@aifabrix/builder 2.42.1 → 2.44.0

package/lib/infrastructure/helpers.js

@@ -11,13 +11,31 @@
 
 const path = require('path');
 const fs = require('fs');
+const fsRealSync = require('../internal/fs-real-sync');
+const { nodeFs } = require('../internal/node-fs');
 const chalk = require('chalk');
 const handlebars = require('handlebars');
-const secrets = require('../core/secrets');
+const adminSecrets = require('../core/admin-secrets');
 const logger = require('../utils/logger');
 const dockerUtils = require('../utils/docker');
 const paths = require('../utils/paths');
 const secretsEnsure = require('../core/secrets-ensure');
+const {
+  mergeInfraParameterDefaultsForCli,
+  getInfraParameterCatalog,
+  readRelaxedCatalogDefaults
+} = require('../parameters/infra-parameter-catalog');
+const { ensureDevCertsIfNeededForRemoteDocker } = require('../utils/ensure-dev-certs-for-remote-docker');
+
+/**
+ * Lazy-load core/secrets at call time. A top-level require creates a circular dependency:
+ * secrets → url-declarative-resolve → compose-generator → compose-generate-docker-compose → this module,
+ * which left `generateAdminSecretsEnv` / `formatAdminSecretsContent` undefined on the captured export.
+ * @returns {Object} core/secrets module exports (loadSecrets, generateAdminSecretsEnv, …)
+ */
+function getCoreSecrets() {
+  return require('../core/secrets');
+}
 
 /**
  * Gets infrastructure directory name based on developer ID
@@ -42,21 +60,64 @@ function getInfraProjectName(devId) {
 }
 
 /**
- * Check Docker availability
+ * User-facing error when Docker/Compose checks fail (tailored by underlying message).
+ * @param {string} detail - Error message from ensureDockerAndCompose / Docker CLI
+ * @returns {string}
+ */
+function formatDockerInfrastructureFailure(detail) {
+  const cause = (detail || '').trim() || 'unknown error';
+
+  if (/Docker Compose is not available/i.test(cause)) {
+    return (
+      'Cannot use Docker for infrastructure: Docker Compose check failed (see Cause below).\n\n' +
+      `Cause: ${cause}\n\n` +
+      'If Cause mentions TLS, certificate, or handshake, fix client TLS for docker-endpoint (cert.pem, key.pem, ca.pem under ~/.aifabrix/certs/<developer-id>/) or docker-tls-skip-verify when appropriate. ' +
+      'If Cause suggests a missing plugin, install Docker Compose v2 for your user (docker CLI + plugin; no unix socket needed when using tcp:// docker-endpoint). ' +
+      'Or set AIFABRIX_COMPOSE_CMD. Run `aifabrix doctor` for diagnostics.'
+    );
+  }
+
+  if (/AIFABRIX_COMPOSE_CMD/i.test(cause) && /is set but failed/i.test(cause)) {
+    return (
+      'Cannot use Docker for infrastructure: AIFABRIX_COMPOSE_CMD failed.\n\n' +
+      `Cause: ${cause}\n\n` +
+      'Unset or fix AIFABRIX_COMPOSE_CMD, or install a working Compose. Run `aifabrix doctor` for diagnostics.'
+    );
+  }
+
+  return (
+    'Cannot use Docker for infrastructure (Docker CLI missing, Compose missing, or remote Docker misconfigured).\n\n' +
+      `Cause: ${cause}\n\n` +
+      'Install Docker Engine and Compose on this machine (or set AIFABRIX_COMPOSE_CMD). ' +
+      'If you use docker-endpoint in dev config: install cert.pem, key.pem, and ca.pem for full TLS verify; use `aifabrix dev pin` / ' +
+      '`dev init --pin` as needed; or enable TLS skip-verify (config or AIFABRIX_DOCKER_TLS_SKIP_VERIFY) when appropriate. ' +
+      'Run `aifabrix doctor` for diagnostics.'
+  );
+}
+
+/**
+ * Check Docker availability (local daemon or remote via docker-endpoint + TLS).
  * @async
  * @returns {Promise<void>}
- * @throws {Error} If Docker is not available
+ * @throws {Error} If Docker/Compose cannot be used (includes underlying cause)
  */
 async function checkDockerAvailability() {
+  await ensureDevCertsIfNeededForRemoteDocker();
   try {
     await dockerUtils.ensureDockerAndCompose();
   } catch (error) {
-    throw new Error('Docker or Docker Compose is not available. Please install and start Docker.');
+    const detail = (error && error.message) || String(error);
+    throw new Error(formatDockerInfrastructureFailure(detail));
   }
 }
 
