@aifabrix/builder 2.41.0 → 2.42.0

package/lib/api/types/pipeline.types.js

@@ -121,5 +121,42 @@
  * @property {string} data.environment - Environment key
  */
 
+/**
+ * Dataplane pipeline upload request body (single upload → validate → publish).
+ * @typedef {Object} PipelineUploadRequest
+ * @property {string} version - Config version (e.g. "1.0.0")
+ * @property {Object} application - Application/system config (external-system schema)
+ * @property {Object[]} dataSources - Data source configs
+ * @property {string} [status="draft"] - "draft" or "published"; Builder uses "draft"
+ */
+
+/**
+ * Dataplane pipeline upload response (publication result; no uploadId).
+ * @typedef {Object} PipelineUploadResponse
+ * @property {boolean} success - Request success flag
+ * @property {Object} [data] - Publication result (system, datasources, warnings)
+ * @property {string} [data.systemKey] - Published system key
+ * @property {string[]} [data.datasourceKeys] - Published datasource keys
+ * @property {string[]} [data.warnings] - Warnings if any
+ * @property {string} [formattedError] - Formatted error message on failure
+ */
+
+/**
+ * Dataplane pipeline validate request body (dry-run validation only).
+ * @typedef {Object} PipelineValidateConfigRequest
+ * @property {Object} config - Full config to validate
+ * @property {string} config.version - Config version
+ * @property {Object} config.application - Application config
+ * @property {Object[]} config.dataSources - Data source configs
+ */
+
+/**
+ * Dataplane pipeline validate response.
+ * @typedef {Object} PipelineValidateConfigResponse
+ * @property {boolean} isValid - Whether config is valid
+ * @property {string[]} [errors] - Validation errors
+ * @property {string[]} [warnings] - Validation warnings
+ */
+
 module.exports = {};
 

package/lib/api/wizard-platform.api.js

@@ -0,0 +1,61 @@
+/**
+ * @fileoverview Wizard platform API - getPlatformDetails, discoverEntities
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const { ApiClient } = require('./index');
+
+/**
+ * Get platform details including available datasources
+ * GET /api/v1/wizard/platforms/{platformKey}
+ * @requiresPermission {Dataplane} external-system:read
+ * @async
+ * @function getPlatformDetails
+ * @param {string} dataplaneUrl - Dataplane base URL
+ * @param {Object} authConfig - Authentication configuration
+ * @param {string} platformKey - Platform key (e.g. 'hubspot')
+ * @returns {Promise<Object>} Platform details including datasources: [{ key, displayName, entity }]
+ * @throws {Error} If request fails or platform not found (404)
+ */
+async function getPlatformDetails(dataplaneUrl, authConfig, platformKey) {
+  const client = new ApiClient(dataplaneUrl, authConfig);
+  const response = await client.get(`/api/v1/wizard/platforms/${encodeURIComponent(platformKey)}`);
+  if (!response.success) {
+    const msg = response.status === 404
+      ? `Platform '${platformKey}' not found`
+      : response.formattedError || response.error || 'Failed to get platform details';
+    const err = new Error(msg);
+    err.status = response.status;
+    throw err;
+  }
+  return response;
+}
+
+/**
+ * Discover entities from OpenAPI spec (for multi-entity flows)
+ * POST /api/v1/wizard/discover-entities
+ * @requiresPermission {Dataplane} external-system:create
+ * @async
+ * @function discoverEntities
+ * @param {string} dataplaneUrl - Dataplane base URL
+ * @param {Object} authConfig - Authentication configuration
+ * @param {Object} openapiSpec - OpenAPI specification object
+ * @returns {Promise<Object>} Response with entities: [{ name, pathCount, schemaMatch }]
+ * @throws {Error} If request fails
+ */
+async function discoverEntities(dataplaneUrl, authConfig, openapiSpec) {
+  const client = new ApiClient(dataplaneUrl, authConfig);
+  const response = await client.post('/api/v1/wizard/discover-entities', {
+    body: { openapiSpec }
+  });
+  if (!response.success) {
+    const msg = response.formattedError || response.error || 'Failed to discover entities';
+    const err = new Error(msg);
+    err.status = response.status;
+    throw err;
+  }
+  return response;
+}
+
+module.exports = { getPlatformDetails, discoverEntities };

package/lib/api/wizard.api.js

@@ -6,6 +6,7 @@
 
 const { ApiClient } = require('./index');
 const { uploadFile } = require('../utils/file-upload');
+const { getPlatformDetails, discoverEntities } = require('./wizard-platform.api');
 
