@aifabrix/builder 2.42.1 → 2.44.0

package/templates/applications/dataplane/application.yaml

@@ -5,7 +5,7 @@ app:
   description: "AI Fabrix Dataplane is a secure, in-tenant integration and automation layer that supplies governed, normalized, and explainable enterprise data to AI agents. Using CIP as a declarative standard, it enforces RBAC and ABAC, executes integrations, and exposes trusted data via MCP and OpenAPI."
   type: webapp
   language: python  # Explicitly specify Python language
-  version: 1.8.0
+  version: 1.9.5
 
 # Image Configuration
 # Set tag to match your build (e.g. aifabrix build dataplane -t v1.0.0 then tag: v1.0.0)
@@ -18,6 +18,16 @@ image:
 
 # Port Configuration
 port: 3001
+environmentScopedResources: true
+
+# Public path behind Azure Front Door / reverse proxy (used by url://public and urls.local.yaml).
+# Traefik: host is expanded from developer-id + remote-server (hostname of `remote-server` in ~/.aifabrix/config.yaml).
+# Path uses pattern below plus optional /dev|/tst prefix when env-scoped resources are effective (plan 117).
+frontDoorRouting:
+  pattern: /data/*
+  enabled: true
+  host: ${DEV_USERNAME}.${REMOTE_HOST}
+  tls: ${TLS_ENABLED}
 
 # Azure Requirements
 requires:
@@ -51,7 +61,6 @@ build:
   context: ../..                  # Docker build context (relative to builder/dataplane/)
   dockerfile: builder/dataplane/Dockerfile  # Dockerfile path (relative to project root)
   envOutputPath: ../../.env       # Copy to repo root for local dev
-  localPort: 3011                 # Port for local development (different from Docker port)
   language: python                # Runtime language for template selection (typescript or python)
   reloadStart: uvicorn app.main:app --host 0.0.0.0 --port ${PORT:-3001} --reload  # PORT set from port above at run time; default 3001 must match port
 
@@ -98,6 +107,47 @@ configuration:
         - detailed
         - explain
 
+  - name: TRUST_CUSTOMER_POLICY_LEVEL
+    portalInput:
+      field: select
+      label: "Trust policy level (no-policy defaults)"
+      options:
+        - strict
+        - standard
+        - relaxed
+
+  - name: TRUST_PUBLISH_GATE_ENABLED
+    portalInput:
+      field: select
+      label: "Enforce trust gate on datasource publish"
+      options:
+        - "false"
+        - "true"
+
+  - name: TRUST_PROMOTE_GATE_ENABLED
+    portalInput:
+      field: select
+      label: "Enforce trust gate on external system publish (promote scope)"
+      options:
+        - "false"
+        - "true"
+
+  - name: TRUST_RUNTIME_GATE_ENABLED
+    portalInput:
+      field: select
+      label: "Enforce trust gate on CIP execution (runtime scope)"
+      options:
+        - "false"
+        - "true"
+
+  - name: TRUST_AI_EXPOSURE_GATE_ENABLED
+    portalInput:
+      field: select
+      label: "Enforce trust gate on AI document-storage prompt generation"
+      options:
+        - "false"
+        - "true"
+
   # -------------------------------------------------------------------------
   # CIP Execution - Resource Limits
   # -------------------------------------------------------------------------

package/templates/applications/dataplane/env.template

@@ -24,21 +24,23 @@ LOG_FILE_PATH=/mnt/data/logs/app.log
 LOCAL_MODE=false
 
 # When API_KEY is set, a matching Bearer token bypasses OAuth2 validation
-API_KEY=kv://miso-controller-api-key-secretKeyVault
+# Same kv:// as miso-controller API_KEY so pipeline Bearer bypass uses one secrets.local entry
+API_KEY=kv://miso-controller-secrets-apiKeyVault
 
 # API Configuration
 API_V1_STR=/api/v1
-VERSION=1.8.0
+VERSION=1.9.5
 # Base URL for the dataplane web server (used for default OAuth2 callback URL when redirectUri is omitted)
-DATAPLANE_WEB_SERVER_URL=kv://dataplane-web-server-url
-DATAPLANE_INTERNAL_URL=kv://dataplane-internal-server-url
+# url:// resolves after kv://; includes front-door path from application.yaml (e.g. /data)
+DATAPLANE_WEB_SERVER_URL=url://public
+DATAPLANE_INTERNAL_URL=url://internal
 
 # CORS Configuration
-ALLOWED_ORIGINS=http://localhost:*
+ALLOWED_ORIGINS=http://localhost:*,url://host-public,url://host-private
 IDE_CORS_ORIGINS=
 
