@ductape/sdk 0.0.4-v59 → 0.0.4-v60

package/dist/products/services/products.service.js

@@ -36,17 +36,20 @@ const update_productDatabaseMigration_validator_1 = __importDefault(require("../
 const create_productNotificationMessage_validator_1 = __importDefault(require("../validators/joi-validators/create.productNotificationMessage.validator"));
 const create_productMessageBrokerTopic_validator_1 = __importDefault(require("../validators/joi-validators/create.productMessageBrokerTopic.validator"));
 const update_productMessageBrokerTopic_validator_1 = __importDefault(require("../validators/joi-validators/update.productMessageBrokerTopic.validator"));
+const secrets_1 = require("../../secrets");
 const update_productNotificationMessage_validator_1 = __importDefault(require("../validators/joi-validators/update.productNotificationMessage.validator"));
 const create_productNotification_validator_1 = require("../validators/joi-validators/create.productNotification.validator");
 const functions_utils_1 = require("../utils/functions.utils");
 const objects_utils_2 = require("../../apps/utils/objects.utils");
 const webhooksApi_service_1 = require("../../api/services/webhooksApi.service");
 class ProductsBuilderService {
-    constructor({ workspace_id, public_key, user_id, token, env_type, redis_client, queues }) {
+    constructor({ workspace_id, public_key, user_id, token, env_type, redis_client, queues, access_key }) {
+        this.workspace_private_key = null;
         this.workspace_id = workspace_id;
         this.public_key = public_key;
         this.user_id = user_id;
         this.token = token;
+        this.access_key = access_key || null;
         this.userApi = new userApi_service_1.UserApiService(env_type, redis_client);
         this.productApi = new productsApi_service_1.ProductsApiService(env_type, redis_client);
         this.workspaceApi = new workspaceApi_service_1.WorkspaceApiService(env_type, redis_client);
@@ -289,6 +292,22 @@ class ProductsBuilderService {
         if (!this.workspace) {
             this.workspace = await this.workspaceApi.fetchWorkspaceById(this.getUserAccess(), subCheck);
         }
+        // Fetch workspace private key using the dedicated endpoint for secrets encryption
+        if (!this.workspace_private_key && this.access_key) {
+            try {
+                this.workspace_private_key = await this.workspaceApi.fetchPrivateKey(this.getUserAccess(), this.access_key);
+            }
+            catch (e) {
+                console.warn('[ProductsBuilderService] Failed to fetch workspace private key:', e);
+            }
+        }
+    }
+    /**
+     * Get the workspace private key for secrets encryption
+     * @returns The workspace private key or null if not available
+     */
+    getWorkspacePrivateKey() {
+        return this.workspace_private_key;
     }
     async initializeProduct(product_id) {
         try {
@@ -578,6 +597,134 @@ class ProductsBuilderService {
             throw new Error(`Message Broker ${messageBrokerTag} not found`);
         return messageBroker.topics;
     }
+    // ==================== MESSAGE BROKER PRODUCERS ====================
+    async createMessageBrokerProducer(data) {
+        var _a, _b;
+        try {
+            const [messageBrokerTag, topicTag] = data.topic.split(':');
+            if (!messageBrokerTag || !topicTag) {
+                throw new Error(`topic is expected to be defined as "messageBroker_tag:topic_tag"`);
+            }
+            const broker = await this.fetchMessageBroker(messageBrokerTag);
+            if (!broker) {
+                throw new Error(`Message Broker ${messageBrokerTag} not found`);
+            }
+            // Check if topic exists
+            const topic = (_a = broker.topics) === null || _a === void 0 ? void 0 : _a.find((t) => t.tag === topicTag);
+            if (!topic) {
+                throw new Error(`Topic ${topicTag} not found in broker ${messageBrokerTag}`);
+            }
+            // Check if producer already exists
+            const existingProducer = (_b = broker.producers) === null || _b === void 0 ? void 0 : _b.find((p) => p.tag === data.tag);
+            if (existingProducer) {
+                throw new Error(`Producer ${data.tag} already exists in broker ${messageBrokerTag}`);
+            }
+            await this.productApi.updateProduct(this.product_id, Object.assign(Object.assign({}, data), { messageBrokerTag, component: enums_1.ProductComponents.MESSAGEBROKER_PRODUCER, action: enums_1.RequestAction.CREATE }), this.getUserAccess());
+        }
+        catch (e) {
+            throw e;
+        }
+    }
+    async updateMessageBrokerProducer(data) {
+        var _a;
+        try {
+            const [messageBrokerTag, topicTag] = data.topic.split(':');
+            if (!messageBrokerTag || !topicTag) {
+                throw new Error(`topic is expected to be defined as "messageBroker_tag:topic_tag"`);
+            }
+            const broker = await this.fetchMessageBroker(messageBrokerTag);
+            if (!broker) {
+                throw new Error(`Message Broker ${messageBrokerTag} not found`);
+            }
+            // Check if producer exists
+            const existingProducer = (_a = broker.producers) === null || _a === void 0 ? void 0 : _a.find((p) => p.tag === data.tag);
+            if (!existingProducer) {
+                throw new Error(`Producer ${data.tag} not found in broker ${messageBrokerTag}`);
+            }
+            await this.productApi.updateProduct(this.product_id, Object.assign(Object.assign({}, data), { messageBrokerTag, component: enums_1.ProductComponents.MESSAGEBROKER_PRODUCER, action: enums_1.RequestAction.UPDATE }), this.getUserAccess());
+        }
+        catch (e) {
+            throw e;
+        }
+    }
+    async fetchMessageBrokerProducer(brokerTag, tag) {
+        var _a;
+        const messageBroker = this.product.messageBrokers.find((data) => data.tag === brokerTag);
+        if (!messageBroker)
+            throw new Error(`MessageBroker ${brokerTag} not found`);
+        const producer = (_a = messageBroker.producers) === null || _a === void 0 ? void 0 : _a.find((p) => p.tag === tag);
+        return producer || null;
+    }
+    async fetchMessageBrokerProducers(messageBrokerTag) {
+        const messageBroker = this.product.messageBrokers.find((data) => data.tag === messageBrokerTag);
+        if (!messageBroker)
+            throw new Error(`Message Broker ${messageBrokerTag} not found`);
+        return messageBroker.producers || [];
+    }
+    // ==================== MESSAGE BROKER CONSUMERS ====================
+    async createMessageBrokerConsumer(data) {
+        var _a, _b;
+        try {
+            const [messageBrokerTag, topicTag] = data.topic.split(':');
+            if (!messageBrokerTag || !topicTag) {
+                throw new Error(`topic is expected to be defined as "messageBroker_tag:topic_tag"`);
+            }
+            const broker = await this.fetchMessageBroker(messageBrokerTag);
+            if (!broker) {
+                throw new Error(`Message Broker ${messageBrokerTag} not found`);
+            }
+            // Check if topic exists
+            const topic = (_a = broker.topics) === null || _a === void 0 ? void 0 : _a.find((t) => t.tag === topicTag);
+            if (!topic) {
+                throw new Error(`Topic ${topicTag} not found in broker ${messageBrokerTag}`);
+            }
+            // Check if consumer already exists
+            const existingConsumer = (_b = broker.consumers) === null || _b === void 0 ? void 0 : _b.find((c) => c.tag === data.tag);
+            if (existingConsumer) {
+                throw new Error(`Consumer ${data.tag} already exists in broker ${messageBrokerTag}`);
+            }
+            await this.productApi.updateProduct(this.product_id, Object.assign(Object.assign({}, data), { messageBrokerTag, component: enums_1.ProductComponents.MESSAGEBROKER_CONSUMER, action: enums_1.RequestAction.CREATE }), this.getUserAccess());
+        }
+        catch (e) {
+            throw e;
+        }
+    }
+    async updateMessageBrokerConsumer(data) {
+        var _a;
+        try {
+            const [messageBrokerTag, topicTag] = data.topic.split(':');
+            if (!messageBrokerTag || !topicTag) {
+                throw new Error(`topic is expected to be defined as "messageBroker_tag:topic_tag"`);
+            }
+            const broker = await this.fetchMessageBroker(messageBrokerTag);
+            if (!broker) {
+                throw new Error(`Message Broker ${messageBrokerTag} not found`);
+            }
+            // Check if consumer exists
+            const existingConsumer = (_a = broker.consumers) === null || _a === void 0 ? void 0 : _a.find((c) => c.tag === data.tag);
+            if (!existingConsumer) {
+                throw new Error(`Consumer ${data.tag} not found in broker ${messageBrokerTag}`);
+            }
+            await this.productApi.updateProduct(this.product_id, Object.assign(Object.assign({}, data), { messageBrokerTag, component: enums_1.ProductComponents.MESSAGEBROKER_CONSUMER, action: enums_1.RequestAction.UPDATE }), this.getUserAccess());
+        }
+        catch (e) {
+            throw e;
+        }
+    }
