@aifabrix/builder 2.44.5 → 2.45.0

package/lib/commands/app-logs.js

@@ -15,6 +15,7 @@ const containerHelpers = require('../utils/app-run-containers');
 const { validateAppName } = require('../app/push');
 
 const { execWithDockerEnv } = require('../utils/docker-exec');
+const { maskEnvLine } = require('../utils/log-redaction');
 
 /** Default number of log lines */
 const DEFAULT_TAIL_LINES = 100;
@@ -43,36 +44,11 @@ const LEVEL_JSON_NUMERIC_REGEX = /"level"\s*:\s*(\d+)/;
 /** Fallback: line contains whole-word "error" or "Error" when no other level detected (catches stack traces, "Error: msg", etc.) */
 const ERROR_WORD_FALLBACK_REGEX = /\berror\b/i;
 
-/** Env key patterns that indicate a secret (mask value) */
-const SECRET_KEY_PATTERN = /password|secret|token|credential|api[_-]?key/i;
+/** Keycloak / Java style: validation failure without the word "error" (would be dropped by `-l error` otherwise) */
+const VALIDATION_FAILURE_LINE_REGEX = /\bvalidation\s+failed\b/i;
 
-/** Prefixes to strip before checking key (avoids masking KEYCLOAK_SERVER_URL etc.) */
-const KEY_PREFIXES_TO_STRIP = /^KEYCLOAK_|^KEY_VAULT_/;
-
-/** URL with embedded credentials: scheme://user:password@host → scheme://user:***@host */
-const URL_CREDENTIAL_PATTERN = /(\w+:\/\/)([^:@]*):([^@]+)@/g;
-
-/**
- * Masks a single env line if the key looks like a secret or value contains URL credentials
- * @param {string} line - Line in form KEY=value
- * @returns {string} Same line or KEY=*** or value with masked URL credentials
- */
-function maskEnvLine(line) {
-  const eq = line.indexOf('=');
-  if (eq <= 0) return line;
-  const key = line.slice(0, eq);
-  const value = line.slice(eq + 1);
-
-  const keyForCheck = key.replace(KEY_PREFIXES_TO_STRIP, '');
-  const isSecretKey = SECRET_KEY_PATTERN.test(keyForCheck);
-
-  const maskedValue = value.replace(URL_CREDENTIAL_PATTERN, '$1$2:***@');
-  const hasUrlCredentials = maskedValue !== value;
-
-  if (isSecretKey) return `${key}=***`;
-  if (hasUrlCredentials) return `${key}=${maskedValue}`;
-  return line;
-}
+/** Other failure phrases treated as error severity for level filtering */
+const FAILURE_PHRASE_AS_ERROR_REGEX = /\b(fatal|failed to run|unable to (start|run)|exception in thread)\b/i;
 
 /** Normalize level string to canonical 'debug'|'info'|'warn'|'error'. */
 function normalizeLevel(raw) {
@@ -104,9 +80,66 @@ function getLogLevel(line) {
   const jsonNum = line.match(LEVEL_JSON_NUMERIC_REGEX);
   if (jsonNum) return numericLevelToName(parseInt(jsonNum[1], 10));
   if (ERROR_WORD_FALLBACK_REGEX.test(line)) return 'error';
+  if (VALIDATION_FAILURE_LINE_REGEX.test(line)) return 'error';
+  if (FAILURE_PHRASE_AS_ERROR_REGEX.test(line)) return 'error';
+  return null;
+}
+
+/** Lines after an `error`-level line often have no level prefix (e.g. Keycloak config validation details). */
+const ERROR_FILTER_CONTEXT_UNCLASSIFIED_MAX = 50;
+
+/**
+ * Whether to show a log line when `--level` filtering is on. After an emitted error line, includes
+ * up to {@link ERROR_FILTER_CONTEXT_UNCLASSIFIED_MAX} following lines with no parseable level so
+ * stack traces and multi-line validation output are not dropped.
+ *
+ * @param {string} line
+ * @param {string|null} minLevel - normalized LOG_LEVELS value or null
+ * @param {{ pendingAfterError: number }} state - mutable; only used when minLevel is `error`
+ * @returns {boolean}
+ */
+/**
+ * @param {string|null} level
+ * @param {string} minLevel
+ * @param {{ pendingAfterError: number }} state
+ * @returns {boolean|null} true if line shown by sticky rule; null to continue
+ */
+function tryStickyErrorContinuation(level, minLevel, state) {
+  if (minLevel !== 'error' || state.pendingAfterError <= 0) {
+    return null;
+  }
+  if (level === null || level === undefined) {
+    state.pendingAfterError -= 1;
+    return true;
+  }
+  if (level !== 'error') {
+    state.pendingAfterError = 0;
+  }
   return null;
 }
 
