@tadnt2003/n8n-nodes-infisical 0.2.0 → 0.3.0

package/dist/utils/syncOperations.js

@@ -0,0 +1,750 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.executeSyncOperation = void 0;
+const n8n_workflow_1 = require("n8n-workflow");
+// Maps each supported credential type to the fields to sync.
+// `param` is the n8n parameter name; `secretKey` is the Infisical secret key name.
+const CREDENTIAL_FIELD_MAPS = {
+    googleApi: [
+        { param: 'email', secretKey: 'email' },
+        { param: 'privateKey', secretKey: 'privateKey' },
+        { param: 'delegatedEmail', secretKey: 'delegatedEmail' },
+        { param: 'scopes', secretKey: 'scopes' },
+        // Fix 7.1: condition-controlling fields needed for delegated auth and HTTP scopes branches
+        { param: 'inpersonate', secretKey: 'inpersonate' },
+        { param: 'httpNode', secretKey: 'httpNode' },
+    ],
+    googleOAuth2Api: [
+        { param: 'clientId', secretKey: 'clientId' },
+        { param: 'clientSecret', secretKey: 'clientSecret' },
+        { param: 'scope', secretKey: 'scope' },
+    ],
+    jiraSoftwareCloudApi: [
+        { param: 'email', secretKey: 'email' },
+        { param: 'apiToken', secretKey: 'apiToken' },
+        { param: 'domain', secretKey: 'domain' },
+    ],
+    openAiApi: [
+        { param: 'apiKey', secretKey: 'apiKey' },
+        { param: 'organizationId', secretKey: 'organizationId' },
+        { param: 'url', secretKey: 'url' },
+    ],
+    anthropicApi: [
+        { param: 'apiKey', secretKey: 'apiKey' },
+        { param: 'url', secretKey: 'url' },
+    ],
+    groqApi: [{ param: 'apiKey', secretKey: 'apiKey' }],
+    cohereApi: [{ param: 'apiKey', secretKey: 'apiKey' }],
+    huggingFaceApi: [{ param: 'apiKey', secretKey: 'apiKey' }],
+    mistralCloudApi: [{ param: 'apiKey', secretKey: 'apiKey' }],
+    discordBotApi: [{ param: 'botToken', secretKey: 'botToken' }],
+    discordWebhookApi: [{ param: 'webhookUri', secretKey: 'webhookUri' }],
+    mySql: [
+        { param: 'host', secretKey: 'host' },
+        { param: 'database', secretKey: 'database' },
+        { param: 'user', secretKey: 'user' },
+        { param: 'password', secretKey: 'password' },
+        { param: 'port', secretKey: 'port' },
+        { param: 'ssl', secretKey: 'ssl' },
+        { param: 'sshTunnel', secretKey: 'sshTunnel' },
+        { param: 'sshHost', secretKey: 'sshHost' },
+        { param: 'sshPort', secretKey: 'sshPort' },
+        { param: 'sshUser', secretKey: 'sshUser' },
+        { param: 'sshPassword', secretKey: 'sshPassword' },
+        // Fix 7.1: SSH key-auth fields for the sshTunnel conditional branch
+        { param: 'sshAuthenticateWith', secretKey: 'sshAuthenticateWith' },
+        { param: 'privateKey', secretKey: 'privateKey' },
+        { param: 'passphrase', secretKey: 'passphrase' },
+    ],
+    postgres: [
+        { param: 'host', secretKey: 'host' },
+        { param: 'database', secretKey: 'database' },
+        { param: 'user', secretKey: 'user' },
+        { param: 'password', secretKey: 'password' },
+        { param: 'port', secretKey: 'port' },
+        { param: 'ssl', secretKey: 'ssl' },
+        // Fix 7.1: controls which SSL branch fires; missing caused wrong defaults on create
+        { param: 'allowUnauthorizedCerts', secretKey: 'allowUnauthorizedCerts' },
+        { param: 'sshTunnel', secretKey: 'sshTunnel' },
+        { param: 'sshHost', secretKey: 'sshHost' },
+        { param: 'sshPort', secretKey: 'sshPort' },
+        { param: 'sshUser', secretKey: 'sshUser' },
+        { param: 'sshPassword', secretKey: 'sshPassword' },
+        // Fix 7.1: SSH key-auth fields for the sshTunnel conditional branch
+        { param: 'sshAuthenticateWith', secretKey: 'sshAuthenticateWith' },
+        { param: 'privateKey', secretKey: 'privateKey' },
+        { param: 'passphrase', secretKey: 'passphrase' },
+    ],
+    mongoDb: [
+        { param: 'configurationType', secretKey: 'configurationType' },
+        { param: 'connectionString', secretKey: 'connectionString' },
+        { param: 'host', secretKey: 'host' },
+        { param: 'database', secretKey: 'database' },
