npm - @aifabrix/builder - Versions diffs - 2.21.1 → 2.22.0 - Mend

@aifabrix/builder 2.21.1 → 2.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/lib/app-list.js +60 -22
package/lib/app-register.js +3 -2
package/lib/app-rotate-secret.js +86 -48
package/lib/commands/app.js +3 -0
package/lib/config.js +40 -173
package/lib/external-system-generator.js +3 -1
package/lib/generator-external.js +229 -0
package/lib/generator-helpers.js +205 -0
package/lib/generator.js +2 -367
package/lib/schema/external-system.schema.json +92 -1
package/lib/utils/api-error-handler.js +9 -2
package/lib/utils/app-register-api.js +39 -29
package/lib/utils/app-register-auth.js +103 -39
package/lib/utils/config-paths.js +112 -0
package/lib/utils/config-tokens.js +233 -0
package/lib/utils/device-code.js +28 -6
package/lib/utils/error-formatters/http-status-errors.js +78 -5
package/lib/utils/error-formatters/network-errors.js +24 -4
package/lib/validate.js +67 -7
package/lib/validator.js +3 -1
package/package.json +1 -1
package/templates/external-system/external-system.json.hbs +20 -1

package/lib/app-list.js CHANGED Viewed

@@ -9,10 +9,11 @@
  */
 const chalk = require('chalk');
-const { getConfig } = require('./config');
+const { getConfig, normalizeControllerUrl } = require('./config');
 const { getOrRefreshDeviceToken } = require('./utils/token-manager');
 const { listEnvironmentApplications } = require('./api/environments.api');
 const { formatApiError } = require('./utils/api-error-handler');
+const { formatAuthenticationError } = require('./utils/error-formatters/http-status-errors');
 const logger = require('./utils/logger');
 /**
@@ -82,48 +83,85 @@ function displayApplications(applications, environment) {
  * @async
  * @param {Object} options - Command options
  * @param {string} options.environment - Environment ID or key
+ * @param {string} [options.controller] - Controller URL (optional, uses configured controller if not provided)
  * @throws {Error} If listing fails
  */
 async function listApplications(options) {
   const config = await getConfig();
-  // Try to get device token
-  let controllerUrl = null;
+  // Get controller URL with priority: options.controller > device tokens
+  const controllerUrl = options.controller || null;
   let token = null;
+  let actualControllerUrl = null;
-  if (config.device) {
-    const deviceUrls = Object.keys(config.device);
-    if (deviceUrls.length > 0) {
-      controllerUrl = deviceUrls[0];
-      const deviceToken = await getOrRefreshDeviceToken(controllerUrl);
+  // If controller URL provided, try to get device token
+  if (controllerUrl) {
+    try {
+      const normalizedUrl = normalizeControllerUrl(controllerUrl);
+      const deviceToken = await getOrRefreshDeviceToken(normalizedUrl);
       if (deviceToken && deviceToken.token) {
         token = deviceToken.token;
-        controllerUrl = deviceToken.controller;
+        actualControllerUrl = deviceToken.controller || normalizedUrl;
+      }
+    } catch (error) {
+      // Show which controller URL failed
+      logger.error(chalk.red(`❌ Failed to authenticate with controller: ${controllerUrl}`));
+      logger.error(chalk.gray(`Error: ${error.message}`));
+      process.exit(1);
+    }
+  }
+  // If no token yet, try to find any device token in config
+  if (!token && config.device) {
+    const deviceUrls = Object.keys(config.device);
+    if (deviceUrls.length > 0) {
+      for (const storedUrl of deviceUrls) {
+        try {
+          const normalizedStoredUrl = normalizeControllerUrl(storedUrl);
+          const deviceToken = await getOrRefreshDeviceToken(normalizedStoredUrl);
+          if (deviceToken && deviceToken.token) {
+            token = deviceToken.token;
+            actualControllerUrl = deviceToken.controller || normalizedStoredUrl;
+            break;
+          }
+        } catch (error) {
+          // Continue to next URL
+        }
       }
     }
   }
-  if (!token || !controllerUrl) {
-    logger.error(chalk.red('❌ Not logged in. Run: aifabrix login'));
-    logger.error(chalk.gray('   Use device code flow: aifabrix login --method device --controller <url>'));
+  if (!token || !actualControllerUrl) {
+    const formattedError = formatAuthenticationError({
+      controllerUrl: controllerUrl || undefined,
+      message: 'No valid authentication found'
+    });
+    logger.error(formattedError);
     process.exit(1);
   }
   // Use centralized API client
   const authConfig = { type: 'bearer', token: token };
-  const response = await listEnvironmentApplications(controllerUrl, options.environment, authConfig);
+  try {
+    const response = await listEnvironmentApplications(actualControllerUrl, options.environment, authConfig);
+    if (!response.success || !response.data) {
+      const formattedError = response.formattedError || formatApiError(response, actualControllerUrl);
+      logger.error(formattedError);
+      logger.error(chalk.gray(`\nController URL: ${actualControllerUrl}`));
+      // Log full response for debugging
+      logger.error(chalk.gray('\nFull response for debugging:'));
+      logger.error(chalk.gray(JSON.stringify(response, null, 2)));
+      process.exit(1);
+    }
-  if (!response.success || !response.data) {
-    const formattedError = response.formattedError || formatApiError(response);
-    logger.error(formattedError);
-    // Log full response for debugging
-    logger.error(chalk.gray('\nFull response for debugging:'));
-    logger.error(chalk.gray(JSON.stringify(response, null, 2)));
+    const applications = extractApplications(response);
+    displayApplications(applications, options.environment);
+  } catch (error) {
+    logger.error(chalk.red(`❌ Failed to list applications from controller: ${actualControllerUrl}`));
+    logger.error(chalk.gray(`Error: ${error.message}`));
     process.exit(1);
   }
-  const applications = extractApplications(response);
-  displayApplications(applications, options.environment);
 }
 module.exports = { listApplications };

