@aifabrix/builder 2.40.2 → 2.41.0

package/lib/deployment/environment.js

@@ -9,10 +9,7 @@
  * @version 2.0.0
  */
 
-const fs = require('fs');
-const path = require('path');
 const chalk = require('chalk');
-const Ajv = require('ajv');
 const logger = require('../utils/logger');
 const config = require('../core/config');
 const { resolveControllerUrl } = require('../utils/controller-url');
@@ -21,9 +18,12 @@ const { getOrRefreshDeviceToken } = require('../utils/token-manager');
 const { getPipelineDeployment } = require('../api/pipeline.api');
 const { deployEnvironment: deployEnvironmentInfra, getDeployment } = require('../api/deployments.api');
 const { handleDeploymentErrors } = require('../utils/deployment-errors');
-const { formatValidationErrors } = require('../utils/error-formatter');
 const auditLogger = require('../core/audit-logger');
-const environmentDeployRequestSchema = require('../schema/environment-deploy-request.schema.json');
+const {
+  normalizePreset,
+  buildEnvironmentConfigFromPreset,
+  loadAndValidateEnvironmentDeployConfig
+} = require('./environment-config');
 
 /**
  * Validates environment deployment prerequisites
@@ -82,102 +82,26 @@ async function getEnvironmentAuth(controllerUrl) {
  * @returns {Promise<Object>} Deployment result
  * @throws {Error} If deployment fails
  */
-/** Reads and parses config file; throws if missing, unreadable, or invalid structure. */
-function parseEnvironmentConfigFile(resolvedPath) {
-  let raw;
-  try {
-    raw = fs.readFileSync(resolvedPath, 'utf8');
-  } catch (e) {
-    throw new Error(`Cannot read config file: ${resolvedPath}. ${e.message}`);
-  }
-  let parsed;
-  try {
-    parsed = JSON.parse(raw);
-  } catch (e) {
-    throw new Error(
-      `Invalid JSON in config file: ${resolvedPath}\n${e.message}\n` +
-      'Expected format: { "environmentConfig": { "key", "environment", "preset", "serviceName", "location" }, "dryRun": false }'
-    );
-  }
-  if (parsed === null || typeof parsed !== 'object') {
-    throw new Error(
-      `Config file must be a JSON object with "environmentConfig". File: ${resolvedPath}\n` +
-      'Example: { "environmentConfig": { "key": "dev", "environment": "dev", "preset": "s", "serviceName": "aifabrix", "location": "swedencentral" }, "dryRun": false }'
-    );
-  }
-  if (parsed.environmentConfig === undefined) {
-    throw new Error(
-      `Config file must contain "environmentConfig" (object). File: ${resolvedPath}\n` +
-      'Example: { "environmentConfig": { "key": "dev", "environment": "dev", "preset": "s", "serviceName": "aifabrix", "location": "swedencentral" } }'
-    );
-  }
-  if (typeof parsed.environmentConfig !== 'object' || parsed.environmentConfig === null) {
-    throw new Error(`"environmentConfig" must be an object. File: ${resolvedPath}`);
-  }
-  return parsed;
-}
-
 /**
- * Validates parsed config against schema and returns deploy request.
- * @param {Object} parsed - Parsed config object
- * @param {string} resolvedPath - Path for error messages
- * @returns {Object} { environmentConfig, dryRun? }
- */
-function validateEnvironmentDeployParsed(parsed, resolvedPath) {
-  const ajv = new Ajv({ allErrors: true, strict: false });
-  const validate = ajv.compile(environmentDeployRequestSchema);
-  if (!validate(parsed)) {
-    const messages = formatValidationErrors(validate.errors);
-    throw new Error(
-      `Environment config validation failed (${resolvedPath}):\n  • ${messages.join('\n  • ')}\n` +
-      'Fix the config file and run the command again. See templates/infra/environment-dev.json for a valid example.'
-    );
-  }
-  return {
-    environmentConfig: parsed.environmentConfig,
-    dryRun: Boolean(parsed.dryRun)
-  };
-}
-
-/**
- * Loads and validates environment deploy config from a JSON file
- * @param {string} configPath - Absolute or relative path to config JSON
