@aifabrix/builder 2.42.1 → 2.43.0

package/integration/{hubspot → hubspot-test}/test.js

@@ -23,8 +23,8 @@ const { resolveEnvironment } = require('../../lib/core/config');
 
 const execFileAsync = promisify(execFile);
 
-/** Single source for test config: integration/hubspot/.env */
-const HUBSPOT_DIR = path.join(process.cwd(), 'integration', 'hubspot');
+/** Single source for test config: integration/hubspot-test/.env */
+const HUBSPOT_DIR = path.join(process.cwd(), 'integration', 'hubspot-test');
 const LOCAL_ENV_PATH = path.join(HUBSPOT_DIR, '.env');
 const ARTIFACT_DIR = path.join(HUBSPOT_DIR, 'test-artifacts');
 const MAX_OUTPUT_BYTES = 10 * 1024 * 1024;
@@ -96,10 +96,10 @@ function printUsage() {
   // eslint-disable-next-line no-console
   console.log([
     'Usage:',
-    '  node integration/hubspot/test.js',
-    '  node integration/hubspot/test.js --test "1.1"',
-    '  node integration/hubspot/test.js --type positive',
-    '  node integration/hubspot/test.js --type negative --verbose',
+    '  node integration/hubspot-test/test.js',
+    '  node integration/hubspot-test/test.js --test "1.1"',
+    '  node integration/hubspot-test/test.js --type positive',
+    '  node integration/hubspot-test/test.js --type negative --verbose',
     '',
     'Options:',
     '  --test <id[,id]>       Run specific test IDs',
@@ -266,7 +266,7 @@ async function loadEnvFile(envPath, options) {
       process.env[key] = value;
     }
   }
-  // Map common .env keys so tests and wizard use credentials from integration/hubspot/.env
+  // Map common .env keys so tests and wizard use credentials from integration/hubspot-test/.env
   if (process.env.CLIENTID && process.env.HUBSPOT_CLIENT_ID === undefined) {
     process.env.HUBSPOT_CLIENT_ID = process.env.CLIENTID;
   }
@@ -280,7 +280,7 @@ async function loadEnvFile(envPath, options) {
 
 /**
  * Load test config (controller, environment, dataplane, openapi file).
- * Reads integration/hubspot/.env; missing CONTROLLER_URL/ENVIRONMENT fall back to
+ * Reads integration/hubspot-test/.env; missing CONTROLLER_URL/ENVIRONMENT fall back to
  * the same resolution as the CLI (af auth status) so tests use the same controller.
  * @async
  * @function loadTestConfigFromEnv
@@ -502,7 +502,20 @@ async function checkAppDirectory(appPath) {
 }
 
