npm - @aifabrix/builder - Versions diffs - 2.42.0 → 2.43.0 - Mend

@aifabrix/builder 2.42.0 → 2.43.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (133) hide show

package/lib/commands/secrets-validate.js CHANGED Viewed

@@ -12,6 +12,7 @@ const chalk = require('chalk');
 const path = require('path');
 const logger = require('../utils/logger');
 const { validateSecretsFile } = require('../utils/secrets-validation');
+const { validateDataplaneSecrets } = require('../utils/token-manager');
 const pathsUtil = require('../utils/paths');
 const secretsEnsure = require('../core/secrets-ensure');
@@ -38,13 +39,25 @@ async function handleSecretsValidate(pathArg, options = {}) {
   }
   const result = validateSecretsFile(filePath, { checkNaming: Boolean(options.naming) });
+  const dataplaneResult = validateDataplaneSecrets(filePath);
+  const allValid = result.valid && dataplaneResult.valid;
   if (result.valid) {
     logger.log(chalk.green(`✓ Secrets file is valid: ${result.path}`));
-    return { valid: true, errors: [] };
+  } else {
+    logger.log(chalk.red(`✗ Validation failed: ${result.path}`));
+    result.errors.forEach((err) => logger.log(chalk.yellow(`  • ${err}`)));
   }
-  logger.log(chalk.red(`✗ Validation failed: ${result.path}`));
-  result.errors.forEach((err) => logger.log(chalk.yellow(`  • ${err}`)));
-  return { valid: false, errors: result.errors };
+  if (!dataplaneResult.valid) {
+    logger.log(chalk.yellow(`⚠ ${dataplaneResult.hint}`));
+    if (result.valid) {
+      logger.log(chalk.yellow('  Wizard/dataplane calls may fail until dataplane credentials are present.'));
+    }
+  }
+  return {
+    valid: allValid,
+    errors: allValid ? [] : [...result.errors, ...(dataplaneResult.valid ? [] : [dataplaneResult.hint])],
+    dataplaneValid: dataplaneResult.valid
+  };
 }
 module.exports = { handleSecretsValidate };

