@aifabrix/builder 2.40.2 → 2.42.0

package/lib/commands/app-test.js

@@ -0,0 +1,282 @@
+/**
+ * Test command – run tests inside app container (dev: running container; tst: ephemeral).
+ *
+ * @fileoverview App test command for builder apps (plan 65: dev = in container, tst = ephemeral)
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const { spawn } = require('child_process');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const config = require('../core/config');
+const containerHelpers = require('../utils/app-run-containers');
+const composeGenerator = require('../utils/compose-generator');
+const pathsUtil = require('../utils/paths');
+const { loadConfigFile } = require('../utils/config-format');
+const secretsEnvWrite = require('../core/secrets-env-write');
+
+/**
+ * Load application config for builder app.
+ * @param {string} appName - Application name
+ * @returns {Object} Application config
+ */
+function loadAppConfig(appName) {
+  const builderPath = pathsUtil.getBuilderPath(appName);
+  const configPath = pathsUtil.resolveApplicationConfigPath(builderPath);
+  return loadConfigFile(configPath);
+}
+
+/**
+ * Resolve test command from application config (language or build.scripts).
+ * @param {Object} appConfig - Application config
+ * @returns {string} Shell command to run tests (e.g. "pnpm test" or "make test")
+ */
+function getTestCommand(appConfig) {
+  const scripts = appConfig.build?.scripts || appConfig.scripts;
+  if (scripts && typeof scripts.test === 'string' && scripts.test.trim()) {
+    return scripts.test.trim();
+  }
+  const lang = (appConfig.build?.language || appConfig.language || 'typescript').toLowerCase();
+  return lang === 'python' ? 'make test' : 'pnpm test';
+}
+
+/**
+ * Resolve test:e2e command from application config.
+ * @param {Object} appConfig - Application config
+ * @returns {string} Shell command (e.g. "pnpm test:e2e" or "make test:e2e")
+ */
+function getTestE2eCommand(appConfig) {
+  const scripts = appConfig.build?.scripts || appConfig.scripts;
+  const cmd = scripts?.['test:e2e'] || scripts?.testE2e;
+  if (typeof cmd === 'string' && cmd.trim()) return cmd.trim();
+  const lang = (appConfig.build?.language || appConfig.language || 'typescript').toLowerCase();
+  return lang === 'python' ? 'make test:e2e' : 'pnpm test:e2e';
+}
+
+/**
+ * Resolve test:integration command from application config (aifabrix test-integration <app>).
+ * Defaults to test:e2e when not set so builder apps can run integration-style tests.
+ * @param {Object} appConfig - Application config
+ * @returns {string} Shell command (e.g. "pnpm test:integration" or "make test-integration")
+ */
+function getTestIntegrationCommand(appConfig) {
+  const scripts = appConfig.build?.scripts || appConfig.scripts;
+  const cmd = scripts?.['test:integration'] || scripts?.testIntegration;
+  if (typeof cmd === 'string' && cmd.trim()) return cmd.trim();
+  return getTestE2eCommand(appConfig);
+}
+
+/**
+ * Resolve lint command from application config.
+ * @param {Object} appConfig - Application config
+ * @returns {string} Shell command (e.g. "pnpm lint" or "make lint")
+ */
+function getLintCommand(appConfig) {
+  const scripts = appConfig.build?.scripts || appConfig.scripts;
+  if (scripts && typeof scripts.lint === 'string' && scripts.lint.trim()) {
+    return scripts.lint.trim();
+  }
+  const lang = (appConfig.build?.language || appConfig.language || 'typescript').toLowerCase();
+  return lang === 'python' ? 'make lint' : 'pnpm lint';
+}
+
+/**
+ * Run tests in dev (exec in running container).
+ * Resolves app .env (including NPM_TOKEN/PYPI_TOKEN) and passes it so tests have registry tokens.
+ * @param {string} appName - Application name
+ * @param {string|number} developerId - Developer ID
+ * @param {string} testCmd - Test command
+ * @returns {Promise<number>} Exit code
+ */
+async function runTestsInDev(appName, developerId, testCmd) {
