@aifabrix/builder 2.43.0 → 2.44.1

package/lib/app/show-display.js

@@ -11,6 +11,7 @@
 
 const chalk = require('chalk');
 const logger = require('../utils/logger');
+const { truncatePublicKeyPreview } = require('./certification-show-enrich');
 
 function logSourceAndHeader(summary) {
   const isOffline = summary.source === 'offline';
@@ -81,7 +82,7 @@ function logApplicationExternalIntegration(ei, options = {}) {
   logger.log(`    systems: [${(ei.systems || []).join(', ')}]`);
   logger.log(`    dataSources: [${(ei.dataSources || []).join(', ')}]`);
   if (!options.skipHint) {
-    logger.log(chalk.gray('\n  For external system data as on dataplane, run: aifabrix show <appKey> --online or aifabrix app show <appKey>.'));
+    logger.log(chalk.gray('\n  For external system data as on dataplane, run: aifabrix show <app> --online or aifabrix app show <app>.'));
   }
 }
 
@@ -261,6 +262,47 @@ function displayExternalAppBlock(summary) {
   }
 }
 
+/**
+ * Local certification + optional verify rows (external integrations).
+ * @param {Object} summary
+ */
+function logCertificationSection(summary) {
+  if (!summary.isExternal) return;
+  logger.log('');
+  logger.log('🪪  Certification (local system file)');
+  const c = summary.localCertification;
+  if (!c || typeof c !== 'object') {
+    logger.log('  (none or unreadable)');
+  } else {
+    logger.log(`  enabled:     ${c.enabled}`);
+    logger.log(`  algorithm:   ${c.algorithm ?? '—'}`);
+    logger.log(`  issuer:      ${c.issuer ?? '—'}`);
+    logger.log(`  version:     ${c.version ?? '—'}`);
+    logger.log(`  publicKey:   ${truncatePublicKeyPreview(c.publicKey, 64)}`);
+  }
+  if (summary.certificationVerifyRows && summary.certificationVerifyRows.length > 0) {
+    logger.log('');
+    logger.log('🪪  Certification verify (dataplane)');
+    summary.certificationVerifyRows.forEach((row) => {
+      if (row.error) {
+        logger.log(`  • ${row.datasourceKey}: ${row.error}`);
+        return;
+      }
+      const ok = row.overallValid ? chalk.green('ok') : chalk.yellow('not ok');
+      logger.log(
+        `  • ${row.datasourceKey}: ${ok}  signature=${row.validSignature} hash=${row.validHash}`
+      );
+      if (row.reasons && row.reasons.length) {
+        logger.log(chalk.gray(`    reasons: ${row.reasons.join('; ')}`));
+      }
+    });
+  } else if (summary.certificationVerifySkipped) {
+    logger.log(chalk.gray('\n  Certification verify skipped (not logged in or no controller URL).'));
+  } else if (summary.certificationVerifyError) {
+    logger.log(chalk.yellow(`\n  Certification verify error: ${summary.certificationVerifyError}`));
+  }
+}
+
 /**
  * Format and print human-readable show output (offline or online).
  * @param {Object} summary - Unified summary (buildOfflineSummaryFromDeployJson or buildOnlineSummary)
@@ -278,6 +320,7 @@ function display(summary, options = {}) {
   }
   logApplicationSection(ctx.a, summary);
   if (summary.isExternal) displayExternalAppBlock(summary);
+  if (summary.isExternal) logCertificationSection(summary);
   logRolesSection(ctx.roles);
   logAuthSection(ctx.authentication);
   logConfigurationsSection(ctx.portalInputConfigurations);

package/lib/app/show.js

@@ -32,6 +32,11 @@ const { resolveDataplaneUrl } = require('../utils/dataplane-resolver');
 const { formatApiError } = require('../utils/api-error-handler');
 const { formatAuthenticationError } = require('../utils/error-formatters/http-status-errors');
 const { display: displayShow } = require('./show-display');
+const {
+  attachLocalCertification,
+  attachCertificationVerifyFromDataplane,
+  sanitizeCertificationForJson
+} = require('./certification-show-enrich');
 
