@aifabrix/builder 2.43.0 → 2.44.0

package/templates/external-system/external-datasource.yaml.hbs

@@ -1,47 +1,89 @@
+# External datasource definition. Validate against lib/schema/external-datasource.schema.json (e.g. aifabrix validate / CI).
+# Normative usage (metadata, FKs, dimensions, expressions, execution vs query) aligns with schema v2.4.1 and the Datasource Rules baseline (Plan 346).
+# key: stable identifier (typically <systemKey>-<entity>); referenced by credentials, deploy, and datasource-chaining CIP steps.
 key: "{{fullDatasourceKey}}"
+# Short name and description shown in tooling and docs.
 displayName: "{{datasourceDisplayName}}"
 description: "{{datasourceDescription}}"
+# Parent external system this datasource belongs to (matches external-system key).
 systemKey: "{{systemKey}}"
+# entityType: recordStorage = structured rows in DB; documentStorage = same family + binary/large content outside metadata_json;
+# vectorStore = retrieval/embedding external store; messageService = channels/notifications; none = orchestration/API composition ONLY.
+# If none: do NOT add metadataSchema, primaryKey, labelKey, dimensions, fieldMappings, sync, documentStorage, etc. (schema forbids them).
 entityType: "{{schemaEntityType}}"
+# Fine-grained resource classification (e.g. customer, document); used for UX and policies.
 resourceType: "{{resourceType}}"
+enabled: true
+# File / config version for this YAML (distinct from execution.cip.version when you add CIP below).
+version: "1.0.0"
+{{#unless (eq schemaEntityType "none")}}
+# primaryKey: normalized attribute names used for get/update/delete and storage keys (must exist in metadataSchema + fieldMappings).
 primaryKey:
 {{#each primaryKey}}  - "{{this}}"
 {{/each}}
-enabled: true
-version: "1.0.0"
-fieldMappings:
-{{#if dimensions}}
-  dimensions:
-{{#each dimensions}}
-    {{@key}}: "{{this}}"
+# labelKey: attributes used for display labels (search, pickers); often includes primaryKey + human-readable fields.
+labelKey:
+{{#each labelKey}}  - "{{this}}"
+{{/each}}
+# metadataSchema: canonical normalized fields (camelCase). Only index=true / filter=true scalars materialize as DB columns; full shape lives in metadata_json.
+# Allowed on fields: type, format, index, filter, nullable, description, string/number validation keywords. Forbidden: anyOf/oneOf/allOf/not/enum/const in author trees.
+# Datetime: type string + format date-time, UTC. Max structural depth per product rules (~2); avoid deep JSON for filter/join paths.
+metadataSchema:
+  type: object
+  required:
+{{#each attributeKeysForMetadata}}    - "{{this}}"
+{{/each}}
+  properties:
+{{#each attributeKeysForMetadata}}
+    {{this}}:
+      type: string
+{{#if (eq this "externalId")}}      index: true
+{{else}}{{#if (eq this "id")}}      index: true
+{{else}}{{#if @first}}      index: true
+{{else}}      filter: true
+{{/if}}{{/if}}{{/if}}
+{{/each}}
+{{#if dimensionBindingEntries}}
+# dimensions: top-level only. type local binds to an indexed metadata field; type fk uses via: [{ fk, dimension }]. Optional for global reference data; expected when ABAC/FK joins apply (Plan 346 section 7).
+# Actors: displayName|email|userId → operator eq; groups|roles → in. If actor is omitted, operator should be omitted (operator has no effect without actor).
+dimensions:
+{{#each dimensionBindingEntries}}
+  {{dimKey}}:
+    type: local
+    field: "{{field}}"
+    actor: displayName
+    operator: eq
 {{/each}}
-{{else}}
-  dimensions: {}
-  # Optional: add country, department, organization for ABAC
 {{/if}}
+# fieldMappings: normalization-only. Each attribute allows only { expression }. Roots MUST be raw.*, fk.*, or dimension.* (e.g. raw.id, fk.company.metadata.name).
+# Heavy transforms belong upstream, in sync, or in entityType none orchestration — not here. Output keys MUST match metadataSchema properties.
+fieldMappings:
   attributes:
 {{#if attributes}}
 {{#each attributes}}
     {{@key}}:
       expression: "{{this.expression}}"
-      type: {{this.type}}
-      indexed: {{#if this.indexed}}true{{else}}false{{/if}}
 {{/each}}
 {{else}}
     id:
       expression: "{{raw.id}}"
-      type: string
-      indexed: true
     name:
       expression: "{{raw.name}}"
-      type: string
-      indexed: false
 {{/if}}
+# foreignKeys (optional): declare join graph to other storage datasources. name + fields[] (indexed metadata fields) + targetDatasource; acyclic; types must match (Plan 346 sections 6 and 8).
+# foreignKeys:
+#   - name: company
+#     fields: [companyId]
+#     targetDatasource: my-system-company
+{{/unless}}
 {{#if (eq systemType "openapi")}}
+# openapi: links this datasource to the generated OpenAPI document (same systemKey-api artifact). CIP fetch.openapiRef uses keys below: list, get, …
 openapi:
   enabled: true
+  # Must match the OpenAPI bundle key published for this system (wizard default: <systemKey>-api).
   documentKey: "{{systemKey}}-api"
   operations:
+    # Standard names list/get/create/update/delete; operationId and path should match your spec. CIP uses openapiRef: list | get.
     list:
       operationId: "list{{entityKey}}"
       method: GET
@@ -50,168 +92,205 @@ openapi:
       operationId: "get{{entityKey}}"
       method: GET
       path: "/{{entityKey}}/{id}"
+  # When true, runtime can derive RBAC hints from OpenAPI metadata where supported.
   autoRbac: true
 {{/if}}
 