package/lib/app-register.js CHANGED Viewed

@@ -108,6 +108,7 @@ async function saveLocalCredentials(responseData, apiUrl) {
  * @param {string} appKey - Application key
  * @param {Object} options - Registration options
  * @param {string} options.environment - Environment ID or key
+ * @param {string} [options.controller] - Controller URL (overrides variables.yaml)
  * @param {number} [options.port] - Application port
  * @param {string} [options.name] - Override display name
  * @param {string} [options.description] - Override description
@@ -126,8 +127,8 @@ async function registerApplication(appKey, options) {
   const appConfig = await extractAppConfiguration(finalVariables, appKey, options);
   await validateAppRegistrationData(appConfig, appKey);
-  // Authenticate and get API configuration
-  const controllerUrl = finalVariables?.deployment?.controllerUrl;
+  // Get controller URL with priority: options.controller > variables.yaml > device tokens
+  const controllerUrl = options.controller || finalVariables?.deployment?.controllerUrl;
   const authConfig = await checkAuthentication(controllerUrl, options.environment);
   const environment = registerApplicationSchema.environmentId(options.environment);

package/lib/app-rotate-secret.js CHANGED Viewed

@@ -9,10 +9,11 @@
  */
 const chalk = require('chalk');
-const { getConfig } = require('./config');
+const { getConfig, normalizeControllerUrl } = require('./config');
 const { getOrRefreshDeviceToken } = require('./utils/token-manager');
 const { rotateApplicationSecret } = require('./api/applications.api');
 const { formatApiError } = require('./utils/api-error-handler');
+const { formatAuthenticationError } = require('./utils/error-formatters/http-status-errors');
 const logger = require('./utils/logger');
 const { saveLocalSecret, isLocalhost } = require('./utils/local-secrets');
 const { updateEnvTemplate } = require('./utils/env-template');
@@ -83,6 +84,7 @@ function displayRotationResults(appKey, environment, credentials, apiUrl, messag
  * @param {string} appKey - Application key
  * @param {Object} options - Command options
  * @param {string} options.environment - Environment ID or key
+ * @param {string} [options.controller] - Controller URL (optional, uses configured controller if not provided)
  * @throws {Error} If rotation fails
  */
 async function rotateSecret(appKey, options) {
@@ -90,25 +92,54 @@ async function rotateSecret(appKey, options) {
   const config = await getConfig();
-  // Try to get device token
-  let controllerUrl = null;
+  // Get controller URL with priority: options.controller > device tokens
+  const controllerUrl = options.controller || null;
   let token = null;
+  let actualControllerUrl = null;
-  if (config.device) {
-    const deviceUrls = Object.keys(config.device);
-    if (deviceUrls.length > 0) {
-      controllerUrl = deviceUrls[0];
-      const deviceToken = await getOrRefreshDeviceToken(controllerUrl);
+  // If controller URL provided, try to get device token
+  if (controllerUrl) {
+    try {
+      const normalizedUrl = normalizeControllerUrl(controllerUrl);
+      const deviceToken = await getOrRefreshDeviceToken(normalizedUrl);
       if (deviceToken && deviceToken.token) {
         token = deviceToken.token;
-        controllerUrl = deviceToken.controller;
+        actualControllerUrl = deviceToken.controller || normalizedUrl;
+      }
+    } catch (error) {
+      // Show which controller URL failed
+      logger.error(chalk.red(`❌ Failed to authenticate with controller: ${controllerUrl}`));
+      logger.error(chalk.gray(`Error: ${error.message}`));
+      process.exit(1);
+    }
+  }
+  // If no token yet, try to find any device token in config
+  if (!token && config.device) {
+    const deviceUrls = Object.keys(config.device);
+    if (deviceUrls.length > 0) {
+      for (const storedUrl of deviceUrls) {
+        try {
+          const normalizedStoredUrl = normalizeControllerUrl(storedUrl);
+          const deviceToken = await getOrRefreshDeviceToken(normalizedStoredUrl);
+          if (deviceToken && deviceToken.token) {
+            token = deviceToken.token;
+            actualControllerUrl = deviceToken.controller || normalizedStoredUrl;
+            break;
+          }
+        } catch (error) {
+          // Continue to next URL
+        }
       }
     }
   }
-  if (!token || !controllerUrl) {
-    logger.error(chalk.red('❌ Not logged in. Run: aifabrix login'));
-    logger.error(chalk.gray('   Use device code flow: aifabrix login --method device --controller <url>'));