 /**
- * Validates required files exist
+ * Resolves application config path (application.json or application.yaml)
+ * @param {string} appPath - Application directory path
+ * @returns {string|null} Path to config file or null if neither exists
+ */
+async function resolveApplicationConfigPath(appPath) {
+  const jsonPath = path.join(appPath, 'application.json');
+  const yamlPath = path.join(appPath, 'application.yaml');
+  if (await fileExists(jsonPath)) return jsonPath;
+  if (await fileExists(yamlPath)) return yamlPath;
+  return null;
+}
+
+/**
+ * Validates required files exist (application config can be application.json or application.yaml)
  * @async
  * @function validateRequiredFiles
  * @param {string} appPath - Application directory path
@@ -511,8 +524,12 @@ async function checkAppDirectory(appPath) {
  * @throws {Error} If required files are missing
  */
 async function validateRequiredFiles(appPath, entries) {
-  const requiredFiles = ['application.yaml', 'env.template', 'README.md', 'deploy.js'];
+  const applicationConfigPath = await resolveApplicationConfigPath(appPath);
+  const requiredFiles = ['env.template', 'README.md', 'deploy.js'];
   const missingFiles = [];
+  if (!applicationConfigPath) {
+    missingFiles.push('application.yaml or application.json');
+  }
   for (const fileName of requiredFiles) {
     const filePath = path.join(appPath, fileName);
     const exists = await fileExists(filePath);
@@ -557,11 +574,19 @@ function validateDeployFiles(appPath, entries) {
  * @throws {Error} If file contents are invalid
  */
 async function validateFileContents(appPath, deployFiles) {
+  const configPath = await resolveApplicationConfigPath(appPath);
+  if (!configPath) {
+    throw new Error('Application config (application.yaml or application.json) not found');
+  }
   try {
-    const variablesContent = await fs.readFile(path.join(appPath, 'application.yaml'), 'utf8');
-    yaml.load(variablesContent);
+    const content = await fs.readFile(configPath, 'utf8');
+    if (configPath.endsWith('.json')) {
+      JSON.parse(content);
+    } else {
+      yaml.load(content);
+    }
   } catch (error) {
-    throw new Error(`Invalid YAML syntax in application.yaml: ${error.message}`);
+    throw new Error(`Invalid syntax in ${path.basename(configPath)}: ${error.message}`);
   }
   for (const fileName of deployFiles) {
     try {
@@ -597,22 +622,23 @@ async function validateGeneratedFiles(appName) {
  * @returns {Promise<Object>} Snapshot of file contents keyed by path
  */
 async function captureExternalSnapshot(appPath) {
-  const variablesPath = path.join(appPath, 'application.yaml');
-  const variablesContent = await fs.readFile(variablesPath, 'utf8');
-  const variables = yaml.load(variablesContent);
+  const configPath = await resolveApplicationConfigPath(appPath);
+  if (!configPath) {
+    throw new Error(`Application config not found in ${appPath}`);
+  }
+  const content = await fs.readFile(configPath, 'utf8');
+  const variables = configPath.endsWith('.json') ? JSON.parse(content) : yaml.load(content);
 
   if (!variables || !variables.externalIntegration) {
-    throw new Error(`externalIntegration block not found in ${variablesPath}`);
+    throw new Error(`externalIntegration block not found in ${configPath}`);
   }
 
-  const systemFiles = variables.externalIntegration.systems || [];
-  const datasourceFiles = variables.externalIntegration.dataSources || [];
   const fileNames = [
-    'application.yaml',
+    path.basename(configPath),
     'env.template',
     'README.md',
-    ...systemFiles,
-    ...datasourceFiles
+    ...(variables.externalIntegration.systems || []),
+    ...(variables.externalIntegration.dataSources || [])
   ];
 
   const rbacPath = path.join(appPath, 'rbac.yml');
@@ -658,7 +684,7 @@ function compareSnapshots(before, after) {
  * @returns {boolean} True if test app name
  */
 function isTestAppName(appName) {
-  return appName.startsWith('hubspot-test-');
+  return appName.startsWith('wizard-e2e-');
 }
 
 /**
@@ -769,6 +795,20 @@ async function testDownloadAndSplit(appName, context, options) {
   logSuccess('Download and split workflow validated.');
 }
 
+/**
+ * Returns a skip message only when the wizard failure is due to dataplane unreachable (no service).
+ * Does not skip for auth/session errors when dataplane is up (so tests fail with the real error).
+ * @param {string} errorOutput - Combined stdout + stderr from wizard command
+ * @returns {string|null} Skip message or null
+ */
+function getWizardEnvironmentSkipMessage(errorOutput) {
+  if (errorOutput.includes('Failed to discover dataplane URL') ||
+      errorOutput.includes('Application not found')) {
+    return 'Dataplane service not found in environment. Deploy dataplane service to the controller.';
+  }
+  return null;
+}
+
 /**
  * Runs wizard and validates generated files
  * @async
@@ -778,12 +818,17 @@ async function testDownloadAndSplit(appName, context, options) {
  * @param {Object} context - Test context
  * @param {Object} options - Options object
  * @returns {Promise<void>} Resolves when wizard completes and files are validated
+ * @throws {SkipTestError} If wizard fails due to environment (dataplane/auth)
  * @throws {Error} If wizard fails or validation fails
  */
 async function runWizardAndValidate(configPath, appName, context, options) {
   const result = await runWizard(configPath, context, options);
   if (!result.success) {
     const errorOutput = `${result.stdout}\n${result.stderr}`;
+    const skipMsg = getWizardEnvironmentSkipMessage(errorOutput);
+    if (skipMsg) {
+      throw new SkipTestError(skipMsg);
+    }
     throw new Error(`Wizard failed for ${appName}:\n${errorOutput}`);
   }
 
