@aifabrix/builder 2.44.1 → 2.44.3

package/.npmrc.token

@@ -1 +1 @@
-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
+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

package/lib/api/types/certificates.types.js

@@ -22,7 +22,7 @@
  * @property {string} [issuedBy]
  * @property {string} [licenseLevelIssuer]
  * @property {string} [dataplaneVersion]
- * @property {('RS256'|'HS256')} [algorithm] RS256 production; HS256 local dev HMAC signer only
+ * @property {'RS256'} [algorithm] Integration certificate signing algorithm (RS256 only)
  * @property {string|null} [publicKey]
  * @property {string|null} [publicKeyFingerprint]
  * @property {Object} [metadata]

package/lib/app/show-display.js

@@ -11,7 +11,6 @@
 
 const chalk = require('chalk');
 const logger = require('../utils/logger');
-const { truncatePublicKeyPreview } = require('./certification-show-enrich');
 
 function logSourceAndHeader(summary) {
   const isOffline = summary.source === 'offline';
@@ -263,23 +262,51 @@ function displayExternalAppBlock(summary) {
 }
 
 /**
- * Local certification + optional verify rows (external integrations).
- * @param {Object} summary
+ * Colored certification outcome from `status` string.
+ * @param {string} raw - lowercased status
+ * @returns {string}
  */
-function logCertificationSection(summary) {
-  if (!summary.isExternal) return;
-  logger.log('');
-  logger.log('🪪  Certification (local system file)');
-  const c = summary.localCertification;
-  if (!c || typeof c !== 'object') {
-    logger.log('  (none or unreadable)');
-  } else {
-    logger.log(`  enabled:     ${c.enabled}`);
-    logger.log(`  algorithm:   ${c.algorithm ?? '—'}`);
-    logger.log(`  issuer:      ${c.issuer ?? '—'}`);
-    logger.log(`  version:     ${c.version ?? '—'}`);
-    logger.log(`  publicKey:   ${truncatePublicKeyPreview(c.publicKey, 64)}`);
+function formatCertificationOutcome(raw) {
+  if (raw === 'passed') return chalk.green('passed');
+  if (raw === 'not_passed') return chalk.red('not_passed');
+  if (raw === 'pending') return chalk.yellow('pending');
+  return raw || '—';
+}
+
+/**
+ * Certification status line: enabled ✔/✖ plus outcome (passed / not_passed / pending).
+ * @param {Object} c - certification block from system file
+ * @returns {string}
+ */
+function formatCertificationStatusLine(c) {
+  const enabledTrue = c.enabled === true;
+  const enabledSym = enabledTrue ? chalk.green('✔') : chalk.red('✖');
+  const raw = (c.status && String(c.status).toLowerCase()) || '';
+  const outcome = formatCertificationOutcome(raw);
+  return `  Status:     ${enabledSym}  ${outcome}`;
+}
+
+/**
+ * Local certification fields from system file (TTY block).
+ * @param {Object} c
+ */
+function logCertificationLocalFileDetails(c) {
+  logger.log(formatCertificationStatusLine(c));
+  const levelStr =
+    c.level === undefined || c.level === null ? '' : String(c.level).trim();
+  if (levelStr) {
+    logger.log(`  Level:      ${levelStr}`);
   }
+  logger.log(`  algorithm:  ${c.algorithm ?? '—'}`);
+  logger.log(`  issuer:     ${c.issuer ?? '—'}`);
+  logger.log(`  version:    ${c.version ?? '—'}`);
+}
+
+/**
+ * Dataplane certification verify rows (when `--verify-cert` populated summary).
+ * @param {Object} summary
+ */
+function logCertificationVerifySection(summary) {
   if (summary.certificationVerifyRows && summary.certificationVerifyRows.length > 0) {
     logger.log('');
     logger.log('🪪  Certification verify (dataplane)');
@@ -303,6 +330,23 @@ function logCertificationSection(summary) {
   }
 }
 
