@aifabrix/builder 2.42.1 → 2.44.0

package/lib/schema/external-system.schema.json

@@ -1,18 +1,18 @@
 {
   "$schema":"http://json-schema.org/draft-07/schema#",
-  "$id":"https://raw.githubusercontent.com/esystemsdev/aifabrix-builder/refs/heads/main/lib/schema/external-system.schema.json",
+  "$id":"aifabrix://schema/external-system.schema.json",
   "title":"AI Fabrix External System Configuration Schema",
   "description":"Schema for configuring an external system connected to the AI Fabrix Dataplane. This defines authentication, OpenAPI/MCP bindings, field mappings defaults, metadata handling and portal inputs.",
      "metadata":{
      "key":"external-system-schema",
      "name":"External System Configuration Schema",
      "description":"JSON schema for validating ExternalSystem configuration files",
-     "version":"1.5.0",
+     "version":"1.6.0",
      "type":"schema",
      "category":"integration",
      "author":"AI Fabrix Team",
      "createdAt":"2024-01-01T00:00:00Z",
-     "updatedAt":"2026-03-07T00:00:00Z",
+     "updatedAt":"2026-04-09T00:00:00Z",
      "compatibility":{
         "minVersion":"1.4.0",
         "maxVersion":"2.0.0",
@@ -29,6 +29,14 @@
         
      ],
      "changelog":[
+        {
+           "version":"1.6.0",
+           "date":"2026-04-09T00:00:00Z",
+           "changes":[
+              "Added identityPropagation configuration for impersonation, attribution, and system identity execution modes",
+              "Added tokenBroker mint endpoint and attribution field injection settings for runtime identity behavior"
+           ]
+        },
         {
            "version":"1.5.0",
            "date":"2026-03-07T00:00:00Z",
@@ -367,7 +375,7 @@
               "value":{
                  "type":"string",
                  "description":"Role identifier (used in JWT and ACL)",
-                 "pattern":"^[a-z-]+$"
+                 "pattern":"^[a-z0-9-]+$"
               },
               "description":{
                  "type":"string",
@@ -411,7 +419,7 @@
                  "description":"Roles that have this permission",
                  "items":{
                     "type":"string",
-                    "pattern":"^[a-z-]+$",
+                    "pattern":"^[a-z0-9-]+$",
                     "minLength":1,
                     "maxLength":50
                  },
@@ -484,6 +492,112 @@
         "description":"SHA256 hash of triggerPaths payload (64-char hex). Used to detect structural changes. Optional; Dataplane computes when absent.",
         "pattern":"^[a-f0-9]{64}$"
      },
+     "identityPropagation":{
+        "type":"object",
+        "description":"Declares supported identity propagation modes and defaults for outbound operations.",
+        "required":[
+           "modes",
+           "default"
+        ],
+        "properties":{
+           "modes":{
+              "type":"array",
+              "items":{
+                 "type":"string",
+                 "enum":[
+                    "impersonation",
+                    "attribution",
+                    "system"
+                 ]
+              },
+              "uniqueItems":true,
+              "minItems":1
+           },
+           "default":{
+              "type":"string",
+              "enum":[
+                 "impersonation",
+                 "attribution",
+                 "system"
+              ]
+           },
+           "impersonation":{
+              "type":"object",
+              "properties":{
+                 "tokenBroker":{
+                    "type":"object",
+                    "properties":{
+                       "mintEndpoint":{
+                          "type":"string",
+                          "default":"/api/v1/auth/token/mint",
+                          "description":"Controller endpoint for delegated token minting."
+                       }
+                    },
+                    "additionalProperties":false
+                 },
+                 "scopes":{
+                    "type":"array",
+                    "items":{
+                       "type":"string"
+                    }
+                 },
+                 "requiredUserConsent":{
+                    "type":"boolean",
+                    "default":false
+                 }
+              },
+              "additionalProperties":false
+           },
+           "attribution":{
+              "type":"object",
+              "properties":{
+                 "actorFieldMappings":{
+                    "type":"object",
+                    "description":"Map target fields to actor templates (supports {{actor.*}} and {{request.*}}).",
+                    "additionalProperties":{
+                       "type":[
+                          "string",
+                          "number",
+                          "boolean"
+                       ]
+                    }
+                 },
+                 "commentTemplate":{
+                    "type":"string",
+                    "description":"Optional comment template for attribution logs (supports {{actor.*}})."
+                 },
+                 "injectionLocations":{
+                    "type":"array",
+                    "items":{
+                       "type":"string",
+                       "enum":[
+                          "body",
+                          "headers",
+                          "query",
+                          "comment"
+                       ]
+                    },
+                    "default":[
+                       "body"
+                    ],
+                    "uniqueItems":true
+                 }
+              },
+              "additionalProperties":false
+           },
+           "system":{
+              "type":"object",
+              "properties":{
+                 "allowWrites":{
+                    "type":"boolean",
+                    "default":true
+                 }
+              },
+              "additionalProperties":false
+           }
+        },
+        "additionalProperties":false
+     },
      "rateLimit":{
         "type":"object",
         "description":"Outbound rate limit for requests from the dataplane to this external system. When set, the dataplane enforces the limit per base URL and handles HTTP 429 (wait and retry). When absent, global env defaults apply (CIP_EXECUTION_RATE_LIMIT_REQUESTS_PER_SECOND, CIP_EXECUTION_RATE_LIMIT_BURST_SIZE). Supports window-based (e.g. HubSpot 100/10s) or token-bucket style (requestsPerSecond + burstSize).",
@@ -522,6 +636,68 @@
            {"requestsPerWindow":100,"windowSeconds":10},
            {"requestsPerSecond":10,"burstSize":100}
         ]
+     },
+     "performance":{
+        "type":"object",
+        "description":"Performance defaults for runtime paths in this external system.",
+        "properties":{
+           "cacheDefaults":{
+              "type":"object",
+              "description":"Default cache policy inherited by datasources unless overridden under sync.cache.",
+              "properties":{
+                 "enabled":{
+                    "type":"boolean",
+                    "default":true
+                 },
+                 "ttlSeconds":{
+                    "type":"integer",
+                    "minimum":1,
+                    "maximum":604800,
+                    "default":1800
+                 }
+              },
+              "additionalProperties":false
+           }
+        },
+        "additionalProperties":false
+     },
+     "certification":{
+        "type":"object",
+        "description":"Public certification settings for external system version verification.",
+        "required":[
+           "enabled",
+           "publicKey",
+           "algorithm",
+           "issuer",
+           "version"
+        ],
+        "properties":{
+           "enabled":{
+              "type":"boolean",
+              "description":"Enable public certification metadata for this external system."
+           },
+           "publicKey":{
+              "type":"string",
+              "minLength":1,
+              "description":"Public key used to verify RS256 signatures. Private key must never appear in schema."
+           },
+           "algorithm":{
+              "type":"string",
+              "const":"RS256",
+              "description":"Signing algorithm. Must be RS256."
+           },
+           "issuer":{
+              "type":"string",
+              "minLength":1,
+              "description":"Certificate issuer identifier."
+           },
+           "version":{
+              "type":"string",
+              "minLength":1,
+              "description":"Certification version identifier; must align with external system versioning."
+           }
+        },
+        "additionalProperties":false
      }
   },
   "additionalProperties":false

