@aifabrix/builder 2.7.0 → 2.8.0

package/lib/schema/external-datasource.schema.json

@@ -1,8 +1,50 @@
 {
    "$schema":"https://json-schema.org/draft/2020-12/schema",
-   "$id":"https://aifabrix.ai/schemas/external-datasource.schema.json",
+   "$id":"https://raw.githubusercontent.com/esystemsdev/aifabrix-builder/refs/heads/main/lib/schema/external-datasource.schema.json",
    "title":"External Data Source",
    "description":"Configuration for AI Fabrix ExternalDataSource entities. Includes metadata schema, ABAC access fields, transformation mappings, OpenAPI/MCP exposure, and sync behavior.",
+   "metadata":{
+      "key":"external-datasource-schema",
+      "name":"External Data Source Configuration Schema",
+      "description":"JSON schema for validating ExternalDataSource configuration files",
+      "version":"1.0.0",
+      "type":"schema",
+      "category":"integration",
+      "author":"AI Fabrix Team",
+      "createdAt":"2024-01-01T00:00:00Z",
+      "updatedAt":"2024-01-01T00:00:00Z",
+      "compatibility":{
+         "minVersion":"1.0.0",
+         "maxVersion":"2.0.0",
+         "deprecated":false
+      },
+      "tags":[
+         "schema",
+         "external-datasource",
+         "dataplane",
+         "integration",
+         "validation"
+      ],
+      "dependencies":[
+         "external-system.schema.json"
+      ],
+      "changelog":[
+         {
+            "version":"1.0.0",
+            "date":"2024-01-01T00:00:00Z",
+            "changes":[
+               "Initial schema for External Data Sources",
+               "Added fieldMappings DSL with transformation expressions",
+               "Added metadataSchema validation",
+               "Added exposed fields configuration for MCP/OpenAPI",
+               "Added ABAC accessFields validation",
+               "Added OpenAPI and MCP operation configurations",
+               "Added sync configuration and validation rules"
+            ],
+            "breaking":false
+         }
+      ]
+   },
    "type":"object",
    "required":[
       "key",
@@ -38,6 +80,12 @@
          "type":"string",
          "pattern":"^[a-z0-9-]+$"
       },
+      "resourceType":{
+         "type":"string",
+         "enum":["customer","contact","person","document","deal"],
+         "default":"document",
+         "description":"Resource type for the datasource. Maps to database ResourceType enum."
+      },
       "version":{
          "type":"string",
          "pattern":"^[0-9]+\\.[0-9]+\\.[0-9]+$",

package/lib/schema/external-system.schema.json

@@ -1,6 +1,6 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
-  "$id": "https://aifabrix.ai/schemas/external-system.schema.json",
+  "$id": "https://raw.githubusercontent.com/esystemsdev/aifabrix-builder/refs/heads/main/lib/schema/external-system.schema.json",
   "title": "AI Fabrix External System Configuration Schema",
   "description": "Schema for configuring an external system connected to the AI Fabrix Dataplane. This defines authentication, OpenAPI/MCP bindings, field mappings defaults, metadata handling and portal inputs.",
 
@@ -101,9 +101,9 @@
     "authentication": {
       "type": "object",
       "description": "Authentication configuration for the external system.",
-      "required": ["mode"],
+      "required": ["type"],
       "properties": {
-        "mode": {
+        "type": {
           "type": "string",
           "enum": ["oauth2", "apikey", "basic", "aad", "none"],
           "description": "Authentication method used for API access."
@@ -111,7 +111,7 @@
 
         "oauth2": {
           "type": "object",
-          "description": "OAuth2 configuration used when mode == 'oauth2'. All secrets are stored in Key Vault.",
+          "description": "OAuth2 configuration used when type == 'oauth2'. All secrets are stored in Key Vault.",
           "properties": {
             "tokenUrl": {
               "type": "string",

package/lib/schema/infrastructure-schema.json

@@ -1,6 +1,6 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
-  "$id": "https://docs.aifabrix.ai/schemas/Configuration-Schema-Infra.json",
+  "$id": "https://raw.githubusercontent.com/esystemsdev/aifabrix-builder/refs/heads/main/lib/schema/infrastructure-schema.json",
   "title": "AI Fabrix Infrastructure Configuration Schema",
   "description": "Infrastructure-level configuration schema for AI Fabrix deployment",
   "metadata": {

