npm - @aifabrix/builder - Versions diffs - 2.44.5 → 2.45.0 - Mend

@aifabrix/builder 2.44.5 → 2.45.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (249) hide show

package/.cursor/rules/cli-layout.mdc +8 -4
package/.cursor/rules/project-rules.mdc +1 -1
package/README.md +15 -23
package/integration/hubspot-test/README.md +2 -0
package/integration/hubspot-test/test.js +5 -3
package/jest.projects.js +104 -2
package/lib/api/controller-health.api.js +49 -0
package/lib/api/dimension-values.api.js +82 -0
package/lib/api/dimensions.api.js +114 -0
package/lib/api/external-systems.api.js +1 -0
package/lib/api/integration-clients.api.js +168 -0
package/lib/api/types/dimension-values.types.js +28 -0
package/lib/api/types/dimensions.types.js +31 -0
package/lib/api/types/integration-clients.types.js +45 -0
package/lib/api/validation-runner.js +46 -25
package/lib/app/deploy-config.js +11 -1
package/lib/app/deploy-status-display.js +3 -3
package/lib/app/deploy.js +36 -14
package/lib/app/display.js +15 -11
package/lib/app/helpers.js +3 -3
package/lib/app/index.js +3 -3
package/lib/app/push.js +46 -23
package/lib/app/register.js +7 -6
package/lib/app/restart-display.js +126 -0
package/lib/app/rotate-secret.js +7 -6
package/lib/app/run-container-start.js +12 -6
package/lib/app/run-env-compose.js +30 -1
package/lib/app/run-helpers.js +58 -19
package/lib/app/run-reload-sync.js +148 -0
package/lib/app/run-resolve-image.js +51 -1
package/lib/app/run.js +148 -74
package/lib/app/show-display.js +7 -0
package/lib/app/show.js +87 -5
package/lib/build/index.js +83 -49
package/lib/cli/doctor-check.js +117 -0
package/lib/cli/index.js +8 -2
package/lib/cli/infra-guided.js +460 -0
package/lib/cli/installation-log-command.js +73 -0
package/lib/cli/setup-app.js +31 -3
package/lib/cli/setup-auth.js +98 -27
package/lib/cli/setup-dev-path-commands.js +50 -3
package/lib/cli/setup-infra-up-dataplane-action.js +111 -0
package/lib/cli/setup-infra-up-platform-action.js +131 -0
package/lib/cli/setup-infra.js +132 -118
package/lib/cli/setup-integration-client.js +182 -0
package/lib/cli/setup-parameters.js +21 -2
package/lib/cli/setup-platform.js +102 -0
package/lib/cli/setup-secrets.js +18 -6
package/lib/cli/setup-utility-resolve.js +132 -0
package/lib/cli/setup-utility.js +143 -84
package/lib/commands/app-logs.js +81 -33
package/lib/commands/auth-config.js +116 -18
package/lib/commands/datasource-capability-dimension-cli.js +128 -0
package/lib/commands/datasource-capability-output.js +29 -0
package/lib/commands/datasource-capability-relate-cli.js +140 -0
package/lib/commands/datasource-capability.js +411 -0
package/lib/commands/datasource-unified-test-cli.options.js +1 -1
package/lib/commands/datasource.js +53 -13
package/lib/commands/dev-down.js +3 -3
package/lib/commands/dev-infra-gate.js +32 -0
package/lib/commands/dev-init.js +13 -7
package/lib/commands/dimension-value.js +179 -0
package/lib/commands/dimension.js +330 -0
package/lib/commands/integration-client.js +430 -0
package/lib/commands/login-device.js +65 -30
package/lib/commands/login.js +21 -10
package/lib/commands/parameters-validate.js +78 -13
package/lib/commands/repair-datasource-auto-rbac.js +166 -0
package/lib/commands/repair-datasource-keys.js +10 -5
package/lib/commands/repair-datasource.js +19 -7
package/lib/commands/repair-env-template.js +4 -1
package/lib/commands/repair-openapi-sync.js +172 -0
package/lib/commands/repair-persist.js +102 -0
package/lib/commands/repair-rbac-extract.js +27 -0
package/lib/commands/repair-rbac-migrate.js +186 -0
package/lib/commands/repair-rbac.js +214 -31
package/lib/commands/repair-system-alignment.js +246 -0
package/lib/commands/repair-system-permissions.js +168 -0
package/lib/commands/repair.js +120 -338
package/lib/commands/secure.js +1 -1
package/lib/commands/setup-modes.js +468 -0
package/lib/commands/setup-prompts.js +421 -0