package/lib/schema/flag-map-validation-run.json

@@ -0,0 +1,31 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "title": "Validation run CLI flag map",
+  "description": "Machine-readable mapping from CLI flags to ValidationRunRequest intent (plan §4). Exact JSON field names are defined in Dataplane OpenAPI.",
+  "operationId": "runValidation",
+  "flags": [
+    { "cliFlag": "test | test-integration | test-e2e (subcommand)", "requestField": "runType", "values": ["test", "integration", "e2e"] },
+    { "cliFlag": "-a, --app <app>", "requestField": null, "note": "Resolution only; paths and auth context" },
+    { "cliFlag": "-e, --env <env>", "requestField": null, "note": "Controller/dataplane URL and token selection" },
+    { "cliFlag": "-p, --payload <file>", "requestField": "payloadTemplate", "note": "Loaded object merged into request when integration-style test" },
+    { "cliFlag": "--timeout <ms>", "requestField": null, "note": "Client aggregate HTTP budget (POST + polls)" },
+    { "cliFlag": "--debug [level]", "requestField": "includeDebug", "default": false, "note": "summary|full|raw affects TTY appendix only; any presence sets includeDebug" },
+    { "cliFlag": "--no-async", "requestField": "asyncRun", "note": "When true on CLI, omit asyncRun or set false; sync-only POST" },
+    { "cliFlag": "--test-crud", "requestField": "e2eOptions.testCrud", "runType": "e2e" },
+    { "cliFlag": "--record-id", "requestField": "e2eOptions.recordId", "runType": "e2e" },
+    { "cliFlag": "--no-cleanup", "requestField": "e2eOptions.cleanup", "runType": "e2e" },
+    { "cliFlag": "--primary-key-value", "requestField": "e2eOptions.primaryKeyValue", "runType": "e2e" },
+    { "cliFlag": "--capability <key>", "requestField": "e2eOptions.capabilityKeys", "runType": "e2e", "note": "Single key forwarded as capabilityKeys array in request body when set" },
+    { "cliFlag": "--strict-capability-scope", "requestField": null, "runType": "e2e", "note": "Client-only: exit ≥1 when capabilities[] has >1 row while --capability is set (plan §2.3)" },
+    { "cliFlag": "--require-cert", "requestField": null, "note": "Client-only exit code 2 gate" },
+    { "cliFlag": "--warnings-as-errors", "requestField": null, "note": "Client-only exit code 1 on warn" },
+    { "cliFlag": "--json", "requestField": null, "note": "Stdout prints raw DatasourceTestRun" },
+    { "cliFlag": "--summary", "requestField": null, "note": "Compact machine-oriented lines (plan §16.9)" },
+    { "cliFlag": "-v, --verbose", "requestField": "e2eOptions.audit", "runType": "e2e", "note": "Also poll progress in legacy E2E path" },
+    { "cliFlag": "--watch", "requestField": null, "note": "Client-only: re-run test / test-integration / test-e2e when watched paths change (debounced; plan §3.14)" },
+    { "cliFlag": "--watch-path <path>", "requestField": null, "note": "Client-only: extra file or dir to watch (repeatable)" },
+    { "cliFlag": "--watch-application-yaml", "requestField": null, "note": "Client-only: ensure integration/<app>/application.yaml is in the watch set" },
+    { "cliFlag": "--watch-ci", "requestField": null, "note": "Client-only: exit after first validation run (normal exit code) for CI-style one-shot" },
+    { "cliFlag": "--watch-full-diff", "requestField": null, "note": "Client-only: print full before/after fingerprint lines on change" }
+  ]
+}