+        { param: 'user', secretKey: 'user' },
+        { param: 'password', secretKey: 'password' },
+        { param: 'port', secretKey: 'port' },
+        { param: 'tls', secretKey: 'tls' },
+    ],
+    redis: [
+        { param: 'host', secretKey: 'host' },
+        { param: 'port', secretKey: 'port' },
+        { param: 'user', secretKey: 'user' },
+        { param: 'password', secretKey: 'password' },
+        { param: 'database', secretKey: 'database' },
+        { param: 'ssl', secretKey: 'ssl' },
+    ],
+    microsoftSql: [
+        { param: 'server', secretKey: 'server' },
+        { param: 'database', secretKey: 'database' },
+        { param: 'user', secretKey: 'user' },
+        { param: 'password', secretKey: 'password' },
+        { param: 'port', secretKey: 'port' },
+        { param: 'domain', secretKey: 'domain' },
+    ],
+    googleSheetsOAuth2Api: [
+        { param: 'clientId', secretKey: 'clientId' },
+        { param: 'clientSecret', secretKey: 'clientSecret' },
+        // condition-controlling field: drives the allowedDomains conditional branch
+        { param: 'allowedHttpRequestDomains', secretKey: 'allowedHttpRequestDomains' },
+        { param: 'allowedDomains', secretKey: 'allowedDomains' },
+    ],
+    googleDriveOAuth2Api: [
+        { param: 'clientId', secretKey: 'clientId' },
+        { param: 'clientSecret', secretKey: 'clientSecret' },
+        { param: 'allowedHttpRequestDomains', secretKey: 'allowedHttpRequestDomains' },
+        { param: 'allowedDomains', secretKey: 'allowedDomains' },
+    ],
+    googleDocsOAuth2Api: [
+        { param: 'clientId', secretKey: 'clientId' },
+        { param: 'clientSecret', secretKey: 'clientSecret' },
+        { param: 'allowedHttpRequestDomains', secretKey: 'allowedHttpRequestDomains' },
+        { param: 'allowedDomains', secretKey: 'allowedDomains' },
+    ],
+    n8nApi: [
+        { param: 'apiKey', secretKey: 'apiKey' },
+        { param: 'baseUrl', secretKey: 'baseUrl' },
+        // condition-controlling field: drives the allowedDomains conditional branch
+        { param: 'allowedHttpRequestDomains', secretKey: 'allowedHttpRequestDomains' },
+        { param: 'allowedDomains', secretKey: 'allowedDomains' },
+    ],
+    infisicalApi: [
+        { param: 'apiUrl', secretKey: 'apiUrl' },
+        // condition-controlling field: universalAuth vs serviceToken branches
+        { param: 'authType', secretKey: 'authType' },
+        { param: 'clientId', secretKey: 'clientId' },
+        { param: 'clientSecret', secretKey: 'clientSecret' },
+        { param: 'organizationSlug', secretKey: 'organizationSlug' },
+        // service token value (only active when authType === 'serviceToken')
+        { param: 'apiKey', secretKey: 'apiKey' },
+    ],
+    // ── Generic HTTP auth types ────────────────────────────────────────────────
+    httpBearerAuth: [
+        { param: 'token', secretKey: 'token' },
+        { param: 'allowedHttpRequestDomains', secretKey: 'allowedHttpRequestDomains' },
+        { param: 'allowedDomains', secretKey: 'allowedDomains' },
+    ],
+    httpBasicAuth: [
+        { param: 'user', secretKey: 'user' },
+        { param: 'password', secretKey: 'password' },
+        { param: 'allowedHttpRequestDomains', secretKey: 'allowedHttpRequestDomains' },
+        { param: 'allowedDomains', secretKey: 'allowedDomains' },
+    ],
+    httpDigestAuth: [
+        { param: 'user', secretKey: 'user' },
+        { param: 'password', secretKey: 'password' },
+        { param: 'allowedHttpRequestDomains', secretKey: 'allowedHttpRequestDomains' },
+        { param: 'allowedDomains', secretKey: 'allowedDomains' },
+    ],
+    httpHeaderAuth: [
+        { param: 'name', secretKey: 'name' },
+        { param: 'value', secretKey: 'value' },
+        { param: 'allowedHttpRequestDomains', secretKey: 'allowedHttpRequestDomains' },
+        { param: 'allowedDomains', secretKey: 'allowedDomains' },
+    ],
+    httpQueryAuth: [
+        { param: 'name', secretKey: 'name' },
+        { param: 'value', secretKey: 'value' },
+        { param: 'allowedHttpRequestDomains', secretKey: 'allowedHttpRequestDomains' },
