@aifabrix/builder 2.36.0 → 2.36.2

package/integration/hubspot/README.md

@@ -128,9 +128,56 @@ aifabrix datasource list
 aifabrix datasource validate hubspot-company
 ```
 
+## Wizard E2E tests and use case coverage
+
+The script `integration/hubspot/test.js` runs end-to-end wizard and validation tests. It covers all wizard use cases from [Wizard Guide](../../docs/wizard.md):
+
+| Use case | Test ID | Description |
+|----------|---------|-------------|
+| **Headless config (wizard.yaml)** | | |
+| Required `appName` | 2.1 | Rejects config missing `appName` |
+| Valid `appName` pattern (lowercase, hyphens/underscores) | 2.2 | Rejects uppercase in app name |
+| Required `mode` | 2.5 | Rejects invalid `mode` enum |
+| Required `source` block | 2.3 | Rejects config without `source` |
+| Valid `source.type` | 2.4 | Rejects invalid source type |
+| `openapi-file` requires `filePath` | 2.7 | Rejects missing/non-existent OpenAPI file |
+| `openapi-url` requires `url` | 2.8 | Rejects `openapi-url` without `url` |
+| `known-platform` requires `platform` | 2.6 | Rejects known-platform without `platform` |
+| **Mode: add-datasource** | | |
+| `systemIdOrKey` required when mode=add-datasource | 2.9 | Rejects add-datasource without systemIdOrKey |
+| **Credential** | | |
+| `credential.action=select` requires `credentialIdOrKey` | 2.10 | Rejects select without credentialIdOrKey |
+| `credential.action=create` requires `config` | 2.11 | Rejects create without config |
+| **Positive flows** | | |
+| Full wizard with OpenAPI file | 1.1 | Complete flow with local OpenAPI file |
+| Wizard with known platform | 1.2 | Flow using known-platform (e.g. HubSpot) |
+| Wizard with env var substitution in deployment | 1.6 | `${CONTROLLER_URL}`, `${DATAPLANE_URL}` in wizard.yaml |
+| Real credential creation (real-data) | 1.3 | Credential create with real OAuth2 (optional env) |
+| **Post-wizard validation (external system)** | | |
+| RBAC: permissions reference existing roles | 2.12 | Rejects permission referencing non-existent role |
+| RBAC: rbac.yaml valid YAML and structure | 2.13 | Rejects invalid YAML in rbac.yaml |
+| Datasource: dimensions required in fieldMappings | 2.14 | Rejects missing dimensions |
+| Datasource: dimension key pattern | 2.15 | Rejects invalid dimension key |
+| Datasource: attribute path pattern | 2.16 | Rejects invalid attribute path |
+| Datasource: dimensions must be object | 2.17 | Rejects dimensions as array |
+
+**Run tests:**
+
+```bash
+# All tests (positive may skip if dataplane/controller unavailable)
+node integration/hubspot/test.js
+
+# Negative only (no dataplane required)
+node integration/hubspot/test.js --type negative
+
+# Specific test
+node integration/hubspot/test.js --test "2.1,2.2"
+```
+
 ## Documentation
 
 - [External Systems Guide](../../docs/external-systems.md) - Complete guide with examples
+- [Wizard Guide](../../docs/wizard.md) - Wizard workflow and headless config
 - [CLI Reference](../../docs/cli-reference.md) - All commands
 - [Configuration Reference](../../docs/CONFIGURATION.md) - Config file details
 

package/integration/hubspot/env.template

@@ -5,5 +5,10 @@
 CLIENTID=kv://hubspot-clientidKeyVault
 CLIENTSECRET=kv://hubspot-clientsecretKeyVault
 TOKENURL=https://api.hubapi.com/oauth/v1/token
-REDIRECT_URI=kv://hubspot-redirect-uriKeyVault
+
+# Optional: test runner (integration/hubspot/test.js) reads all config from this .env
+# CONTROLLER_URL=http://localhost:3110
+# ENVIRONMENT=miso
+# DATAPLANE_URL=
+# HUBSPOT_OPENAPI_FILE=integration/hubspot/companies.json
 

package/integration/hubspot/hubspot-deploy.json

@@ -61,12 +61,6 @@
         "location": "variable",
         "required": true
       },
-      {
-        "name": "REDIRECT_URI",
-        "value": "hubspot-redirect-uriKeyVault",
-        "location": "keyvault",
-        "required": false
-      },
       {
         "name": "HUBSPOT_API_VERSION",
         "value": "v3",

package/integration/hubspot/hubspot-system.json

@@ -43,12 +43,6 @@
       "location": "variable",
       "required": true
     },
-    {
-      "name": "REDIRECT_URI",
-      "value": "hubspot-redirect-uriKeyVault",
-      "location": "keyvault",
-      "required": false
-    },
     {
       "name": "HUBSPOT_API_VERSION",
       "value": "v3",

package/integration/hubspot/test-artifacts/wizard-hubspot-env-vars.yaml

@@ -6,4 +6,4 @@ source:
 deployment:
   controller: ${CONTROLLER_URL}
   dataplane: ${DATAPLANE_URL}
-  environment: miso
+  environment: dev

package/integration/hubspot/test-dataplane-down-helpers.js

@@ -217,7 +217,10 @@ function validateWizardResult(result, output) {
     'fetch failed',
     'timeout',
     'unreachable',
-    'failed to create wizard session'
