@aifabrix/builder 2.36.2 → 2.37.5

package/lib/deployment/environment.js

@@ -9,16 +9,21 @@
  * @version 2.0.0
  */
 
+const fs = require('fs');
+const path = require('path');
 const chalk = require('chalk');
+const Ajv = require('ajv');
 const logger = require('../utils/logger');
 const config = require('../core/config');
 const { resolveControllerUrl } = require('../utils/controller-url');
 const { validateControllerUrl, validateEnvironmentKey } = require('../utils/deployment-validation');
 const { getOrRefreshDeviceToken } = require('../utils/token-manager');
-const { getEnvironmentStatus } = require('../api/environments.api');
-const { deployEnvironment: deployEnvironmentInfra } = require('../api/deployments.api');
+const { getPipelineDeployment } = require('../api/pipeline.api');
+const { deployEnvironment: deployEnvironmentInfra, getDeployment } = require('../api/deployments.api');
 const { handleDeploymentErrors } = require('../utils/deployment-errors');
+const { formatValidationErrors } = require('../utils/error-formatter');
 const auditLogger = require('../core/audit-logger');
+const environmentDeployRequestSchema = require('../schema/environment-deploy-request.schema.json');
 
 /**
  * Validates environment deployment prerequisites
@@ -78,25 +83,88 @@ async function getEnvironmentAuth(controllerUrl) {
  * @throws {Error} If deployment fails
  */
 /**
- * Builds environment deployment request
+ * Loads and validates environment deploy config from a JSON file
+ * @param {string} configPath - Absolute or relative path to config JSON
+ * @returns {Object} Valid deploy request { environmentConfig, dryRun? }
+ * @throws {Error} If file missing, invalid JSON, or validation fails
+ */
+function loadAndValidateEnvironmentDeployConfig(configPath) {
+  const resolvedPath = path.isAbsolute(configPath) ? configPath : path.resolve(process.cwd(), configPath);
+  if (!fs.existsSync(resolvedPath)) {
+    throw new Error(
+      `Environment config file not found: ${resolvedPath}\n` +
+      'Use --config <file> with a JSON file containing "environmentConfig" (e.g. templates/infra/environment-dev.json).'
+    );
+  }
+  let raw;
+  try {
+    raw = fs.readFileSync(resolvedPath, 'utf8');
+  } catch (e) {
+    throw new Error(`Cannot read config file: ${resolvedPath}. ${e.message}`);
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (e) {
+    throw new Error(
+      `Invalid JSON in config file: ${resolvedPath}\n${e.message}\n` +
+      'Expected format: { "environmentConfig": { "key", "environment", "preset", "serviceName", "location" }, "dryRun": false }'
+    );
+  }
+  if (parsed === null || typeof parsed !== 'object') {
+    throw new Error(
+      `Config file must be a JSON object with "environmentConfig". File: ${resolvedPath}\n` +
+      'Example: { "environmentConfig": { "key": "dev", "environment": "dev", "preset": "s", "serviceName": "aifabrix", "location": "swedencentral" }, "dryRun": false }'
+    );
+  }
+  if (parsed.environmentConfig === undefined) {
+    throw new Error(
+      `Config file must contain "environmentConfig" (object). File: ${resolvedPath}\n` +
+      'Example: { "environmentConfig": { "key": "dev", "environment": "dev", "preset": "s", "serviceName": "aifabrix", "location": "swedencentral" } }'
+    );
+  }
+  if (typeof parsed.environmentConfig !== 'object' || parsed.environmentConfig === null) {
+    throw new Error(
+      `"environmentConfig" must be an object. File: ${resolvedPath}`
+    );
+  }
+  const ajv = new Ajv({ allErrors: true, strict: false });
+  const validate = ajv.compile(environmentDeployRequestSchema);
+  const valid = validate(parsed);
+  if (!valid) {
+    const messages = formatValidationErrors(validate.errors);
+    throw new Error(
+      `Environment config validation failed (${resolvedPath}):\n  • ${messages.join('\n  • ')}\n` +
+      'Fix the config file and run the command again. See templates/infra/environment-dev.json for a valid example.'
+    );
+  }
+  return {
+    environmentConfig: parsed.environmentConfig,
+    dryRun: Boolean(parsed.dryRun)
+  };
+}
+
+/**
+ * Builds environment deployment request from options (config file required)
  * @function buildEnvironmentDeploymentRequest
  * @param {string} validatedEnvKey - Validated environment key
- * @param {Object} options - Deployment options
- * @returns {Object} Deployment request object
+ * @param {Object} options - Deployment options (must include options.config)
+ * @returns {Object} Deployment request object for API
  */
 function buildEnvironmentDeploymentRequest(validatedEnvKey, options) {
-  const capitalized = validatedEnvKey.charAt(0).toUpperCase() + validatedEnvKey.slice(1);
-  const request = {
-    key: validatedEnvKey,
-    displayName: `${capitalized} Environment`,
-    description: `${capitalized} environment for application deployments`
-  };
-
-  if (options.config) {
-    request.description += ` (config: ${options.config})`;
+  if (!options.config || typeof options.config !== 'string') {
+    throw new Error(
+      'Environment deploy requires a config file with "environmentConfig". Use --config <file>.\n' +
+      'Example: aifabrix environment deploy dev --config templates/infra/environment-dev.json'
+    );
   }
-
-  return request;
+  const deployRequest = loadAndValidateEnvironmentDeployConfig(options.config);
+  if (deployRequest.environmentConfig.key && deployRequest.environmentConfig.key !== validatedEnvKey) {
+    logger.log(chalk.yellow(
+      `⚠ Config key "${deployRequest.environmentConfig.key}" does not match deploy target "${validatedEnvKey}"; using target "${validatedEnvKey}".`
+    ));
+  }
+  return deployRequest;
 }
 