package/lib/commands/setup.js +254 -0
package/lib/commands/teardown.js +277 -0
package/lib/commands/up-common.js +113 -19
package/lib/commands/up-dataplane.js +44 -19
package/lib/commands/up-miso.js +18 -18
package/lib/commands/upload.js +111 -23
package/lib/commands/wizard-core-helpers.js +14 -11
package/lib/commands/wizard-core.js +6 -5
package/lib/commands/wizard-dataplane.js +2 -2
package/lib/commands/wizard-entity-selection.js +4 -3
package/lib/commands/wizard-headless.js +2 -1
package/lib/commands/wizard.js +2 -1
package/lib/constants/infra-compose-service-names.js +40 -0
package/lib/core/audit-logger.js +1 -34
package/lib/core/config-admin-email.js +56 -0
package/lib/core/config-normalize.js +60 -0
package/lib/core/config-registered-controller-urls.js +54 -0
package/lib/core/config.js +33 -50
package/lib/core/env-reader.js +16 -3
package/lib/core/secrets-admin-env.js +101 -0
package/lib/core/secrets-ensure-infra.js +34 -1
package/lib/core/secrets-ensure.js +88 -66
package/lib/core/secrets-env-content.js +428 -0
package/lib/core/secrets-env-declarative-expand.js +170 -0
package/lib/core/secrets-env-write.js +29 -1
package/lib/core/secrets-load.js +252 -0
package/lib/core/secrets-names.js +32 -0
package/lib/core/secrets.js +17 -757
package/lib/datasource/capability/basic-exposure.js +76 -0
package/lib/datasource/capability/capability-diff-slice.js +41 -0
package/lib/datasource/capability/capability-key.js +34 -0
package/lib/datasource/capability/capability-resolve.js +172 -0
package/lib/datasource/capability/capability-storage-keys.js +22 -0
package/lib/datasource/capability/copy-operations.js +348 -0
package/lib/datasource/capability/copy-test-payload.js +139 -0
package/lib/datasource/capability/create-operations.js +235 -0
package/lib/datasource/capability/dimension-operations.js +151 -0
package/lib/datasource/capability/dimension-validate.js +219 -0
package/lib/datasource/capability/json-pointer.js +31 -0
package/lib/datasource/capability/reference-rewrite.js +51 -0
package/lib/datasource/capability/relate-operations.js +325 -0
package/lib/datasource/capability/relate-validate.js +219 -0
package/lib/datasource/capability/remove-operations.js +275 -0
package/lib/datasource/capability/run-capability-copy.js +152 -0
package/lib/datasource/capability/run-capability-diff.js +135 -0
package/lib/datasource/capability/run-capability-dimension.js +291 -0
package/lib/datasource/capability/run-capability-edit.js +377 -0
package/lib/datasource/capability/run-capability-relate.js +193 -0
package/lib/datasource/capability/run-capability-remove.js +105 -0
package/lib/datasource/capability/templates/minimal-fetch.json +18 -0
package/lib/datasource/capability/validate-capability-slice.js +35 -0
package/lib/datasource/list.js +136 -23
package/lib/datasource/log-viewer.js +2 -4
package/lib/datasource/unified-validation-run.js +51 -16
package/lib/datasource/validate.js +53 -1
package/lib/deployment/deploy-poll-ui.js +60 -0
package/lib/deployment/deployer-status.js +29 -3
package/lib/deployment/deployer.js +48 -30
package/lib/deployment/environment.js +7 -2
package/lib/deployment/poll-interval.js +72 -0
package/lib/deployment/push.js +11 -9
package/lib/external-system/deploy.js +9 -2
package/lib/external-system/download.js +61 -32
package/lib/external-system/sync-deploy-manifest.js +33 -0
package/lib/infrastructure/index.js +49 -19
package/lib/infrastructure/orphan-infra-docker-teardown.js +177 -0
package/lib/internal/node-fs.js +2 -0
package/lib/parameters/infra-kv-discovery.js +29 -4
package/lib/parameters/infra-parameter-catalog.js +6 -3
package/lib/parameters/infra-parameter-validate.js +67 -19
package/lib/resolvers/datasource-resolver.js +53 -0
package/lib/resolvers/dimension-file.js +52 -0
package/lib/resolvers/manifest-resolver.js +133 -0
package/lib/schema/application-schema.json +4 -0
