@aifabrix/builder 2.44.5 → 2.44.6

package/lib/app/run-env-compose.js

@@ -14,9 +14,36 @@ const fs = require('fs').promises;
 const fsSync = require('fs');
 const pathsUtil = require('../utils/paths');
 const adminSecrets = require('../core/admin-secrets');
+const secretsEnsure = require('../core/secrets-ensure');
 const secretsEnvWrite = require('../core/secrets-env-write');
 const { getContainerPort } = require('../utils/port-resolver');
 
+/**
+ * Backfill only secrets needed for `aifabrix run <app>`: kv:// keys from that app's env.template
+ * (catalog defaults via placeholderContext). Does not run full `ensureInfraSecrets`.
+ *
+ * Docker Postgres admin password for compose/db-init comes from **admin-secrets.env** (see
+ * `ensureAdminSecrets` / `readAndDecryptAdminSecrets`), not from `postgres-passwordKeyVault` on every run.
+ * The kv key is used when **generating** admin-secrets (e.g. first `up-infra`) via `generateAdminSecretsEnv`;
+ * we do not duplicate it here when an admin file already exists.
+ *
+ * @async
+ * @param {string} appName - Builder application key
+ * @returns {Promise<void>}
+ */
+async function ensureRunSecretsForApp(appName) {
+  const placeholderContext = secretsEnsure.buildInfraPlaceholderContext({});
+  const userSecretsPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+  const templatePath = path.join(pathsUtil.getBuilderPath(appName), 'env.template');
+  if (fsSync.existsSync(templatePath)) {
+    await secretsEnsure.ensureSecretsFromEnvTemplate(templatePath, {
+      placeholderContext,
+      preferredFilePath: userSecretsPath,
+      useMergedSecretsForMissingKeys: true
+    });
+  }
+}
+
 /**
  * Clean applications directory: remove generated docker-compose.yaml and .env.* files.
  * @param {string|number} developerId - Developer ID
@@ -204,6 +231,7 @@ async function buildMergedRunEnvAndWrite(appName, appConfig, devDir, developerId
   const ensureAdminSecretsFn = typeof infra.ensureAdminSecrets === 'function'
     ? infra.ensureAdminSecrets
     : require('../infrastructure/helpers').ensureAdminSecrets;
+  await ensureRunSecretsForApp(appName);
   await ensureAdminSecretsFn();
   const adminObj = await adminSecrets.readAndDecryptAdminSecrets();
   const runEnvKey = scopeOpts && scopeOpts.runEnvKey ? String(scopeOpts.runEnvKey).toLowerCase() : 'dev';
@@ -248,5 +276,6 @@ function assertNoPasswordLiteralsInCompose(composeContent) {
 module.exports = {
   cleanApplicationsDir,
   buildMergedRunEnvAndWrite,
-  assertNoPasswordLiteralsInCompose
+  assertNoPasswordLiteralsInCompose,
+  ensureRunSecretsForApp
 };

package/lib/app/run-helpers.js

@@ -1,4 +1,12 @@
-const { formatSuccessLine, formatSuccessParagraph } = require('../utils/cli-test-layout-chalk');
+const {
+  formatSuccessLine,
+  formatSuccessParagraph,
+  formatProgress,
+  formatNextActions,
+  headerKeyValue,
+  metadata,
+  infoLine
+} = require('../utils/cli-test-layout-chalk');
 /**
  * AI Fabrix Builder - App Run Helpers
  *
@@ -28,6 +36,8 @@ const { resolveRunImage } = require('./run-resolve-image');
 const { startContainer } = require('./run-container-start');
 const { resolveEnvOutputPath, writeEnvOutputForReload, writeEnvOutputForLocal } = require('../utils/env-copy');
 const { resolveVersionForApp } = require('../utils/image-version');
+const healthCheckUtil = require('../utils/health-check');
+const { computeTraefikPublicAppUrl } = require('../utils/health-check-url');
 
 /** Template apps (keycloak, miso-controller, dataplane) - never update application config when running */
 const TEMPLATE_APP_KEYS = ['keycloak', 'miso-controller', 'dataplane'];
@@ -179,7 +189,7 @@ async function checkPrerequisites(appName, appConfig, debug = false, skipInfraCh
     logger.log(chalk.gray(`[DEBUG] Image name: ${imageName}, tag: ${imageTag}`));
   }
 