+        { param: 'allowedDomains', secretKey: 'allowedDomains' },
+    ],
+    httpCustomAuth: [
+        { param: 'json', secretKey: 'json' },
+        { param: 'allowedHttpRequestDomains', secretKey: 'allowedHttpRequestDomains' },
+        { param: 'allowedDomains', secretKey: 'allowedDomains' },
+    ],
+    httpSslAuth: [
+        { param: 'ca', secretKey: 'ca' },
+        { param: 'cert', secretKey: 'cert' },
+        { param: 'key', secretKey: 'key' },
+        { param: 'passphrase', secretKey: 'passphrase' },
+    ],
+    oAuth1Api: [
+        { param: 'signatureMethod', secretKey: 'signatureMethod' },
+        { param: 'consumerKey', secretKey: 'consumerKey' },
+        { param: 'consumerSecret', secretKey: 'consumerSecret' },
+        { param: 'requestTokenUrl', secretKey: 'requestTokenUrl' },
+        { param: 'authUrl', secretKey: 'authUrl' },
+        { param: 'accessTokenUrl', secretKey: 'accessTokenUrl' },
+        { param: 'allowedHttpRequestDomains', secretKey: 'allowedHttpRequestDomains' },
+        { param: 'allowedDomains', secretKey: 'allowedDomains' },
+    ],
+    oAuth2Api: [
+        // condition-controlling: grantType drives authUrl/authQueryParameters branch
+        { param: 'grantType', secretKey: 'grantType' },
+        { param: 'authUrl', secretKey: 'authUrl' },
+        { param: 'accessTokenUrl', secretKey: 'accessTokenUrl' },
+        { param: 'clientId', secretKey: 'clientId' },
+        { param: 'clientSecret', secretKey: 'clientSecret' },
+        { param: 'scope', secretKey: 'scope' },
+        { param: 'authQueryParameters', secretKey: 'authQueryParameters' },
+        { param: 'authentication', secretKey: 'authentication' },
+        { param: 'allowedHttpRequestDomains', secretKey: 'allowedHttpRequestDomains' },
+        { param: 'allowedDomains', secretKey: 'allowedDomains' },
+    ],
+    jwtAuth: [
+        // condition-controlling: keyType drives secret vs privateKey/publicKey branches
+        { param: 'keyType', secretKey: 'keyType' },
+        { param: 'secret', secretKey: 'secret' },
+        { param: 'privateKey', secretKey: 'privateKey' },
+        { param: 'publicKey', secretKey: 'publicKey' },
+        { param: 'algorithm', secretKey: 'algorithm' },
+    ],
+};
+function buildSecretPath(rootPath, credentialName) {
+    const root = rootPath.replace(/\/+$/, '') || '/';
+    return root === '/' ? `/${credentialName}` : `${root}/${credentialName}`;
+}
+// Fix 7.5: removed `typeof value === 'boolean' && value === false` — false is a meaningful value
+// that must be written to Infisical (e.g. ssl:false, sshTunnel:false as condition keys).
+function isEmptyValue(value) {
+    if (value === null || value === undefined)
+        return true;
+    if (typeof value === 'string' && value.trim() === '')
+        return true;
+    return false;
+}
+// Fix 7.4: handles `number` type (port, connectTimeout, maxConnections, etc.)
+// Fix 7.7: reads schema's own `default` before falling back to enum heuristic
+function applyDefaultForProp(key, def, defaults, required) {
+    var _a;
+    if (required.has(key) || key in defaults)
+        return;
+    if (Array.isArray(def.enum) && def.enum.length > 0) {
+        defaults[key] = ((_a = def.default) !== null && _a !== void 0 ? _a : (key === 'allowedHttpRequestDomains' ? 'all' : def.enum[0]));
+    }
+    else if (def.type === 'boolean') {
+        defaults[key] = false;
+    }
+    else if (def.type === 'string') {
+        defaults[key] = '';
+    }
+    else if (def.type === 'number') {
+        defaults[key] = 0;
+    }
+    else if (def.type === 'json') {
+        defaults[key] = '{}';
+    }
+}
+// Coerce a string value from Infisical to the type the n8n schema expects.
+function coerceValue(raw, def) {
+    if (!def)
+        return raw;
+    if (def.type === 'number') {
+        const n = Number(raw);
+        return Number.isNaN(n) ? raw : n;
+    }
+    if (def.type === 'boolean')
+        return raw === 'true' || raw === '1';
+    return raw;
+}
+// Validate credential data against the n8n schema's required fields and conditional requirements.
+// For form mode, pass availableFormFields to skip checks for fields the form cannot provide.