- * @returns {Object} Valid deploy request { environmentConfig, dryRun? }
- * @throws {Error} If file missing, invalid JSON, or validation fails
- */
-function loadAndValidateEnvironmentDeployConfig(configPath) {
-  const resolvedPath = path.isAbsolute(configPath) ? configPath : path.resolve(process.cwd(), configPath);
-  if (!fs.existsSync(resolvedPath)) {
-    throw new Error(
-      `Environment config file not found: ${resolvedPath}\n` +
-      'Use --config <file> with a JSON file containing "environmentConfig" (e.g. templates/infra/environment-dev.json).'
-    );
-  }
-  const parsed = parseEnvironmentConfigFile(resolvedPath);
-  return validateEnvironmentDeployParsed(parsed, resolvedPath);
-}
-
-/**
- * Builds environment deployment request from options (config file required)
+ * Builds environment deployment request from options (config file or --preset)
+ * When --config is provided, uses that file; otherwise uses --preset (default s).
  * @function buildEnvironmentDeploymentRequest
  * @param {string} validatedEnvKey - Validated environment key
- * @param {Object} options - Deployment options (must include options.config)
+ * @param {Object} options - Deployment options (options.config optional; options.preset used when no config)
  * @returns {Object} Deployment request object for API
  */
 function buildEnvironmentDeploymentRequest(validatedEnvKey, options) {
-  if (!options.config || typeof options.config !== 'string') {
-    throw new Error(
-      'Environment deploy requires a config file with "environmentConfig". Use --config <file>.\n' +
-      'Example: aifabrix environment deploy dev --config templates/infra/environment-dev.json'
-    );
-  }
-  const deployRequest = loadAndValidateEnvironmentDeployConfig(options.config);
-  if (deployRequest.environmentConfig.key && deployRequest.environmentConfig.key !== validatedEnvKey) {
-    logger.log(chalk.yellow(
-      `⚠ Config key "${deployRequest.environmentConfig.key}" does not match deploy target "${validatedEnvKey}"; using target "${validatedEnvKey}".`
-    ));
+  if (options.config && typeof options.config === 'string') {
+    const deployRequest = loadAndValidateEnvironmentDeployConfig(options.config);
+    if (deployRequest.environmentConfig.key && deployRequest.environmentConfig.key !== validatedEnvKey) {
+      logger.log(chalk.yellow(
+        `⚠ Config key "${deployRequest.environmentConfig.key}" does not match deploy target "${validatedEnvKey}"; using target "${validatedEnvKey}".`
+      ));
+    }
+    return deployRequest;
   }
-  return deployRequest;
+  const preset = normalizePreset(options.preset);
+  return buildEnvironmentConfigFromPreset(validatedEnvKey, preset);
 }
 
 /**
@@ -371,7 +295,8 @@ function displayDeploymentResults(result) {
  * @param {string} envKey - Environment key (miso, dev, tst, pro)
  * @param {Object} options - Deployment options
  * @param {string} options.controller - Controller URL (required)
- * @param {string} [options.config] - Environment configuration file (optional)
+ * @param {string} [options.config] - Environment configuration file (optional; if omitted, --preset is used)
+ * @param {string} [options.preset] - Environment size preset: s, m, l, xl (default: s), used when config is not provided
  * @param {boolean} [options.skipValidation] - Skip validation checks
  * @param {boolean} [options.poll] - Poll for deployment status (default: true)
  * @param {boolean} [options.noPoll] - Do not poll for status
@@ -492,6 +417,4 @@ async function deployEnvironment(envKey, options = {}) {
     throw error;
   }
 }
-module.exports = {
-  deployEnvironment
-};
+module.exports = { deployEnvironment };

package/lib/deployment/push.js

@@ -16,6 +16,29 @@ const logger = require('../utils/logger');
 
 const execAsync = promisify(exec);
 
