@aifabrix/builder 2.39.2 → 2.40.0

package/lib/commands/upload.js

@@ -0,0 +1,163 @@
+/**
+ * Upload external system to dataplane (upload → validate → publish).
+ *
+ * @fileoverview Upload command handler for aifabrix upload <system-key>
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { resolveControllerUrl } = require('../utils/controller-url');
+const { getDeploymentAuth, requireBearerForDataplanePipeline } = require('../utils/token-manager');
+const { resolveDataplaneUrl } = require('../utils/dataplane-resolver');
+const { validateExternalSystemComplete } = require('../validation/validate');
+const { displayValidationResults } = require('../validation/validate-display');
+const { generateControllerManifest } = require('../generator/external-controller-manifest');
+const {
+  uploadApplicationViaPipeline,
+  validateUploadViaPipeline,
+  publishUploadViaPipeline
+} = require('../api/pipeline.api');
+const { formatApiError } = require('../utils/api-error-handler');
+
+/**
+ * Validates system-key format (same as download).
+ * @param {string} systemKey - System key
+ * @throws {Error} If invalid
+ */
+function validateSystemKeyFormat(systemKey) {
+  if (!systemKey || typeof systemKey !== 'string') {
+    throw new Error('System key is required and must be a string');
+  }
+  if (!/^[a-z0-9-_]+$/.test(systemKey)) {
+    throw new Error('System key must contain only lowercase letters, numbers, hyphens, and underscores');
+  }
+}
+
+/**
+ * Builds pipeline upload payload from controller manifest.
+ * Payload: { version, application, dataSources }; application = system with RBAC.
+ * @param {Object} manifest - Controller manifest from generateControllerManifest
+ * @returns {Object} { version, application, dataSources }
+ */
+function buildUploadPayload(manifest) {
+  return {
+    version: manifest.version || '1.0.0',
+    application: manifest.system,
+    dataSources: manifest.dataSources || []
+  };
+}
+
+/**
+ * Resolves dataplane URL and auth (same pattern as download).
+ * @param {string} systemKey - System key
+ * @param {Object} options - Options with optional dataplane override
+ * @returns {Promise<{ dataplaneUrl: string, authConfig: Object, environment: string }>}
+ */
+async function resolveDataplaneAndAuth(systemKey, options) {
+  const { resolveEnvironment } = require('../core/config');
+  const environment = await resolveEnvironment();
+  const controllerUrl = await resolveControllerUrl();
+  const authConfig = await getDeploymentAuth(controllerUrl, environment, systemKey);
+
+  if (!authConfig.token && !authConfig.clientId) {
+    throw new Error('Authentication required. Run "aifabrix login" or "aifabrix app register <system-key>" first.');
+  }
+
+  let dataplaneUrl;
+  if (options.dataplane) {
+    dataplaneUrl = options.dataplane.replace(/\/$/, '');
+  } else {
+    logger.log(chalk.blue('Resolving dataplane URL...'));
+    dataplaneUrl = await resolveDataplaneUrl(controllerUrl, environment, authConfig);
+  }
+
+  return { dataplaneUrl, authConfig, environment };
+}
+
+/**
+ * Runs upload → validate → publish on the dataplane.
+ * @param {string} dataplaneUrl - Dataplane base URL
+ * @param {Object} authConfig - Auth config
+ * @param {Object} payload - { version, application, dataSources }
+ * @returns {Promise<{ uploadId: string }>}
+ */
+async function runUploadValidatePublish(dataplaneUrl, authConfig, payload) {
+  const uploadRes = await uploadApplicationViaPipeline(dataplaneUrl, authConfig, payload);
+  const uploadId = uploadRes?.data?.uploadId ?? uploadRes?.data?.id ?? uploadRes?.uploadId;
+  if (!uploadId) {
+    const msg = uploadRes?.success === false
+      ? formatApiError(uploadRes, dataplaneUrl)
+      : 'Upload did not return an upload ID';
+    throw new Error(msg);
+  }
+
+  const validateRes = await validateUploadViaPipeline(dataplaneUrl, uploadId, authConfig);
+  if (validateRes?.success === false) {
+    const msg = formatApiError(validateRes, dataplaneUrl);
+    throw new Error(`Upload validation failed: ${msg}`);
+  }
+
+  await publishUploadViaPipeline(dataplaneUrl, uploadId, authConfig);
+  return { uploadId };
+}
+
+/**
+ * Throws if validation result is invalid (displays results first).
+ * @param {Object} validationResult - Result from validateExternalSystemComplete
+ * @throws {Error} If validationResult.valid is false
+ */
+function throwIfValidationFailed(validationResult) {
+  if (!validationResult.valid) {
+    displayValidationResults(validationResult);
+    throw new Error('Validation failed. Fix errors before uploading.');
+  }
+}
+
+/**
+ * Uploads external system to dataplane (upload → validate → publish). No controller deploy.
+ * @param {string} systemKey - External system key (integration/<system-key>/)
+ * @param {Object} [options] - Options
+ * @param {boolean} [options.dryRun] - Validate and build payload only; no API calls
+ * @param {string} [options.dataplane] - Override dataplane URL
+ * @returns {Promise<void>}
+ * @throws {Error} If validation or API calls fail
+ */
+async function uploadExternalSystem(systemKey, options = {}) {
+  validateSystemKeyFormat(systemKey);
+
+  logger.log(chalk.blue(`\nUploading external system to dataplane: ${systemKey}`));
+
+  const validationResult = await validateExternalSystemComplete(systemKey, { type: 'external' });
+  throwIfValidationFailed(validationResult);
+  logger.log(chalk.green('Validation passed.'));
+
+  const manifest = await generateControllerManifest(systemKey, { type: 'external' });
+  const payload = buildUploadPayload(manifest);
+
+  if (options.dryRun) {
+    logger.log(chalk.yellow('Dry run: would upload payload (no API calls).'));
+    logger.log(chalk.gray(`  System: ${manifest.key}, version: ${payload.version}, datasources: ${payload.dataSources.length}`));
+    return;
+  }
+
+  const { dataplaneUrl, authConfig, environment } = await resolveDataplaneAndAuth(systemKey, options);
+  requireBearerForDataplanePipeline(authConfig);
+  logger.log(chalk.blue(`Dataplane: ${dataplaneUrl}`));
+
+  await runUploadValidatePublish(dataplaneUrl, authConfig, payload);
+
+  logger.log(chalk.green('\nUpload validated and published to dataplane.'));
+  logger.log(chalk.blue(`Environment: ${environment}`));
+  logger.log(chalk.blue(`System: ${systemKey}`));
+  logger.log(chalk.blue(`Dataplane: ${dataplaneUrl}`));
+}
+
+module.exports = {
+  uploadExternalSystem,
+  buildUploadPayload,
+  resolveDataplaneAndAuth,
+  runUploadValidatePublish,
+  validateSystemKeyFormat
+};