 /**
  * Create wizard session
@@ -178,8 +179,36 @@ async function detectType(dataplaneUrl, authConfig, openapiSpec) {
 }
 
 /**
- * Generate configuration via AI
+ * Get platform configuration for a known platform (no OpenAPI parsing)
+ * POST /api/v1/wizard/platforms/{platformKey}/config
+ * Use this when sourceType=known-platform; do NOT use generate-config which requires openapiSpec.
+ * @requiresPermission {Dataplane} external-system:create
+ * @async
+ * @function getPlatformConfig
+ * @param {string} dataplaneUrl - Dataplane base URL
+ * @param {Object} authConfig - Authentication configuration
+ * @param {string} platformKey - Platform key (e.g. 'hubspot')
+ * @param {Object} config - Configuration payload (no openapiSpec)
+ * @param {string} config.mode - Wizard mode ('create-system' | 'add-datasource')
+ * @param {string} [config.systemIdOrKey] - Existing system ID/key (required for add-datasource)
+ * @param {string} [config.credentialIdOrKey] - Credential ID or key
+ * @param {string} [config.intent] - User intent
+ * @param {string} [config.fieldOnboardingLevel] - Field onboarding level ('full' | 'standard' | 'minimal')
+ * @param {Object} [config.userPreferences] - User preferences
+ * @returns {Promise<Object>} Generated configuration response
+ * @throws {Error} If request fails
+ */
+async function getPlatformConfig(dataplaneUrl, authConfig, platformKey, config) {
+  const client = new ApiClient(dataplaneUrl, authConfig);
+  return await client.post(`/api/v1/wizard/platforms/${encodeURIComponent(platformKey)}/config`, {
+    body: config
+  });
+}
+
+/**
+ * Generate configuration via AI (OpenAPI-based)
  * POST /api/v1/wizard/generate-config
+ * Do NOT use for sourceType=known-platform; use getPlatformConfig instead.
  * @requiresPermission {Dataplane} external-system:create
  * @async
  * @function generateConfig
@@ -198,6 +227,7 @@ async function detectType(dataplaneUrl, authConfig, openapiSpec) {
  * @param {boolean} [config.userPreferences.enableMCP] - Enable MCP
  * @param {boolean} [config.userPreferences.enableABAC] - Enable ABAC
  * @param {boolean} [config.userPreferences.enableRBAC] - Enable RBAC
+ * @param {string} [config.entityName] - Entity for multi-entity OpenAPI (from discover-entities)
  * @returns {Promise<Object>} Generated configuration response
  * @throws {Error} If request fails
  */
@@ -417,6 +447,9 @@ module.exports = {
   parseOpenApi,
   credentialSelection,
   detectType,
+  getPlatformDetails,
+  discoverEntities,
+  getPlatformConfig,
   generateConfig,
   generateConfigStream,
   validateWizardConfig,

package/lib/app/config.js

@@ -15,6 +15,7 @@ const { generateVariablesYaml, generateEnvTemplate, generateRbacYaml } = require
 const { generateEnvTemplate: generateEnvTemplateFromReader } = require('../core/env-reader');
 const { generateReadmeMdFile } = require('./readme');
 const logger = require('../utils/logger');
+const { systemKeyToKvPrefix } = require('../utils/credential-secrets-env');
 
 /**
  * Checks if a file exists
@@ -73,7 +74,8 @@ async function generateVariablesYamlFile(appPath, appName, config) {
 }
 
 /**
- * Generates env.template content for external systems based on authentication type
+ * Generates env.template content for external systems based on authentication type.
+ * Uses KV_<APPKEY>_<VAR> convention (e.g. KV_HUBSPOT_CLIENTID) for credential push.
  * @param {Object} config - Application configuration with authType and systemKey
  * @param {string} appName - Application name (used as fallback for systemKey)
  * @returns {string} Environment template content
@@ -81,23 +83,33 @@ async function generateVariablesYamlFile(appPath, appName, config) {
 function generateExternalSystemEnvTemplate(config, appName) {
   const systemKey = config.systemKey || appName;
   const authType = config.authType || 'apikey';
+  const prefix = systemKeyToKvPrefix(systemKey);
+  if (!prefix) return '';
+
   const lines = [
-    `# ${systemKey} ${authType.toUpperCase()} Configuration`,
-    '# These values are set via the Miso Controller interface or Dataplane portal',
-    '# Values are stored in Key Vault automatically by the platform',
+    `# ${systemKey} ${String(authType).toUpperCase()} Configuration`,
+    '# Use KV_* variables for credential push (aifabrix credential push).',
+    '# Values are stored in Key Vault automatically by the platform.',
     ''
   ];
 
