@aifabrix/builder 2.37.5 → 2.38.0

package/lib/utils/variable-transformer.js

@@ -96,20 +96,6 @@ function handlePartialAuthentication(authentication) {
   return auth;
 }
 
-/**
- * Adds placeholder deployment key if missing
- * @function addPlaceholderDeploymentKey
- * @param {Object} result - Result object
- * @returns {Object} Result object with deployment key
- */
-function addPlaceholderDeploymentKey(result) {
-  if (!result.deploymentKey) {
-    // This is a 64-character hex string matching the SHA256 pattern
-    result.deploymentKey = '0000000000000000000000000000000000000000000000000000000000000000';
-  }
-  return result;
-}
-
 /**
  * Transforms flat structure to schema-compatible format
  * @function transformFlatStructure
@@ -126,9 +112,6 @@ function transformFlatStructure(variables, appName) {
     result.authentication = handlePartialAuthentication(result.authentication);
   }
 
-  // Add placeholder deploymentKey for validation
-  addPlaceholderDeploymentKey(result);
-
   return result;
 }
 
@@ -379,8 +362,7 @@ function transformVariablesForValidation(variables, appName) {
 
   // Nested structure - transform it
   const transformed = buildBaseTransformedStructure(variables, appName);
-  const result = transformOptionalFields(variables, transformed);
-  return addPlaceholderDeploymentKey(result);
+  return transformOptionalFields(variables, transformed);
 }
 
 module.exports = {

package/lib/validation/external-manifest-validator.js

@@ -148,7 +148,7 @@ function validateConditionalRequirements(manifest, errors, warnings) {
  * @returns {void}
  */
 function validateRequiredFields(manifest, errors) {
-  const requiredFields = ['key', 'displayName', 'description', 'type', 'deploymentKey'];
+  const requiredFields = ['key', 'displayName', 'description', 'type'];
   requiredFields.forEach(field => {
     if (!manifest[field]) {
       errors.push(`Required field "${field}" is missing`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.37.5",
+  "version": "2.38.0",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {

package/templates/applications/README.md.hbs

@@ -92,8 +92,7 @@ aifabrix dockerfile {{appName}} --force           # Generate Dockerfile
 aifabrix resolve {{appName}}                      # Generate .env file
 
 # Deployment
-aifabrix json {{appName}}                         # Preview deployment JSON
-aifabrix genkey {{appName}}                       # Generate deployment key
+aifabrix json {{appName}}                         # Generate deployment manifest
 aifabrix push {{appName}} --registry {{registry}} # Push to ACR
 aifabrix deploy {{appName}}                       # Deploy (controller/env from config)
 
@@ -176,7 +175,6 @@ Controller URL and environment (for `deploy`, `app register`, etc.) are set via
 ```bash
 aifabrix resolve {{appName}} --force
 aifabrix json {{appName}}
-aifabrix genkey {{appName}}
 ```
 
 ---

package/templates/applications/dataplane/Dockerfile

@@ -9,8 +9,8 @@ FROM aifabrix/dataplane:latest
 EXPOSE 3001
 
 # Health check (documentation; base image may already set this)
-HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \
-    CMD curl -f http://localhost:3001/health || exit 1
+HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
+  CMD wget --no-verbose --tries=1 --spider http://localhost:3001/health || exit 1
 
 # CMD inherited from base image; override only if needed
 # CMD inherited: uvicorn app.main:app --host 0.0.0.0 --port 3001

package/templates/applications/dataplane/README.md

@@ -103,8 +103,7 @@ aifabrix dockerfile dataplane --force           # Generate Dockerfile
 aifabrix resolve dataplane                      # Generate .env file
 
 # Deployment
-aifabrix json dataplane                         # Preview deployment JSON
-aifabrix genkey dataplane                       # Generate deployment key
+aifabrix json dataplane                         # Generate deployment manifest
 aifabrix push dataplane --registry myacr.azurecr.io # Push to ACR
 aifabrix deploy dataplane --controller <url>    # Deploy to Azure
 
@@ -184,7 +183,6 @@ export AIFABRIX_SECRETS=/path/to/secrets.yaml
 ```bash
 aifabrix resolve dataplane --force
 aifabrix json dataplane
-aifabrix genkey dataplane
 ```
 
 ---

package/templates/applications/dataplane/variables.yaml

@@ -45,11 +45,13 @@ authentication:
   requiredRoles: ["aifabrix-user"]
 
