@aifabrix/builder 2.43.0 → 2.44.1

package/lib/infrastructure/helpers.js

@@ -11,14 +11,30 @@
 
 const path = require('path');
 const fs = require('fs');
+const fsRealSync = require('../internal/fs-real-sync');
+const { nodeFs } = require('../internal/node-fs');
 const chalk = require('chalk');
 const handlebars = require('handlebars');
-const secrets = require('../core/secrets');
 const adminSecrets = require('../core/admin-secrets');
 const logger = require('../utils/logger');
-const dockerUtils = require('../utils/docker');
 const paths = require('../utils/paths');
 const secretsEnsure = require('../core/secrets-ensure');
+const {
+  mergeInfraParameterDefaultsForCli,
+  getInfraParameterCatalog,
+  readRelaxedCatalogDefaults
+} = require('../parameters/infra-parameter-catalog');
+const { checkDockerAvailability } = require('./helpers-docker-check');
+
+/**
+ * Lazy-load core/secrets at call time. A top-level require creates a circular dependency:
+ * secrets → url-declarative-resolve → compose-generator → compose-generate-docker-compose → this module,
+ * which left `generateAdminSecretsEnv` / `formatAdminSecretsContent` undefined on the captured export.
+ * @returns {Object} core/secrets module exports (loadSecrets, generateAdminSecretsEnv, …)
+ */
+function getCoreSecrets() {
+  return require('../core/secrets');
+}
 
 /**
  * Gets infrastructure directory name based on developer ID
@@ -43,22 +59,13 @@ function getInfraProjectName(devId) {
 }
 
 /**
- * Check Docker availability
- * @async
- * @returns {Promise<void>}
- * @throws {Error} If Docker is not available
+ * Fallback for admin password/email when validated catalog load failed but YAML is still readable.
+ * @returns {Record<string, string>}
  */
-async function checkDockerAvailability() {
-  try {
-    await dockerUtils.ensureDockerAndCompose();
-  } catch (error) {
-    throw new Error('Docker or Docker Compose is not available. Please install and start Docker.');
-  }
+function readInfraDefaultScalars() {
+  return readRelaxedCatalogDefaults();
 }
 
-/** Default admin password for new local installations when admin-secrets.env is empty */
-const DEFAULT_ADMIN_PASSWORD = 'admin123';
-
 /**
  * Log hint to reset Postgres volume when admin password was changed after first init.
  * @param {string} infraDir - Path to infra directory
@@ -66,7 +73,7 @@ const DEFAULT_ADMIN_PASSWORD = 'admin123';
 function logVolumeResetHint(infraDir) {
   logger.log(chalk.yellow(
     'If Postgres was already started with a different password, login will fail until you reset the volume. ' +
-    `Run: cd ${infraDir} && docker compose -f compose.yaml -p aifabrix down -v , then run 'aifabrix up-infra --adminPwd <password>' again.`
+    `Run: cd ${infraDir} && docker compose -f compose.yaml -p aifabrix down -v , then run 'aifabrix up-infra --adminPassword <password>' again.`
   ));
 }
 
