@aifabrix/builder 2.42.1 → 2.43.0

package/lib/utils/secrets-generator.js

@@ -198,7 +198,7 @@ function saveSecretsFile(resolvedPath, secrets) {
 
   const yamlContent = yaml.dump(secrets, {
     indent: 2,
-    lineWidth: 120,
+    lineWidth: -1,
     noRefs: true,
     sortKeys: false
   });
@@ -206,7 +206,7 @@ function saveSecretsFile(resolvedPath, secrets) {
   fs.writeFileSync(resolvedPath, yamlContent, { mode: 0o600 });
 }
 
-const YAML_DUMP_OPTS = { indent: 2, lineWidth: 120, noRefs: true, sortKeys: false };
+const YAML_DUMP_OPTS = { indent: 2, lineWidth: -1, noRefs: true, sortKeys: false };
 
 /**
  * Merges secret keys into the secrets file (load existing, merge, overwrite file).

package/lib/utils/secrets-utils.js

@@ -14,6 +14,7 @@ const path = require('path');
 const yaml = require('js-yaml');
 const logger = require('./logger');
 const pathsUtil = require('./paths');
+const { ensureSecureFilePermissions } = require('./secure-file-permissions');
 const { getContainerPort } = require('./port-resolver');
 const { loadYamlTolerantOfDuplicateKeys } = require('./secrets-generator');
 
@@ -78,6 +79,7 @@ function loadPrimaryUserSecrets() {
   if (!fs.existsSync(userSecretsPath)) {
     return {};
   }
+  ensureSecureFilePermissions(userSecretsPath);
 
   try {
     const content = fs.readFileSync(userSecretsPath, 'utf8');
@@ -106,6 +108,7 @@ function loadUserSecrets() {
   if (!fs.existsSync(userSecretsPath)) {
     return {};
   }
+  ensureSecureFilePermissions(userSecretsPath);
 
   try {
     const content = fs.readFileSync(userSecretsPath, 'utf8');
@@ -134,6 +137,7 @@ function loadDefaultSecrets() {
   if (!fs.existsSync(defaultPath)) {
     return {};
   }
+  ensureSecureFilePermissions(defaultPath);
 
   try {
     const content = fs.readFileSync(defaultPath, 'utf8');

package/lib/utils/secure-file-permissions.js

@@ -0,0 +1,91 @@
+/**
+ * Secure file permissions for secrets and config (ISO 27001).
+ * Ensures sensitive files are restricted to owner-only (0o600) when read or written.
+ *
+ * @fileoverview Enforce restrictive permissions on secrets and config files
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+/** Mode for secrets and admin files: owner read/write only (no group/other). */
+const SECRET_FILE_MODE = 0o600;
+
+/** Mode for config file (may contain tokens): owner read/write only. */
+const CONFIG_FILE_MODE = 0o600;
+
+/**
+ * Ensures a file has restrictive permissions (0o600) when it exists.
+ * If the file has group or other read/write/execute bits set, chmods to owner-only.
+ * Safe to call on every read path; no-op when file is missing or already 0o600.
+ * On Windows, chmod restricts write access; mode bits are not fully supported.
+ *
+ * @param {string} filePath - Absolute or relative path to the file
+ * @param {number} [mode=0o600] - Desired mode (default SECRET_FILE_MODE)
+ * @returns {boolean} True if file existed and permissions were (or are now) secure
+ */
+function ensureSecureFilePermissions(filePath, mode = SECRET_FILE_MODE) {
+  if (!filePath || typeof filePath !== 'string') {
+    return false;
+  }
+  const resolved = path.isAbsolute(filePath) ? filePath : path.resolve(filePath);
+  try {
+    if (!fs.existsSync(resolved)) {
+      return false;
+    }
+    const stat = fs.statSync(resolved);
+    if (!stat.isFile()) {
+      return false;
+    }
+    const currentMode = stat.mode & 0o777;
+    if ((currentMode & 0o77) === 0) {
+      return true;
+    }
+    fs.chmodSync(resolved, mode);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Ensures a directory has restrictive permissions (0o700) when it exists.
+ * No-op when directory is missing or already 0o700 (no group/other).
+ *
+ * @param {string} dirPath - Absolute or relative path to the directory
+ * @returns {boolean} True if directory existed and permissions were (or are now) secure
+ */
+function ensureSecureDirPermissions(dirPath) {
+  if (!dirPath || typeof dirPath !== 'string') {
+    return false;
+  }
+  const resolved = path.isAbsolute(dirPath) ? dirPath : path.resolve(dirPath);
+  try {
+    if (!fs.existsSync(resolved)) {
+      return false;
+    }
+    const stat = fs.statSync(resolved);
+    if (!stat.isDirectory()) {
+      return false;
+    }
+    const currentMode = stat.mode & 0o777;
+    if ((currentMode & 0o77) === 0) {
+      return true;
+    }
+    fs.chmodSync(resolved, 0o700);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+module.exports = {
+  ensureSecureFilePermissions,
+  ensureSecureDirPermissions,
+  SECRET_FILE_MODE,
+  CONFIG_FILE_MODE
+};

