@aifabrix/builder 2.1.5 → 2.1.6

package/lib/commands/app.js

@@ -16,6 +16,8 @@ const yaml = require('js-yaml');
 const { getConfig } = require('../config');
 const { authenticatedApiCall } = require('../utils/api');
 const logger = require('../utils/logger');
+const { saveLocalSecret, isLocalhost } = require('../utils/local-secrets');
+const { updateEnvTemplate } = require('../utils/env-template');
 
 // Import createApp to auto-generate config if missing
 let createApp;
@@ -312,6 +314,26 @@ function setupAppCommands(program) {
           registrationData
         );
 
+        // Save credentials to local secrets if localhost
+        if (isLocalhost(config.apiUrl)) {
+          const appKey = responseData.application.key;
+          const clientIdKey = `${appKey}-client-idKeyVault`;
+          const clientSecretKey = `${appKey}-client-secretKeyVault`;
+
+          try {
+            await saveLocalSecret(clientIdKey, responseData.credentials.clientId);
+            await saveLocalSecret(clientSecretKey, responseData.credentials.clientSecret);
+
+            // Update env.template
+            await updateEnvTemplate(appKey, clientIdKey, clientSecretKey);
+
+            logger.log(chalk.green('\n✓ Credentials saved to ~/.aifabrix/secrets.local.yaml'));
+            logger.log(chalk.green('✓ env.template updated with MISO_CLIENTID and MISO_CLIENTSECRET\n'));
+          } catch (error) {
+            logger.warn(chalk.yellow(`⚠️  Could not save credentials locally: ${error.message}`));
+          }
+        }
+
         // Display results
         displayRegistrationResults(responseData, config.apiUrl);
 
@@ -403,6 +425,27 @@ function setupAppCommands(program) {
         logger.log(chalk.yellow(`   Client Secret: ${response.data.credentials.clientSecret}\n`));
         logger.log(chalk.red('⚠️  Old secret is now invalid. Update GitHub Secrets!\n'));
 
+        // Save credentials to local secrets if localhost
+        if (isLocalhost(config.apiUrl)) {
+          const appKey = response.data.application?.key || options.app;
+          const clientIdKey = `${appKey}-client-idKeyVault`;
+          const clientSecretKey = `${appKey}-client-secretKeyVault`;
+
+          try {
+            await saveLocalSecret(clientIdKey, response.data.credentials.clientId);
+            await saveLocalSecret(clientSecretKey, response.data.credentials.clientSecret);
+
+            // Update env.template
+            await updateEnvTemplate(appKey, clientIdKey, clientSecretKey);
+
+            logger.log(chalk.green('✓ Credentials saved to ~/.aifabrix/secrets.local.yaml'));
+            logger.log(chalk.green('✓ env.template updated with MISO_CLIENTID and MISO_CLIENTSECRET'));
+            logger.log('');
+          } catch (error) {
+            logger.warn(chalk.yellow(`⚠️  Could not save credentials locally: ${error.message}`));
+          }
+        }
+
       } catch (error) {
         logger.error(chalk.red('❌ Rotation failed:'), error.message);
         process.exit(1);

package/lib/secrets.js

@@ -19,6 +19,10 @@ const {
   generateMissingSecrets,
   createDefaultSecrets
 } = require('./utils/secrets-generator');
+const {
+  resolveSecretsPath,
+  getActualSecretsPath
+} = require('./utils/secrets-path');
 
 /**
  * Loads environment configuration for docker/local context
@@ -31,73 +35,147 @@ function loadEnvConfig() {
 }
 