-  if (authType === 'oauth2') {
-    lines.push('CLIENTID=kv://' + systemKey + '-clientidKeyVault');
-    lines.push('CLIENTSECRET=kv://' + systemKey + '-clientsecretKeyVault');
-    lines.push('TOKENURL=https://api.example.com/oauth/token');
+  if (authType === 'oauth2' || authType === 'aad') {
+    lines.push(`KV_${prefix}_CLIENTID=`);
+    lines.push(`KV_${prefix}_CLIENTSECRET=`);
+    lines.push('TOKEN_URL=https://api.example.com/oauth/token');
   } else if (authType === 'apikey') {
-    lines.push('API_KEY=kv://' + systemKey + '-api-keyKeyVault');
+    lines.push(`KV_${prefix}_APIKEY=`);
   } else if (authType === 'basic') {
-    lines.push('USERNAME=kv://' + systemKey + '-usernameKeyVault');
-    lines.push('PASSWORD=kv://' + systemKey + '-passwordKeyVault');
+    lines.push(`KV_${prefix}_USERNAME=`);
+    lines.push(`KV_${prefix}_PASSWORD=`);
+  } else if (authType === 'queryParam') {
+    lines.push(`KV_${prefix}_PARAMVALUE=`);
+  } else if (authType === 'oidc') {
+    lines.push('# OIDC: variables only (openIdConfigUrl, clientId); no security keys');
+  } else if (authType === 'hmac') {
+    lines.push(`KV_${prefix}_SIGNINGSECRET=`);
   }
+  // none: no security keys
 
   return lines.join('\n');
 }

package/lib/app/index.js

@@ -141,8 +141,10 @@ async function generateApplicationFiles(finalAppPath, appName, config, options)
 
   // Generate external system files if type is external
   if (config.type === 'external') {
+    const configModule = require('../core/config');
+    const format = (await configModule.getFormat()) || 'yaml';
     const externalGenerator = require('../external-system/generator');
-    await externalGenerator.generateExternalSystemFiles(finalAppPath, appName, config);
+    await externalGenerator.generateExternalSystemFiles(finalAppPath, appName, config, format);
   }
 
   if (options.app) {

package/lib/app/prompts.js

@@ -176,8 +176,13 @@ function buildExternalSystemTypeQuestions(options) {
       message: 'What authentication type does the system use?',
       choices: [
         { name: 'OAuth2', value: 'oauth2' },
+        { name: 'Azure AD', value: 'aad' },
         { name: 'API Key', value: 'apikey' },
-        { name: 'Basic Auth', value: 'basic' }
+        { name: 'Basic Auth', value: 'basic' },
+        { name: 'Query Parameter', value: 'queryParam' },
+        { name: 'OpenID Connect', value: 'oidc' },
+        { name: 'HMAC Signature', value: 'hmac' },
+        { name: 'None', value: 'none' }
       ],
       default: 'apikey'
     });
@@ -185,6 +190,28 @@ function buildExternalSystemTypeQuestions(options) {
   return questions;
 }
 
+/**
+ * Build entityType question for external system datasources
+ * @param {Object} options - Provided options
+ * @returns {Array} Array of question objects
+ */
+function buildEntityTypeQuestion(options) {
+  if (options.entityType) return [];
+  return [{
+    type: 'list',
+    name: 'entityType',
+    message: 'What entity type do the datasources represent?',
+    choices: [
+      { name: 'Record storage (CRM, deals, contacts)', value: 'recordStorage' },
+      { name: 'Document storage (with vector)', value: 'documentStorage' },
+      { name: 'Vector store', value: 'vectorStore' },
+      { name: 'Message service', value: 'messageService' },
+      { name: 'None', value: 'none' }
+    ],
+    default: 'recordStorage'
+  }];
+}
+
 function buildExternalSystemDatasourceQuestion(options) {
   if (options.datasourceCount) return [];
   return [{
@@ -210,6 +237,7 @@ function buildExternalSystemQuestions(options, appName) {
   return [
     ...buildExternalSystemIdentityQuestions(options, appName),
     ...buildExternalSystemTypeQuestions(options),
+    ...buildEntityTypeQuestion(options),
     ...buildExternalSystemDatasourceQuestion(options)
   ];
 }
@@ -325,6 +353,16 @@ function resolveExternalSystemField(options, answers, fieldName, defaultValue) {
   return null;
 }
 