@@ -82,9 +89,8 @@ async function syncPostgresPasswordToStore(password) {
   }
 }
 
-/** Default admin env keys and values when missing. */
+/** Non-email defaults for admin-secrets.env merge (email default comes from infra.parameter.yaml `defaults`). */
 const DEFAULT_ADMIN_OBJ = {
-  PGADMIN_DEFAULT_EMAIL: 'admin@aifabrix.dev',
   REDIS_HOST: 'local:redis:6379:0:',
   REDIS_COMMANDER_USER: 'admin'
 };
@@ -96,23 +102,87 @@ const DEFAULT_ADMIN_OBJ = {
  * @param {Object} adminObj - Decrypted admin secrets object
  * @param {string} passwordToUse - Password to set for Postgres, pgAdmin, Redis Commander
  * @param {boolean} shouldOverwriteWithAdminPwd - Whether this was an explicit admin password update
+ * @param {{ updateEmail?: boolean, emailToUse?: string }} [emailOpts]
  */
-async function applyAdminSecretsUpdate(adminSecretsPath, adminObj, passwordToUse, shouldOverwriteWithAdminPwd) {
+async function applyAdminSecretsUpdate(
+  adminSecretsPath,
+  adminObj,
+  passwordToUse,
+  shouldOverwriteWithAdminPwd,
+  emailOpts
+) {
   const merged = { ...DEFAULT_ADMIN_OBJ, ...adminObj };
   merged.POSTGRES_PASSWORD = passwordToUse;
   merged.PGADMIN_DEFAULT_PASSWORD = passwordToUse;
   merged.REDIS_COMMANDER_PASSWORD = passwordToUse;
-  const content = await secrets.formatAdminSecretsContent(merged);
-  fs.writeFileSync(adminSecretsPath, content, { mode: 0o600 });
+  if (emailOpts && emailOpts.updateEmail && emailOpts.emailToUse) {
+    merged.PGADMIN_DEFAULT_EMAIL = emailOpts.emailToUse;
+  }
+  const content = await getCoreSecrets().formatAdminSecretsContent(merged);
+  fsRealSync.writeFileSync(adminSecretsPath, content, { mode: 0o600 });
   if (shouldOverwriteWithAdminPwd) {
     logger.log('Updated admin password in admin-secrets.env.');
     await syncPostgresPasswordToStore(passwordToUse);
-    logVolumeResetHint(path.join(paths.getAifabrixHome(), getInfraDirName(0)));
+    logVolumeResetHint(path.join(paths.getAifabrixSystemDir(), getInfraDirName(0)));
+  } else if (emailOpts && emailOpts.updateEmail) {
+    logger.log('Updated admin email in admin-secrets.env.');
   } else {
     logger.log('Set default admin password in admin-secrets.env for local use.');
   }
 }
 
+function loadAdminMergedDefaultsForInfra(options) {
+  try {
+    return mergeInfraParameterDefaultsForCli(getInfraParameterCatalog().data, options);
+  } catch {
+    return mergeInfraParameterDefaultsForCli({}, options);
+  }
+}
+
+function resolveAdminPasswordAndEmailCli(options, mergedDefaults) {
+  const infraDefaults = readInfraDefaultScalars();
+  const adminPwdCli = String(options.adminPassword || options.adminPwd || '').trim();
+  const adminPwdOverride = adminPwdCli !== '' ? adminPwdCli : null;
+  const passwordToUse =
+    adminPwdOverride !== null
+      ? adminPwdOverride
+      : mergedDefaults.adminPassword || infraDefaults.adminPassword || '';
+  const emailCli = String(options.adminEmail || '').trim();
+  const emailOverride = emailCli !== '' ? emailCli : null;
+  const emailToUse =
+    emailOverride !== null
+      ? emailOverride
+      : mergedDefaults.adminEmail || infraDefaults.adminEmail || '';
+  return { adminPwdOverride, passwordToUse, emailOverride, emailToUse };
+}
+
+function computeAdminSecretsBackfillFlags(adminObj) {
+  const needsPasswordBackfill =
+    !(adminObj.POSTGRES_PASSWORD && adminObj.POSTGRES_PASSWORD.trim()) ||
+    !(adminObj.PGADMIN_DEFAULT_PASSWORD && adminObj.PGADMIN_DEFAULT_PASSWORD.trim()) ||
+    !(adminObj.REDIS_COMMANDER_PASSWORD && adminObj.REDIS_COMMANDER_PASSWORD.trim());
+  const needsEmailBackfill = !(adminObj.PGADMIN_DEFAULT_EMAIL && adminObj.PGADMIN_DEFAULT_EMAIL.trim());
+  return { needsPasswordBackfill, needsEmailBackfill };
+}
+
+function resolvePasswordForAdminFile(
+  shouldOverwriteWithAdminPwd,
+  needsPasswordBackfill,
+  passwordToUse,
+  adminObj,
+  mergedDefaults
+) {
+  if (shouldOverwriteWithAdminPwd || needsPasswordBackfill) {
+    return passwordToUse;
+  }
+  return (
+    String(adminObj.POSTGRES_PASSWORD || '').trim() ||
+    mergedDefaults.adminPassword ||
+    readInfraDefaultScalars().adminPassword ||
+    ''
+  );
+}
+
 /**
  * Ensure admin secrets file exists and set admin password.
  * When adminPwd is provided, update POSTGRES_PASSWORD, PGADMIN_DEFAULT_PASSWORD, REDIS_COMMANDER_PASSWORD
@@ -121,42 +191,82 @@ async function applyAdminSecretsUpdate(adminSecretsPath, adminObj, passwordToUse
  *
  * @async
  * @param {Object} [options] - Options
- * @param {string} [options.adminPwd] - Override admin password for Postgres, pgAdmin, Redis Commander (updates file when provided)
+ * @param {string} [options.adminPassword] - Override admin password (alias: adminPwd)
+ * @param {string} [options.adminPwd] - Override admin password for Postgres, pgAdmin, Redis Commander
+ * @param {string} [options.adminEmail] - Override pgAdmin default email (matches {{adminEmail}} defaults)
+ * @param {string} [options.userPassword] - Reserved for Keycloak user template (secrets use ensureInfraSecrets)
  * @returns {Promise<string>} Path to admin secrets file
  */
 async function ensureAdminSecrets(options = {}) {
-  const adminPwdOverride = options.adminPwd && typeof options.adminPwd === 'string' && options.adminPwd.trim() !== ''
-    ? options.adminPwd.trim()
-    : null;
-  const passwordToUse = adminPwdOverride || DEFAULT_ADMIN_PASSWORD;
-  const adminSecretsPath = path.join(paths.getAifabrixHome(), 'admin-secrets.env');
+  const mergedDefaults = loadAdminMergedDefaultsForInfra(options);
+  const { adminPwdOverride, passwordToUse, emailOverride, emailToUse } = resolveAdminPasswordAndEmailCli(
+    options,
+    mergedDefaults
+  );
+  const adminSecretsPath = path.join(paths.getAifabrixSystemDir(), 'admin-secrets.env');
 
