@aifabrix/builder 2.39.3 → 2.40.0

package/.cursor/rules/project-rules.mdc

@@ -77,14 +77,14 @@ Files under **integration/** and **builder/** are **auto-generated** by the CLI.
 - **integration/** – External system / wizard output:
   - Path: `integration/<appName>/` (see `lib/utils/paths.js` → `getIntegrationPath`).
   - Generated by: `lib/generator/wizard.js` (`generateWizardFiles`, `generateConfigFilesForWizard`), `lib/external-system/download.js`, wizard commands in `lib/commands/wizard-core.js` and `lib/commands/wizard.js`.
-  - Typical outputs: `variables.yaml`, `env.template`, `README.md`, `*-system.json`, `*-datasource*.json`, `*-deploy.json`, deploy script (`deploy.js`), and optionally `wizard.yaml`, `error.log`.
+  - Typical outputs: `application.yaml`, `env.template`, `README.md`, `*-system.json`, `*-datasource*.json`, `*-deploy.json`, deploy script (`deploy.js`), and optionally `wizard.yaml`, `error.log`.
 - **builder/** – Application (non-external) output:
   - Path: `builder/<appName>/` or custom root via `AIFABRIX_BUILDER_DIR` (see `lib/utils/paths.js` → `getBuilderPath`).
   - Generated by: app create/register flow, `lib/generator/index.js`, `lib/commands/up-common.js`, `lib/core/secrets.js`, and related app/deploy logic.
-  - Typical outputs: `variables.yaml`, `env.template`, deploy JSON, `.env` (from secrets), and app-specific config.
+  - Typical outputs: `application.yaml`, `env.template`, deploy JSON, `.env` (from secrets), and app-specific config.
 
 **Editable vs generated:**
-- Some generated files are **intended to be edited** (e.g. `variables.yaml`, `env.template`, `README.md`, `wizard.yaml`). Improvements to defaults or structure still belong in the generator/templates.
+- Some generated files are **intended to be edited** (e.g. `application.yaml`, `env.template`, `README.md`, `wizard.yaml`). Improvements to defaults or structure still belong in the generator/templates.
 - **When debugging:** First identify the **source of generation** (which module and function write the file). Fix bugs in that generator or template; avoid treating a one-off edit in integration/ or builder/ as the permanent fix unless it’s a deliberate local override.
 
 ### CLI Command Pattern
@@ -340,7 +340,7 @@ async function getItems() {
 const fs = require('fs').promises;
 const path = require('path');
 
-const filePath = path.join(process.cwd(), 'builder', appName, 'variables.yaml');
+const filePath = path.join(process.cwd(), 'builder', appName, 'application.yaml');
 try {
   const content = await fs.readFileSync(filePath, 'utf8');
   // Process content
@@ -728,13 +728,13 @@ function validateAppName(appName) {
 const path = require('path');
 
 const appPath = path.join(process.cwd(), 'builder', appName);
-const configPath = path.join(appPath, 'variables.yaml');
+const configPath = path.join(appPath, 'application.yaml');
 ```
 
 ### Configuration Loading
 ```javascript
 async function loadConfig(appName) {
-  const configPath = path.join(process.cwd(), 'builder', appName, 'variables.yaml');
+  const configPath = path.join(process.cwd(), 'builder', appName, 'application.yaml');
   const content = await fs.readFile(configPath, 'utf8');
   return yaml.load(content);
 }

package/README.md

@@ -101,9 +101,9 @@ Create, configure, and run your own AI Fabrix application locally or deploy it (
 
 All guides and references are listed in **[docs/README.md](docs/README.md)** (table of contents).
 
