npm - @aifabrix/builder - Versions diffs - 2.44.4 → 2.44.6 - Mend

@aifabrix/builder 2.44.4 → 2.44.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (214) hide show

package/.cursor/rules/cli-layout.mdc +1 -1
package/.cursor/rules/project-rules.mdc +1 -1
package/.npmrc.token +1 -1
package/README.md +15 -23
package/integration/hubspot-test/README.md +2 -0
package/integration/hubspot-test/test.js +5 -3
package/jest.projects.js +68 -17
package/lib/api/controller-health.api.js +49 -0
package/lib/api/dimension-values.api.js +82 -0
package/lib/api/dimensions.api.js +114 -0
package/lib/api/external-systems.api.js +1 -0
package/lib/api/integration-clients.api.js +168 -0
package/lib/api/types/dimension-values.types.js +28 -0
package/lib/api/types/dimensions.types.js +31 -0
package/lib/api/types/integration-clients.types.js +45 -0
package/lib/api/types/wizard.types.js +2 -1
package/lib/api/validation-runner.js +46 -25
package/lib/app/deploy-config.js +11 -1
package/lib/app/deploy-status-display.js +3 -3
package/lib/app/deploy.js +36 -14
package/lib/app/display.js +15 -11
package/lib/app/push.js +46 -23
package/lib/app/register.js +1 -1
package/lib/app/restart-display.js +95 -0
package/lib/app/rotate-secret.js +1 -1
package/lib/app/run-container-start.js +12 -6
package/lib/app/run-env-compose.js +30 -1
package/lib/app/run-helpers.js +44 -12
package/lib/app/run-reload-sync.js +148 -0
package/lib/app/run-resolve-image.js +51 -1
package/lib/app/run.js +99 -73
package/lib/build/index.js +75 -45
package/lib/cli/doctor-check.js +117 -0
package/lib/cli/index.js +8 -2
package/lib/cli/infra-guided.js +445 -0
package/lib/cli/setup-app.help.js +1 -1
package/lib/cli/setup-app.js +20 -2
package/lib/cli/setup-app.test-commands.js +9 -5
package/lib/cli/setup-auth.js +26 -0
package/lib/cli/setup-dev-path-commands.js +50 -3
package/lib/cli/setup-infra.js +138 -61
package/lib/cli/setup-integration-client.js +182 -0
package/lib/cli/setup-parameters.js +21 -2
package/lib/cli/setup-platform.js +102 -0
package/lib/cli/setup-secrets.js +18 -6
package/lib/cli/setup-utility.js +97 -33
package/lib/commands/datasource-capability-dimension-cli.js +128 -0
package/lib/commands/datasource-capability-output.js +29 -0
package/lib/commands/datasource-capability-relate-cli.js +140 -0
package/lib/commands/datasource-capability.js +411 -0
package/lib/commands/datasource-unified-test-cli.options.js +1 -1
package/lib/commands/datasource.js +53 -13
package/lib/commands/dev-down.js +3 -3
package/lib/commands/dev-infra-gate.js +32 -0
package/lib/commands/dev-init.js +13 -7
package/lib/commands/dimension-value.js +179 -0
package/lib/commands/dimension.js +330 -0
package/lib/commands/integration-client.js +430 -0
package/lib/commands/login-device.js +65 -30
package/lib/commands/login.js +21 -10
package/lib/commands/parameters-validate.js +78 -13
package/lib/commands/repair-datasource-auto-rbac.js +166 -0
package/lib/commands/repair-datasource-keys.js +10 -5
package/lib/commands/repair-datasource.js +19 -7
package/lib/commands/repair-env-template.js +4 -1
package/lib/commands/repair-openapi-sync.js +172 -0
package/lib/commands/repair-persist.js +102 -0
package/lib/commands/repair-rbac-extract.js +27 -0
package/lib/commands/repair-rbac-migrate.js +186 -0
package/lib/commands/repair-rbac.js +225 -19
package/lib/commands/repair-system-alignment.js +246 -0
package/lib/commands/repair-system-permissions.js +168 -0
package/lib/commands/repair.js +120 -354
package/lib/commands/secure.js +1 -1
package/lib/commands/setup-modes.js +455 -0
package/lib/commands/setup-prompts.js +388 -0
package/lib/commands/setup.js +149 -0
package/lib/commands/teardown.js +228 -0
package/lib/commands/test-e2e-external.js +4 -3
package/lib/commands/up-common.js +97 -12
