npm - iec-builder - Versions diffs - 0.1.0 - Mend

iec-builder 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/.claude/settings.local.json +111 -0
package/.iec.yaml +5 -0
package/CLAUDE.md +174 -0
package/Dockerfile +34 -0
package/README.md +84 -0
package/catalog-info.yaml +11 -0
package/dist/config/env.d.ts +219 -0
package/dist/config/env.d.ts.map +1 -0
package/dist/config/env.js +89 -0
package/dist/config/env.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +148 -0
package/dist/index.js.map +1 -0
package/dist/middleware/auth.d.ts +43 -0
package/dist/middleware/auth.d.ts.map +1 -0
package/dist/middleware/auth.js +217 -0
package/dist/middleware/auth.js.map +1 -0
package/dist/middleware/org-access.d.ts +28 -0
package/dist/middleware/org-access.d.ts.map +1 -0
package/dist/middleware/org-access.js +102 -0
package/dist/middleware/org-access.js.map +1 -0
package/dist/models/types.d.ts +254 -0
package/dist/models/types.d.ts.map +1 -0
package/dist/models/types.js +2 -0
package/dist/models/types.js.map +1 -0
package/dist/routes/ai.d.ts +2 -0
package/dist/routes/ai.d.ts.map +1 -0
package/dist/routes/ai.js +77 -0
package/dist/routes/ai.js.map +1 -0
package/dist/routes/audit.d.ts +2 -0
package/dist/routes/audit.d.ts.map +1 -0
package/dist/routes/audit.js +102 -0
package/dist/routes/audit.js.map +1 -0
package/dist/routes/builds.d.ts +2 -0
package/dist/routes/builds.d.ts.map +1 -0
package/dist/routes/builds.js +262 -0
package/dist/routes/builds.js.map +1 -0
package/dist/routes/cluster.d.ts +2 -0
package/dist/routes/cluster.d.ts.map +1 -0
package/dist/routes/cluster.js +181 -0
package/dist/routes/cluster.js.map +1 -0
package/dist/routes/config.d.ts +2 -0
package/dist/routes/config.d.ts.map +1 -0
package/dist/routes/config.js +291 -0
package/dist/routes/config.js.map +1 -0
package/dist/routes/databases.d.ts +2 -0
package/dist/routes/databases.d.ts.map +1 -0
package/dist/routes/databases.js +161 -0
package/dist/routes/databases.js.map +1 -0
package/dist/routes/db-whitelist.d.ts +2 -0
package/dist/routes/db-whitelist.d.ts.map +1 -0
package/dist/routes/db-whitelist.js +148 -0
package/dist/routes/db-whitelist.js.map +1 -0
package/dist/routes/domains.d.ts +2 -0
package/dist/routes/domains.d.ts.map +1 -0
package/dist/routes/domains.js +449 -0
package/dist/routes/domains.js.map +1 -0
package/dist/routes/oauth.d.ts +2 -0
package/dist/routes/oauth.d.ts.map +1 -0
package/dist/routes/oauth.js +180 -0
package/dist/routes/oauth.js.map +1 -0
package/dist/routes/observability.d.ts +2 -0
package/dist/routes/observability.d.ts.map +1 -0
package/dist/routes/observability.js +167 -0
package/dist/routes/observability.js.map +1 -0
package/dist/routes/orgs.d.ts +2 -0
package/dist/routes/orgs.d.ts.map +1 -0
package/dist/routes/orgs.js +270 -0
package/dist/routes/orgs.js.map +1 -0
package/dist/routes/platform.d.ts +2 -0
package/dist/routes/platform.d.ts.map +1 -0
package/dist/routes/platform.js +107 -0
package/dist/routes/platform.js.map +1 -0
package/dist/routes/push.d.ts +2 -0
package/dist/routes/push.d.ts.map +1 -0
package/dist/routes/push.js +233 -0
package/dist/routes/push.js.map +1 -0
package/dist/routes/rotation.d.ts +3 -0
package/dist/routes/rotation.d.ts.map +1 -0
package/dist/routes/rotation.js +154 -0
package/dist/routes/rotation.js.map +1 -0
package/dist/routes/services.d.ts +2 -0
package/dist/routes/services.d.ts.map +1 -0
package/dist/routes/services.js +246 -0