+/**
+ * Local certification + optional verify rows (external integrations).
+ * @param {Object} summary
+ */
+function logCertificationSection(summary) {
+  if (!summary.isExternal) return;
+  logger.log('');
+  logger.log('🪪  Certification (local system file)');
+  const c = summary.localCertification;
+  if (!c || typeof c !== 'object') {
+    logger.log('  (none or unreadable)');
+  } else {
+    logCertificationLocalFileDetails(c);
+  }
+  logCertificationVerifySection(summary);
+}
+
 /**
  * Format and print human-readable show output (offline or online).
  * @param {Object} summary - Unified summary (buildOfflineSummaryFromDeployJson or buildOnlineSummary)

package/lib/certification/merge-certification-from-artifact.js

@@ -38,14 +38,14 @@ function pickArtifactForCertificationMerge(artifacts) {
 }
 
 /**
- * @param {string} algorithmUpper
  * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @param {Object} ex
  * @returns {string}
  */
-function hs256DevPublicKeyPlaceholder(algorithmUpper, art) {
-  if (algorithmUpper !== 'HS256') return '';
-  const cid = certificateIdToString(art.certificateId);
-  return `HS256-DEV-NO-PEM:${cid || 'integration-certificate'}`;
+function resolvePublicKey(art, ex) {
+  const fromArt = trimOrEmpty(art.publicKey);
+  if (fromArt) return fromArt;
+  return trimOrEmpty(ex.publicKey);
 }
 
 /**
@@ -53,13 +53,34 @@ function hs256DevPublicKeyPlaceholder(algorithmUpper, art) {
  * @param {Object} ex
  * @returns {string}
  */
-function resolvePublicKey(art, ex) {
-  const fromArt = trimOrEmpty(art.publicKey);
+function resolvePublicKeyFingerprint(art, ex) {
+  const fromArt = trimOrEmpty(art.publicKeyFingerprint);
   if (fromArt) return fromArt;
-  const fromExisting = trimOrEmpty(ex.publicKey);
-  if (fromExisting) return fromExisting;
-  const algorithmUpper = trimOrEmpty(art.algorithm).toUpperCase();
-  return hs256DevPublicKeyPlaceholder(algorithmUpper, art);
+  return trimOrEmpty(ex.publicKeyFingerprint);
+}
+
+/**
+ * @param {string} raw
+ * @returns {string} Normalized digest or empty when invalid
+ */
+function normalizeContractHash(raw) {
+  const s = trimOrEmpty(raw);
+  return CONTRACT_HASH_PATTERN.test(s) ? s : '';
+}
+
+/**
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @param {Object} ex
+ * @returns {string}
+ */
+function resolveContractHash(art, ex) {
+  return (
+    normalizeContractHash(art.contractHash) ||
+    normalizeContractHash(art.integrationHash) ||
+    normalizeContractHash(ex.contractHash) ||
+    normalizeContractHash(ex.integrationHash) ||
+    ''
+  );
 }
 
 /**
@@ -92,6 +113,8 @@ function resolveVersion(art, ex) {
 
 const CERTIFICATION_LEVELS = new Set(['BRONZE', 'SILVER', 'GOLD', 'PLATINUM']);
 const CERTIFICATION_STATUSES = new Set(['passed', 'not_passed', 'pending']);
+/** Matches external-system.schema.json `certification.contractHash` pattern. */
+const CONTRACT_HASH_PATTERN = /^sha256:[0-9a-f]{64}$/;
 
 /**
  * @param {string} raw
@@ -138,9 +161,10 @@ function resolveStatus(_art, ex) {
 }
 
 /**
- * Build `certification` object matching **external-system.schema.json** (required: enabled, publicKey, algorithm, issuer, version; optional status, level).
+ * Build `certification` object matching **external-system.schema.json** (required: enabled, publicKey, algorithm, issuer, version; optional status, level, publicKeyFingerprint, contractHash).
  * Fills gaps from `existingCertification` when the artifact omits publishable fields (common when dataplane redacts `publicKey`).
- * For **HS256** dev certificates with no PEM, uses a non-secret placeholder `publicKey` so the system file stays schema-valid.
+ * Dataplane issues **RS256** certificates with PEM `publicKey` and optional `publicKeyFingerprint` (sha256:… of SPKI); merge output uses **RS256** only.
+ * Optional **contractHash** is copied from the certificate `contractHash` or legacy `integrationHash` when it matches `sha256:` + 64 hex.
  *
  * @param {import('../api/types/certificates.types').CertificateArtifactResponse|null} artifact
  * @param {Object|null|undefined} existingCertification - Current `system.certification`
@@ -160,13 +184,13 @@ function buildCertificationFromArtifact(artifact, existingCertification) {
   const versionStr = resolveVersion(art, ex);
   if (!versionStr) return null;
 