 # --- Optional sections: uncomment or delete as needed ---
-# CIP (Custom Integration Pipeline) supports: fetch, paginate, map, filter, output, pythonInline steps.
-# Operations: list, get, create, update, delete. Pagination: cursor | page | offset.
+#
+# Query-time (v2.4): public list/get/filter are served from persisted Dataplane DB — not live external HTTP on every read (Plan 346 section 11).
+# External APIs: sync jobs and create/update/delete execution paths. CIP fetch→map is for ingestion, writes, or orchestration — populate storage before expecting query APIs.
+#
+# CIP (Composable Integration Pipeline): fetch → [paginate] → [map] → [filter] → output
+# Sources: openapi (openapi.operations.<name>), http (method + path), datasource (another datasource key + operation name). Operation names: ^[a-z][a-zA-Z0-9]*$
+# execution.cip requires version "1.0" and operations.<name>.steps ($defs.cipDefinition). Custom operation keys must match the same pattern as capabilities[].
+#
 {{#if (eq schemaEntityType "recordStorage")}}
+# sync: external APIs run during sync (Plan 346 section 11). Minimal contract: mode/schedule/batchSize per schema. FK fields on a record should update atomically in one logical write.
 # sync:
 #   pull:
 #     enabled: true
 #     schedule: "0 * * * *"
+#     batchSize: 500
+# validation: structural / pre-persistence checks; quality: post-mapping acceptance (e.g. rejectIf) — see schema when you enable them.
+# capabilities: standard names list, get, create, update, delete + custom names matching ^[a-z][a-zA-Z0-9]*$; must match execution.cip.operations / openapi.operations you implement.
 # capabilities: [list, get]
 {{/if}}
 {{#if (eq schemaEntityType "documentStorage")}}
+# documentStorage: binary/attachment flow — which operation fetches bytes and which metadata field holds extractable text for embeddings.
 # documentStorage:
 #   enabled: true
 #   binaryOperationRef: get
 #   embeddingField: content
 {{/if}}
 {{#if (eq schemaEntityType "vectorStore")}}
+# vectorStore: vector index settings (model id, dimensions, etc. per schema). Uncomment and set to match your embedding deployment.
 # vectorStore:
 #   enabled: true
 #   embeddingModel: "text-embedding-ada-002"
 {{/if}}
 {{#if (eq schemaEntityType "messageService")}}
+# messageService: channel-oriented messaging integration; channels list drives subscription/send surfaces.
 # messageService:
 #   enabled: true
 #   channels: []
 {{/if}}
 