 /**
@@ -155,22 +223,47 @@ async function sendEnvironmentDeployment(controllerUrl, envKey, authConfig, opti
 }
 
 /**
- * Process environment status response
- * @param {Object} response - API response
+ * Fetches deployment status by ID (pipeline endpoint first, then environments)
+ * Mirrors miso-controller manual test: GET pipeline/deployments/:id then GET environments/deployments/:id
+ * @async
+ * @param {string} controllerUrl - Controller URL
+ * @param {string} envKey - Environment key
+ * @param {string} deploymentId - Deployment ID
+ * @param {Object} apiAuthConfig - Auth config { type: 'bearer', token }
+ * @returns {Promise<Object|null>} Deployment record (status, progress, etc.) or null
+ */
+async function getDeploymentStatusById(controllerUrl, envKey, deploymentId, apiAuthConfig) {
+  try {
+    const pipelineRes = await getPipelineDeployment(controllerUrl, envKey, deploymentId, apiAuthConfig);
+    if (pipelineRes?.data?.data) return pipelineRes.data.data;
+    if (pipelineRes?.data && typeof pipelineRes.data === 'object' && pipelineRes.data.status) return pipelineRes.data;
+  } catch {
+    // Fallback to environments endpoint
+  }
+  try {
+    const envRes = await getDeployment(controllerUrl, envKey, deploymentId, apiAuthConfig);
+    if (envRes?.data?.data) return envRes.data.data;
+    if (envRes?.data && typeof envRes.data === 'object' && envRes.data.status) return envRes.data;
+  } catch {
+    // Ignore
+  }
+  return null;
+}
+
+/**
+ * Process deployment record from GET .../deployments/:deploymentId
+ * @param {Object|null} deployment - Deployment record (status, progress, message, error)
  * @param {string} validatedEnvKey - Validated environment key
- * @returns {Object|null} Status result if ready, null if needs to continue polling
+ * @returns {Object|null} Status result if completed, null if still in progress
  * @throws {Error} If deployment failed
  */
-function processEnvironmentStatusResponse(response, validatedEnvKey) {
-  if (!response.success || !response.data) {
+function processDeploymentStatusResponse(deployment, validatedEnvKey) {
+  if (!deployment || typeof deployment !== 'object') {
     return null;
   }
 