@@ -884,18 +929,18 @@ function buildPositiveTestCases(context) {
           throw new Error(`OpenAPI file not found: ${context.openapiFile}`);
         }
         ensureEnvVar('CONTROLLER_URL', context.controllerUrl);
-        // Try to run wizard - if dataplane discovery fails, skip the test
+        // Try to run wizard - if dataplane/auth fails, skip the test
         const result = await runWizard(configPath, context, options);
         if (!result.success) {
           const errorOutput = `${result.stdout}\n${result.stderr}`;
-          if (errorOutput.includes('Failed to discover dataplane URL') ||
-              errorOutput.includes('Application not found')) {
-            throw new SkipTestError('Dataplane service not found in environment. Deploy dataplane service to the controller.');
+          const skipMsg = getWizardEnvironmentSkipMessage(errorOutput);
+          if (skipMsg) {
+            throw new SkipTestError(skipMsg);
           }
           throw new Error(`Wizard failed: ${errorOutput}`);
         }
-        await validateGeneratedFiles('hubspot-test-e2e');
-        await cleanupAppArtifacts('hubspot-test-e2e', options);
+        await validateGeneratedFiles('wizard-e2e-e2e');
+        await cleanupAppArtifacts('wizard-e2e-e2e', options);
       }
     },
     {
@@ -908,11 +953,11 @@ function buildPositiveTestCases(context) {
           throw new Error(`Missing config file: ${configPath}`);
         }
         try {
-          await ensureDataplaneUrl(context, 'hubspot-test-platform');
+          await ensureDataplaneUrl(context, 'wizard-e2e-platform');
         } catch (error) {
           throw new SkipTestError(`Dataplane service not found: ${error.message}`);
         }
-        await runWizardAndValidate(configPath, 'hubspot-test-platform', context, options);
+        await runWizardAndValidate(configPath, 'wizard-e2e-platform', context, options);
       }
     },
     {
@@ -922,14 +967,14 @@ function buildPositiveTestCases(context) {
       run: async(options) => {
         let dataplaneUrl;
         try {
-          dataplaneUrl = await ensureDataplaneUrl(context, 'hubspot-test-env-vars');
+          dataplaneUrl = await ensureDataplaneUrl(context, 'wizard-e2e-env-vars');
         } catch (error) {
           throw new SkipTestError(`Dataplane service not found: ${error.message}`);
         }
         ensureEnvVar('CONTROLLER_URL', context.controllerUrl);
         ensureEnvVar('DATAPLANE_URL', dataplaneUrl);
         const configPath = await writeWizardConfig('wizard-hubspot-env-vars', {
-          appName: 'hubspot-test-env-vars',
+          appName: 'wizard-e2e-env-vars',
           mode: 'create-system',
           source: {
             type: 'openapi-file',
@@ -941,7 +986,7 @@ function buildPositiveTestCases(context) {
             environment: context.environment
           }
         });
-        await runWizardAndValidate(configPath, 'hubspot-test-env-vars', context, options);
+        await runWizardAndValidate(configPath, 'wizard-e2e-env-vars', context, options);
       }
     }
   ];
@@ -966,7 +1011,7 @@ function buildRealDataTestCases(context) {
         requireEnvVars(['HUBSPOT_CLIENT_ID', 'HUBSPOT_CLIENT_SECRET']);
         ensureEnvVar('HUBSPOT_TOKEN_URL', 'https://api.hubapi.com/oauth/v1/token');
         const configPath = await writeWizardConfig('wizard-hubspot-credential-real', {
-          appName: 'hubspot-test-credential-real',
+          appName: 'wizard-e2e-credential-real',
           mode: 'create-system',
           source: {
             type: 'openapi-file',
@@ -975,7 +1020,7 @@ function buildRealDataTestCases(context) {
           credential: {
             action: 'create',
             config: {
-              key: 'hubspot-test-cred-real',
+              key: 'wizard-e2e-cred-real',
               displayName: 'HubSpot Test Credential (Real)',
               type: 'OAUTH2',
               config: {
@@ -992,7 +1037,7 @@ function buildRealDataTestCases(context) {