+  if (!token || !actualControllerUrl) {
+    const formattedError = formatAuthenticationError({
+      controllerUrl: controllerUrl || undefined,
+      message: 'No valid authentication found'
+    });
+    logger.error(formattedError);
     process.exit(1);
   }
@@ -117,51 +148,58 @@ async function rotateSecret(appKey, options) {
   // Use centralized API client
   const authConfig = { type: 'bearer', token: token };
-  const response = await rotateApplicationSecret(controllerUrl, options.environment, appKey, authConfig);
+  try {
+    const response = await rotateApplicationSecret(actualControllerUrl, options.environment, appKey, authConfig);
-  if (!response.success) {
-    const formattedError = response.formattedError || formatApiError(response);
-    logger.error(formattedError);
-    process.exit(1);
-  }
+    if (!response.success) {
+      const formattedError = response.formattedError || formatApiError(response, actualControllerUrl);
+      logger.error(formattedError);
+      logger.error(chalk.gray(`\nController URL: ${actualControllerUrl}`));
+      process.exit(1);
+    }
-  // Validate response structure
-  validateResponse(response);
+    // Validate response structure
+    validateResponse(response);
-  const credentials = response.data.credentials;
-  const message = response.data.message;
+    const credentials = response.data.credentials;
+    const message = response.data.message;
-  // Save credentials to local secrets (always save when rotating)
-  const clientIdKey = `${appKey}-client-idKeyVault`;
-  const clientSecretKey = `${appKey}-client-secretKeyVault`;
+    // Save credentials to local secrets (always save when rotating)
+    const clientIdKey = `${appKey}-client-idKeyVault`;
+    const clientSecretKey = `${appKey}-client-secretKeyVault`;
-  try {
-    await saveLocalSecret(clientIdKey, credentials.clientId);
-    await saveLocalSecret(clientSecretKey, credentials.clientSecret);
-    // Update env.template if localhost
-    if (isLocalhost(controllerUrl)) {
-      await updateEnvTemplate(appKey, clientIdKey, clientSecretKey, controllerUrl);
-      // Regenerate .env file with updated credentials
-      try {
-        await generateEnvFile(appKey, null, 'local');
-        logger.log(chalk.green('✓ .env file updated with new credentials'));
-      } catch (error) {
-        logger.warn(chalk.yellow(`⚠️  Could not regenerate .env file: ${error.message}`));
-      }
+    try {
+      await saveLocalSecret(clientIdKey, credentials.clientId);
+      await saveLocalSecret(clientSecretKey, credentials.clientSecret);
+      // Update env.template if localhost
+      if (isLocalhost(actualControllerUrl)) {
+        await updateEnvTemplate(appKey, clientIdKey, clientSecretKey, actualControllerUrl);
-      logger.log(chalk.green('\n✓ Credentials saved to ~/.aifabrix/secrets.local.yaml'));
-      logger.log(chalk.green('✓ env.template updated with MISO_CLIENTID, MISO_CLIENTSECRET, and MISO_CONTROLLER_URL\n'));
-    } else {
-      logger.log(chalk.green('\n✓ Credentials saved to ~/.aifabrix/secrets.local.yaml\n'));
+        // Regenerate .env file with updated credentials
+        try {
+          await generateEnvFile(appKey, null, 'local');
+          logger.log(chalk.green('✓ .env file updated with new credentials'));
+        } catch (error) {
+          logger.warn(chalk.yellow(`⚠️  Could not regenerate .env file: ${error.message}`));
+        }
+        logger.log(chalk.green('\n✓ Credentials saved to ~/.aifabrix/secrets.local.yaml'));
+        logger.log(chalk.green('✓ env.template updated with MISO_CLIENTID, MISO_CLIENTSECRET, and MISO_CONTROLLER_URL\n'));
+      } else {
+        logger.log(chalk.green('\n✓ Credentials saved to ~/.aifabrix/secrets.local.yaml\n'));
+      }
+    } catch (error) {
+      logger.warn(chalk.yellow(`⚠️  Could not save credentials locally: ${error.message}`));
     }
+    // Display results
+    displayRotationResults(appKey, options.environment, credentials, actualControllerUrl, message);
   } catch (error) {
-    logger.warn(chalk.yellow(`⚠️  Could not save credentials locally: ${error.message}`));
+    logger.error(chalk.red(`❌ Failed to rotate secret via controller: ${actualControllerUrl}`));
+    logger.error(chalk.gray(`Error: ${error.message}`));
+    process.exit(1);
   }
-  // Display results
-  displayRotationResults(appKey, options.environment, credentials, controllerUrl, message);
 }
 module.exports = { rotateSecret };

