@aifabrix/builder 2.43.0 → 2.44.0

package/lib/external-system/test-system-level.js

@@ -1,17 +1,81 @@
 /**
- * System-level pipeline test - single API call for all datasources
- * @fileoverview System-level test execution for integration tests
- * @author AI Fabrix Team
- * @version 2.0.0
+ * @fileoverview System-level unified validation runner for external systems (aggregate layer).
+ *
+ * Preferred behavior is a single externalSystem-scoped POST that returns an aggregate body.
+ * Until that aggregate is guaranteed everywhere, this module performs the plan §2.2 “interim”
+ * strategy: fan-out datasource-scoped runs and merge into a single system result.
  */
-/* eslint-disable max-statements,complexity -- Map response to datasource results */
+
+'use strict';
 
 const path = require('path');
 const chalk = require('chalk');
 const logger = require('../utils/logger');
-const { testSystemViaPipeline } = require('../api/pipeline.api');
 const { writeTestLog } = require('../utils/test-log-writer');
 const { getIntegrationPath } = require('../utils/paths');
+const { runUnifiedDatasourceValidation } = require('../datasource/unified-validation-run');
+
+async function runOneDatasourceKey(appName, datasourceKey, opts) {
+  const { environment, runType, debug, timeoutMs } = opts;
+  try {
+    const uni = await runUnifiedDatasourceValidation(datasourceKey, {
+      app: appName,
+      environment,
+      runType,
+      debug,
+      verbose: false,
+      timeout: timeoutMs,
+      async: true,
+      noAsync: false
+    });
+
+    if (uni.apiError) {
+      return {
+        key: datasourceKey,
+        success: false,
+        skipped: false,
+        error: uni.apiError.formattedError || uni.apiError.error || 'Request failed',
+        datasourceTestRun: null
+      };
+    }
+    if (uni.pollTimedOut) {
+      return {
+        key: datasourceKey,
+        success: false,
+        skipped: false,
+        error: 'Report incomplete: timeout',
+        datasourceTestRun: uni.envelope
+      };
+    }
+    if (uni.incompleteNoAsync) {
+      return {
+        key: datasourceKey,
+        success: false,
+        skipped: false,
+        error: 'Report incomplete (async required)',
+        datasourceTestRun: uni.envelope
+      };
+    }
+    const env = uni.envelope;
+    const ok = env && typeof env.status === 'string' ? env.status !== 'fail' : false;
+    return { key: datasourceKey, success: ok, skipped: false, datasourceTestRun: env };
+  } catch (err) {
+    return { key: datasourceKey, success: false, skipped: false, error: err.message };
+  }
+}
+
+async function maybeWriteSystemRunLog(appName, systemKey, datasourceKeys, runType, debug, payload) {
+  if (!debug) return;
+  const appPath = getIntegrationPath(appName);
+  const integrationDir = path.dirname(appPath);
+  const logPath = await writeTestLog(
+    appName,
+    { request: { systemKey, datasourceKeys, runType, includeDebug: true }, response: payload },
+    runType === 'e2e' ? 'test-e2e' : 'test-integration',
+    integrationDir
+  );
+  logger.log(chalk.gray(`  Debug log: ${logPath}`));
+}
 
 /**
  * Run system-level pipeline test and map response to datasource results
@@ -25,49 +89,24 @@ const { getIntegrationPath } = require('../utils/paths');
  * @param {number} [params.timeout] - Request timeout
  * @returns {Promise<{success: boolean, datasourceResults: Object[]}>}
  */
-async function runSystemLevelTest({ appName, systemKey, authConfig, dataplaneUrl, debug, timeout }) {
-  const testData = { includeDebug: !!debug };
-  const response = await testSystemViaPipeline(dataplaneUrl, systemKey, authConfig, testData, { timeout });
-  const data = response.data || response;
-
-  if (debug) {
-    const appPath = getIntegrationPath(appName);
-    const integrationDir = path.dirname(appPath);
-    const logPath = await writeTestLog(appName, { request: { systemKey, includeDebug: true }, response: data }, 'test-integration', integrationDir);
-    logger.log(chalk.gray(`  Debug log: ${logPath}`));
+async function runSystemLevelTest({ appName, systemKey, datasourceKeys, environment, runType, debug, timeout }) {
+  if (!Array.isArray(datasourceKeys) || datasourceKeys.length === 0) {
+    return { success: true, datasourceResults: [] };
   }
+  const timeoutMs = Number.isFinite(timeout) ? timeout : 30000;
 
