@aifabrix/builder 2.44.0 → 2.44.1

package/lib/cli/setup-app.test-commands.js

@@ -7,6 +7,7 @@
 const chalk = require('chalk');
 const logger = require('../utils/logger');
 const { handleCommandError } = require('../utils/cli-utils');
+const { cliOptsSkipCertSync } = require('../certification/cli-cert-sync-skip');
 const { TEST_HELP_AFTER, TEST_E2E_HELP_AFTER } = require('./setup-app.help');
 
 function setupTestCommand(program) {
@@ -72,22 +73,31 @@ async function runTestE2ECommand(appName, options) {
       sync: options.sync === true
     });
     const { displayIntegrationTestResults } = require('../utils/external-system-display');
+    const datasourceResults = results.map(r => ({
+      key: r.key,
+      success: r.success,
+      error: r.error,
+      skipped: false,
+      datasourceTestRun: r.datasourceTestRun
+    }));
     displayIntegrationTestResults(
       {
         systemKey: appName,
         success,
-        datasourceResults: results.map(r => ({
-          key: r.key,
-          success: r.success,
-          error: r.error,
-          skipped: false,
-          datasourceTestRun: r.datasourceTestRun
-        }))
+        datasourceResults
       },
       options.verbose,
       { debug: options.debug, runType: 'e2e' }
     );
-    if (!success) process.exit(1);
+    const { computeSystemExitCodeFromDatasourceRows } = require('../utils/datasource-test-run-exit');
+    const exitCode = computeSystemExitCodeFromDatasourceRows(datasourceResults, {
+      warningsAsErrors: options.warningsAsErrors === true,
+      requireCert: options.requireCert === true
+    });
+    if (exitCode !== 0) process.exit(exitCode);
+    if (cliOptsSkipCertSync(options)) return;
+    const { trySyncCertificationFromDataplaneForExternalApp } = require('../certification/sync-after-external-command');
+    await trySyncCertificationFromDataplaneForExternalApp(appName, 'test-e2e');
     return;
   }
   const { runAppTestE2e } = require('../commands/app-test');
@@ -127,6 +137,12 @@ function setupTestE2eCommand(program) {
       '--sync',
       'Publish local system and datasource files to the dataplane before running E2E (same as aifabrix upload <systemKey>; external integration only)'
     )
+    .option('--warnings-as-errors', 'Treat aggregate warn as failure (exit 1)')
+    .option('--require-cert', 'Require certification passed on every datasource (exit 2 if not)')
+    .option(
+      '--no-cert-sync',
+      'Skip updating the system file certification block from the dataplane after a successful run'
+    )
     .addHelpText('after', TEST_E2E_HELP_AFTER)
     .action(async(appName, options, cmd) => {
       try {

package/lib/cli/setup-external-system.js

@@ -15,6 +15,7 @@
  */
 
 const { handleCommandError } = require('../utils/cli-utils');
+const { cliOptsSkipCertSync } = require('../certification/cli-cert-sync-skip');
 const { TEST_INTEGRATION_HELP_AFTER } = require('./setup-app.help');
 
 function setupDownloadCommand(program) {
@@ -47,6 +48,10 @@ function setupUploadCommand(program) {
     .option('--probe', 'After publish, run dataplane runtime checks (validation/run); slower')
     .option('--minimal', 'Print only a short readiness summary after upload')
     .option('--probe-timeout <ms>', 'Timeout for --probe (default: 120000)', '120000')
+    .option(
+      '--no-cert-sync',
+      'Skip updating the system file certification block from the dataplane active certificate after publish'
+    )
     .action(async(systemKey, options) => {
       try {
         const upload = require('../commands/upload');
@@ -56,6 +61,7 @@ function setupUploadCommand(program) {
             : Number(options.probeTimeout);
         await upload.uploadExternalSystem(systemKey, {
           ...options,
+          noCertSync: cliOptsSkipCertSync(options),
           probeTimeout: Number.isFinite(probeTimeout) ? probeTimeout : 120000
         });
       } catch (error) {
@@ -132,7 +138,16 @@ async function runExternalSystemTestIntegration(appName, options) {
   };
   const results = await test.testExternalSystemIntegration(appName, opts);
   test.displayIntegrationTestResults(results, options.verbose, { debug: options.debug, runType: 'integration' });
-  if (!results.success) process.exit(1);
+  const { computeSystemExitCodeFromDatasourceRows } = require('../utils/datasource-test-run-exit');
+  const rows = Array.isArray(results.datasourceResults) ? results.datasourceResults : [];
+  const exitCode = computeSystemExitCodeFromDatasourceRows(rows, {
+    warningsAsErrors: options.warningsAsErrors === true,
+    requireCert: options.requireCert === true
+  });
+  if (exitCode !== 0) process.exit(exitCode);
+  if (cliOptsSkipCertSync(options)) return;
+  const { trySyncCertificationFromDataplaneForExternalApp } = require('../certification/sync-after-external-command');
+  await trySyncCertificationFromDataplaneForExternalApp(appName, 'test-integration');
 }
 
 /**
@@ -180,6 +195,12 @@ function setupExternalSystemTestCommands(program) {
       '--sync',
       'Publish local system and datasource files to the dataplane before running tests (same as aifabrix upload <systemKey>)'
     )
+    .option('--warnings-as-errors', 'Treat aggregate warn as failure (exit 1)')
+    .option('--require-cert', 'Require certification passed on every datasource (exit 2 if not)')
+    .option(
+      '--no-cert-sync',
+      'Skip updating the system file certification block from the dataplane after a successful run'
+    )
     .addHelpText('after', TEST_INTEGRATION_HELP_AFTER)
     .action(async(appName, options, cmd) => {
       try {

package/lib/cli/setup-secrets.js

@@ -24,6 +24,10 @@ Subcommands:
 
 Also: aifabrix secure   Encrypt secrets.local.yaml (ISO 27001)
 
+Default "secret set" (no --shared): writes only to your user secrets.local.yaml next to
+  config.yaml (typically ~/.aifabrix/secrets.local.yaml). Use --shared to write the
+  shared store from config aifabrix-secrets (another file or https), not that user file.
+
 Examples:
   $ aifabrix secret list
   $ aifabrix secret set myapp/clientSecret "your-value"
@@ -41,6 +45,14 @@ Examples:
 `;
 
 const SECRET_SET_HELP_AFTER = `
+Where the value is stored:
+  No --shared   User file secrets.local.yaml in your aifabrix config directory (same
+                folder as config.yaml; often ~/.aifabrix/). Used for app/integration
+                secrets and kv:// resolution on your machine.
+  --shared      The store set in config.yaml as aifabrix-secrets: a YAML file path or
+                an https secrets API (never the user-only file above unless you point
+                aifabrix-secrets at that path deliberately).
+
 Examples:
   $ aifabrix secret set myapp/clientSecret "your-secret"
   $ aifabrix secret set hubspot/apiKey "$HUBSPOT_KEY"
@@ -144,22 +156,13 @@ function setupSecureCommand(program) {
     });
 }
 
-/**
- * Sets up secrets and security commands
- * @param {Command} program - Commander program instance
- */
-function setupSecretsCommands(program) {
-  const secretCmd = program
-    .command('secret')
-    .description('User and shared secrets (list, set, remove, remove-all, validate)')
-    .addHelpText('after', SECRET_GROUP_HELP_AFTER);
-
+function setupSecretListCommand(secretCmd) {
   secretCmd
     .command('list')
     .description('List secret keys (--shared for shared/remote)')
     .addHelpText('after', SECRET_LIST_HELP_AFTER)
     .option('--shared', 'List shared secrets (from config aifabrix-secrets or remote API)')
-    .action(async(options) => {
+    .action(async options => {
       try {
         await config.ensureSecretsEncryptionKey();
         await handleSecretsList(options);
@@ -168,12 +171,30 @@ function setupSecretsCommands(program) {
         process.exit(1);
       }
     });
+}
+
+/**
+ * Sets up secrets and security commands
+ * @param {Command} program - Commander program instance
+ */
+function setupSecretsCommands(program) {
+  const secretCmd = program
+    .command('secret')
+    .description('User and shared secrets (list, set, remove, remove-all, validate)')
+    .addHelpText('after', SECRET_GROUP_HELP_AFTER);
+
+  setupSecretListCommand(secretCmd);
 
   secretCmd
     .command('set <key> <value>')
-    .description('Set a secret value')
+    .description(
+      'Set a secret (default: user secrets.local.yaml beside config; --shared → aifabrix-secrets store)'
+    )
     .addHelpText('after', SECRET_SET_HELP_AFTER)
-    .option('--shared', 'Save to general secrets file (from config.yaml aifabrix-secrets) instead of user secrets')
+    .option(
+      '--shared',
+      'Write to shared secrets (config aifabrix-secrets: YAML path or https), not user secrets.local.yaml'
+    )
     .action(async(key, value, options) => {
       try {
         await config.ensureSecretsEncryptionKey();

package/lib/cli/setup-utility.js

@@ -25,6 +25,7 @@ Generates *-deploy.json (or application-schema.json) for commit before deploy.
 const VALIDATE_HELP_AFTER = `
 Examples:
   $ aifabrix validate myapp
+  $ aifabrix validate myapp --cert-sync
   $ aifabrix validate --integration
   $ aifabrix validate --builder
 `;
@@ -262,10 +263,18 @@ function setupShowCommand(program) {
     .description('Show app from local tree (default) or controller (--online)')
     .option('--online', 'Fetch application data from the controller')
     .option('--json', 'Output as JSON')
+    .option(
+      '--verify-cert',
+      'For external integrations, verify trust state on the dataplane when logged in (with --online uses current session; offline attempts the same if a controller URL is configured)'
+    )
     .action(async(appKey, options) => {
       try {
         const { showApp } = require('../app/show');
-        await showApp(appKey, { online: options.online, json: options.json });
+        await showApp(appKey, {
+          online: options.online,
+          json: options.json,
+          verifyCert: options.verifyCert === true
+        });
       } catch (error) {
         logger.error(chalk.red(`Error: ${error.message}`));
         process.exit(1);
@@ -307,7 +316,10 @@ async function runValidateCommand(appOrFile, options) {
     process.exit(1);
   }
 
-  const result = await validate.validateAppOrFile(appOrFile, opts);
+  const result = await validate.validateAppOrFile(appOrFile, {
+    ...opts,
+    certSync: opts.certSync === true
+  });
   if (outFormat === 'json') {
     logger.log(JSON.stringify(result, null, 2));
   } else {
@@ -323,6 +335,10 @@ function setupValidateDiffCommands(program) {
     .option('--format <format>', 'Output format: json | default (human-readable)')
     .option('--integration', 'Validate all applications under integration/')
     .option('--builder', 'Validate all applications under builder/')
+    .option(
+      '--cert-sync',
+      'After successful validation of an external integration, refresh the system file certification block from the dataplane (requires login)'
+    )
     .action((appOrFile, options) => {
       runValidateCommand(appOrFile, options).catch((error) => {
         handleCommandError(error, 'validate');

package/lib/commands/app.js

@@ -78,9 +78,18 @@ function setupAppShowCommand(app) {
     .option('--online', 'Fetch from controller (default for this command)')
     .option('--json', 'Output as JSON')
     .option('--permissions', 'Show only list of permissions')
+    .option(
+      '--verify-cert',
+      'For external integrations, verify trust state on the dataplane (requires login)'
+    )
     .action(async(appKey, options) => {
       try {
-        await showApp(appKey, { online: true, json: !!options.json, permissions: !!options.permissions });
+        await showApp(appKey, {
+          online: true,
+          json: !!options.json,
+          permissions: !!options.permissions,
+          verifyCert: options.verifyCert === true
+        });
       } catch (error) {
         logger.error(chalk.red(`Error: ${error.message}`));
         process.exit(1);

package/lib/commands/datasource-unified-test-cli.js

@@ -10,34 +10,31 @@ const logger = require('../utils/logger');
 const { runDatasourceTestIntegration } = require('../datasource/test-integration');
 const { runDatasourceTestE2E } = require('../datasource/test-e2e');
 const { runUnifiedDatasourceValidation } = require('../datasource/unified-validation-run');
-const { displayIntegrationTestResults, displayE2EResults } = require('../utils/external-system-display');
+const { displayIntegrationTestResults } = require('../utils/external-system-display');
 const path = require('path');
 const { getIntegrationPath } = require('../utils/paths');
 const { writeTestLog } = require('../utils/test-log-writer');
 const { includeDebugForRequest } = require('../utils/validation-run-request');
 const {
-  exitFromUnifiedValidationResult,
   finalizeUnifiedValidationResult,
   unifiedCliResultFromIntegrationReturn,
-  exitAfterIntegrationDisplay,
-  finalizeAfterIntegrationDisplay,
-  emitCapabilityScopeDiagnostics
+  finalizeAfterIntegrationDisplay
 } = require('./datasource-validation-cli');
+const { afterUnifiedValidationCertSync } = require('../certification/post-unified-cert-sync');
 const { resolveAppKeyForDatasource } = require('../datasource/resolve-app');
 const { runDatasourceValidationWatchLoop } = require('../utils/datasource-validation-watch');
-const { computeExitCodeFromDatasourceTestRun } = require('../utils/datasource-test-run-exit');
-const { analyzeCapabilityScope } = require('../utils/datasource-test-run-capability-scope');
 const {
-  resolveDebugDisplayMode,
-  formatDatasourceTestRunDebugBlock
-} = require('../utils/datasource-test-run-debug-display');
-const { formatCapabilityFocusSection } = require('../utils/datasource-test-run-display');
+  exitCodeFromDatasourceTestRunEnvelope,
+  finalizeDatasourceTestE2ELegacyPath,
+  displayDatasourceTestE2EEnvelopeResults
+} = require('./datasource-unified-test-e2e-cli-helpers');
 const {
   datasourceTestHelpAfter,
   datasourceTestIntegrationHelpAfter,
   datasourceTestE2eHelpAfter,
   attachDatasourceWatchOptions,
-  attachDatasourceTestCommonOptions
+  attachDatasourceTestCommonOptions,
+  attachDatasourceTestE2eExclusiveOptions
 } = require('./datasource-unified-test-cli.options');
 
 function integrationBaseDirForLogs(appKey) {
@@ -68,88 +65,6 @@ async function writeDatasourceTestDebugLogIfRequested(appKey, datasourceKey, res
   logger.log(chalk.gray(`  Debug log: ${logPath}`));
 }
 
-function logDatasourceTestRunDebugAppendix(envelope, debugOpt) {
-  const mode = resolveDebugDisplayMode(debugOpt);
-  if (!mode || !envelope) return;
-  const block = formatDatasourceTestRunDebugBlock(envelope, mode, process.stdout.isTTY);
-  if (block) logger.log(block);
-}
-
-function logE2eCapabilityFocusFromEnvelope(env, capabilityOpt) {
-  if (!env) return;
-  const capKey =
-    capabilityOpt !== undefined && capabilityOpt !== null
-      ? String(capabilityOpt).trim()
-      : '';
-  if (!capKey) return;
-  const sec = formatCapabilityFocusSection(env, capKey);
-  if (sec) logger.log(sec);
-}
-
-/**
- * Exit code from envelope only (no stderr diagnostics; use when TTY output already ran emit via logEnvelope).
- * @param {Object|null|undefined} env
- * @param {Object} options
- * @returns {number|null} null if no envelope
- */
-function exitCodeFromDatasourceTestRunEnvelope(env, options) {
-  if (!env || typeof env !== 'object') return null;
-  let code = computeExitCodeFromDatasourceTestRun(env, {
-    warningsAsErrors: false,
-    requireCert: false
-  });
-  const scope = analyzeCapabilityScope(env, options.capability);
-  if (options.strictCapabilityScope === true && scope.violated) {
-    code = Math.max(code, 1);
-  }
-  return code;
-}
-
-/**
- * Legacy E2E display + exit code (no process.exit; watch mode).
- * @param {Object} data
- * @param {Object} options
- * @returns {number}
- */
-function finalizeDatasourceTestE2ELegacyPath(data, options) {
-  displayE2EResults(data, options.verbose);
-  logDatasourceTestRunDebugAppendix(data.datasourceTestRun, options.debug);
-  logE2eCapabilityFocusFromEnvelope(data.datasourceTestRun, options.capability);
-  const env = data.datasourceTestRun;
-  if (env) {
-    emitCapabilityScopeDiagnostics(env, { requestedCapabilityKey: options.capability });
-    const code = exitCodeFromDatasourceTestRunEnvelope(env, options);
-    return code === null ? 1 : code;
-  }
-  const steps = data.steps || data.completedActions || [];
-  const failed = data.success === false || steps.some(s => s.success === false || s.error);
-  return failed ? 1 : 0;
-}
-
-/**
- * Human TTY for single-datasource E2E when DatasourceTestRun envelope is present.
- * @param {string} datasourceKey
- * @param {Object} env
- * @param {Object} options
- */
-function displayDatasourceTestE2EEnvelopeResults(datasourceKey, env, options) {
-  const success = env.status !== 'fail';
-  displayIntegrationTestResults(
-    {
-      systemKey: env.systemKey || 'unknown',
-      success,
-      datasourceResults: [{ key: datasourceKey, success, datasourceTestRun: env }]
-    },
-    options.verbose,
-    {
-      debug: options.debug,
-      runType: 'e2e',
-      requestedCapabilityKey: options.capability
-    }
-  );
-  logE2eCapabilityFocusFromEnvelope(env, options.capability);
-}
-
 function buildDatasourceTestRunOpts(options) {
   return {
     app: options.app,
@@ -175,11 +90,13 @@ function buildDatasourceTestDisplayOpts(options) {
   };
 }
 
-async function runDatasourceUnifiedTestOnceForWatch(datasourceKey, runOpts, displayOpts) {
+async function runDatasourceUnifiedTestOnceForWatch(datasourceKey, runOpts, displayOpts, certCliOptions = {}) {
   try {
     const result = await runUnifiedDatasourceValidation(datasourceKey, runOpts);
+    const exitCode = finalizeUnifiedValidationResult(result, displayOpts);
+    await afterUnifiedValidationCertSync(exitCode, datasourceKey, certCliOptions, 'datasource test');
     return {
-      exitCode: finalizeUnifiedValidationResult(result, displayOpts),
+      exitCode,
       envelope: result.envelope
     };
   } catch (err) {
@@ -203,8 +120,10 @@ async function datasourceTestCommandAction(datasourceKey, options) {
         runOnce: async() => {
           const result = await runUnifiedDatasourceValidation(datasourceKey, runOpts);
           await writeDatasourceTestDebugLogIfRequested(appKey, datasourceKey, result, options);
+          const exitCode = finalizeUnifiedValidationResult(result, displayOpts);
+          await afterUnifiedValidationCertSync(exitCode, datasourceKey, options, 'datasource test (watch)');
           return {
-            exitCode: finalizeUnifiedValidationResult(result, displayOpts),
+            exitCode,
             envelope: result.envelope
           };
         }
@@ -220,7 +139,9 @@ async function datasourceTestCommandAction(datasourceKey, options) {
         logger.warn(chalk.yellow(`⚠ Could not write debug log: ${e.message}`));
       }
     }
-    exitFromUnifiedValidationResult(result, displayOpts);
+    const exitCode = finalizeUnifiedValidationResult(result, displayOpts);
+    await afterUnifiedValidationCertSync(exitCode, datasourceKey, options, 'datasource test');
+    process.exit(exitCode);
   } catch (error) {
     logger.error(formatBlockingError('Datasource test failed:'), error.message);
     process.exit(4);
@@ -274,6 +195,7 @@ async function runIntegrationOnceForWatch(datasourceKey, integOpts, options, uni
     if (unifiedModes) {
       const uni = unifiedCliResultFromIntegrationReturn(result);
       const exitCode = finalizeUnifiedValidationResult(uni, unifiedDisplayOpts);
+      await afterUnifiedValidationCertSync(exitCode, datasourceKey, options, 'datasource test-integration (watch)');
       return { exitCode, envelope: uni.envelope };
     }
     displayIntegrationTestResults(
@@ -285,7 +207,11 @@ async function runIntegrationOnceForWatch(datasourceKey, integOpts, options, uni
       options.verbose,
       { debug: options.debug, runType: 'integration' }
     );
-    const exitCode = finalizeAfterIntegrationDisplay(result, {});
+    const exitCode = finalizeAfterIntegrationDisplay(result, {
+      warningsAsErrors: unifiedDisplayOpts.warningsAsErrors === true,
+      requireCert: unifiedDisplayOpts.requireCert === true
+    });
+    await afterUnifiedValidationCertSync(exitCode, datasourceKey, options, 'datasource test-integration (watch)');
     return { exitCode, envelope: result.datasourceTestRun || null };
   } catch (err) {
     logger.error(formatBlockingError('Integration test failed:'), err.message);
@@ -313,7 +239,12 @@ async function integrationTestCommandAction(datasourceKey, options) {
     const unifiedModes =
       options.json || options.summary || options.warningsAsErrors || options.requireCert;
     if (unifiedModes) {
-      exitFromUnifiedValidationResult(unifiedCliResultFromIntegrationReturn(result), unifiedDisplayOpts);
+      const exitCode = finalizeUnifiedValidationResult(
+        unifiedCliResultFromIntegrationReturn(result),
+        unifiedDisplayOpts
+      );
+      await afterUnifiedValidationCertSync(exitCode, datasourceKey, options, 'datasource test-integration');
+      process.exit(exitCode);
       return;
     }
     displayIntegrationTestResults(
@@ -325,7 +256,12 @@ async function integrationTestCommandAction(datasourceKey, options) {
       options.verbose,
       { debug: options.debug, runType: 'integration' }
     );
-    exitAfterIntegrationDisplay(result, {});
+    const integExit = finalizeAfterIntegrationDisplay(result, {
+      warningsAsErrors: unifiedDisplayOpts.warningsAsErrors === true,
+      requireCert: unifiedDisplayOpts.requireCert === true
+    });
+    await afterUnifiedValidationCertSync(integExit, datasourceKey, options, 'datasource test-integration');
+    process.exit(integExit);
   } catch (error) {
     logger.error(formatBlockingError('Integration test failed:'), error.message);
     process.exit(4);
@@ -364,6 +300,9 @@ async function runDatasourceTestE2ECliOnce(datasourceKey, options) {
     recordId: options.recordId,
     cleanup: options.cleanup,
     primaryKeyValue: options.primaryKeyValue,
+    minVectorHits: options.minVectorHits,
+    minProcessed: options.minProcessed,
+    minRecordCount: options.minRecordCount,
     timeout: options.timeout,
     capabilityKey: options.capability,
     sync: options.sync === true
@@ -402,6 +341,7 @@ async function runDatasourceTestE2ECliOnce(datasourceKey, options) {
 
 async function runDatasourceTestE2ECliAction(datasourceKey, options) {
   const { exitCode } = await runDatasourceTestE2ECliOnce(datasourceKey, options);
+  await afterUnifiedValidationCertSync(exitCode, datasourceKey, options, 'datasource test-e2e');
   process.exit(exitCode);
 }
 
@@ -430,7 +370,9 @@ async function e2eTestCommandAction(datasourceKey, capabilityKey, options) {
         watchFullDiff: mergedOptions.watchFullDiff === true,
         runOnce: async() => {
           try {
-            return await runDatasourceTestE2ECliOnce(datasourceKey, mergedOptions);
+            const r = await runDatasourceTestE2ECliOnce(datasourceKey, mergedOptions);
+            await afterUnifiedValidationCertSync(r.exitCode, datasourceKey, mergedOptions, 'datasource test-e2e (watch)');
+            return r;
           } catch (err) {
             logger.error(formatBlockingError('E2E test failed:'), err.message);
             return { exitCode: 3, envelope: null };
@@ -456,23 +398,14 @@ function chainDatasourceTestE2ECommand(datasource) {
     appHelp: 'Integration folder name (default: resolve from cwd if inside integration/<systemKey>/)',
     verboseHelp: 'Audit / explain-oriented request flags where applicable',
     debugHelp: 'includeDebug + log under integration/<systemKey>/logs/; TTY appendix: summary, full, or raw',
-    timeoutHelp: 'Aggregate timeout for POST + polls (default 15m)',
+    timeoutHelp:
+      'Wall-clock budget for validation (ms); also raises per-request HTTP wait for slow E2E POST/polls (default 15m)',
     timeoutDefault: String(15 * 60 * 1000)
   });
-  return cmd
-    .option('--test-crud', 'Enable CRUD lifecycle test (e2eOptions.testCrud)')
-    .option('--record-id <id>', 'Record ID for test (e2eOptions.recordId)')
-    .option('--no-cleanup', 'Disable cleanup after test (e2eOptions.cleanup: false)')
-    .option(
-      '--primary-key-value <value|@path>',
-      'Primary key value or path to JSON file (e.g. @pk.json) for e2eOptions.primaryKeyValue'
-    )
-    .option('--capability <key>', 'Capability drill-down (deprecated; use positional [capabilityKey])')
-    .option(
-      '--strict-capability-scope',
-      'Exit 1 if a capability drill-down is requested but the report lists more than one capabilities[] row (plan §2.3)'
-    )
-    .addHelpText('after', datasourceTestE2eHelpAfter());
+  return attachDatasourceTestE2eExclusiveOptions(cmd).addHelpText(
+    'after',
+    datasourceTestE2eHelpAfter()
+  );
 }
 
 function setupDatasourceTestE2ECommand(datasource) {

package/lib/commands/datasource-unified-test-cli.options.js

@@ -42,6 +42,7 @@ function datasourceTestE2eHelpAfter() {
 Examples:
   $ aifabrix datasource test-e2e hubspot-users
   $ aifabrix datasource test-e2e hubspot-users --app test-e2e-hubspot -v --debug
+  $ aifabrix datasource test-e2e my-documents-ds --min-vector-hits 7 -v --debug
   $ aifabrix datasource test-e2e hubspot-users -a test-e2e-hubspot --no-async
   $ aifabrix datasource test-e2e hubspot-users read
 
@@ -129,7 +130,11 @@ function attachDatasourceTestCommonOptions(cmd, opts) {
     .option('--json', 'Print raw DatasourceTestRun JSON to stdout')
     .option('--summary', 'Print compact summary line')
     .option('--warnings-as-errors', 'Exit 1 when root status is warn')
-    .option('--require-cert', 'Exit 2 when certificate missing or not_passed');
+    .option('--require-cert', 'Exit 2 when certificate missing or not_passed')
+    .option(
+      '--no-cert-sync',
+      'Skip updating system file certification from the dataplane after a successful run'
+    );
 
   if (includeNoAsync) {
     cmd.option('--no-async', 'Do not poll; fail if report is not complete in first response');
@@ -139,11 +144,48 @@ function attachDatasourceTestCommonOptions(cmd, opts) {
   return cmd;
 }
 
+/**
+ * E2E-only Commander flags (kept out of datasource-unified-test-cli.js for file size limits).
+ * @param {object} cmd
+ * @returns {object}
+ */
+function attachDatasourceTestE2eExclusiveOptions(cmd) {
+  return cmd
+    .option(
+      '--min-vector-hits <n>',
+      'Assert at least N vector search hits after sync (e2eOptions.minVectorHits)',
+      (v) => parseInt(String(v), 10)
+    )
+    .option(
+      '--min-processed <n>',
+      'Minimum records processed in sync step (e2eOptions.minProcessed)',
+      (v) => parseInt(String(v), 10)
+    )
+    .option(
+      '--min-record-count <n>',
+      'Minimum record count assertion (e2eOptions.minRecordCount)',
+      (v) => parseInt(String(v), 10)
+    )
+    .option('--test-crud', 'Enable CRUD lifecycle test (e2eOptions.testCrud)')
+    .option('--record-id <id>', 'Record ID for test (e2eOptions.recordId)')
+    .option('--no-cleanup', 'Disable cleanup after test (e2eOptions.cleanup: false)')
+    .option(
+      '--primary-key-value <value|@path>',
+      'Primary key value or path to JSON file (e.g. @pk.json) for e2eOptions.primaryKeyValue'
+    )
+    .option('--capability <key>', 'Capability drill-down (deprecated; use positional [capabilityKey])')
+    .option(
+      '--strict-capability-scope',
+      'Exit 1 if a capability drill-down is requested but the report lists more than one capabilities[] row (plan §2.3)'
+    );
+}
+
 module.exports = {
   datasourceTestHelpAfter,
   datasourceTestIntegrationHelpAfter,
   datasourceTestE2eHelpAfter,
   attachDatasourceWatchOptions,
-  attachDatasourceTestCommonOptions
+  attachDatasourceTestCommonOptions,
+  attachDatasourceTestE2eExclusiveOptions
 };