+function validateAgainstSchema(data, schemaInfo, availableFormFields) {
+    const errors = [];
+    for (const field of schemaInfo.topRequired) {
+        if (availableFormFields && !availableFormFields.has(field))
+            continue;
+        if (isEmptyValue(data[field])) {
+            errors.push(`"${field}" is required but missing or empty`);
+        }
+    }
+    for (const { condKey, condValues, thenRequired } of schemaInfo.condBranches) {
+        const condVal = data[condKey];
+        const condKeyInSchema = condKey in schemaInfo.props;
+        if (!condKeyInSchema || condValues.includes(condVal)) {
+            for (const field of thenRequired) {
+                if (availableFormFields && !availableFormFields.has(field))
+                    continue;
+                if (isEmptyValue(data[field])) {
+                    const when = condKeyInSchema ? ` when "${condKey}" is "${String(condVal)}"` : '';
+                    errors.push(`"${field}" is required${when} but missing or empty`);
+                }
+            }
+        }
+    }
+    return errors;
+}
+async function syncFromInfisical(ctx, apiUrl, baseHeaders, i) {
+    var _a;
+    const projectId = ctx.getNodeParameter('projectId', i);
+    const environment = ctx.getNodeParameter('environment', i);
+    const rootPath = ctx.getNodeParameter('rootPath', i, '/') || '/';
+    const credentialName = ctx.getNodeParameter('credentialName', i);
+    const n8nCredentialId = ctx.getNodeParameter('n8nCredentialId', i);
+    const n8nCreds = await ctx.getCredentials('n8nApi');
+    const n8nApiUrl = (n8nCreds.baseUrl || 'http://localhost:5678').replace(/\/$/, '').replace(/\/api\/v1$/, '');
+    const n8nApiKey = n8nCreds.apiKey;
+    const secretPath = buildSecretPath(rootPath, credentialName);
+    // 1. Read all secrets from the Infisical folder
+    const infisicalResponse = await ctx.helpers.httpRequest({
+        method: 'GET',
+        url: `${apiUrl}/v4/secrets`,
+        headers: baseHeaders,
+        qs: { projectId, environment, secretPath },
+    });
+    const secrets = ((_a = infisicalResponse.secrets) !== null && _a !== void 0 ? _a : []);
+    if (secrets.length === 0) {
+        throw new n8n_workflow_1.NodeOperationError(ctx.getNode(), `No secrets found at path "${secretPath}" in environment "${environment}"`, { itemIndex: i });
+    }
+    // 2. Build n8n credential data from Infisical secret key/value pairs
+    const credentialData = {};
+    for (const secret of secrets) {
+        credentialData[secret.secretKey] = secret.secretValue;
+    }
+    // 3. Update the n8n credential via its REST API
+    const updated = await ctx.helpers.httpRequest({
+        method: 'PATCH',
+        url: `${n8nApiUrl}/api/v1/credentials/${n8nCredentialId}`,
+        headers: { 'X-N8N-API-KEY': n8nApiKey, 'Content-Type': 'application/json' },
+        body: { data: credentialData },
+    });
+    return [{ json: updated, pairedItem: { item: i } }];
+}
+// Collect field names from then/else allOf sub-schemas.
+function collectClauseFields(clause) {
+    var _a, _b, _c, _d, _e;
+    const required = [];
+    const notRequired = [];
+    if (!clause)
+        return { required, notRequired };
+    for (const f of (_a = clause.required) !== null && _a !== void 0 ? _a : [])
+        required.push(f);
+    for (const sub of (_b = clause.allOf) !== null && _b !== void 0 ? _b : []) {
+        for (const f of (_c = sub.required) !== null && _c !== void 0 ? _c : [])
+            required.push(f);
+        for (const f of (_e = (_d = sub.not) === null || _d === void 0 ? void 0 : _d.required) !== null && _e !== void 0 ? _e : [])
+            notRequired.push(f);
+    }
+    return { required, notRequired };
+}
+// Fetch schema, derive safe defaults, and return conditional branch info for post-merge handling.
+//
+// The schema's allOf branches use if/then/else. Each else block typically has
+// `not: { required: [field] }` entries that PROHIBIT those fields when the condition is off.
+// We must not pre-populate those fields as defaults, or the else block rejects the payload.
+// Conversely, when the condition fires (e.g. sshTunnel:true from Infisical), the then block
+// requires those fields, so post-merge we fill any still-missing ones with safe values.
+async function fetchN8nSchema(n8nApiUrl, credentialType, n8nHeaders, ctx) {
+    var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m;
+    const schema = await ctx.helpers.httpRequest({
+        method: 'GET',
+        url: `${n8nApiUrl}/api/v1/credentials/schema/${credentialType}`,
+        headers: n8nHeaders,
+    });
+    const topLevelRequired = new Set(Array.isArray(schema.required) ? schema.required : []);
+    const props = ((_a = schema.properties) !== null && _a !== void 0 ? _a : {});
+    // Analyse allOf branches to determine which fields must be excluded from defaults.
+    // A field is "excluded" when its controlling condition key defaults to OFF, causing the
+    // else block to fire and prohibit that field.