-  logger.log(chalk.blue(`Checking if image ${fullImageName} exists...`));
+  logger.log(formatProgress(`Checking image ${fullImageName}…`));
   const imageExists = await checkImageExists(imageName, imageTag, debug);
   if (!imageExists) {
     const isTemplateApp = TEMPLATE_APP_KEYS.includes(appName);
@@ -208,12 +218,12 @@ async function checkInfraHealthOrThrow(debug, appConfig) {
   const requirements = getAppInfraRequirements(appConfig);
   if (requirements && !requirements.needsPostgres && !requirements.needsRedis) {
     logger.log(
-      chalk.blue('Skipping infrastructure check (application does not require database or redis)...')
+      infoLine('Skipping Postgres/Redis health check (not required by this application).')
     );
     return;
   }
 
-  logger.log(chalk.blue('Checking infrastructure health...'));
+  logger.log(formatProgress('Checking infrastructure health…'));
   const infra = require('../infrastructure');
   const healthOptions =
     requirements === null
@@ -280,7 +290,7 @@ function calculateComposePort(options, appConfig, developerId) {
  * @returns {Promise<string>} Path to compose file
  */
 async function generateComposeFile(appName, appConfig, composeOptions, devDir) {
-  logger.log(chalk.blue('Generating Docker Compose configuration...'));
+  logger.log(formatProgress('Generating Docker Compose configuration…'));
   const composeContent = await composeGenerator.generateDockerCompose(appName, appConfig, composeOptions);
   runEnvCompose.assertNoPasswordLiteralsInCompose(composeContent);
   const tempComposePath = path.join(devDir, 'docker-compose.yaml');
@@ -338,7 +348,7 @@ async function prepareEnvironment(appName, appConfig, options) {
   );
 
   runEnvCompose.cleanApplicationsDir(developerId);
-  logger.log(chalk.blue('Building merged .env (admin + app secrets)...'));
+  logger.log(formatProgress('Building merged .env (admin + app secrets)…'));
   const { runEnvPath, runEnvAdminPath } = await runEnvCompose.buildMergedRunEnvAndWrite(
     appName,
     appConfig,
@@ -367,15 +377,37 @@ async function prepareEnvironment(appName, appConfig, options) {
  * @param {string} appName - Application name
  * @param {number} port - Application port
  * @param {Object} appConfig - Application configuration (with developerId property)
+ * @param {Object|null} [runScopeOpts] - Optional env-scoped container naming
+ * @param {Object} [runOptions] - Run options (traefikEnabled / probeViaTraefik for public URL)
  */
-async function displayRunStatus(appName, port, appConfig, runScopeOpts = null) {
+async function displayRunStatus(appName, port, appConfig, runScopeOpts = null, runOptions = {}) {
   const containerName = containerHelpers.getContainerName(appName, appConfig.developerId, runScopeOpts);
-  const healthCheckPath = appConfig?.healthCheck?.path || '/health';
-  const healthCheckUrl = `http://localhost:${port}${healthCheckPath}`;
+  const ro = runOptions && typeof runOptions === 'object' ? runOptions : {};
+  const wantsPublic = Boolean(ro.probeViaTraefik === true || ro.traefikEnabled === true);
 
-  logger.log(formatSuccessParagraph(`App running at http://localhost:${port}`));
-  logger.log(chalk.blue(`Health check: ${healthCheckUrl}`));
-  logger.log(chalk.gray(`Container: ${containerName}`));
+  let primaryAppUrl = `http://localhost:${port}`;
+  if (wantsPublic) {
+    const pub = await computeTraefikPublicAppUrl(appName, port, appConfig);
+    if (pub) primaryAppUrl = pub;
+  }
+
+  const healthTipUrl = await healthCheckUtil.computeHealthCheckUrl(appName, port, appConfig, {
+    runOptions: ro
+  });
+
+  logger.log(formatSuccessParagraph(`App running at ${primaryAppUrl}`));
+  if (wantsPublic && primaryAppUrl.indexOf('localhost') === -1) {
+    logger.log(metadata(`Local direct: http://localhost:${port}`));
+  }
+  logger.log(headerKeyValue('Health check:', healthTipUrl));
+  logger.log(headerKeyValue('Container:', containerName));
+  logger.log('');
+  logger.log(
+    formatNextActions([
+      `Validate errors: aifabrix logs ${appName} -l error`,
+      `Follow output: aifabrix logs ${appName} -f -t 100`
+    ])
+  );
 }
 