+function shouldShowFilteredLogLine(line, minLevel, state) {
+  if (minLevel === null || minLevel === undefined || minLevel === '' || !LOG_LEVELS.includes(minLevel)) {
+    return true;
+  }
+  if (line.trim() === '' && minLevel === 'error' && state.pendingAfterError > 0) {
+    return true;
+  }
+  const level = getLogLevel(line);
+  const sticky = tryStickyErrorContinuation(level, minLevel, state);
+  if (sticky === true) {
+    return true;
+  }
+
+  if (passesLevelFilter(level, minLevel)) {
+    if (minLevel === 'error' && level === 'error') {
+      state.pendingAfterError = ERROR_FILTER_CONTEXT_UNCLASSIFIED_MAX;
+    }
+    return true;
+  }
+  return false;
+}
+
 /**
  * Whether a line's level passes the minimum level filter (show this level and above).
  * @param {string|null} lineLevel - Level from getLogLevel (null treated as 'info')
@@ -143,7 +176,12 @@ async function dumpMaskedEnv(containerName) {
     lines.forEach((line) => logger.log(maskEnvLine(line)));
     logger.log(chalk.gray('\n--- Logs ---\n'));
   } catch (err) {
-    logger.log(chalk.gray('(Could not read container env; container may be stopped)\n'));
+    logger.log(
+      chalk.gray(
+        '(Could not read container env — the container may be stopped, restarting, or not ready yet. ' +
+          'Docker log output below is still shown.)\n'
+      )
+    );
   }
 }
 
@@ -175,8 +213,9 @@ async function runDockerLogs(containerName, options) {
     const proc = spawn('docker', args, { stdio: ['inherit', 'pipe', 'pipe'], env: dockerEnv });
     proc.on('error', reject);
 
+    const filterState = { pendingAfterError: 0 };
     function onLine(line) {
-      if (passesLevelFilter(getLogLevel(line), minLevel)) {
+      if (shouldShowFilteredLogLine(line, minLevel, filterState)) {
         process.stdout.write(line + '\n');
       }
     }
@@ -241,8 +280,11 @@ async function runDockerLogsFollow(containerName, tail, minLevel) {
     logger.log(chalk.red(`Error: ${err.message}`));
     process.exit(1);
   });
+  const filterState = { pendingAfterError: 0 };
   function onLine(line) {
-    if (passesLevelFilter(getLogLevel(line), level)) process.stdout.write(line + '\n');
+    if (shouldShowFilteredLogLine(line, level, filterState)) {
+      process.stdout.write(line + '\n');
+    }
   }
   const rlOut = readline.createInterface({ input: proc.stdout, crlfDelay: Infinity });
   rlOut.on('line', onLine);
@@ -301,4 +343,10 @@ async function runAppLogs(appKey, options = {}) {
   }
 }
 
-module.exports = { runAppLogs, maskEnvLine, getLogLevel, passesLevelFilter };
+module.exports = {
+  runAppLogs,
+  maskEnvLine,
+  getLogLevel,
+  passesLevelFilter,
+  shouldShowFilteredLogLine
+};

package/lib/commands/auth-config.js

@@ -8,53 +8,144 @@
  * @version 2.0.0
  */
 
+const chalk = require('chalk');
 const { formatBlockingError, formatSuccessLine } = require('../utils/cli-test-layout-chalk');
 const {
   setControllerUrl,
   setCurrentEnvironment,
-  getControllerUrl
+  getControllerUrl,
+  getRegisteredControllerUrls,
+  getConfig
 } = require('../core/config');
 const {
   validateControllerUrl,
   validateEnvironment,
   checkUserLoggedIn
 } = require('../utils/auth-config-validator');
-const { getControllerUrlFromLoggedInUser } = require('../utils/controller-url');
+const { hasStoredDeviceTokenForController } = require('../utils/controller-url');
 const logger = require('../utils/logger');
 
