@aifabrix/builder 2.44.6 → 2.45.0

package/lib/utils/log-redaction.js

@@ -0,0 +1,105 @@
+/**
+ * Shared string redaction for file logs (audit, installation), CLI output, and
+ * `aifabrix logs <app>` container env lines (PII / secrets).
+ * Single implementation to avoid secret-handling drift between logs.
+ *
+ * @fileoverview Sensitive substring masking for operational logs
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+/** Env key patterns that indicate a secret (mask value) — same rules as aifabrix logs <app>. */
+const SECRET_KEY_PATTERN = /password|secret|token|credential|api[_-]?key/i;
+
+/** Prefixes to strip before checking key (avoids masking KEYCLOAK_SERVER_URL etc.) */
+const KEY_PREFIXES_TO_STRIP = /^KEYCLOAK_|^KEY_VAULT_/;
+
+/**
+ * URL with embedded credentials: scheme://user:password@host → scheme://user:***@host
+ * (shared with {@link maskEnvLine} / aifabrix logs <app> env dump)
+ */
+const URL_CREDENTIAL_PATTERN = /(\w+:\/\/)([^:@]*):([^@]+)@/g;
+
+/**
+ * Masks embedded user:password@ in URLs inside any string.
+ *
+ * @param {string} text
+ * @returns {string}
+ */
+function maskUrlEmbeddedCredentials(text) {
+  if (!text || typeof text !== 'string') {
+    return text;
+  }
+  return text.replace(URL_CREDENTIAL_PATTERN, '$1$2:***@');
+}
+
+/**
+ * Masks a single env line (KEY=value) for PII/secrets — same behavior as aifabrix logs <app> environment dump.
+ *
+ * @param {string} line - Line in form KEY=value
+ * @returns {string} Same line or KEY=*** or value with masked URL credentials
+ */
+function maskEnvLine(line) {
+  const eq = line.indexOf('=');
+  if (eq <= 0) {
+    return line;
+  }
+  const key = line.slice(0, eq);
+  const value = line.slice(eq + 1);
+
+  const keyForCheck = key.replace(KEY_PREFIXES_TO_STRIP, '');
+  const isSecretKey = SECRET_KEY_PATTERN.test(keyForCheck);
+
+  const maskedValue = maskUrlEmbeddedCredentials(value);
+  const hasUrlCredentials = maskedValue !== value;
+
+  if (isSecretKey) {
+    return `${key}=***`;
+  }
+  if (hasUrlCredentials) {
+    return `${key}=${maskedValue}`;
+  }
+  return line;
+}
+
+/**
+ * Masks sensitive data in strings (audit/installation log messages, metadata).
+ * Also applies URL embedded-credential masking (same as {@link maskEnvLine} values).
+ *
+ * @param {string} value - Value to mask
+ * @returns {string}
+ */
+function maskSensitiveData(value) {
+  if (!value || typeof value !== 'string') {
+    return value;
+  }
+
+  const sensitivePatterns = [
+    { pattern: /password[=:]\s*([^\s]+)/gi, replacement: 'password=***' },
+    { pattern: /secret[=:]\s*([^\s]+)/gi, replacement: 'secret=***' },
+    { pattern: /key[=:]\s*([^\s]+)/gi, replacement: 'key=***' },
+    { pattern: /token[=:]\s*([^\s]+)/gi, replacement: 'token=***' },
+    { pattern: /api[_-]?key[=:]\s*([^\s]+)/gi, replacement: 'api_key=***' }
+  ];
+
+  let masked = value;
+  for (const { pattern, replacement } of sensitivePatterns) {
+    masked = masked.replace(pattern, replacement);
+  }
+
+  masked = maskUrlEmbeddedCredentials(masked);
+
+  if (/^[a-f0-9]{32,}$/i.test(masked.trim())) {
+    return '***';
+  }
+
+  return masked;
+}
+
+module.exports = {
+  maskSensitiveData,
+  maskEnvLine,
+  maskUrlEmbeddedCredentials
+};

package/lib/utils/manifest-location.js

@@ -0,0 +1,164 @@
+/**
+ * Canonical on-disk application manifest discovery (plan 141 Tier 1 + Tier 2).
