@aifabrix/builder 2.33.1 → 2.33.4

package/lib/core/secrets.js

@@ -11,7 +11,6 @@
 
 const fs = require('fs');
 const path = require('path');
-const yaml = require('js-yaml');
 const logger = require('../utils/logger');
 const config = require('./config');
 const {
@@ -30,6 +29,7 @@ const {
 const { processEnvVariables } = require('../utils/env-copy');
 const { buildEnvVarMap } = require('../utils/env-map');
 const { resolveServicePortsInEnvContent } = require('../utils/secrets-url');
+const { updatePortForDocker } = require('./secrets-docker-env');
 const {
   generateMissingSecrets,
   createDefaultSecrets
@@ -44,7 +44,6 @@ const {
 } = require('../utils/secrets-utils');
 const { decryptSecret, isEncrypted } = require('../utils/secrets-encryption');
 const pathsUtil = require('../utils/paths');
-const { getContainerPortFromPath } = require('../utils/port-resolver');
 
 /**
  * Generates a canonical secret name from an environment variable key.
@@ -113,7 +112,7 @@ async function decryptSecretsObject(secrets) {
 /**
  * Loads secrets with cascading lookup
  * Supports both user secrets (~/.aifabrix/secrets.local.yaml) and project overrides
- * User's file takes priority, then falls back to aifabrix-secrets from config.yaml
+ * When aifabrix-secrets (or secrets-path) is set in config.yaml and that file exists, it is used as base; user's file (local) is strongest and overrides project for same key. Otherwise user's file first, then aifabrix-secrets as fallback.
  * Automatically decrypts values with secure:// prefix
  *
  * @async
@@ -126,9 +125,40 @@ async function decryptSecretsObject(secrets) {
  * @example
  * const secrets = await loadSecrets('../../secrets.local.yaml');
  * // Returns: { 'postgres-passwordKeyVault': 'admin123', ... }
+ *
+ * @example
+ * // When config.yaml has aifabrix-secrets: ./secrets.local.yaml, project file is base;
+ * // ~/.aifabrix/secrets.local.yaml overrides project for same key (local strongest).
+ * const secrets = await loadSecrets(undefined, 'myapp');
+ */
+
+/**
+ * Loads config secrets path, merges with user secrets (user overrides). Used by loadSecrets cascade.
+ * @async
+ * @returns {Promise<Object|null>} Merged secrets object or null
  */
+async function loadMergedConfigAndUserSecrets() {
+  try {
+    const configSecretsPath = await config.getSecretsPath();
+    if (!configSecretsPath) return null;
+    const resolvedConfigPath = path.isAbsolute(configSecretsPath)
+      ? configSecretsPath
+      : path.resolve(process.cwd(), configSecretsPath);
+    if (!fs.existsSync(resolvedConfigPath)) return null;
+    const configSecrets = readYamlAtPath(resolvedConfigPath);
+    if (!configSecrets || typeof configSecrets !== 'object') return null;
+    const merged = { ...configSecrets };
+    const userSecrets = loadUserSecrets();
+    for (const key of Object.keys(userSecrets)) {
+      merged[key] = userSecrets[key];
+    }
+    return merged;
+  } catch {
+    return null;
+  }
+}
+
 async function loadSecrets(secretsPath, _appName) {
-  // Explicit path branch
   if (secretsPath) {
     const resolvedPath = resolveSecretsPath(secretsPath);
     if (!fs.existsSync(resolvedPath)) {
@@ -141,9 +171,11 @@ async function loadSecrets(secretsPath, _appName) {
     return await decryptSecretsObject(explicitSecrets);
   }
 
