@aifabrix/builder 2.40.2 → 2.42.0

package/lib/infrastructure/helpers.js

@@ -11,11 +11,13 @@
 
 const path = require('path');
 const fs = require('fs');
+const chalk = require('chalk');
 const handlebars = require('handlebars');
 const secrets = require('../core/secrets');
 const logger = require('../utils/logger');
 const dockerUtils = require('../utils/docker');
 const paths = require('../utils/paths');
+const secretsEnsure = require('../core/secrets-ensure');
 
 /**
  * Gets infrastructure directory name based on developer ID
@@ -53,24 +55,92 @@ async function checkDockerAvailability() {
   }
 }
 
+/** Default admin password for new local installations when admin-secrets.env is empty */
+const DEFAULT_ADMIN_PASSWORD = 'admin123';
+
+/**
+ * Log hint to reset Postgres volume when admin password was changed after first init.
+ * @param {string} infraDir - Path to infra directory
+ */
+function logVolumeResetHint(infraDir) {
+  logger.log(chalk.yellow(
+    'If Postgres was already started with a different password, login will fail until you reset the volume. ' +
+    `Run: cd ${infraDir} && docker compose -f compose.yaml -p aifabrix down -v , then run 'aifabrix up-infra --adminPwd <password>' again.`
+  ));
+}
+
+/**
+ * Apply password to admin-secrets file content (all three password keys).
+ * @param {string} content - Current file content
+ * @param {string} password - Password to set
+ * @returns {string} Updated content
+ */
+function applyPasswordToAdminSecretsContent(content, password) {
+  return content
+    .replace(/^POSTGRES_PASSWORD=.*$/m, `POSTGRES_PASSWORD=${password}`)
+    .replace(/^PGADMIN_DEFAULT_PASSWORD=.*$/m, `PGADMIN_DEFAULT_PASSWORD=${password}`)
+    .replace(/^REDIS_COMMANDER_PASSWORD=.*$/m, `REDIS_COMMANDER_PASSWORD=${password}`);
+}
+
 /**
- * Ensure admin secrets file exists
+ * Sync postgres-passwordKeyVault to the main secrets store (file or remote).
+ * @param {string} password - Password to store
+ */
+async function syncPostgresPasswordToStore(password) {
+  try {
+    await secretsEnsure.setSecretInStore('postgres-passwordKeyVault', password);
+  } catch (err) {
+    logger.warn(`Could not sync postgres-passwordKeyVault to secrets store: ${err.message}`);
+  }
+}
+
+/**
+ * Ensure admin secrets file exists and set admin password.
+ * When adminPwd is provided, update POSTGRES_PASSWORD, PGADMIN_DEFAULT_PASSWORD, REDIS_COMMANDER_PASSWORD
+ * in admin-secrets.env (overwrites existing values). Otherwise only backfill empty fields.
+ *
  * @async
+ * @param {Object} [options] - Options
+ * @param {string} [options.adminPwd] - Override admin password for Postgres, pgAdmin, Redis Commander (updates file when provided)
  * @returns {Promise<string>} Path to admin secrets file
  */
-async function ensureAdminSecrets() {
+async function ensureAdminSecrets(options = {}) {
+  const adminPwdOverride = options.adminPwd && typeof options.adminPwd === 'string' && options.adminPwd.trim() !== ''
+    ? options.adminPwd.trim()
+    : null;
+  const passwordToUse = adminPwdOverride || DEFAULT_ADMIN_PASSWORD;
+
   const adminSecretsPath = path.join(paths.getAifabrixHome(), 'admin-secrets.env');
   if (!fs.existsSync(adminSecretsPath)) {
     logger.log('Generating admin-secrets.env...');
-    await secrets.generateAdminSecretsEnv();
+    await secrets.generateAdminSecretsEnv(undefined);
+  }
+  let content = fs.readFileSync(adminSecretsPath, 'utf8');
+  const needsBackfill = /^POSTGRES_PASSWORD=\s*$/m.test(content) ||
+    /^PGADMIN_DEFAULT_PASSWORD=\s*$/m.test(content) ||
+    /^REDIS_COMMANDER_PASSWORD=\s*$/m.test(content);
+  const shouldOverwriteWithAdminPwd = adminPwdOverride !== null;
+
+  if (shouldOverwriteWithAdminPwd) {
+    content = applyPasswordToAdminSecretsContent(content, passwordToUse);
+    fs.writeFileSync(adminSecretsPath, content, { mode: 0o600 });
+    logger.log('Updated admin password in admin-secrets.env.');
+    await syncPostgresPasswordToStore(passwordToUse);
+    logVolumeResetHint(path.join(paths.getAifabrixHome(), getInfraDirName(0)));
+  } else if (needsBackfill) {
+    content = applyPasswordToAdminSecretsContent(content, passwordToUse);
+    fs.writeFileSync(adminSecretsPath, content, { mode: 0o600 });
+    logger.log('Set default admin password in admin-secrets.env for local use.');
   }
   return adminSecretsPath;
 }
 