-/** Default admin password for new local installations when admin-secrets.env is empty */
-const DEFAULT_ADMIN_PASSWORD = 'admin123';
+/**
+ * Fallback for admin password/email when validated catalog load failed but YAML is still readable.
+ * @returns {Record<string, string>}
+ */
+function readInfraDefaultScalars() {
+  return readRelaxedCatalogDefaults();
+}
 
 /**
  * Log hint to reset Postgres volume when admin password was changed after first init.
@@ -65,23 +126,10 @@ const DEFAULT_ADMIN_PASSWORD = 'admin123';
 function logVolumeResetHint(infraDir) {
   logger.log(chalk.yellow(
     'If Postgres was already started with a different password, login will fail until you reset the volume. ' +
-    `Run: cd ${infraDir} && docker compose -f compose.yaml -p aifabrix down -v , then run 'aifabrix up-infra --adminPwd <password>' again.`
+    `Run: cd ${infraDir} && docker compose -f compose.yaml -p aifabrix down -v , then run 'aifabrix up-infra --adminPassword <password>' again.`
   ));
 }
 
-/**
- * Apply password to admin-secrets file content (all three password keys).
- * @param {string} content - Current file content
- * @param {string} password - Password to set
- * @returns {string} Updated content
- */
-function applyPasswordToAdminSecretsContent(content, password) {
-  return content
-    .replace(/^POSTGRES_PASSWORD=.*$/m, `POSTGRES_PASSWORD=${password}`)
-    .replace(/^PGADMIN_DEFAULT_PASSWORD=.*$/m, `PGADMIN_DEFAULT_PASSWORD=${password}`)
-    .replace(/^REDIS_COMMANDER_PASSWORD=.*$/m, `REDIS_COMMANDER_PASSWORD=${password}`);
-}
-
 /**
  * Sync postgres-passwordKeyVault to the main secrets store (file or remote).
  * @param {string} password - Password to store
@@ -94,44 +142,150 @@ async function syncPostgresPasswordToStore(password) {
   }
 }
 
