@aifabrix/builder 2.44.4 → 2.44.5

package/jest.projects.js

@@ -57,24 +57,28 @@ const defaultProject = {
       '/tests/lib/utils/cli-utils.test.js',
       '/tests/lib/utils/external-system-display.test.js',
       '/tests/lib/utils/dev-hosts-helper.test.js',
-      '/tests/lib/utils/declarative-url-matrix-d-reload.test.js',
+      '/tests/lib/utils/register-aifabrix-shell-env.test.js',
       '/tests/lib/utils/datasource-validation-watch.test.js',
       '\\\\tests\\\\lib\\\\utils\\\\cli-utils.test.js',
       '\\\\tests\\\\lib\\\\utils\\\\external-system-display.test.js',
       '\\\\tests\\\\lib\\\\utils\\\\dev-hosts-helper.test.js',
-      '\\\\tests\\\\lib\\\\utils\\\\declarative-url-matrix-d-reload.test.js',
+      '\\\\tests\\\\lib\\\\utils\\\\register-aifabrix-shell-env.test.js',
       '\\\\tests\\\\lib\\\\utils\\\\datasource-validation-watch.test.js',
       'lib/utils/dev-hosts-helper.test.js',
-      'lib/utils/declarative-url-matrix-d-reload.test.js',
+      'lib/utils/register-aifabrix-shell-env.test.js',
       'lib/utils/datasource-validation-watch.test.js',
       'dev-hosts-helper\\.test\\.js',
-      'declarative-url-matrix-d-reload\\.test\\.js',
+      'register-aifabrix-shell-env\\.test\\.js',
       '/tests/lib/datasource/log-viewer.test.js',
       '\\\\tests\\\\lib\\\\datasource\\\\log-viewer.test.js',
       'lib/datasource/log-viewer.test.js',
       '/tests/lib/datasource/log-viewer-structural.test.js',
+      '/tests/lib/datasource/log-viewer-run.test.js',
       '\\\\tests\\\\lib\\\\datasource\\\\log-viewer-structural.test.js',
+      '\\\\tests\\\\lib\\\\datasource\\\\log-viewer-run.test.js',
       'lib/datasource/log-viewer-structural.test.js',
+      'lib/datasource/log-viewer-run.test.js',
+      'log-viewer-run\\.test\\.js',
       '/tests/lib/commands/parameters-validate.test.js',
       '\\\\tests\\\\lib\\\\commands\\\\parameters-validate.test.js',
       'lib/commands/parameters-validate.test.js',
@@ -153,10 +157,6 @@ const defaultProject = {
       '\\\\tests\\\\lib\\\\utils\\\\paths-app-listing.test.js',
       'lib/utils/paths-app-listing.test.js',
       'paths-app-listing\\.test\\.js',
-      '/tests/lib/utils/url-declarative-truth-table-124.test.js',
-      '\\\\tests\\\\lib\\\\utils\\\\url-declarative-truth-table-124.test.js',
-      'lib/utils/url-declarative-truth-table-124.test.js',
-      'url-declarative-truth-table-124\\.test\\.js',
       '/tests/lib/generator/generator-external-rbac.test.js',
       '\\\\tests\\\\lib\\\\generator\\\\generator-external-rbac.test.js',
       'lib/generator/generator-external-rbac.test.js',
@@ -200,6 +200,10 @@ const defaultProject = {
       '/tests/lib/app/app.test.js',
       '\\\\tests\\\\lib\\\\app\\\\app.test.js',