-  const responseData = response.data.data || response.data;
-  const status = responseData.status || responseData.ready;
-  const isReady = status === 'ready' || status === 'completed' || responseData.ready === true;
-
-  if (isReady) {
+  const status = deployment.status;
+  if (status === 'completed') {
     return {
       success: true,
       environment: validatedEnvKey,
@@ -179,9 +272,9 @@ function processEnvironmentStatusResponse(response, validatedEnvKey) {
     };
   }
 
-  // Check for terminal failure states
   if (status === 'failed' || status === 'error') {
-    throw new Error(`Environment deployment failed: ${responseData.message || 'Unknown error'}`);
+    const msg = deployment.message || deployment.error || 'Unknown error';
+    throw new Error(`Environment deployment failed: ${msg}`);
   }
 
   return null;
@@ -213,8 +306,18 @@ async function pollEnvironmentStatus(deploymentId, controllerUrl, envKey, authCo
     try {
       await new Promise(resolve => setTimeout(resolve, pollInterval));
 
-      const response = await getEnvironmentStatus(validatedUrl, validatedEnvKey, apiAuthConfig);
-      const statusResult = processEnvironmentStatusResponse(response, validatedEnvKey);
+      const deployment = await getDeploymentStatusById(
+        validatedUrl,
+        validatedEnvKey,
+        deploymentId,
+        apiAuthConfig
+      );
+      const progress = deployment?.progress ?? 0;
+      const statusLabel = deployment?.status ?? 'pending';
+      if (attempt <= maxAttempts) {
+        logger.log(chalk.gray(`   Attempt ${attempt}/${maxAttempts}... Status: ${statusLabel} (${progress}%)`));
+      }
+      const statusResult = processDeploymentStatusResponse(deployment, validatedEnvKey);
       if (statusResult) {
         return statusResult;
       }
@@ -225,10 +328,6 @@ async function pollEnvironmentStatus(deploymentId, controllerUrl, envKey, authCo
       }
       // Otherwise, continue polling
     }
-
-    if (attempt < maxAttempts) {
-      logger.log(chalk.gray(`   Attempt ${attempt}/${maxAttempts}...`));
-    }
   }
 
   // Timeout

package/lib/external-system/deploy.js

@@ -97,7 +97,11 @@ async function deployExternalSystem(appName, options = {}) {
 
     return result;
   } catch (error) {
-    throw new Error(`Failed to deploy external system: ${error.message}`);
+    let message = `Failed to deploy external system: ${error.message}`;
+    if (error.message && error.message.includes('Application not found')) {
+      message += `\n\n💡 Register the app in the controller first: aifabrix app register ${appName}`;
+    }
+    throw new Error(message);
   }
 }
 

package/lib/external-system/test-auth.js

@@ -1,7 +1,9 @@
 /**
  * External System Test Authentication Helpers
  *
- * Authentication setup for integration tests
+ * Authentication setup for integration tests. Uses the dataplane service URL
+ * (discovered from the controller), not the external system app's config—external
+ * apps do not store a dataplane URL.
  *
  * @fileoverview Authentication helpers for external system testing
  * @author AI Fabrix Team
@@ -9,19 +11,19 @@
  */
 
 const { getDeploymentAuth } = require('../utils/token-manager');
-const { getDataplaneUrl } = require('../datasource/deploy');
+const { resolveDataplaneUrl } = require('../utils/dataplane-resolver');
 const { resolveControllerUrl } = require('../utils/controller-url');
 
