npm - @aifabrix/builder - Versions diffs - 2.37.9 → 2.38.0 - Mend

@aifabrix/builder 2.37.9 → 2.38.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/README.md +19 -0
package/integration/hubspot/hubspot-deploy.json +1 -2
package/lib/api/applications.api.js +23 -1
package/lib/api/credentials.api.js +34 -0
package/lib/api/deployments.api.js +27 -0
package/lib/api/types/applications.types.js +1 -1
package/lib/api/types/deployments.types.js +1 -1
package/lib/api/types/pipeline.types.js +1 -1
package/lib/api/wizard.api.js +21 -1
package/lib/app/run-helpers.js +30 -2
package/lib/cli/index.js +2 -0
package/lib/cli/setup-app.js +32 -0
package/lib/cli/setup-credential-deployment.js +72 -0
package/lib/cli/setup-utility.js +1 -25
package/lib/commands/app-down.js +80 -0
package/lib/commands/app-logs.js +146 -0
package/lib/commands/app.js +22 -0
package/lib/commands/credential-list.js +104 -0
package/lib/commands/deployment-list.js +184 -0
package/lib/core/templates.js +2 -1
package/lib/generator/builders.js +8 -3
package/lib/generator/external-controller-manifest.js +5 -4
package/lib/generator/index.js +16 -14
package/lib/generator/split.js +1 -0
package/lib/generator/wizard.js +4 -1
package/lib/schema/application-schema.json +6 -2
package/lib/schema/deployment-rules.yaml +121 -0
package/lib/utils/app-run-containers.js +2 -1
package/lib/utils/compose-generator.js +2 -1
package/lib/utils/help-builder.js +0 -1
package/lib/utils/image-version.js +209 -0
package/lib/utils/schema-loader.js +1 -1
package/lib/utils/variable-transformer.js +1 -19
package/lib/validation/external-manifest-validator.js +1 -1
package/package.json +1 -1
package/templates/applications/README.md.hbs +1 -3
package/templates/applications/dataplane/Dockerfile +2 -2
package/templates/applications/dataplane/README.md +1 -3
package/templates/applications/dataplane/variables.yaml +5 -3
package/templates/applications/keycloak/Dockerfile +3 -3
package/templates/applications/keycloak/README.md +14 -4
package/templates/applications/keycloak/env.template +14 -2
package/templates/applications/keycloak/variables.yaml +1 -1
package/templates/applications/miso-controller/README.md +1 -3
package/templates/applications/miso-controller/env.template +64 -11