package/lib/commands/wizard-core.js

@@ -339,7 +339,7 @@ async function validateWizardConfiguration(dataplaneUrl, authConfig, systemConfi
 }
 
 /**
- * Fetches deployment docs and writes README.md when variables.yaml and deploy JSON are available.
+ * Fetches deployment docs and writes README.md when application config and deploy JSON are available.
  * @async
  * @param {string} appPath - Application path
  * @param {string} appName - Application name
@@ -348,12 +348,13 @@ async function validateWizardConfiguration(dataplaneUrl, authConfig, systemConfi
  * @param {string} systemKey - System key
  */
 async function tryUpdateReadmeFromDeploymentDocs(appPath, appName, dataplaneUrl, authConfig, systemKey) {
-  const variablesPath = path.join(appPath, 'variables.yaml');
+  const { resolveApplicationConfigPath } = require('../utils/app-config-resolver');
   const deployPath = path.join(appPath, `${appName}-deploy.json`);
   let variablesYaml = null;
   let deployJson = null;
   try {
-    variablesYaml = await fs.readFile(variablesPath, 'utf8');
+    const configPath = resolveApplicationConfigPath(appPath);
+    variablesYaml = await fs.readFile(configPath, 'utf8');
   } catch {
     // optional
   }
@@ -372,7 +373,7 @@ async function tryUpdateReadmeFromDeploymentDocs(appPath, appName, dataplaneUrl,
   if (content && typeof content === 'string') {
     const readmePath = path.join(appPath, 'README.md');
     await fs.writeFile(readmePath, content, 'utf8');
-    logger.log(chalk.gray('  Updated README.md from deployment-docs API (variables.yaml + deploy JSON).'));
+    logger.log(chalk.gray('  Updated README.md from deployment-docs API (application config + deploy JSON).'));
   }
 }
 

