@vrdmr/fnx-test 0.3.0 → 0.4.0

package/lib/cli.js

@@ -10,6 +10,7 @@ import { launchHost, createHostState } from './host-launcher.js';
 import { startLiveMcpServer } from './live-mcp-server.js';
 import { detectDotnetModel, printInProcessError } from './dotnet-detector.js';
 import { detectRuntimeFromConfig, packFunctionApp } from './pack.js';
+import { loadConfig, migrateConfig, validateConfig, showResolvedConfig } from './config.js';
 import { title, info, funcName, url as urlColor, success, error as errorColor, warning, dim, bold, highlightUrls } from './colors.js';
 
 const FNX_HOME = join(homedir(), '.fnx');
@@ -42,12 +43,16 @@ function hasHelp(args) {
  * 2. Otherwise check cwd for host.json.
  * 3. Fall back to cwd/src if it contains host.json.
  * 4. Error with actionable message if nothing found.
+ *
+ * opts.requireHostJson (default: true) — set to false for commands that
+ * work on config files only (e.g. fnx config migrate).
  */
-function resolveAppPath(args) {
+function resolveAppPath(args, opts = {}) {
+  const requireHostJson = opts.requireHostJson !== false;
   const explicit = getFlag(args, '--app-path');
   if (explicit) {
     const resolved = resolvePath(explicit);
-    if (!existsSync(join(resolved, 'host.json'))) {
+    if (requireHostJson && !existsSync(join(resolved, 'host.json'))) {
       console.error(errorColor(`Error: No host.json found in ${resolved}`));
       console.error(`  The --app-path must point to a directory containing host.json.`);
       console.error(dim(`  Example: fnx start --app-path ./my-function-app`));
@@ -67,6 +72,11 @@ function resolveAppPath(args) {
     return srcDir;
   }
 
+  // For config-only commands, fall back to cwd even without host.json
+  if (!requireHostJson) {
+    return cwd;
+  }
+
   console.error(errorColor(`Error: No function app found.`));
   console.error(`  Could not find host.json in the current directory or ./src.`);
   console.error(dim(`  Use --app-path <dir> to specify the function app location.`));
@@ -100,6 +110,25 @@ export async function main(args) {
     return;
   }
 
+  if (cmd === 'config') {
+    if (hasHelp(args.slice(1))) { printConfigHelp(); return; }
+    const subCmd = args[1];
+    const appPath = resolveAppPath(args, { requireHostJson: false });
+    if (subCmd === 'migrate') {
+      await migrateConfig(appPath);
+    } else if (subCmd === 'validate') {
+      const result = await validateConfig(appPath);
+      if (result.warnings.length) result.warnings.forEach(w => console.log(warning(`  ⚠ ${w}`)));
+      if (result.secrets.length) result.secrets.forEach(s => console.log(errorColor(`  ✗ ${s.path}: ${s.reason}`)));
+      if (result.errors.length) result.errors.forEach(e => console.log(errorColor(`  ✗ ${e}`)));
+      if (result.valid) console.log(success('  ✓ app-config.yaml is valid.'));
+      else process.exit(1);
+    } else {
+      await showResolvedConfig(appPath);
+    }
+    return;
+  }
+
   if (cmd === 'sync') {
     if (hasHelp(args.slice(1))) { printSyncHelp(); return; }
     await runSync(args.slice(1));
@@ -124,6 +153,12 @@ export async function main(args) {
 
   if (hasHelp(args.slice(1))) { printStartHelp(); return; }
 
+  // Handle --sku list early (no config needed)
+  if (getFlag(args, '--sku') === 'list') {
+    await listProfiles();
+    return;
+  }
+
   await maybeWarnForCliUpgrade();
 
   const scriptRoot = resolveAppPath(args);
@@ -143,21 +178,22 @@ export async function main(args) {
     setProfilesSource(profilesSource);
   }
 
-  // Read config files early (needed for SKU resolution and env vars)
-  const appConfig = await readJsonFile(resolvePath(scriptRoot, 'app.config.json'));
-  const localSettings = await readJsonFile(resolvePath(scriptRoot, 'local.settings.json'));
+  // Load and validate app configuration (app-config.yaml + local.settings.json)
+  const appCfg = await loadConfig(scriptRoot);
+  const { mergedValues, workerRuntime } = appCfg;
+
+  if (!workerRuntime) {
+    console.error(errorColor('Error: runtime.name not set in app-config.yaml and FUNCTIONS_WORKER_RUNTIME not in local.settings.json'));
+    process.exit(1);
+  }
 
-  // Resolve SKU: CLI flag > app.config.json > local.settings.json > default "flex"
+  // Resolve SKU: CLI flag > app-config.yaml > default "flex"
   let sku = getFlag(args, '--sku');
   let skuSource = 'CLI flag';
 
-  if (!sku && appConfig?.TargetSku) {
-    sku = appConfig.TargetSku;
-    skuSource = 'app.config.json';
-  }
-  if (!sku && localSettings?.TargetSku) {
-    sku = localSettings.TargetSku;
-    skuSource = 'local.settings.json';
+  if (!sku && appCfg.sku) {
+    sku = appCfg.sku;
+    skuSource = appCfg.skuSource;
   }
   if (!sku) {
     sku = 'flex';
@@ -166,11 +202,6 @@ export async function main(args) {
     console.log(dim(`Tip: Use --sku <name> to target a specific SKU. Run --sku list to see options.\n`));
   }
 
