npm - @aifabrix/builder - Versions diffs - 2.44.5 → 2.45.0 - Mend

@aifabrix/builder 2.44.5 → 2.45.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (249) hide show

package/.cursor/rules/cli-layout.mdc +8 -4
package/.cursor/rules/project-rules.mdc +1 -1
package/README.md +15 -23
package/integration/hubspot-test/README.md +2 -0
package/integration/hubspot-test/test.js +5 -3
package/jest.projects.js +104 -2
package/lib/api/controller-health.api.js +49 -0
package/lib/api/dimension-values.api.js +82 -0
package/lib/api/dimensions.api.js +114 -0
package/lib/api/external-systems.api.js +1 -0
package/lib/api/integration-clients.api.js +168 -0
package/lib/api/types/dimension-values.types.js +28 -0
package/lib/api/types/dimensions.types.js +31 -0
package/lib/api/types/integration-clients.types.js +45 -0
package/lib/api/validation-runner.js +46 -25
package/lib/app/deploy-config.js +11 -1
package/lib/app/deploy-status-display.js +3 -3
package/lib/app/deploy.js +36 -14
package/lib/app/display.js +15 -11
package/lib/app/helpers.js +3 -3
package/lib/app/index.js +3 -3
package/lib/app/push.js +46 -23
package/lib/app/register.js +7 -6
package/lib/app/restart-display.js +126 -0
package/lib/app/rotate-secret.js +7 -6
package/lib/app/run-container-start.js +12 -6
package/lib/app/run-env-compose.js +30 -1
package/lib/app/run-helpers.js +58 -19
package/lib/app/run-reload-sync.js +148 -0
package/lib/app/run-resolve-image.js +51 -1
package/lib/app/run.js +148 -74
package/lib/app/show-display.js +7 -0
package/lib/app/show.js +87 -5
package/lib/build/index.js +83 -49
package/lib/cli/doctor-check.js +117 -0
package/lib/cli/index.js +8 -2
package/lib/cli/infra-guided.js +460 -0
package/lib/cli/installation-log-command.js +73 -0
package/lib/cli/setup-app.js +31 -3
package/lib/cli/setup-auth.js +98 -27
package/lib/cli/setup-dev-path-commands.js +50 -3
package/lib/cli/setup-infra-up-dataplane-action.js +111 -0
package/lib/cli/setup-infra-up-platform-action.js +131 -0
package/lib/cli/setup-infra.js +132 -118
package/lib/cli/setup-integration-client.js +182 -0
package/lib/cli/setup-parameters.js +21 -2
package/lib/cli/setup-platform.js +102 -0
package/lib/cli/setup-secrets.js +18 -6
package/lib/cli/setup-utility-resolve.js +132 -0
package/lib/cli/setup-utility.js +143 -84
package/lib/commands/app-logs.js +81 -33
package/lib/commands/auth-config.js +116 -18
package/lib/commands/datasource-capability-dimension-cli.js +128 -0
package/lib/commands/datasource-capability-output.js +29 -0
package/lib/commands/datasource-capability-relate-cli.js +140 -0
package/lib/commands/datasource-capability.js +411 -0
package/lib/commands/datasource-unified-test-cli.options.js +1 -1
package/lib/commands/datasource.js +53 -13
package/lib/commands/dev-down.js +3 -3
package/lib/commands/dev-infra-gate.js +32 -0
package/lib/commands/dev-init.js +13 -7
package/lib/commands/dimension-value.js +179 -0
package/lib/commands/dimension.js +330 -0
package/lib/commands/integration-client.js +430 -0
package/lib/commands/login-device.js +65 -30
package/lib/commands/login.js +21 -10
package/lib/commands/parameters-validate.js +78 -13
package/lib/commands/repair-datasource-auto-rbac.js +166 -0
package/lib/commands/repair-datasource-keys.js +10 -5
package/lib/commands/repair-datasource.js +19 -7
package/lib/commands/repair-env-template.js +4 -1
package/lib/commands/repair-openapi-sync.js +172 -0
package/lib/commands/repair-persist.js +102 -0
package/lib/commands/repair-rbac-extract.js +27 -0
package/lib/commands/repair-rbac-migrate.js +186 -0
package/lib/commands/repair-rbac.js +214 -31
package/lib/commands/repair-system-alignment.js +246 -0
package/lib/commands/repair-system-permissions.js +168 -0
package/lib/commands/repair.js +120 -338
package/lib/commands/secure.js +1 -1
package/lib/commands/setup-modes.js +468 -0
package/lib/commands/setup-prompts.js +421 -0
package/lib/commands/setup.js +254 -0
package/lib/commands/teardown.js +277 -0
package/lib/commands/up-common.js +113 -19
package/lib/commands/up-dataplane.js +44 -19
package/lib/commands/up-miso.js +18 -18
package/lib/commands/upload.js +111 -23
package/lib/commands/wizard-core-helpers.js +14 -11