package/lib/commands/app.js CHANGED Viewed

@@ -29,6 +29,7 @@ function setupAppCommands(program) {
     .command('register <appKey>')
     .description('Register application and get pipeline credentials')
     .requiredOption('-e, --environment <env>', 'Environment ID or key')
+    .option('-c, --controller <url>', 'Controller URL (overrides variables.yaml)')
     .option('-p, --port <port>', 'Application port (default: from variables.yaml)')
     .option('-n, --name <name>', 'Override display name')
     .option('-d, --description <desc>', 'Override description')
@@ -46,6 +47,7 @@ function setupAppCommands(program) {
     .command('list')
     .description('List applications')
     .requiredOption('-e, --environment <env>', 'Environment ID or key')
+    .option('-c, --controller <url>', 'Controller URL (optional, uses configured controller if not provided)')
     .action(async(options) => {
       try {
         await listApplications(options);
@@ -60,6 +62,7 @@ function setupAppCommands(program) {
     .command('rotate-secret <appKey>')
     .description('Rotate pipeline ClientSecret for an application')
     .requiredOption('-e, --environment <env>', 'Environment ID or key')
+    .option('-c, --controller <url>', 'Controller URL (optional, uses configured controller if not provided)')
     .action(async(appKey, options) => {
       try {
         await rotateSecret(appKey, options);

