { localHostPort } = require('./declarative-url-ports');
 
-  const baseAppPort = await calculateAppPort(variablesPath, localEnv, envContent, 0);
-  const appPort = await calculateAppPort(variablesPath, localEnv, envContent, devIdNum);
+  const baseListen = await resolveManifestListenPort(variablesPath, localEnv, envContent);
+  const appPort = localHostPort(baseListen, devIdNum);
 
   let updated = updatePortVariable(envContent, appPort);
-  updated = updateLocalhostUrls(updated, baseAppPort, appPort);
+  updated = updateLocalhostUrls(updated, baseListen, appPort);
   updated = await rewriteInfraEndpoints(updated, 'local');
 
   const envVars = await buildEnvVarsForInterpolation(devIdNum);
@@ -437,18 +459,6 @@ async function adjustLocalEnvPortsInContent(envContent, variablesPath) {
   return updated;
 }
 
-/**
- * Ensure secrets map is non-empty or throw a friendly guidance error
- * @function ensureNonEmptySecrets
- * @param {Object} secrets - Secrets map
- * @throws {Error} If secrets is empty
- */
-function ensureNonEmptySecrets(secrets) {
-  if (Object.keys(secrets || {}).length === 0) {
-    throw new Error('No secrets file found. Please create ~/.aifabrix/secrets.local.yaml or configure aifabrix-secrets in config.yaml');
-  }
-}
-
 /**
  * Validate secrets against the env template (skips commented and empty lines)
  * @function validateSecrets
@@ -465,6 +475,8 @@ module.exports = {
   loadEnvConfig,
   interpolateEnvVars,
   collectMissingSecrets,
+  resolveBashKvFromProcessEnv,
+  mergeSecretsWithPrefixedCopies,
   formatMissingSecretsFileInfo,
   replaceKvInContent,
   resolveServicePortsInEnvContent,
@@ -473,7 +485,6 @@ module.exports = {
   adjustLocalEnvPortsInContent,
   readYamlAtPath,
   applyCanonicalSecretsOverride,
-  ensureNonEmptySecrets,
   validateSecrets,
   rewriteInfraEndpoints,
   getEnvHosts

package/lib/utils/secrets-kv-scope.js

@@ -0,0 +1,60 @@
+/**
+ * Env-scoped kv:// resolution helpers (prefixed keys + in-memory aliases).
+ *
+ * @fileoverview Split from secrets-helpers for file size limits
+ * @author AI Fabrix Team
+ * @version 1.0.0
+ */
+
+'use strict';
+
+/**
+ * @param {Function} getValueByPath - From secrets-helpers
+ * @returns {{ getValueByPathWithEnvScope: Function, mergeSecretsWithPrefixedCopies: Function }}
+ */
+function createScopedKvHelpers(getValueByPath) {
+  /**
+   * @param {Object} secrets
+   * @param {string} pathStr
+   * @param {string|null|undefined} envKey
+   * @param {boolean} effective
+   * @returns {*}
+   */
+  function getValueByPathWithEnvScope(secrets, pathStr, envKey, effective) {
+    if (!effective || !envKey) {
+      return getValueByPath(secrets, pathStr);
+    }
+    const prefix = `${String(envKey).toLowerCase()}-`;
+    const prefixedPath = prefix + pathStr;
+    const fromPrefixed = getValueByPath(secrets, prefixedPath);
+    if (fromPrefixed !== undefined && fromPrefixed !== null) {
+      return fromPrefixed;
+    }
+    return getValueByPath(secrets, pathStr);
+  }
+
+  /**
+   * @param {Object} secrets
+   * @param {string} envKey
+   * @returns {Object}
+   */
+  function mergeSecretsWithPrefixedCopies(secrets, envKey) {
+    if (!secrets || typeof secrets !== 'object' || !envKey) {
+      return secrets;
+    }
+    const prefix = `${String(envKey).toLowerCase()}-`;
+    const merged = { ...secrets };
+    for (const [k, v] of Object.entries(secrets)) {
+      if (typeof k !== 'string' || !k || k.startsWith(prefix)) continue;
+      const pk = prefix + k;
+      if (merged[pk] === undefined && v !== undefined && v !== null) {
+        merged[pk] = v;
+      }
+    }
+    return merged;
+  }
+
+  return { getValueByPathWithEnvScope, mergeSecretsWithPrefixedCopies };
+}
+
+module.exports = { createScopedKvHelpers };

package/lib/utils/secrets-utils.js

@@ -19,25 +19,18 @@ const { getContainerPort } = require('./port-resolver');
 const { loadYamlTolerantOfDuplicateKeys } = require('./secrets-generator');
 
