@aifabrix/builder 2.5.3 → 2.6.0

package/lib/cli.js

@@ -14,7 +14,6 @@ const app = require('./app');
 const secrets = require('./secrets');
 const generator = require('./generator');
 const validator = require('./validator');
-const keyGenerator = require('./key-generator');
 const config = require('./config');
 const devConfig = require('./utils/dev-config');
 const chalk = require('chalk');
@@ -306,9 +305,24 @@ function setupCommands(program) {
     .description('Generate deployment key')
     .action(async(appName) => {
       try {
-        const key = await keyGenerator.generateDeploymentKey(appName);
+        // Generate JSON first, then extract key from it
+        const jsonPath = await generator.generateDeployJson(appName);
+
+        // Read the generated JSON file
+        const fs = require('fs');
+        const jsonContent = fs.readFileSync(jsonPath, 'utf8');
+        const deployment = JSON.parse(jsonContent);
+
+        // Extract deploymentKey from JSON
+        const key = deployment.deploymentKey;
+
+        if (!key) {
+          throw new Error('deploymentKey not found in generated JSON');
+        }
+
         logger.log(`\nDeployment key for ${appName}:`);
         logger.log(key);
+        logger.log(chalk.gray(`\nGenerated from: ${jsonPath}`));
       } catch (error) {
         handleCommandError(error, 'genkey');
         process.exit(1);

package/lib/generator.js

@@ -16,6 +16,22 @@ const _secrets = require('./secrets');
 const _keyGenerator = require('./key-generator');
 const _validator = require('./validator');
 
+/**
+ * Sanitizes authentication type - map keycloak to azure (schema allows: azure, local, none)
+ * @function sanitizeAuthType
+ * @param {string} authType - Authentication type
+ * @returns {string} Sanitized authentication type
+ */
+function sanitizeAuthType(authType) {
+  if (authType === 'keycloak') {
+    return 'azure';
+  }
+  if (authType && !['azure', 'local', 'none'].includes(authType)) {
+    return 'azure'; // Default to azure if invalid type
+  }
+  return authType;
+}
+
 /**
  * Loads variables.yaml file
  * @param {string} variablesPath - Path to variables.yaml
@@ -129,11 +145,12 @@ function buildAuthenticationConfig(variables, rbac) {
 
     // When enableSSO is false, default type to 'none' and requiredRoles to []
     // When enableSSO is true, require type and requiredRoles
+    // Sanitize auth type (e.g., map keycloak to azure)
     if (auth.enableSSO === false) {
-      auth.type = variables.authentication.type || 'none';
+      auth.type = sanitizeAuthType(variables.authentication.type || 'none');
       auth.requiredRoles = variables.authentication.requiredRoles || [];
     } else {
-      auth.type = variables.authentication.type || 'azure';
+      auth.type = sanitizeAuthType(variables.authentication.type || 'azure');
       auth.requiredRoles = variables.authentication.requiredRoles || [];
     }
 
@@ -313,18 +330,21 @@ async function generateDeployJson(appName) {
   const jsonPath = path.join(builderPath, 'aifabrix-deploy.json');
 
   // Load configuration files
-  const { content: variablesContent, parsed: variables } = loadVariables(variablesPath);
+  const { parsed: variables } = loadVariables(variablesPath);
   const envTemplate = loadEnvTemplate(templatePath);
   const rbac = loadRbac(rbacPath);
 
-  // Generate deployment key
-  const deploymentKey = _keyGenerator.generateDeploymentKeyFromContent(variablesContent);
-
   // Parse environment variables from template
   const configuration = parseEnvironmentVariables(envTemplate);
 
-  // Build deployment manifest
-  const deployment = buildManifestStructure(appName, variables, deploymentKey, configuration, rbac);
+  // Build deployment manifest WITHOUT deploymentKey initially
+  const deployment = buildManifestStructure(appName, variables, null, configuration, rbac);
+
+  // Generate deploymentKey from the manifest object (excluding deploymentKey field)
+  const deploymentKey = _keyGenerator.generateDeploymentKeyFromJson(deployment);
+
+  // Add deploymentKey to manifest
+  deployment.deploymentKey = deploymentKey;
 
   // Validate deployment JSON against schema
   const validation = _validator.validateDeploymentJson(deployment);

package/lib/key-generator.js

@@ -64,6 +64,63 @@ function generateDeploymentKeyFromContent(content) {
   return hash.digest('hex');
 }
 
