@aifabrix/builder 2.41.0 → 2.42.0

package/lib/validation/validate.js

@@ -16,11 +16,16 @@ const { resolveExternalFiles } = require('../utils/schema-resolver');
 const { loadExternalSystemSchema, loadExternalDataSourceSchema, detectSchemaType } = require('../utils/schema-loader');
 const { formatValidationErrors } = require('../utils/error-formatter');
 const { detectAppType } = require('../utils/paths');
+const batch = require('./validate-batch');
 const { logOfflinePathWhenType } = require('../utils/cli-utils');
 const { resolveApplicationConfigPath } = require('../utils/app-config-resolver');
-const { displayValidationResults } = require('./validate-display');
+const { displayValidationResults, displayBatchValidationResults } = require('./validate-display');
 const { generateControllerManifest } = require('../generator/external-controller-manifest');
 const { validateControllerManifest } = require('./external-manifest-validator');
+const {
+  validateOAuth2GrantTypeAndAuthorizationUrl,
+  validateConfigurationNoStandardAuthVariables
+} = require('./external-system-auth-rules');
 
 /**
  * Validates a file path (detects type and validates)
@@ -191,6 +196,8 @@ async function validateExternalFile(filePath, type) {
 
   if (normalizedType === 'system') {
     validateRoleReferences(parseResult.parsed, errors);
+    validateOAuth2GrantTypeAndAuthorizationUrl(parseResult.parsed, errors);
+    validateConfigurationNoStandardAuthVariables(parseResult.parsed, errors);
   }
 
   return {
@@ -398,6 +405,7 @@ async function validateExternalSystemComplete(appName, options = {}) {
     throw new Error('App name is required and must be a string');
   }
 
+  const { appPath } = await detectAppType(appName, options);
   const steps = {
     application: { valid: false, errors: [], warnings: [] },
     components: { valid: false, errors: [], warnings: [], files: [] },
@@ -414,11 +422,13 @@ async function validateExternalSystemComplete(appName, options = {}) {
 
   // If components have errors, return early (don't validate manifest)
   if (!steps.components.valid) {
+    steps.manifest = { valid: true, errors: [], warnings: [], skipped: true };
     return {
       valid: false,
       errors: [...steps.application.errors, ...steps.components.errors],
       warnings: [...steps.application.warnings, ...steps.components.warnings],
-      steps
+      steps,
+      appPath
     };
   }
 
@@ -433,7 +443,8 @@ async function validateExternalSystemComplete(appName, options = {}) {
     valid: allErrors.length === 0,
     errors: allErrors,
     warnings: allWarnings,
-    steps
+    steps,
+    appPath
   };
 }
 
@@ -451,29 +462,31 @@ async function validateAppOrFile(appOrFile, options = {}) {
   const { appPath, isExternal } = await detectAppType(appName);
   logOfflinePathWhenType(appPath);
 
-  if (isExternal) {
-    return await validateExternalSystemComplete(appName, options);
-  }
+  if (isExternal) return await validateExternalSystemComplete(appName, options);
 
   const appValidation = await validator.validateApplication(appName, options);
   const rbacValidation = await validateRbacForExternalSystem(isExternal, appName);
-
   const variablesPath = resolveApplicationConfigPath(appPath);
   const earlyReturn = loadVariablesAndCheckExternalIntegration(variablesPath, appValidation);
-  if (earlyReturn) {
-    return earlyReturn;
-  }
+  if (earlyReturn) return earlyReturn;
 
   const externalValidations = await validateExternalFilesForApp(appName, options);
-  return aggregateValidationResults(appValidation, externalValidations, rbacValidation);
+  const result = aggregateValidationResults(appValidation, externalValidations, rbacValidation);
+  result.appPath = appPath;
+  return result;
 }
 
 module.exports = {
   validateAppOrFile,
   validateExternalSystemComplete,
   displayValidationResults,
+  displayBatchValidationResults,
   validateExternalFile,
   validateExternalFilesForApp,
-  validateFilePath
+  validateFilePath,
+  validateAllIntegrations: (opts = {}) => batch.validateAllIntegrations(validateAppOrFile, opts),
+  validateAllBuilderApps: (opts = {}) => batch.validateAllBuilderApps(validateAppOrFile, opts),
+  validateAll: (opts = {}) => batch.validateAll(validateAppOrFile, opts),
+  buildBatchResult: batch.buildBatchResult
 };
 