package/dist/routes/services.js.map +1 -0
package/dist/routes/storage.d.ts +2 -0
package/dist/routes/storage.d.ts.map +1 -0
package/dist/routes/storage.js +118 -0
package/dist/routes/storage.js.map +1 -0
package/dist/routes/users.d.ts +2 -0
package/dist/routes/users.d.ts.map +1 -0
package/dist/routes/users.js +183 -0
package/dist/routes/users.js.map +1 -0
package/dist/routes/versions.d.ts +2 -0
package/dist/routes/versions.d.ts.map +1 -0
package/dist/routes/versions.js +195 -0
package/dist/routes/versions.js.map +1 -0
package/dist/routes/webhooks.d.ts +2 -0
package/dist/routes/webhooks.d.ts.map +1 -0
package/dist/routes/webhooks.js +334 -0
package/dist/routes/webhooks.js.map +1 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.d.ts +2 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.d.ts.map +1 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.js +482 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.js.map +1 -0
package/dist/services/bio-client.d.ts +68 -0
package/dist/services/bio-client.d.ts.map +1 -0
package/dist/services/bio-client.js +110 -0
package/dist/services/bio-client.js.map +1 -0
package/dist/services/build-queue.d.ts +7 -0
package/dist/services/build-queue.d.ts.map +1 -0
package/dist/services/build-queue.js +114 -0
package/dist/services/build-queue.js.map +1 -0
package/dist/services/builder.d.ts +7 -0
package/dist/services/builder.d.ts.map +1 -0
package/dist/services/builder.js +1384 -0
package/dist/services/builder.js.map +1 -0
package/dist/services/catalog.d.ts +177 -0
package/dist/services/catalog.d.ts.map +1 -0
package/dist/services/catalog.js +805 -0
package/dist/services/catalog.js.map +1 -0
package/dist/services/catalog.test.d.ts +2 -0
package/dist/services/catalog.test.d.ts.map +1 -0
package/dist/services/catalog.test.js +467 -0
package/dist/services/catalog.test.js.map +1 -0
package/dist/services/cloudflare.d.ts +43 -0
package/dist/services/cloudflare.d.ts.map +1 -0
package/dist/services/cloudflare.js +182 -0
package/dist/services/cloudflare.js.map +1 -0
package/dist/services/config-validator.d.ts +28 -0
package/dist/services/config-validator.d.ts.map +1 -0
package/dist/services/config-validator.js +68 -0
package/dist/services/config-validator.js.map +1 -0
package/dist/services/config-validator.test.d.ts +2 -0
package/dist/services/config-validator.test.d.ts.map +1 -0
package/dist/services/config-validator.test.js +151 -0
package/dist/services/config-validator.test.js.map +1 -0
package/dist/services/crypto.d.ts +19 -0
package/dist/services/crypto.d.ts.map +1 -0
package/dist/services/crypto.js +63 -0
package/dist/services/crypto.js.map +1 -0
package/dist/services/database.d.ts +26 -0
package/dist/services/database.d.ts.map +1 -0
package/dist/services/database.js +100 -0
package/dist/services/database.js.map +1 -0
package/dist/services/db-credential-manager.d.ts +73 -0
package/dist/services/db-credential-manager.d.ts.map +1 -0
package/dist/services/db-credential-manager.js +342 -0
package/dist/services/db-credential-manager.js.map +1 -0
package/dist/services/db-provisioner.d.ts +57 -0
package/dist/services/db-provisioner.d.ts.map +1 -0
package/dist/services/db-provisioner.js +400 -0
package/dist/services/db-provisioner.js.map +1 -0
package/dist/services/db-provisioner.test.d.ts +2 -0
package/dist/services/db-provisioner.test.d.ts.map +1 -0
package/dist/services/db-provisioner.test.js +141 -0
