@aifabrix/builder 2.43.0 → 2.44.1

package/lib/core/secrets.js

@@ -24,10 +24,14 @@ const {
   rewriteInfraEndpoints,
   readYamlAtPath,
   applyCanonicalSecretsOverride,
-  ensureNonEmptySecrets,
   validateSecrets
 } = require('../utils/secrets-helpers');
 const { buildEnvVarMap } = require('../utils/env-map');
+const {
+  mergeInfraParameterDefaultsForCli,
+  getInfraParameterCatalog,
+  readRelaxedCatalogDefaults
+} = require('../parameters/infra-parameter-catalog');
 const { resolveServicePortsInEnvContent } = require('../utils/secrets-url');
 const {
   updatePortForDocker,
@@ -35,7 +39,7 @@ const {
   applyDockerEnvOverride,
   getContainerPortFromDockerEnv
 } = require('./secrets-docker-env');
-const { getContainerPortFromPath } = require('../utils/port-resolver');
+const { getContainerPortFromPath, loadVariablesFromPath } = require('../utils/port-resolver');
 const {
   generateMissingSecrets,
   createDefaultSecrets
@@ -48,11 +52,21 @@ const {
 const {
   loadUserSecrets,
   loadPrimaryUserSecrets,
-  loadDefaultSecrets
+  loadDefaultSecrets,
+  ensurePrimaryUserSecretsFileExists
 } = require('../utils/secrets-utils');
 const { decryptSecret, isEncrypted } = require('../utils/secrets-encryption');
 const pathsUtil = require('../utils/paths');
 const { ensureSecureFilePermissions } = require('../utils/secure-file-permissions');
+const { readAppEnvironmentScopedFlagForAppPath } = require('../utils/app-scoped-config');
+const { computeEffectiveEnvironmentScopedResources, redisDbIndexForScopedRunEnv } = require('../utils/environment-scoped-resources');
+const { applyRedisDbIndexToEnvContent } = require('../utils/redis-env-scope');
+const { expandDeclarativeUrlsInEnvContent } = require('../utils/url-declarative-resolve');
+const { rewriteInactiveDeclarativeVdirPublicContent } = require('../utils/url-declarative-vdir-inactive-env');
+const {
+  mergeDockerManifestPublishedPort,
+  rewriteDockerManifestPublicPortEnvLine
+} = require('../utils/docker-manifest-public-port');
 
 /**
  * Generates a canonical secret name from an environment variable key.
@@ -128,8 +142,8 @@ async function decryptSecretsObject(secrets) {
  * @function loadSecrets
  * @param {string} [secretsPath] - Path to secrets file (optional, for explicit override)
  * @param {string} [appName] - Application name (optional, for backward compatibility)
- * @returns {Promise<Object>} Loaded secrets object with decrypted values
- * @throws {Error} If no secrets file found and no fallback available
+ * @returns {Promise<Object>} Loaded secrets object with decrypted values (may be empty after bootstrap file create)
+ * @throws {Error} If explicit secretsPath is set but file is missing or invalid
  *
  * @example
  * const secrets = await loadSecrets('../../secrets.local.yaml');
@@ -172,16 +186,17 @@ function mergeUserWithConfigFile(userSecrets, resolvedConfigPath) {
 