       'lib/app/app.test.js',
+      '/tests/lib/templates/application-frontdoor-paths.contract.test.js',
+      '\\\\tests\\\\lib\\\\templates\\\\application-frontdoor-paths.contract.test.js',
+      'lib/templates/application-frontdoor-paths.contract.test.js',
+      'application-frontdoor-paths\\.contract\\.test\\.js',
       '/tests/lib/core/admin-secrets.test.js',
       '\\\\tests\\\\lib\\\\core\\\\admin-secrets.test.js',
       'lib/core/admin-secrets.test.js'
@@ -221,9 +225,6 @@ const isolatedProjects = [
   makeIsolatedProject('cli-utils', ['**/tests/lib/utils/cli-utils.test.js']),
   makeIsolatedProject('external-system-display', ['**/tests/lib/utils/external-system-display.test.js']),
   makeIsolatedProject('dev-hosts-helper', ['**/tests/lib/utils/dev-hosts-helper.test.js']),
-  makeIsolatedProject('declarative-url-matrix-d-reload', [
-    '**/tests/lib/utils/declarative-url-matrix-d-reload.test.js'
-  ]),
   makeIsolatedProject('parameters-validate', ['**/tests/lib/commands/parameters-validate.test.js']),
   makeIsolatedProject('paths-app-listing', ['**/tests/lib/utils/paths-app-listing.test.js']),
   makeIsolatedProject('datasource-validation-watch', [
@@ -231,7 +232,11 @@ const isolatedProjects = [
   ]),
   makeIsolatedProject('log-viewer', [
     '**/tests/lib/datasource/log-viewer.test.js',
-    '**/tests/lib/datasource/log-viewer-structural.test.js'
+    '**/tests/lib/datasource/log-viewer-structural.test.js',
+    '**/tests/lib/datasource/log-viewer-run.test.js'
+  ]),
+  makeIsolatedProject('register-aifabrix-shell-env', [
+    '**/tests/lib/utils/register-aifabrix-shell-env.test.js'
   ]),
   makeIsolatedProject('datasource-test-run-schema-sync', [
     '**/tests/lib/utils/datasource-test-run-schema-sync.test.js'
@@ -239,6 +244,9 @@ const isolatedProjects = [
   makeIsolatedProject('infra-platform-contract', [
     '**/tests/lib/parameters/infra-platform-contract.test.js'
   ]),
+  makeIsolatedProject('application-frontdoor-paths-contract', [
+    '**/tests/lib/templates/application-frontdoor-paths.contract.test.js'
+  ]),
   makeIsolatedProject('database-secret-values', [
     '**/tests/lib/parameters/database-secret-values.test.js'
   ]),
@@ -283,9 +291,6 @@ const isolatedProjects = [
   makeIsolatedProject('helpers-ensure-admin-secrets', [
     '**/tests/lib/infrastructure/helpers-ensure-admin-secrets.test.js'
   ]),
-  makeIsolatedProject('url-declarative-truth-table-124', [
-    '**/tests/lib/utils/url-declarative-truth-table-124.test.js'
-  ]),
   makeIsolatedProject('secrets-generator', ['**/tests/lib/utils/secrets-generator.test.js']),
   makeIsolatedProject('app-uncovered-lines', ['**/tests/lib/app/app-uncovered-lines.test.js']),
   makeIsolatedProject('ensure-dev-certs-for-remote-docker', [