package/lib/templates.js

@@ -16,6 +16,37 @@ const yaml = require('js-yaml');
  */
 function generateVariablesYaml(appName, config) {
   const displayName = appName.replace(/-/g, ' ').replace(/\b\w/g, l => l.toUpperCase());
+  const appType = config.type || 'webapp';
+
+  // For external type, create minimal variables.yaml
+  if (appType === 'external') {
+    const variables = {
+      app: {
+        key: appName,
+        displayName: displayName,
+        description: `${appName.replace(/-/g, ' ')} external system`,
+        type: 'external'
+      },
+      deployment: {
+        controllerUrl: '',
+        environment: 'dev'
+      },
+      externalIntegration: {
+        schemaBasePath: './schemas',
+        systems: [],
+        dataSources: [],
+        autopublish: true,
+        version: '1.0.0'
+      }
+    };
+
+    return yaml.dump(variables, {
+      indent: 2,
+      lineWidth: 120,
+      noRefs: true,
+      sortKeys: false
+    });
+  }
 
   // Parse image name to separate name and tag
   let imageName = appName;
@@ -32,7 +63,7 @@ function generateVariablesYaml(appName, config) {
       key: appName,
       displayName: displayName,
       description: `${appName.replace(/-/g, ' ')} application`,
-      type: 'webapp'
+      type: appType
     },
     image: {
       name: imageName,

package/lib/utils/device-code.js

@@ -61,20 +61,28 @@ function parseDeviceCodeResponse(response) {
  * @function initiateDeviceCodeFlow
  * @param {string} controllerUrl - Base URL of the controller
  * @param {string} environment - Environment key (e.g., 'miso', 'dev', 'tst', 'pro')
+ * @param {string} [scope] - OAuth2 scope string (default: 'openid profile email')
  * @returns {Promise<Object>} Device code response with device_code, user_code, verification_uri, expires_in, interval
  * @throws {Error} If initiation fails
  */
-async function initiateDeviceCodeFlow(controllerUrl, environment) {
+async function initiateDeviceCodeFlow(controllerUrl, environment, scope) {
   if (!environment || typeof environment !== 'string') {
     throw new Error('Environment key is required');
   }
 
+  // Default scope for backward compatibility
+  const defaultScope = 'openid profile email';
+  const requestScope = scope || defaultScope;
+
   const url = `${controllerUrl}/api/v1/auth/login?environment=${encodeURIComponent(environment)}`;
   const response = await getMakeApiCall()(url, {
     method: 'POST',
     headers: {
       'Content-Type': 'application/json'
-    }
+    },
+    body: JSON.stringify({
+      scope: requestScope
+    })
   });
 
   if (!response.success) {

package/lib/utils/token-encryption.js

@@ -0,0 +1,68 @@
+/**
+ * AI Fabrix Builder Token Encryption Utilities
+ *
+ * This module provides encryption and decryption functions for authentication tokens
+ * using AES-256-GCM algorithm for ISO 27001 compliance.
+ * Reuses the same encryption infrastructure as secrets encryption.
+ *
+ * @fileoverview Token encryption utilities for AI Fabrix Builder
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const { encryptSecret, decryptSecret, isEncrypted } = require('./secrets-encryption');
+
+/**
+ * Encrypts a token value using AES-256-GCM
+ * Returns encrypted value in format: secure://<iv>:<ciphertext>:<authTag>
+ * All components are base64 encoded
+ *
+ * @function encryptToken
+ * @param {string} value - Plaintext token value to encrypt
+ * @param {string} key - Encryption key (hex or base64, 32 bytes)
+ * @returns {string} Encrypted value with secure:// prefix
+ * @throws {Error} If encryption fails or key is invalid
+ *
+ * @example
+ * const encrypted = encryptToken('my-token', 'a1b2c3...');
+ * // Returns: 'secure://<iv>:<ciphertext>:<authTag>'
+ */
+function encryptToken(value, key) {
+  return encryptSecret(value, key);
+}
+
+/**
+ * Decrypts an encrypted token value
+ * Handles secure:// prefixed values and extracts IV, ciphertext, and auth tag
+ *
+ * @function decryptToken
+ * @param {string} encryptedValue - Encrypted value with secure:// prefix
+ * @param {string} key - Encryption key (hex or base64, 32 bytes)
+ * @returns {string} Decrypted plaintext value
+ * @throws {Error} If decryption fails, key is invalid, or format is incorrect
+ *
+ * @example
+ * const decrypted = decryptToken('secure://<iv>:<ciphertext>:<authTag>', 'a1b2c3...');
+ * // Returns: 'my-token'
+ */
+function decryptToken(encryptedValue, key) {
+  return decryptSecret(encryptedValue, key);
+}
+
+/**
+ * Checks if a token value is encrypted (starts with secure://)
+ *
+ * @function isTokenEncrypted
+ * @param {string} value - Value to check
+ * @returns {boolean} True if value is encrypted
+ */
+function isTokenEncrypted(value) {
+  return isEncrypted(value);
+}
+
+module.exports = {
+  encryptToken,
+  decryptToken,
+  isTokenEncrypted
+};
+