+/** Non-email defaults for admin-secrets.env merge (email default comes from infra.parameter.yaml `defaults`). */
+const DEFAULT_ADMIN_OBJ = {
+  REDIS_HOST: 'local:redis:6379:0:',
+  REDIS_COMMANDER_USER: 'admin'
+};
+
+/**
+ * Writes merged admin secrets to disk and logs/syncs as needed.
+ * @async
+ * @param {string} adminSecretsPath - Path to admin-secrets.env
+ * @param {Object} adminObj - Decrypted admin secrets object
+ * @param {string} passwordToUse - Password to set for Postgres, pgAdmin, Redis Commander
+ * @param {boolean} shouldOverwriteWithAdminPwd - Whether this was an explicit admin password update
+ * @param {{ updateEmail?: boolean, emailToUse?: string }} [emailOpts]
+ */
+async function applyAdminSecretsUpdate(
+  adminSecretsPath,
+  adminObj,
+  passwordToUse,
+  shouldOverwriteWithAdminPwd,
+  emailOpts
+) {
+  const merged = { ...DEFAULT_ADMIN_OBJ, ...adminObj };
+  merged.POSTGRES_PASSWORD = passwordToUse;
+  merged.PGADMIN_DEFAULT_PASSWORD = passwordToUse;
+  merged.REDIS_COMMANDER_PASSWORD = passwordToUse;
+  if (emailOpts && emailOpts.updateEmail && emailOpts.emailToUse) {
+    merged.PGADMIN_DEFAULT_EMAIL = emailOpts.emailToUse;
+  }
+  const content = await getCoreSecrets().formatAdminSecretsContent(merged);
+  fsRealSync.writeFileSync(adminSecretsPath, content, { mode: 0o600 });
+  if (shouldOverwriteWithAdminPwd) {
+    logger.log('Updated admin password in admin-secrets.env.');
+    await syncPostgresPasswordToStore(passwordToUse);
+    logVolumeResetHint(path.join(paths.getAifabrixSystemDir(), getInfraDirName(0)));
+  } else if (emailOpts && emailOpts.updateEmail) {
+    logger.log('Updated admin email in admin-secrets.env.');
+  } else {
+    logger.log('Set default admin password in admin-secrets.env for local use.');
+  }
+}
+
+function loadAdminMergedDefaultsForInfra(options) {
+  try {
+    return mergeInfraParameterDefaultsForCli(getInfraParameterCatalog().data, options);
+  } catch {
+    return mergeInfraParameterDefaultsForCli({}, options);
+  }
+}
+
+function resolveAdminPasswordAndEmailCli(options, mergedDefaults) {
+  const infraDefaults = readInfraDefaultScalars();
+  const adminPwdCli = String(options.adminPassword || options.adminPwd || '').trim();
+  const adminPwdOverride = adminPwdCli !== '' ? adminPwdCli : null;
+  const passwordToUse =
+    adminPwdOverride !== null
+      ? adminPwdOverride
+      : mergedDefaults.adminPassword || infraDefaults.adminPassword || '';
+  const emailCli = String(options.adminEmail || '').trim();
+  const emailOverride = emailCli !== '' ? emailCli : null;
+  const emailToUse =
+    emailOverride !== null
+      ? emailOverride
+      : mergedDefaults.adminEmail || infraDefaults.adminEmail || '';
+  return { adminPwdOverride, passwordToUse, emailOverride, emailToUse };
+}
+
+function computeAdminSecretsBackfillFlags(adminObj) {
+  const needsPasswordBackfill =
+    !(adminObj.POSTGRES_PASSWORD && adminObj.POSTGRES_PASSWORD.trim()) ||
+    !(adminObj.PGADMIN_DEFAULT_PASSWORD && adminObj.PGADMIN_DEFAULT_PASSWORD.trim()) ||
+    !(adminObj.REDIS_COMMANDER_PASSWORD && adminObj.REDIS_COMMANDER_PASSWORD.trim());
+  const needsEmailBackfill = !(adminObj.PGADMIN_DEFAULT_EMAIL && adminObj.PGADMIN_DEFAULT_EMAIL.trim());
+  return { needsPasswordBackfill, needsEmailBackfill };
+}
+
+function resolvePasswordForAdminFile(
+  shouldOverwriteWithAdminPwd,
+  needsPasswordBackfill,
+  passwordToUse,
+  adminObj,
+  mergedDefaults
+) {
+  if (shouldOverwriteWithAdminPwd || needsPasswordBackfill) {
+    return passwordToUse;
+  }
+  return (
+    String(adminObj.POSTGRES_PASSWORD || '').trim() ||
+    mergedDefaults.adminPassword ||
+    readInfraDefaultScalars().adminPassword ||
+    ''
+  );
+}
+
 /**
  * Ensure admin secrets file exists and set admin password.
  * When adminPwd is provided, update POSTGRES_PASSWORD, PGADMIN_DEFAULT_PASSWORD, REDIS_COMMANDER_PASSWORD
  * in admin-secrets.env (overwrites existing values). Otherwise only backfill empty fields.
+ * Reads and writes using decrypted values; writes encrypted when secrets-encryption key is set.
  *
  * @async
  * @param {Object} [options] - Options
- * @param {string} [options.adminPwd] - Override admin password for Postgres, pgAdmin, Redis Commander (updates file when provided)
+ * @param {string} [options.adminPassword] - Override admin password (alias: adminPwd)
+ * @param {string} [options.adminPwd] - Override admin password for Postgres, pgAdmin, Redis Commander
+ * @param {string} [options.adminEmail] - Override pgAdmin default email (matches {{adminEmail}} defaults)
+ * @param {string} [options.userPassword] - Reserved for Keycloak user template (secrets use ensureInfraSecrets)
  * @returns {Promise<string>} Path to admin secrets file
  */
 async function ensureAdminSecrets(options = {}) {
-  const adminPwdOverride = options.adminPwd && typeof options.adminPwd === 'string' && options.adminPwd.trim() !== ''
-    ? options.adminPwd.trim()
-    : null;
-  const passwordToUse = adminPwdOverride || DEFAULT_ADMIN_PASSWORD;
+  const mergedDefaults = loadAdminMergedDefaultsForInfra(options);
+  const { adminPwdOverride, passwordToUse, emailOverride, emailToUse } = resolveAdminPasswordAndEmailCli(
+    options,
+    mergedDefaults
+  );
+  const adminSecretsPath = path.join(paths.getAifabrixSystemDir(), 'admin-secrets.env');
 