-  // Cascading lookup branch
-  let mergedSecrets = loadUserSecrets();
-  mergedSecrets = await applyCanonicalSecretsOverride(mergedSecrets);
+  let mergedSecrets = await loadMergedConfigAndUserSecrets();
+  if (!mergedSecrets || Object.keys(mergedSecrets).length === 0) {
+    mergedSecrets = loadUserSecrets();
+    mergedSecrets = await applyCanonicalSecretsOverride(mergedSecrets);
+  }
   if (Object.keys(mergedSecrets).length === 0) {
     mergedSecrets = loadDefaultSecrets();
   }
@@ -174,14 +206,12 @@ async function loadSecrets(secretsPath, _appName) {
 async function resolveKvReferences(envTemplate, secrets, environment = 'local', secretsFilePaths = null, appName = null) {
   const os = require('os');
 
-  // Get developer-id for local environment to adjust port variables
+  // Get developer-id for port variables (local and docker: *_PUBLIC_PORT = base + devId*100)
   let developerId = null;
-  if (environment === 'local') {
-    try {
-      developerId = await config.getDeveloperId();
-    } catch {
-      // ignore, will use null (buildEnvVarMap will fetch it)
-    }
+  try {
+    developerId = await config.getDeveloperId();
+  } catch {
+    // ignore, buildEnvVarMap will use default
   }
 
   let envVars = await buildEnvVarMap(environment, os, developerId);
@@ -199,103 +229,6 @@ async function resolveKvReferences(envTemplate, secrets, environment = 'local',
   return replaceKvInContent(resolved, secrets, envVars);
 }
 
-// resolveServicePortsInEnvContent, loadEnvTemplate, and processEnvVariables
-// are imported from ./utils/secrets-helpers above.
-
-/**
- * Generates .env file from template and secrets
- * Creates environment file for local development
- *
- * @async
- * @function generateEnvFile
- * @param {string} appName - Name of the application
- * @param {string} [secretsPath] - Path to secrets file (optional)
- * @param {string} [environment='local'] - Environment context
- * @param {boolean} [force=false] - Generate missing secret keys in secrets file
- * @param {boolean} [skipOutputPath=false] - Skip processing envOutputPath (to avoid recursion)
- * @returns {Promise<string>} Path to generated .env file
- * @throws {Error} If generation fails
- *
- * @example
- * const envPath = await generateEnvFile('myapp', '../../secrets.local.yaml', 'local', true);
- * // Returns: './builder/myapp/.env'
- */
-/**
- * Gets base docker environment config
- * @async
- * @function getBaseDockerEnv
- * @returns {Promise<Object>} Docker environment config
- */
-async function getBaseDockerEnv() {
-  const { getEnvHosts } = require('../utils/env-endpoints');
-  return await getEnvHosts('docker');
-}
-
-/**
- * Applies config.yaml override to docker environment
- * @function applyDockerEnvOverride
- * @param {Object} dockerEnv - Base docker environment config
- * @returns {Object} Updated docker environment config
- */
-function applyDockerEnvOverride(dockerEnv) {
-  try {
-    const os = require('os');
-    const cfgPath = path.join(os.homedir(), '.aifabrix', 'config.yaml');
-    if (fs.existsSync(cfgPath)) {
-      const cfgContent = fs.readFileSync(cfgPath, 'utf8');
-      const cfg = yaml.load(cfgContent) || {};
-      if (cfg && cfg.environments && cfg.environments.docker) {
-        return { ...dockerEnv, ...cfg.environments.docker };
-      }
-    }
-  } catch {
-    // Ignore config.yaml read errors, continue with env-config values
-  }
-  return dockerEnv;
-}
-
-/**
- * Gets container port from docker environment config
- * @function getContainerPortFromDockerEnv
- * @param {Object} dockerEnv - Docker environment config
- * @returns {number} Container port (defaults to 3000)
- */
-function getContainerPortFromDockerEnv(dockerEnv) {
-  if (dockerEnv.PORT === undefined || dockerEnv.PORT === null) {
-    return 3000;
-  }
-  const portVal = typeof dockerEnv.PORT === 'number' ? dockerEnv.PORT : parseInt(dockerEnv.PORT, 10);
-  return Number.isNaN(portVal) ? 3000 : portVal;
-}
-
-/**
- * Updates PORT in resolved content for docker environment
- * Sets PORT to container port (build.containerPort or port from variables.yaml)
- * NOT the host port (which includes developer-id offset)
- * @async
- * @function updatePortForDocker
- * @param {string} resolved - Resolved environment content
- * @param {string} variablesPath - Path to variables.yaml file
- * @returns {Promise<string>} Updated content with PORT set
- */
-async function updatePortForDocker(resolved, variablesPath) {
-  // Step 1: Get base config from env-config.yaml
-  let dockerEnv = await getBaseDockerEnv();
-
-  // Step 2: Apply config.yaml → environments.docker override (if exists)
-  dockerEnv = applyDockerEnvOverride(dockerEnv);
-
-  // Step 3: Get PORT value for container (should be container port, NOT host port)
-  let containerPort = getContainerPortFromPath(variablesPath);
-  if (containerPort === null) {
-    containerPort = getContainerPortFromDockerEnv(dockerEnv);
-  }
-
-  // PORT in container should be the container port (no developer-id adjustment)
-  // Docker will map container port to host port via port mapping
-  return resolved.replace(/^PORT\s*=\s*.*$/m, `PORT=${containerPort}`);
-}
-
 /**
  * Applies environment-specific transformations to resolved content
  * @async
@@ -348,7 +281,7 @@ async function applyEnvironmentTransformations(resolved, environment, variablesP
  * @throws {Error} If generation fails
  */
 async function generateEnvContent(appName, secretsPath, environment = 'local', force = false) {
-  const builderPath = path.join(process.cwd(), 'builder', appName);
+  const builderPath = pathsUtil.getBuilderPath(appName);
   const templatePath = path.join(builderPath, 'env.template');
   const variablesPath = path.join(builderPath, 'variables.yaml');
 
