@aifabrix/builder 2.33.4 → 2.33.6

package/lib/app/run-helpers.js

@@ -139,14 +139,15 @@ async function validateAppConfiguration(appName) {
 }
 
 /**
- * Checks prerequisites: Docker image and infrastructure
+ * Checks prerequisites: Docker image and (optionally) infrastructure
  * @async
  * @param {string} appName - Application name
  * @param {Object} appConfig - Application configuration
  * @param {boolean} [debug=false] - Enable debug logging
+ * @param {boolean} [skipInfraCheck=false] - When true, skip infra health check (e.g. when caller already verified, e.g. up-miso)
  * @throws {Error} If prerequisites are not met
  */
-async function checkPrerequisites(appName, appConfig, debug = false) {
+async function checkPrerequisites(appName, appConfig, debug = false, skipInfraCheck = false) {
   const imageName = composeGenerator.getImageName(appConfig, appName);
   const imageTag = appConfig.image?.tag || 'latest';
   const fullImageName = `${imageName}:${imageTag}`;
@@ -162,6 +163,10 @@ async function checkPrerequisites(appName, appConfig, debug = false) {
   }
   logger.log(chalk.green(`✓ Image ${fullImageName} found`));
 
+  if (skipInfraCheck) {
+    return;
+  }
+
   logger.log(chalk.blue('Checking infrastructure health...'));
   const infraHealth = await infra.checkInfraHealth();
   if (debug) {

package/lib/app/run.js

@@ -177,8 +177,8 @@ async function runApp(appName, options = {}) {
     // Load and configure application
     const appConfig = await loadAndConfigureApp(appName, debug);
 
-    // Check prerequisites: image and infrastructure
-    await helpers.checkPrerequisites(appName, appConfig, debug);
+    // Check prerequisites: image and (unless skipped) infrastructure
+    await helpers.checkPrerequisites(appName, appConfig, debug, options.skipInfraCheck === true);
 
     // Check if container is already running and stop it if needed
     await checkAndStopContainer(appName, appConfig.developerId, debug);

package/lib/cli.js

@@ -155,10 +155,10 @@ function setupInfraCommands(program) {
     });
 
   program.command('up-miso')
-    .description('Install keycloak and miso-controller from images (no build). Infra must be up. Uses auto-generated secrets for testing.')
-    .option('-r, --registry <url>', 'Override registry for both apps (e.g. myacr.azurecr.io)')
+    .description('Install keycloak, miso-controller, and dataplane from images (no build). Infra must be up. Uses auto-generated secrets for testing.')
+    .option('-r, --registry <url>', 'Override registry for all apps (e.g. myacr.azurecr.io)')
     .option('--registry-mode <mode>', 'Override registry mode (acr|external)')
-    .option('-i, --image <key>=<value>', 'Override image (e.g. keycloak=myreg/keycloak:v1, miso-controller=myreg/m:v1); can be repeated', (v, prev) => (prev || []).concat([v]))
+    .option('-i, --image <key>=<value>', 'Override image (e.g. keycloak=myreg/k:v1, miso-controller=myreg/m:v1, dataplane=myreg/d:v1); can be repeated', (v, prev) => (prev || []).concat([v]))
     .action(async(options) => {
       try {
         await handleUpMiso(options);
@@ -410,9 +410,17 @@ function setupAppCommands(program) {
     });
 
   program.command('wizard')
-    .description('Interactive wizard for creating external systems (or headless with --config)')
-    .option('-a, --app <app>', 'Application name (if not provided, will prompt)')
-    .option('--config <file>', 'Path to wizard.yaml config file for headless mode')
+    .description('Create or extend external systems (OpenAPI, MCP, or known platforms like HubSpot) via guided steps or a config file')
+    .option('-a, --app <app>', 'Application name; skips the prompt in interactive mode')
+    .option('--config <file>', 'Run headless using a wizard.yaml file (appName, mode, source, credential, preferences)')
+    .addHelpText('after', `
+Examples:
+  $ aifabrix wizard                    Run interactively (prompts for app name and steps)
+  $ aifabrix wizard -a my-integration Run interactively with app name set
+  $ aifabrix wizard --config wizard.yaml  Run headless from a wizard config file
+
+Headless config (wizard.yaml) must include: appName, mode (create-system|add-datasource), source (type + filePath/url/platform).
+See integration/hubspot/wizard-hubspot-e2e.yaml for an example.`)
     .action(async(options) => {
       try {
         const { handleWizard } = require('./commands/wizard');

package/lib/commands/auth-status.js

@@ -15,6 +15,9 @@ const { getConfig } = config;
 const { getOrRefreshDeviceToken } = require('../utils/token-manager');
 const { getAuthUser } = require('../api/auth.api');
 const { resolveControllerUrl } = require('../utils/controller-url');
+const { findDataplaneServiceAppKey } = require('./wizard-dataplane');
+const { getDataplaneUrl } = require('../datasource/deploy');
+const { checkDataplaneHealth } = require('../utils/dataplane-health');
 
 /**
  * Format expiration date for display
@@ -212,13 +215,53 @@ function displayTokenInfo(tokenInfo) {
   displayUserInfo(tokenInfo.user);
 }
 
