npm - @aifabrix/builder - Versions diffs - 2.42.0 → 2.43.0 - Mend

@aifabrix/builder 2.42.0 → 2.43.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (133) hide show

package/lib/validation/validator.js CHANGED Viewed

@@ -11,7 +11,6 @@
 const fs = require('fs');
 const path = require('path');
-const yaml = require('js-yaml');
 const Ajv = require('ajv');
 const applicationSchema = require('../schema/application-schema.json');
 const externalSystemSchema = require('../schema/external-system.schema.json');
@@ -19,9 +18,9 @@ const externalDataSourceSchema = require('../schema/external-datasource.schema.j
 const { transformVariablesForValidation } = require('../utils/variable-transformer');
 const { checkEnvironment } = require('../utils/environment-checker');
 const { formatValidationErrors } = require('../utils/error-formatter');
-const { detectAppType, resolveApplicationConfigPath } = require('../utils/paths');
+const { detectAppType, resolveApplicationConfigPath, resolveRbacPath } = require('../utils/paths');
 const { loadConfigFile } = require('../utils/config-format');
-const { validateAuthKvCoverage } = require('./env-template-auth');
+const { validateAuthKvCoverage, validateAuthSecurityPathConsistency } = require('./env-template-auth');
 const { validateKvReferencesInLines } = require('./env-template-kv');
 /**
@@ -155,7 +154,7 @@ async function validateVariables(appName, options = {}) {
 function validateRoles(roles) {
   const errors = [];
   if (!roles || !Array.isArray(roles)) {
-    errors.push('rbac.yaml must contain a "roles" array');
+    errors.push('rbac file must contain a "roles" array');
     return errors;
   }
@@ -179,7 +178,7 @@ function validateRoles(roles) {
 function validatePermissions(permissions) {
   const errors = [];
   if (!permissions || !Array.isArray(permissions)) {
-    errors.push('rbac.yaml must contain a "permissions" array');
+    errors.push('rbac file must contain a "permissions" array');
     return errors;
   }
@@ -203,21 +202,18 @@ async function validateRbac(appName, options = {}) {
   // Support both builder/ and integration/ directories using detectAppType
   const { appPath } = await detectAppType(appName, options);
-  const rbacYaml = path.join(appPath, 'rbac.yaml');
-  const rbacYml = path.join(appPath, 'rbac.yml');
-  const rbacPath = fs.existsSync(rbacYaml) ? rbacYaml : (fs.existsSync(rbacYml) ? rbacYml : null);
+  const rbacPath = resolveRbacPath(appPath);
   if (!rbacPath) {
-    return { valid: true, errors: [], warnings: ['rbac.yaml not found - authentication disabled'] };
+    return { valid: true, errors: [], warnings: ['rbac file not found - authentication disabled'] };
   }
-  const content = fs.readFileSync(rbacPath, 'utf8');
   let rbac;
   try {
-    rbac = yaml.load(content);
+    rbac = loadConfigFile(rbacPath);
   } catch (error) {
-    throw new Error(`Invalid YAML syntax in rbac.yaml: ${error.message}`);
+    const basename = path.basename(rbacPath);
+    throw new Error(`Invalid syntax in ${basename}: ${error.message}`);
   }
   const errors = [
@@ -287,6 +283,7 @@ async function validateEnvTemplate(appName, options = {}) {
   if (isExternal) {
     await validateAuthKvCoverage(appPath, content, errors, warnings, options);
+    await validateAuthSecurityPathConsistency(appPath, errors, warnings);
   }
   return {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.42.0",
+  "version": "2.43.0",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {
@@ -10,13 +10,17 @@
   "scripts": {
     "test": "node tests/scripts/test-wrapper.js",
     "test:ci": "bash tests/scripts/ci-simulate.sh",
-    "test:same-as-github": "cross-env CI=true npm run lint && cross-env CI=true node tests/scripts/test-wrapper.js",
+    "test:same-as-github": "npm run build:ci",
     "test:coverage": "cross-env RUN_COVERAGE=1 node tests/scripts/test-wrapper.js",
     "test:coverage:nyc": "nyc --reporter=text --reporter=lcov --reporter=html jest --config jest.config.coverage.js --runInBand",
     "test:watch": "jest --watch",
     "test:integration": "jest --config jest.config.integration.js --runInBand",
     "test:integration:python": "cross-env TEST_LANGUAGE=python jest --config jest.config.integration.js --runInBand",
     "test:integration:typescript": "cross-env TEST_LANGUAGE=typescript jest --config jest.config.integration.js --runInBand",
+    "test:hubspot-wizard": "node integration/hubspot-test/test.js",
+    "test:hubspot-wizard:negative": "node integration/hubspot-test/test.js --type negative",
+    "test:hubspot-wizard:positive": "node integration/hubspot-test/test.js --type positive",
+    "test:hubspot-dataplane-down": "node integration/hubspot-test/test-dataplane-down.js",
     "test:manual": "jest --config jest.config.manual.js --runInBand",
     "lint": "eslint . --ext .js",
     "lint:fix": "eslint . --ext .js --fix",