package/lib/api/types/wizard.types.js

@@ -260,12 +260,13 @@
  * @property {string} [source.serverUrl] - MCP server URL (for mcp-server)
  * @property {string} [source.token] - MCP token (for mcp-server, supports ${ENV_VAR})
  * @property {string} [source.platform] - Known platform (for known-platform)
+ * @property {string} [source.entityName] - Entity from discover-entities (openapi-file / openapi-url); skips interactive Step 4.5 when valid
  * @property {Object} [credential] - Credential configuration
  * @property {string} credential.action - Action ('create' | 'select' | 'skip')
  * @property {string} [credential.credentialIdOrKey] - Credential ID/key (for select)
  * @property {Object} [credential.config] - Credential config (for create)
  * @property {Object} [preferences] - Generation preferences
- * @property {string} [preferences.intent] - User intent (any descriptive text)
+ * @property {string} [preferences.intent] - User intent (any descriptive text, max 1000 chars)
  * @property {string} [preferences.fieldOnboardingLevel] - Field level ('full' | 'standard' | 'minimal')
  * @property {boolean} [preferences.enableOpenAPIGeneration] - Enable OpenAPI generation
  * @property {boolean} [preferences.enableMCP] - Enable MCP

package/lib/cli/setup-app.help.js

@@ -56,7 +56,7 @@ Examples:
 Notes:
   - To run E2E for one datasource, use:
       aifabrix datasource test-e2e <datasourceKey>
-  - Optional --sync publishes local files to the dataplane first (external integration only).
+  - External integration: local system and datasource files are published to the dataplane before E2E (same as upload). Use --no-sync to exercise only config already deployed. The old --sync flag is a no-op (kept for scripts).
 `;
 
