@aifabrix/builder 2.42.1 → 2.43.0

package/lib/schema/env-config.yaml

@@ -16,11 +16,19 @@ environments:
     REDIS_PORT: 6379  # Internal port (container-to-container). REDIS_PUBLIC_PORT calculated automatically.
     MISO_HOST: miso-controller
     MISO_PORT: 3000  # Internal port (container-to-container). MISO_PUBLIC_PORT calculated automatically.
+    MISO_PUBLIC_PORT: 3000
     KEYCLOAK_HOST: keycloak
-    KEYCLOAK_PORT: 8082  # Internal port (container-to-container). KEYCLOAK_PUBLIC_PORT calculated automatically.
+    KEYCLOAK_PORT: 8080  # Internal port (container-to-container). KEYCLOAK_PUBLIC_PORT calculated automatically.
     KEYCLOAK_PUBLIC_PORT: 8082
+    MORI_HOST: mori-controller
+    MORI_PORT: 3004
+    OPENWEBUI_HOST: openwebui
+    OPENWEBUI_PORT: 3003
+    FLOWISE_HOST: flowise
+    FLOWISE_PORT: 3002
     DATAPLANE_HOST: dataplane
-    DATAPLANE_PORT: 3001 # Internal port (container-to-container). DATAPLANE_PUBLIC_PORT calculated automatically.
+    DATAPLANE_PORT: 3001  # Internal port (container-to-container). DATAPLANE_PUBLIC_PORT calculated automatically.
+    DATAPLANE_PUBLIC_PORT: 3001
     NODE_ENV: production
     PYTHONUNBUFFERED: 1
     PYTHONDONTWRITEBYTECODE: 1
@@ -33,10 +41,19 @@ environments:
     REDIS_PORT: 6379
     MISO_HOST: localhost
     MISO_PORT: 3010
+    MISO_PUBLIC_PORT: 3010
     KEYCLOAK_HOST: localhost
     KEYCLOAK_PORT: 8082
+    KEYCLOAK_PUBLIC_PORT: 8082
+    MORI_HOST: localhost
+    MORI_PORT: 3014
+    OPENWEBUI_HOST: localhost
+    OPENWEBUI_PORT: 3013
+    FLOWISE_HOST: localhost
+    FLOWISE_PORT: 3012
     DATAPLANE_HOST: localhost
     DATAPLANE_PORT: 3011
+    DATAPLANE_PUBLIC_PORT: 3011
     NODE_ENV: development
     PYTHONUNBUFFERED: 1
     PYTHONDONTWRITEBYTECODE: 1

package/lib/schema/external-datasource.schema.json

@@ -544,7 +544,7 @@
         "properties":{
            "rejectIf":{
               "type":"array",
-              "description":"List of conditions that cause a record to be rejected.",
+              "description":"List of conditions that cause a record to be rejected. For lessThan: missing field is treated as reject. For greaterThan: missing field is not rejected. See quality docs for operator semantics.",
               "items":{
                  "type":"object",
                  "required":[
@@ -659,6 +659,11 @@
               "default":true,
               "description":"Enable two-phase sync pattern. When true: validates metadata first (quality rules, comparison with DocumentRecords), then fetches binaries via CIP for changed/new documents. When false: fetches binaries directly without metadata validation phase (single-phase sync). Note: Files are never synced back to external systems (one-way sync only: external → dataplane)."
            },
+           "ingestAfterSync":{
+              "type":"boolean",
+              "default":false,
+              "description":"When true, chunk and embed each document after store during sync so vector search returns hits immediately. When false, ingestion runs later (e.g. Celery task or on approval). Set true for E2E tests that validate vector step."
+           },
            "binaryOperationRef":{
               "type":"string",
               "default":"get",
@@ -700,6 +705,11 @@
                  },
                  "notifications":{
                     "type":"object"
+                 },
+                 "ingestAfterSync":{
+                    "type":"boolean",
+                    "default":false,
+                    "description":"When true, chunk and embed each document after store during sync so vector search returns hits."
                  }
               },
               "additionalProperties":false