-  const rawResults = data.datasourceResults || data.results || data.data?.datasourceResults || (Array.isArray(data) ? data : []);
-  const datasourceResults = [];
-  let success = true;
-
-  for (const r of rawResults) {
-    const dsKey = r.key || r.sourceKey || r.name || r.datasourceKey;
-    const dsResult = {
-      key: dsKey,
-      success: r.success !== false,
-      skipped: !!r.skipped,
-      reason: r.reason,
-      validationResults: r.validationResults || {},
-      fieldMappingResults: r.fieldMappingResults || {},
-      endpointTestResults: r.endpointTestResults || {}
-    };
-    if (r.error) dsResult.error = r.error;
-    if (!dsResult.success && !dsResult.skipped) success = false;
-    datasourceResults.push(dsResult);
+  const results = [];
+  for (const key of datasourceKeys) {
+    // Keep sequential to avoid spiking external APIs / dataplane concurrency in CLI runs.
+    // (Plan allows parallel later, but UX needs stable logs first.)
+    // eslint-disable-next-line no-await-in-loop -- intentional sequential execution
+    results.push(await runOneDatasourceKey(appName, key, { environment, runType, debug, timeoutMs }));
   }
 
-  if (rawResults.length === 0 && data.success === false) {
-    success = false;
-    datasourceResults.push({
-      key: 'system',
-      success: false,
-      skipped: false,
-      error: data.error || data.formattedError || 'System test failed'
-    });
-  }
+  const success = results.every(r => r.success);
+  await maybeWriteSystemRunLog(appName, systemKey, datasourceKeys, runType, debug, { success, results });
 
-  return { success, datasourceResults };
+  return { success, datasourceResults: results };
 }
 
 module.exports = { runSystemLevelTest };

package/lib/external-system/test.js

@@ -11,12 +11,14 @@ const fs = require('fs').promises;
 const fsSync = require('fs');
 const path = require('path');
 const chalk = require('chalk');
+const { infoLine, formatSuccessLine } = require('../utils/cli-test-layout-chalk');
 const testHelpers = require('../utils/external-system-test-helpers');
 const { retryApiCall } = require('../utils/external-system-test-helpers');
 const { getConfig } = require('../core/config');
 const { detectAppType } = require('../utils/paths');
 const { setupIntegrationTestAuth } = require('./test-auth');
 const logger = require('../utils/logger');
+const { writeTestLog } = require('../utils/test-log-writer');
 const {
   validateFieldMappings,
   validateMetadataSchema,
@@ -35,6 +37,7 @@ const {
   testSingleDatasourceIntegration
 } = require('./test-execution');
 const { runSystemLevelTest } = require('./test-system-level');
+const { shouldUseSystemLevelIntegrationCall } = require('./integration-test-dispatch');
 
 /**
  * Loads and parses application config file
@@ -51,7 +54,7 @@ async function loadVariablesYamlFile(variablesPath) {
     if (!variables.externalIntegration) {
       throw new Error(
         'externalIntegration block not found in application config. ' +
-        'test-integration is for external systems only (integration/<app> with externalIntegration in application.yaml). ' +
+        'test-integration is for external systems only (integration/<systemKey> with externalIntegration in application.yaml). ' +
         'For builder apps use: aifabrix test <app> or aifabrix test-e2e <app>'
       );
     }
@@ -251,11 +254,15 @@ function validateSingleDatasource(datasourceFile, systemKey, externalDataSourceS
     errors: [],
     warnings: [],
     fieldMappingResults: null,
-    metadataSchemaResults: null
+    metadataSchemaResults: null,
+    structuralValid: true,
+    payloadTestsRan: false,
+    payloadTestsOk: true
   };
 