+/** Timeout for az account show (fail fast when not logged in) */
+const AZ_ACCOUNT_SHOW_TIMEOUT_MS = 10000;
+/** Timeout for az acr show (avoid hang when Azure CLI prompts for login) */
+const AZ_ACR_SHOW_TIMEOUT_MS = 15000;
+/** Timeout for az acr login */
+const AZ_ACR_LOGIN_TIMEOUT_MS = 120000;
+
+/**
+ * Check if user is logged in to Azure CLI
+ * Fails fast so push does not hang when user is not logged in.
+ * @param {Object} [execOptions] - Options for exec (e.g. shell on Windows)
+ * @returns {Promise<boolean>} True if logged in
+ */
+async function checkAzureLogin(execOptions = {}) {
+  const options = process.platform === 'win32' ? { shell: true, ...execOptions } : execOptions;
+  try {
+    await execAsync('az account show', { ...options, timeout: AZ_ACCOUNT_SHOW_TIMEOUT_MS });
+    return true;
+  } catch (_error) {
+    return false;
+  }
+}
+
 /**
  * Check if Azure CLI is installed
  * @returns {Promise<boolean>} True if Azure CLI is available
@@ -128,7 +151,7 @@ async function checkACRAuthentication(registry) {
     const registryName = extractRegistryName(registry);
     // On Windows, use shell option to ensure proper command resolution
     const options = process.platform === 'win32' ? { shell: true } : {};
-    await execAsync(`az acr show --name ${registryName}`, options);
+    await execAsync(`az acr show --name ${registryName}`, { ...options, timeout: AZ_ACR_SHOW_TIMEOUT_MS });
     return true;
   } catch (error) {
     return false;
@@ -146,9 +169,15 @@ async function authenticateACR(registry) {
     logger.log(chalk.blue(`Authenticating with ${registry}...`));
     // On Windows, use shell option to ensure proper command resolution
     const options = process.platform === 'win32' ? { shell: true } : {};
-    await execAsync(`az acr login --name ${registryName}`, options);
+    await execAsync(`az acr login --name ${registryName}`, { ...options, timeout: AZ_ACR_LOGIN_TIMEOUT_MS });
     logger.log(chalk.green(`✓ Authenticated with ${registry}`));
   } catch (error) {
+    const msg = error.message || String(error);
+    if (msg.includes('ETIMEDOUT') || msg.includes('timeout')) {
+      throw new Error(
+        'Authentication timed out. Make sure you\'re logged in to Azure first: az login'
+      );
+    }
     throw new Error(`Failed to authenticate with Azure Container Registry: ${error.message}`);
   }
 }
@@ -267,6 +296,7 @@ async function pushImage(imageWithTag, registry = null) {
 
 module.exports = {
   checkAzureCLIInstalled,
+  checkAzureLogin,
   extractRegistryName,
   validateRegistryURL,
   checkACRAuthentication,

package/lib/external-system/download.js

@@ -390,6 +390,13 @@ async function processDownloadedSystem(systemKey, application, dataSources, temp
   // Move files from temp to final location
   await moveFilesToFinalLocation(tempDir, finalPath, systemKey, filePaths);
 
+  try {
+    const secretsEnsure = require('../core/secrets-ensure');
+    await secretsEnsure.ensureSecretsFromEnvTemplate(path.join(finalPath, 'env.template'), { emptyValuesForCredentials: true });
+  } catch (err) {
+    if (err.code !== 'ENOENT') logger.warn(`Could not ensure integration placeholder secrets: ${err.message}`);
+  }
+
   // Clean up temporary folder
   await fs.rm(tempDir, { recursive: true, force: true });
 

package/lib/external-system/test-auth.js

@@ -15,17 +15,21 @@ const { resolveDataplaneUrl } = require('../utils/dataplane-resolver');
 const { resolveControllerUrl } = require('../utils/controller-url');
 