             }
           }
         });
-        await runWizardAndValidate(configPath, 'hubspot-test-credential-real', context, options);
+        await runWizardAndValidate(configPath, 'wizard-e2e-credential-real', context, options);
       }
     }
   ];
@@ -1038,7 +1083,7 @@ function buildNegativeConfigTestCases(context) {
       name: 'Missing source block',
       run: async(options) => {
         const configPath = await writeWizardConfig('wizard-invalid-missing-source', {
-          appName: 'hubspot-test-negative-missing-source',
+          appName: 'wizard-e2e-negative-missing-source',
           mode: 'create-system'
         });
         await runWizardExpectFailure(configPath, context, options, 'Missing required field: source');
@@ -1050,7 +1095,7 @@ function buildNegativeConfigTestCases(context) {
       name: 'Invalid source type',
       run: async(options) => {
         const configPath = await writeWizardConfig('wizard-invalid-source', {
-          appName: 'hubspot-test-negative-source',
+          appName: 'wizard-e2e-negative-source',
           mode: 'create-system',
           source: { type: 'invalid-type' }
         });
@@ -1063,7 +1108,7 @@ function buildNegativeConfigTestCases(context) {
       name: 'Invalid mode',
       run: async(options) => {
         const configPath = await writeWizardConfig('wizard-invalid-mode', {
-          appName: 'hubspot-test-negative-mode',
+          appName: 'wizard-e2e-negative-mode',
           mode: 'invalid-mode',
           source: { type: 'known-platform', platform: 'hubspot' }
         });
@@ -1076,7 +1121,7 @@ function buildNegativeConfigTestCases(context) {
       name: 'Known platform missing platform',
       run: async(options) => {
         const configPath = await writeWizardConfig('wizard-invalid-known-platform', {
-          appName: 'hubspot-test-negative-platform',
+          appName: 'wizard-e2e-negative-platform',
           mode: 'create-system',
           source: { type: 'known-platform' }
         });
@@ -1089,7 +1134,7 @@ function buildNegativeConfigTestCases(context) {
       name: 'Missing OpenAPI file path',
       run: async(options) => {
         const configPath = await writeWizardConfig('wizard-invalid-openapi-file', {
-          appName: 'hubspot-test-negative-openapi',
+          appName: 'wizard-e2e-negative-openapi',
           mode: 'create-system',
           source: { type: 'openapi-file', filePath: '/tmp/does-not-exist.json' }
         });
@@ -1102,7 +1147,7 @@ function buildNegativeConfigTestCases(context) {
       name: 'OpenAPI URL missing url',
       run: async(options) => {
         const configPath = await writeWizardConfig('wizard-invalid-openapi-url', {
-          appName: 'hubspot-test-negative-openapi-url',
+          appName: 'wizard-e2e-negative-openapi-url',
           mode: 'create-system',
           source: { type: 'openapi-url' }
         });
@@ -1126,7 +1171,7 @@ function buildNegativeCredentialTestCases(context) {
       name: 'Add datasource missing systemIdOrKey',
       run: async(options) => {
         const configPath = await writeWizardConfig('wizard-invalid-add-datasource', {
-          appName: 'hubspot-test-negative-add-datasource',
+          appName: 'wizard-e2e-negative-add-datasource',
           mode: 'add-datasource',
           source: { type: 'known-platform', platform: 'hubspot' }
         });
@@ -1139,7 +1184,7 @@ function buildNegativeCredentialTestCases(context) {
       name: 'Credential select missing credentialIdOrKey',
       run: async(options) => {
         const configPath = await writeWizardConfig('wizard-invalid-credential-select', {
-          appName: 'hubspot-test-negative-credential-select',
+          appName: 'wizard-e2e-negative-credential-select',
           mode: 'create-system',
           source: { type: 'known-platform', platform: 'hubspot' },
           credential: { action: 'select' }
@@ -1153,7 +1198,7 @@ function buildNegativeCredentialTestCases(context) {
