@aifabrix/builder 2.37.9 → 2.39.0

package/templates/applications/dataplane/README.md

@@ -18,17 +18,27 @@ npm install -g @aifabrix/builder
 # Check your environment
 aifabrix doctor
 
-# Login to controller (change your own port)
-aifabrix login --method device --environment dev --controller http://localhost:3100
+# Login to controller (debug mode -c http://localhost:3010 - change your own port)
+aifabrix login 
 
 # Register your application (gets you credentials automatically)
 aifabrix app register dataplane
+
+# Rotate credentials if needed:
+aifabrix app rotate-secret dataplane
+
+# Run locally
+aifabrix run dataplane
+
+# Deploy to miso-controller
+aifabrix deploy dataplane
+
 ```
 
 ### 3. Build & Run Locally
 
 ```bash
-# Build the Docker image
+# Build the Docker image (latest)
 aifabrix build dataplane
 
 # Run locally
@@ -41,7 +51,7 @@ aifabrix run dataplane
 
 ## Testing dataplane (use DATAPLANE_TEST_GUIDE)
 
-**Use the builder's Dataplane Test Guide** for auth, health, wizard, external systems, and pipeline checks:
+**Use the builder’s Dataplane Test Guide** for auth, health, wizard, external systems, and pipeline checks:
 
 - **In aifabrix-builder:** `integration/hubspot/DATAPLANE_TEST_GUIDE.md`
 - **Dataplane base URL:** `http://localhost:3111`
@@ -53,13 +63,13 @@ Keep `build.localPort` in `variables.yaml` at **3111** so it matches that guide.
 **View logs:**
 
 ```bash
-docker logs aifabrix-dataplane -f
+docker logs aifabrix-dev06-dataplane -f
 ```
 
 **Stop:**
 
 ```bash
-docker stop aifabrix-dataplane
+docker stop aifabrix-dev06-dataplane
 ```
 
 ### 4. Deploy to Azure
@@ -73,6 +83,7 @@ aifabrix push dataplane --registry myacr.azurecr.io --tag "v1.0.0,latest"
 
 # Deploy to miso-controller
 aifabrix deploy dataplane
+
 ```
 
 ---
@@ -168,6 +179,8 @@ export AIFABRIX_HOME=/custom/path
 export AIFABRIX_SECRETS=/path/to/secrets.yaml
 ```
 
+**Default OAuth callback URL:** Set `DATAPLANE_WEB_SERVER_URL` (e.g. in `env.template` as `http://localhost:${PORT}`) so the dataplane can build the default OAuth2 callback URL when `redirectUri` is omitted. The callback URL is `{DATAPLANE_WEB_SERVER_URL}/auth/callback`. When you change the domain (e.g. from localhost to a production URL), update this single variable and register the same callback URL in your OAuth app (e.g. HubSpot).
+
 ---
 
 ## Troubleshooting
@@ -178,6 +191,7 @@ export AIFABRIX_SECRETS=/path/to/secrets.yaml
 - **"Authentication failed"** → Run `aifabrix login` again
 - **"Build fails"** → Check Docker is running and `variables.yaml` → `build.secrets` path is correct
 - **"Can't connect"** → Verify infrastructure is running and PostgreSQL is accessible
+- **Wizard / API 401 after `rotate-secret`** → The wizard may write `.env` to a different path (e.g. `../../.env`). Ensure the **project root** `.env` has the new `MISO_CLIENTID` and `MISO_CLIENTSECRET` (copy from the rotate-secret output or run `make resolve`), then **restart the backend** (`make dev` or restart the process) so it loads the new credentials.
 