 /** Truncate deployment key for display */
 const DEPLOYMENT_KEY_TRUNCATE_LEN = 12;
@@ -273,6 +278,69 @@ async function getShowAuthToken(controllerUrl, config) {
   throw new Error('Authentication required for --online. Run aifabrix login.');
 }
 
+/**
+ * Optional dataplane certificate verify rows on the show summary (external only).
+ * @param {Object} summary
+ * @param {string} appKey
+ * @param {boolean} verifyCert
+ * @param {{ token: string, controllerUrl: string }|null} [authBundleOptional]
+ */
+async function maybeAttachCertificationVerify(summary, appKey, verifyCert, authBundleOptional) {
+  if (!verifyCert || !summary.isExternal) return;
+  if (authBundleOptional && authBundleOptional.token && authBundleOptional.controllerUrl) {
+    await attachCertificationVerifyFromDataplane(summary, appKey, {
+      token: authBundleOptional.token,
+      controllerUrl: authBundleOptional.controllerUrl
+    });
+    return;
+  }
+  try {
+    const controllerUrl = await resolveControllerUrl();
+    if (!controllerUrl) {
+      summary.certificationVerifySkipped = true;
+      return;
+    }
+    const config = await getConfig();
+    const authResult = await getShowAuthToken(controllerUrl, config);
+    await attachCertificationVerifyFromDataplane(summary, appKey, {
+      token: authResult.token,
+      controllerUrl: authResult.actualControllerUrl
+    });
+  } catch {
+    summary.certificationVerifySkipped = true;
+  }
+}
+
+/**
+ * @param {Object} out - JSON payload (mutated)
+ * @param {Object} summary
+ */
+function appendCertificationJsonFields(out, summary) {
+  if (!summary.isExternal) return;
+  out.localCertification = sanitizeCertificationForJson(summary.localCertification);
+  if (summary.certificationVerifyRows) {
+    out.certificationVerify = summary.certificationVerifyRows;
+  }
+  if (summary.certificationVerifySkipped) {
+    out.certificationVerifySkipped = true;
+  }
+  if (summary.certificationVerifyError) {
+    out.certificationVerifyError = summary.certificationVerifyError;
+  }
+}
+
+/**
+ * @param {Object} summary
+ * @param {string} appKey
+ * @param {boolean} verifyCert
+ * @param {{ token: string, controllerUrl: string }|null} [authBundleOptional]
+ */
+async function enrichExternalShowSummary(summary, appKey, verifyCert, authBundleOptional) {
+  if (!summary.isExternal) return;
+  attachLocalCertification(summary, appKey);
+  await maybeAttachCertificationVerify(summary, appKey, verifyCert, authBundleOptional);
+}
+
 async function fetchOpenApiLists(dataplaneUrl, appKey, authConfig) {
   let openapiFiles = [];
   let openapiEndpoints = [];
@@ -440,7 +508,7 @@ function formatBuildForDisplay(build) {
   if (!build) return '—';
   const parts = [];
   if (build.language) parts.push(build.language);
-  const port = build.port ?? build.localPort;
+  const port = build.port;
   if (port !== undefined && port !== null) parts.push(`port ${port}`);
   if (build.dockerfile) parts.push('dockerfile');
   if (build.envOutputPath) parts.push(`envOutputPath: ${build.envOutputPath}`);
@@ -566,22 +634,25 @@ function buildOnlineSummary(apiApp, controllerUrl, externalSystem) {
  * @param {string} appKey - Application key
  * @param {boolean} json - Output as JSON
  * @param {boolean} [permissionsOnly] - When true, output only permissions
+ * @param {boolean} [verifyCert] - When true, attempt dataplane verify for external apps
  * @throws {Error} If application config not found or invalid
  */
-async function runOffline(appKey, json, permissionsOnly) {
-  let summary;
-
+async function loadOfflineShowSummary(appKey) {
   try {
     const { deployment, appPath } = await generator.buildDeploymentManifestInMemory(appKey);
     const sourcePath = path.relative(process.cwd(), appPath) || appPath;
-    summary = buildOfflineSummaryFromDeployJson(deployment, sourcePath);
+    return buildOfflineSummaryFromDeployJson(deployment, sourcePath);
   } catch (_err) {
     const { appPath } = await detectAppType(appKey);
     const configPath = resolveApplicationConfigPath(appPath);
     const variables = loadVariablesFromPath(appPath);
     const sourcePath = path.relative(process.cwd(), configPath) || configPath;
-    summary = buildOfflineSummary(variables, sourcePath);
+    return buildOfflineSummary(variables, sourcePath);
   }
+}
+
+async function runOffline(appKey, json, permissionsOnly, verifyCert = false) {
+  const summary = await loadOfflineShowSummary(appKey);
 
