@aifabrix/builder 2.40.2 → 2.42.0

package/lib/app/run.js

@@ -14,14 +14,50 @@ const { exec } = require('child_process');
 const { promisify } = require('util');
 const config = require('../core/config');
 const logger = require('../utils/logger');
+const pathsUtil = require('../utils/paths');
 const { checkPortAvailable, waitForHealthCheck } = require('../utils/health-check');
 const composeGenerator = require('../utils/compose-generator');
 const containerHelpers = require('../utils/app-run-containers');
+const mutagen = require('../utils/mutagen');
 // Helper functions extracted to reduce file size and complexity
 const helpers = require('./run-helpers');
 
 const execAsync = promisify(exec);
 
+/**
+ * True if host is localhost or 127.0.0.1 (case-insensitive).
+ * @param {string} host - Hostname or empty
+ * @returns {boolean}
+ */
+function isLocalhostHost(host) {
+  if (!host || typeof host !== 'string') return false;
+  const h = host.trim().toLowerCase();
+  return h === 'localhost' || h === '127.0.0.1';
+}
+
+/**
+ * True if the given URL or endpoint string refers to localhost (host is localhost or 127.0.0.1).
+ * Handles tcp://localhost:2376, https://127.0.0.1:8443, etc.
+ * @param {string} urlOrEndpoint - URL (e.g. https://localhost:8443) or Docker endpoint (e.g. tcp://localhost:2376)
+ * @returns {boolean}
+ */
+function isLocalhostEndpoint(urlOrEndpoint) {
+  if (!urlOrEndpoint || typeof urlOrEndpoint !== 'string') return false;
+  const s = urlOrEndpoint.trim();
+  if (!s) return false;
+  try {
+    if (s.startsWith('tcp://') || s.startsWith('unix://')) {
+      const rest = s.replace(/^tcp:\/\//i, '').replace(/^unix:\/\//i, '');
+      const host = rest.split('/')[0].split(':')[0];
+      return isLocalhostHost(host);
+    }
+    const u = new URL(s);
+    return isLocalhostHost(u.hostname);
+  } catch {
+    return false;
+  }
+}
+
 /**
  * Validate app for run and check if it's an external system
  * @async
@@ -106,6 +142,48 @@ async function calculateHostPort(appConfig, options, debug) {
   return hostPort;
 }
 