+/**
+ * Resolve dataplane URL from controller without progress logs (for auth status display)
+ * @async
+ * @param {string} controllerUrl - Controller URL
+ * @param {string} environment - Environment key
+ * @param {Object} authConfig - Authentication configuration
+ * @returns {Promise<string|null>} Dataplane URL or null if not discoverable
+ */
+async function resolveDataplaneUrlSilent(controllerUrl, environment, authConfig) {
+  try {
+    const dataplaneAppKey = await findDataplaneServiceAppKey(controllerUrl, environment, authConfig);
+    if (dataplaneAppKey) {
+      return await getDataplaneUrl(controllerUrl, dataplaneAppKey, environment, authConfig);
+    }
+    return await getDataplaneUrl(controllerUrl, 'dataplane', environment, authConfig);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Display dataplane section when authenticated
+ * @param {string|null} dataplaneUrl - Dataplane URL or null
+ * @param {boolean} dataplaneConnected - Whether dataplane health check passed
+ */
+function displayDataplaneSection(dataplaneUrl, dataplaneConnected) {
+  if (dataplaneUrl) {
+    logger.log(`Dataplane: ${chalk.cyan(dataplaneUrl)}`);
+    const statusIcon = dataplaneConnected ? chalk.green('✓') : chalk.red('✗');
+    const statusText = dataplaneConnected ? 'Connected' : 'Not reachable';
+    logger.log(`Status: ${statusIcon} ${statusText}`);
+  } else {
+    logger.log(`Dataplane: ${chalk.gray('—')}`);
+    logger.log(`Status: ${chalk.gray('Not discovered')}`);
+  }
+}
+
 /**
  * Display authentication status
  * @param {string} controllerUrl - Controller URL
  * @param {string} environment - Environment key
  * @param {Object|null} tokenInfo - Token information
+ * @param {Object} [dataplaneInfo] - Optional dataplane URL and health
+ * @param {string|null} [dataplaneInfo.url] - Dataplane URL
+ * @param {boolean} [dataplaneInfo.connected] - Whether dataplane is reachable
  */
-function displayStatus(controllerUrl, environment, tokenInfo) {
+function displayStatus(controllerUrl, environment, tokenInfo, dataplaneInfo) {
   logger.log(chalk.bold('\n🔐 Authentication Status\n'));
   logger.log(`Controller: ${chalk.cyan(controllerUrl)}`);
   logger.log(`Environment: ${chalk.cyan(environment || 'Not specified')}\n`);
@@ -231,6 +274,11 @@ function displayStatus(controllerUrl, environment, tokenInfo) {
   }
 
   displayTokenInfo(tokenInfo);
+
+  if (tokenInfo.authenticated && dataplaneInfo) {
+    displayDataplaneSection(dataplaneInfo.url, dataplaneInfo.connected);
+  }
+
   logger.log('');
 }
 
@@ -255,7 +303,15 @@ async function handleAuthStatus(_options) {
     tokenInfo = await checkClientToken(controllerUrl, environment);
   }
 
-  displayStatus(controllerUrl, environment, tokenInfo);
+  let dataplaneInfo = null;
+  if (tokenInfo && tokenInfo.authenticated && tokenInfo.token) {
+    const authConfig = { type: 'bearer', token: tokenInfo.token };
+    const dataplaneUrl = await resolveDataplaneUrlSilent(controllerUrl, environment, authConfig);
+    const connected = dataplaneUrl ? await checkDataplaneHealth(dataplaneUrl, 5000) : false;
+    dataplaneInfo = { url: dataplaneUrl, connected };
+  }
+
+  displayStatus(controllerUrl, environment, tokenInfo, dataplaneInfo);
 }
 
 module.exports = { handleAuthStatus };

package/lib/commands/up-miso.js

@@ -1,7 +1,7 @@
 /**
  * AI Fabrix Builder - Up Miso Command
  *
- * Installs miso-controller and keycloak from images (no build).
+ * Installs keycloak, miso-controller, and dataplane from images (no build).
  * Assumes infra is up; sets dev secrets and resolves (no force; existing .env values preserved).
  *
  * @fileoverview up-miso command implementation
@@ -25,11 +25,13 @@ const { ensureAppFromTemplate } = require('./up-common');
 const KEYCLOAK_BASE_PORT = 8082;
 /** Miso controller base port (dev-config app base) */
 const MISO_BASE_PORT = 3000;
+/** Dataplane base port (from templates/applications/dataplane/variables.yaml) */
+const _DATAPLANE_BASE_PORT = 3001;
 
 /**
- * Parse --image options array into map { keycloak?: string, 'miso-controller'?: string }
- * @param {string[]|string} imageOpts - Option value(s) e.g. ['keycloak=reg/k:v1', 'miso-controller=reg/m:v1']
- * @returns {{ keycloak?: string, 'miso-controller'?: string }}
+ * Parse --image options array into map { keycloak?: string, 'miso-controller'?: string, dataplane?: string }
+ * @param {string[]|string} imageOpts - Option value(s) e.g. ['keycloak=reg/k:v1', 'miso-controller=reg/m:v1', 'dataplane=reg/d:v1']
+ * @returns {{ keycloak?: string, 'miso-controller'?: string, dataplane?: string }}
  */
 function parseImageOptions(imageOpts) {
   const map = {};
@@ -48,7 +50,7 @@ function parseImageOptions(imageOpts) {
 
 /**
  * Build full image ref from registry and app variables (registry/name:tag)
- * @param {string} appName - keycloak or miso-controller
+ * @param {string} appName - keycloak, miso-controller, or dataplane
  * @param {string} registry - Registry URL
  * @returns {string} Full image reference
  */
@@ -65,7 +67,7 @@ function buildImageRefFromRegistry(appName, registry) {
 }
 