package/templates/applications/dataplane/env.template CHANGED Viewed

@@ -54,10 +54,14 @@ DATABASE_URL=kv://databases-dataplane-0-urlKeyVault
 DB_0_PASSWORD=kv://databases-dataplane-0-passwordKeyVault
 # Vector and document store DB: chunks, embeddings, vector indexes (pgvector).
-# Binaries path: config.processing.fileStoragePath or /data/documents.
 VECTOR_DATABASE_URL=kv://databases-dataplane-1-urlKeyVault
 DB_1_PASSWORD=kv://databases-dataplane-1-passwordKeyVault
+# Base path for document binary storage (used when datasource config has no processing.fileStoragePath).
+# Dataplane creates subdirs per datasource key (e.g. DOCUMENT_STORAGE_BASE_PATH/test-e2e-sharepoint-documents).
+# Production: use a writable path (e.g. /data/documents) and mount a volume. Local/Docker: use /tmp/documents or /app/data/documents.
+DOCUMENT_STORAGE_BASE_PATH=/mnt/data/documents
 # Logs Database Configuration (for execution, audit, ABAC traces)
 LOGS_DATABASE_URL=kv://databases-dataplane-2-urlKeyVault
 DB_2_PASSWORD=kv://databases-dataplane-2-passwordKeyVault

package/templates/applications/miso-controller/application.yaml CHANGED Viewed

@@ -4,7 +4,7 @@ app:
   displayName: 'Miso Controller'
   description: 'Miso is the AI Fabrix in-tenant controller and portal layer for securely operating enterprise AI apps inside a customer’s Azure tenant. It provides Entra ID SSO, RBAC, audit logs, environment/app configuration via schemas, and safe secret handling via Key Vault references—ensuring governance, traceability, and predictable UX across portal, SDK, and CLI.'
   type: webapp
-  version: '1.8.0'
+  version: '1.9.0'
 # Image Configuration
 image:

package/templates/applications/miso-controller/env.template CHANGED Viewed

@@ -111,6 +111,10 @@ REDIS_PERMISSIONS_TTL=900
 KEYCLOAK_REALM=aifabrix
 KEYCLOAK_SERVER_URL=kv://keycloak-server-url
 KEYCLOAK_INTERNAL_SERVER_URL=kv://keycloak-internal-server-url
+# Docker/internal host and port: used when config from DB has localhost (getDockerKeycloakInternalUrl).
+# Resolved from env-config (e.g. KEYCLOAK_HOST=keycloak, KEYCLOAK_PORT=8080 for docker).
+KEYCLOAK_HOST=${KEYCLOAK_HOST}
+KEYCLOAK_PORT=${KEYCLOAK_PORT}
 KEYCLOAK_CLIENT_ID=miso-controller
 KEYCLOAK_CLIENT_SECRET=kv://keycloak-client-secretKeyVault
 KEYCLOAK_ADMIN_USERNAME=admin
@@ -306,8 +310,14 @@ MISO_ALLOWED_ORIGINS=http://localhost:*
 # =============================================================================
 # LICENSE CONFIGURATION
 # =============================================================================
-# Temporary development bypass: set LICENSE_JWT=DEVELOPMENT to skip Mori validation.
-# Will be replaced by JWT license validation (see plan 131-jwt_license_offline_validation).
+# Offline JWT license (optional):
+# - If set, controller validates license offline (RS256) without Mori subscription status call.
+# - Value can be literal JWT or kv:// reference.
+# - If not set, controller falls back to existing Mori subscription validation flow.
+#
+# Development: set to DEVELOPMENT to disable license validation (no Mori/JWT required):
+#   LICENSE_JWT=DEVELOPMENT
+# - Use only for local development; do not use in production.
 LICENSE_JWT=DEVELOPMENT
 # =============================================================================
@@ -315,6 +325,7 @@ LICENSE_JWT=DEVELOPMENT
 # =============================================================================
 MORI_BASE_URL=kv://mori-controller-url
+MORI_AUTH_METHOD=apiKey
 MORI_API_KEY=kv://mori-controller-api-keyKeyVault
 MORI_USERNAME=kv://mori-controller-basic-usernameKeyVault
 MORI_PASSWORD=kv://mori-controller-basic-passwordKeyVault