+/**
+ * When run --reload in dev with remote: ensure Mutagen sync session; return remote path for compose mount.
+ * Uses codePath (resolved build.context) as Mutagen local path so one config field drives both local and remote.
+ * When Docker endpoint, remote-server, or sync-ssh-host is localhost/127.0.0.1, returns null (no sync; use local path).
+ *
+ * @param {string} appName - Application name
+ * @param {string} developerId - Developer ID
+ * @param {boolean} debug - Debug flag
+ * @param {string} codePath - Resolved build.context (absolute path to app code)
+ * @param {string} [remoteSyncPath] - Optional relative path under user-mutagen-folder (from build.remoteSyncPath); when unset, defaults to dev/<appKey>
+ * @returns {Promise<string|null>} Remote path for -v mount or null if not remote/reload or already on server (localhost)
+ * @throws {Error} If --reload but remote not configured, or Mutagen install fails
+ */
+async function ensureReloadSync(appName, developerId, debug, codePath, remoteSyncPath) {
+  const endpoint = await config.getDockerEndpoint();
+  const serverUrl = await config.getRemoteServer();
+  if (!endpoint && !serverUrl) return null;
+  const syncSshHost = await config.getSyncSshHost();
+  if (isLocalhostEndpoint(endpoint) || isLocalhostEndpoint(serverUrl) || isLocalhostHost(syncSshHost || '')) {
+    if (debug) logger.log(chalk.gray('[DEBUG] Docker/remote/sync host is localhost; skipping Mutagen, using local path'));
+    return null;
+  }
+  const [userMutagenFolder, syncSshUser] = await Promise.all([
+    config.getUserMutagenFolder(),
+    config.getSyncSshUser()
+  ]);
+  if (!userMutagenFolder || !syncSshUser || !syncSshHost) {
+    throw new Error(
+      'run --reload requires remote server sync settings. Run "aifabrix dev init" or set user-mutagen-folder, sync-ssh-user, sync-ssh-host in config.'
+    );
+  }
+  const mutagenPath = await mutagen.ensureMutagenPath(logger.log);
+  const remotePath = mutagen.getRemotePath(userMutagenFolder, appName, remoteSyncPath);
+  const sshUrl = mutagen.getSyncSshUrl(syncSshUser, syncSshHost, remotePath);
+  const sessionName = mutagen.getSessionName(developerId, appName);
+  const localPath = (codePath && typeof codePath === 'string') ? codePath : pathsUtil.getBuilderPath(appName);
+  if (debug) logger.log(chalk.gray(`[DEBUG] Mutagen sync: ${sessionName} ${localPath} <-> ${sshUrl}`));
+  logger.log(chalk.blue('Ensuring Mutagen sync session...'));
+  await mutagen.ensureSyncSession(mutagenPath, sessionName, localPath, sshUrl);
+  return remotePath;
+}
+
 /**
  * Load and configure application
  * @async
@@ -132,16 +210,20 @@ async function loadAndConfigureApp(appName, debug) {
  * @param {string} tempComposePath - Path to compose file
  * @param {number} hostPort - Host port
  * @param {Object} appConfig - Application configuration
- * @param {boolean} debug - Debug flag
+ * @param {Object} opts - Options (debug, runEnvPath, runEnvAdminPath)
  * @throws {Error} If container start fails
  */
-async function startAppContainer(appName, tempComposePath, hostPort, appConfig, debug) {
+async function startAppContainer(appName, tempComposePath, hostPort, appConfig, opts) {
+  const { debug, runEnvPath = null, runEnvAdminPath = null } = opts;
   try {
-    await helpers.startContainer(appName, tempComposePath, hostPort, appConfig, debug);
+    await helpers.startContainer(appName, tempComposePath, hostPort, appConfig, { debug, runEnvPath, runEnvAdminPath });
     await helpers.displayRunStatus(appName, hostPort, appConfig);
   } catch (error) {
     logger.log(chalk.yellow(`\n⚠️  Compose file preserved at: ${tempComposePath}`));
     logger.log(chalk.yellow('   Review the file to debug issues'));
+    if (runEnvPath || runEnvAdminPath) {
+      logger.log(chalk.yellow('   Run .env file(s) (contain secrets) were not deleted; remove them manually if desired.'));
+    }
     if (debug) {
       logger.log(chalk.gray(`[DEBUG] Error during container start: ${error.message}`));
     }
@@ -149,6 +231,54 @@ async function startAppContainer(appName, tempComposePath, hostPort, appConfig,
   }
 }
 
