@aifabrix/builder 2.44.5 → 2.45.0

package/templates/applications/miso-controller/env.template

@@ -57,7 +57,6 @@ NODE_ENV=dev
 PORT=${PORT}
 AUTO_CREATE_TABLES=true
 FAST_STARTUP=false
-ALLOWED_ORIGINS=http://localhost:*,url://host-public,url://host-private,url://dataplane-host-public,url://dataplane-host-private
 ENABLE_API_DOCS=true
 
 # Rate Limiting Configuration (for local development)
@@ -141,6 +140,33 @@ KEYCLOAK_EVENTS_SECRET=kv://keycloak-events-secretKeyVault
 WAIT_FOR_KEYCLOAK=true
 # KEYCLOAK_WAIT_TIMEOUT=60
 
+# =============================================================================
+# MISO CONTROLLER CONFIGURATION
+# =============================================================================
+# Web Server URL (for OpenAPI documentation server URLs and Keycloak callbacks)
+# This is the PUBLIC-FACING URL that browsers/users access (e.g., http://localhost:3100)
+# Used to generate correct server URLs in OpenAPI spec and Keycloak callback URLs
+# For Docker: use localhost with mapped port (e.g., localhost:3100)
+# For production: use public domain (e.g., https://miso.example.com)
+# url://public includes front-door path from application.yaml (e.g. /controller).
+MISO_WEB_SERVER_URL=url://public
+MISO_CONTROLLER_URL=url://internal
+MISO_RELATIVE_PATH=url://vdir-public
+ALLOWED_ORIGINS=http://localhost:*,url://host-public,url://host-private,url://dataplane-host-public,url://dataplane-host-private
+
+# MISO Environment Configuration (miso, dev, tst, pro)
+MISO_ENVIRONMENT=miso
+
+# MISO Application Client Credentials (per application)
+MISO_CLIENTID=kv://miso-controller-client-idKeyVault
+MISO_CLIENTSECRET=kv://miso-controller-client-secretKeyVault
+
+# Evaluation mode (optional .env override of DB controller.configuration.evaluation):
+# When true (default if DB omits flag), infra deploy may coerce :envKey to `miso` — e2e poll on `dev` can 404.
+# Set false locally to force path envKey to match deploy + GET .../deployments/:id.
+# Unset = use DB only.
+CONTROLLER_EVALUATION=
+
 # =============================================================================
 # TENANT ACTIVATION (TA-3) — EXISTING LLM CATALOG
 # =============================================================================
@@ -301,34 +327,6 @@ JWT_SECRET=kv://miso-controller-jwt-secretKeyVault
 # When API_KEY is set, a matching Bearer token bypasses OAuth2 validation
 API_KEY=kv://miso-controller-secrets-apiKeyVault
 
-# NPM token for private package (npmjs.org)
-NPM_TOKEN=kv://BASH_NPM_TOKEN
-
-# =============================================================================
-# MISO CONTROLLER CONFIGURATION
-# =============================================================================
-# Web Server URL (for OpenAPI documentation server URLs and Keycloak callbacks)
-# This is the PUBLIC-FACING URL that browsers/users access (e.g., http://localhost:3100)
-# Used to generate correct server URLs in OpenAPI spec and Keycloak callback URLs
-# For Docker: use localhost with mapped port (e.g., localhost:3100)
-# For production: use public domain (e.g., https://miso.example.com)
-# url://public includes front-door path from application.yaml (e.g. /controller).
-MISO_WEB_SERVER_URL=url://public
-MISO_CONTROLLER_URL=url://internal
-
-# MISO Environment Configuration (miso, dev, tst, pro)
-MISO_ENVIRONMENT=miso
-
-# MISO Application Client Credentials (per application)
-MISO_CLIENTID=kv://miso-controller-client-idKeyVault
-MISO_CLIENTSECRET=kv://miso-controller-client-secretKeyVault
-
-# Evaluation mode (optional .env override of DB controller.configuration.evaluation):
-# When true (default if DB omits flag), infra deploy may coerce :envKey to `miso` — e2e poll on `dev` can 404.
-# Set false locally to force path envKey to match deploy + GET .../deployments/:id.
-# Unset = use DB only.
-CONTROLLER_EVALUATION=
-
 # =============================================================================
 # LICENSE CONFIGURATION
 # =============================================================================

package/templates/applications/miso-controller/rbac.yaml

@@ -35,22 +35,22 @@ roles:
     groups: ['AI-Fabrix-Observers']
 
 permissions:
-  # Service User Management
-  - name: 'service-user:create'
+  # Integration clients (Keycloak OIDC clients + control-plane metadata)
+  - name: 'integration-client:create'
     roles: ['aifabrix-platform-admin', 'aifabrix-security-admin']
-    description: 'Create service users and API clients'
+    description: 'Create integration clients and Keycloak OIDC clients'
 
