@aifabrix/builder 2.43.0 → 2.44.0

package/lib/utils/docker.js

@@ -3,6 +3,7 @@
  *
  * Detects availability of Docker and determines the correct Docker Compose command
  * across environments (Compose v2 plugin: "docker compose", Compose v1: "docker-compose").
+ * Uses docker-endpoint from dev config when set (see remote-docker-env / docker-exec).
  *
  * @fileoverview Docker/Compose detection helpers for AI Fabrix Builder
  * @author AI Fabrix Team
@@ -11,10 +12,65 @@
 
 'use strict';
 
-const { exec } = require('child_process');
-const { promisify } = require('util');
+const { execWithDockerEnv } = require('./docker-exec');
 
-const execAsync = promisify(exec);
+/** Env override: full compose CLI prefix, e.g. `docker compose` or `docker-compose` (validated with version). */
+const COMPOSE_CMD_ENV = 'AIFABRIX_COMPOSE_CMD';
+
+/**
+ * Short string from exec failure (message + stderr) for user-visible errors.
+ * @param {unknown} err - Rejected error from exec
+ * @returns {string}
+ */
+function formatExecFailure(err) {
+  if (!err) return '';
+  const e = err;
+  const msg = typeof e.message === 'string' ? e.message.trim() : '';
+  const stderr = typeof e.stderr === 'string' ? e.stderr.trim() : '';
+  const combined = [msg, stderr].filter(Boolean).join(' ').trim();
+  if (!combined) return '';
+  return combined.length > 280 ? `${combined.slice(0, 277)}...` : combined;
+}
+
+/**
+ * Hint when docker compose likely failed talking to a remote TLS daemon, not missing plugin.
+ * @param {string} detail - formatExecFailure output
+ * @returns {string}
+ */
+function remoteTlsComposeHint(detail) {
+  const d = detail.toLowerCase();
+  if (!d) return '';
+  const tlsish =
+    d.includes('tls') ||
+    d.includes('certificate') ||
+    d.includes('x509') ||
+    d.includes('cert') ||
+    d.includes('connection refused') ||
+    d.includes('2376') ||
+    d.includes('eof') ||
+    d.includes('handshake');
+  if (!tlsish) return '';
+  return (
+    ' This often means docker-endpoint TLS/client auth failed (place cert.pem, key.pem, ca.pem in ~/.aifabrix/certs/<developer-id>/, or set docker-tls-skip-verify only if appropriate), not a missing Compose plugin.'
+  );
+}
+
+/**
+ * @param {string} composeV2Failure - formatExecFailure from docker compose version
+ */
+function throwComposeCommandUnavailable(composeV2Failure) {
+  const v2bit = composeV2Failure
+    ? ` "docker compose version" failed: ${composeV2Failure}.${remoteTlsComposeHint(composeV2Failure)} `
+    : ' ';
+  throw new Error(
+    'Docker Compose is not available. Tried: "docker compose", "docker-compose", "podman compose".' +
+      v2bit +
+      'Install the Compose v2 plugin (needs only the docker CLI + plugin; no unix socket required when docker-endpoint is set). ' +
+      'Example: sudo apt-get install -y docker-compose-plugin. ' +
+      `Or set ${COMPOSE_CMD_ENV} to a working compose prefix. ` +
+      'up-infra uses the Docker CLI as a client to the Engine API (remote tcp://…:2376 is OK); there is no separate Builder-only compose API.'
+  );
+}
 
 /**
  * Checks that Docker CLI is available.
@@ -24,7 +80,29 @@ const execAsync = promisify(exec);
  * @throws {Error} If docker is unavailable
  */
 async function checkDockerCli() {
-  await execAsync('docker --version');
+  await execWithDockerEnv('docker --version');
+}
+
+/**
+ * @returns {Promise<string|null>} Resolved compose command prefix from env override, or null to auto-detect
+ */
+async function resolveComposeCmdOverride() {
+  const override =
+    typeof process.env[COMPOSE_CMD_ENV] === 'string' ? process.env[COMPOSE_CMD_ENV].trim() : '';
+  if (!override) return null;
+  try {
+    await execWithDockerEnv(`${override} version`);
+    return override;
+  } catch {
+    try {
+      await execWithDockerEnv(`${override} --version`);
+      return override;
+    } catch (err) {
+      throw new Error(
+        `${COMPOSE_CMD_ENV}="${override}" is set but failed (tried "version" and "--version"): ${err.message}`
+      );
+    }
+  }
 }
 