 # Encryption Configuration
-ENCRYPTION_KEY=kv://secrets-encryptionKeyVault
+ENCRYPTION_KEY=kv://miso-controller-secrets-encryptionKeyVault
 
 # =============================================================================
 # DATABASE CONFIGURATION
@@ -54,10 +56,14 @@ DATABASE_URL=kv://databases-dataplane-0-urlKeyVault
 DB_0_PASSWORD=kv://databases-dataplane-0-passwordKeyVault
 
 # Vector and document store DB: chunks, embeddings, vector indexes (pgvector).
-# Binaries path: config.processing.fileStoragePath or /data/documents.
 VECTOR_DATABASE_URL=kv://databases-dataplane-1-urlKeyVault
 DB_1_PASSWORD=kv://databases-dataplane-1-passwordKeyVault
 
+# Base path for document binary storage (used when datasource config has no processing.fileStoragePath).
+# Dataplane creates subdirs per datasource key (e.g. DOCUMENT_STORAGE_BASE_PATH/test-e2e-sharepoint-documents).
+# Production: use a writable path (e.g. /data/documents) and mount a volume. Local/Docker: use /tmp/documents or /app/data/documents.
+DOCUMENT_STORAGE_BASE_PATH=/mnt/data/documents
+
 # Logs Database Configuration (for execution, audit, ABAC traces)
 LOGS_DATABASE_URL=kv://databases-dataplane-2-urlKeyVault
 DB_2_PASSWORD=kv://databases-dataplane-2-passwordKeyVault
@@ -84,6 +90,14 @@ CACHE_CIP_EXECUTION_TTL=1800
 # TTL in seconds for metadata filter cache
 CACHE_METADATA_FILTER_TTL=3600
 
+# ABAC policy parse cache (in-memory)
+# Caches parsed PolicyLibrary.rules (Pydantic) by (policyKey, updatedAt)
+ABAC_POLICY_PARSE_CACHE_ENABLED=true
+# TTL in seconds for parsed policy entries
+ABAC_POLICY_PARSE_CACHE_TTL_SECONDS=300
+# Max entries before eviction (clears cache at capacity)
+ABAC_POLICY_PARSE_CACHE_MAX_ENTRIES=2048
+
 # =============================================================================
 # AUTHENTICATION CONFIGURATION
 # =============================================================================
@@ -93,22 +107,22 @@ MISO_CLIENTID=kv://dataplane-client-idKeyVault
 MISO_CLIENTSECRET=kv://dataplane-client-secretKeyVault
 
 # Keycloak Configuration (for OAuth2 endpoints)
-# Public: used by OpenAPI OAuth2 / browser (authorizationUrl, tokenUrl).
-KEYCLOAK_SERVER_URL=kv://keycloak-server-url
-# Internal (same role as MISO_CONTROLLER_URL): future server-side Keycloak (e.g. JWKS). Not used by dataplane today.
-KEYCLOAK_INTERNAL_SERVER_URL=kv://keycloak-internal-server-url
+# Public: browser / issuer (includes /auth when Keycloak uses KC_HTTP_RELATIVE_PATH=/auth).
+KEYCLOAK_SERVER_URL=url://keycloak-public
+# Internal: server-to-Keycloak HTTP (docker: service:port + /auth from keycloak application.yaml)
+KEYCLOAK_INTERNAL_SERVER_URL=url://keycloak-internal
 KEYCLOAK_REALM=aifabrix
 
 # =============================================================================
 # MISO CONTROLLER CONFIGURATION
 # =============================================================================
-# Public: browser redirects and CORS for client_token; set when controller is behind a different public URL.
-MISO_WEB_SERVER_URL=kv://miso-controller-web-server-url
-# Internal: server-to-controller API calls (auth, pipeline, status, RBAC).
-MISO_CONTROLLER_URL=http://${MISO_HOST}:${MISO_PORT}
+# Public: browser redirects and CORS (includes /controller front-door path from miso-controller application.yaml).
+MISO_WEB_SERVER_URL=url://miso-controller-public
+# Internal: server-to-controller API calls (Docker: service:port; local: host:port — no front-door path).
+MISO_CONTROLLER_URL=url://miso-controller-internal
 