package/lib/validation/validator.js

@@ -21,6 +21,8 @@ const { checkEnvironment } = require('../utils/environment-checker');
 const { formatValidationErrors } = require('../utils/error-formatter');
 const { detectAppType, resolveApplicationConfigPath } = require('../utils/paths');
 const { loadConfigFile } = require('../utils/config-format');
+const { validateAuthKvCoverage } = require('./env-template-auth');
+const { validateKvReferencesInLines } = require('./env-template-kv');
 
 /**
  * Validates application config file against application schema
@@ -250,7 +252,7 @@ async function validateEnvTemplate(appName, options = {}) {
   }
 
   // Support both builder/ and integration/ directories using detectAppType
-  const { appPath } = await detectAppType(appName, options);
+  const { appPath, isExternal } = await detectAppType(appName, options);
   const templatePath = path.join(appPath, 'env.template');
 
   if (!fs.existsSync(templatePath)) {
@@ -281,14 +283,10 @@ async function validateEnvTemplate(appName, options = {}) {
     }
   });
 
-  // Check for kv:// reference format
-  const kvPattern = /kv:\/\/([a-zA-Z0-9-_]+)/g;
-  let match;
-  while ((match = kvPattern.exec(content)) !== null) {
-    const secretKey = match[1];
-    if (!secretKey) {
-      errors.push('Invalid kv:// reference format');
-    }
+  validateKvReferencesInLines(lines, errors);
+
+  if (isExternal) {
+    await validateAuthKvCoverage(appPath, content, errors, warnings, options);
   }
 
   return {

package/lib/validation/wizard-datasource-validation.js

@@ -0,0 +1,50 @@
+/**
+ * @fileoverview Wizard datasource validation helpers - validate datasourceKeys and entityName against dataplane
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+/**
+ * Validate that all datasourceKeys exist in the platform's available datasources
+ * @function validateDatasourceKeysForPlatform
+ * @param {string[]} datasourceKeys - User-provided datasource keys
+ * @param {Array<{key: string, displayName?: string, entity?: string}>} availableDatasources - Platform datasources
+ * @returns {{ valid: boolean, invalidKeys: string[] }} Validation result
+ */
+function validateDatasourceKeysForPlatform(datasourceKeys, availableDatasources) {
+  if (!Array.isArray(datasourceKeys) || datasourceKeys.length === 0) {
+    return { valid: true, invalidKeys: [] };
+  }
+  const availableKeys = Array.isArray(availableDatasources)
+    ? availableDatasources.map(d => (d && typeof d === 'object' && d.key) ? d.key : null).filter(Boolean)
+    : [];
+  const invalidKeys = datasourceKeys.filter(k => !availableKeys.includes(k));
+  return {
+    valid: invalidKeys.length === 0,
+    invalidKeys
+  };
+}
+
+/**
+ * Validate that entityName exists in the discovered entities list
+ * @function validateEntityNameForOpenApi
+ * @param {string} entityName - User-provided entity name
+ * @param {Array<{name: string}>} entities - Discovered entities from OpenAPI
+ * @returns {{ valid: boolean }} Validation result
+ */
+function validateEntityNameForOpenApi(entityName, entities) {
+  if (!entityName || typeof entityName !== 'string' || entityName.trim() === '') {
+    return { valid: true };
+  }
+  const entityNames = Array.isArray(entities)
+    ? entities.map(e => (e && typeof e === 'object' && e.name) ? e.name : null).filter(Boolean)
+    : [];
+  return {
+    valid: entityNames.includes(entityName)
+  };
+}
+
+module.exports = {
+  validateDatasourceKeysForPlatform,
+  validateEntityNameForOpenApi
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.41.0",
+  "version": "2.42.0",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {
@@ -10,6 +10,7 @@
   "scripts": {
     "test": "node tests/scripts/test-wrapper.js",
     "test:ci": "bash tests/scripts/ci-simulate.sh",
+    "test:same-as-github": "cross-env CI=true npm run lint && cross-env CI=true node tests/scripts/test-wrapper.js",
     "test:coverage": "cross-env RUN_COVERAGE=1 node tests/scripts/test-wrapper.js",
     "test:coverage:nyc": "nyc --reporter=text --reporter=lcov --reporter=html jest --config jest.config.coverage.js --runInBand",
     "test:watch": "jest --watch",
@@ -71,13 +72,16 @@
   },
   "dependencies": {
     "ajv": "^8.12.0",
+    "ajv-formats": "^3.0.1",
     "axios": "^1.6.0",
     "chalk": "^4.1.2",
     "commander": "^11.1.0",
     "handlebars": "^4.7.8",
     "inquirer": "^8.2.5",
+    "inquirer-autocomplete-prompt": "^2.0.0",
     "js-yaml": "^4.1.0",
-    "ora": "^5.4.1"
+    "ora": "^5.4.1",
+    "yaml": "^2.4.0"
   },
   "devDependencies": {
     "@babel/preset-env": "^7.29.0",
@@ -86,6 +90,7 @@
     "cross-env": "^10.1.0",
     "eslint": "^8.55.0",
     "jest": "^30.2.0",
+    "markdownlint-cli": "^0.47.0",
     "nyc": "^17.1.0"
   },
   "repository": {