-  if (!fs.existsSync(adminSecretsPath)) {
+  if (!fsRealSync.existsSync(adminSecretsPath)) {
     logger.log('Generating admin-secrets.env...');
-    await secrets.generateAdminSecretsEnv(undefined);
+    await getCoreSecrets().generateAdminSecretsEnv(undefined);
     return adminSecretsPath;
   }
 
   const adminObj = await adminSecrets.readAndDecryptAdminSecrets(adminSecretsPath);
-  const needsBackfill = !(adminObj.POSTGRES_PASSWORD && adminObj.POSTGRES_PASSWORD.trim()) ||
-    !(adminObj.PGADMIN_DEFAULT_PASSWORD && adminObj.PGADMIN_DEFAULT_PASSWORD.trim()) ||
-    !(adminObj.REDIS_COMMANDER_PASSWORD && adminObj.REDIS_COMMANDER_PASSWORD.trim());
+  const { needsPasswordBackfill, needsEmailBackfill } = computeAdminSecretsBackfillFlags(adminObj);
   const shouldOverwriteWithAdminPwd = adminPwdOverride !== null;
+  const shouldOverwriteEmail = emailOverride !== null;
+  const updateEmail = shouldOverwriteEmail || needsEmailBackfill;
 
-  if (!shouldOverwriteWithAdminPwd && !needsBackfill) {
+  if (!shouldOverwriteWithAdminPwd && !needsPasswordBackfill && !updateEmail) {
     return adminSecretsPath;
   }
 
-  await applyAdminSecretsUpdate(adminSecretsPath, adminObj, passwordToUse, shouldOverwriteWithAdminPwd);
+  const passwordForFile = resolvePasswordForAdminFile(
+    shouldOverwriteWithAdminPwd,
+    needsPasswordBackfill,
+    passwordToUse,
+    adminObj,
+    mergedDefaults
+  );
+
+  await applyAdminSecretsUpdate(adminSecretsPath, adminObj, passwordForFile, shouldOverwriteWithAdminPwd, {
+    updateEmail,
+    emailToUse
+  });
   return adminSecretsPath;
 }
 