+const EXTERNAL_SYSTEM_FIELD_SPECS = [
+  { key: 'systemKey', default: undefined },
+  { key: 'systemDisplayName', default: undefined },
+  { key: 'systemDescription', default: undefined },
+  { key: 'systemType', default: 'openapi' },
+  { key: 'authType', default: 'apikey' },
+  { key: 'entityType', default: 'recordStorage' },
+  { key: 'datasourceCount', default: 1, transform: (v) => parseInt(v, 10) }
+];
+
 /**
  * Resolve external system fields and add to config
  * @function resolveExternalSystemFields
@@ -334,34 +372,11 @@ function resolveExternalSystemField(options, answers, fieldName, defaultValue) {
  * @returns {void}
  */
 function resolveExternalSystemFields(options, answers, config) {
-  const systemKey = resolveExternalSystemField(options, answers, 'systemKey', undefined);
-  if (systemKey !== null) {
-    config.systemKey = systemKey;
-  }
-
-  const systemDisplayName = resolveExternalSystemField(options, answers, 'systemDisplayName', undefined);
-  if (systemDisplayName !== null) {
-    config.systemDisplayName = systemDisplayName;
-  }
-
-  const systemDescription = resolveExternalSystemField(options, answers, 'systemDescription', undefined);
-  if (systemDescription !== null) {
-    config.systemDescription = systemDescription;
-  }
-
-  const systemType = resolveExternalSystemField(options, answers, 'systemType', 'openapi');
-  if (systemType !== null) {
-    config.systemType = systemType;
-  }
-
-  const authType = resolveExternalSystemField(options, answers, 'authType', 'apikey');
-  if (authType !== null) {
-    config.authType = authType;
-  }
-
-  const datasourceCount = resolveExternalSystemField(options, answers, 'datasourceCount', 1);
-  if (datasourceCount !== null) {
-    config.datasourceCount = parseInt(datasourceCount, 10);
+  for (const { key, default: defaultValue, transform } of EXTERNAL_SYSTEM_FIELD_SPECS) {
+    const value = resolveExternalSystemField(options, answers, key, defaultValue);
+    if (value !== null) {
+      config[key] = transform ? transform(value) : value;
+    }
   }
 }
 

package/lib/app/readme.js

@@ -92,20 +92,23 @@ function extractServiceFlags(config) {
 /**
  * Builds placeholder datasources for external README generation
  * @function buildExternalDatasourcePlaceholders
+ * @param {string} systemKey - System key
  * @param {number} datasourceCount - Datasource count
+ * @param {string} [fileExt='.json'] - File extension (e.g. '.json', '.yaml')
  * @returns {Array<Object>} Datasource placeholders
  */
-function buildExternalDatasourcePlaceholders(systemKey, datasourceCount) {
+function buildExternalDatasourcePlaceholders(systemKey, datasourceCount, fileExt = '.json') {
   const normalizedCount = Number.isInteger(datasourceCount)
     ? datasourceCount
     : parseInt(datasourceCount, 10);
   const total = Number.isFinite(normalizedCount) && normalizedCount > 0 ? normalizedCount : 0;
+  const ext = fileExt && fileExt.startsWith('.') ? fileExt : `.${fileExt || 'json'}`;
   return Array.from({ length: total }, (_value, index) => {
     const entityType = `entity${index + 1}`;
     return {
       entityType,
       displayName: `Datasource ${index + 1}`,
-      fileName: `${systemKey}-datasource-${entityType}.yaml`
+      fileName: `${systemKey}-datasource-${entityType}${ext}`
     };
   });
 }
@@ -143,15 +146,17 @@ function buildReadmeContext(appName, config) {
 function generateReadmeMd(appName, config) {
   if (config.type === 'external') {
     const systemKey = config.systemKey || appName;
+    const fileExt = config.fileExt !== undefined ? config.fileExt : '.json';
     const datasources = Array.isArray(config.datasources) && config.datasources.length > 0
       ? config.datasources
-      : buildExternalDatasourcePlaceholders(systemKey, config.datasourceCount);
+      : buildExternalDatasourcePlaceholders(systemKey, config.datasourceCount, fileExt);
     return generateExternalReadmeContent({
       appName,
       systemKey,
       systemType: config.systemType,
       displayName: config.systemDisplayName,
       description: config.systemDescription,
+      fileExt: config.fileExt,
       datasources
     });
   }