-- [CLI Reference](docs/cli-reference.md) – All commands
+- [CLI Commands Reference](docs/commands/README.md) – All commands
 - [Infrastructure](docs/infrastructure.md) – What runs and why
-- [Configuration reference](docs/configuration/README.md) – Config files (deployment key, variables.yaml, env.template, secrets)
+- [Configuration reference](docs/configuration/README.md) – Config files (deployment key, application.yaml, env.template, secrets)
 
 ---
 

package/babel.config.js

@@ -0,0 +1,6 @@
+/** Babel config for Jest (babel-jest). Single file so all workers resolve the same config. */
+// Syntax-only plugin ensures Babel never treats config as "no configuration data" in workers.
+module.exports = {
+  presets: [['@babel/preset-env', { targets: { node: 'current' } }]],
+  plugins: ['@babel/plugin-syntax-optional-chaining']
+};

package/integration/hubspot/README.md

@@ -1,184 +1,96 @@
 # HubSpot CRM Integration
 
-HubSpot CRM external system integration with companies, contacts, and deals datasources.
+HubSpot CRM external system integration with companies, contacts, and deals
 
-## Overview
+## System Information
 
-This integration connects to HubSpot CRM API and exposes companies, contacts, and deals data via the AI Fabrix Dataplane. Data is automatically synced and made available for querying via MCP/OpenAPI.
+- **System Key**: `hubspot`
+- **System Type**: `openapi`
+- **Datasources**: 0
 
 ## Files
 
-- `variables.yaml` - Application configuration with externalIntegration block
-- `hubspot-system.json` - External system definition with OAuth2 authentication
-- `hubspot-datasource-company.json` - Companies datasource with field mappings
-- `hubspot-datasource-contact.json` - Contacts datasource with field mappings
-- `hubspot-datasource-deal.json` - Deals datasource with field mappings
-- `hubspot-deploy.json` - Deployment manifest (generated)
-- `env.template` - Environment variables template with kv:// references
+- `application.yaml` – Application configuration with `app` and `externalIntegration` blocks
+- `hubspot-system.json` – External system definition (authentication, OpenAPI/MCP, RBAC)
+- `env.template` – Environment variables template (secrets, API keys)
+- `hubspot-deploy.json` – Deployment manifest (generated by `aifabrix json`)
 
-## Setup
+Optional: `rbac.yaml` – Roles and permissions merged into the system when present.
 
-### 1. Configure OAuth2 Credentials
+## Quick Start
 
-1. Register an OAuth2 app in HubSpot:
-   - Go to HubSpot Settings → Integrations → Private Apps
-   - Create a new private app
-   - Grant scopes:
-     - `crm.objects.companies.read`
-     - `crm.objects.companies.write`
-     - `crm.objects.contacts.read`
-     - `crm.objects.contacts.write`
-     - `crm.objects.deals.read`
-     - `crm.objects.deals.write`
-
-2. Set credentials via Miso Controller or Dataplane portal:
-   - Navigate to the HubSpot external system configuration
-   - Enter OAuth2 Client ID and Client Secret
-   - Values are automatically stored in Key Vault by the platform
-   - No manual Key Vault operations required
-
-**Note:** The platform manages Key Vault storage automatically. You only need to provide values via the interface.
-
-### 2. Validate Configuration
+### 1. Create External System
 
 ```bash
-aifabrix validate hubspot
+aifabrix create hubspot --type external
 ```
 
-### 3. Deploy
+Or use the interactive wizard:
 
 ```bash
-# Login to controller
-aifabrix login --controller http://localhost:3100 --method device --environment dev
-
-# Register application
-aifabrix app register hubspot
+aifabrix wizard --app hubspot
+```
 
-# Deploy entire system
-aifabrix deploy hubspot
+### 2. Configure Authentication and Datasources
 
-# Or deploy individual datasources for testing
-aifabrix datasource deploy hubspot-company --file integration/hubspot/hubspot-datasource-company.json
-aifabrix datasource deploy hubspot-contact --file integration/hubspot/hubspot-datasource-contact.json
-aifabrix datasource deploy hubspot-deal --file integration/hubspot/hubspot-datasource-deal.json
-```
+Edit files in `integration/hubspot/`:
 
-## Field Mappings
+- **Authentication**: `hubspot-system.yaml` (auth type, credentials placeholders)
+- **Field mappings**: `hubspot-datasource-*.yaml` (dimensions, attributes, operations)
 
-HubSpot uses a nested properties structure. Field mappings transform this to flat, normalized fields:
+### 3. Validate Configuration
 
-**HubSpot structure:**
-```json
-{
-  "properties": {
-    "name": { "value": "Acme Corp" },
-    "country": { "value": "us" }
-  }
-}
+```bash
+aifabrix validate hubspot --type external
 ```
 
