@aifabrix/builder 2.42.1 → 2.44.0

package/lib/commands/dev-down.js

@@ -1,3 +1,4 @@
+const { formatSuccessParagraph } = require('../utils/cli-test-layout-chalk');
 /**
  * dev down – stop Mutagen sync sessions and optionally app containers for this developer.
  *
@@ -38,7 +39,7 @@ async function stopMutagenSessions(developerId) {
     const toTerminate = sessions.filter(name => name.startsWith(prefix));
     for (const name of toTerminate) {
       await execAsync(`"${mutagenPath}" sync terminate "${name}"`, { timeout: 5000 });
-      logger.log(chalk.green(`  ✓ Stopped sync session: ${name}`));
+      logger.log(chalk.green(`  ✔ Stopped sync session: ${name}`));
     }
     if (toTerminate.length === 0 && sessions.length > 0) {
       logger.log(chalk.gray('No sync sessions for this developer.'));
@@ -98,7 +99,7 @@ async function handleDevDown(options = {}) {
       if (!appName) continue;
       try {
         await appLib.downApp(appName, {});
-        logger.log(chalk.green(`  ✓ Stopped app: ${appName}`));
+        logger.log(chalk.green(`  ✔ Stopped app: ${appName}`));
       } catch (err) {
         logger.log(chalk.yellow(`  ⚠ Could not stop ${appName}: ${err.message}`));
       }
@@ -108,7 +109,7 @@ async function handleDevDown(options = {}) {
     }
   }
 
-  logger.log(chalk.green('\n✓ dev down complete.\n'));
+  logger.log(formatSuccessParagraph('dev down complete.\n'));
 }
 
 module.exports = { handleDevDown };

package/lib/commands/dev-init.js

@@ -1,6 +1,7 @@
+const { formatSuccessLine, formatSuccessParagraph } = require('../utils/cli-test-layout-chalk');
 /**
- * @fileoverview aifabrix dev init – onboard with Builder Server (issue-cert, save cert, get settings, add SSH key).
- * Auth: first call (issue-cert) uses no client cert; all other calls (getSettings, addSshKey, and every other dev API) send the client certificate.
+ * @fileoverview aifabrix dev init – onboard with Builder Server (issue-cert, save cert, get settings, add SSH key, SSH config alias).
+ * Auth: first call (issue-cert) uses no client cert; other calls send the client cert (mTLS on https, X-Client-Cert header on http for getSettings/addSshKey).
  * @author AI Fabrix Team
  * @version 2.0.0
  */
@@ -10,69 +11,138 @@ const path = require('path');
 const chalk = require('chalk');
 const config = require('../core/config');
 const { getConfigDirForPaths } = require('../utils/paths');
-const { generateCSR, getCertDir, readClientCertPem, readClientKeyPem, getCertValidNotAfter } = require('../utils/dev-cert-helper');
+const {
+  generateCSR,
+  getCertDir,
+  readClientCertPem,
+  readClientKeyPem,
+  getCertValidNotAfter,
+  normalizePemNewlines,
+  mergeCaPemBlocks
+} = require('../utils/dev-cert-helper');
 const { getOrCreatePublicKeyContent } = require('../utils/ssh-key-helper');
 const devApi = require('../api/dev.api');
 const logger = require('../utils/logger');
 const {
   isSslUntrustedError,
+  isSslHostnameMismatchError,
   fetchInstallCa,
   installCaPlatform,
-  promptInstallCa
+  promptInstallCa,
+  isLinuxCaSudoRequiredError
 } = require('../utils/dev-ca-install');
+const { runOptionalHostsSetup } = require('../utils/dev-hosts-helper');
+const { mergeDevSshConfigAfterInit } = require('../utils/dev-init-ssh-merge');
+const { resolveInitOptions } = require('../utils/dev-init-resolve');
+const { displayDevConfig } = require('./dev-show-display');
+const {
+  isHealthHttpServerError,
+  formatEnsureServerTrustedFailure
+} = require('../utils/dev-init-health-messages');
+const { getBadRequestHint, logCertTroubleshootingHint } = require('../utils/dev-init-cert-hints');
 