 /**
@@ -37,19 +115,29 @@ async function checkDockerCli() {
  * @throws {Error} If neither v2 nor v1 is available
  */
 async function getComposeCommand() {
-  // Prefer Compose v2 plugin if present
+  const fromEnv = await resolveComposeCmdOverride();
+  if (fromEnv) return fromEnv;
+
+  let composeV2Failure = '';
   try {
-    await execAsync('docker compose version');
+    await execWithDockerEnv('docker compose version');
     return 'docker compose';
-  } catch (_) {
-    // Fall back to legacy docker-compose
+  } catch (e) {
+    composeV2Failure = formatExecFailure(e);
   }
 
   try {
-    await execAsync('docker-compose --version');
+    await execWithDockerEnv('docker-compose --version');
     return 'docker-compose';
   } catch (_) {
-    throw new Error('Docker Compose is not available (neither "docker compose" nor "docker-compose" found). Install the Docker Compose v2 plugin (e.g., apt-get install docker-compose-plugin) or ensure docker-compose is on PATH.');
+    // Podman with compose (some hosts use podman-docker + podman compose)
+  }
+
+  try {
+    await execWithDockerEnv('podman compose version');
+    return 'podman compose';
+  } catch (_) {
+    throwComposeCommandUnavailable(composeV2Failure);
   }
 }
 
@@ -70,4 +158,3 @@ module.exports = {
   getComposeCommand,
   ensureDockerAndCompose
 };
-