 /**
  * Loads config secrets path, merges with user secrets (user/master wins, public fills missing).
- * User/master = primary home (AIFABRIX_HOME or ~/.aifabrix) secrets.local.yaml.
+ * User/master = getPrimaryUserSecretsLocalPath() (config dir; same file as loadPrimaryUserSecrets).
  * Public = aifabrix-secrets path from config. Used by loadSecrets cascade.
- * When aifabrix-secrets is an http(s) URL, fetches shared secrets from API (never persisted to disk).
+ * When the effective shared-secrets target (after remote-dev resolution) is an http(s) URL,
+ * fetches shared secrets from API (never persisted to disk).
  *
  * @async
  * @returns {Promise<Object|null>} Merged secrets object or null
  */
 async function loadMergedConfigAndUserSecrets() {
   const { loadRemoteSharedSecrets, mergeUserWithRemoteSecrets } = require('../utils/remote-secrets-loader');
-  const { isRemoteSecretsUrl } = require('../utils/remote-dev-auth');
+  const remoteDevAuth = require('../utils/remote-dev-auth');
   const userSecrets = loadPrimaryUserSecrets();
   const hasKeys = (obj) => obj && Object.keys(obj).length > 0;
   const userOrNull = () => (hasKeys(userSecrets) ? userSecrets : null);
@@ -190,7 +205,8 @@ async function loadMergedConfigAndUserSecrets() {
     if (!configSecretsPath) {
       return userOrNull();
     }
-    if (isRemoteSecretsUrl(configSecretsPath)) {
+    const effectiveShared = await remoteDevAuth.resolveSharedSecretsEndpoint(configSecretsPath);
+    if (remoteDevAuth.isRemoteSecretsUrl(effectiveShared)) {
       const remoteSecrets = await loadRemoteSharedSecrets();
       const merged = mergeUserWithRemoteSecrets(userSecrets, remoteSecrets);
       return hasKeys(merged) ? merged : userOrNull();
@@ -254,9 +270,12 @@ async function loadSecrets(secretsPath, _appName) {
     }
     return await decryptSecretsObject(explicitSecrets);
   }
-  const mergedSecrets = await loadSecretsWithFallbacks();
-  ensureNonEmptySecrets(mergedSecrets);
-  return await decryptSecretsObject(mergedSecrets);
+  let mergedSecrets = await loadSecretsWithFallbacks();
+  if (!mergedSecrets || Object.keys(mergedSecrets).length === 0) {
+    ensurePrimaryUserSecretsFileExists();
+    mergedSecrets = await loadSecretsWithFallbacks();
+  }
+  return await decryptSecretsObject(mergedSecrets || {});
 }
 
 /**
@@ -279,7 +298,7 @@ async function loadSecrets(secretsPath, _appName) {
  * const resolved = await resolveKvReferences(template, secrets, 'local');
  * // Returns: 'DATABASE_URL=postgresql://user:pass@localhost:5432/db'
  */
-async function resolveKvReferences(envTemplate, secrets, environment = 'local', secretsFilePaths = null, appName = null) {
+async function resolveKvReferences(envTemplate, secrets, environment = 'local', secretsFilePaths = null, appName = null, scopedKv = null) {
   const os = require('os');
 
   // Get developer-id for port variables (local and docker: *_PUBLIC_PORT = base + devId*100)
@@ -290,25 +309,56 @@ async function resolveKvReferences(envTemplate, secrets, environment = 'local',
     // ignore, buildEnvVarMap will use default
   }
 
-  let envVars = await buildEnvVarMap(environment, os, developerId);
+  const envKey = String(environment || 'local').toLowerCase();
+  const mapContext = envKey === 'docker' || envKey === 'local' ? envKey : 'local';
+
+  let envVars = await buildEnvVarMap(mapContext, os, developerId);
   if (!envVars || Object.keys(envVars).length === 0) {
     // Fallback to local environment variables if requested environment does not exist
     envVars = await buildEnvVarMap('local', os, developerId);
   }
   const resolved = interpolateEnvVars(envTemplate, envVars);
-  const missing = collectMissingSecrets(resolved, secrets);
+  const missing = collectMissingSecrets(resolved, secrets, scopedKv);
   if (missing.length > 0) {
     const fileInfo = formatMissingSecretsFileInfo(secretsFilePaths);
     const resolveCommand = appName ? `aifabrix resolve ${appName}` : 'aifabrix resolve <app-name>';
     throw new Error(`Missing secrets: ${missing.join(', ')}${fileInfo}\n\nRun "${resolveCommand}" to generate missing secrets.`);
   }
-  return replaceKvInContent(resolved, secrets, envVars);
+  return replaceKvInContent(resolved, secrets, envVars, scopedKv);
 }
 