 **Regenerate files:**
 

package/templates/applications/dataplane/env.template

@@ -6,12 +6,19 @@
 # APPLICATION ENVIRONMENT
 # =============================================================================
 
+# HTTP port for the app
 PORT=3001
+# development | staging | production
 ENVIRONMENT=development
+# Enable debug mode
 DEBUG=false
+# Logging level: DEBUG, INFO, WARNING, ERROR, CRITICAL
 LOG_LEVEL=INFO
+# Log format: json or text
 LOG_FORMAT=json
+# Path for log file output
 LOG_FILE_PATH=/mnt/data/logs/app.log
+# If true, run without Redis/Celery (single process)
 LOCAL_MODE=false
 
 # When API_KEY is set, a matching Bearer token bypasses OAuth2 validation
@@ -19,7 +26,10 @@ API_KEY=kv://miso-controller-api-key-secretKeyVault
 
 # API Configuration
 API_V1_STR=/api/v1
-VERSION=1.6.0
+VERSION=1.7.0
+# Base URL for the dataplane web server (used for default OAuth2 callback URL when redirectUri is omitted)
+DATAPLANE_WEB_SERVER_URL=kv://dataplane-web-server-urlKeyVault
+DATAPLANE_INTERNAL_URL=kv://dataplane-internal-server-urlKeyVault
 
 # CORS Configuration
 ALLOWED_ORIGINS=http://localhost:*
@@ -32,6 +42,7 @@ ENCRYPTION_KEY=kv://secrets-encryptionKeyVault
 # DATABASE CONFIGURATION
 # =============================================================================
 
+# Primary app database URL
 DATABASE_URL=kv://databases-dataplane-0-urlKeyVault
 DB_0_PASSWORD=kv://databases-dataplane-0-passwordKeyVault
 
@@ -59,8 +70,11 @@ REDIS_URL=kv://redis-url
 # CACHE CONFIGURATION
 # =============================================================================
 
+# Enable in-memory cache
 CACHE_ENABLED=true
+# TTL in seconds for CIP execution cache
 CACHE_CIP_EXECUTION_TTL=1800
+# TTL in seconds for metadata filter cache
 CACHE_METADATA_FILTER_TTL=3600
 
 # =============================================================================
@@ -72,12 +86,25 @@ MISO_CLIENTID=kv://dataplane-client-idKeyVault
 MISO_CLIENTSECRET=kv://dataplane-client-secretKeyVault
 
 # Keycloak Configuration (for OAuth2 endpoints)
+# Public: used by OpenAPI OAuth2 / browser (authorizationUrl, tokenUrl).
 KEYCLOAK_SERVER_URL=kv://keycloak-server-urlKeyVault
+# Internal (same role as MISO_CONTROLLER_URL): future server-side Keycloak (e.g. JWKS). Not used by dataplane today.
+KEYCLOAK_INTERNAL_SERVER_URL=kv://keycloak-internal-server-urlKeyVault
 KEYCLOAK_REALM=aifabrix
 
-# MISO Controller URL
+# =============================================================================
+# MISO CONTROLLER CONFIGURATION
+# =============================================================================
+# Public: browser redirects and CORS for client_token; set when controller is behind a different public URL.
+MISO_WEB_SERVER_URL=kv://miso-controller-web-server-urlKeyVault
+# Internal: server-to-controller API calls (auth, pipeline, status, RBAC).
 MISO_CONTROLLER_URL=http://${MISO_HOST}:${MISO_PORT}
 
+# Pipeline env key for controller URLs: /api/v1/pipeline/{envKey}/validate and /deploy.
+# Set MISO_PIPELINE_ENV_KEY=dev when controller uses dev (e.g. MISO_CLIENTID=miso-controller-dev-dataplane).
+# If unset, derived from MISO_CLIENTID (e.g. dev from miso-controller-dev-dataplane).
+MISO_PIPELINE_ENV_KEY=
+
 # =============================================================================
 # AI/LLM CONFIGURATION
 # =============================================================================
@@ -102,12 +129,14 @@ AUTH_AUDIT_ENABLED=true
 
 # ABAC Audit Configuration
 ABAC_AUDIT_ENABLED=true
+# ABAC audit detail: summary | detailed
 ABAC_AUDIT_DETAIL_LEVEL=summary
 ABAC_EXPLAIN_MODE_ENABLED=false
 ABAC_PERFORMANCE_THRESHOLD_MS=1000
 
