@replayio/app-building 1.16.0 → 1.18.0

package/README.md

@@ -28,18 +28,9 @@ import {
 const orchestrationVars = loadDotEnv("/path/to/project");
 const infisicalConfig = await getInfisicalConfig(orchestrationVars);
 
-// Only pass Infisical credentials to the container — not actual secrets.
-// The container fetches secrets from Infisical at startup and manages them
-// via an internal secrets server. The agent never has direct access to secrets.
-const containerEnvVars: Record<string, string> = {
-  INFISICAL_TOKEN: infisicalConfig.token,
-  INFISICAL_PROJECT_ID: infisicalConfig.projectId,
-  INFISICAL_ENVIRONMENT: infisicalConfig.environment,
-};
-
 const config: ContainerConfig = {
   projectRoot: "/path/to/project",  // optional — only needed for local Docker operations
-  envVars: containerEnvVars,
+  infisical: infisicalConfig,
   registry: new FileContainerRegistry("/path/to/.container-registry.jsonl"),
   flyToken: orchestrationVars.FLY_API_TOKEN,
   flyApp: orchestrationVars.FLY_APP_NAME,
@@ -77,7 +68,7 @@ exec-secrets NETLIFY_AUTH_TOKEN NETLIFY_ACCOUNT_SLUG -- netlify deploy --prod
 
 The secrets server spawns the command with the requested secrets in its environment and **redacts all secret values** from the output.
 
-The agent can also run `list-secrets` to see which secrets are available.
+The agent can also run `list-secrets` to see which secrets are available, and `set-branch-secret` to store new branch-level secrets (e.g., `DATABASE_URL` created at deploy time). The server rejects values that have already appeared in logs.
 
 ## Exported API
 
@@ -85,7 +76,7 @@ The agent can also run `list-secrets` to see which secrets are available.
 
 | Export | Description |
 |---|---|
-| `ContainerConfig` | Interface bundling all external state: optional `projectRoot` (only needed for local Docker operations), `envVars` (Infisical credentials), `registry`, optional `flyToken`/`flyApp`/`imageRef`/`webhookUrl`/`webhookSecret`/`detached`/`initialPrompt`/`localPort`/`absorbTasks`. See [Webhooks](#webhooks) and [Container lifecycle](#container-lifecycle) below. |
+| `ContainerConfig` | Interface bundling all external state: `infisical` (required `InfisicalConfig`), optional `projectRoot` (only needed for local Docker operations), `registry`, optional `flyToken`/`flyApp`/`imageRef`/`webhookUrl`/`webhookSecret`/`detached`/`initialPrompt`/`localPort`/`absorbTasks`. See [Webhooks](#webhooks) and [Container lifecycle](#container-lifecycle) below. |
 | `RepoOptions` | Per-invocation git settings: `repoUrl`, `cloneBranch`, `pushBranch`. |
 | `ContainerRegistry` | Interface for container registry storage. Methods: `log`, `markStopped`, `clearStopped`, `getRecent`, `find`, `findAlive`. |
 | `FileContainerRegistry` | Built-in file-backed implementation of `ContainerRegistry`, backed by a `.jsonl` file. |
@@ -149,9 +140,11 @@ The agent can also run `list-secrets` to see which secrets are available.
 
 | Export | Description |
 |---|---|
+| `infisicalLogin(clientId, clientSecret)` | Log in via Universal Auth, returns a short-lived access token. |
 | `getInfisicalConfig(envVars)` | Extract `InfisicalConfig` from env vars and log in. Requires `INFISICAL_CLIENT_ID`, `INFISICAL_CLIENT_SECRET`, `INFISICAL_PROJECT_ID`, `INFISICAL_ENVIRONMENT`. |
 | `fetchGlobalSecrets(config)` | Fetch secrets from the `/global/` path. |
 | `fetchBranchSecrets(config, branch)` | Fetch secrets from `/branches/<branch>/`. |
+| `createBranchSecret(config, branch, name, value)` | Create or update a secret in `/branches/<branch>/`. |
 | `fetchInfisicalSecrets(config, path)` | Raw fetch from any Infisical folder path. |
 
 **Types:** `InfisicalConfig`
@@ -162,13 +155,8 @@ The agent can also run `list-secrets` to see which secrets are available.
 const orchestrationVars = loadDotEnv(projectRoot);
 const infisicalConfig = await getInfisicalConfig(orchestrationVars);
 