+/** Host-side pgpass for pgAdmin bind mount (must exist before container starts so servers.json import succeeds). */
+const PGPASS_BOOTSTRAP_BASENAME = '.pgpass.bootstrap';
+
+/**
+ * Writes pgpass next to servers.json for Docker bind mount into /pgadmin4 (not under /var/lib/pgadmin volume).
+ * Prefer chown to pgAdmin UID so mode 600 is readable in the container; fall back to 644 if not root.
+ *
+ * @param {string} infraDir - Infrastructure directory path
+ * @param {string} postgresPassword - PostgreSQL password for the pgpass line
+ */
+function writePgpassBootstrap(infraDir, postgresPassword) {
+  const line = `postgres:5432:postgres:pgadmin:${postgresPassword}\n`;
+  const dest = path.join(infraDir, PGPASS_BOOTSTRAP_BASENAME);
+  fs.writeFileSync(dest, line, { mode: 0o600 });
+  try {
+    fs.chownSync(dest, 5050, 5050);
+  } catch {
+    try {
+      fs.chmodSync(dest, 0o644);
+    } catch {
+      // Ignore — container may still read depending on daemon / user namespace
+    }
+  }
+}
+
 /**
- * Generates pgAdmin4 servers.json only. pgpass is not written to disk (ISO 27K);
- * it is created temporarily in startDockerServicesAndConfigure and deleted after copy to container.
+ * Generates pgAdmin4 servers.json only. pgpass for the container is supplied via bind-mounted
+ * `.pgpass.bootstrap` (written by writePgpassBootstrap); not embedded in servers.json.
  *
  * @param {string} infraDir - Infrastructure directory path
- * @param {string} postgresPassword - PostgreSQL password (for servers.json PassFile reference only; password not stored in file)
+ * @param {string} postgresPassword - Used only for consistency / future template fields (password is not written into servers.json)
  */
 function generatePgAdminConfig(infraDir, postgresPassword) {
   const serversJsonTemplatePath = path.join(__dirname, '..', '..', 'templates', 'infra', 'servers.json.hbs');
@@ -215,7 +325,7 @@ async function ensureMisoInitScript(infraDir) {
   const secretKey = 'databases-miso-controller-0-passwordKeyVault';
   let password;
   try {
-    const loaded = await secrets.loadSecrets(undefined);
+    const loaded = await getCoreSecrets().loadSecrets(undefined);
     const urlOrPassword = loaded[secretKey] || loaded['databases-miso-controller-0-urlKeyVault'];
     const extracted = extractPasswordFromUrlOrValue(urlOrPassword);
     if (extracted !== null && extracted.trim() !== '') {
@@ -263,10 +373,11 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "miso" -c "GRANT AL
  * @async
  * @param {string} devId - Developer ID
  * @param {string} adminSecretsPath - Path to admin secrets file
+ * @param {{ pgpassBootstrap?: boolean }} [prepOptions] - When pgpassBootstrap is false, skip/remove host pgpass bootstrap file (pgAdmin disabled)
  * @returns {Promise<Object>} Object with infraDir and postgresPassword
  */
-async function prepareInfraDirectory(devId, adminSecretsPath) {
-  const aifabrixDir = paths.getAifabrixHome();
+async function prepareInfraDirectory(devId, adminSecretsPath, prepOptions = {}) {
+  const aifabrixDir = paths.getAifabrixSystemDir();
   const infraDirName = getInfraDirName(devId);
   const infraDir = path.join(aifabrixDir, infraDirName);
   if (!fs.existsSync(infraDir)) {
@@ -283,12 +394,59 @@ async function prepareInfraDirectory(devId, adminSecretsPath) {
   }
 
   const adminObj = await adminSecrets.readAndDecryptAdminSecrets(adminSecretsPath);
-  const postgresPassword = (adminObj.POSTGRES_PASSWORD && adminObj.POSTGRES_PASSWORD.trim()) || DEFAULT_ADMIN_PASSWORD;
+  const postgresPassword =
+    (adminObj.POSTGRES_PASSWORD && adminObj.POSTGRES_PASSWORD.trim()) ||
+    readInfraDefaultScalars().adminPassword ||
+    '';
   generatePgAdminConfig(infraDir, postgresPassword);
 
+  const pgpassBootstrap = prepOptions.pgpassBootstrap !== false;
+  const bootstrapPath = path.join(infraDir, PGPASS_BOOTSTRAP_BASENAME);
+  if (pgpassBootstrap) {
+    writePgpassBootstrap(infraDir, postgresPassword);
+  } else {
+    try {
+      if (fs.existsSync(bootstrapPath)) {
+        fs.unlinkSync(bootstrapPath);
+      }
+    } catch {
+      // Ignore
+    }
+  }
+
   return { infraDir, postgresPassword };
 }
 