       name: 'Credential create missing config',
       run: async(options) => {
         const configPath = await writeWizardConfig('wizard-invalid-credential-create', {
-          appName: 'hubspot-test-negative-credential-create',
+          appName: 'wizard-e2e-negative-credential-create',
           mode: 'create-system',
           source: { type: 'known-platform', platform: 'hubspot' },
           credential: { action: 'create' }
@@ -1176,13 +1221,7 @@ function buildNegativeCredentialTestCases(context) {
  * @throws {Error} If validation succeeds or expected message not found
  */
 async function runValidationExpectFailure(appName, context, options, expectedMessage = null) {
-  const validateArgs = [
-    'bin/aifabrix.js',
-    'validate',
-    appName,
-    '--type',
-    'external'
-  ];
+  const validateArgs = ['bin/aifabrix.js', 'validate', appName];
   const result = await runCommand('node', validateArgs, options);
   if (result.success) {
     throw new Error('Expected validation to fail, but it succeeded.');
@@ -1363,7 +1402,7 @@ function buildNegativeRbacTestCases(context) {
       type: 'negative',
       name: 'RBAC missing role referenced in permissions',
       run: async(options) => {
-        const appName = 'hubspot-test-negative-rbac-missing-role';
+        const appName = 'wizard-e2e-negative-rbac-missing-role';
         const appPath = await createSystemForNegativeTest(appName, 'wizard-valid-for-rbac-test', context, options);
         await corruptSystemFileWithInvalidRole(appPath);
         await runValidationExpectFailure(appName, context, options, 'references role "non-existent-role" which does not exist');
@@ -1375,7 +1414,11 @@ function buildNegativeRbacTestCases(context) {
       type: 'negative',
       name: 'RBAC invalid YAML syntax',
       run: async(options) => {
-        const appName = 'hubspot-test-negative-rbac-invalid-yaml';
+        const appName = 'wizard-e2e-negative-rbac-invalid-yaml';
+        const appDir = path.join(process.cwd(), 'integration', appName);
+        if (fsSync.existsSync(appDir)) {
+          await fs.rm(appDir, { recursive: true, force: true });
+        }
         const appPath = await createSystemForNegativeTest(appName, 'wizard-valid-for-rbac-yaml-test', context, options);
         await corruptRbacFile(appPath);
         await runValidationExpectFailure(appName, context, options, 'Invalid YAML syntax in rbac.yaml');
@@ -1409,7 +1452,7 @@ function buildNegativeDimensionTestCases(context) {
     createTestCase(
       '2.14',
       'Datasource missing dimensions in fieldMappings',
-      'hubspot-test-negative-dimension-missing',
+      'wizard-e2e-negative-dimension-missing',
       'wizard-valid-for-dimension-test',
       corruptDatasourceRemoveDimensions,
       'Missing required property "dimensions"'
@@ -1417,7 +1460,7 @@ function buildNegativeDimensionTestCases(context) {
     createTestCase(
       '2.15',
       'Datasource invalid dimension key pattern',
-      'hubspot-test-negative-dimension-invalid-key',
+      'wizard-e2e-negative-dimension-invalid-key',
       'wizard-valid-for-dimension-key-test',
       corruptDatasourceInvalidDimensionKey,
       'Must be at most 40 characters'
@@ -1425,7 +1468,7 @@ function buildNegativeDimensionTestCases(context) {
     createTestCase(
       '2.16',
       'Datasource invalid attribute path pattern',
-      'hubspot-test-negative-dimension-invalid-path',
+      'wizard-e2e-negative-dimension-invalid-path',
       'wizard-valid-for-dimension-path-test',
       corruptDatasourceInvalidAttributePath,
       'must match pattern'
@@ -1433,7 +1476,7 @@ function buildNegativeDimensionTestCases(context) {
     createTestCase(
       '2.17',
       'Datasource dimensions as array instead of object',
-      'hubspot-test-negative-dimension-array',
+      'wizard-e2e-negative-dimension-array',
       'wizard-valid-for-dimension-array-test',
       corruptDatasourceDimensionsAsArray,
       'Expected object, got undefined'

