@aifabrix/builder 2.33.0 → 2.33.3

package/lib/core/secrets.js

@@ -11,7 +11,6 @@
 
 const fs = require('fs');
 const path = require('path');
-const yaml = require('js-yaml');
 const logger = require('../utils/logger');
 const config = require('./config');
 const {
@@ -30,6 +29,7 @@ const {
 const { processEnvVariables } = require('../utils/env-copy');
 const { buildEnvVarMap } = require('../utils/env-map');
 const { resolveServicePortsInEnvContent } = require('../utils/secrets-url');
+const { updatePortForDocker } = require('./secrets-docker-env');
 const {
   generateMissingSecrets,
   createDefaultSecrets
@@ -44,7 +44,6 @@ const {
 } = require('../utils/secrets-utils');
 const { decryptSecret, isEncrypted } = require('../utils/secrets-encryption');
 const pathsUtil = require('../utils/paths');
-const { getContainerPortFromPath } = require('../utils/port-resolver');
 
 /**
  * Generates a canonical secret name from an environment variable key.
@@ -113,7 +112,7 @@ async function decryptSecretsObject(secrets) {
 /**
  * Loads secrets with cascading lookup
  * Supports both user secrets (~/.aifabrix/secrets.local.yaml) and project overrides
- * User's file takes priority, then falls back to aifabrix-secrets from config.yaml
+ * When aifabrix-secrets (or secrets-path) is set in config.yaml and that file exists, it is used as base; user's file (local) is strongest and overrides project for same key. Otherwise user's file first, then aifabrix-secrets as fallback.
  * Automatically decrypts values with secure:// prefix
  *
  * @async
@@ -126,9 +125,40 @@ async function decryptSecretsObject(secrets) {
  * @example
  * const secrets = await loadSecrets('../../secrets.local.yaml');
  * // Returns: { 'postgres-passwordKeyVault': 'admin123', ... }
+ *
+ * @example
+ * // When config.yaml has aifabrix-secrets: ./secrets.local.yaml, project file is base;
+ * // ~/.aifabrix/secrets.local.yaml overrides project for same key (local strongest).
+ * const secrets = await loadSecrets(undefined, 'myapp');
+ */
+
+/**
+ * Loads config secrets path, merges with user secrets (user overrides). Used by loadSecrets cascade.
+ * @async
+ * @returns {Promise<Object|null>} Merged secrets object or null
  */
+async function loadMergedConfigAndUserSecrets() {
+  try {
+    const configSecretsPath = await config.getSecretsPath();
+    if (!configSecretsPath) return null;
+    const resolvedConfigPath = path.isAbsolute(configSecretsPath)
+      ? configSecretsPath
+      : path.resolve(process.cwd(), configSecretsPath);
+    if (!fs.existsSync(resolvedConfigPath)) return null;
+    const configSecrets = readYamlAtPath(resolvedConfigPath);
+    if (!configSecrets || typeof configSecrets !== 'object') return null;
+    const merged = { ...configSecrets };
+    const userSecrets = loadUserSecrets();
+    for (const key of Object.keys(userSecrets)) {
+      merged[key] = userSecrets[key];
+    }
+    return merged;
+  } catch {
+    return null;
+  }
+}
+
 async function loadSecrets(secretsPath, _appName) {
-  // Explicit path branch
   if (secretsPath) {
     const resolvedPath = resolveSecretsPath(secretsPath);
     if (!fs.existsSync(resolvedPath)) {
@@ -141,9 +171,11 @@ async function loadSecrets(secretsPath, _appName) {
     return await decryptSecretsObject(explicitSecrets);
   }
 
-  // Cascading lookup branch
-  let mergedSecrets = loadUserSecrets();
-  mergedSecrets = await applyCanonicalSecretsOverride(mergedSecrets);
+  let mergedSecrets = await loadMergedConfigAndUserSecrets();
+  if (!mergedSecrets || Object.keys(mergedSecrets).length === 0) {
+    mergedSecrets = loadUserSecrets();
+    mergedSecrets = await applyCanonicalSecretsOverride(mergedSecrets);
+  }
   if (Object.keys(mergedSecrets).length === 0) {
     mergedSecrets = loadDefaultSecrets();
   }
@@ -174,14 +206,12 @@ async function loadSecrets(secretsPath, _appName) {
 async function resolveKvReferences(envTemplate, secrets, environment = 'local', secretsFilePaths = null, appName = null) {
   const os = require('os');
 