+/**
+ * Recursively sorts object keys for deterministic JSON stringification
+ * @param {*} obj - Object to sort
+ * @returns {*} Object with sorted keys
+ */
+function sortObjectKeys(obj) {
+  if (obj === null || typeof obj !== 'object') {
+    return obj;
+  }
+
+  if (Array.isArray(obj)) {
+    return obj.map(item => sortObjectKeys(item));
+  }
+
+  const sorted = {};
+  const keys = Object.keys(obj).sort();
+  for (const key of keys) {
+    sorted[key] = sortObjectKeys(obj[key]);
+  }
+  return sorted;
+}
+
+/**
+ * Generates deployment key from deployment manifest object
+ * Creates SHA256 hash of manifest (excluding deploymentKey field) for integrity verification
+ * Uses deterministic JSON stringification (sorted keys, no whitespace)
+ *
+ * @function generateDeploymentKeyFromJson
+ * @param {Object} deploymentObject - Deployment manifest object
+ * @returns {string} SHA256 hash of manifest (64-character hex string)
+ * @throws {Error} If deploymentObject is invalid
+ *
+ * @example
+ * const key = generateDeploymentKeyFromJson(deploymentManifest);
+ * // Returns: 'a1b2c3d4e5f6...' (64-character SHA256 hash)
+ */
+function generateDeploymentKeyFromJson(deploymentObject) {
+  if (!deploymentObject || typeof deploymentObject !== 'object') {
+    throw new Error('Deployment object is required and must be an object');
+  }
+
+  // Create a copy and remove deploymentKey field if present
+  const manifestCopy = { ...deploymentObject };
+  delete manifestCopy.deploymentKey;
+
+  // Sort all keys recursively for deterministic JSON stringification
+  const sortedManifest = sortObjectKeys(manifestCopy);
+
+  // Deterministic JSON stringification: sorted keys, no whitespace
+  const jsonString = JSON.stringify(sortedManifest);
+
+  // Generate SHA256 hash
+  const hash = crypto.createHash('sha256');
+  hash.update(jsonString, 'utf8');
+  return hash.digest('hex');
+}
+
 /**
  * Validates deployment key format
  * Ensures key is a valid SHA256 hash
@@ -89,5 +146,6 @@ function validateDeploymentKey(key) {
 module.exports = {
   generateDeploymentKey,
   generateDeploymentKeyFromContent,
+  generateDeploymentKeyFromJson,
   validateDeploymentKey
 };

package/lib/schema/application-schema.json

@@ -34,7 +34,7 @@
     ]
   },
   "type": "object",
-  "required": ["key", "displayName", "description", "type", "image", "registryMode", "port"],
+  "required": ["key", "displayName", "description", "type", "image", "registryMode", "port", "deploymentKey"],
   "properties": {
     "key": {
       "type": "string",
@@ -76,6 +76,11 @@
       "minimum": 1,
       "maximum": 65535
     },
+    "deploymentKey": {
+      "type": "string",
+      "description": "SHA256 hash of deployment manifest (excluding deploymentKey field)",
+      "pattern": "^[a-f0-9]{64}$"
+    },
     "requiresDatabase": {
       "type": "boolean",
       "description": "Whether application requires database"

package/lib/secrets.js

@@ -169,10 +169,21 @@ async function loadSecrets(secretsPath, _appName) {
  */
 async function resolveKvReferences(envTemplate, secrets, environment = 'local', secretsFilePaths = null, appName = null) {
   const os = require('os');
-  let envVars = await buildEnvVarMap(environment, os);
+
+  // Get developer-id for local environment to adjust port variables
+  let developerId = null;
+  if (environment === 'local') {
+    try {
+      developerId = await config.getDeveloperId();
+    } catch {
+      // ignore, will use null (buildEnvVarMap will fetch it)
+    }
+  }
+
+  let envVars = await buildEnvVarMap(environment, os, developerId);
   if (!envVars || Object.keys(envVars).length === 0) {
     // Fallback to local environment variables if requested environment does not exist
-    envVars = await buildEnvVarMap('local', os);
+    envVars = await buildEnvVarMap('local', os, developerId);
   }
   const resolved = interpolateEnvVars(envTemplate, envVars);
   const missing = collectMissingSecrets(resolved, secrets);
@@ -282,6 +293,7 @@ async function applyEnvironmentTransformations(resolved, environment, variablesP
     resolved = await rewriteInfraEndpoints(resolved, 'docker');
     resolved = await updatePortForDocker(resolved, variablesPath);
   } else if (environment === 'local') {
+    // adjustLocalEnvPortsInContent handles both PORT and infra endpoints
     resolved = await adjustLocalEnvPortsInContent(resolved, variablesPath);
   }
   return resolved;

package/lib/utils/cli-utils.js

@@ -48,6 +48,9 @@ function formatError(error) {
   // Check for specific error patterns first (most specific to least specific)
   if (errorMsg.includes('Configuration not found')) {
     messages.push(`   ${errorMsg}`);
+  } else if (errorMsg.includes('does not match schema') || errorMsg.includes('Validation failed') || errorMsg.includes('Field "') || errorMsg.includes('Invalid format')) {
+    // Schema validation errors - show the actual error message
+    messages.push(`   ${errorMsg}`);
   } else if (errorMsg.includes('not found locally') || (errorMsg.includes('Docker image') && errorMsg.includes('not found'))) {
     messages.push('   Docker image not found.');
     messages.push('   Run: aifabrix build <app> first');
@@ -57,7 +60,8 @@ function formatError(error) {
   } else if (errorMsg.includes('port')) {
     messages.push('   Port conflict detected.');
     messages.push('   Run "aifabrix doctor" to check which ports are in use.');
-  } else if (errorMsg.includes('permission')) {
+  } else if ((errorMsg.includes('permission denied') || errorMsg.includes('EACCES') || errorMsg.includes('Permission denied')) && !errorMsg.includes('permissions/') && !errorMsg.includes('Field "permissions')) {
+    // Only match actual permission denied errors, not validation errors about permissions fields
     messages.push('   Permission denied.');
     messages.push('   Make sure you have the necessary permissions to run Docker commands.');
   } else if (errorMsg.includes('Azure CLI is not installed') || errorMsg.includes('az --version failed') || (errorMsg.includes('az') && errorMsg.includes('failed'))) {