package/lib/schema/external-datasource.schema.json +183 -53
package/lib/schema/external-system.schema.json +23 -10
package/lib/schema/infra.parameter.yaml +26 -1
package/lib/schema/wizard-config.schema.json +1 -1
package/lib/utils/aifabrix-config-dir-walk.js +40 -0
package/lib/utils/aifabrix-runtime-config-dir.js +26 -3
package/lib/utils/app-config-resolver.js +24 -1
package/lib/utils/app-run-containers.js +2 -2
package/lib/utils/applications-config-defaults.js +206 -0
package/lib/utils/auth-config-validator.js +2 -12
package/lib/utils/bash-secret-env.js +59 -0
package/lib/utils/cli-secrets-error-format.js +78 -0
package/lib/utils/cli-test-layout-chalk.js +31 -9
package/lib/utils/cli-utils.js +4 -36
package/lib/utils/compose-generate-docker-compose.js +111 -6
package/lib/utils/compose-generator.js +17 -8
package/lib/utils/controller-url.js +50 -7
package/lib/utils/datasource-test-run-display.js +8 -0
package/lib/utils/dev-hosts-helper.js +3 -2
package/lib/utils/dev-init-ssh-merge.js +2 -1
package/lib/utils/docker-build.js +17 -9
package/lib/utils/docker-reload-mount.js +127 -0
package/lib/utils/env-copy.js +99 -14
package/lib/utils/env-template.js +5 -1
package/lib/utils/external-readme.js +71 -2
package/lib/utils/external-system-local-test-tty.js +3 -2
package/lib/utils/external-system-readiness-core.js +45 -12
package/lib/utils/external-system-readiness-deploy-display.js +3 -3
package/lib/utils/external-system-readiness-display-internals.js +33 -3
package/lib/utils/external-system-readiness-display.js +10 -1
package/lib/utils/file-upload.js +40 -3
package/lib/utils/health-check-db-init.js +107 -0
package/lib/utils/health-check-public-warn.js +69 -0
package/lib/utils/health-check-url.js +28 -10
package/lib/utils/health-check.js +139 -107
package/lib/utils/help-builder.js +5 -1
package/lib/utils/image-name.js +34 -7
package/lib/utils/infra-optional-service-flags.js +69 -0
package/lib/utils/installation-log-core.js +282 -0
package/lib/utils/installation-log-record.js +237 -0
package/lib/utils/installation-log.js +123 -0
package/lib/utils/integration-file-backup.js +74 -0
package/lib/utils/log-redaction.js +105 -0
package/lib/utils/manifest-location.js +164 -0
package/lib/utils/manifest-source-emit.js +162 -0
package/lib/utils/mutagen-install.js +30 -3
package/lib/utils/paths.js +308 -76
package/lib/utils/postgres-wipe.js +212 -0
package/lib/utils/register-aifabrix-shell-env.js +15 -0
package/lib/utils/remote-dev-auth.js +21 -5
package/lib/utils/remote-docker-env.js +9 -1
package/lib/utils/remote-secrets-loader.js +49 -4
package/lib/utils/resolve-docker-image-ref.js +9 -3
package/lib/utils/run-cli-flags.js +29 -0
package/lib/utils/secrets-ancestor-paths.js +47 -0
package/lib/utils/secrets-canonical.js +10 -3
package/lib/utils/secrets-helpers.js +17 -10
package/lib/utils/secrets-kv-refs.js +42 -0
package/lib/utils/secrets-kv-scope.js +19 -2
package/lib/utils/secrets-materialize-local.js +134 -0
package/lib/utils/secrets-path.js +26 -13
package/lib/utils/secrets-utils.js +20 -10
package/lib/utils/system-builder-root.js +42 -0
package/lib/utils/url-declarative-public-base.js +80 -12
package/lib/utils/url-declarative-resolve-build-urls.js +238 -0
package/lib/utils/url-declarative-resolve-build.js +24 -388
package/lib/utils/url-declarative-resolve-expand-token.js +189 -0
package/lib/utils/url-declarative-resolve-load-doc.js +12 -3
package/lib/utils/url-declarative-resolve-surface-state.js +102 -0
package/lib/utils/url-declarative-resolve.js +47 -7
package/lib/utils/url-declarative-runtime-base-path.js +52 -0
package/lib/utils/url-declarative-vdir-inactive-env.js +2 -1
package/lib/utils/urls-local-registry-scan.js +103 -0
package/lib/utils/urls-local-registry.js +158 -76
package/lib/utils/validation-poll-ui.js +81 -0
package/lib/utils/validation-run-poll.js +29 -5
package/lib/utils/with-muted-logger.js +53 -0
package/package.json +3 -1