 /**
- * Ensure the Builder Server is trusted: run health check; on SSL untrusted error,
- * optionally fetch and install CA, then retry.
+ * Install dev CA into the OS trust store. On Linux without sudo, log and return false so the caller can use in-process PEM.
+ * @param {Buffer} caBuf - CA PEM buffer
+ * @param {string} baseUrlForInstall - Builder Server base URL (for install-ca-help paths)
+ * @returns {Promise<boolean>} true if the OS store was updated
+ */
+async function tryInstallDevCaToOsStoreOrWarnLinuxSudo(caBuf, baseUrlForInstall) {
+  try {
+    await installCaPlatform(caBuf, baseUrlForInstall);
+    return true;
+  } catch (installErr) {
+    if (isLinuxCaSudoRequiredError(installErr)) {
+      logger.log(
+        chalk.yellow(
+          '  ⚠ Could not install the development CA into the system trust store (sudo/root required). ' +
+            'Continuing with the downloaded CA for this CLI session; browsers and curl may still warn until you install it manually.\n' +
+            '  ' +
+            (installErr.message || String(installErr))
+        )
+      );
+      return false;
+    }
+    throw installErr;
+  }
+}
+
+/**
+ * Prompt, fetch dev CA, install into OS store, verify health with PEM for Node TLS.
  * @param {string} baseUrl - Builder Server base URL
- * @param {Object} options - Commander options (yes, y, no-install-ca)
- * @returns {Promise<void>}
+ * @param {Object} options - Commander options
+ * @returns {Promise<string>} Dev root CA PEM
  */
-async function ensureServerTrusted(baseUrl, options) {
+async function installDevCaAndRetryHealth(baseUrl, options) {
   const skipInstall = options['no-install-ca'];
   const autoInstall = options.yes || options.y;
-  try {
-    await devApi.getHealth(baseUrl);
-  } catch (err) {
-    if (!isSslUntrustedError(err)) throw err;
-    const manualUrl = `${baseUrl.replace(/\/+$/, '')}/install-ca`;
-    if (skipInstall) {
+  const manualUrl = `${baseUrl.replace(/\/+$/, '')}/install-ca`;
+  if (skipInstall) {
+    throw new Error(`Server certificate not trusted. Install CA manually: ${manualUrl}`);
+  }
+  if (!autoInstall) {
+    const install = await promptInstallCa();
+    if (!install) {
       throw new Error(`Server certificate not trusted. Install CA manually: ${manualUrl}`);
     }
-    if (!autoInstall) {
-      const install = await promptInstallCa();
-      if (!install) {
-        throw new Error(`Server certificate not trusted. Install CA manually: ${manualUrl}`);
-      }
+  }
+  logger.log(chalk.gray('  Downloading and installing CA...'));
+  const caBuf = await fetchInstallCa(baseUrl);
+  const caPemStr = caBuf.toString('utf8').trim();
+  const installedToOsStore = await tryInstallDevCaToOsStoreOrWarnLinuxSudo(caBuf, baseUrl);
+  logger.log(
+    chalk.gray(
+      installedToOsStore ? '  CA installed. Retrying...' : '  Retrying with downloaded CA (in-process trust)...'
+    )
+  );
+  try {
+    await devApi.getHealth(baseUrl, caPemStr);
+  } catch (healthErr) {
+    if (isHealthHttpServerError(healthErr)) {
+      logger.log(
+        chalk.yellow(
+          `  ⚠ GET /health returned HTTP ${healthErr.status} (${healthErr.message || 'Server Error'}). ` +
+            'TLS is verified; continuing with certificate onboarding.'
+        )
+      );
+    } else {
+      throw healthErr;
     }
-    logger.log(chalk.gray('  Downloading and installing CA...'));
-    const caPem = await fetchInstallCa(baseUrl);
-    await installCaPlatform(caPem, baseUrl);
-    logger.log(chalk.gray('  CA installed. Retrying...'));
-    await devApi.getHealth(baseUrl);
   }
+  return caPemStr;
 }
 