package/lib/core/diff.js

@@ -13,6 +13,10 @@ const fs = require('fs');
 const path = require('path');
 const chalk = require('chalk');
 const logger = require('../utils/logger');
+const { loadConfigFile } = require('../utils/config-format');
+const { detectSchemaTypeFromParsed, loadExternalSystemSchema, loadExternalDataSourceSchema } = require('../utils/schema-loader');
+const { validateObjectAgainstApplicationSchema } = require('../validation/validator');
+const { formatValidationErrors } = require('../utils/error-formatter');
 
 /**
  * Handle added field in comparison
@@ -169,19 +173,22 @@ function identifyBreakingChanges(comparison) {
 }
 
 /**
- * Compares two configuration files
- * Loads files, parses JSON, and performs deep comparison
+ * Compares two configuration files.
+ * Both files must be the same config type (app, system, or datasource).
+ * By default validates both against their schema; pass { validate: false } to skip.
  *
  * @async
  * @function compareFiles
  * @param {string} file1 - Path to first file
  * @param {string} file2 - Path to second file
+ * @param {Object} [options] - Options
+ * @param {boolean} [options.validate=true] - If true, validate both files against their schema
  * @returns {Promise<Object>} Comparison result with differences
- * @throws {Error} If files cannot be read or parsed
+ * @throws {Error} If files cannot be read, parsed, types differ, or validation fails
  *
  * @example
  * const result = await compareFiles('./old.json', './new.json');
- * // Returns: { identical: false, added: [...], removed: [...], changed: [...] }
+ * const resultNoValidate = await compareFiles('./a.yaml', './b.yaml', { validate: false });
  */
 /**
  * Validates file paths
@@ -206,21 +213,70 @@ function validateFilePaths(file1, file2) {
 }
 
 /**
- * Reads and parses a JSON file
+ * Reads and parses a config file (JSON or YAML by extension: .json, .yaml, .yml).
  * @function readAndParseFile
  * @param {string} filePath - File path
- * @returns {Object} Parsed JSON object
+ * @returns {Object} Parsed object
  * @throws {Error} If file cannot be read or parsed
  */
 function readAndParseFile(filePath) {
   try {
-    const content = fs.readFileSync(filePath, 'utf8');
-    return JSON.parse(content);
+    return loadConfigFile(filePath);
   } catch (error) {
     throw new Error(`Failed to parse ${filePath}: ${error.message}`);
   }
 }
 
+/**
+ * Maps schema type to user-facing label (app | system | datasource).
+ * @param {string} schemaType - 'application' | 'external-system' | 'external-datasource'
+ * @returns {string} 'app' | 'system' | 'datasource'
+ */
+function toUserFacingType(schemaType) {
+  const map = {
+    application: 'app',
+    'external-system': 'system',
+    'external-datasource': 'datasource'
+  };
+  return map[schemaType] || 'app';
+}
+
+/**
+ * Runs external schema validator and returns error messages or null.
+ * @param {Function} validateFn - AJV validate function
+ * @param {Object} parsed - Parsed config object
+ * @returns {string[]|null} Error messages or null if valid
+ */
+function getValidationErrors(validateFn, parsed) {
+  const valid = validateFn(parsed);
+  if (valid) return null;
+  return formatValidationErrors(validateFn.errors);
+}
+
+/**
+ * Validates parsed object against the schema for the given type.
+ * @param {Object} parsed - Parsed config object
+ * @param {string} schemaType - 'application' | 'external-system' | 'external-datasource'
+ * @param {string} filePath - File path (for error messages)
+ * @throws {Error} If validation fails
+ */
+function validateParsedForType(parsed, schemaType, filePath) {
+  let messages = [];
+  if (schemaType === 'application') {
+    const result = validateObjectAgainstApplicationSchema(parsed);
+    if (!result.valid) messages = result.errors;
+  } else if (schemaType === 'external-system') {
+    messages = getValidationErrors(loadExternalSystemSchema(), parsed) || [];
+  } else if (schemaType === 'external-datasource') {
+    messages = getValidationErrors(loadExternalDataSourceSchema(), parsed) || [];
+  } else {
+    throw new Error(`Unknown schema type: ${schemaType}`);
+  }
+  if (messages.length > 0) {
+    throw new Error(`Validation failed for ${filePath}: ${messages.join('; ')}`);
+  }
+}
+
 /**
  * Extracts version from parsed object
  * @function extractVersion
@@ -267,12 +323,31 @@ function buildComparisonResult(comparison, parsed1, parsed2, file1, file2) {
   };
 }
 