   // Validate against schema
   const schemaValidation = validateDatasourceSchema(datasource, systemKey, externalDataSourceSchema);
+  datasourceResult.structuralValid = schemaValidation.valid;
   if (!schemaValidation.valid) {
     datasourceResult.valid = false;
     datasourceResult.errors.push(...schemaValidation.errors);
@@ -263,16 +270,22 @@ function validateSingleDatasource(datasourceFile, systemKey, externalDataSourceS
 
   // Test with testPayload if available
   if (datasource.testPayload && datasource.testPayload.payloadTemplate) {
-    logger.log(chalk.blue(`  Testing datasource: ${datasource.key}`));
+    if (verbose) {
+      logger.log(`${chalk.cyan('  ℹ')} ${chalk.gray('Testing datasource:')} ${chalk.white.bold(datasource.key)}`);
+    }
+    datasourceResult.payloadTestsRan = true;
     const payloadTestResults = testDatasourceWithPayload(datasource, verbose);
     datasourceResult.fieldMappingResults = payloadTestResults.fieldMappingResults;
     datasourceResult.metadataSchemaResults = payloadTestResults.metadataSchemaResults;
+    datasourceResult.payloadTestsOk = payloadTestResults.valid;
     if (!payloadTestResults.valid) {
       datasourceResult.valid = false;
       datasourceResult.errors.push(...payloadTestResults.errors);
     }
     datasourceResult.warnings.push(...payloadTestResults.warnings);
   } else {
+    datasourceResult.payloadTestsRan = false;
+    datasourceResult.payloadTestsOk = true;
     datasourceResult.warnings.push('No testPayload.payloadTemplate found - skipping field mapping and metadata schema tests');
   }
 
@@ -302,7 +315,8 @@ async function testExternalSystem(appName, options = {}) {
   }
 
   try {
-    logger.log(chalk.blue(`\n🧪 Running unit tests for: ${appName}`));
+    logger.log('');
+    logger.log(infoLine(`Local test: ${appName}`));
 
     // Load files
     const { variables: _variables, systemFiles, datasourceFiles } = await loadExternalSystemFiles(appName);
@@ -312,6 +326,23 @@ async function testExternalSystem(appName, options = {}) {
     validateSystemFilesForTest(systemFiles, results);
     validateDatasourceFilesForTest(datasourceFiles, systemFiles, results, options, validateSingleDatasource, determineDatasourcesToTest);
 
+    results.systemKey = systemFiles.length > 0 ? systemFiles[0].data.key : appName;
+    results.appName = appName;
+
+    if (options.debug) {
+      try {
+        const logPath = await writeTestLog(
+          appName,
+          {
+            request: { appName, datasource: options.datasource || null, verbose: !!options.verbose },
+            response: results
+          },
+          'test'
+        );
+        logger.log(chalk.gray(`  Debug log: ${logPath}`));
+      } catch (_) { /* ignore */ }
+    }
+
     return results;
   } catch (error) {
     // Preserve original error message for better test compatibility
@@ -371,11 +402,13 @@ function determineDatasourcesToTest(datasourceFiles, datasourceFilter) {
  * @param {string} appName - Application name
  * @param {Object} options - Test options
  * @param {string} [options.datasource] - Test specific datasource only
+ * @param {boolean} [options.perDatasource] - When multiple datasources, run POST /validation/run per datasource instead of one externalSystem call
  * @param {string} [options.payload] - Path to custom test payload file
  * @param {string} [options.environment] - Environment (dev, tst, pro)
  * @param {string} [options.controller] - Controller URL
  * @param {boolean} [options.verbose] - Show detailed test output
  * @param {number} [options.timeout] - Request timeout in milliseconds
+ * @param {boolean} [options.sync] - When true, run full `aifabrix upload`-equivalent publish before tests
  * @returns {Promise<Object>} Integration test results
  * @throws {Error} If testing fails
  */
@@ -415,23 +448,41 @@ async function testExternalSystemIntegration(appName, options = {}) {
   }
 
   try {
-    logger.log(chalk.blue(`\n🔗 Running integration tests for: ${appName}`));
+    logger.log('');
+    logger.log(infoLine(`🔗 Running integration tests for: ${appName}`));
 
     const { systemKey, authConfig, dataplaneUrl, datasourcesToTest, customPayload } = await prepareIntegrationTestEnvironment(appName, options);
 