   if (json) {
     if (permissionsOnly) {
@@ -607,9 +678,14 @@ async function runOffline(appKey, json, permissionsOnly) {
         databases: summary.databases
       }
     };
+    if (summary.isExternal) {
+      await enrichExternalShowSummary(summary, appKey, verifyCert, null);
+      appendCertificationJsonFields(out, summary);
+    }
     logger.log(JSON.stringify(out, null, 2));
     return;
   }
+  await enrichExternalShowSummary(summary, appKey, verifyCert, null);
   displayShow(summary, { permissionsOnly: !!permissionsOnly });
 }
 
@@ -680,6 +756,7 @@ function outputOnlineJson(summary, permissionsOnly) {
       ? { error: summary.externalSystem.error }
       : summary.externalSystem;
   }
+  appendCertificationJsonFields(out, summary);
   logger.log(JSON.stringify(out, null, 2));
 }
 
@@ -688,9 +765,10 @@ function outputOnlineJson(summary, permissionsOnly) {
  * @param {string} appKey - Application key
  * @param {boolean} json - Output as JSON
  * @param {boolean} [permissionsOnly] - When true, output only permissions
+ * @param {boolean} [verifyCert] - When true, attempt dataplane verify for external apps
  * @throws {Error} On auth failure, 404, or API error
  */
-async function runOnline(appKey, json, permissionsOnly) {
+async function runOnline(appKey, json, permissionsOnly, verifyCert = false) {
   const controllerUrl = await resolveControllerUrl();
   if (!controllerUrl) {
     throw new Error('Controller URL is required for --online. Run aifabrix login to set the controller URL in config.yaml.');
@@ -705,6 +783,10 @@ async function runOnline(appKey, json, permissionsOnly) {
     ? await fetchExternalSystemForOnline(controllerUrl, appKey, authConfig)
     : null;
   const summary = buildOnlineSummary(apiApp, authResult.actualControllerUrl, externalSystem);
+  await enrichExternalShowSummary(summary, appKey, verifyCert, {
+    token: authConfig.token,
+    controllerUrl: authResult.actualControllerUrl
+  });
   if (json) {
     outputOnlineJson(summary, permissionsOnly);
     return;
@@ -720,6 +802,7 @@ async function runOnline(appKey, json, permissionsOnly) {
  * @param {boolean} [options.online] - Fetch from controller
  * @param {boolean} [options.json] - Output as JSON
  * @param {boolean} [options.permissions] - When true, output only permissions (app show --permissions)
+ * @param {boolean} [options.verifyCert] - When true, attach dataplane certificate verify rows (external)
  * @throws {Error} If file missing/invalid (offline) or API/auth error (online)
  */
 async function showApp(appKey, options = {}) {
@@ -730,11 +813,12 @@ async function showApp(appKey, options = {}) {
   const online = Boolean(options.online);
   const json = Boolean(options.json);
   const permissions = Boolean(options.permissions);
+  const verifyCert = Boolean(options.verifyCert);
 