 /**
- * Set URL secrets and resolve keycloak + miso-controller (no force; existing .env preserved)
+ * Set URL secrets and resolve keycloak + miso-controller + dataplane (no force; existing .env preserved)
  * @async
  * @param {number} devIdNum - Developer ID number
  */
@@ -77,11 +79,12 @@ async function setMisoSecretsAndResolve(devIdNum) {
   logger.log(chalk.green('✓ Set keycloak and miso-controller URL secrets'));
   await secrets.generateEnvFile('keycloak', undefined, 'docker', false, true);
   await secrets.generateEnvFile('miso-controller', undefined, 'docker', false, true);
-  logger.log(chalk.green('✓ Resolved keycloak and miso-controller'));
+  await secrets.generateEnvFile('dataplane', undefined, 'docker', false, true);
+  logger.log(chalk.green('✓ Resolved keycloak, miso-controller, and dataplane'));
 }
 
 /**
- * Build run options and run keycloak then miso-controller
+ * Build run options and run keycloak, miso-controller, then dataplane
  * @async
  * @param {Object} options - Commander options (image, registry, registryMode)
  */
@@ -89,23 +92,27 @@ async function runMisoApps(options) {
   const imageMap = parseImageOptions(options.image);
   const keycloakImage = imageMap.keycloak || (options.registry ? buildImageRefFromRegistry('keycloak', options.registry) : undefined);
   const misoImage = imageMap['miso-controller'] || (options.registry ? buildImageRefFromRegistry('miso-controller', options.registry) : undefined);
-  const keycloakRunOpts = { image: keycloakImage, registry: options.registry, registryMode: options.registryMode, skipEnvOutputPath: true };
-  const misoRunOpts = { image: misoImage, registry: options.registry, registryMode: options.registryMode, skipEnvOutputPath: true };
+  const dataplaneImage = imageMap.dataplane || (options.registry ? buildImageRefFromRegistry('dataplane', options.registry) : undefined);
+  const keycloakRunOpts = { image: keycloakImage, registry: options.registry, registryMode: options.registryMode, skipEnvOutputPath: true, skipInfraCheck: true };
+  const misoRunOpts = { image: misoImage, registry: options.registry, registryMode: options.registryMode, skipEnvOutputPath: true, skipInfraCheck: true };
+  const dataplaneRunOpts = { image: dataplaneImage, registry: options.registry, registryMode: options.registryMode, skipEnvOutputPath: true, skipInfraCheck: true };
   logger.log(chalk.blue('Starting keycloak...'));
   await app.runApp('keycloak', keycloakRunOpts);
   logger.log(chalk.blue('Starting miso-controller...'));
   await app.runApp('miso-controller', misoRunOpts);
+  logger.log(chalk.blue('Starting dataplane...'));
+  await app.runApp('dataplane', dataplaneRunOpts);
 }
 
 /**
- * Handle up-miso command: ensure infra, ensure app dirs, set secrets, resolve (preserve existing .env), run keycloak then miso-controller.
+ * Handle up-miso command: ensure infra, ensure app dirs, set secrets, resolve (preserve existing .env), run keycloak, miso-controller, then dataplane.
  *
  * @async
  * @function handleUpMiso
  * @param {Object} options - Commander options
- * @param {string} [options.registry] - Override registry for both apps
+ * @param {string} [options.registry] - Override registry for all apps
  * @param {string} [options.registryMode] - Override registry mode (acr|external)
- * @param {string[]|string} [options.image] - Override images e.g. keycloak=reg/k:v1 or miso-controller=reg/m:v1
+ * @param {string[]|string} [options.image] - Override images e.g. keycloak=reg/k:v1, miso-controller=reg/m:v1, dataplane=reg/d:v1
  * @returns {Promise<void>}
  * @throws {Error} If infra not up or any step fails
  */
@@ -114,8 +121,9 @@ async function handleUpMiso(options = {}) {
   if (builderDir) {
     process.env.AIFABRIX_BUILDER_DIR = builderDir;
   }
-  logger.log(chalk.blue('Starting up-miso (keycloak + miso-controller from images)...\n'));
-  const health = await infra.checkInfraHealth();
+  logger.log(chalk.blue('Starting up-miso (keycloak + miso-controller + dataplane from images)...\n'));
+  // Strict: only this developer's infra (same as status), so up-miso and status agree
+  const health = await infra.checkInfraHealth(undefined, { strict: true });
   const allHealthy = Object.values(health).every(status => status === 'healthy');
   if (!allHealthy) {
     throw new Error('Infrastructure is not up. Run \'aifabrix up\' first.');
@@ -123,11 +131,12 @@ async function handleUpMiso(options = {}) {
   logger.log(chalk.green('✓ Infrastructure is up'));
   await ensureAppFromTemplate('keycloak');
   await ensureAppFromTemplate('miso-controller');
+  await ensureAppFromTemplate('dataplane');
   const developerId = await config.getDeveloperId();
   const devIdNum = typeof developerId === 'string' ? parseInt(developerId, 10) : developerId;
   await setMisoSecretsAndResolve(devIdNum);
   await runMisoApps(options);
-  logger.log(chalk.green('\n✓ up-miso complete. Keycloak and miso-controller are running.'));
+  logger.log(chalk.green('\n✓ up-miso complete. Keycloak, miso-controller, and dataplane are running.'));
   logger.log(chalk.gray('  Run onboarding and register Keycloak from the miso-controller repo if needed.'));
 }
 

package/lib/commands/wizard-core.js

@@ -9,7 +9,7 @@ const ora = require('ora');
 const path = require('path');
 const fs = require('fs').promises;
 const logger = require('../utils/logger');
-const { getDeploymentAuth, getDeviceOnlyAuth } = require('../utils/token-manager');
+const { getDeploymentAuth } = require('../utils/token-manager');
 const { resolveControllerUrl } = require('../utils/controller-url');
 const { normalizeWizardConfigs } = require('./wizard-config-normalizer');
 const {
@@ -75,6 +75,32 @@ function extractSessionId(responseData) {
   return sessionId;
 }
 