+    if (options.sync === true) {
+      logger.log(chalk.cyan('Syncing local config to dataplane…'));
+      const { uploadExternalSystem } = require('../commands/upload');
+      await uploadExternalSystem(systemKey, {
+        verbose: !!options.verbose,
+        minimal: true
+      });
+      logger.log(formatSuccessLine('Sync complete'));
+    }
+
     const results = {
       success: true,
       systemKey,
       datasourceResults: []
     };
 
-    const useSystemLevel = !options.datasource && datasourcesToTest.length > 0 && !customPayload;
     const timeout = parseInt(options.timeout, 10) || 30000;
+    const useSystemLevel = shouldUseSystemLevelIntegrationCall(options, datasourcesToTest, customPayload);
 
-    if (useSystemLevel && datasourcesToTest.length > 1) {
+    if (useSystemLevel) {
       try {
+        const datasourceKeys = datasourcesToTest.map(ds => ds?.data?.key).filter(Boolean);
         const systemResult = await runSystemLevelTest({
-          appName, systemKey, authConfig, dataplaneUrl, debug: options.debug, timeout
+          appName,
+          systemKey,
+          datasourceKeys,
+          environment: options.environment,
+          runType: 'integration',
+          debug: options.debug,
+          timeout
         });
         results.success = systemResult.success;
         results.datasourceResults = systemResult.datasourceResults;

package/lib/generator/builders.js

@@ -59,24 +59,33 @@ function buildImageReference(variables) {
   return `${imageName}:${tag}`;
 }
 
+/**
+ * Deployment JSON health paths mirror `application.yaml`: probes target the workload (container),
+ * not the public Front Door / Traefik URL. Vdir is carried by `frontDoorRouting` and url://
+ * expansion elsewhere — do not prepend pattern base here (see dataplane `/health`, Keycloak `/health/ready`).
+ *
+ * @param {Object} variables - Transformed application variables
+ * @returns {Object} healthCheck block for deploy manifest
+ */
 function buildHealthCheck(variables) {
+  const hc = variables.healthCheck || {};
+  const path = typeof hc.path === 'string' && hc.path.startsWith('/') ? hc.path : '/health';
   const healthCheck = {
-    path: variables.healthCheck?.path || '/health',
-    interval: variables.healthCheck?.interval || 30
+    path,
+    interval: hc.interval || 30
   };
 
-  // Add optional probe fields if present
-  if (variables.healthCheck?.probePath) {
-    healthCheck.probePath = variables.healthCheck.probePath;
+  if (hc.probePath) {
+    healthCheck.probePath = hc.probePath;
   }
-  if (variables.healthCheck?.probeRequestType) {
-    healthCheck.probeRequestType = variables.healthCheck.probeRequestType;
+  if (hc.probeRequestType) {
+    healthCheck.probeRequestType = hc.probeRequestType;
   }
-  if (variables.healthCheck?.probeProtocol) {
-    healthCheck.probeProtocol = variables.healthCheck.probeProtocol;
+  if (hc.probeProtocol) {
+    healthCheck.probeProtocol = hc.probeProtocol;
   }
-  if (variables.healthCheck?.probeIntervalInSeconds) {
-    healthCheck.probeIntervalInSeconds = variables.healthCheck.probeIntervalInSeconds;
+  if (hc.probeIntervalInSeconds) {
+    healthCheck.probeIntervalInSeconds = hc.probeIntervalInSeconds;
   }
 