+    const excludedFields = new Set();
+    const condBranches = [];
+    const allOf = ((_b = schema.allOf) !== null && _b !== void 0 ? _b : []);
+    for (const branch of allOf) {
+        const ifKeys = Object.keys((_d = (_c = branch.if) === null || _c === void 0 ? void 0 : _c.properties) !== null && _d !== void 0 ? _d : {});
+        if (ifKeys.length !== 1)
+            continue;
+        const condKey = ifKeys[0];
+        const condValues = (_h = (_g = ((_f = (_e = branch.if) === null || _e === void 0 ? void 0 : _e.properties) !== null && _f !== void 0 ? _f : {})[condKey]) === null || _g === void 0 ? void 0 : _g.enum) !== null && _h !== void 0 ? _h : [];
+        const { required: thenRequired } = collectClauseFields(branch.then);
+        const { required: elseRequired, notRequired: elseProhibited } = collectClauseFields(branch.else);
+        // Fix 7.6: elseProhibited covers both `not.required` and plain `required` in else blocks,
+        // ensuring post-merge deletion handles any field that must be absent when condition is off.
+        condBranches.push({ condKey, condValues, thenRequired, elseProhibited: [...elseProhibited, ...elseRequired] });
+        if (condKey in props) {
+            // Determine the default value for the condition key.
+            const condKeyDef = props[condKey];
+            let condKeyDefault;
+            if (Array.isArray(condKeyDef === null || condKeyDef === void 0 ? void 0 : condKeyDef.enum) && ((_j = condKeyDef === null || condKeyDef === void 0 ? void 0 : condKeyDef.enum) === null || _j === void 0 ? void 0 : _j.length) > 0) {
+                // Fix 7.7: read schema's own default first, fall back to enum heuristic
+                condKeyDefault = (_k = condKeyDef === null || condKeyDef === void 0 ? void 0 : condKeyDef.default) !== null && _k !== void 0 ? _k : (condKey === 'allowedHttpRequestDomains' ? 'all' : (_l = condKeyDef === null || condKeyDef === void 0 ? void 0 : condKeyDef.enum) === null || _l === void 0 ? void 0 : _l[0]);
+            }
+            else if ((condKeyDef === null || condKeyDef === void 0 ? void 0 : condKeyDef.type) === 'boolean') {
+                condKeyDefault = false;
+            }
+            if (!condValues.includes(condKeyDefault)) {
+                // Default makes the condition FALSE → else fires → these fields are prohibited.
+                for (const f of elseProhibited)
+                    excludedFields.add(f);
+                for (const f of elseRequired)
+                    excludedFields.add(f);
+                for (const f of thenRequired)
+                    excludedFields.add(f);
+            }
+            // (If default makes condition TRUE → then fires → fields go into condBranches for post-merge fill)
+        }
+        else {
+            // condKey not in schema properties → can't be set → always absent →
+            // properties validator skips it (vacuously passes) → then always fires.
+            // The thenRequired fields must always be present; generate safe defaults for them.
+            // (handled in the post-main-loop step below)
+        }
+    }
+    // Generate base defaults: skip unconditionally required fields AND conditionally excluded ones.
+    const defaults = {};
+    for (const [key, def] of Object.entries(props)) {
+        if (topLevelRequired.has(key) || excludedFields.has(key))
+            continue;
+        applyDefaultForProp(key, def, defaults, topLevelRequired);
+    }
+    // For branches whose condition key is absent from the schema (vacuously always fires),
+    // ensure all then-required fields have at least a safe empty default.
+    for (const { condKey, thenRequired } of condBranches) {
+        if (condKey in props)
+            continue; // handled above
+        for (const field of thenRequired) {
+            if (field in defaults || topLevelRequired.has(field))
+                continue;
+            const def = (_m = props[field]) !== null && _m !== void 0 ? _m : {};
+            applyDefaultForProp(field, def, defaults, topLevelRequired);
+            if (!(field in defaults))
+                defaults[field] = ''; // fallback for types we don't handle
+        }
+    }
+    return { defaults, props, condBranches, topRequired: topLevelRequired };
+}
+// Apply conditional branch logic to fullData in-place.
+// Shared by both create and update paths (fix 7.2) to avoid duplication.
+// When a condition fires: fill any missing thenRequired fields with safe defaults.
+// When a condition does not fire: delete elseProhibited fields to satisfy the else block.
+function applyCondBranches(fullData, schemaInfo) {
+    var _a, _b;
+    for (const { condKey, condValues, thenRequired, elseProhibited } of schemaInfo.condBranches) {
+        const condVal = fullData[condKey];
+        // When condKey is absent from schema properties it can't appear in the data,
+        // so JSON Schema's `properties` validator skips it → condition fires vacuously.
+        const condKeyInSchema = condKey in schemaInfo.props;
+        if (!condKeyInSchema || condValues.includes(condVal)) {
+            // Condition fires → fill any missing then-required fields with safe defaults.