-async function compareFiles(file1, file2) {
+async function compareFiles(file1, file2, options = {}) {
+  const shouldValidate = options.validate !== false;
+
   validateFilePaths(file1, file2);
 
   const parsed1 = readAndParseFile(file1);
   const parsed2 = readAndParseFile(file2);
 
+  const type1 = detectSchemaTypeFromParsed(parsed1, file1);
+  const type2 = detectSchemaTypeFromParsed(parsed2, file2);
+  const userType1 = toUserFacingType(type1);
+  const userType2 = toUserFacingType(type2);
+
+  if (userType1 !== userType2) {
+    throw new Error(
+      `Type mismatch: ${file1} is ${userType1} config and ${file2} is ${userType2} config. ` +
+      'Both files must be the same type (app, system, or datasource).'
+    );
+  }
+
+  if (shouldValidate) {
+    validateParsedForType(parsed1, type1, file1);
+    validateParsedForType(parsed2, type2, file2);
+  }
+
   const comparison = compareObjects(parsed1, parsed2);
   return buildComparisonResult(comparison, parsed1, parsed2, file1, file2);
 }

package/lib/core/key-generator.js

@@ -2,7 +2,7 @@
  * AI Fabrix Builder Deployment Key Generator
  *
  * This module generates SHA256-based deployment keys for controller authentication.
- * Keys are computed from variables.yaml content to ensure deployment integrity.
+ * Keys are computed from application config content to ensure deployment integrity.
  *
  * @fileoverview Deployment key generation for AI Fabrix Builder
  * @author AI Fabrix Team
@@ -14,14 +14,14 @@ const fs = require('fs');
 const path = require('path');
 
 /**
- * Generates deployment key from variables.yaml content
+ * Generates deployment key from application config content
  * Creates SHA256 hash for controller authentication and deployment integrity
  *
  * @async
  * @function generateDeploymentKey
  * @param {string} appName - Name of the application
- * @returns {Promise<string>} SHA256 hash of variables.yaml content
- * @throws {Error} If variables.yaml cannot be read
+ * @returns {Promise<string>} SHA256 hash of application config content
+ * @throws {Error} If application config cannot be read
  *
  * @example
  * const key = await generateDeploymentKey('myapp');
@@ -32,22 +32,19 @@ async function generateDeploymentKey(appName) {
     throw new Error('App name is required and must be a string');
   }
 
-  const variablesPath = path.join(process.cwd(), 'builder', appName, 'variables.yaml');
-
-  if (!fs.existsSync(variablesPath)) {
-    throw new Error(`variables.yaml not found: ${variablesPath}`);
-  }
-
+  const { resolveApplicationConfigPath } = require('../utils/app-config-resolver');
+  const builderPath = path.join(process.cwd(), 'builder', appName);
+  const variablesPath = resolveApplicationConfigPath(builderPath);
   const content = fs.readFileSync(variablesPath, 'utf8');
   return generateDeploymentKeyFromContent(content);
 }
 
 /**
- * Generates deployment key from raw variables.yaml content
+ * Generates deployment key from raw application config content
  * Useful for testing or when content is already loaded
  *
  * @function generateDeploymentKeyFromContent
- * @param {string} content - Raw variables.yaml content
+ * @param {string} content - Raw application config content
  * @returns {string} SHA256 hash of content
  *
  * @example