package/lib/validator.js

@@ -14,6 +14,8 @@ const path = require('path');
 const yaml = require('js-yaml');
 const Ajv = require('ajv');
 const applicationSchema = require('./schema/application-schema.json');
+const externalSystemSchema = require('./schema/external-system.schema.json');
+const externalDataSourceSchema = require('./schema/external-datasource.schema.json');
 const { transformVariablesForValidation } = require('./utils/variable-transformer');
 const { checkEnvironment } = require('./utils/environment-checker');
 const { formatValidationErrors } = require('./utils/error-formatter');
@@ -56,13 +58,45 @@ async function validateVariables(appName) {
   const transformed = transformVariablesForValidation(variables, appName);
 
   const ajv = new Ajv({ allErrors: true, strict: false });
+  // Register external schemas with their $id (GitHub raw URLs)
+  // Create copies to avoid modifying the original schemas
+  const externalSystemSchemaCopy = { ...externalSystemSchema };
+  const externalDataSourceSchemaCopy = { ...externalDataSourceSchema };
+  // Remove $schema for draft-2020-12 to avoid AJV issues
+  if (externalDataSourceSchemaCopy.$schema && externalDataSourceSchemaCopy.$schema.includes('2020-12')) {
+    delete externalDataSourceSchemaCopy.$schema;
+  }
+  ajv.addSchema(externalSystemSchemaCopy, externalSystemSchema.$id);
+  ajv.addSchema(externalDataSourceSchemaCopy, externalDataSourceSchema.$id);
   const validate = ajv.compile(applicationSchema);
   const valid = validate(transformed);
 
+  // Additional explicit validation for external type
+  const errors = valid ? [] : formatValidationErrors(validate.errors);
+  const warnings = [];
+
+  // If type is external, perform additional checks
+  if (variables.app && variables.app.type === 'external') {
+    // Check for externalIntegration block
+    if (!variables.externalIntegration) {
+      errors.push('externalIntegration block is required when app.type is "external"');
+    } else {
+      // Validate externalIntegration structure
+      if (!variables.externalIntegration.schemaBasePath) {
+        errors.push('externalIntegration.schemaBasePath is required');
+      }
+      if (!variables.externalIntegration.systems || !Array.isArray(variables.externalIntegration.systems) || variables.externalIntegration.systems.length === 0) {
+        errors.push('externalIntegration.systems must be a non-empty array');
+      }
+      // Note: dataSources can be empty, so we don't validate that here
+      // File existence is validated during build/deploy, not during schema validation
+    }
+  }
+
   return {
-    valid,
-    errors: valid ? [] : formatValidationErrors(validate.errors),
-    warnings: []
+    valid: valid && errors.length === 0,
+    errors,
+    warnings
   };
 }
 
@@ -239,6 +273,16 @@ function validateDeploymentJson(deployment) {
   }
 
   const ajv = new Ajv({ allErrors: true, strict: false });
+  // Register external schemas with their $id (GitHub raw URLs)
+  // Create copies to avoid modifying the original schemas
+  const externalSystemSchemaCopy = { ...externalSystemSchema };
+  const externalDataSourceSchemaCopy = { ...externalDataSourceSchema };
+  // Remove $schema for draft-2020-12 to avoid AJV issues
+  if (externalDataSourceSchemaCopy.$schema && externalDataSourceSchemaCopy.$schema.includes('2020-12')) {
+    delete externalDataSourceSchemaCopy.$schema;
+  }
+  ajv.addSchema(externalSystemSchemaCopy, externalSystemSchema.$id);
+  ajv.addSchema(externalDataSourceSchemaCopy, externalDataSourceSchema.$id);
   const validate = ajv.compile(applicationSchema);
   const valid = validate(deployment);
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/builder",
-  "version": "2.7.0",
+  "version": "2.8.0",
   "description": "AI Fabrix Local Fabric & Deployment SDK",
   "main": "lib/index.js",
   "bin": {