-/** Docker env transformations: ports, infra endpoints, PORT. */
-async function applyDockerTransformations(resolved, variablesPath) {
-  resolved = await resolveServicePortsInEnvContent(resolved, 'docker');
-  resolved = await rewriteInfraEndpoints(resolved, 'docker');
+/**
+ * Resolve run env key and effective env-scoped kv/redis behavior for generateEnvContent.
+ *
+ * @async
+ * @param {string} appPath - Builder application directory
+ * @param {Object} [options] - generateEnvContent options; may set runEnvKey
+ * @returns {Promise<{ runEnvKey: string, effective: boolean }>}
+ */
+async function buildScopedKvContext(appPath, options = {}) {
+  let runEnvKey;
+  if (options.runEnvKey !== undefined && options.runEnvKey !== null) {
+    runEnvKey = String(options.runEnvKey).toLowerCase();
+  } else if (typeof config.getCurrentEnvironment === 'function') {
+    runEnvKey = String((await config.getCurrentEnvironment()) || 'dev').toLowerCase();
+  } else {
+    runEnvKey = 'dev';
+  }
+  const userCfg =
+    typeof config.getConfig === 'function'
+      ? await config.getConfig()
+      : { useEnvironmentScopedResources: false };
+  const useGate = Boolean(userCfg.useEnvironmentScopedResources);
+  const appFlag = readAppEnvironmentScopedFlagForAppPath(appPath);
+  const effective = computeEffectiveEnvironmentScopedResources(useGate, appFlag, runEnvKey);
+  return { runEnvKey, effective };
+}
+
+/**
+ * Redis/DB service endpoints for docker env interpolation.
+ * @returns {Promise<{ redisHost: string, redisPort: number, dbHost: string, dbPort: number }>}
+ */
+async function getDockerRedisDbEndpoints() {
   const { getEnvHosts, getServiceHost, getServicePort, getLocalhostOverride } = require('../utils/env-endpoints');
   const hosts = await getEnvHosts('docker');
   const localhostOverride = getLocalhostOverride('docker');
@@ -316,16 +366,97 @@ async function applyDockerTransformations(resolved, variablesPath) {
   const redisPort = await getServicePort('REDIS_PORT', 'redis', hosts, 'docker', null);
   const dbHost = getServiceHost(hosts.DB_HOST, 'docker', 'postgres', localhostOverride);
   const dbPort = await getServicePort('DB_PORT', 'postgres', hosts, 'docker', null);
+  return { redisHost, redisPort, dbHost, dbPort };
+}
+
+/**
+ * Config inputs for declarative url:// expansion (keeps expandDeclarativeUrlsIfPresent small).
+ * @param {string} appPath
+ * @returns {Promise<Object>}
+ */
+async function loadDeclarativeUrlExpandInputs(appPath) {
+  const userCfg = await config.getConfig();
+  let remoteServer = null;
+  try {
+    const rs = await config.getRemoteServer();
+    if (rs && String(rs).trim()) {
+      remoteServer = String(rs).trim();
+    }
+  } catch {
+    remoteServer = null;
+  }
+  let developerIdRaw = null;
+  try {
+    developerIdRaw = await config.getDeveloperId();
+  } catch {
+    developerIdRaw = null;
+  }
+  let infraTlsEnabled = false;
+  try {
+    infraTlsEnabled = await config.getTlsEnabled();
+  } catch {
+    infraTlsEnabled = false;
+  }
+  return {
+    userCfg,
+    remoteServer,
+    developerIdRaw,
+    infraTlsEnabled,
+    appScopedFlag: readAppEnvironmentScopedFlagForAppPath(appPath)
+  };
+}
+
+/**
+ * After kv:// resolution, expand url:// references when application config exists.
+ * @param {string} resolved
+ * @param {string} appName
+ * @param {string} appPath
+ * @param {string|null} variablesPath
+ * @param {string} environment
+ * @param {boolean} envOnly
+ * @returns {Promise<string>}
+ */
+async function expandDeclarativeUrlsIfPresent(resolved, appName, appPath, variablesPath, environment, envOnly) {
+  if (envOnly || !variablesPath) {
+    return resolved;
+  }
+  const { userCfg, remoteServer, developerIdRaw, infraTlsEnabled, appScopedFlag } =
+    await loadDeclarativeUrlExpandInputs(appPath);
+  resolved = rewriteInactiveDeclarativeVdirPublicContent(resolved, variablesPath, userCfg);
+  if (!resolved.includes('url://')) {
+    return resolved;
+  }
+  return expandDeclarativeUrlsInEnvContent(resolved, {
+    profile: environment === 'docker' ? 'docker' : 'local',
+    currentAppKey: appName,
+    variablesPath,
+    useEnvironmentScopedResources: Boolean(userCfg.useEnvironmentScopedResources),
+    appEnvironmentScopedResources: appScopedFlag,
+    remoteServer,
+    developerIdRaw,
+    traefik: Boolean(userCfg.traefik),
+    infraTlsEnabled
+  });
+}
+
+/** Docker env transformations: ports, infra endpoints, PORT. */
+async function applyDockerTransformations(resolved, variablesPath) {
+  resolved = await resolveServicePortsInEnvContent(resolved, 'docker');
+  resolved = await rewriteInfraEndpoints(resolved, 'docker');
+  const { redisHost, redisPort, dbHost, dbPort } = await getDockerRedisDbEndpoints();
   let dockerEnv = await getBaseDockerEnv();
   dockerEnv = applyDockerEnvOverride(dockerEnv);
   const containerPort = getContainerPortFromPath(variablesPath) ?? getContainerPortFromDockerEnv(dockerEnv) ?? 3000;
   const envVars = await buildEnvVarMap('docker', null, null, { appPort: containerPort });
+  const appDoc = loadVariablesFromPath(variablesPath);
+  await mergeDockerManifestPublishedPort(envVars, appDoc);
   envVars.REDIS_HOST = redisHost;
   envVars.REDIS_PORT = String(redisPort);
   envVars.DB_HOST = dbHost;
   envVars.DB_PORT = String(dbPort);
   envVars.PORT = String(containerPort);
   resolved = interpolateEnvVars(resolved, envVars);
+  resolved = rewriteDockerManifestPublicPortEnvLine(resolved, envVars, appDoc);
   return updatePortForDocker(resolved, variablesPath);
 }
 /** Environment-specific transformations to resolved content. */
@@ -357,8 +488,22 @@ async function generateEnvContent(appName, secretsPath, environment = 'local', f
     await secretsEnsure.ensureSecretsFromEnvTemplate(templatePath, { preferredFilePath: preferredPath });
   }
   const secrets = await loadSecrets(secretsPath, appName);
-  let resolved = await resolveKvReferences(template, secrets, environment, secretsPaths, appName);
+  const { runEnvKey, effective } = await buildScopedKvContext(appPath, options);
+  const scopedKv = { envKey: runEnvKey, effective };
+  let resolved = await resolveKvReferences(template, secrets, environment, secretsPaths, appName, scopedKv);
+  resolved = await expandDeclarativeUrlsIfPresent(
+    resolved,
+    appName,
+    appPath,
+    variablesPath,
+    environment,
+    Boolean(options.envOnly)
+  );
   resolved = await applyEnvironmentTransformations(resolved, environment, variablesPath);
+  if (effective) {
+    const idx = redisDbIndexForScopedRunEnv(runEnvKey);
+    resolved = applyRedisDbIndexToEnvContent(resolved, idx);
+  }
 