package/lib/core/secrets-docker-env.js

@@ -60,12 +60,12 @@ function getContainerPortFromDockerEnv(dockerEnv) {
 
 /**
  * Updates PORT in resolved content for docker environment
- * Sets PORT to container port (build.containerPort or port from variables.yaml)
+ * Sets PORT to container port (build.containerPort or port from application config)
  * NOT the host port (which includes developer-id offset)
  * @async
  * @function updatePortForDocker
  * @param {string} resolved - Resolved environment content
- * @param {string} variablesPath - Path to variables.yaml file
+ * @param {string} variablesPath - Path to application config file
  * @returns {Promise<string>} Updated content with PORT set
  */
 async function updatePortForDocker(resolved, variablesPath) {

package/lib/core/secrets.js

@@ -12,6 +12,7 @@
 const fs = require('fs');
 const path = require('path');
 const logger = require('../utils/logger');
+const { resolveApplicationConfigPath } = require('../utils/app-config-resolver');
 const config = require('./config');
 const {
   interpolateEnvVars,
@@ -288,7 +289,7 @@ async function applyEnvironmentTransformations(resolved, environment, variablesP
 async function generateEnvContent(appName, secretsPath, environment = 'local', force = false) {
   const builderPath = pathsUtil.getBuilderPath(appName);
   const templatePath = path.join(builderPath, 'env.template');
-  const variablesPath = path.join(builderPath, 'variables.yaml');
+  const variablesPath = resolveApplicationConfigPath(builderPath);
   const template = loadEnvTemplate(templatePath);
   const secretsPaths = await getActualSecretsPath(secretsPath, appName);
   if (force) {
@@ -391,7 +392,7 @@ function mergeEnvContentPreservingExisting(newContent, existingMap) {
  */
 async function generateEnvFile(appName, secretsPath, environment = 'local', force = false, skipOutputPath = false, preserveFromPath = null) {
   const builderPath = pathsUtil.getBuilderPath(appName);
-  const variablesPath = path.join(builderPath, 'variables.yaml');
+  const variablesPath = resolveApplicationConfigPath(builderPath);
   const envPath = path.join(builderPath, '.env');
 
   const resolved = await generateEnvContent(appName, secretsPath, environment, force);

package/lib/core/templates.js

@@ -8,7 +8,7 @@
 const yaml = require('js-yaml');
 
 /**
- * Generate variables.yaml content for an application
+ * Generate application.yaml content for an application
  * Matches application-schema.json structure
  * @param {string} appName - Application name
  * @param {Object} config - Configuration options
@@ -166,7 +166,7 @@ function generateVariablesYaml(appName, config) {
   const displayName = appName.replace(/-/g, ' ').replace(/\b\w/g, l => l.toUpperCase());
   const appType = config.type || 'webapp';
 
-  // For external type, create minimal variables.yaml
+  // For external type, create minimal application config
   if (appType === 'external') {
     const variables = generateExternalSystemVariables(appName, displayName, config);
     return dumpVariablesToYaml(variables);

package/lib/datasource/deploy.js

@@ -11,7 +11,7 @@
 
 const fs = require('fs');
 const chalk = require('chalk');
-const { getDeploymentAuth } = require('../utils/token-manager');
+const { getDeploymentAuth, requireBearerForDataplanePipeline } = require('../utils/token-manager');
 const { getEnvironmentApplication } = require('../api/environments.api');
 const { publishDatasourceViaPipeline } = require('../api/pipeline.api');
 const { formatApiError } = require('../utils/api-error-handler');
@@ -152,6 +152,7 @@ async function setupDeploymentAuth(controllerUrl, environment, appKey) {
  * @throws {Error} If publish fails
  */
 async function publishDatasourceToDataplane(dataplaneUrl, systemKey, authConfig, datasourceConfig) {
+  requireBearerForDataplanePipeline(authConfig);
   logger.log(chalk.blue('\n🚀 Publishing datasource to dataplane...'));
 
   const publishResponse = await publishDatasourceViaPipeline(dataplaneUrl, systemKey, authConfig, datasourceConfig);

package/lib/deployment/deployer.js

@@ -15,6 +15,7 @@ const logger = require('../utils/logger');
 const { validateControllerUrl, validateEnvironmentKey } = require('../utils/deployment-validation');
 const { handleDeploymentError, handleDeploymentErrors } = require('../utils/deployment-errors');
 const { validatePipeline, deployPipeline, getPipelineDeployment } = require('../api/pipeline.api');
+const { getAuthUser } = require('../api/auth.api');
 const { handleValidationResponse } = require('../utils/deployment-validation-helpers');
 const {
   convertToPipelineAuthConfig,
@@ -36,73 +37,72 @@ function transformExternalManifestForPipeline(manifest) {
 