 /**
- * Parses secrets YAML content with fallback for duplicate keys.
+ * Parses secrets YAML content with fallback for duplicate keys and broken concat files
+ * (e.g. empty map `{}` then appended key lines — invalid without `---`).
  * @param {string} content - Raw file content
  * @returns {Object} Parsed secrets object
  */
 function parseSecretsContent(content) {
-  try {
-    return yaml.load(content);
-  } catch (yamlErr) {
-    const msg = yamlErr.message || '';
-    if (msg.includes('duplicate') || msg.includes('duplicated mapping')) {
-      return loadYamlTolerantOfDuplicateKeys(content);
-    }
-    throw yamlErr;
-  }
+  return loadYamlTolerantOfDuplicateKeys(content);
 }
 
 /**
  * Loads secrets from file with cascading lookup support
- * First checks ~/.aifabrix/secrets.local.yaml, then aifabrix-secrets from config.yaml
+ * First checks the primary user secrets file (see getPrimaryUserSecretsLocalPath in paths.js), then aifabrix-secrets from config.yaml
  *
  * @async
  * @function loadSecretsFromFile
@@ -51,7 +44,7 @@ async function loadSecretsFromFile(filePath) {
 
   try {
     const content = fs.readFileSync(filePath, 'utf8');
-    const secrets = yaml.load(content);
+    const secrets = parseSecretsContent(content);
 
     if (!secrets || typeof secrets !== 'object') {
       return {};
@@ -65,17 +58,15 @@ async function loadSecretsFromFile(filePath) {
 }
 
 /**
- * Loads user secrets from the primary config directory (AIFABRIX_HOME or ~/.aifabrix).
+ * Loads user secrets from getPrimaryUserSecretsLocalPath() (same dir as config.yaml resolution).
  * Used as the master source when merging with project/public secrets: user values win,
  * missing keys are filled from the public (aifabrix-secrets) file.
- * Does not use config.yaml aifabrix-home so the merge always sees the actual user file.
  *
  * @function loadPrimaryUserSecrets
  * @returns {Object} Loaded secrets object or empty object
  */
 function loadPrimaryUserSecrets() {
-  const primaryDir = pathsUtil.getConfigDirForPaths();
-  const userSecretsPath = path.join(primaryDir, 'secrets.local.yaml');
+  const userSecretsPath = pathsUtil.getPrimaryUserSecretsLocalPath();
   if (!fs.existsSync(userSecretsPath)) {
     return {};
   }
@@ -98,32 +89,12 @@ function loadPrimaryUserSecrets() {
 }
 
 /**
- * Loads user secrets from ~/.aifabrix/secrets.local.yaml
- * Uses paths.getAifabrixHome() to respect config.yaml aifabrix-home override
+ * Same as {@link loadPrimaryUserSecrets} (legacy name; kept for callers).
  * @function loadUserSecrets
  * @returns {Object} Loaded secrets object or empty object
  */
 function loadUserSecrets() {
-  const userSecretsPath = path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
-  if (!fs.existsSync(userSecretsPath)) {
-    return {};
-  }
-  ensureSecureFilePermissions(userSecretsPath);
-
-  try {
-    const content = fs.readFileSync(userSecretsPath, 'utf8');
-    const secrets = parseSecretsContent(content);
-    if (!secrets || typeof secrets !== 'object') {
-      throw new Error(`Invalid secrets file format: ${userSecretsPath}`);
-    }
-    return secrets;
-  } catch (error) {
-    if (error.message.includes('Invalid secrets file format')) {
-      throw error;
-    }
-    logger.warn(`Warning: Could not read secrets file ${userSecretsPath}: ${error.message}`);
-    return {};
-  }
+  return loadPrimaryUserSecrets();
 }
 
 /**
@@ -155,6 +126,28 @@ function loadDefaultSecrets() {
   }
 }
 
+/**
+ * Creates the primary user secrets file if missing (empty map) for first-run installs.
+ * Uses the same directory as {@link loadPrimaryUserSecrets} (config dir / ~/.aifabrix).
+ *
+ * @function ensurePrimaryUserSecretsFileExists
+ */
+function ensurePrimaryUserSecretsFileExists() {
+  const userSecretsPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+  const primaryDir = path.dirname(userSecretsPath);
+  if (fs.existsSync(userSecretsPath)) {
+    return;
+  }
+  if (!fs.existsSync(primaryDir)) {
+    fs.mkdirSync(primaryDir, { recursive: true, mode: 0o700 });
+  }
+  const header =
+    '# Local secrets for AI Fabrix CLI (kv:// references in env.template resolve here)\n' +
+    '# Keys are appended by `aifabrix resolve` / ensure — do not prefix with JSON `{}`.\n';
+  fs.writeFileSync(userSecretsPath, header, { mode: 0o600 });
+  ensureSecureFilePermissions(userSecretsPath);
+}
+
 /**
  * Builds a map of hostname to service name from environment config
  * @function buildHostnameToServiceMap
@@ -214,6 +207,7 @@ module.exports = {
   loadPrimaryUserSecrets,
   loadUserSecrets,
   loadDefaultSecrets,
+  ensurePrimaryUserSecretsFileExists,
   buildHostnameToServiceMap,
   resolveUrlPort
 };