 module.exports = {

package/lib/cli/setup-app.test-commands.js

@@ -91,7 +91,7 @@ async function runExternalIntegrationE2EAndCertSync(appName, options) {
     debug: options.debug,
     verbose: options.verbose,
     async: options.async !== false,
-    sync: options.sync === true
+    noSync: options.noSync === true
   });
   const { displayIntegrationTestResults } = require('../utils/external-system-display');
   const datasourceResults = results.map(r => ({
@@ -121,10 +121,10 @@ async function runExternalIntegrationE2EAndCertSync(appName, options) {
 async function runTestE2ECommand(appName, options) {
   const pathsUtil = require('../utils/paths');
   const appType = await pathsUtil.detectAppType(appName).catch(() => null);
-  if (options.sync === true && appType && appType.baseDir === 'builder') {
+  if (options.noSync === true && appType && appType.baseDir === 'builder') {
     throw new Error(
-      'Option --sync applies only to external integration E2E (integration/<systemKey>/). ' +
-        'Remove --sync for builder app E2E, or use aifabrix upload from the integration folder first.'
+      'Option --no-sync applies only to external integration E2E (integration/<systemKey>/). ' +
+        'Remove --no-sync for builder app E2E.'
     );
   }
   if (appType && appType.baseDir === 'integration') {
@@ -166,7 +166,11 @@ function setupTestE2eCommand(program) {
     .option('-d, --debug', 'Include debug output and write log to integration/<systemKey>/logs/')
     .option(
       '--sync',
-      'Publish local system and datasource files to the dataplane before running E2E (same as aifabrix upload <systemKey>; external integration only)'
+      '(Deprecated; no-op.) Local integration files are published before E2E by default; use --no-sync to skip.'
+    )
+    .option(
+      '--no-sync',
+      'Skip publishing local integration files; E2E uses the system config already on the dataplane (external integration only)'
     )
     .option('--warnings-as-errors', 'Treat aggregate warn as failure (exit 1)')
     .option('--require-cert', 'Require certification passed on every datasource (exit 2 if not)')

package/lib/cli/setup-infra.js

@@ -18,7 +18,7 @@ const { resolveControllerUrl } = require('../utils/controller-url');
 const { handleLogin } = require('../commands/login');
 const { handleUpMiso } = require('../commands/up-miso');
 const { handleUpDataplane } = require('../commands/up-dataplane');
-const { cleanBuilderAppDirs } = require('../commands/up-common');
+const { applyUpPlatformForceConfig, cleanBuilderAppDirs } = require('../commands/up-common');
 const {
   loadInfraStatusSummary,
   formatInfraStatusTitleLine,
@@ -184,10 +184,14 @@ function setupUpPlatformCommand(program) {
     .option('-r, --registry <url>', 'Override registry for all apps (e.g. myacr.azurecr.io)')
     .option('--registry-mode <mode>', 'Override registry mode (acr|external)')
     .option('-i, --image <key>=<value>', 'Override image (e.g. keycloak=myreg/k:v1, miso-controller=myreg/m:v1, dataplane=myreg/d:v1); can be repeated', (v, prev) => (prev || []).concat([v]))
-    .option('-f, --force', 'Clean builder/keycloak, builder/miso-controller, builder/dataplane and re-fetch from templates')
+    .option(
+      '-f, --force',
+      'Reset CLI auth (clear all device/client tokens, set environment to dev, set default controller URL from developer-id), clean builder/keycloak, builder/miso-controller, builder/dataplane, then re-fetch from templates'
+    )
     .action(async(options) => {
       try {
         if (options.force) {
+          await applyUpPlatformForceConfig();
           await cleanBuilderAppDirs(['keycloak', 'miso-controller', 'dataplane']);
         }
         await handleUpMiso(options);

package/lib/cli/setup-utility.js

@@ -30,6 +30,24 @@ Examples:
   $ aifabrix validate --builder
 `;
 