-  const algorithmUpper = trimOrEmpty(art.algorithm).toUpperCase();
-  const algorithm = algorithmUpper === 'HS256' ? 'HS256' : 'RS256';
+  const publicKeyFingerprint = resolvePublicKeyFingerprint(art, ex);
+  const contractHash = resolveContractHash(art, ex);
 
   const out = {
     enabled: true,
     publicKey,
-    algorithm,
+    algorithm: 'RS256',
     issuer,
     version: versionStr,
     status: resolveStatus(art, ex)
@@ -175,6 +199,12 @@ function buildCertificationFromArtifact(artifact, existingCertification) {
   if (level) {
     out.level = level;
   }
+  if (publicKeyFingerprint) {
+    out.publicKeyFingerprint = publicKeyFingerprint;
+  }
+  if (contractHash) {
+    out.contractHash = contractHash;
+  }
   return out;
 }
 

package/lib/core/secrets.js

@@ -224,6 +224,52 @@ async function loadMergedConfigAndUserSecrets() {
   }
 }
 
+/**
+ * @returns {string[]}
+ */
+function collectBuilderSecretsYamlPaths() {
+  const projectRoot = pathsUtil.getProjectRoot();
+  const candidates = [];
+  if (projectRoot) {
+    candidates.push(path.join(projectRoot, 'builder', 'secrets.local.yaml'));
+  }
+  try {
+    const alt = path.join(pathsUtil.getBuilderRoot(), 'secrets.local.yaml');
+    if (!candidates.length || path.resolve(candidates[0]) !== path.resolve(alt)) {
+      candidates.push(alt);
+    }
+  } catch {
+    /* ignore */
+  }
+  return candidates;
+}
+
+/**
+ * Merge `builder/secrets.local.yaml` from project root and from {@link pathsUtil.getBuilderRoot} when distinct.
+ * @param {Object|null|undefined} merged
+ * @returns {Object|null|undefined}
+ */
+function mergeBuilderSecretsLocalFiles(merged) {
+  try {
+    const seen = new Set();
+    let out = merged;
+    for (const builderPath of collectBuilderSecretsYamlPaths()) {
+      if (!builderPath || seen.has(path.resolve(builderPath))) {
+        continue;
+      }
+      seen.add(path.resolve(builderPath));
+      if (fs.existsSync(builderPath)) {
+        ensureSecureFilePermissions(builderPath);
+        const builderSecrets = mergeUserWithConfigFile(out || {}, builderPath);
+        if (builderSecrets) out = builderSecrets;
+      }
+    }
+    return out;
+  } catch {
+    return merged;
+  }
+}
+
 /**
  * Loads merged secrets using config/user cascade, builder file merge, and default fallback.
  * @async
@@ -238,19 +284,7 @@ async function loadSecretsWithFallbacks() {
     }
     merged = await applyCanonicalSecretsOverride(merged);
   }
-  try {
-    const projectRoot = pathsUtil.getProjectRoot();
-    if (projectRoot) {
-      const builderPath = path.join(projectRoot, 'builder', 'secrets.local.yaml');
-      if (fs.existsSync(builderPath)) {
-        ensureSecureFilePermissions(builderPath);
-        const builderSecrets = mergeUserWithConfigFile(merged || {}, builderPath);
-        if (builderSecrets) merged = builderSecrets;
-      }
-    }
-  } catch {
-    // Ignore (e.g. no project root or read error)
-  }
+  merged = mergeBuilderSecretsLocalFiles(merged);
   if (Object.keys(merged).length === 0) {
     merged = loadDefaultSecrets();
   }

package/lib/datasource/log-viewer.js

@@ -278,6 +278,34 @@ function formatLogContent(parsed, logType, fileName) {
   }
 }
 