package/lib/utils/secrets-validation.js

@@ -63,7 +63,9 @@ function validateSecretsFile(filePath, options = {}) {
   if (!filePath || typeof filePath !== 'string') {
     return { valid: false, errors: ['Path is required'], path: '' };
   }
-  const resolvedPath = path.isAbsolute(filePath) ? filePath : path.resolve(process.cwd(), filePath);
+  // Always normalize to an OS-resolved absolute path. This makes behavior consistent
+  // on Windows when callers pass POSIX-style absolute paths like "/nonexistent/foo".
+  const resolvedPath = path.resolve(filePath);
   if (!fs.existsSync(resolvedPath)) {
     return { valid: false, errors: [`File not found: ${resolvedPath}`], path: resolvedPath };
   }

package/lib/utils/secrets-yaml-preserve.js

@@ -0,0 +1,109 @@
+/**
+ * YAML merge utilities that preserve comments/blank lines for flat secrets files.
+ *
+ * Intended for `secrets.local.yaml` which is typically a simple `key: value` mapping
+ * with user-owned comments. When the file isn't flat (complex YAML), callers should
+ * fall back to a full YAML rewrite.
+ *
+ * @fileoverview Comment-preserving YAML merge helpers
+ */
+
+const keyLineRe = /^(\s*)([^#:\n]+):\s*(.*)$/;
+
+function isCommentOrBlank(line) {
+  const t = line.trim();
+  return !t || t.startsWith('#');
+}
+
+function parseFlatKeyLine(line) {
+  const m = line.match(keyLineRe);
+  if (!m) return null;
+  const indent = m[1] || '';
+  const key = (m[2] || '').trim();
+  const rest = m[3] || '';
+  if (!key) return null;
+  return { indent, key, rest };
+}
+
+function splitInlineComment(rest) {
+  const idx = rest.indexOf(' #');
+  return { inlineComment: idx >= 0 ? rest.slice(idx) : '' };
+}
+
+function formatYamlScalarForFlatLine(yaml, dumpOpts, value) {
+  const dumped = yaml.dump({ _k: value }, dumpOpts);
+  const lines = dumped.split(/\r?\n/).filter(Boolean);
+  if (lines.length !== 1) return null;
+  const idx = lines[0].indexOf(':');
+  if (idx < 0) return null;
+  return lines[0].slice(idx + 1).trimStart();
+}
+
+function appendMissingKeys(out, seen, desiredSecrets, yaml, dumpOpts) {
+  for (const key of Object.keys(desiredSecrets)) {
+    if (seen.has(key)) continue;
+    const scalar = formatYamlScalarForFlatLine(yaml, dumpOpts, desiredSecrets[key]);
+    if (scalar === null) return null;
+    out.push(`${key}: ${scalar}`.trimEnd());
+    seen.add(key);
+  }
+  return out;
+}
+
+function mergeExistingLinesPreservingComments(lines, desiredSecrets, yaml, dumpOpts) {
+  const out = [];
+  const seen = new Set();
+  const encountered = new Set();
+
+  for (const line of lines) {
+    if (isCommentOrBlank(line)) {
+      out.push(line);
+      continue;
+    }
+    const parsed = parseFlatKeyLine(line);
+    if (!parsed) return null;
+    const { indent, key, rest } = parsed;
+
+    if (encountered.has(key)) continue;
+    encountered.add(key);
+
+    if (!Object.prototype.hasOwnProperty.call(desiredSecrets, key)) continue;
+
+    const { inlineComment } = splitInlineComment(rest);
+    const scalar = formatYamlScalarForFlatLine(yaml, dumpOpts, desiredSecrets[key]);
+    if (scalar === null) return null;
+    seen.add(key);
+    out.push(`${indent}${key}: ${scalar}${inlineComment}`.trimEnd());
+  }
+
+  return { out, seen };
+}
+
+/**
+ * Merge a desired flat secrets object into existing file content while preserving comments/blank lines.
+ * Supports deletes: keys present in existing content but absent in desired are removed.
+ *
+ * Returns null when content cannot be treated as a flat key-value file.
+ *
+ * @param {string} existingContent
+ * @param {Record<string, any>} desiredSecrets
+ * @param {{ yaml: any, dumpOpts: any }} yamlCtx
+ * @returns {string|null}
+ */
+function mergeFlatSecretsYamlPreservingComments(existingContent, desiredSecrets, yamlCtx) {
+  if (typeof existingContent !== 'string') return null;
+  if (!desiredSecrets || typeof desiredSecrets !== 'object') return null;
+  if (!yamlCtx || !yamlCtx.yaml) return null;
+
+  const { yaml, dumpOpts } = yamlCtx;
+  const lines = existingContent.split(/\r?\n/);
+  const merged = mergeExistingLinesPreservingComments(lines, desiredSecrets, yaml, dumpOpts);
+  if (!merged) return null;
+
+  const appended = appendMissingKeys(merged.out, merged.seen, desiredSecrets, yaml, dumpOpts);
+  if (appended === null) return null;
+  return appended.join('\n');
+}
+
+module.exports = { mergeFlatSecretsYamlPreservingComments };
+

