npm - @aifabrix/builder - Versions diffs - 2.44.4 → 2.44.6 - Mend

@aifabrix/builder 2.44.4 → 2.44.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (214) hide show

package/.cursor/rules/cli-layout.mdc +1 -1
package/.cursor/rules/project-rules.mdc +1 -1
package/.npmrc.token +1 -1
package/README.md +15 -23
package/integration/hubspot-test/README.md +2 -0
package/integration/hubspot-test/test.js +5 -3
package/jest.projects.js +68 -17
package/lib/api/controller-health.api.js +49 -0
package/lib/api/dimension-values.api.js +82 -0
package/lib/api/dimensions.api.js +114 -0
package/lib/api/external-systems.api.js +1 -0
package/lib/api/integration-clients.api.js +168 -0
package/lib/api/types/dimension-values.types.js +28 -0
package/lib/api/types/dimensions.types.js +31 -0
package/lib/api/types/integration-clients.types.js +45 -0
package/lib/api/types/wizard.types.js +2 -1
package/lib/api/validation-runner.js +46 -25
package/lib/app/deploy-config.js +11 -1
package/lib/app/deploy-status-display.js +3 -3
package/lib/app/deploy.js +36 -14
package/lib/app/display.js +15 -11
package/lib/app/push.js +46 -23
package/lib/app/register.js +1 -1
package/lib/app/restart-display.js +95 -0
package/lib/app/rotate-secret.js +1 -1
package/lib/app/run-container-start.js +12 -6
package/lib/app/run-env-compose.js +30 -1
package/lib/app/run-helpers.js +44 -12
package/lib/app/run-reload-sync.js +148 -0
package/lib/app/run-resolve-image.js +51 -1
package/lib/app/run.js +99 -73
package/lib/build/index.js +75 -45
package/lib/cli/doctor-check.js +117 -0
package/lib/cli/index.js +8 -2
package/lib/cli/infra-guided.js +445 -0
package/lib/cli/setup-app.help.js +1 -1
package/lib/cli/setup-app.js +20 -2
package/lib/cli/setup-app.test-commands.js +9 -5
package/lib/cli/setup-auth.js +26 -0
package/lib/cli/setup-dev-path-commands.js +50 -3
package/lib/cli/setup-infra.js +138 -61
package/lib/cli/setup-integration-client.js +182 -0
package/lib/cli/setup-parameters.js +21 -2
package/lib/cli/setup-platform.js +102 -0
package/lib/cli/setup-secrets.js +18 -6
package/lib/cli/setup-utility.js +97 -33
package/lib/commands/datasource-capability-dimension-cli.js +128 -0
package/lib/commands/datasource-capability-output.js +29 -0
package/lib/commands/datasource-capability-relate-cli.js +140 -0
package/lib/commands/datasource-capability.js +411 -0
package/lib/commands/datasource-unified-test-cli.options.js +1 -1
package/lib/commands/datasource.js +53 -13
package/lib/commands/dev-down.js +3 -3
package/lib/commands/dev-infra-gate.js +32 -0
package/lib/commands/dev-init.js +13 -7
package/lib/commands/dimension-value.js +179 -0
package/lib/commands/dimension.js +330 -0
package/lib/commands/integration-client.js +430 -0
package/lib/commands/login-device.js +65 -30
package/lib/commands/login.js +21 -10
package/lib/commands/parameters-validate.js +78 -13
package/lib/commands/repair-datasource-auto-rbac.js +166 -0
package/lib/commands/repair-datasource-keys.js +10 -5
package/lib/commands/repair-datasource.js +19 -7
package/lib/commands/repair-env-template.js +4 -1
package/lib/commands/repair-openapi-sync.js +172 -0
package/lib/commands/repair-persist.js +102 -0
package/lib/commands/repair-rbac-extract.js +27 -0
package/lib/commands/repair-rbac-migrate.js +186 -0
package/lib/commands/repair-rbac.js +225 -19
package/lib/commands/repair-system-alignment.js +246 -0
package/lib/commands/repair-system-permissions.js +168 -0
package/lib/commands/repair.js +120 -354
package/lib/commands/secure.js +1 -1
package/lib/commands/setup-modes.js +455 -0
package/lib/commands/setup-prompts.js +388 -0
package/lib/commands/setup.js +149 -0
package/lib/commands/teardown.js +228 -0
package/lib/commands/test-e2e-external.js +4 -3
package/lib/commands/up-common.js +97 -12
package/lib/commands/up-dataplane.js +33 -11
package/lib/commands/up-miso.js +7 -11
package/lib/commands/upload.js +109 -23
package/lib/commands/wizard-core-helpers.js +14 -11
package/lib/commands/wizard-core.js +58 -15
package/lib/commands/wizard-dataplane.js +2 -2
package/lib/commands/wizard-entity-selection.js +72 -14
package/lib/commands/wizard-headless.js +7 -3
package/lib/commands/wizard-helpers.js +13 -1
package/lib/commands/wizard.js +210 -61
package/lib/constants/infra-compose-service-names.js +40 -0
package/lib/core/env-reader.js +16 -3
package/lib/core/secrets-admin-env.js +101 -0
package/lib/core/secrets-ensure-infra.js +34 -1
package/lib/core/secrets-ensure.js +88 -66
package/lib/core/secrets-env-content.js +432 -0
package/lib/core/secrets-env-write.js +27 -1
package/lib/core/secrets-load.js +248 -0
package/lib/core/secrets-names.js +32 -0
package/lib/core/secrets.js +17 -757
package/lib/datasource/capability/basic-exposure.js +76 -0
package/lib/datasource/capability/capability-diff-slice.js +41 -0
package/lib/datasource/capability/capability-key.js +34 -0
package/lib/datasource/capability/capability-resolve.js +172 -0
package/lib/datasource/capability/capability-storage-keys.js +22 -0
package/lib/datasource/capability/copy-operations.js +348 -0
package/lib/datasource/capability/copy-test-payload.js +139 -0
package/lib/datasource/capability/create-operations.js +235 -0
package/lib/datasource/capability/dimension-operations.js +151 -0
package/lib/datasource/capability/dimension-validate.js +219 -0
package/lib/datasource/capability/json-pointer.js +31 -0