+    async fetchMessageBrokerConsumer(brokerTag, tag) {
+        var _a;
+        const messageBroker = this.product.messageBrokers.find((data) => data.tag === brokerTag);
+        if (!messageBroker)
+            throw new Error(`MessageBroker ${brokerTag} not found`);
+        const consumer = (_a = messageBroker.consumers) === null || _a === void 0 ? void 0 : _a.find((c) => c.tag === tag);
+        return consumer || null;
+    }
+    async fetchMessageBrokerConsumers(messageBrokerTag) {
+        const messageBroker = this.product.messageBrokers.find((data) => data.tag === messageBrokerTag);
+        if (!messageBroker)
+            throw new Error(`Message Broker ${messageBrokerTag} not found`);
+        return messageBroker.consumers || [];
+    }
     async validateQuotaFallbackInputAndOutput(data, type) {
         const input = data.input;
         await Promise.all(data.options.map(async (d, index) => {
@@ -1071,69 +1218,125 @@ class ProductsBuilderService {
         }
     }
     async createMessageBroker(data, throwErrorIfExists = false) {
-        if (!(await this.fetchMessageBroker(data.tag))) {
+        var _a;
+        const logPrefix = '[MessageBroker:Create]';
+        console.log(`${logPrefix} Starting creation for broker: ${data.tag}`);
+        console.log(`${logPrefix} Broker name: ${data.name}`);
+        console.log(`${logPrefix} Broker description: ${data.description || 'N/A'}`);
+        console.log(`${logPrefix} Number of environments: ${((_a = data.envs) === null || _a === void 0 ? void 0 : _a.length) || 0}`);
+        const existingBroker = await this.fetchMessageBroker(data.tag);
+        if (!existingBroker) {
+            console.log(`${logPrefix} Broker ${data.tag} does not exist, proceeding with creation`);
+            console.log(`${logPrefix} Validating schema...`);
             await validators_1.CreateMessageBrokerSchema.validateAsync(data);
+            console.log(`${logPrefix} Schema validation passed`);
             const processedEnvs = [];
             for (const env of data.envs) {
+                console.log(`${logPrefix} Processing env: ${env.slug} (type: ${env.type})`);
                 const exists = await this.fetchEnv(env.slug);
                 if (!exists) {
+                    console.error(`${logPrefix} Env ${env.slug} does not exist`);
                     throw new Error(`Env ${env.slug} does not exist`);
                 }
+                console.log(`${logPrefix} Env ${env.slug} exists, verified`);
+                // Store sensitive credentials as secrets
+                console.log(`${logPrefix} Processing secrets for env: ${env.slug}...`);
+                env.config = await this.processMessageBrokerConfigSecrets(env.config, env.type, data.tag, env.slug);
+                console.log(`${logPrefix} Secrets processed for env: ${env.slug}`);
+                console.log(`${logPrefix} Encrypting config for env: ${env.slug}...`);
                 env.config = (0, processor_utils_1.encrypt)(JSON.stringify(env.config), this.product.private_key);
+                console.log(`${logPrefix} Config encrypted for env: ${env.slug}`);
                 processedEnvs.push(env);
             }
             data.envs = processedEnvs;
+            console.log(`${logPrefix} All environments processed: ${processedEnvs.length}`);
             const envs = await this.fetchEnvs();
+            console.log(`${logPrefix} Product has ${envs.length} environments defined`);
             for (const env of envs) {
                 const exists = data.envs.findIndex((dbEnv) => dbEnv.slug === env.slug);
                 if (exists === -1) {
+                    console.error(`${logPrefix} Product env ${env.slug} is not defined in broker config`);
                     throw new Error(`Product env ${env.slug} is not defined, please provide connection details`);
                 }
             }
+            console.log(`${logPrefix} All product environments have broker configs`);
+            console.log(`${logPrefix} Sending create request to API...`);
             await this.productApi.updateProduct(this.product_id, Object.assign(Object.assign({}, data), { component: enums_1.ProductComponents.MESSAGEBROKER, action: enums_1.RequestAction.CREATE }), this.getUserAccess());
+            console.log(`${logPrefix} Message broker ${data.tag} created successfully`);
         }
         else {
+            console.log(`${logPrefix} Broker ${data.tag} already exists`);
             if (throwErrorIfExists)
                 throw new Error(`Message Broker ${data.tag} already exists`);
         }
     }
     async updateMessageBroker(tag, data) {
+        var _a, _b;
+        const logPrefix = '[MessageBroker:Update]';
+        console.log(`${logPrefix} Starting update for broker: ${tag}`);
+        console.log(`${logPrefix} New tag (if changed): ${data.tag || 'unchanged'}`);
+        console.log(`${logPrefix} New name: ${data.name || 'unchanged'}`);
+        console.log(`${logPrefix} Number of environments in update: ${((_a = data.envs) === null || _a === void 0 ? void 0 : _a.length) || 0}`);
         try {
+            console.log(`${logPrefix} Fetching existing broker: ${tag}`);
             const messageBroker = await this.fetchMessageBroker(tag);
             if (!messageBroker) {
+                console.error(`${logPrefix} Broker ${tag} not found`);
                 throw new Error(`Broker ${tag} not found`);
             }
+            console.log(`${logPrefix} Existing broker found with ${((_b = messageBroker.envs) === null || _b === void 0 ? void 0 : _b.length) || 0} environments`);
             const { _id, envs } = messageBroker;
-            await validators_1.UpdateMessageBrokerSchema.validateAsync(data); // Change to update;
+            console.log(`${logPrefix} Broker ID: ${_id}`);
+            console.log(`${logPrefix} Validating update schema...`);
+            await validators_1.UpdateMessageBrokerSchema.validateAsync(data);
+            console.log(`${logPrefix} Schema validation passed`);
             if (data.tag && (await this.fetchMessageBroker(data.tag))) {
-                throw new Error(`tag ${tag} is in use`); // TODO: also check on the backend
+                console.error(`${logPrefix} Tag ${data.tag} is already in use`);
+                throw new Error(`tag ${tag} is in use`);
             }
-            console.log('2', data.envs);
             const processedEnvs = [];
             for (const env of data.envs) {
+                console.log(`${logPrefix} Processing env: ${env.slug} (type: ${env.type})`);
                 const exists = await this.fetchEnv(env.slug);
                 if (!exists) {
+                    console.error(`${logPrefix} Env ${env.slug} does not exist`);
                     throw new Error(`Env ${env.slug} does not exist`);
                 }
-                if (env.config)
+                console.log(`${logPrefix} Env ${env.slug} exists, verified`);
+                if (env.config) {
+                    // Store sensitive credentials as secrets
+                    console.log(`${logPrefix} Processing secrets for env: ${env.slug}...`);
+                    env.config = await this.processMessageBrokerConfigSecrets(env.config, env.type, data.tag || tag, env.slug);
+                    console.log(`${logPrefix} Secrets processed for env: ${env.slug}`);
+                    console.log(`${logPrefix} Encrypting config for env: ${env.slug}...`);
                     env.config = (0, processor_utils_1.encrypt)(JSON.stringify(env.config), this.product.private_key);
+                    console.log(`${logPrefix} Config encrypted for env: ${env.slug}`);
+                }
+                else {
+                    console.log(`${logPrefix} No config provided for env: ${env.slug}, skipping secrets processing`);
+                }
                 processedEnvs.push(env);
             }
             data.envs = processedEnvs;
+            console.log(`${logPrefix} All environments processed: ${processedEnvs.length}`);
             const overwrite = [];
             const newEnvs = [];
             for (const dataEnv of data.envs) {
                 const exists = envs.findIndex((env) => env.slug === dataEnv.slug);
                 if (!(await this.fetchEnv(dataEnv.slug))) {
+                    console.error(`${logPrefix} Product Environment ${dataEnv.slug} doesn't exist`);
                     throw new Error(`Product Environment ${dataEnv.slug} doesn't exist`);
                 }
                 if (exists === -1) {
+                    console.log(`${logPrefix} Env ${dataEnv.slug} is a NEW environment`);
                     if (!dataEnv.config) {
+                        console.error(`${logPrefix} Config is required for new env ${dataEnv.slug}`);
                         throw new Error(`config is required for new env ${data.envs[exists].slug}`);
                     }
                     newEnvs.push(dataEnv);
                 }
                 else {
+                    console.log(`${logPrefix} Env ${dataEnv.slug} will OVERWRITE existing config`);
                     if (envs[exists].config) {
                         envs[exists].config = (0, processor_utils_1.encrypt)(JSON.stringify(envs[exists].config), this.product.private_key);
                     }