 /**
- * Loads secrets from the specified file or default location
- * Supports both user secrets (~/.aifabrix/secrets.yaml) and project overrides
+ * Loads secrets from file with cascading lookup support
+ * First checks ~/.aifabrix/secrets.local.yaml, then build.secrets from variables.yaml
+ *
+ * @async
+ * @function loadSecretsFromFile
+ * @param {string} filePath - Path to secrets file
+ * @returns {Promise<Object>} Loaded secrets object or empty object if file doesn't exist
+ */
+async function loadSecretsFromFile(filePath) {
+  if (!fs.existsSync(filePath)) {
+    return {};
+  }
+
+  try {
+    const content = fs.readFileSync(filePath, 'utf8');
+    const secrets = yaml.load(content);
+
+    if (!secrets || typeof secrets !== 'object') {
+      return {};
+    }
+
+    return secrets;
+  } catch (error) {
+    logger.warn(`Warning: Could not read secrets file ${filePath}: ${error.message}`);
+    return {};
+  }
+}
+
+/**
+ * Loads secrets with cascading lookup
+ * Supports both user secrets (~/.aifabrix/secrets.local.yaml) and project overrides
+ * User's file takes priority, then falls back to build.secrets from variables.yaml
  *
  * @async
  * @function loadSecrets
- * @param {string} [secretsPath] - Path to secrets file (optional)
+ * @param {string} [secretsPath] - Path to secrets file (optional, for explicit override)
+ * @param {string} [appName] - Application name (optional, for variables.yaml lookup)
  * @returns {Promise<Object>} Loaded secrets object
- * @throws {Error} If secrets file cannot be loaded or parsed
+ * @throws {Error} If no secrets file found and no fallback available
  *
  * @example
  * const secrets = await loadSecrets('../../secrets.local.yaml');
  * // Returns: { 'postgres-passwordKeyVault': 'admin123', ... }
  */
-async function loadSecrets(secretsPath) {
-  const resolvedPath = resolveSecretsPath(secretsPath);
+async function loadSecrets(secretsPath, appName) {
+  // If explicit path provided, use it (backward compatibility)
+  if (secretsPath) {
+    const resolvedPath = resolveSecretsPath(secretsPath);
+    if (!fs.existsSync(resolvedPath)) {
+      throw new Error(`Secrets file not found: ${resolvedPath}`);
+    }
 
-  if (!fs.existsSync(resolvedPath)) {
-    throw new Error(`Secrets file not found: ${resolvedPath}`);
-  }
+    const content = fs.readFileSync(resolvedPath, 'utf8');
+    const secrets = yaml.load(content);
 
-  const content = fs.readFileSync(resolvedPath, 'utf8');
-  const secrets = yaml.load(content);
+    if (!secrets || typeof secrets !== 'object') {
+      throw new Error(`Invalid secrets file format: ${resolvedPath}`);
+    }
 
-  if (!secrets || typeof secrets !== 'object') {
-    throw new Error(`Invalid secrets file format: ${resolvedPath}`);
+    return secrets;
   }
 
-  return secrets;
-}
+  // Cascading lookup: user's file first
+  const userSecretsPath = path.join(os.homedir(), '.aifabrix', 'secrets.local.yaml');
+  let mergedSecrets;
+  if (fs.existsSync(userSecretsPath)) {
+    try {
+      const content = fs.readFileSync(userSecretsPath, 'utf8');
+      const secrets = yaml.load(content);
+      if (!secrets || typeof secrets !== 'object') {
+        throw new Error(`Invalid secrets file format: ${userSecretsPath}`);
+      }
+      mergedSecrets = secrets;
+    } catch (error) {
+      // If it's a format error, throw it; otherwise log warning and continue
+      if (error.message.includes('Invalid secrets file format')) {
+        throw error;
+      }
+      logger.warn(`Warning: Could not read secrets file ${userSecretsPath}: ${error.message}`);
+      mergedSecrets = {};
+    }
+  } else {
+    mergedSecrets = {};
+  }
 