package/dist/services/db-provisioner.test.js.map +1 -0
package/dist/services/db-whitelist.d.ts +58 -0
package/dist/services/db-whitelist.d.ts.map +1 -0
package/dist/services/db-whitelist.js +379 -0
package/dist/services/db-whitelist.js.map +1 -0
package/dist/services/dependency-resolver.d.ts +58 -0
package/dist/services/dependency-resolver.d.ts.map +1 -0
package/dist/services/dependency-resolver.js +180 -0
package/dist/services/dependency-resolver.js.map +1 -0
package/dist/services/dependency-resolver.test.d.ts +2 -0
package/dist/services/dependency-resolver.test.d.ts.map +1 -0
package/dist/services/dependency-resolver.test.js +195 -0
package/dist/services/dependency-resolver.test.js.map +1 -0
package/dist/services/deploy-gate.d.ts +19 -0
package/dist/services/deploy-gate.d.ts.map +1 -0
package/dist/services/deploy-gate.js +56 -0
package/dist/services/deploy-gate.js.map +1 -0
package/dist/services/deploy-gate.test.d.ts +2 -0
package/dist/services/deploy-gate.test.d.ts.map +1 -0
package/dist/services/deploy-gate.test.js +199 -0
package/dist/services/deploy-gate.test.js.map +1 -0
package/dist/services/dockerfile-generator.d.ts +31 -0
package/dist/services/dockerfile-generator.d.ts.map +1 -0
package/dist/services/dockerfile-generator.js +544 -0
package/dist/services/dockerfile-generator.js.map +1 -0
package/dist/services/dockerfile-generator.test.d.ts +2 -0
package/dist/services/dockerfile-generator.test.d.ts.map +1 -0
package/dist/services/dockerfile-generator.test.js +144 -0
package/dist/services/dockerfile-generator.test.js.map +1 -0
package/dist/services/forgejo.d.ts +58 -0
package/dist/services/forgejo.d.ts.map +1 -0
package/dist/services/forgejo.js +131 -0
package/dist/services/forgejo.js.map +1 -0
package/dist/services/koko.d.ts +153 -0
package/dist/services/koko.d.ts.map +1 -0
package/dist/services/koko.js +260 -0
package/dist/services/koko.js.map +1 -0
package/dist/services/kubernetes.d.ts +16 -0
package/dist/services/kubernetes.d.ts.map +1 -0
package/dist/services/kubernetes.js +102 -0
package/dist/services/kubernetes.js.map +1 -0
package/dist/services/oauth-provisioner.d.ts +30 -0
package/dist/services/oauth-provisioner.d.ts.map +1 -0
package/dist/services/oauth-provisioner.js +182 -0
package/dist/services/oauth-provisioner.js.map +1 -0
package/dist/services/oauth-provisioner.test.d.ts +2 -0
package/dist/services/oauth-provisioner.test.d.ts.map +1 -0
package/dist/services/oauth-provisioner.test.js +349 -0
package/dist/services/oauth-provisioner.test.js.map +1 -0
package/dist/services/pod-diagnostics.d.ts +11 -0
package/dist/services/pod-diagnostics.d.ts.map +1 -0
package/dist/services/pod-diagnostics.js +201 -0
package/dist/services/pod-diagnostics.js.map +1 -0
package/dist/services/rotation-scheduler.d.ts +2 -0
package/dist/services/rotation-scheduler.d.ts.map +1 -0
package/dist/services/rotation-scheduler.js +215 -0
package/dist/services/rotation-scheduler.js.map +1 -0
package/dist/services/storage-credential-manager.d.ts +43 -0
package/dist/services/storage-credential-manager.d.ts.map +1 -0
package/dist/services/storage-credential-manager.js +159 -0
package/dist/services/storage-credential-manager.js.map +1 -0
package/dist/services/storage-provisioner.d.ts +32 -0
package/dist/services/storage-provisioner.d.ts.map +1 -0
package/dist/services/storage-provisioner.js +136 -0
package/dist/services/storage-provisioner.js.map +1 -0
