@aifabrix/builder 2.41.0 → 2.42.1

package/lib/commands/auth-config.js

@@ -19,34 +19,44 @@ const {
   validateEnvironment,
   checkUserLoggedIn
 } = require('../utils/auth-config-validator');
+const { getControllerUrlFromLoggedInUser } = require('../utils/controller-url');
 const logger = require('../utils/logger');
 
 /**
  * Handle set-controller command
+ * Allows setting the default controller when no credentials are stored, or when already logged in to that controller.
+ * If credentials exist for a different controller, throws with a clear message.
+ *
  * @async
  * @function handleSetController
  * @param {string} url - Controller URL to set
  * @returns {Promise<void>}
- * @throws {Error} If validation fails
+ * @throws {Error} If validation fails or credentials exist for another controller
  */
 async function handleSetController(url) {
   try {
-    // Validate URL format
     validateControllerUrl(url);
+    const normalizedUrl = url.trim().replace(/\/+$/, '');
 
-    // Check if user is logged in to that controller
-    const isLoggedIn = await checkUserLoggedIn(url);
-    if (!isLoggedIn) {
-      throw new Error(
-        `You are not logged in to controller ${url}.\n` +
-        'Please run "aifabrix login" first to authenticate with this controller.'
-      );
+    const loggedInControllerUrl = await getControllerUrlFromLoggedInUser();
+    if (!loggedInControllerUrl) {
+      // No stored credentials: allow setting controller so "aifabrix login" opens the right place
+      await setControllerUrl(url);
+      logger.log(chalk.green(`✓ Controller URL set to: ${url}`));
+      return;
     }
 
-    // Save controller URL
-    await setControllerUrl(url);
+    const normalizedLoggedIn = loggedInControllerUrl.trim().replace(/\/+$/, '');
+    if (normalizedLoggedIn === normalizedUrl) {
+      await setControllerUrl(url);
+      logger.log(chalk.green(`✓ Controller URL set to: ${url}`));
+      return;
+    }
 
-    logger.log(chalk.green(`✓ Controller URL set to: ${url}`));
+    throw new Error(
+      `You have credentials for another controller (${loggedInControllerUrl}).\n` +
+      `To use ${url} either run "aifabrix login" with that controller, or run "aifabrix logout" first to clear credentials, then set the new controller with --set-controller.`
+    );
   } catch (error) {
     logger.error(chalk.red(`✗ Failed to set controller URL: ${error.message}`));
     throw error;