package/lib/utils/app-config-resolver.js

@@ -49,4 +49,26 @@ function resolveApplicationConfigPath(appPath) {
   );
 }
 
-module.exports = { resolveApplicationConfigPath };
+const RBAC_NAMES = ['rbac.yaml', 'rbac.yml', 'rbac.json'];
+
+/**
+ * Resolves path to RBAC config file (rbac.yaml, rbac.yml, or rbac.json).
+ * Returns the first path that exists; no renames or migrations.
+ *
+ * @param {string} appPath - Absolute path to application directory
+ * @returns {string|null} Absolute path to RBAC file, or null if none exist
+ */
+function resolveRbacPath(appPath) {
+  if (!appPath || typeof appPath !== 'string') {
+    throw new Error('App path is required and must be a string');
+  }
+  for (const name of RBAC_NAMES) {
+    const candidate = path.join(appPath, name);
+    if (fs.existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  return null;
+}
+
+module.exports = { resolveApplicationConfigPath, resolveRbacPath };

package/lib/utils/config-paths.js

@@ -56,30 +56,73 @@ async function setPathConfig(getConfigFn, saveConfigFn, key, value, errorMsg) {
   await saveConfigFn(config);
 }
 
+/**
+ * Clear a path config key (set to undefined so getPathConfig returns null).
+ * @param {Function} getConfigFn - Function to get config
+ * @param {Function} saveConfigFn - Function to save config
+ * @param {string} key - Configuration key
+ * @returns {Promise<void>}
+ */
+async function clearPathConfig(getConfigFn, saveConfigFn, key) {
+  const config = await getConfigFn();
+  config[key] = undefined;
+  await saveConfigFn(config);
+}
+
 function createHomeAndSecretsPathFunctions(getConfigFn, saveConfigFn) {
   return {
     async getAifabrixHomeOverride() {
       return getPathConfig(getConfigFn, 'aifabrix-home');
     },
     async setAifabrixHomeOverride(homePath) {
-      await setPathConfig(getConfigFn, saveConfigFn, 'aifabrix-home', homePath, 'Home path is required and must be a string');
+      if (typeof homePath !== 'string') {
+        throw new Error('Home path is required and must be a string');
+      }
+      const trimmed = homePath.trim();
+      if (trimmed === '') {
+        await clearPathConfig(getConfigFn, saveConfigFn, 'aifabrix-home');
+        return;
+      }
+      await setPathConfig(getConfigFn, saveConfigFn, 'aifabrix-home', trimmed, 'Home path must be a non-empty string');
     },
     async getAifabrixSecretsPath() {
       return getPathConfig(getConfigFn, 'aifabrix-secrets');
     },
     async setAifabrixSecretsPath(secretsPath) {
-      await setPathConfig(getConfigFn, saveConfigFn, 'aifabrix-secrets', secretsPath, 'Secrets path is required and must be a string');
+      if (typeof secretsPath !== 'string') {
+        throw new Error('Secrets path is required and must be a string');
+      }
+      const trimmed = secretsPath.trim();
+      if (trimmed === '') {
+        await clearPathConfig(getConfigFn, saveConfigFn, 'aifabrix-secrets');
+        return;
+      }
+      await setPathConfig(getConfigFn, saveConfigFn, 'aifabrix-secrets', trimmed, 'Secrets path must be a non-empty string');
     }
   };
 }
 
