npm - @aifabrix/builder - Versions diffs - 2.44.5 → 2.45.0 - Mend

@aifabrix/builder 2.44.5 → 2.45.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (249) hide show

package/.cursor/rules/cli-layout.mdc +8 -4
package/.cursor/rules/project-rules.mdc +1 -1
package/README.md +15 -23
package/integration/hubspot-test/README.md +2 -0
package/integration/hubspot-test/test.js +5 -3
package/jest.projects.js +104 -2
package/lib/api/controller-health.api.js +49 -0
package/lib/api/dimension-values.api.js +82 -0
package/lib/api/dimensions.api.js +114 -0
package/lib/api/external-systems.api.js +1 -0
package/lib/api/integration-clients.api.js +168 -0
package/lib/api/types/dimension-values.types.js +28 -0
package/lib/api/types/dimensions.types.js +31 -0
package/lib/api/types/integration-clients.types.js +45 -0
package/lib/api/validation-runner.js +46 -25
package/lib/app/deploy-config.js +11 -1
package/lib/app/deploy-status-display.js +3 -3
package/lib/app/deploy.js +36 -14
package/lib/app/display.js +15 -11
package/lib/app/helpers.js +3 -3
package/lib/app/index.js +3 -3
package/lib/app/push.js +46 -23
package/lib/app/register.js +7 -6
package/lib/app/restart-display.js +126 -0
package/lib/app/rotate-secret.js +7 -6
package/lib/app/run-container-start.js +12 -6
package/lib/app/run-env-compose.js +30 -1
package/lib/app/run-helpers.js +58 -19
package/lib/app/run-reload-sync.js +148 -0
package/lib/app/run-resolve-image.js +51 -1
package/lib/app/run.js +148 -74
package/lib/app/show-display.js +7 -0
package/lib/app/show.js +87 -5
package/lib/build/index.js +83 -49
package/lib/cli/doctor-check.js +117 -0
package/lib/cli/index.js +8 -2
package/lib/cli/infra-guided.js +460 -0
package/lib/cli/installation-log-command.js +73 -0
package/lib/cli/setup-app.js +31 -3
package/lib/cli/setup-auth.js +98 -27
package/lib/cli/setup-dev-path-commands.js +50 -3
package/lib/cli/setup-infra-up-dataplane-action.js +111 -0
package/lib/cli/setup-infra-up-platform-action.js +131 -0
package/lib/cli/setup-infra.js +132 -118
package/lib/cli/setup-integration-client.js +182 -0
package/lib/cli/setup-parameters.js +21 -2
package/lib/cli/setup-platform.js +102 -0
package/lib/cli/setup-secrets.js +18 -6
package/lib/cli/setup-utility-resolve.js +132 -0
package/lib/cli/setup-utility.js +143 -84
package/lib/commands/app-logs.js +81 -33
package/lib/commands/auth-config.js +116 -18
package/lib/commands/datasource-capability-dimension-cli.js +128 -0
package/lib/commands/datasource-capability-output.js +29 -0
package/lib/commands/datasource-capability-relate-cli.js +140 -0
package/lib/commands/datasource-capability.js +411 -0
package/lib/commands/datasource-unified-test-cli.options.js +1 -1
package/lib/commands/datasource.js +53 -13
package/lib/commands/dev-down.js +3 -3
package/lib/commands/dev-infra-gate.js +32 -0
package/lib/commands/dev-init.js +13 -7
package/lib/commands/dimension-value.js +179 -0
package/lib/commands/dimension.js +330 -0
package/lib/commands/integration-client.js +430 -0
package/lib/commands/login-device.js +65 -30
package/lib/commands/login.js +21 -10
package/lib/commands/parameters-validate.js +78 -13
package/lib/commands/repair-datasource-auto-rbac.js +166 -0
package/lib/commands/repair-datasource-keys.js +10 -5
package/lib/commands/repair-datasource.js +19 -7
package/lib/commands/repair-env-template.js +4 -1
package/lib/commands/repair-openapi-sync.js +172 -0
package/lib/commands/repair-persist.js +102 -0
package/lib/commands/repair-rbac-extract.js +27 -0
package/lib/commands/repair-rbac-migrate.js +186 -0
package/lib/commands/repair-rbac.js +214 -31
package/lib/commands/repair-system-alignment.js +246 -0
package/lib/commands/repair-system-permissions.js +168 -0
package/lib/commands/repair.js +120 -338
package/lib/commands/secure.js +1 -1
package/lib/commands/setup-modes.js +468 -0
package/lib/commands/setup-prompts.js +421 -0
package/lib/commands/setup.js +254 -0
package/lib/commands/teardown.js +277 -0
package/lib/commands/up-common.js +113 -19
package/lib/commands/up-dataplane.js +44 -19
package/lib/commands/up-miso.js +18 -18
package/lib/commands/upload.js +111 -23
package/lib/commands/wizard-core-helpers.js +14 -11
package/lib/commands/wizard-core.js +6 -5
package/lib/commands/wizard-dataplane.js +2 -2
package/lib/commands/wizard-entity-selection.js +4 -3