 module.exports = {

package/lib/app/run-reload-sync.js

@@ -0,0 +1,148 @@
+/**
+ * Mutagen sync for `aifabrix run --reload` when Docker runs on another host.
+ *
+ * @fileoverview ensureReloadSync extracted from run.js (size limits)
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const chalk = require('chalk');
+const { formatProgress } = require('../utils/cli-test-layout-chalk');
+const config = require('../core/config');
+const logger = require('../utils/logger');
+const mutagen = require('../utils/mutagen');
+const pathsUtil = require('../utils/paths');
+const {
+  isReloadBindMountOnEngineHost,
+  isLocalhostSyncSshHost
+} = require('../utils/docker-reload-mount');
+const { sectionTitle, headerKeyValue, metadata } = require('../utils/cli-test-layout-chalk');
+
+/**
+ * @typedef {Object} ReloadSyncSummaryBind
+ * @property {'bind-mount'} transport
+ * @property {string} hostPath - Host directory bind-mounted to /app in the container
+ */
+
+/**
+ * @typedef {Object} ReloadSyncSummaryMutagen
+ * @property {'mutagen'} transport
+ * @property {string} remotePath - Path on sync host used for Docker -v
+ * @property {string} sessionName - Mutagen session name
+ * @property {string} localPath - Local folder synced (same as build context)
+ * @property {string} syncSshHost - sync-ssh-host from config
+ * @property {string} sshUrl - Mutagen endpoint (user@host:path)
+ */
+
+/**
+ * @typedef {ReloadSyncSummaryBind|ReloadSyncSummaryMutagen} ReloadSyncSummary
+ */
+
+/**
+ * Install Mutagen if needed, create sync session, return summary for compose and UX.
+ * @param {string} appName
+ * @param {string} developerId
+ * @param {boolean} debug
+ * @param {string} codePath
+ * @param {string} [remoteSyncPath]
+ * @param {string} syncSshHost
+ * @returns {Promise<ReloadSyncSummaryMutagen>}
+ */
+async function startMutagenReloadSync(
+  appName,
+  developerId,
+  debug,
+  codePath,
+  remoteSyncPath,
+  syncSshHost
+) {
+  const [userMutagenFolder, syncSshUser] = await Promise.all([
+    config.getUserMutagenFolder(),
+    config.getSyncSshUser()
+  ]);
+  if (!userMutagenFolder || !syncSshUser || !syncSshHost) {
+    throw new Error(
+      'run --reload requires remote server sync settings. Run "aifabrix dev init" or set user-mutagen-folder, sync-ssh-user, sync-ssh-host in config.'
+    );
+  }
+  const mutagenPath = await mutagen.ensureMutagenPath(logger.log);
+  const remotePath = mutagen.getRemotePath(userMutagenFolder, appName, remoteSyncPath);
+  const sshUrl = mutagen.getSyncSshUrl(syncSshUser, syncSshHost, remotePath);
+  const sessionName = mutagen.getSessionName(developerId, appName);
+  const localPath = (codePath && typeof codePath === 'string') ? codePath : pathsUtil.getBuilderPath(appName);
+  if (debug) logger.log(chalk.gray(`[DEBUG] Mutagen sync: ${sessionName} ${localPath} <-> ${sshUrl}`));
+  logger.log(formatProgress('Reload: ensuring Mutagen sync (remote Docker engine)…'));
+  await mutagen.ensureSyncSession(mutagenPath, sessionName, localPath, sshUrl);
+  return {
+    transport: 'mutagen',
+    remotePath,
+    sessionName,
+    localPath,
+    syncSshHost,
+    sshUrl
+  };
+}
+
+/**
+ * When run --reload in dev with remote: ensure Mutagen sync session; return summary for mounts and CLI copy.
+ * Uses codePath (resolved build.context) as Mutagen local path so one config field drives both local and remote.
+ * Skips Mutagen when docker-endpoint targets this host (bind mount) or sync-ssh-host is localhost.
+ *
+ * @param {string} appName - Application name
+ * @param {string} developerId - Developer ID
+ * @param {boolean} debug - Debug flag
+ * @param {string} codePath - Resolved build.context (absolute path to app code)
+ * @param {string} [remoteSyncPath] - Optional relative path under user-mutagen-folder (from build.remoteSyncPath); when unset, defaults to dev/<appKey>
+ * @returns {Promise<ReloadSyncSummary>}
+ * @throws {Error} If --reload but remote not configured, or Mutagen install fails
+ */
+async function ensureReloadSync(appName, developerId, debug, codePath, remoteSyncPath) {
+  const endpoint = await config.getDockerEndpoint();
+  if (isReloadBindMountOnEngineHost(endpoint)) {
+    if (debug) {
+      logger.log(
+        chalk.gray('[DEBUG] Docker engine shares this host filesystem; skipping Mutagen for --reload')
+      );
+    }
+    return { transport: 'bind-mount', hostPath: codePath };
+  }
+  const syncSshHost = await config.getSyncSshHost();
+  if (isLocalhostSyncSshHost(syncSshHost || '')) {
+    if (debug) {
+      logger.log(chalk.gray('[DEBUG] sync-ssh-host is localhost; skipping Mutagen, using local path'));
+    }
+    return { transport: 'bind-mount', hostPath: codePath };
+  }
+  return startMutagenReloadSync(appName, developerId, debug, codePath, remoteSyncPath, syncSshHost);
+}
+
+/**
+ * Log how --reload is wired (bind vs Mutagen) after compose/env prep, before container start.
+ * @param {boolean} reload
+ * @param {ReloadSyncSummary|undefined} summary
+ */
+function logReloadDevSummary(reload, summary) {
+  if (!reload || !summary) {
+    return;
+  }
+  logger.log('');
+  logger.log(sectionTitle('Reload (dev)'));
+  if (summary.transport === 'bind-mount') {
+    logger.log(headerKeyValue('Transport:', 'Direct bind mount on the Docker host (no Mutagen).'));
+    logger.log(headerKeyValue('Host path → container:', `${summary.hostPath} → /app`));
+    logger.log(metadata('Edits under the host path are visible inside the container immediately.'));
+    logger.log('');
+    return;
+  }
+  logger.log(headerKeyValue('Transport:', 'Mutagen two-way sync (Docker engine on another host).'));
+  logger.log(headerKeyValue('Session:', summary.sessionName));
+  logger.log(headerKeyValue('Sync host:', summary.syncSshHost));
+  logger.log(headerKeyValue('Local folder:', summary.localPath));
+  logger.log(headerKeyValue('Remote mount (-v):', summary.remotePath));
+  logger.log(metadata(`Mutagen endpoint: ${summary.sshUrl}`));
+  logger.log('');
+}
+
+module.exports = { ensureReloadSync, logReloadDevSummary };