+/**
+ * Parse saved debug log JSON (strict). Always throws an Error whose message starts with
+ * "Invalid JSON" so CLI/tests get a stable contract.
+ * @param {string} content
+ * @param {string} logPath
+ * @returns {Object}
+ */
+function parseDatasourceLogJson(content, logPath) {
+  if (content === undefined || content === null) {
+    throw new Error(`Invalid JSON in ${logPath}: empty content`);
+  }
+  const text = String(content).replace(/^\uFEFF/, '').trim();
+  if (!text) {
+    throw new Error(`Invalid JSON in ${logPath}: empty file`);
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(text);
+  } catch (err) {
+    const detail = err instanceof Error ? err.message : String(err);
+    throw new Error(`Invalid JSON in ${logPath}: ${detail}`);
+  }
+  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
+    throw new Error(`Invalid JSON in ${logPath}: expected a JSON object at the root`);
+  }
+  return parsed;
+}
+
 /**
  * Run log viewer: resolve log file, read, parse, format and print
  * @async
@@ -322,12 +350,7 @@ async function runLogViewer(datasourceKey, options) {
     fileName = path.basename(logPath);
   }
   const content = await fsp.readFile(logPath, 'utf8');
-  let parsed;
-  try {
-    parsed = JSON.parse(content);
-  } catch (err) {
-    throw new Error(`Invalid JSON in ${logPath}: ${err.message}`);
-  }
+  const parsed = parseDatasourceLogJson(content, logPath);
   formatLogContent(parsed, logType, fileName);
 }
 
@@ -339,5 +362,6 @@ module.exports = {
   formatE2ELog,
   formatIntegrationLog,
   formatStructuralTestLog,
+  parseDatasourceLogJson,
   runLogViewer
 };

package/lib/schema/external-system.schema.json

@@ -7,12 +7,12 @@
      "key":"external-system-schema",
      "name":"External System Configuration Schema",
      "description":"JSON schema for validating ExternalSystem configuration files",
-     "version":"1.6.0",
+     "version":"1.6.2",
      "type":"schema",
      "category":"integration",
      "author":"AI Fabrix Team",
      "createdAt":"2024-01-01T00:00:00Z",
-     "updatedAt":"2026-04-09T00:00:00Z",
+     "updatedAt":"2026-04-23T00:00:00Z",
      "compatibility":{
         "minVersion":"1.4.0",
         "maxVersion":"2.0.0",
@@ -29,6 +29,20 @@
         
      ],
      "changelog":[
+        {
+           "version":"1.6.2",
+           "date":"2026-04-23T00:00:00Z",
+           "changes":[
+              "certification.algorithm: RS256 only (removed HS256 from enum)"
+           ]
+        },
+        {
+           "version":"1.6.1",
+           "date":"2026-04-22T00:00:00Z",
+           "changes":[
+              "Optional certification.publicKeyFingerprint (sha256: hex of SPKI DER) for RS256 public key verification"
+           ]
+        },
         {
            "version":"1.6.0",
            "date":"2026-04-09T00:00:00Z",
@@ -679,15 +693,24 @@
            "publicKey":{
               "type":"string",
               "minLength":1,
-              "description":"Public verification material (SPKI PEM for RS256; dev placeholder for HS256). Private keys must never appear in config."
+              "description":"Public verification material (SPKI PEM for RS256). Private keys must never appear in config."
+           },
+           "publicKeyFingerprint":{
+              "type":"string",
+              "pattern":"^sha256:[0-9a-f]{64}$",
+              "description":"SHA-256 fingerprint of the SubjectPublicKeyInfo DER (same convention as integration certificate publicKeyFingerprint); must match embedded publicKey."
+           },
+           "contractHash":{
+              "type":"string",
+              "pattern":"^sha256:[0-9a-f]{64}$",
+              "description":"Optional copy of the active integration certificate contractHash (certification contract material digest) for drift checks; should match the dataplane active trusted certificate when present."
            },
            "algorithm":{
               "type":"string",
               "enum":[
-                 "RS256",
-                 "HS256"
+                 "RS256"
               ],
-              "description":"Signing algorithm for certificate verification (RS256 in production; HS256 only for local dev when the dataplane uses the dev HMAC signer)."
+              "description":"Signing algorithm for integration certificate verification (RS256 only)."
            },
            "issuer":{
               "type":"string",

package/lib/utils/app-service-env-from-builder.js

@@ -12,8 +12,21 @@
 const path = require('path');
 const yaml = require('js-yaml');
 const fsRealSync = require('../internal/fs-real-sync');
+const pathsUtil = require('./paths');
 const { localHostPort } = require('./declarative-url-ports');
 