 /**
- * Setup authentication and get dataplane URL for integration tests
+ * Setup authentication and get dataplane URL for integration tests.
+ * Dataplane URL is always discovered from the controller for the given environment.
+ *
  * @async
  * @param {string} appName - Application name (used for auth scope; dataplane URL is discovered from controller)
- * @param {Object} options - Test options; options.dataplane overrides discovered URL
+ * @param {Object} options - Test options; options.environment overrides config env; options.dataplane overrides URL (programmatic only)
  * @param {Object} _config - Configuration object
  * @returns {Promise<Object>} Object with authConfig and dataplaneUrl
  * @throws {Error} If authentication fails
  */
 async function setupIntegrationTestAuth(appName, options, _config) {
   const { resolveEnvironment } = require('../core/config');
-  const environment = await resolveEnvironment();
+  const environment = (options && options.environment && typeof options.environment === 'string' && options.environment.trim())
+    ? options.environment.trim()
+    : await resolveEnvironment();
   const controllerUrl = await resolveControllerUrl();
   const authConfig = await getDeploymentAuth(controllerUrl, environment, appName);
 

package/lib/external-system/test.js

@@ -50,7 +50,11 @@ async function loadVariablesYamlFile(variablesPath) {
   try {
     const variables = loadConfigFile(variablesPath);
     if (!variables.externalIntegration) {
-      throw new Error('externalIntegration block not found in application config');
+      throw new Error(
+        'externalIntegration block not found in application config. ' +
+        'test-integration is for external systems only (integration/<app> with externalIntegration in application.yaml). ' +
+        'For builder apps use: aifabrix test <app> or aifabrix test-e2e <app>'
+      );
     }
     return variables;
   } catch (error) {

package/lib/generator/index.js

@@ -20,6 +20,8 @@ const { loadVariables, loadEnvTemplate, loadRbac, parseEnvironmentVariables } =
 const { generateExternalSystemApplicationSchema, splitExternalApplicationSchema } = require('./external');
 const { generateControllerManifest } = require('./external-controller-manifest');
 const { resolveVersionForApp } = require('../utils/image-version');
+const { getContainerPort } = require('../utils/port-resolver');
+const { buildEnvVarMap } = require('../utils/env-map');
 
 /**
  * Generates deployment JSON from application configuration files
@@ -59,6 +61,96 @@ function loadDeploymentConfigFiles(appPath, appType, appName) {
   return { variables, envTemplate, rbac, jsonPath };
 }
 