package/lib/commands/service-user.js CHANGED Viewed

@@ -12,7 +12,14 @@ const logger = require('../utils/logger');
 const { resolveControllerUrl } = require('../utils/controller-url');
 const { getOrRefreshDeviceToken } = require('../utils/token-manager');
 const { normalizeControllerUrl } = require('../core/config');
-const { createServiceUser } = require('../api/service-users.api');
+const {
+  createServiceUser,
+  listServiceUsers,
+  regenerateSecretServiceUser,
+  deleteServiceUser,
+  updateGroupsServiceUser,
+  updateRedirectUrisServiceUser
+} = require('../api/service-users.api');
 const ONE_TIME_WARNING =
   'Save this secret now; it will not be shown again.';
@@ -54,6 +61,12 @@ function extractCreateResponse(response) {
   return { clientId, clientSecret };
 }
+const ID_WIDTH = 38;
+const USERNAME_WIDTH = 22;
+const EMAIL_WIDTH = 28;
+const CLIENT_ID_WIDTH = 24;
+const TABLE_SEPARATOR_LENGTH = 130;
 /**
  * Log error for failed create response and exit
  * @param {Object} response - API response with success: false
@@ -74,6 +87,86 @@ function handleCreateError(response) {
   process.exit(1);
 }
+/**
+ * Log error for service-user API response and exit
+ * @param {Object} response - API response with success: false
+ * @param {string} permissionScope - Permission hint: 'read' | 'update' | 'delete'
+ */
+function handleServiceUserApiError(response, permissionScope) {
+  const status = response.status;
+  const msg = response.formattedError || response.error || 'Request failed';
+  if (status === 400) {
+    logger.error(chalk.red(`❌ Validation error: ${msg}`));
+  } else if (status === 401) {
+    logger.error(chalk.red('❌ Unauthorized. Run "aifabrix login" and try again.'));
+  } else if (status === 403) {
+    logger.error(chalk.red(`❌ Missing permission: service-user:${permissionScope}`));
+    logger.error(chalk.gray(`Your account needs the service-user:${permissionScope} permission on the controller.`));
+  } else if (status === 404) {
+    logger.error(chalk.red('❌ Service user not found.'));
+    const detail = response.error || '';
+    if (detail) {
+      logger.error(chalk.gray(detail));
+    }
+  } else {
+    logger.error(chalk.red(`❌ Request failed: ${msg}`));
+  }
+  process.exit(1);
+}
+/**
+ * Resolve controller URL and auth for list/rotate/delete/update (no create-specific validation)
+ * @async
+ * @param {Object} options - CLI options (controller optional)
+ * @returns {Promise<{ controllerUrl: string, authConfig: Object }>}
+ */
+async function resolveControllerAndAuth(options) {
+  const controllerUrl = options.controller || (await resolveControllerUrl());
+  if (!controllerUrl) {
+    logger.error(chalk.red('❌ Controller URL is required. Run "aifabrix login" first.'));
+    process.exit(1);
+  }
+  const authResult = await getServiceUserAuth(controllerUrl);
+  if (!authResult || !authResult.token) {
+    logger.error(chalk.red(`❌ No authentication token for controller: ${controllerUrl}`));
+    logger.error(chalk.gray('Run: aifabrix login'));
+    process.exit(1);
+  }
+  return {
+    controllerUrl: authResult.controllerUrl,
+    authConfig: { type: 'bearer', token: authResult.token }
+  };
+}
+/**
+ * Display service user list as a table (id, username, email, clientId, active).
+ * API shape: items have id, username, email, status, federatedIdentity.keycloakClientId.
+ * @param {Array<{ id?: string, username?: string, email?: string, status?: string, active?: boolean, clientId?: string, federatedIdentity?: { keycloakClientId?: string } }>} items - Service users
+ */
+function displayServiceUserList(items) {
+  logger.log(chalk.bold('\n📋 Service users:\n'));
+  if (!items || items.length === 0) {
+    logger.log(chalk.gray('  No service users found.\n'));
+    return;
+  }
+  const idCol = 'Id'.padEnd(ID_WIDTH);
+  const usernameCol = 'Username'.padEnd(USERNAME_WIDTH);
+  const emailCol = 'Email'.padEnd(EMAIL_WIDTH);
+  const clientIdCol = 'ClientId'.padEnd(CLIENT_ID_WIDTH);
+  const activeCol = 'Active';
+  logger.log(chalk.gray(`${idCol}${usernameCol}${emailCol}${clientIdCol}${activeCol}`));
+  logger.log(chalk.gray('-'.repeat(TABLE_SEPARATOR_LENGTH)));
+  items.forEach((row) => {
+    const id = (row.id ?? '').toString().padEnd(ID_WIDTH);
+    const username = (row.username ?? '—').padEnd(USERNAME_WIDTH);
+    const email = (row.email ?? '—').padEnd(EMAIL_WIDTH);
+    const clientId = (row.federatedIdentity?.keycloakClientId ?? row.clientId ?? '—').padEnd(CLIENT_ID_WIDTH);
+    const active = row.status === 'active' ? 'yes' : (row.status ?? (row.active === true ? 'yes' : row.active === false ? 'no' : '—'));
+    logger.log(`${id}${username}${email}${clientId}${active}`);
+  });
+  logger.log('');
+}
 /**
  * Display success output with clientId, clientSecret and one-time warning
  * @param {string} clientId - Service user client ID
@@ -194,6 +287,142 @@ async function runServiceUserCreate(options = {}) {
   displayCreateSuccess(clientId, clientSecret);
 }
+/**
+ * Require service user id option; exit with message if missing
+ * @param {string} [id] - Service user ID from options