package/lib/commands/wizard-headless.js +2 -1
package/lib/commands/wizard.js +2 -1
package/lib/constants/infra-compose-service-names.js +40 -0
package/lib/core/audit-logger.js +1 -34
package/lib/core/config-admin-email.js +56 -0
package/lib/core/config-normalize.js +60 -0
package/lib/core/config-registered-controller-urls.js +54 -0
package/lib/core/config.js +33 -50
package/lib/core/env-reader.js +16 -3
package/lib/core/secrets-admin-env.js +101 -0
package/lib/core/secrets-ensure-infra.js +34 -1
package/lib/core/secrets-ensure.js +88 -66
package/lib/core/secrets-env-content.js +428 -0
package/lib/core/secrets-env-declarative-expand.js +170 -0
package/lib/core/secrets-env-write.js +29 -1
package/lib/core/secrets-load.js +252 -0
package/lib/core/secrets-names.js +32 -0
package/lib/core/secrets.js +17 -757
package/lib/datasource/capability/basic-exposure.js +76 -0
package/lib/datasource/capability/capability-diff-slice.js +41 -0
package/lib/datasource/capability/capability-key.js +34 -0
package/lib/datasource/capability/capability-resolve.js +172 -0
package/lib/datasource/capability/capability-storage-keys.js +22 -0
package/lib/datasource/capability/copy-operations.js +348 -0
package/lib/datasource/capability/copy-test-payload.js +139 -0
package/lib/datasource/capability/create-operations.js +235 -0
package/lib/datasource/capability/dimension-operations.js +151 -0
package/lib/datasource/capability/dimension-validate.js +219 -0
package/lib/datasource/capability/json-pointer.js +31 -0
package/lib/datasource/capability/reference-rewrite.js +51 -0
package/lib/datasource/capability/relate-operations.js +325 -0
package/lib/datasource/capability/relate-validate.js +219 -0
package/lib/datasource/capability/remove-operations.js +275 -0
package/lib/datasource/capability/run-capability-copy.js +152 -0
package/lib/datasource/capability/run-capability-diff.js +135 -0
package/lib/datasource/capability/run-capability-dimension.js +291 -0
package/lib/datasource/capability/run-capability-edit.js +377 -0
package/lib/datasource/capability/run-capability-relate.js +193 -0
package/lib/datasource/capability/run-capability-remove.js +105 -0
package/lib/datasource/capability/templates/minimal-fetch.json +18 -0
package/lib/datasource/capability/validate-capability-slice.js +35 -0
package/lib/datasource/list.js +136 -23
package/lib/datasource/log-viewer.js +2 -4
package/lib/datasource/unified-validation-run.js +51 -16
package/lib/datasource/validate.js +53 -1
package/lib/deployment/deploy-poll-ui.js +60 -0
package/lib/deployment/deployer-status.js +29 -3
package/lib/deployment/deployer.js +48 -30
package/lib/deployment/environment.js +7 -2
package/lib/deployment/poll-interval.js +72 -0
package/lib/deployment/push.js +11 -9
package/lib/external-system/deploy.js +9 -2
package/lib/external-system/download.js +61 -32
package/lib/external-system/sync-deploy-manifest.js +33 -0
package/lib/infrastructure/index.js +49 -19
package/lib/infrastructure/orphan-infra-docker-teardown.js +177 -0
package/lib/internal/node-fs.js +2 -0
package/lib/parameters/infra-kv-discovery.js +29 -4
package/lib/parameters/infra-parameter-catalog.js +6 -3
package/lib/parameters/infra-parameter-validate.js +67 -19
package/lib/resolvers/datasource-resolver.js +53 -0
package/lib/resolvers/dimension-file.js +52 -0
package/lib/resolvers/manifest-resolver.js +133 -0
package/lib/schema/application-schema.json +4 -0
package/lib/schema/external-datasource.schema.json +183 -53
package/lib/schema/external-system.schema.json +23 -10
package/lib/schema/infra.parameter.yaml +26 -1
package/lib/schema/wizard-config.schema.json +1 -1
package/lib/utils/aifabrix-config-dir-walk.js +40 -0
package/lib/utils/aifabrix-runtime-config-dir.js +26 -3
package/lib/utils/app-config-resolver.js +24 -1
package/lib/utils/app-run-containers.js +2 -2
package/lib/utils/applications-config-defaults.js +206 -0
package/lib/utils/auth-config-validator.js +2 -12
package/lib/utils/bash-secret-env.js +59 -0
package/lib/utils/cli-secrets-error-format.js +78 -0
package/lib/utils/cli-test-layout-chalk.js +31 -9
package/lib/utils/cli-utils.js +4 -36
package/lib/utils/compose-generate-docker-compose.js +111 -6
package/lib/utils/compose-generator.js +17 -8
package/lib/utils/controller-url.js +50 -7