+/** Placeholder replaced with application port from application.yaml */
+const PORT_PLACEHOLDER = '${PORT}';
+
+/**
+ * Returns the numeric port to use when substituting ${PORT} in the manifest.
+ * When application.yaml has port: "${PORT}", uses defaultPort (e.g. 3000).
+ *
+ * @param {Object} variables - Parsed application config
+ * @param {number} [defaultPort=3000] - Default when port is "${PORT}" or invalid
+ * @returns {number} Port number for substitution
+ */
+function getEffectivePortForSubstitution(variables, defaultPort = 3000) {
+  const raw = getContainerPort(variables, defaultPort);
+  if (raw === PORT_PLACEHOLDER || (typeof raw === 'string' && raw.trim() === PORT_PLACEHOLDER)) {
+    return defaultPort;
+  }
+  if (typeof raw === 'number' && raw > 0) {
+    return raw;
+  }
+  const num = Number(raw);
+  return Number.isFinite(num) && num > 0 ? num : defaultPort;
+}
+
+/**
+ * Recursively replaces ${PORT} with the given port number in all string values of obj (in-place).
+ *
+ * @param {Object} obj - Deployment manifest or any nested object
+ * @param {number} portNumber - Port to substitute (e.g. from application.yaml)
+ */
+function substitutePortInDeployment(obj, portNumber) {
+  if (obj === null || obj === undefined) return;
+  if (Array.isArray(obj)) {
+    for (let i = 0; i < obj.length; i++) {
+      if (typeof obj[i] === 'string' && obj[i].includes(PORT_PLACEHOLDER)) {
+        obj[i] = obj[i].split(PORT_PLACEHOLDER).join(String(portNumber));
+      } else if (typeof obj[i] === 'object' && obj[i] !== null) {
+        substitutePortInDeployment(obj[i], portNumber);
+      }
+    }
+    return;
+  }
+  if (typeof obj === 'object') {
+    for (const key of Object.keys(obj)) {
+      const value = obj[key];
+      if (typeof value === 'string' && value.includes(PORT_PLACEHOLDER)) {
+        obj[key] = value.split(PORT_PLACEHOLDER).join(String(portNumber));
+      } else if (typeof value === 'object' && value !== null) {
+        substitutePortInDeployment(value, portNumber);
+      }
+    }
+  }
+}
+
+/** Regex to find ${VAR} placeholders for env substitution */
+const ENV_VAR_PLACEHOLDER_REGEX = /\$\{([^}]+)\}/g;
+
+/**
+ * Recursively replaces ${VAR} with envVarMap[VAR] in all string values of obj (in-place).
+ * Only substitutes when VAR is a key in envVarMap (from env-config.yaml / config).
+ *
+ * @param {Object} obj - Deployment manifest or any nested object
+ * @param {Object} envVarMap - Flat map of variable names to values (e.g. from buildEnvVarMap('docker'))
+ */
+function substituteEnvVarsInDeployment(obj, envVarMap) {
+  if (!envVarMap || typeof envVarMap !== 'object') return;
+  if (obj === null || obj === undefined) return;
+  if (Array.isArray(obj)) {
+    for (let i = 0; i < obj.length; i++) {
+      if (typeof obj[i] === 'string') {
+        obj[i] = obj[i].replace(ENV_VAR_PLACEHOLDER_REGEX, (match, varName) =>
+          Object.prototype.hasOwnProperty.call(envVarMap, varName) ? String(envVarMap[varName]) : match);
+      } else if (typeof obj[i] === 'object' && obj[i] !== null) {
+        substituteEnvVarsInDeployment(obj[i], envVarMap);
+      }
+    }
+    return;
+  }
+  if (typeof obj === 'object') {
+    for (const key of Object.keys(obj)) {
+      const value = obj[key];
+      if (typeof value === 'string') {
+        obj[key] = value.replace(ENV_VAR_PLACEHOLDER_REGEX, (match, varName) =>
+          Object.prototype.hasOwnProperty.call(envVarMap, varName) ? String(envVarMap[varName]) : match);
+      } else if (typeof value === 'object' && value !== null) {
+        substituteEnvVarsInDeployment(value, envVarMap);
+      }
+    }
+  }
+}
+
 /**
  * Builds and validates deployment manifest
  * @function buildAndValidateDeployment
@@ -66,10 +158,12 @@ function loadDeploymentConfigFiles(appPath, appType, appName) {
  * @param {Object} variables - Variables configuration
  * @param {Object} envTemplate - Environment template
  * @param {Object} rbac - RBAC configuration
+ * @param {Object} [options] - Optional options
+ * @param {Object} [options.envVarMap] - Env vars from env-config (e.g. REDIS_HOST, DB_HOST) to resolve ${VAR} in manifest
  * @returns {Object} Deployment manifest
  * @throws {Error} If validation fails
  */
-function buildAndValidateDeployment(appName, variables, envTemplate, rbac) {
+function buildAndValidateDeployment(appName, variables, envTemplate, rbac, options = null) {
   // Parse environment variables from template and merge portalInput from application config
   const configuration = parseEnvironmentVariables(envTemplate, variables);
 