package/templates/external-system/README.md.hbs CHANGED Viewed

@@ -46,6 +46,18 @@ Edit files in `integration/{{appName}}/`:
 - **Field mappings**: `{{systemKey}}-datasource-*-datasource{{fileExt}}` (dimensions, attributes, operations)
 - **Credential and configuration**: `env.template` (security settings and configuration variables)
+{{#if secretPaths}}{{#if secretPaths.length}}
+### Secrets
+Secrets are resolved from `.aifabrix` or key vault. Set them with:
+```bash
+{{#each secretPaths}}
+aifabrix secret set {{path}} <your value>   # {{description}}
+{{/each}}
+```
+{{/if}}{{/if}}
 ### 3. Validate Configuration
 ```bash
@@ -61,11 +73,12 @@ aifabrix repair {{appName}}
 ```
 Options:
-  --dry-run   Report changes only; do not write
-  --rbac      Ensure RBAC permissions per datasource and add default Admin/Reader roles if none exist
-  --expose    Set exposed.attributes on each datasource to all fieldMappings.attributes keys
-  --sync      Add default sync section to datasources that lack it
-  --test      Generate testPayload.payloadTemplate and testPayload.expectedResult from attributes
+  --auth <method>  Set authentication method (oauth2, aad, apikey, basic, queryParam, oidc, hmac, none); updates system file and env.template
+  --dry-run        Report changes only; do not write
+  --rbac           Ensure RBAC permissions per datasource and add default Admin/Reader roles if none exist
+  --expose         Set exposed.attributes on each datasource to all fieldMappings.attributes keys
+  --sync           Add default sync section to datasources that lack it
+  --test           Generate testPayload.payloadTemplate and testPayload.expectedResult from attributes
 ### 5. Upload to dataplane

package/templates/external-system/env.template.hbs ADDED Viewed

@@ -0,0 +1,22 @@
+# Environment variables for external system integration
+# Use kv:// (or aifabrix secret set) for sensitive values; plain values for non-sensitive configuration.
+#
+{{#if authMethod}}
+# Authentication
+# Type: {{authMethod}}
+{{#each authSecureVars}}
+{{name}}={{value}}
+{{/each}}
+{{#if authNonSecureVarNames}}
+# Non-secure (e.g. URLs): {{#each authNonSecureVarNames}}{{this}}{{#unless @last}}, {{/unless}}{{/each}}
+{{/if}}
+{{/if}}
+{{#if configuration.length}}
+# Configuration
+{{#each configuration}}
+# {{comment}}
+{{name}}={{value}}
+{{/each}}
+{{/if}}

package/integration/hubspot/README.md DELETED Viewed

@@ -1,100 +0,0 @@
-# HubSpot CRM
-HubSpot CRM integration with OpenAPI support for companies, contacts, and deals
-## System Information
-- **System Key**: `hubspot`
-- **System Type**: `openapi`
-- **Datasources**: 4
-## Files
-- `application.yaml` – Application configuration with `app` and `externalIntegration` blocks
-- `hubspot-system.yaml` – External system definition (authentication, OpenAPI/MCP, RBAC)
-- `hubspot-datasource-deal.yaml` – Datasource: HubSpot Deal
-- `hubspot-datasource-contact.yaml` – Datasource: HubSpot Contact
-- `hubspot-datasource-users-datasource.yaml` – Datasource: HubSpot Users
-- `hubspot-datasource-company.yaml` – Datasource: HubSpot Company
-- `env.template` – Environment variables template (secrets, API keys)
-- `hubspot-deploy.json` – Deployment manifest (generated by `aifabrix json`)
-Optional: `rbac.yaml` – Roles and permissions merged into the system when present.
-## Quick Start
-### 1. Create External System
-```bash
-aifabrix create hubspot --type external
-```
-Or use the interactive wizard:
-```bash
-aifabrix wizard --app hubspot
-```
-### 2. Configure Authentication and Datasources
-Edit files in `integration/hubspot/`:
-- **Authentication**: `hubspot-system.yaml` (auth type, credentials placeholders)
-- **Field mappings**: `hubspot-datasource-*.yaml` (dimensions, attributes, operations)
-### 3. Validate Configuration
-```bash
-aifabrix validate hubspot --type external
-```
-### 4. Generate Deployment Manifest
-```bash
-aifabrix json hubspot --type external
-```
-This creates `hubspot-deploy.json` in `integration/hubspot/`.
-### 5. Deploy
-Controller URL and environment are read from config. Configure and log in first:
-```bash
-aifabrix auth config --set-controller <url> --set-environment dev
-aifabrix login
-```
-Then deploy:
-```bash
-aifabrix deploy hubspot
-```
-## Testing
-### Unit Tests (Local Validation, No API)
-```bash
-aifabrix test hubspot
-```
-### Integration Tests (Via Dataplane)
-```bash
-aifabrix test-integration hubspot
-```
-## Deployment
-Deploy via miso-controller pipeline (same as regular apps). Auth and controller come from `aifabrix login` and `aifabrix auth config`:
-```bash
-aifabrix deploy hubspot
-```
-## Troubleshooting
-- **Validation errors**: Run `aifabrix validate hubspot --type external` to see schema and manifest errors.
-- **Deployment / auth**: Run `aifabrix auth config --set-controller <url> --set-environment <env>` and `aifabrix login` before `aifabrix deploy`.
-- **File not found**: Run commands from the project root (where `package.json` and `integration/` live).

package/integration/hubspot/env.template DELETED Viewed

@@ -1,4 +0,0 @@
-HUBSPOT_API_VERSION=v3
-MAX_PAGE_SIZE=100
-KV_HUBSPOT_CLIENTID=kv://hubspot/clientid
-KV_HUBSPOT_CLIENTSECRET=kv://hubspot/clientsecret