package/lib/app/run-resolve-image.js

@@ -6,7 +6,10 @@
 
 'use strict';
 
+const config = require('../core/config');
 const { resolveDockerImageRef } = require('../utils/resolve-docker-image-ref');
+const { checkImageExists } = require('../utils/app-run-containers');
+const { buildDevImageRepositoryPath } = require('../utils/image-name');
 
 /**
  * @param {string} appName
@@ -18,4 +21,51 @@ function resolveRunImage(appName, appConfig, runOptions) {
   return resolveDockerImageRef(appName, appConfig, runOptions);
 }
 
-module.exports = { resolveRunImage };
+/**
+ * Resolves which local image to run: developer-scoped ref first when present, else manifest base.
+ * With {@link runOptions.base} true, uses manifest base only (no dev-first probe).
+ *
+ * @async
+ * @param {string} appName
+ * @param {Object} appConfig
+ * @param {Object} [runOptions]
+ * @param {string} [runOptions.image] - Full override (skips fallback logic)
+ * @param {boolean} [runOptions.base] - When true, manifest base ref only
+ * @returns {Promise<{ imageName: string, imageTag: string }>}
+ */
+async function resolveRunImageWithLocalFallback(appName, appConfig, runOptions = {}) {
+  const opts = runOptions || {};
+  if (opts.image) {
+    return resolveDockerImageRef(appName, appConfig, opts);
+  }
+
+  const baseRef = resolveDockerImageRef(appName, appConfig, opts);
+
+  if (opts.base === true) {
+    return baseRef;
+  }
+
+  const developerId = await config.getDeveloperId();
+  const idNum = typeof developerId === 'string' ? parseInt(developerId, 10) : developerId;
+  if (!Number.isFinite(idNum) || idNum === 0) {
+    return baseRef;
+  }
+
+  const tag = baseRef.imageTag;
+  const devRepo = buildDevImageRepositoryPath(baseRef.imageName, developerId);
+  const devExists = await checkImageExists(devRepo, tag, false);
+  if (devExists) {
+    return { imageName: devRepo, imageTag: tag };
+  }
+  const baseExists = await checkImageExists(baseRef.imageName, tag, false);
+  if (baseExists) {
+    return baseRef;
+  }
+
+  throw new Error(
+    `Docker image not found (tried ${devRepo}:${tag} then ${baseRef.imageName}:${tag})\n` +
+      `Run 'aifabrix build ${appName}' or pull the manifest image, or use --base after pulling the base image.`
+  );
+}
+
+module.exports = { resolveRunImage, resolveRunImageWithLocalFallback };