package/lib/commands/wizard-core.js +6 -5
package/lib/commands/wizard-dataplane.js +2 -2
package/lib/commands/wizard-entity-selection.js +4 -3
package/lib/commands/wizard-headless.js +2 -1
package/lib/commands/wizard.js +2 -1
package/lib/constants/infra-compose-service-names.js +40 -0
package/lib/core/audit-logger.js +1 -34
package/lib/core/config-admin-email.js +56 -0
package/lib/core/config-normalize.js +60 -0
package/lib/core/config-registered-controller-urls.js +54 -0
package/lib/core/config.js +33 -50
package/lib/core/env-reader.js +16 -3
package/lib/core/secrets-admin-env.js +101 -0
package/lib/core/secrets-ensure-infra.js +34 -1
package/lib/core/secrets-ensure.js +88 -66
package/lib/core/secrets-env-content.js +428 -0
package/lib/core/secrets-env-declarative-expand.js +170 -0
package/lib/core/secrets-env-write.js +29 -1
package/lib/core/secrets-load.js +252 -0
package/lib/core/secrets-names.js +32 -0
package/lib/core/secrets.js +17 -757
package/lib/datasource/capability/basic-exposure.js +76 -0
package/lib/datasource/capability/capability-diff-slice.js +41 -0
package/lib/datasource/capability/capability-key.js +34 -0
package/lib/datasource/capability/capability-resolve.js +172 -0
package/lib/datasource/capability/capability-storage-keys.js +22 -0
package/lib/datasource/capability/copy-operations.js +348 -0
package/lib/datasource/capability/copy-test-payload.js +139 -0
package/lib/datasource/capability/create-operations.js +235 -0
package/lib/datasource/capability/dimension-operations.js +151 -0
package/lib/datasource/capability/dimension-validate.js +219 -0
package/lib/datasource/capability/json-pointer.js +31 -0
package/lib/datasource/capability/reference-rewrite.js +51 -0
package/lib/datasource/capability/relate-operations.js +325 -0
package/lib/datasource/capability/relate-validate.js +219 -0
package/lib/datasource/capability/remove-operations.js +275 -0
package/lib/datasource/capability/run-capability-copy.js +152 -0
package/lib/datasource/capability/run-capability-diff.js +135 -0
package/lib/datasource/capability/run-capability-dimension.js +291 -0
package/lib/datasource/capability/run-capability-edit.js +377 -0
package/lib/datasource/capability/run-capability-relate.js +193 -0
package/lib/datasource/capability/run-capability-remove.js +105 -0
package/lib/datasource/capability/templates/minimal-fetch.json +18 -0
package/lib/datasource/capability/validate-capability-slice.js +35 -0
package/lib/datasource/list.js +136 -23
package/lib/datasource/log-viewer.js +2 -4
package/lib/datasource/unified-validation-run.js +51 -16
package/lib/datasource/validate.js +53 -1
package/lib/deployment/deploy-poll-ui.js +60 -0
package/lib/deployment/deployer-status.js +29 -3
package/lib/deployment/deployer.js +48 -30
package/lib/deployment/environment.js +7 -2
package/lib/deployment/poll-interval.js +72 -0
package/lib/deployment/push.js +11 -9
package/lib/external-system/deploy.js +9 -2
package/lib/external-system/download.js +61 -32
package/lib/external-system/sync-deploy-manifest.js +33 -0
package/lib/infrastructure/index.js +49 -19
package/lib/infrastructure/orphan-infra-docker-teardown.js +177 -0
package/lib/internal/node-fs.js +2 -0
package/lib/parameters/infra-kv-discovery.js +29 -4
package/lib/parameters/infra-parameter-catalog.js +6 -3
package/lib/parameters/infra-parameter-validate.js +67 -19
package/lib/resolvers/datasource-resolver.js +53 -0
package/lib/resolvers/dimension-file.js +52 -0
package/lib/resolvers/manifest-resolver.js +133 -0
package/lib/schema/application-schema.json +4 -0
package/lib/schema/external-datasource.schema.json +183 -53
package/lib/schema/external-system.schema.json +23 -10
package/lib/schema/infra.parameter.yaml +26 -1
package/lib/schema/wizard-config.schema.json +1 -1
package/lib/utils/aifabrix-config-dir-walk.js +40 -0
package/lib/utils/aifabrix-runtime-config-dir.js +26 -3
package/lib/utils/app-config-resolver.js +24 -1
package/lib/utils/app-run-containers.js +2 -2
package/lib/utils/applications-config-defaults.js +206 -0
package/lib/utils/auth-config-validator.js +2 -12
package/lib/utils/bash-secret-env.js +59 -0
package/lib/utils/cli-secrets-error-format.js +78 -0