+/**
+ * Full error message when dataplane returns 401 (controller accepts token, dataplane rejects it).
+ * Avoids misleading "token invalid or expired" / "run login" text from the API formatter.
+ * @param {string} [dataplaneUrl] - Dataplane URL (for context)
+ * @param {string} [appName] - Application name for credential hint
+ * @param {string} [apiMessage] - Raw message from API (e.g. "Invalid token or insufficient permissions")
+ * @returns {string} Full message explaining the actual problem
+ */
+function formatDataplaneRejectedTokenMessage(dataplaneUrl = '', appName = null, apiMessage = '') {
+  const app = appName || '<app>';
+  const where = dataplaneUrl ? ` the dataplane at ${dataplaneUrl}` : ' the dataplane';
+  const apiLine = apiMessage ? `\n\nResponse: ${apiMessage}` : '';
+  return (
+    'Failed to create wizard session.' +
+    apiLine +
+    `\n\nYour token is valid for the controller (aifabrix auth status shows you as authenticated), but${where} rejected the request.` +
+    ' This usually means:\n' +
+    '  • The dataplane is configured to accept only client credentials, not device tokens, or\n' +
+    '  • There is a permission or configuration issue on the dataplane side.\n\n' +
+    'What you can do:\n' +
+    `  • Add client credentials to ~/.aifabrix/secrets.local.yaml as "${app}-client-idKeyVault" and "${app}-client-secretKeyVault" if the dataplane accepts them.\n` +
+    '  • Contact your administrator to have the dataplane accept your token or to get the required client credentials.\n' +
+    '  • Run "aifabrix doctor" for environment diagnostics.'
+  );
+}
+
 /**
  * Handle mode selection step - create wizard session
  * @async
@@ -92,7 +118,11 @@ async function handleModeSelection(dataplaneUrl, authConfig, configMode = null,
   if (!sessionResponse.success || !sessionResponse.data) {
     const errorMsg = sessionResponse.formattedError || sessionResponse.error ||
       sessionResponse.errorData?.detail || 'Unknown error';
-    throw new Error(`Failed to create wizard session: ${errorMsg}`);
+    const apiMessage = sessionResponse.errorData?.message || sessionResponse.errorData?.detail || sessionResponse.error || '';
+    const fullMsg = sessionResponse.status === 401
+      ? formatDataplaneRejectedTokenMessage(dataplaneUrl, null, apiMessage)
+      : `Failed to create wizard session: ${errorMsg}`;
+    throw new Error(fullMsg);
   }
   const sessionId = extractSessionId(sessionResponse.data);
   logger.log(chalk.green(`\u2713 Session created: ${sessionId}`));
@@ -478,20 +508,13 @@ async function setupDataplaneAndAuth(options, appName) {
   const { resolveEnvironment } = require('../core/config');
   const environment = await resolveEnvironment();
   const controllerUrl = await resolveControllerUrl();
+  // Prefer device token; use client token or client credentials when available.
+  // Some dataplanes accept only client credentials; getDeploymentAuth tries all.
   let authConfig;
   try {
-    // For wizard mode creating new external systems, use device-only auth
-    // since the app doesn't exist yet. Device token is sufficient for
-    // discovering the dataplane URL and running the wizard.
-    authConfig = await getDeviceOnlyAuth(controllerUrl);
+    authConfig = await getDeploymentAuth(controllerUrl, environment, appName);
   } catch (error) {
-    // Fallback to getDeploymentAuth if device-only auth fails
-    // (e.g., for add-datasource mode where app might exist)
-    try {
-      authConfig = await getDeploymentAuth(controllerUrl, environment, appName);
-    } catch (fallbackError) {
-      throw new Error(`Authentication failed: ${error.message}`);
-    }
+    throw new Error(`Authentication failed: ${error.message}`);
   }
   const { resolveDataplaneUrl } = require('../utils/dataplane-resolver');
   let dataplaneUrl;
@@ -509,7 +532,16 @@ async function setupDataplaneAndAuth(options, appName) {
 }
 
 module.exports = {
-  validateAndCheckAppDirectory, extractSessionId, handleModeSelection, handleSourceSelection, handleOpenApiParsing,
-  handleCredentialSelection, handleTypeDetection, handleConfigurationGeneration, validateWizardConfiguration,
-  handleFileSaving, setupDataplaneAndAuth
+  validateAndCheckAppDirectory,
+  extractSessionId,
+  formatDataplaneRejectedTokenMessage,
+  handleModeSelection,
+  handleSourceSelection,
+  handleOpenApiParsing,
+  handleCredentialSelection,
+  handleTypeDetection,
+  handleConfigurationGeneration,
+  validateWizardConfiguration,
+  handleFileSaving,
+  setupDataplaneAndAuth
 };