package/lib/utils/env-endpoints.js

@@ -28,83 +28,76 @@ async function getEnvHosts(context) {
 }
 
 /**
- * Rewrites infra endpoints (REDIS_URL/REDIS_HOST/REDIS_PORT, DB_HOST/DB_PORT, etc.) based on env-config and context
- * Uses getEnvHosts() to get all service values dynamically, avoiding hardcoded values
- * @async
- * @function rewriteInfraEndpoints
- * @param {string} envContent - .env file content
- * @param {'docker'|'local'} context - Environment context
- * @param {{redis:number, postgres:number}} [devPorts] - Ports object with developer-id adjusted ports (optional)
- * @returns {Promise<string>} Updated content
+ * Split host:port value into host and port
+ * @function splitHost
+ * @param {string|number} value - Host:port string or plain value
+ * @returns {{host: string|undefined, port: number|undefined}} Split host and port
  */
-async function rewriteInfraEndpoints(envContent, context, devPorts) {
-  // Get all service values from config system (includes env-config.yaml + user env-config file)
-  let hosts = await getEnvHosts(context);
+function splitHost(value) {
+  if (typeof value !== 'string') return { host: undefined, port: undefined };
+  const m = value.match(/^([^:]+):(\d+)$/);
+  if (m) return { host: m[1], port: parseInt(m[2], 10) };
+  return { host: value, port: undefined };
+}
 
-  // Apply config.yaml → environments.{context} override (if exists)
+/**
+ * Get aifabrix-localhost override from config.yaml for local context
+ * @function getLocalhostOverride
+ * @param {'docker'|'local'} context - Environment context
+ * @returns {string|null} Localhost override value or null
+ */
+function getLocalhostOverride(context) {
+  if (context !== 'local') return null;
   try {
     const os = require('os');
     const cfgPath = path.join(os.homedir(), '.aifabrix', 'config.yaml');
     if (fs.existsSync(cfgPath)) {
       const cfgContent = fs.readFileSync(cfgPath, 'utf8');
       const cfg = yaml.load(cfgContent) || {};
-      if (cfg && cfg.environments && cfg.environments[context]) {
-        hosts = { ...hosts, ...cfg.environments[context] };
+      if (typeof cfg['aifabrix-localhost'] === 'string' && cfg['aifabrix-localhost'].trim().length > 0) {
+        return cfg['aifabrix-localhost'].trim();
       }
     }
   } catch {
-    // Ignore config.yaml read errors, continue with env-config values
+    // ignore override errors
   }
+  return null;
+}
 
-  // Helper to split host:port values
-  const splitHost = (value) => {
-    if (typeof value !== 'string') return { host: undefined, port: undefined };
-    const m = value.match(/^([^:]+):(\d+)$/);
-    if (m) return { host: m[1], port: parseInt(m[2], 10) };
-    return { host: value, port: undefined };
-  };
-
-  // Get aifabrix-localhost override for local context
-  let localhostOverride = null;
-  if (context === 'local') {
-    try {
-      const os = require('os');
-      const cfgPath = path.join(os.homedir(), '.aifabrix', 'config.yaml');
-      if (fs.existsSync(cfgPath)) {
-        const cfgContent = fs.readFileSync(cfgPath, 'utf8');
-        const cfg = yaml.load(cfgContent) || {};
-        if (typeof cfg['aifabrix-localhost'] === 'string' && cfg['aifabrix-localhost'].trim().length > 0) {
-          localhostOverride = cfg['aifabrix-localhost'].trim();
-        }
-      }
-    } catch {
-      // ignore override errors
-    }
+/**
+ * Get service port with developer-id adjustment (only for local context)
+ * @async
+ * @function getServicePort
+ * @param {string} portKey - Port key (e.g., 'REDIS_PORT', 'DB_PORT')
+ * @param {string} serviceName - Service name (e.g., 'redis', 'postgres')
+ * @param {Object} hosts - Hosts configuration object
+ * @param {'docker'|'local'} context - Environment context
+ * @param {Object} [devPorts] - Optional devPorts object with pre-adjusted ports
+ * @returns {Promise<number>} Service port with developer-id adjustment (for local context only)
+ */
+async function getServicePort(portKey, serviceName, hosts, context, devPorts) {
+  // If devPorts provided, use it (already has developer-id adjustment)
+  if (devPorts && typeof devPorts[serviceName] === 'number') {
+    return devPorts[serviceName];
   }
 