+/** Default env-config path when aifabrix-env-config is not set (builder schema). */
+function getDefaultEnvConfigPath() {
+  return path.join(__dirname, '..', 'schema', 'env-config.yaml');
+}
+
 function createEnvConfigPathFunctions(getConfigFn, saveConfigFn) {
   return {
     async getAifabrixEnvConfigPath() {
-      return getPathConfig(getConfigFn, 'aifabrix-env-config');
+      const value = await getPathConfig(getConfigFn, 'aifabrix-env-config');
+      return value || getDefaultEnvConfigPath();
     },
     async setAifabrixEnvConfigPath(envConfigPath) {
-      await setPathConfig(getConfigFn, saveConfigFn, 'aifabrix-env-config', envConfigPath, 'Env config path is required and must be a string');
+      if (typeof envConfigPath !== 'string') {
+        throw new Error('Env config path is required and must be a string');
+      }
+      const trimmed = envConfigPath.trim();
+      if (trimmed === '') {
+        await clearPathConfig(getConfigFn, saveConfigFn, 'aifabrix-env-config');
+        return;
+      }
+      await setPathConfig(getConfigFn, saveConfigFn, 'aifabrix-env-config', trimmed, 'Env config path must be a non-empty string');
     },
     async getAifabrixBuilderDir() {
       const envConfigPath = await getPathConfig(getConfigFn, 'aifabrix-env-config');
@@ -214,6 +257,7 @@ module.exports = {
   getPathConfig,
   setPathConfig,
   createPathConfigFunctions,
+  getDefaultEnvConfigPath,
   SETTINGS_RESPONSE_KEYS
 };
 

package/lib/utils/credential-secrets-env.js

@@ -92,6 +92,17 @@ function kvPathInferred(segments) {
   return (namespace && pathVar) ? `kv://${namespace}/${pathVar}` : null;
 }
 
+/**
+ * Returns the path segment used in kv://<systemKey>/<segment> for a given security key.
+ * Uses the same derivation as env key → path (securityKeyToVar + varSegmentsToCamelCase).
+ * @param {string} securityKey - Security key (e.g. 'apiKey', 'clientId', 'clientSecret')
+ * @returns {string} Canonical path segment (e.g. 'apiKey', 'clientId')
+ */
+function getKvPathSegmentForSecurityKey(securityKey) {
+  if (!securityKey || typeof securityKey !== 'string') return '';
+  return varSegmentsToCamelCase([securityKeyToVar(securityKey)]);
+}
+
 /**
  * Converts KV_* env key to kv:// path in format kv://<system-key>/<variable>.
  * System-key uses hyphens (e.g. microsoft-teams); variable is camelCase (e.g. clientId).
@@ -220,7 +231,10 @@ function buildItemsFromEnv(envFilePath, secrets, itemsByKey) {
     const fromEnv = collectKvEnvVarsAsSecretItems(envMap);
     for (const { key, value } of fromEnv) {
       const resolved = resolveKvValue(secrets, value);
-      if (resolved !== null && resolved !== undefined && isValidKvPath(key)) itemsByKey.set(key, resolved);
+      // Skip placeholder: value that equals the kv path (e.g. from env.template) must not be pushed as the secret
+      if (resolved !== null && resolved !== undefined && isValidKvPath(key) && resolved.trim() !== key.trim()) {
+        itemsByKey.set(key, resolved);
+      }
     }
   } catch {
     // Best-effort: continue without .env items
@@ -349,6 +363,7 @@ module.exports = {
   collectKvRefsFromPayload,
   pushCredentialSecrets,
   kvEnvKeyToPath,
+  getKvPathSegmentForSecurityKey,
   systemKeyToKvPrefix,
   securityKeyToVar,
   isValidKvPath,

package/lib/utils/env-map.js

@@ -270,9 +270,13 @@ function calculateDockerPublicPorts(result, devIdNum, schemaBaseVars = {}) {
     // Match any variable ending with _PORT (e.g., MISO_PORT, KEYCLOAK_PORT, DB_PORT)
     if (/_PORT$/.test(key) && !/_PUBLIC_PORT$/.test(key)) {
       const publicPortKey = key.replace(/_PORT$/, '_PUBLIC_PORT');
-      // Use schema port when available so PUBLIC_PORT is canonical (e.g. 8082), not overridden (e.g. 8080)
-      const schemaPort = schemaBaseVars[key];
-      const sourceVal = schemaPort !== undefined && schemaPort !== null ? schemaPort : value;
+      // Prefer schema *_PUBLIC_PORT (e.g. KEYCLOAK_PUBLIC_PORT: 8082) so public port is canonical;
+      // fall back to schema *_PORT (e.g. KEYCLOAK_PORT: 8080) then merged value
+      const schemaPublic = schemaBaseVars[publicPortKey];
+      const schemaInternal = schemaBaseVars[key];
+      const sourceVal = schemaPublic !== undefined && schemaPublic !== null
+        ? schemaPublic
+        : (schemaInternal !== undefined && schemaInternal !== null ? schemaInternal : value);
       let portVal;
       if (typeof sourceVal === 'string') {
         portVal = parseInt(sourceVal, 10);