package/lib/commands/wizard.js

@@ -21,6 +21,7 @@ const {
 } = require('../generator/wizard-prompts');
 const {
   validateAndCheckAppDirectory,
+  formatDataplaneRejectedTokenMessage,
   handleOpenApiParsing,
   handleCredentialSelection,
   handleTypeDetection,
@@ -57,9 +58,10 @@ function extractSessionId(responseData) {
  * @function handleInteractiveModeSelection
  * @param {string} dataplaneUrl - Dataplane URL
  * @param {Object} authConfig - Authentication configuration
+ * @param {string} [appName] - Application name (for 401 hint)
  * @returns {Promise<Object>} Object with mode and sessionId
  */
-async function handleInteractiveModeSelection(dataplaneUrl, authConfig) {
+async function handleInteractiveModeSelection(dataplaneUrl, authConfig, appName) {
   logger.log(chalk.blue('\n\uD83D\uDCCB Step 1: Mode Selection'));
   const mode = await promptForMode();
   let systemIdOrKey = null;
@@ -71,7 +73,11 @@ async function handleInteractiveModeSelection(dataplaneUrl, authConfig) {
     const errorMsg = sessionResponse.formattedError || sessionResponse.error ||
                      sessionResponse.errorData?.detail || sessionResponse.message ||
                      (sessionResponse.status ? `HTTP ${sessionResponse.status}` : 'Unknown error');
-    throw new Error(`Failed to create wizard session: ${errorMsg}`);
+    const apiMessage = sessionResponse.errorData?.message || sessionResponse.errorData?.detail || sessionResponse.error || '';
+    const fullMsg = sessionResponse.status === 401
+      ? formatDataplaneRejectedTokenMessage(dataplaneUrl, appName, apiMessage)
+      : `Failed to create wizard session: ${errorMsg}`;
+    throw new Error(fullMsg);
   }
   const sessionId = extractSessionId(sessionResponse.data);
   return { mode, sessionId, systemIdOrKey };
@@ -187,7 +193,7 @@ async function handleConfigurationReview(dataplaneUrl, authConfig, systemConfig,
  */
 async function executeWizardFlow(appName, dataplaneUrl, authConfig) {
   // Step 1: Mode Selection
-  const { mode, sessionId, systemIdOrKey } = await handleInteractiveModeSelection(dataplaneUrl, authConfig);
+  const { mode, sessionId, systemIdOrKey } = await handleInteractiveModeSelection(dataplaneUrl, authConfig, appName);
 
   // Step 2: Source Selection
   const { sourceType, sourceData } = await handleInteractiveSourceSelection(dataplaneUrl, sessionId, authConfig);

package/lib/datasource/list.js

@@ -1,8 +1,8 @@
 /**
  * Datasource List Command
  *
- * Lists datasources from an environment via dataplane API.
- * Gets dataplane URL from controller, then lists datasources from dataplane.
+ * Lists datasources from the dataplane (GET /api/v1/external/).
+ * Resolves dataplane URL from the controller, then calls the dataplane list API.
  *
  * @fileoverview Datasource listing for AI Fabrix Builder
  * @author AI Fabrix Team
@@ -12,7 +12,7 @@
 const chalk = require('chalk');
 const { getConfig, resolveEnvironment } = require('../core/config');
 const { getOrRefreshDeviceToken } = require('../utils/token-manager');
-const { listDatasources: listDatasourcesFromDataplane } = require('../api/datasources-core.api');
+const { listDatasources: listDatasourcesFromDataplane } = require('../api/datasources.api');
 const { resolveDataplaneUrl } = require('../utils/dataplane-resolver');
 const { formatApiError } = require('../utils/api-error-handler');
 const logger = require('../utils/logger');
@@ -291,8 +291,11 @@ async function listDatasources(_options) {
 
   const controllerUrl = validateControllerUrl(authInfo.controllerUrl);
   const authConfig = setupAuthConfig(authInfo.token, controllerUrl);
+
+  // Resolve dataplane URL first (required for list call)
   const dataplaneUrl = await resolveAndValidateDataplaneUrl(controllerUrl, environment, authConfig);
 
+  // List datasources from dataplane (GET /api/v1/external/)
   const response = await listDatasourcesFromDataplane(dataplaneUrl, authConfig);
 
   if (!response.success || !response.data) {

package/lib/infrastructure/services.js

@@ -132,6 +132,8 @@ async function waitForServices(devId = null) {
  * @async
  * @function checkInfraHealth
  * @param {number|string|null} [devId] - Developer ID (null = use current)
+ * @param {Object} [options] - Options
+ * @param {boolean} [options.strict=false] - When true, only consider current dev's containers (no fallback to dev 0); use for up-miso and status consistency
  * @returns {Promise<Object>} Health status of each service
  * @throws {Error} If health check fails
  *
@@ -139,20 +141,21 @@ async function waitForServices(devId = null) {
  * const health = await checkInfraHealth();
  * // Returns: { postgres: 'healthy', redis: 'healthy', pgadmin: 'healthy', redis-commander: 'healthy' }
  */
-async function checkInfraHealth(devId = null) {
+async function checkInfraHealth(devId = null, options = {}) {
   const developerId = devId || await config.getDeveloperId();
   const servicesWithHealthCheck = ['postgres', 'redis'];
   const servicesWithoutHealthCheck = ['pgadmin', 'redis-commander'];
   const health = {};
+  const lookupOptions = options.strict ? { strict: true } : {};
 
   // Check health status for services with health checks
   for (const service of servicesWithHealthCheck) {
-    health[service] = await containerUtils.checkServiceWithHealthCheck(service, developerId);
+    health[service] = await containerUtils.checkServiceWithHealthCheck(service, developerId, lookupOptions);
   }
 