package/lib/datasource/capability/reference-rewrite.js +51 -0
package/lib/datasource/capability/relate-operations.js +325 -0
package/lib/datasource/capability/relate-validate.js +219 -0
package/lib/datasource/capability/remove-operations.js +275 -0
package/lib/datasource/capability/run-capability-copy.js +152 -0
package/lib/datasource/capability/run-capability-diff.js +135 -0
package/lib/datasource/capability/run-capability-dimension.js +291 -0
package/lib/datasource/capability/run-capability-edit.js +377 -0
package/lib/datasource/capability/run-capability-relate.js +193 -0
package/lib/datasource/capability/run-capability-remove.js +105 -0
package/lib/datasource/capability/templates/minimal-fetch.json +18 -0
package/lib/datasource/capability/validate-capability-slice.js +35 -0
package/lib/datasource/list.js +136 -23
package/lib/datasource/log-viewer.js +2 -4
package/lib/datasource/unified-validation-run.js +51 -16
package/lib/datasource/validate.js +53 -1
package/lib/deployment/deploy-poll-ui.js +60 -0
package/lib/deployment/deployer-status.js +29 -3
package/lib/deployment/deployer.js +48 -30
package/lib/deployment/environment.js +7 -2
package/lib/deployment/poll-interval.js +72 -0
package/lib/deployment/push.js +11 -9
package/lib/external-system/deploy.js +4 -1
package/lib/external-system/download.js +61 -32
package/lib/external-system/sync-deploy-manifest.js +33 -0
package/lib/generator/wizard-prompts.js +7 -1
package/lib/generator/wizard.js +34 -0
package/lib/infrastructure/index.js +49 -19
package/lib/infrastructure/orphan-infra-docker-teardown.js +177 -0
package/lib/parameters/infra-kv-discovery.js +29 -4
package/lib/parameters/infra-parameter-catalog.js +6 -3
package/lib/parameters/infra-parameter-validate.js +67 -19
package/lib/resolvers/datasource-resolver.js +53 -0
package/lib/resolvers/dimension-file.js +52 -0
package/lib/resolvers/manifest-resolver.js +133 -0
package/lib/schema/external-datasource.schema.json +183 -53
package/lib/schema/external-system.schema.json +23 -10
package/lib/schema/infra.parameter.yaml +26 -11
package/lib/schema/wizard-config.schema.json +2 -2
package/lib/utils/aifabrix-config-dir-walk.js +40 -0
package/lib/utils/aifabrix-runtime-config-dir.js +26 -3
package/lib/utils/app-run-containers.js +2 -2
package/lib/utils/bash-secret-env.js +59 -0
package/lib/utils/cli-secrets-error-format.js +78 -0
package/lib/utils/cli-test-layout-chalk.js +31 -9
package/lib/utils/cli-utils.js +4 -36
package/lib/utils/datasource-test-run-display.js +8 -0
package/lib/utils/dev-hosts-helper.js +3 -2
package/lib/utils/dev-init-ssh-merge.js +2 -1
package/lib/utils/docker-build.js +17 -9
package/lib/utils/docker-reload-mount.js +127 -0
package/lib/utils/external-readme.js +117 -4
package/lib/utils/external-system-local-test-tty.js +3 -2
package/lib/utils/external-system-readiness-core.js +45 -12
package/lib/utils/external-system-readiness-deploy-display.js +3 -3
package/lib/utils/external-system-readiness-display-internals.js +33 -3
package/lib/utils/external-system-readiness-display.js +10 -1
package/lib/utils/file-upload.js +40 -3
package/lib/utils/health-check-db-init.js +107 -0
package/lib/utils/health-check-public-warn.js +69 -0
package/lib/utils/health-check-url.js +19 -4
package/lib/utils/health-check.js +135 -105
package/lib/utils/help-builder.js +5 -1
package/lib/utils/image-name.js +34 -7
package/lib/utils/integration-file-backup.js +74 -0
package/lib/utils/mutagen-install.js +30 -3
package/lib/utils/paths.js +108 -25
package/lib/utils/postgres-wipe.js +212 -0
package/lib/utils/register-aifabrix-shell-env.js +15 -0
package/lib/utils/remote-dev-auth.js +21 -5
package/lib/utils/remote-docker-env.js +9 -1
package/lib/utils/remote-secrets-loader.js +42 -3
package/lib/utils/resolve-docker-image-ref.js +9 -3
package/lib/utils/secrets-ancestor-paths.js +47 -0
package/lib/utils/secrets-helpers.js +17 -10
package/lib/utils/secrets-kv-refs.js +42 -0
package/lib/utils/secrets-kv-scope.js +19 -2
package/lib/utils/secrets-materialize-local.js +134 -0
package/lib/utils/secrets-path.js +24 -10
package/lib/utils/secrets-utils.js +2 -2
package/lib/utils/system-builder-root.js +34 -0
package/lib/utils/url-declarative-resolve-build.js +6 -1
package/lib/utils/url-declarative-runtime-base-path.js +32 -0
package/lib/utils/url-declarative-vdir-inactive-env.js +2 -1
package/lib/utils/urls-local-registry.js +73 -20
package/lib/utils/validation-poll-ui.js +81 -0
package/lib/utils/validation-run-poll.js +29 -5
package/lib/utils/with-muted-logger.js +53 -0
package/package.json +1 -1
package/templates/applications/dataplane/application.yaml +1 -1
package/templates/applications/dataplane/rbac.yaml +10 -10
package/templates/applications/keycloak/env.template +8 -6
package/templates/applications/miso-controller/application.yaml +7 -0
package/templates/applications/miso-controller/env.template +7 -7
package/templates/applications/miso-controller/rbac.yaml +9 -9
package/templates/external-system/README.md.hbs +89 -102
package/.nyc_output/55e9d034-ddab-4579-a706-e02a91d75c91.json +0 -1
package/.nyc_output/processinfo/55e9d034-ddab-4579-a706-e02a91d75c91.json +0 -1
package/.nyc_output/processinfo/index.json +0 -1
package/lib/api/service-users.api.js +0 -150
package/lib/api/types/service-users.types.js +0 -65
package/lib/cli/setup-service-user.js +0 -187
package/lib/commands/service-user.js +0 -429