+/**
+ * @param {string} p
+ * @returns {boolean}
+ */
+function isExistingDirSync(p) {
+  try {
+    return Boolean(p && fsRealSync.existsSync(p) && fsRealSync.statSync(p).isDirectory());
+  } catch {
+    return false;
+  }
+}
+
 /**
  * Maps application.yaml `app.key` to env var prefix (MISO_HOST, DATAPLANE_PORT, …).
  * Generic keys not listed are skipped (no guessed PREFIX).
@@ -110,12 +123,11 @@ function mergeDocIntoOverlay(overlayDocker, overlayLocal, doc, folderName) {
 }
 
 /**
- * @param {string} projectRoot
+ * @param {string} builderDir
  * @returns {Array<{ doc: object, folderName: string }>}
  */
-function listBuilderApplicationDocs(projectRoot) {
-  const builderDir = path.join(projectRoot, 'builder');
-  if (!fsRealSync.existsSync(builderDir) || !fsRealSync.statSync(builderDir).isDirectory()) {
+function listBuilderApplicationDocsInDir(builderDir) {
+  if (!isExistingDirSync(builderDir)) {
     return [];
   }
   const out = [];
@@ -140,6 +152,33 @@ function listBuilderApplicationDocs(projectRoot) {
   return out;
 }
 
+/**
+ * Prefer projectRoot/builder when present (unit tests, in-repo runs). When missing but projectRoot
+ * is the detected CLI package root (global npm install omits builder/), fall back to
+ * {@link pathsUtil.getBuilderRoot}.
+ *
+ * @param {string} projectRoot
+ * @returns {string[]}
+ */
+function collectBuilderScanDirs(projectRoot) {
+  const legacy = path.join(projectRoot, 'builder');
+  if (isExistingDirSync(legacy)) {
+    return [legacy];
+  }
+  try {
+    const detected = pathsUtil.getProjectRoot();
+    if (detected && path.resolve(projectRoot) === path.resolve(detected)) {
+      const br = pathsUtil.getBuilderRoot();
+      if (isExistingDirSync(br)) {
+        return [br];
+      }
+    }
+  } catch {
+    /* ignore */
+  }
+  return [];
+}
+
 /**
  * @param {string|null|undefined} projectRoot
  * @returns {{ docker: Record<string, unknown>, local: Record<string, unknown> }}
@@ -150,8 +189,10 @@ function buildAppServiceEnvOverlay(projectRoot) {
   if (!projectRoot || !fsRealSync.existsSync(projectRoot)) {
     return { docker: overlayDocker, local: overlayLocal };
   }
-  for (const { doc, folderName } of listBuilderApplicationDocs(projectRoot)) {
-    mergeDocIntoOverlay(overlayDocker, overlayLocal, doc, folderName);
+  for (const builderDir of collectBuilderScanDirs(projectRoot)) {
+    for (const { doc, folderName } of listBuilderApplicationDocsInDir(builderDir)) {
+      mergeDocIntoOverlay(overlayDocker, overlayLocal, doc, folderName);
+    }
   }
   return { docker: overlayDocker, local: overlayLocal };
 }

package/lib/utils/config-paths.js

@@ -216,6 +216,10 @@ function createEnvConfigPathFunctions(getConfigFn, saveConfigFn) {
       if (fromProject) {
         return fromProject;
       }
+      const fromEffective = tryDir(pathsMod.getBuilderRoot());
+      if (fromEffective) {
+        return fromEffective;
+      }
       const work = pathsMod.getAifabrixWork();
       return tryDir(work);
     }

package/lib/utils/url-declarative-resolve-load-doc.js

@@ -8,10 +8,50 @@ const path = require('path');
 const yaml = require('js-yaml');
 const fsRealSync = require('../internal/fs-real-sync');
 