package/dist/services/storage.d.ts +65 -0
package/dist/services/storage.d.ts.map +1 -0
package/dist/services/storage.js +204 -0
package/dist/services/storage.js.map +1 -0
package/dist/services/troubleshooter.d.ts +22 -0
package/dist/services/troubleshooter.d.ts.map +1 -0
package/dist/services/troubleshooter.js +168 -0
package/dist/services/troubleshooter.js.map +1 -0
package/dist/services/vault-client.d.ts +114 -0
package/dist/services/vault-client.d.ts.map +1 -0
package/dist/services/vault-client.js +411 -0
package/dist/services/vault-client.js.map +1 -0
package/dist/utils/logger.d.ts +2 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +6 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/response.d.ts +13 -0
package/dist/utils/response.d.ts.map +1 -0
package/dist/utils/response.js +12 -0
package/dist/utils/response.js.map +1 -0
package/docs/registry-migration.md +301 -0
package/docs/registry-quickstart.md +169 -0
package/ecosystem.config.cjs +14 -0
package/findings.md +168 -0
package/helm/default-service/Chart.yaml +6 -0
package/helm/default-service/templates/deployment.yaml +97 -0
package/helm/default-service/templates/ingress.yaml +43 -0
package/helm/default-service/templates/service.yaml +17 -0
package/helm/default-service/values.yaml +82 -0
package/helm/services/iec-builder/Chart.yaml +6 -0
package/helm/services/iec-builder/templates/_helpers.tpl +61 -0
package/helm/services/iec-builder/templates/deployment.yaml +73 -0
package/helm/services/iec-builder/templates/service.yaml +15 -0
package/helm/services/iec-builder/templates/serviceaccount.yaml +12 -0
package/helm/services/iec-builder/values.yaml +56 -0
package/helm/vault-values.yaml +127 -0
package/package.json +45 -0
package/progress.md +156 -0
package/scripts/.vault-init-keys.json +23 -0
package/scripts/backfill-ownership.ts +113 -0
package/scripts/finalize-mongo-auth.sh +212 -0
package/scripts/setup-ipset.sh +107 -0
package/scripts/setup-mongo-auth.sh +163 -0
package/scripts/setup-neo4j-auth.sh +62 -0
package/scripts/setup-redis-auth.sh +55 -0
package/scripts/setup-registry-secret.sh +71 -0
package/scripts/setup-vault.sh +308 -0
package/src/config/env.ts +117 -0
package/src/index.ts +153 -0
package/src/middleware/auth.ts +294 -0
package/src/middleware/org-access.ts +126 -0
package/src/models/types.ts +288 -0
package/src/routes/ai.ts +115 -0
package/src/routes/audit.ts +121 -0
package/src/routes/builds.ts +320 -0
package/src/routes/cluster.ts +235 -0
package/src/routes/config.ts +369 -0
package/src/routes/databases.ts +201 -0
package/src/routes/db-whitelist.ts +204 -0
package/src/routes/domains.ts +547 -0
package/src/routes/oauth.ts +195 -0
package/src/routes/observability.ts +205 -0
package/src/routes/orgs.ts +330 -0
package/src/routes/platform.ts +134 -0
package/src/routes/rotation.ts +191 -0
package/src/routes/services.ts +290 -0
package/src/routes/storage.ts +153 -0
package/src/routes/users.ts +235 -0
package/src/routes/webhooks.ts +384 -0
package/src/services/__tests__/catalog-storage.test.ts +186 -0
package/src/services/__tests__/deploy-pipeline.integration.test.ts +624 -0
package/src/services/__tests__/pod-diagnostics.test.ts +332 -0
package/src/services/__tests__/storage-credential-manager.test.ts +129 -0
package/src/services/__tests__/storage-provisioner.test.ts +166 -0
package/src/services/__tests__/troubleshooter.test.ts +329 -0
package/src/services/bio-client.ts +189 -0