package/lib/config.js CHANGED Viewed

@@ -27,6 +27,26 @@ const RUNTIME_CONFIG_FILE = path.join(RUNTIME_CONFIG_DIR, 'config.yaml');
 // Cache for developer ID - loaded when getConfig() is first called
 let cachedDeveloperId = null;
+/**
+ * Normalize controller URL for consistent storage and lookup
+ * Removes trailing slashes and normalizes the URL format
+ * @param {string} url - Controller URL to normalize
+ * @returns {string} Normalized controller URL
+ */
+function normalizeControllerUrl(url) {
+  if (!url || typeof url !== 'string') {
+    return url;
+  }
+  // Remove trailing slashes
+  let normalized = url.trim().replace(/\/+$/, '');
+  // Ensure it starts with http:// or https://
+  if (!normalized.match(/^https?:\/\//)) {
+    // If it doesn't start with protocol, assume http://
+    normalized = `http://${normalized}`;
+  }
+  return normalized;
+}
 async function getConfig() {
   try {
     const configContent = await fs.readFile(RUNTIME_CONFIG_FILE, 'utf8');
@@ -231,131 +251,7 @@ async function decryptTokenValue(value) {
     return value;
   }
 }
-/**
- * Get device token for controller
- * @param {string} controllerUrl - Controller URL
- * @returns {Promise<{controller: string, token: string, refreshToken: string, expiresAt: string}|null>} Device token info or null
- */
-async function getDeviceToken(controllerUrl) {
-  const config = await getConfig();
-  if (!config.device || !config.device[controllerUrl]) return null;
-  const deviceToken = config.device[controllerUrl];
-  // Migration: If tokens are plain text and encryption key exists, encrypt them first
-  const encryptionKey = await getSecretsEncryptionKey();
-  if (encryptionKey) {
-    let needsSave = false;
-    if (deviceToken.token && !isTokenEncrypted(deviceToken.token)) {
-      // Token is plain text, encrypt it
-      deviceToken.token = await encryptTokenValue(deviceToken.token);
-      needsSave = true;
-    }
-    if (deviceToken.refreshToken && !isTokenEncrypted(deviceToken.refreshToken)) {
-      // Refresh token is plain text, encrypt it
-      deviceToken.refreshToken = await encryptTokenValue(deviceToken.refreshToken);
-      needsSave = true;
-    }
-    if (needsSave) {
-      // Save encrypted tokens back to config
-      await saveConfig(config);
-    }
-  }
-  // Decrypt tokens if encrypted (for return value)
-  const token = deviceToken.token ? await decryptTokenValue(deviceToken.token) : undefined;
-  const refreshToken = deviceToken.refreshToken ? await decryptTokenValue(deviceToken.refreshToken) : null;
-  return {
-    controller: controllerUrl,
-    token: token,
-    refreshToken: refreshToken,
-    expiresAt: deviceToken.expiresAt
-  };
-}
-/**
- * Get client token for environment and app
- * @param {string} environment - Environment key
- * @param {string} appName - Application name
- * @returns {Promise<{controller: string, token: string, expiresAt: string}|null>} Client token info or null
- */
-async function getClientToken(environment, appName) {
-  const config = await getConfig();
-  if (!config.environments || !config.environments[environment]) return null;
-  if (!config.environments[environment].clients || !config.environments[environment].clients[appName]) return null;
-  const clientToken = config.environments[environment].clients[appName];
-  // Migration: If token is plain text and encryption key exists, encrypt it first
-  const encryptionKey = await getSecretsEncryptionKey();
-  if (encryptionKey && clientToken.token && !isTokenEncrypted(clientToken.token)) {
-    // Token is plain text, encrypt it
-    clientToken.token = await encryptTokenValue(clientToken.token);
-    // Save encrypted token back to config
-    await saveConfig(config);
-  }
-  // Decrypt token if encrypted (for return value)
-  const token = await decryptTokenValue(clientToken.token);
-  return {
-    controller: clientToken.controller,
-    token: token,
-    expiresAt: clientToken.expiresAt
-  };
-}
-/**
- * Save device token for controller (root level)
- * @param {string} controllerUrl - Controller URL (used as key)
- * @param {string} token - Device access token
- * @param {string} refreshToken - Refresh token for token renewal
- * @param {string} expiresAt - ISO timestamp string
- * @returns {Promise<void>}
- */
-async function saveDeviceToken(controllerUrl, token, refreshToken, expiresAt) {
-  const config = await getConfig();
-  if (!config.device) config.device = {};
-  // Encrypt tokens before saving
-  const encryptedToken = await encryptTokenValue(token);
-  const encryptedRefreshToken = refreshToken ? await encryptTokenValue(refreshToken) : null;