-# Pipeline env key for controller URLs: /api/v1/pipeline/{envKey}/validate and /deploy.
-# Set MISO_PIPELINE_ENV_KEY=dev when controller uses dev (e.g. MISO_CLIENTID=miso-controller-dev-dataplane).
+# Environment key sent to miso-controller (e.g. environmentKey on RBAC/register) when not supplied in the payload.
+# Set MISO_PIPELINE_ENV_KEY=dev when the controller installation uses dev (e.g. MISO_CLIENTID=miso-controller-dev-dataplane).
 # If unset, derived from MISO_CLIENTID (e.g. dev from miso-controller-dev-dataplane).
 MISO_PIPELINE_ENV_KEY=
 
@@ -120,7 +134,7 @@ MISO_PIPELINE_ENV_KEY=
 OPENAI_API_KEY=kv://secrets-openaiApiKeyVault
 
 # Azure OpenAI Configuration
-AZURE_OPENAI_ENDPOINT=
+AZURE_OPENAI_ENDPOINT=kv://azure-openaiapi-urlKeyVault
 AZURE_OPENAI_API_KEY=kv://secrets-azureOpenaiApiKeyVault
 AZURE_OPENAI_API_VERSION=2024-02-15-preview
 AZURE_OPENAI_DEPLOYMENT_NAME=gpt-4o
@@ -147,6 +161,10 @@ RBAC_AUDIT_ENABLED=true
 RBAC_AUDIT_DETAIL_LEVEL=summary
 RBAC_EXPLAIN_MODE_ENABLED=false
 
+# Async audit: after sync CIP writes, rebuild AuditEvent and enqueue; worker
+# validates only (no second DB write). Default false.
+AUDIT_ASYNC_SHADOW_ENQUEUE=false
+
 # =============================================================================
 # OBSERVABILITY CONFIGURATION
 # =============================================================================
@@ -155,6 +173,18 @@ RBAC_EXPLAIN_MODE_ENABLED=false
 OPENTELEMETRY_ENABLED=false
 OPENTELEMETRY_ENDPOINT=
 
+# =============================================================================
+# INTEGRATION CERTIFICATE SIGNING (RS256 PEM)
+# =============================================================================
+# Read by PemRsaCertificateSigner.from_environment in app/validation/certificates/signer.py.
+# When CERTIFICATE_PRIVATE_KEY and CERTIFICATE_PUBLIC_KEY are both set (non-empty PEM), the
+# engine uses RS256; otherwise it falls back to local HS256 (see build_certificate_signer in engine).
+# PEM values are often multi-line; resolve via secret store / deploy pipeline (kv://) or inject as env.
+CERTIFICATE_PRIVATE_KEY=
+CERTIFICATE_PUBLIC_KEY=
+# Optional public key identifier for issued certificates; default if unset: dataplane-signing-key
+CERTIFICATE_PUBLIC_KEY_ID=
+
 # =============================================================================
 # CIP EXECUTION CONFIGURATION
 # =============================================================================
@@ -168,6 +198,10 @@ CIP_EXECUTION_MAX_RETRIES=3
 CIP_EXECUTION_RETRY_BACKOFF_FACTOR=2.0
 CIP_EXECUTION_RETRY_INITIAL_DELAY=1.0
 
+# CIP performance instrumentation (off by default)
+# When enabled, CipStepOrchestrator emits per-step timing aggregates in metrics.
+CIP_STEP_TIMINGS_ENABLED=true
+
 # Circuit Breaker Configuration
 CIP_EXECUTION_CIRCUIT_BREAKER_FAILURE_THRESHOLD=5
 CIP_EXECUTION_CIRCUIT_BREAKER_TIME_WINDOW=60
@@ -177,3 +211,31 @@ CIP_EXECUTION_CIRCUIT_BREAKER_HALF_OPEN_TIMEOUT=30
 # Rate Limiting Configuration
 CIP_EXECUTION_RATE_LIMIT_REQUESTS_PER_SECOND=10.0
 CIP_EXECUTION_RATE_LIMIT_BURST_SIZE=20
+
+# =============================================================================
+# TRUST POLICY AND ENFORCEMENT GATES (optional)
+# =============================================================================
+# Policies resolve by deployment ENVIRONMENT (dev | tst | pro) and trust scope
+# (publish | promote | runtime | aiExposure). When no registered policy matches,
+# fallbacks use whenNoPolicyMatches[<level>] from configs/trust-policy-defaults.yaml;
+# TRUST_CUSTOMER_POLICY_LEVEL picks that row and is orthogonal to ENVIRONMENT.
+#
+# Customer posture for no-match defaults (lowercase): strict | standard | relaxed
+TRUST_CUSTOMER_POLICY_LEVEL=standard
+#
+# Opt-in gates (default false). When true, trust is evaluated at the call site;
+# DENY/REVIEW can block the operation (e.g. datasource publish returns 403).
+# Datasource publish — scope publish; runs before marking the datasource published
+TRUST_PUBLISH_GATE_ENABLED=false
+# External system publish — scope promote; evaluated per active datasource first
+TRUST_PROMOTE_GATE_ENABLED=false
+# CIP operation execution — scope runtime; evaluation uses live/runtime checks
+TRUST_RUNTIME_GATE_ENABLED=false
+# Document-storage AI system prompt generation — scope aiExposure; before LLM call
+TRUST_AI_EXPOSURE_GATE_ENABLED=false
+
+# Certification baseline (346.6 §12.1). Empty CERTIFICATION_DATASOURCE_SCHEMA_VERSION uses bundled
+# app/schemas/json/external-datasource.schema.json metadata.version. Set CERTIFICATION_RULES_VERSION
+# when 346.rules / §17 revisions must invalidate existing certificates without matching rulesVersion.
+CERTIFICATION_DATASOURCE_SCHEMA_VERSION=
+CERTIFICATION_RULES_VERSION=