+/**
+ * True when user ran --set-controller with no URL (pick from config.yaml).
+ * @param {unknown} setController - Commander option value
+ * @returns {boolean}
+ */
+function isInteractiveControllerPick(setController) {
+  return (
+    setController === true ||
+    (typeof setController === 'string' && setController.trim() === '')
+  );
+}
+
+/**
+ * True when a non-empty controller URL string was passed.
+ * @param {unknown} setController - Commander option value
+ * @returns {boolean}
+ */
+function hasExplicitControllerUrl(setController) {
+  return typeof setController === 'string' && setController.trim() !== '';
+}
+
+/**
+ * Normalize controller URL for equality checks (trailing slashes).
+ * @param {string|null|undefined} url - URL or empty
+ * @returns {string}
+ */
+function normalizeForCompare(url) {
+  if (!url || typeof url !== 'string') return '';
+  return url.trim().replace(/\/+$/, '');
+}
+
+function throwNoRegisteredControllers() {
+  const msg =
+    'No controllers are registered in config. Run "aifabrix login" first, or set a controller with "aifabrix auth --set-controller <url>".';
+  logger.error(formatBlockingError(msg));
+  throw new Error(msg);
+}
+
+function throwNonInteractiveControllerPick() {
+  const msg =
+    'Cannot choose a controller without a URL in non-interactive mode. Run: aifabrix auth --set-controller <url>';
+  logger.error(formatBlockingError(msg));
+  throw new Error(msg);
+}
+
+/**
+ * Pick default controller from URLs in config (`controller` + `device` keys), or set the only one.
+ * @async
+ * @returns {Promise<void>}
+ */
+async function handleSelectRegisteredController() {
+  const urls = await getRegisteredControllerUrls();
+
+  if (urls.length === 0) {
+    throwNoRegisteredControllers();
+  }
+
+  if (!process.stdin.isTTY) {
+    throwNonInteractiveControllerPick();
+  }
+
+  if (urls.length === 1) {
+    const sole = urls[0];
+    const current = await getControllerUrl();
+    if (normalizeForCompare(current) === normalizeForCompare(sole)) {
+      logger.log(formatSuccessLine(`Default controller is already set to ${sole}.`));
+      logger.log(
+        chalk.white('To add another controller, run: aifabrix auth --set-controller <url>')
+      );
+      return;
+    }
+    await handleSetController(sole);
+    return;
+  }
+
+  const inquirer = require('inquirer');
+  const { controllerUrl } = await inquirer.prompt([
+    {
+      type: 'list',
+      name: 'controllerUrl',
+      message: 'Select default controller:',
+      choices: urls
+    }
+  ]);
+  await handleSetController(controllerUrl);
+}
+
 /**
  * Handle set-controller command
- * Allows setting the default controller when no credentials are stored, or when already logged in to that controller.
- * If credentials exist for a different controller, throws with a clear message.
+ * Allows setting the default controller when there are no device tokens, or when a token exists
+ * for the target URL (including switching among multiple logged-in controllers). If device tokens
+ * exist only for other controller URLs, throws with a clear message.
  *
  * @async
  * @function handleSetController
  * @param {string} url - Controller URL to set
  * @returns {Promise<void>}
- * @throws {Error} If validation fails or credentials exist for another controller
+ * @throws {Error} If validation fails or credentials exist only for other controllers
  */
 async function handleSetController(url) {
   try {
     validateControllerUrl(url);
     const normalizedUrl = url.trim().replace(/\/+$/, '');
 
-    const loggedInControllerUrl = await getControllerUrlFromLoggedInUser();
-    if (!loggedInControllerUrl) {
-      // No stored credentials: allow setting controller so "aifabrix login" opens the right place
-      await setControllerUrl(url);
-      logger.log(formatSuccessLine(`Controller URL set to: ${url}`));
-      return;
-    }
+    const userConfig = await getConfig();
+    const device =
+      userConfig.device && typeof userConfig.device === 'object' ? userConfig.device : {};
+    const deviceKeys = Object.keys(device);
+    const hasTokenForTarget = await hasStoredDeviceTokenForController(normalizedUrl);
 
-    const normalizedLoggedIn = loggedInControllerUrl.trim().replace(/\/+$/, '');
-    if (normalizedLoggedIn === normalizedUrl) {
+    if (deviceKeys.length === 0 || hasTokenForTarget) {
       await setControllerUrl(url);
       logger.log(formatSuccessLine(`Controller URL set to: ${url}`));
       return;
     }
 