package/lib/commands/credential-env.js

@@ -0,0 +1,162 @@
+/**
+ * Credential env command – prompts for KV_* values and writes .env.
+ * Used by `aifabrix credential env <system-key>`.
+ *
+ * @fileoverview Credential env command – interactive credential capture to .env
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const path = require('path');
+const fs = require('fs');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { getIntegrationPath } = require('../utils/paths');
+const { kvEnvKeyToPath } = require('../utils/credential-secrets-env');
+const { parseEnvToMap } = require('../utils/credential-secrets-env');
+
+const KV_PREFIX = 'KV_';
+
+/**
+ * Secret var suffixes (use password prompt).
+ * @type {Set<string>}
+ */
+const SECRET_SUFFIXES = new Set([
+  'CLIENTID', 'CLIENTSECRET', 'APIKEY', 'USERNAME', 'PASSWORD', 'PARAMVALUE',
+  'SIGNINGSECRET', 'BEARERTOKEN'
+]);
+
+/**
+ * Validates system-key format.
+ * @param {string} systemKey - System key
+ * @throws {Error} If invalid
+ */
+function validateSystemKeyFormat(systemKey) {
+  if (!systemKey || typeof systemKey !== 'string') {
+    throw new Error('System key is required and must be a string');
+  }
+  if (!/^[a-z0-9-_]+$/.test(systemKey)) {
+    throw new Error('System key must contain only lowercase letters, numbers, hyphens, and underscores');
+  }
+}
+
+/**
+ * Extracts KV_* variable names from env.template content.
+ * @param {string} content - env.template content
+ * @returns {Array<{ key: string, isSecret: boolean }>} KV_* vars to prompt
+ */
+function extractKvVarsFromTemplate(content) {
+  if (!content || typeof content !== 'string') return [];
+  const vars = [];
+  const seen = new Set();
+  const lines = content.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eq = trimmed.indexOf('=');
+    if (eq <= 0) continue;
+    const key = trimmed.substring(0, eq).trim();
+    if (!key.toUpperCase().startsWith(KV_PREFIX)) continue;
+    if (kvEnvKeyToPath(key) && !seen.has(key)) {
+      seen.add(key);
+      const suffix = key.slice(KV_PREFIX.length).split('_').pop() || '';
+      vars.push({ key, isSecret: SECRET_SUFFIXES.has(suffix.toUpperCase()) });
+    }
+  }
+  return vars;
+}
+
+/**
+ * Prompts for KV_* values using inquirer.
+ * @async
+ * @param {Array<{ key: string, isSecret: boolean }>} vars - Variables to prompt
+ * @param {Object} existingMap - Existing .env key-value map (for default values)
+ * @returns {Promise<Object.<string, string>>} Key-value map from prompts
+ */
+async function promptForKvValues(vars, existingMap) {
+  if (vars.length === 0) return {};
+  const inquirer = require('inquirer');
+  const questions = vars.map(({ key, isSecret }) => ({
+    type: isSecret ? 'password' : 'input',
+    name: key,
+    message: key,
+    default: existingMap[key] || undefined
+  }));
+  return await inquirer.prompt(questions);
+}
+
+/**
+ * Builds .env content: template lines with KV_* values replaced/merged from prompts.
+ * Preserves comments, non-KV lines, and structure; updates KV_* with prompted values.
+ * @param {string} templateContent - env.template content
+ * @param {Object.<string, string>} promptValues - Values from prompts
+ * @returns {string} Final .env content
+ */
+function buildEnvContent(templateContent, promptValues) {
+  if (!templateContent || typeof templateContent !== 'string') return '';
+  const lines = templateContent.split(/\r?\n/);
+  const result = [];
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) {
+      result.push(line);
+      continue;
+    }
+    const eq = trimmed.indexOf('=');
+    if (eq <= 0) {
+      result.push(line);
+      continue;
+    }
+    const key = trimmed.substring(0, eq).trim();
+    if (key.toUpperCase().startsWith(KV_PREFIX) && key in promptValues) {
+      result.push(`${key}=${promptValues[key]}`);
+    } else {
+      result.push(line);
+    }
+  }
+  return result.join('\n');
+}
+
+/**
+ * Runs credential env command: prompt for KV_* values and write .env.
+ * @async
+ * @param {string} systemKey - External system key (integration/<system-key>/)
+ * @returns {Promise<string>} Path to written .env file
+ * @throws {Error} If env.template missing or write fails
+ */
+function loadExistingEnvMap(envPath) {
+  if (!fs.existsSync(envPath)) return {};
+  return parseEnvToMap(fs.readFileSync(envPath, 'utf8'));
+}
+
+async function runCredentialEnv(systemKey) {
+  validateSystemKeyFormat(systemKey);
+  const appPath = getIntegrationPath(systemKey);
+  const envTemplatePath = path.join(appPath, 'env.template');
+  const envPath = path.join(appPath, '.env');
+
+  if (!fs.existsSync(envTemplatePath)) {
+    throw new Error(`env.template not found at ${envTemplatePath}. Create the integration first (e.g. aifabrix wizard or download).`);
+  }
+
+  const templateContent = fs.readFileSync(envTemplatePath, 'utf8');
+  const vars = extractKvVarsFromTemplate(templateContent);
+
+  if (vars.length === 0) {
+    logger.log(chalk.yellow('No KV_* variables in env.template. Nothing to prompt.'));
+    return envPath;
+  }
+
+  const existingMap = loadExistingEnvMap(envPath);
+  logger.log(chalk.blue(`\nEnter credential values for ${systemKey} (integration/${systemKey}/):`));
+  const promptValues = await promptForKvValues(vars, existingMap);
+  const content = buildEnvContent(templateContent, promptValues);
+
+  const dir = path.dirname(envPath);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
+  fs.writeFileSync(envPath, content, { mode: 0o600 });
+  logger.log(chalk.green(`✓ Wrote ${envPath}`));
+  return envPath;
+}
+
+module.exports = { runCredentialEnv, validateSystemKeyFormat, extractKvVarsFromTemplate, buildEnvContent };

