@replayio/app-building 1.10.0 → 1.12.0

package/README.md

@@ -114,6 +114,35 @@ await destroyMachine(config.flyApp, config.flyToken, machineId, volumeId);
 
 **Types:** `FlyMachineInfo`, `FlyVolumeInfo`, `CreateMachineResult`
 
+### Secrets (Infisical)
+
+| Export | Description |
+|---|---|
+| `getInfisicalConfig(envVars)` | Extract `InfisicalConfig` from env vars. Returns `null` if any required var is missing (enables fallback to raw `.env`). |
+| `resolveContainerSecrets(config)` | Fetch global build secrets from Infisical and merge with Infisical config vars. Returns a `Record<string, string>` suitable for `ContainerConfig.envVars`. |
+| `fetchGlobalSecrets(config)` | Fetch secrets from the `/global/` path. |
+| `fetchBranchSecrets(config, branch)` | Fetch secrets from `/branches/<branch>/`. |
+| `fetchInfisicalSecrets(config, path)` | Raw fetch from any Infisical folder path. |
+
+**Types:** `InfisicalConfig`
+
+**Usage pattern** (orchestration scripts):
+
+```ts
+const orchestrationVars = loadDotEnv(projectRoot);
+const infisicalConfig = getInfisicalConfig(orchestrationVars);
+const containerSecrets = infisicalConfig
+  ? await resolveContainerSecrets(infisicalConfig)
+  : orchestrationVars; // fallback for local dev without Infisical
+
+const config: ContainerConfig = {
+  envVars: containerSecrets,
+  flyToken: orchestrationVars.FLY_API_TOKEN,
+  flyApp: orchestrationVars.FLY_APP_NAME,
+  ...
+};
+```
+
 ### Image ref
 
 | Export | Description |
@@ -188,8 +217,8 @@ Every POST body has this shape:
 | `message.started` | Message processing begins | `iteration`, `prompt` |
 | `message.done` | Message processing complete | `messageId`, `cost_usd`, `duration_ms`, `num_turns` |
 | `message.error` | Message processing failed | `messageId`, `error` |
-| `task.started` | Task processing begins | `iteration`, `skill`, `subtasks` |
-| `task.done` | Task processing complete | `skill`, `cost`, `totalCost`, `failed`, `pendingTasks` |
+| `task.started` | Task processing begins | `iteration`, `skill`, `subtasks`, `prompt` |
+| `task.done` | Task processing complete | `skill`, `subtasks`, `prompt`, `cost`, `totalCost`, `failed`, `pendingTasks`, `duration_ms` |
 | `log` | Each log line | `line` |
 
 ### Example

package/dist/container.d.ts

@@ -16,10 +16,13 @@ export interface ContainerConfig {
     flyApp?: string;
     imageRef?: string;
     webhookUrl?: string;
+    webhookSecret?: string;
     /** Start the container in detached mode. It will exit after processing all messages and tasks. */
     detached?: boolean;
     /** Initial prompt to queue at container startup (before the HTTP server accepts external requests). */
     initialPrompt?: string;
+    /** Override the host port for local containers (default: auto-selected). */
+    localPort?: number;
 }
 export interface RepoOptions {
     repoUrl: string;

package/dist/container.js

@@ -105,13 +105,16 @@ export async function startContainer(config, repo) {
     buildImage(config);
     const uniqueId = Math.random().toString(36).slice(2, 8);
     const containerName = `app-building-${uniqueId}`;
-    const hostPort = findFreePort();
+    const containerPort = 3000;
+    const hostPort = config.localPort ?? findFreePort();
     const extra = {
-        PORT: String(hostPort),
+        PORT: String(containerPort),
         CONTAINER_NAME: containerName,
     };
     if (config.webhookUrl)
         extra.WEBHOOK_URL = config.webhookUrl;
+    if (config.webhookSecret)
+        extra.WEBHOOK_SECRET = config.webhookSecret;
     if (config.detached)
         extra.DETACHED = "1";
     if (config.initialPrompt)
@@ -121,7 +124,7 @@ export async function startContainer(config, repo) {
     const args = ["run", "-d", "--rm", "--name", containerName];
     // Use explicit port mapping for macOS Docker Desktop compatibility
     // (--network host only works on Linux)
-    args.push("-p", `${hostPort}:${hostPort}`);
+    args.push("-p", `${hostPort}:${containerPort}`);
     for (const [k, v] of Object.entries(containerEnv)) {
         args.push("--env", `${k}=${v}`);
     }

package/dist/index.d.ts

@@ -4,3 +4,4 @@ export * from "./container-registry";
 export * from "./container-utils";
 export * from "./http-client";
 export * from "./image-ref";
+export * from "./secrets";

package/dist/index.js

@@ -4,3 +4,4 @@ export * from "./container-registry";
 export * from "./container-utils";
 export * from "./http-client";
 export * from "./image-ref";
+export * from "./secrets";