package/integration/{hubspot → hubspot-test}/wizard-hubspot-e2e.yaml

@@ -1,8 +1,8 @@
-appName: hubspot-test-e2e
+appName: wizard-e2e-e2e
 mode: create-system
 source:
   type: openapi-file
-  filePath: /workspace/aifabrix-builder/integration/hubspot/companies.json
+  filePath: /workspace/aifabrix-builder/integration/hubspot-test/companies.json
 credential:
   action: skip
 preferences:

package/integration/{hubspot → hubspot-test}/wizard-hubspot-platform.yaml

@@ -1,4 +1,4 @@
-appName: hubspot-test-platform
+appName: wizard-e2e-platform
 mode: create-system
 source:
   type: known-platform

package/lib/api/external-test.api.js

@@ -17,7 +17,7 @@ const { ApiClient } = require('./index');
  * @async
  * @function testDatasourceE2E
  * @param {string} dataplaneUrl - Dataplane base URL
- * @param {string} sourceIdOrKey - Source ID or datasource key (e.g. hubspot-test-v4-contacts)
+ * @param {string} sourceIdOrKey - Source ID or datasource key (e.g. hubspot-test-contacts)
  * @param {Object} authConfig - Authentication configuration (must have token or apiKey; client creds rejected)
  * @param {Object} [body] - Optional request body (e.g. includeDebug, testCrud, recordId, cleanup, primaryKeyValue)
  * @param {Object} [options] - Optional options

package/lib/api/service-users.api.js

@@ -1,5 +1,5 @@
 /**
- * @fileoverview Service users API functions (create service user with one-time secret)
+ * @fileoverview Service users API functions (create, list, rotate-secret, delete, update)
  * @author AI Fabrix Team
  * @version 2.0.0
  */
@@ -36,6 +36,115 @@ async function createServiceUser(controllerUrl, authConfig, body) {
   });
 }
 