package/lib/app/push.js CHANGED Viewed

@@ -1,4 +1,12 @@
-const { formatSuccessLine, formatSuccessParagraph } = require('../utils/cli-test-layout-chalk');
+const {
+  formatSuccessLine,
+  formatSuccessParagraph,
+  sectionTitle,
+  headerKeyValue,
+  metadata,
+  formatWarningLine,
+  formatNextActions
+} = require('../utils/cli-test-layout-chalk');
 /**
  * Application Push Utilities
  *
@@ -9,9 +17,9 @@ const { formatSuccessLine, formatSuccessParagraph } = require('../utils/cli-test
  * @version 2.0.0
  */
-const chalk = require('chalk');
 const pushUtils = require('../deployment/push');
 const logger = require('../utils/logger');
+const { detectAppType } = require('../utils/paths');
 /**
  * Validate application name format
@@ -150,6 +158,33 @@ async function authenticateWithRegistry(registry) {
   }
 }
+/**
+ * Layout-aligned notice when push is skipped for external integrations.
+ * @param {string} appName
+ */
+function logExternalIntegrationPushNotice(appName) {
+  logger.log('');
+  logger.log(sectionTitle('Push'));
+  logger.log(headerKeyValue('Application:', appName));
+  logger.log(formatWarningLine('External integrations have no application image to push.'));
+  logger.log(metadata('Use upload or deploy for integration artifacts.'));
+  logger.log(formatNextActions([`aifabrix upload ${appName}`, `aifabrix deploy ${appName}`]));
+}
+/**
+ * Header after validation passes for a regular (non-external) push.
+ * @param {string} appName
+ * @param {string} registry
+ * @param {string} imageName
+ */
+function logPushCommandHeader(appName, registry, imageName) {
+  logger.log('');
+  logger.log(sectionTitle('Push'));
+  logger.log(headerKeyValue('Application:', appName));
+  logger.log(metadata(`Registry: ${registry}`));
+  logger.log(metadata(`Repository: ${imageName}`));
+}
 /**
  * Pushes image tags to registry
  * @async
@@ -171,7 +206,9 @@ async function pushImageTags(imageName, registry, tags) {
                         (errorMessage.includes('authentication') && errorMessage.includes('401'));
     if (isAuthError) {
-      logger.log(chalk.yellow('⚠ Authentication expired, re-authenticating...'));
+      logger.log(
+        formatWarningLine('Registry authentication expired; re-authenticating, then retrying push.')
+      );
       await authenticateWithRegistry(registry);
       // Retry push after re-authentication
       await Promise.all(tags.map(async(tag) => {
@@ -190,9 +227,9 @@ async function pushImageTags(imageName, registry, tags) {
  * @param {Array<string>} tags - Image tags
  */
 function displayPushResults(registry, imageName, tags) {
-  logger.log(formatSuccessParagraph(`Successfully pushed ${tags.length} tag(s) to ${registry}`));
-  logger.log(chalk.gray(`Image: ${registry}/${imageName}:*`));
-  logger.log(chalk.gray(`Tags: ${tags.join(', ')}`));
+  logger.log(formatSuccessParagraph(`Pushed ${tags.length} tag(s) to ${registry}`));
+  logger.log(headerKeyValue('Image:', `${registry}/${imageName}`));
+  logger.log(headerKeyValue('Tags:', tags.join(', ')));
 }
 /**
@@ -204,38 +241,25 @@ function displayPushResults(registry, imageName, tags) {
  * @returns {Promise<void>} Resolves when push is complete
  */
 async function pushApp(appName, options = {}) {
-  // Check if app type is external - skip push
-  const { detectAppType } = require('../utils/paths');
   try {
     const { isExternal } = await detectAppType(appName);
     if (isExternal) {
-      logger.log(chalk.yellow('⚠  External systems don\'t require Docker images. Skipping push...'));
+      logExternalIntegrationPushNotice(appName);
       return;
     }
-  } catch (error) {
+  } catch (_error) {
     // If detection fails, continue with normal push
     // (detectAppType throws if app doesn't exist, which is fine for push command)
   }
   try {
-    // Validate app name
     validateAppName(appName);
-    // Load configuration
     const { registry, imageName } = await loadPushConfig(appName, options);
-    // Validate push configuration
     await validatePushConfig(registry, imageName, appName);
-    // Authenticate with registry
+    logPushCommandHeader(appName, registry, imageName);
     await authenticateWithRegistry(registry);
-    // Push image tags
     const tags = options.tag ? options.tag.split(',').map(t => t.trim()) : ['latest'];
     await pushImageTags(imageName, registry, tags);
-    // Display results
     displayPushResults(registry, imageName, tags);
   } catch (error) {
     throw new Error(`Failed to push application: ${error.message}`);
   }
@@ -245,4 +269,3 @@ module.exports = {
   pushApp,
   validateAppName
 };