 /**
- * Validate init options and return normalized baseUrl and devId.
- * @param {Object} options - Commander options
- * @returns {{ baseUrl: string, devId: string }}
+ * Ensure the Builder Server is trusted: run health check; on SSL untrusted error,
+ * optionally fetch and install CA, then retry using the PEM in-process (Node does not use Windows user ROOT for fetch).
+ * @param {string} baseUrl - Builder Server base URL
+ * @param {Object} options - Commander options (yes, y, no-install-ca)
+ * @returns {Promise<string|null>} Dev root CA PEM to pass to dev API for TLS, or null if no install-ca path was used
  */
-function validateInitOptions(options) {
-  const devId = options.developerId || options['developer-id'];
-  const server = options.server;
-  const pin = options.pin;
-
-  if (!devId || typeof devId !== 'string' || !/^[0-9]+$/.test(devId)) {
-    throw new Error('--developer-id is required and must be a non-empty digit string (e.g. 01)');
-  }
-  if (!server || typeof server !== 'string' || !server.trim()) {
-    throw new Error('--server is required and must be the Builder Server base URL (e.g. https://dev.aifabrix.dev)');
-  }
-  if (!pin || typeof pin !== 'string' || !pin.trim()) {
-    throw new Error('--pin is required (one-time PIN from your admin)');
+async function ensureServerTrusted(baseUrl, options) {
+  try {
+    await devApi.getHealth(baseUrl);
+    return null;
+  } catch (err) {
+    if (isSslHostnameMismatchError(err)) {
+      throw new Error(
+        `TLS hostname does not match the server certificate for ${baseUrl}. Open the site in a browser only after accepting a warning, or the certificate may list a different DNS name. Use a URL whose hostname is in the certificate (SAN), or reissue the server certificate for this host.`
+      );
+    }
+    if (!isSslUntrustedError(err)) {
+      if (isHealthHttpServerError(err)) {
+        logger.log(
+          chalk.yellow(
+            `  ⚠ GET /health returned HTTP ${err.status} (${err.message || 'Server Error'}). ` +
+              'Continuing certificate onboarding; fix server health if later steps fail.'
+          )
+        );
+        return null;
+      }
+      throw err;
+    }
+    return installDevCaAndRetryHealth(baseUrl, options);
   }
-  return { baseUrl: server.trim().replace(/\/+$/, ''), devId };
 }
 
 /**
@@ -81,15 +151,16 @@ function validateInitOptions(options) {
  * @param {string} devId - Developer ID
  * @param {string} pin - One-time PIN
  * @param {string} csrPem - PEM CSR
+ * @param {string} [serverCaPem] - Dev root CA for Node TLS (after install-ca)
  * @returns {Promise<Object>} IssueCertResponseDto
  */
-async function requestCertificate(baseUrl, devId, pin, csrPem) {
+async function requestCertificate(baseUrl, devId, pin, csrPem, serverCaPem) {
   try {
     return await devApi.issueCert(baseUrl, {
       developerId: devId,
       pin: pin.trim(),
       csr: csrPem
-    });
+    }, serverCaPem);
   } catch (err) {
     if (err.status === 401) {
       throw new Error('Invalid or expired PIN. Ask your admin for a new PIN (aifabrix dev pin <developerId>).');
@@ -104,17 +175,6 @@ async function requestCertificate(baseUrl, devId, pin, csrPem) {
   }
 }
 