package/lib/utils/cli-test-layout-chalk.js +31 -9
package/lib/utils/cli-utils.js +4 -36
package/lib/utils/compose-generate-docker-compose.js +111 -6
package/lib/utils/compose-generator.js +17 -8
package/lib/utils/controller-url.js +50 -7
package/lib/utils/datasource-test-run-display.js +8 -0
package/lib/utils/dev-hosts-helper.js +3 -2
package/lib/utils/dev-init-ssh-merge.js +2 -1
package/lib/utils/docker-build.js +17 -9
package/lib/utils/docker-reload-mount.js +127 -0
package/lib/utils/env-copy.js +99 -14
package/lib/utils/env-template.js +5 -1
package/lib/utils/external-readme.js +71 -2
package/lib/utils/external-system-local-test-tty.js +3 -2
package/lib/utils/external-system-readiness-core.js +45 -12
package/lib/utils/external-system-readiness-deploy-display.js +3 -3
package/lib/utils/external-system-readiness-display-internals.js +33 -3
package/lib/utils/external-system-readiness-display.js +10 -1
package/lib/utils/file-upload.js +40 -3
package/lib/utils/health-check-db-init.js +107 -0
package/lib/utils/health-check-public-warn.js +69 -0
package/lib/utils/health-check-url.js +28 -10
package/lib/utils/health-check.js +139 -107
package/lib/utils/help-builder.js +5 -1
package/lib/utils/image-name.js +34 -7
package/lib/utils/infra-optional-service-flags.js +69 -0
package/lib/utils/installation-log-core.js +282 -0
package/lib/utils/installation-log-record.js +237 -0
package/lib/utils/installation-log.js +123 -0
package/lib/utils/integration-file-backup.js +74 -0
package/lib/utils/log-redaction.js +105 -0
package/lib/utils/manifest-location.js +164 -0
package/lib/utils/manifest-source-emit.js +162 -0
package/lib/utils/mutagen-install.js +30 -3
package/lib/utils/paths.js +308 -76
package/lib/utils/postgres-wipe.js +212 -0
package/lib/utils/register-aifabrix-shell-env.js +15 -0
package/lib/utils/remote-dev-auth.js +21 -5
package/lib/utils/remote-docker-env.js +9 -1
package/lib/utils/remote-secrets-loader.js +49 -4
package/lib/utils/resolve-docker-image-ref.js +9 -3
package/lib/utils/run-cli-flags.js +29 -0
package/lib/utils/secrets-ancestor-paths.js +47 -0
package/lib/utils/secrets-canonical.js +10 -3
package/lib/utils/secrets-helpers.js +17 -10
package/lib/utils/secrets-kv-refs.js +42 -0
package/lib/utils/secrets-kv-scope.js +19 -2
package/lib/utils/secrets-materialize-local.js +134 -0
package/lib/utils/secrets-path.js +26 -13
package/lib/utils/secrets-utils.js +20 -10
package/lib/utils/system-builder-root.js +42 -0
package/lib/utils/url-declarative-public-base.js +80 -12
package/lib/utils/url-declarative-resolve-build-urls.js +238 -0
package/lib/utils/url-declarative-resolve-build.js +24 -388
package/lib/utils/url-declarative-resolve-expand-token.js +189 -0
package/lib/utils/url-declarative-resolve-load-doc.js +12 -3
package/lib/utils/url-declarative-resolve-surface-state.js +102 -0
package/lib/utils/url-declarative-resolve.js +47 -7
package/lib/utils/url-declarative-runtime-base-path.js +52 -0
package/lib/utils/url-declarative-vdir-inactive-env.js +2 -1
package/lib/utils/urls-local-registry-scan.js +103 -0
package/lib/utils/urls-local-registry.js +158 -76
package/lib/utils/validation-poll-ui.js +81 -0
package/lib/utils/validation-run-poll.js +29 -5
package/lib/utils/with-muted-logger.js +53 -0
package/package.json +3 -1
package/templates/applications/dataplane/application.yaml +5 -1
package/templates/applications/dataplane/rbac.yaml +10 -10
package/templates/applications/keycloak/env.template +8 -6
package/templates/applications/miso-controller/application.yaml +9 -0
package/templates/applications/miso-controller/env.template +27 -29
package/templates/applications/miso-controller/rbac.yaml +9 -9
package/templates/external-system/README.md.hbs +83 -123
package/.npmrc.token +0 -1
package/.nyc_output/55e9d034-ddab-4579-a706-e02a91d75c91.json +0 -1
package/.nyc_output/processinfo/55e9d034-ddab-4579-a706-e02a91d75c91.json +0 -1
package/.nyc_output/processinfo/index.json +0 -1
package/lib/api/service-users.api.js +0 -150
package/lib/api/types/service-users.types.js +0 -65
package/lib/cli/setup-service-user.js +0 -187
package/lib/commands/service-user.js +0 -429