package/lib/utils/image-version.js ADDED Viewed

@@ -0,0 +1,209 @@
+/**
+ * AI Fabrix Builder - Image Version Resolution
+ *
+ * Resolves application version from Docker image (OCI label or semver tag).
+ * When template is empty or image version is greater, uses image version.
+ *
+ * @fileoverview Image version resolution utilities
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+const { exec } = require('child_process');
+const { promisify } = require('util');
+const fs = require('fs').promises;
+const fsSync = require('fs');
+const path = require('path');
+const yaml = require('js-yaml');
+const { getBuilderPath } = require('./paths');
+const composeGenerator = require('./compose-generator');
+const containerHelpers = require('./app-run-containers');
+const execAsync = promisify(exec);
+const OCI_VERSION_LABEL = 'org.opencontainers.image.version';
+const SEMVER_REGEX = /^v?(\d+\.\d+\.\d+)(?:-[-.\w]+)?(?:\+[-.\w]+)?$/i;
+/**
+ * Gets version from Docker image via OCI label or semver tag
+ * @async
+ * @param {string} imageName - Image name (e.g. aifabrix/dataplane)
+ * @param {string} imageTag - Image tag (e.g. v1.0.0, latest)
+ * @returns {Promise<string|null>} Version string or null if not found
+ */
+async function getVersionFromImage(imageName, imageTag) {
+  if (!imageName || typeof imageName !== 'string') {
+    return null;
+  }
+  const tag = imageTag || 'latest';
+  const fullImage = `${imageName}:${tag}`;
+  try {
+    const labelFormat = `{{index .Config.Labels "${OCI_VERSION_LABEL}"}}`;
+    const { stdout } = await execAsync(
+      `docker inspect --format '${labelFormat}' "${fullImage}" 2>/dev/null || true`,
+      { timeout: 10000 }
+    );
+    const labelValue = (stdout || '').trim();
+    if (labelValue && labelValue !== '<no value>') {
+      return labelValue;
+    }
+    const tagMatch = tag.match(SEMVER_REGEX);
+    if (tagMatch) {
+      return tagMatch[1];
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+/**
+ * Compares two semantic versions
+ * @param {string} a - First version
+ * @param {string} b - Second version
+ * @returns {number} -1 if a < b, 0 if a === b, 1 if a > b
+ */
+function compareSemver(a, b) {
+  if (!a || !b) {
+    return 0;
+  }
+  const parse = (v) => {
+    const m = String(v).match(SEMVER_REGEX);
+    if (!m) return null;
+    const parts = m[1].split('.').map(Number);
+    return { major: parts[0] || 0, minor: parts[1] || 0, patch: parts[2] || 0 };
+  };
+  const pa = parse(a);
+  const pb = parse(b);
+  if (!pa || !pb) return 0;
+  if (pa.major !== pb.major) return pa.major > pb.major ? 1 : -1;
+  if (pa.minor !== pb.minor) return pa.minor > pb.minor ? 1 : -1;
+  if (pa.patch !== pb.patch) return pa.patch > pb.patch ? 1 : -1;
+  return 0;
+}
+/**
+ * Resolves version for external app (app.version or externalIntegration.version)
+ * @param {Object} variables - Parsed variables.yaml
+ * @returns {string}
+ */
+function resolveExternalVersion(variables) {
+  const version =
+    variables.app?.version ||
+    variables.externalIntegration?.version ||
+    '1.0.0';
+  return String(version).trim() || '1.0.0';
+}
+/**
+ * Resolves version for regular app when image exists
+ * @async
+ * @param {string} imageName - Image name
+ * @param {string} imageTag - Image tag
+ * @param {string} templateVersion - Template version (may be empty)
+ * @returns {Promise<{ version: string, fromImage: boolean }>}
+ */
+async function resolveRegularVersion(imageName, imageTag, templateVersion) {
+  const templateEmpty =
+    templateVersion === undefined ||
+    templateVersion === null ||
+    String(templateVersion).trim() === '';
+  const templateStr = String(templateVersion || '').trim();
+  const imageVersion = await getVersionFromImage(imageName, imageTag);
+  const useImage =
+    imageVersion &&
+    (templateEmpty || compareSemver(imageVersion, templateStr) >= 0);
+  const version = useImage ? imageVersion : (templateEmpty ? '1.0.0' : templateStr);
+  return { version, fromImage: Boolean(useImage) };
+}
+/**
+ * Resolves version for an app: from image when image exists and template empty or smaller
+ * @async
+ * @param {string} appName - Application name
+ * @param {Object} variables - Parsed variables.yaml
+ * @param {Object} [options] - Options
+ * @param {boolean} [options.updateBuilder] - When true, update builder/variables.yaml if fromImage
+ * @param {string} [options.builderPath] - Builder path (defaults to getBuilderPath(appName))
+ * @returns {Promise<{ version: string, fromImage: boolean, updated: boolean }>}
+ */
+async function resolveVersionForApp(appName, variables, options = {}) {
+  if (!appName || typeof appName !== 'string') {
+    return { version: '1.0.0', fromImage: false, updated: false };
+  }
+  if (variables?.externalIntegration) {
+    const version = resolveExternalVersion(variables);
+    return { version, fromImage: false, updated: false };
+  }
+  const imageName = composeGenerator.getImageName(variables, appName);
+  const imageTag = variables?.image?.tag || 'latest';
+  const imageExists = await containerHelpers.checkImageExists(imageName, imageTag);
+  if (!imageExists) {
+    const templateVersion = variables?.app?.version;
+    const templateEmpty =
+      templateVersion === undefined ||
+      templateVersion === null ||
+      String(templateVersion).trim() === '';
+    const fallback = templateEmpty ? '1.0.0' : String(templateVersion).trim();
+    return { version: fallback, fromImage: false, updated: false };
+  }
+  const { version, fromImage } = await resolveRegularVersion(
+    imageName,
+    imageTag,
+    variables?.app?.version
+  );
+  let updated = false;
+  if (fromImage && options.updateBuilder) {
+    const builderPath = options.builderPath || getBuilderPath(appName);
+    updated = await updateAppVersionInVariablesYaml(builderPath, version);
+  }
+  return { version, fromImage, updated };
+}
+/**
+ * Updates app.version in builder variables.yaml
+ * @async
+ * @param {string} builderPath - Path to builder app directory
+ * @param {string} version - Version to set
+ * @returns {Promise<boolean>} True if file was updated
+ */
+async function updateAppVersionInVariablesYaml(builderPath, version) {
+  if (!builderPath || !version || typeof version !== 'string') {
+    return false;
+  }
+  const variablesPath = path.join(builderPath, 'variables.yaml');
+  if (!fsSync.existsSync(variablesPath)) {
+    return false;
+  }
+  try {
+    const content = await fs.readFile(variablesPath, 'utf8');
+    const parsed = yaml.load(content) || {};
+    if (!parsed.app) {
+      parsed.app = {};
+    }
+    parsed.app.version = version;
+    const dumped = yaml.dump(parsed, { lineWidth: -1 });
+    await fs.writeFile(variablesPath, dumped, { mode: 0o644, encoding: 'utf8' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+module.exports = {
+  getVersionFromImage,
+  compareSemver,
+  resolveVersionForApp,
+  updateAppVersionInVariablesYaml
+};