-/**
- * Resolves secrets file path (same logic as loadSecrets)
- * Also checks common locations if path is not provided
- * @function resolveSecretsPath
- * @param {string} [secretsPath] - Path to secrets file (optional)
- * @returns {string} Resolved secrets file path
- */
-function resolveSecretsPath(secretsPath) {
-  let resolvedPath = secretsPath;
-
-  if (!resolvedPath) {
-    // Check common locations for secrets.local.yaml
-    const commonLocations = [
-      path.join(process.cwd(), '..', 'aifabrix-setup', 'secrets.local.yaml'),
-      path.join(process.cwd(), '..', '..', 'aifabrix-setup', 'secrets.local.yaml'),
-      path.join(process.cwd(), 'secrets.local.yaml'),
-      path.join(process.cwd(), '..', 'secrets.local.yaml'),
-      path.join(os.homedir(), '.aifabrix', 'secrets.yaml')
-    ];
-
-    // Find first existing file
-    for (const location of commonLocations) {
-      if (fs.existsSync(location)) {
-        resolvedPath = location;
-        break;
+  // Then check build.secrets from variables.yaml if appName provided
+  if (appName) {
+    const variablesPath = path.join(process.cwd(), 'builder', appName, 'variables.yaml');
+    if (fs.existsSync(variablesPath)) {
+      try {
+        const variablesContent = fs.readFileSync(variablesPath, 'utf8');
+        const variables = yaml.load(variablesContent);
+
+        if (variables?.build?.secrets) {
+          const buildSecretsPath = path.resolve(
+            path.dirname(variablesPath),
+            variables.build.secrets
+          );
+
+          const buildSecrets = await loadSecretsFromFile(buildSecretsPath);
+
+          // Merge: user's file takes priority, but use build.secrets for missing/empty values
+          for (const [key, value] of Object.entries(buildSecrets)) {
+            if (!(key in mergedSecrets) || !mergedSecrets[key] || mergedSecrets[key] === '') {
+              mergedSecrets[key] = value;
+            }
+          }
+        }
+      } catch (error) {
+        logger.warn(`Warning: Could not load build.secrets from variables.yaml: ${error.message}`);
       }
     }
+  }
 
-    // If none found, use default location
-    if (!resolvedPath) {
-      resolvedPath = path.join(os.homedir(), '.aifabrix', 'secrets.yaml');
+  // If still no secrets found, try default location
+  if (Object.keys(mergedSecrets).length === 0) {
+    const defaultPath = path.join(os.homedir(), '.aifabrix', 'secrets.yaml');
+    if (fs.existsSync(defaultPath)) {
+      try {
+        const content = fs.readFileSync(defaultPath, 'utf8');
+        const secrets = yaml.load(content);
+        if (!secrets || typeof secrets !== 'object') {
+          throw new Error(`Invalid secrets file format: ${defaultPath}`);
+        }
+        mergedSecrets = secrets;
+      } catch (error) {
+        // If it's a format error, throw it; otherwise log warning
+        if (error.message.includes('Invalid secrets file format')) {
+          throw error;
+        }
+        logger.warn(`Warning: Could not read secrets file ${defaultPath}: ${error.message}`);
+      }
     }
-  } else if (secretsPath.startsWith('..')) {
-    resolvedPath = path.resolve(process.cwd(), secretsPath);
   }
 
-  return resolvedPath;
+  // If still empty, throw error
+  if (Object.keys(mergedSecrets).length === 0) {
+    throw new Error('No secrets file found. Please create ~/.aifabrix/secrets.local.yaml or configure build.secrets in variables.yaml');
+  }
+
+  return mergedSecrets;
 }
 
 /**
@@ -246,14 +324,14 @@ async function generateEnvFile(appName, secretsPath, environment = 'local', forc
 
   const template = loadEnvTemplate(templatePath);
 
-  // Resolve secrets path to show in error messages
-  const resolvedSecretsPath = resolveSecretsPath(secretsPath);
+  // Resolve secrets path to show in error messages (use actual path that loadSecrets would use)
+  const resolvedSecretsPath = getActualSecretsPath(secretsPath, appName);
 
   if (force) {
     await generateMissingSecrets(template, resolvedSecretsPath);
   }
 
-  const secrets = await loadSecrets(secretsPath);
+  const secrets = await loadSecrets(secretsPath, appName);
   const resolved = await resolveKvReferences(template, secrets, environment, resolvedSecretsPath);
 
   fs.writeFileSync(envPath, resolved, { mode: 0o600 });