+ * @returns {string} Trimmed id
+ */
+function requireServiceUserId(id) {
+  const trimmed = (id && typeof id === 'string' ? id.trim() : '') || '';
+  if (!trimmed) {
+    logger.error(chalk.red('❌ Service user ID is required. Use --id <uuid>.'));
+    process.exit(1);
+  }
+  return trimmed;
+}
+/**
+ * Run service-user list: call GET /api/v1/service-users and display table
+ * @async
+ * @param {Object} options - CLI options (controller, page, pageSize, sort, filter, search)
+ * @returns {Promise<void>}
+ */
+async function runServiceUserList(options = {}) {
+  const { controllerUrl, authConfig } = await resolveControllerAndAuth(options);
+  const listOptions = {
+    page: options.page,
+    pageSize: options.pageSize,
+    sort: options.sort,
+    filter: options.filter,
+    search: options.search
+  };
+  const response = await listServiceUsers(controllerUrl, authConfig, listOptions);
+  if (response && response.success === false) {
+    handleServiceUserApiError(response, 'read');
+    return;
+  }
+  const body = response?.data?.data ?? response?.data ?? response ?? {};
+  const items = Array.isArray(body) ? body : (body.data ?? []);
+  displayServiceUserList(items);
+}
+/**
+ * Run service-user rotate-secret: call POST .../regenerate-secret and print new secret once with warning
+ * @async
+ * @param {Object} options - CLI options (controller, id required)
+ * @returns {Promise<void>}
+ */
+async function runServiceUserRotateSecret(options = {}) {
+  const id = requireServiceUserId(options.id);
+  const { controllerUrl, authConfig } = await resolveControllerAndAuth(options);
+  const response = await regenerateSecretServiceUser(controllerUrl, authConfig, id);
+  if (response && response.success === false) {
+    handleServiceUserApiError(response, 'update');
+    return;
+  }
+  const payload = response?.data?.data ?? response?.data ?? response ?? {};
+  const clientSecret = payload?.clientSecret ?? '';
+  if (response && response.success === true) {
+    logger.log(chalk.bold('\n✓ Secret rotated\n'));
+    logger.log(chalk.cyan('  clientSecret: ') + clientSecret);
+    logger.log('');
+    logger.log(chalk.yellow('⚠ ' + ONE_TIME_WARNING));
+    logger.log('');
+  }
+}
+/**
+ * Run service-user delete: call DELETE .../service-users/{id} (deactivates the user)
+ * @async
+ * @param {Object} options - CLI options (controller, id required)
+ * @returns {Promise<void>}
+ */
+async function runServiceUserDelete(options = {}) {
+  const id = requireServiceUserId(options.id);
+  const { controllerUrl, authConfig } = await resolveControllerAndAuth(options);
+  const response = await deleteServiceUser(controllerUrl, authConfig, id);
+  if (response && response.success === false) {
+    handleServiceUserApiError(response, 'delete');
+    return;
+  }
+  if (response && response.success === true) {
+    logger.log(chalk.green('✓ Service user deactivated.\n'));
+  }
+}
+/**
+ * Run service-user update-groups: call PUT .../groups with groupNames
+ * @async
+ * @param {Object} options - CLI options (controller, id, groupNames required)
+ * @returns {Promise<void>}
+ */
+async function runServiceUserUpdateGroups(options = {}) {
+  const id = requireServiceUserId(options.id);
+  const groupNames = parseList(options.groupNames);
+  if (groupNames.length === 0) {
+    logger.error(chalk.red('❌ At least one group name is required. Use --group-names <name1,name2,...>.'));
+    process.exit(1);
+  }
+  const { controllerUrl, authConfig } = await resolveControllerAndAuth(options);
+  const response = await updateGroupsServiceUser(controllerUrl, authConfig, id, { groupNames });
+  if (response && response.success === false) {
+    handleServiceUserApiError(response, 'update');
+    return;
+  }
+  if (response && response.success === true) {
+    logger.log(chalk.green('✓ Service user groups updated.\n'));
+  }
+}
+/**
+ * Run service-user update-redirect-uris: call PUT .../redirect-uris (min 1 URI)
+ * @async
+ * @param {Object} options - CLI options (controller, id, redirectUris required, min 1)
+ * @returns {Promise<void>}
+ */
+async function runServiceUserUpdateRedirectUris(options = {}) {
+  const id = requireServiceUserId(options.id);
+  const redirectUris = parseList(options.redirectUris);
+  if (redirectUris.length === 0) {
+    logger.error(chalk.red('❌ At least one redirect URI is required. Use --redirect-uris <uri1,uri2,...>.'));
+    process.exit(1);
+  }
+  const { controllerUrl, authConfig } = await resolveControllerAndAuth(options);
+  const response = await updateRedirectUrisServiceUser(controllerUrl, authConfig, id, { redirectUris });
+  if (response && response.success === false) {
+    handleServiceUserApiError(response, 'update');
+    return;
+  }
+  if (response && response.success === true) {
+    logger.log(chalk.green('✓ Service user redirect URIs updated.\n'));
+  }
+}
 module.exports = {
-  runServiceUserCreate
+  runServiceUserCreate,
+  runServiceUserList,
+  runServiceUserRotateSecret,
+  runServiceUserDelete,
+  runServiceUserUpdateGroups,
+  runServiceUserUpdateRedirectUris
 };