package/templates/applications/dataplane/rbac.yaml

@@ -184,6 +184,10 @@ permissions:
   - name: "document-record:approve"
     roles: ["aifabrix-platform-admin", "aifabrix-compliance-admin"]
     description: "Approve document records"
+
+  - name: "document-record:triage-unowned"
+    roles: ["aifabrix-platform-admin", "aifabrix-compliance-admin"]
+    description: "Include unowned pending documents (createdBy null) in the pending validation queue"
   
   # External record management
   - name: "external-record:create"
@@ -250,6 +254,10 @@ permissions:
   - name: "record-relation:create"
     roles: ["aifabrix-platform-admin", "aifabrix-developer"]
     description: "Create record relations"
+
+  - name: "record-relation:update"
+    roles: ["aifabrix-platform-admin", "aifabrix-developer"]
+    description: "Update mutable fields on record relations (direction, confidence, catalogId, createdBy)"
   
   - name: "record-relation:read"
     roles: ["aifabrix-platform-admin", "aifabrix-security-admin", "aifabrix-deployment-admin", "aifabrix-compliance-admin", "aifabrix-developer", "aifabrix-observer"]

package/templates/applications/keycloak/application.yaml

@@ -16,6 +16,14 @@ image:
 # Port Configuration (base for host; host port = 8082 + developer_id*100 from ~/.aifabrix/config.yaml)
 port: 8082
 
+# Public path behind Azure Front Door / reverse proxy (used by url://public and urls.local.yaml).
+# Traefik: host is expanded from developer-id + remote-server (hostname of `remote-server` in ~/.aifabrix/config.yaml).
+frontDoorRouting:
+  pattern: /auth/*
+  enabled: true
+  host: ${DEV_USERNAME}.${REMOTE_HOST}
+  tls: ${TLS_ENABLED}
+
 # Azure Requirements
 requires:
   database: true
@@ -27,6 +35,7 @@ requires:
 # Health Check
 healthCheck:
   path: /health/ready
+  bashProbe: true
   interval: 30
   probePath: /health/ready
   probeRequestType: GET
@@ -41,6 +50,5 @@ authentication:
 build:
   context: .. # Docker build context (relative to builder/)
   dockerfile: builder/Dockerfile # Dockerfile name (empty = use template)
-  localPort: 8082 # Port for local development (different from Docker port)
   containerPort: 8080 # Container port (different from local port)
   language: typescript # Runtime language for template selection

package/templates/applications/keycloak/env.template

@@ -6,10 +6,14 @@
 # APPLICATION ENVIRONMENT
 # =============================================================================
 
-KEYCLOAK_ADMIN=admin
-KEYCLOAK_ADMIN_PASSWORD=kv://keycloak-admin-passwordKeyVault
+KC_BOOTSTRAP_ADMIN_USERNAME=admin
+KC_BOOTSTRAP_ADMIN_PASSWORD=kv://keycloak-admin-passwordKeyVault
 KC_HOSTNAME_STRICT=false
-KC_HTTP_ENABLED=true
+KC_HTTP_ENABLED=${HTTP_ENABLED}
+# When Traefik + frontDoorRouting.enabled are on, same vdir as url://public. If the front door is off, env generation
+# rewrites url://vdir-public to "/" before expansion (empty path is invalid — Keycloak 26 SRCFG00040).
+# Docker-only templates may use url://vdir-internal instead.
+KC_HTTP_RELATIVE_PATH=url://vdir-public
 