package/lib/app/register.js CHANGED Viewed

@@ -99,7 +99,7 @@ async function saveLocalCredentials(responseData, apiUrl) {
     // Regenerate .env file with updated credentials
     try {
-      await generateEnvFile(registeredAppKey, null, 'local');
+      await generateEnvFile(registeredAppKey, null, 'local', true);
       logger.log(formatSuccessLine('.env file updated with new credentials'));
     } catch (error) {
       logger.warn(chalk.yellow(`⚠  Could not regenerate .env file: ${error.message}`));

package/lib/app/restart-display.js ADDED Viewed

@@ -0,0 +1,95 @@
+/**
+ * After `docker restart`, describe dev workspace mounts for developer clarity.
+ *
+ * @fileoverview Bind mount vs remote-engine hints (aligns with run --reload messaging)
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+'use strict';
+const logger = require('../utils/logger');
+const config = require('../core/config');
+const { execWithDockerEnv } = require('../utils/docker-exec');
+const { sectionTitle, headerKeyValue, metadata } = require('../utils/cli-test-layout-chalk');
+const { isReloadBindMountOnEngineHost } = require('../utils/docker-reload-mount');
+/**
+ * @param {unknown} mounts - docker inspect .Mounts
+ * @returns {{ Type: string, Source: string, Destination: string }|null}
+ */
+function findAppBindMount(mounts) {
+  if (!Array.isArray(mounts)) {
+    return null;
+  }
+  const hit = mounts.find((m) => m && m.Type === 'bind' && m.Destination === '/app');
+  return hit && typeof hit.Source === 'string' ? hit : null;
+}
+/**
+ * @param {string} stdout
+ * @returns {unknown|null}
+ */
+function parseInspectMountsStdout(stdout) {
+  try {
+    return JSON.parse(String(stdout || '').trim());
+  } catch {
+    return null;
+  }
+}
+/**
+ * @param {string} containerName
+ * @returns {Promise<unknown|null>}
+ */
+async function fetchContainerMountsJson(containerName) {
+  try {
+    const { stdout } = await execWithDockerEnv(
+      `docker inspect --format '{{json .Mounts}}' ${containerName}`,
+      { maxBuffer: 2 * 1024 * 1024 }
+    );
+    return parseInspectMountsStdout(stdout);
+  } catch {
+    return null;
+  }
+}
+/**
+ * Log workspace transport after a successful container restart (mounts unchanged).
+ * @param {string} containerName - Docker container name
+ * @returns {Promise<void>}
+ */
+async function logRestartDevMountSummary(containerName) {
+  if (!containerName || typeof containerName !== 'string') {
+    return;
+  }
+  const mounts = await fetchContainerMountsJson(containerName);
+  const appBind = findAppBindMount(mounts);
+  if (!appBind) {
+    return;
+  }
+  const endpoint = await config.getDockerEndpoint();
+  const localEngine = isReloadBindMountOnEngineHost(endpoint);
+  logger.log('');
+  logger.log(sectionTitle('Dev workspace (unchanged by restart)'));
+  if (localEngine) {
+    logger.log(headerKeyValue('Transport:', 'Direct bind mount on the Docker host (no Mutagen).'));
+    logger.log(headerKeyValue('Host path → container:', `${appBind.Source} → /app`));
+    logger.log(metadata('Edits under the host path are visible inside the container immediately.'));
+  } else {
+    logger.log(
+      headerKeyValue(
+        'Transport:',
+        'Bind mount on the Docker engine (see path below; Mutagen may sync to this path when using --reload).'
+      )
+    );
+    logger.log(headerKeyValue('Engine path → container:', `${appBind.Source} → /app`));
+  }
+  logger.log('');
+}
+module.exports = {
+  findAppBindMount,
+  logRestartDevMountSummary
+};

