@aifabrix/builder 2.43.0 → 2.44.1

package/scripts/install-local.js

@@ -10,38 +10,159 @@
  * @version 2.0.0
  */
 
-const { execSync } = require('child_process');
+const { execSync, execFileSync } = require('child_process');
 const fs = require('fs');
+const os = require('os');
 const path = require('path');
 
+const { runPnpmGlobalRemove } = require('./pnpm-global-remove');
+
+const PACKAGE_NAME = '@aifabrix/builder';
+/** Primary CLI name used for “current version” before link */
+const PRIMARY_BIN = 'aifabrix';
+
+/**
+ * Default PNPM_HOME when not set in the environment (matches `pnpm setup` on Linux/macOS; Windows uses LOCALAPPDATA).
+ * @returns {string} Resolved PNPM global bin home directory
+ */
+function defaultPnpmHome() {
+  if (process.env.PNPM_HOME) {
+    return process.env.PNPM_HOME;
+  }
+  if (process.platform === 'win32' && process.env.LOCALAPPDATA) {
+    return path.join(process.env.LOCALAPPDATA, 'pnpm');
+  }
+  return path.join(os.homedir(), '.local', 'share', 'pnpm');
+}
+
+/**
+ * Environment with PNPM_HOME and PATH set so `pnpm link --global` can find the global bin dir
+ * (same idea as aifabrix-setup/scripts/install-local.js).
+ * @returns {NodeJS.ProcessEnv} Copy of process.env with pnpm paths prepended
+ */
+function pnpmEnv() {
+  const env = { ...process.env };
+  const pnpmHome = defaultPnpmHome();
+  env.PNPM_HOME = pnpmHome;
+  env.PATH = [pnpmHome, env.PATH].filter(Boolean).join(path.delimiter);
+  return env;
+}
+
 /**
  * Detect which package manager is being used (pnpm or npm)
  * @returns {string} 'pnpm' or 'npm'
  */
 function detectPackageManager() {
   try {
-    // Check if pnpm is available
     execSync('which pnpm', { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] });
     return 'pnpm';
   } catch {
-    // Fall back to npm
     return 'npm';
   }
 }
 
 /**
- * Get currently installed version of aifabrix CLI
- * @returns {string|null} Version string or null if not installed
+ * Reads package.json `bin` keys (or default primary bin).
+ * @returns {string[]} CLI executable names published by this package
  */
-function getCurrentVersion() {
+function listCliBinNames() {
   try {
-    const version = execSync('aifabrix --version', { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] }).trim();
-    return version;
+    const packageJsonPath = path.join(__dirname, '..', 'package.json');
+    const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+    const bin = packageJson.bin;
+    if (!bin) return [PRIMARY_BIN];
+    if (typeof bin === 'string') return [PRIMARY_BIN];
+    return Object.keys(bin);
+  } catch {
+    return [PRIMARY_BIN];
+  }
+}
+
+/**
+ * @param {string} binName - CLI name on PATH
+ * @param {NodeJS.ProcessEnv} [env] - Optional env (e.g. pnpm-adjusted PATH)
+ * @returns {string|null} Trimmed `--version` output or null if command fails
+ */
+function getBinVersion(binName, env) {
+  try {
+    return execSync(`${binName} --version`, {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'ignore'],
+      env: env || process.env
+    }).trim();
   } catch {
     return null;
   }
 }
 