package/lib/utils/datasource-test-run-display.js +8 -0
package/lib/utils/dev-hosts-helper.js +3 -2
package/lib/utils/dev-init-ssh-merge.js +2 -1
package/lib/utils/docker-build.js +17 -9
package/lib/utils/docker-reload-mount.js +127 -0
package/lib/utils/env-copy.js +99 -14
package/lib/utils/env-template.js +5 -1
package/lib/utils/external-readme.js +71 -2
package/lib/utils/external-system-local-test-tty.js +3 -2
package/lib/utils/external-system-readiness-core.js +45 -12
package/lib/utils/external-system-readiness-deploy-display.js +3 -3
package/lib/utils/external-system-readiness-display-internals.js +33 -3
package/lib/utils/external-system-readiness-display.js +10 -1
package/lib/utils/file-upload.js +40 -3
package/lib/utils/health-check-db-init.js +107 -0
package/lib/utils/health-check-public-warn.js +69 -0
package/lib/utils/health-check-url.js +28 -10
package/lib/utils/health-check.js +139 -107
package/lib/utils/help-builder.js +5 -1
package/lib/utils/image-name.js +34 -7
package/lib/utils/infra-optional-service-flags.js +69 -0
package/lib/utils/installation-log-core.js +282 -0
package/lib/utils/installation-log-record.js +237 -0
package/lib/utils/installation-log.js +123 -0
package/lib/utils/integration-file-backup.js +74 -0
package/lib/utils/log-redaction.js +105 -0
package/lib/utils/manifest-location.js +164 -0
package/lib/utils/manifest-source-emit.js +162 -0
package/lib/utils/mutagen-install.js +30 -3
package/lib/utils/paths.js +308 -76
package/lib/utils/postgres-wipe.js +212 -0
package/lib/utils/register-aifabrix-shell-env.js +15 -0
package/lib/utils/remote-dev-auth.js +21 -5
package/lib/utils/remote-docker-env.js +9 -1
package/lib/utils/remote-secrets-loader.js +49 -4
package/lib/utils/resolve-docker-image-ref.js +9 -3
package/lib/utils/run-cli-flags.js +29 -0
package/lib/utils/secrets-ancestor-paths.js +47 -0
package/lib/utils/secrets-canonical.js +10 -3
package/lib/utils/secrets-helpers.js +17 -10
package/lib/utils/secrets-kv-refs.js +42 -0
package/lib/utils/secrets-kv-scope.js +19 -2
package/lib/utils/secrets-materialize-local.js +134 -0
package/lib/utils/secrets-path.js +26 -13
package/lib/utils/secrets-utils.js +20 -10
package/lib/utils/system-builder-root.js +42 -0
package/lib/utils/url-declarative-public-base.js +80 -12
package/lib/utils/url-declarative-resolve-build-urls.js +238 -0
package/lib/utils/url-declarative-resolve-build.js +24 -388
package/lib/utils/url-declarative-resolve-expand-token.js +189 -0
package/lib/utils/url-declarative-resolve-load-doc.js +12 -3
package/lib/utils/url-declarative-resolve-surface-state.js +102 -0
package/lib/utils/url-declarative-resolve.js +47 -7
package/lib/utils/url-declarative-runtime-base-path.js +52 -0
package/lib/utils/url-declarative-vdir-inactive-env.js +2 -1
package/lib/utils/urls-local-registry-scan.js +103 -0
package/lib/utils/urls-local-registry.js +158 -76
package/lib/utils/validation-poll-ui.js +81 -0
package/lib/utils/validation-run-poll.js +29 -5
package/lib/utils/with-muted-logger.js +53 -0
package/package.json +3 -1
package/templates/applications/dataplane/application.yaml +5 -1
package/templates/applications/dataplane/rbac.yaml +10 -10
package/templates/applications/keycloak/env.template +8 -6
package/templates/applications/miso-controller/application.yaml +9 -0
package/templates/applications/miso-controller/env.template +27 -29
package/templates/applications/miso-controller/rbac.yaml +9 -9
package/templates/external-system/README.md.hbs +83 -123
package/.npmrc.token +0 -1
package/.nyc_output/55e9d034-ddab-4579-a706-e02a91d75c91.json +0 -1
package/.nyc_output/processinfo/55e9d034-ddab-4579-a706-e02a91d75c91.json +0 -1
package/.nyc_output/processinfo/index.json +0 -1
package/lib/api/service-users.api.js +0 -150
package/lib/api/types/service-users.types.js +0 -65
package/lib/cli/setup-service-user.js +0 -187
package/lib/commands/service-user.js +0 -429

package/lib/core/config-registered-controller-urls.js ADDED Viewed

@@ -0,0 +1,54 @@
+/**
+ * Derive controller URLs stored in config (default + device token keys).
+ *
+ * @fileoverview Registered controller URL list for auth --set-controller pick mode
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+'use strict';
+/**
+ * Build sorted unique controller URLs from a config object.
