@aifabrix/builder 2.44.5 → 2.44.6

package/lib/core/secrets-ensure-infra.js

@@ -70,8 +70,41 @@ function getInfraSecretKeysForUpInfra() {
   }
 }
 
+/**
+ * Same merge as runtime `loadSecrets()` (user local + project path + remote shared API + defaults).
+ * Ensures missing-key checks treat remote `--shared` keys as already satisfied.
+ *
+ * @returns {Promise<Object.<string, string>>}
+ */
+async function loadMergedSecretsForEnsureMissingCheck() {
+  const { loadSecrets } = require('./secrets-load');
+  return loadSecrets(undefined);
+}
+
+/**
+ * Default on for writes to the primary user secrets file: consult full {@link loadSecrets} merge so remote
+ * `--shared` keys are not duplicated locally. Opt out with `useMergedSecretsForMissingKeys: false`.
+ *
+ * @param {{ useMergedSecretsForMissingKeys?: boolean }} options
+ * @param {{ type?: string, filePath?: string }} target
+ * @returns {boolean}
+ */
+function shouldUseMergedSecretsForMissingKeys(options, target) {
+  if (options.useMergedSecretsForMissingKeys === false) return false;
+  if (options.useMergedSecretsForMissingKeys === true) return true;
+  if (!target || target.type !== 'file' || !target.filePath) return false;
+  try {
+    const primary = pathsUtil.getPrimaryUserSecretsLocalPath();
+    return path.resolve(target.filePath) === path.resolve(primary);
+  } catch {
+    return false;
+  }
+}
+
 module.exports = {
   buildInfraPlaceholderContext,
   isSecretKeyAllowedEmpty,
-  getInfraSecretKeysForUpInfra
+  getInfraSecretKeysForUpInfra,
+  loadMergedSecretsForEnsureMissingCheck,
+  shouldUseMergedSecretsForMissingKeys
 };

package/lib/core/secrets-ensure.js

@@ -1,10 +1,11 @@
 /**
- * AI Fabrix Builder – Ensure secrets in configured store
+ * AI Fabrix Builder – Ensure secrets in the primary user store
  *
- * Ensures missing secret keys exist in the correct store (file path, remote API, or
- * user secrets file). New values are encrypted when writing to file and
- * secrets-encryption is set. Remote write tries API first; on failure falls back
- * to user file with a warning.
+ * Automated flows (resolve, run, wizard, up-infra backfill) **only** write to
+ * `~/.aifabrix/secrets.local.yaml` (or the path from `getPrimaryUserSecretsLocalPath`).
+ * The shared store (`aifabrix-secrets` file or remote API) is **read** via `loadSecrets()`;
+ * writing there is **human-only** through `aifabrix secret set --shared` (see `commands/secrets-set.js`).
+ * New values are encrypted when secrets-encryption is set.
  *
  * @fileoverview Central ensure-secrets service for zero-touch install
  * @author AI Fabrix Team
@@ -17,6 +18,7 @@ const os = require('os');
 const config = require('./config');
 const pathsUtil = require('../utils/paths');
 const logger = require('../utils/logger');
+const { formatSuccessLine, metadata } = require('../utils/cli-test-layout-chalk');
 const remoteDevAuth = require('../utils/remote-dev-auth');
 const devApi = require('../api/dev.api');
 const {
@@ -31,7 +33,9 @@ const { loadEnvTemplate } = require('../utils/secrets-helpers');
 const {
   buildInfraPlaceholderContext,
   isSecretKeyAllowedEmpty,
-  getInfraSecretKeysForUpInfra
+  getInfraSecretKeysForUpInfra,
+  loadMergedSecretsForEnsureMissingCheck,
+  shouldUseMergedSecretsForMissingKeys
 } = require('./secrets-ensure-infra');
 const { syncLiteralKvSecretsFromCliOverrides } = require('./secrets-infra-placeholder-sync');
 
@@ -59,10 +63,12 @@ function expandTilde(filePath) {
 }
 
 /**
- * Resolve write target from config.
+ * Resolve the **configured** shared store for inspection/validation (e.g. `secret validate` without a path).
+ * This is the `aifabrix-secrets` target (file or remote API), not the default for automated writes.
+ *
  * - File path → that path (expand ~)
- * - http(s) URL → remote (fallback: user file)
- * - No config → user file
+ * - http(s) URL → remote
+ * - No config → primary user secrets file
  *
  * @returns {Promise<{ type: 'file'|'remote', filePath?: string, serverUrl?: string|null, secretsEndpointUrl?: string, clientCertPem?: string|null, serverCaPem?: string|null }>}
  */
@@ -91,6 +97,16 @@ async function resolveWriteTarget() {
   return { type: 'file', filePath };
 }
 