 /**
- * Generates pgAdmin4 configuration files (servers.json and pgpass)
+ * Generates pgAdmin4 servers.json only. pgpass is not written to disk (ISO 27K);
+ * it is created temporarily in startDockerServicesAndConfigure and deleted after copy to container.
+ *
  * @param {string} infraDir - Infrastructure directory path
- * @param {string} postgresPassword - PostgreSQL password
+ * @param {string} postgresPassword - PostgreSQL password (for servers.json PassFile reference only; password not stored in file)
  */
 function generatePgAdminConfig(infraDir, postgresPassword) {
   const serversJsonTemplatePath = path.join(__dirname, '..', '..', 'templates', 'infra', 'servers.json.hbs');
@@ -83,10 +153,6 @@ function generatePgAdminConfig(infraDir, postgresPassword) {
   const serversJsonContent = serversJsonTemplate({ postgresPassword });
   const serversJsonPath = path.join(infraDir, 'servers.json');
   fs.writeFileSync(serversJsonPath, serversJsonContent, { mode: 0o644 });
-
-  const pgpassContent = `postgres:5432:postgres:pgadmin:${postgresPassword}\n`;
-  const pgpassPath = path.join(infraDir, 'pgpass');
-  fs.writeFileSync(pgpassPath, pgpassContent, { mode: 0o600 });
 }
 
 /**
@@ -117,10 +183,8 @@ function extractPasswordFromUrlOrValue(urlOrPassword) {
 
 /**
  * Ensures Postgres init script exists for miso-controller app (database miso, user miso_user).
- * Uses password from secrets (databases-miso-controller-0-passwordKeyVault) or default miso_pass123.
- * Init scripts run only when the Postgres data volume is first created. If infra was already
- * started before this script existed, run `aifabrix down-infra -v` then `aifabrix up-infra` to re-init, or
- * create the database and user manually (e.g. via pgAdmin or psql).
+ * Reads password from configured store (file or remote). Fails with clear message if secret is missing.
+ * Run ensureInfraSecrets before startInfra so databases-miso-controller-0-passwordKeyVault exists.
  *
  * @async
  * @param {string} infraDir - Infrastructure directory path
@@ -132,15 +196,24 @@ async function ensureMisoInitScript(infraDir) {
     fs.mkdirSync(initScriptsDir, { recursive: true });
   }
 
-  let password = 'miso_pass123';
+  const secretKey = 'databases-miso-controller-0-passwordKeyVault';
+  let password;
   try {
     const loaded = await secrets.loadSecrets(undefined);
-    const urlOrPassword = loaded['databases-miso-controller-0-passwordKeyVault'] ||
-      loaded['databases-miso-controller-0-urlKeyVault'];
+    const urlOrPassword = loaded[secretKey] || loaded['databases-miso-controller-0-urlKeyVault'];
     const extracted = extractPasswordFromUrlOrValue(urlOrPassword);
-    if (extracted !== null) password = extracted;
-  } catch {
-    // No secrets or load failed; use default
+    if (extracted !== null && extracted.trim() !== '') {
+      password = extracted;
+    }
+  } catch (err) {
+    throw new Error(
+      `Secret ${secretKey} not found or could not load secrets. Run "aifabrix up-infra" to ensure infra secrets, or add it to your secrets file. ${err.message}`
+    );
+  }
+  if (!password || password.trim() === '') {
+    throw new Error(
+      `Secret ${secretKey} is missing or empty. Run "aifabrix up-infra" to ensure infra secrets, or add it to your secrets file.`
+    );
   }
 
   const passwordEscaped = escapePgString(password);
@@ -183,9 +256,19 @@ function prepareInfraDirectory(devId, adminSecretsPath) {
     fs.mkdirSync(infraDir, { recursive: true });
   }
 