+/**
+ * @param {string} binName - CLI name on PATH
+ * @param {NodeJS.ProcessEnv} [env] - Optional env for `which`
+ * @returns {string|null} First resolved path or null
+ */
+function getBinPath(binName, env) {
+  try {
+    const which = execSync(`which ${binName}`, {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'ignore'],
+      env: env || process.env
+    }).trim();
+    return which || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * First executable `binName` on PATH (same resolution order as a POSIX shell).
+ * @param {string} binName - CLI name
+ * @param {string} pathString - PATH value (e.g. process.env.PATH)
+ * @returns {{ candidate: string, real: string }|null} First hit or null
+ */
+function firstExecutableOnPath(binName, pathString) {
+  if (process.platform === 'win32') {
+    return null;
+  }
+  const dirs = (pathString || '').split(path.delimiter).filter(Boolean);
+  for (const dir of dirs) {
+    const candidate = path.join(dir, binName);
+    try {
+      const st = fs.lstatSync(candidate);
+      if (!st.isFile() && !st.isSymbolicLink()) continue;
+      fs.accessSync(candidate, fs.constants.X_OK);
+      const real = fs.realpathSync(candidate);
+      return { candidate, real };
+    } catch {
+      // continue
+    }
+  }
+  return null;
+}
+
+/**
+ * @param {string} executablePath - Absolute path to CLI
+ * @returns {string|null} Trimmed --version or null
+ */
+function versionAtExecutablePath(executablePath) {
+  try {
+    return execFileSync(executablePath, ['--version'], {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'ignore']
+    }).trim();
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Get currently installed version of primary CLI (aifabrix)
+ * @param {NodeJS.ProcessEnv} [env] - Optional env for the version probe
+ * @returns {string|null} Trimmed version or null if not on PATH
+ */
+function getCurrentVersion(env) {
+  return getBinVersion(PRIMARY_BIN, env);
+}
+
 /**
  * Get version from local package.json
  * @returns {string|null} Version string or null if not found
@@ -81,53 +202,192 @@ function displayVersionInfo(currentVersion, packageVersion) {
   }
 }
 
