@aifabrix/builder 2.21.0 → 2.22.0

package/lib/app-list.js

@@ -9,10 +9,11 @@
  */
 
 const chalk = require('chalk');
-const { getConfig } = require('./config');
+const { getConfig, normalizeControllerUrl } = require('./config');
 const { getOrRefreshDeviceToken } = require('./utils/token-manager');
 const { listEnvironmentApplications } = require('./api/environments.api');
 const { formatApiError } = require('./utils/api-error-handler');
+const { formatAuthenticationError } = require('./utils/error-formatters/http-status-errors');
 const logger = require('./utils/logger');
 
 /**
@@ -82,48 +83,85 @@ function displayApplications(applications, environment) {
  * @async
  * @param {Object} options - Command options
  * @param {string} options.environment - Environment ID or key
+ * @param {string} [options.controller] - Controller URL (optional, uses configured controller if not provided)
  * @throws {Error} If listing fails
  */
 async function listApplications(options) {
   const config = await getConfig();
 
-  // Try to get device token
-  let controllerUrl = null;
+  // Get controller URL with priority: options.controller > device tokens
+  const controllerUrl = options.controller || null;
   let token = null;
+  let actualControllerUrl = null;
 
-  if (config.device) {
-    const deviceUrls = Object.keys(config.device);
-    if (deviceUrls.length > 0) {
-      controllerUrl = deviceUrls[0];
-      const deviceToken = await getOrRefreshDeviceToken(controllerUrl);
+  // If controller URL provided, try to get device token
+  if (controllerUrl) {
+    try {
+      const normalizedUrl = normalizeControllerUrl(controllerUrl);
+      const deviceToken = await getOrRefreshDeviceToken(normalizedUrl);
       if (deviceToken && deviceToken.token) {
         token = deviceToken.token;
-        controllerUrl = deviceToken.controller;
+        actualControllerUrl = deviceToken.controller || normalizedUrl;
+      }
+    } catch (error) {
+      // Show which controller URL failed
+      logger.error(chalk.red(`❌ Failed to authenticate with controller: ${controllerUrl}`));
+      logger.error(chalk.gray(`Error: ${error.message}`));
+      process.exit(1);
+    }
+  }
+
+  // If no token yet, try to find any device token in config
+  if (!token && config.device) {
+    const deviceUrls = Object.keys(config.device);
+    if (deviceUrls.length > 0) {
+      for (const storedUrl of deviceUrls) {
+        try {
+          const normalizedStoredUrl = normalizeControllerUrl(storedUrl);
+          const deviceToken = await getOrRefreshDeviceToken(normalizedStoredUrl);
+          if (deviceToken && deviceToken.token) {
+            token = deviceToken.token;
+            actualControllerUrl = deviceToken.controller || normalizedStoredUrl;
+            break;
+          }
+        } catch (error) {
+          // Continue to next URL
+        }
       }
     }
   }
 
-  if (!token || !controllerUrl) {
-    logger.error(chalk.red('❌ Not logged in. Run: aifabrix login'));
-    logger.error(chalk.gray('   Use device code flow: aifabrix login --method device --controller <url>'));
+  if (!token || !actualControllerUrl) {
+    const formattedError = formatAuthenticationError({
+      controllerUrl: controllerUrl || undefined,
+      message: 'No valid authentication found'
+    });
+    logger.error(formattedError);
     process.exit(1);
   }
 
   // Use centralized API client
   const authConfig = { type: 'bearer', token: token };
-  const response = await listEnvironmentApplications(controllerUrl, options.environment, authConfig);
+  try {
+    const response = await listEnvironmentApplications(actualControllerUrl, options.environment, authConfig);
+
+    if (!response.success || !response.data) {
+      const formattedError = response.formattedError || formatApiError(response, actualControllerUrl);
+      logger.error(formattedError);
+      logger.error(chalk.gray(`\nController URL: ${actualControllerUrl}`));
+      // Log full response for debugging
+      logger.error(chalk.gray('\nFull response for debugging:'));
+      logger.error(chalk.gray(JSON.stringify(response, null, 2)));
+      process.exit(1);
+    }
 