-**Normalized structure:**
-```json
-{
-  "name": "Acme Corp",
-  "country": "US"
-}
-```
+### 4. Generate Deployment Manifest
 
-Transformations applied:
-- `trim` - Remove whitespace
-- `toLower` - Convert to lowercase (for domains, emails)
-- `toUpper` - Convert to uppercase (for country codes)
+```bash
+aifabrix json hubspot --type external
+```
 
-## Datasources
+This creates `hubspot-deploy.json` in `integration/hubspot/`.
 
-### Companies (`hubspot-company`)
-- **Resource Type:** `customer`
-- **Access Fields:** `country`, `domain` (for ABAC filtering)
-- **Fields:** `id`, `name`, `domain`, `country`, `city`, `industry`, `website`, `phone`, `createdAt`, `updatedAt`
+### 5. Deploy
 
-### Contacts (`hubspot-contact`)
-- **Resource Type:** `contact`
-- **Access Fields:** `email`, `country` (for ABAC filtering)
-- **Fields:** `id`, `firstName`, `lastName`, `email`, `phone`, `company`, `jobTitle`, `address`, `city`, `country`, `createdAt`, `updatedAt`
+Controller URL and environment are read from config. Configure and log in first:
 
-### Deals (`hubspot-deal`)
-- **Resource Type:** `deal`
-- **Access Fields:** `stage`, `pipeline` (for ABAC filtering)
-- **Fields:** `id`, `dealName`, `amount`, `currency`, `stage`, `pipeline`, `closeDate`, `dealType`, `associatedCompany`, `associatedContacts`, `createdAt`, `updatedAt`
+```bash
+aifabrix auth config --set-controller <url> --set-environment dev
+aifabrix login
+```
 
-## OpenAPI Operations
+Then deploy:
 
-All datasources expose full CRUD operations:
-- `list` - GET `/crm/v3/objects/{entity}`
-- `get` - GET `/crm/v3/objects/{entity}/{id}`
-- `create` - POST `/crm/v3/objects/{entity}`
-- `update` - PATCH `/crm/v3/objects/{entity}/{id}`
-- `delete` - DELETE `/crm/v3/objects/{entity}/{id}`
+```bash
+aifabrix deploy hubspot
+```
 
-RBAC permissions are auto-generated: `hubspot.company.list`, `hubspot.company.get`, etc.
+## Testing
 
-## Verification
+### Unit Tests (Local Validation, No API)
 
 ```bash
-# List datasources
-aifabrix datasource list
-
-# Validate specific datasource
-aifabrix datasource validate hubspot-company
+aifabrix test hubspot
 ```
 