+            for (const field of thenRequired) {
+                if (field in fullData)
+                    continue;
+                const def = (_a = schemaInfo.props[field]) !== null && _a !== void 0 ? _a : {};
+                if (def.type === 'number') {
+                    fullData[field] = 0;
+                }
+                else if (def.type === 'boolean') {
+                    fullData[field] = false;
+                }
+                else if (Array.isArray(def.enum) && def.enum.length > 0) {
+                    // Fix 7.7: read schema's own default first
+                    fullData[field] = ((_b = def.default) !== null && _b !== void 0 ? _b : def.enum[0]);
+                }
+                else {
+                    fullData[field] = '';
+                }
+            }
+        }
+        else {
+            // Condition doesn't fire → remove prohibited fields to satisfy else block.
+            for (const field of elseProhibited) {
+                delete fullData[field];
+            }
+        }
+    }
+}
+async function autoSyncFromInfisical(ctx, apiUrl, baseHeaders, i) {
+    var _a, _b, _c, _d, _e, _f;
+    const projectId = ctx.getNodeParameter('projectId', i);
+    const environment = ctx.getNodeParameter('environment', i);
+    const rootPath = ctx.getNodeParameter('rootPath', i, '/') || '/';
+    const n8nCreds = await ctx.getCredentials('n8nApi');
+    const n8nApiUrl = (n8nCreds.baseUrl || 'http://localhost:5678').replace(/\/$/, '').replace(/\/api\/v1$/, '');
+    const n8nApiKey = n8nCreds.apiKey;
+    const n8nHeaders = { 'X-N8N-API-KEY': n8nApiKey, 'Content-Type': 'application/json' };
+    // 1. Discover all credential folders at rootPath
+    const folderPath = rootPath.replace(/\/+$/, '') || '/';
+    const folderResponse = await ctx.helpers.httpRequest({
+        method: 'GET',
+        url: `${apiUrl}/v2/folders`,
+        headers: baseHeaders,
+        qs: { projectId, environment, path: folderPath },
+    });
+    const folders = ((_a = folderResponse.folders) !== null && _a !== void 0 ? _a : []);
+    if (folders.length === 0) {
+        return [{
+                json: { success: true, message: `No folders found at "${folderPath}"`, synced: 0 },
+                pairedItem: { item: i },
+            }];
+    }
+    // 2. Fetch all existing n8n credentials (paginated) and index by name
+    const allN8nCreds = [];
+    let cursor;
+    do {
+        const qs = { limit: 250 };
+        if (cursor)
+            qs.cursor = cursor;
+        const resp = await ctx.helpers.httpRequest({
+            method: 'GET',
+            url: `${n8nApiUrl}/api/v1/credentials`,
+            headers: n8nHeaders,
+            qs,
+        });
+        allN8nCreds.push(...((_b = resp.data) !== null && _b !== void 0 ? _b : []));
+        cursor = resp.nextCursor;
+    } while (cursor);
+    const credByName = new Map(allN8nCreds.map((c) => [c.name, c]));
+    // Fix 7.3: cache schema results so the same credential type is only fetched once per execution,
+    // avoiding N redundant HTTP calls when multiple folders share the same type.
+    const schemaCache = new Map();
+    // 3. Process each folder
+    const results = [];
+    for (const folder of folders) {
+        const folderName = folder.name;
+        const secretPath = folderPath === '/' ? `/${folderName}` : `${folderPath}/${folderName}`;
+        // Read all secrets in this folder
+        const secretsResponse = await ctx.helpers.httpRequest({
+            method: 'GET',
+            url: `${apiUrl}/v4/secrets`,
+            headers: baseHeaders,
+            qs: { projectId, environment, secretPath },
+        });
+        const secrets = ((_c = secretsResponse.secrets) !== null && _c !== void 0 ? _c : []);
+        if (secrets.length === 0) {
+            results.push({
+                json: { folderName, secretPath, action: 'skipped', reason: 'no secrets in folder' },
+                pairedItem: { item: i },
+            });
+            continue;
+        }
+        // Extract n8n_credential_type from any secret's metadata
+        let credentialType;
+        for (const secret of secrets) {
+            const meta = ((_d = secret.secretMetadata) !== null && _d !== void 0 ? _d : []);
+            const entry = meta.find((m) => m.key === 'n8n_credential_type');
+            if (entry) {
+                credentialType = entry.value;
+                break;
+            }
+        }
+        // Fix 7.3: use cached schema when available
+        let schemaInfo;
+        if (credentialType) {
+            try {
+                if (!schemaCache.has(credentialType)) {
+                    schemaCache.set(credentialType, await fetchN8nSchema(n8nApiUrl, credentialType, n8nHeaders, ctx));
+                }
+                schemaInfo = schemaCache.get(credentialType);
+            }
+            catch (_g) {
+                // proceed without schema — no coercion or defaults applied
+            }
+        }
+        // Build n8n credential data applying secretKey→param mapping (if available)
+        // and coercing string values to the types the schema expects (e.g. port → number).