package/templates/applications/dataplane/application.yaml

@@ -5,7 +5,7 @@ app:
   description: "AI Fabrix Dataplane is a secure, in-tenant integration and automation layer that supplies governed, normalized, and explainable enterprise data to AI agents. Using CIP as a declarative standard, it enforces RBAC and ABAC, executes integrations, and exposes trusted data via MCP and OpenAPI."
   type: webapp
   language: python  # Explicitly specify Python language
-  version: 1.7.0
+  version: 1.8.0
 
 # Image Configuration
 # Set tag to match your build (e.g. aifabrix build dataplane -t v1.0.0 then tag: v1.0.0)

package/templates/applications/dataplane/env.template

@@ -1,5 +1,5 @@
 # Environment Variables Template
-# Use kv:// references for secrets (resolved from .aifabrix/secrets.yaml)
+# Use key-value refs (format: kv://secret-key) for secrets (resolved from .aifabrix/secrets.yaml)
 # Use ${VAR} for environment-specific values
 
 # =============================================================================
@@ -8,8 +8,8 @@
 
 # HTTP port for the app
 PORT=${PORT}
-# development | staging | production
-ENVIRONMENT=development
+# dev | tst | pro
+ENVIRONMENT=dev
 # Enable debug mode
 DEBUG=false
 # Logging level: DEBUG, INFO, WARNING, ERROR, CRITICAL
@@ -28,7 +28,7 @@ API_KEY=kv://miso-controller-api-key-secretKeyVault
 
 # API Configuration
 API_V1_STR=/api/v1
-VERSION=1.7.0
+VERSION=1.8.0
 # Base URL for the dataplane web server (used for default OAuth2 callback URL when redirectUri is omitted)
 DATAPLANE_WEB_SERVER_URL=kv://dataplane-web-server-url
 DATAPLANE_INTERNAL_URL=kv://dataplane-internal-server-url
@@ -105,7 +105,7 @@ KEYCLOAK_REALM=aifabrix
 # Public: browser redirects and CORS for client_token; set when controller is behind a different public URL.
 MISO_WEB_SERVER_URL=kv://miso-controller-web-server-url
 # Internal: server-to-controller API calls (auth, pipeline, status, RBAC).
-MISO_CONTROLLER_URL=kv://miso-controller-internal-server-url
+MISO_CONTROLLER_URL=http://${MISO_HOST}:${MISO_PORT}
 
 # Pipeline env key for controller URLs: /api/v1/pipeline/{envKey}/validate and /deploy.
 # Set MISO_PIPELINE_ENV_KEY=dev when controller uses dev (e.g. MISO_CLIENTID=miso-controller-dev-dataplane).