package/lib/app/run-env-compose.js

@@ -16,6 +16,7 @@ const pathsUtil = require('../utils/paths');
 const adminSecrets = require('../core/admin-secrets');
 const secretsEnvWrite = require('../core/secrets-env-write');
 const { getContainerPort } = require('../utils/port-resolver');
+const { getInfraDirName } = require('../infrastructure/helpers');
 
 /**
  * Clean applications directory: remove generated docker-compose.yaml and .env.* files.
@@ -145,16 +146,74 @@ function buildDbInitOnlyEnv(merged) {
   return dbInit;
 }
 
+/**
+ * Return pgpass paths under infra-dev* directories in aifabrix home (for fallback lookup).
+ * @param {string} aifabrixDir - Aifabrix home directory
+ * @returns {string[]} Paths to pgpass files
+ */
+function getInfraDevPgpassPaths(aifabrixDir) {
+  if (!fsSync.existsSync(aifabrixDir)) return [];
+  let entries;
+  try {
+    entries = fsSync.readdirSync(aifabrixDir).sort();
+  } catch {
+    return [];
+  }
+  return entries
+    .filter((name) => name.startsWith('infra-dev'))
+    .map((name) => path.join(aifabrixDir, name, 'pgpass'));
+}
+
+/**
+ * Read first password from a pgpass file (format host:port:db:user:password).
+ * @param {string} pgpassPath - Path to pgpass file
+ * @returns {Promise<string|undefined>} Password or undefined
+ */
+async function readPasswordFromPgpassFile(pgpassPath) {
+  const content = await fs.readFile(pgpassPath, 'utf8');
+  const line = content.split('\n')[0];
+  if (!line) return undefined;
+  const parts = line.split(':');
+  return parts.length >= 5 ? parts[4].trim() : undefined;
+}
+
+/**
+ * Read POSTGRES_PASSWORD from an existing infra pgpass so db-init uses the same password as running Postgres.
+ * Tries dev-specific, then default infra, then any infra-dev* dir (e.g. dev 1 run when only infra-dev06 has pgpass).
+ * @param {number|string} developerId - Developer ID
+ * @returns {Promise<string|undefined>} Password or undefined
+ */
+async function readPostgresPasswordFromPgpass(developerId) {
+  const home = pathsUtil.getAifabrixHome();
+  const idNum = typeof developerId === 'string' ? parseInt(developerId, 10) : developerId;
+  const candidates = [path.join(home, getInfraDirName(developerId), 'pgpass')];
+  if (idNum !== 0) candidates.push(path.join(home, getInfraDirName(0), 'pgpass'));
+  const extra = getInfraDevPgpassPaths(home).filter((p) => !candidates.includes(p));
+  candidates.push(...extra);
+  for (const pgpassPath of candidates) {
+    if (!fsSync.existsSync(pgpassPath)) continue;
+    try {
+      const pwd = await readPasswordFromPgpassFile(pgpassPath);
+      if (pwd !== undefined) return pwd;
+    } catch {
+      // ignore
+    }
+  }
+  return undefined;
+}
+
 /**
  * Build two run env files: .env.run (app-only, no admin secrets) and .env.run.admin (start-only, for db-init).
  * Admin password is never set in the app container; .env.run.admin is used only for start and then deleted.
+ * When an infra pgpass exists, POSTGRES_PASSWORD is taken from it so db-init matches the running Postgres.
  * @async
  * @param {string} appName - Application name
  * @param {Object} appConfig - Application configuration
  * @param {string} devDir - Applications directory path
+ * @param {number|string} [developerId] - Developer ID (for pgpass lookup)
  * @returns {Promise<{ runEnvPath: string, runEnvAdminPath: string }>} Paths to .env.run and .env.run.admin
  */
-async function buildMergedRunEnvAndWrite(appName, appConfig, devDir) {
+async function buildMergedRunEnvAndWrite(appName, appConfig, devDir, developerId) {
   const infra = require('../infrastructure');
   const ensureAdminSecretsFn = typeof infra.ensureAdminSecrets === 'function'
     ? infra.ensureAdminSecrets
@@ -167,6 +226,10 @@ async function buildMergedRunEnvAndWrite(appName, appConfig, devDir) {
     force: false
   });
   const merged = { ...adminObj, ...appObj };
+  if (developerId !== undefined) {
+    const pgpassPwd = await readPostgresPasswordFromPgpass(developerId);
+    if (pgpassPwd !== undefined) merged.POSTGRES_PASSWORD = pgpassPwd;
+  }
   injectDatabaseNamesAndUsers(merged, appConfig);
   injectContainerPortForRun(merged, appConfig, appName);
 