 # =============================================================================
 # HOSTNAME / ISSUER (Docker vs localhost)
@@ -22,9 +26,14 @@ KC_HTTP_ENABLED=true
 # - Server calls Keycloak at http://keycloak:8080 for token exchange and refresh
 # - Controller sends Host: localhost:${KEYCLOAK_PUBLIC_PORT} so Keycloak validates issuer
 #   against public URL (requires KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true)
-# When KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true, hostname must be a full URL
-KC_HOSTNAME=http://localhost:${KEYCLOAK_PUBLIC_PORT}
-KC_HOSTNAME_PORT=${KEYCLOAK_PUBLIC_PORT}
+# When KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true, hostname must be a full URL.
+# Use host-only origin (no /auth); KC_HTTP_RELATIVE_PATH carries the front-door path (url://vdir-public).
+# Hostname v2: port belongs in KC_HOSTNAME (url://host-public expands to e.g. http://localhost:8182 or
+# https://devNN.example.com). Do not set KC_HOSTNAME_PORT (deprecated v1; triggers Quarkus warnings).
+# KEYCLOAK_PUBLIC_PORT = application.yaml `port` (host-published) + dev×100; used by other apps / docs.
+KC_HOSTNAME=url://host-public
+# nginx / Traefik send X-Forwarded-*; required when using an edge proxy (Keycloak 26+).
+KC_PROXY_HEADERS=xforwarded
 # Required for Host header to work: Keycloak resolves backchannel URL from request headers
 KC_HOSTNAME_BACKCHANNEL_DYNAMIC=true
 

package/templates/applications/miso-controller/application.yaml

@@ -4,17 +4,26 @@ app:
   displayName: 'Miso Controller'
   description: 'Miso is the AI Fabrix in-tenant controller and portal layer for securely operating enterprise AI apps inside a customer’s Azure tenant. It provides Entra ID SSO, RBAC, audit logs, environment/app configuration via schemas, and safe secret handling via Key Vault references—ensuring governance, traceability, and predictable UX across portal, SDK, and CLI.'
   type: webapp
-  version: '1.8.0'
+  version: '1.9.5'
 
 # Image Configuration
 image:
   name: aifabrix/miso-controller
+  tag: latest
   registry: aifabrixdevacr.azurecr.io
   registryMode: acr
 
 # Port Configuration (container port; host port = 3000 + developer_id*100 from ~/.aifabrix/config.yaml)
 port: 3000
 
+# Public path behind Azure Front Door / reverse proxy (used by url://public and urls.local.yaml).
+# Traefik: host is expanded from developer-id + remote-server (hostname of `remote-server` in ~/.aifabrix/config.yaml).
+frontDoorRouting:
+  pattern: /miso/*
+  enabled: true
+  host: ${DEV_USERNAME}.${REMOTE_HOST}
+  tls: ${TLS_ENABLED}
+
 # Azure Requirements
 requires:
   database: true
@@ -45,7 +54,6 @@ build:
   context: ../.. # Docker build context (relative to builder/miso-controller/)
   dockerfile: builder/miso-controller/Dockerfile # Dockerfile name (relative to project root)
   envOutputPath: ../../packages/miso-controller/.env # Copy .env to repo root for local dev (relative to builder/) (if null, no .env file is copied) (if empty, .env file is copied to repo root)
-  localPort: 3010 # Port for local development (different from Docker port)
   language: typescript # Runtime language for template selection (typescript or python)
   reloadStart: pnpm run start:reload # When running with --reload
 

package/templates/applications/miso-controller/env.template

@@ -53,7 +53,7 @@ NODE_ENV=dev
 PORT=${PORT}
 AUTO_CREATE_TABLES=true
 FAST_STARTUP=false
-ALLOWED_ORIGINS=http://localhost:*
+ALLOWED_ORIGINS=http://localhost:*,url://host-public,url://host-private,url://dataplane-host-public,url://dataplane-host-private
 ENABLE_API_DOCS=true
 
 # Rate Limiting Configuration (for local development)
@@ -109,9 +109,15 @@ REDIS_PERMISSIONS_TTL=900
 # KEYCLOAK_SKIP_AZURE_ENTRA_SSO=false
 