package/lib/utils/ensure-dev-certs-for-remote-docker.js

@@ -0,0 +1,192 @@
+/**
+ * When `docker-endpoint` is set but dev cert.pem/key.pem are missing, optionally call
+ * POST /api/dev/issue-cert using a one-time PIN from the environment (same flow as `aifabrix dev init`).
+ * There is no unauthenticated cert download; the PIN must be created from an enrolled machine.
+ *
+ * @fileoverview Auto issue-cert for remote Docker before infra / docker checks
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+const { formatSuccessLine } = require('./cli-test-layout-chalk');
+
+const path = require('path');
+const fsSync = require('node:fs');
+const fsRealSync = require('../internal/fs-real-sync');
+const { nodeFs } = require('../internal/node-fs');
+const chalk = require('chalk');
+const config = require('../core/config');
+const logger = require('./logger');
+const devApi = require('../api/dev.api');
+const { getConfigDirForPaths } = require('./paths');
+const {
+  generateCSR,
+  getCertDir,
+  mergeCaPemBlocks,
+  normalizePemNewlines
+} = require('./dev-cert-helper');
+const { isSslUntrustedError, fetchInstallCa } = require('./dev-ca-install');
+
+/**
+ * Read one-time issue-cert PIN from env or first non-empty line of AIFABRIX_DEV_ISSUE_PIN_FILE.
+ * @returns {string|null}
+ */
+function readIssueCertPin() {
+  const a = process.env.AIFABRIX_DEV_ISSUE_PIN;
+  const b = process.env.AIFABRIX_ISSUE_CERT_PIN;
+  const fromEnv =
+    typeof a === 'string' && a.trim() ? a.trim() : typeof b === 'string' && b.trim() ? b.trim() : '';
+  if (fromEnv) return fromEnv;
+  const fp = process.env.AIFABRIX_DEV_ISSUE_PIN_FILE;
+  if (!fp || typeof fp !== 'string' || !fp.trim()) return null;
+  try {
+    const raw = fsRealSync.readFileSyncDirect(path.normalize(fp.trim()), { encoding: 'utf8' });
+    let content;
+    if (typeof raw === 'string') {
+      content = raw;
+    } else if (Buffer.isBuffer(raw)) {
+      content = raw.toString('utf8');
+    } else {
+      throw new Error('readFileSync did not return string content');
+    }
+    const line = content.split(/\r?\n/).find((l) => l.trim());
+    return line ? line.trim() : null;
+  } catch (e) {
+    throw new Error(`AIFABRIX_DEV_ISSUE_PIN_FILE (${fp}): ${e.message}`);
+  }
+}
+
+async function resolveServerCaForIssueCert(baseUrl) {
+  try {
+    await devApi.getHealth(baseUrl);
+    return null;
+  } catch (err) {
+    if (isSslUntrustedError(err)) {
+      const caBuf = await fetchInstallCa(baseUrl);
+      const caPemStr = caBuf.toString('utf8').trim();
+      await devApi.getHealth(baseUrl, caPemStr);
+      return caPemStr;
+    }
+    throw err;
+  }
+}
+
+async function requestIssueCert(baseUrl, devId, pin, csrPem, serverCaPem) {
+  try {
+    return await devApi.issueCert(
+      baseUrl,
+      { developerId: devId, pin: pin.trim(), csr: csrPem },
+      serverCaPem || undefined
+    );
+  } catch (err) {
+    if (err.status === 401) {
+      throw new Error(
+        'Invalid or expired PIN (AIFABRIX_DEV_ISSUE_PIN / AIFABRIX_ISSUE_CERT_PIN). ' +
+          'Create a new PIN from an enrolled machine, e.g. `aifabrix dev pin <developerId>`.'
+      );
+    }
+    if (err.status === 404) {
+      throw new Error(`Developer ${devId} not found on Builder Server.`);
+    }
+    if (err.status === 503) {
+      throw new Error('Certificate signing is temporarily unavailable. Try again later.');
+    }
+    throw err;
+  }
+}
+
+async function saveDevCertMaterial(configDir, devId, certificatePem, keyPem, caPem) {
+  const fsp = nodeFs().promises;