+    const otherKey =
+      deviceKeys.find((k) => normalizeForCompare(k) !== normalizeForCompare(normalizedUrl)) ||
+      deviceKeys[0];
     throw new Error(
-      `You have credentials for another controller (${loggedInControllerUrl}).\n` +
+      `You have credentials for another controller (${otherKey.trim().replace(/\/+$/, '')}).\n` +
       'To use a different controller either run "aifabrix login" with that controller, or run "aifabrix logout" first to clear credentials, then set the new controller with "aifabrix auth --set-controller <url>".'
     );
   } catch (error) {
@@ -107,20 +198,27 @@ async function handleSetEnvironment(environment) {
  * @async
  * @function handleAuthConfig
  * @param {Object} options - Command options
- * @param {string} [options.setController] - Controller URL to set
+ * @param {string|boolean} [options.setController] - Controller URL, or true when flag has no value
  * @param {string} [options.setEnvironment] - Environment to set
  * @returns {Promise<void>}
  * @throws {Error} If command fails
  */
 async function handleAuthConfig(options) {
-  if (!options.setController && !options.setEnvironment) {
+  const pick = isInteractiveControllerPick(options.setController);
+  const hasUrl = hasExplicitControllerUrl(options.setController);
+
+  if (!pick && !hasUrl && !options.setEnvironment) {
     throw new Error(
       'No action specified. Use "aifabrix auth --set-controller <url>" or "aifabrix auth --set-environment <env>".'
     );
   }
-  if (options.setController) {
+
+  if (pick) {
+    await handleSelectRegisteredController();
+  } else if (hasUrl) {
     await handleSetController(options.setController);
   }
+
   if (options.setEnvironment) {
     await handleSetEnvironment(options.setEnvironment);
   }

package/lib/commands/datasource-capability-dimension-cli.js

@@ -0,0 +1,128 @@
+/**
+ * `datasource capability dimension` command registration.
+ *
+ * @fileoverview dimension binding CLI
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const logger = require('../utils/logger');
+const {
+  formatBlockingError,
+  headerKeyValue,
+  infoLine,
+  formatSuccessLine,
+  colorRollupPrefixedLine
+} = require('../utils/cli-test-layout-chalk');
+const { runCapabilityDimension } = require('../datasource/capability/run-capability-dimension');
+const { printCapabilitySuccessFooter } = require('./datasource-capability-output');
+
+const CAP_DIMENSION_HELP = `
+Adds or replaces one root **dimensions.<key>** binding (metadata-only; no pipeline).
+
+Examples:
+  $ aifabrix datasource capability dimension test-e2e-hubspot-companies --dimension market --type local --field country
+  $ aifabrix datasource capability dimension test-e2e-hubspot-companies --dimension owner --type fk --via hubspotOwner:owner --actor email
+`;
+
+function parseVia(raw) {
+  const list = Array.isArray(raw) ? raw : [];
+  return list.map((x) => String(x).trim()).filter(Boolean);
+}
+
+function logDimensionValidationOutcome(result) {
+  logger.log(formatSuccessLine('Local validation passed'));
+  if (result.remoteValidation?.ok) {
+    logger.log(formatSuccessLine('Remote validation passed'));