 # RBAC Audit Configuration
 RBAC_AUDIT_ENABLED=true
+# RBAC audit detail: summary | detailed | explain
 RBAC_AUDIT_DETAIL_LEVEL=summary
 RBAC_EXPLAIN_MODE_ENABLED=false
 

package/templates/applications/dataplane/rbac.yaml

@@ -280,4 +280,4 @@ permissions:
   
   - name: "dataplane:rbac-simulate"
     roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-developer"]
-    description: "Simulate RBAC policy evaluation in IDE"
+    description: "Simulate RBAC policy evaluation in IDE"

package/templates/applications/dataplane/variables.yaml

@@ -2,9 +2,10 @@
 app:
   key: dataplane
   displayName: "AI Fabrix Dataplane"
-  description: "Python microservice for AI processing and bulk operations. Handles document processing, external data management, and Flowise integration with MisoClient SDK authentication."
+  description: "AI Fabrix Dataplane is a secure, in-tenant integration and automation layer that supplies governed, normalized, and explainable enterprise data to AI agents. Using CIP as a declarative standard, it enforces RBAC and ABAC, executes integrations, and exposes trusted data via MCP and OpenAPI."
   type: webapp
   language: python  # Explicitly specify Python language
+  version: 1.7.0
 
 # Image Configuration
 # Set tag to match your build (e.g. aifabrix build dataplane -t v1.0.0 then tag: v1.0.0)
@@ -45,11 +46,13 @@ authentication:
   requiredRoles: ["aifabrix-user"]
 
 # Build Configuration
+# Dataplane builds from published image; context is project root (like miso-controller)
 build:
-  context: ../..                # Relative to builder/dataplane/ config location (goes to app root)
-  dockerfile: builder/dataplane/Dockerfile
+  context: ../..                # Docker build context (relative to builder/dataplane/)
+  dockerfile: builder/dataplane/Dockerfile  # Dockerfile path (relative to project root)
   envOutputPath: ../../.env     # Copy to repo root for local dev
-  localPort: 3011               # Port for local development (different from Docker port)
+  localPort: 3011              # Port for local development (different from Docker port)
+  language: python             # Runtime language for template selection (typescript or python)
 
 # =============================================================================
 # Portal Input Configuration (Deployment Wizard)

package/templates/applications/keycloak/Dockerfile

@@ -1,7 +1,7 @@
 # Keycloak Identity and Access Management with Custom Themes
-# This Dockerfile extends Keycloak 26.4 with custom themes
+# This Dockerfile extends Keycloak 26.5.2 with custom themes
 
-FROM quay.io/keycloak/keycloak:26.4
+FROM quay.io/keycloak/keycloak:26.5.2
 
 # Set working directory
 WORKDIR /opt/keycloak
@@ -34,4 +34,4 @@ EXPOSE 8080
 
 # Default Keycloak command (can be overridden in docker-compose.yaml)
 # Health checks are enabled via the build step above
-CMD ["start-dev"]
+CMD ["start-dev"]