 # Build Configuration
+# Dataplane builds from published image; context is project root (like miso-controller)
 build:
-  context: ../..                # Relative to builder/dataplane/ config location (goes to app root)
-  dockerfile: builder/dataplane/Dockerfile
+  context: ../..                # Docker build context (relative to builder/dataplane/)
+  dockerfile: builder/dataplane/Dockerfile  # Dockerfile path (relative to project root)
   envOutputPath: ../../.env     # Copy to repo root for local dev
-  localPort: 3011               # Port for local development (different from Docker port)
+  localPort: 3011              # Port for local development (different from Docker port)
+  language: python             # Runtime language for template selection (typescript or python)
 
 # =============================================================================
 # Portal Input Configuration (Deployment Wizard)

package/templates/applications/keycloak/Dockerfile

@@ -1,7 +1,7 @@
 # Keycloak Identity and Access Management with Custom Themes
-# This Dockerfile extends Keycloak 26.4 with custom themes
+# This Dockerfile extends Keycloak 26.5.2 with custom themes
 
-FROM quay.io/keycloak/keycloak:26.4
+FROM quay.io/keycloak/keycloak:26.5.2
 
 # Set working directory
 WORKDIR /opt/keycloak
@@ -34,4 +34,4 @@ EXPOSE 8080
 
 # Default Keycloak command (can be overridden in docker-compose.yaml)
 # Health checks are enabled via the build step above
-CMD ["start-dev"]
+CMD ["start-dev"]

package/templates/applications/keycloak/README.md

@@ -40,6 +40,18 @@ aifabrix run keycloak
 
 **Access your app:** <http://dev.aifabrix:8082>
 
+**Token issuer (Docker + refresh):** Keycloak is configured with `KC_HOSTNAME=localhost` and `KC_HOSTNAME_PORT=${KEYCLOAK_PUBLIC_PORT}` so tokens always have issuer `http://localhost:<port>/realms/aifabrix`. This lets refresh work when users log in via localhost and the controller (in Docker) calls Keycloak at `http://keycloak:8080`.
+
+**If you get "Invalid token issuer. Expected 'http://keycloak:8080/realms/aifabrix'" on refresh:**
+
+1. Set `KEYCLOAK_PUBLIC_PORT` to the port you use for Keycloak (e.g. if your token issuer shows `http://localhost:8682/realms/aifabrix`, use `8682`). In `.env` (in the directory where you run `aifabrix resolve keycloak`) add or set: `KEYCLOAK_PUBLIC_PORT=8682`.
+2. Regenerate Keycloak env and restart Keycloak:
+   ```bash
+   aifabrix resolve keycloak
+   docker restart $(docker ps -q -f name=keycloak)
+   ```
+3. Re-run `pnpm validate:config -- --test-refresh` from the repo root.
+
 **View logs:**
 
 ```bash
@@ -93,8 +105,7 @@ aifabrix dockerfile keycloak --force           # Generate Dockerfile
 aifabrix resolve keycloak                      # Generate .env file
 
 # Deployment
-aifabrix json keycloak                         # Preview deployment JSON
-aifabrix genkey keycloak                       # Generate deployment key
+aifabrix json keycloak                         # Generate deployment manifest
 aifabrix push keycloak --registry myacr.azurecr.io # Push to ACR
 aifabrix deploy keycloak --controller <url>    # Deploy to Azure
 
@@ -128,7 +139,7 @@ aifabrix run keycloak --debug                  # Debug output
 