+  } else {
+    logger.log(colorRollupPrefixedLine('⚠ Remote validation skipped (not authenticated)'));
+  }
+  if (Array.isArray(result.semanticWarnings) && result.semanticWarnings.length > 0) {
+    result.semanticWarnings.forEach((w) => logger.log(colorRollupPrefixedLine(`⚠ ${w}`)));
+  }
+  logger.log(formatSuccessLine('Dimension binding updated'));
+}
+
+/**
+ * @param {string} fileOrKey
+ * @param {object} options - Commander options
+ * @returns {Promise<void>}
+ */
+async function runDimensionAction(fileOrKey, options) {
+  const via = parseVia(options.via);
+
+  const result = await runCapabilityDimension({
+    fileOrKey,
+    dimension: options.dimension,
+    type: options.type,
+    field: options.field,
+    via,
+    actor: options.actor,
+    operator: options.operator,
+    required: options.required,
+    dryRun: Boolean(options.dryRun),
+    noBackup: Boolean(options.noBackup),
+    overwrite: Boolean(options.overwrite)
+  });
+
+  if (result.dryRun) {
+    logger.log(infoLine('Dry run — planned JSON Patch operations:'));
+    logger.log('');
+    logger.log(JSON.stringify(result.patchOperations, null, 2));
+    return;
+  }
+
+  logDimensionValidationOutcome(result);
+
+  if (result.backupPath) {
+    logger.log(headerKeyValue('Backup:', result.backupPath));
+  }
+  printCapabilitySuccessFooter(result.resolvedPath, result.updatedSections, 'Updated');
+}
+
+/**
+ * @param {import('commander').Command} cap
+ * @returns {void}
+ */
+function setupCapabilityDimensionCommand(cap) {
+  cap
+    .command('dimension <file-or-key>')
+    .description('Add or replace one root dimensions binding (local or FK-backed)')
+    .requiredOption('--dimension <key>', 'Dimension key (ABAC-facing key; underscores allowed)')
+    .requiredOption('--type <type>', 'local | fk')
+    .option('--field <name>', 'For type=local: normalized attribute name in metadataSchema.properties')
+    .option(
+      '--via <fk:dimension>',
+      'For type=fk: hop as <fkName>:<dimensionKey>; repeat for multi-hop traversal',
+      (value, prev) => {
+        const list = prev || [];
+        list.push(value);
+        return list;
+      },
+      []
+    )
+    .option('--actor <actor>', 'For type=fk: displayName | email | userId | groups | roles')
+    .option('--operator <op>', 'For type=fk: eq | in (default depends on actor)')
+    .option('--required', 'Set dimensions.<key>.required=true')
+    .option('--no-required', 'Set dimensions.<key>.required=false')
+    .option('--dry-run', 'Print JSON Patch operations; do not write')
+    .option('--overwrite', 'Replace existing dimensions.<key> binding')
+    .option('--no-backup', 'Skip backup copy under integration/<app>/backup/')
+    .addHelpText('after', CAP_DIMENSION_HELP)
+    .action(async(fileOrKey, options) => {
+      try {
+        await runDimensionAction(fileOrKey, options);
+      } catch (error) {
+        logger.error(formatBlockingError(`capability dimension failed: ${error.message}`));
+        process.exit(1);
+      }
+    });
+}
+
+module.exports = {
+  setupCapabilityDimensionCommand,
+  runDimensionAction
+};
+