@@ -83,6 +177,23 @@ function buildAndValidateDeployment(appName, variables, envTemplate, rbac) {
     throw new Error(`Generated deployment JSON does not match schema:\n${errorMessages}`);
   }
 
+  // Replace ${PORT} with port from application.yaml so manifest deploys correctly
+  const effectivePort = getEffectivePortForSubstitution(variables, 3000);
+  substitutePortInDeployment(deployment, effectivePort);
+  if (deployment.port !== undefined) {
+    deployment.port = typeof deployment.port === 'string' && /^\d+$/.test(deployment.port)
+      ? parseInt(deployment.port, 10) : (typeof deployment.port === 'number' ? deployment.port : effectivePort);
+  }
+
+  // Resolve ${REDIS_HOST}, ${DB_HOST}, etc. from env-config.yaml so manifest has no unresolved vars
+  const envVarMap = options && options.envVarMap;
+  if (envVarMap) {
+    substituteEnvVarsInDeployment(deployment, envVarMap);
+  }
+
+  // Ensure no other ${...} placeholders remain in manifest
+  _validator.validateNoUnresolvedVariablesInDeployment(deployment);
+
   return deployment;
 }
 
@@ -117,46 +228,81 @@ async function buildDeploymentManifestInMemory(appName, options = {}) {
   const configuration = parseEnvironmentVariables(envTemplate, variables);
   const deployment = builders.buildManifestStructure(appName, variablesWithVersion, configuration, rbac);
 
+  const effectivePort = getEffectivePortForSubstitution(variablesWithVersion, 3000);
+  substitutePortInDeployment(deployment, effectivePort);
+  if (deployment.port !== undefined) {
+    deployment.port = typeof deployment.port === 'string' && /^\d+$/.test(deployment.port)
+      ? parseInt(deployment.port, 10) : (typeof deployment.port === 'number' ? deployment.port : effectivePort);
+  }
+  const envVarMap = await buildEnvVarMap('docker', null, null, { appPort: effectivePort });
+  substituteEnvVarsInDeployment(deployment, envVarMap);
+  _validator.validateNoUnresolvedVariablesInDeployment(deployment);
   return { deployment, appPath };
 }
 
-async function generateDeployJson(appName, options = {}) {
-  if (!appName || typeof appName !== 'string') {
-    throw new Error('App name is required and must be a string');
-  }
-
-  // Detect app type and get correct path (integration first, then builder)
-  const { isExternal, appPath, appType } = await detectAppType(appName);
-  logOfflinePathWhenType(appPath);
-
-  // Check if app type is external
-  if (isExternal) {
-    const manifest = await generateControllerManifest(appName, options);
-
-    // Determine system key for file naming
-    const systemKey = manifest.key || appName;
-    const deployJsonPath = path.join(appPath, `${systemKey}-deploy.json`);
-
-    await fs.promises.writeFile(deployJsonPath, JSON.stringify(manifest, null, 2), { mode: 0o644, encoding: 'utf8' });
-    return deployJsonPath;
+/**
+ * Writes external system deploy JSON (manifest + ${PORT} substitution + validation).
+ * @async
+ * @param {string} appName - Application name
+ * @param {string} appPath - Application path
+ * @param {Object} options - Generation options
+ * @returns {Promise<string>} Path to written deploy JSON
+ */
+async function writeExternalDeployJson(appName, appPath, options) {
+  const manifest = await generateControllerManifest(appName, options);
+  let effectivePort = 3000;
+  try {
+    const variablesPath = resolveApplicationConfigPath(appPath);
+    const { parsed: variables } = loadVariables(variablesPath);
+    effectivePort = getEffectivePortForSubstitution(variables, 3000);
+    substitutePortInDeployment(manifest, effectivePort);
+  } catch {
+    substitutePortInDeployment(manifest, 3000);
   }
+  const envVarMap = await buildEnvVarMap('docker', null, null, { appPort: effectivePort });
+  substituteEnvVarsInDeployment(manifest, envVarMap);
+  _validator.validateNoUnresolvedVariablesInDeployment(manifest);
+  const systemKey = manifest.key || appName;
+  const deployJsonPath = path.join(appPath, `${systemKey}-deploy.json`);
+  await fs.promises.writeFile(deployJsonPath, JSON.stringify(manifest, null, 2), { mode: 0o644, encoding: 'utf8' });
+  return deployJsonPath;
+}
 