 ```bash
 aifabrix push keycloak --registry myacr.azurecr.io --tag v1.0.0
-aifabrix push keycloak --registry myacr.azurecr.io --tag "v1.0.0,latest,stable"
+aifabrix push keycloak --registry myacr.azurecr.io --tag "v1.0.0,latest"
 ```
 
 ### Deploy Options
@@ -174,7 +185,6 @@ export AIFABRIX_SECRETS=/path/to/secrets.yaml
 ```bash
 aifabrix resolve keycloak --force
 aifabrix json keycloak
-aifabrix genkey keycloak
 ```
 
 ---

package/templates/applications/keycloak/env.template

@@ -11,6 +11,20 @@ KEYCLOAK_ADMIN_PASSWORD=kv://keycloak-admin-passwordKeyVault
 KC_HOSTNAME_STRICT=false
 KC_HTTP_ENABLED=true
 
+# =============================================================================
+# HOSTNAME / ISSUER (Docker vs localhost)
+# =============================================================================
+# Flow: Client gets callback from Keycloak (public URL) → server does auth code
+# exchange by calling Keycloak on the INTERNAL address (keycloak:8080). Keycloak
+# must use the PUBLIC URL as issuer in all tokens so they match what the
+# controller expects (KEYCLOAK_SERVER_URL).
+# - Users log in via http://localhost:${KEYCLOAK_PUBLIC_PORT} (browser/CLI)
+# - Server calls Keycloak at http://keycloak:8080 for token exchange and refresh
+# Without KC_HOSTNAME/KC_HOSTNAME_PORT, Keycloak would put issuer keycloak:8080
+# in tokens when the server calls internally, and validation would fail.
+KC_HOSTNAME=localhost
+KC_HOSTNAME_PORT=${KEYCLOAK_PUBLIC_PORT}
+
 # =============================================================================
 # HEALTH CHECK CONFIGURATION
 # =============================================================================
@@ -30,8 +44,6 @@ KC_HTTP_MANAGEMENT_HEALTH_ENABLED=false
 # MISO Application Client Credentials (per application)
 MISO_CLIENTID=kv://keycloak-client-idKeyVault
 MISO_CLIENTSECRET=kv://keycloak-client-secretKeyVault
-MISO_CONTROLLER_URL=http://${MISO_HOST}:${MISO_PORT}
-MISO_WEB_SERVER_URL=kv://miso-controller-web-server-url
 
 # Connects to postgres service in Docker network (postgres) or localhost (local)
 

package/templates/applications/keycloak/variables.yaml

@@ -12,7 +12,7 @@ image:
   registry: devflowiseacr.azurecr.io
   registryMode: acr
 
-# Port Configuration
+# Port Configuration (base for host; host port = 8082 + developer_id*100 from ~/.aifabrix/config.yaml)
 port: 8082
 
 # Azure Requirements

package/templates/applications/miso-controller/README.md

@@ -93,8 +93,7 @@ aifabrix dockerfile miso-controller --force           # Generate Dockerfile
 aifabrix resolve miso-controller                      # Generate .env file
 
 # Deployment
-aifabrix json miso-controller                         # Preview deployment JSON
-aifabrix genkey miso-controller                       # Generate deployment key
+aifabrix json miso-controller                         # Generate deployment manifest
 aifabrix push miso-controller --registry myacr.azurecr.io # Push to ACR
 aifabrix deploy miso-controller --controller <url>    # Deploy to Azure
 
@@ -348,7 +347,6 @@ Failed to getSecret postgres-adminPassword: Secret not found
 ```bash
 aifabrix resolve miso-controller --force
 aifabrix json miso-controller
-aifabrix genkey miso-controller
 ```
 
 ---

package/templates/applications/miso-controller/env.template

@@ -79,13 +79,23 @@ REDIS_ROLES_TTL=900
 REDIS_PERMISSIONS_TTL=900
 
 # =============================================================================
-# KEYCLOAK CONFIGURATION
+# KEYCLOAK CONFIGURATION (single canonical block)
 # =============================================================================
-# Connects to external keycloak from aifabrix-setup
+# Connects to external Keycloak from aifabrix-setup.
+#
+# URL semantics:
+#   KEYCLOAK_SERVER_URL        = Public URL (browser, issuer, OAuth callbacks)
+#   KEYCLOAK_INTERNAL_SERVER_URL = Internal URL (server-to-Keycloak HTTP only, e.g. Docker)
+#
+# Usage: Env vars are used for bootstrap/onboarding only. Runtime config comes from DB
+# (KeycloakConfiguration + Application url/internalUrl). Sync env->DB at startup via
+# sync-application-urls-from-env.service.
+#
+# NOTE: Do NOT onboard Azure Entra SSO in Keycloak during onboarding (skipAzureEntraSso=true).
 
 KEYCLOAK_REALM=aifabrix
 KEYCLOAK_SERVER_URL=kv://keycloak-server-urlKeyVault
-KEYCLOAK_PUBLIC_SERVER_URL=kv://keycloak-public-server-urlKeyVault
+KEYCLOAK_INTERNAL_SERVER_URL=kv://keycloak-internal-server-urlKeyVault
 KEYCLOAK_CLIENT_ID=miso-controller
 KEYCLOAK_CLIENT_SECRET=kv://keycloak-client-secretKeyVault
 KEYCLOAK_ADMIN_USERNAME=admin
@@ -120,9 +130,9 @@ AZURE_CLIENT_SECRET=kv://azure-client-secretKeyVault
 # =============================================================================
 # DEPLOYMENT TYPE CONFIGURATION
 # =============================================================================
-# Controls deployment behavior for Azure, mock Azure, or local Docker deployments
+# Controls deployment behavior for Azure, mock Azure, local Docker, or database-only deployments
 #
-# DEPLOYMENT types: azure, azure-mock, local