package/lib/utils/token-manager.js

@@ -21,12 +21,43 @@ const {
 } = require('./token-manager-refresh');
 const { warnRefreshFailureOnce, warnRefreshTokenExpiredOnce } = require('./token-manager-messages');
 
+/** App key used for dataplane client credentials in secrets.local.yaml */
+const DATAPLANE_APP_KEY = 'dataplane';
+
 function getSecretsFilePath() {
   return path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
 }
 
 /**
- * Load client credentials from secrets.local.yaml or process.env (e.g. integration/hubspot/.env).
+ * Validate that secrets.local.yaml contains dataplane client credentials.
+ * If missing, the developer should run: aifabrix app rotate-secret dataplane
+ * @param {string} [secretsFilePath] - Path to secrets file; defaults to ~/.aifabrix/secrets.local.yaml
+ * @returns {{ valid: boolean, hint?: string }}
+ */
+function validateDataplaneSecrets(secretsFilePath) {
+  const filePath = secretsFilePath || getSecretsFilePath();
+  const hint = 'Dataplane credentials are missing. Run: aifabrix app rotate-secret dataplane';
+  try {
+    if (!fs.existsSync(filePath)) {
+      return { valid: false, hint };
+    }
+    const content = fs.readFileSync(filePath, 'utf8');
+    const secrets = yaml.load(content) || {};
+    const clientIdKey = `${DATAPLANE_APP_KEY}-client-idKeyVault`;
+    const clientSecretKey = `${DATAPLANE_APP_KEY}-client-secretKeyVault`;
+    const hasId = secrets[clientIdKey] !== null && secrets[clientIdKey] !== undefined && String(secrets[clientIdKey]).trim() !== '';
+    const hasSecret = secrets[clientSecretKey] !== null && secrets[clientSecretKey] !== undefined && String(secrets[clientSecretKey]).trim() !== '';
+    if (hasId && hasSecret) {
+      return { valid: true };
+    }
+    return { valid: false, hint };
+  } catch {
+    return { valid: false, hint };
+  }
+}
+
+/**
+ * Load client credentials from secrets.local.yaml or process.env (e.g. integration/hubspot-test/.env).
  * Reads secrets file using pattern: <app-name>-client-idKeyVault and <app-name>-client-secretKeyVault.
  * If not found, checks process.env.CLIENTID and process.env.CLIENTSECRET (set when .env is loaded).
  * @param {string} appName - Application name
@@ -60,7 +91,7 @@ async function loadClientCredentials(appName) {
     logger.warn(`Failed to load credentials from secrets.local.yaml: ${error.message}`);
   }
 