+  const containerName = containerHelpers.getContainerName(appName, developerId);
+  const isRunning = await containerHelpers.checkContainerRunning(appName, developerId);
+  if (!isRunning) {
+    throw new Error(
+      `Container ${containerName} is not running.\nRun 'aifabrix run ${appName}' first.`
+    );
+  }
+  logger.log(chalk.blue(`Running tests in container ${containerName}: ${testCmd}\n`));
+  const envFilePath = await secretsEnvWrite.resolveAndWriteEnvFile(appName, {});
+  return runDockerExec(containerName, testCmd, envFilePath);
+}
+
+/**
+ * Run tests for a builder app. DEV: exec in running container; TST: ephemeral container.
+ * @param {string} appName - Application name
+ * @param {Object} [options] - { env: 'dev'|'tst' }
+ * @returns {Promise<void>}
+ */
+async function runAppTest(appName, options = {}) {
+  const env = (options.env || 'dev').toLowerCase();
+  if (env !== 'dev' && env !== 'tst') {
+    throw new Error('--env must be dev or tst');
+  }
+  const appConfig = loadAppConfig(appName);
+  const testCmd = getTestCommand(appConfig);
+  const developerId = await config.getDeveloperId();
+  const imageName = composeGenerator.getImageName(appConfig, appName);
+  const imageTag = appConfig.image?.tag || 'latest';
+  const fullImage = `${imageName}:${imageTag}`;
+
+  if (env === 'dev') {
+    const code = await runTestsInDev(appName, developerId, testCmd);
+    if (code !== 0) process.exit(code);
+    logger.log(chalk.green('✓ Tests completed'));
+    return;
+  }
+  logger.log(chalk.blue(`Running tests in ephemeral container (${fullImage}): ${testCmd}\n`));
+  const envFilePath = await secretsEnvWrite.resolveAndWriteEnvFile(appName, {});
+  const code = await runDockerRunEphemeral(fullImage, testCmd, envFilePath);
+  if (code !== 0) process.exit(code);
+  logger.log(chalk.green('✓ Tests completed'));
+}
+
+/**
+ * Run command in container via docker exec; stream output. Returns exit code.
+ * When envFilePath is set, passes --env-file so NPM_TOKEN/PYPI_TOKEN (from kv://) are available.
+ * @param {string} containerName - Container name
+ * @param {string} testCmd - Shell command
+ * @param {string|null} [envFilePath] - Path to resolved .env for --env-file (optional)
+ * @returns {Promise<number>} Exit code
+ */
+function runDockerExec(containerName, testCmd, envFilePath = null) {
+  return new Promise((resolve) => {
+    const args = ['exec'];
+    if (envFilePath) args.push('--env-file', envFilePath);
+    args.push(containerName, 'sh', '-c', testCmd);
+    const proc = spawn('docker', args, {
+      stdio: 'inherit',
+      shell: false
+    });
+    proc.on('close', code => resolve(code !== null ? code : 1));
+    proc.on('error', () => resolve(1));
+  });
+}
+
+/**
+ * Run command in ephemeral container; optional --env-file. Returns exit code.
+ * @param {string} fullImage - Image:tag
+ * @param {string} testCmd - Shell command
+ * @param {string|null} [envFilePath] - Path to .env for docker run --env-file (optional)
+ * @returns {Promise<number>} Exit code
+ */
+function runDockerRunEphemeral(fullImage, testCmd, envFilePath = null) {
+  return new Promise((resolve) => {
+    const args = ['run', '--rm'];
+    if (envFilePath) args.push('--env-file', envFilePath);
+    args.push(fullImage, 'sh', '-c', testCmd);
+    const proc = spawn('docker', args, {
+      stdio: 'inherit',
+      shell: false
+    });
+    proc.on('close', code => resolve(code !== null ? code : 1));
+    proc.on('error', () => resolve(1));
+  });
+}
+
+/**
+ * Run test-e2e for a builder app. DEV: exec in running container; TST: ephemeral with .env.
+ * @param {string} appName - Application name
+ * @param {Object} [options] - { env: 'dev'|'tst' }
+ * @returns {Promise<void>}
+ */
+async function runAppTestE2e(appName, options = {}) {
+  const env = (options.env || 'dev').toLowerCase();
+  if (env !== 'dev' && env !== 'tst') {