-  // Helper to get port value from config or devPorts, with developer-id adjustment
-  const getServicePort = async(portKey, serviceName) => {
-    // If devPorts provided, use it (already has developer-id adjustment)
-    if (devPorts && typeof devPorts[serviceName] === 'number') {
-      return devPorts[serviceName];
-    }
-
-    // Get base port from config
-    let basePort = null;
-    if (hosts[portKey] !== undefined && hosts[portKey] !== null) {
-      const portVal = typeof hosts[portKey] === 'number' ? hosts[portKey] : parseInt(hosts[portKey], 10);
-      if (!Number.isNaN(portVal)) {
-        basePort = portVal;
-      }
+  // Get base port from config
+  let basePort = null;
+  if (hosts[portKey] !== undefined && hosts[portKey] !== null) {
+    const portVal = typeof hosts[portKey] === 'number' ? hosts[portKey] : parseInt(hosts[portKey], 10);
+    if (!Number.isNaN(portVal)) {
+      basePort = portVal;
     }
+  }
 
-    // Last resort fallback to devConfig (only if not in config)
-    if (basePort === null || basePort === undefined) {
-      const basePorts = devConfig.getBasePorts();
-      basePort = basePorts[serviceName];
-    }
+  // Last resort fallback to devConfig (only if not in config)
+  if (basePort === null || basePort === undefined) {
+    const basePorts = devConfig.getBasePorts();
+    basePort = basePorts[serviceName];
+  }
 
-    // Apply developer-id adjustment
+  // Apply developer-id adjustment only for local context
+  if (context === 'local') {
     try {
       const devId = await config.getDeveloperId();
       let devIdNum = 0;
@@ -118,29 +111,40 @@ async function rewriteInfraEndpoints(envContent, context, devPorts) {
     } catch {
       return basePort;
     }
-  };
-
-  // Get Redis configuration
-  const redisParts = splitHost(hosts.REDIS_HOST);
-  let redisHost = redisParts.host || hosts.REDIS_HOST;
-  // Fallback to default if not in config
-  if (!redisHost) {
-    redisHost = context === 'docker' ? 'redis' : 'localhost';
-  }
-  if (context === 'local' && localhostOverride && redisHost === 'localhost') {
-    redisHost = localhostOverride;
   }
-  const redisPort = await getServicePort('REDIS_PORT', 'redis');
 
-  // Get DB configuration
-  let dbHost = hosts.DB_HOST;
-  // Fallback to default if not in config
-  if (!dbHost) {
-    dbHost = context === 'docker' ? 'postgres' : 'localhost';
+  // For docker context, return base port without adjustment
+  return basePort;
+}
+
+/**
+ * Get service host with localhost override applied
+ * @function getServiceHost
+ * @param {string|undefined} host - Host value from config
+ * @param {'docker'|'local'} context - Environment context
+ * @param {string} defaultHost - Default host if not in config
+ * @param {string|null} localhostOverride - Localhost override value
+ * @returns {string} Final host value
+ */
+function getServiceHost(host, context, defaultHost, localhostOverride) {
+  const finalHost = host || defaultHost;
+  if (context === 'local' && localhostOverride && finalHost === 'localhost') {
+    return localhostOverride;
   }
-  const finalDbHost = (context === 'local' && localhostOverride && dbHost === 'localhost') ? localhostOverride : dbHost;
-  const dbPort = await getServicePort('DB_PORT', 'postgres');
+  return finalHost;
+}
 
+/**
+ * Update endpoint variables in env content
+ * @function updateEndpointVariables
+ * @param {string} envContent - Environment content
+ * @param {string} redisHost - Redis host
+ * @param {number} redisPort - Redis port
+ * @param {string} dbHost - Database host
+ * @param {number} dbPort - Database port
+ * @returns {string} Updated content
+ */
+function updateEndpointVariables(envContent, redisHost, redisPort, dbHost, dbPort) {
   let updated = envContent;
 
   // Update REDIS_URL if present
@@ -180,7 +184,7 @@ async function rewriteInfraEndpoints(envContent, context, devPorts) {
 
   // Update DB_HOST if present
   if (/^DB_HOST\s*=.*$/m.test(updated)) {
-    updated = updated.replace(/^DB_HOST\s*=\s*.*$/m, `DB_HOST=${finalDbHost}`);
+    updated = updated.replace(/^DB_HOST\s*=\s*.*$/m, `DB_HOST=${dbHost}`);
   }
 
   // Update DB_PORT if present
@@ -202,8 +206,59 @@ async function rewriteInfraEndpoints(envContent, context, devPorts) {
   return updated;
 }
 