package/templates/applications/keycloak/README.md

@@ -40,6 +40,18 @@ aifabrix run keycloak
 
 **Access your app:** <http://dev.aifabrix:8082>
 
+**Token issuer (Docker + refresh):** Keycloak is configured with `KC_HOSTNAME=localhost` and `KC_HOSTNAME_PORT=${KEYCLOAK_PUBLIC_PORT}` so tokens always have issuer `http://localhost:<port>/realms/aifabrix`. This lets refresh work when users log in via localhost and the controller (in Docker) calls Keycloak at `http://keycloak:8080`.
+
+**If you get "Invalid token issuer. Expected 'http://keycloak:8080/realms/aifabrix'" on refresh:**
+
+1. Set `KEYCLOAK_PUBLIC_PORT` to the port you use for Keycloak (e.g. if your token issuer shows `http://localhost:8682/realms/aifabrix`, use `8682`). In `.env` (in the directory where you run `aifabrix resolve keycloak`) add or set: `KEYCLOAK_PUBLIC_PORT=8682`.
+2. Regenerate Keycloak env and restart Keycloak:
+   ```bash
+   aifabrix resolve keycloak
+   docker restart $(docker ps -q -f name=keycloak)
+   ```
+3. Re-run `pnpm validate:config -- --test-refresh` from the repo root.
+
 **View logs:**
 
 ```bash
@@ -93,8 +105,7 @@ aifabrix dockerfile keycloak --force           # Generate Dockerfile
 aifabrix resolve keycloak                      # Generate .env file
 
 # Deployment
-aifabrix json keycloak                         # Preview deployment JSON
-aifabrix genkey keycloak                       # Generate deployment key
+aifabrix json keycloak                         # Generate deployment manifest
 aifabrix push keycloak --registry myacr.azurecr.io # Push to ACR
 aifabrix deploy keycloak --controller <url>    # Deploy to Azure
 
@@ -128,7 +139,7 @@ aifabrix run keycloak --debug                  # Debug output
 