-## Wizard E2E tests and use case coverage
-
-The script `integration/hubspot/test.js` runs end-to-end wizard and validation tests. It covers all wizard use cases from [Wizard Guide](../../docs/wizard.md):
-
-| Use case | Test ID | Description |
-|----------|---------|-------------|
-| **Headless config (wizard.yaml)** | | |
-| Required `appName` | 2.1 | Rejects config missing `appName` |
-| Valid `appName` pattern (lowercase, hyphens/underscores) | 2.2 | Rejects uppercase in app name |
-| Required `mode` | 2.5 | Rejects invalid `mode` enum |
-| Required `source` block | 2.3 | Rejects config without `source` |
-| Valid `source.type` | 2.4 | Rejects invalid source type |
-| `openapi-file` requires `filePath` | 2.7 | Rejects missing/non-existent OpenAPI file |
-| `openapi-url` requires `url` | 2.8 | Rejects `openapi-url` without `url` |
-| `known-platform` requires `platform` | 2.6 | Rejects known-platform without `platform` |
-| **Mode: add-datasource** | | |
-| `systemIdOrKey` required when mode=add-datasource | 2.9 | Rejects add-datasource without systemIdOrKey |
-| **Credential** | | |
-| `credential.action=select` requires `credentialIdOrKey` | 2.10 | Rejects select without credentialIdOrKey |
-| `credential.action=create` requires `config` | 2.11 | Rejects create without config |
-| **Positive flows** | | |
-| Full wizard with OpenAPI file | 1.1 | Complete flow with local OpenAPI file |
-| Wizard with known platform | 1.2 | Flow using known-platform (e.g. HubSpot) |
-| Wizard with env var substitution in deployment | 1.6 | `${CONTROLLER_URL}`, `${DATAPLANE_URL}` in wizard.yaml |
-| Real credential creation (real-data) | 1.3 | Credential create with real OAuth2 (optional env) |
-| **Post-wizard validation (external system)** | | |
-| RBAC: permissions reference existing roles | 2.12 | Rejects permission referencing non-existent role |
-| RBAC: rbac.yaml valid YAML and structure | 2.13 | Rejects invalid YAML in rbac.yaml |
-| Datasource: dimensions required in fieldMappings | 2.14 | Rejects missing dimensions |
-| Datasource: dimension key pattern | 2.15 | Rejects invalid dimension key |
-| Datasource: attribute path pattern | 2.16 | Rejects invalid attribute path |
-| Datasource: dimensions must be object | 2.17 | Rejects dimensions as array |
-
-**Run tests:**
+### Integration Tests (Via Dataplane)
 
 ```bash
-# All tests (positive may skip if dataplane/controller unavailable)
-node integration/hubspot/test.js
-
-# Negative only (no dataplane required)
-node integration/hubspot/test.js --type negative
-
-# Specific test
-node integration/hubspot/test.js --test "2.1,2.2"
+aifabrix test-integration hubspot
 ```
 
-## Documentation
+## Deployment
+
+Deploy via miso-controller pipeline (same as regular apps). Auth and controller come from `aifabrix login` and `aifabrix auth config`:
 
-- [External Systems Guide](../../docs/external-systems.md) - Complete guide with examples
-- [Wizard Guide](../../docs/wizard.md) - Wizard workflow and headless config
-- [CLI Reference](../../docs/cli-reference.md) - All commands
-- [Configuration Reference](../../docs/CONFIGURATION.md) - Config file details
+```bash
+aifabrix deploy hubspot
+```
 
+## Troubleshooting
 
+- **Validation errors**: Run `aifabrix validate hubspot --type external` to see schema and manifest errors.
+- **Deployment / auth**: Run `aifabrix auth config --set-controller <url> --set-environment <env>` and `aifabrix login` before `aifabrix deploy`.
+- **File not found**: Run commands from the project root (where `package.json` and `integration/` live).

package/integration/hubspot/application.yaml

@@ -0,0 +1,37 @@
+app:
+  key: hubspot
+  displayName: HubSpot CRM Integration
+  description: HubSpot CRM external system integration with companies, contacts, and deals
+  type: external
+configuration:
+  - name: HUBSPOT_API_VERSION
+    portalInput:
+      field: select
+      label: HubSpot API Version
+      placeholder: Select API version
+      options:
+        - v1
+        - v2
+        - v3
+      validation:
+        required: false
+  - name: MAX_PAGE_SIZE
+    portalInput:
+      field: text
+      label: Maximum Page Size
+      placeholder: '100'
+      validation:
+        required: false
+        pattern: ^[0-9]+$
+        minLength: 1
+        maxLength: 1000
+externalIntegration:
+  schemaBasePath: ./
+  systems:
+    - hubspot-system.json
+  dataSources:
+    - hubspot-datasource-company.json
+    - hubspot-datasource-contact.json
+    - hubspot-datasource-deal.json
+  autopublish: true
+  version: 1.0.0