-  if (!response.success || !response.data) {
-    const formattedError = response.formattedError || formatApiError(response);
-    logger.error(formattedError);
-    // Log full response for debugging
-    logger.error(chalk.gray('\nFull response for debugging:'));
-    logger.error(chalk.gray(JSON.stringify(response, null, 2)));
+    const applications = extractApplications(response);
+    displayApplications(applications, options.environment);
+  } catch (error) {
+    logger.error(chalk.red(`❌ Failed to list applications from controller: ${actualControllerUrl}`));
+    logger.error(chalk.gray(`Error: ${error.message}`));
     process.exit(1);
   }
-
-  const applications = extractApplications(response);
-  displayApplications(applications, options.environment);
 }
 
 module.exports = { listApplications };

package/lib/app-register.js

@@ -108,6 +108,7 @@ async function saveLocalCredentials(responseData, apiUrl) {
  * @param {string} appKey - Application key
  * @param {Object} options - Registration options
  * @param {string} options.environment - Environment ID or key
+ * @param {string} [options.controller] - Controller URL (overrides variables.yaml)
  * @param {number} [options.port] - Application port
  * @param {string} [options.name] - Override display name
  * @param {string} [options.description] - Override description
@@ -126,8 +127,8 @@ async function registerApplication(appKey, options) {
   const appConfig = await extractAppConfiguration(finalVariables, appKey, options);
   await validateAppRegistrationData(appConfig, appKey);
 
-  // Authenticate and get API configuration
-  const controllerUrl = finalVariables?.deployment?.controllerUrl;
+  // Get controller URL with priority: options.controller > variables.yaml > device tokens
+  const controllerUrl = options.controller || finalVariables?.deployment?.controllerUrl;
   const authConfig = await checkAuthentication(controllerUrl, options.environment);
   const environment = registerApplicationSchema.environmentId(options.environment);
 

package/lib/app-rotate-secret.js

@@ -9,10 +9,11 @@
  */
 
 const chalk = require('chalk');
-const { getConfig } = require('./config');
+const { getConfig, normalizeControllerUrl } = require('./config');
 const { getOrRefreshDeviceToken } = require('./utils/token-manager');
 const { rotateApplicationSecret } = require('./api/applications.api');
 const { formatApiError } = require('./utils/api-error-handler');
+const { formatAuthenticationError } = require('./utils/error-formatters/http-status-errors');
 const logger = require('./utils/logger');
 const { saveLocalSecret, isLocalhost } = require('./utils/local-secrets');
 const { updateEnvTemplate } = require('./utils/env-template');
@@ -83,6 +84,7 @@ function displayRotationResults(appKey, environment, credentials, apiUrl, messag
  * @param {string} appKey - Application key
  * @param {Object} options - Command options
  * @param {string} options.environment - Environment ID or key
+ * @param {string} [options.controller] - Controller URL (optional, uses configured controller if not provided)
  * @throws {Error} If rotation fails
  */
 async function rotateSecret(appKey, options) {
@@ -90,25 +92,54 @@ async function rotateSecret(appKey, options) {
 
   const config = await getConfig();
 
-  // Try to get device token
-  let controllerUrl = null;
+  // Get controller URL with priority: options.controller > device tokens
+  const controllerUrl = options.controller || null;
   let token = null;
+  let actualControllerUrl = null;
 