   return healthCheck;
@@ -341,6 +350,9 @@ function addSimpleOptionalFields(deployment, variables) {
   if (variables.frontDoorRouting) {
     deployment.frontDoorRouting = variables.frontDoorRouting;
   }
+  if (variables.environmentScopedResources === true) {
+    deployment.environmentScopedResources = true;
+  }
 }
 
 function buildOptionalFields(deployment, variables, rbac) {

package/lib/generator/deploy-manifest-azure-kv.js

@@ -0,0 +1,81 @@
+/**
+ * Map url:// placeholders and Traefik host templates to Azure Key Vault secret names
+ * in deployment manifests (Miso Controller / App Service @Microsoft.KeyVault references).
+ *
+ * @fileoverview Plan 122 — deploy JSON must not ship url:// or ${DEV_USERNAME} for Azure
+ * @author AI Fabrix Team
+ * @version 1.0.0
+ */
+
+'use strict';
+
+const { parseUrlToken } = require('../utils/url-declarative-token-parse');
+
+/**
+ * @param {string|undefined} surface
+ * @param {string} subject
+ * @param {boolean} isPublic
+ * @returns {string|undefined} Secret name when surface is vdir/host
+ */
+function secretNameFromSurface(surface, subject, isPublic) {
+  if (surface === 'vdir') {
+    return `${subject}-vdir-${isPublic ? 'public' : 'internal'}`;
+  }
+  if (surface === 'host') {
+    return `${subject}-host-${isPublic ? 'public' : 'internal'}`;
+  }
+  return undefined;
+}
+
+/**
+ * Key Vault secret name for a url:// token (path after url://).
+ * Aligns with infrastructure/bicep (e.g. keycloak-web-server-url, miso-controller-web-server-url).
+ *
+ * @param {string} ownerAppKey - application.yaml app.key for the manifest being generated
+ * @param {string} token - Token after url:// (no scheme)
+ * @returns {string}
+ */
+function urlTokenToKeyVaultSecretName(ownerAppKey, token) {
+  const selfKey = String(ownerAppKey || '').trim() || 'app';
+  const t = String(token || '').trim();
+  if (!t) {
+    throw new Error('Empty url:// reference (expected a token after url://)');
+  }
+  const { targetKey, kind, surface } = parseUrlToken(t);
+  const isPublic = kind === 'public';
+  const subject = targetKey ? String(targetKey).trim() : selfKey;
+
+  const fromSurface = secretNameFromSurface(surface, subject, isPublic);
+  if (fromSurface !== undefined) {
+    return fromSurface;
+  }
+  if (targetKey === 'keycloak' || (!targetKey && selfKey === 'keycloak')) {
+    return isPublic ? 'keycloak-web-server-url' : 'keycloak-internal-server-url';
+  }
+  if (!targetKey) {
+    return isPublic ? `${selfKey}-web-server-url` : `${selfKey}-internal-server-url`;
+  }
+  return isPublic ? `${subject}-web-server-url` : `${subject}-internal-server-url`;
+}
+
+/**
+ * Replace Traefik-style host templates with a Key Vault secret name consumed by Azure provisioning.
+ *
+ * @param {Object} deployment - Deployment manifest (mutated in place)
+ * @returns {void}
+ */
+function rewriteFrontDoorHostForAzureDeploy(deployment) {
+  if (!deployment || !deployment.frontDoorRouting || typeof deployment.frontDoorRouting.host !== 'string') {
+    return;
+  }
+  const h = deployment.frontDoorRouting.host;
+  if (/\$\{(DEV_USERNAME|REMOTE_HOST)\}/.test(h)) {
+    const key = deployment.key || 'app';
+    deployment.frontDoorRouting.host = `${key}-frontdoor-routing-host`;
+  }
+}
+
+module.exports = {
+  urlTokenToKeyVaultSecretName,
+  rewriteFrontDoorHostForAzureDeploy
+};