+/**
+ * Resolve run options (paths and optional reload sync) for prepareAppRun.
+ * @param {string} appName - Application name
+ * @param {Object} appConfig - Application configuration
+ * @param {Object} options - Run options
+ * @param {string} envKey - Environment key (dev/tst/pro)
+ * @param {boolean} debug - Debug flag
+ * @returns {Promise<Object>} Run options with optional devMountPath
+ */
+async function resolveRunOptions(appName, appConfig, options, envKey, debug) {
+  const runOptions = { ...options, env: envKey };
+  const builderPath = pathsUtil.getBuilderPath(appName);
+  const codePath = pathsUtil.resolveBuildContext(builderPath, appConfig.build?.context || '.');
+  if (options.reload && envKey === 'dev') {
+    const remoteSyncPath = appConfig.build?.remoteSyncPath;
+    const remotePath = await ensureReloadSync(appName, appConfig.developerId, debug, codePath, remoteSyncPath);
+    runOptions.devMountPath = remotePath || codePath;
+  }
+  return runOptions;
+}
+
+/**
+ * Prepare run: validate app, load config, check prereqs, stop existing container, resolve port and reload, prepare env.
+ * @param {string} appName - Application name
+ * @param {Object} options - Run options
+ * @param {boolean} debug - Debug flag
+ * @returns {Promise<{ appConfig: Object, tempComposePath: string, hostPort: number }|null>} Prepared run context or null if should not continue
+ */
+async function prepareAppRun(appName, options, debug) {
+  const envKey = (options.env || 'dev').toLowerCase();
+  if (envKey !== 'dev' && envKey !== 'tst' && envKey !== 'pro') {
+    throw new Error('--env must be dev, tst, or pro');
+  }
+  const shouldContinue = await validateAppForRun(appName, debug);
+  if (!shouldContinue) {
+    return null;
+  }
+  const appConfig = await loadAndConfigureApp(appName, debug);
+  await helpers.checkPrerequisites(appName, appConfig, debug, options.skipInfraCheck === true, options);
+  await checkAndStopContainer(appName, appConfig.developerId, debug);
+  const hostPort = await calculateHostPort(appConfig, options, debug);
+  const runOptions = await resolveRunOptions(appName, appConfig, options, envKey, debug);
+  const { composePath: tempComposePath, runEnvPath, runEnvAdminPath } = await helpers.prepareEnvironment(appName, appConfig, runOptions);
+  const result = { appConfig, tempComposePath, hostPort, runEnvPath, runEnvAdminPath };
+  if (runOptions.devMountPath) result.devMountPath = runOptions.devMountPath;
+  return result;
+}
+
 /**
  * Runs the application locally using Docker
  * Starts container with proper port mapping and environment
@@ -168,40 +298,27 @@ async function startAppContainer(appName, tempComposePath, hostPort, appConfig,
  */
 async function runApp(appName, options = {}) {
   const debug = options.debug || false;
-
   if (debug) {
     logger.log(chalk.gray(`[DEBUG] Starting run process for: ${appName}`));
     logger.log(chalk.gray(`[DEBUG] Options: ${JSON.stringify(options, null, 2)}`));
   }
-
   try {
-    // Validate app for run and check if external
-    const shouldContinue = await validateAppForRun(appName, debug);
-    if (!shouldContinue) {
+    const prepared = await prepareAppRun(appName, options, debug);
+    if (!prepared) {
       return;
     }
-
-    // Load and configure application
-    const appConfig = await loadAndConfigureApp(appName, debug);
-
-    // Check prerequisites: image and (unless skipped) infrastructure
-    await helpers.checkPrerequisites(appName, appConfig, debug, options.skipInfraCheck === true);
-
-    // Check if container is already running and stop it if needed
-    await checkAndStopContainer(appName, appConfig.developerId, debug);
-
-    // Calculate host port and validate it's available
-    const hostPort = await calculateHostPort(appConfig, options, debug);
-
-    // Prepare environment: ensure .env file and generate Docker Compose
-    const tempComposePath = await helpers.prepareEnvironment(appName, appConfig, options);
     if (debug) {
-      logger.log(chalk.gray(`[DEBUG] Compose file generated: ${tempComposePath}`));
+      logger.log(chalk.gray(`[DEBUG] Compose file generated: ${prepared.tempComposePath}`));
     }
-
-    // Start container and display status
-    await startAppContainer(appName, tempComposePath, hostPort, appConfig, debug);
-
+    if (options.reload && prepared.devMountPath) {
+      logger.log(chalk.gray('With --reload: workspace mounted from host at /app (container runs as your user for write access).'));
+      logger.log(chalk.gray(`  Host path: ${prepared.devMountPath}`));
+    }
+    await startAppContainer(appName, prepared.tempComposePath, prepared.hostPort, prepared.appConfig, {
+      debug,
+      runEnvPath: prepared.runEnvPath,
+      runEnvAdminPath: prepared.runEnvAdminPath
+    });
   } catch (error) {
     if (debug) {
       logger.log(chalk.gray(`[DEBUG] Run failed: ${error.message}`));
@@ -243,6 +360,9 @@ async function restartApp(appName) {
 module.exports = {
   runApp,
   restartApp,
+  ensureReloadSync,
+  isLocalhostHost,
+  isLocalhostEndpoint,
   checkImageExists: helpers.checkImageExists,
   checkContainerRunning: helpers.checkContainerRunning,
   stopAndRemoveContainer: helpers.stopAndRemoveContainer,

package/lib/app/show-display.js

@@ -161,7 +161,7 @@ function logExternalSystemMain(ext) {
   logger.log(`  Credential:    ${ext.credentialId ?? '—'}`);
   logger.log(`  Status:        ${ext.status ?? '—'}`);
   logger.log(`  API docs:      ${ext.openApiDocsPageUrl ?? ext.apiDocumentUrl ?? '—'}`);
-  logger.log(`  MCP server:   ${ext.mcpServerUrl ?? '—'}`);
+  logger.log(`  MCP server:    ${ext.mcpServerUrl ?? '—'}`);
   logger.log(`  OpenAPI spec:  ${ext.apiDocumentUrl ?? '—'}`);
 }
 