   return resolved;
 }
@@ -538,39 +683,57 @@ async function formatAdminSecretsContent(adminObj) {
   return lines.join('\n');
 }
 
-/** Generates admin secrets for infrastructure (~/.aifabrix/admin-secrets.env). Uses admin123 when no postgres password. */
-async function generateAdminSecretsEnv(secretsPath) {
-  let secrets;
-
+async function loadSecretsOrBootstrapForAdmin(secretsPath) {
   try {
-    secrets = await loadSecrets(secretsPath);
+    return await loadSecrets(secretsPath);
   } catch (error) {
     const defaultSecretsPath = secretsPath || path.join(pathsUtil.getAifabrixHome(), 'secrets.yaml');
     if (!fs.existsSync(defaultSecretsPath)) {
       logger.log('Creating default secrets file...');
       await createDefaultSecrets(defaultSecretsPath);
-      secrets = await loadSecrets(secretsPath);
-    } else {
-      throw error;
+      return await loadSecrets(secretsPath);
     }
+    throw error;
   }
-  const aifabrixDir = pathsUtil.getAifabrixHome();
-  const adminEnvPath = path.join(aifabrixDir, 'admin-secrets.env');
-  if (!fs.existsSync(aifabrixDir)) {
-    fs.mkdirSync(aifabrixDir, { recursive: true, mode: 0o700 });
+}
+
+function getInfraDefaultsMergedForAdmin() {
+  try {
+    return mergeInfraParameterDefaultsForCli(getInfraParameterCatalog().data, {});
+  } catch {
+    return {};
   }
+}
 