package/src/services/build-queue.ts +137 -0
package/src/services/builder.ts +1800 -0
package/src/services/catalog.test.ts +1389 -0
package/src/services/catalog.ts +1187 -0
package/src/services/cloudflare.ts +259 -0
package/src/services/config-validator.test.ts +190 -0
package/src/services/config-validator.ts +108 -0
package/src/services/crypto.ts +78 -0
package/src/services/database.ts +122 -0
package/src/services/db-credential-manager.test.ts +101 -0
package/src/services/db-credential-manager.ts +447 -0
package/src/services/db-provisioner.test.ts +602 -0
package/src/services/db-provisioner.ts +589 -0
package/src/services/db-whitelist.test.ts +671 -0
package/src/services/db-whitelist.ts +496 -0
package/src/services/dependency-resolver.test.ts +677 -0
package/src/services/dependency-resolver.ts +319 -0
package/src/services/deploy-gate.test.ts +247 -0
package/src/services/deploy-gate.ts +75 -0
package/src/services/dockerfile-generator.test.ts +401 -0
package/src/services/dockerfile-generator.ts +606 -0
package/src/services/forgejo.ts +212 -0
package/src/services/koko.ts +492 -0
package/src/services/kubernetes.ts +141 -0
package/src/services/oauth-provisioner.test.ts +477 -0
package/src/services/oauth-provisioner.ts +286 -0
package/src/services/pod-diagnostics.ts +261 -0
package/src/services/rotation-scheduler.ts +293 -0
package/src/services/storage-credential-manager.ts +223 -0
package/src/services/storage-provisioner.ts +216 -0
package/src/services/storage.ts +274 -0
package/src/services/troubleshooter.ts +208 -0
package/src/services/vault-client.test.ts +272 -0
package/src/services/vault-client.ts +587 -0
package/src/utils/logger.ts +6 -0
package/src/utils/response.ts +23 -0
package/task_plan.md +171 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +19 -0

package/src/services/dockerfile-generator.test.ts ADDED Viewed

@@ -0,0 +1,401 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import { mkdir, writeFile, rm } from 'fs/promises'
+import { join } from 'path'
+import { tmpdir } from 'os'
+import { randomUUID } from 'crypto'
+vi.mock('../utils/logger.js', () => ({
+  logger: {
+    info: vi.fn(),
+    warn: vi.fn(),
+    error: vi.fn(),
+  },
+}))
+import { generateDockerfile, patchCustomDockerfile } from './dockerfile-generator.js'
+import type { ParsedCatalog } from './catalog.js'
+function makeCatalog(overrides: Partial<ParsedCatalog> = {}): ParsedCatalog {
+  return {
+    name: 'test-site',
+    description: 'Test static site',
+    framework: 'static',
+    nodeVersion: '20',
+    buildCommand: 'true',
+    startCommand: '',
+    outputDir: '.',
+    port: 80,
+    healthEndpoint: '/health',
+    envVars: [],
+    routes: [],
+    cronjobs: [],
+    databases: [],
+    internalDependencies: [],
+    lifecycle: 'production',
+    owner: 'test-org',
+    type: 'service',
+    podTier: 'nano',
+    configDeclarations: [],
+    copyPaths: [],
+    catalogVersion: '0.3.0',
+    consumesDatabase: [],
+    dependencies: [],
+    storage: [],
+    modules: [],
+    externalDependencies: [],
+    ...overrides,
+  }
+}
+async function createFixture(files: Record<string, string>): Promise<string> {
+  const dir = join(tmpdir(), `iec-builder-test-${randomUUID()}`)
+  await mkdir(dir, { recursive: true })
+  for (const [name, content] of Object.entries(files)) {
+    const filePath = join(dir, name)
+    const parentDir = join(filePath, '..')