+  const oldPgpassPath = path.join(infraDir, 'pgpass');
+  if (fs.existsSync(oldPgpassPath)) {
+    try {
+      fs.unlinkSync(oldPgpassPath);
+    } catch {
+      // Ignore
+    }
+  }
+
   const adminSecretsContent = fs.readFileSync(adminSecretsPath, 'utf8');
   const postgresPasswordMatch = adminSecretsContent.match(/^POSTGRES_PASSWORD=(.+)$/m);
-  const postgresPassword = postgresPasswordMatch ? postgresPasswordMatch[1] : '';
+  const raw = postgresPasswordMatch ? postgresPasswordMatch[1] : '';
+  const postgresPassword = (raw && raw.trim()) || DEFAULT_ADMIN_PASSWORD;
   generatePgAdminConfig(infraDir, postgresPassword);
 
   return { infraDir, postgresPassword };

package/lib/infrastructure/index.js

@@ -26,6 +26,7 @@ const {
   ensureMisoInitScript,
   registerHandlebarsHelper
 } = require('./helpers');
+const secretsEnsure = require('../core/secrets-ensure');
 const {
   buildTraefikConfig,
   validateTraefikConfig,
@@ -36,17 +37,22 @@ const {
   startDockerServicesAndConfigure,
   checkInfraHealth
 } = require('./services');
+// Lazy require to avoid circular dependency: infra -> app/down -> run-helpers -> infra
 
 /**
  * Prepares infrastructure environment
+ * Ensures infra secrets exist, then admin-secrets.env, then miso init script.
+ *
  * @async
  * @function prepareInfrastructureEnvironment
  * @param {string|number|null} developerId - Developer ID
+ * @param {Object} [options] - Options (traefik, adminPwd)
  * @returns {Promise<Object>} Prepared environment configuration
  */
-async function prepareInfrastructureEnvironment(developerId) {
+async function prepareInfrastructureEnvironment(developerId, options = {}) {
   await checkDockerAvailability();
-  const adminSecretsPath = await ensureAdminSecrets();
+  await secretsEnsure.ensureInfraSecrets({ adminPwd: options.adminPwd });
+  const adminSecretsPath = await ensureAdminSecrets({ adminPwd: options.adminPwd });
 
   const devId = developerId || await config.getDeveloperId();
   const devIdNum = typeof devId === 'string' ? parseInt(devId, 10) : devId;
@@ -82,8 +88,8 @@ async function prepareInfrastructureEnvironment(developerId) {
  * // Infrastructure services are now running
  */
 async function startInfra(developerId = null, options = {}) {
-  const { devId, idNum, ports, templatePath, infraDir, adminSecretsPath } = await prepareInfrastructureEnvironment(developerId);
-  const { traefik = false } = options;
+  const { devId, idNum, ports, templatePath, infraDir } = await prepareInfrastructureEnvironment(developerId, options);
+  const { traefik = false, pgadmin = true, redisCommander = true } = options;
   const traefikConfig = buildTraefikConfig(traefik);
   const validation = validateTraefikConfig(traefikConfig);
   if (!validation.valid) {
@@ -94,18 +100,67 @@ async function startInfra(developerId = null, options = {}) {
   registerHandlebarsHelper();
 
   // Generate compose file
-  const composePath = generateComposeFile(templatePath, devId, idNum, ports, infraDir, { traefik: traefikConfig });
+  const composePath = generateComposeFile(templatePath, devId, idNum, ports, infraDir, {
+    traefik: traefikConfig,
+    pgadmin: { enabled: !!pgadmin },
+    redisCommander: { enabled: !!redisCommander }
+  });
 
   try {
-    await startDockerServicesAndConfigure(composePath, devId, idNum, adminSecretsPath, infraDir);
+    await startDockerServicesAndConfigure(composePath, devId, idNum, infraDir, {
+      pgadmin: !!pgadmin,
+      redisCommander: !!redisCommander,
+      traefik: !!traefik
+    });
   } finally {
     // Keep the compose file for stop commands
   }
 }
 