package/lib/app/run-helpers.js

@@ -337,7 +337,7 @@ async function prepareEnvironment(appName, appConfig, options) {
 
   runEnvCompose.cleanApplicationsDir(developerId);
   logger.log(chalk.blue('Building merged .env (admin + app secrets)...'));
-  const { runEnvPath, runEnvAdminPath } = await runEnvCompose.buildMergedRunEnvAndWrite(appName, appConfig, devDir);
+  const { runEnvPath, runEnvAdminPath } = await runEnvCompose.buildMergedRunEnvAndWrite(appName, appConfig, devDir, developerId);
 
   const composeOptions = {
     ...options,

package/lib/app/show-display.js

@@ -161,7 +161,7 @@ function logExternalSystemMain(ext) {
   logger.log(`  Credential:    ${ext.credentialId ?? '—'}`);
   logger.log(`  Status:        ${ext.status ?? '—'}`);
   logger.log(`  API docs:      ${ext.openApiDocsPageUrl ?? ext.apiDocumentUrl ?? '—'}`);
-  logger.log(`  MCP server:   ${ext.mcpServerUrl ?? '—'}`);
+  logger.log(`  MCP server:    ${ext.mcpServerUrl ?? '—'}`);
   logger.log(`  OpenAPI spec:  ${ext.apiDocumentUrl ?? '—'}`);
 }
 

package/lib/cli/setup-app.js

@@ -17,12 +17,20 @@ const { handleCommandError } = require('../utils/cli-utils');
  * @param {Object} options - Raw CLI options
  * @returns {Object} Normalized options
  */
+const VALID_ENTITY_TYPES = ['recordStorage', 'documentStorage', 'vectorStore', 'messageService', 'none'];
+
 function normalizeExternalOptions(options) {
   const normalized = { ...options };
   if (options.displayName) normalized.systemDisplayName = options.displayName;
   if (options.description) normalized.systemDescription = options.description;
   if (options.systemType) normalized.systemType = options.systemType;
   if (options.authType) normalized.authType = options.authType;
+  if (options.entityType) {
+    if (!VALID_ENTITY_TYPES.includes(options.entityType)) {
+      throw new Error(`Invalid --entity-type. Must be one of: ${VALID_ENTITY_TYPES.join(', ')}`);
+    }
+    normalized.entityType = options.entityType;
+  }
   if (options.datasources !== undefined) {
     const parsedCount = parseInt(options.datasources, 10);
     if (Number.isNaN(parsedCount) || parsedCount < 1 || parsedCount > 10) {
@@ -48,6 +56,7 @@ function validateNonInteractiveExternalOptions(normalizedOptions) {
   if (!normalizedOptions.systemDescription) missing.push('--description');
   if (!normalizedOptions.systemType) missing.push('--system-type');
   if (!normalizedOptions.authType) missing.push('--auth-type');
+  if (!normalizedOptions.entityType) missing.push('--entity-type');
   if (!normalizedOptions.datasourceCount) missing.push('--datasources');
   if (missing.length > 0) {
     throw new Error(`Missing required options for non-interactive external create: ${missing.join(', ')}`);
@@ -110,7 +119,8 @@ function setupCreateCommand(program) {
     .option('--display-name <name>', 'External system display name')
     .option('--description <desc>', 'External system description')
     .option('--system-type <type>', 'External system type (openapi, mcp, custom)')
-    .option('--auth-type <type>', 'External system auth type (oauth2, apikey, basic)')
+    .option('--auth-type <type>', 'External system auth type (oauth2, aad, apikey, basic, queryParam, oidc, hmac, none)')
+    .option('--entity-type <type>', 'Entity type for datasources (recordStorage, documentStorage, vectorStore, messageService, none)')
     .option('--datasources <count>', 'Number of datasources to create')
     .action(async(appName, options) => {
       try {
@@ -130,6 +140,7 @@ Examples:
   $ aifabrix wizard my-integration --silent  Run headless with integration/my-integration/wizard.yaml (no prompts)
   $ aifabrix wizard -a my-integration   Same as above (app name set)
   $ aifabrix wizard --config wizard.yaml  Run headless from a wizard config file
+  $ aifabrix wizard hubspot-test-v2 --debug  Enable debug output and save debug manifests on validation failure
 
