@aifabrix/builder 2.42.0 → 2.43.0

package/lib/utils/external-readme.js

@@ -91,6 +91,33 @@ function normalizeDatasources(datasources, systemKey, fileExt = '.json') {
   );
 }
 
+/**
+ * Builds secret path entries for README "Secrets" section per auth type.
+ * Path is the key for `aifabrix secret set <key> <value>` (no kv:// prefix; key format systemKey/secretKey in camelCase).
+ * @param {string} systemKey - System key
+ * @param {string} [authType] - Authentication type (oauth2, aad, apikey, basic, queryParam, hmac, bearer, token, none)
+ * @returns {Array<{path: string, description: string}>} secretPaths for template (path = key for secret set, no kv://)
+ */
+function buildSecretPaths(systemKey, authType) {
+  if (!systemKey || typeof systemKey !== 'string') return [];
+  const t = (authType && typeof authType === 'string') ? authType.toLowerCase() : 'apikey';
+  const map = {
+    oauth2: [{ path: `${systemKey}/clientId`, description: 'Client ID' }, { path: `${systemKey}/clientSecret`, description: 'Client Secret' }],
+    oauth: [{ path: `${systemKey}/clientId`, description: 'Client ID' }, { path: `${systemKey}/clientSecret`, description: 'Client Secret' }],
+    aad: [{ path: `${systemKey}/clientId`, description: 'Client ID' }, { path: `${systemKey}/clientSecret`, description: 'Client Secret' }],
+    apikey: [{ path: `${systemKey}/apiKey`, description: 'API Key' }],
+    apiKey: [{ path: `${systemKey}/apiKey`, description: 'API Key' }],
+    basic: [{ path: `${systemKey}/username`, description: 'Username' }, { path: `${systemKey}/password`, description: 'Password' }],
+    queryparam: [{ path: `${systemKey}/paramValue`, description: 'Query parameter value' }],
+    hmac: [{ path: `${systemKey}/signingSecret`, description: 'Signing secret' }],
+    bearer: [{ path: `${systemKey}/bearerToken`, description: 'Bearer token' }],
+    token: [{ path: `${systemKey}/bearerToken`, description: 'Bearer token' }],
+    oidc: [],
+    none: []
+  };
+  return map[t] || map.apikey;
+}
+
 /**
  * Builds the external system README template context
  * @function buildExternalReadmeContext
@@ -102,6 +129,8 @@ function normalizeDatasources(datasources, systemKey, fileExt = '.json') {
  * @param {string} [params.description] - Description
  * @param {Array} [params.datasources] - Datasource objects
  * @param {string} [params.fileExt] - File extension for config files (e.g. '.json', '.yaml'); default '.json'
+ * @param {string} [params.authType] - Authentication type for Secrets section (oauth2, aad, apikey, basic, etc.)
+ * @param {Object} [params.authentication] - Full authentication object (authType used if authType not set)
  * @returns {Object} Template context
  */
 function buildExternalReadmeContext(params = {}) {
@@ -112,6 +141,8 @@ function buildExternalReadmeContext(params = {}) {
   const systemType = params.systemType || 'openapi';
   const fileExt = params.fileExt !== undefined ? params.fileExt : '.json';
   const datasources = normalizeDatasources(params.datasources, systemKey, fileExt);
+  const authType = params.authType || params.authentication?.type || params.authentication?.method || params.authentication?.authType;
+  const secretPaths = buildSecretPaths(systemKey, authType);
 
   return {
     appName,
@@ -122,7 +153,8 @@ function buildExternalReadmeContext(params = {}) {
     fileExt: fileExt && fileExt.startsWith('.') ? fileExt : `.${fileExt || 'json'}`,
     datasourceCount: datasources.length,
     hasDatasources: datasources.length > 0,
-    datasources
+    datasources,
+    secretPaths
   };
 }
 