-  // Fallback: use CLIENTID/CLIENTSECRET from process.env (e.g. from integration/hubspot/.env)
+  // Fallback: use CLIENTID/CLIENTSECRET from process.env (e.g. from integration/hubspot-test/.env)
   const envClientId = process.env.CLIENTID || process.env.CLIENT_ID;
   const envClientSecret = process.env.CLIENTSECRET || process.env.CLIENT_SECRET;
   if (envClientId && envClientSecret) {
@@ -439,6 +470,7 @@ function requireBearerForDataplanePipeline(authConfig) {
 }
 
 module.exports = {
+  DATAPLANE_APP_KEY,
   getDeviceToken,
   getClientToken,
   isTokenExpired,
@@ -452,5 +484,6 @@ module.exports = {
   getDeploymentAuth,
   getDeviceOnlyAuth,
   extractClientCredentials,
-  requireBearerForDataplanePipeline
+  requireBearerForDataplanePipeline,
+  validateDataplaneSecrets
 };

package/lib/utils/yaml-preserve.js

@@ -185,6 +185,9 @@ function formatValue(value, quoted, quoteChar) {
  * const result = encryptYamlValues(yamlContent, encryptionKey);
  * // Returns: { content: '...', encrypted: 5, total: 10 }
  */
+/** Pattern for YAML block scalar indicator (e.g. key: >- or key: |) */
+const BLOCK_SCALAR_PATTERN = /^(\s*)([^#:\n]+?):\s*(\|[-+]?|>[-+]?)(\s*)(#.*)?$/;
+
 /**
  * Processes a single line for encryption
  * @function processLineForEncryption
@@ -221,13 +224,68 @@ function processLineForEncryption(line, encryptionKey, stats) {
   return line;
 }
 
+/**
+ * Collects continuation lines for a YAML block scalar (value on next lines).
+ * @param {string[]} lines - All lines
+ * @param {number} startIndex - Index of line after the key: >- line
+ * @param {number} keyIndentLen - Number of leading spaces on the key line
+ * @returns {{ value: string, endIndex: number }} Combined value and index after last continuation line
+ */
+function collectBlockScalarLines(lines, startIndex, keyIndentLen) {
+  const parts = [];
+  let i = startIndex;
+  while (i < lines.length) {
+    const line = lines[i];
+    const contentTrimmed = line.trim();
+    if (contentTrimmed === '' || contentTrimmed.startsWith('#')) {
+      i++;
+      continue;
+    }
+    const indentLen = line.length - line.trimStart().length;
+    if (indentLen <= keyIndentLen) {
+      break;
+    }
+    parts.push(contentTrimmed);
+    i++;
+  }
+  return { value: parts.join(' '), endIndex: i };
+}
+
 function encryptYamlValues(content, encryptionKey) {
   const lines = content.split(/\r?\n/);
   const encryptedLines = [];
   const stats = { encrypted: 0, total: 0 };
+  let i = 0;
+
+  while (i < lines.length) {
+    const line = lines[i];
+    const trimmed = line.trim();
+
+    if (trimmed === '' || trimmed.startsWith('#')) {
+      encryptedLines.push(line);
+      i++;
+      continue;
+    }
+
+    const blockMatch = line.match(BLOCK_SCALAR_PATTERN);
+    if (blockMatch) {
+      const [, indent, key, blockIndicator, trailingWhitespace, comment] = blockMatch;
+      const keyIndentLen = indent.length;
+      const folded = blockIndicator.startsWith('>');
+      const { value: rawValue, endIndex } = collectBlockScalarLines(lines, i + 1, keyIndentLen);
+      const value = folded ? rawValue.replace(/\s+/g, ' ').trim() : rawValue;
+      stats.total++;
+      const outValue = shouldEncryptValue(value) ? encryptSecret(value, encryptionKey) : value;
+      if (shouldEncryptValue(value)) {
+        stats.encrypted++;
+      }
+      encryptedLines.push(`${indent}${key}: ${outValue}${trailingWhitespace || ''}${comment || ''}`);
+      i = endIndex;
+      continue;
+    }
 