 ```bash
 aifabrix push keycloak --registry myacr.azurecr.io --tag v1.0.0
-aifabrix push keycloak --registry myacr.azurecr.io --tag "v1.0.0,latest,stable"
+aifabrix push keycloak --registry myacr.azurecr.io --tag "v1.0.0,latest"
 ```
 
 ### Deploy Options
@@ -174,7 +185,6 @@ export AIFABRIX_SECRETS=/path/to/secrets.yaml
 ```bash
 aifabrix resolve keycloak --force
 aifabrix json keycloak
-aifabrix genkey keycloak
 ```
 
 ---

package/templates/applications/keycloak/env.template

@@ -11,6 +11,23 @@ KEYCLOAK_ADMIN_PASSWORD=kv://keycloak-admin-passwordKeyVault
 KC_HOSTNAME_STRICT=false
 KC_HTTP_ENABLED=true
 
+# =============================================================================
+# HOSTNAME / ISSUER (Docker vs localhost)
+# =============================================================================
+# Flow: Client gets callback from Keycloak (public URL) → server does auth code
+# exchange by calling Keycloak on the INTERNAL address (keycloak:8080). Keycloak
+# must use the PUBLIC URL as issuer in all tokens so they match what the
+# controller expects (KEYCLOAK_SERVER_URL).
+# - Users log in via http://localhost:${KEYCLOAK_PUBLIC_PORT} (browser/CLI)
+# - Server calls Keycloak at http://keycloak:8080 for token exchange and refresh
+# - Controller sends Host: localhost:${KEYCLOAK_PUBLIC_PORT} so Keycloak validates issuer
+#   against public URL (requires KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true)
+# When KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true, hostname must be a full URL
+KC_HOSTNAME=http://localhost:${KEYCLOAK_PUBLIC_PORT}
+KC_HOSTNAME_PORT=${KEYCLOAK_PUBLIC_PORT}
+# Required for Host header to work: Keycloak resolves backchannel URL from request headers
+KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true
+
 # =============================================================================
 # HEALTH CHECK CONFIGURATION
 # =============================================================================
@@ -30,8 +47,6 @@ KC_HTTP_MANAGEMENT_HEALTH_ENABLED=false
 # MISO Application Client Credentials (per application)
 MISO_CLIENTID=kv://keycloak-client-idKeyVault
 MISO_CLIENTSECRET=kv://keycloak-client-secretKeyVault
-MISO_CONTROLLER_URL=http://${MISO_HOST}:${MISO_PORT}
-MISO_WEB_SERVER_URL=kv://miso-controller-web-server-url
 
 # Connects to postgres service in Docker network (postgres) or localhost (local)
 

package/templates/applications/keycloak/variables.yaml

@@ -4,6 +4,7 @@ app:
   displayName: 'AI Fabrix Keycloak'
   description: 'Identity and Access Management'
   type: webapp
+  version: '26.5.2'
 
 # Image Configuration
 image:
@@ -12,7 +13,7 @@ image:
   registry: devflowiseacr.azurecr.io
   registryMode: acr
 
-# Port Configuration
+# Port Configuration (base for host; host port = 8082 + developer_id*100 from ~/.aifabrix/config.yaml)
 port: 8082
 
 # Azure Requirements

package/templates/applications/miso-controller/README.md

@@ -93,8 +93,7 @@ aifabrix dockerfile miso-controller --force           # Generate Dockerfile
 aifabrix resolve miso-controller                      # Generate .env file
 
 # Deployment
-aifabrix json miso-controller                         # Preview deployment JSON
-aifabrix genkey miso-controller                       # Generate deployment key
+aifabrix json miso-controller                         # Generate deployment manifest
 aifabrix push miso-controller --registry myacr.azurecr.io # Push to ACR
 aifabrix deploy miso-controller --controller <url>    # Deploy to Azure
 
@@ -348,7 +347,6 @@ Failed to getSecret postgres-adminPassword: Secret not found
 ```bash
 aifabrix resolve miso-controller --force
 aifabrix json miso-controller
-aifabrix genkey miso-controller
 ```
 
 ---

package/templates/applications/miso-controller/env.template

@@ -79,13 +79,23 @@ REDIS_ROLES_TTL=900
 REDIS_PERMISSIONS_TTL=900
 
 # =============================================================================
-# KEYCLOAK CONFIGURATION
+# KEYCLOAK CONFIGURATION (single canonical block)
 # =============================================================================
-# Connects to external keycloak from aifabrix-setup
+# Connects to external Keycloak from aifabrix-setup.
+#
+# URL semantics:
+#   KEYCLOAK_SERVER_URL        = Public URL (browser, issuer, OAuth callbacks)
+#   KEYCLOAK_INTERNAL_SERVER_URL = Internal URL (server-to-Keycloak HTTP only, e.g. Docker)
+#