+ * @param {Object} cfg - Parsed config.yaml object
+ * @param {(url: string) => string} normalizeControllerUrl - normalizer from config module
+ * @returns {string[]}
+ */
+function buildRegisteredControllerUrlList(cfg, normalizeControllerUrl) {
+  const seen = new Set();
+  const add = (raw) => {
+    if (!raw || typeof raw !== 'string') return;
+    const trimmed = raw.trim();
+    if (!/^https?:\/\//i.test(trimmed)) return;
+    let parsed;
+    try {
+      parsed = new URL(trimmed);
+    } catch {
+      return;
+    }
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return;
+    seen.add(normalizeControllerUrl(trimmed));
+  };
+  if (cfg.controller) {
+    add(cfg.controller);
+  }
+  for (const key of Object.keys(cfg.device || {})) {
+    add(key);
+  }
+  return [...seen].sort((a, b) => a.localeCompare(b));
+}
+/**
+ * @param {() => Promise<Object>} getConfig - async config loader
+ * @param {(url: string) => string} normalizeControllerUrl
+ * @returns {Promise<string[]>}
+ */
+async function getRegisteredControllerUrlsWithLoader(getConfig, normalizeControllerUrl) {
+  const cfg = await getConfig();
+  return buildRegisteredControllerUrlList(cfg, normalizeControllerUrl);
+}
+module.exports = {
+  buildRegisteredControllerUrlList,
+  getRegisteredControllerUrlsWithLoader
+};

package/lib/core/config.js CHANGED Viewed

@@ -15,62 +15,15 @@ const os = require('os');
 const { encryptToken, decryptToken, isTokenEncrypted } = require('../utils/token-encryption');
 const { ensureSecureFilePermissions, ensureSecureDirPermissions } = require('../utils/secure-file-permissions');
 const { getRuntimeConfigDir, getRuntimeConfigFile } = require('./config-runtime-paths');
+const { getAdminEmailFromConfig, setAdminEmailInConfig } = require('./config-admin-email');
+const { getRegisteredControllerUrlsWithLoader } = require('./config-registered-controller-urls');
+const { normalizeControllerUrl, validateAndNormalizeDeveloperId } = require('./config-normalize');
 // Avoid importing paths.js here to prevent circular dependency; use shared runtime config dir helper.
 // Config location: AIFABRIX_CONFIG dirname → AIFABRIX_HOME (with ~/.aifabrix fallback when config lives there) → ~/.aifabrix
 // Cache for developer ID - loaded when getConfig() is first called
 let cachedDeveloperId = null;
-/**
- * Normalize controller URL for consistent storage and lookup
- * Removes trailing slashes and normalizes the URL format
- * @param {string} url - Controller URL to normalize
- * @returns {string} Normalized controller URL
- */
-function normalizeControllerUrl(url) {
-  if (!url || typeof url !== 'string') {
-    return url;
-  }
-  // Remove trailing slashes
-  let normalized = url.trim().replace(/\/+$/, '');
-  // Ensure it starts with http:// or https://
-  if (!normalized.match(/^https?:\/\//)) {
-    // If it doesn't start with protocol, assume http://
-    normalized = `http://${normalized}`;
-  }
-  return normalized;
-}
-/**
- * Validate and normalize developer ID
- * @param {*} developerId - Developer ID value (can be string, number, undefined, or null)
- * @returns {string} Normalized developer ID as string
- * @throws {Error} If developer ID is invalid
- */
-function validateAndNormalizeDeveloperId(developerId) {
-  const DEV_ID_DIGITS_REGEX = /^[0-9]+$/;
-  if (typeof developerId === 'undefined' || developerId === null) {
-    return '0';
-  }
-  if (typeof developerId === 'number') {
-    if (developerId < 0 || !Number.isFinite(developerId)) {
-      throw new Error('Developer ID must be a non-negative digit string or number');
-    }
-    return String(developerId);
-  }
-  if (typeof developerId === 'string') {
-    if (!DEV_ID_DIGITS_REGEX.test(developerId)) {
-      throw new Error('Developer ID must be a non-negative digit string or number');
-    }
-    return developerId;
-  }
-  throw new Error('Developer ID must be a non-negative digit string or number');
-}
 /**
  * Ensure default config values exist
  * @param {Object} config - Configuration object
@@ -258,6 +211,25 @@ async function getTlsEnabled() {
   return cfg.tlsEnabled === true;
 }
+/**
+ * Admin email stored in `config.yaml` by `aifabrix setup` (Keycloak / pgAdmin). Empty when unset.
+ *
+ * @returns {Promise<string>}
+ */
+async function getAdminEmail() {
+  return getAdminEmailFromConfig(getConfig);
+}
+/**
+ * Persist admin email to `config.yaml` (used on subsequent setup runs as the prompt default).
+ *
+ * @param {string} email
+ * @returns {Promise<void>}
+ */
+async function setAdminEmail(email) {
+  return setAdminEmailInConfig(getConfig, saveConfig, email);
+}
 /**
  * Whether Traefik is enabled (`traefik: true` in config; infra compose includes the proxy).
  * @returns {Promise<boolean>}
@@ -316,6 +288,14 @@ async function getControllerUrl() {
   return config.controller || null;
 }
+/**
+ * Controller URLs from config: `controller` plus `device` token keys.
+ * @returns {Promise<string[]>}
+ */
+async function getRegisteredControllerUrls() {
+  return getRegisteredControllerUrlsWithLoader(getConfig, normalizeControllerUrl);
+}
 function isTokenExpired(expiresAt) {
   if (!expiresAt) return true;
   const expirationTime = new Date(expiresAt).getTime();
@@ -454,6 +434,8 @@ const exportsObj = {
   loadDeveloperId,
   getCurrentEnvironment,
   getTlsEnabled,
+  getAdminEmail,
+  setAdminEmail,
   getTraefikEnabled,
   setCurrentEnvironment,
   resolveEnvironment,
@@ -469,6 +451,7 @@ const exportsObj = {
   normalizeControllerUrl,
   setControllerUrl,
   getControllerUrl,
+  getRegisteredControllerUrls,
   get CONFIG_DIR() {
     return getRuntimeConfigDir();
   },

package/lib/core/env-reader.js CHANGED Viewed

@@ -115,6 +115,19 @@ function detectSensitiveValue(key, value) {
   return false;
 }
+/**
+ * Path segment after `kv://` for sensitive env vars; must match infra.parameter.yaml keys.