package/lib/commands/up-dataplane.js +33 -11
package/lib/commands/up-miso.js +7 -11
package/lib/commands/upload.js +109 -23
package/lib/commands/wizard-core-helpers.js +14 -11
package/lib/commands/wizard-core.js +58 -15
package/lib/commands/wizard-dataplane.js +2 -2
package/lib/commands/wizard-entity-selection.js +72 -14
package/lib/commands/wizard-headless.js +7 -3
package/lib/commands/wizard-helpers.js +13 -1
package/lib/commands/wizard.js +210 -61
package/lib/constants/infra-compose-service-names.js +40 -0
package/lib/core/env-reader.js +16 -3
package/lib/core/secrets-admin-env.js +101 -0
package/lib/core/secrets-ensure-infra.js +34 -1
package/lib/core/secrets-ensure.js +88 -66
package/lib/core/secrets-env-content.js +432 -0
package/lib/core/secrets-env-write.js +27 -1
package/lib/core/secrets-load.js +248 -0
package/lib/core/secrets-names.js +32 -0
package/lib/core/secrets.js +17 -757
package/lib/datasource/capability/basic-exposure.js +76 -0
package/lib/datasource/capability/capability-diff-slice.js +41 -0
package/lib/datasource/capability/capability-key.js +34 -0
package/lib/datasource/capability/capability-resolve.js +172 -0
package/lib/datasource/capability/capability-storage-keys.js +22 -0
package/lib/datasource/capability/copy-operations.js +348 -0
package/lib/datasource/capability/copy-test-payload.js +139 -0
package/lib/datasource/capability/create-operations.js +235 -0
package/lib/datasource/capability/dimension-operations.js +151 -0
package/lib/datasource/capability/dimension-validate.js +219 -0
package/lib/datasource/capability/json-pointer.js +31 -0
package/lib/datasource/capability/reference-rewrite.js +51 -0
package/lib/datasource/capability/relate-operations.js +325 -0
package/lib/datasource/capability/relate-validate.js +219 -0
package/lib/datasource/capability/remove-operations.js +275 -0
package/lib/datasource/capability/run-capability-copy.js +152 -0
package/lib/datasource/capability/run-capability-diff.js +135 -0
package/lib/datasource/capability/run-capability-dimension.js +291 -0
package/lib/datasource/capability/run-capability-edit.js +377 -0
package/lib/datasource/capability/run-capability-relate.js +193 -0
package/lib/datasource/capability/run-capability-remove.js +105 -0
package/lib/datasource/capability/templates/minimal-fetch.json +18 -0
package/lib/datasource/capability/validate-capability-slice.js +35 -0
package/lib/datasource/list.js +136 -23
package/lib/datasource/log-viewer.js +2 -4
package/lib/datasource/unified-validation-run.js +51 -16
package/lib/datasource/validate.js +53 -1
package/lib/deployment/deploy-poll-ui.js +60 -0
package/lib/deployment/deployer-status.js +29 -3
package/lib/deployment/deployer.js +48 -30
package/lib/deployment/environment.js +7 -2
package/lib/deployment/poll-interval.js +72 -0
package/lib/deployment/push.js +11 -9
package/lib/external-system/deploy.js +4 -1
package/lib/external-system/download.js +61 -32
package/lib/external-system/sync-deploy-manifest.js +33 -0
package/lib/generator/wizard-prompts.js +7 -1
package/lib/generator/wizard.js +34 -0
package/lib/infrastructure/index.js +49 -19
package/lib/infrastructure/orphan-infra-docker-teardown.js +177 -0
package/lib/parameters/infra-kv-discovery.js +29 -4
package/lib/parameters/infra-parameter-catalog.js +6 -3
package/lib/parameters/infra-parameter-validate.js +67 -19
package/lib/resolvers/datasource-resolver.js +53 -0
package/lib/resolvers/dimension-file.js +52 -0
package/lib/resolvers/manifest-resolver.js +133 -0
package/lib/schema/external-datasource.schema.json +183 -53
package/lib/schema/external-system.schema.json +23 -10
package/lib/schema/infra.parameter.yaml +26 -11
package/lib/schema/wizard-config.schema.json +2 -2