package/lib/commands/credential-list.js

@@ -1,7 +1,6 @@
 /**
  * Credential list command – list credentials from Dataplane
  * GET /api/v1/credential. Used by `aifabrix credential list`.
- * The Controller does not expose this endpoint; credentials are listed from the Dataplane.
  *
  * @fileoverview Credential list command implementation
  * @author AI Fabrix Team
@@ -10,6 +9,7 @@
 
 const chalk = require('chalk');
 const logger = require('../utils/logger');
+const { formatCredentialWithStatus } = require('../utils/credential-display');
 const { resolveControllerUrl } = require('../utils/controller-url');
 const { getOrRefreshDeviceToken } = require('../utils/token-manager');
 const { normalizeControllerUrl, resolveEnvironment } = require('../core/config');
@@ -37,12 +37,14 @@ async function getCredentialListAuth(controllerUrl) {
 }
 
 /**
- * Extract credentials array from API response
- * @param {Object} response - API response
+ * Extract credentials array from API response.
+ * Handles: { data: { meta, data: [...] } } (paginated), { data: [...] }, { credentials: [...] }, { items: [...] }.
+ * @param {Object} response - API response (e.g. { success, data } from API client, or raw body)
  * @returns {Array}
  */
 function extractCredentials(response) {
-  const data = response?.data ?? response;
+  const body = response?.data ?? response;
+  const data = body?.data ?? body;
   const items = data?.credentials ?? data?.items ?? (Array.isArray(data) ? data : []);
   return Array.isArray(items) ? items : [];
 }
@@ -59,9 +61,10 @@ function displayCredentialList(list, baseUrl) {
     return;
   }
   list.forEach((c) => {
-    const key = c.key ?? c.id ?? c.credentialKey ?? '-';
-    const name = c.displayName ?? c.name ?? key;
-    logger.log(`  ${chalk.cyan(key)} - ${name}`);
+    const { key, name, statusFormatted, statusLabel } = formatCredentialWithStatus(c);
+    const prefix = statusFormatted ? `${statusFormatted} ` : '  ';
+    const line = `${prefix}${chalk.cyan(key)} - ${name}${statusLabel}`;
+    logger.log(line);
   });
   logger.log('');
 }
@@ -69,10 +72,10 @@ function displayCredentialList(list, baseUrl) {
 /**
  * Ensure controller URL and auth; exit on failure. Returns { controllerUrl, authConfig } when valid.
  * @async
- * @param {Object} options - CLI options with optional controller
+ * @param {Object} options - CLI options
  * @returns {Promise<{controllerUrl: string, authConfig: Object}>}
  */
-async function ensureControllerAndAuth(options) {
+async function ensureControllerAndAuth(options = {}) {
   const controllerUrl = options.controller || (await resolveControllerUrl());
   if (!controllerUrl) {
     logger.error(chalk.red('❌ Controller URL is required. Run "aifabrix login" first.'));
@@ -91,19 +94,14 @@ async function ensureControllerAndAuth(options) {
 }
 
 /**
- * Resolve Dataplane URL for credential list (override or discover from controller + environment)
+ * Resolve Dataplane URL for credential list (discover from controller + environment)
  * @async
  * @param {string} controllerUrl - Controller base URL
  * @param {Object} authConfig - Auth config with token
- * @param {Object} options - CLI options
- * @param {string} [options.dataplane] - Optional Dataplane URL override
  * @returns {Promise<string>} Dataplane base URL
  * @throws {Error} When resolution fails (caller should exit)
  */
-async function resolveCredentialListDataplaneUrl(controllerUrl, authConfig, options) {
-  if (options.dataplane) {
-    return options.dataplane.replace(/\/$/, '');
-  }
+async function resolveCredentialListDataplaneUrl(controllerUrl, authConfig) {
   const environment = await resolveEnvironment();
   return await resolveDataplaneUrl(controllerUrl, environment, authConfig);
 }
@@ -127,12 +125,11 @@ async function fetchAndDisplayCredentials(dataplaneUrl, authConfig, listOptions)
  * @param {Object} options - CLI options
  * @returns {Promise<string>} Dataplane URL (never returns on failure; process.exit(1))
  */
-async function resolveDataplaneUrlOrExit(controllerUrl, authConfig, options) {
+async function resolveDataplaneUrlOrExit(controllerUrl, authConfig) {
   try {
-    return await resolveCredentialListDataplaneUrl(controllerUrl, authConfig, options);
+    return await resolveCredentialListDataplaneUrl(controllerUrl, authConfig);
   } catch (err) {
     logger.error(chalk.red(`❌ Could not resolve Dataplane URL: ${err.message}`));
-    logger.error(chalk.gray('Use --dataplane <url> to specify the Dataplane URL directly.'));
     process.exit(1);
   }
 }
@@ -141,15 +138,13 @@ async function resolveDataplaneUrlOrExit(controllerUrl, authConfig, options) {
  * Run credential list command: call GET /api/v1/credential on Dataplane and display results
  * @async
  * @param {Object} options - CLI options
- * @param {string} [options.controller] - Controller URL override
- * @param {string} [options.dataplane] - Dataplane URL override (default: resolved from controller + environment)
  * @param {boolean} [options.activeOnly] - List only active credentials
  * @param {number} [options.pageSize] - Items per page
  * @returns {Promise<void>}
  */
 async function runCredentialList(options = {}) {
   const { controllerUrl, authConfig } = await ensureControllerAndAuth(options);
-  const dataplaneUrl = await resolveDataplaneUrlOrExit(controllerUrl, authConfig, options);
+  const dataplaneUrl = await resolveDataplaneUrlOrExit(controllerUrl, authConfig);
   const listOptions = {
     pageSize: options.pageSize || DEFAULT_PAGE_SIZE,
     activeOnly: options.activeOnly