+/**
+ * @param {string} cfgPath
+ * @returns {object|null}
+ */
+function tryReadApplicationYamlAt(cfgPath) {
+  try {
+    if (!fsRealSync.existsSync(cfgPath)) {
+      return null;
+    }
+    const raw = fsRealSync.readFileSync(cfgPath, 'utf8');
+    const doc = yaml.load(raw);
+    return doc && typeof doc === 'object' ? doc : null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Prefer projectRoot/builder (fixtures, tests); then {@link pathsUtil.getBuilderPath} (global npm).
+ * @param {string} appKey
+ * @param {object} pathsUtil
+ * @returns {string[]}
+ */
+function collectApplicationYamlPathsForUrlResolve(appKey, pathsUtil) {
+  const list = [];
+  const root = pathsUtil.getProjectRoot();
+  if (root) {
+    list.push(path.resolve(path.join(root, 'builder', appKey, 'application.yaml')));
+  }
+  try {
+    const viaBuilder = path.resolve(path.join(pathsUtil.getBuilderPath(appKey), 'application.yaml'));
+    if (!list.length || path.resolve(list[0]) !== viaBuilder) {
+      list.push(viaBuilder);
+    }
+  } catch {
+    /* ignore getBuilderPath errors */
+  }
+  return list;
+}
+
 /**
  * @param {string} appKey
  * @param {Object} ctx
- * @param {object} pathsUtil - paths module (getProjectRoot)
+ * @param {object} pathsUtil - paths module (getProjectRoot, getBuilderPath)
  * @returns {object|null}
  */
 function loadApplicationYamlDocForUrlResolve(appKey, ctx, pathsUtil) {
@@ -19,28 +59,18 @@ function loadApplicationYamlDocForUrlResolve(appKey, ctx, pathsUtil) {
     const current = ctx.currentAppKey || '';
     if (appKey === current && ctx.variablesPath) {
       const vp = path.resolve(String(ctx.variablesPath));
-      try {
-        const raw = fsRealSync.readFileSync(vp, 'utf8');
-        const doc = yaml.load(raw);
-        if (doc && typeof doc === 'object') {
-          return doc;
-        }
-      } catch {
-        // Fall through to builder-relative resolution
+      const fromVars = tryReadApplicationYamlAt(vp);
+      if (fromVars) {
+        return fromVars;
       }
     }
-    const root = pathsUtil.getProjectRoot();
-    if (!root) {
-      return null;
-    }
-    const cfgPath = path.resolve(path.join(root, 'builder', appKey, 'application.yaml'));
-    try {
-      const raw = fsRealSync.readFileSync(cfgPath, 'utf8');
-      const doc = yaml.load(raw);
-      return doc && typeof doc === 'object' ? doc : null;
-    } catch {
-      return null;
+    for (const cfgPath of collectApplicationYamlPathsForUrlResolve(appKey, pathsUtil)) {
+      const doc = tryReadApplicationYamlAt(cfgPath);
+      if (doc) {
+        return doc;
+      }
     }
+    return null;
   } catch {
     return null;
   }

package/lib/utils/urls-local-registry.js

@@ -156,19 +156,12 @@ function mergeDocIntoRegistry(merged, doc, folderName) {
 }
 
 /**
- * Merge scan results into registry (does not remove stale keys).
- * @param {string|null} projectRoot - getProjectRoot() or null
- * @returns {Object} Updated registry
+ * @param {Object} merged
+ * @param {string} builderDir
  */
-function refreshUrlsLocalRegistryFromBuilder(projectRoot) {
-  const root = projectRoot || pathsUtil.getProjectRoot();
-  const merged = { ...readUrlsLocalRegistrySync() };
-  if (!root) {
-    return writeMergedRegistry(merged);
-  }
-  const builderDir = path.join(root, 'builder');
-  if (!fsRealSync.existsSync(builderDir) || !fsRealSync.statSync(builderDir).isDirectory()) {
-    return writeMergedRegistry(merged);
+function mergeBuilderDirIntoRegistry(merged, builderDir) {
+  if (!builderDir || !fsRealSync.existsSync(builderDir) || !fsRealSync.statSync(builderDir).isDirectory()) {
+    return;
   }
   for (const ent of fsRealSync.readdirSync(builderDir, { withFileTypes: true })) {
     if (!ent.isDirectory()) {
@@ -180,6 +173,37 @@ function refreshUrlsLocalRegistryFromBuilder(projectRoot) {
     }
     mergeDocIntoRegistry(merged, doc, ent.name);
   }
+}
+
+/**
+ * Merge scan results into registry (does not remove stale keys).
+ * @param {string|null} projectRoot - getProjectRoot() or null (same semantics as projectRoot || getProjectRoot())
+ * @returns {Object} Updated registry
+ */
+function refreshUrlsLocalRegistryFromBuilder(projectRoot) {
+  const root = projectRoot || pathsUtil.getProjectRoot();
+  const merged = { ...readUrlsLocalRegistrySync() };
+  if (!root) {
+    return writeMergedRegistry(merged);
+  }
+  // Published npm tarball omits builder/ under the package root (.npmignore). Global installs must
+  // still refresh from the real builder tree (AIFABRIX_BUILDER_DIR or integration base + builder).
+  const legacyBuilderDir = path.join(root, 'builder');
+  const effectiveBuilderDir = pathsUtil.getBuilderRoot();
+  const builderDirs = [legacyBuilderDir];
+  try {
+    if (
+      effectiveBuilderDir &&
+      path.resolve(effectiveBuilderDir) !== path.resolve(legacyBuilderDir)
+    ) {
+      builderDirs.push(effectiveBuilderDir);
+    }
+  } catch {
+    /* ignore path resolution errors */
+  }
+  for (const builderDir of builderDirs) {
+    mergeBuilderDirIntoRegistry(merged, builderDir);
+  }
   return writeMergedRegistry(merged);
 }
 