@@ -375,14 +308,108 @@ async function generateEnvContent(appName, secretsPath, environment = 'local', f
   return resolved;
 }
 
-async function generateEnvFile(appName, secretsPath, environment = 'local', force = false, skipOutputPath = false) {
-  const builderPath = path.join(process.cwd(), 'builder', appName);
+/**
+ * Parses .env file content into a key-to-value map.
+ * Only includes lines that look like KEY=value (first = separates key and value).
+ *
+ * @function parseEnvContentToMap
+ * @param {string} content - Raw .env file content
+ * @returns {Object.<string, string>} Map of variable name to value
+ */
+function parseEnvContentToMap(content) {
+  if (!content || typeof content !== 'string') {
+    return {};
+  }
+  const map = {};
+  const lines = content.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) {
+      continue;
+    }
+    const eq = trimmed.indexOf('=');
+    if (eq > 0) {
+      const key = trimmed.substring(0, eq).trim();
+      const value = trimmed.substring(eq + 1);
+      map[key] = value;
+    }
+  }
+  return map;
+}
+
+/**
+ * Merges new .env content with existing .env: newly resolved content wins for keys it
+ * defines (so project secrets take effect when re-running). Keys only in existing .env
+ * are appended so manual additions are kept.
+ *
+ * @function mergeEnvContentPreservingExisting
+ * @param {string} newContent - Newly generated .env content (from template + loadSecrets)
+ * @param {Object.<string, string>} existingMap - Existing key-to-value map from current .env
+ * @returns {string} Merged content: new values for keys in newContent, plus extra existing keys
+ */
+function mergeEnvContentPreservingExisting(newContent, existingMap) {
+  const lines = newContent.split(/\r?\n/);
+  const newKeys = new Set();
+  const out = [];
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) {
+      out.push(line);
+      continue;
+    }
+    const eq = trimmed.indexOf('=');
+    if (eq > 0) {
+      const key = trimmed.substring(0, eq).trim();
+      newKeys.add(key);
+    }
+    out.push(line);
+  }
+  if (existingMap && Object.keys(existingMap).length > 0) {
+    for (const key of Object.keys(existingMap)) {
+      if (!newKeys.has(key)) {
+        out.push(`${key}=${existingMap[key]}`);
+      }
+    }
+  }
+  return out.join('\n');
+}
+
+/**
+ * Generates and writes .env file. Newly resolved values (from template + secrets) win over
+ * existing .env so that project secrets (e.g. from config aifabrix-secrets) take effect on
+ * re-run. Extra variables only in existing .env are kept.
+ *
+ * @async
+ * @function generateEnvFile
+ * @param {string} appName - Name of the application
+ * @param {string} [secretsPath] - Path to secrets file (optional)
+ * @param {string} [environment='local'] - Environment context ('local' or 'docker')
+ * @param {boolean} [force=false] - Generate missing secret keys in secrets file
+ * @param {boolean} [skipOutputPath=false] - Skip copying to envOutputPath
+ * @param {string} [preserveFromPath=null] - Path to existing .env to preserve values from (defaults to builder .env)
+ * @returns {Promise<string>} Path to generated .env file
+ * @throws {Error} If generation fails
+ *
+ * @example
+ * const envPath = await generateEnvFile('myapp', undefined, 'docker');
+ * // When builder/myapp/.env already exists, existing values are preserved
+ */
+async function generateEnvFile(appName, secretsPath, environment = 'local', force = false, skipOutputPath = false, preserveFromPath = null) {
+  const builderPath = pathsUtil.getBuilderPath(appName);
   const variablesPath = path.join(builderPath, 'variables.yaml');
   const envPath = path.join(builderPath, '.env');
 