-  if (config.device) {
-    const deviceUrls = Object.keys(config.device);
-    if (deviceUrls.length > 0) {
-      controllerUrl = deviceUrls[0];
-      const deviceToken = await getOrRefreshDeviceToken(controllerUrl);
+  // If controller URL provided, try to get device token
+  if (controllerUrl) {
+    try {
+      const normalizedUrl = normalizeControllerUrl(controllerUrl);
+      const deviceToken = await getOrRefreshDeviceToken(normalizedUrl);
       if (deviceToken && deviceToken.token) {
         token = deviceToken.token;
-        controllerUrl = deviceToken.controller;
+        actualControllerUrl = deviceToken.controller || normalizedUrl;
+      }
+    } catch (error) {
+      // Show which controller URL failed
+      logger.error(chalk.red(`❌ Failed to authenticate with controller: ${controllerUrl}`));
+      logger.error(chalk.gray(`Error: ${error.message}`));
+      process.exit(1);
+    }
+  }
+
+  // If no token yet, try to find any device token in config
+  if (!token && config.device) {
+    const deviceUrls = Object.keys(config.device);
+    if (deviceUrls.length > 0) {
+      for (const storedUrl of deviceUrls) {
+        try {
+          const normalizedStoredUrl = normalizeControllerUrl(storedUrl);
+          const deviceToken = await getOrRefreshDeviceToken(normalizedStoredUrl);
+          if (deviceToken && deviceToken.token) {
+            token = deviceToken.token;
+            actualControllerUrl = deviceToken.controller || normalizedStoredUrl;
+            break;
+          }
+        } catch (error) {
+          // Continue to next URL
+        }
       }
     }
   }
 
-  if (!token || !controllerUrl) {
-    logger.error(chalk.red('❌ Not logged in. Run: aifabrix login'));
-    logger.error(chalk.gray('   Use device code flow: aifabrix login --method device --controller <url>'));
+  if (!token || !actualControllerUrl) {
+    const formattedError = formatAuthenticationError({
+      controllerUrl: controllerUrl || undefined,
+      message: 'No valid authentication found'
+    });
+    logger.error(formattedError);
     process.exit(1);
   }
 
@@ -117,51 +148,58 @@ async function rotateSecret(appKey, options) {
 
   // Use centralized API client
   const authConfig = { type: 'bearer', token: token };
-  const response = await rotateApplicationSecret(controllerUrl, options.environment, appKey, authConfig);
+  try {
+    const response = await rotateApplicationSecret(actualControllerUrl, options.environment, appKey, authConfig);
 
-  if (!response.success) {
-    const formattedError = response.formattedError || formatApiError(response);
-    logger.error(formattedError);
-    process.exit(1);
-  }
+    if (!response.success) {
+      const formattedError = response.formattedError || formatApiError(response, actualControllerUrl);
+      logger.error(formattedError);
+      logger.error(chalk.gray(`\nController URL: ${actualControllerUrl}`));
+      process.exit(1);
+    }
 
-  // Validate response structure
-  validateResponse(response);
+    // Validate response structure
+    validateResponse(response);
 
-  const credentials = response.data.credentials;
-  const message = response.data.message;
+    const credentials = response.data.credentials;
+    const message = response.data.message;
 
-  // Save credentials to local secrets (always save when rotating)
-  const clientIdKey = `${appKey}-client-idKeyVault`;
-  const clientSecretKey = `${appKey}-client-secretKeyVault`;
+    // Save credentials to local secrets (always save when rotating)
+    const clientIdKey = `${appKey}-client-idKeyVault`;
+    const clientSecretKey = `${appKey}-client-secretKeyVault`;
 
-  try {
-    await saveLocalSecret(clientIdKey, credentials.clientId);
-    await saveLocalSecret(clientSecretKey, credentials.clientSecret);
-
-    // Update env.template if localhost
-    if (isLocalhost(controllerUrl)) {
-      await updateEnvTemplate(appKey, clientIdKey, clientSecretKey, controllerUrl);
-
-      // Regenerate .env file with updated credentials
-      try {
-        await generateEnvFile(appKey, null, 'local');
-        logger.log(chalk.green('✓ .env file updated with new credentials'));
-      } catch (error) {
-        logger.warn(chalk.yellow(`⚠️  Could not regenerate .env file: ${error.message}`));
-      }
+    try {
+      await saveLocalSecret(clientIdKey, credentials.clientId);
+      await saveLocalSecret(clientSecretKey, credentials.clientSecret);
+
+      // Update env.template if localhost
+      if (isLocalhost(actualControllerUrl)) {
+        await updateEnvTemplate(appKey, clientIdKey, clientSecretKey, actualControllerUrl);
 