package/lib/commands/datasource-capability-output.js

@@ -0,0 +1,29 @@
+/**
+ * Shared success footer for datasource capability mutating commands.
+ *
+ * @fileoverview capability CLI output footer
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const logger = require('../utils/logger');
+const { formatBulletSection, formatNextActions } = require('../utils/cli-test-layout-chalk');
+
+/**
+ * @param {string} resolvedPath
+ * @param {string[]} updatedSections
+ * @param {string} [heading='Updated']
+ * @returns {void}
+ */
+function printCapabilitySuccessFooter(resolvedPath, updatedSections, heading = 'Updated') {
+  const display =
+    resolvedPath.includes(' ') ? `"${resolvedPath}"` : resolvedPath;
+  logger.log('');
+  logger.log(formatBulletSection(`${heading}:`, updatedSections));
+  logger.log('');
+  logger.log(formatNextActions([`aifabrix datasource validate ${display}`]));
+}
+
+module.exports = {
+  printCapabilitySuccessFooter
+};

package/lib/commands/datasource-capability-relate-cli.js

@@ -0,0 +1,140 @@
+/**
+ * `datasource capability relate` command registration.
+ *
+ * @fileoverview relate CLI
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const logger = require('../utils/logger');
+const {
+  formatBlockingError,
+  headerKeyValue,
+  infoLine,
+  formatSuccessLine,
+  colorRollupPrefixedLine
+} = require('../utils/cli-test-layout-chalk');
+const { runCapabilityRelate } = require('../datasource/capability/run-capability-relate');
+const { printCapabilitySuccessFooter } = require('./datasource-capability-output');
+
+const CAP_RELATE_HELP = `
+Adds or replaces one **foreignKeys[]** row (metadata-only; no pipeline). Optional **metadataSchema.properties** stub unless **--skip-metadata-property**.
+
+  $ aifabrix datasource capability relate hubspot-deals --relation-name company --to hubspot-companies --field companyId --target-field externalId
+`;
+
+function parseTargetFields(raw) {
+  const tf = raw;
+  if (Array.isArray(tf) && tf.length > 0) {
+    return tf.map((x) => String(x).trim()).filter(Boolean);
+  }
+  if (tf !== undefined && tf !== null && String(tf).trim()) {
+    return [String(tf).trim()];
+  }
+  return undefined;
+}
+
+function logRelateValidationOutcome(result, joinLeft, joinRight) {
+  logger.log(formatSuccessLine('Local validation passed'));
+  if (result.remoteValidation?.ok) {
+    logger.log(formatSuccessLine('Remote validation passed'));
+  } else {
+    logger.log(colorRollupPrefixedLine('⚠ Remote validation skipped (not authenticated)'));
+  }
+  if (Array.isArray(result.semanticWarnings) && result.semanticWarnings.length > 0) {
+    result.semanticWarnings.forEach((w) => logger.log(colorRollupPrefixedLine(`⚠ ${w}`)));
+  }
+  logger.log(formatSuccessLine(`Relation created: ${joinLeft} → ${joinRight}`));
+}
+
+/**
+ * @param {string} fileOrKey
+ * @param {object} options - Commander options
+ * @returns {Promise<void>}
+ */
+async function runRelateAction(fileOrKey, options) {
+  const fields = [];
+  if (options.field) {
+    fields.push(String(options.field).trim());
+  }
+  const targetFields = parseTargetFields(options.targetField);
+
+  const result = await runCapabilityRelate({
+    fileOrKey,
+    relationName: options.relationName,
+    targetDatasource: options.to,
+    fields,
+    targetFields,
+    required: options.required,
+    description: options.description,
+    dryRun: Boolean(options.dryRun),
+    noBackup: Boolean(options.noBackup),
+    overwrite: Boolean(options.overwrite),
+    addMetadataProperty: !options.skipMetadataProperty
+  });
+
+  if (result.dryRun) {
+    logger.log(infoLine('Dry run — planned JSON Patch operations:'));
+    logger.log('');
+    logger.log(JSON.stringify(result.patchOperations, null, 2));
+    return;
+  }
+
+  const joinLeft = fields.length === 1 ? fields[0] : 'fields';
+  const joinRight =
+    Array.isArray(targetFields) && targetFields.length === 1
+      ? `${options.to}.${targetFields[0]}`
+      : options.to;
+  logRelateValidationOutcome(result, joinLeft, joinRight);
+
+  if (result.backupPath) {
+    logger.log(headerKeyValue('Backup:', result.backupPath));
+  }
+  printCapabilitySuccessFooter(result.resolvedPath, result.updatedSections, 'Updated');
+}
+
+/**
+ * @param {import('commander').Command} cap
+ * @returns {void}
+ */
+function setupCapabilityRelateCommand(cap) {
+  cap
+    .command('relate <file-or-key>')
+    .description(
+      'Add or replace foreignKeys[] metadata (+ optional metadataSchema property for relation name)'
+    )
+    .requiredOption('--relation-name <name>', 'FK name (camelCase; unique per datasource)')
+    .requiredOption('--to <targetDatasource>', 'Target datasource key (cross-system JSON key)')
+    .requiredOption('--field <name>', 'Local normalized attribute (foreignKeys.fields[])')
+    .option('--description <text>', 'FK description (defaults to a generated description)')
+    .option('--required', 'Mark FK required (foreignKeys[].required=true)')
+    .option('--no-required', 'Mark FK optional (foreignKeys[].required=false)')
+    .option(
+      '--target-field <name>',
+      'Target join field(s); repeat flag for composite; omit to use runtime default (externalId)',
+      (value, prev) => {
+        const list = prev || [];
+        list.push(value);
+        return list;
+      },
+      []
+    )
+    .option('--dry-run', 'Print JSON Patch operations; do not write')
+    .option('--overwrite', 'Replace existing foreignKeys row with the same name')
+    .option('--skip-metadata-property', 'Do not add metadataSchema.properties.<relationName>')
+    .option('--no-backup', 'Skip backup copy under integration/<app>/backup/')
+    .addHelpText('after', CAP_RELATE_HELP)
+    .action(async(fileOrKey, options) => {
+      try {
+        await runRelateAction(fileOrKey, options);
+      } catch (error) {
+        logger.error(formatBlockingError(`capability relate failed: ${error.message}`));
+        process.exit(1);
+      }
+    });
+}
+
+module.exports = {
+  setupCapabilityRelateCommand,
+  runRelateAction
+};