package/lib/utils/env-copy.js CHANGED Viewed

@@ -11,6 +11,7 @@ const { formatSuccessLine } = require('./cli-test-layout-chalk');
 const fs = require('fs');
 const fsp = require('fs').promises;
+const fsRealSync = require('../internal/fs-real-sync');
 const path = require('path');
 const yaml = require('js-yaml');
 const logger = require('./logger');
@@ -98,22 +99,37 @@ function resolveEnvOutputPath(rawOutputPath, variablesPath) {
 }
 /**
- * Writes .env to envOutputPath for reload path: merge run .env into existing file.
+ * Writes .env to envOutputPath for `--reload`: merge container `.env.run` into the host file.
+ * Preserves comments when a file already exists (e.g. after `aifabrix resolve`). Keys present only
+ * in `.env.run` (compose-only such as DB_0_NAME) are **not** appended unless they already exist as
+ * `KEY=` lines in the base file. If the output file is missing, seeds from `generateEnvContent`
+ * (`local`) so the host file keeps template comments and localhost-oriented URLs.
+ *
  * @async
  * @param {string} outputPath - Resolved output path
  * @param {string} runEnvPath - Path to .env.run
+ * @param {string} appName - Application name (for template seed when output is absent)
  */
-async function writeEnvOutputForReload(outputPath, runEnvPath) {
-  const { parseEnvContentToMap, mergeEnvMapIntoContent } = require('../core/secrets');
+async function writeEnvOutputForReload(outputPath, runEnvPath, appName) {
+  const { parseEnvContentToMap, mergeEnvMapIntoContent, generateEnvContent } = require('../core/secrets');
   const runContent = await fsp.readFile(runEnvPath, 'utf8');
   const runMap = parseEnvContentToMap(runContent);
-  let toWrite = runContent;
-  if (fs.existsSync(outputPath)) {
-    const existingContent = await fsp.readFile(outputPath, 'utf8');
-    toWrite = mergeEnvMapIntoContent(existingContent, runMap);
+  let baseContent;
+  if (fsRealSync.existsSync(outputPath)) {
+    baseContent = await fsp.readFile(outputPath, 'utf8');
+  } else if (appName) {
+    baseContent = await generateEnvContent(appName, null, 'local', false);
+    baseContent = substituteMntDataForLocal(baseContent, outputPath);
+  } else {
+    baseContent = runContent;
   }
+  const toWrite = mergeEnvMapIntoContent(baseContent, runMap, { appendMissingFromNewMap: false });
   await fsp.writeFile(outputPath, toWrite, { mode: 0o600 });
-  logger.log(formatSuccessLine(`Wrote .env to envOutputPath (same as container, for --reload): ${outputPath}`));
+  logger.log(
+    formatSuccessLine(
+      `Wrote .env to envOutputPath (--reload: merged container env; no extra keys): ${outputPath}`
+    )
+  );
 }
 /**
@@ -245,6 +261,30 @@ async function patchEnvContentForLocal(envContent, variables) {
   return envContent;
 }
+/**
+ * Copy the just-written builder `<appPath>/.env` to `build.envOutputPath` so both files
+ * share the same resolution pass (no second `generateEnvContent` with a different environment).
+ * Applies {@link substituteMntDataForLocal} for host paths; merges into an existing output file
+ * when present (preserves comments).
+ *
+ * @async
+ * @param {string} envPath - Path to `<appPath>/.env` (already written)
+ * @param {string} outputPath - Resolved `build.envOutputPath`
+ * @param {string} envOutputPathLabel - Label for log (e.g. raw `build.envOutputPath` value)
+ */
+async function syncWrittenBuilderEnvToOutputPath(envPath, outputPath, envOutputPathLabel) {
+  const { parseEnvContentToMap, mergeEnvMapIntoContent } = require('../core/secrets');
+  const raw = fs.readFileSync(envPath, 'utf8');
+  const synced = substituteMntDataForLocal(raw, outputPath);
+  let toWrite = synced;
+  if (fs.existsSync(outputPath)) {
+    const existingContent = fs.readFileSync(outputPath, 'utf8');
+    toWrite = mergeEnvMapIntoContent(existingContent, parseEnvContentToMap(synced));
+  }
+  fs.writeFileSync(outputPath, toWrite, { mode: 0o600 });
+  logger.log(formatSuccessLine(`Copied resolved .env to envOutputPath (${envOutputPathLabel})`));
+}
 /**
  * Write regenerated local .env to output path (merge with existing if present).
  * @async
@@ -252,10 +292,12 @@ async function patchEnvContentForLocal(envContent, variables) {
  * @param {string} appName - Application name