-  if (sku === 'list') {
-    await listProfiles();
-    return;
-  }
-
   // 1. Resolve profile
   if (skuSource !== 'default') {
     console.log(title(`Resolving SKU profile: ${sku} (from ${skuSource})...`));
@@ -195,19 +226,6 @@ export async function main(args) {
   console.log(`  ${dim('Profile Source:')}    ${info(source)}`);
   console.log();
 
-  // Early validation: merge config and check runtime before downloading anything
-  const mergedValues = {
-    ...(appConfig?.Values || {}),
-    ...(localSettings?.Values || {}),
-  };
-
-  const workerRuntime = mergedValues.FUNCTIONS_WORKER_RUNTIME;
-
-  if (!workerRuntime) {
-    console.error(errorColor('Error: FUNCTIONS_WORKER_RUNTIME not set in app.config.json or local.settings.json'));
-    process.exit(1);
-  }
-
   // F9: .NET isolated worker only — block in-process projects with guidance
   const dotnetRuntimes = ['dotnet', 'dotnet-isolated'];
   if (dotnetRuntimes.includes(workerRuntime)) {
@@ -440,6 +458,7 @@ ${title('Commands:')}
   ${funcName('start')}            Launch the Azure Functions host runtime for a specific SKU.
   ${funcName('sync')}             Sync cached host/extensions with current catalog profile.
   ${funcName('pack')}             Package a Functions app into a deployment zip.
+  ${funcName('config')}           Show, validate, or migrate app configuration.
   ${funcName('warmup')}           Pre-download host binaries and extension bundles.
   ${funcName('templates-mcp')}    Start the Azure Functions templates MCP server (stdio).
 
@@ -604,3 +623,33 @@ ${title('VS Code Configuration:')}
     }
   }`.trim());
 }
+
+function printConfigHelp() {
+  console.log(`
+${bold(title('fnx config'))} — Show, validate, or migrate app configuration.
+
+${title('Usage:')} fnx config [subcommand] [options]
+
+${title('Subcommands:')}
+  ${funcName('(none)')}           Show resolved config with provenance (which file each value comes from).
+  ${funcName('migrate')}          Create app-config.yaml from local.settings.json (extract non-secrets).
+  ${funcName('validate')}         Validate app-config.yaml (schema, secrets, allowlist) without starting.
+
+${title('Options:')}
+  ${success('--app-path')} <dir>  Path to the function app directory (default: cwd).
+  ${success('-h')}, ${success('--help')}         Show this help message.
+
+${title('Configuration Files:')}
+  ${funcName('app-config.yaml')}       Non-secret behavioral config (committed to source control).
+                          Contains runtime, SKU target, scale settings, and app settings.
+  ${funcName('local.settings.json')}   Secrets and connection strings (git-ignored).
+                          Values here override app-config.yaml values.
+
+${title('Precedence:')} CLI flags > local.settings.json > app-config.yaml > defaults
+
+${title('Examples:')}
+  fnx config                               Show resolved config
+  fnx config migrate                       Create app-config.yaml from local.settings.json
+  fnx config validate                      Check app-config.yaml for errors
+  fnx config validate --app-path ./my-app  Validate a specific app`.trim());
+}