package/templates/applications/dataplane/rbac.yaml

@@ -38,8 +38,8 @@ roles:
 permissions:
   # Credential management
   - name: "credential:create"
-    roles: ["aifabrix-platform-admin"]
-    description: "Create credentials"
+    roles: ["aifabrix-platform-admin", "aifabrix-deployment-admin", "aifabrix-developer"]
+    description: "Create credentials (and store kv:// secrets for upload/publish)"
   
   - name: "credential:read"
     roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-compliance-admin", "aifabrix-observer"]

package/templates/applications/miso-controller/env.template

@@ -59,7 +59,7 @@ ENABLE_API_DOCS=true
 # Rate Limiting Configuration (for local development)
 # Set DISABLE_RATE_LIMIT=true to disable rate limiting entirely (local development only)
 DISABLE_RATE_LIMIT=true
-# RATE_LIMIT_WINDOW_MS=900000  # 15 minutes in milliseconds (default: 900000)
+# RATE_LIMIT_WINDOW_MS=600000  # 10 minutes in milliseconds (default: 600000)
 # RATE_LIMIT_MAX=100           # Max requests per window (default: 100)
 
 # Package Version (auto-set by npm/pnpm, optional override)

package/templates/external-system/README.md.hbs

@@ -10,25 +10,29 @@
 
 ## Files
 
-- `application.yaml` – Application configuration with `app` and `externalIntegration` blocks
-- `{{systemKey}}-system.yaml` – External system definition (authentication, OpenAPI/MCP, RBAC)
+- `application{{fileExt}}` – Application configuration with `app` and `externalIntegration` blocks
+- `{{systemKey}}-system{{fileExt}}` – External system definition (authentication, OpenAPI/MCP, RBAC)
 {{#each datasources}}
 - `{{fileName}}` – Datasource: {{displayName}}
 {{/each}}
 - `env.template` – Environment variables template (secrets, API keys)
-- `{{systemKey}}-deploy.json` – Deployment manifest (generated by `aifabrix json`)
+- `{{systemKey}}-deploy.json` – Deployment manifest (generated by `aifabrix json {{appName}}`)
+- `deploy.js` – Deploy script for the integration
+- `wizard.yaml` – Wizard configuration (if created via wizard)
 
 Optional: `rbac.yaml` – Roles and permissions merged into the system when present.
 
 ## Quick Start
 
-### 1. Create External System
-
+Login to your controller
 ```bash
-aifabrix create {{appName}} --type external
+aifabrix auth config --set-controller <url> --set-environment dev
+aifabrix login
 ```
 
-Or use the interactive wizard:
+### 1. Extend External System
+
+Use the interactive wizard to extend your existing system:
 
 ```bash
 aifabrix wizard --app {{appName}}
@@ -38,36 +42,35 @@ aifabrix wizard --app {{appName}}
 
 Edit files in `integration/{{appName}}/`:
 
-- **Authentication**: `{{systemKey}}-system.yaml` (auth type, credentials placeholders)
-- **Field mappings**: `{{systemKey}}-datasource-*.yaml` (dimensions, attributes, operations)
+- **Authentication**: `{{systemKey}}-system{{fileExt}}` (auth type, credentials placeholders)
+- **Field mappings**: `{{systemKey}}-datasource-*-datasource{{fileExt}}` (dimensions, attributes, operations)
+- **Credential and configuration**: `env.template` (security settings and configuration variables)
 
 ### 3. Validate Configuration
 
 ```bash
-aifabrix validate {{appName}} --type external
-```
-
-### 4. Generate Deployment Manifest
-
-```bash
-aifabrix json {{appName}} --type external
+aifabrix validate {{appName}}
 ```
 
-This creates `{{systemKey}}-deploy.json` in `integration/{{appName}}/`.
-
-### 5. Deploy
+### 4. Repair Deployment Manifest
 
-Controller URL and environment are read from config. Configure and log in first:
+**Run repair regularly.** It keeps naming conventions, filenames, and the deployment manifest aligned with AI Fabrix platform best practices. Use it after editing datasources, env.template, or system config—and run it often to catch drift early.
 