package/lib/generator/external.js

@@ -11,6 +11,7 @@
 const fs = require('fs');
 const path = require('path');
 const Ajv = require('ajv');
+const addFormats = require('ajv-formats');
 const { detectAppType, getDeployJsonPath } = require('../utils/paths');
 const { resolveApplicationConfigPath, resolveRbacPath } = require('../utils/app-config-resolver');
 const { loadConfigFile } = require('../utils/config-format');
@@ -255,8 +256,10 @@ function formatValidationErrors(errors) {
  * @throws {Error} If validation fails
  */
 function validateSystemSchema(systemJson, externalSystemSchema, ajv) {
-  const externalSystemSchemaId = externalSystemSchema.$id || 'https://raw.githubusercontent.com/esystemsdev/aifabrix-builder/refs/heads/main/lib/schema/external-system.schema.json';
-  ajv.addSchema(externalSystemSchema, externalSystemSchemaId);
+  if (!externalSystemSchema.$id || typeof externalSystemSchema.$id !== 'string') {
+    throw new Error('External system schema is missing required $id');
+  }
+  ajv.addSchema(externalSystemSchema, externalSystemSchema.$id);
   const validateSystem = ajv.compile(externalSystemSchema);
   const systemValid = validateSystem(systemJson);
 
@@ -277,8 +280,16 @@ function validateSystemSchema(systemJson, externalSystemSchema, ajv) {
  * @throws {Error} If validation fails
  */
 function validateDatasourceSchemas(datasourceJsons, externalDatasourceSchema, ajv) {
-  const externalDatasourceSchemaId = externalDatasourceSchema.$id || 'https://raw.githubusercontent.com/esystemsdev/aifabrix-builder/refs/heads/main/lib/schema/external-datasource.schema.json';
-  ajv.addSchema(externalDatasourceSchema, externalDatasourceSchemaId);
+  if (!externalDatasourceSchema.$id || typeof externalDatasourceSchema.$id !== 'string') {
+    throw new Error('External datasource schema is missing required $id');
+  }
+
+  // external-datasource.schema.json references these by $id (aifabrix://schema/type/*)
+  ajv.addSchema(require('../schema/type/document-storage.json'));
+  ajv.addSchema(require('../schema/type/message-service.json'));
+  ajv.addSchema(require('../schema/type/vector-store.json'));
+
+  ajv.addSchema(externalDatasourceSchema, externalDatasourceSchema.$id);
   const validateDatasource = ajv.compile(externalDatasourceSchema);
 
   for (let i = 0; i < datasourceJsons.length; i++) {
@@ -353,6 +364,7 @@ function prepareSchemasForValidation() {
  */
 function validateApplicationSchemaComponents(systemJson, datasourceJsons, externalSystemSchema, datasourceSchemaToAdd) {
   const ajv = new Ajv({ allErrors: true, strict: false, removeAdditional: false });
+  addFormats(ajv);
 
   // Validate system against external-system schema
   validateSystemSchema(systemJson, externalSystemSchema, ajv);

package/lib/generator/helpers.js

@@ -11,6 +11,7 @@
 const fs = require('fs');
 const path = require('path');
 const { loadConfigFile } = require('../utils/config-format');
+const { urlTokenToKeyVaultSecretName } = require('./deploy-manifest-azure-kv');
 
 /**
  * Loads application config file (application.yaml, application.json, or legacy path) via converter.
@@ -218,6 +219,9 @@ function determineVariableLocation(value, key) {
   if (value.startsWith('kv://')) {
     location = 'keyvault';
     required = true;
+  } else if (value.startsWith('url://')) {
+    location = 'keyvault';
+    required = true;
   }
 
   // Check if it's a sensitive variable
@@ -229,6 +233,31 @@ function determineVariableLocation(value, key) {
   return { location, required };
 }
 