+/**
+ * Default write target for **automated** ensure / `setSecretInStore` (resolve, run, wizard, infra).
+ * Never the shared store; use `aifabrix secret set --shared` to write shared.
+ *
+ * @returns {Promise<{ type: 'file', filePath: string }>}
+ */
+async function resolvePrimaryUserWriteTarget() {
+  return { type: 'file', filePath: pathsUtil.getPrimaryUserSecretsLocalPath() };
+}
+
 /**
  * Load existing secrets from the resolved target (file or remote).
  *
@@ -166,34 +182,36 @@ function valueForKey(key, suggested, emptyForCredentials, placeholderContext) {
 }
 
 /**
- * Add secrets via remote API; on failure write to local file (with encryption if configured).
- * @param {Object} target - Resolved target (remote)
- * @param {string[]} toAdd - Keys to add
- * @param {Object} suggested - Suggested values
- * @param {string[]} added - Array to push added keys to
- * @param {string|null} encryptionKey - Encryption key for file fallback or null
- * @returns {Promise<string[]>}
+ * Short label for logs (file path or remote secrets URL).
+ * @param {{ type?: string, filePath?: string, secretsEndpointUrl?: string }|null} target
+ * @returns {string}
  */
-async function addSecretsRemote(target, toAdd, suggested, added, encryptionKey, placeholderContext) {
-  const emptyForCredentials = false;
-  for (const key of toAdd) {
-    const value = valueForKey(key, suggested, emptyForCredentials, placeholderContext);
-    try {
-      await devApi.addSecret(
-        target.serverUrl,
-        target.clientCertPem,
-        { key, value },
-        target.serverCaPem || undefined,
-        target.secretsEndpointUrl
-      );
-      added.push(key);
-    } catch (err) {
-      logger.warn(`Remote secret "${key}" failed (${err.message}); writing to local file.`);
-      await writeSecretToFile(target.filePath, key, value, encryptionKey);
-      added.push(key);
-    }
+function summarizeSecretsStoreForLog(target) {
+  if (!target || typeof target !== 'object') return 'secrets store';
+  if (target.type === 'remote' && typeof target.secretsEndpointUrl === 'string' && target.secretsEndpointUrl.trim()) {
+    return target.secretsEndpointUrl.trim();
   }
-  return added;
+  if (typeof target.filePath === 'string' && target.filePath.trim()) {
+    return target.filePath.trim();
+  }
+  return 'secrets store';
+}
+
+/**
+ * Log that new values were written for keys that were missing or empty.
+ * @param {string[]} added
+ * @param {{ type?: string, filePath?: string, secretsEndpointUrl?: string }|null} target
+ */
+function logNewSecretValuesWritten(added, target) {
+  if (!Array.isArray(added) || added.length === 0) return;
+  const where = summarizeSecretsStoreForLog(target);
+  logger.log(
+    formatSuccessLine(
+      `Wrote ${added.length} new secret value(s) to ${where}. ` +
+        'These keys were missing or empty; values are now stored.'
+    )
+  );
+  logger.log(metadata(`  Keys: ${added.join(', ')}`));
 }
 
 /**
@@ -223,9 +241,7 @@ async function addSecretsToFile(batch) {
     await writeSecretToFile(filePath, key, value, encryptionKey);
     added.push(key);
   }
-  if (added.length > 0) {
-    logger.log(`✔ Ensured ${added.length} secret key(s): ${added.join(', ')}`);
-  }
+  logNewSecretValuesWritten(added, { type: 'file', filePath });
   return added;
 }
 
@@ -240,6 +256,9 @@ async function addSecretsToFile(batch) {
  * @param {Object} [options] - Options
  * @param {boolean} [options.emptyValuesForCredentials=false] - Use empty string for new values
  * @param {Object} [options.suggestedValues] - Optional map key -> value for specific keys
+ * @param {boolean} [options.useMergedSecretsForMissingKeys] - When true, treat keys present in the full
+ *   `loadSecrets()` merge (including remote `--shared`) as satisfied. When false, only the target store file
+ *   is consulted. When omitted and the target file is the primary user secrets path, merged secrets are used (default).
  * @returns {Promise<string[]>} Keys that were added (new or backfilled)
  * @throws {Error} If config or file write fails
  */
@@ -253,8 +272,11 @@ async function ensureSecretsForKeys(keys, options = {}) {
     : {};
   const placeholderContext = options.placeholderContext;
 
-  const target = options._targetOverride || await resolveWriteTarget();
-  const existing = await loadExistingFromTarget(target);
+  const target = options._targetOverride || (await resolvePrimaryUserWriteTarget());
+  let existing = await loadExistingFromTarget(target);
+  if (shouldUseMergedSecretsForMissingKeys(options, target)) {
+    existing = await loadMergedSecretsForEnsureMissingCheck();
+  }
   const toAdd = keys.filter((k) => {
     const v = existing[k];
     const missingOrEmpty = v === undefined || v === null || (typeof v === 'string' && v.trim() === '');
@@ -265,9 +287,6 @@ async function ensureSecretsForKeys(keys, options = {}) {
   const encryptionKey = await config.getSecretsEncryptionKey();
   const added = [];
 