-/**
- * Normalize PEM string: turn literal \n (backslash-n) into real newlines so Docker/OpenSSL accept it.
- * Some servers return JSON with escaped newlines in the PEM string.
- * @param {string} pem - PEM string (certificate or CA)
- * @returns {string} PEM with real newlines
- */
-function normalizePemNewlines(pem) {
-  if (typeof pem !== 'string') return pem;
-  return pem.replace(/\\n/g, '\n');
-}
-
 /**
  * Save certificate, key, and optional CA to cert dir; set developer-id in config.
  * Remote Docker requires ca.pem in the cert dir; if the server provides it (e.g. issue-cert
@@ -135,34 +195,12 @@ async function saveCertAndConfig(configDir, devId, certificatePem, keyPem, caPem
   if (caPem && typeof caPem === 'string' && caPem.trim()) {
     const caNormalized = normalizePemNewlines(caPem.trim());
     await fs.writeFile(path.join(certDir, 'ca.pem'), caNormalized, { mode: 0o600 });
-    logger.log(chalk.green('  ✓ Certificate and CA saved to ') + chalk.cyan(path.join(certDir, 'cert.pem')));
+    logger.log(chalk.green('  ✔ Certificate and CA saved to ') + chalk.cyan(path.join(certDir, 'cert.pem')));
   } else {
-    logger.log(chalk.green('  ✓ Certificate saved to ') + chalk.cyan(path.join(certDir, 'cert.pem')));
+    logger.log(chalk.green('  ✔ Certificate saved to ') + chalk.cyan(path.join(certDir, 'cert.pem')));
   }
   await config.setDeveloperId(devId);
-  logger.log(chalk.green('  ✓ Developer ID set to ') + chalk.cyan(devId));
-}
-
-/**
- * Message for 400 Bad Request: nginx often forwards X-Client-Cert with literal newlines.
- * @returns {string} Hint for server-side nginx fix
- */
-function getBadRequestHint() {
-  return 'Bad Request (400) often means the server\'s nginx is forwarding the client certificate with literal newlines in X-Client-Cert. On the server, use nginx njs to escape newlines (see .cursor/plans/builder-cli.md §5).';
-}
-
-/**
- * Log a one-line hint for cert troubleshooting (curl test and docs).
- * @param {string} configDir - Config directory
- * @param {string} devId - Developer ID
- * @param {string} baseUrl - Builder Server base URL
- */
-function logCertTroubleshootingHint(configDir, devId, baseUrl) {
-  const certDir = getCertDir(configDir, devId);
-  const certPath = path.join(certDir, 'cert.pem');
-  const keyPath = path.join(certDir, 'key.pem');
-  logger.log(chalk.gray(`  Test with: curl -v --cert ${certPath} --key ${keyPath} ${baseUrl}/api/dev/settings`));
-  logger.log(chalk.gray('  See .cursor/plans/builder-cli.md §5 for 200 vs 401 vs 400 and nginx/server fix.'));
+  logger.log(chalk.green('  ✔ Developer ID set to ') + chalk.cyan(devId));
 }
 