+/**
+ * @typedef {{ name: string, path: string|null, real: string|null, version: string|null }} PathBinRow
+ */
+
+/**
+ * @param {string[]} binNames - CLI names from package.json
+ * @returns {PathBinRow[]} Resolution rows for current PATH
+ */
+function collectPathResolutionRows(binNames) {
+  const rows = [];
+  if (process.platform === 'win32') {
+    for (const name of binNames) {
+      const p = getBinPath(name, process.env);
+      const version = p
+        ? versionAtExecutablePath(p) || getBinVersion(name, process.env)
+        : getBinVersion(name, process.env);
+      rows.push({ name, path: p, real: p, version });
+    }
+    return rows;
+  }
+  for (const name of binNames) {
+    const hit = firstExecutableOnPath(name, process.env.PATH);
+    if (!hit) {
+      rows.push({ name, path: null, real: null, version: null });
+      continue;
+    }
+    const version =
+      versionAtExecutablePath(hit.candidate) || getBinVersion(name, process.env);
+    rows.push({ name, path: hit.candidate, real: hit.real, version });
+  }
+  return rows;
+}
+
+/**
+ * @param {PathBinRow[]} rows - Rows from collectPathResolutionRows
+ * @param {boolean} multipleBins - Whether package exposes more than one CLI name
+ * @returns {void}
+ */
+function printPathResolutionTable(rows, multipleBins) {
+  const label = multipleBins
+    ? 'First match on your PATH for each command (what new programs see):'
+    : 'First match on your PATH (what new programs see):';
+  console.log(`\n${label}`);
+  for (const r of rows) {
+    if (!r.path) {
+      console.log(`   ${r.name}: (not found on PATH)`);
+      continue;
+    }
+    const ver = r.version !== null && r.version !== undefined ? r.version : '(could not run --version)';
+    const arrow = r.real !== r.path ? ` → ${r.real}` : '';
+    console.log(`   ${r.name}: ${r.path}${arrow}  →  ${ver}`);
+  }
+}
+
+/**
+ * @param {PathBinRow[]} rows - Rows from collectPathResolutionRows
+ * @param {string|null} expectedVersion - Linked package version
+ * @param {string[]} binNames - Bin names (length for multi-alias tip)
+ * @returns {void}
+ */
+function printPathResolutionWarnings(rows, expectedVersion, binNames) {
+  const versions = rows
+    .map((r) => r.version)
+    .filter((v) => v !== null && v !== undefined && v !== '(could not run --version)');
+  const uniq = [...new Set(versions)];
+  const mismatchAliases = uniq.length > 1;
+  const hasStaleVers =
+    Boolean(expectedVersion) &&
+    rows.some(
+      (r) => r.version !== null && r.version !== undefined && r.version !== expectedVersion
+    );
+
+  if (hasStaleVers) {
+    console.log(`\n⚠️  At least one command above is not ${expectedVersion} (linked package version).`);
+    console.log('   Another install is winning on PATH for that name — often an old npm global copy.');
+    console.log('   Try:  pnpm run diagnose:cli');
+    console.log(`   Then: npm uninstall -g ${PACKAGE_NAME}`);
+    console.log('   Put PNPM_HOME (or ~/.local/share/pnpm) before other global bin dirs in PATH if needed.');
+  }
+
+  if (mismatchAliases) {
+    console.log('\n⚠️  `af` and `aifabrix` resolve to different installs on PATH.');
+    console.log('   Fix PATH as above, or if PATH looks correct, your shell may be using a stale location for one of them.');
+    console.log('   Bash: hash -r    Zsh: rehash    Then run both with --version again.');
+  } else if (binNames.length > 1 && expectedVersion && uniq.length === 1 && uniq[0] === expectedVersion) {
+    console.log('\nTip: Bash caches `af` and `aifabrix` separately. If your terminal shows a wrong version for only one, run: hash -r');
+  }
+}
+
+/**
+ * Report first PATH hit per bin (matches new subprocesses). Warn on mismatch vs link or between aliases.
+ * Bash/zsh cache each command name separately — `af` can stay stale while `aifabrix` updates; suggest hash -r.
+ * @param {string|null} expectedVersion - Version from the linked package (pnpm env probe)
+ * @param {string[]} binNames - All bin entries from package.json
+ * @returns {void}
+ */
+function reportCliAliasesOnPath(expectedVersion, binNames) {
+  if (!binNames.length) return;
+  const rows = collectPathResolutionRows(binNames);
+  printPathResolutionTable(rows, binNames.length > 1);
+  printPathResolutionWarnings(rows, expectedVersion, binNames);
+}
+
+/**
+ * Prints pnpm-specific hints when shell PATH still resolves an old binary.
+ * @param {boolean} usedPnpm - Whether link used pnpm
+ * @param {string|null} newVersion - Version after link
+ * @param {Object} [pathInfo] - Shell vs linked path probe
+ * @param {string|null} [pathInfo.versionInShell] - Version from default shell env
+ * @param {string|null} [pathInfo.linkedPath] - Path under pnpm env
+ * @returns {void}
+ */
+function printPnpmPathHints(usedPnpm, newVersion, pathInfo) {
+  if (!usedPnpm) return;
+  const shellVersion = pathInfo && pathInfo.versionInShell;
+  const linkedPath = pathInfo && pathInfo.linkedPath;
+  if (newVersion && shellVersion !== newVersion) {
+    console.log(`\n⚠️  Your shell is still running an older ${PRIMARY_BIN} (${shellVersion || 'unknown'}).`);
+    console.log(`   The linked binary is at: ${linkedPath || 'unknown'}`);
+    console.log('   Fix: run  source ~/.bashrc  (or open a new terminal).');
+    console.log('   If it still shows the old version, put pnpm\'s global bin first in PATH, or run:');
+    console.log(`   npm uninstall -g ${PACKAGE_NAME}`);
+  } else {
+    console.log('If you still see an old version, run: source ~/.bashrc  (or open a new terminal)');
+  }
+}
+
 /**
  * Display success message with version information
  * @param {string|null} currentVersion - Version before linking
  * @param {string|null} newVersion - Version after linking
+ * @param {boolean} [usedPnpm] - Link used pnpm
+ * @param {Object} [pathInfo] - Optional shell vs linked path info
+ * @param {string|null} [pathInfo.versionInShell] - Version from default shell env
+ * @param {string|null} [pathInfo.linkedPath] - Path under pnpm env
+ * @param {string[]} [binNames] - Bin names from package.json
  * @returns {void}
  */
-function displaySuccessMessage(currentVersion, newVersion) {
-  console.log('\n✅ Successfully linked!');
+function displaySuccessMessage(currentVersion, newVersion, usedPnpm, pathInfo, binNames) {
+  const bins = binNames && binNames.length ? binNames : [PRIMARY_BIN];
+  console.log('\n✔ Successfully linked!');
   if (currentVersion && newVersion && currentVersion !== newVersion) {
     console.log(`📊 Version updated: ${currentVersion} → ${newVersion}`);
   } else if (newVersion) {
     console.log(`📊 Installed version: ${newVersion}`);
   }
-  console.log('Run "aifabrix --version" to verify.');
+  const verifyHint =
+    bins.length > 1
+      ? bins.map((b) => `${b} --version`).join('" or "')
+      : `${bins[0]} --version`;
+  console.log(`Run "${verifyHint}" to verify.`);
+  if (bins.length > 1) {
+    console.log(
+      'If only one alias shows the wrong version in your terminal, clear the shell command cache (bash: hash -r, zsh: rehash).'
+    );
+  }
+
+  printPnpmPathHints(usedPnpm, newVersion, pathInfo);
+  reportCliAliasesOnPath(newVersion, bins);
 }
 