+function buildLocalAdminSecretsObject(secrets, infraDefaults) {
   const raw = secrets['postgres-passwordKeyVault'];
-  const postgresPassword = (raw && String(raw).trim()) || 'admin123';
-
-  const adminObj = {
+  const relaxed = readRelaxedCatalogDefaults();
+  const postgresPassword =
+    (raw && String(raw).trim()) ||
+    infraDefaults.adminPassword ||
+    relaxed.adminPassword ||
+    '';
+  const pgAdminEmail = infraDefaults.adminEmail || relaxed.adminEmail || '';
+  return {
     POSTGRES_PASSWORD: postgresPassword,
-    PGADMIN_DEFAULT_EMAIL: 'admin@aifabrix.dev',
+    PGADMIN_DEFAULT_EMAIL: pgAdminEmail,
     PGADMIN_DEFAULT_PASSWORD: postgresPassword,
     REDIS_HOST: 'local:redis:6379:0:',
     REDIS_COMMANDER_USER: 'admin',
     REDIS_COMMANDER_PASSWORD: postgresPassword
   };
+}
+
+/** Generates admin secrets for infrastructure (beside config.yaml, typically ~/.aifabrix/admin-secrets.env). Defaults from infra.parameter.yaml `defaults`. */
+async function generateAdminSecretsEnv(secretsPath) {
+  const secrets = await loadSecretsOrBootstrapForAdmin(secretsPath);
+  const infraDefaults = getInfraDefaultsMergedForAdmin();
+  const adminObj = buildLocalAdminSecretsObject(secrets, infraDefaults);
+  const aifabrixDir = pathsUtil.getAifabrixSystemDir();
+  const adminEnvPath = path.join(aifabrixDir, 'admin-secrets.env');
+  if (!fs.existsSync(aifabrixDir)) {
+    fs.mkdirSync(aifabrixDir, { recursive: true, mode: 0o700 });
+  }
   const adminSecrets = await formatAdminSecretsContent(adminObj);
   fs.writeFileSync(adminEnvPath, adminSecrets, { mode: 0o600 });
   return adminEnvPath;

package/lib/core/templates-env.js

@@ -106,9 +106,10 @@ function buildMonitoringEnv(config) {
   return {
     'MISO_CONTROLLER_URL': config.controllerUrl || 'https://controller.aifabrix.dev',
     'MISO_ENVIRONMENT': 'dev',
-    'MISO_CLIENTID': 'kv://miso-controller-client-idKeyVault',
-    'MISO_CLIENTSECRET': 'kv://miso-controller-client-secretKeyVault',
-    'MISO_WEB_SERVER_URL': 'kv://miso-controller-web-server-url'
+    // Filled after `aifabrix register <app>`; empty avoids bogus kv placeholders in new apps
+    'MISO_CLIENTID': '',
+    'MISO_CLIENTSECRET': '',
+    'MISO_WEB_SERVER_URL': 'url://miso-controller-public'
   };
 }
 

package/lib/datasource/abac-validator.js

@@ -99,7 +99,7 @@ function validateCrossSystemJson(crossSystemJson) {
 
 /**
  * Validates ABAC configuration for a parsed datasource.
- * Checks dimensions (from config.abac or fieldMappings), crossSystemJson, and rejects legacy crossSystem.
+ * Checks dimensions from config.abac, crossSystemJson, and rejects legacy crossSystem.
  *
  * @function validateAbac
  * @param {Object} parsed - Parsed datasource object (after JSON parse)
@@ -134,15 +134,6 @@ function validateAbac(parsed) {
     ));
   }
 