package/lib/app/rotate-secret.js CHANGED Viewed

@@ -287,7 +287,7 @@ async function saveCredentialsLocally(appKey, credentials, actualControllerUrl)
       // Regenerate .env file with updated credentials
       try {
-        await generateEnvFile(appKey, null, 'local');
+        await generateEnvFile(appKey, null, 'local', true);
         logger.log(formatSuccessLine('.env file updated with new credentials'));
       } catch (error) {
         logger.warn(chalk.yellow(`⚠  Could not regenerate .env file: ${error.message}`));

package/lib/app/run-container-start.js CHANGED Viewed

@@ -5,7 +5,11 @@
  */
 'use strict';
-const { formatSuccessLine } = require('../utils/cli-test-layout-chalk');
+const {
+  formatSuccessLine,
+  formatProgress,
+  formatWarningLine
+} = require('../utils/cli-test-layout-chalk');
 const fs = require('fs').promises;
 const chalk = require('chalk');
@@ -31,8 +35,8 @@ const execAsync = promisify(exec);
 async function emitAndRunDockerFallback(appName, appConfig, port, opts) {
   const { debug, runEnvPath, runOptions, misoEnvironment } = opts;
   logger.log(
-    chalk.yellow(
-      'Docker Compose not found; using docker run (apps without database/redis only). ' +
+    formatWarningLine(
+      'Docker Compose not found; using docker run (apps without Postgres/Redis only). ' +
         'Install docker-compose-plugin for full compose support.'
     )
   );
@@ -116,7 +120,7 @@ async function waitForHealthyAndCleanupEnvFiles(appName, port, appConfig, o) {
   const displayUrl = (healthUrl && typeof healthUrl === 'string')
     ? healthUrl
     : `http://localhost:${port}${healthCheckPath}`;
-  logger.log(chalk.blue(`Waiting for application to be healthy at ${displayUrl}...`));
+  logger.log(formatProgress(`Waiting for healthy: ${displayUrl}…`));
   await healthCheck.waitForHealthCheck(appName, 90, port, appConfig, debug, ro);
   for (const p of [runEnvPath, runEnvAdminPath]) {
@@ -124,7 +128,9 @@ async function waitForHealthyAndCleanupEnvFiles(appName, port, appConfig, o) {
       try {
         await fs.unlink(p);
       } catch (err) {
-        if (err.code !== 'ENOENT') logger.log(chalk.yellow(`Warning: could not remove run .env: ${err.message}`));
+        if (err.code !== 'ENOENT') {
+          logger.log(formatWarningLine(`Could not remove run .env: ${err.message}`));
+        }
       }
     }
   }
@@ -148,7 +154,7 @@ async function startContainer(appName, composePath, port, appConfig = null, opts
     devMountPath = null,
     misoEnvironment = 'dev'
   } = opts;
-  logger.log(chalk.blue(`Starting ${appName}...`));
+  logger.log(formatProgress(`Starting ${appName}…`));
   let composeCmdBase;
   let usedDockerRunFallback = false;

package/lib/app/run-env-compose.js CHANGED Viewed

@@ -14,9 +14,36 @@ const fs = require('fs').promises;
 const fsSync = require('fs');
 const pathsUtil = require('../utils/paths');
 const adminSecrets = require('../core/admin-secrets');
+const secretsEnsure = require('../core/secrets-ensure');
 const secretsEnvWrite = require('../core/secrets-env-write');
 const { getContainerPort } = require('../utils/port-resolver');
+/**
+ * Backfill only secrets needed for `aifabrix run <app>`: kv:// keys from that app's env.template
+ * (catalog defaults via placeholderContext). Does not run full `ensureInfraSecrets`.
+ *
+ * Docker Postgres admin password for compose/db-init comes from **admin-secrets.env** (see
+ * `ensureAdminSecrets` / `readAndDecryptAdminSecrets`), not from `postgres-passwordKeyVault` on every run.
+ * The kv key is used when **generating** admin-secrets (e.g. first `up-infra`) via `generateAdminSecretsEnv`;
+ * we do not duplicate it here when an admin file already exists.
+ *
+ * @async
+ * @param {string} appName - Builder application key
+ * @returns {Promise<void>}
+ */
+async function ensureRunSecretsForApp(appName) {
+  const placeholderContext = secretsEnsure.buildInfraPlaceholderContext({});
+  const userSecretsPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+  const templatePath = path.join(pathsUtil.getBuilderPath(appName), 'env.template');
+  if (fsSync.existsSync(templatePath)) {
+    await secretsEnsure.ensureSecretsFromEnvTemplate(templatePath, {
+      placeholderContext,
+      preferredFilePath: userSecretsPath,
+      useMergedSecretsForMissingKeys: true
+    });
+  }
+}
 /**
  * Clean applications directory: remove generated docker-compose.yaml and .env.* files.
  * @param {string|number} developerId - Developer ID
@@ -204,6 +231,7 @@ async function buildMergedRunEnvAndWrite(appName, appConfig, devDir, developerId
   const ensureAdminSecretsFn = typeof infra.ensureAdminSecrets === 'function'
     ? infra.ensureAdminSecrets
     : require('../infrastructure/helpers').ensureAdminSecrets;
+  await ensureRunSecretsForApp(appName);
   await ensureAdminSecretsFn();
   const adminObj = await adminSecrets.readAndDecryptAdminSecrets();
   const runEnvKey = scopeOpts && scopeOpts.runEnvKey ? String(scopeOpts.runEnvKey).toLowerCase() : 'dev';
@@ -248,5 +276,6 @@ function assertNoPasswordLiteralsInCompose(composeContent) {
 module.exports = {
   cleanApplicationsDir,
   buildMergedRunEnvAndWrite,
-  assertNoPasswordLiteralsInCompose
+  assertNoPasswordLiteralsInCompose,
+  ensureRunSecretsForApp
 };