 /**
- * Stops and removes local infrastructure services
- * Cleanly shuts down all infrastructure containers
+ * Stops and removes all app containers for the current developer (same network).
+ * @param {string} devId - Developer ID
+ * @returns {Promise<void>}
+ */
+async function stopAllAppContainers(devId) {
+  const containerNames = await statusHelpers.listAppContainerNamesForDeveloper(devId, { includeExited: true });
+  for (const name of containerNames) {
+    try {
+      await execAsyncWithCwd(`docker rm -f ${name}`);
+      logger.log(`Stopped and removed container: ${name}`);
+    } catch (err) {
+      logger.log(`Container ${name} not running or already removed`);
+    }
+  }
+}
+
+/**
+ * Removes Docker volumes for the given app names (current developer).
+ * @param {string[]} appNames - Application names
+ * @param {string} devId - Developer ID
+ * @returns {Promise<void>}
+ */
+async function removeAppVolumes(appNames, devId) {
+  const { getAppVolumeName } = require('../app/down');
+  const idNum = typeof devId === 'string' ? parseInt(devId, 10) : devId;
+  for (const appName of appNames) {
+    const primaryName = getAppVolumeName(appName, devId);
+    const legacyDev0Name = idNum === 0 ? `aifabrix_dev0_${appName}_data` : null;
+    const candidates = Array.from(new Set([primaryName, legacyDev0Name].filter(Boolean)));
+    for (const volumeName of candidates) {
+      try {
+        await execAsyncWithCwd(`docker volume rm -f ${volumeName}`);
+        logger.log(`Removed volume: ${volumeName}`);
+      } catch {
+        logger.log(`Volume ${volumeName} not found or already removed`);
+      }
+    }
+  }
+}
+
+/**
+ * Stops and removes local infrastructure services and all application containers
+ * on the same network. Cleanly shuts down infra and app containers.
  *
  * @async
  * @function stopInfra
@@ -114,7 +169,7 @@ async function startInfra(developerId = null, options = {}) {
  *
  * @example
  * await stopInfra();
- * // All infrastructure containers are stopped and removed
+ * // All infrastructure and app containers on the same network are stopped and removed
  */
 async function stopInfra() {
   const devId = await config.getDeveloperId();
@@ -130,6 +185,8 @@ async function stopInfra() {
   }
 
   try {
+    logger.log('Stopping application containers on the same network...');
+    await stopAllAppContainers(devId);
     logger.log('Stopping infrastructure services...');
     const projectName = getInfraProjectName(devId);
     const composeCmd = await dockerUtils.getComposeCommand();
@@ -141,8 +198,35 @@ async function stopInfra() {
 }
 
 /**
- * Stops and removes local infrastructure services with volumes
- * Cleanly shuts down all infrastructure containers and removes all data
+ * Stops all app containers on the network and removes their volumes.
+ * @param {string} devId - Developer ID
+ * @returns {Promise<void>}
+ */
+async function stopAllAppContainersAndVolumes(devId) {
+  const devIdNum = typeof devId === 'string' ? parseInt(devId, 10) : devId;
+  const containerNames = await statusHelpers.listAppContainerNamesForDeveloper(devId, { includeExited: true });
+  for (const name of containerNames) {
+    try {
+      await execAsyncWithCwd(`docker rm -f ${name}`);
+      logger.log(`Stopped and removed container: ${name}`);
+    } catch (err) {
+      logger.log(`Container ${name} not running or already removed`);
+    }
+  }
+  const appNames = [...new Set(
+    containerNames
+      .map(n => statusHelpers.extractAppName(n, devIdNum, devId))
+      .filter(Boolean)
+  )];
+  if (appNames.length > 0) {
+    logger.log('Removing application volumes...');
+    await removeAppVolumes(appNames, devId);
+  }
+}
+
+/**
+ * Stops and removes local infrastructure services and all application containers
+ * on the same network, and removes all volumes (infra and app data).
  *
  * @async
  * @function stopInfraWithVolumes
@@ -151,7 +235,7 @@ async function stopInfra() {
  *
  * @example
  * await stopInfraWithVolumes();
- * // All infrastructure containers and data are removed
+ * // All infrastructure and app containers and volumes are removed
  */
 async function stopInfraWithVolumes() {
   const devId = await config.getDeveloperId();
@@ -167,6 +251,8 @@ async function stopInfraWithVolumes() {
   }
 