package/lib/utils/external-system-display.js

@@ -289,6 +289,20 @@ function displayE2EResults(data, verbose = false) {
     logger.log(`  ${ok ? chalk.green('✓') : chalk.red('✗')} ${name}`);
     if (!ok && (step.error || step.message)) logger.log(chalk.red(`    ${step.error || step.message}`));
     if (verbose && step.message && ok) logger.log(chalk.gray(`    ${step.message}`));
+    if (verbose && ok && (name === 'sync' || step.step === 'sync') && step.evidence && step.evidence.jobs) {
+      formatSyncStepEvidence(step.evidence.jobs);
+    }
+  }
+  if (verbose && data.auditLog && Array.isArray(data.auditLog) && data.auditLog.length > 0) {
+    const n = data.auditLog.length;
+    const first = data.auditLog[0];
+    const execId = (first && (first.executionId || first.id || first.traceId)) ? String(first.executionId || first.id || first.traceId) : null;
+    if (execId) {
+      const short = execId.length > 10 ? `${execId.slice(0, 8)}…` : execId;
+      logger.log(chalk.gray(`  CIP execution trace(s): ${n} (executionId: ${short})`));
+    } else {
+      logger.log(chalk.gray(`  CIP execution trace(s): ${n}`));
+    }
   }
   if (isRunning) {
     return;
@@ -297,6 +311,35 @@ function displayE2EResults(data, verbose = false) {
   logger.log(allPassed ? chalk.green('\n✅ E2E test passed!') : chalk.red('\n❌ E2E test failed'));
 }
 
+/**
+ * Log sync step job evidence (record counts) in verbose E2E output
+ * @param {Object[]} jobs - evidence.jobs from sync step
+ */
+function formatSyncStepEvidence(jobs) {
+  for (const job of jobs) {
+    const rec = job.recordsProcessed ?? job.totalProcessed;
+    const total = job.totalRecords ?? (job.audit && job.audit.totalProcessed);
+    const parts = [];
+    if (rec !== undefined && rec !== null) parts.push(`${rec} processed`);
+    if (total !== undefined && total !== null) parts.push(`total: ${total}`);
+    const audit = job.audit || {};
+    const ins = audit.inserted ?? job.insertedCount;
+    const upd = audit.updated ?? job.updatedCount;
+    const del = audit.deleted ?? job.deletedCount;
+    const tot = audit.totalProcessed ?? total;
+    if (ins !== undefined || upd !== undefined || del !== undefined || tot !== undefined) {
+      const a = [`inserted: ${ins ?? 0}`, `updated: ${upd ?? 0}`, `deleted: ${del ?? 0}`];
+      if (tot !== undefined) a.push(`totalProcessed: ${tot}`);
+      parts.push(`(${a.join(', ')})`);
+    }
+    if (job.skippedCount !== undefined) parts.push(`skipped: ${job.skippedCount}`);
+    if (job.rejectedByQualityCount !== undefined) parts.push(`rejectedByQuality: ${job.rejectedByQualityCount}`);
+    if (parts.length > 0) {
+      logger.log(chalk.gray(`    Managed records: ${parts.join(' ')}`));
+    }
+  }
+}
+
 module.exports = {
   displayTestResults,
   displayIntegrationTestResults,

package/lib/utils/external-system-validators.js

@@ -139,11 +139,11 @@ function validateDimensions(dimensions, results) {
   // Validate dimension keys and values
   for (const [dimensionKey, attributePath] of Object.entries(dimensions)) {
     if (!/^[a-zA-Z0-9_]+$/.test(dimensionKey)) {
-      results.errors.push(`Invalid dimension key '${dimensionKey}': must match pattern ^[a-zA-Z0-9_]+$`);
+      results.errors.push(`Invalid dimension key '${dimensionKey}': dimension key must contain only letters, numbers, and underscores`);
       results.valid = false;
     }
     if (typeof attributePath !== 'string' || !/^[a-zA-Z0-9_.]+$/.test(attributePath)) {
-      results.errors.push(`Invalid attribute path '${attributePath}' for dimension '${dimensionKey}': must match pattern ^[a-zA-Z0-9_.]+$`);
+      results.errors.push(`Invalid attribute path '${attributePath}' for dimension '${dimensionKey}': attribute path must contain only letters, numbers, underscores, and dots`);
       results.valid = false;
     }
   }