  * @param {string} [secretsPath] - Path to secrets file (optional)
  * @param {string} envOutputPathLabel - Label for log message (e.g. variables.build.envOutputPath)
+ * @param {Object} [extraOpts] - Optional: `appPath` for {@link module:lib/core/secrets-env-content.generateEnvContent}
  */
-async function writeLocalEnvToOutputPath(outputPath, appName, secretsPath, envOutputPathLabel) {
+async function writeLocalEnvToOutputPath(outputPath, appName, secretsPath, envOutputPathLabel, extraOpts = {}) {
   const { generateEnvContent, parseEnvContentToMap, mergeEnvMapIntoContent } = require('../core/secrets');
-  let localEnvContent = await generateEnvContent(appName, secretsPath, 'local', false);
+  const genOpts = extraOpts.appPath ? { appPath: extraOpts.appPath } : {};
+  let localEnvContent = await generateEnvContent(appName, secretsPath, 'local', false, genOpts);
   localEnvContent = substituteMntDataForLocal(localEnvContent, outputPath);
   let toWrite = localEnvContent;
   if (fs.existsSync(outputPath)) {
@@ -284,16 +326,45 @@ async function writePatchedEnvToOutputPath(envPath, outputPath, variables, envOu
 }
 /**
- * Process and optionally copy env file to envOutputPath if configured
- * Regenerates .env file with env=local for local development (apps/.env)
+ * Process and optionally copy env file to envOutputPath if configured.
+ * When `appName` is set and `preferLocalEnvOutputPath` is true, regenerates **local**-flavored env at
+ * `build.envOutputPath` (IDE/host). **False** only when `remote-server` and `applications.<app>.reload` are both set
+ * (docker flavor at env output). Otherwise, when `appName`
+ * is set and `envPath` exists, copies the same resolved `<appPath>/.env` content to the output path.
+ * Falls back to local regeneration when `envPath` is missing, or patched copy when `appName` is omitted.
+ *
  * @async
  * @function processEnvVariables
  * @param {string} envPath - Path to generated .env file
  * @param {string} variablesPath - Path to application config
  * @param {string} appName - Application name (for regenerating with local env)
  * @param {string} [secretsPath] - Path to secrets file (optional, for regenerating)
+ * @param {Object} [copyOptions] - Optional: `preferLocalEnvOutputPath` (IDE/host file gets **local** flavor
+ *   while `<appPath>/.env` may be docker); `appPath` overrides app root for local regeneration
  */
-async function processEnvVariables(envPath, variablesPath, appName, secretsPath) {
+async function copyOrRegenerateEnvForNamedApp(opts) {
+  const {
+    envPath,
+    outputPath,
+    appName,
+    secretsPath,
+    label,
+    preferLocal,
+    appPathForLocal
+  } = opts;
+  const localOpts = { appPath: appPathForLocal || undefined };
+  if (preferLocal) {
+    await writeLocalEnvToOutputPath(outputPath, appName, secretsPath, label, localOpts);
+    return;
+  }
+  if (fs.existsSync(envPath)) {
+    await syncWrittenBuilderEnvToOutputPath(envPath, outputPath, label);
+    return;
+  }
+  await writeLocalEnvToOutputPath(outputPath, appName, secretsPath, label, localOpts);
+}
+async function processEnvVariables(envPath, variablesPath, appName, secretsPath, copyOptions = {}) {
   if (!variablesPath || !fs.existsSync(variablesPath)) {
     return;
   }
@@ -310,8 +381,21 @@ async function processEnvVariables(envPath, variablesPath, appName, secretsPath)
   }
   const label = variables.build.envOutputPath;
+  const appPathForLocal =
+    (copyOptions && copyOptions.appPath) ||
+    (variablesPath ? path.dirname(variablesPath) : null);
+  const preferLocal =
+    copyOptions && typeof copyOptions === 'object' && copyOptions.preferLocalEnvOutputPath === true;
   if (appName) {
-    await writeLocalEnvToOutputPath(outputPath, appName, secretsPath, label);
+    await copyOrRegenerateEnvForNamedApp({
+      envPath,
+      outputPath,
+      appName,
+      secretsPath,
+      label,
+      preferLocal,
+      appPathForLocal
+    });
   } else {
     await writePatchedEnvToOutputPath(envPath, outputPath, variables, label);
   }
@@ -321,6 +405,7 @@ module.exports = {
   processEnvVariables,
   resolveEnvOutputPath,
   substituteMntDataForLocal,
+  syncWrittenBuilderEnvToOutputPath,
   writeEnvOutputForReload,
   writeEnvOutputForLocal
 };