 /**
@@ -172,14 +210,14 @@ function logCertTroubleshootingHint(configDir, devId, baseUrl) {
  * @param {string} clientKeyPem - Client private key PEM (for mTLS)
  * @param {string} devId - Developer ID
  */
-async function registerSshKey(baseUrl, clientCertPem, clientKeyPem, devId) {
+async function registerSshKey(baseUrl, clientCertPem, clientKeyPem, devId, serverCaPem) {
   const publicKey = getOrCreatePublicKeyContent();
   try {
     await devApi.addSshKey(baseUrl, clientCertPem, devId, {
       publicKey,
       label: 'aifabrix-init'
-    }, clientKeyPem);
-    logger.log(chalk.green('  ✓ SSH key registered'));
+    }, clientKeyPem, serverCaPem);
+    logger.log(chalk.green('  ✔ SSH key registered'));
   } catch (err) {
     if (err.status === 409) {
       logger.log(chalk.yellow('  ⚠ SSH key already registered'));
@@ -198,13 +236,13 @@ async function registerSshKey(baseUrl, clientCertPem, clientKeyPem, devId) {
  * @param {string} devId - Developer ID
  * @private
  */
-async function _runSshKeyRegistrationStep(baseUrl, issueResponse, keyPem, configDir, devId) {
+async function _runSshKeyRegistrationStep(baseUrl, issueResponse, keyPem, configDir, devId, serverCaPem) {
   logger.log(chalk.gray('  Registering SSH key for Mutagen sync...'));
   try {
     if (keyPem && typeof keyPem === 'string') {
       logger.log(chalk.gray('  Using client certificate for TLS'));
     }
-    await registerSshKey(baseUrl, issueResponse.certificate, keyPem, devId);
+    await registerSshKey(baseUrl, issueResponse.certificate, keyPem, devId, serverCaPem);
   } catch (err) {
     const msg = err.status === 400 ? getBadRequestHint() : (err.message || String(err));
     logger.log(chalk.yellow('  ⚠ Could not register SSH key: ' + msg));
@@ -218,12 +256,13 @@ async function _runSshKeyRegistrationStep(baseUrl, issueResponse, keyPem, config
  * @param {string} devId - Developer ID
  * @param {Object} issueResponse - IssueCert response (certificate, settings)
  * @param {string} keyPem - Client key PEM
+ * @param {string} [serverCaPem] - Dev root CA for Node TLS
  */
-async function applySettingsFromServer(baseUrl, devId, issueResponse, keyPem) {
+async function applySettingsFromServer(baseUrl, devId, issueResponse, keyPem, serverCaPem) {
   const configDir = getConfigDirForPaths();
   if (issueResponse.settings && typeof issueResponse.settings === 'object') {
     await config.mergeRemoteSettings(issueResponse.settings);
-    logger.log(chalk.green('  ✓ Config updated from server (issue-cert response)'));
+    logger.log(chalk.green('  ✔ Config updated from server (issue-cert response)'));
     return;
   }
   logger.log(chalk.gray('  Fetching settings...'));
@@ -231,9 +270,9 @@ async function applySettingsFromServer(baseUrl, devId, issueResponse, keyPem) {
     if (keyPem && typeof keyPem === 'string') {
       logger.log(chalk.gray('  Using client certificate for TLS'));
     }
-    const settings = await devApi.getSettings(baseUrl, issueResponse.certificate, keyPem);
+    const settings = await devApi.getSettings(baseUrl, issueResponse.certificate, keyPem, serverCaPem);
     await config.mergeRemoteSettings(settings);
-    logger.log(chalk.green('  ✓ Config updated from server'));
+    logger.log(chalk.green('  ✔ Config updated from server'));
   } catch (err) {
     const msg = err.status === 400 ? getBadRequestHint() : (err.message || String(err));
     logger.log(chalk.yellow('  ⚠ Could not fetch settings (server may not support cert yet): ' + msg));
@@ -241,36 +280,94 @@ async function applySettingsFromServer(baseUrl, devId, issueResponse, keyPem) {
   }
 }
 
+/**
+ * @param {Object} options - Commander options
+ * @param {string} baseUrl
+ * @param {string} devId - Developer ID (--developer-id) for devNN.hosts line
+ */
+async function maybeAddHostsDuringInit(options, baseUrl, devId) {
+  if (!options.addHosts && !options['add-hosts']) return;
+  const hostsIp = options.hostsIp || options['hosts-ip'];
+  await runOptionalHostsSetup({
+    baseUrl,
+    developerId: devId,
+    hostsIp: typeof hostsIp === 'string' ? hostsIp : undefined,
+    skipConfirm: Boolean(options.yes || options.y),
+    logger
+  });
+}
+
+/**
+ * @param {string} baseUrl
+ * @param {Object} options
+ * @returns {Promise<string|null>}
+ */
+async function resolveServerCaPemForTls(baseUrl, options) {
+  try {
+    return await ensureServerTrusted(baseUrl, options);
+  } catch (err) {
+    throw new Error(formatEnsureServerTrustedFailure(baseUrl, err));
+  }
+}
+
+/**
+ * @param {{ hostAlias: string|null, syncUser: string, syncHost: string|null }} p
+ */
+function logOnboardingFinished({ hostAlias, syncUser, syncHost }) {
+  logger.log(formatSuccessParagraph('Onboarding complete. You can use remote Docker and Mutagen sync.'));
+  if (hostAlias) {
+    logger.log(
+      chalk.gray('  You can also open an SSH session on the builder with ') +
+        chalk.cyan(`ssh ${hostAlias}`) +
+        chalk.gray(' (uses your registered SSH key; see ~/.ssh/config).')
+    );
+  } else if (syncHost && syncUser) {
+    logger.log(
+      chalk.gray('  You can SSH to the builder with ') +
+        chalk.cyan(`ssh ${syncUser}@${syncHost}`) +
+        chalk.gray(' when your key is authorized there.')
+    );
+  }
+  logger.log('');
+}
+
 /**
  * Run dev init: validate PIN via issue-cert, save certificate, fetch settings, add SSH key.
  * @param {Object} options - Commander options (devId, server, pin)
  * @returns {Promise<void>}
  */
 async function runDevInit(options) {
-  const { baseUrl, devId } = validateInitOptions(options);
+  const { baseUrl, devId } = await resolveInitOptions(options);
+
+  // Save developer-id and remote-server before TLS / issue-cert so ~/.aifabrix/config.yaml
+  // matches the CLI even if onboarding fails later (PIN, network, etc.). User can retry init.
+  await config.setDeveloperId(devId);
+  await config.setRemoteServer(baseUrl);
+  process.env.AIFABRIX_DEVELOPERID = devId;
+
   logger.log(chalk.blue('\n🔐 Onboarding with Builder Server...\n'));
 