-# --- execution: CIP pipeline ---
-# Steps: fetch (openapi/http) → paginate (cursor|page|offset) → map (useFieldMappings, inputPath) → filter (enforceAbac, expression) → output (mode: records)
-# Pagination: cursor=cursorField+cursorParam | page=pageParam+pageSizeParam | offset=offsetParam+pageSizeParam
-# Adjust inputPath to your API ($.results[*], $.items[*], $.value[*], etc.)
-{{#if (eq schemaEntityType "recordStorage")}}
+{{#unless (eq schemaEntityType "none")}}
+{{#if (eq systemType "openapi")}}
+# Example CIP (commented): matches openapi.operations list/get for "{{entityKey}}" above — copy, uncomment, tune inputPath/query.
+# Alternative engines: execution.engine python (custom handler) or datasource (chain); see schema execution.* properties.
+#
 # execution:
 #   engine: cip
 #   cip:
+#     version: "1.0"
+#     # Optional: idempotency / runtimeContext blocks live alongside version at this level (schema $defs.idempotencyConfig, cipRuntimeContext).
 #     operations:
 #       list:
 #         enabled: true
-#         description: "List all records"
+#         description: "List {{entityKey}} records"
 #         steps:
-#           - fetch: { source: openapi, openapiRef: list, query: {} }
-#           - paginate: { strategy: cursor, cursorField: "$.paging.next.after", cursorParam: after, pageSize: 100, maxPages: 100 }
-#           # Alternative: page → pageParam, pageSizeParam | offset → offsetParam, pageSizeParam
-#           - map: { useFieldMappings: true, inputPath: "$.results[*]" }
-#           - filter: { enforceAbac: true }
-#           # Optional: filter.expression for SQL or JSON filter, e.g. expression: "status = 'active'"
-#           - output: { mode: records }
+#           - fetch:
+#               source: openapi
+#               openapiRef: list
+#               query: {}
+#               # expectedItemsPath: "$.results"
+#           # - paginate:
+#           #     strategy: cursor
+#           #     cursorField: "next_cursor"
+#           #     cursorParam: "cursor"
+#           #     pageSize: 100
+#           #     maxPages: 50
+#           - map:
+#               useFieldMappings: true
+#               # inputPath: JSONPath-like slice over the fetch body; must match list payload (array of raw objects before fieldMappings).
+#               inputPath: "$.results[*]"
+#               # Try $.items[*], $.data[*], etc. if your list lives under a different key (schema default hint is $.items[*]).
+#               # inline: { customField: "\{{raw.custom}}" }  # optional field override beside useFieldMappings
+#           - filter:
+#               enforceAbac: true
+#               # expression "@": pass records through JMESPath after ABAC; replace with a predicate when you need server-side row filtering.
+#               expression: "@"
+#               expressionLanguage: jmespath
+#               # abac: { mode: mandatory, policyScope: datasource }
+#           - output:
+#               mode: records
+#               # limit: soft cap on list size; sync jobs may override.
+#               # limit: 500
+#               # includeConfidence: true  # optional per-record scoring when supported
 #       get:
 #         enabled: true
-#         description: "Get record by ID"
-#         steps:
-#           - fetch: { source: openapi, openapiRef: get, query: {} }
-#           - map: { useFieldMappings: true, inputPath: "$" }
-#           - filter: { enforceAbac: true }
-#           - output: { mode: records }
-#       create:
-#         steps:
-#           - fetch: { source: openapi, openapiRef: create, bodyTemplate: "{{body}}" }
-#           - map: { useFieldMappings: true, inputPath: "$" }
-#           - output: { mode: records }
-#       update:
-#         steps:
-#           - fetch: { source: openapi, openapiRef: update, bodyTemplate: "{{body}}" }
-#           - map: { useFieldMappings: true, inputPath: "$" }
-#           - output: { mode: records }
-#       delete:
+#         description: "Single {{entityKey}} by id (path /{{entityKey}}/{id} on openapi.get)"
 #         steps:
-#           - fetch: { source: openapi, openapiRef: delete }
-#           - output: { mode: records }
-{{/if}}
-{{#if (eq schemaEntityType "documentStorage")}}
+#           - fetch:
+#               source: openapi
+#               openapiRef: get
+#               query:
+#                 id: "{{raw.id}}"
+#               # If your API uses a different param name, rename the key; path params are resolved per your OpenAPI operation.
+#               # onError: { retry: { maxAttempts: 3 } }  # optional per-step error policy (schema $defs.cipOnErrorConfig)
+#           - map:
+#               useFieldMappings: true
+#               # Single-object body: "$" or a path to the entity object inside a wrapper response.
+#               inputPath: "$"
+#               # Wrapped entity: use "$.data" or "$.result"