+    'failed to create wizard session',
+    'authentication failed',
+    'no authentication method',
+    'client token unavailable'
   ];
 
   const isValid = !result.success && validateError(output, expectedPatterns);

package/integration/hubspot/test-dataplane-down-tests.js

@@ -65,13 +65,7 @@ async function testWizard() {
       'bin/aifabrix.js',
       'wizard',
       '--config',
-      configPath,
-      '--controller',
-      CONTROLLER_URL,
-      '--environment',
-      ENVIRONMENT,
-      '--dataplane',
-      INVALID_DATAPLANE_URL
+      configPath
     ];
 
     const result = await runCommand('node', args);
@@ -107,11 +101,7 @@ async function testDownload() {
   const args = [
     'bin/aifabrix.js',
     'download',
-    'non-existent-system-that-should-fail',
-    '--environment',
-    ENVIRONMENT,
-    '--controller',
-    CONTROLLER_URL
+    'non-existent-system-that-should-fail'
   ];
 
   const result = await runCommand('node', args);
@@ -155,10 +145,6 @@ async function testDelete() {
     'non-existent-system-that-should-fail',
     '--type',
     'external',
-    '--environment',
-    ENVIRONMENT,
-    '--controller',
-    CONTROLLER_URL,
     '--yes'
   ];
 
@@ -219,13 +205,7 @@ function buildDatasourceDeployArgs(datasourcePath) {
     'datasource',
     'deploy',
     'test-app',
-    datasourcePath,
-    '--environment',
-    ENVIRONMENT,
-    '--controller',
-    CONTROLLER_URL,
-    '--dataplane',
-    INVALID_DATAPLANE_URL
+    datasourcePath
   ];
 }
 
@@ -321,11 +301,7 @@ async function testIntegration() {
   const args = [
     'bin/aifabrix.js',
     'test-integration',
-    testApp,
-    '--environment',
-    ENVIRONMENT,
-    '--controller',
-    CONTROLLER_URL
+    testApp
   ];
 
   const result = await runCommand('node', args);
@@ -372,11 +348,7 @@ async function testDataplaneDiscovery() {
   const args = [
     'bin/aifabrix.js',
     'download',
-    'non-existent-system-for-discovery-test',
-    '--environment',
-    ENVIRONMENT,
-    '--controller',
-    CONTROLLER_URL
+    'non-existent-system-for-discovery-test'
   ];
 
   const result = await runCommand('node', args);

package/integration/hubspot/test-dataplane-down.js

@@ -11,6 +11,9 @@
  */
 'use strict';
 
+const fs = require('fs').promises;
+const path = require('path');
+const os = require('os');
 const {
   logInfo,
   logSuccess,
@@ -27,9 +30,51 @@ const {
 } = require('./test-dataplane-down-tests');
 
 const INVALID_DATAPLANE_URL = 'http://localhost:9999';
-const CONTROLLER_URL = process.env.CONTROLLER_URL || 'http://localhost:3110';
 const ENVIRONMENT = process.env.ENVIRONMENT || 'miso';
 
+/** Path to temp config used so CLI uses invalid controller URL and fails with connection error */
+let tempConfigPath = null;
+let originalAifabrixConfig = null;
+
+/**
+ * Create temp config pointing controller to invalid URL so commands fail with connection error
+ * @async
+ * @returns {Promise<string>} Path to temp config file
+ */
+async function createTempConfig() {
+  const dir = path.join(os.tmpdir(), `aifabrix-dataplane-down-${Date.now()}`);
+  await fs.mkdir(dir, { recursive: true });
+  const configPath = path.join(dir, 'config.yaml');
+  const content = `controller: "${INVALID_DATAPLANE_URL}"
+environment: "${ENVIRONMENT}"
+`;
+  await fs.writeFile(configPath, content, 'utf8');
+  return configPath;
+}
+
+/**
+ * Restore AIFABRIX_CONFIG and remove temp config
+ * @async
+ * @returns {Promise<void>} Resolves when cleanup is complete
+ */
+async function cleanupTempConfig() {
+  if (originalAifabrixConfig !== undefined) {
+    if (originalAifabrixConfig === null) {
+      delete process.env.AIFABRIX_CONFIG;
+    } else {
+      process.env.AIFABRIX_CONFIG = originalAifabrixConfig;
+    }
+  }
+  if (tempConfigPath) {
+    try {
+      await fs.rm(path.dirname(tempConfigPath), { recursive: true, force: true }).catch(() => {});
+    } catch {
+      // Ignore cleanup errors
+    }
+    tempConfigPath = null;
+  }
+}
+
 /**
  * Displays failed test details
  * @function displayFailedTestDetails
@@ -137,17 +182,24 @@ async function main() {
   logInfo('='.repeat(60));
   logInfo('Dataplane Down Error Handling Test Suite');
   logInfo('='.repeat(60));
-  logInfo(`Invalid Dataplane URL: ${INVALID_DATAPLANE_URL}`);
-  logInfo(`Controller URL: ${CONTROLLER_URL}`);
+  logInfo(`Invalid Controller URL (used for all commands): ${INVALID_DATAPLANE_URL}`);
   logInfo(`Environment: ${ENVIRONMENT}`);
   logInfo('='.repeat(60));
 
-  const results = await runTests();
-  displaySummary(results);
+  try {
+    tempConfigPath = await createTempConfig();
+    originalAifabrixConfig = process.env.AIFABRIX_CONFIG || null;
+    process.env.AIFABRIX_CONFIG = tempConfigPath;
 