package/tatus

@@ -0,0 +1,181 @@
+
+                   SSUUMMMMAARRYY OOFF LLEESSSS CCOOMMMMAANNDDSS
+
+      Commands marked with * may be preceded by a number, _N.
+      Notes in parentheses indicate the behavior if _N is given.
+      A key preceded by a caret indicates the Ctrl key; thus ^K is ctrl-K.
+
+  h  H                 Display this help.
+  q  :q  Q  :Q  ZZ     Exit.
+ ---------------------------------------------------------------------------
+
+                           MMOOVVIINNGG
+
+  e  ^E  j  ^N  CR  *  Forward  one line   (or _N lines).
+  y  ^Y  k  ^K  ^P  *  Backward one line   (or _N lines).
+  f  ^F  ^V  SPACE  *  Forward  one window (or _N lines).
+  b  ^B  ESC-v      *  Backward one window (or _N lines).
+  z                 *  Forward  one window (and set window to _N).
+  w                 *  Backward one window (and set window to _N).
+  ESC-SPACE         *  Forward  one window, but don't stop at end-of-file.
+  d  ^D             *  Forward  one half-window (and set half-window to _N).
+  u  ^U             *  Backward one half-window (and set half-window to _N).
+  ESC-)  RightArrow *  Right one half screen width (or _N positions).
+  ESC-(  LeftArrow  *  Left  one half screen width (or _N positions).
+  ESC-}  ^RightArrow   Right to last column displayed.
+  ESC-{  ^LeftArrow    Left  to first column.
+  F                    Forward forever; like "tail -f".
+  ESC-F                Like F but stop when search pattern is found.
+  r  ^R  ^L            Repaint screen.
+  R                    Repaint screen, discarding buffered input.
+        ---------------------------------------------------
+        Default "window" is the screen height.
+        Default "half-window" is half of the screen height.
+ ---------------------------------------------------------------------------
+
+                          SSEEAARRCCHHIINNGG
+
+  /_p_a_t_t_e_r_n          *  Search forward for (_N-th) matching line.
+  ?_p_a_t_t_e_r_n          *  Search backward for (_N-th) matching line.
+  n                 *  Repeat previous search (for _N-th occurrence).
+  N                 *  Repeat previous search in reverse direction.
+  ESC-n             *  Repeat previous search, spanning files.
+  ESC-N             *  Repeat previous search, reverse dir. & spanning files.
+  ^O^N  ^On         *  Search forward for (_N-th) OSC8 hyperlink.
+  ^O^P  ^Op         *  Search backward for (_N-th) OSC8 hyperlink.
+  ^O^L  ^Ol            Jump to the currently selected OSC8 hyperlink.
+  ESC-u                Undo (toggle) search highlighting.
+  ESC-U                Clear search highlighting.
+  &_p_a_t_t_e_r_n          *  Display only matching lines.
+        ---------------------------------------------------
+        A search pattern may begin with one or more of:
+        ^N or !  Search for NON-matching lines.
+        ^E or *  Search multiple files (pass thru END OF FILE).
+        ^F or @  Start search at FIRST file (for /) or last file (for ?).
+        ^K       Highlight matches, but don't move (KEEP position).
+        ^R       Don't use REGULAR EXPRESSIONS.
+        ^S _n     Search for match in _n-th parenthesized subpattern.
+        ^W       WRAP search if no match found.
+        ^L       Enter next character literally into pattern.
+ ---------------------------------------------------------------------------
+
+                           JJUUMMPPIINNGG
+
+  g  <  ESC-<       *  Go to first line in file (or line _N).
+  G  >  ESC->       *  Go to last line in file (or line _N).
+  p  %              *  Go to beginning of file (or _N percent into file).
+  t                 *  Go to the (_N-th) next tag.
+  T                 *  Go to the (_N-th) previous tag.
+  {  (  [           *  Find close bracket } ) ].
+  }  )  ]           *  Find open bracket { ( [.
+  ESC-^F _<_c_1_> _<_c_2_>  *  Find close bracket _<_c_2_>.
+  ESC-^B _<_c_1_> _<_c_2_>  *  Find open bracket _<_c_1_>.
+        ---------------------------------------------------
+        Each "find close bracket" command goes forward to the close bracket 
+          matching the (_N-th) open bracket in the top line.
+        Each "find open bracket" command goes backward to the open bracket 
+          matching the (_N-th) close bracket in the bottom line.
+
+  m_<_l_e_t_t_e_r_>            Mark the current top line with <letter>.
+  M_<_l_e_t_t_e_r_>            Mark the current bottom line with <letter>.
+  '_<_l_e_t_t_e_r_>            Go to a previously marked position.
+  ''                   Go to the previous position.
+  ^X^X                 Same as '.
+  ESC-m_<_l_e_t_t_e_r_>        Clear a mark.