package/lib/commands/up-common.js CHANGED Viewed

@@ -165,6 +165,30 @@ function patchEnvOutputPathForDeployOnly(appName) {
   }
 }
+/**
+ * Removes builder app directories for the given app names. Only removes paths under the builder root
+ * to prevent path traversal. Uses getBuilderPath for each app and validates before removal.
+ *
+ * @param {string[]} appNames - Application names (e.g. ['keycloak', 'miso-controller', 'dataplane'])
+ * @returns {Promise<void>}
+ * @throws {Error} If any path is outside builder root (path traversal attempt)
+ */
+async function cleanBuilderAppDirs(appNames) {
+  if (!Array.isArray(appNames) || appNames.length === 0) return;
+  const builderRoot = path.resolve(pathsUtil.getBuilderRoot());
+  for (const appName of appNames) {
+    if (!appName || typeof appName !== 'string') continue;
+    const appPath = path.resolve(pathsUtil.getBuilderPath(appName));
+    if (!appPath.startsWith(builderRoot + path.sep) && appPath !== builderRoot) {
+      throw new Error(`Path ${appPath} is outside builder root ${builderRoot}; refusing to clean`);
+    }
+    if (fs.existsSync(appPath)) {
+      fs.rmSync(appPath, { recursive: true });
+      logger.log(chalk.blue(`Cleaned builder/${appName}`));
+    }
+  }
+}
 /**
  * Ensures builder app directory exists from template if application config is missing.
  * If builder/<appName>/application config does not exist, copies from templates/applications/<appName>.
@@ -206,6 +230,7 @@ async function ensureAppFromTemplate(appName) {
 }
 module.exports = {
+  cleanBuilderAppDirs,
   ensureAppFromTemplate,
   patchEnvOutputPathForDeployOnly,
   validateEnvOutputPathFolderOrNull,