package/lib/utils/help-builder.js

@@ -46,9 +46,7 @@ const CATEGORIES = [
       { name: 'build', term: 'build <app>' },
       { name: 'run', term: 'run <app>' },
       { name: 'shell', term: 'shell <app>' },
-      { name: 'test', term: 'test <app>' },
       { name: 'install', term: 'install <app>' },
-      { name: 'test-e2e', term: 'test-e2e <app>' },
       { name: 'lint', term: 'lint <app>' },
       { name: 'logs', term: 'logs <app>' },
       { name: 'stop', term: 'stop <app>' },
@@ -65,15 +63,13 @@ const CATEGORIES = [
   {
     name: 'Environments',
     commands: [
-      { name: 'environment' },
       { name: 'env' }
     ]
   },
   {
-    name: 'Application & Datasource Management',
+    name: 'Application & Management',
     commands: [
       { name: 'app' },
-      { name: 'datasource' },
       { name: 'credential' },
       { name: 'deployment' },
       { name: 'service-user' }
@@ -98,7 +94,9 @@ const CATEGORIES = [
       { name: 'upload', term: 'upload <system-key>' },
       { name: 'delete', term: 'delete <system-key>' },
       { name: 'repair', term: 'repair <app>' },
+      { name: 'datasource' },
       { name: 'test', term: 'test <app>' },
+      { name: 'test-e2e', term: 'test-e2e <app>' },
       { name: 'test-integration', term: 'test-integration <app>' }
     ]
   },

package/lib/utils/local-secrets.js

@@ -15,10 +15,31 @@ const logger = require('../utils/logger');
 const pathsUtil = require('./paths');
 const { mergeSecretsIntoFile } = require('./secrets-generator');
 
+/** Bootstrap key name; never encrypt this key's value when writing (key is stored in config). */
+const ENCRYPTION_KEY_VAULT = 'secrets-encryptionKeyVault';
+
+/**
+ * Resolves value to write: encrypted (secure://) when encryption key is set and key is not the bootstrap key.
+ * @async
+ * @param {string} key - Secret key name
+ * @param {string} value - Secret value
+ * @returns {Promise<string>} Value to write (plaintext or secure://...)
+ */
+async function resolveValueForWrite(key, value) {
+  const config = require('../core/config');
+  const encryptionKey = await config.getSecretsEncryptionKey();
+  if (!encryptionKey || key === ENCRYPTION_KEY_VAULT) {
+    return typeof value === 'string' ? value : String(value);
+  }
+  const { encryptSecret } = require('./secrets-encryption');
+  return encryptSecret(typeof value === 'string' ? value : String(value), encryptionKey);
+}
+
 /**
  * Saves a secret to ~/.aifabrix/secrets.local.yaml
  * Uses paths.getAifabrixHome() to respect config.yaml aifabrix-home override
- * Merges the key into the file (updates in place if key already exists, e.g. after rotate-secret)
+ * Merges the key into the file (updates in place if key already exists, e.g. after rotate-secret).
+ * Encrypts the value when a secrets-encryption key is configured (except for the bootstrap key).
  *
  * @async
  * @function saveLocalSecret
@@ -39,8 +60,9 @@ async function saveLocalSecret(key, value) {
     throw new Error('Secret value is required');
   }
 
+  const valueToWrite = await resolveValueForWrite(key, value);
   const secretsPath = path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
-  mergeSecretsIntoFile(secretsPath, { [key]: value });
+  mergeSecretsIntoFile(secretsPath, { [key]: valueToWrite });
 }
 
 /**
@@ -121,8 +143,9 @@ function _loadExistingSecrets(resolvedPath) {
 async function saveSecret(key, value, secretsPath) {
   validateSaveSecretParams(key, value, secretsPath);
 
+  const valueToWrite = await resolveValueForWrite(key, value);
   const resolvedPath = resolveAndPrepareSecretsPath(secretsPath);
-  mergeSecretsIntoFile(resolvedPath, { [key]: value });
+  mergeSecretsIntoFile(resolvedPath, { [key]: valueToWrite });
 }
 
 /**

package/lib/utils/paths.js

@@ -430,7 +430,7 @@ function getDeployJsonPath(appName, appType, preferNew = false) {
   // If neither exists, return new naming (for generation)
   return newPath;
 }
-const { resolveApplicationConfigPath } = require('./app-config-resolver');
+const { resolveApplicationConfigPath, resolveRbacPath } = require('./app-config-resolver');
 const { loadConfigFile } = require('./config-format');
 /**
  * Checks if app type is external from variables object
@@ -562,6 +562,7 @@ module.exports = {
   resolveBuildContext,
   getDeployJsonPath,
   resolveApplicationConfigPath,
+  resolveRbacPath,
   detectAppType,
   getResolveAppPath,
   resolveIntegrationAppKeyFromCwd,

package/lib/utils/secrets-generator.js

@@ -198,7 +198,7 @@ function saveSecretsFile(resolvedPath, secrets) {
 
   const yamlContent = yaml.dump(secrets, {
     indent: 2,
-    lineWidth: 120,
+    lineWidth: -1,
     noRefs: true,
     sortKeys: false
   });
@@ -206,7 +206,7 @@ function saveSecretsFile(resolvedPath, secrets) {
   fs.writeFileSync(resolvedPath, yamlContent, { mode: 0o600 });
 }
 