-  const adminSecretsPath = path.join(paths.getAifabrixHome(), 'admin-secrets.env');
-  if (!fs.existsSync(adminSecretsPath)) {
+  if (!fsRealSync.existsSync(adminSecretsPath)) {
     logger.log('Generating admin-secrets.env...');
-    await secrets.generateAdminSecretsEnv(undefined);
+    await getCoreSecrets().generateAdminSecretsEnv(undefined);
+    return adminSecretsPath;
   }
-  let content = fs.readFileSync(adminSecretsPath, 'utf8');
-  const needsBackfill = /^POSTGRES_PASSWORD=\s*$/m.test(content) ||
-    /^PGADMIN_DEFAULT_PASSWORD=\s*$/m.test(content) ||
-    /^REDIS_COMMANDER_PASSWORD=\s*$/m.test(content);
+
+  const adminObj = await adminSecrets.readAndDecryptAdminSecrets(adminSecretsPath);
+  const { needsPasswordBackfill, needsEmailBackfill } = computeAdminSecretsBackfillFlags(adminObj);
   const shouldOverwriteWithAdminPwd = adminPwdOverride !== null;
+  const shouldOverwriteEmail = emailOverride !== null;
+  const updateEmail = shouldOverwriteEmail || needsEmailBackfill;
 
-  if (shouldOverwriteWithAdminPwd) {
-    content = applyPasswordToAdminSecretsContent(content, passwordToUse);
-    fs.writeFileSync(adminSecretsPath, content, { mode: 0o600 });
-    logger.log('Updated admin password in admin-secrets.env.');
-    await syncPostgresPasswordToStore(passwordToUse);
-    logVolumeResetHint(path.join(paths.getAifabrixHome(), getInfraDirName(0)));
-  } else if (needsBackfill) {
-    content = applyPasswordToAdminSecretsContent(content, passwordToUse);
-    fs.writeFileSync(adminSecretsPath, content, { mode: 0o600 });
-    logger.log('Set default admin password in admin-secrets.env for local use.');
+  if (!shouldOverwriteWithAdminPwd && !needsPasswordBackfill && !updateEmail) {
+    return adminSecretsPath;
   }
+
+  const passwordForFile = resolvePasswordForAdminFile(
+    shouldOverwriteWithAdminPwd,
+    needsPasswordBackfill,
+    passwordToUse,
+    adminObj,
+    mergedDefaults
+  );
+
+  await applyAdminSecretsUpdate(adminSecretsPath, adminObj, passwordForFile, shouldOverwriteWithAdminPwd, {
+    updateEmail,
+    emailToUse
+  });
   return adminSecretsPath;
 }
 