+/**
+ * Maps env.template url:// value(s) to Key Vault secret name(s) for deploy JSON.
+ * Comma-separated lists are supported (e.g. CORS ALLOWED_ORIGINS): each segment
+ * starting with url:// is mapped; other segments are left unchanged (e.g. http://localhost:*).
+ *
+ * @param {string} appKey - application.yaml app.key
+ * @param {string} value - Full value after KEY= (must start with url:// for caller)
+ * @returns {string} Comma-joined secret names / literals
+ */
+function mapUrlTemplateValueToKeyVaultNames(appKey, value) {
+  const segments = value
+    .split(',')
+    .map((s) => s.trim())
+    .filter((s) => s.length > 0);
+  return segments
+    .map((seg) => {
+      if (seg.startsWith('url://')) {
+        const token = seg.slice('url://'.length).trim();
+        return urlTokenToKeyVaultSecretName(appKey, token);
+      }
+      return seg;
+    })
+    .join(',');
+}
+
 /**
  * Creates a configuration item from parsed variable
  * @function createConfigItem
@@ -237,12 +266,27 @@ function determineVariableLocation(value, key) {
  * @param {string} location - Variable location
  * @param {boolean} required - Whether variable is required
  * @param {Map} portalInputMap - Map of portalInput configurations
+ * @param {string|null} appKey - application.yaml app.key (required when value uses url://)
  * @returns {Object} Configuration item
  */
-function createConfigItem(key, value, location, required, portalInputMap) {
+function createConfigItem(key, value, location, required, portalInputMap, appKey) {
+  let storedValue = value;
+  if (location === 'keyvault') {
+    if (value.startsWith('kv://')) {
+      storedValue = value.replace('kv://', '');
+    } else if (value.startsWith('url://')) {
+      if (!appKey) {
+        throw new Error(
+          `Cannot resolve ${key}=${value}: application app.key is required to map url:// to a Key Vault secret name`
+        );
+      }
+      storedValue = mapUrlTemplateValueToKeyVaultNames(appKey, value);
+    }
+  }
+
   const configItem = {
     name: key,
-    value: value.replace('kv://', ''), // Remove kv:// prefix for KeyVault
+    value: storedValue,
     location,
     required
   };
@@ -259,6 +303,10 @@ function parseEnvironmentVariables(envTemplate, variablesConfig = null) {
   const configuration = [];
   const lines = envTemplate.split('\n');
   const portalInputMap = createPortalInputMap(variablesConfig);
+  const appKey =
+    variablesConfig && variablesConfig.app && variablesConfig.app.key
+      ? String(variablesConfig.app.key).trim()
+      : null;
 
   for (const line of lines) {
     const parsed = parseEnvironmentVariableLine(line);
@@ -267,7 +315,14 @@ function parseEnvironmentVariables(envTemplate, variablesConfig = null) {
     }
 
     const { location, required } = determineVariableLocation(parsed.value, parsed.key);
-    const configItem = createConfigItem(parsed.key, parsed.value, location, required, portalInputMap);
+    const configItem = createConfigItem(
+      parsed.key,
+      parsed.value,
+      location,
+      required,
+      portalInputMap,
+      appKey
+    );
     configuration.push(configItem);
   }
 

package/lib/generator/index.js

@@ -22,6 +22,7 @@ const { generateControllerManifest } = require('./external-controller-manifest')
 const { resolveVersionForApp } = require('../utils/image-version');
 const { getContainerPort } = require('../utils/port-resolver');
 const { buildEnvVarMap } = require('../utils/env-map');
+const { rewriteFrontDoorHostForAzureDeploy } = require('./deploy-manifest-azure-kv');
 
 /**
  * Generates deployment JSON from application configuration files
@@ -191,6 +192,8 @@ function buildAndValidateDeployment(appName, variables, envTemplate, rbac, optio
     substituteEnvVarsInDeployment(deployment, envVarMap);
   }
 
+  rewriteFrontDoorHostForAzureDeploy(deployment);
+
   // Ensure no other ${...} placeholders remain in manifest
   _validator.validateNoUnresolvedVariablesInDeployment(deployment);
 
@@ -236,6 +239,7 @@ async function buildDeploymentManifestInMemory(appName, options = {}) {
   }
   const envVarMap = await buildEnvVarMap('docker', null, null, { appPort: effectivePort });
   substituteEnvVarsInDeployment(deployment, envVarMap);
+  rewriteFrontDoorHostForAzureDeploy(deployment);
   _validator.validateNoUnresolvedVariablesInDeployment(deployment);
   return { deployment, appPath };
 }