+  const certDir = getCertDir(configDir, devId);
+  await fsp.mkdir(certDir, { recursive: true });
+  await fsp.writeFile(
+    path.join(certDir, 'cert.pem'),
+    normalizePemNewlines(certificatePem),
+    { mode: 0o600 }
+  );
+  await fsp.writeFile(
+    path.join(certDir, 'key.pem'),
+    normalizePemNewlines(keyPem),
+    { mode: 0o600 }
+  );
+  if (caPem && typeof caPem === 'string' && caPem.trim()) {
+    await fsp.writeFile(
+      path.join(certDir, 'ca.pem'),
+      normalizePemNewlines(caPem.trim()),
+      { mode: 0o600 }
+    );
+  }
+  await config.setDeveloperId(devId);
+}
+
+/**
+ * @returns {Promise<{ baseUrl: string, devId: string, certDir: string, configDir: string }|null>}
+ */
+async function readEnsureIssueCertContext() {
+  const endpoint = await config.getDockerEndpoint();
+  if (!endpoint || typeof endpoint !== 'string' || !endpoint.trim()) return null;
+
+  const remoteServer = await config.getRemoteServer();
+  if (!remoteServer || typeof remoteServer !== 'string' || !remoteServer.trim()) return null;
+
+  const devIdRaw = await config.getDeveloperId();
+  if (!devIdRaw || typeof devIdRaw !== 'string' || !String(devIdRaw).trim()) return null;
+  const devId = String(devIdRaw).trim();
+
+  const configDir = getConfigDirForPaths();
+  const certDir = getCertDir(configDir, devId);
+  if (
+    fsSync.existsSync(path.join(certDir, 'cert.pem')) &&
+    fsSync.existsSync(path.join(certDir, 'key.pem'))
+  ) {
+    return null;
+  }
+
+  return {
+    baseUrl: remoteServer.trim().replace(/\/+$/, ''),
+    devId,
+    certDir,
+    configDir
+  };
+}
+
+function missingTlsFilesError(certDir, devId) {
+  return new Error(
+    `docker-endpoint is set but client TLS files are missing in ${certDir}. ` +
+      'On a PC that already has a client certificate to the Builder Server, run: aifabrix dev pin ' +
+      devId +
+      '. Then on this host: aifabrix dev init --pin <pin> if remote-server and developer-id are in config, ' +
+      'or export AIFABRIX_DEV_ISSUE_PIN=<pin> before retrying. ' +
+      'Alternatively, if the Docker engine does not require client certificates, set docker-tls-skip-verify or AIFABRIX_DOCKER_TLS_SKIP_VERIFY.'
+  );
+}
+
+/**
+ * If remote Docker is configured and TLS files are missing, run issue-cert when a PIN is supplied via env.
+ * If no PIN and TLS skip-verify is set in config or env, returns without error.
+ * If no PIN and verify is required, throws with instructions.
+ * @returns {Promise<void>}
+ */
+async function ensureDevCertsIfNeededForRemoteDocker() {
+  const ctx = await readEnsureIssueCertContext();
+  if (!ctx) return;
+
+  const pin = readIssueCertPin();
+  if (!pin) {
+    if (await config.getDockerTlsSkipVerify()) return;
+    throw missingTlsFilesError(ctx.certDir, ctx.devId);
+  }
+
+  logger.log(chalk.blue('\n🔐 Fetching developer certificate from Builder Server (issue-cert)...\n'));
+  const serverCaPem = await resolveServerCaForIssueCert(ctx.baseUrl);
+  const { csrPem, keyPem } = generateCSR(ctx.devId);
+  const issueResponse = await requestIssueCert(ctx.baseUrl, ctx.devId, pin, csrPem, serverCaPem);
+  const caPem = mergeCaPemBlocks(serverCaPem, issueResponse.caCertificate, issueResponse.ca);
+  await saveDevCertMaterial(ctx.configDir, ctx.devId, issueResponse.certificate, keyPem, caPem);
+  logger.log(
+    formatSuccessLine('Saved TLS material to ') + chalk.cyan(ctx.certDir) + chalk.green(' for remote Docker.\n')
+  );
+}
+
+module.exports = { ensureDevCertsIfNeededForRemoteDocker, readIssueCertPin };