+        const fieldMap = credentialType ? CREDENTIAL_FIELD_MAPS[credentialType] : undefined;
+        const credentialData = {};
+        if (fieldMap) {
+            const secretsByKey = new Map(secrets.map((s) => [s.secretKey, s.secretValue]));
+            for (const { param, secretKey } of fieldMap) {
+                const raw = secretsByKey.get(secretKey);
+                if (raw === undefined)
+                    continue;
+                credentialData[param] = coerceValue(raw, schemaInfo === null || schemaInfo === void 0 ? void 0 : schemaInfo.props[param]);
+            }
+        }
+        else {
+            for (const secret of secrets) {
+                const key = secret.secretKey;
+                const raw = secret.secretValue;
+                credentialData[key] = coerceValue(raw, schemaInfo === null || schemaInfo === void 0 ? void 0 : schemaInfo.props[key]);
+            }
+        }
+        const existing = credByName.get(folderName);
+        if (existing) {
+            // Fix 7.2: apply the same fullData build logic as the create path so that condition-key
+            // changes (e.g. ssl:false→true) get their required fields filled and their prohibited
+            // fields removed, preventing spurious 422 errors on update.
+            const fullData = Object.assign(Object.assign({}, ((_e = schemaInfo === null || schemaInfo === void 0 ? void 0 : schemaInfo.defaults) !== null && _e !== void 0 ? _e : {})), credentialData);
+            if (schemaInfo)
+                applyCondBranches(fullData, schemaInfo);
+            const updated = await ctx.helpers.httpRequest({
+                method: 'PATCH',
+                url: `${n8nApiUrl}/api/v1/credentials/${existing.id}`,
+                headers: n8nHeaders,
+                body: { data: fullData },
+            });
+            results.push({
+                json: Object.assign(Object.assign({}, updated), { action: 'updated', secretPath, secretCount: secrets.length }),
+                pairedItem: { item: i },
+            });
+        }
+        else {
+            // Create new credential — needs type from metadata
+            if (!credentialType) {
+                results.push({
+                    json: { folderName, secretPath, action: 'skipped', reason: 'credential not found in n8n and no n8n_credential_type metadata to create it' },
+                    pairedItem: { item: i },
+                });
+                continue;
+            }
+            // Merge schema defaults (Infisical values take precedence) then apply
+            // conditional field rules: fill any still-missing then-required fields,
+            // and remove any fields prohibited by else blocks given actual merged values.
+            const fullData = Object.assign(Object.assign({}, ((_f = schemaInfo === null || schemaInfo === void 0 ? void 0 : schemaInfo.defaults) !== null && _f !== void 0 ? _f : {})), credentialData);
+            if (schemaInfo)
+                applyCondBranches(fullData, schemaInfo);
+            const created = await ctx.helpers.httpRequest({
+                method: 'POST',
+                url: `${n8nApiUrl}/api/v1/credentials`,
+                headers: n8nHeaders,
+                body: { name: folderName, type: credentialType, data: fullData },
+            });
+            results.push({
+                json: Object.assign(Object.assign({}, created), { action: 'created', secretPath, secretCount: secrets.length }),
+                pairedItem: { item: i },
+            });
+        }
+    }
+    return results;
+}
+async function executeSyncOperation(ctx, apiUrl, baseHeaders, operation, i) {
+    var _a, _b, _c, _d;
+    if (operation === 'syncFromInfisical') {
+        return syncFromInfisical(ctx, apiUrl, baseHeaders, i);
+    }
+    if (operation === 'autoSyncFromInfisical') {
+        return autoSyncFromInfisical(ctx, apiUrl, baseHeaders, i);
+    }
+    if (operation !== 'syncToInfisical') {
+        throw new n8n_workflow_1.NodeOperationError(ctx.getNode(), `Unknown sync operation: ${operation}`, {
+            itemIndex: i,
+        });
+    }
+    const projectId = ctx.getNodeParameter('projectId', i);
+    const environment = ctx.getNodeParameter('environment', i);
+    const rootPath = ctx.getNodeParameter('rootPath', i, '/') || '/';
+    const credentialName = ctx.getNodeParameter('credentialName', i);
+    const inputMode = ctx.getNodeParameter('inputMode', i, 'form');
+    const credentialType = inputMode === 'json'
+        ? ctx.getNodeParameter('credentialTypeJson', i)
+        : ctx.getNodeParameter('credentialType', i);
+    // Parse JSON early so it can be used for both validation and secret collection.
+    let parsedJson;
+    if (inputMode === 'json') {
+        const rawJson = ctx.getNodeParameter('credentialJson', i, '{}');
+        try {
+            parsedJson = JSON.parse(rawJson);
+        }
+        catch (_e) {
+            throw new n8n_workflow_1.NodeOperationError(ctx.getNode(), 'Credential Fields (JSON) is not valid JSON', { itemIndex: i });
+        }
+    }
+    // Validate against the n8n credential schema if n8nApi credentials are available.
+    // Silently skipped when n8nApi is not configured or the schema endpoint is unreachable.