package/lib/commands/up-dataplane.js CHANGED Viewed

@@ -11,6 +11,7 @@
  * @version 2.0.0
  */
+const readline = require('readline');
 const chalk = require('chalk');
 const pathsUtil = require('../utils/paths');
 const { loadConfigFile } = require('../utils/config-format');
@@ -18,13 +19,87 @@ const logger = require('../utils/logger');
 const config = require('../core/config');
 const { checkAuthentication } = require('../utils/app-register-auth');
 const { resolveControllerUrl } = require('../utils/controller-url');
-const { resolveEnvironment } = require('../core/config');
+const { resolveEnvironment, setControllerUrl } = require('../core/config');
 const { registerApplication } = require('../app/register');
 const { rotateSecret } = require('../app/rotate-secret');
 const { checkApplicationExists } = require('../utils/app-existence');
+const { checkHealthEndpoint } = require('../utils/health-check');
+const { validateControllerUrl } = require('../utils/auth-config-validator');
 const app = require('../app');
 const { ensureAppFromTemplate, validateEnvOutputPathFolderOrNull } = require('./up-common');
+const CONTROLLER_HEALTH_PATH = '/health';
+/**
+ * Check if controller is reachable (health endpoint).
+ * @param {string} baseUrl - Controller base URL (no trailing slash)
+ * @returns {Promise<boolean>} True if healthy
+ */
+async function isControllerHealthy(baseUrl) {
+  const healthUrl = `${baseUrl.replace(/\/+$/, '')}${CONTROLLER_HEALTH_PATH}`;
+  try {
+    return await checkHealthEndpoint(healthUrl, false);
+  } catch {
+    return false;
+  }
+}
+/**
+ * Prompt user for controller URL when current controller is not available.
+ * @param {string} currentUrl - Current controller URL that failed health check
+ * @returns {Promise<string|null>} New URL or null if user aborted (empty input)
+ */
+function promptForControllerUrl(currentUrl) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(
+      chalk.yellow(`Controller at ${currentUrl} is not available. Enter controller URL (or press Enter to abort): `),
+      (answer) => {
+        rl.close();
+        const trimmed = (answer || '').trim();
+        resolve(trimmed === '' ? null : trimmed);
+      }
+    );
+  });
+}
+/**
+ * Resolve controller URL and ensure it is healthy; if not, prompt once for new URL.
+ * @returns {Promise<string>} Controller URL to use
+ * @throws {Error} If controller unavailable and user aborts or new URL still unhealthy
+ */
+async function resolveControllerUrlWithHealthCheck() {
+  let controllerUrl = await resolveControllerUrl();
+  controllerUrl = controllerUrl.replace(/\/+$/, '');
+  let healthy = await isControllerHealthy(controllerUrl);
+  if (healthy) {
+    return controllerUrl;
+  }
+  logger.log(chalk.yellow(`\nController at ${controllerUrl} is not responding (health check failed).\n`));
+  const newUrl = await promptForControllerUrl(controllerUrl);
+  if (!newUrl) {
+    throw new Error('Controller URL is required. Run "aifabrix up-dataplane" again and enter a valid controller URL, or set it with: aifabrix auth --set-controller <url>');
+  }
+  try {
+    validateControllerUrl(newUrl);
+  } catch (err) {
+    throw new Error(`Invalid controller URL: ${err.message}`);
+  }
+  await setControllerUrl(newUrl);
+  const normalizedNew = newUrl.trim().replace(/\/+$/, '');
+  healthy = await isControllerHealthy(normalizedNew);
+  if (!healthy) {
+    throw new Error(`Controller at ${normalizedNew} is not responding. Ensure the controller is running and reachable, then run "aifabrix up-dataplane" again.`);
+  }
+  logger.log(chalk.green(`✓ Using controller: ${normalizedNew}`));
+  return normalizedNew;
+}
 /**
  * Register or rotate dataplane: if app exists in controller, rotate secret; otherwise register.
  * @async
@@ -45,6 +120,17 @@ async function registerOrRotateDataplane(options, controllerUrl, environmentKey,
   }
 }
+/**
+ * Deploy dataplane app (send manifest to controller).
+ * @param {Object} options - Commander options (registry, registryMode, image)
+ * @returns {Promise<void>}
+ */
+async function deployDataplaneToController(options) {
+  const imageOverride = options.image || (options.registry ? buildDataplaneImageRef(options.registry) : undefined);
+  const deployOpts = { imageOverride, image: imageOverride, registryMode: options.registryMode };
+  await app.deployApp('dataplane', deployOpts);
+}
 /**
  * Build full image ref from registry and dataplane config (registry/name:tag)
  * @param {string} registry - Registry URL
@@ -85,14 +171,15 @@ async function handleUpDataplane(options = {}) {
   }
   logger.log(chalk.blue('Starting up-dataplane (register/rotate, deploy, then run dataplane locally)...\n'));
-  const [controllerUrl, environmentKey] = await Promise.all([resolveControllerUrl(), resolveEnvironment()]);
+  const controllerUrl = await resolveControllerUrlWithHealthCheck();
+  const environmentKey = await resolveEnvironment();
   const authConfig = await checkAuthentication(controllerUrl, environmentKey, { throwOnFailure: true });
   const cfg = await config.getConfig();
   const environment = (cfg && cfg.environment) ? cfg.environment : 'dev';
   if (environment !== 'dev') {
     throw new Error(
-      'Dataplane is only supported in dev environment. Set with: aifabrix auth config --set-environment dev.'
+      'Dataplane is only supported in dev environment. Set with: aifabrix auth --set-environment dev.'
     );
   }
   logger.log(chalk.green('✓ Logged in and environment is dev'));
@@ -103,10 +190,7 @@ async function handleUpDataplane(options = {}) {
   await registerOrRotateDataplane(options, controllerUrl, environmentKey, authConfig);
-  const imageOverride = options.image || (options.registry ? buildDataplaneImageRef(options.registry) : undefined);
-  const deployOpts = { imageOverride, image: imageOverride, registryMode: options.registryMode };
-  await app.deployApp('dataplane', deployOpts);
+  await deployDataplaneToController(options);
   logger.log('');
   await app.runApp('dataplane', { skipEnvOutputPath: true });