package/lib/utils/env-template.js CHANGED Viewed

@@ -13,6 +13,7 @@ const fsSync = require('fs');
 const path = require('path');
 const chalk = require('chalk');
 const logger = require('../utils/logger');
+const pathsUtil = require('./paths');
 /**
  * Updates env.template to add MISO_CLIENTID, MISO_CLIENTSECRET, and optionally MISO_CONTROLLER_URL.
@@ -105,7 +106,10 @@ ${missingEntries.join('\n')}
 }
 async function updateEnvTemplate(appKey, clientIdKey, clientSecretKey, _controllerUrl) {
-  const envTemplatePath = path.join(process.cwd(), 'builder', appKey, 'env.template');
+  // Use paths.getBuilderPath so the system builder root (e.g. ~/.aifabrix/builder/<app>) and
+  // AIFABRIX_BUILDER_DIR are respected. Falling back to process.cwd() previously made the binary
+  // CLI skip env.template updates whenever cwd was a non-builder repo (e.g. aifabrix-training).
+  const envTemplatePath = path.join(pathsUtil.getBuilderPath(appKey), 'env.template');
   if (!fsSync.existsSync(envTemplatePath)) {
     logger.warn(chalk.yellow(`⚠  env.template not found for ${appKey}, skipping update`));

package/lib/utils/external-readme.js CHANGED Viewed

@@ -15,6 +15,72 @@ const path = require('path');
 const handlebars = require('handlebars');
 const { getProjectRoot } = require('./paths');
+/**
+ * Extracts secret keys from integration/<appName>/env.template when present.
+ * Looks for values like `kv://systemKey/apiKey` and returns that key for
+ * `aifabrix secret set <key> <value>`.
+ *
+ * @param {object} args
+ * @param {string} args.projectRoot
+ * @param {string} args.appName
+ * @returns {Array<{path: string, description: string}>}
+ */
+function extractSecretPathsFromEnvTemplate({ projectRoot, appName }) {
+  if (!projectRoot || !appName) return [];
+  const envTemplatePath = path.join(projectRoot, 'integration', appName, 'env.template');
+  if (!fs.existsSync(envTemplatePath)) return [];
+  const raw = _tryReadTextOrNull(envTemplatePath);
+  if (raw === null) return [];
+  if (typeof raw !== 'string') return [];
+  function parseSecretKey(value) {
+    if (!value || typeof value !== 'string') return null;
+    const kvIdx = value.indexOf('kv://');
+    if (kvIdx === -1) return null;
+    const after = value.slice(kvIdx + 'kv://'.length);
+    const key = after.split(/[ \t#]/)[0]?.trim();
+    return key || null;
+  }
+  function parseLine(line) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) return null;
+    const eqIdx = trimmed.indexOf('=');
+    if (eqIdx <= 0) return null;
+    const varName = trimmed.slice(0, eqIdx).trim();
+    const value = trimmed.slice(eqIdx + 1).trim();
+    const key = parseSecretKey(value);
+    if (!key) return null;
+    return { varName: varName || 'Secret', key };
+  }
+  const out = [];
+  const seen = new Set();
+  for (const line of raw.split('\n')) {
+    const parsed = parseLine(line);
+    if (!parsed) continue;
+    const dedupeKey = `${parsed.varName}::${parsed.key}`;
+    if (seen.has(dedupeKey)) continue;
+    seen.add(dedupeKey);
+    out.push({ path: parsed.key, description: parsed.varName });
+  }
+  return out;
+}
+function _tryReadTextOrNull(p) {
+  try {
+    return fs.readFileSync(p, 'utf8');
+  } catch (e) {
+    // Some Jest suites partially mock fs.existsSync; treat missing files as absent templates.
+    if (e && e.code === 'ENOENT') return null;
+    throw e;
+  }
+}
 /**
  * Formats a display name from a key
  * @param {string} key - System or app key
@@ -179,7 +245,9 @@ function buildExternalReadmeContext(params = {}) {
   const normalizedExt = fileExt && fileExt.startsWith('.') ? fileExt : `.${fileExt || 'json'}`;
   const datasources = normalizeDatasources(params.datasources, systemKey, fileExt);
   const authType = params.authType || params.authentication?.type || params.authentication?.method || params.authentication?.authType;
-  const secretPaths = buildSecretPaths(systemKey, authType);
+  const projectRoot = getProjectRoot();
+  const secretPathsFromEnv = extractSecretPathsFromEnvTemplate({ projectRoot, appName });
+  const secretPaths = secretPathsFromEnv.length > 0 ? secretPathsFromEnv : buildSecretPaths(systemKey, authType);
   const rbacOptionalFile = rbacOptionalFilename(normalizedExt);
   return {
@@ -238,5 +306,6 @@ module.exports = {
   buildExternalReadmeContext,
   generateExternalReadmeContent,
   wrapPlainTextForMarkdown,
-  collapseConsecutiveBlankLines
+  collapseConsecutiveBlankLines,
+  extractSecretPathsFromEnvTemplate
 };

package/lib/utils/external-system-local-test-tty.js CHANGED Viewed

@@ -19,6 +19,7 @@ const {
   headerKeyValue,
   formatStatusKeyValue,
   colorRollupPrefixedLine,
+  formatSuccessLine,
   metadata: metaGray
 } = require('./cli-test-layout-chalk');
@@ -338,7 +339,7 @@ function displayLocalExternalTestPlanLayout(results, verbose, appName) {
 function logVerboseSystemRows(systemResults) {
   for (const s of systemResults || []) {
     const ok = s.valid;
-    logger.log(ok ? chalk.green(`  ✔ ${s.file}`) : chalk.red(`  ✖ ${s.file}`));
+    logger.log(ok ? (chalk.green('  ') + formatSuccessLine(s.file)) : chalk.red(`  ✖ ${s.file}`));
     (s.errors || []).forEach(e => logger.log(chalk.red(`    - ${e}`)));
   }
 }
@@ -346,7 +347,7 @@ function logVerboseSystemRows(systemResults) {
 function logVerboseDatasourceRows(datasourceResults) {
   for (const d of datasourceResults || []) {
     const ok = d.valid;
-    logger.log(ok ? chalk.green(`  ✔ ${d.key} (${d.file})`) : chalk.red(`  ✖ ${d.key} (${d.file})`));
+    logger.log(ok ? (chalk.green('  ') + formatSuccessLine(`${d.key} (${d.file})`)) : chalk.red(`  ✖ ${d.key} (${d.file})`));
     (d.errors || []).forEach(e => logger.log(chalk.red(`    - ${e}`)));
     (d.warnings || []).forEach(w => logger.log(chalk.yellow(`    ⚠ ${w}`)));
     if (d.fieldMappingResults && d.fieldMappingResults.mappedFields) {