   try {
+    logger.log('Stopping application containers on the same network...');
+    await stopAllAppContainersAndVolumes(devId);
     logger.log('Stopping infrastructure services and removing all data...');
     const projectName = getInfraProjectName(devId);
     const composeCmd = await dockerUtils.getComposeCommand();

package/lib/infrastructure/services.js

@@ -17,6 +17,7 @@ const containerUtils = require('../utils/infra-containers');
 const dockerUtils = require('../utils/docker');
 const config = require('../core/config');
 const { getInfraProjectName } = require('./helpers');
+const adminSecrets = require('../core/admin-secrets');
 
 const execAsync = promisify(exec);
 
@@ -74,42 +75,102 @@ async function copyPgAdminConfig(pgadminContainerName, serversJsonPath, pgpassPa
 }
 
 /**
- * Starts Docker services and configures pgAdmin
+ * Prepare run env file from decrypted admin secrets.
+ * @async
+ * @param {string} infraDir - Infrastructure directory
+ * @returns {Promise<{ adminObj: Object, runEnvPath: string }>}
+ */
+async function prepareRunEnv(infraDir) {
+  const runEnvPath = path.join(infraDir, '.env.run');
+  const adminObj = await adminSecrets.readAndDecryptAdminSecrets();
+  const content = adminSecrets.envObjectToContent(adminObj);
+  fs.writeFileSync(runEnvPath, content, { mode: 0o600 });
+  return { adminObj, runEnvPath };
+}
+
+/**
+ * Write pgpass file and copy pgAdmin config into container.
+ * @async
+ * @param {string} infraDir - Infrastructure directory
+ * @param {Object} adminObj - Decrypted admin secrets object
+ * @param {string} devId - Developer ID
+ * @param {number} idNum - Developer ID number
+ * @returns {Promise<string>} Path to pgpass run file
+ */
+async function writePgpassAndCopyPgAdminConfig(infraDir, adminObj, devId, idNum) {
+  const pgpassRunPath = path.join(infraDir, '.pgpass.run');
+  const pgadminContainerName = idNum === 0 ? 'aifabrix-pgadmin' : `aifabrix-dev${devId}-pgadmin`;
+  const serversJsonPath = path.join(infraDir, 'servers.json');
+  const postgresPassword = adminObj.POSTGRES_PASSWORD || '';
+  const pgpassContent = `postgres:5432:postgres:pgadmin:${postgresPassword}\n`;
+  fs.writeFileSync(pgpassRunPath, pgpassContent, { mode: 0o600 });
+  await copyPgAdminConfig(pgadminContainerName, serversJsonPath, pgpassRunPath);
+  return pgpassRunPath;
+}
+
+/**
+ * Remove temporary run files (env and pgpass) if they exist.
+ * @param {string} runEnvPath - Path to .env.run
+ * @param {string} [pgpassRunPath] - Path to .pgpass.run
+ */
+function cleanupRunFiles(runEnvPath, pgpassRunPath) {
+  try {
+    if (fs.existsSync(runEnvPath)) fs.unlinkSync(runEnvPath);
+    if (pgpassRunPath && fs.existsSync(pgpassRunPath)) fs.unlinkSync(pgpassRunPath);
+  } catch {
+    // Ignore unlink errors
+  }
+}
+
+/**
+ * Starts Docker services and configures pgAdmin (when enabled).
+ * Writes decrypted admin secrets to a temporary .env in infra dir, runs compose, then deletes the file (ISO 27K).
+ *
  * @async
  * @function startDockerServicesAndConfigure
  * @param {string} composePath - Compose file path
  * @param {string} devId - Developer ID
  * @param {number} idNum - Developer ID number
- * @param {string} adminSecretsPath - Admin secrets path
  * @param {string} infraDir - Infrastructure directory
+ * @param {Object} [opts] - Options (pgadmin, redisCommander, traefik)
  */
-async function startDockerServicesAndConfigure(composePath, devId, idNum, adminSecretsPath, infraDir) {
-  // Start Docker services
-  const projectName = getInfraProjectName(devId);
-  await startDockerServices(composePath, projectName, adminSecretsPath, infraDir);
-
-  // Copy pgAdmin4 config files
-  const pgadminContainerName = idNum === 0 ? 'aifabrix-pgadmin' : `aifabrix-dev${devId}-pgadmin`;
-  const serversJsonPath = path.join(infraDir, 'servers.json');
-  const pgpassPath = path.join(infraDir, 'pgpass');
-  await copyPgAdminConfig(pgadminContainerName, serversJsonPath, pgpassPath);
+async function startDockerServicesAndConfigure(composePath, devId, idNum, infraDir, opts = {}) {
+  let runEnvPath;
+  let pgpassRunPath;
+  let adminObj;
+  const { pgadmin = true, redisCommander = true, traefik = false } = opts;
+  try {
+    ({ adminObj, runEnvPath } = await prepareRunEnv(infraDir));
+  } catch (err) {
+    throw new Error(`Failed to prepare infra env: ${err.message}`);
+  }
 