package/templates/applications/dataplane/application.yaml +5 -1
package/templates/applications/dataplane/rbac.yaml +10 -10
package/templates/applications/keycloak/env.template +8 -6
package/templates/applications/miso-controller/application.yaml +9 -0
package/templates/applications/miso-controller/env.template +27 -29
package/templates/applications/miso-controller/rbac.yaml +9 -9
package/templates/external-system/README.md.hbs +83 -123
package/.npmrc.token +0 -1
package/.nyc_output/55e9d034-ddab-4579-a706-e02a91d75c91.json +0 -1
package/.nyc_output/processinfo/55e9d034-ddab-4579-a706-e02a91d75c91.json +0 -1
package/.nyc_output/processinfo/index.json +0 -1
package/lib/api/service-users.api.js +0 -150
package/lib/api/types/service-users.types.js +0 -65
package/lib/cli/setup-service-user.js +0 -187
package/lib/commands/service-user.js +0 -429

package/lib/core/secrets-load.js ADDED Viewed

@@ -0,0 +1,252 @@
+/**
+ * Secrets loading: primary user file plus configured `aifabrix-secrets` (shared YAML or remote API).
+ *
+ * @fileoverview Default `kv://` resolution uses only `~/.aifabrix/secrets.local.yaml` and `aifabrix-secrets`
+ *   from config — not cwd-ancestor `.aifabrix/secrets.local.yaml`, not `builder/secrets.local.yaml`,
+ *   and not `~/.aifabrix/secrets.yaml`.
+ * @author AI Fabrix Team
+ * @version 1.0.0
+ */
+'use strict';
+const fs = require('fs');
+const path = require('path');
+const config = require('./config');
+const { readYamlAtPath, applyCanonicalSecretsOverride } = require('../utils/secrets-canonical');
+const { ensureSecureFilePermissions } = require('../utils/secure-file-permissions');
+const { resolveSecretsPath } = require('../utils/secrets-path');
+const {
+  loadPrimaryUserSecrets,
+  loadDefaultSecrets,
+  ensurePrimaryUserSecretsFileExists
+} = require('../utils/secrets-utils');
+const pathsUtil = require('../utils/paths');
+const { decryptSecret, isEncrypted } = require('../utils/secrets-encryption');
+const logger = require('../utils/logger');
+const { isSecretKeyAllowedEmpty } = require('./secrets-ensure-infra');
+/** Dedupe optional decrypt warnings across repeated `loadSecrets` (and duplicate module instances). */
+function optionalDecryptWarnSeen(key) {
+  const g = globalThis;
+  if (!g.__aifabrixOptionalDecryptWarnOnce) {
+    g.__aifabrixOptionalDecryptWarnOnce = new Set();
+  }
+  const set = g.__aifabrixOptionalDecryptWarnOnce;
+  if (set.has(key)) return true;
+  set.add(key);
+  return false;
+}
+/**
+ * @param {string} key
+ * @param {unknown} value
+ * @param {string} encryptionKey
+ * @param {Record<string, string>} decryptedSecrets
+ * @param {string} [sourceHint] - File path or API label for decrypt errors / warnings
+ */
+function mergeDecryptedEntry(key, value, encryptionKey, decryptedSecrets, sourceHint) {
+  if (!isEncrypted(value)) {
+    decryptedSecrets[key] = value;
+    return;
+  }
+  try {
+    decryptedSecrets[key] = decryptSecret(value, encryptionKey);
+  } catch (error) {
+    const msg = error && error.message ? error.message : String(error);
+    if (!isSecretKeyAllowedEmpty(key)) {
+      const where =
+        sourceHint && String(sourceHint).trim().length > 0
+          ? ` (encrypted value loaded from: ${sourceHint})`
+          : ' (encrypted value source not recorded; check ~/.aifabrix/secrets.local.yaml and aifabrix-secrets)';
+      throw new Error(`Failed to decrypt secret '${key}'${where}: ${msg}`);
+    }
+    if (!optionalDecryptWarnSeen(key)) {
+      const where =
+        sourceHint && String(sourceHint).trim().length > 0
+          ? ` Encrypted value loaded from: ${sourceHint}.`
+          : '';
+      logger.warn(
+        `Optional secret '${key}' could not be decrypted (${msg}). Treating as empty.${where} ` +
+          'Remove the stale key from shared or local secrets, or fix secrets-encryption alignment.'