package/lib/utils/external-system-readiness-core.js CHANGED Viewed

@@ -43,30 +43,57 @@ function unwrapPublicationResult(res) {
  * Rules: inactive/archived → Failed; MCP expected but missing → Partial; draft → Partial; published/deployed + active → Ready.
  * @param {Object} ds - ExternalDataSourceResponse-like
  * @param {boolean} generateMcpContract - From application config
- * @returns {'ready'|'partial'|'failed'}
+ * @returns {{ tier: 'ready'|'partial'|'failed', partialReason: string|null }}
  */
-function classifyDatasourceTierA(ds, generateMcpContract) {
+function classifyDatasourceTierADetail(ds, generateMcpContract) {
   const active = ds.isActive !== false;
   const status = String(ds.status || '').toLowerCase();
   if (!active || status === 'archived') {
-    return 'failed';
+    return { tier: 'failed', partialReason: null };
   }
   if (generateMcpContract === true && !ds.mcpContract) {
-    return 'partial';
+    return { tier: 'partial', partialReason: 'mcp_missing' };
   }
   if (status === 'draft') {
-    return 'partial';
+    return { tier: 'partial', partialReason: 'draft' };
   }
   if (status === 'published' || status === 'deployed') {
-    return 'ready';
+    return { tier: 'ready', partialReason: null };
+  }
+  return { tier: 'partial', partialReason: 'unknown_status' };
+}
+/**
+ * @param {Object} ds - ExternalDataSourceResponse-like
+ * @param {boolean} generateMcpContract - From application config
+ * @returns {'ready'|'partial'|'failed'}
+ */
+function classifyDatasourceTierA(ds, generateMcpContract) {
+  return classifyDatasourceTierADetail(ds, generateMcpContract).tier;
+}
+/**
+ * Short hint for CLI when Tier A is partial (machine codes from classifyDatasourceTierADetail).
+ * @param {string|null} partialReason
+ * @returns {string}
+ */
+function formatTierAPartialHint(partialReason) {
+  if (partialReason === 'mcp_missing') {
+    return 'no MCP contract stored (OpenAPI link or generation)';
+  }
+  if (partialReason === 'draft') {
+    return 'status draft (trigger paths / certification gate)';
   }
-  return 'partial';
+  if (partialReason === 'unknown_status') {
+    return 'unexpected lifecycle status';
+  }
+  return '';
 }
 /**
  * @param {Array<Object>} datasources - Datasource list
  * @param {boolean} generateMcpContract
- * @returns {{ rows: Array<{ key: string, tier: string }>, ready: number, partial: number, failed: number }}
+ * @returns {{ rows: Array<{ key: string, tier: string, partialReason?: string|null }>, ready: number, partial: number, failed: number }}
  */
 function summarizeDatasourceTiersA(datasources, generateMcpContract) {
   const rows = [];
@@ -75,10 +102,14 @@ function summarizeDatasourceTiersA(datasources, generateMcpContract) {
   let failed = 0;
   for (const ds of datasources || []) {
     const key = ds.key || ds.sourceKey || 'unknown';
-    const tier = classifyDatasourceTierA(ds, generateMcpContract);
-    rows.push({ key, tier });
-    if (tier === 'ready') ready += 1;
-    else if (tier === 'partial') partial += 1;
+    const detail = classifyDatasourceTierADetail(ds, generateMcpContract);
+    const row = { key, tier: detail.tier };
+    if (detail.tier === 'partial' && detail.partialReason) {
+      row.partialReason = detail.partialReason;
+    }
+    rows.push(row);
+    if (detail.tier === 'ready') ready += 1;
+    else if (detail.tier === 'partial') partial += 1;
     else failed += 1;
   }
   return { rows, ready, partial, failed };
@@ -401,7 +432,9 @@ module.exports = {
   unwrapApiData,
   unwrapPublicationResult,
   isPublicationResultShape,
+  classifyDatasourceTierADetail,
   classifyDatasourceTierA,
+  formatTierAPartialHint,
   summarizeDatasourceTiersA,
   aggregateVerdictFromCounts,
   classifyDatasourceTierB,

package/lib/utils/external-system-readiness-deploy-display.js CHANGED Viewed

@@ -83,7 +83,7 @@ function logDeployProbeDatasourceSection(probeData) {
  * @param {Object|null} systemFromDataplane
  * @param {boolean} genMcp
  */
-function logDeployContractsSection(systemFromDataplane, genMcp) {
+function logDeployContractsSection(systemFromDataplane, genMcp, dataplaneUrl, systemKey) {
   if (!systemFromDataplane) return;
   logSeparator();
   logSectionTitle('Contracts:');
@@ -94,7 +94,7 @@ function logDeployContractsSection(systemFromDataplane, genMcp) {
   } else {
     logger.log(chalk.gray('○ OpenAPI docs URL not available'));
   }
-  logDocsBlock(systemFromDataplane);
+  logDocsBlock(systemFromDataplane, { dataplaneUrl, systemKey, genMcp: mcpOk });
 }
 /**
@@ -260,7 +260,7 @@ function logDeployReadinessSummary(ctx) {
   logDeployIdentityAndCredentialBlocks(systemCfg, !!probeData);
-  logDeployContractsSection(systemFromDataplane, genMcp);
+  logDeployContractsSection(systemFromDataplane, genMcp, dataplaneUrl, systemKey);
   logDeployNextActionsSection(systemKey, probeData, summary, genMcp);
 }