package/lib/utils/error-formatter.js

@@ -19,6 +19,8 @@ const PATTERN_DESCRIPTIONS = {
   '^[a-z-]+$': 'lowercase letters and hyphens only',
   '^[A-Z_][A-Z0-9_]*$': 'uppercase letters, numbers, and underscores (must start with letter or underscore)',
   '^[a-zA-Z0-9_-]+$': 'letters, numbers, hyphens, and underscores only',
+  '^[a-zA-Z0-9_]+$': 'letters, numbers, and underscores only',
+  '^[a-zA-Z0-9_.]+$': 'letters, numbers, underscores, and dots only',
   '^(http|https)://.*$': 'valid HTTP or HTTPS URL',
   '^/[a-z0-9/-]*$': 'URL path starting with / (lowercase letters, numbers, hyphens, slashes)'
 };
@@ -132,6 +134,35 @@ function createKeywordFormatters(field, error) {
  * @param {Object} error - Raw validation error from Ajv
  * @returns {string} Formatted error message
  */
+/**
+ * Formats oneOf/anyOf validation errors with actionable message
+ * @param {string} field - Field name
+ * @param {Object} error - AJV error (keyword oneOf or anyOf)
+ * @returns {string} Formatted error message
+ */
+function formatOneOfAnyOfError(field, error) {
+  const instancePath = (error.instancePath || '').replace(/^\//, '');
+  if (instancePath === 'capabilities') {
+    return `${field}: must be either an array of operation names (e.g. ["list","get"]) or an object with boolean flags (e.g. { "list": true }).`;
+  }
+  return `${field}: value does not match any allowed shape. Check type and required fields.`;
+}
+
+/**
+ * Formats const validation errors
+ * @param {string} field - Field name
+ * @param {Object} error - AJV error (keyword const)
+ * @returns {string} Formatted error message
+ */
+function formatConstError(field, error) {
+  const allowed = error.params?.allowedValue;
+  if (allowed !== undefined) {
+    const display = typeof allowed === 'string' ? `"${allowed}"` : String(allowed);
+    return `${field}: must be exactly ${display}`;
+  }
+  return `${field}: invalid value (constraint violation)`;
+}
+
 function formatSingleError(error) {
   const field = getFieldName(error);
 
@@ -142,6 +173,12 @@ function formatSingleError(error) {
   if (error.keyword === 'additionalProperties') {
     return formatAdditionalPropertiesError(field, error);
   }
+  if (error.keyword === 'oneOf' || error.keyword === 'anyOf') {
+    return formatOneOfAnyOfError(field, error);
+  }
+  if (error.keyword === 'const') {
+    return formatConstError(field, error);
+  }
 
   // Use object lookup for keyword-specific messages
   const formatters = createKeywordFormatters(field, error);