+# DEPLOYMENT types: azure, azure-mock, local, database
 #
 # -----------------------------------------------------------------------------
 # DEPLOYMENT=azure: Real Azure Operations (Production Mode)
@@ -171,6 +181,41 @@ AZURE_CLIENT_SECRET=kv://azure-client-secretKeyVault
 #   - Local PostgreSQL container for database (if required)
 #
 # -----------------------------------------------------------------------------
+# DEPLOYMENT=database: Database-Only Mode (DB Updates Only)
+# -----------------------------------------------------------------------------
+#   - Performs only database operations (deployment/job/application records, RBAC sync)
+#   - Does NOT run Docker containers (no container startup, health checks, port mapping)
+#   - Does NOT use Azure SDK (no Azure SDK initialization overhead)
+#   - Fastest mode for CI/CD pipelines that only need DB state validation
+#   - Use for: Testing DB workflows, validating RBAC sync, testing deployment records
+#
+#   Example use cases:
+#   - CI/CD pipelines that validate deployment workflow without containers
+#   - Testing RBAC sync logic without Docker/Azure dependencies
+#   - Validating database schema changes and migrations
+#   - Testing deployment job creation and status updates
+#   - Fast validation of DB state changes
+#
+#   What happens:
+#   - Creates deployment job in database
+#   - Updates deployment status (DEPLOYING → COMPLETED)
+#   - Updates application record (status, version, repository URL)
+#   - Syncs roles and permissions (RBAC)
+#   - Marks deployment as completed
+#   - Cleans up expired tokens
+#   - Invalidates role/permission caches
+#
+#   What does NOT happen:
+#   - No Docker container execution
+#   - No Azure SDK initialization
+#   - No container URLs or health check URLs
+#
+#   Requirements:
+#   - Database connection (DATABASE_URL)
+#   - No Docker required
+#   - No Azure credentials required
+#
+# -----------------------------------------------------------------------------
 # Configuration Notes
 # -----------------------------------------------------------------------------
 # Default: azure (Real Azure) if not set or invalid value
@@ -181,13 +226,15 @@ AZURE_CLIENT_SECRET=kv://azure-client-secretKeyVault
 #   - Production: DEPLOYMENT=azure
 #   - Staging: DEPLOYMENT=azure
 #   - Local Development: DEPLOYMENT=azure-mock or DEPLOYMENT=local
-#   - CI/CD Testing: DEPLOYMENT=azure-mock
+#   - CI/CD Testing: DEPLOYMENT=azure-mock or DEPLOYMENT=database
 #   - Local Docker development: DEPLOYMENT=local
+#   - DB-only validation/testing: DEPLOYMENT=database
 #
 # When to use each mode:
 #   - Need to deploy to actual Azure resources? → DEPLOYMENT=azure
 #   - Need to test deployment logic without creating resources? → DEPLOYMENT=azure-mock
 #   - Want to run applications locally in Docker? → DEPLOYMENT=local
+#   - Only need DB updates and RBAC sync (no containers/Azure)? → DEPLOYMENT=database
 #
 DEPLOYMENT=local
 
@@ -212,16 +259,13 @@ API_KEY=kv://miso-controller-api-key-secretKeyVault
 # =============================================================================
 # MISO CONTROLLER CONFIGURATION
 # =============================================================================
-
-# MISO Controller URL
-MISO_CONTROLLER_URL=http://${MISO_HOST}:${MISO_PORT}
-
 # Web Server URL (for OpenAPI documentation server URLs and Keycloak callbacks)
 # This is the PUBLIC-FACING URL that browsers/users access (e.g., http://localhost:3100)
 # Used to generate correct server URLs in OpenAPI spec and Keycloak callback URLs
 # For Docker: use localhost with mapped port (e.g., localhost:3100)
 # For production: use public domain (e.g., https://miso.example.com)
-MISO_WEB_SERVER_URL=http://localhost:${MISO_PUBLIC_PORT}
+MISO_WEB_SERVER_URL=kv://miso-controller-web-server-urlKeyVault
+MISO_CONTROLLER_URL=kv://miso-controller-internal-server-urlKeyVault
 
 # MISO Environment Configuration (miso, dev, tst, pro)
 MISO_ENVIRONMENT=miso
@@ -234,12 +278,21 @@ MISO_CLIENTSECRET=kv://miso-controller-client-secretKeyVault
 # Use wildcards for ports: http://localhost:*
 MISO_ALLOWED_ORIGINS=http://localhost:*
 
+# =============================================================================
+# LICENSE CONFIGURATION
+# =============================================================================
+# Temporary development bypass: set LICENSE_JWT=DEVELOPMENT to skip Mori validation.
+# Will be replaced by JWT license validation (see plan 131-jwt_license_offline_validation).
+LICENSE_JWT=DEVELOPMENT
+
 # =============================================================================
 # MORI SERVICE CONFIGURATION
 # =============================================================================
 
 MORI_BASE_URL=kv://mori-controller-url
 MORI_API_KEY=kv://mori-controller-api-keyKeyVault
+MORI_USERNAME=kv://mori-controller-basic-usernameKeyVault
+MORI_PASSWORD=kv://mori-controller-basic-passwordKeyVault
 
 # =============================================================================
 # LOGGING CONFIGURATION