-  // Wait for services to be healthy
-  await waitForServices(devId);
-  logger.log('All services are healthy and ready');
+  try {
+    const projectName = getInfraProjectName(devId);
+    await startDockerServices(composePath, projectName, runEnvPath, infraDir);
+    if (pgadmin) {
+      pgpassRunPath = await writePgpassAndCopyPgAdminConfig(infraDir, adminObj, devId, idNum);
+    }
+    await waitForServices(devId, { pgadmin, redisCommander, traefik });
+    logger.log('All services are healthy and ready');
+  } finally {
+    cleanupRunFiles(runEnvPath, pgpassRunPath);
+  }
 }
 
 /**
  * Waits for services to be healthy
  * @private
- * @param {number} [devId] - Developer ID (optional, will be loaded from config if not provided)
+ * @param {number|string|null} [devId] - Developer ID (optional, will be loaded from config if not provided)
+ * @param {Object} [opts] - Options (pgadmin, redisCommander, traefik) - which optional services to expect
  */
-async function waitForServices(devId = null) {
+async function waitForServices(devId = null, opts = {}) {
   const maxAttempts = 30;
   const delay = 2000; // 2 seconds
+  const { pgadmin = true, redisCommander = true, traefik = false } = opts;
 
   for (let attempt = 1; attempt <= maxAttempts; attempt++) {
-    const health = await checkInfraHealth(devId);
+    const health = await checkInfraHealth(devId, { pgadmin, redisCommander, traefik });
     const allHealthy = Object.values(health).every(status => status === 'healthy');
 
     if (allHealthy) {
@@ -127,15 +188,17 @@ async function waitForServices(devId = null) {
 
 /**
  * Checks if infrastructure services are running
- * Validates that all required services are healthy and accessible
+ * Validates that all expected services are healthy and accessible
  *
  * @async
  * @function checkInfraHealth
  * @param {number|string|null} [devId] - Developer ID (null = use current)
  * @param {Object} [options] - Options
  * @param {boolean} [options.strict=false] - When true, only consider current dev's containers (no fallback to dev 0); use for up-miso and status consistency
+ * @param {boolean} [options.pgadmin=true] - Include pgAdmin in health check
+ * @param {boolean} [options.redisCommander=true] - Include Redis Commander in health check
+ * @param {boolean} [options.traefik=false] - Include Traefik in health check
  * @returns {Promise<Object>} Health status of each service
- * @throws {Error} If health check fails
  *
  * @example
  * const health = await checkInfraHealth();
@@ -144,7 +207,10 @@ async function waitForServices(devId = null) {
 async function checkInfraHealth(devId = null, options = {}) {
   const developerId = devId || await config.getDeveloperId();
   const servicesWithHealthCheck = ['postgres', 'redis'];
-  const servicesWithoutHealthCheck = ['pgadmin', 'redis-commander'];
+  const servicesWithoutHealthCheck = [];
+  if (options.pgadmin !== false) servicesWithoutHealthCheck.push('pgadmin');
+  if (options.redisCommander !== false) servicesWithoutHealthCheck.push('redis-commander');
+  if (options.traefik === true) servicesWithoutHealthCheck.push('traefik');
   const health = {};
   const lookupOptions = options.strict ? { strict: true } : {};
 