package/lib/commands/wizard-core-helpers.js CHANGED Viewed

@@ -3,6 +3,7 @@
  * @author AI Fabrix Team
  * @version 2.0.0
  */
+/* eslint-disable max-lines -- 502 lines; wizard payload and helpers */
 const chalk = require('chalk');
 const ora = require('ora');
@@ -181,11 +182,12 @@ function buildConfigPreferences(configPrefs) {
  * @param {string} params.mode - Selected mode
  * @param {Object} params.prefs - Configuration preferences
  * @param {string} [params.credentialIdOrKey] - Credential ID or key
- * @param {string} [params.systemIdOrKey] - System ID or key
+ * @param {string} [params.systemIdOrKey] - System ID or key (application/system key, not datasource/entity key)
  * @param {string} [params.entityName] - Entity name for multi-entity OpenAPI (from discover-entities)
+ * @param {string|null} [params.systemDisplayName] - System-level display name for credential (e.g. 'Hubspot Demo')
  * @returns {Object} Configuration payload
  */
-function buildConfigPayload({ openapiSpec, detectedType, mode, prefs, credentialIdOrKey, systemIdOrKey, entityName }) {
+function buildConfigPayload({ openapiSpec, detectedType, mode, prefs, credentialIdOrKey, systemIdOrKey, entityName, systemDisplayName }) {
   const detectedTypeValue = detectedType?.recommendedType || detectedType?.apiType || detectedType?.selectedType || 'record-based';
   const payload = {
     openapiSpec,
@@ -199,6 +201,7 @@ function buildConfigPayload({ openapiSpec, detectedType, mode, prefs, credential
   if (credentialIdOrKey) payload.credentialIdOrKey = credentialIdOrKey;
   if (systemIdOrKey) payload.systemIdOrKey = systemIdOrKey;
   if (entityName) payload.entityName = entityName;
+  if (systemDisplayName) payload.systemDisplayName = systemDisplayName;
   if (prefs.debug) payload.debug = true;
   return payload;
 }

package/lib/commands/wizard-core.js CHANGED Viewed

@@ -298,7 +298,8 @@ async function callGenerateApi(dataplaneUrl, authConfig, options, prefs) {
     prefs,
     credentialIdOrKey: options.credentialIdOrKey,
     systemIdOrKey: options.systemIdOrKey,
-    entityName: options.entityName
+    entityName: options.entityName,
+    systemDisplayName: options.systemDisplayName
   });
   return await generateConfig(dataplaneUrl, authConfig, configPayload);
 }

package/lib/commands/wizard-headless.js CHANGED Viewed

@@ -24,6 +24,7 @@ const {
 } = require('./wizard-core');
 const { discoverEntities } = require('../api/wizard.api');
 const { validateEntityNameForOpenApi } = require('../validation/wizard-datasource-validation');
+const { humanizeAppKey } = require('../generator/wizard-prompts-secondary');
 /**
  * Validate entityName for headless config (throws if invalid)
@@ -80,6 +81,9 @@ async function executeWizardFromConfig(wizardConfig, dataplaneUrl, authConfig, o
   await validateHeadlessEntityName(source?.entityName, openapiSpec, sourceType, dataplaneUrl, authConfig);
+  const systemDisplayName = wizardConfig.systemDisplayName ||
+    (mode === 'create-system' ? humanizeAppKey(appName) : undefined);
   // Step 5: Generate Configuration
   const { systemConfig, datasourceConfigs, systemKey } = await handleConfigurationGeneration(dataplaneUrl, authConfig, {
     mode,
@@ -93,7 +97,8 @@ async function executeWizardFromConfig(wizardConfig, dataplaneUrl, authConfig, o
     datasourceKeys: source?.datasourceKeys,
     configurationValues: source?.configurationValues,
     entityName: source?.entityName,
-    appName
+    appName,
+    systemDisplayName
   });
   // Step 6: Validate Configuration