+    let fetchedSchemaProps;
+    try {
+        const n8nCreds = await ctx.getCredentials('n8nApi');
+        const n8nApiUrl = (n8nCreds.baseUrl || 'http://localhost:5678')
+            .replace(/\/$/, '').replace(/\/api\/v1$/, '');
+        const n8nHeaders = { 'X-N8N-API-KEY': n8nCreds.apiKey, 'Content-Type': 'application/json' };
+        const schemaInfo = await fetchN8nSchema(n8nApiUrl, credentialType, n8nHeaders, ctx);
+        fetchedSchemaProps = schemaInfo.props;
+        const validationData = {};
+        let availableFormFields;
+        if (inputMode === 'json') {
+            Object.assign(validationData, parsedJson);
+        }
+        else {
+            const fieldMap = CREDENTIAL_FIELD_MAPS[credentialType];
+            if (fieldMap) {
+                availableFormFields = new Set(fieldMap.map((f) => f.param));
+                for (const { param } of fieldMap) {
+                    validationData[param] = ctx.getNodeParameter(param, i, '');
+                }
+            }
+        }
+        const errors = validateAgainstSchema(validationData, schemaInfo, availableFormFields);
+        if (errors.length > 0) {
+            throw new n8n_workflow_1.NodeOperationError(ctx.getNode(), `Credential validation failed for "${credentialType}":\n${errors.map((e) => `• ${e}`).join('\n')}`, { itemIndex: i });
+        }
+    }
+    catch (err) {
+        if (err instanceof n8n_workflow_1.NodeOperationError)
+            throw err;
+        // n8nApi not configured or schema fetch failed — skip validation
+    }
+    const folderPath = rootPath.replace(/\/+$/, '') || '/';
+    const secretPath = buildSecretPath(rootPath, credentialName);
+    // Ensure the credential folder exists; ignore conflict if it already does
+    try {
+        await ctx.helpers.httpRequest({
+            method: 'POST',
+            url: `${apiUrl}/v2/folders`,
+            headers: baseHeaders,
+            body: { projectId, environment, name: credentialName, path: folderPath },
+        });
+    }
+    catch (err) {
+        const e = err;
+        const status = (_b = (_a = e === null || e === void 0 ? void 0 : e.response) === null || _a === void 0 ? void 0 : _a.status) !== null && _b !== void 0 ? _b : e === null || e === void 0 ? void 0 : e.statusCode;
+        if (status !== 409 && !((_c = e === null || e === void 0 ? void 0 : e.message) === null || _c === void 0 ? void 0 : _c.toLowerCase().includes('already exist'))) {
+            throw err;
+        }
+    }
+    // Collect non-empty credential fields as Infisical secrets
+    const secretMetadata = [{ key: 'n8n_credential_type', value: credentialType }];
+    const secrets = [];
+    if (inputMode === 'json') {
+        for (const [key, value] of Object.entries(parsedJson !== null && parsedJson !== void 0 ? parsedJson : {})) {
+            if (isEmptyValue(value))
+                continue;
+            if (fetchedSchemaProps && !(key in fetchedSchemaProps))
+                continue;
+            const secretValue = typeof value === 'object' ? JSON.stringify(value) : String(value);
+            secrets.push({ secretKey: key, secretValue, secretMetadata });
+        }
+    }
+    else {
+        const fieldMap = CREDENTIAL_FIELD_MAPS[credentialType];
+        if (!fieldMap) {
+            throw new n8n_workflow_1.NodeOperationError(ctx.getNode(), `Unsupported credential type: ${credentialType}`, { itemIndex: i });
+        }
+        for (const { param, secretKey } of fieldMap) {
+            const value = ctx.getNodeParameter(param, i, '');
+            if (isEmptyValue(value))
+                continue;
+            secrets.push({ secretKey, secretValue: String(value), secretMetadata });
+        }
+    }
+    if (secrets.length === 0) {
+        throw new n8n_workflow_1.NodeOperationError(ctx.getNode(), 'No credential fields provided — all fields are empty', { itemIndex: i });
+    }
+    // Upsert all secrets in one batch call (mode=upsert: create if missing, update if exists)
+    const response = await ctx.helpers.httpRequest({
+        method: 'PATCH',
+        url: `${apiUrl}/v4/secrets/batch`,
+        headers: baseHeaders,
+        body: { projectId, environment, secretPath, secrets, mode: 'upsert' },
+    });
+    const synced = ((_d = response.secrets) !== null && _d !== void 0 ? _d : []);
+    if (synced.length === 0) {
+        return [
+            {
+                json: { success: true, credentialType, credentialName, secretPath, syncedCount: secrets.length },
+                pairedItem: { item: i },
+            },
+        ];
+    }
+    return synced.map((secret) => ({ json: secret, pairedItem: { item: i } }));
+}
+exports.executeSyncOperation = executeSyncOperation;