 /**
  * Setup authentication and get dataplane URL for integration tests
  * @async
- * @param {string} appName - Application name
- * @param {Object} options - Test options
- * @param {Object} config - Configuration object
+ * @param {string} appName - Application name (used for auth scope; dataplane URL is discovered from controller)
+ * @param {Object} options - Test options; options.dataplane overrides discovered URL
+ * @param {Object} _config - Configuration object
  * @returns {Promise<Object>} Object with authConfig and dataplaneUrl
  * @throws {Error} If authentication fails
  */
-async function setupIntegrationTestAuth(appName, _options, _config) {
+async function setupIntegrationTestAuth(appName, options, _config) {
   const { resolveEnvironment } = require('../core/config');
   const environment = await resolveEnvironment();
   const controllerUrl = await resolveControllerUrl();
@@ -31,7 +33,12 @@ async function setupIntegrationTestAuth(appName, _options, _config) {
     throw new Error('Authentication required. Run "aifabrix login" or "aifabrix app register" first.');
   }
 
-  const dataplaneUrl = await getDataplaneUrl(controllerUrl, appName, environment, authConfig);
+  let dataplaneUrl;
+  if (options && options.dataplane && typeof options.dataplane === 'string' && options.dataplane.trim()) {
+    dataplaneUrl = options.dataplane.trim();
+  } else {
+    dataplaneUrl = await resolveDataplaneUrl(controllerUrl, environment, authConfig);
+  }
 
   return { authConfig, dataplaneUrl };
 }

package/lib/generator/wizard.js

@@ -12,6 +12,19 @@ const chalk = require('chalk');
 const logger = require('../utils/logger');
 const { generateExternalReadmeContent } = require('../utils/external-readme');
 
+/**
+ * Converts a string to a schema-valid key segment (lowercase letters, numbers, hyphens only).
+ * e.g. "recordStorage" -> "record-storage", "documentStorage" -> "document-storage"
+ * @param {string} str - Raw entity type or key segment (may be camelCase)
+ * @returns {string} Segment matching ^[a-z0-9-]+$
+ */
+function toKeySegment(str) {
+  if (!str || typeof str !== 'string') return 'default';
+  const withHyphens = str.replace(/([A-Z])/g, '-$1').toLowerCase();
+  const sanitized = withHyphens.replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, '');
+  return sanitized || 'default';
+}
+
 /**
  * Generate files from dataplane-generated wizard configurations
  * @async
@@ -53,11 +66,12 @@ async function writeDatasourceJsonFiles(appPath, finalSystemKey, datasourceConfi
   const datasourceFileNames = [];
   for (const datasourceConfig of datasourceConfigs) {
     const entityType = datasourceConfig.entityType || datasourceConfig.entityKey || datasourceConfig.key?.split('-').pop() || 'default';
-    const datasourceKey = datasourceConfig.key || `${finalSystemKey}-${entityType}`;
-    // Extract datasource key (remove system key prefix if present)
+    const keySegment = toKeySegment(entityType);
+    const datasourceKey = datasourceConfig.key || `${finalSystemKey}-${keySegment}`;
+    // Extract datasource key (remove system key prefix if present); use normalized segment for filename
     const datasourceKeyOnly = datasourceKey.includes('-') && datasourceKey.startsWith(`${finalSystemKey}-`)
       ? datasourceKey.substring(finalSystemKey.length + 1)
-      : entityType;
+      : keySegment;
     const datasourceFileName = `${finalSystemKey}-datasource-${datasourceKeyOnly}.json`;
     const datasourceFilePath = path.join(appPath, datasourceFileName);
     await fs.writeFile(datasourceFilePath, JSON.stringify(datasourceConfig, null, 2), 'utf8');
@@ -143,13 +157,14 @@ async function generateWizardFiles(appName, systemConfig, datasourceConfigs, sys
       displayName: appDisplayName
     };
 