@@ -153,7 +219,7 @@ async function checkInfraHealth(devId = null, options = {}) {
     health[service] = await containerUtils.checkServiceWithHealthCheck(service, developerId, lookupOptions);
   }
 
-  // Check if services without health checks are running
+  // Check if optional services without health checks are running
   for (const service of servicesWithoutHealthCheck) {
     health[service] = await containerUtils.checkServiceWithoutHealthCheck(service, developerId, lookupOptions);
   }

package/lib/schema/application-schema.json

@@ -115,11 +115,6 @@
       "minimum": 1,
       "maximum": 65535
     },
-    "deploymentKey": {
-      "type": "string",
-      "description": "SHA256 hash of deployment manifest (excluding deploymentKey field)",
-      "pattern": "^[a-f0-9]{64}$"
-    },
     "requiresDatabase": {
       "type": "boolean",
       "description": "Whether application requires database"
@@ -137,6 +132,14 @@
             "type": "string",
             "description": "Database name",
             "pattern": "^[a-z0-9_-]+$"
+          },
+          "extensions": {
+            "type": "array",
+            "description": "PostgreSQL extension names to create in this database during db-init (e.g. pgcrypto, uuid-ossp, vector, btree_gin, btree_gist). If the database name ends with 'vector', the vector extension is still added automatically if not listed.",
+            "items": {
+              "type": "string",
+              "pattern": "^[a-z0-9_-]+$"
+            }
           }
         },
         "additionalProperties": false
@@ -736,13 +739,13 @@
       "properties": {
         "envOutputPath": {
           "type": "string",
-          "description": "Path where .env file is copied for local development (relative to builder/)",
+          "description": "Path where .env file is written for local development (relative to config dir); single .env for run",
           "pattern": "^[^/].*"
         },
         "localPort": {
           "type": "integer",
-          "description": "Port for local development (different from Docker port)",
-          "minimum": 1000,
+          "description": "Port for local development (host and .env PORT); when set and > 0, overrides port for run and local .env. Container/deployment still use port/containerPort.",
+          "minimum": 1,
           "maximum": 65535
         },
         "containerPort": {
@@ -768,6 +771,27 @@
           "type": "string",
           "description": "Dockerfile name (empty or missing = use auto-generated template)",
           "pattern": "^[^/].*"
+        },
+        "remoteSyncPath": {
+          "type": "string",
+          "description": "Relative path under user-mutagen-folder for remote sync and Docker -v; when unset, defaults to dev/<appKey>. No leading slash.",
+          "pattern": "^[^/].*"
+        },
+        "reloadStart": {
+          "type": "string",
+          "description": "When running with --reload, override the container command with this command (run from the mounted app root /app). Examples: TypeScript pnpm run reloadStart, Python make reloadStart."
+        },
+        "scripts": {
+          "type": "object",
+          "description": "Override CLI script commands (aifabrix test, install, lint, test-e2e, test-integration). When a key is missing, language default is used (TypeScript: pnpm test/install/lint/test:e2e/test:integration, Python: make test/install/lint/test:e2e/test-integration).",
+          "properties": {
+            "test": { "type": "string", "description": "Command for aifabrix test <app>" },
+            "install": { "type": "string", "description": "Command for aifabrix install <app>" },
+            "lint": { "type": "string", "description": "Command for aifabrix lint <app>" },
+            "testE2e": { "type": "string", "description": "Command for aifabrix test-e2e <app> (YAML may use test:e2e)" },
+            "testIntegration": { "type": "string", "description": "Command for aifabrix test-integration <app> (YAML may use test:integration). Defaults to testE2e when unset." }
+          },
+          "additionalProperties": true
         }
       },
       "additionalProperties": false