package/lib/utils/aifabrix-config-dir-walk.js +40 -0
package/lib/utils/aifabrix-runtime-config-dir.js +26 -3
package/lib/utils/app-run-containers.js +2 -2
package/lib/utils/bash-secret-env.js +59 -0
package/lib/utils/cli-secrets-error-format.js +78 -0
package/lib/utils/cli-test-layout-chalk.js +31 -9
package/lib/utils/cli-utils.js +4 -36
package/lib/utils/datasource-test-run-display.js +8 -0
package/lib/utils/dev-hosts-helper.js +3 -2
package/lib/utils/dev-init-ssh-merge.js +2 -1
package/lib/utils/docker-build.js +17 -9
package/lib/utils/docker-reload-mount.js +127 -0
package/lib/utils/external-readme.js +117 -4
package/lib/utils/external-system-local-test-tty.js +3 -2
package/lib/utils/external-system-readiness-core.js +45 -12
package/lib/utils/external-system-readiness-deploy-display.js +3 -3
package/lib/utils/external-system-readiness-display-internals.js +33 -3
package/lib/utils/external-system-readiness-display.js +10 -1
package/lib/utils/file-upload.js +40 -3
package/lib/utils/health-check-db-init.js +107 -0
package/lib/utils/health-check-public-warn.js +69 -0
package/lib/utils/health-check-url.js +19 -4
package/lib/utils/health-check.js +135 -105
package/lib/utils/help-builder.js +5 -1
package/lib/utils/image-name.js +34 -7
package/lib/utils/integration-file-backup.js +74 -0
package/lib/utils/mutagen-install.js +30 -3
package/lib/utils/paths.js +108 -25
package/lib/utils/postgres-wipe.js +212 -0
package/lib/utils/register-aifabrix-shell-env.js +15 -0
package/lib/utils/remote-dev-auth.js +21 -5
package/lib/utils/remote-docker-env.js +9 -1
package/lib/utils/remote-secrets-loader.js +42 -3
package/lib/utils/resolve-docker-image-ref.js +9 -3
package/lib/utils/secrets-ancestor-paths.js +47 -0
package/lib/utils/secrets-helpers.js +17 -10
package/lib/utils/secrets-kv-refs.js +42 -0
package/lib/utils/secrets-kv-scope.js +19 -2
package/lib/utils/secrets-materialize-local.js +134 -0
package/lib/utils/secrets-path.js +24 -10
package/lib/utils/secrets-utils.js +2 -2
package/lib/utils/system-builder-root.js +34 -0
package/lib/utils/url-declarative-resolve-build.js +6 -1
package/lib/utils/url-declarative-runtime-base-path.js +32 -0
package/lib/utils/url-declarative-vdir-inactive-env.js +2 -1
package/lib/utils/urls-local-registry.js +73 -20
package/lib/utils/validation-poll-ui.js +81 -0
package/lib/utils/validation-run-poll.js +29 -5
package/lib/utils/with-muted-logger.js +53 -0
package/package.json +1 -1
package/templates/applications/dataplane/application.yaml +1 -1
package/templates/applications/dataplane/rbac.yaml +10 -10
package/templates/applications/keycloak/env.template +8 -6
package/templates/applications/miso-controller/application.yaml +7 -0
package/templates/applications/miso-controller/env.template +7 -7
package/templates/applications/miso-controller/rbac.yaml +9 -9
package/templates/external-system/README.md.hbs +89 -102
package/.nyc_output/55e9d034-ddab-4579-a706-e02a91d75c91.json +0 -1
package/.nyc_output/processinfo/55e9d034-ddab-4579-a706-e02a91d75c91.json +0 -1
package/.nyc_output/processinfo/index.json +0 -1
package/lib/api/service-users.api.js +0 -150
package/lib/api/types/service-users.types.js +0 -65
package/lib/cli/setup-service-user.js +0 -187
package/lib/commands/service-user.js +0 -429

package/lib/core/secrets-ensure.js CHANGED Viewed

@@ -1,10 +1,11 @@
 /**
- * AI Fabrix Builder – Ensure secrets in configured store
+ * AI Fabrix Builder – Ensure secrets in the primary user store
  *
- * Ensures missing secret keys exist in the correct store (file path, remote API, or
- * user secrets file). New values are encrypted when writing to file and
- * secrets-encryption is set. Remote write tries API first; on failure falls back
- * to user file with a warning.
