@aifabrix/builder 2.44.2 → 2.44.3

package/.npmrc.token

@@ -1 +1 @@
-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
+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

package/lib/api/types/certificates.types.js

@@ -22,7 +22,7 @@
  * @property {string} [issuedBy]
  * @property {string} [licenseLevelIssuer]
  * @property {string} [dataplaneVersion]
- * @property {('RS256'|'HS256')} [algorithm] RS256 production; HS256 local dev HMAC signer only
+ * @property {'RS256'} [algorithm] Integration certificate signing algorithm (RS256 only)
  * @property {string|null} [publicKey]
  * @property {string|null} [publicKeyFingerprint]
  * @property {Object} [metadata]

package/lib/app/show-display.js

@@ -11,7 +11,6 @@
 
 const chalk = require('chalk');
 const logger = require('../utils/logger');
-const { truncatePublicKeyPreview } = require('./certification-show-enrich');
 
 function logSourceAndHeader(summary) {
   const isOffline = summary.source === 'offline';
@@ -263,23 +262,51 @@ function displayExternalAppBlock(summary) {
 }
 
 /**
- * Local certification + optional verify rows (external integrations).
- * @param {Object} summary
+ * Colored certification outcome from `status` string.
+ * @param {string} raw - lowercased status
+ * @returns {string}
  */
-function logCertificationSection(summary) {
-  if (!summary.isExternal) return;
-  logger.log('');
-  logger.log('🪪  Certification (local system file)');
-  const c = summary.localCertification;
-  if (!c || typeof c !== 'object') {
-    logger.log('  (none or unreadable)');
-  } else {
-    logger.log(`  enabled:     ${c.enabled}`);
-    logger.log(`  algorithm:   ${c.algorithm ?? '—'}`);
-    logger.log(`  issuer:      ${c.issuer ?? '—'}`);
-    logger.log(`  version:     ${c.version ?? '—'}`);
-    logger.log(`  publicKey:   ${truncatePublicKeyPreview(c.publicKey, 64)}`);
+function formatCertificationOutcome(raw) {
+  if (raw === 'passed') return chalk.green('passed');
+  if (raw === 'not_passed') return chalk.red('not_passed');
+  if (raw === 'pending') return chalk.yellow('pending');
+  return raw || '—';
+}
+
+/**
+ * Certification status line: enabled ✔/✖ plus outcome (passed / not_passed / pending).
+ * @param {Object} c - certification block from system file
+ * @returns {string}
+ */
+function formatCertificationStatusLine(c) {
+  const enabledTrue = c.enabled === true;
+  const enabledSym = enabledTrue ? chalk.green('✔') : chalk.red('✖');
+  const raw = (c.status && String(c.status).toLowerCase()) || '';
+  const outcome = formatCertificationOutcome(raw);
+  return `  Status:     ${enabledSym}  ${outcome}`;
+}
+
+/**
+ * Local certification fields from system file (TTY block).
+ * @param {Object} c
+ */
+function logCertificationLocalFileDetails(c) {
+  logger.log(formatCertificationStatusLine(c));
+  const levelStr =
+    c.level === undefined || c.level === null ? '' : String(c.level).trim();
+  if (levelStr) {
+    logger.log(`  Level:      ${levelStr}`);
   }
+  logger.log(`  algorithm:  ${c.algorithm ?? '—'}`);
+  logger.log(`  issuer:     ${c.issuer ?? '—'}`);
+  logger.log(`  version:    ${c.version ?? '—'}`);
+}
+
+/**
+ * Dataplane certification verify rows (when `--verify-cert` populated summary).
+ * @param {Object} summary
+ */
+function logCertificationVerifySection(summary) {
   if (summary.certificationVerifyRows && summary.certificationVerifyRows.length > 0) {
     logger.log('');
     logger.log('🪪  Certification verify (dataplane)');
@@ -303,6 +330,23 @@ function logCertificationSection(summary) {
   }
 }
 
