@aifabrix/builder 2.44.0 → 2.44.1

package/lib/app/show.js

@@ -32,6 +32,11 @@ const { resolveDataplaneUrl } = require('../utils/dataplane-resolver');
 const { formatApiError } = require('../utils/api-error-handler');
 const { formatAuthenticationError } = require('../utils/error-formatters/http-status-errors');
 const { display: displayShow } = require('./show-display');
+const {
+  attachLocalCertification,
+  attachCertificationVerifyFromDataplane,
+  sanitizeCertificationForJson
+} = require('./certification-show-enrich');
 
 /** Truncate deployment key for display */
 const DEPLOYMENT_KEY_TRUNCATE_LEN = 12;
@@ -273,6 +278,69 @@ async function getShowAuthToken(controllerUrl, config) {
   throw new Error('Authentication required for --online. Run aifabrix login.');
 }
 
+/**
+ * Optional dataplane certificate verify rows on the show summary (external only).
+ * @param {Object} summary
+ * @param {string} appKey
+ * @param {boolean} verifyCert
+ * @param {{ token: string, controllerUrl: string }|null} [authBundleOptional]
+ */
+async function maybeAttachCertificationVerify(summary, appKey, verifyCert, authBundleOptional) {
+  if (!verifyCert || !summary.isExternal) return;
+  if (authBundleOptional && authBundleOptional.token && authBundleOptional.controllerUrl) {
+    await attachCertificationVerifyFromDataplane(summary, appKey, {
+      token: authBundleOptional.token,
+      controllerUrl: authBundleOptional.controllerUrl
+    });
+    return;
+  }
+  try {
+    const controllerUrl = await resolveControllerUrl();
+    if (!controllerUrl) {
+      summary.certificationVerifySkipped = true;
+      return;
+    }
+    const config = await getConfig();
+    const authResult = await getShowAuthToken(controllerUrl, config);
+    await attachCertificationVerifyFromDataplane(summary, appKey, {
+      token: authResult.token,
+      controllerUrl: authResult.actualControllerUrl
+    });
+  } catch {
+    summary.certificationVerifySkipped = true;
+  }
+}
+
+/**
+ * @param {Object} out - JSON payload (mutated)
+ * @param {Object} summary
+ */
+function appendCertificationJsonFields(out, summary) {
+  if (!summary.isExternal) return;
+  out.localCertification = sanitizeCertificationForJson(summary.localCertification);
+  if (summary.certificationVerifyRows) {
+    out.certificationVerify = summary.certificationVerifyRows;
+  }
+  if (summary.certificationVerifySkipped) {
+    out.certificationVerifySkipped = true;
+  }
+  if (summary.certificationVerifyError) {
+    out.certificationVerifyError = summary.certificationVerifyError;
+  }
+}
+
+/**
+ * @param {Object} summary
+ * @param {string} appKey
+ * @param {boolean} verifyCert
+ * @param {{ token: string, controllerUrl: string }|null} [authBundleOptional]
+ */
+async function enrichExternalShowSummary(summary, appKey, verifyCert, authBundleOptional) {
+  if (!summary.isExternal) return;
+  attachLocalCertification(summary, appKey);
+  await maybeAttachCertificationVerify(summary, appKey, verifyCert, authBundleOptional);
+}
+
 async function fetchOpenApiLists(dataplaneUrl, appKey, authConfig) {
   let openapiFiles = [];
   let openapiEndpoints = [];
@@ -566,22 +634,25 @@ function buildOnlineSummary(apiApp, controllerUrl, externalSystem) {
  * @param {string} appKey - Application key
  * @param {boolean} json - Output as JSON
  * @param {boolean} [permissionsOnly] - When true, output only permissions
+ * @param {boolean} [verifyCert] - When true, attempt dataplane verify for external apps
  * @throws {Error} If application config not found or invalid
  */
-async function runOffline(appKey, json, permissionsOnly) {
-  let summary;
-
+async function loadOfflineShowSummary(appKey) {
   try {
     const { deployment, appPath } = await generator.buildDeploymentManifestInMemory(appKey);
     const sourcePath = path.relative(process.cwd(), appPath) || appPath;
-    summary = buildOfflineSummaryFromDeployJson(deployment, sourcePath);
+    return buildOfflineSummaryFromDeployJson(deployment, sourcePath);
   } catch (_err) {
     const { appPath } = await detectAppType(appKey);
     const configPath = resolveApplicationConfigPath(appPath);
     const variables = loadVariablesFromPath(appPath);
     const sourcePath = path.relative(process.cwd(), configPath) || configPath;
-    summary = buildOfflineSummary(variables, sourcePath);
+    return buildOfflineSummary(variables, sourcePath);
   }
+}
+
+async function runOffline(appKey, json, permissionsOnly, verifyCert = false) {
+  const summary = await loadOfflineShowSummary(appKey);
 
   if (json) {
     if (permissionsOnly) {
@@ -607,9 +678,14 @@ async function runOffline(appKey, json, permissionsOnly) {
         databases: summary.databases
       }
     };
+    if (summary.isExternal) {
+      await enrichExternalShowSummary(summary, appKey, verifyCert, null);
+      appendCertificationJsonFields(out, summary);
+    }
     logger.log(JSON.stringify(out, null, 2));
     return;
   }
+  await enrichExternalShowSummary(summary, appKey, verifyCert, null);
   displayShow(summary, { permissionsOnly: !!permissionsOnly });
 }
 
@@ -680,6 +756,7 @@ function outputOnlineJson(summary, permissionsOnly) {
       ? { error: summary.externalSystem.error }
       : summary.externalSystem;
   }
+  appendCertificationJsonFields(out, summary);
   logger.log(JSON.stringify(out, null, 2));
 }
 
@@ -688,9 +765,10 @@ function outputOnlineJson(summary, permissionsOnly) {
  * @param {string} appKey - Application key
  * @param {boolean} json - Output as JSON
  * @param {boolean} [permissionsOnly] - When true, output only permissions
+ * @param {boolean} [verifyCert] - When true, attempt dataplane verify for external apps
  * @throws {Error} On auth failure, 404, or API error
  */
-async function runOnline(appKey, json, permissionsOnly) {
+async function runOnline(appKey, json, permissionsOnly, verifyCert = false) {
   const controllerUrl = await resolveControllerUrl();
   if (!controllerUrl) {
     throw new Error('Controller URL is required for --online. Run aifabrix login to set the controller URL in config.yaml.');
@@ -705,6 +783,10 @@ async function runOnline(appKey, json, permissionsOnly) {
     ? await fetchExternalSystemForOnline(controllerUrl, appKey, authConfig)
     : null;
   const summary = buildOnlineSummary(apiApp, authResult.actualControllerUrl, externalSystem);
+  await enrichExternalShowSummary(summary, appKey, verifyCert, {
+    token: authConfig.token,
+    controllerUrl: authResult.actualControllerUrl
+  });
   if (json) {
     outputOnlineJson(summary, permissionsOnly);
     return;
@@ -720,6 +802,7 @@ async function runOnline(appKey, json, permissionsOnly) {
  * @param {boolean} [options.online] - Fetch from controller
  * @param {boolean} [options.json] - Output as JSON
  * @param {boolean} [options.permissions] - When true, output only permissions (app show --permissions)
+ * @param {boolean} [options.verifyCert] - When true, attach dataplane certificate verify rows (external)
  * @throws {Error} If file missing/invalid (offline) or API/auth error (online)
  */
 async function showApp(appKey, options = {}) {
@@ -730,11 +813,12 @@ async function showApp(appKey, options = {}) {
   const online = Boolean(options.online);
   const json = Boolean(options.json);
   const permissions = Boolean(options.permissions);
+  const verifyCert = Boolean(options.verifyCert);
 
   if (online) {
-    await runOnline(appKey, json, permissions);
+    await runOnline(appKey, json, permissions, verifyCert);
   } else {
-    await runOffline(appKey, json, permissions);
+    await runOffline(appKey, json, permissions, verifyCert);
   }
 }
 

package/lib/certification/cli-cert-sync-skip.js

@@ -0,0 +1,21 @@
+/**
+ * @fileoverview Detect skip-cert-sync from Commander + legacy option shapes.
+ * Commander registers `--no-cert-sync` as `certSync` defaulting to true; `--no-cert-sync` sets `certSync: false`.
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+/**
+ * @param {Object|null|undefined} options
+ * @returns {boolean}
+ */
+function cliOptsSkipCertSync(options) {
+  if (!options || typeof options !== 'object') return false;
+  if (options.noCertSync === true) return true;
+  if (options.certSync === false) return true;
+  return false;
+}
+
+module.exports = { cliOptsSkipCertSync };

package/lib/certification/merge-certification-from-artifact.js

@@ -0,0 +1,185 @@
+/**
+ * @fileoverview Map dataplane certificate artifacts into **certification** (external-system.schema.json).
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+/**
+ * @param {unknown} id - certificateId field (string or FK-shaped object)
+ * @returns {string}
+ */
+function certificateIdToString(id) {
+  if (id === undefined || id === null) return '';
+  if (typeof id === 'string') return id.trim();
+  if (typeof id === 'object' && id !== null && typeof id.id === 'string') return String(id.id).trim();
+  return String(id).trim();
+}
+
+/**
+ * @param {string|undefined|null} s
+ * @returns {string}
+ */
+function trimOrEmpty(s) {
+  return s !== undefined && s !== null ? String(s).trim() : '';
+}
+
+/**
+ * Prefer an artifact that includes PEM/JWK **publicKey** material for verify-publish.
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse[]} artifacts
+ * @returns {import('../api/types/certificates.types').CertificateArtifactResponse|null}
+ */
+function pickArtifactForCertificationMerge(artifacts) {
+  const list = Array.isArray(artifacts) ? artifacts.filter((a) => a && typeof a === 'object') : [];
+  if (list.length === 0) return null;
+  const withKey = list.find((a) => a.publicKey && String(a.publicKey).trim());
+  return withKey || list[0];
+}
+
+/**
+ * @param {string} algorithmUpper
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @returns {string}
+ */
+function hs256DevPublicKeyPlaceholder(algorithmUpper, art) {
+  if (algorithmUpper !== 'HS256') return '';
+  const cid = certificateIdToString(art.certificateId);
+  return `HS256-DEV-NO-PEM:${cid || 'integration-certificate'}`;
+}
+
+/**
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @param {Object} ex
+ * @returns {string}
+ */
+function resolvePublicKey(art, ex) {
+  const fromArt = trimOrEmpty(art.publicKey);
+  if (fromArt) return fromArt;
+  const fromExisting = trimOrEmpty(ex.publicKey);
+  if (fromExisting) return fromExisting;
+  const algorithmUpper = trimOrEmpty(art.algorithm).toUpperCase();
+  return hs256DevPublicKeyPlaceholder(algorithmUpper, art);
+}
+
+/**
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @param {Object} ex
+ * @returns {string}
+ */
+function resolveIssuer(art, ex) {
+  return (
+    trimOrEmpty(art.licenseLevelIssuer) ||
+    trimOrEmpty(art.issuedBy) ||
+    trimOrEmpty(ex.issuer) ||
+    'dataplane'
+  );
+}
+
+/**
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @param {Object} ex
+ * @returns {string}
+ */
+function resolveVersion(art, ex) {
+  return (
+    trimOrEmpty(art.version) ||
+    trimOrEmpty(art.certificateVersion) ||
+    trimOrEmpty(ex.version) ||
+    certificateIdToString(art.certificateId)
+  );
+}
+
+const CERTIFICATION_LEVELS = new Set(['BRONZE', 'SILVER', 'GOLD', 'PLATINUM']);
+const CERTIFICATION_STATUSES = new Set(['passed', 'not_passed', 'pending']);
+
+/**
+ * @param {string} raw
+ * @returns {string}
+ */
+function normalizeCertificationLevel(raw) {
+  const s = trimOrEmpty(raw).toUpperCase();
+  return CERTIFICATION_LEVELS.has(s) ? s : '';
+}
+
+/**
+ * @param {string} raw
+ * @returns {string}
+ */
+function normalizeCertificationStatus(raw) {
+  const s = trimOrEmpty(raw).toLowerCase();
+  return CERTIFICATION_STATUSES.has(s) ? s : '';
+}
+
+/**
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @param {Object} ex
+ * @returns {string}
+ */
+function resolveLevel(art, ex) {
+  return (
+    normalizeCertificationLevel(ex.level) ||
+    normalizeCertificationLevel(art.certificationLevel) ||
+    ''
+  );
+}
+
+/**
+ * Prefer existing file status when valid; otherwise **passed** for an active dataplane artifact.
+ *
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @param {Object} ex
+ * @returns {string}
+ */
+function resolveStatus(_art, ex) {
+  const fromEx = normalizeCertificationStatus(ex.status);
+  if (fromEx) return fromEx;
+  return 'passed';
+}
+
+/**
+ * Build `certification` object matching **external-system.schema.json** (required: enabled, publicKey, algorithm, issuer, version; optional status, level).
+ * Fills gaps from `existingCertification` when the artifact omits publishable fields (common when dataplane redacts `publicKey`).
+ * For **HS256** dev certificates with no PEM, uses a non-secret placeholder `publicKey` so the system file stays schema-valid.
+ *
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse|null} artifact
+ * @param {Object|null|undefined} existingCertification - Current `system.certification`
+ * @returns {Object|null} Full certification object, or null if **publicKey** or **version** cannot be satisfied
+ */
+function buildCertificationFromArtifact(artifact, existingCertification) {
+  const ex = existingCertification && typeof existingCertification === 'object' ? existingCertification : {};
+  const art = artifact && typeof artifact === 'object' ? artifact : null;
+  if (!art) return null;
+
+  const publicKey = resolvePublicKey(art, ex);
+  if (!publicKey) return null;
+
+  const issuer = resolveIssuer(art, ex);
+  if (!issuer) return null;
+
+  const versionStr = resolveVersion(art, ex);
+  if (!versionStr) return null;
+
+  const algorithmUpper = trimOrEmpty(art.algorithm).toUpperCase();
+  const algorithm = algorithmUpper === 'HS256' ? 'HS256' : 'RS256';
+
+  const out = {
+    enabled: true,
+    publicKey,
+    algorithm,
+    issuer,
+    version: versionStr,
+    status: resolveStatus(art, ex)
+  };
+  const level = resolveLevel(art, ex);
+  if (level) {
+    out.level = level;
+  }
+  return out;
+}
+
+module.exports = {
+  buildCertificationFromArtifact,
+  pickArtifactForCertificationMerge,
+  certificateIdToString
+};

package/lib/certification/post-unified-cert-sync.js

@@ -0,0 +1,33 @@
+/**
+ * @fileoverview After successful unified datasource validation, optionally sync system certification.
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { trySyncCertificationFromDataplaneForExternalApp } = require('./sync-after-external-command');
+const { cliOptsSkipCertSync } = require('./cli-cert-sync-skip');
+
+/**
+ * @async
+ * @param {number} exitCode
+ * @param {string} datasourceKey
+ * @param {Object} options - CLI flags (app, noCertSync)
+ * @param {string} label - Log label
+ * @returns {Promise<void>}
+ */
+async function afterUnifiedValidationCertSync(exitCode, datasourceKey, options, label) {
+  if (exitCode !== 0 || cliOptsSkipCertSync(options)) return;
+  try {
+    const { resolveAppKeyForDatasource } = require('../datasource/resolve-app');
+    const { appKey } = await resolveAppKeyForDatasource(datasourceKey, options.app);
+    await trySyncCertificationFromDataplaneForExternalApp(appKey, label);
+  } catch (e) {
+    logger.log(chalk.yellow(`⚠ Certification sync (${label}) skipped: ${e.message}`));
+  }
+}
+
+module.exports = { afterUnifiedValidationCertSync };

package/lib/certification/sync-after-external-command.js

@@ -0,0 +1,52 @@
+/**
+ * @fileoverview Optional certification sync after external flows (validate, tests).
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+
+/**
+ * After a successful external integration flow, refresh `certification` on the primary system file from dataplane.
+ * Best-effort: skips non-external apps, missing Bearer token, or resolver errors (warn only).
+ *
+ * @async
+ * @param {string} appKey - Integration / system key
+ * @param {string} label - Short label for logs (e.g. "validate", "datasource test")
+ * @returns {Promise<void>}
+ */
+async function trySyncCertificationFromDataplaneForExternalApp(appKey, label) {
+  try {
+    const { detectAppType } = require('../utils/paths');
+    const t = await detectAppType(appKey).catch(() => null);
+    if (!t || !t.isExternal) return;
+
+    const { resolveDataplaneAndAuth, validateSystemKeyFormat } = require('../commands/upload');
+    const { generateControllerManifest } = require('../generator/external-controller-manifest');
+    const { maybeSyncSystemCertificationFromDataplane } = require('./sync-system-certification');
+
+    validateSystemKeyFormat(appKey);
+    const { dataplaneUrl, authConfig } = await resolveDataplaneAndAuth(appKey);
+    if (!authConfig.token) {
+      logger.log(chalk.gray(`Certification sync (${label}) skipped: no Bearer token (run aifabrix login).`));
+      return;
+    }
+    const manifest = await generateControllerManifest(appKey, { type: 'external' });
+    const dsKeys = (manifest.dataSources || []).map((ds) => ds && ds.key).filter(Boolean);
+    await maybeSyncSystemCertificationFromDataplane({
+      label,
+      noCertSync: false,
+      systemKey: manifest.key,
+      dataplaneUrl,
+      authConfig,
+      datasourceKeys: dsKeys
+    });
+  } catch (e) {
+    logger.log(chalk.yellow(`⚠ Certification sync (${label}) skipped: ${e.message}`));
+  }
+}
+
+module.exports = { trySyncCertificationFromDataplaneForExternalApp };

package/lib/certification/sync-system-certification.js

@@ -0,0 +1,197 @@
+/**
+ * @fileoverview Sync `certification` on *-system.json|yaml from dataplane active certificate(s).
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const path = require('path');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { getIntegrationPath } = require('../utils/paths');
+const { discoverIntegrationFiles } = require('../commands/repair-internal');
+const { loadConfigFile, writeConfigFile } = require('../utils/config-format');
+const { unwrapApiData } = require('../utils/external-system-readiness-core');
+const { getActiveIntegrationCertificate } = require('../api/certificates.api');
+const {
+  buildCertificationFromArtifact,
+  pickArtifactForCertificationMerge
+} = require('./merge-certification-from-artifact');
+
+/**
+ * @param {string} systemKey
+ * @returns {{ systemFilePath: string }|null}
+ */
+function resolvePrimarySystemFilePath(systemKey) {
+  const appPath = getIntegrationPath(systemKey);
+  const { systemFiles } = discoverIntegrationFiles(appPath);
+  if (!systemFiles || systemFiles.length === 0) return null;
+  return { systemFilePath: path.join(appPath, systemFiles[0]) };
+}
+
+/**
+ * @async
+ * @param {Object} ctx
+ * @returns {Promise<Array<import('../api/types/certificates.types').CertificateArtifactResponse>>}
+ */
+async function collectActiveArtifacts(ctx) {
+  const { dataplaneUrl, authConfig, systemKey, datasourceKeys } = ctx;
+  const out = [];
+  for (const dk of datasourceKeys || []) {
+    if (!dk || typeof dk !== 'string') continue;
+    try {
+      const res = await getActiveIntegrationCertificate(dataplaneUrl, authConfig, systemKey, dk);
+      if (res && res.success === false) continue;
+      const art = unwrapApiData(res);
+      if (art && typeof art === 'object') out.push(art);
+    } catch {
+      /* skip datasource */
+    }
+  }
+  return out;
+}
+
+/**
+ * @param {string} systemFilePath
+ * @returns {Object|null}
+ */
+function readSystemObject(systemFilePath) {
+  try {
+    return loadConfigFile(systemFilePath);
+  } catch (e) {
+    logger.log(chalk.yellow(`⚠ Certification sync: could not read system file: ${e.message}`));
+    return null;
+  }
+}
+
+/**
+ * @param {string} systemFilePath
+ * @param {Object} systemObj
+ * @param {Object} nextCert
+ * @returns {{ ok: true } | { ok: false }}
+ */
+function tryWriteSystemCertification(systemFilePath, systemObj, nextCert) {
+  try {
+    writeConfigFile(systemFilePath, { ...systemObj, certification: nextCert });
+    return { ok: true };
+  } catch (e) {
+    logger.log(chalk.yellow(`⚠ Certification sync: could not write system file: ${e.message}`));
+    return { ok: false };
+  }
+}
+
+/**
+ * @param {Object|null} chosen
+ * @param {'no_active'|'no_public_key'} detail
+ */
+function logSkippedCertification(chosen, detail) {
+  if (detail === 'no_active' || !chosen) {
+    logger.log(
+      chalk.yellow(
+        '⚠ Certification not written: dataplane has no active trusted certificate for this system/datasource scope yet. ' +
+          'Run a successful validation or E2E that issues a certificate, then upload or run cert sync again.'
+      )
+    );
+    return;
+  }
+  logger.log(
+    chalk.yellow(
+      '⚠ Certification not written: active certificate has no publicKey and your system file has none to merge. ' +
+        'The dataplane must return publicKey (or add certification.publicKey locally once) to satisfy the schema.'
+    )
+  );
+}
+
+/**
+ * Read system file, merge **certification** from dataplane, write back. Does not modify other top-level keys.
+ * @async
+ * @param {Object} params
+ * @param {string} params.systemKey
+ * @param {string} params.dataplaneUrl
+ * @param {Object} params.authConfig