+/**
+ * Resolve infra working directory and admin-secrets path for stop/restart.
+ * Infra dir: prefer system dir compose; if missing, use legacy home when compose exists there.
+ * Admin secrets: prefer `admin-secrets.env` under system dir; if missing, use legacy home (covers mixed layouts).
+ *
+ * @param {string|number} devId - Developer ID
+ * @returns {{ infraDir: string, adminSecretsPath: string }}
+ */
+function resolveInfraStatePaths(devId) {
+  const syncFs = nodeFs();
+  const name = getInfraDirName(devId);
+  const systemBase = paths.getAifabrixSystemDir();
+  const legacyBase = paths.getAifabrixHome();
+  const sysInfra = path.join(systemBase, name);
+  const legInfra = path.join(legacyBase, name);
+  const sysCompose = path.join(sysInfra, 'compose.yaml');
+  const legCompose = path.join(legInfra, 'compose.yaml');
+  let infraDir = sysInfra;
+  if (!syncFs.existsSync(sysCompose) && syncFs.existsSync(legCompose) && legacyBase !== systemBase) {
+    infraDir = legInfra;
+  }
+  const sysAdmin = path.join(systemBase, 'admin-secrets.env');
+  const legAdmin = path.join(legacyBase, 'admin-secrets.env');
+  let adminSecretsPath = sysAdmin;
+  if (!syncFs.existsSync(sysAdmin) && syncFs.existsSync(legAdmin) && legacyBase !== systemBase) {
+    adminSecretsPath = legAdmin;
+  }
+  return { infraDir, adminSecretsPath };
+}
+
 /**
  * Register Handlebars helper for equality comparison
  */
@@ -312,7 +470,10 @@ module.exports = {
   checkDockerAvailability,
   ensureAdminSecrets,
   generatePgAdminConfig,
+  writePgpassBootstrap,
+  PGPASS_BOOTSTRAP_BASENAME,
   prepareInfraDirectory,
+  resolveInfraStatePaths,
   ensureMisoInitScript,
   registerHandlebarsHelper
 };

package/lib/infrastructure/index.js

@@ -15,14 +15,13 @@ const config = require('../core/config');
 const devConfig = require('../utils/dev-config');
 const logger = require('../utils/logger');
 const dockerUtils = require('../utils/docker');
-const paths = require('../utils/paths');
 const statusHelpers = require('../utils/infra-status');
 const {
-  getInfraDirName,
   getInfraProjectName,
   checkDockerAvailability,
   ensureAdminSecrets,
   prepareInfraDirectory,
+  resolveInfraStatePaths,
   ensureMisoInitScript,
   registerHandlebarsHelper
 } = require('./helpers');
@@ -72,18 +71,35 @@ async function withRunEnv(infraDir, adminSecretsPath, fn) {
  * @async
  * @function prepareInfrastructureEnvironment
  * @param {string|number|null} developerId - Developer ID
- * @param {Object} [options] - Options (traefik, adminPwd)
+ * @param {Object} [options] - Options (traefik, adminPwd, tlsEnabled)
  * @returns {Promise<Object>} Prepared environment configuration
  */
 async function prepareInfrastructureEnvironment(developerId, options = {}) {
   await checkDockerAvailability();
-  await secretsEnsure.ensureInfraSecrets({ adminPwd: options.adminPwd });
-  const adminSecretsPath = await ensureAdminSecrets({ adminPwd: options.adminPwd });
+  const adminPass = options.adminPassword || options.adminPwd;
+  const tlsEnabled = options.tlsEnabled === true;
+  const infraOpts = {
+    adminPassword: adminPass,
+    adminPwd: adminPass,
+    adminEmail: options.adminEmail,
+    userPassword: options.userPassword,
+    tlsEnabled
+  };
+  await secretsEnsure.ensureInfraSecrets(infraOpts);
+  const adminSecretsPath = await ensureAdminSecrets(infraOpts);
 