-  const failed = results.filter(r => !r.success).length;
-  if (failed > 0) {
-    process.exitCode = 1;
+    const results = await runTests();
+    displaySummary(results);
+
+    const failed = results.filter(r => !r.success).length;
+    if (failed > 0) {
+      process.exitCode = 1;
+    }
+  } finally {
+    await cleanupTempConfig();
   }
 }
 

package/integration/hubspot/test.js

@@ -18,19 +18,14 @@ const yaml = require('js-yaml');
 const chalk = require('chalk');
 const { getDeploymentAuth } = require('../../lib/utils/token-manager');
 const { discoverDataplaneUrl } = require('../../lib/commands/wizard-dataplane');
+const { resolveControllerUrl } = require('../../lib/utils/controller-url');
+const { resolveEnvironment } = require('../../lib/core/config');
 
 const execFileAsync = promisify(execFile);
 
-const DEFAULT_CONTROLLER_URL = process.env.CONTROLLER_URL || 'http://localhost:3110';
-const DEFAULT_ENVIRONMENT = process.env.ENVIRONMENT || 'miso';
-const DEFAULT_DATAPLANE_URL = process.env.DATAPLANE_URL || '';
-const DEFAULT_OPENAPI_FILE = process.env.HUBSPOT_OPENAPI_FILE ||
-  '/workspace/aifabrix-dataplane/data/hubspot/openapi/companies.json';
-const LOCAL_ENV_PATH = path.join(process.cwd(), 'integration', 'hubspot', '.env');
-const DEFAULT_ENV_PATH = process.env.HUBSPOT_ENV_PATH ||
-  (fsSync.existsSync(LOCAL_ENV_PATH) ? LOCAL_ENV_PATH : '/workspace/aifabrix-dataplane/data/hubspot/.env');
-
+/** Single source for test config: integration/hubspot/.env */
 const HUBSPOT_DIR = path.join(process.cwd(), 'integration', 'hubspot');
+const LOCAL_ENV_PATH = path.join(HUBSPOT_DIR, '.env');
 const ARTIFACT_DIR = path.join(HUBSPOT_DIR, 'test-artifacts');
 const MAX_OUTPUT_BYTES = 10 * 1024 * 1024;
 const COMMAND_TIMEOUT_MS = 10 * 60 * 1000;
@@ -271,11 +266,54 @@ async function loadEnvFile(envPath, options) {
       process.env[key] = value;
     }
   }
+  // Map common .env keys so tests and wizard use credentials from integration/hubspot/.env
+  if (process.env.CLIENTID && process.env.HUBSPOT_CLIENT_ID === undefined) {
+    process.env.HUBSPOT_CLIENT_ID = process.env.CLIENTID;
+  }
+  if (process.env.CLIENTSECRET && process.env.HUBSPOT_CLIENT_SECRET === undefined) {
+    process.env.HUBSPOT_CLIENT_SECRET = process.env.CLIENTSECRET;
+  }
   if (options.verbose) {
     logInfo(`Loaded env vars from: ${envPath}`);
   }
 }
 
+/**
+ * Load test config (controller, environment, dataplane, openapi file).
+ * Reads integration/hubspot/.env; missing CONTROLLER_URL/ENVIRONMENT fall back to
+ * the same resolution as the CLI (aifx auth status) so tests use the same controller.
+ * @async
+ * @function loadTestConfigFromEnv
+ * @returns {Promise<Object>} Context with controllerUrl, environment, dataplaneUrl, openapiFile
+ */
+async function loadTestConfigFromEnv() {
+  const defaults = {
+    DATAPLANE_URL: '',
+    HUBSPOT_OPENAPI_FILE: path.join(HUBSPOT_DIR, 'companies.json')
+  };
+  let parsed = {};
+  try {
+    if (fsSync.existsSync(LOCAL_ENV_PATH)) {
+      const content = await fs.readFile(LOCAL_ENV_PATH, 'utf8');
+      parsed = parseEnvFile(content);
+    }
+  } catch (error) {
+    logWarn(`Could not read ${LOCAL_ENV_PATH}: ${error.message}`);
+  }
+  const controllerUrl = parsed.CONTROLLER_URL
+    ? parsed.CONTROLLER_URL.trim()
+    : await resolveControllerUrl();
+  const environment = parsed.ENVIRONMENT
+    ? parsed.ENVIRONMENT.trim()
+    : await resolveEnvironment();
+  return {
+    controllerUrl,
+    environment,
+    dataplaneUrl: parsed.DATAPLANE_URL || defaults.DATAPLANE_URL,
+    openapiFile: parsed.HUBSPOT_OPENAPI_FILE || defaults.HUBSPOT_OPENAPI_FILE
+  };
+}
+
 /**
  * Ensure dataplane URL is available for tests
  * @async
@@ -392,7 +430,8 @@ async function validateAuth(context, options) {
     throw new Error('Authentication check failed. Run: node bin/aifabrix.js login --controller <url> --method device');
   }
   const output = `${result.stdout}\n${result.stderr}`;
-  if (output.includes('Not authenticated') || output.includes('✗')) {
+  // Only treat "Not authenticated" as failure; "✗ Not reachable" (dataplane) is not auth failure
+  if (output.includes('Not authenticated')) {
     throw new Error('Not authenticated. Run: node bin/aifabrix.js login --controller <url> --method device');
   }
   logSuccess('Authentication validated.');
@@ -689,7 +728,7 @@ async function runCommandWithErrorHandling(command, args, options, appName) {
     const errorOutput = `${result.stdout}\n${result.stderr}`;
     if (appName && (errorOutput.includes('not found') ||
         (errorOutput.includes('External system') && errorOutput.includes('not found')))) {
-      logWarn(`System ${appName} not deployed, skipping download test`);