-// Pass only Infisical credentials to the container
 const config: ContainerConfig = {
-  envVars: {
-    INFISICAL_TOKEN: infisicalConfig.token,
-    INFISICAL_PROJECT_ID: infisicalConfig.projectId,
-    INFISICAL_ENVIRONMENT: infisicalConfig.environment,
-  },
+  infisical: infisicalConfig,
   flyToken: orchestrationVars.FLY_API_TOKEN,
   flyApp: orchestrationVars.FLY_APP_NAME,
   ...
@@ -267,11 +255,7 @@ const infisicalConfig = await getInfisicalConfig(orchestrationVars);
 
 const config: ContainerConfig = {
   projectRoot: "/path/to/project",
-  envVars: {
-    INFISICAL_TOKEN: infisicalConfig.token,
-    INFISICAL_PROJECT_ID: infisicalConfig.projectId,
-    INFISICAL_ENVIRONMENT: infisicalConfig.environment,
-  },
+  infisical: infisicalConfig,
   registry: new FileContainerRegistry("/path/to/.container-registry.jsonl"),
   webhookUrl: "https://example.com/hooks/container-events",
   webhookSecret: "your-webhook-secret",

package/dist/container.d.ts

@@ -1,4 +1,5 @@
 import type { ContainerRegistry } from "./container-registry";
+import type { InfisicalConfig } from "./secrets";
 export interface AgentState {
     type: "local" | "remote";
     containerName: string;
@@ -10,7 +11,8 @@ export interface AgentState {
 }
 export interface ContainerConfig {
     projectRoot?: string;
-    envVars: Record<string, string>;
+    /** Infisical credentials — required for all containers. */
+    infisical: InfisicalConfig;
     registry: ContainerRegistry;
     flyToken?: string;
     flyApp?: string;

package/dist/container.js

@@ -73,7 +73,14 @@ function findFreePort() {
     }
     return port;
 }
-function buildContainerEnv(repo, envVars, extra = {}) {
+function infisicalEnvVars(config) {
+    return {
+        INFISICAL_TOKEN: config.token,
+        INFISICAL_PROJECT_ID: config.projectId,
+        INFISICAL_ENVIRONMENT: config.environment,
+    };
+}
+function buildContainerEnv(repo, infisical, extra = {}) {
     const env = {
         REPO_URL: repo.repoUrl,
         CLONE_BRANCH: repo.cloneBranch,
@@ -83,7 +90,7 @@ function buildContainerEnv(repo, envVars, extra = {}) {
         GIT_COMMITTER_NAME: "App Builder",
         GIT_COMMITTER_EMAIL: "app-builder@localhost",
         PLAYWRIGHT_BROWSERS_PATH: "/opt/playwright",
-        ...envVars,
+        ...infisicalEnvVars(infisical),
         ...extra,
     };
     if (process.env.DEBUG) {
@@ -99,7 +106,6 @@ export async function startContainer(config, repo) {
         webhookUrl: config.webhookUrl,
         detached: config.detached,
         initialPrompt: config.initialPrompt ? `${config.initialPrompt.slice(0, 100)}...` : undefined,
-        envVarKeys: Object.keys(config.envVars),
     });
     debugLog("startContainer repo:", repo);
     buildImage(config);
@@ -121,7 +127,7 @@ export async function startContainer(config, repo) {
         extra.INITIAL_PROMPT = config.initialPrompt;
     if (config.absorbTasks)
         extra.ABSORB_TASKS = "1";
-    const containerEnv = buildContainerEnv(repo, config.envVars, extra);
+    const containerEnv = buildContainerEnv(repo, config.infisical, extra);
     // Build docker run args
     const args = ["run", "-d", "--rm", "--name", containerName];
     // Use explicit port mapping for macOS Docker Desktop compatibility
@@ -196,6 +202,7 @@ export function spawnTestContainer(config) {
     ensureImageExists(config.projectRoot);
     const uniqueId = Math.random().toString(36).slice(2, 8);
     const containerName = `app-building-test-${uniqueId}`;
+    const infisicalVars = infisicalEnvVars(config.infisical);
     const args = ["run", "-it", "--rm", "--name", containerName];
     args.push("-v", `${config.projectRoot}:/repo`);
     args.push("-w", "/repo");
@@ -203,7 +210,7 @@ export function spawnTestContainer(config) {
     args.push("--user", `${process.getuid()}:${process.getgid()}`);
     args.push("--env", "HOME=/repo/.agent-home");
     args.push("--env", "PLAYWRIGHT_BROWSERS_PATH=/opt/playwright");
-    for (const [k, v] of Object.entries(config.envVars)) {
+    for (const [k, v] of Object.entries(infisicalVars)) {
         args.push("--env", `${k}=${v}`);
     }
     args.push(IMAGE_NAME, "bash");