 /**
- * Run pnpm link --global and npm link from project root (handles pnpm global bin not set).
- * @param {string} projectRoot - Path to project root
+ * Runs global link and reports success (throws on failure).
+ * @param {string} pm - 'pnpm' or 'npm'
+ * @param {string|null} currentVersion - Version before link
+ * @param {string[]} binNames - CLI bin names
  * @returns {void}
- * @throws {Error} If linking fails when pnpm global bin is not configured
  */
-function runPnpmLink(projectRoot) {
-  let pnpmLinked = false;
-  try {
-    execSync('pnpm link --global', { stdio: 'inherit', cwd: projectRoot });
-    pnpmLinked = true;
-  } catch (pnpmErr) {
-    const msg = (pnpmErr.message || String(pnpmErr));
-    if (msg.includes('global bin directory') || msg.includes('ERR_PNPM_NO_GLOBAL_BIN_DIR')) {
-      console.log(
-        '⚠️  pnpm global bin is not set up. Run "pnpm setup" and add PNPM_HOME to PATH, or we will use npm link.\n'
-      );
-    } else {
-      throw pnpmErr;
-    }
-  }
-  try {
+function runGlobalLink(pm, currentVersion, binNames) {
+  const projectRoot = path.join(__dirname, '..');
+  const env = pm === 'pnpm' ? pnpmEnv() : undefined;
+  if (pm === 'pnpm') {
+    execSync('pnpm link --global', { stdio: 'inherit', cwd: projectRoot, env });
+  } else {
     execSync('npm link', { stdio: 'inherit', cwd: projectRoot });
-  } catch {
-    if (!pnpmLinked) {
-      console.error(
-        '\n💡 To fix: run "pnpm setup" and add the suggested line to your shell config, then run install:local again.'
-      );
-      throw new Error('Linking failed. pnpm global bin not configured and npm link failed.');
-    }
   }
+
+  const newVersion = getCurrentVersion(env);
+  let pathInfo;
+  if (pm === 'pnpm') {
+    pathInfo = {
+      versionInShell: getCurrentVersion(),
+      linkedPath: getBinPath(PRIMARY_BIN, env)
+    };
+  }
+  displaySuccessMessage(currentVersion, newVersion, pm === 'pnpm', pathInfo, binNames);
 }
 
 /**
@@ -137,23 +397,17 @@ function runPnpmLink(projectRoot) {
 function installLocal() {
   const pm = detectPackageManager();
   const packageVersion = getPackageVersion();
+  const binNames = listCliBinNames();
   const currentVersion = getCurrentVersion();
 
   console.log(`Detected package manager: ${pm}\n`);
   displayVersionInfo(currentVersion, packageVersion);
-  console.log('Linking @aifabrix/builder globally...\n');
+  console.log(`Linking ${PACKAGE_NAME} globally...\n`);
 
   try {
-    const projectRoot = path.join(__dirname, '..');
-    if (pm === 'pnpm') {
-      runPnpmLink(projectRoot);
-    } else {
-      execSync('npm link', { stdio: 'inherit', cwd: projectRoot });
-    }
-    const newVersion = getCurrentVersion();
-    displaySuccessMessage(currentVersion, newVersion);
+    runGlobalLink(pm, currentVersion, binNames);
   } catch (error) {
-    console.error('\n❌ Failed to link package:', error.message);
+    console.error('\n✖ Failed to link package:', error.message);
     process.exit(1);
   }
 }
@@ -192,7 +446,7 @@ function displayUninstallVersionInfo(currentVersion, packageVersion) {
  * @returns {void}
  */
 function displayUninstallSuccess(pm, currentVersion) {
-  console.log(`\n✅ Successfully unlinked with ${pm}!`);
+  console.log(`\n✔ Successfully unlinked with ${pm}!`);
   if (currentVersion) {
     console.log(`📊 Uninstalled version: ${currentVersion}`);
   }
@@ -208,22 +462,20 @@ function uninstallLocal() {
   const packageVersion = getPackageVersion();
 