 KEYCLOAK_REALM=aifabrix
-KEYCLOAK_SERVER_URL=kv://keycloak-server-url
-KEYCLOAK_INTERNAL_SERVER_URL=kv://keycloak-internal-server-url
-KEYCLOAK_CLIENT_ID=miso-controller
+# Public issuer / browser URL (includes /auth when Keycloak uses KC_HTTP_RELATIVE_PATH=/auth).
+KEYCLOAK_SERVER_URL=url://keycloak-public
+# Internal token/JWKS calls: url://keycloak-internal (includes /auth when Keycloak uses KC_HTTP_RELATIVE_PATH).
+KEYCLOAK_INTERNAL_SERVER_URL=url://keycloak-internal
+# Docker/internal host and port: used when config from DB has localhost (getDockerKeycloakInternalUrl).
+# Resolved from env-config (e.g. KEYCLOAK_HOST=keycloak, KEYCLOAK_PORT=8080 for docker).
+KEYCLOAK_HOST=${KEYCLOAK_HOST}
+KEYCLOAK_PORT=${KEYCLOAK_PORT}
+KEYCLOAK_CLIENT_ID=kv://keycloak-client-idKeyVault
 KEYCLOAK_CLIENT_SECRET=kv://keycloak-client-secretKeyVault
 KEYCLOAK_ADMIN_USERNAME=admin
 KEYCLOAK_ADMIN_PASSWORD=kv://keycloak-admin-passwordKeyVault
@@ -131,6 +137,19 @@ KEYCLOAK_EVENTS_SECRET=kv://keycloak-events-secretKeyVault
 WAIT_FOR_KEYCLOAK=true
 # KEYCLOAK_WAIT_TIMEOUT=60
 
+# =============================================================================
+# TENANT ACTIVATION (TA-3) — EXISTING LLM CATALOG
+# =============================================================================
+# Optional JSON array for GET /api/v1/tenant/existing-llm-configurations (and
+# access-model.existingLlmConfigurations). Merge order: env entries first, then
+# entries derived from saved activation LLM (same id in saved overrides).
+# When unset and no saved LLM, the list can be empty — use this for real endpoints.
+#
+# Example (minify to one line in production):
+# EXISTING_LLM_CONFIGURATIONS=[{"id":"prod","name":"Azure Prod","type":"azure-openai","endpoint":"https://my.openai.azure.com","deploymentName":"gpt-4o"}]
+#
+# EXISTING_LLM_CONFIGURATIONS=
+
 # =============================================================================
 # AZURE AD PROVIDER CONFIGURATION
 # =============================================================================
@@ -265,7 +284,7 @@ DEPLOYMENT=database
 # =============================================================================
 
 # Encryption Key for Database Secrets
-ENCRYPTION_KEY=kv://secrets-encryptionKeyVault
+ENCRYPTION_KEY=kv://miso-controller-secrets-encryptionKeyVault
 
 # Key Vault Integration (for security parameter encryption)
 # Set to true to enable Azure Key Vault for storing security parameters
@@ -276,10 +295,10 @@ KEY_VAULT_ENABLED=false
 JWT_SECRET=kv://miso-controller-jwt-secretKeyVault
 
 # When API_KEY is set, a matching Bearer token bypasses OAuth2 validation
-API_KEY=kv://miso-controller-api-key-secretKeyVault
+API_KEY=kv://miso-controller-secrets-apiKeyVault
 
 # NPM token for private package (npmjs.org)
-NPM_TOKEN=kv://npm-token-secretKeyVault
+NPM_TOKEN=kv://BASH_NPM_TOKEN
 
 # =============================================================================
 # MISO CONTROLLER CONFIGURATION
@@ -289,8 +308,9 @@ NPM_TOKEN=kv://npm-token-secretKeyVault
 # Used to generate correct server URLs in OpenAPI spec and Keycloak callback URLs
 # For Docker: use localhost with mapped port (e.g., localhost:3100)
 # For production: use public domain (e.g., https://miso.example.com)
-MISO_WEB_SERVER_URL=kv://miso-controller-web-server-url
-MISO_CONTROLLER_URL=kv://miso-controller-internal-server-url
+# url://public includes front-door path from application.yaml (e.g. /controller).
+MISO_WEB_SERVER_URL=url://public
+MISO_CONTROLLER_URL=url://internal
 
 # MISO Environment Configuration (miso, dev, tst, pro)
 MISO_ENVIRONMENT=miso
@@ -301,20 +321,41 @@ MISO_CLIENTSECRET=kv://miso-controller-client-secretKeyVault
 
 # Allowed origins for CORS validation (comma-separated)
 # Use wildcards for ports: http://localhost:*
-MISO_ALLOWED_ORIGINS=http://localhost:*
+MISO_ALLOWED_ORIGINS=http://localhost:*,url://host-public,url://host-private,url://dataplane-host-public,url://dataplane-host-private
+
+# Evaluation mode (optional .env override of DB controller.configuration.evaluation):
+# When true (default if DB omits flag), infra deploy may coerce :envKey to `miso` — e2e poll on `dev` can 404.
+# Set false locally to force path envKey to match deploy + GET .../deployments/:id.
+# Unset = use DB only.
+CONTROLLER_EVALUATION=
 