+/**
+ * List service users with optional pagination and search
+ * GET /api/v1/service-users
+ * @requiresPermission {Controller} service-user:read
+ * @async
+ * @function listServiceUsers
+ * @param {string} controllerUrl - Controller base URL
+ * @param {Object} authConfig - Authentication configuration (bearer or client-credentials)
+ * @param {Object} [options] - Query options
+ * @param {number} [options.page] - Page number
+ * @param {number} [options.pageSize] - Items per page
+ * @param {string} [options.sort] - Sort field/direction
+ * @param {string} [options.filter] - Filter expression
+ * @param {string} [options.search] - Search term
+ * @returns {Promise<Object>} Response with data (array), meta, links
+ * @throws {Error} If request fails (401/403 or network)
+ */
+async function listServiceUsers(controllerUrl, authConfig, options = {}) {
+  const client = new ApiClient(controllerUrl, authConfig);
+  const params = {};
+  if (options.page !== undefined && options.page !== null) params.page = options.page;
+  if (options.pageSize !== undefined && options.pageSize !== null) params.pageSize = options.pageSize;
+  if (options.sort) params.sort = options.sort;
+  if (options.filter) params.filter = options.filter;
+  if (options.search) params.search = options.search;
+  return await client.get('/api/v1/service-users', { params });
+}
+
+/**
+ * Regenerate (rotate) secret for a service user. New secret is returned once only.
+ * POST /api/v1/service-users/{id}/regenerate-secret
+ * @requiresPermission {Controller} service-user:update
+ * @async
+ * @function regenerateSecretServiceUser
+ * @param {string} controllerUrl - Controller base URL
+ * @param {Object} authConfig - Authentication configuration
+ * @param {string} id - Service user ID (UUID)
+ * @returns {Promise<Object>} Response with data.clientSecret
+ * @throws {Error} If request fails (401/403/404 or network)
+ */
+async function regenerateSecretServiceUser(controllerUrl, authConfig, id) {
+  const client = new ApiClient(controllerUrl, authConfig);
+  return await client.post(`/api/v1/service-users/${encodeURIComponent(id)}/regenerate-secret`);
+}
+
+/**
+ * Delete (deactivate) a service user
+ * DELETE /api/v1/service-users/{id}
+ * @requiresPermission {Controller} service-user:delete
+ * @async
+ * @function deleteServiceUser
+ * @param {string} controllerUrl - Controller base URL
+ * @param {Object} authConfig - Authentication configuration
+ * @param {string} id - Service user ID (UUID)
+ * @returns {Promise<Object>} Response (data may be null)
+ * @throws {Error} If request fails (401/403/404 or network)
+ */
+async function deleteServiceUser(controllerUrl, authConfig, id) {
+  const client = new ApiClient(controllerUrl, authConfig);
+  return await client.delete(`/api/v1/service-users/${encodeURIComponent(id)}`);
+}
+
+/**
+ * Update group assignments for a service user
+ * PUT /api/v1/service-users/{id}/groups
+ * @requiresPermission {Controller} service-user:update
+ * @async
+ * @function updateGroupsServiceUser
+ * @param {string} controllerUrl - Controller base URL
+ * @param {Object} authConfig - Authentication configuration
+ * @param {string} id - Service user ID (UUID)
+ * @param {Object} body - Request body
+ * @param {string[]} body.groupNames - Group names to set
+ * @returns {Promise<Object>} Response with data.id, data.groupNames
+ * @throws {Error} If request fails (400/401/403/404 or network)
+ */
+async function updateGroupsServiceUser(controllerUrl, authConfig, id, body) {
+  const client = new ApiClient(controllerUrl, authConfig);
+  return await client.put(`/api/v1/service-users/${encodeURIComponent(id)}/groups`, {
+    body: { groupNames: body.groupNames }
+  });
+}
+
+/**
+ * Update redirect URIs for a service user (min 1). Controller merges in its callback URL.
+ * PUT /api/v1/service-users/{id}/redirect-uris
+ * @requiresPermission {Controller} service-user:update
+ * @async
+ * @function updateRedirectUrisServiceUser
+ * @param {string} controllerUrl - Controller base URL
+ * @param {Object} authConfig - Authentication configuration
+ * @param {string} id - Service user ID (UUID)
+ * @param {Object} body - Request body
+ * @param {string[]} body.redirectUris - Redirect URIs (min 1)
+ * @returns {Promise<Object>} Response with data.id, data.redirectUris
+ * @throws {Error} If request fails (400/401/403/404 or network)
+ */
+async function updateRedirectUrisServiceUser(controllerUrl, authConfig, id, body) {
+  const client = new ApiClient(controllerUrl, authConfig);
+  return await client.put(`/api/v1/service-users/${encodeURIComponent(id)}/redirect-uris`, {
+    body: { redirectUris: body.redirectUris }
+  });
+}
+
 module.exports = {
-  createServiceUser
+  createServiceUser,
+  listServiceUsers,
+  regenerateSecretServiceUser,
+  deleteServiceUser,
+  updateGroupsServiceUser,
+  updateRedirectUrisServiceUser
 };