-  config.device[controllerUrl] = {
-    token: encryptedToken,
-    refreshToken: encryptedRefreshToken,
-    expiresAt
-  };
-  await saveConfig(config);
-}
-/**
- * Save client token for environment and app
- * @param {string} environment - Environment key
- * @param {string} appName - Application name
- * @param {string} controllerUrl - Controller URL
- * @param {string} token - Client token
- * @param {string} expiresAt - ISO timestamp string
- * @returns {Promise<void>}
- */
-async function saveClientToken(environment, appName, controllerUrl, token, expiresAt) {
-  const config = await getConfig();
-  if (!config.environments) config.environments = {};
-  if (!config.environments[environment]) config.environments[environment] = { clients: {} };
-  if (!config.environments[environment].clients) config.environments[environment].clients = {};
-  // Encrypt token before saving
-  const encryptedToken = await encryptTokenValue(token);
-  config.environments[environment].clients[appName] = {
-    controller: controllerUrl,
-    token: encryptedToken,
-    expiresAt
-  };
-  await saveConfig(config);
-}
+// Token management functions moved to lib/utils/config-tokens.js to reduce file size
 /**
  * Initialize and load developer ID
@@ -412,44 +308,6 @@ async function setSecretsPath(secretsPath) {
   await saveConfig(config);
 }
-async function getPathConfig(key) {
-  const config = await getConfig();
-  return config[key] || null;
-}
-async function setPathConfig(key, value, errorMsg) {
-  if (!value || typeof value !== 'string') {
-    throw new Error(errorMsg);
-  }
-  const config = await getConfig();
-  config[key] = value;
-  await saveConfig(config);
-}
-async function getAifabrixHomeOverride() {
-  return getPathConfig('aifabrix-home');
-}
-async function setAifabrixHomeOverride(homePath) {
-  await setPathConfig('aifabrix-home', homePath, 'Home path is required and must be a string');
-}
-async function getAifabrixSecretsPath() {
-  return getPathConfig('aifabrix-secrets');
-}
-async function setAifabrixSecretsPath(secretsPath) {
-  await setPathConfig('aifabrix-secrets', secretsPath, 'Secrets path is required and must be a string');
-}
-async function getAifabrixEnvConfigPath() {
-  return getPathConfig('aifabrix-env-config');
-}
-async function setAifabrixEnvConfigPath(envConfigPath) {
-  await setPathConfig('aifabrix-env-config', envConfigPath, 'Env config path is required and must be a string');
-}
 // Create exports object
 const exportsObj = {
   getConfig,
@@ -462,22 +320,13 @@ const exportsObj = {
   setCurrentEnvironment,
   isTokenExpired,
   shouldRefreshToken,
-  getDeviceToken,
-  getClientToken,
-  saveDeviceToken,
-  saveClientToken,
   encryptTokenValue,
   decryptTokenValue,
   getSecretsEncryptionKey,
   setSecretsEncryptionKey,
   getSecretsPath,
   setSecretsPath,
-  getAifabrixHomeOverride,
-  setAifabrixHomeOverride,
-  getAifabrixSecretsPath,
-  setAifabrixSecretsPath,
-  getAifabrixEnvConfigPath,
-  setAifabrixEnvConfigPath,
+  normalizeControllerUrl,
   CONFIG_DIR,
   CONFIG_FILE
 };
@@ -492,4 +341,22 @@ Object.defineProperty(exportsObj, 'developerId', {
   enumerable: true,
   configurable: true
 });
+// Token management functions - created after dependencies are defined
+const { createTokenManagementFunctions } = require('./utils/config-tokens');
+const tokenFunctions = createTokenManagementFunctions(
+  getConfig,
+  saveConfig,
+  getSecretsEncryptionKey,
+  encryptTokenValue,
+  decryptTokenValue,
+  require('./utils/token-encryption').isTokenEncrypted
+);
+Object.assign(exportsObj, tokenFunctions);
+// Path configuration functions - created after getConfig/saveConfig are defined
+const { createPathConfigFunctions } = require('./utils/config-paths');
+const pathConfigFunctions = createPathConfigFunctions(getConfig, saveConfig);
+Object.assign(exportsObj, pathConfigFunctions);
 module.exports = exportsObj;

package/lib/external-system-generator.js CHANGED Viewed

@@ -40,7 +40,9 @@ async function generateExternalSystemTemplate(appPath, systemKey, config) {
       systemDisplayName: config.systemDisplayName || systemKey.replace(/-/g, ' ').replace(/\b\w/g, l => l.toUpperCase()),
       systemDescription: config.systemDescription || `External system integration for ${systemKey}`,
       systemType: config.systemType || 'openapi',
-      authType: config.authType || 'apikey'
+      authType: config.authType || 'apikey',
+      roles: config.roles || null,
+      permissions: config.permissions || null
     };
     const rendered = template(context);