 ```bash
-aifabrix auth config --set-controller <url> --set-environment dev
-aifabrix login
+aifabrix repair {{appName}}
 ```
 
-Then deploy:
+Options:
+  --dry-run   Report changes only; do not write
+  --rbac      Ensure RBAC permissions per datasource and add default Admin/Reader roles if none exist
+  --expose    Set exposed.attributes on each datasource to all fieldMappings.attributes keys
+  --sync      Add default sync section to datasources that lack it
+  --test      Generate testPayload.payloadTemplate and testPayload.expectedResult from attributes
+
+### 5. Upload to dataplane
 
 ```bash
-aifabrix deploy {{appName}}
+aifabrix upload {{appName}}
 ```
 
 ## Testing
@@ -84,6 +87,43 @@ aifabrix test {{appName}}
 aifabrix test-integration {{appName}}
 ```
 
+### End-to-end Tests (Via Dataplane)
+
+```bash
+aifabrix test-e2e {{appName}}
+```
+
+Options:
+  -e, --env <env>  Environment: dev, tst, or pro (builder: dev/tst for container)
+  -v, --verbose    Show detailed step output and poll progress
+  --debug          Include debug output and write log to integration/{{appName}}/logs/
+  --no-async       Use sync mode (no polling); single POST per datasource
+
+### E2E tests per datasource
+
+To run a full E2E test for a single datasource (config, credential, sync, data, CIP), use `aifabrix datasource test-e2e` with the datasource key and app:
+
+{{#if hasDatasources}}
+```bash
+{{#each datasources}}
+# {{displayName}}
+aifabrix datasource test-e2e {{datasourceKey}} --app {{../appName}}
+
+{{/each}}
+```
+{{/if}}
+
+Options:
+  -a, --app {{appName}}              App key (default: resolve from cwd if inside integration/{{appName}}/)
+  -e, --env <env>                    Environment: dev, tst, or pro
+  -v, --verbose                      Show detailed step output and poll progress
+  --debug                            Include debug output and write log to integration/{{appName}}/logs/
+  --test-crud                        Enable CRUD lifecycle test (body testCrud: true)
+  --record-id <id>                   Record ID for test (body recordId)
+  --no-cleanup                       Disable cleanup after test (body cleanup: false)
+  --primary-key-value <value|@path>  Primary key value or path to JSON file (e.g. @pk.json) for body primaryKeyValue
+  --no-async                         Use sync mode (no polling); single POST, no asyncRun
+
 ## Deployment
 
 Deploy via miso-controller pipeline (same as regular apps). Auth and controller come from `aifabrix login` and `aifabrix auth config`:
@@ -94,6 +134,6 @@ aifabrix deploy {{appName}}
 
 ## Troubleshooting
 
-- **Validation errors**: Run `aifabrix validate {{appName}} --type external` to see schema and manifest errors.
+- **Validation errors**: Run `aifabrix validate {{appName}}` to see schema and manifest errors.
 - **Deployment / auth**: Run `aifabrix auth config --set-controller <url> --set-environment <env>` and `aifabrix login` before `aifabrix deploy`.
 - **File not found**: Run commands from the project root (where `package.json` and `integration/` live).

package/templates/external-system/deploy.js.hbs

@@ -10,6 +10,8 @@ const { execSync } = require('child_process');
 const path = require('path');
 
 const scriptDir = __dirname;
+// Project root (repo containing integration/ and builder/) so deploy/test-integration resolve app paths correctly
+const projectRoot = path.join(scriptDir, '..', '..');
 const appKey = '{{systemKey}}';
 const env = process.env.ENVIRONMENT || 'dev';
 // Controller URL: from config (aifabrix auth config) or set CONTROLLER env before running
@@ -57,12 +59,12 @@ run('aifabrix validate "' + path.join(scriptDir, '{{this}}') + '"');
 console.log('✅ Validation passed');
 
 console.log('🚀 Deploying ' + appKey + '...');
-run('aifabrix deploy ' + appKey);
+run('aifabrix deploy ' + appKey, { cwd: projectRoot });
 console.log('✅ Deployment complete');
 
 if (process.env.RUN_TESTS !== 'false') {
   console.log('🧪 Running integration tests...');
-  run('aifabrix test-integration ' + appKey);
+  run('aifabrix test-integration ' + appKey, { cwd: projectRoot });
   console.log('✅ Tests passed');
 }
 