package/lib/app/show.js

@@ -171,7 +171,9 @@ function healthStrFromVariables(variables) {
 function buildStrFromVariables(variables) {
   const build = variables.build;
   if (!build) return '—';
-  return `${build.language || '—'}, localPort ${build.localPort || '—'}`;
+  const port = variables.port ?? build.containerPort;
+  const portStr = (port !== undefined && port !== null) ? `port ${port}` : '';
+  return [build.language || '—', portStr].filter(Boolean).join(', ') || '—';
 }
 
 function buildApplicationFromVariables(variables) {
@@ -438,7 +440,8 @@ function formatBuildForDisplay(build) {
   if (!build) return '—';
   const parts = [];
   if (build.language) parts.push(build.language);
-  if (build.localPort !== undefined && build.localPort !== null) parts.push(`localPort ${build.localPort}`);
+  const port = build.port ?? build.localPort;
+  if (port !== undefined && port !== null) parts.push(`port ${port}`);
   if (build.dockerfile) parts.push('dockerfile');
   if (build.envOutputPath) parts.push(`envOutputPath: ${build.envOutputPath}`);
   return parts.length ? parts.join(', ') : '—';

package/lib/build/index.js

@@ -26,6 +26,7 @@ const dockerBuild = require('../utils/docker-build');
 const buildCopy = require('../utils/build-copy');
 const { buildDevImageName } = require('../utils/image-name');
 const buildHelpers = require('../utils/build-helpers');
+const secretsEnvWrite = require('../core/secrets-env-write');
 
 /**
  * Loads application config for an application
@@ -410,11 +411,18 @@ async function buildApp(appName, options = {}) {
       appConfig
     }, options, buildHelpers);
 
-    // 5. Execute Docker build
+    // 5. Resolve NPM_TOKEN/PYPI_TOKEN for private registries and pass as build-args
+    const envMap = await secretsEnvWrite.resolveAndGetEnvMap(appName, { environment: 'docker' });
+    const buildArgs = {};
+    if (envMap.NPM_TOKEN) buildArgs.NPM_TOKEN = envMap.NPM_TOKEN;
+    if (envMap.PYPI_TOKEN) buildArgs.PYPI_TOKEN = envMap.PYPI_TOKEN;
+    const buildOptions = { ...options, buildArgs };
+
+    // 6. Execute Docker build
     const tag = options.tag || 'latest';
-    await dockerBuild.executeDockerBuildWithTag(effectiveImageName, imageName, dockerfilePath, contextPath, tag, options);
+    await dockerBuild.executeDockerBuildWithTag(effectiveImageName, imageName, dockerfilePath, contextPath, tag, buildOptions);
 
-    // 6. Post-build tasks
+    // 7. Post-build tasks
     await postBuildTasks(appName, buildConfig);
 
     logger.log(chalk.green('\n✅ Build completed successfully!'));

package/lib/cli/setup-app.js

@@ -17,12 +17,20 @@ const { handleCommandError } = require('../utils/cli-utils');
  * @param {Object} options - Raw CLI options
  * @returns {Object} Normalized options
  */
+const VALID_ENTITY_TYPES = ['recordStorage', 'documentStorage', 'vectorStore', 'messageService', 'none'];
+
 function normalizeExternalOptions(options) {
   const normalized = { ...options };
   if (options.displayName) normalized.systemDisplayName = options.displayName;
   if (options.description) normalized.systemDescription = options.description;
   if (options.systemType) normalized.systemType = options.systemType;
   if (options.authType) normalized.authType = options.authType;
+  if (options.entityType) {
+    if (!VALID_ENTITY_TYPES.includes(options.entityType)) {
+      throw new Error(`Invalid --entity-type. Must be one of: ${VALID_ENTITY_TYPES.join(', ')}`);
+    }
+    normalized.entityType = options.entityType;
+  }
   if (options.datasources !== undefined) {
     const parsedCount = parseInt(options.datasources, 10);
     if (Number.isNaN(parsedCount) || parsedCount < 1 || parsedCount > 10) {
@@ -48,6 +56,7 @@ function validateNonInteractiveExternalOptions(normalizedOptions) {
   if (!normalizedOptions.systemDescription) missing.push('--description');
   if (!normalizedOptions.systemType) missing.push('--system-type');
   if (!normalizedOptions.authType) missing.push('--auth-type');
+  if (!normalizedOptions.entityType) missing.push('--entity-type');
   if (!normalizedOptions.datasourceCount) missing.push('--datasources');
   if (missing.length > 0) {
     throw new Error(`Missing required options for non-interactive external create: ${missing.join(', ')}`);
@@ -110,7 +119,8 @@ function setupCreateCommand(program) {
     .option('--display-name <name>', 'External system display name')
     .option('--description <desc>', 'External system description')
     .option('--system-type <type>', 'External system type (openapi, mcp, custom)')
-    .option('--auth-type <type>', 'External system auth type (oauth2, apikey, basic)')
+    .option('--auth-type <type>', 'External system auth type (oauth2, aad, apikey, basic, queryParam, oidc, hmac, none)')
+    .option('--entity-type <type>', 'Entity type for datasources (recordStorage, documentStorage, vectorStore, messageService, none)')
     .option('--datasources <count>', 'Number of datasources to create')
     .action(async(appName, options) => {
       try {
@@ -130,6 +140,7 @@ Examples:
   $ aifabrix wizard my-integration --silent  Run headless with integration/my-integration/wizard.yaml (no prompts)
   $ aifabrix wizard -a my-integration   Same as above (app name set)
   $ aifabrix wizard --config wizard.yaml  Run headless from a wizard config file
+  $ aifabrix wizard hubspot-test-v2 --debug  Enable debug output and save debug manifests on validation failure
 