-  // Get developer-id for local environment to adjust port variables
+  // Get developer-id for port variables (local and docker: *_PUBLIC_PORT = base + devId*100)
   let developerId = null;
-  if (environment === 'local') {
-    try {
-      developerId = await config.getDeveloperId();
-    } catch {
-      // ignore, will use null (buildEnvVarMap will fetch it)
-    }
+  try {
+    developerId = await config.getDeveloperId();
+  } catch {
+    // ignore, buildEnvVarMap will use default
   }
 
   let envVars = await buildEnvVarMap(environment, os, developerId);
@@ -199,103 +229,6 @@ async function resolveKvReferences(envTemplate, secrets, environment = 'local',
   return replaceKvInContent(resolved, secrets, envVars);
 }
 
-// resolveServicePortsInEnvContent, loadEnvTemplate, and processEnvVariables
-// are imported from ./utils/secrets-helpers above.
-
-/**
- * Generates .env file from template and secrets
- * Creates environment file for local development
- *
- * @async
- * @function generateEnvFile
- * @param {string} appName - Name of the application
- * @param {string} [secretsPath] - Path to secrets file (optional)
- * @param {string} [environment='local'] - Environment context
- * @param {boolean} [force=false] - Generate missing secret keys in secrets file
- * @param {boolean} [skipOutputPath=false] - Skip processing envOutputPath (to avoid recursion)
- * @returns {Promise<string>} Path to generated .env file
- * @throws {Error} If generation fails
- *
- * @example
- * const envPath = await generateEnvFile('myapp', '../../secrets.local.yaml', 'local', true);
- * // Returns: './builder/myapp/.env'
- */
-/**
- * Gets base docker environment config
- * @async
- * @function getBaseDockerEnv
- * @returns {Promise<Object>} Docker environment config
- */
-async function getBaseDockerEnv() {
-  const { getEnvHosts } = require('../utils/env-endpoints');
-  return await getEnvHosts('docker');
-}
-
-/**
- * Applies config.yaml override to docker environment
- * @function applyDockerEnvOverride
- * @param {Object} dockerEnv - Base docker environment config
- * @returns {Object} Updated docker environment config
- */
-function applyDockerEnvOverride(dockerEnv) {
-  try {
-    const os = require('os');
-    const cfgPath = path.join(os.homedir(), '.aifabrix', 'config.yaml');
-    if (fs.existsSync(cfgPath)) {
-      const cfgContent = fs.readFileSync(cfgPath, 'utf8');
-      const cfg = yaml.load(cfgContent) || {};
-      if (cfg && cfg.environments && cfg.environments.docker) {
-        return { ...dockerEnv, ...cfg.environments.docker };
-      }
-    }
-  } catch {
-    // Ignore config.yaml read errors, continue with env-config values
-  }
-  return dockerEnv;
-}
-
-/**
- * Gets container port from docker environment config
- * @function getContainerPortFromDockerEnv
- * @param {Object} dockerEnv - Docker environment config
- * @returns {number} Container port (defaults to 3000)
- */
-function getContainerPortFromDockerEnv(dockerEnv) {
-  if (dockerEnv.PORT === undefined || dockerEnv.PORT === null) {
-    return 3000;
-  }
-  const portVal = typeof dockerEnv.PORT === 'number' ? dockerEnv.PORT : parseInt(dockerEnv.PORT, 10);
-  return Number.isNaN(portVal) ? 3000 : portVal;
-}
-
-/**
- * Updates PORT in resolved content for docker environment
- * Sets PORT to container port (build.containerPort or port from variables.yaml)
- * NOT the host port (which includes developer-id offset)
- * @async
- * @function updatePortForDocker
- * @param {string} resolved - Resolved environment content
- * @param {string} variablesPath - Path to variables.yaml file
- * @returns {Promise<string>} Updated content with PORT set
- */
-async function updatePortForDocker(resolved, variablesPath) {
-  // Step 1: Get base config from env-config.yaml
-  let dockerEnv = await getBaseDockerEnv();
-
-  // Step 2: Apply config.yaml → environments.docker override (if exists)
-  dockerEnv = applyDockerEnvOverride(dockerEnv);
-
-  // Step 3: Get PORT value for container (should be container port, NOT host port)
-  let containerPort = getContainerPortFromPath(variablesPath);
-  if (containerPort === null) {
-    containerPort = getContainerPortFromDockerEnv(dockerEnv);
-  }
-
-  // PORT in container should be the container port (no developer-id adjustment)
-  // Docker will map container port to host port via port mapping
-  return resolved.replace(/^PORT\s*=\s*.*$/m, `PORT=${containerPort}`);
-}
-
 /**
  * Applies environment-specific transformations to resolved content
  * @async
@@ -348,7 +281,7 @@ async function applyEnvironmentTransformations(resolved, environment, variablesP
  * @throws {Error} If generation fails
  */
 async function generateEnvContent(appName, secretsPath, environment = 'local', force = false) {
-  const builderPath = path.join(process.cwd(), 'builder', appName);
+  const builderPath = pathsUtil.getBuilderPath(appName);
   const templatePath = path.join(builderPath, 'env.template');
   const variablesPath = path.join(builderPath, 'variables.yaml');
 