+    await mkdir(parentDir, { recursive: true })
+    await writeFile(filePath, content, 'utf-8')
+  }
+  return dir
+}
+describe('dockerfile-generator', () => {
+  const tempDirs: string[] = []
+  afterEach(async () => {
+    await Promise.all(tempDirs.map(d => rm(d, { recursive: true, force: true })))
+    tempDirs.splice(0, tempDirs.length)
+  })
+  async function setup(files: Record<string, string>) {
+    const dir = await createFixture(files)
+    tempDirs.push(dir)
+    return dir
+  }
+  describe('static framework — no package.json (raw HTML)', () => {
+    it('should generate a simple nginx Dockerfile without build step', async () => {
+      const dir = await setup({
+        'index.html': '<html><body>Hello</body></html>',
+        'catalog-info.yaml': 'apiVersion: backstage.io/v1alpha1',
+      })
+      const result = await generateDockerfile(dir, makeCatalog())
+      expect(result).toContain('Dockerfile.generated')
+      const { readFile } = await import('fs/promises')
+      const content = await readFile(result, 'utf-8')
+      expect(content).toContain('FROM nginx:alpine')
+      expect(content).not.toContain('FROM node:')
+      expect(content).not.toContain('npm install')
+      expect(content).not.toContain('npm run build')
+      expect(content).toContain('COPY . /usr/share/nginx/html')
+      expect(content).toContain('/health')
+      expect(content).toContain('EXPOSE 80')
+      expect(content).toContain('rm -rf')
+      expect(content).toContain('catalog-info.yaml')
+    })
+    it('should clean up non-servable files in raw HTML mode', async () => {
+      const dir = await setup({
+        'index.html': '<html><body>Hello</body></html>',
+      })
+      const result = await generateDockerfile(dir, makeCatalog())
+      const { readFile } = await import('fs/promises')
+      const content = await readFile(result, 'utf-8')
+      expect(content).toContain('.git')
+      expect(content).toContain('.iec.yaml')
+      expect(content).toContain('helm')
+      expect(content).toContain('.gitignore')
+    })
+  })
+  describe('static framework — with package.json (build step)', () => {
+    it('should generate multi-stage Dockerfile with npm build', async () => {
+      const dir = await setup({
+        'package.json': JSON.stringify({ name: 'test', scripts: { build: 'vite build' } }),
+        'index.html': '<html><body>Hello</body></html>',
+      })
+      const catalog = makeCatalog({
+        buildCommand: 'npm run build',
+        outputDir: 'dist',
+      })
+      const result = await generateDockerfile(dir, catalog)
+      const { readFile } = await import('fs/promises')
+      const content = await readFile(result, 'utf-8')
+      expect(content).toContain('FROM node:20-alpine AS builder')
+      expect(content).toContain('npm install')
+      expect(content).toContain('npm run build')
+      expect(content).toContain('FROM nginx:alpine AS runner')
+      expect(content).toContain('COPY --from=builder /app/dist /usr/share/nginx/html')
+      expect(content).toContain('/health')
+    })
+  })
+  describe('existing Dockerfile', () => {
+    it('should always generate Dockerfile.generated even when Dockerfile exists', async () => {
+      const dir = await setup({
+        'Dockerfile': 'FROM nginx:alpine\nCOPY . /usr/share/nginx/html',
+        'index.html': '<html><body>Hello</body></html>',
+      })
+      const result = await generateDockerfile(dir, makeCatalog())
+      expect(result).toEqual(join(dir, 'Dockerfile.generated'))
+    })
+  })
+  describe('other frameworks', () => {
+    it('should generate express Dockerfile', async () => {
+      const dir = await setup({
+        'package.json': JSON.stringify({ name: 'test' }),
+      })
+      const catalog = makeCatalog({
+        framework: 'express',
+        port: 3000,
+        buildCommand: 'npm run build',
+        startCommand: 'npm start',
+        outputDir: 'dist',