+      );
+    }
+    decryptedSecrets[key] = '';
+  }
+}
+/**
+ * Decrypts encrypted values in secrets object
+ *
+ * @async
+ * @param {Object} secrets - Secrets object with potentially encrypted values
+ * @param {{ keySources?: Record<string, string>, defaultSourceLabel?: string }} [options] - Per-key file/API path for errors
+ * @returns {Promise<Object>} Secrets object with decrypted values
+ */
+async function decryptSecretsObject(secrets, options) {
+  if (!secrets || typeof secrets !== 'object') {
+    return secrets;
+  }
+  const encryptionKey = await config.getSecretsEncryptionKey();
+  if (!encryptionKey) {
+    const hasEncrypted = Object.values(secrets).some((value) => isEncrypted(value));
+    if (hasEncrypted) {
+      throw new Error(
+        'Encrypted secrets found but no encryption key configured. Run "aifabrix secure --secrets-encryption <key>" to set encryption key.'
+      );
+    }
+    return secrets;
+  }
+  const keySources = options && options.keySources ? options.keySources : null;
+  const defaultLabel = options && options.defaultSourceLabel ? options.defaultSourceLabel : '';
+  const decryptedSecrets = {};
+  for (const [key, value] of Object.entries(secrets)) {
+    const sourceHint = (keySources && keySources[key]) || defaultLabel || '';
+    mergeDecryptedEntry(key, value, encryptionKey, decryptedSecrets, sourceHint);
+  }
+  return decryptedSecrets;
+}
+/**
+ * Merges config file secrets into user secrets (user wins). Returns null if path missing or config empty.
+ * @param {Record<string, string>} [keySources] - Mutated: path for keys filled from this file
+ */
+function mergeUserWithConfigFile(userSecrets, resolvedConfigPath, keySources) {
+  if (!fs.existsSync(resolvedConfigPath)) {
+    return null;
+  }
+  ensureSecureFilePermissions(resolvedConfigPath);
+  let configSecrets;
+  try {
+    configSecrets = readYamlAtPath(resolvedConfigPath);
+  } catch (loadError) {
+    throw new Error(`Failed to load secrets file ${resolvedConfigPath}: ${loadError.message}`);
+  }
+  if (!configSecrets || typeof configSecrets !== 'object') {
+    return null;
+  }
+  const merged = { ...userSecrets };
+  for (const key of Object.keys(configSecrets)) {
+    if (!(key in merged) || merged[key] === undefined || merged[key] === null || merged[key] === '') {
+      merged[key] = configSecrets[key];
+      if (keySources) {
+        keySources[key] = resolvedConfigPath;
+      }
+    }
+  }
+  return merged;
+}
+function createMergeHelpers(userSecrets) {
+  const hasKeys = (obj) => obj && Object.keys(obj).length > 0;
+  return {
+    hasKeys,
+    userOrNull: () => (hasKeys(userSecrets) ? userSecrets : null)
+  };
+}
+async function mergeFromConfiguredSecretsPath(configSecretsPath, userSecrets, helpers, keySources) {
+  const remoteDevAuth = require('../utils/remote-dev-auth');
+  const effectiveShared = await remoteDevAuth.resolveSharedSecretsEndpoint(configSecretsPath);
+  if (remoteDevAuth.isRemoteSecretsUrl(effectiveShared)) {
+    const { loadRemoteSharedSecrets, mergeUserWithRemoteSecrets } = require('../utils/remote-secrets-loader');
+    const remoteSecrets = await loadRemoteSharedSecrets();
+    const remoteLabel = `shared secrets API (${effectiveShared})`;
+    const merged = mergeUserWithRemoteSecrets(userSecrets, remoteSecrets, keySources, remoteLabel);
+    return helpers.hasKeys(merged) ? merged : helpers.userOrNull();
+  }
+  const resolvedConfigPath = path.isAbsolute(configSecretsPath)
+    ? configSecretsPath
+    : path.resolve(process.cwd(), configSecretsPath);
+  const merged = mergeUserWithConfigFile(userSecrets, resolvedConfigPath, keySources);
+  return merged !== null ? merged : helpers.userOrNull();
+}
+async function loadMergedConfigAndUserSecrets() {
+  const userSecrets = loadPrimaryUserSecrets();
+  const helpers = createMergeHelpers(userSecrets);
