@aifabrix/builder 2.44.5 → 2.45.0

package/lib/utils/paths.js

@@ -17,6 +17,7 @@ const {
   getAifabrixRuntimeConfigDir,
   resolveAifabrixHomeLikePath
 } = require('./aifabrix-runtime-config-dir');
+const { resolveSystemBuilderParentDir } = require('./system-builder-root');
 
 function safeHomedir() {
   try {
@@ -43,9 +44,10 @@ function getConfigDirForPaths() {
 }
 
 /**
- * User-owned `secrets.local.yaml` beside effective `config.yaml` (see {@link getConfigDirForPaths}).
- * When `AIFABRIX_HOME` is `$HOME` but config is only at `$HOME/.aifabrix/config.yaml`, uses that folder.
- * Keeps `secret list` / `secret set` aligned with resolve merge (`loadPrimaryUserSecrets`).
+ * User-owned `secrets.local.yaml` beside `config.yaml` (same directory as {@link getConfigDirForPaths}).
+ * When `aifabrix-home` is the POSIX home (e.g. `/home/user`), secrets stay under `~/.aifabrix/`, not
+ * in the home root. {@link getAifabrixHome} remains for applications base, builder parent, and
+ * legacy secrets migration reads in {@link module:lib/utils/secrets-utils}.
  *
  * @returns {string} Absolute path to secrets.local.yaml
  */
@@ -315,7 +317,8 @@ function getDevDirectory(appName, developerId) {
 
 /**
  * Gets the application path (builder or integration folder).
- * Matches getBuilderPath / getIntegrationPath: respects AIFABRIX_BUILDER_DIR and project-root vs cwd base.
+ * Matches {@link getBuilderPath} / {@link getIntegrationPath} (cwd `integration/` / `builder/`, then
+ * material `(aifabrix-work | aifabrix-home)` trees).
  * @param {string} appName - Application name
  * @param {string} [appType] - Application type ('external' or other)
  * @returns {string} Absolute path to application directory
@@ -325,59 +328,161 @@ function getAppPath(appName, appType) {
     throw new Error('App name is required and must be a string');
   }
   if (appType === 'external') {
-    return getIntegrationPath(appName);
+    return module.exports.getIntegrationPath(appName);
   }
-  return path.join(getBuilderRoot(), appName);
+  return module.exports.getBuilderPath(appName);
 }
 
 /**
- * Base directory for integration/builder: project root when cwd is inside project, else cwd.
- * When `aifabrix-work` / `AIFABRIX_WORK` points at a repo that contains `integration/`, use that
- * root even if cwd is elsewhere (e.g. global CLI install + cwd under `integration/<app>/`).
- * @returns {string} Directory to resolve integration/ and builder/ from
+ * Apps materialization / default repo root: **`aifabrix-work`** (or `AIFABRIX_WORK`) when set, else
+ * {@link getAifabrixHome}. Used for `integration/` and `builder/` under that parent (not the CLI
+ * install tree). Aligns with setup / `up-platform` / `up-miso` / `up-dataplane` template targets.
+ *
+ * @returns {string} Absolute directory (no trailing `integration/` or `builder/`)
  */
-function getIntegrationBuilderBaseDir() {
+function getAppsMaterializationParent() {
   const work = getAifabrixWork();
   if (work) {
-    const workNorm = path.resolve(work);
-    const integrationUnderWork = path.join(workNorm, 'integration');
-    try {
-      if (fs.existsSync(integrationUnderWork)) {
-        return workNorm;
-      }
-    } catch {
-      // ignore fs errors
-    }
-  }
-  const root = getProjectRoot();
-  const cwd = path.resolve(process.cwd());
-  const rootNorm = path.resolve(root);
-  if (cwd === rootNorm || cwd.startsWith(rootNorm + path.sep)) {
-    return rootNorm;
+    return path.resolve(work);
   }
-  return cwd;
+  return path.resolve(getAifabrixHome());
 }
 