 Config path: When appName is provided, integration/<appName>/wizard.yaml is used for load/save and error.log.
 To change settings after a run, edit that file and run "aifabrix wizard <app>" again.
@@ -140,6 +151,7 @@ See integration/hubspot/wizard-hubspot-e2e.yaml for an example.`;
     .option('-a, --app <app>', 'Application name (synonym for positional appName)')
     .option('--config <file>', 'Run headless using a wizard.yaml file (appName, mode, source, credential, preferences)')
     .option('--silent', 'Run with saved integration/<app>/wizard.yaml only; no prompts (requires app name and existing wizard.yaml)')
+    .option('--debug', 'Enable debug output and save debug manifests on validation failure')
     .addHelpText('after', wizardHelp)
     .action(async(positionalAppName, options) => {
       try {
@@ -280,6 +292,29 @@ function setupShellTestStopCommands(program) {
     });
 }
 
+async function runTestE2ECommand(appName, options) {
+  const pathsUtil = require('../utils/paths');
+  const appType = await pathsUtil.detectAppType(appName).catch(() => null);
+  if (appType && appType.baseDir === 'integration') {
+    const { runTestE2EForExternalSystem } = require('../commands/test-e2e-external');
+    const { success, results } = await runTestE2EForExternalSystem(appName, {
+      env: options.env,
+      debug: options.debug,
+      verbose: options.verbose,
+      async: options.async !== false
+    });
+    results.forEach(r => {
+      const icon = r.success ? chalk.green('✓') : chalk.red('✗');
+      const msg = r.error ? `${r.key}: ${r.error}` : r.key;
+      logger.log(`  ${icon} ${msg}`);
+    });
+    if (!success) process.exit(1);
+    return;
+  }
+  const { runAppTestE2e } = require('../commands/app-test');
+  await runAppTestE2e(appName, { env: options.env });
+}
+
 function setupInstallTestE2eLintCommands(program) {
   program.command('install <app>')
     .description('Install dependencies in container (builder apps only)')
@@ -301,18 +336,14 @@ function setupInstallTestE2eLintCommands(program) {
     });
 
   program.command('test-e2e <app>')
-    .description('Run e2e tests in container (builder apps only)')
-    .option('--env <env>', 'dev (running container) or tst (ephemeral with .env)', 'dev')
+    .description('Run e2e tests (builder: in container; external system: all datasources via dataplane)')
+    .option('-e, --env <env>', 'Environment: dev, tst, or pro (builder: dev/tst for container)')
+    .option('-v, --verbose', 'Show detailed step output and poll progress')
+    .option('--debug', 'Include debug output and write log to integration/<app>/logs/')
+    .option('--no-async', 'Use sync mode (no polling); single POST per datasource')
     .action(async(appName, options) => {
       try {
-        const pathsUtil = require('../utils/paths');
-        const appType = await pathsUtil.detectAppType(appName).catch(() => null);
-        if (appType && appType.baseDir === 'integration') {
-          logger.log(chalk.gray('test-e2e is for builder applications only. Use aifabrix shell <app> then make test:e2e or pnpm test:e2e.'));
-          return;
-        }
-        const { runAppTestE2e } = require('../commands/app-test');
-        await runAppTestE2e(appName, { env: options.env });
+        await runTestE2ECommand(appName, options);
       } catch (error) {
         handleCommandError(error, 'test-e2e');
         process.exit(1);