+      })
+      const result = await generateDockerfile(dir, catalog)
+      const { readFile } = await import('fs/promises')
+      const content = await readFile(result, 'utf-8')
+      expect(content).toContain('Express/Hono/Fastify')
+      expect(content).toContain('EXPOSE 3000')
+    })
+  })
+})
+describe('patchCustomDockerfile', () => {
+  const tempDirs: string[] = []
+  afterEach(async () => {
+    await Promise.all(tempDirs.map(d => rm(d, { recursive: true, force: true })))
+    tempDirs.splice(0, tempDirs.length)
+  })
+  async function setupDockerfile(content: string): Promise<string> {
+    const dir = join(tmpdir(), `iec-builder-test-${randomUUID()}`)
+    await mkdir(dir, { recursive: true })
+    const filePath = join(dir, 'Dockerfile')
+    await writeFile(filePath, content, 'utf-8')
+    tempDirs.push(dir)
+    return filePath
+  }
+  async function readPatched(filePath: string): Promise<string> {
+    const { readFile } = await import('fs/promises')
+    return readFile(filePath, 'utf-8')
+  }
+  describe('numeric UID patching', () => {
+    it('should replace non-numeric USER with USER 1001', async () => {
+      const path = await setupDockerfile([
+        'FROM node:20-alpine AS builder',
+        'WORKDIR /app',
+        'COPY . .',
+        'RUN npm run build',
+        'FROM node:20-alpine AS runner',
+        'USER nextjs',
+        'CMD ["node", "server.js"]',
+      ].join('\n'))
+      const patches = await patchCustomDockerfile(path, false)
+      const content = await readPatched(path)
+      expect(patches).toHaveLength(1)
+      expect(patches[0].type).toBe('numeric-uid')
+      expect(patches[0].message).toContain('USER nextjs')
+      expect(content).toContain('USER 1001')
+      expect(content).not.toContain('USER nextjs')
+    })
+    it('should leave numeric USER untouched', async () => {
+      const path = await setupDockerfile([
+        'FROM node:20-alpine',
+        'USER 1001',
+        'CMD ["node", "server.js"]',
+      ].join('\n'))
+      const patches = await patchCustomDockerfile(path, false)
+      const content = await readPatched(path)
+      expect(patches).toHaveLength(0)
+      expect(content).toContain('USER 1001')
+    })
+    it('should not replace root USER (validated separately)', async () => {
+      const path = await setupDockerfile([
+        'FROM node:20-alpine',
+        'USER root',
+        'CMD ["node", "server.js"]',
+      ].join('\n'))
+      const patches = await patchCustomDockerfile(path, false)
+      expect(patches).toHaveLength(0)
+    })
+    it('should only patch USER in the final stage', async () => {
+      const path = await setupDockerfile([
+        'FROM node:20-alpine AS builder',
+        'USER builduser',
+        'RUN npm run build',
+        'FROM node:20-alpine AS runner',
+        'USER appuser',
+        'CMD ["node", "server.js"]',
+      ].join('\n'))
+      const patches = await patchCustomDockerfile(path, false)
+      const content = await readPatched(path)
+      // Only the final stage USER should be patched
+      expect(patches).toHaveLength(1)
+      expect(content).toContain('USER builduser')
+      expect(content).not.toContain('USER appuser')
+      expect(content).toMatch(/AS runner[\s\S]*USER 1001/)
+    })
+  })
+  describe('Vault entrypoint injection', () => {
+    it('should inject Vault entrypoint when missing and vault enabled', async () => {
+      const path = await setupDockerfile([
+        'FROM node:20-alpine',
+        'WORKDIR /app',
+        'COPY . .',
+        'USER 1001',
+        'CMD ["node", "server.js"]',
+      ].join('\n'))
+      const patches = await patchCustomDockerfile(path, true)
+      const content = await readPatched(path)
+      expect(patches).toHaveLength(1)
+      expect(patches[0].type).toBe('vault-entrypoint')
+      expect(content).toContain('/vault/secrets')
+      expect(content).toContain('entrypoint.sh')