 # =============================================================================
 # LICENSE CONFIGURATION
 # =============================================================================
-# Temporary development bypass: set LICENSE_JWT=DEVELOPMENT to skip Mori validation.
-# Will be replaced by JWT license validation (see plan 131-jwt_license_offline_validation).
+# Offline JWT license (optional):
+# - If set, controller validates license offline (RS256) without Mori subscription status call.
+# - Value can be literal JWT or kv:// reference.
+# - If not set, controller falls back to existing Mori subscription validation flow.
+#
+# Development: set to DEVELOPMENT to disable license validation (no Mori/JWT required):
+#   LICENSE_JWT=DEVELOPMENT
+# - Use only for local development; do not use in production.
 LICENSE_JWT=DEVELOPMENT
 
+# =============================================================================
+# ENTRA ID ONBOARDING (delegated Graph via Mori)
+# =============================================================================
+# Must match a Web redirect URI on the vendor multi-tenant app and Mori’s route
+# …/entra-graph-delegated/callback. Example (001 dev Mori API):
+# ENTRA_GRAPH_DELEGATED_REDIRECT_URI=https://aifabrix001-mori-web-we.azurewebsites.net/entra-graph-delegated/callback
+ENTRA_GRAPH_DELEGATED_REDIRECT_URI=
+
 # =============================================================================
 # MORI SERVICE CONFIGURATION
 # =============================================================================
 
-MORI_BASE_URL=kv://mori-controller-url
+MORI_BASE_URL=url://mori-controller-public
+MORI_AUTH_METHOD=apiKey
 MORI_API_KEY=kv://mori-controller-api-keyKeyVault
 MORI_USERNAME=kv://mori-controller-basic-usernameKeyVault
 MORI_PASSWORD=kv://mori-controller-basic-passwordKeyVault
@@ -335,7 +376,7 @@ LOG_FILE_PATH=./logs
 # Azure Application Insights connection string (required for OpenTelemetry)
 # If not set, OpenTelemetry will be disabled gracefully
 # Get this from Azure Portal: Application Insights > Overview > Connection String
-APPLICATIONINSIGHTS_CONNECTION_STRING=kv://applicationinsights-connection-stringKeyVault
+APPLICATIONINSIGHTS_CONNECTION_STRING=kv://appinsights-connectionStringKeyVault
 
 # OpenTelemetry service name (optional, defaults to miso-controller)
 OTEL_SERVICE_NAME=miso-controller

package/templates/applications/miso-controller/rbac.yaml

@@ -367,3 +367,8 @@ permissions:
   - name: 'onboarding:config'
     roles: ['aifabrix-platform-admin', 'aifabrix-infrastructure-admin']
     description: 'Configure onboarding (license, Entra ID, subscription config)'
+
+  # Reserved for routes that use non-OAuth verification (e.g. future webhooks); keep for routes.csv compatibility
+  - name: 'system:callback'
+    roles: ['aifabrix-platform-admin', 'aifabrix-infrastructure-admin']
+    description: 'Routes.csv / OpenAPI marker for routes without standard OAuth scopes'

package/templates/external-system/README.md.hbs

@@ -20,7 +20,7 @@
 - `deploy.js` – Deploy script for the integration
 - `wizard.yaml` – Wizard configuration (if created via wizard)
 
-Optional: `rbac.yaml` – Roles and permissions merged into the system when present.
+Optional: `{{rbacOptionalFile}}` – Roles and permissions merged into the system when present.
 
 ## Quick Start
 
@@ -43,7 +43,7 @@ aifabrix wizard --app {{appName}}
 Edit files in `integration/{{appName}}/`:
 
 - **Authentication**: `{{systemKey}}-system{{fileExt}}` (auth type, credentials placeholders)
-- **Field mappings**: `{{systemKey}}-datasource-*-datasource{{fileExt}}` (dimensions, attributes, operations)
+- **Field mappings**: `{{systemKey}}-datasource-*{{fileExt}}` (dimensions, attributes, operations)
 - **Credential and configuration**: `env.template` (security settings and configuration variables)
 
 {{#if secretPaths}}{{#if secretPaths.length}}
@@ -58,12 +58,16 @@ aifabrix secret set {{path}} <your value>   # {{description}}
 ```
 {{/if}}{{/if}}
 
-### 3. Validate Configuration
+### 3. Validate configuration (local only)
+
+`aifabrix validate` runs **on your machine**: it loads files under `integration/{{appName}}/`, checks them against the application and external-system / external-datasource JSON schemas, and runs related manifest rules. It does **not** call the dataplane or any other remote API.
 