+# Usage: Env vars are used for bootstrap/onboarding only. Runtime config comes from DB
+# (KeycloakConfiguration + Application url/internalUrl). Sync env->DB at startup via
+# sync-application-urls-from-env.service.
+#
+# NOTE: Do NOT onboard Azure Entra SSO in Keycloak during onboarding (skipAzureEntraSso=true).
 
 KEYCLOAK_REALM=aifabrix
 KEYCLOAK_SERVER_URL=kv://keycloak-server-urlKeyVault
-KEYCLOAK_PUBLIC_SERVER_URL=kv://keycloak-public-server-urlKeyVault
+KEYCLOAK_INTERNAL_SERVER_URL=kv://keycloak-internal-server-urlKeyVault
 KEYCLOAK_CLIENT_ID=miso-controller
 KEYCLOAK_CLIENT_SECRET=kv://keycloak-client-secretKeyVault
 KEYCLOAK_ADMIN_USERNAME=admin
@@ -100,12 +110,11 @@ KEYCLOAK_EVENTS_ENABLED=true
 KEYCLOAK_EVENTS_VERIFY_SIGNATURE=true
 KEYCLOAK_EVENTS_SECRET=kv://keycloak-events-secretKeyVault
 
-# Keycloak Startup Wait Configuration (optional)
-# Auto-detected in Azure (WEBSITE_SITE_NAME present) - waits 20min by default
-# Local environments skip the wait automatically
-# Override if needed:
-# WAIT_FOR_KEYCLOAK=true|false
-# KEYCLOAK_WAIT_TIMEOUT=1200
+# Keycloak Startup Wait Configuration
+# When true, controller waits for Keycloak before onboarding (ensures admin user creation succeeds).
+# Recommended for local Docker and Azure where Keycloak and controller start together.
+WAIT_FOR_KEYCLOAK=true
+# KEYCLOAK_WAIT_TIMEOUT=60
 
 # =============================================================================
 # AZURE AD PROVIDER CONFIGURATION
@@ -120,9 +129,9 @@ AZURE_CLIENT_SECRET=kv://azure-client-secretKeyVault
 # =============================================================================
 # DEPLOYMENT TYPE CONFIGURATION
 # =============================================================================
-# Controls deployment behavior for Azure, mock Azure, or local Docker deployments
+# Controls deployment behavior for Azure, mock Azure, local Docker, or database-only deployments
 #
-# DEPLOYMENT types: azure, azure-mock, local
+# DEPLOYMENT types: azure, azure-mock, local, database
 #
 # -----------------------------------------------------------------------------
 # DEPLOYMENT=azure: Real Azure Operations (Production Mode)
@@ -151,8 +160,7 @@ AZURE_CLIENT_SECRET=kv://azure-client-secretKeyVault
 # DEPLOYMENT=local: Local Docker Deployment (Localhost Controller)
 # -----------------------------------------------------------------------------
 #   - Does NOT touch Azure at all (completely skips all Azure operations)
-#   - Deploys applications as Docker containers on localhost
-#   - Uses docker-compose for container orchestration
+#   - Deploys applications as Docker containers on localhost (runs "docker run")
 #   - Works with local PostgreSQL and Redis containers
 #   - Fastest mode for local development (no Azure SDK overhead)
 #   - No Azure SDK initialization (reduces startup time)
@@ -162,13 +170,57 @@ AZURE_CLIENT_SECRET=kv://azure-client-secretKeyVault
 #   - Local development and testing of applications
 #   - Testing deployment workflows with actual containers
 #   - Development when Azure SDK is not needed
-#   - Fastest startup time for development
+#
+#   Requirements (controller must be able to run "docker" successfully):
+#   - Docker must be installed and running where the controller runs
+#   - Docker network (e.g. infra-<env>-aifabrix-network) must exist
+#
+#   When miso-controller runs INSIDE a Docker container (e.g. aifabrix up-miso):
+#   - The controller has no Docker CLI or host daemon by default, so deployments
+#     will fail with "docker: not found" unless you either:
+#     (A) Mount the host Docker socket and install Docker CLI in the controller
+#         image (e.g. -v /var/run/docker.sock:/var/run/docker.sock and docker
+#         client in the image), or
+#     (B) Use DEPLOYMENT=database instead and start apps from the host, e.g.:
+#         "aifabrix up-dataplane" (controller will only update DB; you run
+#         dataplane/other apps via aifabrix on the host).
+#   - Recommended when controller is in Docker: DEPLOYMENT=database and start
+#     dataplane with "aifabrix up-dataplane" (see QUICK-START.md).
+#
+# -----------------------------------------------------------------------------
+# DEPLOYMENT=database: Database-Only Mode (DB Updates Only)
+# -----------------------------------------------------------------------------
+#   - Performs only database operations (deployment/job/application records, RBAC sync)