package/lib/commands/wizard.js CHANGED Viewed

@@ -48,6 +48,7 @@ const {
   showWizardConfigSummary,
   ensureIntegrationDir
 } = require('./wizard-helpers');
+const { humanizeAppKey } = require('../generator/wizard-prompts-secondary');
 /**
  * Create wizard session with given mode and optional systemIdOrKey (no prompts)
@@ -150,7 +151,8 @@ async function handleInteractiveConfigGeneration(options) {
     sourceType: options.sourceType,
     platformKey: options.sourceType === 'known-platform' ? options.sourceData : undefined,
     entityName: options.entityName,
-    appName: options.appName
+    appName: options.appName,
+    systemDisplayName: options.systemDisplayName
   });
   return {
@@ -190,7 +192,7 @@ async function handleConfigurationReview(dataplaneUrl, authConfig, sessionId, sy
     logger.warn('Preview unavailable, showing full configuration.');
   }
-  const reviewResult = await promptForConfigReview({ preview, systemConfig, datasourceConfigs });
+  const reviewResult = await promptForConfigReview({ preview, systemConfig, datasourceConfigs, appKey: opts.appKey });
   if (reviewResult.action === 'cancel') {
     logger.log(chalk.yellow('Wizard cancelled.'));
@@ -251,7 +253,8 @@ async function doWizardSteps(appKey, dataplaneUrl, authConfig, sessionId, flowOp
     sourceData,
     entityName: entityName || undefined,
     appName: appKey,
-    debug
+    debug,
+    systemDisplayName: flowOpts.systemDisplayName
   });
   const { systemConfig, datasourceConfigs, systemKey, preferences: savedPrefs } = genResult;
   state.preferences = savedPrefs || {};
@@ -314,7 +317,7 @@ async function runWizardStepsAfterSession(appKey, dataplaneUrl, authConfig, sess
  * @returns {Promise<void>} Resolves when wizard flow completes
  */
 async function executeWizardFlow(appKey, dataplaneUrl, authConfig, flowOpts = {}) {
-  const { mode, systemIdOrKey, configPath, debug } = flowOpts;
+  const { mode, systemIdOrKey, configPath, debug, systemDisplayName } = flowOpts;
   if (debug) {
     logger.log(chalk.gray(`[DEBUG] Wizard debug mode enabled for app: ${appKey}`));
@@ -329,7 +332,8 @@ async function executeWizardFlow(appKey, dataplaneUrl, authConfig, flowOpts = {}
     systemIdOrKey,
     platforms,
     configPath,
-    debug: flowOpts.debug
+    debug: flowOpts.debug,
+    systemDisplayName
   });
   if (!state) return;
@@ -474,12 +478,15 @@ async function handleWizardInteractive(options) {
   if (!resolved) return;
   const { appKey, configPath, dataplaneUrl, authConfig } = resolved;
   const systemIdOrKey = mode === 'add-datasource' ? resolved.systemIdOrKey : undefined;
+  const systemDisplayName = options.systemDisplayName || options.displayName ||
+    (mode === 'create-system' ? humanizeAppKey(appKey) : undefined);
   try {
     await executeWizardFlow(appKey, dataplaneUrl, authConfig, {
       mode,
       systemIdOrKey,
       configPath,
-      debug: options.debug
+      debug: options.debug,
+      systemDisplayName
     });
     logger.log(chalk.gray(`To change settings, edit integration/${appKey}/wizard.yaml and run: aifabrix wizard ${appKey}`));
   } catch (error) {

package/lib/core/admin-secrets.js CHANGED Viewed

@@ -14,6 +14,7 @@ const path = require('path');
 const fs = require('fs');
 const config = require('./config');
 const { decryptSecret, isEncrypted } = require('../utils/secrets-encryption');
+const { ensureSecureFilePermissions } = require('../utils/secure-file-permissions');
 /**
  * Parse .env-style content into key-value map (excludes comments and empty lines).
@@ -57,6 +58,7 @@ async function readAndDecryptAdminSecrets(adminSecretsPath) {
   if (!fs.existsSync(resolvedPath)) {
     throw new Error(`Admin secrets file not found: ${resolvedPath}. Run 'aifabrix up-infra' or ensure admin-secrets.env exists.`);
   }
+  ensureSecureFilePermissions(resolvedPath);
   const content = fs.readFileSync(resolvedPath, 'utf8');
   const raw = parseAdminEnvContent(content);
   const encryptionKey = await config.getSecretsEncryptionKey();