+const REPAIR_HELP_AFTER = `
+Examples:
+  $ aifabrix repair hubspot-demo
+    Align manifest, system/datasource files, RBAC extract, env.template, and deploy JSON under integration/<systemKey>/.
+
+  $ aifabrix repair hubspot-demo --dry-run
+    Show what would change without writing files.
+
+  $ aifabrix repair hubspot-demo --auth oauth2
+    Set authentication method; updates the system file and env.template (oauth2, aad, apikey, basic, …).
+
+  $ aifabrix repair hubspot-demo --rbac --expose --sync --test
+    Optional datasource fixes: RBAC roles/permissions, exposed.schema from attributes, default sync block, testPayload stubs.
+
+  $ aifabrix repair hubspot-demo --doc
+    Regenerate README.md from the current deployment manifest only (other drift fixes unchanged).
+`;
+
 /**
  * Resolve app path and type for split-json (integration first, then builder).
  *
@@ -185,6 +203,7 @@ function setupRepairCommand(program) {
     .option('--expose', 'Set exposed.schema on each datasource from all fieldMappings.attributes keys (metadata.<key>); removes deprecated exposed.attributes if present')
     .option('--sync', 'Add default sync section to datasources that lack it')
     .option('--test', 'Generate testPayload.payloadTemplate and testPayload.expectedResult from attributes')
+    .addHelpText('after', REPAIR_HELP_AFTER)
     .action(async(appName, options) => {
       try {
         const { repairExternalIntegration } = require('../commands/repair');

package/lib/commands/repair-rbac.js

@@ -17,6 +17,22 @@ const { resolveRbacPath } = require('../utils/app-config-resolver');
 
 const DEFAULT_CAPABILITIES = ['list', 'get', 'create', 'update', 'delete'];
 
+/**
+ * Extracts roles and permissions from external system JSON for rbac.yaml (same rules as repair).
+ * @param {Object} system - Parsed system config
+ * @returns {Object|null} RBAC object or null
+ */
+function extractRbacFromSystem(system) {
+  if (!system || typeof system !== 'object') return null;
+  const hasRoles = system.roles && Array.isArray(system.roles) && system.roles.length > 0;
+  const hasPermissions = system.permissions && Array.isArray(system.permissions) && system.permissions.length > 0;
+  if (!hasRoles && !hasPermissions) return null;
+  const rbac = {};
+  if (hasRoles) rbac.roles = system.roles;
+  if (hasPermissions) rbac.permissions = system.permissions;
+  return rbac;
+}
+
 /**
  * Resolves capabilities from datasource (array or legacy object).
  * @param {Object} parsed - Parsed datasource
@@ -24,9 +40,15 @@ const DEFAULT_CAPABILITIES = ['list', 'get', 'create', 'update', 'delete'];
  */
 function getCapabilitiesFromDatasource(parsed) {
   const cap = parsed?.capabilities;
-  if (Array.isArray(cap)) return cap.filter(c => typeof c === 'string');
+  if (Array.isArray(cap)) {
+    const arr = cap.filter(c => typeof c === 'string');
+    if (arr.length > 0) return arr;
+    return [...DEFAULT_CAPABILITIES];
+  }
   if (cap && typeof cap === 'object') {
-    return Object.keys(cap).filter(k => cap[k] === true);
+    const keys = Object.keys(cap).filter(k => cap[k] === true);
+    if (keys.length > 0) return keys;
+    return [...DEFAULT_CAPABILITIES];
   }
   return [...DEFAULT_CAPABILITIES];
 }
@@ -159,6 +181,7 @@ function mergeRbacFromDatasources(appPath, systemParsed, datasourceFiles, extrac
 }
 
 module.exports = {
+  extractRbacFromSystem,
   getCapabilitiesFromDatasource,
   mergeRbacFromDatasources
 };

package/lib/commands/repair.js

@@ -26,7 +26,7 @@ const generator = require('../generator');
 const { repairEnvTemplate, normalizeSystemFileAuthAndConfig } = require('./repair-env-template');
 const { generateReadmeFromDeployJson } = require('../generator/split-readme');
 const { repairDatasourceFile } = require('./repair-datasource');
-const { mergeRbacFromDatasources } = require('./repair-rbac');
+const { mergeRbacFromDatasources, extractRbacFromSystem } = require('./repair-rbac');
 const { discoverIntegrationFiles, buildEffectiveDatasourceFiles } = require('./repair-internal');
 const { normalizeDatasourceKeysAndFilenames } = require('./repair-datasource-keys');
 
@@ -49,22 +49,6 @@ function inferExternalReadmeFileExt(appPath) {
   return '.json';
 }
 