 /**
  * Build validation data for deployment
+ * When authenticated with bearer token only, clientId/clientSecret are not sent (controller uses token).
  * @async
  * @param {Object} manifest - Application manifest/config
  * @param {string} validatedEnvKey - Validated environment key
  * @param {Object} authConfig - Authentication configuration
  * @param {Object} options - Additional options
- * @returns {Promise<Object>} Object with validationData and pipelineAuthConfig
+ * @returns {Promise<Object>} Object with validationData, pipelineAuthConfig, and useBearerOnly
  */
 async function buildValidationData(manifest, validatedEnvKey, authConfig, options) {
-  const tokenManager = require('../utils/token-manager');
-  let clientId;
-  let clientSecret;
-  let pipelineAuthConfig;
+  const repositoryUrl = options.repositoryUrl || `https://github.com/aifabrix/${manifest.key}`;
 
-  try {
-    const credentials = await tokenManager.extractClientCredentials(
-      authConfig,
-      manifest.key,
-      validatedEnvKey,
-      options
-    );
-    clientId = credentials.clientId;
-    clientSecret = credentials.clientSecret;
-    pipelineAuthConfig = {
-      type: 'client-credentials',
-      clientId,
-      clientSecret
+  if (authConfig.type === 'bearer' && authConfig.token && !authConfig.clientId) {
+    const pipelineAuthConfig = { type: 'bearer', token: authConfig.token };
+    const validationData = {
+      clientId: manifest.key,
+      repositoryUrl,
+      applicationConfig: manifest
     };
-  } catch (credError) {
-    if (authConfig.type === 'bearer' && authConfig.token) {
-      pipelineAuthConfig = { type: 'bearer', token: authConfig.token };
-      clientId = manifest.key;
-      clientSecret = '';
-    } else {
-      throw credError;
-    }
+    return { validationData, pipelineAuthConfig, useBearerOnly: true };
   }
 
-  const repositoryUrl = options.repositoryUrl || `https://github.com/aifabrix/${manifest.key}`;
+  const tokenManager = require('../utils/token-manager');
+  const credentials = await tokenManager.extractClientCredentials(
+    authConfig,
+    manifest.key,
+    validatedEnvKey,
+    options
+  );
+  const pipelineAuthConfig = {
+    type: 'client-credentials',
+    clientId: credentials.clientId,
+    clientSecret: credentials.clientSecret
+  };
   const validationData = {
-    clientId: clientId || '',
-    clientSecret: clientSecret || '',
-    repositoryUrl: repositoryUrl,
+    clientId: credentials.clientId || '',
+    clientSecret: credentials.clientSecret || '',
+    repositoryUrl,
     applicationConfig: manifest
   };
-
-  return { validationData, pipelineAuthConfig };
+  return { validationData, pipelineAuthConfig, useBearerOnly: false };
 }
 
 /**
  * Handle authentication errors during validation
  * @param {Error} error - Error object
  * @param {string} appKey - Application key
+ * @param {boolean} [useBearerOnly] - True when auth was bearer token only (no client id/secret sent)
  * @throws {Error} Enhanced authentication error
  */
-function handleValidationAuthError(error, appKey) {
-  if (error.status === 401 || (error.response && error.response.status === 401)) {
-    const authError = new Error(
-      `Authentication failed: Invalid or expired credentials for application '${appKey}'.\n` +
-      'The provided Client ID and Client Secret are incorrect or have been revoked.\n\n' +
-      '💡 If the application already exists, rotate the secret:\n' +
-      `   aifabrix app rotate-secret ${appKey}\n\n` +
-      '💡 Otherwise, ensure credentials are correct in ~/.aifabrix/secrets.local.yaml or use --client-id and --client-secret flags.'
-    );
-    authError.status = 401;
-    authError.originalError = error;
-    throw authError;
+function handleValidationAuthError(error, appKey, useBearerOnly) {
+  if (error.status !== 401 && (!error.response || error.response.status !== 401)) {
+    return;
   }
+  const authError = new Error(
+    useBearerOnly
+      ? 'Authentication failed: Your authentication token is invalid or expired.\n\n' +
+        'To authenticate, run:\n  aifabrix login --method device --controller <url>'
+      : `Authentication failed: Invalid or expired credentials for application '${appKey}'.\n` +
+        'The provided Client ID and Client Secret are incorrect or have been revoked.\n\n' +
+        '💡 If the application already exists, rotate the secret:\n' +
+        `   aifabrix app rotate-secret ${appKey}\n\n` +
+        '💡 Otherwise, ensure credentials are correct in ~/.aifabrix/secrets.local.yaml or use --client-id and --client-secret flags.'
+  );
+  authError.status = 401;
+  authError.originalError = error;
+  throw authError;
 }
 