   if (online) {
-    await runOnline(appKey, json, permissions);
+    await runOnline(appKey, json, permissions, verifyCert);
   } else {
-    await runOffline(appKey, json, permissions);
+    await runOffline(appKey, json, permissions, verifyCert);
   }
 }
 

package/lib/build/index.js

@@ -1,3 +1,4 @@
+const { formatSuccessLine, formatSuccessParagraph } = require('../utils/cli-test-layout-chalk');
 /**
  * AI Fabrix Builder Build Functions
  *
@@ -127,7 +128,9 @@ async function generateDockerfile(appNameOrPath, language, config, buildConfig =
 
   const template = dockerfileUtils.loadDockerfileTemplate(language);
   const isAppFlag = buildConfig.context === '../..';
-  const appSourcePath = isAppFlag ? `apps/${appName}/` : '.';
+  // Use "./" (not ".") so Dockerfile lines are "COPY ./requirements*.txt" — a bare "."
+  // concatenates with "requirements" and becomes ".requirements*.txt", which matches nothing.
+  const appSourcePath = isAppFlag ? `apps/${appName}/` : './';
 
   const templateVars = {
     port: config.port || 3000,
@@ -185,11 +188,11 @@ async function generateDockerfile(appNameOrPath, language, config, buildConfig =
 async function postBuildTasks(appName, buildConfig) {
   try {
     const envPath = await secrets.generateEnvFile(appName, buildConfig.secrets, 'docker');
-    logger.log(chalk.green(`✓ Generated .env file: ${envPath}`));
+    logger.log(formatSuccessLine(`Generated .env file: ${envPath}`));
     // Note: processEnvVariables is already called by generateEnvFile to generate local .env
     // at the envOutputPath, so we don't need to manually copy the docker .env file
   } catch (error) {
-    logger.log(chalk.yellow(`⚠️  Warning: Could not generate .env file: ${error.message}`));
+    logger.log(chalk.yellow(`⚠  Warning: Could not generate .env file: ${error.message}`));
   }
 }
 
@@ -229,7 +232,7 @@ async function copyApplicationSourceFiles(appName, devDir) {
   const appsPath = path.join(process.cwd(), 'apps', appName);
   if (fsSync.existsSync(appsPath)) {
     await buildCopy.copyAppSourceFiles(appsPath, devDir);
-    logger.log(chalk.green(`✓ Copied application source files from apps/${appName}`));
+    logger.log(formatSuccessLine(`Copied application source files from apps/${appName}`));
     return true;
   }
   return false;
@@ -253,12 +256,12 @@ async function copyTemplateFilesIfNeeded(devDir, language, buildConfig, options)
     const projectRoot = getProjectRoot();
     const templatePath = path.join(projectRoot, 'templates', 'typescript');
     await buildCopy.copyTemplateFilesToDevDir(templatePath, devDir, detectedLanguage);
-    logger.log(chalk.green(`✓ Generated application files from ${detectedLanguage} template`));
+    logger.log(formatSuccessLine(`Generated application files from ${detectedLanguage} template`));
   } else if (detectedLanguage === 'python' && !fsSync.existsSync(requirementsPath)) {
     const projectRoot = getProjectRoot();
     const templatePath = path.join(projectRoot, 'templates', 'python');
     await buildCopy.copyTemplateFilesToDevDir(templatePath, devDir, detectedLanguage);
-    logger.log(chalk.green(`✓ Generated application files from ${detectedLanguage} template`));
+    logger.log(formatSuccessLine(`Generated application files from ${detectedLanguage} template`));
   }
 }
 