+ * Automated flows (resolve, run, wizard, up-infra backfill) **only** write to
+ * `~/.aifabrix/secrets.local.yaml` (or the path from `getPrimaryUserSecretsLocalPath`).
+ * The shared store (`aifabrix-secrets` file or remote API) is **read** via `loadSecrets()`;
+ * writing there is **human-only** through `aifabrix secret set --shared` (see `commands/secrets-set.js`).
+ * New values are encrypted when secrets-encryption is set.
  *
  * @fileoverview Central ensure-secrets service for zero-touch install
  * @author AI Fabrix Team
@@ -17,6 +18,7 @@ const os = require('os');
 const config = require('./config');
 const pathsUtil = require('../utils/paths');
 const logger = require('../utils/logger');
+const { formatSuccessLine, metadata } = require('../utils/cli-test-layout-chalk');
 const remoteDevAuth = require('../utils/remote-dev-auth');
 const devApi = require('../api/dev.api');
 const {
@@ -31,7 +33,9 @@ const { loadEnvTemplate } = require('../utils/secrets-helpers');
 const {
   buildInfraPlaceholderContext,
   isSecretKeyAllowedEmpty,
-  getInfraSecretKeysForUpInfra
+  getInfraSecretKeysForUpInfra,
+  loadMergedSecretsForEnsureMissingCheck,
+  shouldUseMergedSecretsForMissingKeys
 } = require('./secrets-ensure-infra');
 const { syncLiteralKvSecretsFromCliOverrides } = require('./secrets-infra-placeholder-sync');
@@ -59,10 +63,12 @@ function expandTilde(filePath) {
 }
 /**
- * Resolve write target from config.
+ * Resolve the **configured** shared store for inspection/validation (e.g. `secret validate` without a path).
+ * This is the `aifabrix-secrets` target (file or remote API), not the default for automated writes.
+ *
  * - File path → that path (expand ~)
- * - http(s) URL → remote (fallback: user file)
- * - No config → user file
+ * - http(s) URL → remote
+ * - No config → primary user secrets file
  *
  * @returns {Promise<{ type: 'file'|'remote', filePath?: string, serverUrl?: string|null, secretsEndpointUrl?: string, clientCertPem?: string|null, serverCaPem?: string|null }>}
  */
@@ -91,6 +97,16 @@ async function resolveWriteTarget() {
   return { type: 'file', filePath };
 }
+/**
+ * Default write target for **automated** ensure / `setSecretInStore` (resolve, run, wizard, infra).
+ * Never the shared store; use `aifabrix secret set --shared` to write shared.
+ *
+ * @returns {Promise<{ type: 'file', filePath: string }>}
+ */
+async function resolvePrimaryUserWriteTarget() {
+  return { type: 'file', filePath: pathsUtil.getPrimaryUserSecretsLocalPath() };
+}
 /**
  * Load existing secrets from the resolved target (file or remote).
  *
@@ -166,34 +182,36 @@ function valueForKey(key, suggested, emptyForCredentials, placeholderContext) {
 }
 /**
- * Add secrets via remote API; on failure write to local file (with encryption if configured).
- * @param {Object} target - Resolved target (remote)
- * @param {string[]} toAdd - Keys to add
- * @param {Object} suggested - Suggested values
- * @param {string[]} added - Array to push added keys to
- * @param {string|null} encryptionKey - Encryption key for file fallback or null
- * @returns {Promise<string[]>}
+ * Short label for logs (file path or remote secrets URL).