 ```bash
 aifabrix validate {{appName}}
 ```
 
+Use this before upload or deploy to catch structural and policy errors early.
+
 ### 4. Repair Deployment Manifest
 
 **Run repair regularly.** It keeps naming conventions, filenames, and the deployment manifest aligned with AI Fabrix platform best practices. Use it after editing datasources, env.template, or system config—and run it often to catch drift early.
@@ -88,19 +92,28 @@ aifabrix upload {{appName}}
 
 ## Testing
 
-### Unit Tests (Local Validation, No API)
+| Command | Where it runs | Calls dataplane? |
+|--------|----------------|------------------|
+| `aifabrix validate {{appName}}` | Local (schemas / files) | No |
+| `aifabrix test {{appName}}` | Local (manifest / payload checks) | No |
+| `aifabrix test-integration {{appName}}`, `aifabrix test-e2e {{appName}}`, `aifabrix datasource test …`, `aifabrix datasource test-integration …`, `aifabrix datasource test-e2e …` | Through configured auth | Yes — unified validation / pipeline API |
+
+So: **validate** (and **`test`**) stay offline; **all integration and E2E test commands** exercise the system **via the API** (after login and a reachable dataplane).
+
+### Local checks (no API)
 
 ```bash
+aifabrix validate {{appName}}
 aifabrix test {{appName}}
 ```
 
-### Integration Tests (Via Dataplane)
+### Integration tests (dataplane API)
 
 ```bash
 aifabrix test-integration {{appName}}
 ```
 
-### End-to-end Tests (Via Dataplane)
+### End-to-end tests (dataplane API)
 
 ```bash
 aifabrix test-e2e {{appName}}
@@ -147,6 +160,6 @@ aifabrix deploy {{appName}}
 
 ## Troubleshooting
 
-- **Validation errors**: Run `aifabrix validate {{appName}}` to see schema and manifest errors.
+- **Local validation errors**: Run `aifabrix validate {{appName}}` (and `aifabrix test {{appName}}`) — these only inspect files on disk, not the dataplane.
 - **Deployment / auth**: Run `aifabrix auth config --set-controller <url> --set-environment <env>` and `aifabrix login` before `aifabrix deploy`.
 - **File not found**: Run commands from the project root (where `package.json` and `integration/` live).

package/templates/external-system/deploy.js.hbs

@@ -48,7 +48,7 @@ function isLoggedIn() {
 
 console.log('🔍 Checking authentication...');
 if (!isLoggedIn()) {
-  console.log('⚠️  Not logged in. Run login (e.g. aifabrix login --controller <url> --method device --environment ' + env + ').');
+  console.log('⚠  Not logged in. Run login (e.g. aifabrix login --controller <url> --method device --environment ' + env + ').');
   run('aifabrix login --environment ' + env);
 }
 
@@ -56,16 +56,16 @@ console.log('🔍 Validating configuration...');
 {{#each allJsonFiles}}
 run('aifabrix validate "' + path.join(scriptDir, '{{this}}') + '"');
 {{/each}}
-console.log('✅ Validation passed');
+console.log('✔ Validation passed');
 
 console.log('🚀 Deploying ' + appKey + '...');
 run('aifabrix deploy ' + appKey, { cwd: projectRoot });
-console.log('✅ Deployment complete');
+console.log('✔ Deployment complete');
 
 if (process.env.RUN_TESTS !== 'false') {
   console.log('🧪 Running integration tests...');
   run('aifabrix test-integration ' + appKey, { cwd: projectRoot });
-  console.log('✅ Tests passed');
+  console.log('✔ Tests passed');
 }
 
-console.log('✅ Done.');
+console.log('✔ Done.');

package/templates/external-system/env.template.hbs

@@ -0,0 +1,22 @@
+# Environment variables for external system integration
+# Use kv:// (or aifabrix secret set) for sensitive values; plain values for non-sensitive configuration.
+#
+
+{{#if authMethod}}
+# Authentication
+# Type: {{authMethod}}
+{{#each authSecureVars}}
+{{name}}={{value}}
+{{/each}}
+{{#if authNonSecureVarNames}}
+# Non-secure (e.g. URLs): {{#each authNonSecureVarNames}}{{this}}{{#unless @last}}, {{/unless}}{{/each}}
+{{/if}}
+
+{{/if}}
+{{#if configuration.length}}
+# Configuration
+{{#each configuration}}
+# {{comment}}
+{{name}}={{value}}
+{{/each}}
+{{/if}}