+      logInfo(`System ${appName} not deployed on dataplane; download step omitted (optional).`);
       return { skipped: true };
     }
     throw new Error(`${command} failed: ${result.stderr || result.stdout}`);
@@ -1216,7 +1255,7 @@ async function corruptSystemFileWithInvalidRole(appPath) {
  * @returns {Promise<void>} Resolves when file is corrupted
  */
 async function corruptRbacFile(appPath) {
-  const rbacPath = path.join(appPath, 'rbac.yml');
+  const rbacPath = path.join(appPath, 'rbac.yaml');
   await fs.writeFile(rbacPath, 'invalid: yaml: syntax: [', 'utf8');
 }
 
@@ -1339,7 +1378,7 @@ function buildNegativeRbacTestCases(context) {
         const appName = 'hubspot-test-negative-rbac-invalid-yaml';
         const appPath = await createSystemForNegativeTest(appName, 'wizard-valid-for-rbac-yaml-test', context, options);
         await corruptRbacFile(appPath);
-        await runValidationExpectFailure(appName, context, options, 'schema must be object or boolean');
+        await runValidationExpectFailure(appName, context, options, 'Invalid YAML syntax in rbac.yaml');
         await cleanupAppArtifacts(appName, options);
       }
     }
@@ -1485,13 +1524,8 @@ async function main() {
     return;
   }
   await ensureDir(ARTIFACT_DIR);
-  await loadEnvFile(DEFAULT_ENV_PATH, args);
-  const context = {
-    controllerUrl: DEFAULT_CONTROLLER_URL,
-    environment: DEFAULT_ENVIRONMENT,
-    dataplaneUrl: DEFAULT_DATAPLANE_URL,
-    openapiFile: DEFAULT_OPENAPI_FILE
-  };
+  await loadEnvFile(LOCAL_ENV_PATH, args);
+  const context = await loadTestConfigFromEnv();
   setupTestContext(context);
   await validateAuth(context, args);
   const testCases = buildTestCases(context).filter(testCase => (

package/integration/hubspot/wizard-hubspot-e2e.yaml

@@ -13,4 +13,4 @@ preferences:
   enableRBAC: false
 deployment:
   controller: http://localhost:3110
-  environment: miso
+  environment: dev

package/lib/api/pipeline.api.js

@@ -81,9 +81,33 @@ async function getPipelineHealth(controllerUrl, envKey) {
   return await client.get(`/api/v1/pipeline/${envKey}/health`);
 }
 
+/**
+ * Publish one external system via dataplane pipeline endpoint
+ * POST /api/v1/pipeline/publish
+ * Request body: external system JSON (external-system.schema.json). Optional field in body:
+ * generateMcpContract (boolean, default true). Optional: generateOpenApiContract (boolean).
+ * Do not use query parameters for MCP; use the field in the body only.
+ *
+ * @async
+ * @function publishSystemViaPipeline
+ * @param {string} dataplaneUrl - Dataplane base URL
+ * @param {Object} authConfig - Authentication configuration
+ * @param {Object} systemConfig - External system configuration (conforms to external-system.schema.json)
+ * @returns {Promise<Object>} Published external system response
+ * @throws {Error} If publish fails
+ */
+async function publishSystemViaPipeline(dataplaneUrl, authConfig, systemConfig) {
+  const client = new ApiClient(dataplaneUrl, authConfig);
+  return await client.post('/api/v1/pipeline/publish', {
+    body: systemConfig
+  });
+}
+
 /**
  * Publish datasource via dataplane pipeline endpoint
  * POST /api/v1/pipeline/{systemKey}/publish
+ * No generateMcpContract for this endpoint; dataplane always uses default (MCP generated).
+ *
  * @async
  * @function publishDatasourceViaPipeline
  * @param {string} dataplaneUrl - Dataplane base URL
@@ -169,11 +193,15 @@ async function deployDatasourceViaPipeline(dataplaneUrl, systemKey, authConfig,
 /**
  * Upload application configuration via dataplane pipeline endpoint
  * POST /api/v1/pipeline/upload
+ * Body: { version, application, dataSources }. Include application.generateMcpContract
+ * and/or application.generateOpenApiContract to control contract generation when
+ * publishing this upload (publish reads from stored config; no query param on publish).
+ *
  * @async
  * @function uploadApplicationViaPipeline
  * @param {string} dataplaneUrl - Dataplane base URL
  * @param {Object} authConfig - Authentication configuration
- * @param {Object} applicationSchema - Application schema configuration
+ * @param {Object} applicationSchema - { version, application, dataSources }; application may include generateMcpContract, generateOpenApiContract
  * @returns {Promise<Object>} Upload response with uploadId
  * @throws {Error} If upload fails
  */
@@ -203,20 +231,22 @@ async function validateUploadViaPipeline(dataplaneUrl, uploadId, authConfig) {
 /**
  * Publish upload via dataplane pipeline endpoint
  * POST /api/v1/pipeline/upload/{uploadId}/publish
+ * No body or query parameters. MCP/OpenAPI generation is taken from the application config
+ * that was uploaded (application.generateMcpContract, application.generateOpenApiContract).