-  try {
-    await ensureServerTrusted(baseUrl, options);
-  } catch (err) {
-    throw new Error(`Cannot reach Builder Server at ${baseUrl}. Check URL and network. ${err.message}`);
-  }
+  await maybeAddHostsDuringInit(options, baseUrl, devId);
+  const serverCaPemForTls = await resolveServerCaPemForTls(baseUrl, options);
 
   logger.log(chalk.gray('  Generating certificate request...'));
   const { csrPem, keyPem } = generateCSR(devId);
 
   logger.log(chalk.gray('  Requesting certificate (issue-cert)...'));
-  const issueResponse = await requestCertificate(baseUrl, devId, options.pin, csrPem);
+  const issueResponse = await requestCertificate(baseUrl, devId, options.pin, csrPem, serverCaPemForTls || undefined);
 
   const configDir = getConfigDirForPaths();
-  const caPem = issueResponse.caCertificate || issueResponse.ca;
+  const caPem = mergeCaPemBlocks(
+    serverCaPemForTls,
+    issueResponse.caCertificate,
+    issueResponse.ca
+  );
   await saveCertAndConfig(configDir, devId, issueResponse.certificate, keyPem, caPem);
 
-  await config.setRemoteServer(baseUrl);
-
-  await applySettingsFromServer(baseUrl, devId, issueResponse, keyPem);
-  await _runSshKeyRegistrationStep(baseUrl, issueResponse, keyPem, configDir, devId);
-  logger.log(chalk.green('\n✓ Onboarding complete. You can use remote Docker and Mutagen sync.\n'));
+  await applySettingsFromServer(baseUrl, devId, issueResponse, keyPem, serverCaPemForTls || undefined);
+  await _runSshKeyRegistrationStep(baseUrl, issueResponse, keyPem, configDir, devId, serverCaPemForTls || undefined);
+  const sshInfo = await mergeDevSshConfigAfterInit(baseUrl, devId);
+  logOnboardingFinished(sshInfo);
 }
 
 /** Days before cert expiry at which we auto-refresh on dev refresh. */
@@ -291,25 +388,47 @@ function shouldRefreshDevCert(certDir) {
 