@@ -268,7 +271,7 @@ async function prepareDevDirectory(appName, buildConfig, options) {
   const directoryName = idNum === 0 ? 'applications' : `dev-${developerId}`;
   logger.log(chalk.blue(`Copying files to developer-specific directory (${directoryName})...`));
   const devDir = await buildCopy.copyBuilderToDevDirectory(appName, developerId);
-  logger.log(chalk.green(`✓ Files copied to: ${devDir}`));
+  logger.log(formatSuccessLine(`Files copied to: ${devDir}`));
 
   const { config: appConfig, imageName } = await buildHelpers.loadAndValidateConfig(appName);
   const effectiveImageName = buildDevImageName(imageName, developerId);
@@ -294,7 +297,7 @@ function prepareBuildContext(buildConfig, devDir) {
   // Check if context is using old format (../appName) - these are incompatible with dev directory structure
   if (buildConfig.context && buildConfig.context.startsWith('../') && buildConfig.context !== '../..') {
     // Old format detected - always use devDir instead
-    logger.log(chalk.yellow(`⚠️  Warning: Build context uses old format: ${buildConfig.context}`));
+    logger.log(chalk.yellow(`⚠  Warning: Build context uses old format: ${buildConfig.context}`));
     logger.log(chalk.yellow(`   Using dev directory instead: ${devDir}`));
     contextPath = devDir;
   } else if (buildConfig.context && buildConfig.context !== '../..') {
@@ -353,7 +356,7 @@ async function handleDockerfileGeneration(appName, params, options, buildHelpers
     language = 'typescript';
   }
   if (!hasExistingDockerfile) {
-    logger.log(chalk.green(`✓ Detected language: ${language}`));
+    logger.log(formatSuccessLine(`Detected language: ${language}`));
   }
 
   // Determine Dockerfile (needs context path to generate in correct location)
@@ -425,7 +428,7 @@ async function buildApp(appName, options = {}) {
     // 7. Post-build tasks
     await postBuildTasks(appName, buildConfig);
 
-    logger.log(chalk.green('\n✅ Build completed successfully!'));
+    logger.log(formatSuccessParagraph('Build completed successfully!'));
     return `${imageName}:${tag}`;
 
   } catch (error) {

package/lib/certification/cli-cert-sync-skip.js

@@ -0,0 +1,21 @@
+/**
+ * @fileoverview Detect skip-cert-sync from Commander + legacy option shapes.
+ * Commander registers `--no-cert-sync` as `certSync` defaulting to true; `--no-cert-sync` sets `certSync: false`.
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+/**
+ * @param {Object|null|undefined} options
+ * @returns {boolean}
+ */
+function cliOptsSkipCertSync(options) {
+  if (!options || typeof options !== 'object') return false;
+  if (options.noCertSync === true) return true;
+  if (options.certSync === false) return true;
+  return false;
+}
+
+module.exports = { cliOptsSkipCertSync };