@@ -1145,6 +1348,7 @@ class ProductsBuilderService {
                 const newEnv = newEnvs.findIndex((dataEnv) => env.slug === dataEnv.slug) > -1;
                 const overwriteEnv = overwrite.findIndex((dataEnv) => env.slug === dataEnv.slug) > -1;
                 if (!newEnv && !overwriteEnv) {
+                    console.log(`${logPrefix} Env ${env.slug} is UNCHANGED`);
                     if (env.config) {
                         env.config = (0, processor_utils_1.encrypt)(JSON.stringify(env.config), this.product.private_key);
                     }
@@ -1152,9 +1356,13 @@ class ProductsBuilderService {
                 }
             }
             data.envs = [...unchanged, ...overwrite, ...newEnvs];
+            console.log(`${logPrefix} Final env breakdown - Unchanged: ${unchanged.length}, Overwrite: ${overwrite.length}, New: ${newEnvs.length}`);
+            console.log(`${logPrefix} Sending update request to API...`);
             await this.productApi.updateProduct(this.product_id, Object.assign(Object.assign(Object.assign({ _id }, messageBroker), data), { component: enums_1.ProductComponents.MESSAGEBROKER, action: enums_1.RequestAction.UPDATE }), this.getUserAccess());
+            console.log(`${logPrefix} Message broker ${tag} updated successfully`);
         }
         catch (e) {
+            console.error(`${logPrefix} Update failed:`, e);
             throw e;
         }
     }
@@ -1228,6 +1436,8 @@ class ProductsBuilderService {
                     // @ts-ignore
                     //env.config.config.private_key = gcpPKCSConvert(env.config.config.private_key)
                 }
+                // Store sensitive credentials as secrets
+                env.config = await this.processStorageConfigSecrets(env.config, env.type, data.tag, env.slug);
                 env.config = (0, processor_utils_1.encrypt)(JSON.stringify(env.config), this.product.private_key);
                 processedEnvs.push(env);
             }
@@ -1266,8 +1476,11 @@ class ProductsBuilderService {
                     // @ts-ignore
                     //env.config.config.private_key = gcpPKCSConvert(env.config.config.private_key)
                 }
-                if (env.config)
+                if (env.config) {
+                    // Store sensitive credentials as secrets
+                    env.config = await this.processStorageConfigSecrets(env.config, env.type, data.tag || tag, env.slug);
                     env.config = (0, processor_utils_1.encrypt)(JSON.stringify(env.config), this.product.private_key);
+                }
                 return env;
             }));
             const overwrite = [];
@@ -1339,21 +1552,56 @@ class ProductsBuilderService {
      * @param throwErrorIfExists Whether to throw error if vector config already exists
      */
     async createVector(data, throwErrorIfExists = false) {
+        var _a, _b, _c, _d;
+        console.log('[ProductsService.createVector] Starting vector creation:', {
+            tag: data.tag,
+            name: data.name,
+            type: data.type,
+            envsCount: (_a = data.envs) === null || _a === void 0 ? void 0 : _a.length,
+            productTag: (_b = this.product) === null || _b === void 0 ? void 0 : _b.tag,
+        });
         if (!(await this.fetchVector(data.tag))) {
             await validators_1.CreateProductVectorSchema.validateAsync(data);
             const processedEnvs = [];
             for (const env of data.envs) {
+                console.log('[ProductsService.createVector] Processing env:', {
+                    slug: env.slug,
+                    hasApiKey: !!env.apiKey,
+                    hasEndpoint: !!env.endpoint,
+                });
                 const exists = await this.fetchEnv(env.slug);
                 if (!exists) {
                     throw new Error(`Env ${env.slug} does not exist`);
                 }
-                // Encrypt API key if provided
+                // Store API key as secret and encrypt
                 if (env.apiKey) {
+                    console.log('[ProductsService.createVector] Converting API key to secret for env:', env.slug);
+                    const originalApiKey = env.apiKey;
+                    env.apiKey = await this.storeVectorApiKeyAsSecret(env.apiKey, data.tag, env.slug);
+                    console.log('[ProductsService.createVector] API key after secret conversion:', {
+                        wasConverted: originalApiKey !== env.apiKey,
+                        isSecretRef: (_c = env.apiKey) === null || _c === void 0 ? void 0 : _c.startsWith('$Secret{'),
+                    });
                     env.apiKey = (0, processor_utils_1.encrypt)(env.apiKey, this.product.private_key);
+                    console.log('[ProductsService.createVector] API key encrypted');
+                }
+                // Store endpoint as secret and encrypt
+                if (env.endpoint) {
+                    console.log('[ProductsService.createVector] Converting endpoint to secret for env:', env.slug);
+                    const originalEndpoint = env.endpoint;
+                    env.endpoint = await this.storeVectorEndpointAsSecret(env.endpoint, data.tag, env.slug);
+                    console.log('[ProductsService.createVector] Endpoint after secret conversion:', {
+                        wasConverted: originalEndpoint !== env.endpoint,
+                        isSecretRef: (_d = env.endpoint) === null || _d === void 0 ? void 0 : _d.startsWith('$Secret{'),
+                    });
+                    env.endpoint = (0, processor_utils_1.encrypt)(env.endpoint, this.product.private_key);
+                    console.log('[ProductsService.createVector] Endpoint encrypted');
                 }
                 processedEnvs.push(env);
+                console.log('[ProductsService.createVector] Env processed successfully:', env.slug);
             }
             data.envs = processedEnvs;
+            console.log('[ProductsService.createVector] All envs processed, total:', processedEnvs.length);
             const envs = await this.fetchEnvs();
             for (const env of envs) {
                 const exists = data.envs.findIndex((vecEnv) => vecEnv.slug === env.slug);
@@ -1374,26 +1622,66 @@ class ProductsBuilderService {
      * @param data Updated vector configuration
      */
     async updateVector(tag, data) {
+        var _a, _b;
+        console.log('[ProductsService.updateVector] Starting vector update:', {
+            tag,
+            newTag: data.tag,
+            name: data.name,
+            envsCount: (_a = data.envs) === null || _a === void 0 ? void 0 : _a.length,
+            productTag: (_b = this.product) === null || _b === void 0 ? void 0 : _b.tag,
+        });
         try {
             const vector = await this.fetchVector(tag);
             if (!vector) {
                 throw new Error(`Vector ${tag} not found`);
             }
             const { _id, envs } = vector;
+            console.log('[ProductsService.updateVector] Found existing vector:', {
+                _id,
+                existingEnvsCount: envs === null || envs === void 0 ? void 0 : envs.length,
+            });
             await validators_1.UpdateProductVectorSchema.validateAsync(data);
             if (data.tag && (await this.fetchVector(data.tag))) {
                 throw new Error(`tag ${data.tag} is in use`);
             }
             if (data.envs) {
+                console.log('[ProductsService.updateVector] Processing envs update');
                 data.envs = await Promise.all(data.envs.map(async (env) => {
+                    var _a, _b;
+                    console.log('[ProductsService.updateVector] Processing env:', {
+                        slug: env.slug,
+                        hasApiKey: !!env.apiKey,
+                        hasEndpoint: !!env.endpoint,
+                    });
                     const exists = await this.fetchEnv(env.slug);
                     if (!exists) {
                         throw new Error(`Env ${env.slug} does not exist`);
                     }
-                    // Encrypt API key if provided
+                    // Store API key as secret and encrypt
                     if (env.apiKey) {
+                        console.log('[ProductsService.updateVector] Converting API key to secret for env:', env.slug);
+                        const originalApiKey = env.apiKey;
+                        env.apiKey = await this.storeVectorApiKeyAsSecret(env.apiKey, data.tag || tag, env.slug);
+                        console.log('[ProductsService.updateVector] API key after secret conversion:', {
+                            wasConverted: originalApiKey !== env.apiKey,
+                            isSecretRef: (_a = env.apiKey) === null || _a === void 0 ? void 0 : _a.startsWith('$Secret{'),
+                        });
                         env.apiKey = (0, processor_utils_1.encrypt)(env.apiKey, this.product.private_key);
+                        console.log('[ProductsService.updateVector] API key encrypted');
                     }
+                    // Store endpoint as secret and encrypt
+                    if (env.endpoint) {
+                        console.log('[ProductsService.updateVector] Converting endpoint to secret for env:', env.slug);