+/**
+ * Rewrites infra endpoints (REDIS_URL/REDIS_HOST/REDIS_PORT, DB_HOST/DB_PORT, etc.) based on env-config and context
+ * Uses getEnvHosts() to get all service values dynamically, avoiding hardcoded values
+ * @async
+ * @function rewriteInfraEndpoints
+ * @param {string} envContent - .env file content
+ * @param {'docker'|'local'} context - Environment context
+ * @param {{redis:number, postgres:number}} [devPorts] - Ports object with developer-id adjusted ports (optional)
+ * @param {Object} [adjustedHosts] - Optional adjusted hosts object (with developer-id adjusted ports) to use instead of loading from config
+ * @returns {Promise<string>} Updated content
+ */
+async function rewriteInfraEndpoints(envContent, context, devPorts, adjustedHosts) {
+  // Get all service values from config system (includes env-config.yaml + user env-config file)
+  // Use adjustedHosts if provided, otherwise load from config
+  let hosts = adjustedHosts || await getEnvHosts(context);
+
+  // Apply config.yaml → environments.{context} override (if exists)
+  try {
+    const os = require('os');
+    const cfgPath = path.join(os.homedir(), '.aifabrix', 'config.yaml');
+    if (fs.existsSync(cfgPath)) {
+      const cfgContent = fs.readFileSync(cfgPath, 'utf8');
+      const cfg = yaml.load(cfgContent) || {};
+      if (cfg && cfg.environments && cfg.environments[context]) {
+        hosts = { ...hosts, ...cfg.environments[context] };
+      }
+    }
+  } catch {
+    // Ignore config.yaml read errors, continue with env-config values
+  }
+
+  // Get localhost override for local context
+  const localhostOverride = getLocalhostOverride(context);
+
+  // Get Redis configuration
+  const redisParts = splitHost(hosts.REDIS_HOST);
+  const redisHost = getServiceHost(redisParts.host || hosts.REDIS_HOST, context, context === 'docker' ? 'redis' : 'localhost', localhostOverride);
+  const redisPort = await getServicePort('REDIS_PORT', 'redis', hosts, context, devPorts);
+
+  // Get DB configuration
+  const dbHost = getServiceHost(hosts.DB_HOST, context, context === 'docker' ? 'postgres' : 'localhost', localhostOverride);
+  const dbPort = await getServicePort('DB_PORT', 'postgres', hosts, context, devPorts);
+
+  // Update endpoint variables
+  return updateEndpointVariables(envContent, redisHost, redisPort, dbHost, dbPort);
+}
+
 module.exports = {
   rewriteInfraEndpoints,
-  getEnvHosts
+  getEnvHosts,
+  splitHost,
+  getServicePort,
+  getServiceHost,
+  updateEndpointVariables
 };
 

package/lib/utils/env-map.js

@@ -12,19 +12,22 @@ const fs = require('fs');
 const path = require('path');
 const yaml = require('js-yaml');
 const { loadEnvConfig } = require('./env-config-loader');
+const config = require('../config');
 
 /**
  * Build environment variable map for interpolation based on env-config.yaml
  * - Supports values like "host:port" by splitting into *_HOST (host) and *_PORT (port)
  * - Merges overrides from ~/.aifabrix/config.yaml under environments.{env}
  * - Applies aifabrix-localhost override for local context if configured
+ * - Applies developer-id adjustment to port variables for local context
  * @async
  * @function buildEnvVarMap
  * @param {'docker'|'local'} context - Environment context
  * @param {Object} [osModule] - Optional os module (for testing). If not provided, requires 'os'
+ * @param {number|null} [developerId] - Optional developer ID for port adjustment. If not provided, will be fetched from config for local context.
  * @returns {Promise<Object>} Map of variables for interpolation
  */
-async function buildEnvVarMap(context, osModule = null) {
+async function buildEnvVarMap(context, osModule = null, developerId = null) {
   // Load env-config (base + user override if configured)
   let baseVars = {};
   try {
@@ -107,6 +110,50 @@ async function buildEnvVarMap(context, osModule = null) {
       result[key] = val;
     }
   }
+
+  // Apply developer-id adjustment to port variables for local context
+  if (context === 'local') {
+    let devIdNum = 0;
+    if (developerId !== null && developerId !== undefined) {
+      const parsed = typeof developerId === 'number' ? developerId : parseInt(developerId, 10);
+      if (!Number.isNaN(parsed)) {
+        devIdNum = parsed;
+      }
+    } else {
+      // Get developer-id from config if not provided
+      try {
+        const devId = await config.getDeveloperId();
+        if (devId !== null && devId !== undefined) {
+          const parsed = parseInt(devId, 10);
+          if (!Number.isNaN(parsed)) {
+            devIdNum = parsed;
+          }
+        }
+      } catch {
+        // ignore, will use 0
+      }
+    }
+
+    // Apply adjustment to all *_PORT variables
+    if (devIdNum !== 0) {
+      for (const [key, value] of Object.entries(result)) {
+        if (/_PORT$/.test(key)) {
+          let portVal;
+          if (typeof value === 'string') {
+            portVal = parseInt(value, 10);
+          } else if (typeof value === 'number') {
+            portVal = value;
+          } else {
+            continue;
+          }
+          if (!Number.isNaN(portVal)) {
+            result[key] = String(portVal + (devIdNum * 100));
+          }
+        }
+      }
+    }
+  }
+
   return result;
 }
 

package/lib/utils/secrets-helpers.js

@@ -13,7 +13,6 @@ const path = require('path');
 const yaml = require('js-yaml');
 const config = require('../config');
 const { buildHostnameToServiceMap, resolveUrlPort } = require('./secrets-utils');
-const devConfig = require('../utils/dev-config');
 const { rewriteInfraEndpoints, getEnvHosts } = require('./env-endpoints');
 const { loadEnvConfig } = require('./env-config-loader');
 const { processEnvVariables } = require('./env-copy');
@@ -132,45 +131,18 @@ function loadEnvTemplate(templatePath) {
 }
 