-  const fieldMappingsDimensions = parsed?.fieldMappings?.dimensions;
-  if (fieldMappingsDimensions && typeof fieldMappingsDimensions === 'object') {
-    errors.push(...validateDimensionsObject(
-      fieldMappingsDimensions,
-      'fieldMappings.dimensions',
-      attributeNames
-    ));
-  }
-
   if (abac.crossSystemJson) {
     errors.push(...validateCrossSystemJson(abac.crossSystemJson));
   }

package/lib/datasource/deploy.js

@@ -17,6 +17,16 @@ const { publishDatasourceViaPipeline } = require('../api/pipeline.api');
 const { formatApiError } = require('../utils/api-error-handler');
 const logger = require('../utils/logger');
 const { logDataplanePipelineWarning } = require('../utils/dataplane-pipeline-warning');
+const {
+  sectionTitle,
+  headerKeyValue,
+  metadata,
+  infoLine,
+  formatStatusKeyValue,
+  formatBlockingError,
+  successGlyph,
+  failureGlyph
+} = require('../utils/cli-test-layout-chalk');
 const {
   buildResolvedEnvMapForIntegration,
   resolveConfigurationValues
@@ -64,41 +74,41 @@ async function getDataplaneUrl(controllerUrl, appKey, environment, authConfig) {
 }
 
 /**
- * Validate deployment inputs
- * @param {string} appKey - Application key
- * @param {string} filePath - File path
- * @param {Object} options - Options
+ * Validate deploy CLI input (file path or datasource key, same rules as `datasource validate`).
+ * @param {string} fileOrKey - Path to JSON or datasource `key` under integration/<app>/
  * @throws {Error} If validation fails
  */
-function validateDeploymentInputs(appKey, filePath) {
-  if (!appKey || typeof appKey !== 'string') {
-    throw new Error('Application key is required');
-  }
-  if (!filePath || typeof filePath !== 'string') {
-    throw new Error('File path is required');
+function validateDeployFileOrKeyInput(fileOrKey) {
+  if (!fileOrKey || typeof fileOrKey !== 'string' || !fileOrKey.trim()) {
+    throw new Error('File path or datasource key is required');
   }
 }
 
 /**
- * Validate and load datasource file
+ * Validate and load datasource file (path or datasource key, resolved like `datasource validate`).
  * @async
- * @param {string} filePath - Path to datasource file
+ * @param {string} filePathOrKey - Path to datasource JSON or datasource `key`
  * @returns {Promise<Object>} Datasource configuration
  * @throws {Error} If validation or loading fails
  */
-async function validateAndLoadDatasourceFile(filePath) {
-  logger.log(chalk.blue('🔍 Validating datasource file...'));
-  const validation = await validateDatasourceFile(filePath);
+async function validateAndLoadDatasourceFile(filePathOrKey) {
+  logger.log(infoLine('ℹ Validating datasource file'));
+  const validation = await validateDatasourceFile(filePathOrKey);
   if (!validation.valid) {
-    logger.error(chalk.red('❌ Datasource validation failed:'));
+    logger.log('');
+    logger.error(formatBlockingError('Datasource validation failed'));
     validation.errors.forEach(error => {
-      logger.error(chalk.red(`  • ${error}`));
+      logger.error(formatBlockingError(error));
     });
     throw new Error('Datasource file validation failed');
   }
-  logger.log(chalk.green('✓ Datasource file is valid'));
 
-  const content = fs.readFileSync(filePath, 'utf8');
+  const resolvedPath = validation.resolvedPath;
+  logger.log(headerKeyValue('File:', resolvedPath));
+  logger.log(`${successGlyph()} ${chalk.white('Datasource file is valid.')}`);
+  logger.log('');
+
+  const content = fs.readFileSync(resolvedPath, 'utf8');
   try {
     return JSON.parse(content);
   } catch (error) {
@@ -116,28 +126,28 @@ async function validateAndLoadDatasourceFile(filePath) {
  */
 async function setupDeploymentAuth(controllerUrl, environment, appKey) {
   const { resolveDataplaneUrl } = require('../utils/dataplane-resolver');
-  logger.log(chalk.blue('🔐 Getting authentication...'));
+  logger.log(infoLine('ℹ Resolving authentication'));
   const authConfig = await getDeploymentAuth(controllerUrl, environment, appKey);
-  logger.log(chalk.green('✓ Authentication successful'));
+  logger.log(`${successGlyph()} ${chalk.white('Authentication ready')}`);
 