package/lib/commands/credential-push.js

@@ -0,0 +1,96 @@
+/**
+ * Credential push command – pushes KV_* from .env to dataplane.
+ * Used by `aifabrix credential push <system-key>`.
+ *
+ * @fileoverview Credential push command – push credential secrets to dataplane
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+const path = require('path');
+const chalk = require('chalk');
+const logger = require('../utils/logger');
+const { resolveControllerUrl } = require('../utils/controller-url');
+const { getDeploymentAuth, requireBearerForDataplanePipeline } = require('../utils/token-manager');
+const { resolveDataplaneUrl } = require('../utils/dataplane-resolver');
+const { getIntegrationPath } = require('../utils/paths');
+const { pushCredentialSecrets } = require('../utils/credential-secrets-env');
+const { generateControllerManifest } = require('../generator/external-controller-manifest');
+
+/**
+ * Validates system-key format.
+ * @param {string} systemKey - System key
+ * @throws {Error} If invalid
+ */
+function validateSystemKeyFormat(systemKey) {
+  if (!systemKey || typeof systemKey !== 'string') {
+    throw new Error('System key is required and must be a string');
+  }
+  if (!/^[a-z0-9-_]+$/.test(systemKey)) {
+    throw new Error('System key must contain only lowercase letters, numbers, hyphens, and underscores');
+  }
+}
+
+/**
+ * Builds upload payload for credential push (same shape as upload).
+ * @param {string} systemKey - System key
+ * @returns {Promise<Object>} { version, application, dataSources }
+ */
+async function buildPayload(systemKey) {
+  const manifest = await generateControllerManifest(systemKey, { type: 'external' });
+  return {
+    version: manifest.version || '1.0.0',
+    application: manifest.system,
+    dataSources: manifest.dataSources || []
+  };
+}
+
+/**
+ * Runs credential push: push KV_* from .env to dataplane.
+ * @async
+ * @param {string} systemKey - External system key
+ * @returns {Promise<{ pushed: number }>} Count of secrets pushed
+ * @throws {Error} If auth or push fails
+ */
+function logPushResult(pushResult) {
+  if (pushResult.pushed > 0) {
+    const keyList = pushResult.keys?.length ? ` (${pushResult.keys.join(', ')})` : '';
+    logger.log(chalk.green(`✓ Pushed ${pushResult.pushed} credential secret(s) to dataplane${keyList}.`));
+  } else if (pushResult.skipped) {
+    logger.log(chalk.yellow('No credential secrets to push (empty .env or no KV_* vars with values).'));
+  } else {
+    logger.log(chalk.yellow('Secret push skipped'));
+  }
+  if (pushResult.warning) logger.log(chalk.yellow(`Warning: ${pushResult.warning}`));
+}
+
+async function runCredentialPush(systemKey) {
+  validateSystemKeyFormat(systemKey);
+  const appPath = getIntegrationPath(systemKey);
+  const envFilePath = path.join(appPath, '.env');
+
+  const { resolveEnvironment } = require('../core/config');
+  const environment = await resolveEnvironment();
+  const controllerUrl = await resolveControllerUrl();
+  const authConfig = await getDeploymentAuth(controllerUrl, environment, systemKey);
+
+  if (!authConfig.token && !authConfig.clientId) {
+    throw new Error('Authentication required. Run "aifabrix login" or "aifabrix app register <system-key>" first.');
+  }
+
+  requireBearerForDataplanePipeline(authConfig);
+  logger.log(chalk.blue('Resolving dataplane URL...'));
+  const dataplaneUrl = await resolveDataplaneUrl(controllerUrl, environment, authConfig);
+
+  const payload = await buildPayload(systemKey);
+  const pushResult = await pushCredentialSecrets(dataplaneUrl, authConfig, {
+    envFilePath,
+    appName: systemKey,
+    payload
+  });
+
+  logPushResult(pushResult);
+  return { pushed: pushResult.pushed || 0 };
+}
+
+module.exports = { runCredentialPush, validateSystemKeyFormat, buildPayload };