@@ -375,14 +308,108 @@ async function generateEnvContent(appName, secretsPath, environment = 'local', f
   return resolved;
 }
 
-async function generateEnvFile(appName, secretsPath, environment = 'local', force = false, skipOutputPath = false) {
-  const builderPath = path.join(process.cwd(), 'builder', appName);
+/**
+ * Parses .env file content into a key-to-value map.
+ * Only includes lines that look like KEY=value (first = separates key and value).
+ *
+ * @function parseEnvContentToMap
+ * @param {string} content - Raw .env file content
+ * @returns {Object.<string, string>} Map of variable name to value
+ */
+function parseEnvContentToMap(content) {
+  if (!content || typeof content !== 'string') {
+    return {};
+  }
+  const map = {};
+  const lines = content.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) {
+      continue;
+    }
+    const eq = trimmed.indexOf('=');
+    if (eq > 0) {
+      const key = trimmed.substring(0, eq).trim();
+      const value = trimmed.substring(eq + 1);
+      map[key] = value;
+    }
+  }
+  return map;
+}
+
+/**
+ * Merges new .env content with existing .env: newly resolved content wins for keys it
+ * defines (so project secrets take effect when re-running). Keys only in existing .env
+ * are appended so manual additions are kept.
+ *
+ * @function mergeEnvContentPreservingExisting
+ * @param {string} newContent - Newly generated .env content (from template + loadSecrets)
+ * @param {Object.<string, string>} existingMap - Existing key-to-value map from current .env
+ * @returns {string} Merged content: new values for keys in newContent, plus extra existing keys
+ */
+function mergeEnvContentPreservingExisting(newContent, existingMap) {
+  const lines = newContent.split(/\r?\n/);
+  const newKeys = new Set();
+  const out = [];
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) {
+      out.push(line);
+      continue;
+    }
+    const eq = trimmed.indexOf('=');
+    if (eq > 0) {
+      const key = trimmed.substring(0, eq).trim();
+      newKeys.add(key);
+    }
+    out.push(line);
+  }
+  if (existingMap && Object.keys(existingMap).length > 0) {
+    for (const key of Object.keys(existingMap)) {
+      if (!newKeys.has(key)) {
+        out.push(`${key}=${existingMap[key]}`);
+      }
+    }
+  }
+  return out.join('\n');
+}
+
+/**
+ * Generates and writes .env file. Newly resolved values (from template + secrets) win over
+ * existing .env so that project secrets (e.g. from config aifabrix-secrets) take effect on
+ * re-run. Extra variables only in existing .env are kept.
+ *
+ * @async
+ * @function generateEnvFile
+ * @param {string} appName - Name of the application
+ * @param {string} [secretsPath] - Path to secrets file (optional)
+ * @param {string} [environment='local'] - Environment context ('local' or 'docker')
+ * @param {boolean} [force=false] - Generate missing secret keys in secrets file
+ * @param {boolean} [skipOutputPath=false] - Skip copying to envOutputPath
+ * @param {string} [preserveFromPath=null] - Path to existing .env to preserve values from (defaults to builder .env)
+ * @returns {Promise<string>} Path to generated .env file
+ * @throws {Error} If generation fails
+ *
+ * @example
+ * const envPath = await generateEnvFile('myapp', undefined, 'docker');
+ * // When builder/myapp/.env already exists, existing values are preserved
+ */
+async function generateEnvFile(appName, secretsPath, environment = 'local', force = false, skipOutputPath = false, preserveFromPath = null) {
+  const builderPath = pathsUtil.getBuilderPath(appName);
   const variablesPath = path.join(builderPath, 'variables.yaml');
   const envPath = path.join(builderPath, '.env');
 
   const resolved = await generateEnvContent(appName, secretsPath, environment, force);
 