-const YAML_DUMP_OPTS = { indent: 2, lineWidth: 120, noRefs: true, sortKeys: false };
+const YAML_DUMP_OPTS = { indent: 2, lineWidth: -1, noRefs: true, sortKeys: false };
 
 /**
  * Merges secret keys into the secrets file (load existing, merge, overwrite file).

package/lib/utils/secrets-utils.js

@@ -14,6 +14,7 @@ const path = require('path');
 const yaml = require('js-yaml');
 const logger = require('./logger');
 const pathsUtil = require('./paths');
+const { ensureSecureFilePermissions } = require('./secure-file-permissions');
 const { getContainerPort } = require('./port-resolver');
 const { loadYamlTolerantOfDuplicateKeys } = require('./secrets-generator');
 
@@ -78,6 +79,7 @@ function loadPrimaryUserSecrets() {
   if (!fs.existsSync(userSecretsPath)) {
     return {};
   }
+  ensureSecureFilePermissions(userSecretsPath);
 
   try {
     const content = fs.readFileSync(userSecretsPath, 'utf8');
@@ -106,6 +108,7 @@ function loadUserSecrets() {
   if (!fs.existsSync(userSecretsPath)) {
     return {};
   }
+  ensureSecureFilePermissions(userSecretsPath);
 
   try {
     const content = fs.readFileSync(userSecretsPath, 'utf8');
@@ -134,6 +137,7 @@ function loadDefaultSecrets() {
   if (!fs.existsSync(defaultPath)) {
     return {};
   }
+  ensureSecureFilePermissions(defaultPath);
 
   try {
     const content = fs.readFileSync(defaultPath, 'utf8');

package/lib/utils/secure-file-permissions.js

@@ -0,0 +1,91 @@
+/**
+ * Secure file permissions for secrets and config (ISO 27001).
+ * Ensures sensitive files are restricted to owner-only (0o600) when read or written.
+ *
+ * @fileoverview Enforce restrictive permissions on secrets and config files
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+/** Mode for secrets and admin files: owner read/write only (no group/other). */
+const SECRET_FILE_MODE = 0o600;
+
+/** Mode for config file (may contain tokens): owner read/write only. */
+const CONFIG_FILE_MODE = 0o600;
+
+/**
+ * Ensures a file has restrictive permissions (0o600) when it exists.
+ * If the file has group or other read/write/execute bits set, chmods to owner-only.
+ * Safe to call on every read path; no-op when file is missing or already 0o600.
+ * On Windows, chmod restricts write access; mode bits are not fully supported.
+ *
+ * @param {string} filePath - Absolute or relative path to the file
+ * @param {number} [mode=0o600] - Desired mode (default SECRET_FILE_MODE)
+ * @returns {boolean} True if file existed and permissions were (or are now) secure
+ */
+function ensureSecureFilePermissions(filePath, mode = SECRET_FILE_MODE) {
+  if (!filePath || typeof filePath !== 'string') {
+    return false;
+  }
+  const resolved = path.isAbsolute(filePath) ? filePath : path.resolve(filePath);
+  try {
+    if (!fs.existsSync(resolved)) {
+      return false;
+    }
+    const stat = fs.statSync(resolved);
+    if (!stat.isFile()) {
+      return false;
+    }
+    const currentMode = stat.mode & 0o777;
+    if ((currentMode & 0o77) === 0) {
+      return true;
+    }
+    fs.chmodSync(resolved, mode);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Ensures a directory has restrictive permissions (0o700) when it exists.
+ * No-op when directory is missing or already 0o700 (no group/other).
+ *
+ * @param {string} dirPath - Absolute or relative path to the directory
+ * @returns {boolean} True if directory existed and permissions were (or are now) secure
+ */
+function ensureSecureDirPermissions(dirPath) {
+  if (!dirPath || typeof dirPath !== 'string') {
+    return false;
+  }
+  const resolved = path.isAbsolute(dirPath) ? dirPath : path.resolve(dirPath);
+  try {
+    if (!fs.existsSync(resolved)) {
+      return false;
+    }
+    const stat = fs.statSync(resolved);
+    if (!stat.isDirectory()) {
+      return false;
+    }
+    const currentMode = stat.mode & 0o777;
+    if ((currentMode & 0o77) === 0) {
+      return true;
+    }
+    fs.chmodSync(resolved, 0o700);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+module.exports = {
+  ensureSecureFilePermissions,
+  ensureSecureDirPermissions,
+  SECRET_FILE_MODE,
+  CONFIG_FILE_MODE
+};