package/lib/utils/external-system-readiness-display-internals.js CHANGED Viewed

@@ -9,7 +9,11 @@
 const chalk = require('chalk');
 const { failureGlyph, successGlyph } = require('./cli-test-layout-chalk');
 const logger = require('./logger');
-const { extractIdentitySummary, resolveCredentialTestEndpointDisplay } = require('./external-system-readiness-core');
+const {
+  extractIdentitySummary,
+  resolveCredentialTestEndpointDisplay,
+  formatTierAPartialHint
+} = require('./external-system-readiness-core');
 const SEP = chalk.gray('────────────────────────────────');
@@ -56,8 +60,12 @@ function logDatasourceTable(rows, counts, title) {
   logSectionTitle(title && String(title).trim() ? String(title).trim() : 'Datasources:');
   for (const r of rows) {
     const statusLabel = r.tier === 'ready' ? 'Ready' : r.tier === 'failed' ? 'Failed' : 'Partial';
+    const hint =
+      r.tier === 'partial' && r.partialReason
+        ? chalk.gray(` — ${formatTierAPartialHint(r.partialReason)}`)
+        : '';
     logger.log(
-      `${tierGlyph(r.tier)} ${r.key.padEnd(14, ' ')} ${chalk.gray('(' + statusLabel + ')')}`
+      `${tierGlyph(r.tier)} ${r.key.padEnd(14, ' ')} ${chalk.gray('(' + statusLabel + ')')}${hint}`
     );
   }
   logger.log('');
@@ -120,14 +128,35 @@ function logNextActions(actions, extraLine) {
   }
 }
+/**
+ * Dataplane serves MCP OpenAPI docs at /api/v1/mcp/{systemKey}/docs.
+ *
+ * @param {Object} sys - ExternalSystemResponse
+ * @param {{ dataplaneUrl?: string, systemKey?: string, genMcp?: boolean }} [opts]
+ * @returns {string|null}
+ */
+function deriveMcpDocsPageUrl(sys, opts) {
+  if (!sys || !opts) return null;
+  if (sys.mcpDocsPageUrl) return String(sys.mcpDocsPageUrl);
+  const { dataplaneUrl, systemKey, genMcp } = opts;
+  if (!genMcp || !dataplaneUrl || !systemKey) return null;
+  if (!sys.mcpServerUrl) return null;
+  if (!sys.openApiDocsPageUrl && !sys.apiDocumentUrl) return null;
+  const base = String(dataplaneUrl).replace(/\/+$/, '');
+  return `${base}/api/v1/mcp/${encodeURIComponent(systemKey)}/docs`;
+}
 /**
  * @param {Object} sys - ExternalSystemResponse
+ * @param {{ dataplaneUrl?: string, systemKey?: string, genMcp?: boolean }} [opts]
  */
-function logDocsBlock(sys) {
+function logDocsBlock(sys, opts) {
   if (!sys) return;
   const urls = [];
   if (sys.openApiDocsPageUrl) urls.push({ label: 'OpenAPI Docs Page', url: sys.openApiDocsPageUrl });
   if (sys.apiDocumentUrl) urls.push({ label: 'API Docs', url: sys.apiDocumentUrl });
+  const mcpDocs = deriveMcpDocsPageUrl(sys, opts);
+  if (mcpDocs) urls.push({ label: 'MCP Docs Page', url: mcpDocs });
   if (sys.mcpServerUrl) urls.push({ label: 'MCP Server', url: sys.mcpServerUrl });
   if (urls.length === 0) return;
   logSeparator();
@@ -147,5 +176,6 @@ module.exports = {
   logIdentityBlock,
   logCredentialIntentBlock,
   logNextActions,
+  deriveMcpDocsPageUrl,
   logDocsBlock
 };

package/lib/utils/external-system-readiness-display.js CHANGED Viewed

@@ -44,7 +44,16 @@ function logPublishResultBlock(publication) {
   }
   logSeparator();
   logSectionTitle('MCP Contract:');
-  logger.log(genMcp ? formatSuccessLine('Generated') : chalk.gray('○ Not requested (generateMcpContract false)'));
+  if (genMcp) {
+    logger.log(formatSuccessLine('Generation requested (manifest generateMcpContract)'));
+    logger.log(
+      chalk.gray(
+        '  Per-datasource MCP appears when dataplane stores mcpContract (OpenAPI resolves + generation succeeds).'
+      )
+    );
+  } else {
+    logger.log(chalk.gray('○ Not requested (generateMcpContract false)'));
+  }
 }
 /**

package/lib/utils/file-upload.js CHANGED Viewed

@@ -33,10 +33,10 @@ async function validateFileExists(filePath) {
  * @param {Object} additionalFields - Additional fields
  * @returns {Promise<FormData>} FormData object
  */
-async function buildFormData(filePath, fieldName, additionalFields) {
+async function buildFormData(filePath, fieldName, additionalFields, opts = {}) {
   const formData = new FormData();
   const fileContent = await fs.readFile(filePath);
-  const fileName = path.basename(filePath);
+  const fileName = opts.filenameOverride ? String(opts.filenameOverride) : path.basename(filePath);
   const fileBlob = new Blob([fileContent], { type: 'application/octet-stream' });
   formData.append(fieldName, fileBlob, fileName);
@@ -74,6 +74,43 @@ async function uploadFile(url, filePath, fieldName = 'file', authConfig = {}, ad
   return await client.postFormData(endpointPath, formData);
 }
+/**
+ * Upload a file using multipart/form-data but override the filename sent to the server.
+ * Useful when the server derives a key from the upload filename.
+ *
+ * @async
+ * @function uploadFileAs
+ * @param {string} url - Full API endpoint URL
+ * @param {string} filePath - Path to file to upload
+ * @param {string} filenameOverride - Filename to present to server (e.g. 'my-key.json')
+ * @param {string} fieldName - Form field name for the file (default: 'file')
+ * @param {Object} [authConfig] - Authentication configuration
+ * @param {Object} [additionalFields] - Additional form fields to include
+ * @returns {Promise<Object>} API response
+ */
+async function uploadFileAs(
+  url,
+  filePath,
+  filenameOverride,
+  fieldName = 'file',
+  authConfig = {},
+  additionalFields = {}
+) {
+  await validateFileExists(filePath);
+  if (!filenameOverride || typeof filenameOverride !== 'string') {
+    throw new Error('filenameOverride is required and must be a string');
+  }
+  const parsed = new URL(url);
+  const baseUrl = parsed.origin;
+  const endpointPath = parsed.pathname + parsed.search;
+  const formData = await buildFormData(filePath, fieldName, additionalFields, { filenameOverride });
+  const client = new ApiClient(baseUrl, authConfig);
+  return await client.postFormData(endpointPath, formData);
+}
 module.exports = {
-  uploadFile
+  uploadFile,
+  uploadFileAs
 };