-  - name: 'service-user:read'
+  - name: 'integration-client:read'
     roles: ['aifabrix-platform-admin', 'aifabrix-security-admin', 'aifabrix-observer']
-    description: 'View service users and their configurations'
+    description: 'View integration clients and their configurations'
 
-  - name: 'service-user:update'
+  - name: 'integration-client:update'
     roles: ['aifabrix-platform-admin', 'aifabrix-security-admin']
-    description: 'Update service user configurations and regenerate secrets'
+    description: 'Update integration client configuration and regenerate secrets'
 
-  - name: 'service-user:delete'
+  - name: 'integration-client:delete'
     roles: ['aifabrix-platform-admin', 'aifabrix-security-admin']
-    description: 'Deactivate service users'
+    description: 'Deactivate integration clients'
 
   # User Management
   - name: 'users:create'

package/templates/external-system/README.md.hbs

@@ -2,147 +2,119 @@
 
 {{description}}
 
-## System Information
+## At a glance
 
-- **System Key**: `{{systemKey}}`
-- **System Type**: `{{systemType}}`
-- **Datasources**: {{datasourceCount}}
+| | |
+| --- | --- |
+| **System key** | `{{systemKey}}` |
+| **Type** | `{{systemType}}` |
+| **Datasources** | {{datasourceCount}} |
 
 ## Files
 
-- `application{{fileExt}}` – Application configuration with `app` and `externalIntegration` blocks
-- `{{systemKey}}-system{{fileExt}}` – External system definition (authentication, OpenAPI/MCP, RBAC)
+| File | Purpose |
+| --- | --- |
+| `application{{fileExt}}` | App manifest and `externalIntegration` |
+| `{{systemKey}}-system{{fileExt}}` | Auth, API definition, roles |
 {{#each datasources}}
-- `{{fileName}}` – Datasource: {{displayName}}
+| `{{fileName}}` | Datasource: {{displayName}} (**capabilities** here) |
 {{/each}}
-- `env.template` – Environment variables template (secrets, API keys)
-- `{{systemKey}}-deploy.json` – Deployment manifest (generated by `aifabrix json {{appName}}`)
-- `deploy.js` – Deploy script for the integration
-- `wizard.yaml` – Wizard configuration (if created via wizard)
+| `env.template` | Secrets and env placeholders |
+| `{{systemKey}}-deploy.json` | Deploy manifest (`aifabrix json {{appName}}`) |
+| `deploy.js` | Deploy helper |
+| `wizard.yaml` | Wizard input |
+| `{{rbacOptionalFile}}` | Roles and permissions |
 
-Optional: `{{rbacOptionalFile}}` – Roles and permissions merged into the system when
-present.
+## Typical workflow
 
-## Quick Start
+1. **Login** — `aifabrix login` (controller URL set via `aifabrix auth config` if needed).
+2. **Change config** — edit JSON/YAML under `integration/{{appName}}/`, or extend with `aifabrix wizard --app {{appName}}`.
+3. **Adjust operations** — use `aifabrix datasource capability …` to copy, add, or remove **capabilities** (see below).
+4. **Check locally** — `aifabrix validate {{appName}}` and `aifabrix datasource validate` on files you touched.
+5. **Align manifest** — `aifabrix repair {{appName}}` after bigger edits.
+6. **Publish** — `aifabrix upload {{appName}}` or `aifabrix deploy {{appName}}`.
 
-Login to your controller
+Rollback an experiment: `datasource capability remove …` → validate → upload/deploy again.
 
-```bash
-aifabrix auth config --set-controller URL --set-environment dev
-aifabrix login
-```
+## Capabilities (per datasource)
 
-### 1. Extend External System
+Each `*-datasource-*` file lists **capabilities**: named slices that tie together HTTP/API definitions and execution steps. Use the CLI to clone or drop them safely instead of editing huge JSON by hand.
 
-Use the interactive wizard to extend your existing system:
+**After any change:** run `aifabrix datasource validate <file-or-key>` (or `aifabrix validate {{appName}}` for the whole app).
 