package/lib/utils/external-env-template.js

@@ -0,0 +1,180 @@
+/**
+ * Builds Handlebars context and generates env.template content for external systems.
+ * Single source for create, download, split, and repair so env.template structure is consistent.
+ *
+ * @fileoverview External system env.template generation
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const path = require('path');
+const fs = require('fs');
+const Handlebars = require('handlebars');
+const { systemKeyToKvPrefix, kvEnvKeyToPath, securityKeyToVar } = require('./credential-secrets-env');
+
+/**
+ * Builds hint string from portalInput (options → enum, validation → min-max or pattern).
+ * @param {Object} portalInput - Portal input config (label, options, validation)
+ * @returns {string} Hint suffix for comment
+ */
+function buildPortalInputHint(portalInput) {
+  if (!portalInput || typeof portalInput !== 'object') return '';
+  const parts = [];
+  if (Array.isArray(portalInput.options) && portalInput.options.length > 0) {
+    parts.push(`enum ${portalInput.options.join(',')}`);
+  }
+  const v = portalInput.validation;
+  if (v && typeof v === 'object') {
+    if (typeof v.minLength === 'number' || typeof v.maxLength === 'number') {
+      parts.push('min-max');
+    } else if (typeof v.pattern === 'string' && v.pattern) {
+      parts.push('pattern');
+    }
+  }
+  return parts.length ? ` - ${parts.join(', ')}` : '';
+}
+
+/** Fallback security keys by auth method when authentication.security is absent. */
+const FALLBACK_SECURITY_BY_AUTH = {
+  oauth2: ['clientId', 'clientSecret'],
+  oauth: ['clientId', 'clientSecret'],
+  aad: ['clientId', 'clientSecret'],
+  apikey: ['apiKey'],
+  apiKey: ['apiKey'],
+  basic: ['username', 'password'],
+  queryParam: ['paramValue'],
+  oidc: [],
+  hmac: ['signingSecret'],
+  bearer: ['bearerToken'],
+  token: ['bearerToken'],
+  none: []
+};
+
+/**
+ * Builds authSecureVars array from system authentication.security (or fallback by auth type).
+ * @param {Object} system - System object with key and authentication
+ * @returns {Array<{name: string, value: string}>}
+ */
+function buildAuthSecureVarsFromSystem(system) {
+  const authSecureVars = [];
+  const systemKey = system?.key || 'external-system';
+  const prefix = systemKeyToKvPrefix(systemKey);
+  if (!prefix) return authSecureVars;
+  const security = system?.authentication?.security || system?.auth?.security;
+  const authMethod = (system?.authentication?.method || system?.authentication?.type ||
+    system?.auth?.method || system?.auth?.type || 'apikey').toLowerCase();
+  if (security && typeof security === 'object' && Object.keys(security).length > 0) {
+    for (const key of Object.keys(security)) {
+      const envName = `KV_${prefix}_${securityKeyToVar(key)}`;
+      const pathVal = kvEnvKeyToPath(envName, systemKey);
+      authSecureVars.push({ name: envName, value: pathVal || `kv://${systemKey}/${key}` });
+    }
+  } else {
+    const keys = FALLBACK_SECURITY_BY_AUTH[authMethod] || FALLBACK_SECURITY_BY_AUTH.apikey;
+    for (const key of keys) {
+      authSecureVars.push({
+        name: `KV_${prefix}_${securityKeyToVar(key)}`,
+        value: `kv://${systemKey}/${key}`
+      });
+    }
+  }
+  return authSecureVars;
+}
+
+/**
+ * Builds configuration array with name, value, comment from system.configuration.
+ * @param {Object} system - System object with configuration array
+ * @returns {Array<{name: string, value: string, comment: string}>}
+ */
+function buildConfigurationEntries(system) {
+  const configuration = [];
+  const configList = Array.isArray(system?.configuration) ? system.configuration : [];
+  for (const entry of configList) {
+    if (!entry || !entry.name) continue;
+    const label = entry.portalInput?.label || entry.name;
+    const hint = buildPortalInputHint(entry.portalInput || {});
+    let value = entry.value !== undefined && entry.value !== null ? String(entry.value) : '';
+    if (entry.location === 'keyvault' && value && !value.startsWith('kv://')) value = `kv://${value}`;
+    configuration.push({ name: entry.name, value, comment: `${label}${hint}` });
+  }
+  return configuration;
+}
+
+/**
+ * Builds template context from system object for env.template.hbs.
+ * @param {Object} system - Full system object (e.g. deployment.system or parsed system file)
+ * @returns {{ authMethod: string, authSecureVars: Array<{name: string, value: string}>, authNonSecureVarNames: string[], configuration: Array<{name: string, value: string, comment: string}> }}
+ */
+function buildExternalEnvTemplateContext(system) {
+  const authMethod = (system?.authentication?.method ||
+    system?.authentication?.type ||
+    system?.auth?.method ||
+    system?.auth?.type ||
+    'apikey').toLowerCase();
+  const authSecureVars = buildAuthSecureVarsFromSystem(system);
+  const authVars = system?.authentication?.variables || system?.auth?.variables || {};
+  const authNonSecureVarNames = Object.keys(authVars);
+  const configuration = buildConfigurationEntries(system);
+  return {
+    authMethod,
+    authSecureVars,
+    authNonSecureVarNames,
+    configuration
+  };
+}
+
+/** Inline fallback when env.template.hbs is missing or unreadable (e.g. CI path or bundled). */
+const DEFAULT_ENV_TEMPLATE_HBS = `# Environment variables for external system integration
+# Use kv:// (or aifabrix secret set) for sensitive values; plain values for non-sensitive configuration.
+#
+
+{{#if authMethod}}
+# Authentication
+# Type: {{authMethod}}
+{{#each authSecureVars}}
+{{name}}={{value}}
+{{/each}}
+{{#if authNonSecureVarNames}}
+# Non-secure (e.g. URLs): {{#each authNonSecureVarNames}}{{this}}{{#unless @last}}, {{/unless}}{{/each}}
+{{/if}}
+
+{{/if}}
+{{#if configuration.length}}
+# Configuration
+{{#each configuration}}
+# {{comment}}
+{{name}}={{value}}
+{{/each}}
+{{/if}}
+`;
+
+/**
+ * Generates env.template content from system using the Handlebars template.
+ * @param {Object} system - Full system object (e.g. deployment.system or parsed system file)
+ * @returns {string} Rendered env.template content
+ */
+function generateExternalEnvTemplateContent(system) {
+  if (!system || typeof system !== 'object') {
+    return '# Environment variables for external system integration\n# Use kv:// (or aifabrix secret set) for sensitive values.\n\n';
+  }
+  let templateContent;
+  try {
+    const templatePath = path.join(__dirname, '..', '..', 'templates', 'external-system', 'env.template.hbs');
+    templateContent = fs.readFileSync(templatePath, 'utf8');
+  } catch (_) {
+    templateContent = undefined;
+  }
+  if (typeof templateContent !== 'string' || !templateContent.trim()) {
+    templateContent = DEFAULT_ENV_TEMPLATE_HBS;
+  }
+  const template = Handlebars.compile(templateContent);
+  const context = buildExternalEnvTemplateContext(system);
+  return template(context);
+}
+
+module.exports = {
+  buildExternalEnvTemplateContext,
+  generateExternalEnvTemplateContent
+};