@@ -199,7 +353,7 @@ async function ensureMisoInitScript(infraDir) {
   const secretKey = 'databases-miso-controller-0-passwordKeyVault';
   let password;
   try {
-    const loaded = await secrets.loadSecrets(undefined);
+    const loaded = await getCoreSecrets().loadSecrets(undefined);
     const urlOrPassword = loaded[secretKey] || loaded['databases-miso-controller-0-urlKeyVault'];
     const extracted = extractPasswordFromUrlOrValue(urlOrPassword);
     if (extracted !== null && extracted.trim() !== '') {
@@ -243,13 +397,14 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "miso" -c "GRANT AL
 }
 
 /**
- * Prepare infrastructure directory and extract postgres password
+ * Prepare infrastructure directory and extract postgres password from decrypted admin secrets.
+ * @async
  * @param {string} devId - Developer ID
  * @param {string} adminSecretsPath - Path to admin secrets file
- * @returns {Object} Object with infraDir and postgresPassword
+ * @returns {Promise<Object>} Object with infraDir and postgresPassword
  */
-function prepareInfraDirectory(devId, adminSecretsPath) {
-  const aifabrixDir = paths.getAifabrixHome();
+async function prepareInfraDirectory(devId, adminSecretsPath) {
+  const aifabrixDir = paths.getAifabrixSystemDir();
   const infraDirName = getInfraDirName(devId);
   const infraDir = path.join(aifabrixDir, infraDirName);
   if (!fs.existsSync(infraDir)) {
@@ -265,15 +420,46 @@ function prepareInfraDirectory(devId, adminSecretsPath) {
     }
   }
 
-  const adminSecretsContent = fs.readFileSync(adminSecretsPath, 'utf8');
-  const postgresPasswordMatch = adminSecretsContent.match(/^POSTGRES_PASSWORD=(.+)$/m);
-  const raw = postgresPasswordMatch ? postgresPasswordMatch[1] : '';
-  const postgresPassword = (raw && raw.trim()) || DEFAULT_ADMIN_PASSWORD;
+  const adminObj = await adminSecrets.readAndDecryptAdminSecrets(adminSecretsPath);
+  const postgresPassword =
+    (adminObj.POSTGRES_PASSWORD && adminObj.POSTGRES_PASSWORD.trim()) ||
+    readInfraDefaultScalars().adminPassword ||
+    '';
   generatePgAdminConfig(infraDir, postgresPassword);
 
   return { infraDir, postgresPassword };
 }
 
+/**
+ * Resolve infra working directory and admin-secrets path for stop/restart.
+ * Infra dir: prefer system dir compose; if missing, use legacy home when compose exists there.
+ * Admin secrets: prefer `admin-secrets.env` under system dir; if missing, use legacy home (covers mixed layouts).
+ *
+ * @param {string|number} devId - Developer ID
+ * @returns {{ infraDir: string, adminSecretsPath: string }}
+ */
+function resolveInfraStatePaths(devId) {
+  const syncFs = nodeFs();
+  const name = getInfraDirName(devId);
+  const systemBase = paths.getAifabrixSystemDir();
+  const legacyBase = paths.getAifabrixHome();
+  const sysInfra = path.join(systemBase, name);
+  const legInfra = path.join(legacyBase, name);
+  const sysCompose = path.join(sysInfra, 'compose.yaml');
+  const legCompose = path.join(legInfra, 'compose.yaml');
+  let infraDir = sysInfra;
+  if (!syncFs.existsSync(sysCompose) && syncFs.existsSync(legCompose) && legacyBase !== systemBase) {
+    infraDir = legInfra;
+  }
+  const sysAdmin = path.join(systemBase, 'admin-secrets.env');
+  const legAdmin = path.join(legacyBase, 'admin-secrets.env');
+  let adminSecretsPath = sysAdmin;
+  if (!syncFs.existsSync(sysAdmin) && syncFs.existsSync(legAdmin) && legacyBase !== systemBase) {
+    adminSecretsPath = legAdmin;
+  }
+  return { infraDir, adminSecretsPath };
+}
+
 /**
  * Register Handlebars helper for equality comparison
  */
@@ -298,6 +484,7 @@ module.exports = {
   ensureAdminSecrets,
   generatePgAdminConfig,
   prepareInfraDirectory,
+  resolveInfraStatePaths,
   ensureMisoInitScript,
   registerHandlebarsHelper
 };