+#           - filter:
+#               enforceAbac: true
+#               expression: "@"
+#               expressionLanguage: jmespath
+#           - output:
+#               mode: records
+#       # Optional: delegate to another datasource's CIP
+#       # related:
+#       #   enabled: true
+#       #   steps:
+#       #     - fetch: { source: datasource, datasource: "other-system-entity", operation: list, parameters: {} }
+#       #     - output: { mode: records }
+{{else}}
+# Example CIP (commented): no openapi block in this file — use http fetch (or add openapi: first, then use the openapi example pattern).
+# http fetch: method + path are required; query holds static query params (runtime may merge ABAC params).
+#
 # execution:
 #   engine: cip
 #   cip:
+#     version: "1.0"
 #     operations:
 #       list:
 #         enabled: true
-#         description: "List documents"
 #         steps:
-#           - fetch: { source: openapi, openapiRef: list, query: {} }
-#           - paginate: { strategy: offset, offsetParam: skip, pageSizeParam: top, pageSize: 100, maxPages: 100 }
-#           - map: { useFieldMappings: true, inputPath: "$.value[*]" }
-#           - filter: { enforceAbac: true }
-#           - output: { mode: records }
+#           - fetch:
+#               source: http
+#               method: GET
+#               path: "/{{entityKey}}"
+#               query: {}
+#               # headers: { Accept: "application/json" }
+#           - map:
+#               useFieldMappings: true
+#               inputPath: "$.items[*]"
+#           - filter:
+#               enforceAbac: true
+#               expression: "@"
+#               expressionLanguage: jmespath
+#           - output:
+#               mode: records
 #       get:
 #         enabled: true
-#         description: "Get document by ID"
-#         steps:
-#           - fetch: { source: openapi, openapiRef: get, query: {} }
-#           - map: { useFieldMappings: true, inputPath: "$" }
-#           - filter: { enforceAbac: true }
-#           - output: { mode: records }
-#       create:
-#         enabled: true
-#         description: "Upload document"
 #         steps:
-#           - fetch: { source: openapi, openapiRef: create, bodyTemplate: "{{fileContent}}" }
-#           - map: { useFieldMappings: true, inputPath: "$" }
-#           - output: { mode: records }
-{{/if}}
-{{#if (eq schemaEntityType "vectorStore")}}
-# execution:
-#   engine: cip
-#   cip:
-#     operations:
-#       list:
-#         steps:
-#           - fetch: { source: openapi, openapiRef: list, query: {} }
-#           - map: { useFieldMappings: true, inputPath: "$" }
-#           - output: { mode: records }
-#       get:
-#         steps:
-#           - fetch: { source: openapi, openapiRef: get, query: {} }
-#           - map: { useFieldMappings: true, inputPath: "$" }
-#           - output: { mode: records }
-{{/if}}
-{{#if (eq schemaEntityType "messageService")}}
-# execution:
-#   engine: cip
-#   cip:
-#     operations:
-#       list:
-#         steps:
-#           - fetch: { source: openapi, openapiRef: list, query: {} }
-#           - map: { useFieldMappings: true, inputPath: "$" }
-#           - output: { mode: records }
+#           - fetch:
+#               source: http
+#               method: GET
+#               # Path template must match your API; {id} is illustrative — align with real route and param names.
+#               path: "/{{entityKey}}/{id}"
+#               query: {}
+#           - map:
+#               useFieldMappings: true
+#               inputPath: "$"
+#           - filter:
+#               enforceAbac: true
+#               expression: "@"
+#               expressionLanguage: jmespath
+#           - output:
+#               mode: records
 {{/if}}
+{{/unless}}
 {{#if (eq schemaEntityType "none")}}
-# execution:
+# execution (entityType none — orchestration / API composition only; no storage contract on this datasource):
+# Cross-datasource access without FK is not a query-time join: use FK graph, bridge recordStorage, pre-normalize, or fan-out here (Plan 346 section 5).
 #   engine: cip
 #   cip:
+#     version: "1.0"
 #     operations:
 #       list:
 #         steps:
 #           - fetch: { source: openapi, openapiRef: list, query: {} }
-#           - map: { useFieldMappings: true, inputPath: "$" }
-#           - output: { mode: records }
-#       get:
-#         steps:
-#           - fetch: { source: openapi, openapiRef: get, query: {} }
-#           - map: { useFieldMappings: true, inputPath: "$" }
 #           - output: { mode: records }
+#       # Chain another datasource (no fieldMappings on this datasource):
+#       # chain:
+#       #   steps:
+#       #     - fetch: { source: datasource, datasource: "upstream-system-entity", operation: list, parameters: {} }
+#       #     - output: { mode: records }
 {{/if}}
 