package/lib/utils/env-template.js

@@ -0,0 +1,70 @@
+/**
+ * Environment Template Utilities
+ *
+ * Helper functions for updating env.template files
+ *
+ * @fileoverview Environment template update utilities
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const fs = require('fs').promises;
+const fsSync = require('fs');
+const path = require('path');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+
+/**
+ * Updates env.template to add MISO_CLIENTID and MISO_CLIENTSECRET entries
+ * @async
+ * @param {string} appKey - Application key
+ * @param {string} clientIdKey - Secret key for client ID (e.g., 'myapp-client-idKeyVault')
+ * @param {string} clientSecretKey - Secret key for client secret (e.g., 'myapp-client-secretKeyVault')
+ * @returns {Promise<void>} Resolves when template is updated
+ */
+async function updateEnvTemplate(appKey, clientIdKey, clientSecretKey) {
+  const envTemplatePath = path.join(process.cwd(), 'builder', appKey, 'env.template');
+
+  if (!fsSync.existsSync(envTemplatePath)) {
+    logger.warn(chalk.yellow(`⚠️  env.template not found for ${appKey}, skipping update`));
+    return;
+  }
+
+  try {
+    let content = await fs.readFile(envTemplatePath, 'utf8');
+
+    // Check if MISO_CLIENTID already exists
+    const hasClientId = /^MISO_CLIENTID\s*=/m.test(content);
+    const hasClientSecret = /^MISO_CLIENTSECRET\s*=/m.test(content);
+
+    if (hasClientId && hasClientSecret) {
+      // Update existing entries
+      content = content.replace(/^MISO_CLIENTID\s*=.*$/m, `MISO_CLIENTID=kv://${clientIdKey}`);
+      content = content.replace(/^MISO_CLIENTSECRET\s*=.*$/m, `MISO_CLIENTSECRET=kv://${clientSecretKey}`);
+    } else {
+      // Add new section if not present
+      const misoSection = `# MISO Application Client Credentials (per application)
+MISO_CLIENTID=kv://${clientIdKey}
+MISO_CLIENTSECRET=kv://${clientSecretKey}
+`;
+
+      // Try to find a good place to insert (after last section or at end)
+      const lastSectionMatch = content.match(/# =+.*$/gm);
+      if (lastSectionMatch && lastSectionMatch.length > 0) {
+        const lastSectionIndex = content.lastIndexOf(lastSectionMatch[lastSectionMatch.length - 1]);
+        const insertIndex = content.indexOf('\n', lastSectionIndex) + 1;
+        content = content.slice(0, insertIndex) + '\n' + misoSection + content.slice(insertIndex);
+      } else {
+        content = content + '\n' + misoSection;
+      }
+    }
+
+    await fs.writeFile(envTemplatePath, content, 'utf8');
+    logger.log(chalk.green(`✓ Updated env.template for ${appKey}`));
+  } catch (error) {
+    logger.warn(chalk.yellow(`⚠️  Could not update env.template: ${error.message}`));
+  }
+}
+
+module.exports = { updateEnvTemplate };
+

package/lib/utils/local-secrets.js

@@ -0,0 +1,98 @@
+/**
+ * Local Secrets Management Utilities
+ *
+ * Helper functions for managing local secrets in ~/.aifabrix/secrets.local.yaml
+ *
+ * @fileoverview Local secrets management utilities
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const fs = require('fs');
+const path = require('path');
+const yaml = require('js-yaml');
+const os = require('os');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+
+/**
+ * Saves a secret to ~/.aifabrix/secrets.local.yaml
+ * Merges with existing secrets without overwriting other keys
+ *
+ * @async
+ * @function saveLocalSecret
+ * @param {string} key - Secret key name
+ * @param {string} value - Secret value
+ * @returns {Promise<void>} Resolves when secret is saved
+ * @throws {Error} If save fails
+ *
+ * @example
+ * await saveLocalSecret('myapp-client-idKeyVault', 'client-id-value');
+ */
+async function saveLocalSecret(key, value) {
+  if (!key || typeof key !== 'string') {
+    throw new Error('Secret key is required and must be a string');
+  }
+
+  if (value === undefined || value === null) {
+    throw new Error('Secret value is required');
+  }
+
+  const secretsPath = path.join(os.homedir(), '.aifabrix', 'secrets.local.yaml');
+  const secretsDir = path.dirname(secretsPath);
+
+  // Create directory if needed
+  if (!fs.existsSync(secretsDir)) {
+    fs.mkdirSync(secretsDir, { recursive: true, mode: 0o700 });
+  }
+
+  // Load existing secrets
+  let existingSecrets = {};
+  if (fs.existsSync(secretsPath)) {
+    try {
+      const content = fs.readFileSync(secretsPath, 'utf8');
+      existingSecrets = yaml.load(content) || {};
+      if (typeof existingSecrets !== 'object') {
+        existingSecrets = {};
+      }
+    } catch (error) {
+      logger.warn(`Warning: Could not read existing secrets file: ${error.message}`);
+      existingSecrets = {};
+    }
+  }
+
+  // Merge with new secret
+  const updatedSecrets = {
+    ...existingSecrets,
+    [key]: value
+  };
+
+  // Save to file
+  const yamlContent = yaml.dump(updatedSecrets, {
+    indent: 2,
+    lineWidth: 120,
+    noRefs: true,
+    sortKeys: false
+  });
+
+  fs.writeFileSync(secretsPath, yamlContent, { mode: 0o600 });
+  logger.log(chalk.green(`✓ Saved secret ${key} to ${secretsPath}`));
+}
+
+/**
+ * Checks if a URL is localhost
+ * @function isLocalhost
+ * @param {string} url - URL to check
+ * @returns {boolean} True if URL is localhost
+ */
+function isLocalhost(url) {
+  if (!url || typeof url !== 'string') {
+    return false;
+  }
+
+  const urlLower = url.toLowerCase();
+  return urlLower.includes('localhost') || urlLower.includes('127.0.0.1');
+}
+
+module.exports = { saveLocalSecret, isLocalhost };
+