+ * API_KEY uses the shared miso-controller/dataplane catalog entry (not a flat `api-key` slug).
+ * @param {string} key - Environment variable name
+ * @returns {string}
+ */
+function sensitiveKvPathSegmentFromEnvKey(key) {
+  if (key === 'API_KEY') {
+    return 'miso-controller-secrets-apiKeyVault';
+  }
+  return key.toLowerCase().replace(/[^a-z0-9]/g, '-');
+}
 /**
  * Convert existing .env variables to env.template format
  * @param {Object} existingEnv - Existing environment variables
@@ -128,7 +141,7 @@ function convertToEnvTemplate(existingEnv, requiredVars) {
   Object.entries(existingEnv).forEach(([key, value]) => {
     if (detectSensitiveValue(key, value)) {
       // Convert sensitive values to kv:// references
-      convertedEnv[key] = `kv://${key.toLowerCase().replace(/[^a-z0-9]/g, '-')}`;
+      convertedEnv[key] = `kv://${sensitiveKvPathSegmentFromEnvKey(key)}`;
     } else {
       // Keep non-sensitive values as-is
       convertedEnv[key] = value;
@@ -148,8 +161,8 @@ function generateSecretsFromEnv(envVars) {
   Object.entries(envVars).forEach(([key, value]) => {
     if (detectSensitiveValue(key, value)) {
-      // Use centralized resolver for canonical secret names
-      const secretName = getCanonicalSecretName(key);
+      const secretName =
+        key === 'API_KEY' ? sensitiveKvPathSegmentFromEnvKey(key) : getCanonicalSecretName(key);
       secrets[secretName] = value;
     }
   });

package/lib/core/secrets-admin-env.js ADDED Viewed

@@ -0,0 +1,101 @@
+/**
+ * Infrastructure admin-secrets.env generation (PG/Redis Commander defaults).
+ *
+ * @fileoverview Split from secrets.js for module size limits
+ * @author AI Fabrix Team
+ * @version 1.0.0
+ */
+'use strict';
+const fs = require('fs');
+const path = require('path');
+const logger = require('../utils/logger');
+const config = require('./config');
+const {
+  mergeInfraParameterDefaultsForCli,
+  getInfraParameterCatalog,
+  readRelaxedCatalogDefaults
+} = require('../parameters/infra-parameter-catalog');
+const { createDefaultSecrets } = require('../utils/secrets-generator');
+const pathsUtil = require('../utils/paths');
+const { loadSecrets } = require('./secrets-load');
+/**
+ * Writes admin env key-value pairs to content; encrypts values when encryption key is set.
+ * @async
+ * @param {Object.<string, string>} adminObj - Key-value object (e.g. POSTGRES_PASSWORD, ...)
+ * @returns {Promise<string>} .env-style content (plaintext or secure:// for secrets)
+ */
+async function formatAdminSecretsContent(adminObj) {
+  const encryptionKey = await config.getSecretsEncryptionKey();
+  const { encryptSecret } = require('../utils/secrets-encryption');
+  const lines = ['# Infrastructure Admin Credentials'];
+  for (const [k, v] of Object.entries(adminObj)) {
+    const value = (v === null || v === undefined) ? '' : String(v).replace(/\n/g, ' ').trim();
+    const valueToWrite = encryptionKey ? encryptSecret(value, encryptionKey) : value;
+    lines.push(`${k}=${valueToWrite}`);
+  }
+  return lines.join('\n');
+}
+async function loadSecretsOrBootstrapForAdmin(secretsPath) {
+  try {
+    return await loadSecrets(secretsPath);
+  } catch (error) {
+    const defaultSecretsPath = secretsPath || path.join(pathsUtil.getAifabrixHome(), 'secrets.yaml');
+    if (!fs.existsSync(defaultSecretsPath)) {
+      logger.log('Creating default secrets file...');
+      await createDefaultSecrets(defaultSecretsPath);
+      return await loadSecrets(secretsPath);
+    }
+    throw error;
+  }
+}
+function getInfraDefaultsMergedForAdmin() {
+  try {
+    return mergeInfraParameterDefaultsForCli(getInfraParameterCatalog().data, {});
+  } catch {
+    return {};
+  }
+}
+function buildLocalAdminSecretsObject(secrets, infraDefaults) {
+  const raw = secrets['postgres-passwordKeyVault'];
+  const relaxed = readRelaxedCatalogDefaults();
+  const postgresPassword =
+    (raw && String(raw).trim()) ||
+    infraDefaults.adminPassword ||
+    relaxed.adminPassword ||
+    '';
+  const pgAdminEmail = infraDefaults.adminEmail || relaxed.adminEmail || '';
+  return {
+    POSTGRES_PASSWORD: postgresPassword,
+    PGADMIN_DEFAULT_EMAIL: pgAdminEmail,
+    PGADMIN_DEFAULT_PASSWORD: postgresPassword,
+    REDIS_HOST: 'local:redis:6379:0:',
+    REDIS_COMMANDER_USER: 'admin',
+    REDIS_COMMANDER_PASSWORD: postgresPassword
+  };
+}