package/lib/utils/external-system-display.js

@@ -289,6 +289,20 @@ function displayE2EResults(data, verbose = false) {
     logger.log(`  ${ok ? chalk.green('✓') : chalk.red('✗')} ${name}`);
     if (!ok && (step.error || step.message)) logger.log(chalk.red(`    ${step.error || step.message}`));
     if (verbose && step.message && ok) logger.log(chalk.gray(`    ${step.message}`));
+    if (verbose && ok && (name === 'sync' || step.step === 'sync') && step.evidence && step.evidence.jobs) {
+      formatSyncStepEvidence(step.evidence.jobs);
+    }
+  }
+  if (verbose && data.auditLog && Array.isArray(data.auditLog) && data.auditLog.length > 0) {
+    const n = data.auditLog.length;
+    const first = data.auditLog[0];
+    const execId = (first && (first.executionId || first.id || first.traceId)) ? String(first.executionId || first.id || first.traceId) : null;
+    if (execId) {
+      const short = execId.length > 10 ? `${execId.slice(0, 8)}…` : execId;
+      logger.log(chalk.gray(`  CIP execution trace(s): ${n} (executionId: ${short})`));
+    } else {
+      logger.log(chalk.gray(`  CIP execution trace(s): ${n}`));
+    }
   }
   if (isRunning) {
     return;
@@ -297,6 +311,35 @@ function displayE2EResults(data, verbose = false) {
   logger.log(allPassed ? chalk.green('\n✅ E2E test passed!') : chalk.red('\n❌ E2E test failed'));
 }
 