-    // Update datasource configs to use appName-based keys and systemKey
+    // Update datasource configs to use appName-based keys and systemKey (key must match ^[a-z0-9-]+$)
     const updatedDatasourceConfigs = datasourceConfigs.map(ds => {
       const entityType = ds.entityType || ds.entityKey || ds.key?.split('-').pop() || 'default';
+      const keySegment = toKeySegment(entityType);
       const entityDisplayName = entityType.charAt(0).toUpperCase() + entityType.slice(1).replace(/-/g, ' ');
       return {
         ...ds,
-        key: `${finalSystemKey}-${entityType}`,
+        key: `${finalSystemKey}-${keySegment}`,
         systemKey: finalSystemKey,
         displayName: `${appDisplayName} ${entityDisplayName}`
       };
@@ -360,54 +375,34 @@ async function generateEnvTemplate(appPath, systemConfig) {
 }
 
 /**
- * Generate deployment scripts (deploy.sh and deploy.ps1) from templates
+ * Generate deployment script (deploy.js) from template
  * @async
  * @function generateDeployScripts
  * @param {string} appPath - Application directory path
  * @param {string} systemKey - System key
  * @param {string} systemFileName - System file name
  * @param {string[]} datasourceFileNames - Array of datasource file names
- * @returns {Promise<Object>} Object with script file paths
+ * @returns {Promise<Object>} Object with deployJsPath
  * @throws {Error} If generation fails
  */
+const templatesExternalDir = path.join(__dirname, '..', '..', 'templates', 'external-system');
+
+async function writeDeployScriptFromTemplate(templateName, outputPath, context) {
+  const templatePath = path.join(templatesExternalDir, templateName);
+  const content = Handlebars.compile(await fs.readFile(templatePath, 'utf8'))(context);
+  await fs.writeFile(outputPath, content, 'utf8');
+  logger.log(chalk.green(`✓ Generated ${path.basename(outputPath)}`));
+}
+
 async function generateDeployScripts(appPath, systemKey, systemFileName, datasourceFileNames) {
   try {
     const allJsonFiles = [systemFileName, ...datasourceFileNames];
+    const context = { systemKey, allJsonFiles, datasourceFileNames };
 
-    // Load and compile deploy.sh template
-    const deployShTemplatePath = path.join(__dirname, '..', '..', 'templates', 'external-system', 'deploy.sh.hbs');
-    const deployShTemplateContent = await fs.readFile(deployShTemplatePath, 'utf8');
-    const deployShTemplate = Handlebars.compile(deployShTemplateContent);
-
-    // Generate deploy.sh
-    const deployShPath = path.join(appPath, 'deploy.sh');
-    const deployShContent = deployShTemplate({
-      systemKey,
-      allJsonFiles,
-      datasourceFileNames
-    });
-    await fs.writeFile(deployShPath, deployShContent, 'utf8');
-    await fs.chmod(deployShPath, 0o755); // Make executable
-    logger.log(chalk.green('✓ Generated deploy.sh'));
-
-    // Load and compile deploy.ps1 template
-    const deployPs1TemplatePath = path.join(__dirname, '..', '..', 'templates', 'external-system', 'deploy.ps1.hbs');
-    const deployPs1TemplateContent = await fs.readFile(deployPs1TemplatePath, 'utf8');
-    const deployPs1Template = Handlebars.compile(deployPs1TemplateContent);
-
-    // Generate deploy.ps1
-    const deployPs1Path = path.join(appPath, 'deploy.ps1');
-    const deployPs1Content = deployPs1Template({
-      systemKey,
-      allJsonFiles,
-      datasourceFileNames
-    });
-    await fs.writeFile(deployPs1Path, deployPs1Content, 'utf8');
-    logger.log(chalk.green('✓ Generated deploy.ps1'));
+    await writeDeployScriptFromTemplate('deploy.js.hbs', path.join(appPath, 'deploy.js'), context);
 
     return {
-      deployShPath,
-      deployPs1Path
+      deployJsPath: path.join(appPath, 'deploy.js')
     };
   } catch (error) {
     throw new Error(`Failed to generate deployment scripts: ${error.message}`);
@@ -439,10 +434,11 @@ async function generateReadme(appPath, appName, systemKey, systemConfig, datasou
 