+ * Lazy-loads `./paths` inside functions to avoid circular dependency with `paths.js`.
+ *
+ * @fileoverview resolveApplicationManifestPathSync for cwd-first manifest picks
+ * @author AI Fabrix Team
+ * @version 1.0.0
+ */
+
+'use strict';
+
+const path = require('path');
+const { nodeFs } = require('../internal/node-fs');
+const { resolveApplicationConfigPath } = require('./app-config-resolver');
+
+const fsSync = nodeFs();
+
+/**
+ * @returns {import('./paths')}
+ */
+function getPaths() {
+  return require('./paths');
+}
+
+/**
+ * @param {string} dir
+ * @returns {boolean}
+ */
+function hasApplicationConfig(dir) {
+  try {
+    resolveApplicationConfigPath(dir);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * @param {string} dir
+ * @returns {boolean}
+ */
+function isExistingDir(dir) {
+  try {
+    return fsSync.existsSync(dir) && fsSync.statSync(dir).isDirectory();
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * @param {string} cwd
+ * @param {string} targetKey
+ * @returns {{ absolutePath: string, tier: string, appKey: string }|null}
+ */
+function tryTier1Integration(cwd, targetKey) {
+  const dir = path.join(cwd, 'integration', targetKey);
+  if (!isExistingDir(dir) || !hasApplicationConfig(dir)) {
+    return null;
+  }
+  return { absolutePath: path.resolve(dir), tier: 'cwd-integration', appKey: targetKey };
+}
+
+/**
+ * @param {string} cwd
+ * @param {string} targetKey
+ * @returns {{ absolutePath: string, tier: string, appKey: string }|null}
+ */
+function tryTier1Builder(cwd, targetKey) {
+  const dir = path.join(cwd, 'builder', targetKey);
+  if (!isExistingDir(dir) || !hasApplicationConfig(dir)) {
+    return null;
+  }
+  return { absolutePath: path.resolve(dir), tier: 'cwd-builder', appKey: targetKey };
+}
+
+/**
+ * Tier 2: `(aifabrix-work | aifabrix-home)/builder/<key>` when a resolvable application manifest exists.
+ *
+ * @param {string} targetKey
+ * @returns {{ absolutePath: string, tier: string, appKey: string }|null}
+ */
+function tryTier2MaterializationBuilder(targetKey) {
+  const { getSystemBuilderRoot } = getPaths();
+  const dir = path.join(getSystemBuilderRoot(), targetKey);
+  if (!isExistingDir(dir) || !hasApplicationConfig(dir)) {
+    return null;
+  }
+  return { absolutePath: path.resolve(dir), tier: 'system-builder', appKey: targetKey };
+}
+
+/**
+ * @param {string|undefined} cwdOpt
+ * @returns {string}
+ */
+function resolveCwdSafe(cwdOpt) {
+  try {
+    return path.resolve(cwdOpt ? cwdOpt : process.cwd());
+  } catch {
+    return path.resolve(process.cwd());
+  }
+}
+
+/**
+ * @param {{ targetKey?: string, mode?: string, cwd?: string }|null|undefined} opts
+ * @returns {{ targetKey: string, mode: string, cwd: string }|null}
+ */
+function parseManifestResolveOpts(opts) {
+  const targetKey = opts && typeof opts.targetKey === 'string' ? opts.targetKey.trim() : '';
+  if (!targetKey) {
+    return null;
+  }
+  const mode = opts && opts.mode ? opts.mode : 'auto';
+  const cwd = resolveCwdSafe(opts && opts.cwd);
+  return { targetKey, mode, cwd };
+}
+
+/**
+ * @param {string} mode
+ * @param {string} cwd
+ * @param {string} targetKey
+ * @returns {{ absolutePath: string, tier: string, appKey: string }|null}
+ */
+function tryTier1ByMode(mode, cwd, targetKey) {
+  if (mode === 'integration' || mode === 'auto') {
+    const integrationHit = tryTier1Integration(cwd, targetKey);
+    if (integrationHit) {
+      return integrationHit;
+    }
+  }
+  if (mode === 'builder' || mode === 'auto') {
+    const builderHit = tryTier1Builder(cwd, targetKey);
+    if (builderHit) {
+      return builderHit;
+    }
+  }
+  return null;
+}
+
+/**
+ * Resolves `application.yaml` (or sibling config) for an app using plan 141 order:
+ * `cwd/integration/<key>` → `cwd/builder/<key>` → `(aifabrix-work | aifabrix-home)/builder/<key>`.