+                        const originalEndpoint = env.endpoint;
+                        env.endpoint = await this.storeVectorEndpointAsSecret(env.endpoint, data.tag || tag, env.slug);
+                        console.log('[ProductsService.updateVector] Endpoint after secret conversion:', {
+                            wasConverted: originalEndpoint !== env.endpoint,
+                            isSecretRef: (_b = env.endpoint) === null || _b === void 0 ? void 0 : _b.startsWith('$Secret{'),
+                        });
+                        env.endpoint = (0, processor_utils_1.encrypt)(env.endpoint, this.product.private_key);
+                        console.log('[ProductsService.updateVector] Endpoint encrypted');
+                    }
+                    console.log('[ProductsService.updateVector] Env processed successfully:', env.slug);
                     return env;
                 }));
                 const overwrite = [];
@@ -1605,8 +1893,9 @@ class ProductsBuilderService {
                 if (!exists) {
                     throw new Error(`Env ${env.slug} does not exist`);
                 }
-                // Encrypt API key if provided
+                // Store API key as secret and encrypt
                 if (env.apiKey) {
+                    env.apiKey = await this.storeModelApiKeyAsSecret(env.apiKey, data.tag, env.slug);
                     env.apiKey = (0, processor_utils_1.encrypt)(env.apiKey, this.product.private_key);
                 }
                 processedEnvs.push(env);
@@ -1648,8 +1937,9 @@ class ProductsBuilderService {
                     if (!exists) {
                         throw new Error(`Env ${env.slug} does not exist`);
                     }
-                    // Encrypt API key if provided
+                    // Store API key as secret and encrypt
                     if (env.apiKey) {
+                        env.apiKey = await this.storeModelApiKeyAsSecret(env.apiKey, data.tag || tag, env.slug);
                         env.apiKey = (0, processor_utils_1.encrypt)(env.apiKey, this.product.private_key);
                     }
                     return env;
@@ -2104,17 +2394,19 @@ class ProductsBuilderService {
                     }
                 }
                 for (let i = 0; i < data.envs.length; i++) {
+                    // Process secrets for each notification handler
+                    const processedEnv = await this.processNotificationEnvSecrets(data.envs[i], data.tag, data.envs[i].slug);
                     const updates = {
-                        push_notifications: data.envs[i].push_notifications
-                            ? (0, processor_utils_1.encrypt)(JSON.stringify(data.envs[i].push_notifications), this.product.private_key)
+                        push_notifications: processedEnv.push_notifications
+                            ? (0, processor_utils_1.encrypt)(JSON.stringify(processedEnv.push_notifications), this.product.private_key)
                             : undefined,
-                        emails: data.envs[i].emails
-                            ? (0, processor_utils_1.encrypt)(JSON.stringify(data.envs[i].emails), this.product.private_key)
+                        emails: processedEnv.emails
+                            ? (0, processor_utils_1.encrypt)(JSON.stringify(processedEnv.emails), this.product.private_key)
                             : undefined,
-                        callbacks: data.envs[i].callbacks
-                            ? (0, processor_utils_1.encrypt)(JSON.stringify(data.envs[i].callbacks), this.product.private_key)
+                        callbacks: processedEnv.callbacks
+                            ? (0, processor_utils_1.encrypt)(JSON.stringify(processedEnv.callbacks), this.product.private_key)
                             : undefined,
-                        sms: data.envs[i].sms ? (0, processor_utils_1.encrypt)(JSON.stringify(data.envs[i].sms), this.product.private_key) : undefined,
+                        sms: processedEnv.sms ? (0, processor_utils_1.encrypt)(JSON.stringify(processedEnv.sms), this.product.private_key) : undefined,
                     };
                     data.envs[i] = Object.assign(Object.assign({}, data.envs[i]), updates);
                 }
@@ -2300,15 +2592,18 @@ class ProductsBuilderService {
                 data.envs = [...unchanged, ...overwrite, ...newEnvs];
             }
             const update = Object.assign(Object.assign({}, notification), data);
-            for (const env of update.envs) {
-                if (env.emails)
-                    env.emails = (0, processor_utils_1.encrypt)(JSON.stringify(env.emails), this.product.private_key);
-                if (env.push_notifications)
-                    env.push_notifications = (0, processor_utils_1.encrypt)(JSON.stringify(env.push_notifications), this.product.private_key);
-                if (env.callbacks)
-                    env.callbacks = (0, processor_utils_1.encrypt)(JSON.stringify(env.callbacks), this.product.private_key);
-                if (env.sms)
-                    env.sms = (0, processor_utils_1.encrypt)(JSON.stringify(env.sms), this.product.private_key);
+            for (let i = 0; i < update.envs.length; i++) {
+                const env = update.envs[i];
+                // Process secrets for each notification handler
+                const processedEnv = await this.processNotificationEnvSecrets(env, data.tag || tag, env.slug);
+                if (processedEnv.emails)
+                    update.envs[i].emails = (0, processor_utils_1.encrypt)(JSON.stringify(processedEnv.emails), this.product.private_key);
+                if (processedEnv.push_notifications)
+                    update.envs[i].push_notifications = (0, processor_utils_1.encrypt)(JSON.stringify(processedEnv.push_notifications), this.product.private_key);
+                if (processedEnv.callbacks)
+                    update.envs[i].callbacks = (0, processor_utils_1.encrypt)(JSON.stringify(processedEnv.callbacks), this.product.private_key);
+                if (processedEnv.sms)
+                    update.envs[i].sms = (0, processor_utils_1.encrypt)(JSON.stringify(processedEnv.sms), this.product.private_key);
             }
             const payload = Object.assign(Object.assign({ _id }, update), { component: enums_1.ProductComponents.NOTIFICATION, action: enums_1.RequestAction.UPDATE });
             await this.productApi.updateProduct(this.product_id, payload, this.getUserAccess());
@@ -3517,19 +3812,53 @@ class ProductsBuilderService {
     }
     // GRAPH CRUD METHODS
     async createGraph(data, throwErrorIfExists = false) {
+        var _a, _b, _c;
+        console.log('[ProductsService.createGraph] Starting graph creation:', {
+            tag: data.tag,
+            name: data.name,
+            type: data.type,
+            envsCount: (_a = data.envs) === null || _a === void 0 ? void 0 : _a.length,
+            productTag: (_b = this.product) === null || _b === void 0 ? void 0 : _b.tag,
+        });
         try {
             if (!(await this.fetchGraph(data.tag))) {
                 await validators_1.CreateProductGraphSchema.validateAsync(data);
                 const processedEnvs = [];
                 for (const env of data.envs) {
+                    console.log('[ProductsService.createGraph] Processing env:', {
+                        slug: env.slug,
+                        hasConnectionUrl: !!env.connection_url,
+                        hasUsername: !!env.username,
+                        hasPassword: !!env.password,
+                    });
                     const exists = await this.fetchEnv(env.slug);
                     if (!exists) {
                         throw new Error(`Env ${env.slug} does not exist`);
                     }
+                    // Store connection URL as secret
+                    console.log('[ProductsService.createGraph] Converting connection URL to secret for env:', env.slug);
+                    const originalUrl = env.connection_url;
+                    env.connection_url = await this.storeGraphConnectionUrlAsSecret(env.connection_url, data.tag, env.slug);
+                    console.log('[ProductsService.createGraph] Connection URL after secret conversion:', {
+                        wasConverted: originalUrl !== env.connection_url,
+                        isSecretRef: (_c = env.connection_url) === null || _c === void 0 ? void 0 : _c.startsWith('$Secret{'),
+                    });
                     env.connection_url = (0, processor_utils_1.encrypt)(env.connection_url, this.product.private_key);
+                    console.log('[ProductsService.createGraph] Connection URL encrypted');
+                    // Encrypt username and password if provided
+                    if (env.username) {
+                        console.log('[ProductsService.createGraph] Encrypting username for env:', env.slug);
+                        env.username = (0, processor_utils_1.encrypt)(env.username, this.product.private_key);
+                    }
+                    if (env.password) {
+                        console.log('[ProductsService.createGraph] Encrypting password for env:', env.slug);
+                        env.password = (0, processor_utils_1.encrypt)(env.password, this.product.private_key);