package/integration/hubspot/env.template

@@ -1,14 +1,5 @@
-# HubSpot OAuth2 Configuration
-# These values are set via the Miso Controller interface or Dataplane portal
-# Values are stored in Key Vault automatically by the platform
-
 CLIENTID=kv://hubspot-clientidKeyVault
 CLIENTSECRET=kv://hubspot-clientsecretKeyVault
 TOKENURL=https://api.hubapi.com/oauth/v1/token
-
-# Optional: test runner (integration/hubspot/test.js) reads all config from this .env
-# CONTROLLER_URL=http://localhost:3110
-# ENVIRONMENT=miso
-# DATAPLANE_URL=
-# HUBSPOT_OPENAPI_FILE=integration/hubspot/companies.json
-
+HUBSPOT_API_VERSION=v3
+MAX_PAGE_SIZE=100

package/integration/hubspot/hubspot-deploy.json

@@ -3,6 +3,7 @@
   "displayName": "HubSpot CRM Integration",
   "description": "HubSpot CRM external system integration with companies, contacts, and deals",
   "type": "external",
+  "version": "1.0.0",
   "externalIntegration": {
     "schemaBasePath": "./",
     "systems": [

package/integration/hubspot/test.js

@@ -511,7 +511,7 @@ async function checkAppDirectory(appPath) {
  * @throws {Error} If required files are missing
  */
 async function validateRequiredFiles(appPath, entries) {
-  const requiredFiles = ['variables.yaml', 'env.template', 'README.md', 'deploy.js'];
+  const requiredFiles = ['application.yaml', 'env.template', 'README.md', 'deploy.js'];
   const missingFiles = [];
   for (const fileName of requiredFiles) {
     const filePath = path.join(appPath, fileName);
@@ -558,10 +558,10 @@ function validateDeployFiles(appPath, entries) {
  */
 async function validateFileContents(appPath, deployFiles) {
   try {
-    const variablesContent = await fs.readFile(path.join(appPath, 'variables.yaml'), 'utf8');
+    const variablesContent = await fs.readFile(path.join(appPath, 'application.yaml'), 'utf8');
     yaml.load(variablesContent);
   } catch (error) {
-    throw new Error(`Invalid YAML syntax in variables.yaml: ${error.message}`);
+    throw new Error(`Invalid YAML syntax in application.yaml: ${error.message}`);
   }
   for (const fileName of deployFiles) {
     try {
@@ -597,7 +597,7 @@ async function validateGeneratedFiles(appName) {
  * @returns {Promise<Object>} Snapshot of file contents keyed by path
  */
 async function captureExternalSnapshot(appPath) {
-  const variablesPath = path.join(appPath, 'variables.yaml');
+  const variablesPath = path.join(appPath, 'application.yaml');
   const variablesContent = await fs.readFile(variablesPath, 'utf8');
   const variables = yaml.load(variablesContent);
 
@@ -608,7 +608,7 @@ async function captureExternalSnapshot(appPath) {
   const systemFiles = variables.externalIntegration.systems || [];
   const datasourceFiles = variables.externalIntegration.dataSources || [];
   const fileNames = [
-    'variables.yaml',
+    'application.yaml',
     'env.template',
     'README.md',
     ...systemFiles,

package/lib/api/credentials.api.js

@@ -1,5 +1,5 @@
 /**
- * @fileoverview Credentials API functions (controller/dataplane credential list)
+ * @fileoverview Credentials API functions (Dataplane credential list)
  * @author AI Fabrix Team
  * @version 2.0.0
  */
@@ -7,13 +7,13 @@
 const { ApiClient } = require('./index');
 