+ *
+ * @param {{ targetKey: string, mode?: 'auto'|'integration'|'builder', cwd?: string }} opts
+ * @returns {{ absolutePath: string, tier: string, appKey: string }|null} Null when not found
+ */
+function resolveApplicationManifestPathSync(opts) {
+  const parsed = parseManifestResolveOpts(opts);
+  if (!parsed) {
+    return null;
+  }
+  const { targetKey, mode, cwd } = parsed;
+  const tier1 = tryTier1ByMode(mode, cwd, targetKey);
+  if (tier1) {
+    return tier1;
+  }
+  if (mode === 'auto') {
+    return tryTier2MaterializationBuilder(targetKey);
+  }
+  return null;
+}
+
+module.exports = {
+  resolveApplicationManifestPathSync
+};

package/lib/utils/manifest-source-emit.js

@@ -0,0 +1,162 @@
+/**
+ * Plan 141 P2: one gray **Manifest:** line on TTY when a command has resolved an application manifest.
+ *
+ * @fileoverview emitManifestMetadataLineIfTTY
+ * @author AI Fabrix Team
+ * @version 1.0.0
+ */
+
+'use strict';
+
+const path = require('path');
+const { resolveApplicationConfigPath } = require('./app-config-resolver');
+const { resolveApplicationManifestPathSync } = require('./manifest-location');
+const { metadata } = require('./cli-test-layout-chalk');
+const pathsUtil = require('./paths');
+
+/**
+ * @param {string} tier - Tier id from {@link resolveApplicationManifestPathSync}
+ * @returns {string}
+ */
+function humanTierLabel(tier) {
+  if (tier === 'cwd-integration') return 'cwd/integration';
+  if (tier === 'cwd-builder') return 'cwd/builder';
+  if (tier === 'system-builder') return 'system-builder';
+  return tier;
+}
+
+/**
+ * Gray metadata line: `Manifest: <tier> — <configPath>`.
+ *
+ * @param {{ tier: string, configPath: string }} args
+ * @returns {string}
+ */
+function formatManifestSourceMetadataLine(args) {
+  const tier = args && typeof args.tier === 'string' ? args.tier : 'resolved';
+  const configPath = args && typeof args.configPath === 'string' ? args.configPath : '';
+  return metadata(`Manifest: ${humanTierLabel(tier)} — ${configPath}`);
+}
+
+/**
+ * @param {string} appKey
+ * @param {string} appPath
+ * @param {string} [cwd]
+ * @returns {string}
+ */
+function computeTierForAppPath(appKey, appPath, cwd) {
+  const hit = resolveApplicationManifestPathSync({
+    targetKey: appKey,
+    cwd: cwd || process.cwd()
+  });
+  if (hit && path.resolve(hit.absolutePath) === path.resolve(appPath)) {
+    return hit.tier;
+  }
+  return 'resolved';
+}
+
+/**
+ * Machine-readable manifest provenance for `--json` consumers (plan 141).