+    throw new Error('--env must be dev or tst');
+  }
+  const appConfig = loadAppConfig(appName);
+  const cmd = getTestE2eCommand(appConfig);
+  const developerId = await config.getDeveloperId();
+  const imageName = composeGenerator.getImageName(appConfig, appName);
+  const imageTag = appConfig.image?.tag || 'latest';
+  const fullImage = `${imageName}:${imageTag}`;
+
+  if (env === 'dev') {
+    const code = await runTestsInDev(appName, developerId, cmd);
+    if (code !== 0) process.exit(code);
+    logger.log(chalk.green('✓ Test-e2e completed'));
+    return;
+  }
+  logger.log(chalk.blue(`Running test-e2e in ephemeral container (${fullImage}): ${cmd}\n`));
+  const envFilePath = await secretsEnvWrite.resolveAndWriteEnvFile(appName, {});
+  const code = await runDockerRunEphemeral(fullImage, cmd, envFilePath);
+  if (code !== 0) process.exit(code);
+  logger.log(chalk.green('✓ Test-e2e completed'));
+}
+
+/**
+ * Run test-integration for a builder app (integration tests in container). DEV: exec in running container; TST: ephemeral with .env.
+ * Uses build.scripts.testIntegration or test:integration; falls back to test:e2e when not set.
+ * @param {string} appName - Application name
+ * @param {Object} [options] - { env: 'dev'|'tst' }
+ * @returns {Promise<void>}
+ */
+async function runAppTestIntegration(appName, options = {}) {
+  const env = (options.env || 'dev').toLowerCase();
+  if (env !== 'dev' && env !== 'tst') {
+    throw new Error('--env must be dev or tst');
+  }
+  const appConfig = loadAppConfig(appName);
+  const cmd = getTestIntegrationCommand(appConfig);
+  const developerId = await config.getDeveloperId();
+  const imageName = composeGenerator.getImageName(appConfig, appName);
+  const imageTag = appConfig.image?.tag || 'latest';
+  const fullImage = `${imageName}:${imageTag}`;
+
+  if (env === 'dev') {
+    const code = await runTestsInDev(appName, developerId, cmd);
+    if (code !== 0) process.exit(code);
+    logger.log(chalk.green('✓ Test-integration completed'));
+    return;
+  }
+  logger.log(chalk.blue(`Running test-integration in ephemeral container (${fullImage}): ${cmd}\n`));
+  const envFilePath = await secretsEnvWrite.resolveAndWriteEnvFile(appName, {});
+  const code = await runDockerRunEphemeral(fullImage, cmd, envFilePath);
+  if (code !== 0) process.exit(code);
+  logger.log(chalk.green('✓ Test-integration completed'));
+}
+
+/**
+ * Run lint for a builder app. DEV: exec in running container; TST: ephemeral with .env.
+ * @param {string} appName - Application name
+ * @param {Object} [options] - { env: 'dev'|'tst' }
+ * @returns {Promise<void>}
+ */
+async function runAppLint(appName, options = {}) {
+  const env = (options.env || 'dev').toLowerCase();
+  if (env !== 'dev' && env !== 'tst') {
+    throw new Error('--env must be dev or tst');
+  }
+  const appConfig = loadAppConfig(appName);
+  const cmd = getLintCommand(appConfig);
+  const developerId = await config.getDeveloperId();
+  const imageName = composeGenerator.getImageName(appConfig, appName);
+  const imageTag = appConfig.image?.tag || 'latest';
+  const fullImage = `${imageName}:${imageTag}`;
+
+  if (env === 'dev') {
+    const code = await runTestsInDev(appName, developerId, cmd);
+    if (code !== 0) process.exit(code);
+    logger.log(chalk.green('✓ Lint completed'));
+    return;
+  }
+  logger.log(chalk.blue(`Running lint in ephemeral container (${fullImage}): ${cmd}\n`));
+  const envFilePath = await secretsEnvWrite.resolveAndWriteEnvFile(appName, {});
+  const code = await runDockerRunEphemeral(fullImage, cmd, envFilePath);
+  if (code !== 0) process.exit(code);
+  logger.log(chalk.green('✓ Lint completed'));
+}
+
+module.exports = {
+  runAppTest,
+  getTestCommand,
+  getTestE2eCommand,
+  getTestIntegrationCommand,
+  getLintCommand,
+  runAppTestE2e,
+  runAppTestIntegration,
+  runAppLint
+};