package/lib/validation/external-manifest-validator.js

@@ -18,27 +18,16 @@ const { validateFieldReferences } = require('../datasource/field-reference-valid
 const { validateAbac } = require('../datasource/abac-validator');
 
 /**
- * Sets up AJV validator with external schemas
- * @async
- * @function setupAjvWithSchemas
- * @returns {Promise<Object>} AJV instance and schemas
+ * Load and normalize external-system + external-datasource schema objects for manifest AJV.
+ * @returns {{ externalSystemSchema: object, externalDatasourceSchema: object }}
  */
-async function setupAjvWithSchemas() {
-  const ajv = new Ajv({
-    allErrors: true,
-    strict: false,
-    removeAdditional: false
-  });
-  addFormats(ajv);
-
-  // Load raw schema objects (not compiled validators)
+function loadManifestExternalSchemas() {
   const externalSystemSchemaPath = path.join(__dirname, '..', 'schema', 'external-system.schema.json');
   const externalDatasourceSchemaPath = path.join(__dirname, '..', 'schema', 'external-datasource.schema.json');
 
   const externalSystemSchema = JSON.parse(fs.readFileSync(externalSystemSchemaPath, 'utf8'));
   let externalDatasourceSchema = JSON.parse(fs.readFileSync(externalDatasourceSchemaPath, 'utf8'));
 
-  // Remove $schema for draft-2020-12 to avoid AJV issues
   if (externalDatasourceSchema.$schema && externalDatasourceSchema.$schema.includes('2020-12')) {
     const schemaCopy = { ...externalDatasourceSchema };
     delete schemaCopy.$schema;
@@ -52,7 +41,25 @@ async function setupAjvWithSchemas() {
     throw new Error('External datasource schema is missing required $id');
   }
 
-  // external-datasource.schema.json references these by $id (aifabrix://schema/type/*)
+  return { externalSystemSchema, externalDatasourceSchema };
+}
+
+/**
+ * Sets up AJV validator with external schemas
+ * @async
+ * @function setupAjvWithSchemas
+ * @returns {Promise<Object>} AJV instance and schemas
+ */
+async function setupAjvWithSchemas() {
+  const ajv = new Ajv({
+    allErrors: true,
+    strict: false,
+    removeAdditional: false
+  });
+  addFormats(ajv);
+
+  const { externalSystemSchema, externalDatasourceSchema } = loadManifestExternalSchemas();
+
   ajv.addSchema(require('../schema/type/document-storage.json'));
   ajv.addSchema(require('../schema/type/message-service.json'));
   ajv.addSchema(require('../schema/type/vector-store.json'));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.44.1",
+  "version": "2.44.3",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {

package/templates/applications/dataplane/env.template

@@ -178,7 +178,8 @@ OPENTELEMETRY_ENDPOINT=
 # =============================================================================
 # Read by PemRsaCertificateSigner.from_environment in app/validation/certificates/signer.py.
 # When CERTIFICATE_PRIVATE_KEY and CERTIFICATE_PUBLIC_KEY are both set (non-empty PEM), the
-# engine uses RS256; otherwise it falls back to local HS256 (see build_certificate_signer in engine).
+# engine uses RS256. When unset and LOCAL_MODE=true, a process-local ephemeral RSA keypair is used
+# (still RS256, with publicKey + publicKeyFingerprint on issued certs). Non-local requires PEM keys.
 # PEM values are often multi-line; resolve via secret store / deploy pipeline (kv://) or inject as env.
 CERTIFICATE_PRIVATE_KEY=
 CERTIFICATE_PUBLIC_KEY=