package/lib/utils/env-config-loader.js

@@ -1,113 +1,32 @@
 /**
- * Environment config loader
+ * Environment config loader — infra defaults live in code ({@link module:lib/utils/infra-env-defaults}).
  *
- * @fileoverview Loads lib/schema/env-config.yaml for env variable interpolation
- * Merges with user's env-config file if configured in ~/.aifabrix/config.yaml
+ * @fileoverview Replaces lib/schema/env-config.yaml + user merge
  * @author AI Fabrix Team
- * @version 2.0.0
+ * @version 2.1.0
  */
 
 'use strict';
 
-const fs = require('fs');
-const path = require('path');
-const yaml = require('js-yaml');
-const config = require('../core/config');
+const { getDefaultEnvConfig } = require('./infra-env-defaults');
 
 /**
- * Loads user env-config file if configured
- * @async
- * @function loadUserEnvConfig
- * @returns {Promise<Object|null>} Parsed user env-config or null if not configured
- */
-async function loadUserEnvConfig() {
-  try {
-    const userEnvConfigPath = await config.getAifabrixEnvConfigPath();
-    if (!userEnvConfigPath) {
-      return null;
-    }
-
-    // Resolve path (support absolute and relative paths)
-    const resolvedPath = path.isAbsolute(userEnvConfigPath)
-      ? userEnvConfigPath
-      : path.resolve(process.cwd(), userEnvConfigPath);
-
-    if (!fs.existsSync(resolvedPath)) {
-      return null;
-    }
-
-    const content = fs.readFileSync(resolvedPath, 'utf8');
-    const userConfig = yaml.load(content);
-    return userConfig && typeof userConfig === 'object' ? userConfig : null;
-  } catch (error) {
-    // Gracefully handle errors - fallback to base config only
-    return null;
-  }
-}
-
-/**
- * Merges user env-config with base env-config
- * User values override/extend base values
- * @function mergeEnvConfigs
- * @param {Object} baseConfig - Base env-config from lib/schema/env-config.yaml
- * @param {Object|null} userConfig - User env-config or null
- * @returns {Object} Merged env-config
- */
-function mergeEnvConfigs(baseConfig, userConfig) {
-  if (!userConfig || typeof userConfig !== 'object') {
-    return baseConfig || {};
-  }
-
-  // Deep merge environments
-  const merged = { ...baseConfig };
-  if (userConfig.environments && typeof userConfig.environments === 'object') {
-    merged.environments = { ...(baseConfig.environments || {}) };
-    for (const [env, envVars] of Object.entries(userConfig.environments)) {
-      if (envVars && typeof envVars === 'object') {
-        merged.environments[env] = {
-          ...(merged.environments[env] || {}),
-          ...envVars
-        };
-      }
-    }
-  }
-
-  return merged;
-}
-
-/**
- * Load schema-only env-config (no user merge). Used for *_PUBLIC_PORT calculation
- * so public ports always use canonical base (e.g. KEYCLOAK_PUBLIC_PORT = 8082 + devId*100).
- *
- * @function loadSchemaEnvConfig
- * @returns {Object} Parsed schema env-config (environments.docker / .local only)
+ * Schema-only env-config (sync). Used for *_PUBLIC_PORT canonical bases.
+ * @returns {Object}
  */
 function loadSchemaEnvConfig() {
-  const envConfigPath = path.join(__dirname, '..', 'schema', 'env-config.yaml');
-  const content = fs.readFileSync(envConfigPath, 'utf8');
-  return yaml.load(content) || {};
+  return getDefaultEnvConfig();
 }
 
 /**
- * Load env config YAML used for environment variable interpolation
- * Loads base config from lib/schema/env-config.yaml and merges with user config if configured
- * @async
- * @function loadEnvConfig
- * @returns {Promise<Object>} Parsed and merged env-config YAML
- * @throws {Error} If base file cannot be read or parsed
+ * Load env config for interpolation (same as schema; no external YAML).
+ * @returns {Promise<Object>}
  */
 async function loadEnvConfig() {
-  const baseConfig = loadSchemaEnvConfig();
-
-  // Load user env-config if configured
-  const userConfig = await loadUserEnvConfig();
-
-  // Merge user config with base (user overrides/extends base)
-  return mergeEnvConfigs(baseConfig, userConfig);
+  return getDefaultEnvConfig();
 }
 
 module.exports = {
   loadEnvConfig,
   loadSchemaEnvConfig
 };
-

package/lib/utils/env-copy.js

@@ -7,12 +7,12 @@
  */
 
 'use strict';
+const { formatSuccessLine } = require('./cli-test-layout-chalk');
 
 const fs = require('fs');
 const fsp = require('fs').promises;
 const path = require('path');
 const yaml = require('js-yaml');
-const chalk = require('chalk');
 const logger = require('./logger');
 const config = require('../core/config');
 const devConfig = require('../utils/dev-config');
@@ -58,7 +58,12 @@ function readDeveloperIdFromConfig(config) {
  */
 function substituteMntDataForLocal(content, outputPath) {
   const outputDir = path.dirname(outputPath);
-  const localMountPath = path.resolve(outputDir, 'mount');
+  // Avoid introducing a drive letter for root-relative paths (e.g. "\tmp\out"),
+  // which are common in unit tests and some Windows path constructions.
+  const isWinRootRelative = process.platform === 'win32' && /^\\(?!\\)/.test(outputDir);
+  const localMountPath = isWinRootRelative
+    ? path.win32.normalize(path.win32.join(outputDir, 'mount'))
+    : path.resolve(outputDir, 'mount');
   if (!fs.existsSync(localMountPath)) {
     fs.mkdirSync(localMountPath, { recursive: true });
   }
@@ -77,7 +82,10 @@ function resolveEnvOutputPath(rawOutputPath, variablesPath) {
     outputPath = rawOutputPath;
   } else {
     const variablesDir = path.dirname(variablesPath);
-    outputPath = path.resolve(variablesDir, rawOutputPath);
+    const isWinRootRelative = process.platform === 'win32' && /^\\(?!\\)/.test(variablesDir);
+    outputPath = isWinRootRelative
+      ? path.win32.normalize(path.win32.join(variablesDir, rawOutputPath))
+      : path.resolve(variablesDir, rawOutputPath);
   }
   if (!outputPath.endsWith('.env')) {
     if (fs.existsSync(outputPath) && fs.statSync(outputPath).isDirectory()) {
@@ -105,7 +113,7 @@ async function writeEnvOutputForReload(outputPath, runEnvPath) {
     toWrite = mergeEnvMapIntoContent(existingContent, runMap);
   }
   await fsp.writeFile(outputPath, toWrite, { mode: 0o600 });
-  logger.log(chalk.green(`✓ Wrote .env to envOutputPath (same as container, for --reload): ${outputPath}`));
+  logger.log(formatSuccessLine(`Wrote .env to envOutputPath (same as container, for --reload): ${outputPath}`));
 }
 