package/lib/utils/token-manager.js

@@ -21,12 +21,43 @@ const {
 } = require('./token-manager-refresh');
 const { warnRefreshFailureOnce, warnRefreshTokenExpiredOnce } = require('./token-manager-messages');
 
+/** App key used for dataplane client credentials in secrets.local.yaml */
+const DATAPLANE_APP_KEY = 'dataplane';
+
 function getSecretsFilePath() {
   return path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
 }
 
 /**
- * Load client credentials from secrets.local.yaml or process.env (e.g. integration/hubspot/.env).
+ * Validate that secrets.local.yaml contains dataplane client credentials.
+ * If missing, the developer should run: aifabrix app rotate-secret dataplane
+ * @param {string} [secretsFilePath] - Path to secrets file; defaults to ~/.aifabrix/secrets.local.yaml
+ * @returns {{ valid: boolean, hint?: string }}
+ */
+function validateDataplaneSecrets(secretsFilePath) {
+  const filePath = secretsFilePath || getSecretsFilePath();
+  const hint = 'Dataplane credentials are missing. Run: aifabrix app rotate-secret dataplane';
+  try {
+    if (!fs.existsSync(filePath)) {
+      return { valid: false, hint };
+    }
+    const content = fs.readFileSync(filePath, 'utf8');
+    const secrets = yaml.load(content) || {};
+    const clientIdKey = `${DATAPLANE_APP_KEY}-client-idKeyVault`;
+    const clientSecretKey = `${DATAPLANE_APP_KEY}-client-secretKeyVault`;
+    const hasId = secrets[clientIdKey] !== null && secrets[clientIdKey] !== undefined && String(secrets[clientIdKey]).trim() !== '';
+    const hasSecret = secrets[clientSecretKey] !== null && secrets[clientSecretKey] !== undefined && String(secrets[clientSecretKey]).trim() !== '';
+    if (hasId && hasSecret) {
+      return { valid: true };
+    }
+    return { valid: false, hint };
+  } catch {
+    return { valid: false, hint };
+  }
+}
+
+/**
+ * Load client credentials from secrets.local.yaml or process.env (e.g. integration/hubspot-test/.env).
  * Reads secrets file using pattern: <app-name>-client-idKeyVault and <app-name>-client-secretKeyVault.
  * If not found, checks process.env.CLIENTID and process.env.CLIENTSECRET (set when .env is loaded).
  * @param {string} appName - Application name
@@ -60,7 +91,7 @@ async function loadClientCredentials(appName) {
     logger.warn(`Failed to load credentials from secrets.local.yaml: ${error.message}`);
   }
 
-  // Fallback: use CLIENTID/CLIENTSECRET from process.env (e.g. from integration/hubspot/.env)
+  // Fallback: use CLIENTID/CLIENTSECRET from process.env (e.g. from integration/hubspot-test/.env)
   const envClientId = process.env.CLIENTID || process.env.CLIENT_ID;
   const envClientSecret = process.env.CLIENTSECRET || process.env.CLIENT_SECRET;
   if (envClientId && envClientSecret) {
@@ -439,6 +470,7 @@ function requireBearerForDataplanePipeline(authConfig) {
 }
 
 module.exports = {
+  DATAPLANE_APP_KEY,
   getDeviceToken,
   getClientToken,
   isTokenExpired,
@@ -452,5 +484,6 @@ module.exports = {
   getDeploymentAuth,
   getDeviceOnlyAuth,
   extractClientCredentials,
-  requireBearerForDataplanePipeline
+  requireBearerForDataplanePipeline,
+  validateDataplaneSecrets
 };

package/lib/utils/yaml-preserve.js

@@ -185,6 +185,9 @@ function formatValue(value, quoted, quoteChar) {
  * const result = encryptYamlValues(yamlContent, encryptionKey);
  * // Returns: { content: '...', encrypted: 5, total: 10 }
  */
+/** Pattern for YAML block scalar indicator (e.g. key: >- or key: |) */
+const BLOCK_SCALAR_PATTERN = /^(\s*)([^#:\n]+?):\s*(\|[-+]?|>[-+]?)(\s*)(#.*)?$/;
+
 /**
  * Processes a single line for encryption
  * @function processLineForEncryption
@@ -221,13 +224,68 @@ function processLineForEncryption(line, encryptionKey, stats) {
   return line;
 }
 