+/**
+ * Local certification + optional verify rows (external integrations).
+ * @param {Object} summary
+ */
+function logCertificationSection(summary) {
+  if (!summary.isExternal) return;
+  logger.log('');
+  logger.log('🪪  Certification (local system file)');
+  const c = summary.localCertification;
+  if (!c || typeof c !== 'object') {
+    logger.log('  (none or unreadable)');
+  } else {
+    logCertificationLocalFileDetails(c);
+  }
+  logCertificationVerifySection(summary);
+}
+
 /**
  * Format and print human-readable show output (offline or online).
  * @param {Object} summary - Unified summary (buildOfflineSummaryFromDeployJson or buildOnlineSummary)

package/lib/certification/merge-certification-from-artifact.js

@@ -38,14 +38,14 @@ function pickArtifactForCertificationMerge(artifacts) {
 }
 
 /**
- * @param {string} algorithmUpper
  * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @param {Object} ex
  * @returns {string}
  */
-function hs256DevPublicKeyPlaceholder(algorithmUpper, art) {
-  if (algorithmUpper !== 'HS256') return '';
-  const cid = certificateIdToString(art.certificateId);
-  return `HS256-DEV-NO-PEM:${cid || 'integration-certificate'}`;
+function resolvePublicKey(art, ex) {
+  const fromArt = trimOrEmpty(art.publicKey);
+  if (fromArt) return fromArt;
+  return trimOrEmpty(ex.publicKey);
 }
 
 /**
@@ -53,13 +53,34 @@ function hs256DevPublicKeyPlaceholder(algorithmUpper, art) {
  * @param {Object} ex
  * @returns {string}
  */
-function resolvePublicKey(art, ex) {
-  const fromArt = trimOrEmpty(art.publicKey);
+function resolvePublicKeyFingerprint(art, ex) {
+  const fromArt = trimOrEmpty(art.publicKeyFingerprint);
   if (fromArt) return fromArt;
-  const fromExisting = trimOrEmpty(ex.publicKey);
-  if (fromExisting) return fromExisting;
-  const algorithmUpper = trimOrEmpty(art.algorithm).toUpperCase();
-  return hs256DevPublicKeyPlaceholder(algorithmUpper, art);
+  return trimOrEmpty(ex.publicKeyFingerprint);
+}
+
+/**
+ * @param {string} raw
+ * @returns {string} Normalized digest or empty when invalid
+ */
+function normalizeContractHash(raw) {
+  const s = trimOrEmpty(raw);
+  return CONTRACT_HASH_PATTERN.test(s) ? s : '';
+}
+
+/**
+ * @param {import('../api/types/certificates.types').CertificateArtifactResponse} art
+ * @param {Object} ex
+ * @returns {string}
+ */
+function resolveContractHash(art, ex) {
+  return (
+    normalizeContractHash(art.contractHash) ||
+    normalizeContractHash(art.integrationHash) ||
+    normalizeContractHash(ex.contractHash) ||
+    normalizeContractHash(ex.integrationHash) ||
+    ''
+  );
 }
 
 /**
@@ -92,6 +113,8 @@ function resolveVersion(art, ex) {
 
 const CERTIFICATION_LEVELS = new Set(['BRONZE', 'SILVER', 'GOLD', 'PLATINUM']);
 const CERTIFICATION_STATUSES = new Set(['passed', 'not_passed', 'pending']);
+/** Matches external-system.schema.json `certification.contractHash` pattern. */
+const CONTRACT_HASH_PATTERN = /^sha256:[0-9a-f]{64}$/;
 
 /**
  * @param {string} raw
@@ -138,9 +161,10 @@ function resolveStatus(_art, ex) {
 }
 