package/lib/app/run-helpers.js CHANGED Viewed

@@ -1,4 +1,12 @@
-const { formatSuccessLine, formatSuccessParagraph } = require('../utils/cli-test-layout-chalk');
+const {
+  formatSuccessLine,
+  formatSuccessParagraph,
+  formatProgress,
+  formatNextActions,
+  headerKeyValue,
+  metadata,
+  infoLine
+} = require('../utils/cli-test-layout-chalk');
 /**
  * AI Fabrix Builder - App Run Helpers
  *
@@ -28,6 +36,8 @@ const { resolveRunImage } = require('./run-resolve-image');
 const { startContainer } = require('./run-container-start');
 const { resolveEnvOutputPath, writeEnvOutputForReload, writeEnvOutputForLocal } = require('../utils/env-copy');
 const { resolveVersionForApp } = require('../utils/image-version');
+const healthCheckUtil = require('../utils/health-check');
+const { computeTraefikPublicAppUrl } = require('../utils/health-check-url');
 /** Template apps (keycloak, miso-controller, dataplane) - never update application config when running */
 const TEMPLATE_APP_KEYS = ['keycloak', 'miso-controller', 'dataplane'];
@@ -179,7 +189,7 @@ async function checkPrerequisites(appName, appConfig, debug = false, skipInfraCh
     logger.log(chalk.gray(`[DEBUG] Image name: ${imageName}, tag: ${imageTag}`));
   }
-  logger.log(chalk.blue(`Checking if image ${fullImageName} exists...`));
+  logger.log(formatProgress(`Checking image ${fullImageName}…`));
   const imageExists = await checkImageExists(imageName, imageTag, debug);
   if (!imageExists) {
     const isTemplateApp = TEMPLATE_APP_KEYS.includes(appName);
@@ -208,12 +218,12 @@ async function checkInfraHealthOrThrow(debug, appConfig) {
   const requirements = getAppInfraRequirements(appConfig);
   if (requirements && !requirements.needsPostgres && !requirements.needsRedis) {
     logger.log(
-      chalk.blue('Skipping infrastructure check (application does not require database or redis)...')
+      infoLine('Skipping Postgres/Redis health check (not required by this application).')
     );
     return;
   }
-  logger.log(chalk.blue('Checking infrastructure health...'));
+  logger.log(formatProgress('Checking infrastructure health…'));
   const infra = require('../infrastructure');
   const healthOptions =
     requirements === null
@@ -280,7 +290,7 @@ function calculateComposePort(options, appConfig, developerId) {
  * @returns {Promise<string>} Path to compose file
  */
 async function generateComposeFile(appName, appConfig, composeOptions, devDir) {
-  logger.log(chalk.blue('Generating Docker Compose configuration...'));
+  logger.log(formatProgress('Generating Docker Compose configuration…'));
   const composeContent = await composeGenerator.generateDockerCompose(appName, appConfig, composeOptions);
   runEnvCompose.assertNoPasswordLiteralsInCompose(composeContent);
   const tempComposePath = path.join(devDir, 'docker-compose.yaml');
@@ -338,7 +348,7 @@ async function prepareEnvironment(appName, appConfig, options) {
   );
   runEnvCompose.cleanApplicationsDir(developerId);
-  logger.log(chalk.blue('Building merged .env (admin + app secrets)...'));
+  logger.log(formatProgress('Building merged .env (admin + app secrets)…'));
   const { runEnvPath, runEnvAdminPath } = await runEnvCompose.buildMergedRunEnvAndWrite(
     appName,
     appConfig,
@@ -367,15 +377,37 @@ async function prepareEnvironment(appName, appConfig, options) {
  * @param {string} appName - Application name
  * @param {number} port - Application port
  * @param {Object} appConfig - Application configuration (with developerId property)
+ * @param {Object|null} [runScopeOpts] - Optional env-scoped container naming
+ * @param {Object} [runOptions] - Run options (traefikEnabled / probeViaTraefik for public URL)
  */
-async function displayRunStatus(appName, port, appConfig, runScopeOpts = null) {
+async function displayRunStatus(appName, port, appConfig, runScopeOpts = null, runOptions = {}) {
   const containerName = containerHelpers.getContainerName(appName, appConfig.developerId, runScopeOpts);
-  const healthCheckPath = appConfig?.healthCheck?.path || '/health';
-  const healthCheckUrl = `http://localhost:${port}${healthCheckPath}`;
+  const ro = runOptions && typeof runOptions === 'object' ? runOptions : {};
+  const wantsPublic = Boolean(ro.probeViaTraefik === true || ro.traefikEnabled === true);
-  logger.log(formatSuccessParagraph(`App running at http://localhost:${port}`));
-  logger.log(chalk.blue(`Health check: ${healthCheckUrl}`));
-  logger.log(chalk.gray(`Container: ${containerName}`));
+  let primaryAppUrl = `http://localhost:${port}`;
+  if (wantsPublic) {
+    const pub = await computeTraefikPublicAppUrl(appName, port, appConfig);
+    if (pub) primaryAppUrl = pub;
+  }
+  const healthTipUrl = await healthCheckUtil.computeHealthCheckUrl(appName, port, appConfig, {
+    runOptions: ro
+  });
+  logger.log(formatSuccessParagraph(`App running at ${primaryAppUrl}`));
+  if (wantsPublic && primaryAppUrl.indexOf('localhost') === -1) {
+    logger.log(metadata(`Local direct: http://localhost:${port}`));
+  }
+  logger.log(headerKeyValue('Health check:', healthTipUrl));
+  logger.log(headerKeyValue('Container:', containerName));
+  logger.log('');
+  logger.log(
+    formatNextActions([
+      `Validate errors: aifabrix logs ${appName} -l error`,
+      `Follow output: aifabrix logs ${appName} -f -t 100`
+    ])
+  );
 }
 module.exports = {