   const resolved = await generateEnvContent(appName, secretsPath, environment, force);
 
-  fs.writeFileSync(envPath, resolved, { mode: 0o600 });
+  let toWrite = resolved;
+  const pathToPreserve = preserveFromPath || envPath;
+  if (pathToPreserve && fs.existsSync(pathToPreserve)) {
+    const existingContent = fs.readFileSync(pathToPreserve, 'utf8');
+    const existingMap = parseEnvContentToMap(existingContent);
+    toWrite = mergeEnvContentPreservingExisting(resolved, existingMap);
+  }
+
+  fs.writeFileSync(envPath, toWrite, { mode: 0o600 });
 
   // Process and copy to envOutputPath if configured (uses localPort for copied file)
   if (!skipOutputPath) {

package/lib/infrastructure/helpers.js

@@ -73,7 +73,7 @@ async function ensureAdminSecrets() {
  * @param {string} postgresPassword - PostgreSQL password
  */
 function generatePgAdminConfig(infraDir, postgresPassword) {
-  const serversJsonTemplatePath = path.join(__dirname, '..', 'templates', 'infra', 'servers.json.hbs');
+  const serversJsonTemplatePath = path.join(__dirname, '..', '..', 'templates', 'infra', 'servers.json.hbs');
   if (!fs.existsSync(serversJsonTemplatePath)) {
     return;
   }
@@ -89,6 +89,86 @@ function generatePgAdminConfig(infraDir, postgresPassword) {
   fs.writeFileSync(pgpassPath, pgpassContent, { mode: 0o600 });
 }
 