   // Check if services without health checks are running
   for (const service of servicesWithoutHealthCheck) {
-    health[service] = await containerUtils.checkServiceWithoutHealthCheck(service, developerId);
+    health[service] = await containerUtils.checkServiceWithoutHealthCheck(service, developerId, lookupOptions);
   }
 
   return health;

package/lib/utils/app-register-auth.js

@@ -138,6 +138,7 @@ async function tryFindDeviceTokenFromConfig(deviceConfig, attemptedUrls) {
 
 /**
  * Creates error data for authentication failure
+ * Deduplicates attemptedUrls so the same URL is not shown twice (e.g. when controller URL and device config URL match).
  * @function createAuthErrorData
  * @param {Error|null} lastError - Last error encountered
  * @param {string|null} controllerUrl - Original controller URL
@@ -145,10 +146,16 @@ async function tryFindDeviceTokenFromConfig(deviceConfig, attemptedUrls) {
  * @returns {Object} Error data object
  */
 function createAuthErrorData(lastError, controllerUrl, attemptedUrls) {
+  const seen = new Set();
+  const uniqueUrls = attemptedUrls.filter(u => {
+    if (seen.has(u)) return false;
+    seen.add(u);
+    return true;
+  });
   return {
     message: lastError ? lastError.message : 'No valid authentication found',
-    controllerUrl: controllerUrl || (attemptedUrls.length > 0 ? attemptedUrls[0] : undefined),
-    attemptedUrls: attemptedUrls.length > 1 ? attemptedUrls : undefined,
+    controllerUrl: controllerUrl || (uniqueUrls.length > 0 ? uniqueUrls[0] : undefined),
+    attemptedUrls: uniqueUrls.length > 1 ? uniqueUrls : undefined,
     correlationId: undefined
   };
 }

package/lib/utils/env-config-loader.js

@@ -75,6 +75,19 @@ function mergeEnvConfigs(baseConfig, userConfig) {
   return merged;
 }
 
+/**
+ * Load schema-only env-config (no user merge). Used for *_PUBLIC_PORT calculation
+ * so public ports always use canonical base (e.g. KEYCLOAK_PUBLIC_PORT = 8082 + devId*100).
+ *
+ * @function loadSchemaEnvConfig
+ * @returns {Object} Parsed schema env-config (environments.docker / .local only)
+ */
+function loadSchemaEnvConfig() {
+  const envConfigPath = path.join(__dirname, '..', 'schema', 'env-config.yaml');
+  const content = fs.readFileSync(envConfigPath, 'utf8');
+  return yaml.load(content) || {};
+}
+
 /**
  * Load env config YAML used for environment variable interpolation
  * Loads base config from lib/schema/env-config.yaml and merges with user config if configured
@@ -84,10 +97,7 @@ function mergeEnvConfigs(baseConfig, userConfig) {
  * @throws {Error} If base file cannot be read or parsed
  */
 async function loadEnvConfig() {
-  // Load base env-config.yaml
-  const envConfigPath = path.join(__dirname, '..', 'schema', 'env-config.yaml');
-  const content = fs.readFileSync(envConfigPath, 'utf8');
-  const baseConfig = yaml.load(content) || {};
+  const baseConfig = loadSchemaEnvConfig();
 
   // Load user env-config if configured
   const userConfig = await loadUserEnvConfig();
@@ -97,6 +107,7 @@ async function loadEnvConfig() {
 }
 
 module.exports = {
-  loadEnvConfig
+  loadEnvConfig,
+  loadSchemaEnvConfig
 };
 

package/lib/utils/env-map.js

@@ -10,7 +10,7 @@
 
 const fs = require('fs');
 const yaml = require('js-yaml');
-const { loadEnvConfig } = require('./env-config-loader');
+const { loadEnvConfig, loadSchemaEnvConfig } = require('./env-config-loader');
 const config = require('../core/config');
 
 /**
@@ -233,15 +233,15 @@ function applyLocalPortAdjustment(result, devIdNum) {
 
 /**
  * Calculate public ports for docker context
- * Uses base ports from env-config when available so *_PUBLIC_PORT is always base + devId*100
- * (e.g. KEYCLOAK_PUBLIC_PORT = 8082 + 600 = 8682 for dev 6, not 8080 + 600 from overrides)
+ * Uses schema env-config ports only so *_PUBLIC_PORT is always canonical base + devId*100
+ * (e.g. KEYCLOAK_PUBLIC_PORT = 8082 + 600 = 8682 for dev 6, even if user env-config or config overrides KEYCLOAK_PORT to 8080)
  *
  * @function calculateDockerPublicPorts
  * @param {Object} result - Environment variable map (merged base + overrides)
  * @param {number} devIdNum - Developer ID number
- * @param {Object} [baseVars] - Base vars from env-config (used for *_PUBLIC_PORT calculation when present)
+ * @param {Object} [schemaBaseVars] - Schema-only env-config vars (lib/schema/env-config.yaml) for *_PUBLIC_PORT
  */
-function calculateDockerPublicPorts(result, devIdNum, baseVars = {}) {
+function calculateDockerPublicPorts(result, devIdNum, schemaBaseVars = {}) {
   if (devIdNum <= 0) {
     return;
   }
@@ -249,9 +249,9 @@ function calculateDockerPublicPorts(result, devIdNum, baseVars = {}) {
     // Match any variable ending with _PORT (e.g., MISO_PORT, KEYCLOAK_PORT, DB_PORT)
     if (/_PORT$/.test(key) && !/_PUBLIC_PORT$/.test(key)) {
       const publicPortKey = key.replace(/_PORT$/, '_PUBLIC_PORT');
-      // Use base port from env-config when available so PUBLIC_PORT is canonical (e.g. 8082 not 8080)
-      const basePort = baseVars[key];
-      const sourceVal = basePort !== undefined && basePort !== null ? basePort : value;
+      // Use schema port when available so PUBLIC_PORT is canonical (e.g. 8082), not overridden (e.g. 8080)
+      const schemaPort = schemaBaseVars[key];
+      const sourceVal = schemaPort !== undefined && schemaPort !== null ? schemaPort : value;
       let portVal;
       if (typeof sourceVal === 'string') {
         portVal = parseInt(sourceVal, 10);
@@ -294,7 +294,9 @@ async function buildEnvVarMap(context, osModule = null, developerId = null) {
     applyLocalPortAdjustment(result, devIdNum);
   } else if (context === 'docker') {
     const devIdNum = await getDeveloperIdNumber(developerId);
-    calculateDockerPublicPorts(result, devIdNum, baseVars);
+    const schemaCfg = loadSchemaEnvConfig();
+    const schemaBaseVars = (schemaCfg && schemaCfg.environments && schemaCfg.environments[context]) ? schemaCfg.environments[context] : {};
+    calculateDockerPublicPorts(result, devIdNum, schemaBaseVars);
   }
 