+/** Generates admin secrets for infrastructure (beside config.yaml, typically ~/.aifabrix/admin-secrets.env). Defaults from infra.parameter.yaml `defaults`. */
+async function generateAdminSecretsEnv(secretsPath) {
+  const secrets = await loadSecretsOrBootstrapForAdmin(secretsPath);
+  const infraDefaults = getInfraDefaultsMergedForAdmin();
+  const adminObj = buildLocalAdminSecretsObject(secrets, infraDefaults);
+  const aifabrixDir = pathsUtil.getAifabrixSystemDir();
+  const adminEnvPath = path.join(aifabrixDir, 'admin-secrets.env');
+  if (!fs.existsSync(aifabrixDir)) {
+    fs.mkdirSync(aifabrixDir, { recursive: true, mode: 0o700 });
+  }
+  const adminSecrets = await formatAdminSecretsContent(adminObj);
+  fs.writeFileSync(adminEnvPath, adminSecrets, { mode: 0o600 });
+  return adminEnvPath;
+}
+module.exports = {
+  formatAdminSecretsContent,
+  generateAdminSecretsEnv
+};

package/lib/core/secrets-ensure-infra.js CHANGED Viewed

@@ -70,8 +70,41 @@ function getInfraSecretKeysForUpInfra() {
   }
 }
+/**
+ * Same merge as runtime `loadSecrets()` (primary `~/.aifabrix/secrets.local.yaml` plus `aifabrix-secrets` file or remote API).
+ * Ensures missing-key checks treat remote `--shared` keys as already satisfied.
+ *
+ * @returns {Promise<Object.<string, string>>}
+ */
+async function loadMergedSecretsForEnsureMissingCheck() {
+  const { loadSecrets } = require('./secrets-load');
+  return loadSecrets(undefined);
+}
+/**
+ * Default on for writes to the primary user secrets file: consult full {@link loadSecrets} merge so remote
+ * `--shared` keys are not duplicated locally. Opt out with `useMergedSecretsForMissingKeys: false`.
+ *
+ * @param {{ useMergedSecretsForMissingKeys?: boolean }} options
+ * @param {{ type?: string, filePath?: string }} target
+ * @returns {boolean}
+ */
+function shouldUseMergedSecretsForMissingKeys(options, target) {
+  if (options.useMergedSecretsForMissingKeys === false) return false;
+  if (options.useMergedSecretsForMissingKeys === true) return true;
+  if (!target || target.type !== 'file' || !target.filePath) return false;
+  try {
+    const primary = pathsUtil.getPrimaryUserSecretsLocalPath();
+    return path.resolve(target.filePath) === path.resolve(primary);
+  } catch {
+    return false;
+  }
+}
 module.exports = {
   buildInfraPlaceholderContext,
   isSecretKeyAllowedEmpty,
-  getInfraSecretKeysForUpInfra
+  getInfraSecretKeysForUpInfra,
+  loadMergedSecretsForEnsureMissingCheck,
+  shouldUseMergedSecretsForMissingKeys
 };

package/lib/core/secrets-ensure.js CHANGED Viewed

@@ -1,10 +1,11 @@
 /**
- * AI Fabrix Builder – Ensure secrets in configured store
+ * AI Fabrix Builder – Ensure secrets in the primary user store
  *
- * Ensures missing secret keys exist in the correct store (file path, remote API, or
- * user secrets file). New values are encrypted when writing to file and
- * secrets-encryption is set. Remote write tries API first; on failure falls back
- * to user file with a warning.
+ * Automated flows (resolve, run, wizard, up-infra backfill) **only** write to
+ * `~/.aifabrix/secrets.local.yaml` (or the path from `getPrimaryUserSecretsLocalPath`).
+ * The shared store (`aifabrix-secrets` file or remote API) is **read** via `loadSecrets()`;
+ * writing there is **human-only** through `aifabrix secret set --shared` (see `commands/secrets-set.js`).
+ * New values are encrypted when secrets-encryption is set.
  *
  * @fileoverview Central ensure-secrets service for zero-touch install
  * @author AI Fabrix Team
@@ -17,6 +18,7 @@ const os = require('os');
 const config = require('./config');
 const pathsUtil = require('../utils/paths');
 const logger = require('../utils/logger');
+const { formatSuccessLine, metadata } = require('../utils/cli-test-layout-chalk');
 const remoteDevAuth = require('../utils/remote-dev-auth');
 const devApi = require('../api/dev.api');
 const {
@@ -31,7 +33,9 @@ const { loadEnvTemplate } = require('../utils/secrets-helpers');
 const {
   buildInfraPlaceholderContext,
   isSecretKeyAllowedEmpty,
-  getInfraSecretKeysForUpInfra
+  getInfraSecretKeysForUpInfra,
+  loadMergedSecretsForEnsureMissingCheck,
+  shouldUseMergedSecretsForMissingKeys
 } = require('./secrets-ensure-infra');
 const { syncLiteralKvSecretsFromCliOverrides } = require('./secrets-infra-placeholder-sync');
@@ -59,10 +63,12 @@ function expandTilde(filePath) {
 }
 /**
- * Resolve write target from config.