+ * @param {{ type?: string, filePath?: string, secretsEndpointUrl?: string }|null} target
+ * @returns {string}
  */
-async function addSecretsRemote(target, toAdd, suggested, added, encryptionKey, placeholderContext) {
-  const emptyForCredentials = false;
-  for (const key of toAdd) {
-    const value = valueForKey(key, suggested, emptyForCredentials, placeholderContext);
-    try {
-      await devApi.addSecret(
-        target.serverUrl,
-        target.clientCertPem,
-        { key, value },
-        target.serverCaPem || undefined,
-        target.secretsEndpointUrl
-      );
-      added.push(key);
-    } catch (err) {
-      logger.warn(`Remote secret "${key}" failed (${err.message}); writing to local file.`);
-      await writeSecretToFile(target.filePath, key, value, encryptionKey);
-      added.push(key);
-    }
+function summarizeSecretsStoreForLog(target) {
+  if (!target || typeof target !== 'object') return 'secrets store';
+  if (target.type === 'remote' && typeof target.secretsEndpointUrl === 'string' && target.secretsEndpointUrl.trim()) {
+    return target.secretsEndpointUrl.trim();
   }
-  return added;
+  if (typeof target.filePath === 'string' && target.filePath.trim()) {
+    return target.filePath.trim();
+  }
+  return 'secrets store';
+}
+/**
+ * Log that new values were written for keys that were missing or empty.
+ * @param {string[]} added
+ * @param {{ type?: string, filePath?: string, secretsEndpointUrl?: string }|null} target
+ */
+function logNewSecretValuesWritten(added, target) {
+  if (!Array.isArray(added) || added.length === 0) return;
+  const where = summarizeSecretsStoreForLog(target);
+  logger.log(
+    formatSuccessLine(
+      `Wrote ${added.length} new secret value(s) to ${where}. ` +
+        'These keys were missing or empty; values are now stored.'
+    )
+  );
+  logger.log(metadata(`  Keys: ${added.join(', ')}`));
 }
 /**
@@ -223,9 +241,7 @@ async function addSecretsToFile(batch) {
     await writeSecretToFile(filePath, key, value, encryptionKey);
     added.push(key);
   }
-  if (added.length > 0) {
-    logger.log(`✔ Ensured ${added.length} secret key(s): ${added.join(', ')}`);
-  }
+  logNewSecretValuesWritten(added, { type: 'file', filePath });
   return added;
 }
@@ -240,6 +256,9 @@ async function addSecretsToFile(batch) {
  * @param {Object} [options] - Options
  * @param {boolean} [options.emptyValuesForCredentials=false] - Use empty string for new values
  * @param {Object} [options.suggestedValues] - Optional map key -> value for specific keys
+ * @param {boolean} [options.useMergedSecretsForMissingKeys] - When true, treat keys present in the full
+ *   `loadSecrets()` merge (including remote `--shared`) as satisfied. When false, only the target store file
+ *   is consulted. When omitted and the target file is the primary user secrets path, merged secrets are used (default).
  * @returns {Promise<string[]>} Keys that were added (new or backfilled)
  * @throws {Error} If config or file write fails
  */
@@ -253,8 +272,11 @@ async function ensureSecretsForKeys(keys, options = {}) {
     : {};
   const placeholderContext = options.placeholderContext;
-  const target = options._targetOverride || await resolveWriteTarget();
-  const existing = await loadExistingFromTarget(target);
+  const target = options._targetOverride || (await resolvePrimaryUserWriteTarget());
+  let existing = await loadExistingFromTarget(target);
+  if (shouldUseMergedSecretsForMissingKeys(options, target)) {
+    existing = await loadMergedSecretsForEnsureMissingCheck();
+  }
   const toAdd = keys.filter((k) => {
     const v = existing[k];
     const missingOrEmpty = v === undefined || v === null || (typeof v === 'string' && v.trim() === '');
@@ -265,9 +287,6 @@ async function ensureSecretsForKeys(keys, options = {}) {
   const encryptionKey = await config.getSecretsEncryptionKey();
   const added = [];
-  if (target.type === 'remote' && target.serverUrl && target.clientCertPem) {
-    return addSecretsRemote(target, toAdd, suggested, added, encryptionKey, placeholderContext);
-  }
   return addSecretsToFile({
     filePath: target.filePath,