   return result;

package/lib/utils/error-formatters/http-status-errors.js

@@ -9,6 +9,7 @@
  */
 
 const chalk = require('chalk');
+const { getPermissionDetailLines } = require('./permission-errors');
 
 /**
  * Formats authentication error
@@ -108,6 +109,13 @@ function formatAuthenticationError(errorData) {
   addControllerUrlInfo(lines, errorData);
   addAttemptedUrlsInfo(lines, errorData);
   addErrorMessageIfNotGeneric(lines, errorData);
+
+  // Show permission details when API returns them (401 "insufficient permissions" etc.)
+  const permissionLines = getPermissionDetailLines(errorData);
+  if (permissionLines.length > 0) {
+    lines.push(...permissionLines);
+  }
+
   addAuthenticationGuidance(lines, errorData);
 
   return lines.join('\n');

package/lib/utils/error-formatters/permission-errors.js

@@ -12,31 +12,44 @@ const chalk = require('chalk');
 
 /**
  * Extracts missing permissions from error data
+ * Supports: missingPermissions, missing.permissions, data.missing.permissions
  * @param {Object} errorData - Error response data
  * @returns {Array<string>} Array of missing permissions
  */
 function extractMissingPermissions(errorData) {
+  if (!errorData || typeof errorData !== 'object') return [];
   if (errorData.missingPermissions && Array.isArray(errorData.missingPermissions)) {
     return errorData.missingPermissions;
   }
   if (errorData.missing && errorData.missing.permissions && Array.isArray(errorData.missing.permissions)) {
     return errorData.missing.permissions;
   }
+  if (errorData.data?.missing?.permissions && Array.isArray(errorData.data.missing.permissions)) {
+    return errorData.data.missing.permissions;
+  }
   return [];
 }
 
 /**
  * Extracts required permissions from error data
+ * Supports: requiredPermissions, required.permissions, permissions (array), data.required.permissions
  * @param {Object} errorData - Error response data
  * @returns {Array<string>} Array of required permissions
  */
 function extractRequiredPermissions(errorData) {
+  if (!errorData || typeof errorData !== 'object') return [];
   if (errorData.requiredPermissions && Array.isArray(errorData.requiredPermissions)) {
     return errorData.requiredPermissions;
   }
   if (errorData.required && errorData.required.permissions && Array.isArray(errorData.required.permissions)) {
     return errorData.required.permissions;
   }
+  if (errorData.permissions && Array.isArray(errorData.permissions)) {
+    return errorData.permissions;
+  }
+  if (errorData.data?.required?.permissions && Array.isArray(errorData.data.required.permissions)) {
+    return errorData.data.required.permissions;
+  }
   return [];
 }
 
@@ -56,6 +69,33 @@ function addPermissionList(lines, perms, label) {
   }
 }
 
+/**
+ * Returns permission detail lines for appending to any error formatter (401, 403).
+ * Use when the API returns required/missing permissions in the error body.
+ * @param {Object} errorData - Error response data (may include required.permissions, missing.permissions, etc.)
+ * @returns {string[]} Array of formatted lines to append (may be empty)
+ */
+function getPermissionDetailLines(errorData) {
+  const lines = [];
+  const missingPerms = extractMissingPermissions(errorData);
+  const requiredPerms = extractRequiredPermissions(errorData);
+  if (missingPerms.length > 0) {
+    lines.push(chalk.yellow('Missing permissions:'));
+    missingPerms.forEach(perm => {
+      lines.push(chalk.gray(`  - ${perm}`));
+    });
+    lines.push('');
+  }
+  if (requiredPerms.length > 0) {
+    lines.push(chalk.yellow('Required permissions:'));
+    requiredPerms.forEach(perm => {
+      lines.push(chalk.gray(`  - ${perm}`));
+    });
+    lines.push('');
+  }
+  return lines;
+}
+
 /**
  * Formats permission error with missing and required permissions
  * @param {Object} errorData - Error response data
@@ -89,6 +129,9 @@ function formatPermissionError(errorData) {
 }
 
 module.exports = {
-  formatPermissionError
+  formatPermissionError,
+  getPermissionDetailLines,
+  extractMissingPermissions,
+  extractRequiredPermissions
 };
 