-  logger.log(chalk.blue('🌐 Resolving dataplane URL...'));
+  logger.log(infoLine('ℹ Resolving dataplane URL'));
   let dataplaneUrl;
   try {
     dataplaneUrl = await resolveDataplaneUrl(controllerUrl, environment, authConfig);
-    logger.log(chalk.green(`✓ Dataplane URL: ${dataplaneUrl}`));
+    logger.log(`${metadata('Dataplane:')} ${chalk.cyan(dataplaneUrl)}`);
   } catch (error) {
-    logger.error(chalk.red('❌ Failed to resolve dataplane URL:'), error.message);
-    logger.error(chalk.gray('\nThe dataplane URL is automatically discovered from the controller.'));
-    logger.error(chalk.gray('If discovery fails, ensure you are logged in and the controller is accessible:'));
-    logger.error(chalk.gray('   aifabrix login'));
+    logger.error(`${failureGlyph()} ${chalk.red('Failed to resolve dataplane URL:')} ${chalk.red(error.message)}`);
+    logger.error(metadata('The dataplane URL is automatically discovered from the controller.'));
+    logger.error(metadata('If discovery fails, ensure you are logged in and the controller is accessible:'));
+    logger.error(metadata('aifabrix login'));
     throw error;
   }
 
   // Validate dataplane URL
   if (!dataplaneUrl || !dataplaneUrl.trim()) {
-    logger.error(chalk.red('❌ Dataplane URL is empty.'));
-    logger.error(chalk.gray('The dataplane URL could not be discovered from the controller.'));
-    logger.error(chalk.gray('Ensure the dataplane service is registered in the controller.'));
+    logger.error(`${failureGlyph()} ${chalk.red('Dataplane URL is empty.')}`);
+    logger.error(metadata('The dataplane URL could not be discovered from the controller.'));
+    logger.error(metadata('Ensure the dataplane service is registered in the controller.'));
     throw new Error('Dataplane URL is empty');
   }
 
@@ -156,30 +166,32 @@ async function setupDeploymentAuth(controllerUrl, environment, appKey) {
  */
 async function publishDatasourceToDataplane(dataplaneUrl, systemKey, authConfig, datasourceConfig) {
   requireBearerForDataplanePipeline(authConfig);
-  logger.log(chalk.blue('\n🚀 Publishing datasource to dataplane...'));
+  logger.log('');
+  logger.log(sectionTitle('Publish'));
   logDataplanePipelineWarning();
 
   const publishResponse = await publishDatasourceViaPipeline(dataplaneUrl, systemKey, authConfig, datasourceConfig);
 
   if (!publishResponse.success) {
     const formattedError = publishResponse.formattedError || formatApiError(publishResponse);
-    logger.error(chalk.red('❌ Publish failed:'));
-    logger.error(formattedError);
+    logger.error(`${failureGlyph()} ${chalk.red('Publish failed:')} ${chalk.red(formattedError)}`);
 
     // Show dataplane URL and endpoint information
     if (publishResponse.errorData && publishResponse.errorData.endpointUrl) {
-      logger.error(chalk.gray(`\nEndpoint URL: ${publishResponse.errorData.endpointUrl}`));
+      logger.error(
+        `\n${metadata('Endpoint URL:')} ${chalk.cyan(publishResponse.errorData.endpointUrl)}`
+      );
     } else if (dataplaneUrl) {
-      logger.error(chalk.gray(`\nDataplane URL: ${dataplaneUrl}`));
-      logger.error(chalk.gray(`System Key: ${systemKey}`));
+      logger.error(`\n${metadata('Dataplane URL:')} ${chalk.cyan(dataplaneUrl)}`);
+      logger.error(headerKeyValue('System Key:', systemKey));
     }
 
-    logger.error(chalk.gray('\nFull response for debugging:'));
-    logger.error(chalk.gray(JSON.stringify(publishResponse, null, 2)));
+    logger.error(metadata('\nFull response for debugging:'));
+    logger.error(metadata(JSON.stringify(publishResponse, null, 2)));
     throw new Error(`Dataplane publish failed: ${formattedError}`);
   }
 