-/**
- * Extracts roles and permissions from system object for rbac.yaml
- * @param {Object} system - Parsed system config
- * @returns {Object|null} RBAC object or null
- */
-function extractRbacFromSystem(system) {
-  if (!system || typeof system !== 'object') return null;
-  const hasRoles = system.roles && Array.isArray(system.roles) && system.roles.length > 0;
-  const hasPermissions = system.permissions && Array.isArray(system.permissions) && system.permissions.length > 0;
-  if (!hasRoles && !hasPermissions) return null;
-  const rbac = {};
-  if (hasRoles) rbac.roles = system.roles;
-  if (hasPermissions) rbac.permissions = system.permissions;
-  return rbac;
-}
-
 /**
  * Loads first system file and returns parsed object with key
  * @param {string} appPath - Application path

package/lib/commands/test-e2e-external.js

@@ -85,13 +85,14 @@ function getDatasourceKeys(appPath, configPath, variables, systemKey, systemPars
 }
 
 /**
- * Full upload to dataplane when --sync (same path as `aifabrix upload <systemKey>`).
+ * Publish local integration files to the dataplane before E2E (same path as `aifabrix upload <systemKey>`),
+ * unless ``options.noSync`` is true.
  * @param {string} systemKey
  * @param {Object} options
  * @returns {Promise<void>}
  */
 async function syncLocalIfRequested(systemKey, options) {
-  if (options.sync !== true) return;
+  if (options.noSync === true) return;
   logger.log(chalk.cyan('Syncing local config to dataplane…'));
   const { uploadExternalSystem } = require('./upload');
   await uploadExternalSystem(systemKey, {
@@ -112,7 +113,7 @@ async function syncLocalIfRequested(systemKey, options) {
  * @param {boolean} [options.debug] - Include debug, write log
  * @param {boolean} [options.verbose] - Verbose output
  * @param {boolean} [options.async] - If false, sync mode (default true)
- * @param {boolean} [options.sync] - When true, run full upload (`uploadExternalSystem`) before per-datasource E2E
+ * @param {boolean} [options.noSync] - When true, skip upload (E2E uses dataplane config already deployed)
  * @returns {Promise<{ success: boolean, results: Array<{ key: string, success: boolean, error?: string }> }>}
  */
 async function runTestE2EForExternalSystem(externalSystem, options = {}) {

package/lib/commands/up-common.js

@@ -13,6 +13,8 @@ const path = require('path');
 const fs = require('fs');
 const chalk = require('chalk');
 const logger = require('../utils/logger');
+const config = require('../core/config');
+const { getDefaultControllerUrl } = require('../utils/controller-url');
 const pathsUtil = require('../utils/paths');
 const { loadConfigFile, writeConfigFile } = require('../utils/config-format');
 const { isYamlPath } = require('../utils/config-format');
@@ -166,6 +168,28 @@ function patchEnvOutputPathForDeployOnly(appName) {
   }
 }
 
+/**
+ * For ``up-platform --force`` only: clear all stored auth tokens, set ``environment`` to ``dev``,
+ * set ``controller`` to the default URL for the current ``developer-id`` (``http://localhost`` +
+ * app port = 3000 + developerId × 100), and persist config. Does not change ``developer-id``.
+ * Builder dirs (keycloak, miso-controller, dataplane) are cleaned separately.
+ *
+ * @returns {Promise<void>}
+ */
+async function applyUpPlatformForceConfig() {
+  const deviceCleared = await config.clearAllDeviceTokens();
+  const clientCleared = await config.clearAllClientTokens();
+  await config.setCurrentEnvironment('dev');
+  const defaultControllerUrl = await getDefaultControllerUrl();
+  await config.setControllerUrl(defaultControllerUrl);
+  logger.log(
+    chalk.blue(
+      `--force: cleared ${deviceCleared} device token(s) and ${clientCleared} client token(s); ` +
+        `environment set to dev; default controller set to ${defaultControllerUrl} (run aifabrix login after platform is up)`
+    )
+  );
+}
+
 /**
  * Removes builder app directories for the given app names. Only removes paths under the builder root
  * to prevent path traversal. Uses getBuilderPath for each app and validates before removal.
@@ -231,6 +255,7 @@ async function ensureAppFromTemplate(appName) {
 }
 
 module.exports = {
+  applyUpPlatformForceConfig,
   cleanBuilderAppDirs,
   ensureAppFromTemplate,
   patchEnvOutputPathForDeployOnly,