package/lib/commands/app.js

@@ -21,7 +21,7 @@ function setupAppRegisterCommand(app) {
   app.command('register <appKey>')
     .description('Register application and get pipeline credentials')
     .option('-p, --port <port>', 'Application port (default: from application.yaml)')
-    .option('-u, --url <url>', 'Application URL. If omitted: app.url, deployment.dataplaneUrl or deployment.appUrl in application.yaml; else http://localhost:{build.localPort or port}')
+    .option('-u, --url <url>', 'Application URL. If omitted: app.url, deployment.dataplaneUrl or deployment.appUrl in application.yaml; else http://localhost:{port})')
     .option('-n, --name <name>', 'Override display name')
     .option('-d, --description <desc>', 'Override description')
     .action(async(appKey, options) => {

package/lib/commands/credential-env.js

@@ -0,0 +1,162 @@
+/**
+ * Credential env command – prompts for KV_* values and writes .env.
+ * Used by `aifabrix credential env <system-key>`.
+ *
+ * @fileoverview Credential env command – interactive credential capture to .env
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const path = require('path');
+const fs = require('fs');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { getIntegrationPath } = require('../utils/paths');
+const { kvEnvKeyToPath } = require('../utils/credential-secrets-env');
+const { parseEnvToMap } = require('../utils/credential-secrets-env');
+
+const KV_PREFIX = 'KV_';
+
+/**
+ * Secret var suffixes (use password prompt).
+ * @type {Set<string>}
+ */
+const SECRET_SUFFIXES = new Set([
+  'CLIENTID', 'CLIENTSECRET', 'APIKEY', 'USERNAME', 'PASSWORD', 'PARAMVALUE',
+  'SIGNINGSECRET', 'BEARERTOKEN'
+]);
+
+/**
+ * Validates system-key format.
+ * @param {string} systemKey - System key
+ * @throws {Error} If invalid
+ */
+function validateSystemKeyFormat(systemKey) {
+  if (!systemKey || typeof systemKey !== 'string') {
+    throw new Error('System key is required and must be a string');
+  }
+  if (!/^[a-z0-9-_]+$/.test(systemKey)) {
+    throw new Error('System key must contain only lowercase letters, numbers, hyphens, and underscores');
+  }
+}
+
+/**
+ * Extracts KV_* variable names from env.template content.
+ * @param {string} content - env.template content
+ * @returns {Array<{ key: string, isSecret: boolean }>} KV_* vars to prompt
+ */
+function extractKvVarsFromTemplate(content) {
+  if (!content || typeof content !== 'string') return [];
+  const vars = [];
+  const seen = new Set();
+  const lines = content.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eq = trimmed.indexOf('=');
+    if (eq <= 0) continue;
+    const key = trimmed.substring(0, eq).trim();
+    if (!key.toUpperCase().startsWith(KV_PREFIX)) continue;
+    if (kvEnvKeyToPath(key) && !seen.has(key)) {
+      seen.add(key);
+      const suffix = key.slice(KV_PREFIX.length).split('_').pop() || '';
+      vars.push({ key, isSecret: SECRET_SUFFIXES.has(suffix.toUpperCase()) });
+    }
+  }
+  return vars;
+}
+
+/**
+ * Prompts for KV_* values using inquirer.
+ * @async
+ * @param {Array<{ key: string, isSecret: boolean }>} vars - Variables to prompt
+ * @param {Object} existingMap - Existing .env key-value map (for default values)