     const datasources = (Array.isArray(datasourceConfigs) ? datasourceConfigs : []).map((ds, index) => {
       const entityType = ds.entityType || ds.entityKey || ds.key?.split('-').pop() || `datasource${index + 1}`;
-      const datasourceKey = ds.key || `${systemKey}-${entityType}`;
+      const keySegment = toKeySegment(entityType);
+      const datasourceKey = ds.key || `${systemKey}-${keySegment}`;
       const datasourceKeyOnly = datasourceKey.includes('-') && datasourceKey.startsWith(`${systemKey}-`)
         ? datasourceKey.substring(systemKey.length + 1)
-        : entityType;
+        : keySegment;
       return {
         entityType,
         displayName: ds.displayName || ds.name || ds.key || `Datasource ${index + 1}`,

package/lib/infrastructure/helpers.js

@@ -119,7 +119,7 @@ function extractPasswordFromUrlOrValue(urlOrPassword) {
  * Ensures Postgres init script exists for miso-controller app (database miso, user miso_user).
  * Uses password from secrets (databases-miso-controller-0-passwordKeyVault) or default miso_pass123.
  * Init scripts run only when the Postgres data volume is first created. If infra was already
- * started before this script existed, run `aifabrix down -v` then `aifabrix up` to re-init, or
+ * started before this script existed, run `aifabrix down-infra -v` then `aifabrix up-infra` to re-init, or
  * create the database and user manually (e.g. via pgAdmin or psql).
  *
  * @async

package/lib/schema/environment-deploy-request.schema.json

@@ -0,0 +1,64 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://raw.githubusercontent.com/esystemsdev/aifabrix-builder/refs/heads/main/lib/schema/environment-deploy-request.schema.json",
+  "title": "Environment Deploy Request",
+  "description": "Request body for POST /api/v1/environments/{envKey}/deploy",
+  "type": "object",
+  "required": ["environmentConfig"],
+  "properties": {
+    "environmentConfig": {
+      "type": "object",
+      "description": "Environment infrastructure configuration",
+      "required": ["key", "environment", "preset", "serviceName", "location"],
+      "properties": {
+        "key": {
+          "type": "string",
+          "description": "Environment key",
+          "pattern": "^[a-z0-9-]+$",
+          "minLength": 2,
+          "maxLength": 40
+        },
+        "environment": {
+          "type": "string",
+          "description": "Environment type",
+          "enum": ["miso", "dev", "tst", "pro"]
+        },
+        "preset": {
+          "type": "string",
+          "description": "Deployment preset size",
+          "enum": ["evaluation", "eval", "s", "m", "l", "xl"]
+        },
+        "serviceName": {
+          "type": "string",
+          "description": "Service name for resource naming",
+          "pattern": "^[a-z0-9-]{2,40}$"
+        },
+        "location": {
+          "type": "string",
+          "description": "Azure region (e.g. swedencentral)"
+        },
+        "resourceGroupName": { "type": "string" },
+        "subscriptionId": { "type": "string" },
+        "tenantId": { "type": "string" },
+        "customDomain": { "type": "object" },
+        "frontDoor": { "type": "object" },
+        "networking": { "type": "object" },
+        "allowedIPs": {
+          "type": "array",
+          "items": { "type": "string" }
+        },
+        "infrastructureAccess": {
+          "type": "array",
+          "items": { "type": "object" }
+        }
+      },
+      "additionalProperties": true
+    },
+    "dryRun": {
+      "type": "boolean",
+      "description": "If true, validate only without deploying",
+      "default": false
+    }
+  },
+  "additionalProperties": false
+}

package/lib/utils/help-builder.js

@@ -20,8 +20,11 @@ const CATEGORIES = [
   {
     name: 'Infrastructure (Local Development)',
     commands: [
-      { name: 'up' },
-      { name: 'down', term: 'down [app]' },
+      { name: 'up-infra' },
+      { name: 'up-platform' },
+      { name: 'up-miso' },
+      { name: 'up-dataplane' },
+      { name: 'down-infra', term: 'down-infra [app]' },
       { name: 'doctor' },
       { name: 'status' },
       { name: 'restart', term: 'restart <service>' }