+ * Resolve the **configured** shared store for inspection/validation (e.g. `secret validate` without a path).
+ * This is the `aifabrix-secrets` target (file or remote API), not the default for automated writes.
+ *
  * - File path → that path (expand ~)
- * - http(s) URL → remote (fallback: user file)
- * - No config → user file
+ * - http(s) URL → remote
+ * - No config → primary user secrets file
  *
  * @returns {Promise<{ type: 'file'|'remote', filePath?: string, serverUrl?: string|null, secretsEndpointUrl?: string, clientCertPem?: string|null, serverCaPem?: string|null }>}
  */
@@ -91,6 +97,16 @@ async function resolveWriteTarget() {
   return { type: 'file', filePath };
 }
+/**
+ * Default write target for **automated** ensure / `setSecretInStore` (resolve, run, wizard, infra).
+ * Never the shared store; use `aifabrix secret set --shared` to write shared.
+ *
+ * @returns {Promise<{ type: 'file', filePath: string }>}
+ */
+async function resolvePrimaryUserWriteTarget() {
+  return { type: 'file', filePath: pathsUtil.getPrimaryUserSecretsLocalPath() };
+}
 /**
  * Load existing secrets from the resolved target (file or remote).
  *
@@ -166,34 +182,36 @@ function valueForKey(key, suggested, emptyForCredentials, placeholderContext) {
 }
 /**
- * Add secrets via remote API; on failure write to local file (with encryption if configured).
- * @param {Object} target - Resolved target (remote)
- * @param {string[]} toAdd - Keys to add
- * @param {Object} suggested - Suggested values
- * @param {string[]} added - Array to push added keys to
- * @param {string|null} encryptionKey - Encryption key for file fallback or null
- * @returns {Promise<string[]>}
+ * Short label for logs (file path or remote secrets URL).
+ * @param {{ type?: string, filePath?: string, secretsEndpointUrl?: string }|null} target
+ * @returns {string}
  */
-async function addSecretsRemote(target, toAdd, suggested, added, encryptionKey, placeholderContext) {
-  const emptyForCredentials = false;
-  for (const key of toAdd) {
-    const value = valueForKey(key, suggested, emptyForCredentials, placeholderContext);
-    try {
-      await devApi.addSecret(
-        target.serverUrl,
-        target.clientCertPem,
-        { key, value },
-        target.serverCaPem || undefined,
-        target.secretsEndpointUrl
-      );
-      added.push(key);
-    } catch (err) {
-      logger.warn(`Remote secret "${key}" failed (${err.message}); writing to local file.`);
-      await writeSecretToFile(target.filePath, key, value, encryptionKey);
-      added.push(key);
-    }
+function summarizeSecretsStoreForLog(target) {
+  if (!target || typeof target !== 'object') return 'secrets store';
+  if (target.type === 'remote' && typeof target.secretsEndpointUrl === 'string' && target.secretsEndpointUrl.trim()) {
+    return target.secretsEndpointUrl.trim();
   }
-  return added;
+  if (typeof target.filePath === 'string' && target.filePath.trim()) {
+    return target.filePath.trim();
+  }
+  return 'secrets store';
+}
+/**
+ * Log that new values were written for keys that were missing or empty.
+ * @param {string[]} added
+ * @param {{ type?: string, filePath?: string, secretsEndpointUrl?: string }|null} target
+ */
+function logNewSecretValuesWritten(added, target) {
+  if (!Array.isArray(added) || added.length === 0) return;
+  const where = summarizeSecretsStoreForLog(target);
+  logger.log(
+    formatSuccessLine(
+      `Wrote ${added.length} new secret value(s) to ${where}. ` +
+        'These keys were missing or empty; values are now stored.'
+    )
+  );
+  logger.log(metadata(`  Keys: ${added.join(', ')}`));
 }
 /**
@@ -223,9 +241,7 @@ async function addSecretsToFile(batch) {
     await writeSecretToFile(filePath, key, value, encryptionKey);
     added.push(key);
   }
-  if (added.length > 0) {
-    logger.log(`✔ Ensured ${added.length} secret key(s): ${added.join(', ')}`);
-  }
+  logNewSecretValuesWritten(added, { type: 'file', filePath });
   return added;
 }
@@ -240,6 +256,9 @@ async function addSecretsToFile(batch) {
  * @param {Object} [options] - Options
  * @param {boolean} [options.emptyValuesForCredentials=false] - Use empty string for new values
  * @param {Object} [options.suggestedValues] - Optional map key -> value for specific keys
+ * @param {boolean} [options.useMergedSecretsForMissingKeys] - When true, treat keys present in the full
+ *   `loadSecrets()` merge (including remote `--shared`) as satisfied. When false, only the target store file
+ *   is consulted. When omitted and the target file is the primary user secrets path, merged secrets are used (default).