+/**
+ * Log sync step job evidence (record counts) in verbose E2E output
+ * @param {Object[]} jobs - evidence.jobs from sync step
+ */
+function formatSyncStepEvidence(jobs) {
+  for (const job of jobs) {
+    const rec = job.recordsProcessed ?? job.totalProcessed;
+    const total = job.totalRecords ?? (job.audit && job.audit.totalProcessed);
+    const parts = [];
+    if (rec !== undefined && rec !== null) parts.push(`${rec} processed`);
+    if (total !== undefined && total !== null) parts.push(`total: ${total}`);
+    const audit = job.audit || {};
+    const ins = audit.inserted ?? job.insertedCount;
+    const upd = audit.updated ?? job.updatedCount;
+    const del = audit.deleted ?? job.deletedCount;
+    const tot = audit.totalProcessed ?? total;
+    if (ins !== undefined || upd !== undefined || del !== undefined || tot !== undefined) {
+      const a = [`inserted: ${ins ?? 0}`, `updated: ${upd ?? 0}`, `deleted: ${del ?? 0}`];
+      if (tot !== undefined) a.push(`totalProcessed: ${tot}`);
+      parts.push(`(${a.join(', ')})`);
+    }
+    if (job.skippedCount !== undefined) parts.push(`skipped: ${job.skippedCount}`);
+    if (job.rejectedByQualityCount !== undefined) parts.push(`rejectedByQuality: ${job.rejectedByQualityCount}`);
+    if (parts.length > 0) {
+      logger.log(chalk.gray(`    Managed records: ${parts.join(' ')}`));
+    }
+  }
+}
+
 module.exports = {
   displayTestResults,
   displayIntegrationTestResults,

package/lib/utils/external-system-validators.js

@@ -139,11 +139,11 @@ function validateDimensions(dimensions, results) {
   // Validate dimension keys and values
   for (const [dimensionKey, attributePath] of Object.entries(dimensions)) {
     if (!/^[a-zA-Z0-9_]+$/.test(dimensionKey)) {
-      results.errors.push(`Invalid dimension key '${dimensionKey}': must match pattern ^[a-zA-Z0-9_]+$`);
+      results.errors.push(`Invalid dimension key '${dimensionKey}': dimension key must contain only letters, numbers, and underscores`);
       results.valid = false;
     }
     if (typeof attributePath !== 'string' || !/^[a-zA-Z0-9_.]+$/.test(attributePath)) {
-      results.errors.push(`Invalid attribute path '${attributePath}' for dimension '${dimensionKey}': must match pattern ^[a-zA-Z0-9_.]+$`);
+      results.errors.push(`Invalid attribute path '${attributePath}' for dimension '${dimensionKey}': attribute path must contain only letters, numbers, underscores, and dots`);
       results.valid = false;
     }
   }

package/lib/utils/help-builder.js

@@ -46,9 +46,7 @@ const CATEGORIES = [
       { name: 'build', term: 'build <app>' },
       { name: 'run', term: 'run <app>' },
       { name: 'shell', term: 'shell <app>' },
-      { name: 'test', term: 'test <app>' },
       { name: 'install', term: 'install <app>' },
-      { name: 'test-e2e', term: 'test-e2e <app>' },
       { name: 'lint', term: 'lint <app>' },
       { name: 'logs', term: 'logs <app>' },
       { name: 'stop', term: 'stop <app>' },
@@ -65,15 +63,13 @@ const CATEGORIES = [
   {
     name: 'Environments',
     commands: [
-      { name: 'environment' },
       { name: 'env' }
     ]
   },
   {
-    name: 'Application & Datasource Management',
+    name: 'Application & Management',
     commands: [
       { name: 'app' },
-      { name: 'datasource' },
       { name: 'credential' },
       { name: 'deployment' },
       { name: 'service-user' }
@@ -98,7 +94,9 @@ const CATEGORIES = [
       { name: 'upload', term: 'upload <system-key>' },
       { name: 'delete', term: 'delete <system-key>' },
       { name: 'repair', term: 'repair <app>' },
+      { name: 'datasource' },
       { name: 'test', term: 'test <app>' },
+      { name: 'test-e2e', term: 'test-e2e <app>' },
       { name: 'test-integration', term: 'test-integration <app>' }
     ]
   },