+                    }
                     processedEnvs.push(env);
+                    console.log('[ProductsService.createGraph] Env processed successfully:', env.slug);
                 }
                 data.envs = processedEnvs;
+                console.log('[ProductsService.createGraph] All envs processed, total:', processedEnvs.length);
                 const envs = await this.fetchEnvs();
                 for (const env of envs) {
                     const exists = data.envs.findIndex((graphEnv) => graphEnv.slug === env.slug);
@@ -3549,24 +3878,64 @@ class ProductsBuilderService {
         }
     }
     async updateGraph(tag, data) {
+        var _a, _b;
+        console.log('[ProductsService.updateGraph] Starting graph update:', {
+            tag,
+            newTag: data.tag,
+            name: data.name,
+            type: data.type,
+            envsCount: (_a = data.envs) === null || _a === void 0 ? void 0 : _a.length,
+            productTag: (_b = this.product) === null || _b === void 0 ? void 0 : _b.tag,
+        });
         try {
             const graph = await this.fetchGraph(tag);
             if (!graph) {
                 throw new Error(`Graph ${tag} not found`);
             }
             const { _id, envs } = graph;
+            console.log('[ProductsService.updateGraph] Found existing graph:', {
+                _id,
+                existingEnvsCount: envs === null || envs === void 0 ? void 0 : envs.length,
+            });
             await validators_1.UpdateProductGraphSchema.validateAsync(data);
             if (data.tag && this.fetchGraph(data.tag)) {
                 throw new Error(`tag ${tag} is in use`);
             }
+            console.log('[ProductsService.updateGraph] Processing envs update');
             data.envs = await Promise.all(data.envs.map(async (env) => {
+                var _a;
+                console.log('[ProductsService.updateGraph] Processing env:', {
+                    slug: env.slug,
+                    hasConnectionUrl: !!env.connection_url,
+                    hasUsername: !!env.username,
+                    hasPassword: !!env.password,
+                });
                 const exists = await this.fetchEnv(env.slug);
                 if (!exists) {
                     throw new Error(`Env ${env.slug} does not exist`);
                 }
                 if (env.connection_url) {
+                    // Store connection URL as secret
+                    console.log('[ProductsService.updateGraph] Converting connection URL to secret for env:', env.slug);
+                    const originalUrl = env.connection_url;
+                    env.connection_url = await this.storeGraphConnectionUrlAsSecret(env.connection_url, data.tag || tag, env.slug);
+                    console.log('[ProductsService.updateGraph] Connection URL after secret conversion:', {
+                        wasConverted: originalUrl !== env.connection_url,
+                        isSecretRef: (_a = env.connection_url) === null || _a === void 0 ? void 0 : _a.startsWith('$Secret{'),
+                    });
                     env.connection_url = (0, processor_utils_1.encrypt)(env.connection_url, this.product.private_key);
+                    console.log('[ProductsService.updateGraph] Connection URL encrypted');
+                }
+                // Encrypt username and password if provided
+                if (env.username) {
+                    console.log('[ProductsService.updateGraph] Encrypting username for env:', env.slug);
+                    env.username = (0, processor_utils_1.encrypt)(env.username, this.product.private_key);
                 }
+                if (env.password) {
+                    console.log('[ProductsService.updateGraph] Encrypting password for env:', env.slug);
+                    env.password = (0, processor_utils_1.encrypt)(env.password, this.product.private_key);
+                }
+                console.log('[ProductsService.updateGraph] Env processed successfully:', env.slug);
                 return env;
             }));
             const overwrite = [];
@@ -4270,11 +4639,599 @@ class ProductsBuilderService {
             workspace_id: this.workspace_id,
             token: this.token,
             public_key: this.public_key,
+            access_key: this.access_key,
         };
     }
     async fetchSessionUser(ductape_user_id) {
         return await this.productApi.fetchProductSessionUser(ductape_user_id, this.getUserAccess());
     }
+    /**
+     * Process storage config to store sensitive credentials as secrets
+     * Format: STORAGE_{PRODUCT}_{STORAGE_TAG}_{ENV}_{KEY}
+     *
+     * Product parsing: split by ":", select first element
+     * Storage tag: replace "-" with "_"
+     */
+    async processStorageConfigSecrets(config, providerType, storageTag, envSlug) {
+        console.log(`[Storage Secrets] Processing secrets for storage: ${storageTag}, env: ${envSlug}, provider: ${providerType}`);
+        const secretsService = (0, secrets_1.getSecretsService)();
+        if (!secretsService) {
+            console.log(`[Storage Secrets] No secrets service available, skipping secret storage`);
+            return config;
+        }
+        const generateSecretKey = (keyName) => {
+            const sanitize = (str) => str.toUpperCase().replace(/[^A-Z0-9]/g, '_');
+            const productParts = this.product.tag.split(':');
+            const productKey = productParts[1] || productParts[0]; // Use product name (index 1), fallback to index 0
+            const storageKey = storageTag.replace(/-/g, '_');
+            const key = `STORAGE_${sanitize(productKey)}_${sanitize(storageKey)}_${sanitize(envSlug)}_${sanitize(keyName)}`;
+            console.log(`[Storage Secrets] Generated secret key: ${key}`);
+            return key;
+        };
+        const storeAsSecret = async (value, keyName) => {
+            const secretCheck = (0, secrets_1.isSecretReference)(value);
+            if (secretCheck.isSecret) {
+                console.log(`[Storage Secrets] ${keyName} is already a secret reference, skipping`);
+                return value; // Already a secret reference
+            }
+            const secretKey = generateSecretKey(keyName);
+            try {
+                const exists = await secretsService.exists(secretKey);
+                if (exists) {
+                    console.log(`[Storage Secrets] Updating existing secret: ${secretKey}`);
+                    await secretsService.update(secretKey, { value });
+                }
+                else {
+                    console.log(`[Storage Secrets] Creating new secret: ${secretKey}`);
+                    await secretsService.create({
+                        key: secretKey,
+                        value,
+                        description: `Storage ${keyName} for ${storageTag} in ${envSlug}`,
+                        scope: [this.product.tag, storageTag],
+                        envs: [envSlug],
+                    });
+                }
+                console.log(`[Storage Secrets] Successfully stored ${keyName} as secret: $Secret{${secretKey}}`);
+                return `$Secret{${secretKey}}`;
+            }
+            catch (error) {
+                console.warn(`[Storage Secrets] Failed to store storage credential as secret: ${error}`);
+                return value;
+            }
+        };
+        if (providerType === productsBuilder_types_1.StorageProviders.AWS) {
+            console.log(`[Storage Secrets] Processing AWS S3 credentials`);
+            const awsConfig = config;
+            const result = Object.assign(Object.assign({}, awsConfig), { accessKeyId: await storeAsSecret(awsConfig.accessKeyId, 'ACCESS_KEY_ID'), secretAccessKey: await storeAsSecret(awsConfig.secretAccessKey, 'SECRET_ACCESS_KEY') });
+            console.log(`[Storage Secrets] AWS S3 config processed successfully`);
+            return result;
+        }
+        else if (providerType === productsBuilder_types_1.StorageProviders.GCP) {
+            console.log(`[Storage Secrets] Processing GCP credentials`);
+            const gcpConfig = config;
+            if (gcpConfig.config) {
+                const processedConfig = Object.assign({}, gcpConfig.config);
+                // Store private_key_id as secret
+                if (processedConfig.private_key_id) {
+                    processedConfig.private_key_id = await storeAsSecret(processedConfig.private_key_id, 'PRIVATE_KEY_ID');
+                }
+                // Store private_key as secret
+                if (processedConfig.private_key) {
+                    processedConfig.private_key = await storeAsSecret(processedConfig.private_key, 'PRIVATE_KEY');
+                }
+                // Store client_email as secret
+                if (processedConfig.client_email) {
+                    processedConfig.client_email = await storeAsSecret(processedConfig.client_email, 'CLIENT_EMAIL');
+                }
+                // Store client_id as secret
+                if (processedConfig.client_id) {
+                    processedConfig.client_id = await storeAsSecret(processedConfig.client_id, 'CLIENT_ID');
+                }