package/lib/config-schema.js

@@ -0,0 +1,167 @@
+// config-schema.js — Canonical mapping: app-config.yaml paths → host environment variables
+//
+// This is the single source of truth for the config format. fnx is the first consumer,
+// but workers, deployment tools, and other components can adopt the same schema.
+
+// ── Structured field mappings (YAML path → env var) ──
+
+export const STRUCTURED_FIELDS = {
+  'runtime.name': {
+    envVar: 'FUNCTIONS_WORKER_RUNTIME',
+    required: true,
+    allowed: ['python', 'node', 'dotnet-isolated', 'dotnet', 'java', 'powershell', 'custom'],
+    description: 'Language runtime for the function app',
+  },
+  'runtime.version': {
+    envVar: 'FUNCTIONS_WORKER_RUNTIME_VERSION',
+    required: false,
+    description: 'Language runtime version (e.g. "3.11" for Python)',
+  },
+  'scaleAndConcurrency.maximumInstanceCount': {
+    envVar: 'WEBSITE_MAX_DYNAMIC_APPLICATION_SCALE_OUT',
+    required: false,
+    type: 'number',
+    description: 'Maximum number of instances for scale-out',
+  },
+  'scaleAndConcurrency.instanceMemoryMB': {
+    envVar: 'WEBSITE_INSTANCE_MEMORY_MB',
+    required: false,
+    type: 'number',
+    description: 'Memory allocation per instance in MB',
+  },
+};
+
+// ── Allowlisted configuration keys (non-secret app settings) ──
+// These are the only keys permitted in the `configurations:` section.
+// Reference: https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings
+
+export const ALLOWED_CONFIGURATIONS = new Set([
+  // Core runtime
+  'AzureWebJobsFeatureFlags',
+  'AZURE_FUNCTIONS_ENVIRONMENT',
+  'FUNCTIONS_WORKER_PROCESS_COUNT',
+  'FUNCTIONS_WORKER_SHARED_MEMORY_DATA_TRANSFER_ENABLED',
+
+  // Python worker
+  'PYTHON_ISOLATE_WORKER_DEPENDENCIES',
+  'PYTHON_ENABLE_WORKER_EXTENSIONS',
+  'PYTHON_THREADPOOL_THREAD_COUNT',
+  'PYTHON_ENABLE_DEBUG_LOGGING',
+
+  // Node worker
+  'languageWorkers__node__arguments',
+
+  // Java worker
+  'JAVA_OPTS',
+  'FUNCTIONS_WORKER_JAVA_LOAD_APP_LIBS',
+
+  // .NET (isolated)
+  'FUNCTIONS_WORKER_DOTNET_RELEASE_COMPILATION',
+
+  // Host behavior
+  'AzureWebJobsDisableHomepage',
+  'FUNCTIONS_REQUEST_BODY_SIZE_LIMIT',
+  'PythonPath',
+
+  // Extension bundle overrides
+  'AzureFunctionsJobHost__extensionBundle__id',
+  'AzureFunctionsJobHost__extensionBundle__version',
+
+  // Scale controller
+  'WEBSITE_MAX_DYNAMIC_APPLICATION_SCALE_OUT',
+
+  // Misc non-secret behavioral
+  'FUNCTIONS_V2_COMPATIBILITY_MODE',
+  'AzureWebJobsDotNetReleaseCompilation',
+]);
+
+// ── Top-level YAML sections ──
+
+export const VALID_TOP_LEVEL_KEYS = new Set([
+  'local',
+  'runtime',
+  'scaleAndConcurrency',
+  'configurations',
+  // Reserved for future use
+  // 'deployment',
+]);
+
+// ── Local section keys (fnx-specific) ──
+
+export const VALID_LOCAL_KEYS = new Set([
+  'targetSku',
+  'port',
+  'mcpPort',
+]);
+
+// ── Resolve structured YAML config → flat env var map ──
+
+export function resolveEnvVars(config) {
+  const envVars = {};
+  const errors = [];
+
+  // Map structured fields
+  for (const [yamlPath, spec] of Object.entries(STRUCTURED_FIELDS)) {
+    const value = getNestedValue(config, yamlPath);
+    if (value !== undefined && value !== null) {
+      if (spec.allowed && !spec.allowed.includes(value)) {
+        errors.push(`${yamlPath}: "${value}" is not allowed. Valid: ${spec.allowed.join(', ')}`);
+        continue;
+      }
+      if (spec.type === 'number' && typeof value !== 'number') {
+        errors.push(`${yamlPath}: expected number, got ${typeof value}`);
+        continue;
+      }
+      envVars[spec.envVar] = String(value);
+    } else if (spec.required) {
+      errors.push(`${yamlPath} is required (maps to ${spec.envVar})`);
+    }
+  }
+
+  // Pass through configurations.* as env vars
+  if (config.configurations && typeof config.configurations === 'object') {
+    for (const [key, value] of Object.entries(config.configurations)) {
+      if (!ALLOWED_CONFIGURATIONS.has(key)) {
+        errors.push(`configurations.${key}: not in the allowlist. Move to local.settings.json if needed.`);
+        continue;
+      }
+      envVars[key] = String(value);
+    }
+  }
+
+  return { envVars, errors };
+}
+
+// ── Validate top-level structure ──
+
+export function validateStructure(config) {
+  const warnings = [];
+  if (!config || typeof config !== 'object') {
+    return { warnings: ['app-config.yaml is empty or not a valid YAML object'] };
+  }
+  for (const key of Object.keys(config)) {
+    if (!VALID_TOP_LEVEL_KEYS.has(key)) {
+      warnings.push(`Unknown top-level key "${key}". Valid keys: ${[...VALID_TOP_LEVEL_KEYS].join(', ')}`);
+    }
+  }
+  if (config.local && typeof config.local === 'object') {
+    for (const key of Object.keys(config.local)) {
+      if (!VALID_LOCAL_KEYS.has(key)) {
+        warnings.push(`Unknown key "local.${key}". Valid keys: ${[...VALID_LOCAL_KEYS].join(', ')}`);
+      }
+    }
+  }
+  return { warnings };
+}
+
+// ── Helper: get nested value by dot path ──
+
+function getNestedValue(obj, path) {
+  const parts = path.split('.');
+  let current = obj;
+  for (const part of parts) {
+    if (current == null || typeof current !== 'object') return undefined;
+    current = current[part];
+  }
+  return current;
+}