 /**
- * Build `certification` object matching **external-system.schema.json** (required: enabled, publicKey, algorithm, issuer, version; optional status, level).
+ * Build `certification` object matching **external-system.schema.json** (required: enabled, publicKey, algorithm, issuer, version; optional status, level, publicKeyFingerprint, contractHash).
  * Fills gaps from `existingCertification` when the artifact omits publishable fields (common when dataplane redacts `publicKey`).
- * For **HS256** dev certificates with no PEM, uses a non-secret placeholder `publicKey` so the system file stays schema-valid.
+ * Dataplane issues **RS256** certificates with PEM `publicKey` and optional `publicKeyFingerprint` (sha256:… of SPKI); merge output uses **RS256** only.
+ * Optional **contractHash** is copied from the certificate `contractHash` or legacy `integrationHash` when it matches `sha256:` + 64 hex.
  *
  * @param {import('../api/types/certificates.types').CertificateArtifactResponse|null} artifact
  * @param {Object|null|undefined} existingCertification - Current `system.certification`
@@ -160,13 +184,13 @@ function buildCertificationFromArtifact(artifact, existingCertification) {
   const versionStr = resolveVersion(art, ex);
   if (!versionStr) return null;
 
-  const algorithmUpper = trimOrEmpty(art.algorithm).toUpperCase();
-  const algorithm = algorithmUpper === 'HS256' ? 'HS256' : 'RS256';
+  const publicKeyFingerprint = resolvePublicKeyFingerprint(art, ex);
+  const contractHash = resolveContractHash(art, ex);
 
   const out = {
     enabled: true,
     publicKey,
-    algorithm,
+    algorithm: 'RS256',
     issuer,
     version: versionStr,
     status: resolveStatus(art, ex)
@@ -175,6 +199,12 @@ function buildCertificationFromArtifact(artifact, existingCertification) {
   if (level) {
     out.level = level;
   }
+  if (publicKeyFingerprint) {
+    out.publicKeyFingerprint = publicKeyFingerprint;
+  }
+  if (contractHash) {
+    out.contractHash = contractHash;
+  }
   return out;
 }
 

package/lib/schema/external-system.schema.json

@@ -7,12 +7,12 @@
      "key":"external-system-schema",
      "name":"External System Configuration Schema",
      "description":"JSON schema for validating ExternalSystem configuration files",
-     "version":"1.6.0",
+     "version":"1.6.2",
      "type":"schema",
      "category":"integration",
      "author":"AI Fabrix Team",
      "createdAt":"2024-01-01T00:00:00Z",
-     "updatedAt":"2026-04-09T00:00:00Z",
+     "updatedAt":"2026-04-23T00:00:00Z",
      "compatibility":{
         "minVersion":"1.4.0",
         "maxVersion":"2.0.0",
@@ -29,6 +29,20 @@
         
      ],
      "changelog":[
+        {
+           "version":"1.6.2",
+           "date":"2026-04-23T00:00:00Z",
+           "changes":[
+              "certification.algorithm: RS256 only (removed HS256 from enum)"
+           ]
+        },
+        {
+           "version":"1.6.1",
+           "date":"2026-04-22T00:00:00Z",
+           "changes":[
+              "Optional certification.publicKeyFingerprint (sha256: hex of SPKI DER) for RS256 public key verification"
+           ]
+        },
         {
            "version":"1.6.0",
            "date":"2026-04-09T00:00:00Z",
@@ -679,15 +693,24 @@
            "publicKey":{
               "type":"string",
               "minLength":1,
-              "description":"Public verification material (SPKI PEM for RS256; dev placeholder for HS256). Private keys must never appear in config."
+              "description":"Public verification material (SPKI PEM for RS256). Private keys must never appear in config."
+           },
+           "publicKeyFingerprint":{
+              "type":"string",
+              "pattern":"^sha256:[0-9a-f]{64}$",
+              "description":"SHA-256 fingerprint of the SubjectPublicKeyInfo DER (same convention as integration certificate publicKeyFingerprint); must match embedded publicKey."
+           },
+           "contractHash":{
+              "type":"string",
+              "pattern":"^sha256:[0-9a-f]{64}$",
+              "description":"Optional copy of the active integration certificate contractHash (certification contract material digest) for drift checks; should match the dataplane active trusted certificate when present."
            },
            "algorithm":{
               "type":"string",
               "enum":[
-                 "RS256",
-                 "HS256"
+                 "RS256"
               ],
-              "description":"Signing algorithm for certificate verification (RS256 in production; HS256 only for local dev when the dataplane uses the dev HMAC signer)."
+              "description":"Signing algorithm for integration certificate verification (RS256 only)."
            },
            "issuer":{
               "type":"string",