+/**
+ * Collects continuation lines for a YAML block scalar (value on next lines).
+ * @param {string[]} lines - All lines
+ * @param {number} startIndex - Index of line after the key: >- line
+ * @param {number} keyIndentLen - Number of leading spaces on the key line
+ * @returns {{ value: string, endIndex: number }} Combined value and index after last continuation line
+ */
+function collectBlockScalarLines(lines, startIndex, keyIndentLen) {
+  const parts = [];
+  let i = startIndex;
+  while (i < lines.length) {
+    const line = lines[i];
+    const contentTrimmed = line.trim();
+    if (contentTrimmed === '' || contentTrimmed.startsWith('#')) {
+      i++;
+      continue;
+    }
+    const indentLen = line.length - line.trimStart().length;
+    if (indentLen <= keyIndentLen) {
+      break;
+    }
+    parts.push(contentTrimmed);
+    i++;
+  }
+  return { value: parts.join(' '), endIndex: i };
+}
+
 function encryptYamlValues(content, encryptionKey) {
   const lines = content.split(/\r?\n/);
   const encryptedLines = [];
   const stats = { encrypted: 0, total: 0 };
+  let i = 0;
+
+  while (i < lines.length) {
+    const line = lines[i];
+    const trimmed = line.trim();
+
+    if (trimmed === '' || trimmed.startsWith('#')) {
+      encryptedLines.push(line);
+      i++;
+      continue;
+    }
+
+    const blockMatch = line.match(BLOCK_SCALAR_PATTERN);
+    if (blockMatch) {
+      const [, indent, key, blockIndicator, trailingWhitespace, comment] = blockMatch;
+      const keyIndentLen = indent.length;
+      const folded = blockIndicator.startsWith('>');
+      const { value: rawValue, endIndex } = collectBlockScalarLines(lines, i + 1, keyIndentLen);
+      const value = folded ? rawValue.replace(/\s+/g, ' ').trim() : rawValue;
+      stats.total++;
+      const outValue = shouldEncryptValue(value) ? encryptSecret(value, encryptionKey) : value;
+      if (shouldEncryptValue(value)) {
+        stats.encrypted++;
+      }
+      encryptedLines.push(`${indent}${key}: ${outValue}${trailingWhitespace || ''}${comment || ''}`);
+      i = endIndex;
+      continue;
+    }
 
-  for (const line of lines) {
     encryptedLines.push(processLineForEncryption(line, encryptionKey, stats));
+    i++;
   }
 
   return {

package/lib/validation/env-template-auth.js

@@ -10,6 +10,7 @@
  */
 
 const { loadExternalIntegrationConfig, loadSystemFile } = require('../generator/external');
+const { getKvPathSegmentForSecurityKey } = require('../utils/credential-secrets-env');
 
 /**
  * Extracts all kv:// paths from env.template content (RHS of VAR=value lines).
@@ -93,7 +94,7 @@ function setHasPathIgnoreCase(pathSet, requiredPath) {
  * @returns {Promise<{ requiredPaths: Set<string>, warning?: string }>} Required kv paths and optional warning
  *
  * @example
- * const { requiredPaths } = await collectRequiredAuthKvPaths('/path/to/integration/hubspot');
+ * const { requiredPaths } = await collectRequiredAuthKvPaths('/path/to/integration/hubspot-test');
  * // requiredPaths has kv:// paths from authentication.security
  */
 async function collectRequiredAuthKvPaths(appPath, _options = {}) {
@@ -148,10 +149,57 @@ async function validateAuthKvCoverage(appPath, content, errors, warnings, option
   }
 }
 