+ * @returns {Promise<Object.<string, string>>} Key-value map from prompts
+ */
+async function promptForKvValues(vars, existingMap) {
+  if (vars.length === 0) return {};
+  const inquirer = require('inquirer');
+  const questions = vars.map(({ key, isSecret }) => ({
+    type: isSecret ? 'password' : 'input',
+    name: key,
+    message: key,
+    default: existingMap[key] || undefined
+  }));
+  return await inquirer.prompt(questions);
+}
+
+/**
+ * Builds .env content: template lines with KV_* values replaced/merged from prompts.
+ * Preserves comments, non-KV lines, and structure; updates KV_* with prompted values.
+ * @param {string} templateContent - env.template content
+ * @param {Object.<string, string>} promptValues - Values from prompts
+ * @returns {string} Final .env content
+ */
+function buildEnvContent(templateContent, promptValues) {
+  if (!templateContent || typeof templateContent !== 'string') return '';
+  const lines = templateContent.split(/\r?\n/);
+  const result = [];
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) {
+      result.push(line);
+      continue;
+    }
+    const eq = trimmed.indexOf('=');
+    if (eq <= 0) {
+      result.push(line);
+      continue;
+    }
+    const key = trimmed.substring(0, eq).trim();
+    if (key.toUpperCase().startsWith(KV_PREFIX) && key in promptValues) {
+      result.push(`${key}=${promptValues[key]}`);
+    } else {
+      result.push(line);
+    }
+  }
+  return result.join('\n');
+}
+
+/**
+ * Runs credential env command: prompt for KV_* values and write .env.
+ * @async
+ * @param {string} systemKey - External system key (integration/<system-key>/)
+ * @returns {Promise<string>} Path to written .env file
+ * @throws {Error} If env.template missing or write fails
+ */
+function loadExistingEnvMap(envPath) {
+  if (!fs.existsSync(envPath)) return {};
+  return parseEnvToMap(fs.readFileSync(envPath, 'utf8'));
+}
+
+async function runCredentialEnv(systemKey) {
+  validateSystemKeyFormat(systemKey);
+  const appPath = getIntegrationPath(systemKey);
+  const envTemplatePath = path.join(appPath, 'env.template');
+  const envPath = path.join(appPath, '.env');
+
+  if (!fs.existsSync(envTemplatePath)) {
+    throw new Error(`env.template not found at ${envTemplatePath}. Create the integration first (e.g. aifabrix wizard or download).`);
+  }
+
+  const templateContent = fs.readFileSync(envTemplatePath, 'utf8');
+  const vars = extractKvVarsFromTemplate(templateContent);
+
+  if (vars.length === 0) {
+    logger.log(chalk.yellow('No KV_* variables in env.template. Nothing to prompt.'));
+    return envPath;
+  }
+
+  const existingMap = loadExistingEnvMap(envPath);
+  logger.log(chalk.blue(`\nEnter credential values for ${systemKey} (integration/${systemKey}/):`));
+  const promptValues = await promptForKvValues(vars, existingMap);
+  const content = buildEnvContent(templateContent, promptValues);
+
+  const dir = path.dirname(envPath);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  fs.writeFileSync(envPath, content, { mode: 0o600 });
+  logger.log(chalk.green(`✓ Wrote ${envPath}`));
+  return envPath;
+}
+
+module.exports = { runCredentialEnv, validateSystemKeyFormat, extractKvVarsFromTemplate, buildEnvContent };