-  // Regular app: generate deployment manifest
+/**
+ * Writes regular app deploy JSON (build + validate + write).
+ * @async
+ * @param {string} appName - Application name
+ * @param {string} appPath - Application path
+ * @param {string} appType - Application type
+ * @returns {Promise<string>} Path to written deploy JSON
+ */
+async function writeRegularDeployJson(appName, appPath, appType) {
   const { variables, envTemplate, rbac, jsonPath } = loadDeploymentConfigFiles(appPath, appType, appName);
   const resolved = await resolveVersionForApp(appName, variables, { updateBuilder: false });
   const variablesWithVersion = {
     ...variables,
     app: { ...variables.app, version: resolved.version }
   };
-  const deployment = buildAndValidateDeployment(appName, variablesWithVersion, envTemplate, rbac);
-
-  // Write deployment JSON
+  const effectivePort = getEffectivePortForSubstitution(variablesWithVersion, 3000);
+  const envVarMap = await buildEnvVarMap('docker', null, null, { appPort: effectivePort });
+  const deployment = buildAndValidateDeployment(appName, variablesWithVersion, envTemplate, rbac, { envVarMap });
   const jsonContent = JSON.stringify(deployment, null, 2);
   fs.writeFileSync(jsonPath, jsonContent, { mode: 0o644 });
-
   return jsonPath;
 }
 
+async function generateDeployJson(appName, options = {}) {
+  if (!appName || typeof appName !== 'string') {
+    throw new Error('App name is required and must be a string');
+  }
+  const { isExternal, appPath, appType } = await detectAppType(appName);
+  logOfflinePathWhenType(appPath);
+  if (isExternal) {
+    return writeExternalDeployJson(appName, appPath, options);
+  }
+  return await writeRegularDeployJson(appName, appPath, appType);
+}
+
 async function generateDeployJsonWithValidation(appName, options = {}) {
   const jsonPath = await generateDeployJson(appName, options);
   const jsonContent = fs.readFileSync(jsonPath, 'utf8');
@@ -187,6 +333,9 @@ module.exports = {
   generateDeployJson,
   generateDeployJsonWithValidation,
   buildDeploymentManifestInMemory,
+  getEffectivePortForSubstitution,
+  substitutePortInDeployment,
+  substituteEnvVarsInDeployment,
   generateExternalSystemApplicationSchema,
   splitExternalApplicationSchema,
   parseEnvironmentVariables,

package/lib/generator/wizard.js

@@ -117,6 +117,14 @@ async function generateConfigFilesForWizard(params) {
   // Generate env.template with authentication variables
   await generateEnvTemplate(appPath, systemConfig);
 
+  const envTemplatePath = path.join(appPath, 'env.template');
+  try {
+    const secretsEnsure = require('../core/secrets-ensure');
+    await secretsEnsure.ensureSecretsFromEnvTemplate(envTemplatePath, { emptyValuesForCredentials: true });
+  } catch (err) {
+    if (err.code !== 'ENOENT') logger.warn(`Could not ensure integration placeholder secrets: ${err.message}`);
+  }
+
   // Generate README.md (use AI-generated content if available)
   await generateReadme(appPath, appName, finalSystemKey, systemConfig, datasourceConfigs, aiGeneratedReadme);