package/lib/commands/datasource.js

@@ -2,7 +2,7 @@
  * AI Fabrix Builder - Datasource Commands
  *
  * Handles datasource validation, listing, comparison, and deployment
- * Commands: datasource validate, datasource list, datasource diff, datasource deploy
+ * Commands: datasource validate, datasource list, datasource diff, datasource upload
  *
  * @fileoverview Datasource management commands for AI Fabrix Builder
  * @author AI Fabrix Team
@@ -15,6 +15,9 @@ const { validateDatasourceFile } = require('../datasource/validate');
 const { listDatasources } = require('../datasource/list');
 const { compareDatasources } = require('../datasource/diff');
 const { deployDatasource } = require('../datasource/deploy');
+const { runDatasourceTestIntegration } = require('../datasource/test-integration');
+const { runDatasourceTestE2E } = require('../datasource/test-e2e');
+const { displayIntegrationTestResults, displayE2EResults } = require('../utils/external-system-display');
 
 function setupDatasourceValidateCommand(datasource) {
   datasource.command('validate <file>')
@@ -62,14 +65,80 @@ function setupDatasourceDiffCommand(datasource) {
     });
 }
 
-function setupDatasourceDeployCommand(datasource) {
-  datasource.command('deploy <myapp> <file>')
-    .description('Deploy datasource to dataplane')
+function setupDatasourceUploadCommand(datasource) {
+  datasource.command('upload <myapp> <file>')
+    .description('Upload datasource to dataplane')
     .action(async(myapp, file, options) => {
       try {
         await deployDatasource(myapp, file, options);
       } catch (error) {
-        logger.error(chalk.red('❌ Deployment failed:'), error.message);
+        logger.error(chalk.red('❌ Upload failed:'), error.message);
+        process.exit(1);
+      }
+    });
+}
+
+function setupDatasourceTestIntegrationCommand(datasource) {
+  datasource.command('test-integration <datasourceKey>')
+    .description('Run integration (config) test for one datasource via dataplane pipeline')
+    .option('-a, --app <appKey>', 'App key (default: resolve from cwd if inside integration/<appKey>/)')
+    .option('-p, --payload <file>', 'Path to custom test payload file')
+    .option('-e, --env <env>', 'Environment: dev, tst, or pro')
+    .option('--debug', 'Include debug output and write log to integration/<appKey>/logs/')
+    .option('--timeout <ms>', 'Request timeout in milliseconds', '30000')
+    .action(async(datasourceKey, options) => {
+      try {
+        const result = await runDatasourceTestIntegration(datasourceKey, {
+          app: options.app,
+          payload: options.payload,
+          environment: options.env,
+          debug: options.debug,
+          timeout: options.timeout
+        });
+        displayIntegrationTestResults({
+          systemKey: result.systemKey || 'unknown',
+          datasourceResults: [result],
+          success: result.success
+        }, options.verbose);
+        if (!result.success) process.exit(1);
+      } catch (error) {
+        logger.error(chalk.red('❌ Integration test failed:'), error.message);
+        process.exit(1);
+      }
+    });
+}
+
+function setupDatasourceTestE2ECommand(datasource) {
+  datasource.command('test-e2e <datasourceKey>')
+    .description('Run E2E test for one datasource (config, credential, sync, data, CIP) via dataplane')
+    .option('-a, --app <appKey>', 'App key (default: resolve from cwd if inside integration/<appKey>/)')
+    .option('-e, --env <env>', 'Environment: dev, tst, or pro')
+    .option('-v, --verbose', 'Show detailed step output and poll progress')
+    .option('--debug', 'Include debug output and write log to integration/<appKey>/logs/')
+    .option('--test-crud', 'Enable CRUD lifecycle test (body testCrud: true)')
+    .option('--record-id <id>', 'Record ID for test (body recordId)')
+    .option('--no-cleanup', 'Disable cleanup after test (body cleanup: false)')
+    .option('--primary-key-value <value|@path>', 'Primary key value or path to JSON file (e.g. @pk.json) for body primaryKeyValue')
+    .option('--no-async', 'Use sync mode (no polling); single POST, no asyncRun')
+    .action(async(datasourceKey, options) => {
+      try {
+        const data = await runDatasourceTestE2E(datasourceKey, {
+          app: options.app,
+          environment: options.env,
+          debug: options.debug,
+          verbose: options.verbose,
+          async: options.async !== false,
+          testCrud: options.testCrud,
+          recordId: options.recordId,
+          cleanup: options.cleanup,
+          primaryKeyValue: options.primaryKeyValue
+        });
+        displayE2EResults(data, options.verbose);
+        const steps = data.steps || data.completedActions || [];
+        const failed = data.success === false || steps.some(s => s.success === false || s.error);
+        if (failed) process.exit(1);
+      } catch (error) {
+        logger.error(chalk.red('❌ E2E test failed:'), error.message);
         process.exit(1);
       }
     });
@@ -84,7 +153,9 @@ function setupDatasourceCommands(program) {
   setupDatasourceValidateCommand(datasource);
   setupDatasourceListCommand(datasource);
   setupDatasourceDiffCommand(datasource);
-  setupDatasourceDeployCommand(datasource);
+  setupDatasourceUploadCommand(datasource);
+  setupDatasourceTestIntegrationCommand(datasource);
+  setupDatasourceTestE2ECommand(datasource);
 }
 