package/lib/config.js

@@ -0,0 +1,468 @@
+// config.js — App config loader, validator, and auto-creator
+//
+// Reads app-config.yaml (primary) or auto-creates it from local.settings.json.
+// Validates against config-schema.js, checks for secrets, manages .gitignore protection.
+
+import { readFile, writeFile, access, readdir } from 'node:fs/promises';
+import { join, resolve as resolvePath } from 'node:path';
+import { createInterface } from 'node:readline';
+import { parse as parseYaml, stringify as stringifyYaml } from 'yaml';
+
+import { resolveEnvVars, validateStructure, ALLOWED_CONFIGURATIONS, STRUCTURED_FIELDS } from './config-schema.js';
+import { detectSecrets } from './secret-patterns.js';
+import { error as errorColor, warning as warningColor, success as successColor, info as infoColor, dim } from './colors.js';
+
+const APP_CONFIG_FILE = 'app-config.yaml';
+const LEGACY_APP_CONFIG_FILE = 'app.config.json';
+const LOCAL_SETTINGS_FILE = 'local.settings.json';
+
+// ── Public API ──
+
+/**
+ * Load and validate app configuration from the given app directory.
+ *
+ * Resolution order:
+ *   1. app-config.yaml exists → read, validate, return
+ *   2. app-config.yaml missing + local.settings.json exists → auto-create from local.settings.json
+ *   3. Neither exists → interactive prompt to generate
+ *
+ * Returns: { config, envVars, mergedValues, workerRuntime, sku, skuSource }
+ */
+export async function loadConfig(appPath, opts = {}) {
+  const appConfigPath = join(appPath, APP_CONFIG_FILE);
+  const legacyConfigPath = join(appPath, LEGACY_APP_CONFIG_FILE);
+  const localSettingsPath = join(appPath, LOCAL_SETTINGS_FILE);
+
+  let config;
+  const hasAppConfig = await fileExists(appConfigPath);
+  const hasLegacyConfig = await fileExists(legacyConfigPath);
+  const hasLocalSettings = await fileExists(localSettingsPath);
+
+  if (hasAppConfig) {
+    // Case 1: app-config.yaml exists
+    config = await readAppConfig(appConfigPath);
+  } else if (hasLegacyConfig) {
+    // Case 1b: Legacy app.config.json — convert to structured format
+    config = await readLegacyConfig(legacyConfigPath);
+  } else if (hasLocalSettings) {
+    // Case 2: Auto-create from local.settings.json
+    config = await autoCreateFromLocalSettings(appPath, localSettingsPath);
+  } else {
+    // Case 3: Nothing exists — interactive or error
+    const isInteractive = process.stdin.isTTY && !opts.nonInteractive;
+    if (!isInteractive) {
+      console.error(errorColor('Error: No app-config.yaml or local.settings.json found.'));
+      console.error(dim(`  Create app-config.yaml in ${appPath} or run fnx interactively.`));
+      process.exit(1);
+    }
+    config = await interactiveCreate(appPath);
+  }
+
+  // Validate structure
+  const { warnings } = validateStructure(config);
+  for (const w of warnings) {
+    console.error(warningColor(`  ⚠ ${w}`));
+  }
+
+  // Secret detection
+  const secrets = detectSecrets(config);
+  if (secrets.length > 0) {
+    await addToGitignore(appPath, APP_CONFIG_FILE);
+    console.error(errorColor('\n  ✗ Secrets detected in app-config.yaml:'));
+    for (const s of secrets) {
+      console.error(errorColor(`    • ${s.path}: ${s.reason}`));
+    }
+    console.error(errorColor(`\n  app-config.yaml has been added to .gitignore as a safety measure.`));
+    console.error(dim(`  Move secrets to local.settings.json, then remove app-config.yaml from .gitignore.`));
+    process.exit(1);
+  }
+
+  // Ensure app-config.yaml is NOT in .gitignore (clean state)
+  await removeFromGitignore(appPath, APP_CONFIG_FILE);
+
+  // Resolve structured fields → env vars
+  const { envVars, errors } = resolveEnvVars(config);
+  if (errors.length > 0) {
+    for (const e of errors) {
+      console.error(errorColor(`  ✗ ${e}`));
+    }
+    process.exit(1);
+  }
+
+  // Read local.settings.json for secrets/overrides
+  const localSettings = hasLocalSettings ? await readJsonFile(localSettingsPath) : null;
+  const localValues = localSettings?.Values || {};
+
+  // Merge: app-config.yaml envVars → local.settings.json overrides
+  const mergedValues = { ...envVars, ...localValues };
+
+  // Resolve worker runtime
+  const workerRuntime = mergedValues.FUNCTIONS_WORKER_RUNTIME;
+
+  // Resolve SKU: config.local.targetSku (CLI flag handled by caller)
+  const sku = config.local?.targetSku || null;
+  const skuSource = sku ? 'app-config.yaml' : null;
+
+  return {
+    config,
+    envVars,
+    mergedValues,
+    workerRuntime,
+    sku,
+    skuSource,
+  };
+}
+
+/**
+ * Migrate local.settings.json → app-config.yaml (standalone command).
+ * Returns the generated config object.
+ */
+export async function migrateConfig(appPath) {
+  const appConfigPath = join(appPath, APP_CONFIG_FILE);
+  const localSettingsPath = join(appPath, LOCAL_SETTINGS_FILE);
+
+  if (await fileExists(appConfigPath)) {
+    console.log(infoColor(`  app-config.yaml already exists at ${appConfigPath}`));
+    return readAppConfig(appConfigPath);
+  }
+
+  if (!await fileExists(localSettingsPath)) {
+    console.error(errorColor(`  No local.settings.json found at ${localSettingsPath}`));
+    process.exit(1);
+  }
+
+  return autoCreateFromLocalSettings(appPath, localSettingsPath);
+}
+
+/**
+ * Validate app-config.yaml (standalone command).
+ * Returns { valid, errors, warnings, secrets }.
+ */
+export async function validateConfig(appPath) {
+  const appConfigPath = join(appPath, APP_CONFIG_FILE);
+
+  if (!await fileExists(appConfigPath)) {