package/lib/utils/secrets-path.js

@@ -0,0 +1,114 @@
+/**
+ * AI Fabrix Builder Secrets Path Resolution
+ *
+ * This module handles secrets file path resolution with cascading lookup support.
+ * Determines the actual path that would be used for loading secrets.
+ *
+ * @fileoverview Secrets path resolution utilities for AI Fabrix Builder
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const yaml = require('js-yaml');
+
+/**
+ * Resolves secrets file path (backward compatibility)
+ * Checks common locations if path is not provided
+ * @function resolveSecretsPath
+ * @param {string} [secretsPath] - Path to secrets file (optional)
+ * @returns {string} Resolved secrets file path
+ */
+function resolveSecretsPath(secretsPath) {
+  let resolvedPath = secretsPath;
+
+  if (!resolvedPath) {
+    // Check common locations for secrets.local.yaml
+    const commonLocations = [
+      path.join(process.cwd(), '..', 'aifabrix-setup', 'secrets.local.yaml'),
+      path.join(process.cwd(), '..', '..', 'aifabrix-setup', 'secrets.local.yaml'),
+      path.join(process.cwd(), 'secrets.local.yaml'),
+      path.join(process.cwd(), '..', 'secrets.local.yaml'),
+      path.join(os.homedir(), '.aifabrix', 'secrets.yaml')
+    ];
+
+    // Find first existing file
+    for (const location of commonLocations) {
+      if (fs.existsSync(location)) {
+        resolvedPath = location;
+        break;
+      }
+    }
+
+    // If none found, use default location
+    if (!resolvedPath) {
+      resolvedPath = path.join(os.homedir(), '.aifabrix', 'secrets.yaml');
+    }
+  } else if (secretsPath.startsWith('..')) {
+    resolvedPath = path.resolve(process.cwd(), secretsPath);
+  }
+
+  return resolvedPath;
+}
+
+/**
+ * Determines the actual secrets file path that loadSecrets would use
+ * Mirrors the cascading lookup logic from loadSecrets
+ * @function getActualSecretsPath
+ * @param {string} [secretsPath] - Path to secrets file (optional)
+ * @param {string} [appName] - Application name (optional, for variables.yaml lookup)
+ * @returns {string} Actual secrets file path that would be used
+ */
+function getActualSecretsPath(secretsPath, appName) {
+  // If explicit path provided, use it (backward compatibility)
+  if (secretsPath) {
+    return resolveSecretsPath(secretsPath);
+  }
+
+  // Cascading lookup: user's file first
+  const userSecretsPath = path.join(os.homedir(), '.aifabrix', 'secrets.local.yaml');
+  if (fs.existsSync(userSecretsPath)) {
+    return userSecretsPath;
+  }
+
+  // Then check build.secrets from variables.yaml if appName provided
+  if (appName) {
+    const variablesPath = path.join(process.cwd(), 'builder', appName, 'variables.yaml');
+    if (fs.existsSync(variablesPath)) {
+      try {
+        const variablesContent = fs.readFileSync(variablesPath, 'utf8');
+        const variables = yaml.load(variablesContent);
+
+        if (variables?.build?.secrets) {
+          const buildSecretsPath = path.resolve(
+            path.dirname(variablesPath),
+            variables.build.secrets
+          );
+
+          if (fs.existsSync(buildSecretsPath)) {
+            return buildSecretsPath;
+          }
+        }
+      } catch (error) {
+        // Ignore errors, continue to next check
+      }
+    }
+  }
+
+  // If still no secrets found, try default location
+  const defaultPath = path.join(os.homedir(), '.aifabrix', 'secrets.yaml');
+  if (fs.existsSync(defaultPath)) {
+    return defaultPath;
+  }
+
+  // Return user's file path as default (even if it doesn't exist) for error messages
+  return userSecretsPath;
+}
+
+module.exports = {
+  resolveSecretsPath,
+  getActualSecretsPath
+};
+

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.1.5",
+  "version": "2.1.6",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {

package/templates/applications/keycloak/Dockerfile

@@ -21,9 +21,10 @@ RUN if [ -d "/tmp/build-context/themes" ] && [ "$(ls -A /tmp/build-context/theme
     fi && \
     rm -rf /tmp/build-context
 
-# Build Keycloak with health checks enabled
+# Build Keycloak with health checks enabled (similar to Keycloak 24.0)
 # This enables the /health, /health/live, /health/ready, and /health/started endpoints
-RUN /opt/keycloak/bin/kc.sh build --health-enabled=true
+# Expose health endpoints on main HTTP port (like 24.0) instead of management port
+RUN /opt/keycloak/bin/kc.sh build --health-enabled=true --http-management-health-enabled=false
 
 # Switch back to keycloak user
 USER keycloak

package/templates/applications/keycloak/env.template

@@ -15,8 +15,13 @@ KC_HTTP_ENABLED=true
 # HEALTH CHECK CONFIGURATION
 # =============================================================================
 # Enable health check endpoints: /health, /health/live, /health/ready, /health/started
+# Keycloak 26.4.0+: Health endpoints are exposed on main HTTP(S) port (8080) by default
+# Set http-management-health-enabled=false to expose on main port instead of management port
 
 KC_HEALTH_ENABLED=true
+# Expose health endpoints on main HTTP port (like Keycloak 24.0)
+# Set to false to expose on main port instead of management port (9000)
+KC_HTTP_MANAGEMENT_HEALTH_ENABLED=false
 
 # =============================================================================
 # DATABASE CONFIGURATION

package/templates/applications/keycloak/variables.yaml

@@ -25,9 +25,9 @@ requires:
 
 # Health Check
 healthCheck:
-  path: /health
+  path: /health/ready
   interval: 30
-  probePath: /health
+  probePath: /health/ready
   probeRequestType: GET
   probeProtocol: Https
   probeIntervalInSeconds: 120
@@ -49,4 +49,4 @@ build:
 # Docker Compose
 compose:
   file: docker-compose.yaml
-  service: keycloak
+  service: keycloak

package/templates/applications/miso-controller/Dockerfile

@@ -62,6 +62,9 @@ RUN pnpm exec tsc -p tsconfig.docker.json || true
 # Copy sensitive-fields.config.json to dist folder
 RUN mkdir -p dist/src/services/logging && \
     cp src/services/logging/sensitive-fields.config.json dist/src/services/logging/ || true
+# Copy generated Prisma logs client to dist folder (needed at runtime)
+RUN mkdir -p dist/database/generated && \
+    cp -r src/database/generated/logs-client dist/database/generated/ || true
 
 # Return to root to prune correctly (needed to keep workspace dependencies)
 WORKDIR /app

package/templates/applications/miso-controller/env.template

@@ -121,14 +121,14 @@ MISO_CONTROLLER_URL=kv://miso-controller-url
 
 # Web Server URL (for OpenAPI documentation server URLs)
 # Used to generate correct server URLs in OpenAPI spec
-WEB_SERVER_URL=kv://miso-web-server-url
+WEB_SERVER_URL=kv://miso-controller-web-server-url
 
 # MISO Environment Configuration (miso, dev, tst, pro)
 MISO_ENVIRONMENT=miso
 
 # MISO Application Client Credentials (per application)
-MISO_CLIENTID=kv://miso-client-idKeyVault
-MISO_CLIENTSECRET=kv://miso-client-secretKeyVault
+MISO_CLIENTID=kv://miso-controller-client-idKeyVault
+MISO_CLIENTSECRET=kv://miso-controller-client-secretKeyVault
 
 # =============================================================================
 # MORI SERVICE CONFIGURATION