package/lib/utils/schema-loader.js CHANGED Viewed

@@ -199,7 +199,7 @@ function detectFromDatasourceFields(parsed) {
  * @returns {string|null} Schema type or null if not detected
  */
 function detectFromApplicationFields(parsed) {
-  if (parsed.deploymentKey || (parsed.image && parsed.registryMode && parsed.port)) {
+  if (parsed.image && parsed.registryMode && parsed.port) {
     return 'application';
   }
   return null;

package/lib/utils/variable-transformer.js CHANGED Viewed

@@ -96,20 +96,6 @@ function handlePartialAuthentication(authentication) {
   return auth;
 }
-/**
- * Adds placeholder deployment key if missing
- * @function addPlaceholderDeploymentKey
- * @param {Object} result - Result object
- * @returns {Object} Result object with deployment key
- */
-function addPlaceholderDeploymentKey(result) {
-  if (!result.deploymentKey) {
-    // This is a 64-character hex string matching the SHA256 pattern
-    result.deploymentKey = '0000000000000000000000000000000000000000000000000000000000000000';
-  }
-  return result;
-}
 /**
  * Transforms flat structure to schema-compatible format
  * @function transformFlatStructure
@@ -126,9 +112,6 @@ function transformFlatStructure(variables, appName) {
     result.authentication = handlePartialAuthentication(result.authentication);
   }
-  // Add placeholder deploymentKey for validation
-  addPlaceholderDeploymentKey(result);
   return result;
 }
@@ -379,8 +362,7 @@ function transformVariablesForValidation(variables, appName) {
   // Nested structure - transform it
   const transformed = buildBaseTransformedStructure(variables, appName);
-  const result = transformOptionalFields(variables, transformed);
-  return addPlaceholderDeploymentKey(result);
+  return transformOptionalFields(variables, transformed);
 }
 module.exports = {

package/lib/validation/external-manifest-validator.js CHANGED Viewed

@@ -148,7 +148,7 @@ function validateConditionalRequirements(manifest, errors, warnings) {
  * @returns {void}
  */
 function validateRequiredFields(manifest, errors) {
-  const requiredFields = ['key', 'displayName', 'description', 'type', 'deploymentKey'];
+  const requiredFields = ['key', 'displayName', 'description', 'type'];
   requiredFields.forEach(field => {
     if (!manifest[field]) {
       errors.push(`Required field "${field}" is missing`);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.37.9",
+  "version": "2.38.0",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {

package/templates/applications/README.md.hbs CHANGED Viewed

@@ -92,8 +92,7 @@ aifabrix dockerfile {{appName}} --force           # Generate Dockerfile
 aifabrix resolve {{appName}}                      # Generate .env file
 # Deployment
-aifabrix json {{appName}}                         # Preview deployment JSON
-aifabrix genkey {{appName}}                       # Generate deployment key
+aifabrix json {{appName}}                         # Generate deployment manifest
 aifabrix push {{appName}} --registry {{registry}} # Push to ACR
 aifabrix deploy {{appName}}                       # Deploy (controller/env from config)
@@ -176,7 +175,6 @@ Controller URL and environment (for `deploy`, `app register`, etc.) are set via
 ```bash
 aifabrix resolve {{appName}} --force
 aifabrix json {{appName}}
-aifabrix genkey {{appName}}
 ```
 ---

package/templates/applications/dataplane/Dockerfile CHANGED Viewed

@@ -9,8 +9,8 @@ FROM aifabrix/dataplane:latest
 EXPOSE 3001
 # Health check (documentation; base image may already set this)
-HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \
-    CMD curl -f http://localhost:3001/health || exit 1
+HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
+  CMD wget --no-verbose --tries=1 --spider http://localhost:3001/health || exit 1
 # CMD inherited from base image; override only if needed
 # CMD inherited: uvicorn app.main:app --host 0.0.0.0 --port 3001

package/templates/applications/dataplane/README.md CHANGED Viewed

@@ -103,8 +103,7 @@ aifabrix dockerfile dataplane --force           # Generate Dockerfile
 aifabrix resolve dataplane                      # Generate .env file
 # Deployment
-aifabrix json dataplane                         # Preview deployment JSON
-aifabrix genkey dataplane                       # Generate deployment key
+aifabrix json dataplane                         # Generate deployment manifest
 aifabrix push dataplane --registry myacr.azurecr.io # Push to ACR
 aifabrix deploy dataplane --controller <url>    # Deploy to Azure
@@ -184,7 +183,6 @@ export AIFABRIX_SECRETS=/path/to/secrets.yaml
 ```bash
 aifabrix resolve dataplane --force
 aifabrix json dataplane
-aifabrix genkey dataplane
 ```
 ---

package/templates/applications/dataplane/variables.yaml CHANGED Viewed

@@ -45,11 +45,13 @@ authentication:
   requiredRoles: ["aifabrix-user"]
 # Build Configuration
+# Dataplane builds from published image; context is project root (like miso-controller)
 build:
-  context: ../..                # Relative to builder/dataplane/ config location (goes to app root)
-  dockerfile: builder/dataplane/Dockerfile
+  context: ../..                # Docker build context (relative to builder/dataplane/)
+  dockerfile: builder/dataplane/Dockerfile  # Dockerfile path (relative to project root)
   envOutputPath: ../../.env     # Copy to repo root for local dev
-  localPort: 3011               # Port for local development (different from Docker port)
+  localPort: 3011              # Port for local development (different from Docker port)
+  language: python             # Runtime language for template selection (typescript or python)
 # =============================================================================
 # Portal Input Configuration (Deployment Wizard)

package/templates/applications/keycloak/Dockerfile CHANGED Viewed

@@ -1,7 +1,7 @@
 # Keycloak Identity and Access Management with Custom Themes
-# This Dockerfile extends Keycloak 26.4 with custom themes
+# This Dockerfile extends Keycloak 26.5.2 with custom themes
-FROM quay.io/keycloak/keycloak:26.4
+FROM quay.io/keycloak/keycloak:26.5.2
 # Set working directory
 WORKDIR /opt/keycloak
@@ -34,4 +34,4 @@ EXPOSE 8080
 # Default Keycloak command (can be overridden in docker-compose.yaml)
 # Health checks are enabled via the build step above
-CMD ["start-dev"]
+CMD ["start-dev"]