 module.exports = { setupDatasourceCommands };

package/lib/commands/dev-init.js

@@ -14,6 +14,44 @@ const { generateCSR, getCertDir, readClientCertPem, readClientKeyPem, getCertVal
 const { getOrCreatePublicKeyContent } = require('../utils/ssh-key-helper');
 const devApi = require('../api/dev.api');
 const logger = require('../utils/logger');
+const {
+  isSslUntrustedError,
+  fetchInstallCa,
+  installCaPlatform,
+  promptInstallCa
+} = require('../utils/dev-ca-install');
+
+/**
+ * Ensure the Builder Server is trusted: run health check; on SSL untrusted error,
+ * optionally fetch and install CA, then retry.
+ * @param {string} baseUrl - Builder Server base URL
+ * @param {Object} options - Commander options (yes, y, no-install-ca)
+ * @returns {Promise<void>}
+ */
+async function ensureServerTrusted(baseUrl, options) {
+  const skipInstall = options['no-install-ca'];
+  const autoInstall = options.yes || options.y;
+  try {
+    await devApi.getHealth(baseUrl);
+  } catch (err) {
+    if (!isSslUntrustedError(err)) throw err;
+    const manualUrl = `${baseUrl.replace(/\/+$/, '')}/install-ca`;
+    if (skipInstall) {
+      throw new Error(`Server certificate not trusted. Install CA manually: ${manualUrl}`);
+    }
+    if (!autoInstall) {
+      const install = await promptInstallCa();
+      if (!install) {
+        throw new Error(`Server certificate not trusted. Install CA manually: ${manualUrl}`);
+      }
+    }
+    logger.log(chalk.gray('  Downloading and installing CA...'));
+    const caPem = await fetchInstallCa(baseUrl);
+    await installCaPlatform(caPem, baseUrl);
+    logger.log(chalk.gray('  CA installed. Retrying...'));
+    await devApi.getHealth(baseUrl);
+  }
+}
 
 /**
  * Validate init options and return normalized baseUrl and devId.
@@ -213,7 +251,7 @@ async function runDevInit(options) {
   logger.log(chalk.blue('\n🔐 Onboarding with Builder Server...\n'));
 
   try {
-    await devApi.getHealth(baseUrl);
+    await ensureServerTrusted(baseUrl, options);
   } catch (err) {
     throw new Error(`Cannot reach Builder Server at ${baseUrl}. Check URL and network. ${err.message}`);
   }