   const devId = developerId || await config.getDeveloperId();
+  const remoteServer = await config.getRemoteServer();
+  const {
+    assertRemoteBuilderDeveloperId,
+    remoteServerHostIsNonLocalhost
+  } = require('../utils/remote-builder-validation');
+  assertRemoteBuilderDeveloperId(remoteServer, devId);
+
   const devIdNum = typeof devId === 'string' ? parseInt(devId, 10) : devId;
   const ports = devConfig.getDevPorts(devIdNum);
   const idNum = devIdNum;
+  const trustForwardedHeaders = remoteServerHostIsNonLocalhost(remoteServer);
 
   const templatePath = path.join(__dirname, '..', '..', 'templates', 'infra', 'compose.yaml.hbs');
   if (!fs.existsSync(templatePath)) {
@@ -91,10 +107,12 @@ async function prepareInfrastructureEnvironment(developerId, options = {}) {
   }
 
   // Prepare infrastructure directory
-  const { infraDir } = await prepareInfraDirectory(devId, adminSecretsPath);
+  const { infraDir } = await prepareInfraDirectory(devId, adminSecretsPath, {
+    pgpassBootstrap: options.pgadmin !== false
+  });
   await ensureMisoInitScript(infraDir);
 
-  return { devId, idNum, ports, templatePath, infraDir, adminSecretsPath };
+  return { devId, idNum, ports, templatePath, infraDir, adminSecretsPath, trustForwardedHeaders };
 }
 
 /**
@@ -114,9 +132,10 @@ async function prepareInfrastructureEnvironment(developerId, options = {}) {
  * // Infrastructure services are now running
  */
 async function startInfra(developerId = null, options = {}) {
-  const { devId, idNum, ports, templatePath, infraDir } = await prepareInfrastructureEnvironment(developerId, options);
+  const { devId, idNum, ports, templatePath, infraDir, trustForwardedHeaders } =
+    await prepareInfrastructureEnvironment(developerId, options);
   const { traefik = false, pgadmin = true, redisCommander = true } = options;
-  const traefikConfig = buildTraefikConfig(traefik);
+  const traefikConfig = { ...buildTraefikConfig(traefik), trustForwardedHeaders };
   const validation = validateTraefikConfig(traefikConfig);
   if (!validation.valid) {
     throw new Error(validation.errors.join('\n'));
@@ -199,10 +218,8 @@ async function removeAppVolumes(appNames, devId) {
  */
 async function stopInfra() {
   const devId = await config.getDeveloperId();
-  const aifabrixDir = paths.getAifabrixHome();
-  const infraDir = path.join(aifabrixDir, getInfraDirName(devId));
+  const { infraDir, adminSecretsPath } = resolveInfraStatePaths(devId);
   const composePath = path.join(infraDir, 'compose.yaml');
-  const adminSecretsPath = path.join(aifabrixDir, 'admin-secrets.env');
 
   if (!fs.existsSync(composePath) || !fs.existsSync(adminSecretsPath)) {
     logger.log('Infrastructure not running or not properly configured');
@@ -262,10 +279,8 @@ async function stopAllAppContainersAndVolumes(devId) {
  */
 async function stopInfraWithVolumes() {
   const devId = await config.getDeveloperId();
-  const aifabrixDir = paths.getAifabrixHome();
-  const infraDir = path.join(aifabrixDir, getInfraDirName(devId));
+  const { infraDir, adminSecretsPath } = resolveInfraStatePaths(devId);
   const composePath = path.join(infraDir, 'compose.yaml');
-  const adminSecretsPath = path.join(aifabrixDir, 'admin-secrets.env');
 
   if (!fs.existsSync(composePath) || !fs.existsSync(adminSecretsPath)) {
     logger.log('Infrastructure not running or not properly configured');
@@ -307,10 +322,8 @@ async function restartService(serviceName) {
   }
 
   const devId = await config.getDeveloperId();
-  const aifabrixDir = paths.getAifabrixHome();
-  const infraDir = path.join(aifabrixDir, getInfraDirName(devId));
+  const { infraDir, adminSecretsPath } = resolveInfraStatePaths(devId);
   const composePath = path.join(infraDir, 'compose.yaml');
-  const adminSecretsPath = path.join(aifabrixDir, 'admin-secrets.env');
 
   if (!fs.existsSync(composePath) || !fs.existsSync(adminSecretsPath)) {
     throw new Error('Infrastructure not properly configured');

package/lib/infrastructure/services.js

@@ -9,7 +9,6 @@
  */
 
 const { exec } = require('child_process');
-const { promisify } = require('util');
 const path = require('path');
 const fs = require('fs');
 const logger = require('../utils/logger');
@@ -19,13 +18,13 @@ const config = require('../core/config');
 const { getInfraProjectName } = require('./helpers');
 const adminSecrets = require('../core/admin-secrets');
 