-  fs.writeFileSync(envPath, resolved, { mode: 0o600 });
+  let toWrite = resolved;
+  const pathToPreserve = preserveFromPath || envPath;
+  if (pathToPreserve && fs.existsSync(pathToPreserve)) {
+    const existingContent = fs.readFileSync(pathToPreserve, 'utf8');
+    const existingMap = parseEnvContentToMap(existingContent);
+    toWrite = mergeEnvContentPreservingExisting(resolved, existingMap);
+  }
+
+  fs.writeFileSync(envPath, toWrite, { mode: 0o600 });
 
   // Process and copy to envOutputPath if configured (uses localPort for copied file)
   if (!skipOutputPath) {

package/lib/datasource/deploy.js

@@ -118,10 +118,27 @@ async function setupDeploymentAuth(controllerUrl, environment, appKey) {
   logger.log(chalk.green('✓ Authentication successful'));
 
   logger.log(chalk.blue('🌐 Resolving dataplane URL...'));
-  const dataplaneUrl = await resolveDataplaneUrl(controllerUrl, environment, authConfig);
-  logger.log(chalk.green(`✓ Dataplane URL: ${dataplaneUrl}`));
+  let dataplaneUrl;
+  try {
+    dataplaneUrl = await resolveDataplaneUrl(controllerUrl, environment, authConfig);
+    logger.log(chalk.green(`✓ Dataplane URL: ${dataplaneUrl}`));
+  } catch (error) {
+    logger.error(chalk.red('❌ Failed to resolve dataplane URL:'), error.message);
+    logger.error(chalk.gray('\nThe dataplane URL is automatically discovered from the controller.'));
+    logger.error(chalk.gray('If discovery fails, ensure you are logged in and the controller is accessible:'));
+    logger.error(chalk.gray('   aifabrix login'));
+    throw error;
+  }
+
+  // Validate dataplane URL
+  if (!dataplaneUrl || !dataplaneUrl.trim()) {
+    logger.error(chalk.red('❌ Dataplane URL is empty.'));
+    logger.error(chalk.gray('The dataplane URL could not be discovered from the controller.'));
+    logger.error(chalk.gray('Ensure the dataplane service is registered in the controller.'));
+    throw new Error('Dataplane URL is empty');
+  }
 
-  return { authConfig, dataplaneUrl };
+  return { authConfig, dataplaneUrl: dataplaneUrl.trim() };
 }
 
 /**
@@ -143,6 +160,17 @@ async function publishDatasourceToDataplane(dataplaneUrl, systemKey, authConfig,
     const formattedError = publishResponse.formattedError || formatApiError(publishResponse);
     logger.error(chalk.red('❌ Publish failed:'));
     logger.error(formattedError);
+
+    // Show dataplane URL and endpoint information
+    if (publishResponse.errorData && publishResponse.errorData.endpointUrl) {
+      logger.error(chalk.gray(`\nEndpoint URL: ${publishResponse.errorData.endpointUrl}`));
+    } else if (dataplaneUrl) {
+      logger.error(chalk.gray(`\nDataplane URL: ${dataplaneUrl}`));
+      logger.error(chalk.gray(`System Key: ${systemKey}`));
+    }
+
+    logger.error(chalk.gray('\nFull response for debugging:'));
+    logger.error(chalk.gray(JSON.stringify(publishResponse, null, 2)));
     throw new Error(`Dataplane publish failed: ${formattedError}`);
   }
 

package/lib/datasource/list.js

@@ -1,7 +1,8 @@
 /**
  * Datasource List Command
  *
- * Lists datasources from an environment via controller API.
+ * Lists datasources from an environment via dataplane API.
+ * Gets dataplane URL from controller, then lists datasources from dataplane.
  *
  * @fileoverview Datasource listing for AI Fabrix Builder
  * @author AI Fabrix Team
@@ -11,7 +12,8 @@
 const chalk = require('chalk');
 const { getConfig, resolveEnvironment } = require('../core/config');
 const { getOrRefreshDeviceToken } = require('../utils/token-manager');
-const { listEnvironmentDatasources } = require('../api/environments.api');
+const { listDatasources: listDatasourcesFromDataplane } = require('../api/datasources-core.api');
+const { resolveDataplaneUrl } = require('../utils/dataplane-resolver');
 const { formatApiError } = require('../utils/api-error-handler');
 const logger = require('../utils/logger');
 