+    return { valid: false, errors: ['app-config.yaml not found'], warnings: [], secrets: [] };
+  }
+
+  const config = await readAppConfig(appConfigPath);
+  const { warnings } = validateStructure(config);
+  const { errors } = resolveEnvVars(config);
+  const secrets = detectSecrets(config);
+
+  return {
+    valid: errors.length === 0 && secrets.length === 0,
+    errors,
+    warnings,
+    secrets,
+  };
+}
+
+/**
+ * Show resolved config with provenance (standalone command).
+ */
+export async function showResolvedConfig(appPath) {
+  const appConfigPath = join(appPath, APP_CONFIG_FILE);
+  const localSettingsPath = join(appPath, LOCAL_SETTINGS_FILE);
+
+  const hasAppConfig = await fileExists(appConfigPath);
+  const hasLocalSettings = await fileExists(localSettingsPath);
+
+  if (!hasAppConfig && !hasLocalSettings) {
+    console.error(errorColor('  No configuration files found.'));
+    return;
+  }
+
+  let appConfigEnvVars = {};
+  if (hasAppConfig) {
+    const config = await readAppConfig(appConfigPath);
+    const result = resolveEnvVars(config);
+    appConfigEnvVars = result.envVars;
+  }
+
+  const localSettings = hasLocalSettings ? await readJsonFile(localSettingsPath) : null;
+  const localValues = localSettings?.Values || {};
+
+  // Sensitive keys to redact
+  const sensitiveKeys = ['AzureWebJobsStorage', 'EventHubConnectionString', 'ServiceBusConnectionString'];
+
+  console.log(infoColor('\n  Resolved Configuration:\n'));
+  console.log(dim('  Source precedence: CLI flags > local.settings.json > app-config.yaml\n'));
+
+  const merged = { ...appConfigEnvVars, ...localValues };
+  const maxKeyLen = Math.max(...Object.keys(merged).map(k => k.length), 10);
+
+  for (const [key, value] of Object.entries(merged).sort(([a], [b]) => a.localeCompare(b))) {
+    const source = (key in localValues) ? 'local.settings.json' : 'app-config.yaml';
+    const isSecret = sensitiveKeys.some(sk => key.includes(sk)) && value !== 'UseDevelopmentStorage=true';
+    const displayValue = isSecret ? '***REDACTED***' : value;
+    console.log(`  ${key.padEnd(maxKeyLen)}  ${dim(displayValue)}  ${dim(`← ${source}`)}`);
+  }
+  console.log('');
+}
+
+// ── Internal helpers ──
+
+async function readAppConfig(filePath) {
+  const raw = await readFile(filePath, 'utf-8');
+  const config = parseYaml(raw);
+  if (!config || typeof config !== 'object') {
+    console.error(errorColor(`  ✗ app-config.yaml is empty or invalid YAML`));
+    process.exit(1);
+  }
+  return config;
+}
+
+/**
+ * Read legacy app.config.json and convert to structured config format.
+ * This provides backward compatibility during the transition to app-config.yaml.
+ */
+async function readLegacyConfig(filePath) {
+  const legacy = await readJsonFile(filePath);
+  if (!legacy) {
+    console.error(errorColor(`  ✗ app.config.json is empty or invalid JSON`));
+    process.exit(1);
+  }
+
+  const config = {};
+
+  // Map TargetSku → local.targetSku
+  if (legacy.TargetSku) {
+    config.local = { targetSku: legacy.TargetSku };
+  }
+
+  // Map Values.FUNCTIONS_WORKER_RUNTIME → runtime.name
+  const values = legacy.Values || {};
+  if (values.FUNCTIONS_WORKER_RUNTIME) {
+    config.runtime = { name: values.FUNCTIONS_WORKER_RUNTIME };
+    if (values.FUNCTIONS_WORKER_RUNTIME_VERSION) {
+      config.runtime.version = values.FUNCTIONS_WORKER_RUNTIME_VERSION;
+    }
+  }
+
+  // Remaining values → configurations (skip structured fields)
+  const structuredEnvVars = new Set(['FUNCTIONS_WORKER_RUNTIME', 'FUNCTIONS_WORKER_RUNTIME_VERSION']);
+  const configEntries = {};
+  for (const [key, value] of Object.entries(values)) {
+    if (!structuredEnvVars.has(key)) {
+      configEntries[key] = value;
+    }
+  }
+  if (Object.keys(configEntries).length > 0) {
+    config.configurations = configEntries;
+  }
+
+  return config;
+}
+
+async function readJsonFile(filePath) {
+  try {
+    return JSON.parse(await readFile(filePath, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+async function autoCreateFromLocalSettings(appPath, localSettingsPath) {
+  const localSettings = await readJsonFile(localSettingsPath);
+  if (!localSettings?.Values) {
+    console.error(errorColor('  local.settings.json has no Values section.'));
+    process.exit(1);
+  }
+
+  const values = localSettings.Values;
+  const secrets = detectSecretsInFlatValues(values);
+  const nonSecretKeys = Object.keys(values).filter(k => !secrets.has(k));
+
+  // Build structured config
+  const config = {};
+
+  // Extract runtime
+  const runtime = values.FUNCTIONS_WORKER_RUNTIME;
+  if (runtime) {
+    config.runtime = { name: runtime };
+    // Check for runtime version in env or values
+    const version = values.FUNCTIONS_WORKER_RUNTIME_VERSION;
+    if (version) config.runtime.version = version;
+  }
+
+  // Extract targetSku from local settings (non-standard but some users set it)
+  if (localSettings.TargetSku) {
+    config.local = { targetSku: localSettings.TargetSku };
+  }
+
+  // Remaining non-secret, non-structured values → configurations
+  const structuredEnvVars = new Set(Object.values(STRUCTURED_FIELDS).map(s => s.envVar));
+  const configEntries = {};
+  for (const key of nonSecretKeys) {
+    if (structuredEnvVars.has(key)) continue; // Already mapped structurally
+    if (ALLOWED_CONFIGURATIONS.has(key)) {
+      configEntries[key] = values[key];
+    }
+  }
+  if (Object.keys(configEntries).length > 0) {
+    config.configurations = configEntries;