package/templates/applications/keycloak/README.md CHANGED Viewed

@@ -40,6 +40,18 @@ aifabrix run keycloak
 **Access your app:** <http://dev.aifabrix:8082>
+**Token issuer (Docker + refresh):** Keycloak is configured with `KC_HOSTNAME=localhost` and `KC_HOSTNAME_PORT=${KEYCLOAK_PUBLIC_PORT}` so tokens always have issuer `http://localhost:<port>/realms/aifabrix`. This lets refresh work when users log in via localhost and the controller (in Docker) calls Keycloak at `http://keycloak:8080`.
+**If you get "Invalid token issuer. Expected 'http://keycloak:8080/realms/aifabrix'" on refresh:**
+1. Set `KEYCLOAK_PUBLIC_PORT` to the port you use for Keycloak (e.g. if your token issuer shows `http://localhost:8682/realms/aifabrix`, use `8682`). In `.env` (in the directory where you run `aifabrix resolve keycloak`) add or set: `KEYCLOAK_PUBLIC_PORT=8682`.
+2. Regenerate Keycloak env and restart Keycloak:
+   ```bash
+   aifabrix resolve keycloak
+   docker restart $(docker ps -q -f name=keycloak)
+   ```
+3. Re-run `pnpm validate:config -- --test-refresh` from the repo root.
 **View logs:**
 ```bash
@@ -93,8 +105,7 @@ aifabrix dockerfile keycloak --force           # Generate Dockerfile
 aifabrix resolve keycloak                      # Generate .env file
 # Deployment
-aifabrix json keycloak                         # Preview deployment JSON
-aifabrix genkey keycloak                       # Generate deployment key
+aifabrix json keycloak                         # Generate deployment manifest
 aifabrix push keycloak --registry myacr.azurecr.io # Push to ACR
 aifabrix deploy keycloak --controller <url>    # Deploy to Azure
@@ -128,7 +139,7 @@ aifabrix run keycloak --debug                  # Debug output
 ```bash
 aifabrix push keycloak --registry myacr.azurecr.io --tag v1.0.0
-aifabrix push keycloak --registry myacr.azurecr.io --tag "v1.0.0,latest,stable"
+aifabrix push keycloak --registry myacr.azurecr.io --tag "v1.0.0,latest"
 ```
 ### Deploy Options
@@ -174,7 +185,6 @@ export AIFABRIX_SECRETS=/path/to/secrets.yaml
 ```bash
 aifabrix resolve keycloak --force
 aifabrix json keycloak
-aifabrix genkey keycloak
 ```
 ---

package/templates/applications/keycloak/env.template CHANGED Viewed

@@ -11,6 +11,20 @@ KEYCLOAK_ADMIN_PASSWORD=kv://keycloak-admin-passwordKeyVault
 KC_HOSTNAME_STRICT=false
 KC_HTTP_ENABLED=true
+# =============================================================================
+# HOSTNAME / ISSUER (Docker vs localhost)
+# =============================================================================
+# Flow: Client gets callback from Keycloak (public URL) → server does auth code
+# exchange by calling Keycloak on the INTERNAL address (keycloak:8080). Keycloak
+# must use the PUBLIC URL as issuer in all tokens so they match what the
+# controller expects (KEYCLOAK_SERVER_URL).
+# - Users log in via http://localhost:${KEYCLOAK_PUBLIC_PORT} (browser/CLI)
+# - Server calls Keycloak at http://keycloak:8080 for token exchange and refresh
+# Without KC_HOSTNAME/KC_HOSTNAME_PORT, Keycloak would put issuer keycloak:8080
+# in tokens when the server calls internally, and validation would fail.
+KC_HOSTNAME=localhost
+KC_HOSTNAME_PORT=${KEYCLOAK_PUBLIC_PORT}
 # =============================================================================
 # HEALTH CHECK CONFIGURATION
 # =============================================================================
@@ -30,8 +44,6 @@ KC_HTTP_MANAGEMENT_HEALTH_ENABLED=false
 # MISO Application Client Credentials (per application)
 MISO_CLIENTID=kv://keycloak-client-idKeyVault
 MISO_CLIENTSECRET=kv://keycloak-client-secretKeyVault
-MISO_CONTROLLER_URL=http://${MISO_HOST}:${MISO_PORT}
-MISO_WEB_SERVER_URL=kv://miso-controller-web-server-url
 # Connects to postgres service in Docker network (postgres) or localhost (local)

package/templates/applications/keycloak/variables.yaml CHANGED Viewed

@@ -12,7 +12,7 @@ image:
   registry: devflowiseacr.azurecr.io
   registryMode: acr