package/lib/api/types/service-users.types.js

@@ -22,3 +22,44 @@
  * @property {boolean} [success] - Optional wrapper flag
  * @property {string} [createdAt] - Optional creation timestamp (ISO 8601)
  */
+
+/**
+ * Single service user item in list response
+ * @typedef {Object} ListServiceUserItem
+ * @property {string} id - Service user ID (UUID)
+ * @property {string} [username] - Username
+ * @property {string} [email] - Email
+ * @property {string} [clientId] - OAuth2 client ID
+ * @property {boolean} [active] - Whether the service user is active
+ */
+
+/**
+ * List service users response (Controller GET /api/v1/service-users)
+ * @typedef {Object} ListServiceUsersResponse
+ * @property {ListServiceUserItem[]} data - Array of service users
+ * @property {Object} [meta] - Pagination metadata (e.g. total, page, pageSize)
+ * @property {Object} [links] - Pagination links
+ */
+
+/**
+ * Regenerate secret response (Controller POST .../regenerate-secret). clientSecret is one-time-only.
+ * @typedef {Object} RegenerateSecretServiceUserResponse
+ * @property {Object} data - Response data
+ * @property {string} data.clientSecret - New client secret (shown once only)
+ */
+
+/**
+ * Update groups response (Controller PUT .../groups)
+ * @typedef {Object} UpdateGroupsServiceUserResponse
+ * @property {Object} data - Response data
+ * @property {string} data.id - Service user ID
+ * @property {string[]} data.groupNames - Updated group names
+ */
+
+/**
+ * Update redirect URIs response (Controller PUT .../redirect-uris)
+ * @typedef {Object} UpdateRedirectUrisServiceUserResponse
+ * @property {Object} data - Response data
+ * @property {string} data.id - Service user ID
+ * @property {string[]} data.redirectUris - Updated redirect URIs
+ */

package/lib/app/register.js

@@ -150,7 +150,9 @@ async function registerApplication(appKey, options = {}) {
   logger.log(chalk.blue('📋 Registering application...\n'));
 
   const { resolveControllerUrl } = require('../utils/controller-url');
-  const { resolveEnvironment } = require('../core/config');
+  const config = require('../core/config');
+  await config.ensureSecretsEncryptionKey();
+  const { resolveEnvironment } = config;
 
   // Load application config
   const { variables, created } = await loadVariablesYaml(appKey);

package/lib/app/rotate-secret.js

@@ -339,6 +339,9 @@ async function executeRotation(appKey, actualControllerUrl, environment, token)
 async function rotateSecret(appKey, _options = {}) {
   logger.log(chalk.yellow('⚠️  This will invalidate the old ClientSecret!\n'));
 
+  const { ensureSecretsEncryptionKey } = require('../core/config');
+  await ensureSecretsEncryptionKey();
+
   const { controllerUrl, environment } = await resolveControllerAndEnvironment();
   const config = await getConfig();
   const { token, actualControllerUrl } = await getRotationAuthToken(controllerUrl, config);

package/lib/cli/setup-app.js

@@ -140,12 +140,12 @@ Examples:
   $ aifabrix wizard my-integration --silent  Run headless with integration/my-integration/wizard.yaml (no prompts)
   $ aifabrix wizard -a my-integration   Same as above (app name set)
   $ aifabrix wizard --config wizard.yaml  Run headless from a wizard config file
-  $ aifabrix wizard hubspot-test-v2 --debug  Enable debug output and save debug manifests on validation failure
+  $ aifabrix wizard hubspot-test --debug  Enable debug output and save debug manifests on validation failure
 
 Config path: When appName is provided, integration/<appName>/wizard.yaml is used for load/save and error.log.
 To change settings after a run, edit that file and run "aifabrix wizard <app>" again.
 Headless config must include: appName, mode (create-system|add-datasource), source (type + filePath/url/platform).
-See integration/hubspot/wizard-hubspot-e2e.yaml for an example.`;
+See integration/hubspot-test/wizard-hubspot-e2e.yaml for an example.`;
   program.command('wizard [appName]')
     .description('Create or extend external systems (OpenAPI, MCP, or known platforms like HubSpot) via guided steps or a config file')
     .option('-a, --app <app>', 'Application name (synonym for positional appName)')