package/lib/app/run-reload-sync.js ADDED Viewed

@@ -0,0 +1,148 @@
+/**
+ * Mutagen sync for `aifabrix run --reload` when Docker runs on another host.
+ *
+ * @fileoverview ensureReloadSync extracted from run.js (size limits)
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+'use strict';
+const chalk = require('chalk');
+const { formatProgress } = require('../utils/cli-test-layout-chalk');
+const config = require('../core/config');
+const logger = require('../utils/logger');
+const mutagen = require('../utils/mutagen');
+const pathsUtil = require('../utils/paths');
+const {
+  isReloadBindMountOnEngineHost,
+  isLocalhostSyncSshHost
+} = require('../utils/docker-reload-mount');
+const { sectionTitle, headerKeyValue, metadata } = require('../utils/cli-test-layout-chalk');
+/**
+ * @typedef {Object} ReloadSyncSummaryBind
+ * @property {'bind-mount'} transport
+ * @property {string} hostPath - Host directory bind-mounted to /app in the container
+ */
+/**
+ * @typedef {Object} ReloadSyncSummaryMutagen
+ * @property {'mutagen'} transport
+ * @property {string} remotePath - Path on sync host used for Docker -v
+ * @property {string} sessionName - Mutagen session name
+ * @property {string} localPath - Local folder synced (same as build context)
+ * @property {string} syncSshHost - sync-ssh-host from config
+ * @property {string} sshUrl - Mutagen endpoint (user@host:path)
+ */
+/**
+ * @typedef {ReloadSyncSummaryBind|ReloadSyncSummaryMutagen} ReloadSyncSummary
+ */
+/**
+ * Install Mutagen if needed, create sync session, return summary for compose and UX.
+ * @param {string} appName
+ * @param {string} developerId
+ * @param {boolean} debug
+ * @param {string} codePath
+ * @param {string} [remoteSyncPath]
+ * @param {string} syncSshHost
+ * @returns {Promise<ReloadSyncSummaryMutagen>}
+ */
+async function startMutagenReloadSync(
+  appName,
+  developerId,
+  debug,
+  codePath,
+  remoteSyncPath,
+  syncSshHost
+) {
+  const [userMutagenFolder, syncSshUser] = await Promise.all([
+    config.getUserMutagenFolder(),
+    config.getSyncSshUser()
+  ]);
+  if (!userMutagenFolder || !syncSshUser || !syncSshHost) {
+    throw new Error(
+      'run --reload requires remote server sync settings. Run "aifabrix dev init" or set user-mutagen-folder, sync-ssh-user, sync-ssh-host in config.'
+    );
+  }
+  const mutagenPath = await mutagen.ensureMutagenPath(logger.log);
+  const remotePath = mutagen.getRemotePath(userMutagenFolder, appName, remoteSyncPath);
+  const sshUrl = mutagen.getSyncSshUrl(syncSshUser, syncSshHost, remotePath);
+  const sessionName = mutagen.getSessionName(developerId, appName);
+  const localPath = (codePath && typeof codePath === 'string') ? codePath : pathsUtil.getBuilderPath(appName);
+  if (debug) logger.log(chalk.gray(`[DEBUG] Mutagen sync: ${sessionName} ${localPath} <-> ${sshUrl}`));
+  logger.log(formatProgress('Reload: ensuring Mutagen sync (remote Docker engine)…'));
+  await mutagen.ensureSyncSession(mutagenPath, sessionName, localPath, sshUrl);
+  return {
+    transport: 'mutagen',
+    remotePath,
+    sessionName,
+    localPath,
+    syncSshHost,
+    sshUrl
+  };
+}
+/**
+ * When run --reload in dev with remote: ensure Mutagen sync session; return summary for mounts and CLI copy.
+ * Uses codePath (resolved build.context) as Mutagen local path so one config field drives both local and remote.
+ * Skips Mutagen when docker-endpoint targets this host (bind mount) or sync-ssh-host is localhost.
+ *
+ * @param {string} appName - Application name
+ * @param {string} developerId - Developer ID
+ * @param {boolean} debug - Debug flag
+ * @param {string} codePath - Resolved build.context (absolute path to app code)
+ * @param {string} [remoteSyncPath] - Optional relative path under user-mutagen-folder (from build.remoteSyncPath); when unset, defaults to dev/<appKey>
+ * @returns {Promise<ReloadSyncSummary>}
+ * @throws {Error} If --reload but remote not configured, or Mutagen install fails
+ */
+async function ensureReloadSync(appName, developerId, debug, codePath, remoteSyncPath) {
+  const endpoint = await config.getDockerEndpoint();
+  if (isReloadBindMountOnEngineHost(endpoint)) {
+    if (debug) {
+      logger.log(
+        chalk.gray('[DEBUG] Docker engine shares this host filesystem; skipping Mutagen for --reload')
+      );
+    }
+    return { transport: 'bind-mount', hostPath: codePath };
+  }
+  const syncSshHost = await config.getSyncSshHost();
+  if (isLocalhostSyncSshHost(syncSshHost || '')) {
+    if (debug) {
+      logger.log(chalk.gray('[DEBUG] sync-ssh-host is localhost; skipping Mutagen, using local path'));
+    }
+    return { transport: 'bind-mount', hostPath: codePath };
+  }
+  return startMutagenReloadSync(appName, developerId, debug, codePath, remoteSyncPath, syncSshHost);
+}
+/**
+ * Log how --reload is wired (bind vs Mutagen) after compose/env prep, before container start.
+ * @param {boolean} reload
+ * @param {ReloadSyncSummary|undefined} summary
+ */
+function logReloadDevSummary(reload, summary) {
+  if (!reload || !summary) {
+    return;
+  }
+  logger.log('');
+  logger.log(sectionTitle('Reload (dev)'));
+  if (summary.transport === 'bind-mount') {
+    logger.log(headerKeyValue('Transport:', 'Direct bind mount on the Docker host (no Mutagen).'));
+    logger.log(headerKeyValue('Host path → container:', `${summary.hostPath} → /app`));
+    logger.log(metadata('Edits under the host path are visible inside the container immediately.'));
+    logger.log('');
+    return;
+  }
+  logger.log(headerKeyValue('Transport:', 'Mutagen two-way sync (Docker engine on another host).'));
+  logger.log(headerKeyValue('Session:', summary.sessionName));
+  logger.log(headerKeyValue('Sync host:', summary.syncSshHost));
+  logger.log(headerKeyValue('Local folder:', summary.localPath));
+  logger.log(headerKeyValue('Remote mount (-v):', summary.remotePath));
+  logger.log(metadata(`Mutagen endpoint: ${summary.sshUrl}`));
+  logger.log('');
+}
+module.exports = { ensureReloadSync, logReloadDevSummary };