-# config: ABAC cross-system filters (SQL or JSON)
+# config.extensions: vendor-specific knobs; property names must match ^x[A-Z]… (e.g. xHubSpotFeature). Keeps core schema stable.
 # config:
-#   abac:
-#     crossSystemSql: "country = '{{actor.country}}'"
-#     # crossSystemJson: { "dimensions.country": { "eq": "{{actor.country}}" } }
+#   extensions:
+#     xHubSpotFeature: {}
 
-# capabilities: [list, get, create, update, delete]
-
-# exposed: attributes to expose via MCP/OpenAPI
+# exposed.schema: single public response shape for REST/MCP; values are expressions (metadata.*, dimension.*, fk.*.metadata.*). No implicit fields; use exposed.readonly[] / exposed.omit[] for writes (Plan 346 section 13). exposed.attributes is deprecated.
 # exposed:
-#   attributes: [id, name]
+#   schema:
+#     id: metadata.id
+#     name: metadata.name
+#     # nested objects and fk.* paths are allowed when foreignKeys exist and join rules pass join rules (section 8)
+#   # readonly: [status]
+#   # omit: [internalScore]
 
-# metadataSchema: JSON Schema for raw metadata validation
-# metadataSchema:
-#   type: object
-#   properties:
-#     id: { type: string }
-#     name: { type: string }
+# testPayload (optional): fixtures for static expression resolution (raw/fk/dimension); root keys are closed in schema — no typos at top level (Plan 346 section 16).
+# testPayload:
+#   mode: smoke
+#   payloadTemplate:
+#     raw: { id: "1", name: "Example" }
+
+# capabilities: root-level array preferred (v2.2+); names must match ^[a-z][a-zA-Z0-9]*$.
+# capabilities: [list, get, create, update, delete]