package/lib/commands/wizard-core.js

@@ -275,7 +275,8 @@ async function handleTypeDetection(dataplaneUrl, authConfig, openapiSpec) {
  * @param {string} [options.systemIdOrKey] - System ID or key (optional)
  * @param {string} [options.sourceType] - Source type (use 'known-platform' to call platforms config endpoint)
  * @param {string} [options.platformKey] - Platform key for known-platform (e.g. 'hubspot')
- * @param {string} [options.appName] - App name for writing debug.log when debug=true
+ * @param {string} [options.appName] - Integration app key; for create-system, used as systemIdOrKey
+ *   when not set so kv paths match the folder (avoids spec-title keys like "companies")
  * @returns {Promise<Object>} Generated configuration
  */
 async function callGenerateApi(dataplaneUrl, authConfig, options, prefs) {
@@ -291,13 +292,19 @@ async function callGenerateApi(dataplaneUrl, authConfig, options, prefs) {
     });
     return await getPlatformConfig(dataplaneUrl, authConfig, options.platformKey, platformPayload);
   }
+  // Headless/interactive create-system uses appName as integration folder key; OpenAPI title alone
+  // can yield a wrong system key (e.g. title "Companies" → "companies"). Prefer appName when set.
+  let systemIdOrKeyForPayload = options.systemIdOrKey;
+  if (options.mode === 'create-system' && options.appName) {
+    systemIdOrKeyForPayload = systemIdOrKeyForPayload || options.appName;
+  }
   const configPayload = buildConfigPayload({
     openapiSpec: options.openapiSpec,
     detectedType: options.detectedType,
     mode: options.mode,
     prefs,
     credentialIdOrKey: options.credentialIdOrKey,
-    systemIdOrKey: options.systemIdOrKey,
+    systemIdOrKey: systemIdOrKeyForPayload,
     entityName: options.entityName,
     systemDisplayName: options.systemDisplayName
   });
@@ -410,6 +417,39 @@ async function tryUpdateReadmeFromDeploymentDocs(appPath, appName, dataplaneUrl,
   }
 }
 
+/**
+ * Writes rbac.yaml / rbac.json from datasource resourceType + capabilities (same as `af repair --rbac`).
+ * @param {Object} generatedFiles - Result of generateWizardFiles (appPath, systemFilePath, datasourceFilePaths)
+ * @param {string} format - Project format: yaml | json
+ */
+function logWizardFileSaveFooter(appName, generatedFiles) {
+  logger.log(chalk.green('\n\u2713 Wizard completed successfully!'));
+  logger.log(chalk.green(`\nFiles created in: ${generatedFiles.appPath}`));
+  logger.log(chalk.blue('\nNext steps:'));
+  logger.log(chalk.gray(`  1. Review the generated files in integration/${appName}/`));
+  logger.log(chalk.gray('  2. Update env.template with your authentication details'));
+  logger.log(chalk.gray(`  3. Deploy using: node deploy.js or aifabrix deploy ${appName}`));
+}
+
+function mergeRbacAfterWizardFilesWritten(generatedFiles, format) {
+  const { mergeRbacFromDatasources, extractRbacFromSystem } = require('./repair-rbac');
+  const { loadConfigFile } = require('../utils/config-format');
+  const systemParsedForRbac = loadConfigFile(generatedFiles.systemFilePath);
+  const datasourceFileNames = (generatedFiles.datasourceFilePaths || []).map((p) => path.basename(p));
+  const rbacChanges = [];
+  const rbacUpdated = mergeRbacFromDatasources(
+    generatedFiles.appPath,
+    systemParsedForRbac,
+    datasourceFileNames,
+    extractRbacFromSystem,
+    { format: format === 'json' ? 'json' : 'yaml', dryRun: false, changes: rbacChanges }
+  );
+  if (rbacUpdated && rbacChanges.length) {
+    rbacChanges.forEach((c) => logger.log(chalk.gray(`  RBAC: ${c}`)));
+    logger.log(chalk.green('  RBAC file updated from datasource capabilities (enableRBAC).'));
+  }
+}
+
 /**
  * Handle file saving step
  * @async
@@ -418,17 +458,24 @@ async function tryUpdateReadmeFromDeploymentDocs(appPath, appName, dataplaneUrl,
  * @param {Object} systemConfig - System configuration
  * @param {Object[]} datasourceConfigs - Datasource configurations
  * @param {string} systemKey - System key
- * @param {string} dataplaneUrl - Dataplane URL
- * @param {Object} authConfig - Authentication configuration
+ * @param {{ dataplaneUrl: string, authConfig: Object, enableRBAC?: boolean }} ctx - Dataplane auth + optional RBAC generation
  * @returns {Promise<Object>} Generated files information
  */
-async function handleFileSaving(appName, systemConfig, datasourceConfigs, systemKey, dataplaneUrl, authConfig) {
+async function handleFileSaving(appName, systemConfig, datasourceConfigs, systemKey, ctx) {
+  const { dataplaneUrl, authConfig, enableRBAC = false } = ctx || {};
   logger.log(chalk.blue('\n\uD83D\uDCCB Step 7: Save Files'));
   const spinner = ora('Saving files...').start();
   try {
     const config = require('../core/config');
     const format = (await config.getFormat()) || 'yaml';
     const generatedFiles = await generateWizardFiles(appName, systemConfig, datasourceConfigs, systemKey, { aiGeneratedReadme: null, format });
+    if (enableRBAC && generatedFiles.appPath && generatedFiles.systemFilePath) {
+      try {
+        mergeRbacAfterWizardFilesWritten(generatedFiles, format);
+      } catch (e) {
+        logger.log(chalk.yellow(`  Could not generate RBAC file: ${e.message}`));
+      }
+    }
     if (systemKey && dataplaneUrl && authConfig && generatedFiles.appPath) {
       try {
         await tryUpdateReadmeFromDeploymentDocs(generatedFiles.appPath, appName, dataplaneUrl, authConfig, systemKey);
@@ -437,12 +484,7 @@ async function handleFileSaving(appName, systemConfig, datasourceConfigs, system
       }
     }
     spinner.stop();
-    logger.log(chalk.green('\n\u2713 Wizard completed successfully!'));
-    logger.log(chalk.green(`\nFiles created in: ${generatedFiles.appPath}`));
-    logger.log(chalk.blue('\nNext steps:'));
-    logger.log(chalk.gray(`  1. Review the generated files in integration/${appName}/`));
-    logger.log(chalk.gray('  2. Update env.template with your authentication details'));
-    logger.log(chalk.gray(`  3. Deploy using: node deploy.js or aifabrix deploy ${appName}`));
+    logWizardFileSaveFooter(appName, generatedFiles);
     return generatedFiles;
   } catch (error) {
     spinner.stop();