+  }
+
+  // Write app-config.yaml
+  const yaml = generateYaml(config);
+  const appConfigPath = join(appPath, APP_CONFIG_FILE);
+  await writeFile(appConfigPath, yaml, 'utf-8');
+
+  console.log(successColor(`  ✓ Created app-config.yaml from local.settings.json (non-secret settings extracted)`));
+  if (secrets.size > 0) {
+    console.log(dim(`    ${secrets.size} secret(s) left in local.settings.json: ${[...secrets].join(', ')}`));
+  }
+
+  return config;
+}
+
+async function interactiveCreate(appPath) {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  const ask = (q) => new Promise(r => rl.question(q, r));
+
+  console.log(warningColor('\n  No configuration files found.\n'));
+
+  const proceed = await ask('  Generate app-config.yaml? [Y/n] ');
+  if (proceed.toLowerCase() === 'n') {
+    rl.close();
+    console.error(errorColor('  Cannot proceed without configuration.'));
+    process.exit(1);
+  }
+
+  console.log(dim('  Select your runtime:'));
+  console.log(dim('    1) node'));
+  console.log(dim('    2) python'));
+  console.log(dim('    3) dotnet-isolated'));
+  console.log(dim('    4) java'));
+  console.log(dim('    5) powershell'));
+
+  const choice = await ask('  Runtime [1-5]: ');
+  const runtimes = { '1': 'node', '2': 'python', '3': 'dotnet-isolated', '4': 'java', '5': 'powershell' };
+  const runtime = runtimes[choice.trim()] || 'node';
+
+  rl.close();
+
+  const config = {
+    local: { targetSku: 'flex' },
+    runtime: { name: runtime },
+    configurations: {
+      AzureWebJobsFeatureFlags: 'EnableWorkerIndexing',
+    },
+  };
+
+  // Write app-config.yaml
+  const yaml = generateYaml(config);
+  await writeFile(join(appPath, APP_CONFIG_FILE), yaml, 'utf-8');
+  console.log(successColor(`  ✓ Created app-config.yaml`));
+
+  // Also create local.settings.json with Azurite
+  const localSettingsPath = join(appPath, LOCAL_SETTINGS_FILE);
+  if (!await fileExists(localSettingsPath)) {
+    const localSettings = {
+      IsEncrypted: false,
+      Values: {
+        AzureWebJobsStorage: 'UseDevelopmentStorage=true',
+      },
+    };
+    await writeFile(localSettingsPath, JSON.stringify(localSettings, null, 2) + '\n', 'utf-8');
+    console.log(successColor(`  ✓ Created local.settings.json (with Azurite storage)`));
+  }
+
+  return config;
+}
+
+function generateYaml(config) {
+  const lines = [
+    '# Azure Functions App Configuration',
+    '# Commit this to source control. Do NOT put secrets here.',
+    '# Secrets and connection strings go in local.settings.json (git-ignored).',
+    '#',
+    '# Reference: https://learn.microsoft.com/en-us/azure/azure-functions/functions-app-settings',
+    '',
+  ];
+
+  if (config.local) {
+    lines.push('# Local emulator (fnx) settings');
+    lines.push(stringifyYaml({ local: config.local }).trim());
+    lines.push('');
+  }
+
+  if (config.runtime) {
+    lines.push('# Runtime configuration');
+    lines.push(stringifyYaml({ runtime: config.runtime }).trim());
+    lines.push('');
+  }
+
+  if (config.scaleAndConcurrency) {
+    lines.push('# Scale & concurrency (mirrors ARM functionAppConfig)');
+    lines.push(stringifyYaml({ scaleAndConcurrency: config.scaleAndConcurrency }).trim());
+    lines.push('');
+  }
+
+  if (config.configurations) {
+    lines.push('# App settings (non-secret behavioral config)');
+    lines.push(stringifyYaml({ configurations: config.configurations }).trim());
+    lines.push('');
+  }
+
+  return lines.join('\n') + '\n';
+}
+
+/**
+ * Detect which keys in a flat values map are secrets (for migration).
+ * Returns a Set of secret key names.
+ */
+function detectSecretsInFlatValues(values) {
+  const secretKeys = new Set();
+  const secretKeyPatterns = [
+    /ConnectionString$/i,
+    /^AzureWebJobsStorage$/i,
+    /^APPINSIGHTS_INSTRUMENTATIONKEY$/i,
+    /^APPLICATIONINSIGHTS_CONNECTION_STRING$/i,
+    /Password$/i, /Secret$/i, /ApiKey$/i, /Token$/i,
+  ];
+  const secretValuePatterns = [
+    /DefaultEndpointsProtocol\s*=/i,
+    /AccountKey\s*=/i,
+    /SharedAccessSignature\s*=/i,
+    /Endpoint\s*=\s*sb:\/\//i,
+  ];
+
+  for (const [key, value] of Object.entries(values)) {
+    const strValue = String(value);
+    // Azurite marker is not a secret
+    if (strValue === 'UseDevelopmentStorage=true') continue;
+
+    if (secretKeyPatterns.some(p => p.test(key))) { secretKeys.add(key); continue; }
+    if (secretValuePatterns.some(p => p.test(strValue))) { secretKeys.add(key); continue; }
+  }
+  return secretKeys;
+}
+
+async function fileExists(filePath) {
+  try { await access(filePath); return true; } catch { return false; }
+}
+
+async function addToGitignore(appPath, filename) {
+  const gitignorePath = join(appPath, '.gitignore');
+  try {
+    const content = await readFile(gitignorePath, 'utf-8');
+    if (content.includes(filename)) return; // Already there
+    await writeFile(gitignorePath, content.trimEnd() + '\n' + filename + '\n', 'utf-8');
+  } catch {
+    await writeFile(gitignorePath, filename + '\n', 'utf-8');
+  }
+}
+
+async function removeFromGitignore(appPath, filename) {
+  const gitignorePath = join(appPath, '.gitignore');
+  try {
+    const content = await readFile(gitignorePath, 'utf-8');
+    if (!content.includes(filename)) return;
+    const lines = content.split('\n').filter(l => l.trim() !== filename);
+    await writeFile(gitignorePath, lines.join('\n'), 'utf-8');
+  } catch {
+    // No .gitignore — nothing to do
+  }
+}