 /**
- * Adjust infra-related ports in resolved .env content for local environment
- * Follows flow: getEnvHosts() → config.yaml override → variables.yaml override → developer-id adjustment
+ * Calculate application port following override chain and developer-id adjustment
+ * Override chain: env-config.yaml → config.yaml → variables.yaml build.localPort → variables.yaml port
  * @async
- * @function adjustLocalEnvPortsInContent
- * @param {string} envContent - Resolved .env content
- * @param {string} [variablesPath] - Path to variables.yaml (to read build.localPort)
- * @returns {Promise<string>} Updated content with local ports
+ * @function calculateAppPort
+ * @param {string} [variablesPath] - Path to variables.yaml
+ * @param {Object} localEnv - Local environment config from env-config.yaml and config.yaml
+ * @param {string} envContent - Environment content for fallback
+ * @param {number} devIdNum - Developer ID number
+ * @returns {Promise<number>} Final application port with developer-id adjustment
  */
-async function adjustLocalEnvPortsInContent(envContent, variablesPath) {
-  // Get developer-id for port adjustment
-  const devId = await config.getDeveloperId();
-  let devIdNum = 0;
-  if (devId !== null && devId !== undefined) {
-    const parsed = parseInt(devId, 10);
-    if (!Number.isNaN(parsed)) {
-      devIdNum = parsed;
-    }
-  }
-
-  // Step 1: Get base config from env-config.yaml (includes user env-config file if configured)
-  let localEnv = await getEnvHosts('local');
-
-  // Step 2: Apply config.yaml → environments.local override (if exists)
-  try {
-    const os = require('os');
-    const cfgPath = path.join(os.homedir(), '.aifabrix', 'config.yaml');
-    if (fs.existsSync(cfgPath)) {
-      const cfgContent = fs.readFileSync(cfgPath, 'utf8');
-      const cfg = yaml.load(cfgContent) || {};
-      if (cfg && cfg.environments && cfg.environments.local) {
-        localEnv = { ...localEnv, ...cfg.environments.local };
-      }
-    }
-  } catch {
-    // Ignore config.yaml read errors, continue with env-config values
-  }
-
-  // Step 3: Get PORT value following override chain
-  // Start with env-config value, override with variables.yaml build.localPort, then port
+async function calculateAppPort(variablesPath, localEnv, envContent, devIdNum) {
+  // Start with env-config value
   let baseAppPort = null;
   if (localEnv.PORT !== undefined && localEnv.PORT !== null) {
     const portVal = typeof localEnv.PORT === 'number' ? localEnv.PORT : parseInt(localEnv.PORT, 10);
@@ -179,7 +151,7 @@ async function adjustLocalEnvPortsInContent(envContent, variablesPath) {
     }
   }
 
-  // Override with variables.yaml → build.localPort (if exists)
+  // Override with variables.yaml → build.localPort (strongest)
   if (variablesPath && fs.existsSync(variablesPath)) {
     try {
       const variablesContent = fs.readFileSync(variablesPath, 'utf8');
@@ -188,7 +160,7 @@ async function adjustLocalEnvPortsInContent(envContent, variablesPath) {
       if (typeof localPort === 'number' && localPort > 0) {
         baseAppPort = localPort;
       } else if (baseAppPort === null || baseAppPort === undefined) {
-        // Fallback to variables.yaml → port if baseAppPort still not set
+        // Fallback to variables.yaml → port
         baseAppPort = variables?.port || 3000;
       }
     } catch {
@@ -206,29 +178,75 @@ async function adjustLocalEnvPortsInContent(envContent, variablesPath) {
     }
   }
 
-  // Step 4: Apply developer-id adjustment: finalPort = basePort + (developerId * 100)
-  const appPort = devIdNum === 0 ? baseAppPort : (baseAppPort + (devIdNum * 100));
+  // Apply developer-id adjustment
+  return devIdNum === 0 ? baseAppPort : (baseAppPort + (devIdNum * 100));
+}
+
+/**
+ * Update localhost URLs that point to base app port to use developer-specific app port
+ * @function updateLocalhostUrls
+ * @param {string} content - Environment content
+ * @param {number} baseAppPort - Base application port
+ * @param {number} appPort - Developer-specific application port
+ * @returns {string} Updated content with adjusted localhost URLs
+ */
+function updateLocalhostUrls(content, baseAppPort, appPort) {
+  const localhostUrlPattern = /(https?:\/\/localhost:)(\d+)(\b[^ \n]*)?/g;
+  return content.replace(localhostUrlPattern, (match, prefix, portNum, rest = '') => {
+    const num = parseInt(portNum, 10);
+    if (num === baseAppPort) {
+      return `${prefix}${appPort}${rest || ''}`;
+    }
+    return match;
+  });
+}
+
+/**
+ * Adjust infra-related ports in resolved .env content for local environment
+ * Only handles PORT variable (other ports handled by interpolation)
+ * Follows flow: getEnvHosts() → config.yaml override → variables.yaml override → developer-id adjustment
+ * @async
+ * @function adjustLocalEnvPortsInContent
+ * @param {string} envContent - Resolved .env content
+ * @param {string} [variablesPath] - Path to variables.yaml (to read build.localPort)
+ * @returns {Promise<string>} Updated content with local ports
+ */
+async function adjustLocalEnvPortsInContent(envContent, variablesPath) {
+  // Get developer-id for port adjustment
+  const devId = await config.getDeveloperId();
+  let devIdNum = 0;
+  if (devId !== null && devId !== undefined) {
+    const parsed = parseInt(devId, 10);
+    if (!Number.isNaN(parsed)) {
+      devIdNum = parsed;
+    }
+  }
+
+  // Get base config from env-config.yaml (includes user env-config file if configured)
+  let localEnv = await getEnvHosts('local');
 