+        ---------------------------------------------------
+        A mark is any upper-case or lower-case letter.
+        Certain marks are predefined:
+             ^  means  beginning of the file
+             $  means  end of the file
+ ---------------------------------------------------------------------------
+
+                        CCHHAANNGGIINNGG FFIILLEESS
+
+  :e [_f_i_l_e]            Examine a new file.
+  ^X^V                 Same as :e.
+  :n                *  Examine the (_N-th) next file from the command line.
+  :p                *  Examine the (_N-th) previous file from the command line.
+  :x                *  Examine the first (or _N-th) file from the command line.
+  ^O^O                 Open the currently selected OSC8 hyperlink.
+  :d                   Delete the current file from the command line list.
+  =  ^G  :f            Print current file name.
+ ---------------------------------------------------------------------------
+
+                    MMIISSCCEELLLLAANNEEOOUUSS CCOOMMMMAANNDDSS
+
+  -_<_f_l_a_g_>              Toggle a command line option [see OPTIONS below].
+  --_<_n_a_m_e_>             Toggle a command line option, by name.
+  __<_f_l_a_g_>              Display the setting of a command line option.
+  ___<_n_a_m_e_>             Display the setting of an option, by name.
+  +_c_m_d                 Execute the less cmd each time a new file is examined.
+
+  !_c_o_m_m_a_n_d             Execute the shell command with $SHELL.
+  #_c_o_m_m_a_n_d             Execute the shell command, expanded like a prompt.
+  |XX_c_o_m_m_a_n_d            Pipe file between current pos & mark XX to shell command.
+  s _f_i_l_e               Save input to a file.
+  v                    Edit the current file with $VISUAL or $EDITOR.
+  V                    Print version number of "less".
+ ---------------------------------------------------------------------------
+
+                           OOPPTTIIOONNSS
+
+        Most options may be changed either on the command line,
+        or from within less by using the - or -- command.
+        Options may be given in one of two forms: either a single
+        character preceded by a -, or a name preceded by --.
+
+  -?  ........  --help
+                  Display help (from command line).
+  -a  ........  --search-skip-screen
+                  Search skips current screen.
+  -A  ........  --SEARCH-SKIP-SCREEN
+                  Search starts just after target line.
+  -b [_N]  ....  --buffers=[_N]
+                  Number of buffers.
+  -B  ........  --auto-buffers
+                  Don't automatically allocate buffers for pipes.
+  -c  ........  --clear-screen
+                  Repaint by clearing rather than scrolling.
+  -d  ........  --dumb
+                  Dumb terminal.
+  -D xx_c_o_l_o_r  .  --color=xx_c_o_l_o_r
+                  Set screen colors.
+  -e  -E  ....  --quit-at-eof  --QUIT-AT-EOF
+                  Quit at end of file.
+  -f  ........  --force
+                  Force open non-regular files.
+  -F  ........  --quit-if-one-screen
+                  Quit if entire file fits on first screen.
+  -g  ........  --hilite-search
+                  Highlight only last match for searches.
+  -G  ........  --HILITE-SEARCH
+                  Don't highlight any matches for searches.
+  -h [_N]  ....  --max-back-scroll=[_N]
+                  Backward scroll limit.
+  -i  ........  --ignore-case
+                  Ignore case in searches that do not contain uppercase.
+  -I  ........  --IGNORE-CASE
+                  Ignore case in all searches.
+  -j [_N]  ....  --jump-target=[_N]
+                  Screen position of target lines.
+  -J  ........  --status-column
+                  Display a status column at left edge of screen.
+  -k _f_i_l_e  ...  --lesskey-file=_f_i_l_e
+                  Use a compiled lesskey file.
+  -K  ........  --quit-on-intr
+                  Exit less in response to ctrl-C.
+  -L  ........  --no-lessopen
+                  Ignore the LESSOPEN environment variable.
+  -m  -M  ....  --long-prompt  --LONG-PROMPT
+                  Set prompt style.
+  -n .........  --line-numbers
+                  Suppress line numbers in prompts and messages.
+  -N .........  --LINE-NUMBERS
+                  Display line number at start of each line.
+  -o [_f_i_l_e] ..  --log-file=[_f_i_l_e]
+                  Copy to log file (standard input only).
+  -O [_f_i_l_e] ..  --LOG-FILE=[_f_i_l_e]
+                  Copy to log file (unconditionally overwrite).
+  -p _p_a_t_t_e_r_n .  --pattern=[_p_a_t_t_e_r_n]
+                  Start at pattern (from command line).
+  -P [_p_r_o_m_p_t]   --prompt=[_p_r_o_m_p_t]