package/lib/host-launcher.js

@@ -54,7 +54,7 @@ export function createHostState() {
 // ─── Python executable detection ────────────────────────────────────────
 // The .NET host needs a compatible Python version. The host's bundled worker
 // supports up to 3.13 (3.14 is unsupported). We check:
-//   1. Explicit config (app.config.json "PythonPath")
+//   1. Explicit config (app-config.yaml PythonPath or env var)
 //   2. .venv in the script root
 //   3. System python3.13 → python3.12 → python3.11 → python3 → python
 // This mirrors Core Tools behavior which also searches versioned binaries.
@@ -62,7 +62,7 @@ export function createHostState() {
 const SUPPORTED_PYTHON_VERSIONS = ['3.13', '3.12', '3.11', '3.10', '3.9'];
 
 function findPythonExecutable(scriptRoot, explicitPath) {
-  // 0. Explicit path from config (app.config.json "PythonPath" or env var)
+  // 0. Explicit path from config (app-config.yaml PythonPath or env var)
   if (explicitPath) {
     if (existsSync(explicitPath)) return explicitPath;
     // Maybe it's a command name on PATH
@@ -361,7 +361,7 @@ export async function launchHost(hostDir, opts) {
       } catch { /* non-fatal */ }
     } else {
       console.error(warning('⚠️  Python runtime requested but no compatible python (3.9-3.13) found.'));
-      console.error(dim('   Set "PythonPath" in app.config.json or FNX_PYTHON_PATH env var.'));
+      console.error(dim('   Set "PythonPath" in app-config.yaml configurations or FNX_PYTHON_PATH env var.'));
     }
   }
 

package/lib/live-mcp-server.js

@@ -200,7 +200,7 @@ Only HTTP functions can be invoked. For non-HTTP, upload data to the trigger sou
     'get_app_settings',
     {
       title: 'Get App Settings',
-      description: `Get merged app settings (app.config.json + local.settings.json) with secrets redacted.
+      description: `Get merged app settings (app-config.yaml + local.settings.json) with secrets redacted.
 Shows environment variables injected into the host process.`,
       inputSchema: z.object({}),
     },

package/lib/pack.js

@@ -90,21 +90,39 @@ async function stageDotnetIsolatedBuild(scriptRoot, tempRoot) {
 }
 
 export async function detectRuntimeFromConfig(scriptRoot) {
-  const appConfigPath = resolvePath(scriptRoot, 'app.config.json');
-  const localSettingsPath = resolvePath(scriptRoot, 'local.settings.json');
+  // Try app-config.yaml first (new format), then fall back to app.config.json (legacy)
+  const { parse: parseYaml } = await import('yaml');
 
-  const parseIfExists = async (filePath) => {
-    try {
-      const raw = await readFile(filePath, 'utf-8');
-      return JSON.parse(raw);
-    } catch {
-      return null;
-    }
+  const tryRead = async (filePath) => {
+    try { return await readFile(filePath, 'utf-8'); } catch { return null; }
   };
 