+/**
+ * Derives system key from system file name (e.g. hubspot-system.yaml -> hubspot).
+ * @param {string} systemFileName - System file name
+ * @returns {string}
+ */
+function systemKeyFromFileName(systemFileName) {
+  if (!systemFileName || typeof systemFileName !== 'string') return '';
+  return systemFileName.replace(/-system\.(yaml|yml|json)$/i, '');
+}
+
+/**
+ * Validates that authentication.security paths in system files match the canonical path
+ * (kv://<systemKey>/<getKvPathSegmentForSecurityKey(securityKey)>). Pushes errors when they differ.
+ *
+ * @async
+ * @function validateAuthSecurityPathConsistency
+ * @param {string} appPath - Application path (integration or builder dir)
+ * @param {string[]} errors - Errors array to push to
+ * @param {string[]} warnings - Warnings array to push to (unused; for API consistency)
+ */
+async function validateAuthSecurityPathConsistency(appPath, errors, _warnings) {
+  try {
+    const { schemaBasePath, systemFiles } = await loadExternalIntegrationConfig(appPath);
+    for (const systemFileName of systemFiles) {
+      const systemKey = systemKeyFromFileName(systemFileName);
+      if (!systemKey) continue;
+      const systemJson = await loadSystemFile(appPath, schemaBasePath, systemFileName);
+      const security = systemJson.authentication?.security;
+      if (!security || typeof security !== 'object') continue;
+      for (const [key, value] of Object.entries(security)) {
+        if (typeof value !== 'string' || !/^kv:\/\/.+/.test(value)) continue;
+        const canonicalSegment = getKvPathSegmentForSecurityKey(key);
+        const canonicalPath = canonicalSegment ? `kv://${systemKey}/${canonicalSegment}` : null;
+        if (canonicalPath && value !== canonicalPath) {
+          errors.push(
+            `authentication.security.${key} has path ${value}; canonical path is ${canonicalPath}. Run \`aifabrix repair <app>\` to normalize.`
+          );
+        }
+      }
+    }
+  } catch (error) {
+    _warnings.push(`Could not validate auth path consistency: ${error.message}`);
+  }
+}
+
 module.exports = {
   extractKvPathsFromEnvTemplate,
   extractKvPathsFromCommentedLines,
   setHasPathIgnoreCase,
   collectRequiredAuthKvPaths,
-  validateAuthKvCoverage
+  validateAuthKvCoverage,
+  validateAuthSecurityPathConsistency,
+  systemKeyFromFileName
 };

package/lib/validation/external-manifest-validator.js

@@ -13,6 +13,8 @@ const Ajv = require('ajv');
 const fs = require('fs');
 const path = require('path');
 const { formatValidationErrors } = require('../utils/error-formatter');
+const { validateFieldReferences } = require('../datasource/field-reference-validator');
+const { validateAbac } = require('../datasource/abac-validator');
 
 /**
  * Sets up AJV validator with external schemas
@@ -113,6 +115,12 @@ function validateDatasources(manifest, ajv, externalDatasourceSchema, errors, wa
         if (!datasourceValid) {
           const datasourceErrors = formatValidationErrors(validateDatasource.errors);
           errors.push(...datasourceErrors.map(err => `Datasource ${index + 1} (${datasource.key || 'unknown'}): ${err}`));
+        } else {
+          const fieldRefErrors = validateFieldReferences(datasource);
+          const abacErrors = validateAbac(datasource);
+          const prefix = `Datasource ${index + 1} (${datasource.key || 'unknown'}): `;
+          fieldRefErrors.forEach(e => errors.push(prefix + e));
+          abacErrors.forEach(e => errors.push(prefix + e));
         }
       });
     }

package/lib/validation/validate.js

@@ -15,6 +15,8 @@ const validator = require('./validator');
 const { resolveExternalFiles } = require('../utils/schema-resolver');
 const { loadExternalSystemSchema, loadExternalDataSourceSchema, detectSchemaType } = require('../utils/schema-loader');
 const { formatValidationErrors } = require('../utils/error-formatter');
+const { validateFieldReferences } = require('../datasource/field-reference-validator');
+const { validateAbac } = require('../datasource/abac-validator');
 const { detectAppType } = require('../utils/paths');
 const batch = require('./validate-batch');
 const { logOfflinePathWhenType } = require('../utils/cli-utils');
@@ -200,6 +202,12 @@ async function validateExternalFile(filePath, type) {
     validateConfigurationNoStandardAuthVariables(parseResult.parsed, errors);
   }
 
+  if (normalizedType === 'datasource') {
+    const fieldRefErrors = validateFieldReferences(parseResult.parsed);
+    const abacErrors = validateAbac(parseResult.parsed);
+    errors.push(...fieldRefErrors, ...abacErrors);
+  }
+
   return {
     valid: errors.length === 0,
     errors,