 /**
@@ -122,8 +122,8 @@ async function validateDeployment(url, envKey, manifest, authConfig, options = {
   const validatedEnvKey = validateEnvironmentKey(envKey);
   const maxRetries = options.maxRetries || 3;
 
-  // Build validation data
-  const { validationData, pipelineAuthConfig } = await buildValidationData(manifest, validatedEnvKey, authConfig, options);
+  // Build validation data (bearer-only: no clientId/clientSecret sent)
+  const { validationData, pipelineAuthConfig, useBearerOnly } = await buildValidationData(manifest, validatedEnvKey, authConfig, options);
 
   let lastError;
   for (let attempt = 1; attempt <= maxRetries; attempt++) {
@@ -133,8 +133,8 @@ async function validateDeployment(url, envKey, manifest, authConfig, options = {
     } catch (error) {
       lastError = error;
 
-      // Handle authentication errors (401) - credentials are invalid, not missing
-      handleValidationAuthError(error, manifest.key);
+      // Handle authentication errors (401)
+      handleValidationAuthError(error, manifest.key, useBearerOnly);
 
       const shouldRetry = attempt < maxRetries && error.status && error.status >= 500;
       if (shouldRetry) {
@@ -310,6 +310,32 @@ async function pollDeploymentStatus(deploymentId, controllerUrl, envKey, authCon
   throw new Error('Deployment timeout: Maximum polling attempts reached');
 }
 
+/**
+ * When using bearer token only (no client credentials), verify token is valid before deploy.
+ * @async
+ * @param {string} controllerUrl - Controller URL
+ * @param {Object} authConfig - Authentication configuration
+ * @throws {Error} If token is invalid or expired
+ */
+async function ensureBearerTokenValid(controllerUrl, authConfig) {
+  if (authConfig.type !== 'bearer' || !authConfig.token || authConfig.clientId) {
+    return;
+  }
+  try {
+    const response = await getAuthUser(controllerUrl, authConfig);
+    if (response && response.success && response.data && response.data.authenticated !== false) {
+      return;
+    }
+  } catch (_) {
+    // Fall through to throw below
+  }
+  throw new Error(
+    'Your authentication token is invalid or expired.\n\n' +
+    'Run: aifabrix login --method device --controller <url>\n\n' +
+    'Then run deploy again.'
+  );
+}
+
 /**
  * Validates and sends deployment request to controller
  * Implements two-step process: validate then deploy
@@ -322,6 +348,8 @@ async function pollDeploymentStatus(deploymentId, controllerUrl, envKey, authCon
  * @returns {Promise<Object>} Deployment result
  */
 async function sendDeployment(url, validatedEnvKey, manifest, authConfig, options) {
+  await ensureBearerTokenValid(url, authConfig);
+
   // Step 1: Validate deployment
   logger.log(chalk.blue('🔍 Validating deployment configuration...'));
   const validateResult = await validateDeployment(url, validatedEnvKey, manifest, authConfig, {

package/lib/external-system/delete.js

@@ -50,7 +50,6 @@ async function getAuthAndDataplane(systemKey, _options) {
   const { resolveDataplaneUrl } = require('../utils/dataplane-resolver');
   logger.log(chalk.blue('🌐 Resolving dataplane URL...'));
   const dataplaneUrl = await resolveDataplaneUrl(controllerUrl, environment, authConfig);
-  logger.log(chalk.green(`✓ Dataplane URL: ${dataplaneUrl}`));
 
   return { authConfig, dataplaneUrl, environment, controllerUrl };
 }