   console.log(`Detected package manager: ${pm}\n`);
-
-  // Show version information before unlinking
   displayUninstallVersionInfo(currentVersion, packageVersion);
-
-  console.log('Unlinking @aifabrix/builder globally...\n');
+  console.log(`Unlinking ${PACKAGE_NAME} globally...\n`);
 
   try {
     if (pm === 'pnpm') {
-      execSync('pnpm unlink --global @aifabrix/builder', { stdio: 'inherit' });
+      const env = { ...pnpmEnv(), CI: 'true' };
+      runPnpmGlobalRemove(env, PACKAGE_NAME);
       displayUninstallSuccess(pm, currentVersion);
     } else {
-      execSync('npm unlink -g @aifabrix/builder', { stdio: 'inherit' });
+      execSync(`npm unlink -g ${PACKAGE_NAME}`, { stdio: 'inherit' });
       displayUninstallSuccess(pm, currentVersion);
     }
   } catch (error) {
-    console.error('\n❌ Failed to unlink package:', error.message);
+    console.error('\n✖ Failed to unlink package:', error.message);
     process.exit(1);
   }
 }

package/scripts/pnpm-global-remove.js

@@ -0,0 +1,48 @@
+#!/usr/bin/env node
+/* eslint-disable no-console */
+
+/**
+ * pnpm global remove with virtual-store repair retry (pnpm 9+ global layout).
+ * @fileoverview Used by install-local.js uninstall path
+ * @author AI Fabrix Team
+ */
+
+const { execSync } = require('child_process');
+
+/**
+ * @param {unknown} error - Thrown from execSync
+ * @returns {boolean} True when `pnpm i -g` repair may fix the failure
+ */
+function isPnpmUnexpectedVirtualStoreError(error) {
+  const msg =
+    error && typeof error === 'object' && 'message' in error ? String(error.message) : String(error);
+  return msg.includes('ERR_PNPM_UNEXPECTED_VIRTUAL_STORE');
+}
+
+/**
+ * @param {NodeJS.ProcessEnv} env - Environment
+ * @returns {void} Nothing
+ */
+function repairPnpmGlobalInstall(env) {
+  execSync('pnpm i -g', { stdio: 'inherit', env });
+}
+
+/**
+ * @param {NodeJS.ProcessEnv} env - pnpm env (e.g. pnpmEnv + CI)
+ * @param {string} packageName - Scoped package name to remove globally
+ * @returns {void} Nothing
+ */
+function runPnpmGlobalRemove(env, packageName) {
+  try {
+    execSync(`pnpm remove -g ${packageName}`, { stdio: 'inherit', env });
+  } catch (firstError) {
+    if (!isPnpmUnexpectedVirtualStoreError(firstError)) throw firstError;
+    console.log(
+      '\n⚠️  pnpm global virtual store layout mismatch. Running `pnpm i -g` to repair, then retrying remove...\n'
+    );
+    repairPnpmGlobalInstall(env);
+    execSync(`pnpm remove -g ${packageName}`, { stdio: 'inherit', env });
+  }
+}
+
+module.exports = { runPnpmGlobalRemove };

package/templates/README.md

@@ -8,7 +8,7 @@ The templates directory is organized as follows:
 
 ### Application Templates (for `--template` flag)
 
-Application templates are folder-based and located under `templates/applications/`. When you use `--template <name>`, the tool looks for `templates/applications/<name>/` and copies all files from that folder to `builder/<app>/`.
+Application templates are folder-based and located under `templates/applications/`. When you use `--template <name>`, the tool looks for `templates/applications/<name>/` and copies all files from that folder to `builder/<appKey>/`.
 
 **Example:**
 - `templates/applications/miso-controller/` - Miso Controller application template
@@ -18,7 +18,7 @@ Application templates are folder-based and located under `templates/applications
 - Template folder must exist in `templates/applications/<name>/`
 - Template folder must contain at least one file
 - Hidden files (starting with `.`) are skipped
-- If a template includes a `Dockerfile`, it will be copied to `builder/<app>/Dockerfile` along with other files
+- If a template includes a `Dockerfile`, it will be copied to `builder/<appKey>/Dockerfile` along with other files
 