package/dist/secrets.d.ts

@@ -1,3 +1,11 @@
+/**
+ * Infisical secrets API.
+ *
+ * API versions used (per https://infisical.com/docs/api-reference):
+ *   - Auth:    POST /api/v1/auth/universal-auth/login
+ *   - Secrets: GET/POST/PATCH /api/v4/secrets[/{secretName}]
+ *   - Folders: POST /api/v2/folders
+ */
 export interface InfisicalConfig {
     token: string;
     projectId: string;
@@ -5,12 +13,14 @@ export interface InfisicalConfig {
 }
 /**
  * Log in to Infisical using Universal Auth (Client ID + Client Secret).
- * Returns a short-lived access token (default 30 day TTL).
+ * POST /api/v1/auth/universal-auth/login
+ * Returns a short-lived access token.
  */
 export declare function infisicalLogin(clientId: string, clientSecret: string): Promise<string>;
 /**
  * Fetch secrets from an Infisical folder path.
- * Returns a key-value record of secret names to values.
+ * GET /api/v4/secrets?projectId=…&environment=…&secretPath=…
+ * Returns a key→value record.
  */
 export declare function fetchInfisicalSecrets(config: InfisicalConfig, secretPath: string): Promise<Record<string, string>>;
 /**
@@ -21,6 +31,16 @@ export declare function fetchGlobalSecrets(config: InfisicalConfig): Promise<Rec
  * Fetch per-branch deployment secrets from `/branches/<branch>/`.
  */
 export declare function fetchBranchSecrets(config: InfisicalConfig, branch: string): Promise<Record<string, string>>;
+/**
+ * Create or update a branch secret in Infisical.
+ * Creates the folder path if it doesn't exist yet.
+ *
+ *   POST  /api/v4/secrets/{name}   — create
+ *   PATCH /api/v4/secrets/{name}   — update (if secret already exists)
+ *
+ * Body: { projectId, environment, secretPath, secretValue, type }
+ */
+export declare function createBranchSecret(config: InfisicalConfig, branch: string, name: string, value: string): Promise<void>;
 /**
  * Extract Infisical config from environment variables and log in.
  * Reads INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET, INFISICAL_PROJECT_ID,