package/lib/commands/credential-list.js

@@ -1,7 +1,6 @@
 /**
  * Credential list command – list credentials from Dataplane
  * GET /api/v1/credential. Used by `aifabrix credential list`.
- * The Controller does not expose this endpoint; credentials are listed from the Dataplane.
  *
  * @fileoverview Credential list command implementation
  * @author AI Fabrix Team
@@ -10,6 +9,7 @@
 
 const chalk = require('chalk');
 const logger = require('../utils/logger');
+const { formatCredentialWithStatus } = require('../utils/credential-display');
 const { resolveControllerUrl } = require('../utils/controller-url');
 const { getOrRefreshDeviceToken } = require('../utils/token-manager');
 const { normalizeControllerUrl, resolveEnvironment } = require('../core/config');
@@ -37,12 +37,14 @@ async function getCredentialListAuth(controllerUrl) {
 }
 
 /**
- * Extract credentials array from API response
- * @param {Object} response - API response
+ * Extract credentials array from API response.
+ * Handles: { data: { meta, data: [...] } } (paginated), { data: [...] }, { credentials: [...] }, { items: [...] }.
+ * @param {Object} response - API response (e.g. { success, data } from API client, or raw body)
  * @returns {Array}
  */
 function extractCredentials(response) {
-  const data = response?.data ?? response;
+  const body = response?.data ?? response;
+  const data = body?.data ?? body;
   const items = data?.credentials ?? data?.items ?? (Array.isArray(data) ? data : []);
   return Array.isArray(items) ? items : [];
 }
@@ -59,9 +61,10 @@ function displayCredentialList(list, baseUrl) {
     return;
   }
   list.forEach((c) => {
-    const key = c.key ?? c.id ?? c.credentialKey ?? '-';
-    const name = c.displayName ?? c.name ?? key;
-    logger.log(`  ${chalk.cyan(key)} - ${name}`);
+    const { key, name, statusFormatted, statusLabel } = formatCredentialWithStatus(c);
+    const prefix = statusFormatted ? `${statusFormatted} ` : '  ';
+    const line = `${prefix}${chalk.cyan(key)} - ${name}${statusLabel}`;
+    logger.log(line);
   });
   logger.log('');
 }
@@ -69,10 +72,10 @@ function displayCredentialList(list, baseUrl) {
 /**
  * Ensure controller URL and auth; exit on failure. Returns { controllerUrl, authConfig } when valid.
  * @async
- * @param {Object} options - CLI options with optional controller
+ * @param {Object} options - CLI options
  * @returns {Promise<{controllerUrl: string, authConfig: Object}>}
  */
-async function ensureControllerAndAuth(options) {
+async function ensureControllerAndAuth(options = {}) {
   const controllerUrl = options.controller || (await resolveControllerUrl());
   if (!controllerUrl) {
     logger.error(chalk.red('❌ Controller URL is required. Run "aifabrix login" first.'));
@@ -91,19 +94,14 @@ async function ensureControllerAndAuth(options) {
 }
 
 /**
- * Resolve Dataplane URL for credential list (override or discover from controller + environment)
+ * Resolve Dataplane URL for credential list (discover from controller + environment)
  * @async
  * @param {string} controllerUrl - Controller base URL
  * @param {Object} authConfig - Auth config with token
- * @param {Object} options - CLI options
- * @param {string} [options.dataplane] - Optional Dataplane URL override
  * @returns {Promise<string>} Dataplane base URL
  * @throws {Error} When resolution fails (caller should exit)
  */
-async function resolveCredentialListDataplaneUrl(controllerUrl, authConfig, options) {
-  if (options.dataplane) {
-    return options.dataplane.replace(/\/$/, '');
-  }
+async function resolveCredentialListDataplaneUrl(controllerUrl, authConfig) {
   const environment = await resolveEnvironment();
   return await resolveDataplaneUrl(controllerUrl, environment, authConfig);
 }
@@ -127,12 +125,11 @@ async function fetchAndDisplayCredentials(dataplaneUrl, authConfig, listOptions)
  * @param {Object} options - CLI options
  * @returns {Promise<string>} Dataplane URL (never returns on failure; process.exit(1))
  */
-async function resolveDataplaneUrlOrExit(controllerUrl, authConfig, options) {
+async function resolveDataplaneUrlOrExit(controllerUrl, authConfig) {
   try {
-    return await resolveCredentialListDataplaneUrl(controllerUrl, authConfig, options);
+    return await resolveCredentialListDataplaneUrl(controllerUrl, authConfig);
   } catch (err) {
     logger.error(chalk.red(`❌ Could not resolve Dataplane URL: ${err.message}`));
-    logger.error(chalk.gray('Use --dataplane <url> to specify the Dataplane URL directly.'));
     process.exit(1);
   }
 }
@@ -141,15 +138,13 @@ async function resolveDataplaneUrlOrExit(controllerUrl, authConfig, options) {
  * Run credential list command: call GET /api/v1/credential on Dataplane and display results
  * @async
  * @param {Object} options - CLI options
- * @param {string} [options.controller] - Controller URL override
- * @param {string} [options.dataplane] - Dataplane URL override (default: resolved from controller + environment)
  * @param {boolean} [options.activeOnly] - List only active credentials
  * @param {number} [options.pageSize] - Items per page
  * @returns {Promise<void>}
  */
 async function runCredentialList(options = {}) {
   const { controllerUrl, authConfig } = await ensureControllerAndAuth(options);
-  const dataplaneUrl = await resolveDataplaneUrlOrExit(controllerUrl, authConfig, options);
+  const dataplaneUrl = await resolveDataplaneUrlOrExit(controllerUrl, authConfig);
   const listOptions = {
     pageSize: options.pageSize || DEFAULT_PAGE_SIZE,
     activeOnly: options.activeOnly