package/lib/commands/wizard-entity-selection.js

@@ -10,30 +10,87 @@ const { discoverEntities } = require('../api/wizard.api');
 const { validateEntityNameForOpenApi } = require('../validation/wizard-datasource-validation');
 const { promptForEntitySelection } = require('../generator/wizard-prompts');
 
+/**
+ * If wizard.yaml entity name matches discover-entities list, use it; else warn.
+ * @param {string} trimmed - Trimmed entity name from prefill
+ * @param {Array<{name: string}>} entities - Discovered entities
+ * @returns {string|null} Resolved name or null to prompt
+ */
+function resolvePrefillEntityName(trimmed, entities) {
+  const prefillCheck = validateEntityNameForOpenApi(trimmed, entities);
+  if (prefillCheck.valid) {
+    logger.log(chalk.gray(
+      `Using entity from wizard.yaml (${trimmed}). Skipping entity prompts.`
+    ));
+    logger.log(chalk.green(`\u2713 Selected entity: ${trimmed}`));
+    return trimmed;
+  }
+  logger.log(chalk.yellow(
+    `Warning: wizard.yaml source.entityName '${trimmed}' is not in the discover-entities list; choose manually.`
+  ));
+  return null;
+}
+
+/**
+ * Prompt for entity and validate against list.
+ * @param {Array<{name: string}>} entities - Discovered entities
+ * @returns {Promise<string>} Valid entity name
+ */
+async function promptForValidatedEntity(entities) {
+  const entityName = await promptForEntitySelection(entities);
+  const validation = validateEntityNameForOpenApi(entityName, entities);
+  if (!validation.valid) {
+    throw new Error(`Invalid entity '${entityName}'. Available: ${entities.map(e => e.name).join(', ')}`);
+  }
+  logger.log(chalk.green(`\u2713 Selected entity: ${entityName}`));
+  return entityName;
+}
+
+/**
+ * Discover entities and select one (single-entity shortcut, prefill, or prompt).
+ * @param {string} dataplaneUrl - Dataplane URL
+ * @param {Object} authConfig - Authentication configuration
+ * @param {Object} openapiSpec - OpenAPI specification
+ * @param {string} [prefillEntityName] - From wizard.yaml `source.entityName` when valid
+ * @returns {Promise<string|null>} Selected entity name or null (skip)
+ */
+async function discoverAndSelectEntity(dataplaneUrl, authConfig, openapiSpec, prefillEntityName) {
+  const response = await discoverEntities(dataplaneUrl, authConfig, openapiSpec);
+  const entities = response?.data?.entities;
+  if (!Array.isArray(entities) || entities.length === 0) return null;
+
+  logger.log(chalk.blue('\n\uD83D\uDCCB Step 4.5: Select Entity'));
+
+  if (entities.length === 1) {
+    const only = entities[0].name;
+    logger.log(chalk.green(`\u2713 Only one entity discovered; using: ${only}`));
+    return only;
+  }
+
+  const trimmed =
+    typeof prefillEntityName === 'string' ? prefillEntityName.trim() : '';
+  if (trimmed) {
+    const resolved = resolvePrefillEntityName(trimmed, entities);
+    if (resolved) return resolved;
+  }
+
+  return promptForValidatedEntity(entities);
+}
+
 /**
  * Handle entity selection step (OpenAPI multi-entity).
- * Calls discover-entities; if entities found, prompts user to select one.
+ * Calls discover-entities; prompts unless prefill or a single entity applies.
  * @async
  * @param {string} dataplaneUrl - Dataplane URL
  * @param {Object} authConfig - Authentication configuration
  * @param {Object} openapiSpec - OpenAPI specification
+ * @param {string} [prefillEntityName] - From wizard.yaml `source.entityName` when valid
  * @returns {Promise<string|null>} Selected entity name or null (skip)
  */
-async function handleEntitySelection(dataplaneUrl, authConfig, openapiSpec) {
+async function handleEntitySelection(dataplaneUrl, authConfig, openapiSpec, prefillEntityName) {
   if (!openapiSpec || typeof openapiSpec !== 'object') return null;
   try {
-    const response = await discoverEntities(dataplaneUrl, authConfig, openapiSpec);
-    const entities = response?.data?.entities;
-    if (!Array.isArray(entities) || entities.length === 0) return null;
-
-    logger.log(chalk.blue('\n\uD83D\uDCCB Step 4.5: Select Entity'));
-    const entityName = await promptForEntitySelection(entities);
-    const validation = validateEntityNameForOpenApi(entityName, entities);
-    if (!validation.valid) {
-      throw new Error(`Invalid entity '${entityName}'. Available: ${entities.map(e => e.name).join(', ')}`);
-    }
-    logger.log(chalk.green(`\u2713 Selected entity: ${entityName}`));
-    return entityName;
+    return await discoverAndSelectEntity(dataplaneUrl, authConfig, openapiSpec, prefillEntityName);
   } catch (error) {
     logger.log(chalk.yellow(`Warning: Entity discovery failed, using default: ${error.message}`));
     return null;

package/lib/commands/wizard-headless.js

@@ -111,8 +111,11 @@ async function executeWizardFromConfig(wizardConfig, dataplaneUrl, authConfig, o
     systemConfig,
     datasourceConfigs,
     systemKey || appName,
-    dataplaneUrl,
-    authConfig
+    {
+      dataplaneUrl,
+      authConfig,
+      enableRBAC: Boolean(preferences?.enableRBAC)
+    }
   );
 }
 

package/lib/commands/wizard-helpers.js

@@ -47,6 +47,12 @@ function buildSourceForSave(source) {
     out.token = source.token ? '(set)' : undefined;
   }
   if (source.type === 'known-platform' && source.platform) out.platform = source.platform;
+  if (
+    (source.type === 'openapi-file' || source.type === 'openapi-url') &&
+    source.entityName
+  ) {
+    out.entityName = source.entityName;
+  }
   return out;
 }
 
@@ -75,7 +81,13 @@ function buildWizardStateForSave(opts) {
 function formatSourceLine(source) {
   if (!source) return null;
   const s = source;
-  return s.type + (s.filePath ? ` (${s.filePath})` : s.url ? ` (${s.url})` : s.platform ? ` (${s.platform})` : '');
+  let line =
+    s.type +
+    (s.filePath ? ` (${s.filePath})` : s.url ? ` (${s.url})` : s.platform ? ` (${s.platform})` : '');
+  if (s.entityName && (s.type === 'openapi-file' || s.type === 'openapi-url')) {
+    line += ` [entity: ${s.entityName}]`;
+  }
+  return line;
 }
 
 /**