@@ -103,14 +105,19 @@ function extractDatasources(response) {
  * @function displayDatasources
  * @param {Array} datasources - Array of datasource objects
  * @param {string} environment - Environment key
+ * @param {string} dataplaneUrl - Dataplane URL for header display
  */
-function displayDatasources(datasources, environment) {
+function displayDatasources(datasources, environment, dataplaneUrl) {
+  const environmentName = environment || 'dev';
+  const header = `Datasources in ${environmentName} environment${dataplaneUrl ? ` (${dataplaneUrl})` : ''}`;
+
   if (datasources.length === 0) {
-    logger.log(chalk.yellow(`\nNo datasources found in environment: ${environment}`));
+    logger.log(chalk.bold(`\n📋 ${header}:\n`));
+    logger.log(chalk.gray('  No datasources found in this environment.\n'));
     return;
   }
 
-  logger.log(chalk.blue(`\n📋 Datasources in environment: ${environment}\n`));
+  logger.log(chalk.bold(`\n📋 ${header}:\n`));
   logger.log(chalk.gray('Key'.padEnd(30) + 'Display Name'.padEnd(30) + 'System Key'.padEnd(20) + 'Version'.padEnd(15) + 'Status'));
   logger.log(chalk.gray('-'.repeat(120)));
 
@@ -169,7 +176,7 @@ async function getDeviceTokenFromConfig(config) {
  * @param {string|null} controllerUrl - Controller URL
  */
 function validateDatasourceListingAuth(token, controllerUrl) {
-  if (!token || !controllerUrl) {
+  if (!token || !controllerUrl || (typeof controllerUrl === 'string' && !controllerUrl.trim())) {
     logger.error(chalk.red('❌ Not logged in. Run: aifabrix login'));
     logger.error(chalk.gray('   Use device code flow: aifabrix login --method device --controller <url>'));
     process.exit(1);
@@ -181,14 +188,92 @@ function validateDatasourceListingAuth(token, controllerUrl) {
  * @function handleDatasourceApiError
  * @param {Object} response - API response
  */
-function handleDatasourceApiError(response) {
+function handleDatasourceApiError(response, dataplaneUrl = null) {
   const formattedError = response.formattedError || formatApiError(response);
   logger.error(formattedError);
+
+  // Show endpoint URL from error data if available (more specific than dataplane URL)
+  if (response.errorData && response.errorData.endpointUrl) {
+    logger.error(chalk.gray(`\nEndpoint URL: ${response.errorData.endpointUrl}`));
+  } else if (response.errorData && response.errorData.controllerUrl) {
+    logger.error(chalk.gray(`\nDataplane URL: ${response.errorData.controllerUrl}`));
+  } else if (dataplaneUrl) {
+    logger.error(chalk.gray(`\nDataplane URL: ${dataplaneUrl}`));
+  }
+
   logger.error(chalk.gray('\nFull response for debugging:'));
   logger.error(chalk.gray(JSON.stringify(response, null, 2)));
   process.exit(1);
 }
 