-const execAsync = promisify(exec);
-
-// Wrapper to support cwd option
-function execAsyncWithCwd(command, options = {}) {
+// Wrapper to support cwd option and dev-config remote Docker (docker-endpoint + TLS)
+async function execAsyncWithCwd(command, options = {}) {
+  const { getDockerExecEnv } = require('../utils/remote-docker-env');
+  const { cwd, env: extraEnv, ...execOptions } = options;
+  const env = { ...(await getDockerExecEnv()), ...(extraEnv || {}) };
   return new Promise((resolve, reject) => {
-    const { cwd, ...execOptions } = options;
-    exec(command, { ...execOptions, cwd }, (error, stdout, stderr) => {
+    exec(command, { ...execOptions, cwd, env }, (error, stdout, stderr) => {
       if (error) {
         reject(error);
       } else {
@@ -51,29 +50,6 @@ async function startDockerServices(composePath, projectName, adminSecretsPath, i
   logger.log('Infrastructure services started successfully');
 }
 
-/**
- * Copy pgAdmin4 configuration files into container
- * @async
- * @param {string} pgadminContainerName - pgAdmin container name
- * @param {string} serversJsonPath - Path to servers.json file
- * @param {string} pgpassPath - Path to pgpass file
- */
-async function copyPgAdminConfig(pgadminContainerName, serversJsonPath, pgpassPath) {
-  try {
-    await new Promise(resolve => setTimeout(resolve, 2000)); // Wait for container to be ready
-    if (fs.existsSync(serversJsonPath)) {
-      await execAsync(`docker cp "${serversJsonPath}" ${pgadminContainerName}:/pgadmin4/servers.json`);
-    }
-    if (fs.existsSync(pgpassPath)) {
-      await execAsync(`docker cp "${pgpassPath}" ${pgadminContainerName}:/pgpass`);
-      await execAsync(`docker exec ${pgadminContainerName} chmod 600 /pgpass`);
-    }
-  } catch (error) {
-    // Ignore copy errors - files might already be there or container not ready
-    logger.log('Note: Could not copy pgAdmin4 config files (this is OK if container was just restarted)');
-  }
-}
-
 /**
  * Prepare run env file from decrypted admin secrets.
  * @async
@@ -89,34 +65,12 @@ async function prepareRunEnv(infraDir) {
 }
 