package/lib/commands/credential-push.js

@@ -0,0 +1,96 @@
+/**
+ * Credential push command – pushes KV_* from .env to dataplane.
+ * Used by `aifabrix credential push <system-key>`.
+ *
+ * @fileoverview Credential push command – push credential secrets to dataplane
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const path = require('path');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { resolveControllerUrl } = require('../utils/controller-url');
+const { getDeploymentAuth, requireBearerForDataplanePipeline } = require('../utils/token-manager');
+const { resolveDataplaneUrl } = require('../utils/dataplane-resolver');
+const { getIntegrationPath } = require('../utils/paths');
+const { pushCredentialSecrets } = require('../utils/credential-secrets-env');
+const { generateControllerManifest } = require('../generator/external-controller-manifest');
+
+/**
+ * Validates system-key format.
+ * @param {string} systemKey - System key
+ * @throws {Error} If invalid
+ */
+function validateSystemKeyFormat(systemKey) {
+  if (!systemKey || typeof systemKey !== 'string') {
+    throw new Error('System key is required and must be a string');
+  }
+  if (!/^[a-z0-9-_]+$/.test(systemKey)) {
+    throw new Error('System key must contain only lowercase letters, numbers, hyphens, and underscores');
+  }
+}
+
+/**
+ * Builds upload payload for credential push (same shape as upload).
+ * @param {string} systemKey - System key
+ * @returns {Promise<Object>} { version, application, dataSources }
+ */
+async function buildPayload(systemKey) {
+  const manifest = await generateControllerManifest(systemKey, { type: 'external' });
+  return {
+    version: manifest.version || '1.0.0',
+    application: manifest.system,
+    dataSources: manifest.dataSources || []
+  };
+}
+
+/**
+ * Runs credential push: push KV_* from .env to dataplane.
+ * @async
+ * @param {string} systemKey - External system key
+ * @returns {Promise<{ pushed: number }>} Count of secrets pushed
+ * @throws {Error} If auth or push fails
+ */
+function logPushResult(pushResult) {
+  if (pushResult.pushed > 0) {
+    const keyList = pushResult.keys?.length ? ` (${pushResult.keys.join(', ')})` : '';
+    logger.log(chalk.green(`✓ Pushed ${pushResult.pushed} credential secret(s) to dataplane${keyList}.`));
+  } else if (pushResult.skipped) {
+    logger.log(chalk.yellow('No credential secrets to push (empty .env or no KV_* vars with values).'));
+  } else {
+    logger.log(chalk.yellow('Secret push skipped'));
+  }
+  if (pushResult.warning) logger.log(chalk.yellow(`Warning: ${pushResult.warning}`));
+}
+
+async function runCredentialPush(systemKey) {
+  validateSystemKeyFormat(systemKey);
+  const appPath = getIntegrationPath(systemKey);
+  const envFilePath = path.join(appPath, '.env');
+
+  const { resolveEnvironment } = require('../core/config');
+  const environment = await resolveEnvironment();
+  const controllerUrl = await resolveControllerUrl();
+  const authConfig = await getDeploymentAuth(controllerUrl, environment, systemKey);
+
+  if (!authConfig.token && !authConfig.clientId) {
+    throw new Error('Authentication required. Run "aifabrix login" or "aifabrix app register <system-key>" first.');
+  }
+
+  requireBearerForDataplanePipeline(authConfig);
+  logger.log(chalk.blue('Resolving dataplane URL...'));
+  const dataplaneUrl = await resolveDataplaneUrl(controllerUrl, environment, authConfig);
+
+  const payload = await buildPayload(systemKey);
+  const pushResult = await pushCredentialSecrets(dataplaneUrl, authConfig, {
+    envFilePath,
+    appName: systemKey,
+    payload
+  });
+
+  logPushResult(pushResult);
+  return { pushed: pushResult.pushed || 0 };
+}
+
+module.exports = { runCredentialPush, validateSystemKeyFormat, buildPayload };