+ * To control MCP/OpenAPI, include those fields in the application object when calling
+ * uploadApplicationViaPipeline.
+ *
  * @async
  * @function publishUploadViaPipeline
  * @param {string} dataplaneUrl - Dataplane base URL
  * @param {string} uploadId - Upload ID
  * @param {Object} authConfig - Authentication configuration
- * @param {Object} [options] - Publish options
- * @param {boolean} [options.generateMcpContract] - Generate MCP contract (default: true)
  * @returns {Promise<Object>} Publish response
  * @throws {Error} If publish fails
  */
-async function publishUploadViaPipeline(dataplaneUrl, uploadId, authConfig, options = {}) {
+async function publishUploadViaPipeline(dataplaneUrl, uploadId, authConfig) {
   const client = new ApiClient(dataplaneUrl, authConfig);
-  const generateMcpContract = options.generateMcpContract !== false; // Default to true
-  return await client.post(`/api/v1/pipeline/upload/${uploadId}/publish?generateMcpContract=${generateMcpContract}`);
+  return await client.post(`/api/v1/pipeline/upload/${uploadId}/publish`);
 }
 
 module.exports = {
@@ -224,6 +254,7 @@ module.exports = {
   deployPipeline,
   getPipelineDeployment,
   getPipelineHealth,
+  publishSystemViaPipeline,
   publishDatasourceViaPipeline,
   testDatasourceViaPipeline,
   deployExternalSystemViaPipeline,

package/lib/app/config.js

@@ -66,7 +66,6 @@ function generateExternalSystemEnvTemplate(config, appName) {
     lines.push('CLIENTID=kv://' + systemKey + '-clientidKeyVault');
     lines.push('CLIENTSECRET=kv://' + systemKey + '-clientsecretKeyVault');
     lines.push('TOKENURL=https://api.example.com/oauth/token');
-    lines.push('REDIRECT_URI=kv://' + systemKey + '-redirect-uriKeyVault');
   } else if (authType === 'apikey') {
     lines.push('API_KEY=kv://' + systemKey + '-api-keyKeyVault');
   } else if (authType === 'basic') {

package/lib/app/list.js

@@ -168,7 +168,7 @@ function displayApplications(applications, environment, controllerUrl) {
     const urlAndPort = formatUrlAndPort(app);
     logger.log(`${hasPipeline} ${chalk.cyan(app.key)} - ${app.displayName} (${app.status || 'unknown'})${urlAndPort}`);
   });
-  logger.log('');
+  logger.log(chalk.gray('  To show details for an app: aifabrix app show <appKey>\n'));
 }
 
 /**

package/lib/app/show-display.js

@@ -51,7 +51,7 @@ function logApplicationExternalIntegration(ei) {
   logger.log(`    schemaBasePath: ${ei.schemaBasePath}`);
   logger.log(`    systems: [${(ei.systems || []).join(', ')}]`);
   logger.log(`    dataSources: [${(ei.dataSources || []).join(', ')}]`);
-  logger.log(chalk.gray('\n  For external system data as on dataplane, run with --online.'));
+  logger.log(chalk.gray('\n  For external system data as on dataplane, run: aifabrix show <appKey> --online or aifabrix app show <appKey>.'));
 }
 
 function logApplicationSection(a, isExternal) {
@@ -130,6 +130,31 @@ function logExternalSystemDataSources(dataSources) {
   });
 }
 
+/**
+ * Log OpenAPI and MCP documentation links for external system (dataplane endpoints).
+ * REST: /api/v1/rest/{systemKey}/docs; MCP: /api/v1/mcp/{systemKey}/{resourceType}/docs per dataSource.
+ * @param {Object} ext - External system result (dataplaneUrl, systemKey, dataSources, openapiFiles, openapiEndpoints)
+ */
+function logExternalSystemServiceLinks(ext) {
+  if (!ext || !ext.dataplaneUrl || !ext.systemKey) return;
+  const base = ext.dataplaneUrl.replace(/\/$/, '');
+  const sk = ext.systemKey;
+  const hasOpenApi = (ext.openapiFiles && ext.openapiFiles.length > 0) ||
+    (ext.openapiEndpoints && ext.openapiEndpoints.length > 0);
+  const dataSources = ext.dataSources || [];
+  const hasMcp = dataSources.length > 0;
+  if (!hasOpenApi && !hasMcp) return;
+
+  logger.log('  Service links:');
+  logger.log(`    REST OpenAPI:  ${base}/api/v1/rest/${sk}/docs`);
+  if (hasMcp) {
+    dataSources.forEach((ds) => {
+      const resourceType = ds.key || ds.systemKey || sk;
+      logger.log(`    MCP ${resourceType}:  ${base}/api/v1/mcp/${sk}/${resourceType}/docs`);
+    });
+  }
+}
+
 function logExternalSystemApplication(ap) {
   if (!ap) return;
   logger.log('  Application (from dataplane):');
@@ -155,6 +180,7 @@ function logExternalSystemSection(ext) {
     const sample = ext.openapiEndpoints.slice(0, 3).map((e) => `${e.method || 'GET'} ${e.path || e.pathPattern || e}`).join(', ');
     logger.log(`  OpenAPI endpoints: ${ext.openapiEndpoints.length} (e.g. ${sample}${ext.openapiEndpoints.length > 3 ? ' …' : ''})`);
   }
+  logExternalSystemServiceLinks(ext);
 }
 
 /**

package/lib/commands/app.js

@@ -14,6 +14,7 @@ const logger = require('../utils/logger');
 const { listApplications } = require('../app/list');
 const { registerApplication } = require('../app/register');
 const { rotateSecret } = require('../app/rotate-secret');
+const { showApp } = require('../app/show');
 
 /**
  * Setup application management commands
@@ -66,6 +67,20 @@ function setupAppCommands(program) {
         process.exit(1);
       }
     });
+
+  // Show command: show application from controller (online). Same as aifabrix show <appKey> --online.