package/lib/certification/merge-certification-from-artifact.js

@@ -0,0 +1,185 @@
+/**
+ * @fileoverview Map dataplane certificate artifacts into **certification** (external-system.schema.json).
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+/**
+ * @param {unknown} id - certificateId field (string or FK-shaped object)
+ * @returns {string}
+ */
+function certificateIdToString(id) {
+  if (id === undefined || id === null) return '';
+  if (typeof id === 'string') return id.trim();
+  if (typeof id === 'object' && id !== null && typeof id.id === 'string') return String(id.id).trim();
+  return String(id).trim();
+}
+
+/**
+ * @param {string|undefined|null} s
+ * @returns {string}
+ */
+function trimOrEmpty(s) {
+  return s !== undefined && s !== null ? String(s).trim() : '';
+}
+
+/**
+ * Prefer an artifact that includes PEM/JWK **publicKey** material for verify-publish.
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse[]} artifacts
+ * @returns {import('../api/types/certificates.types').CertificateArtifactResponse|null}
+ */
+function pickArtifactForCertificationMerge(artifacts) {
+  const list = Array.isArray(artifacts) ? artifacts.filter((a) => a && typeof a === 'object') : [];
+  if (list.length === 0) return null;
+  const withKey = list.find((a) => a.publicKey && String(a.publicKey).trim());
+  return withKey || list[0];
+}
+
+/**
+ * @param {string} algorithmUpper
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @returns {string}
+ */
+function hs256DevPublicKeyPlaceholder(algorithmUpper, art) {
+  if (algorithmUpper !== 'HS256') return '';
+  const cid = certificateIdToString(art.certificateId);
+  return `HS256-DEV-NO-PEM:${cid || 'integration-certificate'}`;
+}
+
+/**
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @param {Object} ex
+ * @returns {string}
+ */
+function resolvePublicKey(art, ex) {
+  const fromArt = trimOrEmpty(art.publicKey);
+  if (fromArt) return fromArt;
+  const fromExisting = trimOrEmpty(ex.publicKey);
+  if (fromExisting) return fromExisting;
+  const algorithmUpper = trimOrEmpty(art.algorithm).toUpperCase();
+  return hs256DevPublicKeyPlaceholder(algorithmUpper, art);
+}
+
+/**
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @param {Object} ex
+ * @returns {string}
+ */
+function resolveIssuer(art, ex) {
+  return (
+    trimOrEmpty(art.licenseLevelIssuer) ||
+    trimOrEmpty(art.issuedBy) ||
+    trimOrEmpty(ex.issuer) ||
+    'dataplane'
+  );
+}
+
+/**
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @param {Object} ex
+ * @returns {string}
+ */
+function resolveVersion(art, ex) {
+  return (
+    trimOrEmpty(art.version) ||
+    trimOrEmpty(art.certificateVersion) ||
+    trimOrEmpty(ex.version) ||
+    certificateIdToString(art.certificateId)
+  );
+}
+
+const CERTIFICATION_LEVELS = new Set(['BRONZE', 'SILVER', 'GOLD', 'PLATINUM']);
+const CERTIFICATION_STATUSES = new Set(['passed', 'not_passed', 'pending']);
+
+/**
+ * @param {string} raw
+ * @returns {string}
+ */
+function normalizeCertificationLevel(raw) {
+  const s = trimOrEmpty(raw).toUpperCase();
+  return CERTIFICATION_LEVELS.has(s) ? s : '';
+}
+
+/**
+ * @param {string} raw
+ * @returns {string}
+ */
+function normalizeCertificationStatus(raw) {
+  const s = trimOrEmpty(raw).toLowerCase();
+  return CERTIFICATION_STATUSES.has(s) ? s : '';
+}
+
+/**
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @param {Object} ex
+ * @returns {string}
+ */
+function resolveLevel(art, ex) {
+  return (
+    normalizeCertificationLevel(ex.level) ||
+    normalizeCertificationLevel(art.certificationLevel) ||
+    ''
+  );
+}
+
+/**
+ * Prefer existing file status when valid; otherwise **passed** for an active dataplane artifact.
+ *
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @param {Object} ex
+ * @returns {string}
+ */
+function resolveStatus(_art, ex) {
+  const fromEx = normalizeCertificationStatus(ex.status);
+  if (fromEx) return fromEx;
+  return 'passed';
+}
+
+/**
+ * Build `certification` object matching **external-system.schema.json** (required: enabled, publicKey, algorithm, issuer, version; optional status, level).
+ * Fills gaps from `existingCertification` when the artifact omits publishable fields (common when dataplane redacts `publicKey`).
+ * For **HS256** dev certificates with no PEM, uses a non-secret placeholder `publicKey` so the system file stays schema-valid.
+ *
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse|null} artifact
+ * @param {Object|null|undefined} existingCertification - Current `system.certification`
+ * @returns {Object|null} Full certification object, or null if **publicKey** or **version** cannot be satisfied
+ */
+function buildCertificationFromArtifact(artifact, existingCertification) {
+  const ex = existingCertification && typeof existingCertification === 'object' ? existingCertification : {};
+  const art = artifact && typeof artifact === 'object' ? artifact : null;
+  if (!art) return null;
+
+  const publicKey = resolvePublicKey(art, ex);
+  if (!publicKey) return null;
+
+  const issuer = resolveIssuer(art, ex);
+  if (!issuer) return null;
+
+  const versionStr = resolveVersion(art, ex);
+  if (!versionStr) return null;
+
+  const algorithmUpper = trimOrEmpty(art.algorithm).toUpperCase();
+  const algorithm = algorithmUpper === 'HS256' ? 'HS256' : 'RS256';
+
+  const out = {
+    enabled: true,
+    publicKey,
+    algorithm,
+    issuer,
+    version: versionStr,
+    status: resolveStatus(art, ex)
+  };
+  const level = resolveLevel(art, ex);
+  if (level) {
+    out.level = level;
+  }
+  return out;
+}
+
+module.exports = {
+  buildCertificationFromArtifact,
+  pickArtifactForCertificationMerge,
+  certificateIdToString
+};