package/templates/infra/compose.yaml.hbs

@@ -17,7 +17,9 @@ services:
       - "{{postgresPort}}:5432"
     volumes:
       - {{#if (eq devId 0)}}postgres_data{{else}}dev{{devId}}_postgres_data{{/if}}:/var/lib/postgresql/data
-      - ./init-scripts:/docker-entrypoint-initdb.d
+      - type: bind
+        source: "{{initScriptsBind}}"
+        target: /docker-entrypoint-initdb.d
     networks:
       - {{networkName}}
     healthcheck:
@@ -61,7 +63,10 @@ services:
       - "{{pgadminPort}}:80"
     volumes:
       - {{#if (eq devId 0)}}pgadmin_data{{else}}dev{{devId}}_pgadmin_data{{/if}}:/var/lib/pgadmin
-      - {{infraDir}}:/host-config:ro
+      - type: bind
+        source: "{{infraDirBind}}"
+        target: /host-config
+        read_only: true
     command: >
       sh -c "
       if [ -f /host-config/servers.json ]; then
@@ -110,8 +115,13 @@ services:
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
       - "--providers.docker.network={{networkName}}"
+      - "--providers.docker.allowEmptyServices=true"
+      - "--log.level=INFO"
       - "--entrypoints.web.address=:80"
       - "--entrypoints.websecure.address=:443"
+{{#if traefik.trustForwardedHeaders}}
+      - "--entrypoints.web.forwardedHeaders.insecure=true"
+{{/if}}
 {{#if traefik.certStore}}
 {{#if traefik.certFile}}
       - "--certificatesstores.{{traefik.certStore}}.defaultcertificate.certfile={{traefik.certFile}}"
@@ -126,10 +136,16 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
 {{#if traefik.certFile}}
-      - {{traefik.certFile}}:{{traefik.certFile}}:ro
+      - type: bind
+        source: "{{traefik.certFile}}"
+        target: "{{traefik.certFile}}"
+        read_only: true
 {{/if}}
 {{#if traefik.keyFile}}
-      - {{traefik.keyFile}}:{{traefik.keyFile}}:ro
+      - type: bind
+        source: "{{traefik.keyFile}}"
+        target: "{{traefik.keyFile}}"
+        read_only: true
 {{/if}}
     networks:
       - {{networkName}}

package/templates/python/docker-compose.hbs

@@ -13,16 +13,28 @@ services:
       {{#if traefik.tls}}
       - "traefik.http.routers.{{app.key}}.entrypoints=websecure"
       - "traefik.http.routers.{{app.key}}.tls=true"
+      - "traefik.http.routers.{{app.key}}.service={{app.key}}"
       {{#if traefik.certStore}}
       - "traefik.http.routers.{{app.key}}.tls.certstore={{traefik.certStore}}"
       {{/if}}
+      - "traefik.http.routers.{{app.key}}-http.rule=Host(`{{traefik.host}}`) && PathPrefix(`{{traefik.path}}`)"
+      - "traefik.http.routers.{{app.key}}-http.entrypoints=web"
+      {{#unless (eq traefik.path "/")}}
+      {{#if traefik.stripPathPrefix}}
+      - "traefik.http.routers.{{app.key}}-http.middlewares={{app.key}}-stripprefix"
+      {{/if}}
+      {{/unless}}
+      - "traefik.http.routers.{{app.key}}-http.service={{app.key}}"
       {{else}}
       - "traefik.http.routers.{{app.key}}.entrypoints=web"
+      - "traefik.http.routers.{{app.key}}.service={{app.key}}"
       {{/if}}
       - "traefik.http.services.{{app.key}}.loadbalancer.server.port={{containerPort}}"
       {{#unless (eq traefik.path "/")}}
+      {{#if traefik.stripPathPrefix}}
       - "traefik.http.middlewares.{{app.key}}-stripprefix.stripprefix.prefixes={{traefik.path}}"
       - "traefik.http.routers.{{app.key}}.middlewares={{app.key}}-stripprefix"
+      {{/if}}
       {{/unless}}
     {{/if}}
     environment:
@@ -59,7 +71,11 @@ services:
     {{/if}}
     {{/if}}
     healthcheck:
+      {{#if healthCheck.bashProbe}}
+      test: ["CMD-SHELL", "bash -c 'exec 3<>/dev/tcp/127.0.0.1/{{port}} && printf \"GET {{healthCheck.path}} HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n\" >&3 && head -n1 <&3 | grep -q \"200 OK\"'"]
+      {{else}}
       test: ["CMD", "curl", "-f", "http://localhost:{{port}}{{healthCheck.path}}"]
+      {{/if}}
       interval: {{healthCheck.interval}}s
       timeout: 10s
       retries: 3