 /**
@@ -125,7 +133,7 @@ async function writeEnvOutputForLocal(appName, outputPath) {
     toWrite = mergeEnvMapIntoContent(existingContent, localMap);
   }
   await fsp.writeFile(outputPath, toWrite, { mode: 0o600 });
-  logger.log(chalk.green(`✓ Wrote .env to envOutputPath (localPort): ${outputPath}`));
+  logger.log(formatSuccessLine(`Wrote .env to envOutputPath (localPort): ${outputPath}`));
 }
 
 /**
@@ -134,16 +142,17 @@ async function writeEnvOutputForLocal(appName, outputPath) {
  * @returns {number} Developer-specific app port
  */
 function calculateDevAppPort(baseAppPort) {
+  const { localHostPort, parseDeveloperIdNum } = require('./declarative-url-ports');
   const devIdRaw = process.env.AIFABRIX_DEVELOPERID;
   let devIdNum = Number.isFinite(parseInt(devIdRaw, 10)) ? parseInt(devIdRaw, 10) : null;
   try {
     if (devIdNum === null) {
-      devIdNum = readDeveloperIdFromConfig(config) || 0;
+      devIdNum = readDeveloperIdFromConfig(config);
     }
   } catch {
-    devIdNum = 0;
+    devIdNum = null;
   }
-  return devIdNum === 0 ? baseAppPort : (baseAppPort + (devIdNum * 100));
+  return localHostPort(baseAppPort, parseDeveloperIdNum(devIdNum));
 }
 
 /**
@@ -255,7 +264,7 @@ async function writeLocalEnvToOutputPath(outputPath, appName, secretsPath, envOu
     toWrite = mergeEnvMapIntoContent(existingContent, localMap);
   }
   fs.writeFileSync(outputPath, toWrite, { mode: 0o600 });
-  logger.log(chalk.green(`✓ Generated local .env at: ${envOutputPathLabel}`));
+  logger.log(formatSuccessLine(`Generated local .env at: ${envOutputPathLabel}`));
 }
 
 /**
@@ -271,7 +280,7 @@ async function writePatchedEnvToOutputPath(envPath, outputPath, variables, envOu
   let patchedContent = await patchEnvContentForLocal(envContent, variables);
   patchedContent = substituteMntDataForLocal(patchedContent, outputPath);
   fs.writeFileSync(outputPath, patchedContent, { mode: 0o600 });
-  logger.log(chalk.green(`✓ Copied .env to: ${envOutputPathLabel}`));
+  logger.log(formatSuccessLine(`Copied .env to: ${envOutputPathLabel}`));
 }
 
 /**

package/lib/utils/env-map.js

@@ -292,6 +292,38 @@ function calculateDockerPublicPorts(result, devIdNum, schemaBaseVars = {}) {
   }
 }
 