package/dist/secrets.d.ts

@@ -0,0 +1,29 @@
+export interface InfisicalConfig {
+    token: string;
+    projectId: string;
+    environment: string;
+}
+/**
+ * Fetch secrets from an Infisical folder path.
+ * Returns a key-value record of secret names to values.
+ */
+export declare function fetchInfisicalSecrets(config: InfisicalConfig, secretPath: string): Promise<Record<string, string>>;
+/**
+ * Fetch global build secrets from `/global/`.
+ */
+export declare function fetchGlobalSecrets(config: InfisicalConfig): Promise<Record<string, string>>;
+/**
+ * Fetch per-branch deployment secrets from `/branches/<branch>/`.
+ */
+export declare function fetchBranchSecrets(config: InfisicalConfig, branch: string): Promise<Record<string, string>>;
+/**
+ * Resolve the full set of secrets to inject into a container:
+ * global build secrets + Infisical config vars (so the container can fetch branch secrets).
+ * Throws if any required secret from .env.example is missing.
+ */
+export declare function resolveContainerSecrets(config: InfisicalConfig): Promise<Record<string, string>>;
+/**
+ * Extract Infisical config from environment variables.
+ * Throws if any required Infisical var is missing.
+ */
+export declare function getInfisicalConfig(envVars: Record<string, string>): InfisicalConfig;

package/dist/secrets.js

@@ -0,0 +1,95 @@
+import { readFileSync } from "fs";
+import { resolve, dirname } from "path";
+import { fileURLToPath } from "url";
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const INFISICAL_API_BASE = "https://app.infisical.com";
+/** Keys listed in src/package/.env.example that must be present in container secrets. */
+function getRequiredSecretKeys() {
+    const examplePath = resolve(__dirname, ".env.example");
+    return readFileSync(examplePath, "utf-8")
+        .split("\n")
+        .map((l) => l.split("#")[0].trim())
+        .filter((l) => l && l.includes("="))
+        .map((l) => l.split("=")[0].trim());
+}
+async function infisicalFetch(path, config) {
+    const res = await fetch(`${INFISICAL_API_BASE}${path}`, {
+        headers: {
+            Authorization: `Bearer ${config.token}`,
+            "Content-Type": "application/json",
+        },
+    });
+    if (!res.ok) {
+        const body = await res.text().catch(() => "");
+        throw new Error(`Infisical API GET ${path} → ${res.status}: ${body}`);
+    }
+    return res;
+}
+/**
+ * Fetch secrets from an Infisical folder path.
+ * Returns a key-value record of secret names to values.
+ */
+export async function fetchInfisicalSecrets(config, secretPath) {
+    const params = new URLSearchParams({
+        workspaceId: config.projectId,
+        environment: config.environment,
+        secretPath,
+    });
+    const res = await infisicalFetch(`/api/v3/secrets/raw?${params}`, config);
+    const data = (await res.json());
+    const secrets = {};
+    for (const s of data.secrets) {
+        secrets[s.secretKey] = s.secretValue;
+    }
+    return secrets;
+}
+/**
+ * Fetch global build secrets from `/global/`.
+ */
+export async function fetchGlobalSecrets(config) {
+    return fetchInfisicalSecrets(config, "/global/");
+}
+/**
+ * Fetch per-branch deployment secrets from `/branches/<branch>/`.
+ */
+export async function fetchBranchSecrets(config, branch) {
+    return fetchInfisicalSecrets(config, `/branches/${branch}/`);
+}
+/**
+ * Resolve the full set of secrets to inject into a container:
+ * global build secrets + Infisical config vars (so the container can fetch branch secrets).
+ * Throws if any required secret from .env.example is missing.
+ */
+export async function resolveContainerSecrets(config) {
+    const globals = await fetchGlobalSecrets(config);
+    const secrets = {
+        ...globals,
+        INFISICAL_TOKEN: config.token,
+        INFISICAL_PROJECT_ID: config.projectId,
+        INFISICAL_ENVIRONMENT: config.environment,
+    };
+    const required = getRequiredSecretKeys();
+    const missing = required.filter((k) => !secrets[k]);
+    if (missing.length > 0) {
+        throw new Error(`Missing required secrets in Infisical /global/: ${missing.join(", ")}`);
+    }
+    return secrets;
+}
+/**
+ * Extract Infisical config from environment variables.
+ * Throws if any required Infisical var is missing.
+ */
+export function getInfisicalConfig(envVars) {
+    const token = envVars.INFISICAL_TOKEN;
+    const projectId = envVars.INFISICAL_PROJECT_ID;
+    const environment = envVars.INFISICAL_ENVIRONMENT;
+    const missing = [
+        !token && "INFISICAL_TOKEN",
+        !projectId && "INFISICAL_PROJECT_ID",
+        !environment && "INFISICAL_ENVIRONMENT",
+    ].filter(Boolean);
+    if (missing.length > 0) {
+        throw new Error(`Missing Infisical config in .env: ${missing.join(", ")}`);
+    }
+    return { token: token, projectId: projectId, environment: environment };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@replayio/app-building",
-  "version": "1.10.0",
+  "version": "1.12.0",
   "description": "Library for managing agentic app-building containers",
   "type": "module",
   "exports": {