package/templates/typescript/docker-compose.hbs

@@ -13,16 +13,28 @@ services:
       {{#if traefik.tls}}
       - "traefik.http.routers.{{app.key}}.entrypoints=websecure"
       - "traefik.http.routers.{{app.key}}.tls=true"
+      - "traefik.http.routers.{{app.key}}.service={{app.key}}"
       {{#if traefik.certStore}}
       - "traefik.http.routers.{{app.key}}.tls.certstore={{traefik.certStore}}"
       {{/if}}
+      - "traefik.http.routers.{{app.key}}-http.rule=Host(`{{traefik.host}}`) && PathPrefix(`{{traefik.path}}`)"
+      - "traefik.http.routers.{{app.key}}-http.entrypoints=web"
+      {{#unless (eq traefik.path "/")}}
+      {{#if traefik.stripPathPrefix}}
+      - "traefik.http.routers.{{app.key}}-http.middlewares={{app.key}}-stripprefix"
+      {{/if}}
+      {{/unless}}
+      - "traefik.http.routers.{{app.key}}-http.service={{app.key}}"
       {{else}}
       - "traefik.http.routers.{{app.key}}.entrypoints=web"
+      - "traefik.http.routers.{{app.key}}.service={{app.key}}"
       {{/if}}
       - "traefik.http.services.{{app.key}}.loadbalancer.server.port={{containerPort}}"
       {{#unless (eq traefik.path "/")}}
+      {{#if traefik.stripPathPrefix}}
       - "traefik.http.middlewares.{{app.key}}-stripprefix.stripprefix.prefixes={{traefik.path}}"
       - "traefik.http.routers.{{app.key}}.middlewares={{app.key}}-stripprefix"
+      {{/if}}
       {{/unless}}
     {{/if}}
     environment:
@@ -59,7 +71,11 @@ services:
     {{/if}}
     {{/if}}
     healthcheck:
+      {{#if healthCheck.bashProbe}}
+      test: ["CMD-SHELL", "bash -c 'exec 3<>/dev/tcp/127.0.0.1/{{port}} && printf \"GET {{healthCheck.path}} HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n\" >&3 && head -n1 <&3 | grep -q \"200 OK\"'"]
+      {{else}}
       test: ["CMD", "curl", "-f", "http://localhost:{{port}}{{healthCheck.path}}"]
+      {{/if}}
       interval: {{healthCheck.interval}}s
       timeout: 10s
       retries: 3