package/lib/schema/infra-parameter.schema.json

@@ -0,0 +1,106 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://aifabrix.dev/schemas/infra-parameter.schema.json",
+  "title": "Infra parameter catalog",
+  "type": "object",
+  "required": ["version", "parameters"],
+  "additionalProperties": false,
+  "properties": {
+    "version": {
+      "type": "integer",
+      "minimum": 1
+    },
+    "standardUpInfraEnsureKeys": {
+      "type": "array",
+      "items": { "type": "string", "minLength": 1 },
+      "description": "Extra keys always merged on up-infra (e.g. default miso-controller DB pair when no workspace template lists them)."
+    },
+    "defaults": {
+      "type": "object",
+      "additionalProperties": false,
+      "description": "Default values for {{adminPassword}}, {{adminEmail}}, {{userPassword}} in literal generator values; overridden by aifabrix up-infra flags.",
+      "properties": {
+        "adminEmail": { "type": "string" },
+        "adminPassword": { "type": "string" },
+        "userPassword": { "type": "string" }
+      }
+    },
+    "parameters": {
+      "type": "array",
+      "items": { "$ref": "#/definitions/parameterEntry" }
+    }
+  },
+  "definitions": {
+    "ensureOnEnum": {
+      "type": "string",
+      "enum": ["upInfra", "resolveApp", "appRegister"]
+    },
+    "scopeEnum": {
+      "type": "string",
+      "enum": ["infra", "app", "shared-service"]
+    },
+    "generator": {
+      "type": "object",
+      "required": ["type"],
+      "additionalProperties": false,
+      "properties": {
+        "type": {
+          "type": "string",
+          "enum": [
+            "randomBytes32",
+            "randomAlphanumeric",
+            "password",
+            "emptyString",
+            "emptyAllowed",
+            "literal",
+            "databaseUrl",
+            "databasePassword"
+          ]
+        },
+        "value": {
+          "type": "string"
+        },
+        "length": {
+          "type": "integer",
+          "minimum": 1,
+          "maximum": 512,
+          "description": "For randomAlphanumeric: character count (default 32). For password: default 8. Charset [a-zA-Z0-9]."
+        }
+      }
+    },
+    "azureBlock": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "vaultSecretName": { "type": "string" },
+        "vaultSecretNamePattern": { "type": "string" },
+        "notes": { "type": "string" }
+      }
+    },
+    "parameterEntry": {
+      "type": "object",
+      "required": ["scope", "generator", "ensureOn"],
+      "additionalProperties": false,
+      "properties": {
+        "key": {
+          "type": "string",
+          "minLength": 1
+        },
+        "keyPattern": {
+          "type": "string",
+          "minLength": 1
+        },
+        "scope": { "$ref": "#/definitions/scopeEnum" },
+        "generator": { "$ref": "#/definitions/generator" },
+        "ensureOn": {
+          "type": "array",
+          "minItems": 1,
+          "items": { "$ref": "#/definitions/ensureOnEnum" }
+        },
+        "requiredForLocal": { "type": "boolean" },
+        "azure": { "$ref": "#/definitions/azureBlock" },
+        "notes": { "type": "string" }
+      }
+    }
+  }
+}