 /**
- * Write pgpass file and copy pgAdmin config into container.
- * @async
- * @param {string} infraDir - Infrastructure directory
- * @param {Object} adminObj - Decrypted admin secrets object
- * @param {string} devId - Developer ID
- * @param {number} idNum - Developer ID number
- * @returns {Promise<string>} Path to pgpass run file
- */
-async function writePgpassAndCopyPgAdminConfig(infraDir, adminObj, devId, idNum) {
-  const pgpassRunPath = path.join(infraDir, '.pgpass.run');
-  const pgadminContainerName = idNum === 0 ? 'aifabrix-pgadmin' : `aifabrix-dev${devId}-pgadmin`;
-  const serversJsonPath = path.join(infraDir, 'servers.json');
-  const postgresPassword = adminObj.POSTGRES_PASSWORD || '';
-  const pgpassContent = `postgres:5432:postgres:pgadmin:${postgresPassword}\n`;
-  fs.writeFileSync(pgpassRunPath, pgpassContent, { mode: 0o600 });
-  await copyPgAdminConfig(pgadminContainerName, serversJsonPath, pgpassRunPath);
-  return pgpassRunPath;
-}
-
-/**
- * Remove temporary run files (env and pgpass) if they exist.
+ * Remove temporary run files (env) if they exist.
  * @param {string} runEnvPath - Path to .env.run
- * @param {string} [pgpassRunPath] - Path to .pgpass.run
  */
-function cleanupRunFiles(runEnvPath, pgpassRunPath) {
+function cleanupRunFiles(runEnvPath) {
   try {
     if (fs.existsSync(runEnvPath)) fs.unlinkSync(runEnvPath);
-    if (pgpassRunPath && fs.existsSync(pgpassRunPath)) fs.unlinkSync(pgpassRunPath);
   } catch {
     // Ignore unlink errors
   }
@@ -136,11 +90,9 @@ function cleanupRunFiles(runEnvPath, pgpassRunPath) {
  */
 async function startDockerServicesAndConfigure(composePath, devId, idNum, infraDir, opts = {}) {
   let runEnvPath;
-  let pgpassRunPath;
-  let adminObj;
   const { pgadmin = true, redisCommander = true, traefik = false } = opts;
   try {
-    ({ adminObj, runEnvPath } = await prepareRunEnv(infraDir));
+    ({ runEnvPath } = await prepareRunEnv(infraDir));
   } catch (err) {
     throw new Error(`Failed to prepare infra env: ${err.message}`);
   }
@@ -148,13 +100,10 @@ async function startDockerServicesAndConfigure(composePath, devId, idNum, infraD
   try {
     const projectName = getInfraProjectName(devId);
     await startDockerServices(composePath, projectName, runEnvPath, infraDir);
-    if (pgadmin) {
-      pgpassRunPath = await writePgpassAndCopyPgAdminConfig(infraDir, adminObj, devId, idNum);
-    }
     await waitForServices(devId, { pgadmin, redisCommander, traefik });
     logger.log('All services are healthy and ready');
   } finally {
-    cleanupRunFiles(runEnvPath, pgpassRunPath);
+    cleanupRunFiles(runEnvPath);
   }
 }
 
@@ -195,8 +144,10 @@ async function waitForServices(devId = null, opts = {}) {
  * @param {number|string|null} [devId] - Developer ID (null = use current)
  * @param {Object} [options] - Options
  * @param {boolean} [options.strict=false] - When true, only consider current dev's containers (no fallback to dev 0); use for up-miso and status consistency
- * @param {boolean} [options.pgadmin=true] - Include pgAdmin in health check
- * @param {boolean} [options.redisCommander=true] - Include Redis Commander in health check
+ * @param {boolean} [options.postgres=true] - When false, skip Postgres (and pgAdmin) checks — for apps with requires.database: false
+ * @param {boolean} [options.redis=true] - When false, skip Redis (and Redis Commander) checks — for apps with requires.redis: false
+ * @param {boolean} [options.pgadmin=true] - Include pgAdmin in health check (only when Postgres is checked)
+ * @param {boolean} [options.redisCommander=true] - Include Redis Commander in health check (only when Redis is checked)
  * @param {boolean} [options.traefik=false] - Include Traefik in health check
  * @returns {Promise<Object>} Health status of each service
  *
@@ -206,10 +157,14 @@ async function waitForServices(devId = null, opts = {}) {
  */
 async function checkInfraHealth(devId = null, options = {}) {
   const developerId = devId || await config.getDeveloperId();
-  const servicesWithHealthCheck = ['postgres', 'redis'];
+  const includePostgres = options.postgres !== false;
+  const includeRedis = options.redis !== false;
+  const servicesWithHealthCheck = [];
+  if (includePostgres) servicesWithHealthCheck.push('postgres');
+  if (includeRedis) servicesWithHealthCheck.push('redis');
   const servicesWithoutHealthCheck = [];
-  if (options.pgadmin !== false) servicesWithoutHealthCheck.push('pgadmin');
-  if (options.redisCommander !== false) servicesWithoutHealthCheck.push('redis-commander');
+  if (includePostgres && options.pgadmin !== false) servicesWithoutHealthCheck.push('pgadmin');
+  if (includeRedis && options.redisCommander !== false) servicesWithoutHealthCheck.push('redis-commander');
   if (options.traefik === true) servicesWithoutHealthCheck.push('traefik');
   const health = {};
   const lookupOptions = options.strict ? { strict: true } : {};
@@ -230,7 +185,6 @@ async function checkInfraHealth(devId = null, options = {}) {
 module.exports = {
   execAsyncWithCwd,
   startDockerServices,
-  copyPgAdminConfig,
   startDockerServicesAndConfigure,
   waitForServices,
   checkInfraHealth