 Config path: When appName is provided, integration/<appName>/wizard.yaml is used for load/save and error.log.
 To change settings after a run, edit that file and run "aifabrix wizard <app>" again.
@@ -140,6 +151,7 @@ See integration/hubspot/wizard-hubspot-e2e.yaml for an example.`;
     .option('-a, --app <app>', 'Application name (synonym for positional appName)')
     .option('--config <file>', 'Run headless using a wizard.yaml file (appName, mode, source, credential, preferences)')
     .option('--silent', 'Run with saved integration/<app>/wizard.yaml only; no prompts (requires app name and existing wizard.yaml)')
+    .option('--debug', 'Enable debug output and save debug manifests on validation failure')
     .addHelpText('after', wizardHelp)
     .action(async(positionalAppName, options) => {
       try {
@@ -154,6 +166,31 @@ See integration/hubspot/wizard-hubspot-e2e.yaml for an example.`;
     });
 }
 
+function registerRunCommand(program) {
+  const runHelp = `
+In dev: use --reload for sync and mount (requires remote server with Mutagen, or local Docker).
+Examples:
+  $ aifabrix run myapp
+  $ aifabrix run myapp --env tst
+  $ aifabrix run myapp --reload`;
+  program.command('run <app>')
+    .description('Run application locally (or remotely on your Docker host)')
+    .option('-p, --port <port>', 'Override local port')
+    .option('-d, --debug', 'Enable debug output with detailed container information')
+    .option('-t, --tag <tag>', 'Image tag to run (e.g. v1.0.0); overrides application.yaml image.tag')
+    .option('-e, --env <env>', 'Environment: dev (default), tst, or pro', 'dev')
+    .option('--reload', 'In dev: use sync and mount (requires remote server; Mutagen or local Docker)')
+    .addHelpText('after', runHelp)
+    .action(async(appName, options) => {
+      try {
+        await app.runApp(appName, options);
+      } catch (error) {
+        handleCommandError(error, 'run');
+        process.exit(1);
+      }
+    });
+}
+
 function setupBuildRunLogsDownCommands(program) {
   program.command('build <app>')
     .description('Build container image (auto-detects runtime)')
@@ -170,19 +207,7 @@ function setupBuildRunLogsDownCommands(program) {
       }
     });
 
-  program.command('run <app>')
-    .description('Run application locally')
-    .option('-p, --port <port>', 'Override local port')
-    .option('-d, --debug', 'Enable debug output with detailed container information')
-    .option('-t, --tag <tag>', 'Image tag to run (e.g. v1.0.0); overrides application.yaml image.tag')
-    .action(async(appName, options) => {
-      try {
-        await app.runApp(appName, options);
-      } catch (error) {
-        handleCommandError(error, 'run');
-        process.exit(1);
-      }
-    });
+  registerRunCommand(program);
 
   program.command('logs <app>')
     .description('Show application container logs (and optional env summary with secrets masked)')
@@ -215,6 +240,136 @@ function setupBuildRunLogsDownCommands(program) {
     });
 }
 