 /**
- * Returns the integration root directory (used for listing apps).
+ * Base directory for legacy callers that meant “non-cwd app tree”: same as {@link getAppsMaterializationParent}.
+ *
+ * @returns {string}
+ */
+function getIntegrationBuilderBaseDir() {
+  return getAppsMaterializationParent();
+}
+
+/**
+ * Returns the default integration root under {@link getAppsMaterializationParent} (listing may also
+ * scan {@link getCwdIntegrationRoot}; see {@link listIntegrationAppNames}).
+ *
  * @returns {string} Absolute path to integration/ directory
  */
 function getIntegrationRoot() {
-  return path.join(getIntegrationBuilderBaseDir(), 'integration');
+  return path.join(getAppsMaterializationParent(), 'integration');
+}
+
+/**
+ * Absolute `integration/` next to {@link process.cwd} when that directory exists.
+ *
+ * @returns {string|null}
+ */
+function getCwdIntegrationRoot() {
+  const p = path.join(path.resolve(process.cwd()), 'integration');
+  try {
+    if (nodeFs().existsSync(p)) {
+      const st = nodeFs().statSync(p);
+      if (st && typeof st.isDirectory === 'function' && st.isDirectory()) {
+        return p;
+      }
+    }
+  } catch {
+    // ignore
+  }
+  return null;
 }
 
 /**
- * Returns the builder root directory. Uses AIFABRIX_BUILDER_DIR when set, else project/cwd + builder.
+ * Absolute `builder/` next to {@link process.cwd} when that directory exists.
+ *
+ * @returns {string|null}
+ */
+function getCwdBuilderRoot() {
+  const p = path.join(path.resolve(process.cwd()), 'builder');
+  try {
+    if (nodeFs().existsSync(p)) {
+      const st = nodeFs().statSync(p);
+      if (st && typeof st.isDirectory === 'function' && st.isDirectory()) {
+        return p;
+      }
+    }
+  } catch {
+    // ignore
+  }
+  return null;
+}
+
+/**
+ * Returns the material `builder/` root: {@link getAppsMaterializationParent}`/builder`
+ * (same as {@link getSystemBuilderRoot}). Does not use `AIFABRIX_BUILDER_DIR` — app paths follow
+ * cwd + `integration/` / `builder/` or this root only.
+ *
  * @returns {string} Absolute path to builder/ directory
  */
 function getBuilderRoot() {
-  const envDir = process.env.AIFABRIX_BUILDER_DIR && typeof process.env.AIFABRIX_BUILDER_DIR === 'string'
-    ? process.env.AIFABRIX_BUILDER_DIR.trim()
-    : null;
-  if (envDir) {
-    return path.resolve(envDir);
+  return path.join(getAppsMaterializationParent(), 'builder');
+}
+
+/**
+ * Platform system apps (`up-platform` / `up-miso` / `up-dataplane` / `setup`): materialize under
+ * {@link getSystemBuilderRoot} (= {@link getAppsMaterializationParent}`/builder`), never the global CLI package tree.
+ * @readonly
+ */
+const SYSTEM_BUILDER_APP_KEYS = Object.freeze(['keycloak', 'miso-controller', 'dataplane']);
+
+/**
+ * @param {string} appName
+ * @returns {boolean}
+ */
+function isSystemBuilderAppName(appName) {
+  if (!appName || typeof appName !== 'string') return false;
+  return SYSTEM_BUILDER_APP_KEYS.includes(appName);
+}
+
+/**
+ * `builder/<appName>` under {@link getAppsMaterializationParent} (same tree as {@link getSystemBuilderRoot}).
+ *
+ * @param {string} appName
+ * @returns {string}
+ */
+function getProjectBuilderAppPath(appName) {
+  return path.join(getIntegrationBuilderBaseDir(), 'builder', appName);
+}
+
+/**
+ * Same parent as {@link getAppsMaterializationParent} (exported for diagnostics / allowlist checks).
+ *
+ * @returns {string} Absolute path (no trailing `builder/`)
+ */
+function getSystemPlatformMaterializationParent() {
+  return getAppsMaterializationParent();
+}
+
+/**
+ * Default `builder/` root for materialized platform apps and Tier‑2 manifest discovery:
+ * {@link getAppsMaterializationParent}`/builder`.
+ *
+ * @returns {string}
+ */
+function getSystemBuilderRoot() {
+  return path.join(getAppsMaterializationParent(), 'builder');
+}
+
+/**
+ * True when `projectAppPath` is a directory that contains a resolvable application config
+ * (`application.yaml` / `.json` / legacy `variables.yaml`). Empty `builder/<platformApp>`
+ * stubs must not win over {@link getSystemBuilderRoot} or secrets/run would read the wrong tree
+ * (missing `env.template` → skipped ensure → "Missing secrets" on first platform boot).
+ *
+ * @param {string} projectAppPath - Absolute `.../builder/<app>`
+ * @returns {boolean}
+ */
+function isProjectBuilderAppDirectory(projectAppPath) {
+  try {
+    if (!projectAppPath || !nodeFs().existsSync(projectAppPath)) return false;
+    const st = nodeFs().statSync(projectAppPath);
+    if (!st || typeof st.isDirectory !== 'function' || !st.isDirectory()) return false;
+    const { resolveApplicationConfigPath } = require('./app-config-resolver');
+    resolveApplicationConfigPath(projectAppPath);
+    return true;
+  } catch {
+    return false;
   }
-  return path.join(getIntegrationBuilderBaseDir(), 'builder');
 }
 