+/**
+ * Validates and trims controller URL
+ * @function validateControllerUrl
+ * @param {string} controllerUrl - Controller URL to validate
+ * @returns {string} Trimmed controller URL
+ */
+function validateControllerUrl(controllerUrl) {
+  const trimmed = controllerUrl.trim();
+  if (!trimmed) {
+    logger.error(chalk.red('❌ Controller URL is empty.'));
+    logger.error(chalk.gray(`   Controller URL from config: ${JSON.stringify(controllerUrl)}`));
+    logger.error(chalk.gray('   Run: aifabrix login --method device --controller <url>'));
+    process.exit(1);
+  }
+  return trimmed;
+}
+
+/**
+ * Resolves and validates dataplane URL from controller
+ * @async
+ * @function resolveAndValidateDataplaneUrl
+ * @param {string} controllerUrl - Controller URL
+ * @param {string} environment - Environment key
+ * @param {Object} authConfig - Authentication configuration
+ * @returns {Promise<string>} Validated dataplane URL
+ */
+async function resolveAndValidateDataplaneUrl(controllerUrl, environment, authConfig) {
+  let dataplaneUrl;
+  try {
+    // discoverDataplaneUrl already logs progress and success messages
+    dataplaneUrl = await resolveDataplaneUrl(controllerUrl, environment, authConfig);
+  } catch (error) {
+    logger.error(chalk.red('❌ Failed to resolve dataplane URL:'), error.message);
+    logger.error(chalk.gray('\nThe dataplane URL is automatically discovered from the controller.'));
+    logger.error(chalk.gray('If discovery fails, ensure you are logged in and the controller is accessible:'));
+    logger.error(chalk.gray('   aifabrix login'));
+    process.exit(1);
+    // eslint-disable-next-line no-unreachable
+    throw error; // Never reached in production, but needed for tests when process.exit is mocked
+  }
+
+  if (!dataplaneUrl || typeof dataplaneUrl !== 'string' || !dataplaneUrl.trim()) {
+    logger.error(chalk.red('❌ Dataplane URL is empty.'));
+    logger.error(chalk.gray('The dataplane URL could not be discovered from the controller.'));
+    logger.error(chalk.gray('Ensure the dataplane service is registered in the controller.'));
+    process.exit(1);
+    // eslint-disable-next-line no-unreachable
+    throw new Error('Dataplane URL is empty'); // Never reached in production, but needed for tests
+  }
+
+  return dataplaneUrl.trim();
+}
+
+/**
+ * Sets up authentication configuration for dataplane API calls
+ * @function setupAuthConfig
+ * @param {string} token - Authentication token
+ * @param {string} controllerUrl - Controller URL
+ * @returns {Object} Authentication configuration
+ */
+function setupAuthConfig(token, controllerUrl) {
+  return {
+    type: 'bearer',
+    token: token,
+    controller: controllerUrl
+  };
+}
+
 async function listDatasources(_options) {
   const config = await getConfig();
 
@@ -199,22 +284,24 @@ async function listDatasources(_options) {
   const authInfo = await getDeviceTokenFromConfig(config);
   validateDatasourceListingAuth(authInfo?.token, authInfo?.controllerUrl);
 
-  // Call controller API using centralized API client
-  // Note: validateDatasourceListingAuth will exit if auth is missing, so this check is defensive
   if (!authInfo || !authInfo.token || !authInfo.controllerUrl) {
-    validateDatasourceListingAuth(null, null); // This will exit
-    return; // Never reached, but satisfies linter
+    validateDatasourceListingAuth(null, null);
+    return;
   }
-  const authConfig = { type: 'bearer', token: authInfo.token };
-  const response = await listEnvironmentDatasources(authInfo.controllerUrl, environment, authConfig);
+
+  const controllerUrl = validateControllerUrl(authInfo.controllerUrl);
+  const authConfig = setupAuthConfig(authInfo.token, controllerUrl);
+  const dataplaneUrl = await resolveAndValidateDataplaneUrl(controllerUrl, environment, authConfig);
+
+  const response = await listDatasourcesFromDataplane(dataplaneUrl, authConfig);
 
   if (!response.success || !response.data) {
-    handleDatasourceApiError(response);
+    handleDatasourceApiError(response, dataplaneUrl);
     return; // Ensure we don't continue after exit
   }
 
   const datasources = extractDatasources(response);
-  displayDatasources(datasources, environment);
+  displayDatasources(datasources, environment, dataplaneUrl);
 }
 
 module.exports = {

package/lib/infrastructure/helpers.js

@@ -73,7 +73,7 @@ async function ensureAdminSecrets() {
  * @param {string} postgresPassword - PostgreSQL password
  */
 function generatePgAdminConfig(infraDir, postgresPassword) {
-  const serversJsonTemplatePath = path.join(__dirname, '..', 'templates', 'infra', 'servers.json.hbs');
+  const serversJsonTemplatePath = path.join(__dirname, '..', '..', 'templates', 'infra', 'servers.json.hbs');
   if (!fs.existsSync(serversJsonTemplatePath)) {
     return;
   }
@@ -89,6 +89,86 @@ function generatePgAdminConfig(infraDir, postgresPassword) {
   fs.writeFileSync(pgpassPath, pgpassContent, { mode: 0o600 });
 }
 