+  app
+    .command('show <appKey>')
+    .description('Show application from controller (online). Same as aifabrix show <appKey> --online')
+    .option('--json', 'Output as JSON')
+    .action(async(appKey, options) => {
+      try {
+        await showApp(appKey, { online: true, json: !!options.json });
+      } catch (error) {
+        logger.error(chalk.red(`Error: ${error.message}`));
+        process.exit(1);
+      }
+    });
 }
 
 module.exports = { setupAppCommands };

package/lib/commands/auth-status.js

@@ -197,15 +197,15 @@ function displayTokenInfo(tokenInfo) {
   const statusIcon = tokenInfo.authenticated ? chalk.green('✓') : chalk.red('✗');
   const statusText = tokenInfo.authenticated ? 'Authenticated' : 'Not authenticated';
 
-  logger.log(`Status: ${statusIcon} ${statusText}`);
-  logger.log(`Token Type: ${chalk.cyan(tokenInfo.type)}`);
+  logger.log(`  Status: ${statusIcon} ${statusText}`);
+  logger.log(`  Token Type: ${chalk.cyan(tokenInfo.type)}`);
 
   if (tokenInfo.appName) {
-    logger.log(`Application: ${chalk.cyan(tokenInfo.appName)}`);
+    logger.log(`  Application: ${chalk.cyan(tokenInfo.appName)}`);
   }
 
   if (tokenInfo.expiresAt) {
-    logger.log(`Expires: ${chalk.gray(formatExpiration(tokenInfo.expiresAt))}`);
+    logger.log(`  Expires: ${chalk.gray(formatExpiration(tokenInfo.expiresAt))}`);
   }
 
   if (tokenInfo.error) {
@@ -241,14 +241,43 @@ async function resolveDataplaneUrlSilent(controllerUrl, environment, authConfig)
  * @param {boolean} dataplaneConnected - Whether dataplane health check passed
  */
 function displayDataplaneSection(dataplaneUrl, dataplaneConnected) {
+  logger.log('');
   if (dataplaneUrl) {
     logger.log(`Dataplane: ${chalk.cyan(dataplaneUrl)}`);
     const statusIcon = dataplaneConnected ? chalk.green('✓') : chalk.red('✗');
     const statusText = dataplaneConnected ? 'Connected' : 'Not reachable';
-    logger.log(`Status: ${statusIcon} ${statusText}`);
+    displayOpenApiDocs(null, dataplaneUrl);
+    logger.log('');
+    logger.log(`  Status: ${statusIcon} ${statusText}`);
   } else {
     logger.log(`Dataplane: ${chalk.gray('—')}`);
-    logger.log(`Status: ${chalk.gray('Not discovered')}`);
+    logger.log('');
+    logger.log(`  Status: ${chalk.gray('Not discovered')}`);
+  }
+}
+
+/**
+ * Normalize base URL (no trailing slash) for docs path
+ * @param {string} url - Base URL
+ * @returns {string} URL without trailing slash
+ */
+function normalizeBaseUrl(url) {
+  return (url || '').replace(/\/$/, '');
+}
+
+/**
+ * Display Open API documentation links (Controller and Dataplane)
+ * @param {string} controllerUrl - Controller URL
+ * @param {string|null} dataplaneUrl - Dataplane URL or null
+ */
+function displayOpenApiDocs(controllerUrl, dataplaneUrl) {
+  const controllerBase = normalizeBaseUrl(controllerUrl);
+  if (controllerBase) {
+    logger.log(`  Open API docs: ${chalk.cyan(controllerBase + '/api/docs')}`);
+  }
+  if (dataplaneUrl) {
+    const dataplaneBase = normalizeBaseUrl(dataplaneUrl);
+    logger.log(`  Open API docs: ${chalk.cyan(dataplaneBase + '/api/docs')}`);
   }
 }
 
@@ -264,11 +293,12 @@ function displayDataplaneSection(dataplaneUrl, dataplaneConnected) {
 function displayStatus(controllerUrl, environment, tokenInfo, dataplaneInfo) {
   logger.log(chalk.bold('\n🔐 Authentication Status\n'));
   logger.log(`Controller: ${chalk.cyan(controllerUrl)}`);
-  logger.log(`Environment: ${chalk.cyan(environment || 'Not specified')}\n`);
+  displayOpenApiDocs(controllerUrl, null);
+  logger.log(`  Environment: ${chalk.cyan(environment || 'Not specified')}\n`);
 
   if (!tokenInfo) {
-    logger.log(`Status: ${chalk.red('✗ Not authenticated')}`);
-    logger.log(`Token Type: ${chalk.gray('None')}\n`);
+    logger.log(`  Status: ${chalk.red('✗ Not authenticated')}`);
+    logger.log(`  Token Type: ${chalk.gray('None')}\n`);