package/lib/utils/infra-containers.js

@@ -21,24 +21,25 @@ const execAsync = promisify(exec);
  * @async
  * @param {string} serviceName - Service name
  * @param {number|string} [devId] - Developer ID (optional, will be loaded from config if not provided)
+ * @param {Object} [options] - Options
+ * @param {boolean} [options.strict=false] - When true, only match current dev's container (no fallback to dev 0 / infra-*); use for status display
  * @returns {Promise<string|null>} Container name or null if not found
  */
-async function findContainer(serviceName, devId = null) {
+async function findContainer(serviceName, devId = null, options = {}) {
   try {
     const developerId = devId || await config.getDeveloperId();
     const idNum = typeof developerId === 'string' ? parseInt(developerId, 10) : developerId;
     // Dev 0: aifabrix-{serviceName}, Dev > 0: aifabrix-dev{id}-{serviceName}
     const primaryPattern = idNum === 0 ? `aifabrix-${serviceName}` : `aifabrix-dev${developerId}-${serviceName}`;
 
-    // Search order expected by tests:
-    // 1) primaryPattern
-    // 2) infra-{serviceName} (old pattern)
-    // 3) aifabrix-{serviceName} (base pattern)
-    const patternsToTry = [
-      primaryPattern,
-      `infra-${serviceName}`,
-      `aifabrix-${serviceName}`
-    ];
+    // When strict (e.g. status command), only show this developer's infra; no fallback to dev 0
+    const patternsToTry = options.strict
+      ? [primaryPattern]
+      : [
+        primaryPattern,
+        `infra-${serviceName}`,
+        `aifabrix-${serviceName}`
+      ];
 
     for (const pattern of patternsToTry) {
       const { stdout } = await execAsync(`docker ps --filter "name=${pattern}" --format "{{.Names}}"`);
@@ -64,12 +65,13 @@ async function findContainer(serviceName, devId = null) {
  * @private
  * @async
  * @param {string} serviceName - Service name
- * @param {number} [devId] - Developer ID (optional, will be loaded from config if not provided)
+ * @param {number|string} [devId] - Developer ID (optional, will be loaded from config if not provided)
+ * @param {Object} [options] - Options (e.g. { strict: true } for current dev only)
  * @returns {Promise<string>} Health status
  */
-async function checkServiceWithHealthCheck(serviceName, devId = null) {
+async function checkServiceWithHealthCheck(serviceName, devId = null, options = {}) {
   try {
-    const containerName = await findContainer(serviceName, devId);
+    const containerName = await findContainer(serviceName, devId, options);
     if (!containerName) {
       return 'unknown';
     }
@@ -87,12 +89,13 @@ async function checkServiceWithHealthCheck(serviceName, devId = null) {
  * @private
  * @async
  * @param {string} serviceName - Service name
- * @param {number} [devId] - Developer ID (optional, will be loaded from config if not provided)
+ * @param {number|string} [devId] - Developer ID (optional, will be loaded from config if not provided)
+ * @param {Object} [options] - Options (e.g. { strict: true } for current dev only)
  * @returns {Promise<string>} Health status
  */
-async function checkServiceWithoutHealthCheck(serviceName, devId = null) {
+async function checkServiceWithoutHealthCheck(serviceName, devId = null, options = {}) {
   try {
-    const containerName = await findContainer(serviceName, devId);
+    const containerName = await findContainer(serviceName, devId, options);
     if (!containerName) {
       return 'unknown';
     }

package/lib/utils/infra-status.js

@@ -40,7 +40,7 @@ async function getInfraStatus() {
     pgadmin: { port: ports.pgadmin, url: `http://localhost:${ports.pgadmin}` },
     'redis-commander': { port: ports.redisCommander, url: `http://localhost:${ports.redisCommander}` },
     traefik: {
-      port: `${ports.traefikHttp}/${ports.traefikHttps}`,
+      port: `${ports.traefikHttp}, ${ports.traefikHttps}`,
       url: `http://localhost:${ports.traefikHttp}, https://localhost:${ports.traefikHttps}`
     }
   };
@@ -49,7 +49,8 @@ async function getInfraStatus() {
 
   for (const [serviceName, serviceConfig] of Object.entries(services)) {
     try {
-      const containerName = await containerUtils.findContainer(serviceName, devId);
+      // Strict: only this developer's infra (no fallback to dev 0), so status reflects reality
+      const containerName = await containerUtils.findContainer(serviceName, devId, { strict: true });
       if (containerName) {
         const { stdout } = await execAsync(`docker inspect --format='{{.State.Status}}' ${containerName}`);
         // Normalize status value (trim whitespace and remove quotes)
@@ -97,6 +98,9 @@ function getInfraContainerNames(devIdNum, devId) {
   ];
 }
 
+/** Suffixes for init/helper containers to exclude from "Running Applications" (e.g. keycloak-db-init) */
+const INIT_CONTAINER_SUFFIXES = ['-db-init', '-init'];
+
 /**
  * Extracts app name from container name
  * @param {string} containerName - Container name
@@ -107,7 +111,12 @@ function getInfraContainerNames(devIdNum, devId) {
 function extractAppName(containerName, devIdNum, devId) {
   const pattern = devIdNum === 0 ? /^aifabrix-(.+)$/ : new RegExp(`^aifabrix-dev${devId}-(.+)$`);
   const match = containerName.match(pattern);
-  return match ? match[1] : null;
+  if (!match) return null;
+  const appName = match[1];
+  if (INIT_CONTAINER_SUFFIXES.some(suffix => appName.endsWith(suffix))) {
+    return null;
+  }
+  return appName;
 }
 
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.33.4",
+  "version": "2.33.6",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {