@aifabrix/builder 2.44.0 → 2.44.1

package/lib/commands/datasource-unified-test-e2e-cli-helpers.js

@@ -0,0 +1,106 @@
+/**
+ * @fileoverview E2E / envelope exit helpers for datasource unified test CLI (keeps main CLI file under max-lines).
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const logger = require('../utils/logger');
+const { displayIntegrationTestResults, displayE2EResults } = require('../utils/external-system-display');
+const { computeExitCodeFromDatasourceTestRun } = require('../utils/datasource-test-run-exit');
+const { analyzeCapabilityScope } = require('../utils/datasource-test-run-capability-scope');
+const {
+  resolveDebugDisplayMode,
+  formatDatasourceTestRunDebugBlock
+} = require('../utils/datasource-test-run-debug-display');
+const { formatCapabilityFocusSection } = require('../utils/datasource-test-run-display');
+const { emitCapabilityScopeDiagnostics } = require('./datasource-validation-cli');
+
+function logDatasourceTestRunDebugAppendix(envelope, debugOpt) {
+  const mode = resolveDebugDisplayMode(debugOpt);
+  if (!mode || !envelope) return;
+  const block = formatDatasourceTestRunDebugBlock(envelope, mode, process.stdout.isTTY);
+  if (block) logger.log(block);
+}
+
+function logE2eCapabilityFocusFromEnvelope(env, capabilityOpt) {
+  if (!env) return;
+  const capKey =
+    capabilityOpt !== undefined && capabilityOpt !== null
+      ? String(capabilityOpt).trim()
+      : '';
+  if (!capKey) return;
+  const sec = formatCapabilityFocusSection(env, capKey);
+  if (sec) logger.log(sec);
+}
+
+/**
+ * @param {Object|null|undefined} env
+ * @param {Object} options
+ * @returns {number|null} null if no envelope
+ */
+function exitCodeFromDatasourceTestRunEnvelope(env, options) {
+  if (!env || typeof env !== 'object') return null;
+  let code = computeExitCodeFromDatasourceTestRun(env, {
+    warningsAsErrors: options.warningsAsErrors === true,
+    requireCert: options.requireCert === true
+  });
+  const scope = analyzeCapabilityScope(env, options.capability);
+  if (options.strictCapabilityScope === true && scope.violated) {
+    code = Math.max(code, 1);
+  }
+  return code;
+}
+
+/**
+ * Legacy E2E display + exit code (no process.exit; watch mode).
+ * @param {Object} data
+ * @param {Object} options
+ * @returns {number}
+ */
+function finalizeDatasourceTestE2ELegacyPath(data, options) {
+  displayE2EResults(data, options.verbose);
+  logDatasourceTestRunDebugAppendix(data.datasourceTestRun, options.debug);
+  logE2eCapabilityFocusFromEnvelope(data.datasourceTestRun, options.capability);
+  const env = data.datasourceTestRun;
+  if (env) {
+    emitCapabilityScopeDiagnostics(env, { requestedCapabilityKey: options.capability });
+    const code = exitCodeFromDatasourceTestRunEnvelope(env, options);
+    return code === null ? 1 : code;
+  }
+  const steps = data.steps || data.completedActions || [];
+  const failed = data.success === false || steps.some(s => s.success === false || s.error);
+  return failed ? 1 : 0;
+}
+
+/**
+ * @param {string} datasourceKey
+ * @param {Object} env
+ * @param {Object} options
+ */
+function displayDatasourceTestE2EEnvelopeResults(datasourceKey, env, options) {
+  const success = env.status !== 'fail';
+  displayIntegrationTestResults(
+    {
+      systemKey: env.systemKey || 'unknown',
+      success,
+      datasourceResults: [{ key: datasourceKey, success, datasourceTestRun: env }]
+    },
+    options.verbose,
+    {
+      debug: options.debug,
+      runType: 'e2e',
+      requestedCapabilityKey: options.capability
+    }
+  );
+  logE2eCapabilityFocusFromEnvelope(env, options.capability);
+}
+
+module.exports = {
+  logDatasourceTestRunDebugAppendix,
+  logE2eCapabilityFocusFromEnvelope,
+  exitCodeFromDatasourceTestRunEnvelope,
+  finalizeDatasourceTestE2ELegacyPath,
+  displayDatasourceTestE2EEnvelopeResults
+};

package/lib/commands/datasource-validation-cli.js

@@ -103,10 +103,24 @@ function finalizeAfterIntegrationDisplay(integrationResult, exitOpts = {}) {
   if (!env) {
     return integrationResult.success ? 0 : 1;
   }
-  return computeExitCodeFromDatasourceTestRun(env, {
+  let exitCode = computeExitCodeFromDatasourceTestRun(env, {
     warningsAsErrors: exitOpts.warningsAsErrors === true,
     requireCert: exitOpts.requireCert === true
   });
+  if (exitOpts.strictCapabilityScope === true) {
+    const scope = analyzeCapabilityScope(env, exitOpts.requestedCapabilityKey);
+    if (scope.violated) {
+      exitCode = Math.max(exitCode, 1);
+    }
+  }
+  if (
+    exitCode === 2 &&
+    exitOpts.requireCert &&
+    !env.certificate
+  ) {
+    logger.error(formatBlockingError('Certification not returned; cannot verify.'));
+  }
+  return exitCode;
 }
 
 /**

package/lib/commands/datasource.js

@@ -2,7 +2,7 @@
  * AI Fabrix Builder - Datasource Commands
  *
  * Handles datasource validation, listing, comparison, deployment, and online validation runs.
- * Subcommands `test`, `test-integration`, and `test-e2e` call the dataplane unified validation API; permissions are summarized in `docs/commands/permissions.md`.
+ * Subcommands `test`, `test-integration`, and `test-e2e` call the dataplane unified validation API; `log-test` / `log-integration` / `log-e2e` read saved debug JSON locally. Permissions are summarized in `docs/commands/permissions.md`.
  *
  * @fileoverview Datasource management commands for AI Fabrix Builder
  * @author AI Fabrix Team
@@ -32,7 +32,7 @@ Subcommands:
   diff                         Compare two datasource JSON files
   test <key>                   Structural/policy validation via unified dataplane API (DatasourceTestRun)
   test-integration / test-e2e  Integration or E2E run via the same unified validation API
-  log-integration / log-e2e    Show saved test logs
+  log-test / log-integration / log-e2e  Show saved debug logs (structural, integration, E2E)
 `;
 
 const DATASOURCE_VALIDATE_HELP_AFTER = `
@@ -187,6 +187,28 @@ function setupDatasourceLogIntegrationCommand(datasource) {
     });
 }
 
+function setupDatasourceLogTestCommand(datasource) {
+  datasource.command('log-test <datasourceKey>')
+    .description('Show structural validation log from datasource test (latest test-*.json or --file)')
+    .option(
+      '-a, --app <app>',
+      'Integration folder name (optional: resolve from cwd or datasource key if single match)'
+    )
+    .option('-f, --file <path>', 'Path to log file (default: latest structural log in app logs folder)')
+    .action(async(datasourceKey, options) => {
+      try {
+        await runLogViewer(datasourceKey, {
+          app: options.app,
+          file: options.file,
+          logType: 'test'
+        });
+      } catch (error) {
+        logger.error(formatBlockingError('log-test failed:'), error.message);
+        process.exit(1);
+      }
+    });
+}
+
 /**
  * Setup datasource management commands
  * @param {Command} program - Commander program instance
@@ -208,6 +230,7 @@ function setupDatasourceCommands(program) {
   setupDatasourceTestE2ECommand(datasource);
   setupDatasourceLogE2ECommand(datasource);
   setupDatasourceLogIntegrationCommand(datasource);
+  setupDatasourceLogTestCommand(datasource);
 }
 
 module.exports = { setupDatasourceCommands };

package/lib/commands/upload.js

@@ -35,6 +35,8 @@ const {
   logServerValidationWarnings,
   logProbeRuntimeBlock
 } = require('../utils/external-system-readiness-display');
+const { maybeSyncSystemCertificationFromDataplane } = require('../certification/sync-system-certification');
+const { cliOptsSkipCertSync } = require('../certification/cli-cert-sync-skip');
 
 /**
  * Validates system-key format (same as download).
@@ -192,13 +194,12 @@ async function maybeRunVerboseServerValidation(dataplaneUrl, authConfig, payload
 }
 
 /**
- * Empty payload template for POST /validation/run: selects dataplane **payload test** path
- * (per-datasource template / connectivity), not the full validation-engine run.
- * Avoids false RBAC failures right after upload: engine security checks autoRbac vs
- * `system.permissions[]` before the controller has synced permissions (deploy --probe
- * still uses the engine path without payloadTemplate).
+ * Omit payloadTemplate so POST /validation/run uses the **validation-engine** path
+ * (same as deploy --probe). Needed for certification and dataplane auto-issue of integration
+ * certificates after a successful run. If RBAC/live checks fail right after upload until the
+ * controller syncs permissions, skip --probe or retry once permissions are visible.
  */
-const UPLOAD_PROBE_TEST_DATA = { payloadTemplate: {} };
+const UPLOAD_PROBE_TEST_DATA = {};
 
 /**
  * Optional POST validation/run after successful upload.
@@ -281,6 +282,16 @@ async function runUploadPublishAndSummary(systemKey, options, manifest, payload)
   if (options.probe) {
     await maybeRunUploadProbe(dataplaneUrl, systemKey, authConfig, options.probeTimeout);
   }
+
+  const dsKeys = (payload.dataSources || []).map((ds) => ds && ds.key).filter(Boolean);
+  await maybeSyncSystemCertificationFromDataplane({
+    label: 'upload',
+    noCertSync: cliOptsSkipCertSync(options),
+    systemKey,
+    dataplaneUrl,
+    authConfig,
+    datasourceKeys: dsKeys
+  });
 }
 
 /**

package/lib/datasource/log-viewer.js

@@ -1,13 +1,14 @@
 /**
- * Log viewer for E2E and integration test logs - format and display JSON logs.
- * @fileoverview Read and format test-e2e / test-integration debug logs for terminal
+ * Log viewer for E2E, integration, and structural (`datasource test`) debug logs.
+ * @fileoverview Read and format saved JSON logs under integration/<app>/logs/
  * @author AI Fabrix Team
  * @version 2.0.0
  */
 /* eslint-disable max-statements, complexity, max-depth -- Formatter functions; display branches by design */
 
 const path = require('path');
-const fs = require('fs').promises;
+// Use node:fs so suites that jest.mock('fs') do not break real-disk log resolution (structural tests, CI).
+const fsp = require('node:fs').promises;
 const chalk = require('chalk');
 const logger = require('../utils/logger');
 const { resolveAppKeyForDatasource } = require('./resolve-app');
@@ -23,7 +24,7 @@ const { sectionTitle, headerKeyValue, formatBlockingError, successGlyph, failure
 async function getLatestLogPath(logsDir, pattern) {
   let entries;
   try {
-    entries = await fs.readdir(logsDir, { withFileTypes: true });
+    entries = await fsp.readdir(logsDir, { withFileTypes: true });
   } catch (err) {
     if (err.code === 'ENOENT') return null;
     throw err;
@@ -34,12 +35,46 @@ async function getLatestLogPath(logsDir, pattern) {
     .map(e => path.join(logsDir, e.name));
   if (files.length === 0) return null;
   const withStats = await Promise.all(
-    files.map(async f => ({ path: f, mtime: (await fs.stat(f)).mtimeMs }))
+    files.map(async f => ({ path: f, mtime: (await fsp.stat(f)).mtimeMs }))
   );
   withStats.sort((a, b) => b.mtime - a.mtime);
   return withStats[0].path;
 }
 
+/**
+ * Structural validation logs use prefix `test-` but must not pick up `test-e2e-` or `test-integration-`.
+ * @param {string} name - File name only
+ * @returns {boolean}
+ */
+function isStructuralTestLogFileName(name) {
+  if (!name || typeof name !== 'string' || !name.endsWith('.json')) return false;
+  if (name.startsWith('test-e2e-') || name.startsWith('test-integration-')) return false;
+  return name.startsWith('test-');
+}
+
+/**
+ * Latest structural `datasource test --debug` log in logsDir.
+ * @param {string} logsDir
+ * @returns {Promise<string|null>}
+ */
+async function getLatestStructuralTestLogPath(logsDir) {
+  let entries;
+  try {
+    entries = await fsp.readdir(logsDir, { withFileTypes: true });
+  } catch (err) {
+    if (err.code === 'ENOENT') return null;
+    throw err;
+  }
+  const names = entries
+    .filter(e => e.isFile() && isStructuralTestLogFileName(e.name))
+    .map(e => e.name);
+  if (names.length === 0) return null;
+  // Structural logs embed a sortable timestamp in the filename (`test-YYYY-...Z.json`).
+  // Prefer lexicographic ordering to avoid filesystem timestamp resolution issues in CI.
+  names.sort((a, b) => b.localeCompare(a));
+  return path.join(logsDir, names[0]);
+}
+
 /**
  * Truncate string for display
  * @param {string} s - String
@@ -185,13 +220,57 @@ function formatIntegrationLog(data, fileName) {
   }
 }
 
+function structuralEnvelopeStatusLine(status) {
+  if (status === 'ok' || status === 'skipped') return `${successGlyph()} ${chalk.gray('status:')} ${status}`;
+  if (status === 'warn') return `${chalk.yellow('⚠')} ${chalk.gray('status:')} ${status}`;
+  if (status === 'fail') return `${failureGlyph()} ${chalk.gray('status:')} ${status}`;
+  return `${chalk.gray('?')} ${chalk.gray('status:')} ${status ?? '—'}`;
+}
+
+/**
+ * Format structural validation log (`datasource test --debug` → `test-*.json`).
+ * @param {Object} data - Parsed JSON { request, response?, error? }
+ * @param {string} [fileName] - Log file name for header
+ */
+function formatStructuralTestLog(data, fileName) {
+  logger.log('');
+  logger.log(sectionTitle('Structural validation log'));
+  if (fileName) logger.log(chalk.gray(fileName));
+  const req = data.request || {};
+  logger.log('');
+  logger.log(sectionTitle('Request:'));
+  logger.log(headerKeyValue('datasourceKey:', String(req.datasourceKey ?? '—')));
+  if (req.runType) logger.log(headerKeyValue('runType:', String(req.runType)));
+  if (req.includeDebug !== undefined) {
+    logger.log(chalk.gray(`  includeDebug: ${req.includeDebug}`));
+  }
+  if (data.error) {
+    logger.log('');
+    logger.log(formatBlockingError(`Error: ${data.error}`));
+    return;
+  }
+  const res = data.response || {};
+  logger.log('');
+  logger.log(sectionTitle('Response (envelope):'));
+  logger.log(`  ${structuralEnvelopeStatusLine(res.status)}`);
+  if (res.reportCompleteness) {
+    logger.log(chalk.gray(`  reportCompleteness: ${res.reportCompleteness}`));
+  }
+  if (res.runId) logger.log(chalk.gray(`  runId: ${res.runId}`));
+  if (res.systemKey) logger.log(chalk.gray(`  systemKey: ${res.systemKey}`));
+}
+
 /**
  * Format log content by type
  * @param {Object} parsed - Parsed JSON log
- * @param {'test-e2e'|'test-integration'} logType - Log type
+ * @param {'test'|'test-e2e'|'test-integration'} logType - Log type
  * @param {string} [fileName] - File name for header
  */
 function formatLogContent(parsed, logType, fileName) {
+  if (logType === 'test') {
+    formatStructuralTestLog(parsed, fileName);
+    return;
+  }
   if (logType === 'test-e2e') {
     formatE2ELog(parsed, fileName);
   } else {
@@ -206,7 +285,7 @@ function formatLogContent(parsed, logType, fileName) {
  * @param {Object} options - Options
  * @param {string} [options.app] - App key (optional, resolved from key if omitted)
  * @param {string} [options.file] - Path to log file (overrides app resolution)
- * @param {'test-e2e'|'test-integration'} options.logType - Log type
+ * @param {'test'|'test-e2e'|'test-integration'} options.logType - Log type
  * @throws {Error} When file not found or invalid JSON
  */
 /* eslint-disable-next-line max-statements -- Resolve path, read, parse, format */
@@ -224,16 +303,25 @@ async function runLogViewer(datasourceKey, options) {
     const { appKey } = await resolveAppKeyForDatasource(datasourceKey.trim(), app);
     const appPath = getIntegrationPath(appKey);
     const logsDir = path.join(appPath, 'logs');
-    const pattern = logType === 'test-e2e' ? 'test-e2e-' : 'test-integration-';
-    logPath = await getLatestLogPath(logsDir, pattern);
-    if (!logPath) {
-      throw new Error(
-        `No ${logType} log found in ${logsDir}. Run the test with --debug first.`
-      );
+    if (logType === 'test') {
+      logPath = await getLatestStructuralTestLogPath(logsDir);
+      if (!logPath) {
+        throw new Error(
+          `No structural validation log found in ${logsDir}. Run: aifabrix datasource test <key> --debug`
+        );
+      }
+    } else {
+      const pattern = logType === 'test-e2e' ? 'test-e2e-' : 'test-integration-';
+      logPath = await getLatestLogPath(logsDir, pattern);
+      if (!logPath) {
+        throw new Error(
+          `No ${logType} log found in ${logsDir}. Run the test with --debug first.`
+        );
+      }
     }
     fileName = path.basename(logPath);
   }
-  const content = await fs.readFile(logPath, 'utf8');
+  const content = await fsp.readFile(logPath, 'utf8');
   let parsed;
   try {
     parsed = JSON.parse(content);
@@ -245,8 +333,11 @@ async function runLogViewer(datasourceKey, options) {
 
 module.exports = {
   getLatestLogPath,
+  getLatestStructuralTestLogPath,
+  isStructuralTestLogFileName,
   formatLogContent,
   formatE2ELog,
   formatIntegrationLog,
+  formatStructuralTestLog,
   runLogViewer
 };

package/lib/datasource/test-e2e.js

@@ -19,6 +19,33 @@ const { writeTestLog } = require('../utils/test-log-writer');
 
 const DEFAULT_POLL_TIMEOUT_MS = 15 * 60 * 1000;
 
+/**
+ * @param {Object} options
+ * @param {string|number} timeoutMs
+ * @param {string|Object|null} pk
+ */
+function buildUnifiedE2eRunOptions(options, timeoutMs, pk) {
+  return {
+    app: options.app,
+    environment: options.environment,
+    runType: 'e2e',
+    debug: options.debug,
+    verbose: options.verbose,
+    async: options.async !== false,
+    noAsync: options.async === false,
+    testCrud: options.testCrud,
+    recordId: options.recordId,
+    cleanup: options.cleanup,
+    primaryKeyValue: pk,
+    minVectorHits: options.minVectorHits,
+    minProcessed: options.minProcessed,
+    minRecordCount: options.minRecordCount,
+    capabilityKey: options.capabilityKey,
+    timeout: timeoutMs,
+    sync: options.sync === true
+  };
+}
+
 function logE2eDatasourceBanner(datasourceKey, verbose) {
   if (!verbose) return;
   logger.log('');
@@ -115,25 +142,16 @@ async function runDatasourceTestE2E(datasourceKey, options = {}) {
     testCrud: options.testCrud,
     recordId: options.recordId,
     cleanup: options.cleanup,
-    primaryKeyValue: pk !== undefined && pk !== null
+    primaryKeyValue: pk !== undefined && pk !== null,
+    minVectorHits: options.minVectorHits,
+    minProcessed: options.minProcessed,
+    minRecordCount: options.minRecordCount
   };
 
-  const unifiedResult = await runUnifiedDatasourceValidation(datasourceKey, {
-    app: options.app,
-    environment: options.environment,
-    runType: 'e2e',
-    debug: options.debug,
-    verbose: options.verbose,
-    async: options.async !== false,
-    noAsync: options.async === false,
-    testCrud: options.testCrud,
-    recordId: options.recordId,
-    cleanup: options.cleanup,
-    primaryKeyValue: pk,
-    capabilityKey: options.capabilityKey,
-    timeout: timeoutMs,
-    sync: options.sync === true
-  });
+  const unifiedResult = await runUnifiedDatasourceValidation(
+    datasourceKey,
+    buildUnifiedE2eRunOptions(options, timeoutMs, pk)
+  );
 
   await throwIfUnifiedE2EBlocked(unifiedResult, appKey, options, requestMeta);
 

package/lib/datasource/unified-validation-run-body.js

@@ -46,6 +46,9 @@ async function buildUnifiedValidationBody(params) {
         recordId: options.recordId,
         cleanup: options.cleanup,
         primaryKeyValue: options.primaryKeyValue,
+        minVectorHits: options.minVectorHits,
+        minProcessed: options.minProcessed,
+        minRecordCount: options.minRecordCount,
         e2eOptionsExtra: e2eExtra
       })
       : undefined;

package/lib/datasource/unified-validation-run.js

@@ -82,7 +82,8 @@ async function runUnifiedDatasourceValidation(datasourceKey, options) {
     body,
     timeoutMs,
     useAsync,
-    noAsync: options.noAsync === true || options.async === false
+    noAsync: options.noAsync === true || options.async === false,
+    verbosePoll: options.verbose === true
   });
 }
 

package/lib/external-system/deploy.js

@@ -27,6 +27,8 @@ const { parseControllerDeploymentOutcome } = require('../utils/controller-deploy
 const { generateControllerManifest } = require('../generator/external-controller-manifest');
 const { validateExternalSystemComplete } = require('../validation/validate');
 const { displayValidationResults } = require('../validation/validate-display');
+const { maybeSyncSystemCertificationFromDataplane } = require('../certification/sync-system-certification');
+const { cliOptsSkipCertSync } = require('../certification/cli-cert-sync-skip');
 
 /**
  * Lists datasources for a system and loads system record for docs URLs.
@@ -97,6 +99,54 @@ async function fetchDataplaneDeployReadiness(controllerUrl, environment, authCon
 /**
  * @param {Object} deploymentOutcome - from parseControllerDeploymentOutcome
  */
+/**
+ * Optional dataplane validation/run after external deploy (--probe).
+ * @async
+ * @param {{ dataplaneUrl: string|null, error: Error|null }} ctx
+ * @param {string} systemKey
+ * @param {Object} authConfig
+ * @param {Object} options
+ * @returns {Promise<Object|null>} Unwrapped probe payload or null
+ */
+async function runOptionalExternalDeployProbe(ctx, systemKey, authConfig, options) {
+  if (!options.probe || !ctx.dataplaneUrl || ctx.error) return null;
+  logger.log(chalk.blue('\nRunning runtime checks (--probe)...'));
+  try {
+    const pr = await testSystemViaPipeline(ctx.dataplaneUrl, systemKey, authConfig, {}, {
+      timeout: options.probeTimeout || 120000
+    });
+    if (pr.success === false) {
+      logger.log(chalk.yellow(`⚠ Probe request failed: ${pr.formattedError || pr.error || 'unknown error'}`));
+      return null;
+    }
+    return unwrapApiData(pr);
+  } catch (e) {
+    logger.log(chalk.yellow(`⚠ Probe failed: ${e.message}`));
+    return null;
+  }
+}
+
+/**
+ * @param {Object} deploymentOutcome
+ * @param {{ dataplaneUrl: string|null, error: Error|null }} ctx
+ * @param {Object} manifest
+ * @param {Object} options
+ * @param {Object} authConfig
+ * @returns {Promise<void>}
+ */
+async function maybeSyncCertificationAfterExternalDeploy(deploymentOutcome, ctx, manifest, options, authConfig) {
+  if (!deploymentOutcome.ok || !ctx.dataplaneUrl || ctx.error) return;
+  const dsKeys = (manifest.dataSources || []).map((ds) => ds && ds.key).filter(Boolean);
+  await maybeSyncSystemCertificationFromDataplane({
+    label: 'deploy',
+    noCertSync: cliOptsSkipCertSync(options),
+    systemKey: manifest.key,
+    dataplaneUrl: ctx.dataplaneUrl,
+    authConfig,
+    datasourceKeys: dsKeys
+  });
+}
+
 function logImmediateControllerDeploymentOutcome(deploymentOutcome) {
   if (deploymentOutcome.ok) {
     logger.log(formatSuccessParagraph('Controller deployment OK'));
@@ -148,24 +198,7 @@ async function executeDeployAndDisplay(manifest, controllerUrl, environment, aut
     manifest.key
   );
 
-  let probeData = null;
-  if (options.probe && ctx.dataplaneUrl && !ctx.error) {
-    logger.log(chalk.blue('\nRunning runtime checks (--probe)...'));
-    try {
-      const pr = await testSystemViaPipeline(ctx.dataplaneUrl, manifest.key, authConfig, {}, {
-        timeout: options.probeTimeout || 120000
-      });
-      if (pr.success === false) {
-        logger.log(
-          chalk.yellow(`⚠ Probe request failed: ${pr.formattedError || pr.error || 'unknown error'}`)
-        );
-      } else {
-        probeData = unwrapApiData(pr);
-      }
-    } catch (e) {
-      logger.log(chalk.yellow(`⚠ Probe failed: ${e.message}`));
-    }
-  }
+  const probeData = await runOptionalExternalDeployProbe(ctx, manifest.key, authConfig, options);
 
   logDeployReadinessSummary({
     environment,
@@ -179,6 +212,8 @@ async function executeDeployAndDisplay(manifest, controllerUrl, environment, aut
     probeData
   });
 
+  await maybeSyncCertificationAfterExternalDeploy(deploymentOutcome, ctx, manifest, options, authConfig);
+
   return result;
 }
 

package/lib/infrastructure/compose.js

@@ -109,13 +109,23 @@ function generateComposeFile(templatePath, devId, idNum, ports, infraDir, option
   const template = handlebars.compile(templateContent);
   const networkName = idNum === 0 ? 'infra-aifabrix-network' : `infra-dev${devId}-aifabrix-network`;
   const serversJsonPath = path.join(infraDir, 'servers.json');
+  const serversJsonBind = toDockerBindMountSource(serversJsonPath);
   const pgpassPath = path.join(infraDir, 'pgpass');
   const traefikConfig = typeof options.traefik === 'object'
     ? options.traefik
     : buildTraefikConfig(!!options.traefik);
-  const pgadminConfig = options.pgadmin && typeof options.pgadmin.enabled === 'boolean'
+  const pgadminConfigRaw = options.pgadmin && typeof options.pgadmin.enabled === 'boolean'
     ? options.pgadmin
     : { enabled: true };
+  const pgadminEnabled = !!pgadminConfigRaw.enabled;
+  const pgpassBootstrapPath = path.join(infraDir, '.pgpass.bootstrap');
+  const pgadminConfig = {
+    ...pgadminConfigRaw,
+    enabled: pgadminEnabled,
+    ...(pgadminEnabled
+      ? { pgpassBootstrapBind: toDockerBindMountSource(pgpassBootstrapPath) }
+      : {})
+  };
   const redisCommanderConfig = options.redisCommander && typeof options.redisCommander.enabled === 'boolean'
     ? options.redisCommander
     : { enabled: true };
@@ -132,7 +142,6 @@ function generateComposeFile(templatePath, devId, idNum, ports, infraDir, option
     }
     : traefikConfig;
   const initScriptsBind = toDockerBindMountSource(path.join(infraDir, 'init-scripts'));
-  const infraDirBind = toDockerBindMountSource(infraDir);
   const composeContent = template({
     devId: devId,
     postgresPort: ports.postgres,
@@ -143,10 +152,10 @@ function generateComposeFile(templatePath, devId, idNum, ports, infraDir, option
     traefikHttpsPort: ports.traefikHttps,
     networkName: networkName,
     serversJsonPath: serversJsonPath,
+    serversJsonBind: serversJsonBind,
     pgpassPath: pgpassPath,
     infraDir: infraDir,
     initScriptsBind: initScriptsBind,
-    infraDirBind: infraDirBind,
     traefik: traefikForCompose,
     pgadmin: pgadminConfig,
     redisCommander: redisCommanderConfig