-  if (target.type === 'remote' && target.serverUrl && target.clientCertPem) {
-    return addSecretsRemote(target, toAdd, suggested, added, encryptionKey, placeholderContext);
-  }
   return addSecretsToFile({
     filePath: target.filePath,
     toAdd,
@@ -288,6 +307,8 @@ async function ensureSecretsForKeys(keys, options = {}) {
  * @param {string} envTemplatePathOrContent - Path to env.template or template content
  * @param {Object} [options] - Options
  * @param {boolean} [options.emptyValuesForCredentials=false] - Use empty string for new values
+ * @param {boolean} [options.useMergedSecretsForMissingKeys] - Same semantics as {@link ensureSecretsForKeys};
+ *   defaults to merged lookup when the write target is the primary user secrets file
  * @returns {Promise<string[]>} Keys that were added
  * @throws {Error} If template cannot be read or ensure fails
  */
@@ -313,9 +334,12 @@ async function ensureSecretsFromEnvTemplate(envTemplatePathOrContent, options =
       : path.resolve(process.cwd(), options.preferredFilePath);
     target = { type: 'file', filePath };
   } else {
-    target = await resolveWriteTarget();
+    target = await resolvePrimaryUserWriteTarget();
+  }
+  let existing = await loadExistingFromTarget(target);
+  if (shouldUseMergedSecretsForMissingKeys(options, target)) {
+    existing = await loadMergedSecretsForEnsureMissingCheck();
   }
-  const existing = await loadExistingFromTarget(target);
   const missingKeys = findMissingSecretKeys(template, existing);
   return ensureSecretsForKeys(missingKeys, { ...options, _targetOverride: target });
 }
@@ -358,29 +382,16 @@ async function writeSecretToStoreFile(filePath, key, strValue) {
  */
 async function setSecretInStore(key, value) {
   if (!key || typeof key !== 'string' || value === undefined) return;
-  const target = await resolveWriteTarget();
   const strValue = typeof value === 'string' ? value : String(value);
-  if (target.type === 'remote' && target.serverUrl && target.clientCertPem) {
-    try {
-      await devApi.addSecret(
-        target.serverUrl,
-        target.clientCertPem,
-        { key, value: strValue },
-        target.serverCaPem || undefined,
-        target.secretsEndpointUrl
-      );
-    } catch (err) {
-      logger.warn(`Could not sync secret "${key}" to remote store: ${err.message}`);
-      const encryptionKey = await config.getSecretsEncryptionKey();
-      await writeSecretToFile(target.filePath, key, strValue, encryptionKey);
-    }
-    return;
-  }
-  await writeSecretToStoreFile(target.filePath, key, strValue);
+  const userPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+  await writeSecretToStoreFile(userPath, key, strValue);
 }
 
 /**
- * Ensure infra secrets exist in the configured store. Call before ensureAdminSecrets or startInfra.
+ * Ensure infra secrets exist before ensureAdminSecrets or startInfra.
+ * Writes go to the primary user secrets file only (same as all **`ensureSecretsForKeys`** / **`setSecretInStore`** paths).
+ * **`kv://` resolution** merges the shared store via **`loadSecrets()`**. To publish a key to shared, use
+ * **`aifabrix secret set --shared`**.
  *
  * @async
  * @function ensureInfraSecrets
@@ -398,11 +409,21 @@ async function setSecretInStore(key, value) {
 async function ensureInfraSecrets(options = {}) {
   const keys = getInfraSecretKeysForUpInfra();
   const placeholderContext = buildInfraPlaceholderContext(options);
-  const added = await ensureSecretsForKeys(keys, { placeholderContext });
+  const userSecretsPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+  const added = await ensureSecretsForKeys(keys, {
+    placeholderContext,
+    _targetOverride: { type: 'file', filePath: userSecretsPath }
+  });
+
+  async function writeInfraPlaceholderLiteralToUserLocal(key, value) {
+    const strValue = typeof value === 'string' ? value : String(value);
+    await writeSecretToStoreFile(userSecretsPath, key, strValue);
+  }
+
   await syncLiteralKvSecretsFromCliOverrides(
     options,
     placeholderContext,
-    setSecretInStore,
+    writeInfraPlaceholderLiteralToUserLocal,
     infraParameterCatalogModule
   );
   return added;
@@ -414,6 +435,7 @@ module.exports = {
   ensureInfraSecrets,
   setSecretInStore,
   resolveWriteTarget,
+  resolvePrimaryUserWriteTarget,
   loadExistingFromTarget,
   getInfraSecretKeysForUpInfra,
   isSecretKeyAllowedEmpty,