-  for (const line of lines) {
     encryptedLines.push(processLineForEncryption(line, encryptionKey, stats));
+    i++;
   }
 
   return {

package/lib/validation/env-template-auth.js

@@ -10,6 +10,7 @@
  */
 
 const { loadExternalIntegrationConfig, loadSystemFile } = require('../generator/external');
+const { getKvPathSegmentForSecurityKey } = require('../utils/credential-secrets-env');
 
 /**
  * Extracts all kv:// paths from env.template content (RHS of VAR=value lines).
@@ -93,7 +94,7 @@ function setHasPathIgnoreCase(pathSet, requiredPath) {
  * @returns {Promise<{ requiredPaths: Set<string>, warning?: string }>} Required kv paths and optional warning
  *
  * @example
- * const { requiredPaths } = await collectRequiredAuthKvPaths('/path/to/integration/hubspot');
+ * const { requiredPaths } = await collectRequiredAuthKvPaths('/path/to/integration/hubspot-test');
  * // requiredPaths has kv:// paths from authentication.security
  */
 async function collectRequiredAuthKvPaths(appPath, _options = {}) {
@@ -148,10 +149,57 @@ async function validateAuthKvCoverage(appPath, content, errors, warnings, option
   }
 }
 
+/**
+ * Derives system key from system file name (e.g. hubspot-system.yaml -> hubspot).
+ * @param {string} systemFileName - System file name
+ * @returns {string}
+ */
+function systemKeyFromFileName(systemFileName) {
+  if (!systemFileName || typeof systemFileName !== 'string') return '';
+  return systemFileName.replace(/-system\.(yaml|yml|json)$/i, '');
+}
+
+/**
+ * Validates that authentication.security paths in system files match the canonical path
+ * (kv://<systemKey>/<getKvPathSegmentForSecurityKey(securityKey)>). Pushes errors when they differ.
+ *
+ * @async
+ * @function validateAuthSecurityPathConsistency
+ * @param {string} appPath - Application path (integration or builder dir)
+ * @param {string[]} errors - Errors array to push to
+ * @param {string[]} warnings - Warnings array to push to (unused; for API consistency)
+ */
+async function validateAuthSecurityPathConsistency(appPath, errors, _warnings) {
+  try {
+    const { schemaBasePath, systemFiles } = await loadExternalIntegrationConfig(appPath);
+    for (const systemFileName of systemFiles) {
+      const systemKey = systemKeyFromFileName(systemFileName);
+      if (!systemKey) continue;
+      const systemJson = await loadSystemFile(appPath, schemaBasePath, systemFileName);
+      const security = systemJson.authentication?.security;
+      if (!security || typeof security !== 'object') continue;
+      for (const [key, value] of Object.entries(security)) {
+        if (typeof value !== 'string' || !/^kv:\/\/.+/.test(value)) continue;
+        const canonicalSegment = getKvPathSegmentForSecurityKey(key);
+        const canonicalPath = canonicalSegment ? `kv://${systemKey}/${canonicalSegment}` : null;
+        if (canonicalPath && value !== canonicalPath) {
+          errors.push(
+            `authentication.security.${key} has path ${value}; canonical path is ${canonicalPath}. Run \`aifabrix repair <app>\` to normalize.`
+          );
+        }
+      }
+    }
+  } catch (error) {
+    _warnings.push(`Could not validate auth path consistency: ${error.message}`);
+  }
+}
+
 module.exports = {
   extractKvPathsFromEnvTemplate,
   extractKvPathsFromCommentedLines,
   setHasPathIgnoreCase,
   collectRequiredAuthKvPaths,
-  validateAuthKvCoverage
+  validateAuthKvCoverage,
+  validateAuthSecurityPathConsistency,
+  systemKeyFromFileName
 };

package/lib/validation/external-manifest-validator.js

@@ -13,6 +13,8 @@ const Ajv = require('ajv');
 const fs = require('fs');
 const path = require('path');
 const { formatValidationErrors } = require('../utils/error-formatter');
+const { validateFieldReferences } = require('../datasource/field-reference-validator');
+const { validateAbac } = require('../datasource/abac-validator');
 