package/dist/secrets.js

@@ -1,7 +1,19 @@
+/**
+ * Infisical secrets API.
+ *
+ * API versions used (per https://infisical.com/docs/api-reference):
+ *   - Auth:    POST /api/v1/auth/universal-auth/login
+ *   - Secrets: GET/POST/PATCH /api/v4/secrets[/{secretName}]
+ *   - Folders: POST /api/v2/folders
+ */
 const INFISICAL_API_BASE = "https://app.infisical.com";
+// ---------------------------------------------------------------------------
+// Auth
+// ---------------------------------------------------------------------------
 /**
  * Log in to Infisical using Universal Auth (Client ID + Client Secret).
- * Returns a short-lived access token (default 30 day TTL).
+ * POST /api/v1/auth/universal-auth/login
+ * Returns a short-lived access token.
  */
 export async function infisicalLogin(clientId, clientSecret) {
     const res = await fetch(`${INFISICAL_API_BASE}/api/v1/auth/universal-auth/login`, {
@@ -16,30 +28,33 @@ export async function infisicalLogin(clientId, clientSecret) {
     const data = (await res.json());
     return data.accessToken;
 }
-async function infisicalFetch(path, config) {
-    const res = await fetch(`${INFISICAL_API_BASE}${path}`, {
-        headers: {
-            Authorization: `Bearer ${config.token}`,
-            "Content-Type": "application/json",
-        },
-    });
-    if (!res.ok) {
-        const body = await res.text().catch(() => "");
-        throw new Error(`Infisical API GET ${path} → ${res.status}: ${body}`);
-    }
-    return res;
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function authHeaders(config) {
+    return {
+        Authorization: `Bearer ${config.token}`,
+        "Content-Type": "application/json",
+    };
 }
 /**
  * Fetch secrets from an Infisical folder path.
- * Returns a key-value record of secret names to values.
+ * GET /api/v4/secrets?projectId=…&environment=…&secretPath=…
+ * Returns a key→value record.
  */
 export async function fetchInfisicalSecrets(config, secretPath) {
     const params = new URLSearchParams({
-        workspaceId: config.projectId,
+        projectId: config.projectId,
         environment: config.environment,
         secretPath,
     });
-    const res = await infisicalFetch(`/api/v3/secrets/raw?${params}`, config);
+    const res = await fetch(`${INFISICAL_API_BASE}/api/v4/secrets?${params}`, {
+        headers: authHeaders(config),
+    });
+    if (!res.ok) {
+        const body = await res.text().catch(() => "");
+        throw new Error(`Infisical GET secrets ${secretPath} → ${res.status}: ${body}`);
+    }
     const data = (await res.json());
     const secrets = {};
     for (const s of data.secrets) {
@@ -59,6 +74,116 @@ export async function fetchGlobalSecrets(config) {
 export async function fetchBranchSecrets(config, branch) {
     return fetchInfisicalSecrets(config, `/branches/${branch}/`);
 }
+// ---------------------------------------------------------------------------
+// Folders
+// ---------------------------------------------------------------------------
+/**
+ * Ensure all folders in a path exist, creating any missing ones.
+ * POST /api/v2/folders  — body: { projectId, environment, name, path }
+ *
+ * Infisical requires folders to exist before secrets can be written into them.
+ * We walk each segment of the path and issue a create; a 400 response means
+ * the folder already exists (the docs list 400 for "Bad Request" which
+ * Infisical returns for duplicate folder names).
+ */
+async function ensureFolder(config, folderPath) {
+    const segments = folderPath.split("/").filter(Boolean);
+    let parentPath = "/";
+    for (const segment of segments) {
+        const res = await fetch(`${INFISICAL_API_BASE}/api/v2/folders`, {
+            method: "POST",
+            headers: authHeaders(config),
+            body: JSON.stringify({
+                projectId: config.projectId,
+                environment: config.environment,
+                name: segment,
+                path: parentPath,
+            }),
+        });
+        // 200 = created. 400 = folder already exists (Infisical returns 400 for
+        // duplicate folder names under the same parent).
+        if (res.ok || res.status === 400) {
+            parentPath += segment + "/";
+            continue;
+        }
+        const text = await res.text().catch(() => "");
+        throw new Error(`Infisical create folder ${parentPath}${segment} → ${res.status}: ${text}`);
+    }
+}
+// ---------------------------------------------------------------------------
+// Secrets — write
+// ---------------------------------------------------------------------------
+/**
+ * Create or update a branch secret in Infisical.
+ * Creates the folder path if it doesn't exist yet.
+ *
+ *   POST  /api/v4/secrets/{name}   — create
+ *   PATCH /api/v4/secrets/{name}   — update (if secret already exists)
+ *
+ * Body: { projectId, environment, secretPath, secretValue, type }
+ */
+export async function createBranchSecret(config, branch, name, value) {
+    const secretPath = `/branches/${branch}/`;
+    const url = `${INFISICAL_API_BASE}/api/v4/secrets/${encodeURIComponent(name)}`;
+    const body = {
+        projectId: config.projectId,
+        environment: config.environment,
+        secretPath,
+        secretValue: value,
+        type: "shared",
+    };
+    const headers = authHeaders(config);
+    // --- Try POST (create) ---------------------------------------------------
+    const res = await fetch(url, {
+        method: "POST",
+        headers,
+        body: JSON.stringify(body),
+    });
+    if (res.ok)
+        return;
+    // Secret already exists → PATCH to update
+    if (res.status === 400) {
+        const patchRes = await fetch(url, {
+            method: "PATCH",
+            headers,
+            body: JSON.stringify(body),
+        });
+        if (patchRes.ok)
+            return;
+        const text = await patchRes.text().catch(() => "");
+        throw new Error(`Infisical PATCH ${name} → ${patchRes.status}: ${text}`);
+    }
+    // Folder doesn't exist → create folders then retry POST
+    if (res.status === 404) {
+        await ensureFolder(config, secretPath);
+        const retryRes = await fetch(url, {
+            method: "POST",
+            headers,
+            body: JSON.stringify(body),
+        });
+        if (retryRes.ok)
+            return;
+        // Retry may 400 if another process created it concurrently → try PATCH
+        if (retryRes.status === 400) {
+            const patchRes = await fetch(url, {
+                method: "PATCH",
+                headers,
+                body: JSON.stringify(body),
+            });
+            if (patchRes.ok)
+                return;
+            const text = await patchRes.text().catch(() => "");
+            throw new Error(`Infisical PATCH ${name} (after folder creation) → ${patchRes.status}: ${text}`);
+        }
+        const text = await retryRes.text().catch(() => "");
+        throw new Error(`Infisical POST ${name} (after folder creation) → ${retryRes.status}: ${text}`);
+    }
+    const text = await res.text().catch(() => "");
+    throw new Error(`Infisical POST ${name} → ${res.status}: ${text}`);
+}
+// ---------------------------------------------------------------------------
+// Config helper
+// ---------------------------------------------------------------------------
 /**
  * Extract Infisical config from environment variables and log in.
  * Reads INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET, INFISICAL_PROJECT_ID,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@replayio/app-building",
-  "version": "1.16.0",
+  "version": "1.18.0",
   "description": "Library for managing agentic app-building containers",
   "type": "module",
   "exports": {