+      expect(content).toContain('ENTRYPOINT')
+    })
+    it('should not inject Vault entrypoint when vault disabled', async () => {
+      const path = await setupDockerfile([
+        'FROM node:20-alpine',
+        'USER 1001',
+        'CMD ["node", "server.js"]',
+      ].join('\n'))
+      const patches = await patchCustomDockerfile(path, false)
+      expect(patches).toHaveLength(0)
+    })
+    it('should skip injection if Vault entrypoint already present', async () => {
+      const path = await setupDockerfile([
+        'FROM node:20-alpine',
+        'WORKDIR /app',
+        'COPY . .',
+        'RUN printf \'#!/bin/sh\\nfor f in /vault/secrets/*; do . "$f"; done\\nexec "$@"\\n\' > /usr/local/bin/entrypoint.sh && chmod +x /usr/local/bin/entrypoint.sh',
+        'ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]',
+        'USER 1001',
+        'CMD ["node", "server.js"]',
+      ].join('\n'))
+      const patches = await patchCustomDockerfile(path, true)
+      expect(patches).toHaveLength(0)
+    })
+    it('should inject Vault entrypoint before USER directive', async () => {
+      const path = await setupDockerfile([
+        'FROM node:20-alpine',
+        'WORKDIR /app',
+        'COPY . .',
+        'USER 1001',
+        'CMD ["node", "server.js"]',
+      ].join('\n'))
+      await patchCustomDockerfile(path, true)
+      const content = await readPatched(path)
+      // Vault ENTRYPOINT should appear before USER 1001
+      const entrypointIdx = content.indexOf('ENTRYPOINT')
+      const userIdx = content.indexOf('USER 1001')
+      expect(entrypointIdx).toBeGreaterThan(-1)
+      expect(entrypointIdx).toBeLessThan(userIdx)
+    })
+    it('should convert existing ENTRYPOINT to CMD when wrapping with Vault', async () => {
+      const path = await setupDockerfile([
+        'FROM node:20-alpine',
+        'WORKDIR /app',
+        'COPY . .',
+        'USER 1001',
+        'ENTRYPOINT ["node", "server.js"]',
+      ].join('\n'))
+      const patches = await patchCustomDockerfile(path, true)
+      const content = await readPatched(path)
+      expect(patches).toHaveLength(1)
+      expect(patches[0].type).toBe('vault-entrypoint')
+      // Original ENTRYPOINT should be converted to CMD
+      expect(content).toContain('CMD ["node", "server.js"]')
+      // Vault ENTRYPOINT should be present
+      expect(content).toContain('ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]')
+    })
+  })
+  describe('combined patches', () => {
+    it('should apply both UID fix and Vault injection', async () => {
+      const path = await setupDockerfile([
+        'FROM node:20-alpine AS builder',
+        'WORKDIR /app',
+        'COPY . .',
+        'RUN npm run build',
+        'FROM node:20-alpine AS runner',
+        'WORKDIR /app',
+        'COPY --from=builder /app/dist ./dist',
+        'USER nextjs',
+        'CMD ["node", "dist/index.js"]',
+      ].join('\n'))
+      const patches = await patchCustomDockerfile(path, true)
+      const content = await readPatched(path)
+      expect(patches).toHaveLength(2)
+      const types = patches.map(p => p.type)
+      expect(types).toContain('numeric-uid')
+      expect(types).toContain('vault-entrypoint')
+      expect(content).toContain('USER 1001')
+      expect(content).not.toContain('USER nextjs')
+      expect(content).toContain('/vault/secrets')
+      expect(content).toContain('ENTRYPOINT')
+    })
+    it('should not modify file when no patches needed', async () => {
+      const original = [
+        'FROM node:20-alpine',
+        'WORKDIR /app',
+        'COPY . .',
+        'USER 1001',
+        'CMD ["node", "server.js"]',
+      ].join('\n')
+      const path = await setupDockerfile(original)
+      const patches = await patchCustomDockerfile(path, false)
+      const content = await readPatched(path)
+      expect(patches).toHaveLength(0)
+      expect(content).toBe(original)
+    })
+  })
+})