-# Port Configuration
+# Port Configuration (base for host; host port = 8082 + developer_id*100 from ~/.aifabrix/config.yaml)
 port: 8082
 # Azure Requirements

package/templates/applications/miso-controller/README.md CHANGED Viewed

@@ -93,8 +93,7 @@ aifabrix dockerfile miso-controller --force           # Generate Dockerfile
 aifabrix resolve miso-controller                      # Generate .env file
 # Deployment
-aifabrix json miso-controller                         # Preview deployment JSON
-aifabrix genkey miso-controller                       # Generate deployment key
+aifabrix json miso-controller                         # Generate deployment manifest
 aifabrix push miso-controller --registry myacr.azurecr.io # Push to ACR
 aifabrix deploy miso-controller --controller <url>    # Deploy to Azure
@@ -348,7 +347,6 @@ Failed to getSecret postgres-adminPassword: Secret not found
 ```bash
 aifabrix resolve miso-controller --force
 aifabrix json miso-controller
-aifabrix genkey miso-controller
 ```
 ---

package/templates/applications/miso-controller/env.template CHANGED Viewed

@@ -79,13 +79,23 @@ REDIS_ROLES_TTL=900
 REDIS_PERMISSIONS_TTL=900
 # =============================================================================
-# KEYCLOAK CONFIGURATION
+# KEYCLOAK CONFIGURATION (single canonical block)
 # =============================================================================
-# Connects to external keycloak from aifabrix-setup
+# Connects to external Keycloak from aifabrix-setup.
+#
+# URL semantics:
+#   KEYCLOAK_SERVER_URL        = Public URL (browser, issuer, OAuth callbacks)
+#   KEYCLOAK_INTERNAL_SERVER_URL = Internal URL (server-to-Keycloak HTTP only, e.g. Docker)
+#
+# Usage: Env vars are used for bootstrap/onboarding only. Runtime config comes from DB
+# (KeycloakConfiguration + Application url/internalUrl). Sync env->DB at startup via
+# sync-application-urls-from-env.service.
+#
+# NOTE: Do NOT onboard Azure Entra SSO in Keycloak during onboarding (skipAzureEntraSso=true).
 KEYCLOAK_REALM=aifabrix
 KEYCLOAK_SERVER_URL=kv://keycloak-server-urlKeyVault
-KEYCLOAK_PUBLIC_SERVER_URL=kv://keycloak-public-server-urlKeyVault
+KEYCLOAK_INTERNAL_SERVER_URL=kv://keycloak-internal-server-urlKeyVault
 KEYCLOAK_CLIENT_ID=miso-controller
 KEYCLOAK_CLIENT_SECRET=kv://keycloak-client-secretKeyVault
 KEYCLOAK_ADMIN_USERNAME=admin
@@ -120,9 +130,9 @@ AZURE_CLIENT_SECRET=kv://azure-client-secretKeyVault
 # =============================================================================
 # DEPLOYMENT TYPE CONFIGURATION
 # =============================================================================
-# Controls deployment behavior for Azure, mock Azure, or local Docker deployments
+# Controls deployment behavior for Azure, mock Azure, local Docker, or database-only deployments
 #
-# DEPLOYMENT types: azure, azure-mock, local
+# DEPLOYMENT types: azure, azure-mock, local, database
 #
 # -----------------------------------------------------------------------------
 # DEPLOYMENT=azure: Real Azure Operations (Production Mode)
@@ -171,6 +181,41 @@ AZURE_CLIENT_SECRET=kv://azure-client-secretKeyVault
 #   - Local PostgreSQL container for database (if required)
 #
 # -----------------------------------------------------------------------------
+# DEPLOYMENT=database: Database-Only Mode (DB Updates Only)
+# -----------------------------------------------------------------------------
+#   - Performs only database operations (deployment/job/application records, RBAC sync)
+#   - Does NOT run Docker containers (no container startup, health checks, port mapping)
+#   - Does NOT use Azure SDK (no Azure SDK initialization overhead)
+#   - Fastest mode for CI/CD pipelines that only need DB state validation
+#   - Use for: Testing DB workflows, validating RBAC sync, testing deployment records
+#
+#   Example use cases:
+#   - CI/CD pipelines that validate deployment workflow without containers