-```bash
-aifabrix wizard --app {{appName}}
-```
+| Command | What it does |
+| --- | --- |
+| `datasource capability copy` | Clone one capability to a new name (`--from` / `--as`). Supports `--dry-run`, `--overwrite`, backups. If `exposed.profiles.<from>` exists, it’s copied to `exposed.profiles.<as>`. |
+| `datasource capability create` (or `add`) | New capability from `--from`, `--template`, or `--openapi-operation`. |
+| `datasource capability remove` | Remove one capability (`--capability`; optional `--profile`). Use `--dry-run` first. |
+| `datasource capability validate` | Schema check for the file or one `--capability`. |
+| `datasource capability diff` | Compare two files for one capability. |
+| `datasource capability edit` | Edit one capability’s API definition, runtime steps, or exposure profile in your editor (TTY). |
+| `datasource capability relate` | Link this datasource to another (foreign-key style metadata). See `--help` for flags. |
 
-### 2. Configure Authentication and Datasources
+Short alias (recommended): `af ds cap <command> …`  
+Full command: `aifabrix datasource capability <command> …`
 
-Edit files in `integration/{{appName}}/`:
-
-- **Authentication**: `{{systemKey}}-system{{fileExt}}` (auth type, credentials placeholders)
-- **Field mappings**: `{{systemKey}}-datasource-*{{fileExt}}` (dimensions, attributes, operations)
-- **Credential and configuration**: `env.template` (security settings and configuration variables)
-{{#if secretPaths}}{{#if secretPaths.length}}
-
-### Secrets
-
-Secrets are resolved from `.aifabrix` or key vault. Set them with:
+Examples (use the first datasource from the Files table):
 
 ```bash
-{{#each secretPaths}}
-aifabrix secret set {{path}} VALUE   # {{description}}
-{{/each}}
-```
-{{/if}}{{/if}}
-
-### 3. Validate configuration (local only)
-
-`aifabrix validate` runs **on your machine**: it loads files under
-`integration/{{appName}}/`, checks them against the application and
-external-system / external-datasource JSON schemas, and runs related manifest rules.
-It does **not** call the dataplane or any other remote API.
-
-```bash
-aifabrix validate {{appName}}
-```
+# Preview cloning "create" to "createBasic" (no write)
+af ds cap copy {{#if hasDatasources}}{{datasources.[0].datasourceKey}}{{else}}<datasource-key>{{/if}} --from create --as createBasic --dry-run
 
-Use this before upload or deploy to catch structural and policy errors early.
+# Apply the copy, then validate
+af ds cap copy {{#if hasDatasources}}{{datasources.[0].datasourceKey}}{{else}}<datasource-key>{{/if}} --from create --as createBasic
+af ds validate {{#if hasDatasources}}{{datasources.[0].datasourceKey}}{{else}}<datasource-key>{{/if}}
 
-### 4. Repair Deployment Manifest
-
-**Run repair regularly.** It keeps naming conventions, filenames, and the deployment
-manifest aligned with AI Fabrix platform best practices. Use it after editing
-datasources, env.template, or system config—and run it often to catch drift early.
-
-```bash
-aifabrix repair {{appName}}
+# Remove a capability you no longer need
+af ds cap remove {{#if hasDatasources}}{{datasources.[0].datasourceKey}}{{else}}<datasource-key>{{/if}} --capability createBasic --dry-run
 ```
 
-Options:
+For flags, run `af ds cap <command> --help`.
 
-- `--auth METHOD` — Set authentication method (`oauth2`, `aad`, `apikey`, `basic`,
-     `queryParam`, `oidc`, `hmac`, `none`); updates system file and env.template
-- `--dry-run` — Report changes only; do not write
-- `--rbac` — Ensure RBAC permissions per datasource and add default Admin/Reader roles if none exist
-- `--expose` — Set `exposed.attributes` on each datasource to all `fieldMappings.attributes` keys
-- `--sync` — Add default sync section to datasources that lack it
-- `--test` — Generate `testPayload.payloadTemplate` and `testPayload.expectedResult` from attributes
+## Single datasource lifecycle (production-ready)
 
-### 5. Upload to dataplane
+Start with one datasource and iterate until it’s stable.
 
 ```bash
-aifabrix upload {{appName}}
+af ds validate {{#if hasDatasources}}{{datasources.[0].datasourceKey}}{{else}}<datasource-key>{{/if}}
+af ds test {{#if hasDatasources}}{{datasources.[0].datasourceKey}}{{else}}<datasource-key>{{/if}} --debug --sync
+af ds test-integration {{#if hasDatasources}}{{datasources.[0].datasourceKey}}{{else}}<datasource-key>{{/if}} --sync
+af ds test-e2e {{#if hasDatasources}}{{datasources.[0].datasourceKey}}{{else}}<datasource-key>{{/if}} --debug --sync
 ```
 
-## Testing
-
-| Command | Where it runs | Calls dataplane? |
-| --- | --- | --- |
-| `aifabrix validate {{appName}}` | Local (schemas / files) | No |
-| `aifabrix test {{appName}}` | Local (manifest / payload checks) | No |
-| `aifabrix test-integration {{appName}}` | Auth + dataplane | Yes |
-| `aifabrix test-e2e {{appName}}` | Auth + dataplane | Yes |
-| Datasource `test` / `test-integration` / `test-e2e` | Auth + dataplane | Yes |
+{{#if secretPaths}}{{#if secretPaths.length}}
 