-      logger.log(chalk.green('\n✓ Credentials saved to ~/.aifabrix/secrets.local.yaml'));
-      logger.log(chalk.green('✓ env.template updated with MISO_CLIENTID, MISO_CLIENTSECRET, and MISO_CONTROLLER_URL\n'));
-    } else {
-      logger.log(chalk.green('\n✓ Credentials saved to ~/.aifabrix/secrets.local.yaml\n'));
+        // Regenerate .env file with updated credentials
+        try {
+          await generateEnvFile(appKey, null, 'local');
+          logger.log(chalk.green('✓ .env file updated with new credentials'));
+        } catch (error) {
+          logger.warn(chalk.yellow(`⚠️  Could not regenerate .env file: ${error.message}`));
+        }
+
+        logger.log(chalk.green('\n✓ Credentials saved to ~/.aifabrix/secrets.local.yaml'));
+        logger.log(chalk.green('✓ env.template updated with MISO_CLIENTID, MISO_CLIENTSECRET, and MISO_CONTROLLER_URL\n'));
+      } else {
+        logger.log(chalk.green('\n✓ Credentials saved to ~/.aifabrix/secrets.local.yaml\n'));
+      }
+    } catch (error) {
+      logger.warn(chalk.yellow(`⚠️  Could not save credentials locally: ${error.message}`));
     }
+
+    // Display results
+    displayRotationResults(appKey, options.environment, credentials, actualControllerUrl, message);
   } catch (error) {
-    logger.warn(chalk.yellow(`⚠️  Could not save credentials locally: ${error.message}`));
+    logger.error(chalk.red(`❌ Failed to rotate secret via controller: ${actualControllerUrl}`));
+    logger.error(chalk.gray(`Error: ${error.message}`));
+    process.exit(1);
   }
-
-  // Display results
-  displayRotationResults(appKey, options.environment, credentials, controllerUrl, message);
 }
 
 module.exports = { rotateSecret };

package/lib/cli.js

@@ -340,7 +340,33 @@ function setupCommands(program) {
       }
     });
 
-  program.command('app split-json <app-name>')
+  program.command('json <app>')
+    .description('Generate deployment JSON (aifabrix-deploy.json for normal apps, application-schema.json for external systems)')
+    .action(async(appName) => {
+      try {
+        const result = await generator.generateDeployJsonWithValidation(appName);
+        if (result.success) {
+          const fileName = result.path.includes('application-schema.json') ? 'application-schema.json' : 'deployment JSON';
+          logger.log(`✓ Generated ${fileName}: ${result.path}`);
+
+          if (result.validation.warnings && result.validation.warnings.length > 0) {
+            logger.log('\n⚠️  Warnings:');
+            result.validation.warnings.forEach(warning => logger.log(`   • ${warning}`));
+          }
+        } else {
+          logger.log('❌ Validation failed:');
+          if (result.validation.errors && result.validation.errors.length > 0) {
+            result.validation.errors.forEach(error => logger.log(`   • ${error}`));
+          }
+          process.exit(1);
+        }
+      } catch (error) {
+        handleCommandError(error, 'json');
+        process.exit(1);
+      }
+    });
+
+  program.command('split-json <app>')
     .description('Split deployment JSON into component files (env.template, variables.yaml, rbac.yml, README.md)')
     .option('-o, --output <dir>', 'Output directory for component files (defaults to same directory as JSON)')
     .action(async(appName, options) => {
@@ -365,33 +391,7 @@ function setupCommands(program) {
         }
         logger.log(`  • README.md: ${result.readme}`);
       } catch (error) {
-        handleCommandError(error, 'app split-json');
-        process.exit(1);
-      }
-    });
-
-  program.command('json <app>')
-    .description('Generate deployment JSON (aifabrix-deploy.json for normal apps, application-schema.json for external systems)')
-    .action(async(appName) => {
-      try {
-        const result = await generator.generateDeployJsonWithValidation(appName);
-        if (result.success) {
-          const fileName = result.path.includes('application-schema.json') ? 'application-schema.json' : 'deployment JSON';
-          logger.log(`✓ Generated ${fileName}: ${result.path}`);
-
-          if (result.validation.warnings && result.validation.warnings.length > 0) {
-            logger.log('\n⚠️  Warnings:');
-            result.validation.warnings.forEach(warning => logger.log(`   • ${warning}`));
-          }
-        } else {
-          logger.log('❌ Validation failed:');
-          if (result.validation.errors && result.validation.errors.length > 0) {
-            result.validation.errors.forEach(error => logger.log(`   • ${error}`));
-          }
-          process.exit(1);
-        }
-      } catch (error) {
-        handleCommandError(error, 'json');
+        handleCommandError(error, 'split-json');
         process.exit(1);
       }
     });