 /**
- * List credentials from controller or dataplane
+ * List credentials from Dataplane
  * GET /api/v1/credential
- * Used by `aifabrix credential list`. Call with controller or dataplane base URL per deployment.
- * @requiresPermission {Dataplane} credential:read (when baseUrl is dataplane; controller may differ)
+ * Used by `aifabrix credential list`. The Controller does not expose this endpoint; call with Dataplane base URL.
+ * @requiresPermission {Dataplane} credential:read
  * @async
  * @function listCredentials
- * @param {string} baseUrl - Controller or dataplane base URL
+ * @param {string} baseUrl - Dataplane base URL (GET /api/v1/credential is a Dataplane endpoint)
  * @param {Object} authConfig - Authentication configuration
  * @param {Object} [options] - List options
  * @param {boolean} [options.activeOnly] - If true, return only active credentials

package/lib/api/deployments.api.js

@@ -62,8 +62,8 @@ async function deployEnvironment(controllerUrl, envKey, authConfig, deployData)
  * @param {string} envKey - Environment key
  * @param {Object} authConfig - Authentication configuration
  * @param {Object} [options] - List options
- * @param {number} [options.page] - Page number
- * @property {number} [options.pageSize] - Items per page
+ * @param {number} [options.page] - Page number (1-based)
+ * @param {number} [options.pageSize] - Items per page
  * @param {string} [options.sort] - Sort parameter
  * @param {string} [options.filter] - Filter parameter
  * @param {string} [options.search] - Search term

package/lib/api/pipeline.api.js

@@ -87,15 +87,15 @@ async function getPipelineHealth(controllerUrl, envKey) {
 
 /**
  * Publish one external system via dataplane pipeline endpoint
- * POST /api/v1/pipeline/publish
+ * POST /api/v1/pipeline/publish (Dataplane OpenAPI operationId: publishExternalSystemViaPipeline)
  * Request body: external system JSON (external-system.schema.json). Optional field in body:
  * generateMcpContract (boolean, default true). Optional: generateOpenApiContract (boolean).
  * Do not use query parameters for MCP; use the field in the body only.
- * @requiresPermission {Dataplane} Authenticated (oauth2: [])
+ * @requiresPermission {Dataplane} external-system:publish. Auth: OAuth2 (Bearer) or API_KEY only; client id/secret are not accepted.
  * @async
  * @function publishSystemViaPipeline
  * @param {string} dataplaneUrl - Dataplane base URL
- * @param {Object} authConfig - Authentication configuration
+ * @param {Object} authConfig - Authentication configuration (must include token for Bearer; client id/secret rejected)
  * @param {Object} systemConfig - External system configuration (conforms to external-system.schema.json)
  * @returns {Promise<Object>} Published external system response
  * @throws {Error} If publish fails
@@ -109,9 +109,9 @@ async function publishSystemViaPipeline(dataplaneUrl, authConfig, systemConfig)
 
 /**
  * Publish datasource via dataplane pipeline endpoint
- * POST /api/v1/pipeline/{systemKey}/publish
+ * POST /api/v1/pipeline/{systemKey}/publish (Dataplane OpenAPI operationId: publishExternalDataSourceViaPipeline)
  * No generateMcpContract for this endpoint; dataplane always uses default (MCP generated).
- * @requiresPermission {Dataplane} Authenticated (oauth2: [])
+ * @requiresPermission {Dataplane} external-system:publish. Auth: OAuth2 (Bearer) or API_KEY only; client id/secret are not accepted.
  * @async
  * @function publishDatasourceViaPipeline
  * @param {string} dataplaneUrl - Dataplane base URL
@@ -130,8 +130,8 @@ async function publishDatasourceViaPipeline(dataplaneUrl, systemKey, authConfig,
 