package/lib/utils/paths.js

@@ -281,7 +281,23 @@ function getAppPath(appName, appType) {
 }
 
 /**
- * Gets the integration folder path for external systems
+ * Base directory for integration/builder: project root when cwd is inside project, else cwd.
+ * So deploy works when run from integration/<app> (e.g. node deploy.js), and tests using temp dirs still work.
+ * @returns {string} Directory to resolve integration/ and builder/ from
+ */
+function getIntegrationBuilderBaseDir() {
+  const root = getProjectRoot();
+  const cwd = path.resolve(process.cwd());
+  const rootNorm = path.resolve(root);
+  if (cwd === rootNorm || cwd.startsWith(rootNorm + path.sep)) {
+    return rootNorm;
+  }
+  return cwd;
+}
+
+/**
+ * Gets the integration folder path for external systems.
+ * Uses project root when cwd is inside project so deploy works when run from integration/<app> (e.g. node deploy.js).
  * @param {string} appName - Application name
  * @returns {string} Absolute path to integration directory
  */
@@ -289,13 +305,14 @@ function getIntegrationPath(appName) {
   if (!appName || typeof appName !== 'string') {
     throw new Error('App name is required and must be a string');
   }
-  return path.join(process.cwd(), 'integration', appName);
+  const base = getIntegrationBuilderBaseDir();
+  return path.join(base, 'integration', appName);
 }
 
 /**
  * Gets the builder folder path for regular applications.
  * When AIFABRIX_BUILDER_DIR is set (e.g. by up-miso/up-dataplane from config aifabrix-env-config),
- * uses that as builder root instead of cwd/builder.
+ * uses that as builder root; otherwise uses project root so deploy works when run from integration/<app>.
  * @param {string} appName - Application name
  * @returns {string} Absolute path to builder directory
  */
@@ -309,7 +326,8 @@ function getBuilderPath(appName) {
   if (builderRoot) {
     return path.join(builderRoot, appName);
   }
-  return path.join(process.cwd(), 'builder', appName);
+  const base = getIntegrationBuilderBaseDir();
+  return path.join(base, 'builder', appName);
 }
 
 /**

package/lib/utils/secrets-generator.js

@@ -18,7 +18,17 @@ const logger = require('./logger');
 const pathsUtil = require('./paths');
 
 /**
- * Finds missing secret keys from template
+ * Skips commented or empty lines when scanning env.template
+ * @param {string} line - Single line
+ * @returns {boolean}
+ */
+function isCommentOrEmptyLine(line) {
+  const t = line.trim();
+  return t === '' || t.startsWith('#');
+}
+
+/**
+ * Finds missing secret keys from template (skips commented and empty lines)
  * @function findMissingSecretKeys
  * @param {string} envTemplate - Environment template content
  * @param {Object} existingSecrets - Existing secrets object
@@ -28,13 +38,18 @@ function findMissingSecretKeys(envTemplate, existingSecrets) {
   const kvPattern = /kv:\/\/([a-zA-Z0-9-_]+)/g;
   const missingKeys = [];
   const seenKeys = new Set();
-
-  let match;
-  while ((match = kvPattern.exec(envTemplate)) !== null) {
-    const secretKey = match[1];
-    if (!seenKeys.has(secretKey) && !(secretKey in existingSecrets)) {
-      missingKeys.push(secretKey);
-      seenKeys.add(secretKey);
+  const lines = envTemplate.split('\n');
+
+  for (const line of lines) {
+    if (isCommentOrEmptyLine(line)) continue;
+    let match;
+    kvPattern.lastIndex = 0;
+    while ((match = kvPattern.exec(line)) !== null) {
+      const secretKey = match[1];
+      if (!seenKeys.has(secretKey) && !(secretKey in existingSecrets)) {
+        missingKeys.push(secretKey);
+        seenKeys.add(secretKey);
+      }
     }
   }