package/lib/utils/ssh-key-helper.js

@@ -5,6 +5,7 @@
  */
 
 const fs = require('fs');
+const { nodeFs } = require('../internal/node-fs');
 const path = require('path');
 const os = require('os');
 const { execSync } = require('child_process');
@@ -40,9 +41,10 @@ function getDefaultEd25519PrivateKeyPath() {
  * @returns {string} Resolved SSH dir path
  */
 function ensureSshDir(sshDir) {
+  const syncFs = nodeFs();
   const dir = sshDir || getDefaultSshDir();
-  if (!fs.existsSync(dir)) {
-    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  if (!syncFs.existsSync(dir)) {
+    syncFs.mkdirSync(dir, { recursive: true, mode: 0o700 });
   }
   return dir;
 }

package/lib/utils/template-helpers.js

@@ -35,7 +35,7 @@ async function loadTemplateVariables(templateName) {
   } catch (error) {
     // Template application.yaml not found or invalid, continue without it
     if (error.code !== 'ENOENT') {
-      logger.warn(chalk.yellow(`⚠️  Warning: Could not load template application.yaml: ${error.message}`));
+      logger.warn(chalk.yellow(`⚠  Warning: Could not load template application.yaml: ${error.message}`));
     }
     return null;
   }
@@ -125,7 +125,7 @@ async function updateTemplateVariables(appPath, appName, options, config) {
     writeConfigFile(variablesPath, variables);
   } catch (error) {
     if (error.message && !error.message.includes('not found')) {
-      logger.warn(chalk.yellow(`⚠️  Warning: Could not update application config: ${error.message}`));
+      logger.warn(chalk.yellow(`⚠  Warning: Could not update application config: ${error.message}`));
     }
   }
 }

package/lib/utils/test-log-writer.js

@@ -1,5 +1,5 @@
 /**
- * Test log writer - writes debug logs to integration/<appKey>/logs/
+ * Test log writer - writes debug logs to integration/<systemKey>/logs/
  * Sanitization (tokens, secrets) is done by dataplane before responses are returned.
  *
  * @fileoverview Write test request/response logs for debugging
@@ -29,9 +29,9 @@ function sanitizeForLog(obj, seen = new Set()) {
 }
 
 /**
- * Write test log to integration/<appKey>/logs/<logType>-<timestamp>.json
+ * Write test log to integration/<systemKey>/logs/<logType>-<timestamp>.json
  * @async
- * @param {string} appKey - Application key (used for path)
+ * @param {string} appKey - Integration folder name under integration/ (used for path)
  * @param {Object} data - Log data (request, response) - will be sanitized
  * @param {string} [logType] - Log type prefix (default: test-integration)
  * @param {string} [integrationBaseDir] - Base dir for integration (default: cwd/integration)

package/lib/utils/token-manager.js

@@ -10,7 +10,6 @@
  */
 
 const fs = require('fs');
-const path = require('path');
 const yaml = require('js-yaml');
 const config = require('../core/config');
 const logger = require('./logger');
@@ -25,7 +24,7 @@ const { warnRefreshFailureOnce, warnRefreshTokenExpiredOnce } = require('./token
 const DATAPLANE_APP_KEY = 'dataplane';
 
 function getSecretsFilePath() {
-  return path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
+  return pathsUtil.getPrimaryUserSecretsLocalPath();
 }
 
 /**