package/lib/validation/external-manifest-validator.js

@@ -18,27 +18,16 @@ const { validateFieldReferences } = require('../datasource/field-reference-valid
 const { validateAbac } = require('../datasource/abac-validator');
 
 /**
- * Sets up AJV validator with external schemas
- * @async
- * @function setupAjvWithSchemas
- * @returns {Promise<Object>} AJV instance and schemas
+ * Load and normalize external-system + external-datasource schema objects for manifest AJV.
+ * @returns {{ externalSystemSchema: object, externalDatasourceSchema: object }}
  */
-async function setupAjvWithSchemas() {
-  const ajv = new Ajv({
-    allErrors: true,
-    strict: false,
-    removeAdditional: false
-  });
-  addFormats(ajv);
-
-  // Load raw schema objects (not compiled validators)
+function loadManifestExternalSchemas() {
   const externalSystemSchemaPath = path.join(__dirname, '..', 'schema', 'external-system.schema.json');
   const externalDatasourceSchemaPath = path.join(__dirname, '..', 'schema', 'external-datasource.schema.json');
 
   const externalSystemSchema = JSON.parse(fs.readFileSync(externalSystemSchemaPath, 'utf8'));
   let externalDatasourceSchema = JSON.parse(fs.readFileSync(externalDatasourceSchemaPath, 'utf8'));
 
-  // Remove $schema for draft-2020-12 to avoid AJV issues
   if (externalDatasourceSchema.$schema && externalDatasourceSchema.$schema.includes('2020-12')) {
     const schemaCopy = { ...externalDatasourceSchema };
     delete schemaCopy.$schema;
@@ -52,7 +41,25 @@ async function setupAjvWithSchemas() {
     throw new Error('External datasource schema is missing required $id');
   }
 
-  // external-datasource.schema.json references these by $id (aifabrix://schema/type/*)
+  return { externalSystemSchema, externalDatasourceSchema };
+}
+
+/**
+ * Sets up AJV validator with external schemas
+ * @async
+ * @function setupAjvWithSchemas
+ * @returns {Promise<Object>} AJV instance and schemas
+ */
+async function setupAjvWithSchemas() {
+  const ajv = new Ajv({
+    allErrors: true,
+    strict: false,
+    removeAdditional: false
+  });
+  addFormats(ajv);
+
+  const { externalSystemSchema, externalDatasourceSchema } = loadManifestExternalSchemas();
+
   ajv.addSchema(require('../schema/type/document-storage.json'));
   ajv.addSchema(require('../schema/type/message-service.json'));
   ajv.addSchema(require('../schema/type/vector-store.json'));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.44.2",
+  "version": "2.44.3",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {

package/templates/applications/dataplane/env.template

@@ -178,7 +178,8 @@ OPENTELEMETRY_ENDPOINT=
 # =============================================================================
 # Read by PemRsaCertificateSigner.from_environment in app/validation/certificates/signer.py.
 # When CERTIFICATE_PRIVATE_KEY and CERTIFICATE_PUBLIC_KEY are both set (non-empty PEM), the
-# engine uses RS256; otherwise it falls back to local HS256 (see build_certificate_signer in engine).
+# engine uses RS256. When unset and LOCAL_MODE=true, a process-local ephemeral RSA keypair is used
+# (still RS256, with publicKey + publicKeyFingerprint on issued certs). Non-local requires PEM keys.
 # PEM values are often multi-line; resolve via secret store / deploy pipeline (kv://) or inject as env.
 CERTIFICATE_PRIVATE_KEY=
 CERTIFICATE_PUBLIC_KEY=