-  logger.log(chalk.green('\n✓ Datasource published successfully!'));
+  logger.log(`${successGlyph()} ${chalk.white('Configuration published to dataplane.')}`);
   return publishResponse;
 }
 
@@ -190,9 +202,21 @@ async function publishDatasourceToDataplane(dataplaneUrl, systemKey, authConfig,
  * @param {string} environment - Environment key
  */
 function displayDeploymentResults(datasourceConfig, systemKey, environment) {
-  logger.log(chalk.blue(`\nDatasource: ${datasourceConfig.key || datasourceConfig.displayName}`));
-  logger.log(chalk.blue(`System: ${systemKey}`));
-  logger.log(chalk.blue(`Environment: ${environment}`));
+  const datasourceLabel = datasourceConfig.key || datasourceConfig.displayName || '(unknown)';
+  logger.log('');
+  logger.log(sectionTitle('Result'));
+  logger.log(headerKeyValue('Datasource:', datasourceLabel));
+  logger.log(headerKeyValue('System:', systemKey));
+  logger.log(headerKeyValue('Environment:', environment));
+  logger.log('');
+  logger.log(formatStatusKeyValue('ok', '✔'));
+}
+
+function logDatasourceUploadSectionHeader() {
+  logger.log('');
+  logger.log(sectionTitle('Datasource upload'));
+  logger.log(metadata('Publish one datasource JSON to the dataplane'));
+  logger.log('');
 }
 
 /**
@@ -201,18 +225,17 @@ function displayDeploymentResults(datasourceConfig, systemKey, environment) {
  *
  * @async
  * @function deployDatasource
- * @param {string} appKey - Application key
- * @param {string} filePath - Path to datasource JSON file
+ * @param {string} fileOrKey - Path to datasource JSON file, or datasource `key` under integration/<app>/ (same resolution as `datasource validate`)
  * @param {Object} [_options] - Deployment options (reserved)
  * @returns {Promise<Object>} Deployment result
  * @throws {Error} If deployment fails
  */
-async function deployDatasource(appKey, filePath, _options) {
+async function deployDatasource(fileOrKey, _options) {
   const { resolveControllerUrl } = require('../utils/controller-url');
   const { resolveEnvironment } = require('../core/config');
   const { displayCommandHeader } = require('../utils/command-header');
 
-  validateDeploymentInputs(appKey, filePath);
+  validateDeployFileOrKeyInput(fileOrKey);
 
   // Resolve controller and environment from config
   const controllerUrl = await resolveControllerUrl();
@@ -220,13 +243,12 @@ async function deployDatasource(appKey, filePath, _options) {
 
   // Display command header
   displayCommandHeader(controllerUrl, environment);
+  logDatasourceUploadSectionHeader();
 
-  logger.log(chalk.blue('📋 Deploying datasource...\n'));
-
-  // Validate and load datasource file
-  const datasourceConfig = await validateAndLoadDatasourceFile(filePath);
+  // Validate and load datasource file (resolves key → path like validate)
+  const datasourceConfig = await validateAndLoadDatasourceFile(fileOrKey.trim());
 
-  // Extract systemKey
+  // Extract systemKey (required in JSON; also used as controller app key for external systems)
   const systemKey = datasourceConfig.systemKey;
   if (!systemKey) {
     throw new Error('systemKey is required in datasource configuration');
@@ -237,8 +259,8 @@ async function deployDatasource(appKey, filePath, _options) {
     resolveConfigurationValues(datasourceConfig.configuration, envMap, secrets, systemKey);
   }
 
-  // Setup authentication and get dataplane URL
-  const { authConfig, dataplaneUrl } = await setupDeploymentAuth(controllerUrl, environment, appKey);
+  // Setup authentication and get dataplane URL (application key matches systemKey for external integrations)
+  const { authConfig, dataplaneUrl } = await setupDeploymentAuth(controllerUrl, environment, systemKey);
 
   // Publish to dataplane
   await publishDatasourceToDataplane(dataplaneUrl, systemKey, authConfig, datasourceConfig);