+  const userPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+  /** @type {Record<string, string>} */
+  const keySources = {};
+  for (const k of Object.keys(userSecrets || {})) {
+    keySources[k] = userPath;
+  }
+  try {
+    const configSecretsPath = await config.getSecretsPath();
+    if (!configSecretsPath) {
+      return { merged: helpers.userOrNull(), keySources };
+    }
+    const merged = await mergeFromConfiguredSecretsPath(configSecretsPath, userSecrets, helpers, keySources);
+    return { merged, keySources };
+  } catch (error) {
+    if (error.message && error.message.startsWith('Failed to load secrets file')) {
+      throw error;
+    }
+    return { merged: null, keySources };
+  }
+}
+async function loadSecretsWithFallbacks() {
+  const mergedResult = await loadMergedConfigAndUserSecrets();
+  let merged = mergedResult.merged;
+  const keySources = mergedResult.keySources;
+  if (!merged || Object.keys(merged).length === 0) {
+    merged = loadPrimaryUserSecrets();
+    const userPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+    for (const k of Object.keys(merged || {})) {
+      keySources[k] = userPath;
+    }
+    merged = await applyCanonicalSecretsOverride(merged || {}, keySources);
+  }
+  const configuredShared = await config.getSecretsPath();
+  if ((!merged || Object.keys(merged).length === 0) && !configuredShared) {
+    merged = loadDefaultSecrets();
+    const defaultPath = path.join(pathsUtil.getAifabrixHome(), 'secrets.yaml');
+    for (const k of Object.keys(merged || {})) {
+      keySources[k] = defaultPath;
+    }
+  }
+  if (!merged || Object.keys(merged).length === 0) {
+    return { merged: {}, keySources };
+  }
+  return { merged, keySources };
+}
+/**
+ * @param {string} [secretsPath]
+ * @param {string} [_appName]
+ */
+async function loadSecrets(secretsPath, _appName) {
+  if (secretsPath) {
+    const resolvedPath = resolveSecretsPath(secretsPath);
+    if (!fs.existsSync(resolvedPath)) {
+      throw new Error(`Secrets file not found: ${resolvedPath}`);
+    }
+    ensureSecureFilePermissions(resolvedPath);
+    const explicitSecrets = readYamlAtPath(resolvedPath);
+    if (!explicitSecrets || typeof explicitSecrets !== 'object') {
+      throw new Error(`Invalid secrets file format: ${resolvedPath}`);
+    }
+    return await decryptSecretsObject(explicitSecrets, { defaultSourceLabel: resolvedPath });
+  }
+  let { merged: mergedSecrets, keySources } = await loadSecretsWithFallbacks();
+  if (!mergedSecrets || Object.keys(mergedSecrets).length === 0) {
+    ensurePrimaryUserSecretsFileExists();
+    const again = await loadSecretsWithFallbacks();
+    mergedSecrets = again.merged;
+    keySources = again.keySources;
+  }
+  return await decryptSecretsObject(mergedSecrets || {}, { keySources });
+}
+module.exports = {
+  loadSecrets,
+  decryptSecretsObject
+};

package/lib/core/secrets-names.js ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * Canonical secret name normalization for env keys.
+ *
+ * @fileoverview Split from secrets.js for module size limits
+ * @author AI Fabrix Team
+ * @version 1.0.0
+ */
+'use strict';
+/**
+ * Generates a canonical secret name from an environment variable key.
+ * Converts to lowercase, replaces non-alphanumeric characters with hyphens,
+ * collapses consecutive hyphens, and trims leading/trailing hyphens.
+ *
+ * @param {string} key - Environment variable key (e.g., JWT_SECRET)
+ * @returns {string} Canonical secret name (e.g., jwt-secret)
+ */
+function getCanonicalSecretName(key) {
+  if (!key || typeof key !== 'string') {
+    return '';
+  }
+  const withHyphens = key.replace(/([a-z0-9])([A-Z])/g, '$1-$2');
+  const lower = withHyphens.toLowerCase();
+  const hyphenated = lower.replace(/[^a-z0-9]/g, '-');
+  const collapsed = hyphenated.replace(/-+/g, '-');
+  return collapsed.replace(/^-+|-+$/g, '');
+}
+module.exports = {
+  getCanonicalSecretName
+};