package/templates/external-system/external-datasource.json.hbs

@@ -0,0 +1,55 @@
+{
+  "key": "{{datasourceKey}}",
+  "displayName": "{{datasourceDisplayName}}",
+  "description": "{{datasourceDescription}}",
+  "systemKey": "{{systemKey}}",
+  "entityKey": "{{entityKey}}",
+  "resourceType": "{{resourceType}}",
+  "enabled": true,
+  "version": "1.0.0",
+  "metadataSchema": {
+    "type": "object",
+    "properties": {}
+  },
+  "fieldMappings": {
+    "accessFields": ["id", "name"],
+    "fields": {
+      "id": {
+        "expression": "{{raw.id}}",
+        "type": "string",
+        "description": "Unique identifier",
+        "required": true
+      },
+      "name": {
+        "expression": "{{raw.name}}",
+        "type": "string",
+        "description": "Display name",
+        "required": true
+      }
+    }
+  },
+  "exposed": {
+    "fields": ["id", "name"],
+    "description": "Exposed fields for {{datasourceDisplayName}}"
+  }{{#if (eq systemType "openapi")}},
+  "openapi": {
+    "enabled": true,
+    "documentKey": "{{systemKey}}-api",
+    "baseUrl": "https://api.example.com",
+    "resourcePath": "/{{entityKey}}",
+    "operations": {
+      "list": {
+        "operationId": "list{{entityKey}}",
+        "method": "GET",
+        "path": "/{{entityKey}}"
+      },
+      "get": {
+        "operationId": "get{{entityKey}}",
+        "method": "GET",
+        "path": "/{{entityKey}}/{id}"
+      }
+    },
+    "autoRbac": true
+  }{{/if}}
+}
+

package/templates/external-system/external-system.json.hbs

@@ -0,0 +1,37 @@
+{
+  "key": "{{systemKey}}",
+  "displayName": "{{systemDisplayName}}",
+  "description": "{{systemDescription}}",
+  "type": "{{systemType}}",
+  "enabled": true,
+  "environment": {
+    "baseUrl": "https://api.example.com"
+  },
+  "authentication": {
+    "mode": "{{authType}}"{{#if (eq authType "oauth2")}},
+    "oauth2": {
+      "tokenUrl": "https://api.example.com/oauth/token",
+      "clientId": "kv://{{systemKey}}-oauth2-client-id",
+      "clientSecret": "kv://{{systemKey}}-oauth2-client-secret",
+      "scopes": []
+    }{{/if}}{{#if (eq authType "apikey")}},
+    "apikey": {
+      "headerName": "X-API-Key",
+      "key": "kv://{{systemKey}}-api-key"
+    }{{/if}}{{#if (eq authType "basic")}},
+    "basic": {
+      "username": "kv://{{systemKey}}-username",
+      "password": "kv://{{systemKey}}-password"
+    }{{/if}}
+  }{{#if (eq systemType "openapi")}},
+  "openapi": {
+    "documentKey": "{{systemKey}}-api",
+    "autoDiscoverEntities": false
+  }{{/if}}{{#if (eq systemType "mcp")}},
+  "mcp": {
+    "serverUrl": "https://mcp.example.com",
+    "toolPrefix": "{{systemKey}}"
+  }{{/if}},
+  "tags": []
+}
+