package/lib/certification/post-unified-cert-sync.js

@@ -0,0 +1,33 @@
+/**
+ * @fileoverview After successful unified datasource validation, optionally sync system certification.
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { trySyncCertificationFromDataplaneForExternalApp } = require('./sync-after-external-command');
+const { cliOptsSkipCertSync } = require('./cli-cert-sync-skip');
+
+/**
+ * @async
+ * @param {number} exitCode
+ * @param {string} datasourceKey
+ * @param {Object} options - CLI flags (app, noCertSync)
+ * @param {string} label - Log label
+ * @returns {Promise<void>}
+ */
+async function afterUnifiedValidationCertSync(exitCode, datasourceKey, options, label) {
+  if (exitCode !== 0 || cliOptsSkipCertSync(options)) return;
+  try {
+    const { resolveAppKeyForDatasource } = require('../datasource/resolve-app');
+    const { appKey } = await resolveAppKeyForDatasource(datasourceKey, options.app);
+    await trySyncCertificationFromDataplaneForExternalApp(appKey, label);
+  } catch (e) {
+    logger.log(chalk.yellow(`⚠ Certification sync (${label}) skipped: ${e.message}`));
+  }
+}
+
+module.exports = { afterUnifiedValidationCertSync };

package/lib/certification/sync-after-external-command.js

@@ -0,0 +1,52 @@
+/**
+ * @fileoverview Optional certification sync after external flows (validate, tests).
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+
+/**
+ * After a successful external integration flow, refresh `certification` on the primary system file from dataplane.
+ * Best-effort: skips non-external apps, missing Bearer token, or resolver errors (warn only).
+ *
+ * @async
+ * @param {string} appKey - Integration / system key
+ * @param {string} label - Short label for logs (e.g. "validate", "datasource test")
+ * @returns {Promise<void>}
+ */
+async function trySyncCertificationFromDataplaneForExternalApp(appKey, label) {
+  try {
+    const { detectAppType } = require('../utils/paths');
+    const t = await detectAppType(appKey).catch(() => null);
+    if (!t || !t.isExternal) return;
+
+    const { resolveDataplaneAndAuth, validateSystemKeyFormat } = require('../commands/upload');
+    const { generateControllerManifest } = require('../generator/external-controller-manifest');
+    const { maybeSyncSystemCertificationFromDataplane } = require('./sync-system-certification');
+
+    validateSystemKeyFormat(appKey);
+    const { dataplaneUrl, authConfig } = await resolveDataplaneAndAuth(appKey);
+    if (!authConfig.token) {
+      logger.log(chalk.gray(`Certification sync (${label}) skipped: no Bearer token (run aifabrix login).`));
+      return;
+    }
+    const manifest = await generateControllerManifest(appKey, { type: 'external' });
+    const dsKeys = (manifest.dataSources || []).map((ds) => ds && ds.key).filter(Boolean);
+    await maybeSyncSystemCertificationFromDataplane({
+      label,
+      noCertSync: false,
+      systemKey: manifest.key,
+      dataplaneUrl,
+      authConfig,
+      datasourceKeys: dsKeys
+    });
+  } catch (e) {
+    logger.log(chalk.yellow(`⚠ Certification sync (${label}) skipped: ${e.message}`));
+  }
+}
+
+module.exports = { trySyncCertificationFromDataplaneForExternalApp };