-  const appConfig = await parseIfExists(appConfigPath);
-  const localSettings = await parseIfExists(localSettingsPath);
-  return appConfig?.Values?.FUNCTIONS_WORKER_RUNTIME || localSettings?.Values?.FUNCTIONS_WORKER_RUNTIME || null;
+  // app-config.yaml: runtime.name
+  const yamlContent = await tryRead(resolvePath(scriptRoot, 'app-config.yaml'));
+  if (yamlContent) {
+    const config = parseYaml(yamlContent);
+    if (config?.runtime?.name) return config.runtime.name;
+  }
+
+  // Legacy app.config.json: Values.FUNCTIONS_WORKER_RUNTIME
+  const jsonContent = await tryRead(resolvePath(scriptRoot, 'app.config.json'));
+  if (jsonContent) {
+    try {
+      const config = JSON.parse(jsonContent);
+      if (config?.Values?.FUNCTIONS_WORKER_RUNTIME) return config.Values.FUNCTIONS_WORKER_RUNTIME;
+    } catch { /* ignore */ }
+  }
+
+  // local.settings.json fallback
+  const localContent = await tryRead(resolvePath(scriptRoot, 'local.settings.json'));
+  if (localContent) {
+    try {
+      const config = JSON.parse(localContent);
+      if (config?.Values?.FUNCTIONS_WORKER_RUNTIME) return config.Values.FUNCTIONS_WORKER_RUNTIME;
+    } catch { /* ignore */ }
+  }
+
+  return null;
 }
 
 export async function packFunctionApp({ scriptRoot, runtime, outputPath, noBuild = false }) {

package/lib/secret-patterns.js

@@ -0,0 +1,108 @@
+// secret-patterns.js — Heuristics for detecting secrets in app-config.yaml values
+//
+// If any value matches these patterns, app-config.yaml is added to .gitignore
+// and fnx operations are blocked until the secret is moved to local.settings.json.
+
+// ── Connection string patterns ──
+
+const CONNECTION_STRING_PATTERNS = [
+  /DefaultEndpointsProtocol\s*=/i,
+  /AccountKey\s*=/i,
+  /SharedAccessSignature\s*=/i,
+  /Endpoint\s*=\s*sb:\/\//i,           // Service Bus
+  /Endpoint\s*=\s*https?:\/\//i,       // Generic endpoint-based
+  /Data Source\s*=.*Password\s*=/i,     // SQL connection string
+  /Server\s*=.*User Id\s*=/i,          // SQL alternate format
+  /mongodb(\+srv)?:\/\//i,             // MongoDB
+  /redis:\/\//i,                        // Redis
+  /amqps?:\/\//i,                       // AMQP (Event Hub, RabbitMQ)
+];
+
+// ── Key name patterns (these setting NAMES typically hold secrets) ──
+
+const SECRET_KEY_NAMES = [
+  /ConnectionString$/i,
+  /^AzureWebJobsStorage$/i,
+  /^APPINSIGHTS_INSTRUMENTATIONKEY$/i,
+  /^APPLICATIONINSIGHTS_CONNECTION_STRING$/i,
+  /StorageConnectionString/i,
+  /EventHubConnectionString/i,
+  /ServiceBusConnectionString/i,
+  /^AzureWebJobsSecretStorage/i,
+  /SecretStorageKeyVault/i,
+  /Password$/i,
+  /Secret$/i,
+  /ApiKey$/i,
+  /Token$/i,
+  /^SAS_/i,
+];
+
+// ── Value patterns (values that look like secrets regardless of key name) ──
+
+const SECRET_VALUE_PATTERNS = [
+  /^sig=[A-Za-z0-9%+/=]{20,}/,         // SAS token signature
+  /^Bearer\s+[A-Za-z0-9._-]{20,}/,     // Bearer token
+  /^ey[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}/,  // JWT
+];
+
+// Special case: "UseDevelopmentStorage=true" is NOT a secret
+const AZURITE_VALUE = 'UseDevelopmentStorage=true';
+
+/**
+ * Scan all values in the config for secrets.
+ * Returns array of { path, reason } for each detected secret.
+ */
+export function detectSecrets(config) {
+  const findings = [];
+
+  // Scan configurations.* section
+  if (config.configurations && typeof config.configurations === 'object') {
+    for (const [key, value] of Object.entries(config.configurations)) {
+      const strValue = String(value);
+
+      // Skip Azurite marker — it's not a real secret
+      if (strValue === AZURITE_VALUE) continue;
+
+      // Check key name
+      for (const pattern of SECRET_KEY_NAMES) {
+        if (pattern.test(key)) {
+          findings.push({
+            path: `configurations.${key}`,
+            reason: `Key name "${key}" typically holds secrets. Move to local.settings.json.`,
+          });
+          break;
+        }
+      }
+
+      // Check value for connection string patterns
+      for (const pattern of CONNECTION_STRING_PATTERNS) {
+        if (pattern.test(strValue)) {
+          findings.push({
+            path: `configurations.${key}`,
+            reason: `Value looks like a connection string. Move to local.settings.json.`,
+          });
+          break;
+        }
+      }
+
+      // Check value patterns
+      for (const pattern of SECRET_VALUE_PATTERNS) {
+        if (pattern.test(strValue)) {
+          findings.push({
+            path: `configurations.${key}`,
+            reason: `Value looks like a token or credential. Move to local.settings.json.`,
+          });
+          break;
+        }
+      }
+    }
+  }
+
+  // Deduplicate by path (a value might match both key name and value patterns)
+  const seen = new Set();
+  return findings.filter(f => {
+    if (seen.has(f.path)) return false;
+    seen.add(f.path);
+    return true;
+  });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vrdmr/fnx-test",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "SKU-aware Azure Functions local emulator",
   "type": "module",
   "bin": {
@@ -34,6 +34,7 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.26.0",
+    "yaml": "^2.8.2",
     "zod": "^4.3.6"
   }
 }