+                const result = Object.assign(Object.assign({}, gcpConfig), { config: processedConfig });
+                console.log(`[Storage Secrets] GCP config processed successfully`);
+                console.log(`[Storage Secrets] Converted GCP config:`, JSON.stringify(result, null, 2));
+                return result;
+            }
+            console.log(`[Storage Secrets] GCP config has no nested config, skipping`);
+            return gcpConfig;
+        }
+        else if (providerType === productsBuilder_types_1.StorageProviders.AZURE) {
+            console.log(`[Storage Secrets] Processing Azure Blob credentials`);
+            const azureConfig = config;
+            const result = Object.assign(Object.assign({}, azureConfig), { connectionString: await storeAsSecret(azureConfig.connectionString, 'CONNECTION_STRING') });
+            console.log(`[Storage Secrets] Azure Blob config processed successfully`);
+            return result;
+        }
+        console.log(`[Storage Secrets] Unknown provider type: ${providerType}, returning config as-is`);
+        return config;
+    }
+    /**
+     * Process message broker config to store sensitive credentials as secrets
+     * Format: BROKER_{PRODUCT}_{BROKER_TAG}_{ENV}_{KEY}
+     *
+     * Product parsing: split by ":", select first element
+     * Broker tag: replace "-" with "_"
+     */
+    async processMessageBrokerConfigSecrets(config, brokerType, brokerTag, envSlug) {
+        var _a, _b, _c, _d, _e, _f, _g;
+        const logPrefix = '[MessageBroker:Secrets]';
+        console.log(`${logPrefix} Processing secrets for broker: ${brokerTag}, env: ${envSlug}, type: ${brokerType}`);
+        const secretsService = (0, secrets_1.getSecretsService)();
+        if (!secretsService) {
+            console.log(`${logPrefix} No secrets service available, skipping secret storage`);
+            return config;
+        }
+        console.log(`${logPrefix} Secrets service available`);
+        const generateSecretKey = (keyName) => {
+            const sanitize = (str) => str.toUpperCase().replace(/[^A-Z0-9]/g, '_');
+            const productParts = this.product.tag.split(':');
+            const productKey = productParts[1] || productParts[0];
+            const brokerKey = brokerTag.replace(/-/g, '_');
+            const key = `BROKER_${sanitize(productKey)}_${sanitize(brokerKey)}_${sanitize(envSlug)}_${sanitize(keyName)}`;
+            console.log(`${logPrefix} Generated secret key: ${key}`);
+            return key;
+        };
+        const storeAsSecret = async (value, keyName) => {
+            console.log(`${logPrefix} Processing field: ${keyName}`);
+            if (!value) {
+                console.log(`${logPrefix} Field ${keyName} is empty, skipping`);
+                return value;
+            }
+            const secretCheck = (0, secrets_1.isSecretReference)(value);
+            if (secretCheck.isSecret) {
+                console.log(`${logPrefix} Field ${keyName} is already a secret reference: ${value}`);
+                return value;
+            }
+            const secretKey = generateSecretKey(keyName);
+            console.log(`${logPrefix} Storing ${keyName} as secret with key: ${secretKey}`);
+            try {
+                const exists = await secretsService.exists(secretKey);
+                console.log(`${logPrefix} Secret ${secretKey} exists: ${exists}`);
+                if (exists) {
+                    console.log(`${logPrefix} Updating existing secret: ${secretKey}`);
+                    await secretsService.update(secretKey, { value });
+                    console.log(`${logPrefix} Secret ${secretKey} updated successfully`);
+                }
+                else {
+                    console.log(`${logPrefix} Creating new secret: ${secretKey}`);
+                    await secretsService.create({
+                        key: secretKey,
+                        value,
+                        description: `Message broker ${keyName} for ${brokerTag} in ${envSlug}`,
+                        scope: [this.product.tag, brokerTag],
+                        envs: [envSlug],
+                    });
+                    console.log(`${logPrefix} Secret ${secretKey} created successfully`);
+                }
+                const secretRef = `$Secret{${secretKey}}`;
+                console.log(`${logPrefix} Field ${keyName} converted to secret reference: ${secretRef}`);
+                return secretRef;
+            }
+            catch (error) {
+                console.error(`${logPrefix} Failed to store ${keyName} as secret:`, error);
+                console.warn(`${logPrefix} Returning original value for ${keyName}`);
+                return value;
+            }
+        };
+        // Handle different broker types - config is passed directly without wrapper
+        console.log(`${logPrefix} Processing broker type: ${brokerType}`);
+        if (brokerType === productsBuilder_types_1.MessageBrokerTypes.REDIS) {
+            console.log(`${logPrefix} Redis config detected`);
+            console.log(`${logPrefix} Redis fields - host: ${config.host}, port: ${config.port}, password: ${config.password ? '[SET]' : '[NOT SET]'}`);
+            if (config.password) {
+                config.password = await storeAsSecret(config.password, 'PASSWORD');
+            }
+        }
+        else if (brokerType === productsBuilder_types_1.MessageBrokerTypes.RABBITMQ) {
+            console.log(`${logPrefix} RabbitMQ config detected`);
+            console.log(`${logPrefix} RabbitMQ fields - url: ${config.url ? '[SET]' : '[NOT SET]'}`);
+            if (config.url) {
+                config.url = await storeAsSecret(config.url, 'URL');
+            }
+        }
+        else if (brokerType === productsBuilder_types_1.MessageBrokerTypes.KAFKA) {
+            console.log(`${logPrefix} Kafka config detected`);
+            console.log(`${logPrefix} Kafka fields - brokers: ${(_a = config.brokers) === null || _a === void 0 ? void 0 : _a.join(', ')}, clientId: ${config.clientId}, ssl: ${config.ssl}`);
+            console.log(`${logPrefix} Kafka SASL - mechanism: ${((_b = config.sasl) === null || _b === void 0 ? void 0 : _b.mechanism) || 'N/A'}, username: ${((_c = config.sasl) === null || _c === void 0 ? void 0 : _c.username) ? '[SET]' : '[NOT SET]'}, password: ${((_d = config.sasl) === null || _d === void 0 ? void 0 : _d.password) ? '[SET]' : '[NOT SET]'}`);
+            if ((_e = config.sasl) === null || _e === void 0 ? void 0 : _e.username) {
+                config.sasl.username = await storeAsSecret(config.sasl.username, 'SASL_USERNAME');
+            }
+            if ((_f = config.sasl) === null || _f === void 0 ? void 0 : _f.password) {
+                config.sasl.password = await storeAsSecret(config.sasl.password, 'SASL_PASSWORD');
+            }
+        }
+        else if (brokerType === productsBuilder_types_1.MessageBrokerTypes.AWS_SQS) {
+            console.log(`${logPrefix} AWS SQS config detected`);
+            console.log(`${logPrefix} AWS SQS fields - region: ${config.region}, accessKeyId: ${config.accessKeyId ? '[SET]' : '[NOT SET]'}, secretAccessKey: ${config.secretAccessKey ? '[SET]' : '[NOT SET]'}`);
+            if (config.accessKeyId) {
+                config.accessKeyId = await storeAsSecret(config.accessKeyId, 'ACCESS_KEY_ID');
+            }
+            if (config.secretAccessKey) {
+                config.secretAccessKey = await storeAsSecret(config.secretAccessKey, 'SECRET_ACCESS_KEY');
+            }
+        }
+        else if (brokerType === productsBuilder_types_1.MessageBrokerTypes.NATS) {
+            console.log(`${logPrefix} NATS config detected`);
+            console.log(`${logPrefix} NATS fields - servers: ${(_g = config.servers) === null || _g === void 0 ? void 0 : _g.join(', ')}, token: ${config.token ? '[SET]' : '[NOT SET]'}, user: ${config.user ? '[SET]' : '[NOT SET]'}, pass: ${config.pass ? '[SET]' : '[NOT SET]'}, tls: ${config.tls}`);
+            if (config.token) {
+                config.token = await storeAsSecret(config.token, 'TOKEN');
+            }
+            if (config.user) {
+                config.user = await storeAsSecret(config.user, 'USER');
+            }
+            if (config.pass) {
+                config.pass = await storeAsSecret(config.pass, 'PASSWORD');
+            }
+        }
+        else if (brokerType === productsBuilder_types_1.MessageBrokerTypes.GOOGLE_PUBSUB) {
+            console.log(`${logPrefix} Google Pub/Sub config detected`);
+            console.log(`${logPrefix} Google Pub/Sub fields - projectId: ${config.projectId}, credentials: ${config.credentials ? '[SET]' : '[NOT SET]'}`);
+            if (config.credentials) {
+                console.log(`${logPrefix} Google Pub/Sub credentials - type: ${config.credentials.type}, project_id: ${config.credentials.project_id}`);
+                console.log(`${logPrefix} Google Pub/Sub credentials - private_key_id: ${config.credentials.private_key_id ? '[SET]' : '[NOT SET]'}, private_key: ${config.credentials.private_key ? '[SET]' : '[NOT SET]'}`);
+                console.log(`${logPrefix} Google Pub/Sub credentials - client_email: ${config.credentials.client_email ? '[SET]' : '[NOT SET]'}, client_id: ${config.credentials.client_id ? '[SET]' : '[NOT SET]'}`);