+ *
+ * @param {string} appKey
+ * @param {string} appPath - Application directory (absolute)
+ * @param {{ cwd?: string }} [opts]
+ * @returns {{ tier: string, tierLabel: string, configPath: string }}
+ */
+function getManifestSourcePayload(appKey, appPath, opts = {}) {
+  const key = appKey && typeof appKey === 'string' ? appKey.trim() : '';
+  const dir = appPath && typeof appPath === 'string' ? appPath.trim() : '';
+  if (!key || !dir) {
+    return { tier: 'unknown', tierLabel: 'unknown', configPath: '' };
+  }
+  let configPath = '';
+  try {
+    configPath = resolveApplicationConfigPath(dir);
+  } catch {
+    configPath = '';
+  }
+  let tier = 'resolved';
+  try {
+    tier = computeTierForAppPath(key, dir, opts.cwd);
+  } catch {
+    tier = 'resolved';
+  }
+  return {
+    tier,
+    tierLabel: humanTierLabel(tier),
+    configPath
+  };
+}
+
+/**
+ * @returns {boolean}
+ */
+function isStdoutTty() {
+  return Boolean(process.stdout && process.stdout.isTTY);
+}
+
+/**
+ * Logs one gray manifest line when appropriate (TTY, not JSON, not env-only).
+ *
+ * @param {{ log: function(string): void }} logger - e.g. `require('./logger')`
+ * @param {{ appKey: string, appPath: string, envOnly?: boolean, json?: boolean, cwd?: string }} opts
+ * @returns {void}
+ */
+function emitManifestMetadataLineIfTTY(logger, opts) {
+  if (!logger || typeof logger.log !== 'function') return;
+  if (!opts || opts.json || opts.envOnly) return;
+  if (!isStdoutTty()) return;
+  const appKey = opts.appKey && typeof opts.appKey === 'string' ? opts.appKey.trim() : '';
+  const appPath = opts.appPath && typeof opts.appPath === 'string' ? opts.appPath.trim() : '';
+  if (!appKey || !appPath) return;
+  let configPath;
+  try {
+    configPath = resolveApplicationConfigPath(appPath);
+  } catch {
+    return;
+  }
+  const tier = computeTierForAppPath(appKey, appPath, opts.cwd);
+  logger.log(formatManifestSourceMetadataLine({ tier, configPath }));
+}
+
+/**
+ * One gray **Manifest:** line for a platform system builder app (`keycloak`, `miso-controller`, `dataplane`).
+ *
+ * @param {{ log: function(string): void }} logger
+ * @param {string} appKey
+ * @param {{ envOnly?: boolean, json?: boolean, cwd?: string }} [opts]
+ * @returns {void}
+ */
+function emitSystemBuilderAppManifestLineIfTTY(logger, appKey, opts = {}) {
+  if (!appKey || typeof appKey !== 'string') return;
+  emitManifestMetadataLineIfTTY(logger, {
+    appKey,
+    appPath: pathsUtil.getBuilderPath(appKey),
+    envOnly: !!opts.envOnly,
+    json: !!opts.json,
+    cwd: opts.cwd
+  });
+}
+
+/**
+ * Gray **Manifest:** line for each platform app (Keycloak, Miso Controller, dataplane), in order.
+ * Used after templates exist (e.g. guided `up-platform` after muted registry prep).
+ *
+ * @param {{ log: function(string): void }} logger
+ * @param {{ envOnly?: boolean, json?: boolean, cwd?: string }} [opts]
+ * @returns {void}
+ */
+function emitAllPlatformSystemManifestLinesIfTTY(logger, opts = {}) {
+  for (const appKey of pathsUtil.SYSTEM_BUILDER_APP_KEYS) {
+    emitSystemBuilderAppManifestLineIfTTY(logger, appKey, opts);
+  }
+}
+
+module.exports = {
+  emitManifestMetadataLineIfTTY,
+  emitSystemBuilderAppManifestLineIfTTY,
+  emitAllPlatformSystemManifestLinesIfTTY,
+  formatManifestSourceMetadataLine,
+  computeTierForAppPath,
+  humanTierLabel,
+  getManifestSourcePayload
+};