+function setupShellTestStopCommands(program) {
+  program.command('stop <app>')
+    .description('Stop and remove application container (alias for down-app)')
+    .option('--volumes', 'Remove application Docker volume')
+    .action(async(appName, options) => {
+      try {
+        const { runDownAppWithImageRemoval } = require('../commands/app-down');
+        await runDownAppWithImageRemoval(appName, { volumes: options.volumes });
+      } catch (error) {
+        handleCommandError(error, 'stop');
+        process.exit(1);
+      }
+    });
+
+  program.command('shell <app>')
+    .description('Open interactive shell in the application container')
+    .option('--env <env>', 'Environment (dev|tst); dev uses running container', 'dev')
+    .action(async(appName, options) => {
+      try {
+        const { runAppShell } = require('../commands/app-shell');
+        await runAppShell(appName, { env: options.env });
+      } catch (error) {
+        handleCommandError(error, 'shell');
+        process.exit(1);
+      }
+    });
+
+  program.command('test <app>')
+    .description('Run tests (builder app: in container; external system: local validation)')
+    .option('--env <env>', 'For builder app: dev (running container) or tst (ephemeral)', 'dev')
+    .option('-d, --datasource <key>', 'For external system: test specific datasource only')
+    .option('-v, --verbose', 'Verbose output')
+    .action(async(appName, options) => {
+      try {
+        const pathsUtil = require('../utils/paths');
+        const appType = await pathsUtil.detectAppType(appName).catch(() => null);
+        if (appType && appType.baseDir === 'integration') {
+          const test = require('../external-system/test');
+          const results = await test.testExternalSystem(appName, options);
+          test.displayTestResults(results, options.verbose);
+          if (!results.valid) process.exit(1);
+        } else {
+          const { runAppTest } = require('../commands/app-test');
+          await runAppTest(appName, { env: options.env });
+        }
+      } catch (error) {
+        handleCommandError(error, 'test');
+        process.exit(1);
+      }
+    });
+}
+
+async function runTestE2ECommand(appName, options) {
+  const pathsUtil = require('../utils/paths');
+  const appType = await pathsUtil.detectAppType(appName).catch(() => null);
+  if (appType && appType.baseDir === 'integration') {
+    const { runTestE2EForExternalSystem } = require('../commands/test-e2e-external');
+    const { success, results } = await runTestE2EForExternalSystem(appName, {
+      env: options.env,
+      debug: options.debug,
+      verbose: options.verbose,
+      async: options.async !== false
+    });
+    results.forEach(r => {
+      const icon = r.success ? chalk.green('✓') : chalk.red('✗');
+      const msg = r.error ? `${r.key}: ${r.error}` : r.key;
+      logger.log(`  ${icon} ${msg}`);
+    });
+    if (!success) process.exit(1);
+    return;
+  }
+  const { runAppTestE2e } = require('../commands/app-test');
+  await runAppTestE2e(appName, { env: options.env });
+}
+
+function setupInstallTestE2eLintCommands(program) {
+  program.command('install <app>')
+    .description('Install dependencies in container (builder apps only)')
+    .option('--env <env>', 'dev (running container) or tst (ephemeral with .env)', 'dev')
+    .action(async(appName, options) => {
+      try {
+        const pathsUtil = require('../utils/paths');
+        const appType = await pathsUtil.detectAppType(appName).catch(() => null);
+        if (appType && appType.baseDir === 'integration') {
+          logger.log(chalk.gray('Install is for builder applications only. Use aifabrix shell <app> to run commands in external setups.'));
+          return;
+        }
+        const { runAppInstall } = require('../commands/app-install');
+        await runAppInstall(appName, { env: options.env });
+      } catch (error) {
+        handleCommandError(error, 'install');
+        process.exit(1);
+      }
+    });
+
+  program.command('test-e2e <app>')
+    .description('Run e2e tests (builder: in container; external system: all datasources via dataplane)')
+    .option('-e, --env <env>', 'Environment: dev, tst, or pro (builder: dev/tst for container)')
+    .option('-v, --verbose', 'Show detailed step output and poll progress')
+    .option('--debug', 'Include debug output and write log to integration/<app>/logs/')
+    .option('--no-async', 'Use sync mode (no polling); single POST per datasource')
+    .action(async(appName, options) => {
+      try {
+        await runTestE2ECommand(appName, options);
+      } catch (error) {
+        handleCommandError(error, 'test-e2e');
+        process.exit(1);
+      }
+    });
+
+  program.command('lint <app>')
+    .description('Run lint in container (builder apps only)')
+    .option('--env <env>', 'dev (running container) or tst (ephemeral with .env)', 'dev')
+    .action(async(appName, options) => {
+      try {
+        const pathsUtil = require('../utils/paths');
+        const appType = await pathsUtil.detectAppType(appName).catch(() => null);
+        if (appType && appType.baseDir === 'integration') {
+          logger.log(chalk.gray('lint is for builder applications only. Use aifabrix shell <app> then make lint or pnpm lint.'));
+          return;
+        }
+        const { runAppLint } = require('../commands/app-test');
+        await runAppLint(appName, { env: options.env });
+      } catch (error) {
+        handleCommandError(error, 'lint');
+        process.exit(1);
+      }
+    });
+}
+
 function setupPushDeployDockerfileCommands(program) {
   program.command('push <app>')
     .description('Push image to Azure Container Registry')
@@ -230,7 +385,7 @@ function setupPushDeployDockerfileCommands(program) {
     });
 