package/templates/external-system/external-datasource.yaml.hbs

@@ -0,0 +1,217 @@
+key: "{{fullDatasourceKey}}"
+displayName: "{{datasourceDisplayName}}"
+description: "{{datasourceDescription}}"
+systemKey: "{{systemKey}}"
+entityType: "{{schemaEntityType}}"
+resourceType: "{{resourceType}}"
+primaryKey:
+{{#each primaryKey}}  - "{{this}}"
+{{/each}}
+enabled: true
+version: "1.0.0"
+fieldMappings:
+{{#if dimensions}}
+  dimensions:
+{{#each dimensions}}
+    {{@key}}: "{{this}}"
+{{/each}}
+{{else}}
+  dimensions: {}
+  # Optional: add country, department, organization for ABAC
+{{/if}}
+  attributes:
+{{#if attributes}}
+{{#each attributes}}
+    {{@key}}:
+      expression: "{{this.expression}}"
+      type: {{this.type}}
+      indexed: {{#if this.indexed}}true{{else}}false{{/if}}
+{{/each}}
+{{else}}
+    id:
+      expression: "{{raw.id}}"
+      type: string
+      indexed: true
+    name:
+      expression: "{{raw.name}}"
+      type: string
+      indexed: false
+{{/if}}
+{{#if (eq systemType "openapi")}}
+openapi:
+  enabled: true
+  documentKey: "{{systemKey}}-api"
+  operations:
+    list:
+      operationId: "list{{entityKey}}"
+      method: GET
+      path: "/{{entityKey}}"
+    get:
+      operationId: "get{{entityKey}}"
+      method: GET
+      path: "/{{entityKey}}/{id}"
+  autoRbac: true
+{{/if}}
+
+# --- Optional sections: uncomment or delete as needed ---
+# CIP (Custom Integration Pipeline) supports: fetch, paginate, map, filter, output, pythonInline steps.
+# Operations: list, get, create, update, delete. Pagination: cursor | page | offset.
+{{#if (eq schemaEntityType "recordStorage")}}
+# sync:
+#   pull:
+#     enabled: true
+#     schedule: "0 * * * *"
+# capabilities: [list, get]
+{{/if}}
+{{#if (eq schemaEntityType "documentStorage")}}
+# documentStorage:
+#   enabled: true
+#   binaryOperationRef: get
+#   embeddingField: content
+{{/if}}
+{{#if (eq schemaEntityType "vectorStore")}}
+# vectorStore:
+#   enabled: true
+#   embeddingModel: "text-embedding-ada-002"
+{{/if}}
+{{#if (eq schemaEntityType "messageService")}}
+# messageService:
+#   enabled: true
+#   channels: []
+{{/if}}
+
+# --- execution: CIP pipeline ---
+# Steps: fetch (openapi/http) → paginate (cursor|page|offset) → map (useFieldMappings, inputPath) → filter (enforceAbac, expression) → output (mode: records)
+# Pagination: cursor=cursorField+cursorParam | page=pageParam+pageSizeParam | offset=offsetParam+pageSizeParam
+# Adjust inputPath to your API ($.results[*], $.items[*], $.value[*], etc.)
+{{#if (eq schemaEntityType "recordStorage")}}
+# execution:
+#   engine: cip
+#   cip:
+#     operations:
+#       list:
+#         enabled: true
+#         description: "List all records"
+#         steps:
+#           - fetch: { source: openapi, openapiRef: list, query: {} }
+#           - paginate: { strategy: cursor, cursorField: "$.paging.next.after", cursorParam: after, pageSize: 100, maxPages: 100 }
+#           # Alternative: page → pageParam, pageSizeParam | offset → offsetParam, pageSizeParam
+#           - map: { useFieldMappings: true, inputPath: "$.results[*]" }
+#           - filter: { enforceAbac: true }
+#           # Optional: filter.expression for SQL or JSON filter, e.g. expression: "status = 'active'"
+#           - output: { mode: records }
+#       get:
+#         enabled: true
+#         description: "Get record by ID"
+#         steps:
+#           - fetch: { source: openapi, openapiRef: get, query: {} }
+#           - map: { useFieldMappings: true, inputPath: "$" }
+#           - filter: { enforceAbac: true }
+#           - output: { mode: records }
+#       create:
+#         steps:
+#           - fetch: { source: openapi, openapiRef: create, bodyTemplate: "{{body}}" }
+#           - map: { useFieldMappings: true, inputPath: "$" }
+#           - output: { mode: records }
+#       update:
+#         steps:
+#           - fetch: { source: openapi, openapiRef: update, bodyTemplate: "{{body}}" }
+#           - map: { useFieldMappings: true, inputPath: "$" }
+#           - output: { mode: records }
+#       delete:
+#         steps:
+#           - fetch: { source: openapi, openapiRef: delete }
+#           - output: { mode: records }
+{{/if}}
+{{#if (eq schemaEntityType "documentStorage")}}
+# execution:
+#   engine: cip
+#   cip:
+#     operations:
+#       list:
+#         enabled: true
+#         description: "List documents"
+#         steps:
+#           - fetch: { source: openapi, openapiRef: list, query: {} }
+#           - paginate: { strategy: offset, offsetParam: skip, pageSizeParam: top, pageSize: 100, maxPages: 100 }
+#           - map: { useFieldMappings: true, inputPath: "$.value[*]" }
+#           - filter: { enforceAbac: true }
+#           - output: { mode: records }
+#       get:
+#         enabled: true
+#         description: "Get document by ID"
+#         steps:
+#           - fetch: { source: openapi, openapiRef: get, query: {} }
+#           - map: { useFieldMappings: true, inputPath: "$" }
+#           - filter: { enforceAbac: true }
+#           - output: { mode: records }
+#       create:
+#         enabled: true
+#         description: "Upload document"
+#         steps:
+#           - fetch: { source: openapi, openapiRef: create, bodyTemplate: "{{fileContent}}" }
+#           - map: { useFieldMappings: true, inputPath: "$" }
+#           - output: { mode: records }
+{{/if}}
+{{#if (eq schemaEntityType "vectorStore")}}
+# execution:
+#   engine: cip
+#   cip:
+#     operations:
+#       list:
+#         steps:
+#           - fetch: { source: openapi, openapiRef: list, query: {} }
+#           - map: { useFieldMappings: true, inputPath: "$" }
+#           - output: { mode: records }
+#       get:
+#         steps:
+#           - fetch: { source: openapi, openapiRef: get, query: {} }
+#           - map: { useFieldMappings: true, inputPath: "$" }
+#           - output: { mode: records }
+{{/if}}
+{{#if (eq schemaEntityType "messageService")}}
+# execution:
+#   engine: cip
+#   cip:
+#     operations:
+#       list:
+#         steps:
+#           - fetch: { source: openapi, openapiRef: list, query: {} }
+#           - map: { useFieldMappings: true, inputPath: "$" }
+#           - output: { mode: records }
+{{/if}}
+{{#if (eq schemaEntityType "none")}}
+# execution:
+#   engine: cip
+#   cip:
+#     operations:
+#       list:
+#         steps:
+#           - fetch: { source: openapi, openapiRef: list, query: {} }
+#           - map: { useFieldMappings: true, inputPath: "$" }
+#           - output: { mode: records }
+#       get:
+#         steps:
+#           - fetch: { source: openapi, openapiRef: get, query: {} }
+#           - map: { useFieldMappings: true, inputPath: "$" }
+#           - output: { mode: records }
+{{/if}}
+
+# config: ABAC cross-system filters (SQL or JSON)
+# config:
+#   abac:
+#     crossSystemSql: "country = '{{actor.country}}'"
+#     # crossSystemJson: { "dimensions.country": { "eq": "{{actor.country}}" } }
+
+# capabilities: [list, get, create, update, delete]
+
+# exposed: attributes to expose via MCP/OpenAPI
+# exposed:
+#   attributes: [id, name]
+
+# metadataSchema: JSON Schema for raw metadata validation
+# metadataSchema:
+#   type: object
+#   properties:
+#     id: { type: string }
+#     name: { type: string }