-So: **validate** (and **`test`**) stay offline; **all integration and E2E test
-commands** exercise the system **via the API** (after login and a reachable
-dataplane).
+## Secrets
 
-### Local checks (no API)
+Store values the CLI expects (no secrets in Git):
 
 ```bash
-aifabrix validate {{appName}}
-aifabrix test {{appName}}
+{{#each secretPaths}}
+aifabrix secret set {{path}} <your value>   # {{description}}
+{{/each}}
 ```
+{{/if}}{{/if}}
 
-### Integration tests (dataplane API)
-
-```bash
-aifabrix test-integration {{appName}}
-```
+## Repair
 
-### End-to-end tests (dataplane API)
+Keeps filenames, lists, and deploy manifest in sync after manual edits.
 
 ```bash
-aifabrix test-e2e {{appName}}
+aifabrix repair {{appName}}
 ```
 
-Options:
+Useful flags: `--dry-run`, `--auth <method>`, `--rbac`, `--expose`, `--sync`, `--test`.
 
-- `-e`, `--env ENV` — Environment: `dev`, `tst`, or `pro` (builder: dev/tst for container)
-- `-v`, `--verbose` — Show detailed step output and poll progress
-- `-d`, `--debug` — Include debug output and write log to `integration/{{appName}}/logs/`
-- `--no-async` — Use sync mode (no polling); single POST per datasource
+## Validate and test
 
-### E2E tests per datasource
+| Command | Network |
+| --- | --- |
+| `aifabrix validate {{appName}}` | Off — schemas and files only |
+| `aifabrix test {{appName}}` | Off — local checks |
+| `aifabrix test-integration {{appName}}` | On — needs login + dataplane |
+| `aifabrix test-e2e {{appName}}` | On — full pipeline per datasource |
 
-To run a full E2E test for a single datasource (config, credential, sync, data,
-CIP), use `aifabrix datasource test-e2e` with the datasource key and app:
+Single datasource E2E:
 
 {{#if hasDatasources}}
 ```bash
@@ -152,40 +124,28 @@ aifabrix datasource test-e2e {{datasourceKey}} --app {{../appName}}
 
 {{/each}}
 ```
+{{else}}
+```bash
+aifabrix datasource test-e2e <datasource-key> --app {{appName}}
+```
 {{/if}}
 
-Options:
-
-- `-a`, `--app {{appName}}` — App key (default: resolve from cwd if inside `integration/{{appName}}/`)
-- `-e`, `--env ENV` — Environment: `dev`, `tst`, or `pro`
-- `-v`, `--verbose` — Show detailed step output and poll progress
-- `-d`, `--debug` — Include debug output and write log to `integration/{{appName}}/logs/`
-- `--no-run-scenarios` — Skip expanding `testPayload.scenarios` in capacity step
-- `--no-cleanup` — Disable cleanup after test (body cleanup: false)
-- `--primary-key-value VALUE` — Primary key value or path to JSON file (e.g.
-  `@pk.json`) for body `primaryKeyValue`
-- `--no-async` — Use sync mode (no polling); single POST, no asyncRun
-
-## Deployment
+Common E2E flags: `-v` / `--verbose`, `-d` / `--debug`, `--no-async`.
 
-Deploy via miso-controller pipeline (same as regular apps). Auth and controller
-come from `aifabrix login` and `aifabrix auth config`:
+## Deploy
 
 ```bash
 aifabrix deploy {{appName}}
 ```
 
-## Delete
+## Remove app
 
 ```bash
 aifabrix delete {{appName}}
 ```
 
-## Troubleshooting
+## When something fails
 
-- **Local validation errors**: Run `aifabrix validate {{appName}}` (and
-  `aifabrix test {{appName}}`) — these only inspect files on disk, not the dataplane.
-- **Deployment / auth**: Run
-  `aifabrix auth config --set-controller URL --set-environment ENV` and
-  `aifabrix login` before `aifabrix deploy`.
-- **File not found**: Run commands from the project root (where `package.json` and `integration/` live).
+- **Validation errors** — Fix JSON/schema issues; run `aifabrix validate {{appName}}` and `aifabrix datasource validate` on the file you changed.
+- **Auth** — `aifabrix auth config` + `aifabrix login` before upload, deploy, or remote tests.
+- **Wrong folder** — Run CLI from the project root (where `integration/{{appName}}/` lives).

package/.npmrc.token

@@ -1 +0,0 @@
-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