 /**
  * Sets up AJV validator with external schemas
@@ -113,6 +115,12 @@ function validateDatasources(manifest, ajv, externalDatasourceSchema, errors, wa
         if (!datasourceValid) {
           const datasourceErrors = formatValidationErrors(validateDatasource.errors);
           errors.push(...datasourceErrors.map(err => `Datasource ${index + 1} (${datasource.key || 'unknown'}): ${err}`));
+        } else {
+          const fieldRefErrors = validateFieldReferences(datasource);
+          const abacErrors = validateAbac(datasource);
+          const prefix = `Datasource ${index + 1} (${datasource.key || 'unknown'}): `;
+          fieldRefErrors.forEach(e => errors.push(prefix + e));
+          abacErrors.forEach(e => errors.push(prefix + e));
         }
       });
     }

package/lib/validation/validate.js

@@ -15,6 +15,8 @@ const validator = require('./validator');
 const { resolveExternalFiles } = require('../utils/schema-resolver');
 const { loadExternalSystemSchema, loadExternalDataSourceSchema, detectSchemaType } = require('../utils/schema-loader');
 const { formatValidationErrors } = require('../utils/error-formatter');
+const { validateFieldReferences } = require('../datasource/field-reference-validator');
+const { validateAbac } = require('../datasource/abac-validator');
 const { detectAppType } = require('../utils/paths');
 const batch = require('./validate-batch');
 const { logOfflinePathWhenType } = require('../utils/cli-utils');
@@ -200,6 +202,12 @@ async function validateExternalFile(filePath, type) {
     validateConfigurationNoStandardAuthVariables(parseResult.parsed, errors);
   }
 
+  if (normalizedType === 'datasource') {
+    const fieldRefErrors = validateFieldReferences(parseResult.parsed);
+    const abacErrors = validateAbac(parseResult.parsed);
+    errors.push(...fieldRefErrors, ...abacErrors);
+  }
+
   return {
     valid: errors.length === 0,
     errors,

package/lib/validation/validator.js

@@ -11,7 +11,6 @@
 
 const fs = require('fs');
 const path = require('path');
-const yaml = require('js-yaml');
 const Ajv = require('ajv');
 const applicationSchema = require('../schema/application-schema.json');
 const externalSystemSchema = require('../schema/external-system.schema.json');
@@ -19,9 +18,9 @@ const externalDataSourceSchema = require('../schema/external-datasource.schema.j
 const { transformVariablesForValidation } = require('../utils/variable-transformer');
 const { checkEnvironment } = require('../utils/environment-checker');
 const { formatValidationErrors } = require('../utils/error-formatter');
-const { detectAppType, resolveApplicationConfigPath } = require('../utils/paths');
+const { detectAppType, resolveApplicationConfigPath, resolveRbacPath } = require('../utils/paths');
 const { loadConfigFile } = require('../utils/config-format');
-const { validateAuthKvCoverage } = require('./env-template-auth');
+const { validateAuthKvCoverage, validateAuthSecurityPathConsistency } = require('./env-template-auth');
 const { validateKvReferencesInLines } = require('./env-template-kv');
 
 /**
@@ -155,7 +154,7 @@ async function validateVariables(appName, options = {}) {
 function validateRoles(roles) {
   const errors = [];
   if (!roles || !Array.isArray(roles)) {
-    errors.push('rbac.yaml must contain a "roles" array');
+    errors.push('rbac file must contain a "roles" array');
     return errors;
   }
 