package/lib/utils/local-secrets.js

@@ -15,10 +15,31 @@ const logger = require('../utils/logger');
 const pathsUtil = require('./paths');
 const { mergeSecretsIntoFile } = require('./secrets-generator');
 
+/** Bootstrap key name; never encrypt this key's value when writing (key is stored in config). */
+const ENCRYPTION_KEY_VAULT = 'secrets-encryptionKeyVault';
+
+/**
+ * Resolves value to write: encrypted (secure://) when encryption key is set and key is not the bootstrap key.
+ * @async
+ * @param {string} key - Secret key name
+ * @param {string} value - Secret value
+ * @returns {Promise<string>} Value to write (plaintext or secure://...)
+ */
+async function resolveValueForWrite(key, value) {
+  const config = require('../core/config');
+  const encryptionKey = await config.getSecretsEncryptionKey();
+  if (!encryptionKey || key === ENCRYPTION_KEY_VAULT) {
+    return typeof value === 'string' ? value : String(value);
+  }
+  const { encryptSecret } = require('./secrets-encryption');
+  return encryptSecret(typeof value === 'string' ? value : String(value), encryptionKey);
+}
+
 /**
  * Saves a secret to ~/.aifabrix/secrets.local.yaml
  * Uses paths.getAifabrixHome() to respect config.yaml aifabrix-home override
- * Merges the key into the file (updates in place if key already exists, e.g. after rotate-secret)
+ * Merges the key into the file (updates in place if key already exists, e.g. after rotate-secret).
+ * Encrypts the value when a secrets-encryption key is configured (except for the bootstrap key).
  *
  * @async
  * @function saveLocalSecret
@@ -39,8 +60,9 @@ async function saveLocalSecret(key, value) {
     throw new Error('Secret value is required');
   }
 
+  const valueToWrite = await resolveValueForWrite(key, value);
   const secretsPath = path.join(pathsUtil.getAifabrixHome(), 'secrets.local.yaml');
-  mergeSecretsIntoFile(secretsPath, { [key]: value });
+  mergeSecretsIntoFile(secretsPath, { [key]: valueToWrite });
 }
 
 /**
@@ -121,8 +143,9 @@ function _loadExistingSecrets(resolvedPath) {
 async function saveSecret(key, value, secretsPath) {
   validateSaveSecretParams(key, value, secretsPath);
 
+  const valueToWrite = await resolveValueForWrite(key, value);
   const resolvedPath = resolveAndPrepareSecretsPath(secretsPath);
-  mergeSecretsIntoFile(resolvedPath, { [key]: value });
+  mergeSecretsIntoFile(resolvedPath, { [key]: valueToWrite });
 }
 
 /**

package/lib/utils/paths.js

@@ -430,7 +430,7 @@ function getDeployJsonPath(appName, appType, preferNew = false) {
   // If neither exists, return new naming (for generation)
   return newPath;
 }
-const { resolveApplicationConfigPath } = require('./app-config-resolver');
+const { resolveApplicationConfigPath, resolveRbacPath } = require('./app-config-resolver');
 const { loadConfigFile } = require('./config-format');
 /**
  * Checks if app type is external from variables object
@@ -562,6 +562,7 @@ module.exports = {
   resolveBuildContext,
   getDeployJsonPath,
   resolveApplicationConfigPath,
+  resolveRbacPath,
   detectAppType,
   getResolveAppPath,
   resolveIntegrationAppKeyFromCwd,