+#   - Does NOT run Docker containers (no container startup, health checks, port mapping)
+#   - Does NOT use Azure SDK (no Azure SDK initialization overhead)
+#   - Fastest mode for CI/CD pipelines that only need DB state validation
+#   - Use for: Testing DB workflows, validating RBAC sync, testing deployment records
+#
+#   Example use cases:
+#   - CI/CD pipelines that validate deployment workflow without containers
+#   - Testing RBAC sync logic without Docker/Azure dependencies
+#   - Validating database schema changes and migrations
+#   - Testing deployment job creation and status updates
+#   - Fast validation of DB state changes
+#
+#   What happens:
+#   - Creates deployment job in database
+#   - Updates deployment status (DEPLOYING → COMPLETED)
+#   - Updates application record (status, version, repository URL)
+#   - Syncs roles and permissions (RBAC)
+#   - Marks deployment as completed
+#   - Cleans up expired tokens
+#   - Invalidates role/permission caches
+#
+#   What does NOT happen:
+#   - No Docker container execution
+#   - No Azure SDK initialization
+#   - No container URLs or health check URLs
 #
 #   Requirements:
-#   - Docker must be installed and running
-#   - docker-compose must be available
-#   - Docker network (infra-aifabrix-network) must exist
-#   - Local PostgreSQL container for database (if required)
+#   - Database connection (DATABASE_URL)
+#   - No Docker required
+#   - No Azure credentials required
 #
 # -----------------------------------------------------------------------------
 # Configuration Notes
@@ -181,15 +233,17 @@ AZURE_CLIENT_SECRET=kv://azure-client-secretKeyVault
 #   - Production: DEPLOYMENT=azure
 #   - Staging: DEPLOYMENT=azure
 #   - Local Development: DEPLOYMENT=azure-mock or DEPLOYMENT=local
-#   - CI/CD Testing: DEPLOYMENT=azure-mock
+#   - CI/CD Testing: DEPLOYMENT=azure-mock or DEPLOYMENT=database
 #   - Local Docker development: DEPLOYMENT=local
+#   - DB-only validation/testing: DEPLOYMENT=database
 #
 # When to use each mode:
 #   - Need to deploy to actual Azure resources? → DEPLOYMENT=azure
 #   - Need to test deployment logic without creating resources? → DEPLOYMENT=azure-mock
 #   - Want to run applications locally in Docker? → DEPLOYMENT=local
+#   - Only need DB updates and RBAC sync (no containers/Azure)? → DEPLOYMENT=database
 #
-DEPLOYMENT=local
+DEPLOYMENT=database
 
 # =============================================================================
 # SECURITY & ENCRYPTION
@@ -212,16 +266,13 @@ API_KEY=kv://miso-controller-api-key-secretKeyVault
 # =============================================================================
 # MISO CONTROLLER CONFIGURATION
 # =============================================================================
-
-# MISO Controller URL
-MISO_CONTROLLER_URL=http://${MISO_HOST}:${MISO_PORT}
-
 # Web Server URL (for OpenAPI documentation server URLs and Keycloak callbacks)
 # This is the PUBLIC-FACING URL that browsers/users access (e.g., http://localhost:3100)
 # Used to generate correct server URLs in OpenAPI spec and Keycloak callback URLs
 # For Docker: use localhost with mapped port (e.g., localhost:3100)
 # For production: use public domain (e.g., https://miso.example.com)
-MISO_WEB_SERVER_URL=http://localhost:${MISO_PUBLIC_PORT}
+MISO_WEB_SERVER_URL=kv://miso-controller-web-server-urlKeyVault
+MISO_CONTROLLER_URL=kv://miso-controller-internal-server-urlKeyVault
 
 # MISO Environment Configuration (miso, dev, tst, pro)
 MISO_ENVIRONMENT=miso
@@ -234,12 +285,21 @@ MISO_CLIENTSECRET=kv://miso-controller-client-secretKeyVault
 # Use wildcards for ports: http://localhost:*
 MISO_ALLOWED_ORIGINS=http://localhost:*
 
+# =============================================================================
+# LICENSE CONFIGURATION
+# =============================================================================
+# Temporary development bypass: set LICENSE_JWT=DEVELOPMENT to skip Mori validation.
+# Will be replaced by JWT license validation (see plan 131-jwt_license_offline_validation).
+LICENSE_JWT=DEVELOPMENT
+
 # =============================================================================
 # MORI SERVICE CONFIGURATION
 # =============================================================================
 
 MORI_BASE_URL=kv://mori-controller-url
 MORI_API_KEY=kv://mori-controller-api-keyKeyVault
+MORI_USERNAME=kv://mori-controller-basic-usernameKeyVault