@@ -179,7 +178,7 @@ function validateRoles(roles) {
 function validatePermissions(permissions) {
   const errors = [];
   if (!permissions || !Array.isArray(permissions)) {
-    errors.push('rbac.yaml must contain a "permissions" array');
+    errors.push('rbac file must contain a "permissions" array');
     return errors;
   }
 
@@ -203,21 +202,18 @@ async function validateRbac(appName, options = {}) {
 
   // Support both builder/ and integration/ directories using detectAppType
   const { appPath } = await detectAppType(appName, options);
-  const rbacYaml = path.join(appPath, 'rbac.yaml');
-  const rbacYml = path.join(appPath, 'rbac.yml');
-  const rbacPath = fs.existsSync(rbacYaml) ? rbacYaml : (fs.existsSync(rbacYml) ? rbacYml : null);
+  const rbacPath = resolveRbacPath(appPath);
 
   if (!rbacPath) {
-    return { valid: true, errors: [], warnings: ['rbac.yaml not found - authentication disabled'] };
+    return { valid: true, errors: [], warnings: ['rbac file not found - authentication disabled'] };
   }
 
-  const content = fs.readFileSync(rbacPath, 'utf8');
   let rbac;
-
   try {
-    rbac = yaml.load(content);
+    rbac = loadConfigFile(rbacPath);
   } catch (error) {
-    throw new Error(`Invalid YAML syntax in rbac.yaml: ${error.message}`);
+    const basename = path.basename(rbacPath);
+    throw new Error(`Invalid syntax in ${basename}: ${error.message}`);
   }
 
   const errors = [
@@ -287,6 +283,7 @@ async function validateEnvTemplate(appName, options = {}) {
 
   if (isExternal) {
     await validateAuthKvCoverage(appPath, content, errors, warnings, options);
+    await validateAuthSecurityPathConsistency(appPath, errors, warnings);
   }
 
   return {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.42.1",
+  "version": "2.43.0",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {
@@ -17,6 +17,10 @@
     "test:integration": "jest --config jest.config.integration.js --runInBand",
     "test:integration:python": "cross-env TEST_LANGUAGE=python jest --config jest.config.integration.js --runInBand",
     "test:integration:typescript": "cross-env TEST_LANGUAGE=typescript jest --config jest.config.integration.js --runInBand",
+    "test:hubspot-wizard": "node integration/hubspot-test/test.js",
+    "test:hubspot-wizard:negative": "node integration/hubspot-test/test.js --type negative",
+    "test:hubspot-wizard:positive": "node integration/hubspot-test/test.js --type positive",
+    "test:hubspot-dataplane-down": "node integration/hubspot-test/test-dataplane-down.js",
     "test:manual": "jest --config jest.config.manual.js --runInBand",
     "lint": "eslint . --ext .js",
     "lint:fix": "eslint . --ext .js --fix",

package/templates/applications/dataplane/env.template

@@ -54,10 +54,14 @@ DATABASE_URL=kv://databases-dataplane-0-urlKeyVault
 DB_0_PASSWORD=kv://databases-dataplane-0-passwordKeyVault
 
 # Vector and document store DB: chunks, embeddings, vector indexes (pgvector).
-# Binaries path: config.processing.fileStoragePath or /data/documents.
 VECTOR_DATABASE_URL=kv://databases-dataplane-1-urlKeyVault
 DB_1_PASSWORD=kv://databases-dataplane-1-passwordKeyVault
 