 ### Language Templates
 
@@ -63,6 +63,19 @@ Extra workflow steps are located in `templates/github/steps/`. When you use `--g
 ### Health Check Configuration
 - `{{healthCheck.path}}` - Health check endpoint path (e.g., "/health")
 - `{{healthCheck.interval}}` - Health check interval in seconds
+- `{{healthCheck.bashProbe}}` - When true, generated Docker Compose uses a bash TCP probe (no `curl` dependency) instead of `curl -f`.
+
+**Why `bashProbe` exists**
+
+Some application images intentionally do not ship with `curl` (for smaller images or stricter runtime environments). If Compose uses a `curl`-based healthcheck in those images, Docker will mark the container as **unhealthy** even when the app is actually serving traffic.
+
+Set `healthCheck.bashProbe: true` to make Compose healthchecks work without `curl` by performing a minimal HTTP request over `/dev/tcp`.
+
+### Traefik (Docker Compose labels)
+
+Generated compose includes `traefik.http.routers.<app>.service=<app>` so Traefik’s Docker provider always binds the router to the in-compose service (required for HTTP-only routers when TLS terminates at nginx).
+
+Infra Traefik is started with `--providers.docker.allowEmptyServices=true` so routes are published while a container is still in Docker’s `starting` / `unhealthy` health state (common during slow boots or when a health probe differs from real readiness).
 
 ### Service Requirements
 - `{{requiresDatabase}}` - Database requirement flag (conditional db-init service)

package/templates/applications/dataplane/application.yaml

@@ -5,7 +5,7 @@ app:
   description: "AI Fabrix Dataplane is a secure, in-tenant integration and automation layer that supplies governed, normalized, and explainable enterprise data to AI agents. Using CIP as a declarative standard, it enforces RBAC and ABAC, executes integrations, and exposes trusted data via MCP and OpenAPI."
   type: webapp
   language: python  # Explicitly specify Python language
-  version: 1.8.0
+  version: 1.9.5
 
 # Image Configuration
 # Set tag to match your build (e.g. aifabrix build dataplane -t v1.0.0 then tag: v1.0.0)
@@ -18,6 +18,16 @@ image:
 
 # Port Configuration
 port: 3001
+environmentScopedResources: true
+
+# Public path behind Azure Front Door / reverse proxy (used by url://public and urls.local.yaml).
+# Traefik: host is expanded from developer-id + remote-server (hostname of `remote-server` in ~/.aifabrix/config.yaml).
+# Path uses pattern below plus optional /dev|/tst prefix when env-scoped resources are effective (plan 117).
+frontDoorRouting:
+  pattern: /data/*
+  enabled: true
+  host: ${DEV_USERNAME}.${REMOTE_HOST}
+  tls: ${TLS_ENABLED}
 
 # Azure Requirements
 requires:
@@ -51,7 +61,6 @@ build:
   context: ../..                  # Docker build context (relative to builder/dataplane/)
   dockerfile: builder/dataplane/Dockerfile  # Dockerfile path (relative to project root)
   envOutputPath: ../../.env       # Copy to repo root for local dev
-  localPort: 3011                 # Port for local development (different from Docker port)
   language: python                # Runtime language for template selection (typescript or python)
   reloadStart: uvicorn app.main:app --host 0.0.0.0 --port ${PORT:-3001} --reload  # PORT set from port above at run time; default 3001 must match port
 
@@ -98,6 +107,47 @@ configuration:
         - detailed
         - explain
 
+  - name: TRUST_CUSTOMER_POLICY_LEVEL
+    portalInput:
+      field: select
+      label: "Trust policy level (no-policy defaults)"
+      options:
+        - strict
+        - standard
+        - relaxed
+
+  - name: TRUST_PUBLISH_GATE_ENABLED
+    portalInput:
+      field: select
+      label: "Enforce trust gate on datasource publish"
+      options:
+        - "false"
+        - "true"
+
+  - name: TRUST_PROMOTE_GATE_ENABLED
+    portalInput:
+      field: select
+      label: "Enforce trust gate on external system publish (promote scope)"
+      options:
+        - "false"
+        - "true"
+
+  - name: TRUST_RUNTIME_GATE_ENABLED
+    portalInput:
+      field: select
+      label: "Enforce trust gate on CIP execution (runtime scope)"
+      options:
+        - "false"
+        - "true"
+
+  - name: TRUST_AI_EXPOSURE_GATE_ENABLED
+    portalInput:
+      field: select
+      label: "Enforce trust gate on AI document-storage prompt generation"
+      options:
+        - "false"
+        - "true"
+
   # -------------------------------------------------------------------------
   # CIP Execution - Resource Limits
   # -------------------------------------------------------------------------