-  // Step 5: Get infra service ports from config and apply developer-id adjustment
-  // All infra ports (REDIS_PORT, DB_PORT, etc.) come from localEnv and get developer-id adjustment
-  const getInfraPort = (portKey, defaultValue) => {
-    let port = defaultValue;
-    if (localEnv[portKey] !== undefined && localEnv[portKey] !== null) {
-      const portVal = typeof localEnv[portKey] === 'number' ? localEnv[portKey] : parseInt(localEnv[portKey], 10);
-      if (!Number.isNaN(portVal)) {
-        port = portVal;
+  // Apply config.yaml → environments.local override (if exists)
+  try {
+    const os = require('os');
+    const cfgPath = path.join(os.homedir(), '.aifabrix', 'config.yaml');
+    if (fs.existsSync(cfgPath)) {
+      const cfgContent = fs.readFileSync(cfgPath, 'utf8');
+      const cfg = yaml.load(cfgContent) || {};
+      if (cfg && cfg.environments && cfg.environments.local) {
+        localEnv = { ...localEnv, ...cfg.environments.local };
       }
     }
-    // Apply developer-id adjustment (infra ports are similar to docker)
-    return devIdNum === 0 ? port : (port + (devIdNum * 100));
-  };
+  } catch {
+    // Ignore config.yaml read errors, continue with env-config values
+  }
 
-  // Get default ports from devConfig as last resort fallback
-  const basePorts = devConfig.getBasePorts();
-  const redisPort = getInfraPort('REDIS_PORT', basePorts.redis);
-  const dbPort = getInfraPort('DB_PORT', basePorts.postgres);
+  // Calculate base port (without developer-id adjustment) for URL matching
+  const baseAppPort = await calculateAppPort(variablesPath, localEnv, envContent, 0);
+  // Calculate final port with developer-id adjustment
+  const appPort = await calculateAppPort(variablesPath, localEnv, envContent, devIdNum);
 
-  // Update .env content
+  // Update .env content - only handle PORT variable
+  // Other port variables (DB_PORT, REDIS_PORT, etc.) are handled by interpolation
   let updated = envContent;
 
   // Update PORT
@@ -238,24 +256,11 @@ async function adjustLocalEnvPortsInContent(envContent, variablesPath) {
     updated = `${updated}\nPORT=${appPort}\n`;
   }
 
-  // Update DATABASE_PORT
-  if (/^DATABASE_PORT\s*=.*$/m.test(updated)) {
-    updated = updated.replace(/^DATABASE_PORT\s*=\s*.*$/m, `DATABASE_PORT=${dbPort}`);
-  }
-
-  // Update localhost URLs that point to the base app port to the dev-specific app port
-  const localhostUrlPattern = /(https?:\/\/localhost:)(\d+)(\b[^ \n]*)?/g;
-  updated = updated.replace(localhostUrlPattern, (match, prefix, portNum, rest = '') => {
-    const num = parseInt(portNum, 10);
-    if (num === baseAppPort) {
-      return `${prefix}${appPort}${rest || ''}`;
-    }
-    return match;
-  });
+  // Update localhost URLs
+  updated = updateLocalhostUrls(updated, baseAppPort, appPort);
 
-  // Rewrite infra endpoints using env-config mapping for local context
-  // This handles REDIS_HOST, REDIS_PORT, REDIS_URL, DB_HOST, etc.
-  updated = await rewriteInfraEndpoints(updated, 'local', { redis: redisPort, postgres: dbPort });
+  // Update infra endpoints with developer-id adjusted ports for local context
+  updated = await rewriteInfraEndpoints(updated, 'local');
 
   return updated;
 }

package/lib/utils/variable-transformer.js

@@ -73,6 +73,12 @@ function transformFlatStructure(variables, appName) {
     result.authentication = auth;
   }
 
+  // Add placeholder deploymentKey for validation (will be generated from JSON later)
+  // This is a 64-character hex string matching the SHA256 pattern
+  if (!result.deploymentKey) {
+    result.deploymentKey = '0000000000000000000000000000000000000000000000000000000000000000';
+  }
+
   return result;
 }
 