 /**
  * Refresh developer certificate: create PIN (with current cert), issue new cert, save and apply settings.
- * @param {{ serverUrl: string, clientCertPem: string }} auth - Current auth from getRemoteDevAuth
+ * @param {{ serverUrl: string, clientCertPem: string, serverCaPem?: string|null }} auth - Current auth from getRemoteDevAuth
  * @returns {Promise<void>}
  */
 async function runCertificateRefresh(auth) {
   const devId = await config.getDeveloperId();
   if (!devId) throw new Error('developer-id not set in config.');
   const configDir = getConfigDirForPaths();
+  const serverCaPem = auth.serverCaPem || undefined;
   logger.log(chalk.blue('\n🔄 Refreshing certificate (create PIN + issue-cert)...\n'));
-  const pinRes = await devApi.createPin(auth.serverUrl, auth.clientCertPem, devId);
+  const pinRes = await devApi.createPin(auth.serverUrl, auth.clientCertPem, devId, serverCaPem);
   const pin = pinRes.pin;
   if (!pin || typeof pin !== 'string') throw new Error('Server did not return a PIN.');
   logger.log(chalk.gray('  Generating new certificate request...'));
   const { csrPem, keyPem } = generateCSR(devId);
   logger.log(chalk.gray('  Requesting new certificate (issue-cert)...'));
-  const issueResponse = await requestCertificate(auth.serverUrl, devId, pin, csrPem);
-  const caPem = issueResponse.caCertificate || issueResponse.ca;
+  const issueResponse = await requestCertificate(auth.serverUrl, devId, pin, csrPem, serverCaPem);
+  const caPem = mergeCaPemBlocks(serverCaPem, issueResponse.caCertificate, issueResponse.ca);
   await saveCertAndConfig(configDir, devId, issueResponse.certificate, keyPem, caPem);
-  await applySettingsFromServer(auth.serverUrl, devId, issueResponse, keyPem);
-  logger.log(chalk.green('✓ Certificate refreshed and config updated from server.\n'));
+  await applySettingsFromServer(auth.serverUrl, devId, issueResponse, keyPem, serverCaPem);
+  logger.log(formatSuccessLine('Certificate refreshed and config updated from server.\n'));
+}
+
+/**
+ * GET /api/dev/settings and merge into local config (used by dev refresh when cert is still valid).
+ * @param {{ serverUrl: string, serverCaPem?: string|null }} auth
+ * @param {string} clientCertPem
+ * @param {string|null|undefined} clientKeyPem
+ * @param {string} devId
+ * @returns {Promise<void>}
+ */
+async function fetchAndMergeRemoteSettings(auth, clientCertPem, clientKeyPem, devId) {
+  logger.log(chalk.blue('\n🔄 Fetching settings from Builder Server...\n'));
+  const settings = await devApi.getSettings(
+    auth.serverUrl,
+    clientCertPem,
+    clientKeyPem || undefined,
+    auth.serverCaPem || undefined
+  );
+  await config.mergeRemoteSettings(settings);
+  logger.log(formatSuccessLine('Config updated from server.\n'));
+  await displayDevConfig(devId);
 }
 
 /**
@@ -326,22 +445,18 @@ async function runDevRefresh(options = {}) {
     throw new Error('Remote server is not configured. Set remote-server and run "aifabrix dev init" first.');
   }
   const devId = await config.getDeveloperId();
-  const configDir = getConfigDirForPaths();
-  const certDir = getCertDir(configDir, devId);
+  const certDir = getCertDir(getConfigDirForPaths(), devId);
   const clientCertPem = readClientCertPem(certDir);
   const clientKeyPem = readClientKeyPem(certDir);
   if (!clientCertPem) {
     throw new Error('Client certificate not found. Run "aifabrix dev init" first.');
   }
-  const forceCertRefresh = Boolean(options.cert);
-  if (forceCertRefresh || shouldRefreshDevCert(certDir)) {
+  if (Boolean(options.cert) || shouldRefreshDevCert(certDir)) {
     await runCertificateRefresh(auth);
+    await displayDevConfig(devId);
     return;
   }
-  logger.log(chalk.blue('\n🔄 Fetching settings from Builder Server...\n'));
-  const settings = await devApi.getSettings(auth.serverUrl, clientCertPem, clientKeyPem || undefined);
-  await config.mergeRemoteSettings(settings);
-  logger.log(chalk.green('✓ Config updated from server. Run "aifabrix dev config" to verify.\n'));
+  await fetchAndMergeRemoteSettings(auth, clientCertPem, clientKeyPem, devId);
 }
 
 module.exports = { runDevInit, runDevRefresh };