 /**
  * Test datasource via dataplane pipeline endpoint
- * POST /api/v1/pipeline/{systemKey}/{datasourceKey}/test
- * @requiresPermission {Dataplane} Authenticated (oauth2: [])
+ * POST /api/v1/pipeline/{systemKey}/{datasourceKey}/test (Dataplane OpenAPI operationId: testExternalDataSourceViaPipeline)
+ * @requiresPermission {Dataplane} external-system:publish or external-data-source:read. Auth: OAuth2 (Bearer) or API_KEY only; client id/secret are not accepted.
  * @async
  * @function testDatasourceViaPipeline
  * @param {Object} params - Function parameters
@@ -161,7 +161,7 @@ async function testDatasourceViaPipeline({ dataplaneUrl, systemKey, datasourceKe
 /**
  * Deploy external system via dataplane pipeline endpoint
  * POST /api/v1/pipeline/deploy
- * @requiresPermission {Dataplane} Authenticated (oauth2: [])
+ * @requiresPermission {Dataplane} external-system:publish. Auth: OAuth2 (Bearer) or API_KEY only; client id/secret are not accepted.
  * @async
  * @function deployExternalSystemViaPipeline
  * @param {string} dataplaneUrl - Dataplane base URL
@@ -180,7 +180,7 @@ async function deployExternalSystemViaPipeline(dataplaneUrl, authConfig, systemC
 /**
  * Deploy datasource via dataplane pipeline endpoint
  * POST /api/v1/pipeline/{systemKey}/deploy
- * @requiresPermission {Dataplane} Authenticated (oauth2: [])
+ * @requiresPermission {Dataplane} external-system:publish. Auth: OAuth2 (Bearer) or API_KEY only; client id/secret are not accepted.
  * @async
  * @function deployDatasourceViaPipeline
  * @param {string} dataplaneUrl - Dataplane base URL
@@ -199,15 +199,15 @@ async function deployDatasourceViaPipeline(dataplaneUrl, systemKey, authConfig,
 
 /**
  * Upload application configuration via dataplane pipeline endpoint
- * POST /api/v1/pipeline/upload
+ * POST /api/v1/pipeline/upload (Dataplane OpenAPI operationId: uploadApplication)
  * Body: { version, application, dataSources }. Include application.generateMcpContract
  * and/or application.generateOpenApiContract to control contract generation when
  * publishing this upload (publish reads from stored config; no query param on publish).
- * @requiresPermission {Dataplane} Authenticated (oauth2: [])
+ * @requiresPermission {Dataplane} external-system:publish. Auth: OAuth2 (Bearer) or API_KEY only; client id/secret are not accepted.
  * @async
  * @function uploadApplicationViaPipeline
  * @param {string} dataplaneUrl - Dataplane base URL
- * @param {Object} authConfig - Authentication configuration
+ * @param {Object} authConfig - Authentication configuration (must include token for Bearer; client id/secret rejected)
  * @param {Object} applicationSchema - { version, application, dataSources }; application may include generateMcpContract, generateOpenApiContract
  * @returns {Promise<Object>} Upload response with uploadId
  * @throws {Error} If upload fails
@@ -221,8 +221,8 @@ async function uploadApplicationViaPipeline(dataplaneUrl, authConfig, applicatio
 
 /**
  * Validate upload via dataplane pipeline endpoint
- * POST /api/v1/pipeline/upload/{uploadId}/validate
- * @requiresPermission {Dataplane} Authenticated (oauth2: [])
+ * POST /api/v1/pipeline/upload/{uploadId}/validate (Dataplane OpenAPI operationId: validateApplication)
+ * @requiresPermission {Dataplane} external-system:publish. Auth: OAuth2 (Bearer) or API_KEY only; client id/secret are not accepted.
  * @async
  * @function validateUploadViaPipeline
  * @param {string} dataplaneUrl - Dataplane base URL
@@ -238,17 +238,17 @@ async function validateUploadViaPipeline(dataplaneUrl, uploadId, authConfig) {
 