package/lib/app/run-resolve-image.js CHANGED Viewed

@@ -6,7 +6,10 @@
 'use strict';
+const config = require('../core/config');
 const { resolveDockerImageRef } = require('../utils/resolve-docker-image-ref');
+const { checkImageExists } = require('../utils/app-run-containers');
+const { buildDevImageRepositoryPath } = require('../utils/image-name');
 /**
  * @param {string} appName
@@ -18,4 +21,51 @@ function resolveRunImage(appName, appConfig, runOptions) {
   return resolveDockerImageRef(appName, appConfig, runOptions);
 }
-module.exports = { resolveRunImage };
+/**
+ * Resolves which local image to run: developer-scoped ref first when present, else manifest base.
+ * With {@link runOptions.base} true, uses manifest base only (no dev-first probe).
+ *
+ * @async
+ * @param {string} appName
+ * @param {Object} appConfig
+ * @param {Object} [runOptions]
+ * @param {string} [runOptions.image] - Full override (skips fallback logic)
+ * @param {boolean} [runOptions.base] - When true, manifest base ref only
+ * @returns {Promise<{ imageName: string, imageTag: string }>}
+ */
+async function resolveRunImageWithLocalFallback(appName, appConfig, runOptions = {}) {
+  const opts = runOptions || {};
+  if (opts.image) {
+    return resolveDockerImageRef(appName, appConfig, opts);
+  }
+  const baseRef = resolveDockerImageRef(appName, appConfig, opts);
+  if (opts.base === true) {
+    return baseRef;
+  }
+  const developerId = await config.getDeveloperId();
+  const idNum = typeof developerId === 'string' ? parseInt(developerId, 10) : developerId;
+  if (!Number.isFinite(idNum) || idNum === 0) {
+    return baseRef;
+  }
+  const tag = baseRef.imageTag;
+  const devRepo = buildDevImageRepositoryPath(baseRef.imageName, developerId);
+  const devExists = await checkImageExists(devRepo, tag, false);
+  if (devExists) {
+    return { imageName: devRepo, imageTag: tag };
+  }
+  const baseExists = await checkImageExists(baseRef.imageName, tag, false);
+  if (baseExists) {
+    return baseRef;
+  }
+  throw new Error(
+    `Docker image not found (tried ${devRepo}:${tag} then ${baseRef.imageName}:${tag})\n` +
+      `Run 'aifabrix build ${appName}' or pull the manifest image, or use --base after pulling the base image.`
+  );
+}
+module.exports = { resolveRunImage, resolveRunImageWithLocalFallback };