+ * @param {string[]} params.datasourceKeys
+ * @returns {Promise<{ written: boolean, reason?: string }>}
+ */
+async function syncSystemCertificationFromDataplane(params) {
+  const { systemKey, dataplaneUrl, authConfig, datasourceKeys } = params;
+  const resolved = resolvePrimarySystemFilePath(systemKey);
+  if (!resolved) return { written: false, reason: 'no_system_file' };
+  if (!dataplaneUrl || !authConfig || !authConfig.token) {
+    return { written: false, reason: 'no_auth' };
+  }
+
+  const systemObj = readSystemObject(resolved.systemFilePath);
+  if (!systemObj || typeof systemObj !== 'object') {
+    return { written: false, reason: 'invalid_system' };
+  }
+
+  const existing = systemObj.certification;
+  const artifacts = await collectActiveArtifacts({
+    dataplaneUrl,
+    authConfig,
+    systemKey,
+    datasourceKeys
+  });
+  const chosen = pickArtifactForCertificationMerge(artifacts);
+  const nextCert = buildCertificationFromArtifact(chosen, existing);
+  if (!nextCert) {
+    const detail = chosen ? 'no_public_key' : 'no_active';
+    logSkippedCertification(chosen, detail);
+    return { written: false, reason: 'incomplete_certification', detail };
+  }
+
+  const writeResult = tryWriteSystemCertification(resolved.systemFilePath, systemObj, nextCert);
+  if (!writeResult.ok) return { written: false, reason: 'write_error' };
+  return { written: true };
+}
+
+/**
+ * Non-throwing entry for upload/deploy: failures are warnings only.
+ * @async
+ * @param {Object} params
+ * @param {string} [params.label] - e.g. "upload"
+ * @param {boolean} [params.noCertSync]
+ * @returns {Promise<void>}
+ */
+function logCertificationSyncNotWritten(r, label) {
+  const prefix = label ? ` (${label})` : '';
+  const map = {
+    no_system_file: `No *-system* file found under integration folder for this key${prefix}.`,
+    no_auth: `No Bearer token for dataplane${prefix}; run aifabrix login.`,
+    invalid_system: `Could not read or parse the primary system file${prefix}.`,
+    incomplete_certification: 'Could not build certification (see message above).',
+    write_error: 'Write to system file failed (see message above).'
+  };
+  const msg = (r && r.reason && map[r.reason]) || `Certification block not updated${prefix}.`;
+  logger.log(chalk.yellow(`⚠ ${msg}`));
+}
+
+async function maybeSyncSystemCertificationFromDataplane(params) {
+  const { label, noCertSync, systemKey, dataplaneUrl, authConfig, datasourceKeys } = params;
+  if (noCertSync === true) return;
+  try {
+    const r = await syncSystemCertificationFromDataplane({
+      systemKey,
+      dataplaneUrl,
+      authConfig,
+      datasourceKeys
+    });
+    if (r.written) {
+      logger.log(
+        chalk.gray(`Updated certification block from dataplane${label ? ` (${label})` : ''} in system file.`)
+      );
+    } else if (r.reason) {
+      logCertificationSyncNotWritten(r, label);
+    }
+  } catch (e) {
+    logger.log(chalk.yellow(`⚠ Certification sync skipped: ${e.message}`));
+  }
+}
+
+module.exports = {
+  syncSystemCertificationFromDataplane,
+  maybeSyncSystemCertificationFromDataplane,
+  resolvePrimarySystemFilePath,
+  collectActiveArtifacts
+};

package/lib/cli/setup-app.js

@@ -332,6 +332,10 @@ function setupPushDeployDockerfileCommands(program) {
     .option('--no-poll', 'Do not poll for status')
     .option('--probe', 'After external deploy, run dataplane runtime checks (validation/run); slower')
     .option('--probe-timeout <ms>', 'Timeout for --probe on external deploy (default: 120000)', '120000')
+    .option(
+      '--no-cert-sync',
+      'Skip updating integration certification in the system file from the dataplane after external deploy'
+    )
     .action(async(appName, options) => {
       try {
         const probeTimeout =