+/**
+ * Escape single quotes for use in PostgreSQL string literal (double each single quote)
+ * @param {string} s - Raw string
+ * @returns {string} Escaped string
+ */
+function escapePgString(s) {
+  if (s === null || s === undefined || typeof s !== 'string') return '';
+  return s.replace(/'/g, '\'\'');
+}
+
+/**
+ * Extract password from a URL string or plain password value
+ * @param {string} urlOrPassword - URL (with ://) or plain password
+ * @returns {string|null} Extracted password or null to keep default
+ */
+function extractPasswordFromUrlOrValue(urlOrPassword) {
+  if (typeof urlOrPassword !== 'string' || urlOrPassword.length === 0) return null;
+  if (!urlOrPassword.includes('://')) return urlOrPassword;
+  try {
+    const u = new URL(urlOrPassword.replace(/\$\{DB_HOST\}/g, 'postgres').replace(/\$\{DB_PORT\}/g, '5432'));
+    return u.password || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Ensures Postgres init script exists for miso-controller app (database miso, user miso_user).
+ * Uses password from secrets (databases-miso-controller-0-passwordKeyVault) or default miso_pass123.
+ * Init scripts run only when the Postgres data volume is first created. If infra was already
+ * started before this script existed, run `aifabrix down -v` then `aifabrix up` to re-init, or
+ * create the database and user manually (e.g. via pgAdmin or psql).
+ *
+ * @async
+ * @param {string} infraDir - Infrastructure directory path
+ * @returns {Promise<void>}
+ */
+async function ensureMisoInitScript(infraDir) {
+  const initScriptsDir = path.join(infraDir, 'init-scripts');
+  if (!fs.existsSync(initScriptsDir)) {
+    fs.mkdirSync(initScriptsDir, { recursive: true });
+  }
+
+  let password = 'miso_pass123';
+  try {
+    const loaded = await secrets.loadSecrets(undefined);
+    const urlOrPassword = loaded['databases-miso-controller-0-passwordKeyVault'] ||
+      loaded['databases-miso-controller-0-urlKeyVault'];
+    const extracted = extractPasswordFromUrlOrValue(urlOrPassword);
+    if (extracted !== null) password = extracted;
+  } catch {
+    // No secrets or load failed; use default
+  }
+
+  const passwordEscaped = escapePgString(password);
+
+  const sh = `#!/bin/bash
+set -e
+# Miso-controller app database and user (matches DATABASE_URL in env)
+# Runs on first Postgres volume init only
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<EOSQL
+DO \\$\\$
+BEGIN
+  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'miso_user') THEN
+    CREATE USER miso_user WITH PASSWORD '${passwordEscaped}';
+  ELSE
+    ALTER USER miso_user WITH PASSWORD '${passwordEscaped}';
+  END IF;
+END
+\\$\\$;
+EOSQL
+if ! psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" -tAc "SELECT 1 FROM pg_database WHERE datname = 'miso'" | grep -q 1; then
+  psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" -c "CREATE DATABASE miso OWNER miso_user;"
+fi
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "miso" -c "GRANT ALL ON SCHEMA public TO miso_user; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO miso_user;"
+`;
+  const initPath = path.join(initScriptsDir, '02-miso-app.sh');
+  fs.writeFileSync(initPath, sh, { mode: 0o755 });
+}
+
 /**
  * Prepare infrastructure directory and extract postgres password
  * @param {string} devId - Developer ID
@@ -135,5 +215,6 @@ module.exports = {
   ensureAdminSecrets,
   generatePgAdminConfig,
   prepareInfraDirectory,
+  ensureMisoInitScript,
   registerHandlebarsHelper
 };

package/lib/infrastructure/index.js

@@ -23,6 +23,7 @@ const {
   checkDockerAvailability,
   ensureAdminSecrets,
   prepareInfraDirectory,
+  ensureMisoInitScript,
   registerHandlebarsHelper
 } = require('./helpers');
 const {
@@ -59,6 +60,7 @@ async function prepareInfrastructureEnvironment(developerId) {
 
   // Prepare infrastructure directory
   const { infraDir } = prepareInfraDirectory(devId, adminSecretsPath);
+  await ensureMisoInitScript(infraDir);
 