     logger.log(chalk.yellow('💡 Run "aifabrix login" to authenticate\n'));
     return;
   }

package/lib/commands/wizard-helpers.js

@@ -12,13 +12,15 @@ const logger = require('../utils/logger');
 /**
  * Build preferences object for wizard.yaml (schema shape: intent, fieldOnboardingLevel, enableOpenAPIGeneration, enableMCP, enableABAC, enableRBAC)
  * @param {string} intent - User intent
- * @param {Object} preferences - From promptForUserPreferences (mcp, abac, rbac)
+ * @param {Object} preferences - From promptForUserPreferences (fieldOnboardingLevel, mcp, abac, rbac)
  * @returns {Object} Preferences for wizard-config schema
  */
 function buildPreferencesForSave(intent, preferences) {
+  const level = preferences?.fieldOnboardingLevel;
+  const validLevel = level === 'standard' || level === 'minimal' ? level : 'full';
   return {
     intent: intent || 'general integration',
-    fieldOnboardingLevel: 'full',
+    fieldOnboardingLevel: validLevel,
     enableOpenAPIGeneration: true,
     enableMCP: Boolean(preferences?.mcp),
     enableABAC: Boolean(preferences?.abac),
@@ -78,11 +80,18 @@ function formatSourceLine(source) {
  * @returns {string|null}
  */
 function formatPreferencesLine(preferences) {
-  if (!preferences || (!preferences.intent && (preferences.enableMCP === undefined || preferences.enableMCP === null))) {
+  if (!preferences || (!preferences.intent && (preferences.enableMCP === undefined || preferences.enableMCP === null) && !preferences.fieldOnboardingLevel)) {
     return null;
   }
   const p = preferences;
-  return [p.intent && `intent=${p.intent}`, p.enableMCP && 'MCP', p.enableABAC && 'ABAC', p.enableRBAC && 'RBAC'].filter(Boolean).join(', ') || '(defaults)';
+  const parts = [
+    p.fieldOnboardingLevel && `level=${p.fieldOnboardingLevel}`,
+    p.intent && `intent=${p.intent}`,
+    p.enableMCP && 'MCP',
+    p.enableABAC && 'ABAC',
+    p.enableRBAC && 'RBAC'
+  ].filter(Boolean);
+  return parts.length ? parts.join(', ') : '(defaults)';
 }
 
 /**

package/lib/commands/wizard.js

@@ -148,6 +148,7 @@ async function handleInteractiveConfigGeneration(options) {
 
   const configPrefs = {
     intent: userIntent,
+    fieldOnboardingLevel: preferences.fieldOnboardingLevel || 'full',
     enableMCP: preferences.mcp,
     enableABAC: preferences.abac,
     enableRBAC: preferences.rbac

package/lib/generator/wizard-prompts.js

@@ -309,10 +309,21 @@ async function promptForUserIntent() {
  * Prompt for user preferences
  * @async
  * @function promptForUserPreferences
- * @returns {Promise<Object>} User preferences object
+ * @returns {Promise<Object>} User preferences object (fieldOnboardingLevel, mcp, abac, rbac)
  */
 async function promptForUserPreferences() {
   const answers = await inquirer.prompt([
+    {
+      type: 'list',
+      name: 'fieldOnboardingLevel',
+      message: 'Field onboarding level:',
+      choices: [
+        { name: 'full - All fields mapped and indexed', value: 'full' },
+        { name: 'standard - Core and important fields only', value: 'standard' },
+        { name: 'minimal - Essential fields only', value: 'minimal' }
+      ],
+      default: 'full'
+    },
     {
       type: 'confirm',
       name: 'mcp',
@@ -333,6 +344,7 @@ async function promptForUserPreferences() {
     }
   ]);
   return {
+    fieldOnboardingLevel: answers.fieldOnboardingLevel,
     mcp: answers.mcp,
     abac: answers.abac,
     rbac: answers.rbac

package/lib/schema/env-config.yaml

@@ -20,7 +20,7 @@ environments:
     KEYCLOAK_PORT: 8082  # Internal port (container-to-container). KEYCLOAK_PUBLIC_PORT calculated automatically.
     KEYCLOAK_PUBLIC_PORT: 8082
     DATAPLANE_HOST: dataplane
-    DATAPLANE_PORT: 3001
+    DATAPLANE_PORT: 3001 # Internal port (container-to-container). DATAPLANE_PUBLIC_PORT calculated automatically.