package/lib/commands/app.js

@@ -29,6 +29,7 @@ function setupAppCommands(program) {
     .command('register <appKey>')
     .description('Register application and get pipeline credentials')
     .requiredOption('-e, --environment <env>', 'Environment ID or key')
+    .option('-c, --controller <url>', 'Controller URL (overrides variables.yaml)')
     .option('-p, --port <port>', 'Application port (default: from variables.yaml)')
     .option('-n, --name <name>', 'Override display name')
     .option('-d, --description <desc>', 'Override description')
@@ -46,6 +47,7 @@ function setupAppCommands(program) {
     .command('list')
     .description('List applications')
     .requiredOption('-e, --environment <env>', 'Environment ID or key')
+    .option('-c, --controller <url>', 'Controller URL (optional, uses configured controller if not provided)')
     .action(async(options) => {
       try {
         await listApplications(options);
@@ -60,6 +62,7 @@ function setupAppCommands(program) {
     .command('rotate-secret <appKey>')
     .description('Rotate pipeline ClientSecret for an application')
     .requiredOption('-e, --environment <env>', 'Environment ID or key')
+    .option('-c, --controller <url>', 'Controller URL (optional, uses configured controller if not provided)')
     .action(async(appKey, options) => {
       try {
         await rotateSecret(appKey, options);

package/lib/config.js

@@ -27,6 +27,26 @@ const RUNTIME_CONFIG_FILE = path.join(RUNTIME_CONFIG_DIR, 'config.yaml');
 // Cache for developer ID - loaded when getConfig() is first called
 let cachedDeveloperId = null;
 
+/**
+ * Normalize controller URL for consistent storage and lookup
+ * Removes trailing slashes and normalizes the URL format
+ * @param {string} url - Controller URL to normalize
+ * @returns {string} Normalized controller URL
+ */
+function normalizeControllerUrl(url) {
+  if (!url || typeof url !== 'string') {
+    return url;
+  }
+  // Remove trailing slashes
+  let normalized = url.trim().replace(/\/+$/, '');
+  // Ensure it starts with http:// or https://
+  if (!normalized.match(/^https?:\/\//)) {
+    // If it doesn't start with protocol, assume http://
+    normalized = `http://${normalized}`;
+  }
+  return normalized;
+}
+
 async function getConfig() {
   try {
     const configContent = await fs.readFile(RUNTIME_CONFIG_FILE, 'utf8');
@@ -231,131 +251,7 @@ async function decryptTokenValue(value) {
     return value;
   }
 }
-/**
- * Get device token for controller
- * @param {string} controllerUrl - Controller URL
- * @returns {Promise<{controller: string, token: string, refreshToken: string, expiresAt: string}|null>} Device token info or null
- */
-async function getDeviceToken(controllerUrl) {
-  const config = await getConfig();
-  if (!config.device || !config.device[controllerUrl]) return null;
-  const deviceToken = config.device[controllerUrl];
-
-  // Migration: If tokens are plain text and encryption key exists, encrypt them first
-  const encryptionKey = await getSecretsEncryptionKey();
-  if (encryptionKey) {
-    let needsSave = false;
-
-    if (deviceToken.token && !isTokenEncrypted(deviceToken.token)) {
-      // Token is plain text, encrypt it
-      deviceToken.token = await encryptTokenValue(deviceToken.token);
-      needsSave = true;
-    }
-
-    if (deviceToken.refreshToken && !isTokenEncrypted(deviceToken.refreshToken)) {
-      // Refresh token is plain text, encrypt it
-      deviceToken.refreshToken = await encryptTokenValue(deviceToken.refreshToken);
-      needsSave = true;
-    }
-
-    if (needsSave) {
-      // Save encrypted tokens back to config
-      await saveConfig(config);
-    }
-  }
-  // Decrypt tokens if encrypted (for return value)
-  const token = deviceToken.token ? await decryptTokenValue(deviceToken.token) : undefined;
-  const refreshToken = deviceToken.refreshToken ? await decryptTokenValue(deviceToken.refreshToken) : null;
-
-  return {
-    controller: controllerUrl,
-    token: token,
-    refreshToken: refreshToken,
-    expiresAt: deviceToken.expiresAt
-  };
-}
-
-/**
- * Get client token for environment and app
- * @param {string} environment - Environment key
- * @param {string} appName - Application name
- * @returns {Promise<{controller: string, token: string, expiresAt: string}|null>} Client token info or null
- */
-async function getClientToken(environment, appName) {
-  const config = await getConfig();
-  if (!config.environments || !config.environments[environment]) return null;
-  if (!config.environments[environment].clients || !config.environments[environment].clients[appName]) return null;
-
-  const clientToken = config.environments[environment].clients[appName];
-
-  // Migration: If token is plain text and encryption key exists, encrypt it first
-  const encryptionKey = await getSecretsEncryptionKey();
-  if (encryptionKey && clientToken.token && !isTokenEncrypted(clientToken.token)) {
-    // Token is plain text, encrypt it
-    clientToken.token = await encryptTokenValue(clientToken.token);
-    // Save encrypted token back to config
-    await saveConfig(config);
-  }
-
-  // Decrypt token if encrypted (for return value)
-  const token = await decryptTokenValue(clientToken.token);
-
-  return {
-    controller: clientToken.controller,
-    token: token,
-    expiresAt: clientToken.expiresAt
-  };
-}
-
-/**
- * Save device token for controller (root level)
- * @param {string} controllerUrl - Controller URL (used as key)
- * @param {string} token - Device access token
- * @param {string} refreshToken - Refresh token for token renewal
- * @param {string} expiresAt - ISO timestamp string
- * @returns {Promise<void>}
- */
-async function saveDeviceToken(controllerUrl, token, refreshToken, expiresAt) {
-  const config = await getConfig();
-  if (!config.device) config.device = {};
-
-  // Encrypt tokens before saving
-  const encryptedToken = await encryptTokenValue(token);
-  const encryptedRefreshToken = refreshToken ? await encryptTokenValue(refreshToken) : null;
-
-  config.device[controllerUrl] = {
-    token: encryptedToken,
-    refreshToken: encryptedRefreshToken,
-    expiresAt
-  };
-  await saveConfig(config);
-}
-
-/**
- * Save client token for environment and app
- * @param {string} environment - Environment key
- * @param {string} appName - Application name
- * @param {string} controllerUrl - Controller URL
- * @param {string} token - Client token
- * @param {string} expiresAt - ISO timestamp string
- * @returns {Promise<void>}
- */
-async function saveClientToken(environment, appName, controllerUrl, token, expiresAt) {
-  const config = await getConfig();
-  if (!config.environments) config.environments = {};
-  if (!config.environments[environment]) config.environments[environment] = { clients: {} };
-  if (!config.environments[environment].clients) config.environments[environment].clients = {};
-
-  // Encrypt token before saving
-  const encryptedToken = await encryptTokenValue(token);
-
-  config.environments[environment].clients[appName] = {
-    controller: controllerUrl,
-    token: encryptedToken,
-    expiresAt
-  };
-  await saveConfig(config);
-}
+// Token management functions moved to lib/utils/config-tokens.js to reduce file size
 
 /**
  * Initialize and load developer ID
@@ -412,44 +308,6 @@ async function setSecretsPath(secretsPath) {
   await saveConfig(config);
 }
 
-async function getPathConfig(key) {
-  const config = await getConfig();
-  return config[key] || null;
-}
-
-async function setPathConfig(key, value, errorMsg) {
-  if (!value || typeof value !== 'string') {
-    throw new Error(errorMsg);
-  }
-  const config = await getConfig();
-  config[key] = value;
-  await saveConfig(config);
-}
-
-async function getAifabrixHomeOverride() {
-  return getPathConfig('aifabrix-home');
-}
-
-async function setAifabrixHomeOverride(homePath) {
-  await setPathConfig('aifabrix-home', homePath, 'Home path is required and must be a string');
-}
-
-async function getAifabrixSecretsPath() {
-  return getPathConfig('aifabrix-secrets');
-}
-
-async function setAifabrixSecretsPath(secretsPath) {
-  await setPathConfig('aifabrix-secrets', secretsPath, 'Secrets path is required and must be a string');
-}
-
-async function getAifabrixEnvConfigPath() {
-  return getPathConfig('aifabrix-env-config');
-}
-
-async function setAifabrixEnvConfigPath(envConfigPath) {
-  await setPathConfig('aifabrix-env-config', envConfigPath, 'Env config path is required and must be a string');
-}
-
 // Create exports object
 const exportsObj = {
   getConfig,
@@ -462,22 +320,13 @@ const exportsObj = {
   setCurrentEnvironment,
   isTokenExpired,
   shouldRefreshToken,
-  getDeviceToken,
-  getClientToken,
-  saveDeviceToken,
-  saveClientToken,
   encryptTokenValue,
   decryptTokenValue,
   getSecretsEncryptionKey,
   setSecretsEncryptionKey,
   getSecretsPath,
   setSecretsPath,
-  getAifabrixHomeOverride,
-  setAifabrixHomeOverride,
-  getAifabrixSecretsPath,
-  setAifabrixSecretsPath,
-  getAifabrixEnvConfigPath,
-  setAifabrixEnvConfigPath,
+  normalizeControllerUrl,
   CONFIG_DIR,
   CONFIG_FILE
 };
@@ -492,4 +341,22 @@ Object.defineProperty(exportsObj, 'developerId', {
   enumerable: true,
   configurable: true
 });
+
+// Token management functions - created after dependencies are defined
+const { createTokenManagementFunctions } = require('./utils/config-tokens');
+const tokenFunctions = createTokenManagementFunctions(
+  getConfig,
+  saveConfig,
+  getSecretsEncryptionKey,
+  encryptTokenValue,
+  decryptTokenValue,
+  require('./utils/token-encryption').isTokenEncrypted
+);
+Object.assign(exportsObj, tokenFunctions);
+
+// Path configuration functions - created after getConfig/saveConfig are defined
+const { createPathConfigFunctions } = require('./utils/config-paths');
+const pathConfigFunctions = createPathConfigFunctions(getConfig, saveConfig);
+Object.assign(exportsObj, pathConfigFunctions);
+
 module.exports = exportsObj;

package/lib/external-system-generator.js

@@ -40,7 +40,9 @@ async function generateExternalSystemTemplate(appPath, systemKey, config) {
       systemDisplayName: config.systemDisplayName || systemKey.replace(/-/g, ' ').replace(/\b\w/g, l => l.toUpperCase()),
       systemDescription: config.systemDescription || `External system integration for ${systemKey}`,
       systemType: config.systemType || 'openapi',
-      authType: config.authType || 'apikey'
+      authType: config.authType || 'apikey',
+      roles: config.roles || null,
+      permissions: config.permissions || null
     };
 
     const rendered = template(context);