+#   - Testing RBAC sync logic without Docker/Azure dependencies
+#   - Validating database schema changes and migrations
+#   - Testing deployment job creation and status updates
+#   - Fast validation of DB state changes
+#
+#   What happens:
+#   - Creates deployment job in database
+#   - Updates deployment status (DEPLOYING → COMPLETED)
+#   - Updates application record (status, version, repository URL)
+#   - Syncs roles and permissions (RBAC)
+#   - Marks deployment as completed
+#   - Cleans up expired tokens
+#   - Invalidates role/permission caches
+#
+#   What does NOT happen:
+#   - No Docker container execution
+#   - No Azure SDK initialization
+#   - No container URLs or health check URLs
+#
+#   Requirements:
+#   - Database connection (DATABASE_URL)
+#   - No Docker required
+#   - No Azure credentials required
+#
+# -----------------------------------------------------------------------------
 # Configuration Notes
 # -----------------------------------------------------------------------------
 # Default: azure (Real Azure) if not set or invalid value
@@ -181,13 +226,15 @@ AZURE_CLIENT_SECRET=kv://azure-client-secretKeyVault
 #   - Production: DEPLOYMENT=azure
 #   - Staging: DEPLOYMENT=azure
 #   - Local Development: DEPLOYMENT=azure-mock or DEPLOYMENT=local
-#   - CI/CD Testing: DEPLOYMENT=azure-mock
+#   - CI/CD Testing: DEPLOYMENT=azure-mock or DEPLOYMENT=database
 #   - Local Docker development: DEPLOYMENT=local
+#   - DB-only validation/testing: DEPLOYMENT=database
 #
 # When to use each mode:
 #   - Need to deploy to actual Azure resources? → DEPLOYMENT=azure
 #   - Need to test deployment logic without creating resources? → DEPLOYMENT=azure-mock
 #   - Want to run applications locally in Docker? → DEPLOYMENT=local
+#   - Only need DB updates and RBAC sync (no containers/Azure)? → DEPLOYMENT=database
 #
 DEPLOYMENT=local
@@ -212,16 +259,13 @@ API_KEY=kv://miso-controller-api-key-secretKeyVault
 # =============================================================================
 # MISO CONTROLLER CONFIGURATION
 # =============================================================================
-# MISO Controller URL
-MISO_CONTROLLER_URL=http://${MISO_HOST}:${MISO_PORT}
 # Web Server URL (for OpenAPI documentation server URLs and Keycloak callbacks)
 # This is the PUBLIC-FACING URL that browsers/users access (e.g., http://localhost:3100)
 # Used to generate correct server URLs in OpenAPI spec and Keycloak callback URLs
 # For Docker: use localhost with mapped port (e.g., localhost:3100)
 # For production: use public domain (e.g., https://miso.example.com)
-MISO_WEB_SERVER_URL=http://localhost:${MISO_PUBLIC_PORT}
+MISO_WEB_SERVER_URL=kv://miso-controller-web-server-urlKeyVault
+MISO_CONTROLLER_URL=kv://miso-controller-internal-server-urlKeyVault
 # MISO Environment Configuration (miso, dev, tst, pro)
 MISO_ENVIRONMENT=miso
@@ -234,12 +278,21 @@ MISO_CLIENTSECRET=kv://miso-controller-client-secretKeyVault
 # Use wildcards for ports: http://localhost:*
 MISO_ALLOWED_ORIGINS=http://localhost:*
+# =============================================================================
+# LICENSE CONFIGURATION
+# =============================================================================
+# Temporary development bypass: set LICENSE_JWT=DEVELOPMENT to skip Mori validation.
+# Will be replaced by JWT license validation (see plan 131-jwt_license_offline_validation).
+LICENSE_JWT=DEVELOPMENT
 # =============================================================================
 # MORI SERVICE CONFIGURATION
 # =============================================================================
 MORI_BASE_URL=kv://mori-controller-url
 MORI_API_KEY=kv://mori-controller-api-keyKeyVault
+MORI_USERNAME=kv://mori-controller-basic-usernameKeyVault
+MORI_PASSWORD=kv://mori-controller-basic-passwordKeyVault
 # =============================================================================
 # LOGGING CONFIGURATION