 /**
  * Publish upload via dataplane pipeline endpoint
- * POST /api/v1/pipeline/upload/{uploadId}/publish
+ * POST /api/v1/pipeline/upload/{uploadId}/publish (Dataplane OpenAPI operationId: publishApplication)
  * No body or query parameters. MCP/OpenAPI generation is taken from the application config
  * that was uploaded (application.generateMcpContract, application.generateOpenApiContract).
  * To control MCP/OpenAPI, include those fields in the application object when calling
  * uploadApplicationViaPipeline.
- * @requiresPermission {Dataplane} Authenticated (oauth2: [])
+ * @requiresPermission {Dataplane} external-system:publish. Auth: OAuth2 (Bearer) or API_KEY only; client id/secret are not accepted.
  * @async
  * @function publishUploadViaPipeline
  * @param {string} dataplaneUrl - Dataplane base URL
  * @param {string} uploadId - Upload ID
- * @param {Object} authConfig - Authentication configuration
+ * @param {Object} authConfig - Authentication configuration (must include token for Bearer; client id/secret rejected)
  * @returns {Promise<Object>} Publish response
  * @throws {Error} If publish fails
  */

package/lib/api/wizard.api.js

@@ -343,7 +343,7 @@ async function getDeploymentDocs(dataplaneUrl, authConfig, systemKey) {
 }
 
 /**
- * Generate deployment documentation with variables.yaml and deploy JSON for better quality
+ * Generate deployment documentation with application.yaml and deploy JSON for better quality
  * POST /api/v1/wizard/deployment-docs/{systemKey}
  * Sends deployJson and variablesYaml in the request body so the dataplane can align README with the integration folder.
  * @requiresPermission {Dataplane} external-system:update
@@ -354,7 +354,7 @@ async function getDeploymentDocs(dataplaneUrl, authConfig, systemKey) {
  * @param {string} systemKey - System key identifier
  * @param {Object} [body] - Optional request body (WizardDeploymentDocsRequest)
  * @param {Object} [body.deployJson] - Deploy JSON object (e.g. *-deploy.json content)
- * @param {string} [body.variablesYaml] - variables.yaml file content as string
+ * @param {string} [body.variablesYaml] - application config file content as string
  * @returns {Promise<Object>} Deployment documentation response (content, contentType, systemKey)
  * @throws {Error} If request fails
  */

package/lib/app/config.js

@@ -1,7 +1,7 @@
 /**
  * Application Configuration File Generation
  *
- * Generates configuration files for applications (variables.yaml, env.template, rbac.yaml, etc.)
+ * Generates configuration files for applications (application.yaml, env.template, rbac.yaml, etc.)
  *
  * @fileoverview Configuration file generation for AI Fabrix Builder
  * @author AI Fabrix Team
@@ -32,18 +32,23 @@ async function fileExists(filePath) {
 }
 
 /**
- * Generates variables.yaml file if it doesn't exist
+ * Generates application.yaml file if no application config exists
  * @async
  * @param {string} appPath - Path to application directory
  * @param {string} appName - Application name
  * @param {Object} config - Application configuration
  */
 async function generateVariablesYamlFile(appPath, appName, config) {
-  const variablesPath = path.join(appPath, 'variables.yaml');
-  if (!(await fileExists(variablesPath))) {
-    const variablesYaml = generateVariablesYaml(appName, config);
-    await fs.writeFile(variablesPath, variablesYaml);
+  const { resolveApplicationConfigPath } = require('../utils/app-config-resolver');
+  try {
+    resolveApplicationConfigPath(appPath);
+    return;
+  } catch {
+    // No config file; create application.yaml
   }
+  const variablesPath = path.join(appPath, 'application.yaml');
+  const variablesYaml = generateVariablesYaml(appName, config);
+  await fs.writeFile(variablesPath, variablesYaml);
 }
 
 /**