+                if (config.credentials.private_key_id) {
+                    config.credentials.private_key_id = await storeAsSecret(config.credentials.private_key_id, 'PRIVATE_KEY_ID');
+                }
+                if (config.credentials.private_key) {
+                    config.credentials.private_key = await storeAsSecret(config.credentials.private_key, 'PRIVATE_KEY');
+                }
+                if (config.credentials.client_email) {
+                    config.credentials.client_email = await storeAsSecret(config.credentials.client_email, 'CLIENT_EMAIL');
+                }
+                if (config.credentials.client_id) {
+                    config.credentials.client_id = await storeAsSecret(config.credentials.client_id, 'CLIENT_ID');
+                }
+            }
+        }
+        else {
+            console.log(`${logPrefix} Unknown broker type: ${brokerType}, no secrets processing`);
+        }
+        console.log(`${logPrefix} Secrets processing completed for ${brokerTag}:${envSlug}`);
+        return config;
+    }
+    /**
+     * Process notification environment config to store sensitive credentials as secrets
+     * Format: NOTIFIER_{PRODUCT}_{NOTIFIER_TAG}_{ENV}_{KEY}
+     *
+     * Product parsing: split by ":", select first element
+     * Notifier tag: replace "-" with "_"
+     */
+    async processNotificationEnvSecrets(env, notifierTag, envSlug) {
+        var _a, _b;
+        const secretsService = (0, secrets_1.getSecretsService)();
+        if (!secretsService) {
+            return env;
+        }
+        const generateSecretKey = (keyName) => {
+            const sanitize = (str) => str.toUpperCase().replace(/[^A-Z0-9]/g, '_');
+            const productParts = this.product.tag.split(':');
+            const productKey = productParts[1] || productParts[0]; // Use product name (index 1), fallback to index 0
+            const notifierKey = notifierTag.replace(/-/g, '_');
+            return `NOTIFIER_${sanitize(productKey)}_${sanitize(notifierKey)}_${sanitize(envSlug)}_${sanitize(keyName)}`;
+        };
+        const storeAsSecret = async (value, keyName) => {
+            if (!value)
+                return value;
+            const secretCheck = (0, secrets_1.isSecretReference)(value);
+            if (secretCheck.isSecret) {
+                return value; // Already a secret reference
+            }
+            const secretKey = generateSecretKey(keyName);
+            try {
+                const exists = await secretsService.exists(secretKey);
+                if (exists) {
+                    await secretsService.update(secretKey, { value });
+                }
+                else {
+                    await secretsService.create({
+                        key: secretKey,
+                        value,
+                        description: `Notification ${keyName} for ${notifierTag} in ${envSlug}`,
+                        scope: [this.product.tag, notifierTag],
+                        envs: [envSlug],
+                    });
+                }
+                return `$Secret{${secretKey}}`;
+            }
+            catch (error) {
+                console.warn(`Failed to store notification credential as secret: ${error}`);
+                return value;
+            }
+        };
+        const result = Object.assign({}, env);
+        // Process email handler
+        if ((_a = result.emails) === null || _a === void 0 ? void 0 : _a.auth) {
+            result.emails = Object.assign(Object.assign({}, result.emails), { auth: Object.assign(Object.assign({}, result.emails.auth), { pass: await storeAsSecret(result.emails.auth.pass, 'EMAIL_PASSWORD') }) });
+        }
+        // Process SMS handler
+        if (result.sms) {
+            const smsUpdates = {};
+            if (result.sms.authToken) {
+                smsUpdates.authToken = await storeAsSecret(result.sms.authToken, 'SMS_AUTH_TOKEN');
+            }
+            if (result.sms.apiSecret) {
+                smsUpdates.apiSecret = await storeAsSecret(result.sms.apiSecret, 'SMS_API_SECRET');
+            }
+            if (result.sms.apiKey) {
+                smsUpdates.apiKey = await storeAsSecret(result.sms.apiKey, 'SMS_API_KEY');
+            }
+            if (result.sms.accountSid) {
+                smsUpdates.accountSid = await storeAsSecret(result.sms.accountSid, 'SMS_ACCOUNT_SID');
+            }
+            result.sms = Object.assign(Object.assign({}, result.sms), smsUpdates);
+        }
+        // Process push notifications handler (Firebase credentials)
+        if ((_b = result.push_notifications) === null || _b === void 0 ? void 0 : _b.credentials) {
+            const creds = result.push_notifications.credentials;
+            if (creds.private_key) {
+                result.push_notifications = Object.assign(Object.assign({}, result.push_notifications), { credentials: Object.assign(Object.assign({}, creds), { private_key: await storeAsSecret(creds.private_key, 'PUSH_PRIVATE_KEY') }) });
+            }
+        }
+        return result;
+    }
+    /**
+     * Store graph connection URL as a secret
+     * Format: GRAPH_{PRODUCT}_{GRAPH_TAG}_{ENV}_URL
+     */
+    async storeGraphConnectionUrlAsSecret(connectionUrl, graphTag, envSlug) {
+        var _a;
+        console.log('[ProductsService.storeGraphConnectionUrlAsSecret] Starting secret conversion:', {
+            graphTag,
+            envSlug,
+            hasConnectionUrl: !!connectionUrl,
+            connectionUrlLength: connectionUrl === null || connectionUrl === void 0 ? void 0 : connectionUrl.length,
+            productTag: (_a = this.product) === null || _a === void 0 ? void 0 : _a.tag,
+        });
+        const secretsService = (0, secrets_1.getSecretsService)();
+        if (!secretsService) {
+            console.log('[ProductsService.storeGraphConnectionUrlAsSecret] No secrets service available, returning original value');
+            return connectionUrl;
+        }
+        console.log('[ProductsService.storeGraphConnectionUrlAsSecret] Secrets service is available');
+        const secretCheck = (0, secrets_1.isSecretReference)(connectionUrl);
+        console.log('[ProductsService.storeGraphConnectionUrlAsSecret] Secret reference check:', {
+            isSecret: secretCheck.isSecret,
+            secretKey: secretCheck.isSecret ? secretCheck.key : null,
+        });
+        if (secretCheck.isSecret) {
+            console.log('[ProductsService.storeGraphConnectionUrlAsSecret] Value is already a secret reference, returning as-is');
+            return connectionUrl;
+        }
+        const sanitize = (str) => str.toUpperCase().replace(/[^A-Z0-9]/g, '_');
+        const productParts = this.product.tag.split(':');
+        const productKey = productParts[1] || productParts[0]; // Use product name (index 1), fallback to index 0
+        const graphKey = graphTag.replace(/-/g, '_');
+        const secretKey = `GRAPH_${sanitize(productKey)}_${sanitize(graphKey)}_${sanitize(envSlug)}_URL`;
+        console.log('[ProductsService.storeGraphConnectionUrlAsSecret] Generated secret key:', {
+            secretKey,
+            productParts,
+            productKey,
+            graphKey,
+        });
+        try {
+            const exists = await secretsService.exists(secretKey);
+            console.log('[ProductsService.storeGraphConnectionUrlAsSecret] Secret exists check:', { secretKey, exists });
+            if (exists) {
+                console.log('[ProductsService.storeGraphConnectionUrlAsSecret] Updating existing secret:', secretKey);
+                await secretsService.update(secretKey, { value: connectionUrl });
+                console.log('[ProductsService.storeGraphConnectionUrlAsSecret] Secret updated successfully');
+            }
+            else {
+                console.log('[ProductsService.storeGraphConnectionUrlAsSecret] Creating new secret:', {
+                    secretKey,
+                    description: `Graph connection URL for ${graphTag} in ${envSlug}`,
+                    scope: [this.product.tag, graphTag],
+                    envs: [envSlug],
+                });
+                await secretsService.create({
+                    key: secretKey,
+                    value: connectionUrl,
+                    description: `Graph connection URL for ${graphTag} in ${envSlug}`,
+                    scope: [this.product.tag, graphTag],
+                    envs: [envSlug],
+                });
+                console.log('[ProductsService.storeGraphConnectionUrlAsSecret] Secret created successfully');
+            }
+            const secretRef = `$Secret{${secretKey}}`;
+            console.log('[ProductsService.storeGraphConnectionUrlAsSecret] Returning secret reference:', secretRef);
+            return secretRef;
+        }
+        catch (error) {
+            console.error('[ProductsService.storeGraphConnectionUrlAsSecret] Failed to store secret:', {
+                secretKey,
+                error: error instanceof Error ? error.message : String(error),
+                stack: error instanceof Error ? error.stack : undefined,
+            });
+            return connectionUrl;
+        }
+    }
+    /**
+     * Generate a secret key for vector configuration field