+/**
+ * Escape single quotes for use in PostgreSQL string literal (double each single quote)
+ * @param {string} s - Raw string
+ * @returns {string} Escaped string
+ */
+function escapePgString(s) {
+  if (s === null || s === undefined || typeof s !== 'string') return '';
+  return s.replace(/'/g, '\'\'');
+}
+
+/**
+ * Extract password from a URL string or plain password value
+ * @param {string} urlOrPassword - URL (with ://) or plain password
+ * @returns {string|null} Extracted password or null to keep default
+ */
+function extractPasswordFromUrlOrValue(urlOrPassword) {
+  if (typeof urlOrPassword !== 'string' || urlOrPassword.length === 0) return null;
+  if (!urlOrPassword.includes('://')) return urlOrPassword;
+  try {
+    const u = new URL(urlOrPassword.replace(/\$\{DB_HOST\}/g, 'postgres').replace(/\$\{DB_PORT\}/g, '5432'));
+    return u.password || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Ensures Postgres init script exists for miso-controller app (database miso, user miso_user).
+ * Uses password from secrets (databases-miso-controller-0-passwordKeyVault) or default miso_pass123.
+ * Init scripts run only when the Postgres data volume is first created. If infra was already
+ * started before this script existed, run `aifabrix down -v` then `aifabrix up` to re-init, or
+ * create the database and user manually (e.g. via pgAdmin or psql).
+ *
+ * @async
+ * @param {string} infraDir - Infrastructure directory path
+ * @returns {Promise<void>}
+ */
+async function ensureMisoInitScript(infraDir) {
+  const initScriptsDir = path.join(infraDir, 'init-scripts');
+  if (!fs.existsSync(initScriptsDir)) {
+    fs.mkdirSync(initScriptsDir, { recursive: true });
+  }
+
+  let password = 'miso_pass123';
+  try {
+    const loaded = await secrets.loadSecrets(undefined);
+    const urlOrPassword = loaded['databases-miso-controller-0-passwordKeyVault'] ||
+      loaded['databases-miso-controller-0-urlKeyVault'];
+    const extracted = extractPasswordFromUrlOrValue(urlOrPassword);
+    if (extracted !== null) password = extracted;
+  } catch {
+    // No secrets or load failed; use default
+  }
+
+  const passwordEscaped = escapePgString(password);
+
+  const sh = `#!/bin/bash
+set -e
+# Miso-controller app database and user (matches DATABASE_URL in env)
+# Runs on first Postgres volume init only
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<EOSQL
+DO \\$\\$
+BEGIN
+  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'miso_user') THEN
+    CREATE USER miso_user WITH PASSWORD '${passwordEscaped}';
+  ELSE
+    ALTER USER miso_user WITH PASSWORD '${passwordEscaped}';
+  END IF;
+END
+\\$\\$;
+EOSQL
+if ! psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" -tAc "SELECT 1 FROM pg_database WHERE datname = 'miso'" | grep -q 1; then
+  psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" -c "CREATE DATABASE miso OWNER miso_user;"
+fi
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "miso" -c "GRANT ALL ON SCHEMA public TO miso_user; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO miso_user;"
+`;
+  const initPath = path.join(initScriptsDir, '02-miso-app.sh');
+  fs.writeFileSync(initPath, sh, { mode: 0o755 });
+}
+
 /**
  * Prepare infrastructure directory and extract postgres password
  * @param {string} devId - Developer ID
@@ -135,5 +215,6 @@ module.exports = {
   ensureAdminSecrets,
   generatePgAdminConfig,
   prepareInfraDirectory,
+  ensureMisoInitScript,
   registerHandlebarsHelper
 };

package/lib/infrastructure/index.js

@@ -23,6 +23,7 @@ const {
   checkDockerAvailability,
   ensureAdminSecrets,
   prepareInfraDirectory,
+  ensureMisoInitScript,
   registerHandlebarsHelper
 } = require('./helpers');
 const {
@@ -59,6 +60,7 @@ async function prepareInfrastructureEnvironment(developerId) {
 
   // Prepare infrastructure directory
   const { infraDir } = prepareInfraDirectory(devId, adminSecretsPath);
+  await ensureMisoInitScript(infraDir);
 
   return { devId, idNum, ports, templatePath, infraDir, adminSecretsPath };
 }