   program.command('deploy <app>')
-    .description('Deploy to Azure via Miso Controller')
+    .description('Deploy to Azure or locally via Miso Controller')
     .option('--local', 'Send manifest to controller then run app locally (app: same as aifabrix run <app>; external: restart dataplane)')
     .option('--client-id <id>', 'Client ID (overrides config)')
     .option('--client-secret <secret>', 'Client Secret (overrides config)')
@@ -274,6 +429,8 @@ function setupAppCommands(program) {
   setupCreateCommand(program);
   setupWizardCommand(program);
   setupBuildRunLogsDownCommands(program);
+  setupShellTestStopCommands(program);
+  setupInstallTestE2eLintCommands(program);
   setupPushDeployDockerfileCommands(program);
 }
 

package/lib/cli/setup-credential-deployment.js

@@ -11,8 +11,37 @@ const chalk = require('chalk');
 const logger = require('../utils/logger');
 const { handleCommandError } = require('../utils/cli-utils');
 const { runCredentialList } = require('../commands/credential-list');
+const { runCredentialEnv } = require('../commands/credential-env');
+const { runCredentialPush } = require('../commands/credential-push');
 const { runDeploymentList } = require('../commands/deployment-list');
 
+function setupCredentialEnvAndPush(credential) {
+  credential
+    .command('env <system-key>')
+    .description('Prompt for KV_* credential values and write integration/<system-key>/.env')
+    .action(async(systemKey, _options) => {
+      try {
+        await runCredentialEnv(systemKey);
+      } catch (error) {
+        logger.error(chalk.red(`Error: ${error.message}`));
+        handleCommandError(error, 'credential env');
+        process.exit(1);
+      }
+    });
+  credential
+    .command('push <system-key>')
+    .description('Push credential secrets from .env to Dataplane (KV_* vars)')
+    .action(async(systemKey, _options) => {
+      try {
+        await runCredentialPush(systemKey);
+      } catch (error) {
+        logger.error(chalk.red(`Error: ${error.message}`));
+        handleCommandError(error, 'credential push');
+        process.exit(1);
+      }
+    });
+}
+
 /**
  * Sets up credential and deployment list commands
  * @param {Command} program - Commander program instance
@@ -21,19 +50,15 @@ function setupCredentialDeploymentCommands(program) {
   const credential = program
     .command('credential')
     .description('Manage credentials');
-
+  setupCredentialEnvAndPush(credential);
   credential
     .command('list')
-    .description('List credentials from Dataplane (GET /api/v1/credential). Controller does not expose this endpoint.')
-    .option('--controller <url>', 'Controller URL (default: from config)')
-    .option('--dataplane <url>', 'Dataplane URL (default: resolved from controller + environment)')
+    .description('Get credentials from Dataplane')
     .option('--active-only', 'List only active credentials')
     .option('--page-size <n>', 'Items per page', '50')
     .action(async(options) => {
       try {
         const opts = {
-          controller: options.controller,
-          dataplane: options.dataplane,
           activeOnly: options.activeOnly,
           pageSize: parseInt(options.pageSize, 10) || 50
         };