@@ -284,7 +290,15 @@ function transformVariablesForValidation(variables, appName) {
     databases: requires.databases || (requires.database ? [{ name: variables.app?.key || appName }] : [])
   };
 
-  return transformOptionalFields(variables, transformed);
+  const result = transformOptionalFields(variables, transformed);
+
+  // Add placeholder deploymentKey for validation (will be generated from JSON later)
+  // This is a 64-character hex string matching the SHA256 pattern
+  if (!result.deploymentKey) {
+    result.deploymentKey = '0000000000000000000000000000000000000000000000000000000000000000';
+  }
+
+  return result;
 }
 
 module.exports = {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.5.3",
+  "version": "2.6.0",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {

package/templates/applications/keycloak/variables.yaml

@@ -44,9 +44,3 @@ build:
   localPort: 8082                                       # Port for local development (different from Docker port)
   containerPort: 8080                                   # Container port (different from local port)
   language: typescript                                  # Runtime language for template selection
-  secrets:                                              # Path to secrets file (optional)
-
-# Docker Compose
-compose:
-  file: docker-compose.yaml
-  service: keycloak

package/templates/applications/miso-controller/env.template

@@ -71,7 +71,7 @@ REDIS_PERMISSIONS_TTL=900
 # Connects to external keycloak from aifabrix-setup
 
 KEYCLOAK_REALM=aifabrix
-KEYCLOAK_AUTH_SERVER_URL=kv://keycloak-auth-server-urlKeyVault
+KEYCLOAK_SERVER_URL=kv://keycloak-server-urlKeyVault
 KEYCLOAK_CLIENT_ID=miso-controller
 KEYCLOAK_CLIENT_SECRET=kv://keycloak-client-secretKeyVault
 KEYCLOAK_ADMIN_USERNAME=admin
@@ -107,7 +107,7 @@ MOCK=true
 ENCRYPTION_KEY=kv://secrets-encryptionKeyVault
 
 # JWT Configuration (for client token generation)
-JWT_SECRET=kv://miso-controller-jwt-secretKeyVaultKeyVault
+JWT_SECRET=kv://miso-controller-jwt-secretKeyVault
 
 # When API_KEY is set, a matching Bearer token bypasses OAuth2 validation
 API_KEY=kv://miso-controller-api-key-secretKeyVault
@@ -149,6 +149,4 @@ LOG_FILE_PATH=/mnt/data/logs
 # =============================================================================
 
 # Mount Volume Configuration
-MOUNT_VOLUME=C:/git/esystemsdev/aifabrix-miso/mount
-
-
+MOUNT_VOLUME=/mnt/data/

package/templates/applications/miso-controller/rbac.yaml

@@ -134,19 +134,19 @@ permissions:
     description: "Delete environments"
   
   # Environment Applications
-  - name: "environments_applications:create"
+  - name: "environments-applications:create"
     roles: ["aifabrix-platform-admin", "aifabrix-deployment-admin", "aifabrix-developer"]
     description: "Create applications within environments"
   
-  - name: "environments_applications:read"
+  - name: "environments-applications:read"
     roles: ["aifabrix-platform-admin", "aifabrix-deployment-admin", "aifabrix-developer", "aifabrix-observer"]
     description: "View applications within environments"
   
-  - name: "environments_applications:update"
+  - name: "environments-applications:update"
     roles: ["aifabrix-platform-admin", "aifabrix-deployment-admin", "aifabrix-developer"]
     description: "Update applications within environments"
   
-  - name: "environments_applications:delete"
+  - name: "environments-applications:delete"
     roles: ["aifabrix-platform-admin", "aifabrix-deployment-admin"]
     description: "Remove applications from environments"
   
@@ -207,11 +207,11 @@ permissions:
     description: "Administrative export access to all data"
   
   # Admin Operations
-  - name: "admin.sync"
+  - name: "admin:sync"
     roles: ["aifabrix-platform-admin", "aifabrix-infrastructure-admin"]
     description: "Full system synchronization operations"
   
-  - name: "admin.keycloak"
+  - name: "admin:keycloak"
     roles: ["aifabrix-platform-admin", "aifabrix-security-admin"]
     description: "Keycloak administration and configuration"
   

package/templates/applications/miso-controller/variables.yaml

@@ -34,7 +34,7 @@ healthCheck:
 
 # Authentication
 authentication:
-  type: keycloak
+  type: local
   enableSSO: true
   requiredRoles:
     - aifabrix-user
@@ -48,10 +48,4 @@ build:
   envOutputPath:          	                                # Copy .env to repo root for local dev (relative to builder/) (if null, no .env file is copied) (if empty, .env file is copied to repo root)
   localPort: 3010                                           # Port for local development (different from Docker port)
   language: typescript                                  		# Runtime language for template selection (typescript or python)
-  secrets:                                                 	# Path to secrets file
-  envFilePath: .env                                     		# Generated in builder/
 
-# Docker Compose
-compose:
-  file: docker-compose.yaml
-  service: miso-controller