package/lib/api/external-test.api.js

@@ -1,111 +0,0 @@
-/**
- * @fileoverview External test API - dataplane external endpoints (test, test-e2e)
- * @author AI Fabrix Team
- * @version 2.0.0
- */
-
-const { ApiClient } = require('./index');
-
-/**
- * Run E2E test for one datasource (config, credential, sync, data, CIP) via dataplane external API.
- * Requires Bearer token or API key; client credentials are not accepted.
- * When asyncRun is true, POST returns 202 with { testRunId, status, startedAt }; caller must poll
- * getE2ETestRun until status is 'completed' or 'failed'. When asyncRun is false, POST returns 200
- * with sync body { steps, success, error?, ... }.
- *
- * @requiresPermission {Dataplane} external-data-source:read
- * @async
- * @function testDatasourceE2E
- * @param {string} dataplaneUrl - Dataplane base URL
- * @param {string} sourceIdOrKey - Source ID or datasource key (e.g. hubspot-test-contacts)
- * @param {Object} authConfig - Authentication configuration (must have token or apiKey; client creds rejected)
- * @param {Object} [body] - Optional request body (e.g. includeDebug, testCrud, recordId, cleanup, primaryKeyValue)
- * @param {Object} [options] - Optional options
- * @param {boolean} [options.asyncRun] - If true, request async run (query param asyncRun=true); response may be 202 with testRunId
- * @returns {Promise<Object>} Response with success, data (sync: steps/success/error; async start: testRunId/status/startedAt), status
- * @throws {Error} If auth lacks Bearer/API_KEY or if test fails
- */
-async function testDatasourceE2E(dataplaneUrl, sourceIdOrKey, authConfig, body = {}, options = {}) {
-  if (!authConfig.token && !authConfig.apiKey) {
-    throw new Error(
-      'E2E tests require Bearer token or API key. Run \'aifabrix login\' or configure API key. ' +
-      'Client credentials are not supported for external test endpoints.'
-    );
-  }
-  const client = new ApiClient(dataplaneUrl, authConfig);
-  const postOptions = { body };
-  if (options.asyncRun === true) {
-    postOptions.params = { asyncRun: 'true' };
-  }
-  return await client.post(`/api/v1/external/${encodeURIComponent(sourceIdOrKey)}/test-e2e`, postOptions);
-}
-
-/**
- * Poll E2E test run status. Call after testDatasourceE2E with asyncRun true when response has testRunId.
- * Same auth as E2E (Bearer or API key).
- *
- * @requiresPermission {Dataplane} external-data-source:read
- * @async
- * @function getE2ETestRun
- * @param {string} dataplaneUrl - Dataplane base URL
- * @param {string} sourceIdOrKey - Source ID or datasource key
- * @param {string} testRunId - Test run ID from async start response
- * @param {Object} authConfig - Authentication configuration (must have token or apiKey)
- * @returns {Promise<Object>} Poll response: { status, completedActions?, steps?, success?, error?, durationSeconds?, debug? }
- * @throws {Error} If auth lacks Bearer/API_KEY, or if run not found/expired (404)
- */
-async function getE2ETestRun(dataplaneUrl, sourceIdOrKey, testRunId, authConfig) {
-  if (!authConfig.token && !authConfig.apiKey) {
-    throw new Error(
-      'E2E poll requires Bearer token or API key. Run \'aifabrix login\' or configure API key.'
-    );
-  }
-  if (!testRunId || typeof testRunId !== 'string') {
-    throw new Error('testRunId is required for E2E poll');
-  }
-  const client = new ApiClient(dataplaneUrl, authConfig);
-  const response = await client.get(
-    `/api/v1/external/${encodeURIComponent(sourceIdOrKey)}/test-e2e/${encodeURIComponent(testRunId)}`
-  );
-  if (!response.success) {
-    if (response.status === 404) {
-      throw new Error(
-        `E2E test run not found or expired (run ID: ${testRunId}). The run may have been purged or the ID is invalid.`
-      );
-    }
-    throw new Error(response.formattedError || response.error || 'E2E poll failed');
-  }
-  return response.data || response;
-}
-
-/**
- * Run config test for one datasource via dataplane external API.
- * Requires Bearer token or API key; client credentials are not accepted.
- *
- * @requiresPermission {Dataplane} external-data-source:read
- * @async
- * @function testDatasourceConfig
- * @param {string} dataplaneUrl - Dataplane base URL
- * @param {string} sourceIdOrKey - Source ID or datasource key
- * @param {Object} authConfig - Authentication configuration
- * @param {Object} [body] - Optional request body
- * @returns {Promise<Object>} Config test response
- * @throws {Error} If auth lacks Bearer/API_KEY or if test fails
- */
-async function testDatasourceConfig(dataplaneUrl, sourceIdOrKey, authConfig, body = {}) {
-  if (!authConfig.token && !authConfig.apiKey) {
-    throw new Error(
-      'External config tests require Bearer token or API key. Run \'aifabrix login\' or configure API key.'
-    );
-  }
-  const client = new ApiClient(dataplaneUrl, authConfig);
-  return await client.post(`/api/v1/external/${encodeURIComponent(sourceIdOrKey)}/test`, {
-    body
-  });
-}
-
-module.exports = {
-  testDatasourceE2E,
-  getE2ETestRun,
-  testDatasourceConfig
-};