+MORI_PASSWORD=kv://mori-controller-basic-passwordKeyVault
 
 # =============================================================================
 # LOGGING CONFIGURATION

package/templates/applications/miso-controller/rbac.yaml

@@ -352,3 +352,18 @@ permissions:
   - name: 'delegation:admin:delete'
     roles: ['aifabrix-platform-admin', 'aifabrix-security-admin']
     description: 'Administrative delete access to all delegated credentials'
+
+  # Onboarding
+  - name: 'onboarding:read'
+    roles:
+      [
+        'aifabrix-platform-admin',
+        'aifabrix-infrastructure-admin',
+        'aifabrix-deployment-admin',
+        'aifabrix-observer'
+      ]
+    description: 'View onboarding status and configuration'
+
+  - name: 'onboarding:config'
+    roles: ['aifabrix-platform-admin', 'aifabrix-infrastructure-admin']
+    description: 'Configure onboarding (license, Entra ID, subscription config)'

package/templates/applications/miso-controller/variables.yaml

@@ -2,8 +2,9 @@
 app:
   key: miso-controller
   displayName: 'Miso Controller'
-  description: 'AI Fabrix Miso Controller - Backend API and orchestration service'
+  description: 'Miso is the AI Fabrix in-tenant controller and portal layer for securely operating enterprise AI apps inside a customer’s Azure tenant. It provides Entra ID SSO, RBAC, audit logs, environment/app configuration via schemas, and safe secret handling via Key Vault references—ensuring governance, traceability, and predictable UX across portal, SDK, and CLI.'
   type: webapp
+  version: '1.8.0'
 
 # Image Configuration
 image:
@@ -11,7 +12,7 @@ image:
   registry: devflowiseacr.azurecr.io
   registryMode: acr
 
-# Port Configuration
+# Port Configuration (container port; host port = 3000 + developer_id*100 from ~/.aifabrix/config.yaml)
 port: 3000
 
 # Azure Requirements
@@ -64,7 +65,7 @@ configuration:
   - name: LOG_LEVEL
     portalInput:
       field: select
-      label: "Log Level"
+      label: 'Log Level'
       options:
         - debug
         - info
@@ -74,26 +75,26 @@ configuration:
   - name: ENABLE_API_DOCS
     portalInput:
       field: select
-      label: "Enable API Documentation (Swagger/ReDoc)"
+      label: 'Enable API Documentation (Swagger/ReDoc)'
       options:
-        - "true"
-        - "false"
+        - 'true'
+        - 'false'
 
   - name: FAST_STARTUP
     portalInput:
       field: select
-      label: "Fast Startup (skip non-critical init)"
+      label: 'Fast Startup (skip non-critical init)'
       options:
-        - "true"
-        - "false"
+        - 'true'
+        - 'false'
 
   - name: LOG_TO_FILE
     portalInput:
       field: select
-      label: "Log to File"
+      label: 'Log to File'
       options:
-        - "true"
-        - "false"
+        - 'true'
+        - 'false'
 
   # -------------------------------------------------------------------------
   # Keycloak Events (feature flag)
@@ -101,10 +102,10 @@ configuration:
   - name: KEYCLOAK_EVENTS_ENABLED
     portalInput:
       field: select
-      label: "Keycloak Events (sync users/groups)"
+      label: 'Keycloak Events (sync users/groups)'
       options:
-        - "true"
-        - "false"
+        - 'true'
+        - 'false'
 
   # -------------------------------------------------------------------------
   # Rate Limiting (tune for environment)
@@ -112,14 +113,14 @@ configuration:
   - name: RATE_LIMIT_WINDOW_MS
     portalInput:
       field: text
-      label: "Rate Limit Window (milliseconds)"
-      placeholder: "900000"
+      label: 'Rate Limit Window (milliseconds)'
+      placeholder: '900000'
 
   - name: RATE_LIMIT_MAX
     portalInput:
       field: text
-      label: "Rate Limit Max Requests per Window"
-      placeholder: "100"
+      label: 'Rate Limit Max Requests per Window'
+      placeholder: '100'
 
   # -------------------------------------------------------------------------
   # Redis Cache TTL (seconds) – RBAC/roles caching
@@ -127,11 +128,11 @@ configuration:
   - name: REDIS_ROLES_TTL
     portalInput:
       field: text
-      label: "Redis Roles Cache TTL (seconds)"
-      placeholder: "900"
+      label: 'Redis Roles Cache TTL (seconds)'
+      placeholder: '900'
 
   - name: REDIS_PERMISSIONS_TTL
     portalInput:
       field: text
-      label: "Redis Permissions Cache TTL (seconds)"
-      placeholder: "900"
+      label: 'Redis Permissions Cache TTL (seconds)'
+      placeholder: '900'