package/lib/infrastructure/index.js

@@ -15,14 +15,13 @@ const config = require('../core/config');
 const devConfig = require('../utils/dev-config');
 const logger = require('../utils/logger');
 const dockerUtils = require('../utils/docker');
-const paths = require('../utils/paths');
 const statusHelpers = require('../utils/infra-status');
 const {
-  getInfraDirName,
   getInfraProjectName,
   checkDockerAvailability,
   ensureAdminSecrets,
   prepareInfraDirectory,
+  resolveInfraStatePaths,
   ensureMisoInitScript,
   registerHandlebarsHelper
 } = require('./helpers');
@@ -37,8 +36,34 @@ const {
   startDockerServicesAndConfigure,
   checkInfraHealth
 } = require('./services');
+const adminSecrets = require('../core/admin-secrets');
 // Lazy require to avoid circular dependency: infra -> app/down -> run-helpers -> infra
 
+/**
+ * Runs a callback with a temporary .env.run file in infraDir (created from admin-secrets).
+ * Removes the file in a finally block.
+ * @async
+ * @param {string} infraDir - Infrastructure directory path
+ * @param {string} adminSecretsPath - Path to admin-secrets.env
+ * @param {function(string): Promise<void>} fn - Callback receiving runEnvPath
+ * @returns {Promise<void>}
+ */
+async function withRunEnv(infraDir, adminSecretsPath, fn) {
+  const runEnvPath = path.join(infraDir, '.env.run');
+  try {
+    const adminObj = await adminSecrets.readAndDecryptAdminSecrets(adminSecretsPath);
+    const content = adminSecrets.envObjectToContent(adminObj);
+    fs.writeFileSync(runEnvPath, content, { mode: 0o600 });
+    await fn(runEnvPath);
+  } finally {
+    try {
+      if (fs.existsSync(runEnvPath)) fs.unlinkSync(runEnvPath);
+    } catch {
+      // Ignore unlink errors
+    }
+  }
+}
+
 /**
  * Prepares infrastructure environment
  * Ensures infra secrets exist, then admin-secrets.env, then miso init script.
@@ -46,18 +71,35 @@ const {
  * @async
  * @function prepareInfrastructureEnvironment
  * @param {string|number|null} developerId - Developer ID
- * @param {Object} [options] - Options (traefik, adminPwd)
+ * @param {Object} [options] - Options (traefik, adminPwd, tlsEnabled)
  * @returns {Promise<Object>} Prepared environment configuration
  */
 async function prepareInfrastructureEnvironment(developerId, options = {}) {
   await checkDockerAvailability();
-  await secretsEnsure.ensureInfraSecrets({ adminPwd: options.adminPwd });
-  const adminSecretsPath = await ensureAdminSecrets({ adminPwd: options.adminPwd });
+  const adminPass = options.adminPassword || options.adminPwd;
+  const tlsEnabled = options.tlsEnabled === true;
+  const infraOpts = {
+    adminPassword: adminPass,
+    adminPwd: adminPass,
+    adminEmail: options.adminEmail,
+    userPassword: options.userPassword,
+    tlsEnabled
+  };
+  await secretsEnsure.ensureInfraSecrets(infraOpts);
+  const adminSecretsPath = await ensureAdminSecrets(infraOpts);
 