  * @returns {Promise<string[]>} Keys that were added (new or backfilled)
  * @throws {Error} If config or file write fails
  */
@@ -253,8 +272,11 @@ async function ensureSecretsForKeys(keys, options = {}) {
     : {};
   const placeholderContext = options.placeholderContext;
-  const target = options._targetOverride || await resolveWriteTarget();
-  const existing = await loadExistingFromTarget(target);
+  const target = options._targetOverride || (await resolvePrimaryUserWriteTarget());
+  let existing = await loadExistingFromTarget(target);
+  if (shouldUseMergedSecretsForMissingKeys(options, target)) {
+    existing = await loadMergedSecretsForEnsureMissingCheck();
+  }
   const toAdd = keys.filter((k) => {
     const v = existing[k];
     const missingOrEmpty = v === undefined || v === null || (typeof v === 'string' && v.trim() === '');
@@ -265,9 +287,6 @@ async function ensureSecretsForKeys(keys, options = {}) {
   const encryptionKey = await config.getSecretsEncryptionKey();
   const added = [];
-  if (target.type === 'remote' && target.serverUrl && target.clientCertPem) {
-    return addSecretsRemote(target, toAdd, suggested, added, encryptionKey, placeholderContext);
-  }
   return addSecretsToFile({
     filePath: target.filePath,
     toAdd,
@@ -288,6 +307,8 @@ async function ensureSecretsForKeys(keys, options = {}) {
  * @param {string} envTemplatePathOrContent - Path to env.template or template content
  * @param {Object} [options] - Options
  * @param {boolean} [options.emptyValuesForCredentials=false] - Use empty string for new values
+ * @param {boolean} [options.useMergedSecretsForMissingKeys] - Same semantics as {@link ensureSecretsForKeys};
+ *   defaults to merged lookup when the write target is the primary user secrets file
  * @returns {Promise<string[]>} Keys that were added
  * @throws {Error} If template cannot be read or ensure fails
  */
@@ -313,9 +334,12 @@ async function ensureSecretsFromEnvTemplate(envTemplatePathOrContent, options =
       : path.resolve(process.cwd(), options.preferredFilePath);
     target = { type: 'file', filePath };
   } else {
-    target = await resolveWriteTarget();
+    target = await resolvePrimaryUserWriteTarget();
+  }
+  let existing = await loadExistingFromTarget(target);
+  if (shouldUseMergedSecretsForMissingKeys(options, target)) {
+    existing = await loadMergedSecretsForEnsureMissingCheck();
   }
-  const existing = await loadExistingFromTarget(target);
   const missingKeys = findMissingSecretKeys(template, existing);
   return ensureSecretsForKeys(missingKeys, { ...options, _targetOverride: target });
 }
@@ -358,29 +382,16 @@ async function writeSecretToStoreFile(filePath, key, strValue) {
  */
 async function setSecretInStore(key, value) {
   if (!key || typeof key !== 'string' || value === undefined) return;
-  const target = await resolveWriteTarget();
   const strValue = typeof value === 'string' ? value : String(value);
-  if (target.type === 'remote' && target.serverUrl && target.clientCertPem) {
-    try {
-      await devApi.addSecret(
-        target.serverUrl,
-        target.clientCertPem,
-        { key, value: strValue },
-        target.serverCaPem || undefined,
-        target.secretsEndpointUrl
-      );
-    } catch (err) {
-      logger.warn(`Could not sync secret "${key}" to remote store: ${err.message}`);
-      const encryptionKey = await config.getSecretsEncryptionKey();
-      await writeSecretToFile(target.filePath, key, strValue, encryptionKey);
-    }
-    return;
-  }
-  await writeSecretToStoreFile(target.filePath, key, strValue);
+  const userPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+  await writeSecretToStoreFile(userPath, key, strValue);
 }
 /**
- * Ensure infra secrets exist in the configured store. Call before ensureAdminSecrets or startInfra.
+ * Ensure infra secrets exist before ensureAdminSecrets or startInfra.
+ * Writes go to the primary user secrets file only (same as all **`ensureSecretsForKeys`** / **`setSecretInStore`** paths).
+ * **`kv://` resolution** merges the shared store via **`loadSecrets()`**. To publish a key to shared, use
+ * **`aifabrix secret set --shared`**.
  *
  * @async
  * @function ensureInfraSecrets
@@ -398,11 +409,21 @@ async function setSecretInStore(key, value) {
 async function ensureInfraSecrets(options = {}) {
   const keys = getInfraSecretKeysForUpInfra();
   const placeholderContext = buildInfraPlaceholderContext(options);
-  const added = await ensureSecretsForKeys(keys, { placeholderContext });
+  const userSecretsPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+  const added = await ensureSecretsForKeys(keys, {
+    placeholderContext,
+    _targetOverride: { type: 'file', filePath: userSecretsPath }
+  });
+  async function writeInfraPlaceholderLiteralToUserLocal(key, value) {
+    const strValue = typeof value === 'string' ? value : String(value);
+    await writeSecretToStoreFile(userSecretsPath, key, strValue);
+  }
   await syncLiteralKvSecretsFromCliOverrides(
     options,
     placeholderContext,
-    setSecretInStore,
+    writeInfraPlaceholderLiteralToUserLocal,
     infraParameterCatalogModule
   );
   return added;
@@ -414,6 +435,7 @@ module.exports = {
   ensureInfraSecrets,
   setSecretInStore,
   resolveWriteTarget,
+  resolvePrimaryUserWriteTarget,
   loadExistingFromTarget,
   getInfraSecretKeysForUpInfra,
   isSecretKeyAllowedEmpty,