+     * Format: VECTOR_{PRODUCT}_{ASSET_TAG}_{ENV}_{KEY}
+     *
+     * Where:
+     * - PRODUCT = productTag.split('.')[1] (second part after workspace)
+     * - ASSET_TAG = if vectorTag starts with same workspace prefix, use second part; otherwise sanitize full tag
+     * - All parts are automatically capitalized
+     */
+    generateVectorSecretKey(vectorTag, envSlug, field) {
+        var _a;
+        console.log('[ProductsService.generateVectorSecretKey] Generating secret key:', {
+            vectorTag,
+            envSlug,
+            field,
+            productTag: (_a = this.product) === null || _a === void 0 ? void 0 : _a.tag,
+        });
+        const sanitize = (str) => str.toUpperCase().replace(/[^A-Z0-9]/g, '_');
+        // Support both ':' and '.' delimiters for product tags (e.g., 'ductape:rematch' or 'ductape.rematch')
+        const productParts = this.product.tag.includes(':')
+            ? this.product.tag.split(':')
+            : this.product.tag.split('.');
+        const product = productParts[1] || productParts[0]; // Use product name (index 1), fallback to index 0
+        const workspace = productParts[0];
+        console.log('[ProductsService.generateVectorSecretKey] Product parsing:', {
+            productParts,
+            product,
+            workspace,
+        });
+        // Support both ':' and '.' delimiters for vector tags
+        const vectorParts = vectorTag.includes(':') ? vectorTag.split(':') : vectorTag.split('.');
+        let assetTag;
+        if (vectorParts.length > 1 && vectorParts[0] === workspace) {
+            // Same workspace prefix, use second part
+            assetTag = vectorParts[1];
+            console.log('[ProductsService.generateVectorSecretKey] Using second part of vectorTag:', assetTag);
+        }
+        else {
+            // Different or no prefix, use full tag
+            assetTag = vectorTag;
+            console.log('[ProductsService.generateVectorSecretKey] Using full vectorTag:', assetTag);
+        }
+        const secretKey = `VECTOR_${sanitize(product)}_${sanitize(assetTag)}_${sanitize(envSlug)}_${sanitize(field)}`;
+        console.log('[ProductsService.generateVectorSecretKey] Generated secret key:', secretKey);
+        return secretKey;
+    }
+    /**
+     * Store a vector field value as a secret if it exists and is not already a secret reference
+     * @returns The secret reference if stored, or the original value
+     */
+    async storeVectorFieldAsSecret(value, vectorTag, envSlug, fieldName, description) {
+        var _a;
+        console.log('[ProductsService.storeVectorFieldAsSecret] Starting secret conversion:', {
+            vectorTag,
+            envSlug,
+            fieldName,
+            hasValue: !!value,
+            valueLength: value === null || value === void 0 ? void 0 : value.length,
+            productTag: (_a = this.product) === null || _a === void 0 ? void 0 : _a.tag,
+        });
+        if (!value) {
+            console.log('[ProductsService.storeVectorFieldAsSecret] No value provided, returning undefined');
+            return undefined;
+        }
+        const secretsService = (0, secrets_1.getSecretsService)();
+        if (!secretsService) {
+            console.log('[ProductsService.storeVectorFieldAsSecret] No secrets service available, returning original value');
+            return value;
+        }
+        console.log('[ProductsService.storeVectorFieldAsSecret] Secrets service is available');
+        const secretCheck = (0, secrets_1.isSecretReference)(value);
+        console.log('[ProductsService.storeVectorFieldAsSecret] Secret reference check:', {
+            isSecret: secretCheck.isSecret,
+            secretKey: secretCheck.isSecret ? secretCheck.key : null,
+        });
+        if (secretCheck.isSecret) {
+            console.log('[ProductsService.storeVectorFieldAsSecret] Value is already a secret reference, returning as-is');
+            return value;
+        }
+        const secretKey = this.generateVectorSecretKey(vectorTag, envSlug, fieldName);
+        console.log('[ProductsService.storeVectorFieldAsSecret] Generated secret key:', secretKey);
+        try {
+            const exists = await secretsService.exists(secretKey);
+            console.log('[ProductsService.storeVectorFieldAsSecret] Secret exists check:', { secretKey, exists });
+            if (exists) {
+                console.log('[ProductsService.storeVectorFieldAsSecret] Updating existing secret:', secretKey);
+                await secretsService.update(secretKey, { value });
+                console.log('[ProductsService.storeVectorFieldAsSecret] Secret updated successfully');
+            }
+            else {
+                console.log('[ProductsService.storeVectorFieldAsSecret] Creating new secret:', {
+                    secretKey,
+                    description,
+                    scope: [this.product.tag, vectorTag],
+                    envs: [envSlug],
+                });
+                await secretsService.create({
+                    key: secretKey,
+                    value,
+                    description,
+                    scope: [this.product.tag, vectorTag],
+                    envs: [envSlug],
+                });
+                console.log('[ProductsService.storeVectorFieldAsSecret] Secret created successfully');
+            }
+            const secretRef = `$Secret{${secretKey}}`;
+            console.log('[ProductsService.storeVectorFieldAsSecret] Returning secret reference:', secretRef);
+            return secretRef;
+        }
+        catch (error) {
+            console.error('[ProductsService.storeVectorFieldAsSecret] Failed to store secret:', {
+                secretKey,
+                fieldName,
+                error: error instanceof Error ? error.message : String(error),
+                stack: error instanceof Error ? error.stack : undefined,
+            });
+            return value;
+        }
+    }
+    async storeVectorApiKeyAsSecret(apiKey, vectorTag, envSlug) {
+        console.log('[ProductsService.storeVectorApiKeyAsSecret] Storing API key as secret:', {
+            vectorTag,
+            envSlug,
+            hasApiKey: !!apiKey,
+            apiKeyLength: apiKey === null || apiKey === void 0 ? void 0 : apiKey.length,
+        });
+        const result = await this.storeVectorFieldAsSecret(apiKey, vectorTag, envSlug, 'API_KEY', `Vector API key for ${vectorTag} in ${envSlug}`);
+        console.log('[ProductsService.storeVectorApiKeyAsSecret] Result:', {
+            hasResult: !!result,
+            isSecretRef: result === null || result === void 0 ? void 0 : result.startsWith('$Secret{'),
+        });
+        return result || apiKey;
+    }
+    async storeVectorEndpointAsSecret(endpoint, vectorTag, envSlug) {
+        console.log('[ProductsService.storeVectorEndpointAsSecret] Storing endpoint as secret:', {
+            vectorTag,
+            envSlug,
+            hasEndpoint: !!endpoint,
+            endpointLength: endpoint === null || endpoint === void 0 ? void 0 : endpoint.length,
+        });
+        const result = await this.storeVectorFieldAsSecret(endpoint, vectorTag, envSlug, 'ENDPOINT', `Vector endpoint for ${vectorTag} in ${envSlug}`);
+        console.log('[ProductsService.storeVectorEndpointAsSecret] Result:', {
+            hasResult: !!result,
+            isSecretRef: result === null || result === void 0 ? void 0 : result.startsWith('$Secret{'),
+        });
+        return result || endpoint;
+    }
+    /**
+     * Store LLM model API key as a secret
+     * Format: MODEL_{PRODUCT}_{MODEL_TAG}_{ENV}_API_KEY
+     */
+    async storeModelApiKeyAsSecret(apiKey, modelTag, envSlug) {
+        const secretsService = (0, secrets_1.getSecretsService)();
+        if (!secretsService) {
+            return apiKey;
+        }
+        const secretCheck = (0, secrets_1.isSecretReference)(apiKey);
+        if (secretCheck.isSecret) {
+            return apiKey;
+        }
+        const sanitize = (str) => str.toUpperCase().replace(/[^A-Z0-9]/g, '_');
+        const productParts = this.product.tag.split(':');
+        const productKey = productParts[1] || productParts[0]; // Use product name (index 1), fallback to index 0
+        const modelKey = modelTag.replace(/-/g, '_');
+        const secretKey = `MODEL_${sanitize(productKey)}_${sanitize(modelKey)}_${sanitize(envSlug)}_API_KEY`;
+        try {
+            const exists = await secretsService.exists(secretKey);
+            if (exists) {
+                await secretsService.update(secretKey, { value: apiKey });
+            }
+            else {
+                await secretsService.create({
+                    key: secretKey,
+                    value: apiKey,
+                    description: `LLM model API key for ${modelTag} in ${envSlug}`,
+                    scope: [this.product.tag, modelTag],
+                    envs: [envSlug],
+                });
+            }
+            return `$Secret{${secretKey}}`;
+        }
+        catch (error) {
+            console.warn(`Failed to store model API key as secret: ${error}`);
+            return apiKey;
+        }
+    }
 }
 exports.default = ProductsBuilderService;
 //# sourceMappingURL=products.service.js.map