   const devId = developerId || await config.getDeveloperId();
+  const remoteServer = await config.getRemoteServer();
+  const {
+    assertRemoteBuilderDeveloperId,
+    remoteServerHostIsNonLocalhost
+  } = require('../utils/remote-builder-validation');
+  assertRemoteBuilderDeveloperId(remoteServer, devId);
+
   const devIdNum = typeof devId === 'string' ? parseInt(devId, 10) : devId;
   const ports = devConfig.getDevPorts(devIdNum);
   const idNum = devIdNum;
+  const trustForwardedHeaders = remoteServerHostIsNonLocalhost(remoteServer);
 
   const templatePath = path.join(__dirname, '..', '..', 'templates', 'infra', 'compose.yaml.hbs');
   if (!fs.existsSync(templatePath)) {
@@ -65,10 +107,10 @@ async function prepareInfrastructureEnvironment(developerId, options = {}) {
   }
 
   // Prepare infrastructure directory
-  const { infraDir } = prepareInfraDirectory(devId, adminSecretsPath);
+  const { infraDir } = await prepareInfraDirectory(devId, adminSecretsPath);
   await ensureMisoInitScript(infraDir);
 
-  return { devId, idNum, ports, templatePath, infraDir, adminSecretsPath };
+  return { devId, idNum, ports, templatePath, infraDir, adminSecretsPath, trustForwardedHeaders };
 }
 
 /**
@@ -88,9 +130,10 @@ async function prepareInfrastructureEnvironment(developerId, options = {}) {
  * // Infrastructure services are now running
  */
 async function startInfra(developerId = null, options = {}) {
-  const { devId, idNum, ports, templatePath, infraDir } = await prepareInfrastructureEnvironment(developerId, options);
+  const { devId, idNum, ports, templatePath, infraDir, trustForwardedHeaders } =
+    await prepareInfrastructureEnvironment(developerId, options);
   const { traefik = false, pgadmin = true, redisCommander = true } = options;
-  const traefikConfig = buildTraefikConfig(traefik);
+  const traefikConfig = { ...buildTraefikConfig(traefik), trustForwardedHeaders };
   const validation = validateTraefikConfig(traefikConfig);
   if (!validation.valid) {
     throw new Error(validation.errors.join('\n'));
@@ -173,28 +216,23 @@ async function removeAppVolumes(appNames, devId) {
  */
 async function stopInfra() {
   const devId = await config.getDeveloperId();
-  const aifabrixDir = paths.getAifabrixHome();
-  const infraDirName = getInfraDirName(devId);
-  const infraDir = path.join(aifabrixDir, infraDirName);
+  const { infraDir, adminSecretsPath } = resolveInfraStatePaths(devId);
   const composePath = path.join(infraDir, 'compose.yaml');
-  const adminSecretsPath = path.join(aifabrixDir, 'admin-secrets.env');
 
   if (!fs.existsSync(composePath) || !fs.existsSync(adminSecretsPath)) {
     logger.log('Infrastructure not running or not properly configured');
     return;
   }
 
-  try {
+  await withRunEnv(infraDir, adminSecretsPath, async(runEnvPath) => {
     logger.log('Stopping application containers on the same network...');
     await stopAllAppContainers(devId);
     logger.log('Stopping infrastructure services...');
     const projectName = getInfraProjectName(devId);
     const composeCmd = await dockerUtils.getComposeCommand();
-    await execAsyncWithCwd(`${composeCmd} -f "${composePath}" -p ${projectName} --env-file "${adminSecretsPath}" down`, { cwd: infraDir });
+    await execAsyncWithCwd(`${composeCmd} -f "${composePath}" -p ${projectName} --env-file "${runEnvPath}" down`, { cwd: infraDir });
     logger.log('Infrastructure services stopped');
-  } finally {
-    // Keep the compose file for future use
-  }
+  });
 }
 