   return { devId, idNum, ports, templatePath, infraDir, adminSecretsPath };
 }

package/lib/schema/env-config.yaml

@@ -18,6 +18,9 @@ environments:
     MISO_PORT: 3000  # Internal port (container-to-container). MISO_PUBLIC_PORT calculated automatically.
     KEYCLOAK_HOST: keycloak
     KEYCLOAK_PORT: 8082  # Internal port (container-to-container). KEYCLOAK_PUBLIC_PORT calculated automatically.
+    KEYCLOAK_PUBLIC_PORT: 8082
+    DATAPLANE_HOST: dataplane
+    DATAPLANE_PORT: 3001
     NODE_ENV: production
     PYTHONUNBUFFERED: 1
     PYTHONDONTWRITEBYTECODE: 1
@@ -30,8 +33,12 @@ environments:
     REDIS_PORT: 6379
     MISO_HOST: localhost
     MISO_PORT: 3010
+    MISO_PUBLIC_PORT: 3010
     KEYCLOAK_HOST: localhost
     KEYCLOAK_PORT: 8082
+    KEYCLOAK_PUBLIC_PORT: 8082
+    DATAPLANE_HOST: localhost
+    DATAPLANE_PORT: 3011
     NODE_ENV: development
     PYTHONUNBUFFERED: 1
     PYTHONDONTWRITEBYTECODE: 1

package/lib/utils/compose-generator.js

@@ -17,6 +17,7 @@ const config = require('../core/config');
 const buildCopy = require('./build-copy');
 const { formatMissingDbPasswordError } = require('./error-formatter');
 const { getContainerPort } = require('./port-resolver');
+const { parseImageOverride } = require('./parse-image-ref');
 
 // Register commonly used helpers
 handlebars.registerHelper('eq', (a, b) => a === b);
@@ -129,9 +130,14 @@ function buildAppConfig(appName, config) {
  * Builds image configuration section
  * @param {Object} config - Application configuration
  * @param {string} appName - Application name
+ * @param {string} [imageOverride] - Optional full image reference (registry/name:tag) to use instead of config
  * @returns {Object} Image configuration
  */
-function buildImageConfig(config, appName) {
+function buildImageConfig(config, appName, imageOverride) {
+  const parsed = imageOverride ? parseImageOverride(imageOverride) : null;
+  if (parsed) {
+    return { name: parsed.name, tag: parsed.tag };
+  }
   const imageName = getImageName(config, appName);
   const imageTag = config.image?.tag || 'latest';
   return {
@@ -237,14 +243,15 @@ function buildRequiresConfig(config) {
  * @param {Object} config - Application configuration
  * @param {number} port - Application port
  * @param {string|number} devId - Developer ID
+ * @param {string} [imageOverride] - Optional full image reference for run (e.g. from --image)
  * @returns {Object} Service configuration
  */
-function buildServiceConfig(appName, config, port, devId) {
+function buildServiceConfig(appName, config, port, devId, imageOverride) {
   const containerPortValue = getContainerPort(config, 3000);
   const hostPort = port;
   return {
     app: buildAppConfig(appName, config),
-    image: buildImageConfig(config, appName),
+    image: buildImageConfig(config, appName, imageOverride),
     port: containerPortValue, // Container port (for health check and template)
     containerPort: containerPortValue, // Container port (always set, equals containerPort if exists, else port)
     hostPort: hostPort, // Host port (options.port if provided, else config.port)
@@ -275,14 +282,7 @@ function buildNetworksConfig(config) {
   return { databases: config.requires?.databases || config.databases || [] };
 }
 
-/**
- * Reads and parses .env file
- * @async
- * @function readEnvFile
- * @param {string} envPath - Path to .env file
- * @returns {Promise<Object>} Object with environment variables
- * @throws {Error} If file not found or read fails
- */
+/** Reads and parses .env file. @param {string} envPath - Path to .env file. @returns {Promise<Object>} env vars. @throws {Error} If file not found. */
 async function readEnvFile(envPath) {
   if (!fsSync.existsSync(envPath)) {
     throw new Error(`.env file not found: ${envPath}`);
@@ -458,9 +458,10 @@ async function generateDockerCompose(appName, appConfig, options) {
   const language = appConfig.build?.language || appConfig.language || 'typescript';
   const template = loadDockerComposeTemplate(language);
   const port = options.port || appConfig.port || 3000;
+  const imageOverride = options.image || options.imageOverride;
   const { devId, idNum } = await getDeveloperIdAndNumeric();
   const { networkName, containerName } = buildNetworkAndContainerNames(appName, devId, idNum);
-  const serviceConfig = buildServiceConfig(appName, appConfig, port, devId);
+  const serviceConfig = buildServiceConfig(appName, appConfig, port, devId, imageOverride);
   const volumesConfig = buildVolumesConfig(appName);
   const networksConfig = buildNetworksConfig(appConfig);
 