+/**
+ * Apply *_PUBLIC_PORT from schema env for local or docker context.
+ * @param {Object} result - Normalized env map (mutated)
+ * @param {'docker'|'local'} context
+ * @param {number} devIdNum
+ */
+function applyPublicPortAdjustmentsForContext(result, context, devIdNum) {
+  if (context !== 'local' && context !== 'docker') return;
+  const schemaCfg = loadSchemaEnvConfig();
+  const schemaBaseVars =
+    schemaCfg && schemaCfg.environments && schemaCfg.environments[context]
+      ? schemaCfg.environments[context]
+      : {};
+  calculateDockerPublicPorts(result, devIdNum, schemaBaseVars);
+}
+
+/**
+ * Set TLS_ENABLED / HTTP_ENABLED from ~/.aifabrix/config.yaml (tlsEnabled).
+ * @param {Object} result - Env map (mutated)
+ */
+async function applyTlsHttpManifestFlags(result) {
+  let tlsOn = false;
+  try {
+    const userCfg = await config.getConfig();
+    tlsOn = Boolean(userCfg && userCfg.tlsEnabled === true);
+  } catch {
+    tlsOn = false;
+  }
+  result.TLS_ENABLED = tlsOn ? 'true' : 'false';
+  result.HTTP_ENABLED = tlsOn ? 'false' : 'true';
+}
+
 /**
  * Build environment variable map for interpolation based on env-config.yaml
  * - Supports values like "host:port" by splitting into *_HOST (host) and *_PORT (port)
@@ -300,6 +332,7 @@ function calculateDockerPublicPorts(result, devIdNum, schemaBaseVars = {}) {
  * - Applies aifabrix-localhost override for local context if configured
  * - Applies developer-id adjustment to port variables for local context
  * - Calculates *_PUBLIC_PORT for both local and docker context (basePort + developer-id * 100)
+ * - Adds TLS_ENABLED and HTTP_ENABLED ("true" / "false"); HTTP_ENABLED = !TLS_ENABLED for manifest ${...} substitution
  * @async
  * @function buildEnvVarMap
  * @param {'docker'|'local'} context - Environment context
@@ -323,15 +356,9 @@ async function buildEnvVarMap(context, osModule = null, developerId = null, opti
   const devIdNum = await getDeveloperIdNumber(developerId);
   if (context === 'local') {
     applyLocalPortAdjustment(result, devIdNum);
-    const schemaCfg = loadSchemaEnvConfig();
-    const schemaBaseVars = (schemaCfg && schemaCfg.environments && schemaCfg.environments.local) ? schemaCfg.environments.local : {};
-    calculateDockerPublicPorts(result, devIdNum, schemaBaseVars);
-  } else if (context === 'docker') {
-    const schemaCfg = loadSchemaEnvConfig();
-    const schemaBaseVars = (schemaCfg && schemaCfg.environments && schemaCfg.environments[context]) ? schemaCfg.environments[context] : {};
-    calculateDockerPublicPorts(result, devIdNum, schemaBaseVars);
   }
-
+  applyPublicPortAdjustmentsForContext(result, context, devIdNum);
+  await applyTlsHttpManifestFlags(result);
   return result;
 }
 

package/lib/utils/env-template.js

@@ -108,7 +108,7 @@ async function updateEnvTemplate(appKey, clientIdKey, clientSecretKey, _controll
   const envTemplatePath = path.join(process.cwd(), 'builder', appKey, 'env.template');
 
   if (!fsSync.existsSync(envTemplatePath)) {
-    logger.warn(chalk.yellow(`⚠️  env.template not found for ${appKey}, skipping update`));
+    logger.warn(chalk.yellow(`⚠  env.template not found for ${appKey}, skipping update`));
     return;
   }
 
@@ -126,7 +126,7 @@ async function updateEnvTemplate(appKey, clientIdKey, clientSecretKey, _controll
 
     await fs.writeFile(envTemplatePath, content, 'utf8');
   } catch (error) {
-    logger.warn(chalk.yellow(`⚠️  Could not update env.template: ${error.message}`));
+    logger.warn(chalk.yellow(`⚠  Could not update env.template: ${error.message}`));
   }
 }