+# Base path for document binary storage (used when datasource config has no processing.fileStoragePath).
+# Dataplane creates subdirs per datasource key (e.g. DOCUMENT_STORAGE_BASE_PATH/test-e2e-sharepoint-documents).
+# Production: use a writable path (e.g. /data/documents) and mount a volume. Local/Docker: use /tmp/documents or /app/data/documents.
+DOCUMENT_STORAGE_BASE_PATH=/mnt/data/documents
+
 # Logs Database Configuration (for execution, audit, ABAC traces)
 LOGS_DATABASE_URL=kv://databases-dataplane-2-urlKeyVault
 DB_2_PASSWORD=kv://databases-dataplane-2-passwordKeyVault

package/templates/applications/miso-controller/application.yaml

@@ -4,7 +4,7 @@ app:
   displayName: 'Miso Controller'
   description: 'Miso is the AI Fabrix in-tenant controller and portal layer for securely operating enterprise AI apps inside a customer’s Azure tenant. It provides Entra ID SSO, RBAC, audit logs, environment/app configuration via schemas, and safe secret handling via Key Vault references—ensuring governance, traceability, and predictable UX across portal, SDK, and CLI.'
   type: webapp
-  version: '1.8.0'
+  version: '1.9.0'
 
 # Image Configuration
 image:

package/templates/applications/miso-controller/env.template

@@ -111,6 +111,10 @@ REDIS_PERMISSIONS_TTL=900
 KEYCLOAK_REALM=aifabrix
 KEYCLOAK_SERVER_URL=kv://keycloak-server-url
 KEYCLOAK_INTERNAL_SERVER_URL=kv://keycloak-internal-server-url
+# Docker/internal host and port: used when config from DB has localhost (getDockerKeycloakInternalUrl).
+# Resolved from env-config (e.g. KEYCLOAK_HOST=keycloak, KEYCLOAK_PORT=8080 for docker).
+KEYCLOAK_HOST=${KEYCLOAK_HOST}
+KEYCLOAK_PORT=${KEYCLOAK_PORT}
 KEYCLOAK_CLIENT_ID=miso-controller
 KEYCLOAK_CLIENT_SECRET=kv://keycloak-client-secretKeyVault
 KEYCLOAK_ADMIN_USERNAME=admin
@@ -306,8 +310,14 @@ MISO_ALLOWED_ORIGINS=http://localhost:*
 # =============================================================================
 # LICENSE CONFIGURATION
 # =============================================================================
-# Temporary development bypass: set LICENSE_JWT=DEVELOPMENT to skip Mori validation.
-# Will be replaced by JWT license validation (see plan 131-jwt_license_offline_validation).
+# Offline JWT license (optional):
+# - If set, controller validates license offline (RS256) without Mori subscription status call.
+# - Value can be literal JWT or kv:// reference.
+# - If not set, controller falls back to existing Mori subscription validation flow.
+#
+# Development: set to DEVELOPMENT to disable license validation (no Mori/JWT required):
+#   LICENSE_JWT=DEVELOPMENT
+# - Use only for local development; do not use in production.
 LICENSE_JWT=DEVELOPMENT
 
 # =============================================================================
@@ -315,6 +325,7 @@ LICENSE_JWT=DEVELOPMENT
 # =============================================================================
 
 MORI_BASE_URL=kv://mori-controller-url
+MORI_AUTH_METHOD=apiKey
 MORI_API_KEY=kv://mori-controller-api-keyKeyVault
 MORI_USERNAME=kv://mori-controller-basic-usernameKeyVault
 MORI_PASSWORD=kv://mori-controller-basic-passwordKeyVault

package/templates/external-system/env.template.hbs

@@ -0,0 +1,22 @@
+# Environment variables for external system integration
+# Use kv:// (or aifabrix secret set) for sensitive values; plain values for non-sensitive configuration.
+#
+
+{{#if authMethod}}
+# Authentication
+# Type: {{authMethod}}
+{{#each authSecureVars}}
+{{name}}={{value}}
+{{/each}}
+{{#if authNonSecureVarNames}}
+# Non-secure (e.g. URLs): {{#each authNonSecureVarNames}}{{this}}{{#unless @last}}, {{/unless}}{{/each}}
+{{/if}}
+
+{{/if}}
+{{#if configuration.length}}
+# Configuration
+{{#each configuration}}
+# {{comment}}
+{{name}}={{value}}
+{{/each}}
+{{/if}}