@@ -495,4 +496,3 @@ module.exports = {
   buildTraefikConfig,
   buildDevUsername
 };
-

package/lib/utils/config-paths.js

@@ -8,6 +8,8 @@
  * @version 2.0.0
  */
 
+const path = require('path');
+
 /**
  * Get path configuration value
  * @async
@@ -102,6 +104,17 @@ function createPathConfigFunctions(getConfigFn, saveConfigFn) {
      */
     async setAifabrixEnvConfigPath(envConfigPath) {
       await setPathConfig(getConfigFn, saveConfigFn, 'aifabrix-env-config', envConfigPath, 'Env config path is required and must be a string');
+    },
+
+    /**
+     * Get builder root directory (dirname of aifabrix-env-config when set).
+     * When set, app dirs and generated .env use this instead of cwd/builder.
+     * @async
+     * @returns {Promise<string|null>} Builder root path or null to use cwd/builder
+     */
+    async getAifabrixBuilderDir() {
+      const envConfigPath = await getPathConfig(getConfigFn, 'aifabrix-env-config');
+      return envConfigPath && typeof envConfigPath === 'string' ? path.dirname(envConfigPath) : null;
     }
   };
 }

package/lib/utils/device-code.js

@@ -469,12 +469,13 @@ async function refreshDeviceToken(controllerUrl, refreshToken) {
   }
 
   const url = `${controllerUrl}/api/v1/auth/login/device/refresh`;
+  // Send both refresh_token (OAuth2 RFC 6749 / Keycloak) and refreshToken (camelCase) so controller accepts either
   const response = await getMakeApiCall()(url, {
     method: 'POST',
     headers: {
       'Content-Type': 'application/json'
     },
-    body: JSON.stringify({ refreshToken })
+    body: JSON.stringify({ refresh_token: refreshToken, refreshToken })
   });
 
   if (!response.success) {
@@ -490,7 +491,6 @@ async function refreshDeviceToken(controllerUrl, refreshToken) {
 
   return tokenResponse;
 }
-
 module.exports = {
   initiateDeviceCodeFlow,
   pollDeviceCodeToken,

package/lib/utils/env-endpoints.js

@@ -9,7 +9,6 @@
 'use strict';
 
 const fs = require('fs');
-const path = require('path');
 const yaml = require('js-yaml');
 const config = require('../core/config');
 const devConfig = require('../utils/dev-config');
@@ -49,8 +48,7 @@ function splitHost(value) {
 function getLocalhostOverride(context) {
   if (context !== 'local') return null;
   try {
-    const os = require('os');
-    const cfgPath = path.join(os.homedir(), '.aifabrix', 'config.yaml');
+    const cfgPath = config.CONFIG_FILE;
     if (fs.existsSync(cfgPath)) {
       const cfgContent = fs.readFileSync(cfgPath, 'utf8');
       const cfg = yaml.load(cfgContent) || {};
@@ -310,8 +308,7 @@ async function rewriteInfraEndpoints(envContent, context, devPorts, adjustedHost
 
   // Apply config.yaml → environments.{context} override (if exists)
   try {
-    const os = require('os');
-    const cfgPath = path.join(os.homedir(), '.aifabrix', 'config.yaml');
+    const cfgPath = config.CONFIG_FILE;
     if (fs.existsSync(cfgPath)) {
       const cfgContent = fs.readFileSync(cfgPath, 'utf8');
       const cfg = yaml.load(cfgContent) || {};