 /**
@@ -239,28 +277,23 @@ async function stopAllAppContainersAndVolumes(devId) {
  */
 async function stopInfraWithVolumes() {
   const devId = await config.getDeveloperId();
-  const aifabrixDir = paths.getAifabrixHome();
-  const infraDirName = getInfraDirName(devId);
-  const infraDir = path.join(aifabrixDir, infraDirName);
+  const { infraDir, adminSecretsPath } = resolveInfraStatePaths(devId);
   const composePath = path.join(infraDir, 'compose.yaml');
-  const adminSecretsPath = path.join(aifabrixDir, 'admin-secrets.env');
 
   if (!fs.existsSync(composePath) || !fs.existsSync(adminSecretsPath)) {
     logger.log('Infrastructure not running or not properly configured');
     return;
   }
 
-  try {
+  await withRunEnv(infraDir, adminSecretsPath, async(runEnvPath) => {
     logger.log('Stopping application containers on the same network...');
     await stopAllAppContainersAndVolumes(devId);
     logger.log('Stopping infrastructure services and removing all data...');
     const projectName = getInfraProjectName(devId);
     const composeCmd = await dockerUtils.getComposeCommand();
-    await execAsyncWithCwd(`${composeCmd} -f "${composePath}" -p ${projectName} --env-file "${adminSecretsPath}" down -v`, { cwd: infraDir });
+    await execAsyncWithCwd(`${composeCmd} -f "${composePath}" -p ${projectName} --env-file "${runEnvPath}" down -v`, { cwd: infraDir });
     logger.log('Infrastructure services stopped and all data removed');
-  } finally {
-    // Keep the compose file for future use
-  }
+  });
 }
 
 /**
@@ -281,32 +314,26 @@ async function restartService(serviceName) {
   if (!serviceName || typeof serviceName !== 'string') {
     throw new Error('Service name is required and must be a string');
   }
-
   const validServices = ['postgres', 'redis', 'pgadmin', 'redis-commander', 'traefik'];
   if (!validServices.includes(serviceName)) {
     throw new Error(`Invalid service name. Must be one of: ${validServices.join(', ')}`);
   }
 
   const devId = await config.getDeveloperId();
-  const aifabrixDir = paths.getAifabrixHome();
-  const infraDirName = getInfraDirName(devId);
-  const infraDir = path.join(aifabrixDir, infraDirName);
+  const { infraDir, adminSecretsPath } = resolveInfraStatePaths(devId);
   const composePath = path.join(infraDir, 'compose.yaml');
-  const adminSecretsPath = path.join(aifabrixDir, 'admin-secrets.env');
 
   if (!fs.existsSync(composePath) || !fs.existsSync(adminSecretsPath)) {
     throw new Error('Infrastructure not properly configured');
   }
 
-  try {
+  await withRunEnv(infraDir, adminSecretsPath, async(runEnvPath) => {
     logger.log(`Restarting ${serviceName} service...`);
     const projectName = getInfraProjectName(devId);
     const composeCmd = await dockerUtils.getComposeCommand();
-    await execAsyncWithCwd(`${composeCmd} -f "${composePath}" -p ${projectName} --env-file "${adminSecretsPath}" restart ${serviceName}`, { cwd: infraDir });
+    await execAsyncWithCwd(`${composeCmd} -f "${composePath}" -p ${projectName} --env-file "${runEnvPath}" restart ${serviceName}`, { cwd: infraDir });
     logger.log(`${serviceName} service restarted successfully`);
-  } finally {
-    // Keep the compose file for future use
-  }
+  });
 }
 
 // Re-export status helper functions