     toAdd,
@@ -288,6 +307,8 @@ async function ensureSecretsForKeys(keys, options = {}) {
  * @param {string} envTemplatePathOrContent - Path to env.template or template content
  * @param {Object} [options] - Options
  * @param {boolean} [options.emptyValuesForCredentials=false] - Use empty string for new values
+ * @param {boolean} [options.useMergedSecretsForMissingKeys] - Same semantics as {@link ensureSecretsForKeys};
+ *   defaults to merged lookup when the write target is the primary user secrets file
  * @returns {Promise<string[]>} Keys that were added
  * @throws {Error} If template cannot be read or ensure fails
  */
@@ -313,9 +334,12 @@ async function ensureSecretsFromEnvTemplate(envTemplatePathOrContent, options =
       : path.resolve(process.cwd(), options.preferredFilePath);
     target = { type: 'file', filePath };
   } else {
-    target = await resolveWriteTarget();
+    target = await resolvePrimaryUserWriteTarget();
+  }
+  let existing = await loadExistingFromTarget(target);
+  if (shouldUseMergedSecretsForMissingKeys(options, target)) {
+    existing = await loadMergedSecretsForEnsureMissingCheck();
   }
-  const existing = await loadExistingFromTarget(target);
   const missingKeys = findMissingSecretKeys(template, existing);
   return ensureSecretsForKeys(missingKeys, { ...options, _targetOverride: target });
 }
@@ -358,29 +382,16 @@ async function writeSecretToStoreFile(filePath, key, strValue) {
  */
 async function setSecretInStore(key, value) {
   if (!key || typeof key !== 'string' || value === undefined) return;
-  const target = await resolveWriteTarget();
   const strValue = typeof value === 'string' ? value : String(value);
-  if (target.type === 'remote' && target.serverUrl && target.clientCertPem) {
-    try {
-      await devApi.addSecret(
-        target.serverUrl,
-        target.clientCertPem,
-        { key, value: strValue },
-        target.serverCaPem || undefined,
-        target.secretsEndpointUrl
-      );
-    } catch (err) {
-      logger.warn(`Could not sync secret "${key}" to remote store: ${err.message}`);
-      const encryptionKey = await config.getSecretsEncryptionKey();
-      await writeSecretToFile(target.filePath, key, strValue, encryptionKey);
-    }
-    return;
-  }
-  await writeSecretToStoreFile(target.filePath, key, strValue);
+  const userPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+  await writeSecretToStoreFile(userPath, key, strValue);
 }
 /**
- * Ensure infra secrets exist in the configured store. Call before ensureAdminSecrets or startInfra.
+ * Ensure infra secrets exist before ensureAdminSecrets or startInfra.
+ * Writes go to the primary user secrets file only (same as all **`ensureSecretsForKeys`** / **`setSecretInStore`** paths).
+ * **`kv://` resolution** merges the shared store via **`loadSecrets()`**. To publish a key to shared, use
+ * **`aifabrix secret set --shared`**.
  *
  * @async
  * @function ensureInfraSecrets
@@ -398,11 +409,21 @@ async function setSecretInStore(key, value) {
 async function ensureInfraSecrets(options = {}) {
   const keys = getInfraSecretKeysForUpInfra();
   const placeholderContext = buildInfraPlaceholderContext(options);
-  const added = await ensureSecretsForKeys(keys, { placeholderContext });
+  const userSecretsPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+  const added = await ensureSecretsForKeys(keys, {
+    placeholderContext,
+    _targetOverride: { type: 'file', filePath: userSecretsPath }
+  });
+  async function writeInfraPlaceholderLiteralToUserLocal(key, value) {
+    const strValue = typeof value === 'string' ? value : String(value);
+    await writeSecretToStoreFile(userSecretsPath, key, strValue);
+  }
   await syncLiteralKvSecretsFromCliOverrides(
     options,
     placeholderContext,
-    setSecretInStore,
+    writeInfraPlaceholderLiteralToUserLocal,
     infraParameterCatalogModule
   );
   return added;
@@ -414,6 +435,7 @@ module.exports = {
   ensureInfraSecrets,
   setSecretInStore,
   resolveWriteTarget,
+  resolvePrimaryUserWriteTarget,
   loadExistingFromTarget,
   getInfraSecretKeysForUpInfra,
   isSecretKeyAllowedEmpty,