     NODE_ENV: production
     PYTHONUNBUFFERED: 1
     PYTHONDONTWRITEBYTECODE: 1
@@ -33,10 +33,8 @@ environments:
     REDIS_PORT: 6379
     MISO_HOST: localhost
     MISO_PORT: 3010
-    MISO_PUBLIC_PORT: 3010
     KEYCLOAK_HOST: localhost
     KEYCLOAK_PORT: 8082
-    KEYCLOAK_PUBLIC_PORT: 8082
     DATAPLANE_HOST: localhost
     DATAPLANE_PORT: 3011
     NODE_ENV: development

package/lib/schema/external-system.schema.json

@@ -7,7 +7,7 @@
     "key": "external-system-schema",
     "name": "External System Configuration Schema",
     "description": "JSON schema for validating ExternalSystem configuration files",
-    "version": "1.1.0",
+    "version": "1.2.0",
     "type": "schema",
     "category": "integration",
     "author": "AI Fabrix Team",
@@ -27,6 +27,15 @@
     ],
     "dependencies": [],
     "changelog": [
+      {
+        "version": "1.2.0",
+        "date": "2025-02-01T00:00:00Z",
+        "changes": [
+          "Added generateMcpContract (boolean, default true): config-only control for MCP contract generation on publish",
+          "Added generateOpenApiContract (boolean, default true): reserved for future use"
+        ],
+        "breaking": false
+      },
       {
         "version": "1.1.0",
         "date": "2025-12-01T00:00:00Z",
@@ -407,6 +416,20 @@
       "type": "boolean",
       "description": "Master switch for all endpoints in this system. If false, no endpoints are registered regardless of individual endpoint active flags.",
       "default": true
+    },
+    "credentialIdOrKey": {
+      "type": "string",
+      "description": "Credential identifier (ID or key) to use for authenticating with this external system."
+    },
+    "generateMcpContract": {
+      "type": "boolean",
+      "description": "Whether to generate MCP contract on publish. Config only (no query parameter); default true when absent.",
+      "default": true
+    },
+    "generateOpenApiContract": {
+      "type": "boolean",
+      "description": "Reserved: whether to generate or expose OpenAPI contract on publish. Not yet implemented.",
+      "default": true
     }
   },
   "additionalProperties": false

package/lib/utils/token-manager.js

@@ -25,8 +25,9 @@ function getSecretsFilePath() {
 }
 
 /**
- * Load client credentials from secrets.local.yaml
- * Reads using pattern: <app-name>-client-idKeyVault and <app-name>-client-secretKeyVault
+ * Load client credentials from secrets.local.yaml or process.env (e.g. integration/hubspot/.env).
+ * Reads secrets file using pattern: <app-name>-client-idKeyVault and <app-name>-client-secretKeyVault.
+ * If not found, checks process.env.CLIENTID and process.env.CLIENTSECRET (set when .env is loaded).
  * @param {string} appName - Application name
  * @returns {Promise<{clientId: string, clientSecret: string}|null>} Credentials or null if not found
  */
@@ -37,31 +38,38 @@ async function loadClientCredentials(appName) {
 
   try {
     const secretsFile = getSecretsFilePath();
-    if (!fs.existsSync(secretsFile)) {
-      return null;
-    }
-
-    const content = fs.readFileSync(secretsFile, 'utf8');
-    const secrets = yaml.load(content) || {};
-
-    const clientIdKey = `${appName}-client-idKeyVault`;
-    const clientSecretKey = `${appName}-client-secretKeyVault`;
-
-    const clientId = secrets[clientIdKey];
-    const clientSecret = secrets[clientSecretKey];
-
-    if (!clientId || !clientSecret) {
-      return null;
+    if (fs.existsSync(secretsFile)) {
+      const content = fs.readFileSync(secretsFile, 'utf8');
+      const secrets = yaml.load(content) || {};
+
+      const clientIdKey = `${appName}-client-idKeyVault`;
+      const clientSecretKey = `${appName}-client-secretKeyVault`;
+
+      const clientId = secrets[clientIdKey];
+      const clientSecret = secrets[clientSecretKey];
+
+      if (clientId && clientSecret) {
+        return {
+          clientId: String(clientId),
+          clientSecret: String(clientSecret)
+        };
+      }
     }
+  } catch (error) {
+    logger.warn(`Failed to load credentials from secrets.local.yaml: ${error.message}`);
+  }
 
+  // Fallback: use CLIENTID/CLIENTSECRET from process.env (e.g. from integration/hubspot/.env)
+  const envClientId = process.env.CLIENTID || process.env.CLIENT_ID;
+  const envClientSecret = process.env.CLIENTSECRET || process.env.CLIENT_SECRET;
+  if (envClientId && envClientSecret) {
     return {
-      clientId: clientId,
-      clientSecret: clientSecret
+      clientId: String(envClientId).trim(),
+      clientSecret: String(envClientSecret).trim()
     };
-  } catch (error) {
-    logger.warn(`Failed to load credentials from secrets.local.yaml: ${error.message}`);
-    return null;
   }
+
+  return null;
 }
 
 /**
@@ -243,9 +251,8 @@ async function tryClientTokenAuth(environment, appName, controllerUrl) {
         controller: clientToken.controller
       };
     }
-  } catch (error) {
-    // Client token unavailable, continue to credentials
-    logger.warn(`Client token unavailable: ${error.message}`);
+  } catch {
+    // Client token unavailable; getDeploymentAuth will try client credentials next (no warning here to avoid misleading output when env credentials succeed)
   }
   return null;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.36.0",
+  "version": "2.36.2",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {

package/integration/test-hubspot/wizard.yaml

@@ -1,8 +0,0 @@
-appName: test-hubspot
-mode: create-system
-source:
-  type: openapi-file
-  filePath: /workspace/aifabrix-builder/integration/hubspot/companies.json
-credential:
-  action: skip
-preferences: {}