 /**
@@ -404,49 +509,67 @@ function isAppSubdirSync(root, name) {
  */
 function listIntegrationAppNames() {
   const disk = nodeFs();
-  const root = getIntegrationRoot();
-  if (!disk.existsSync(root)) {
-    return [];
+  const names = new Set();
+  const cwdRoot = getCwdIntegrationRoot();
+  if (cwdRoot) {
+    addBuilderSubdirNamesToSet(disk, cwdRoot, names, null);
   }
-  let rootStat;
+  const matInt = getIntegrationRoot();
+  addBuilderSubdirNamesToSet(disk, matInt, names, null);
+  return [...names].sort();
+}
+
+/**
+ * Adds immediate subdirectory names under a builder root into `names` (real disk via {@link nodeFs}).
+ * @param {ReturnType<typeof nodeFs>} disk
+ * @param {string} builderRootDir
+ * @param {Set<string>} names
+ * @param {(name: string) => boolean} [nameFilter] - When set, only names passing this filter (after dir check)
+ */
+function addBuilderSubdirNamesToSet(disk, builderRootDir, names, nameFilter) {
+  if (!builderRootDir || !disk.existsSync(builderRootDir)) return;
+  let st;
   try {
-    rootStat = disk.statSync(root);
+    st = disk.statSync(builderRootDir);
   } catch {
-    return [];
+    return;
   }
-  if (!rootStat || typeof rootStat.isDirectory !== 'function' || !rootStat.isDirectory()) {
-    return [];
+  if (!st || typeof st.isDirectory !== 'function' || !st.isDirectory()) return;
+  try {
+    for (const name of disk.readdirSync(builderRootDir)) {
+      if (!isAppSubdirSync(builderRootDir, name)) continue;
+      if (nameFilter && !nameFilter(name)) continue;
+      names.add(name);
+    }
+  } catch {
+    // ignore
   }
-  const entries = disk.readdirSync(root);
-  return entries.filter((name) => isAppSubdirSync(root, name)).sort();
 }
 
 /**
- * Lists app names (directories) under builder root. Excludes dot-prefixed entries.
- * Returns [] if root does not exist.
+ * Lists app names (directories) under builder roots. Excludes dot-prefixed entries.
+ * Merges `cwd/builder` and material `(aifabrix-work | aifabrix-home)/builder` (deduped).
  * @returns {string[]} Sorted list of app directory names
  */
 function listBuilderAppNames() {
   const disk = nodeFs();
-  const root = getBuilderRoot();
-  if (!disk.existsSync(root)) {
-    return [];
-  }
-  let rootStat;
-  try {
-    rootStat = disk.statSync(root);
-  } catch {
-    return [];
+  const names = new Set();
+  const roots = new Set();
+  const cwdRoot = getCwdBuilderRoot();
+  if (cwdRoot) {
+    roots.add(path.resolve(cwdRoot));
   }
-  if (!rootStat || typeof rootStat.isDirectory !== 'function' || !rootStat.isDirectory()) {
-    return [];
+  roots.add(path.resolve(getSystemBuilderRoot()));
+  for (const r of roots) {
+    addBuilderSubdirNamesToSet(disk, r, names, null);
   }
-  const entries = disk.readdirSync(root);
-  return entries.filter((name) => isAppSubdirSync(root, name)).sort();
+  return [...names].sort();
 }
 
 /**
- * Gets the integration folder path for external systems.
+ * Gets the integration folder path: **`cwd/integration/<appName>`** when that directory exists, else
+ * **`aifabrix-work` or `aifabrix-home` + `/integration/<appName>`**.
+ *
  * @param {string} appName - Application name
  * @returns {string} Absolute path to integration directory
  */
@@ -454,8 +577,18 @@ function getIntegrationPath(appName) {
   if (!appName || typeof appName !== 'string') {
     throw new Error('App name is required and must be a string');
   }
-  const base = getIntegrationBuilderBaseDir();
-  return path.join(base, 'integration', appName);
+  const cwdInt = path.join(path.resolve(process.cwd()), 'integration', appName);
+  try {
+    if (nodeFs().existsSync(cwdInt)) {
+      const st = nodeFs().statSync(cwdInt);
+      if (st && typeof st.isDirectory === 'function' && st.isDirectory()) {
+        return cwdInt;
+      }
+    }
+  } catch {
+    // ignore
+  }
+  return path.join(getAppsMaterializationParent(), 'integration', appName);
 }
 
 /**
@@ -473,7 +606,39 @@ function resolveBuildContext(configDir, buildContext) {
 }
 
 /**
- * Gets the builder folder path. Uses AIFABRIX_BUILDER_DIR when set, else project root.
+ * `cwd/builder/<appName>` when present as a directory and allowed (platform empty stubs skipped).
+ *
+ * @param {string} appName
+ * @returns {string|null}
+ */
+function tryCwdBuilderPathOrNull(appName) {
+  const cwdApp = path.join(path.resolve(process.cwd()), 'builder', appName);
+  try {
+    if (!nodeFs().existsSync(cwdApp)) {
+      return null;
+    }
+    const st = nodeFs().statSync(cwdApp);
+    if (!st || typeof st.isDirectory !== 'function' || !st.isDirectory()) {
+      return null;
+    }
+    if (isSystemBuilderAppName(appName) && !isProjectBuilderAppDirectory(cwdApp)) {
+      return null;
+    }
+    return cwdApp;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Gets the builder folder path:
+ * 1. Plan 141 Tier‑1: `cwd/builder/<app>` or `cwd/integration/<app>` when a resolvable application manifest exists.
+ * 2. Else **`cwd/builder/<app>`** when that directory exists. For **platform** apps (`keycloak`,
+ *    `miso-controller`, `dataplane`), an **empty** cwd stub is ignored so materialization under
+ *    `(work|home)/builder` still wins.
+ * 3. Else **`(aifabrix-work or aifabrix-home)/builder/<appName>`** — used by setup / `up-platform` /
+ *    `up-miso` / `up-dataplane` for template materialization.
+ *
  * @param {string} appName - Application name
  * @returns {string} Absolute path to builder directory
  */
@@ -481,14 +646,20 @@ function getBuilderPath(appName) {
   if (!appName || typeof appName !== 'string') {
     throw new Error('App name is required and must be a string');
   }
-  const builderRoot = process.env.AIFABRIX_BUILDER_DIR && typeof process.env.AIFABRIX_BUILDER_DIR === 'string'
-    ? process.env.AIFABRIX_BUILDER_DIR.trim()
-    : null;
-  if (builderRoot) {
-    return path.join(path.resolve(builderRoot), appName);
+  const { resolveApplicationManifestPathSync } = require('./manifest-location');
+  const manifestHit = resolveApplicationManifestPathSync({
+    targetKey: appName,
+    mode: 'auto',
+    cwd: process.cwd()
+  });
+  if (manifestHit && (manifestHit.tier === 'cwd-builder' || manifestHit.tier === 'cwd-integration')) {
+    return manifestHit.absolutePath;
   }
-  const base = getIntegrationBuilderBaseDir();
-  return path.join(base, 'builder', appName);
+  const cwdHit = tryCwdBuilderPathOrNull(appName);
+  if (cwdHit) {
+    return cwdHit;
+  }
+  return path.join(getAppsMaterializationParent(), 'builder', appName);
 }
 
 /**
@@ -639,16 +810,66 @@ async function getResolveAppPath(appName) {
       return { appPath: integrationPath, envOnly: true };
     }
   }
+  const { resolveApplicationManifestPathSync } = require('./manifest-location');
+  const manifestHit = resolveApplicationManifestPathSync({
+    targetKey: appName,
+    mode: 'auto',
+    cwd: process.cwd()
+  });
+  if (manifestHit) {
+    return { appPath: manifestHit.absolutePath, envOnly: false };
+  }
   const result = await detectAppType(appName);
   return { appPath: result.appPath, envOnly: false };
 }
 
-/** Resolve app folder name when cwd is inside integration/<systemKey>/. */
+/**
+ * @param {string} walkDir - Candidate workspace root (walk upward from cwd)
+ * @param {string} cwd - Resolved process.cwd()
+ * @param {ReturnType<typeof nodeFs>} disk
+ * @returns {string|null}
+ */
+function tryIntegrationAppKeyAtWalkStep(walkDir, cwd, disk) {
+  const integrationDir = path.join(walkDir, 'integration');
+  try {
+    if (!disk.existsSync(integrationDir)) {
+      return null;
+    }
+    const intNorm = path.resolve(integrationDir);
+    if (cwd !== intNorm && !cwd.startsWith(intNorm + path.sep)) {
+      return null;
+    }
+    const rel = path.relative(intNorm, cwd);
+    if (!rel || rel.startsWith('..') || path.isAbsolute(rel)) {
+      return null;
+    }
+    return rel.split(path.sep)[0] || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Resolve app folder name when cwd is under some ancestor's `integration/<systemKey>/`.
+ * Walks up from cwd (does not use {@link getIntegrationBuilderBaseDir}) so detection still works
+ * when the canonical base is config/home but the shell is inside a checkout's integration tree.
+ */
 function resolveIntegrationAppKeyFromCwd() {
-  const integrationNorm = path.resolve(path.join(getIntegrationBuilderBaseDir(), 'integration'));
   const cwd = path.resolve(process.cwd());
-  if (cwd !== integrationNorm && !cwd.startsWith(integrationNorm + path.sep)) return null;
-  return path.relative(integrationNorm, cwd).split(path.sep)[0] || null;
+  const disk = nodeFs();
+  let p = cwd;
+  for (let i = 0; i < 64; i += 1) {
+    const key = tryIntegrationAppKeyAtWalkStep(p, cwd, disk);
+    if (key) {
+      return key;
+    }
+    const parent = path.dirname(p);
+    if (parent === p) {
+      break;
+    }
+    p = parent;
+  }
+  return null;
 }
 
 module.exports = {
@@ -660,11 +881,22 @@ module.exports = {
   getApplicationsBaseDir,
   getDevDirectory,
   getAppPath,
+  getAppsMaterializationParent,
+  getCwdIntegrationRoot,
+  getCwdBuilderRoot,
   getProjectRoot,
+  findProjectRootFromCwd,
   getIntegrationPath,
   getBuilderPath,
   getIntegrationRoot,
   getBuilderRoot,
+  getIntegrationBuilderBaseDir,
+  SYSTEM_BUILDER_APP_KEYS,
+  isSystemBuilderAppName,
+  getProjectBuilderAppPath,
+  getSystemPlatformMaterializationParent,
+  getSystemBuilderRoot,
+  resolveSystemBuilderParentDir,
   listIntegrationAppNames,
   listBuilderAppNames,
   resolveBuildContext,