package/lib/app/run.js

@@ -10,15 +10,23 @@
  */
 
 const chalk = require('chalk');
+const {
+  formatWarningLine,
+  sectionTitle,
+  headerKeyValue,
+  metadata,
+  formatNextActions
+} = require('../utils/cli-test-layout-chalk');
 const config = require('../core/config');
 const logger = require('../utils/logger');
 const pathsUtil = require('../utils/paths');
 const { checkPortAvailable, waitForHealthCheck } = require('../utils/health-check');
 const composeGenerator = require('../utils/compose-generator');
 const containerHelpers = require('../utils/app-run-containers');
-const mutagen = require('../utils/mutagen');
 // Helper functions extracted to reduce file size and complexity
 const helpers = require('./run-helpers');
+const { ensureReloadSync, logReloadDevSummary } = require('./run-reload-sync');
+const { logRestartDevMountSummary } = require('./restart-display');
 const { execWithDockerEnv } = require('../utils/docker-exec');
 
 /**
@@ -73,8 +81,16 @@ async function validateAppForRun(appName, _debug) {
   try {
     const { isExternal, baseDir } = await detectAppType(appName);
     if (baseDir !== 'builder' || isExternal) {
-      logger.log(chalk.yellow('⚠  External systems don\'t run as Docker containers.'));
-      logger.log(chalk.blue('Use "aifabrix build" to deploy to dataplane, then test via OpenAPI endpoints.'));
+      logger.log('');
+      logger.log(sectionTitle('Run'));
+      logger.log(headerKeyValue('Application:', appName));
+      logger.log(
+        formatWarningLine('External integrations are not started as local Docker containers.')
+      );
+      logger.log(
+        metadata('Build and deploy the integration, then use its APIs from your environment.')
+      );
+      logger.log(formatNextActions([`aifabrix build ${appName}`]));
       return false;
     }
   } catch (error) {
@@ -114,7 +130,7 @@ async function checkAndStopContainer(appName, appConfig, options, debug) {
   }
 
   const containerName = containerHelpers.getContainerName(appName, developerId, scopeOpts);
-  logger.log(chalk.yellow(`Container ${containerName} is already running`));
+  logger.log(formatWarningLine(`Container ${containerName} is already running`));
   await helpers.stopAndRemoveContainer(appName, developerId, debug, scopeOpts);
 }
 
@@ -149,48 +165,6 @@ async function calculateHostPort(appConfig, options, debug) {
   return hostPort;
 }
 
-/**
- * When run --reload in dev with remote: ensure Mutagen sync session; return remote path for compose mount.
- * Uses codePath (resolved build.context) as Mutagen local path so one config field drives both local and remote.
- * When Docker endpoint, remote-server, or sync-ssh-host is localhost/127.0.0.1, returns null (no sync; use local path).
- *
- * @param {string} appName - Application name
- * @param {string} developerId - Developer ID
- * @param {boolean} debug - Debug flag
- * @param {string} codePath - Resolved build.context (absolute path to app code)
- * @param {string} [remoteSyncPath] - Optional relative path under user-mutagen-folder (from build.remoteSyncPath); when unset, defaults to dev/<appKey>
- * @returns {Promise<string|null>} Remote path for -v mount or null if not remote/reload or already on server (localhost)
- * @throws {Error} If --reload but remote not configured, or Mutagen install fails
- */
-async function ensureReloadSync(appName, developerId, debug, codePath, remoteSyncPath) {
-  const endpoint = await config.getDockerEndpoint();
-  const serverUrl = await config.getRemoteServer();
-  if (!endpoint && !serverUrl) return null;
-  const syncSshHost = await config.getSyncSshHost();
-  if (isLocalhostEndpoint(endpoint) || isLocalhostEndpoint(serverUrl) || isLocalhostHost(syncSshHost || '')) {
-    if (debug) logger.log(chalk.gray('[DEBUG] Docker/remote/sync host is localhost; skipping Mutagen, using local path'));
-    return null;
-  }
-  const [userMutagenFolder, syncSshUser] = await Promise.all([
-    config.getUserMutagenFolder(),
-    config.getSyncSshUser()
-  ]);
-  if (!userMutagenFolder || !syncSshUser || !syncSshHost) {
-    throw new Error(
-      'run --reload requires remote server sync settings. Run "aifabrix dev init" or set user-mutagen-folder, sync-ssh-user, sync-ssh-host in config.'
-    );
-  }
-  const mutagenPath = await mutagen.ensureMutagenPath(logger.log);
-  const remotePath = mutagen.getRemotePath(userMutagenFolder, appName, remoteSyncPath);
-  const sshUrl = mutagen.getSyncSshUrl(syncSshUser, syncSshHost, remotePath);
-  const sessionName = mutagen.getSessionName(developerId, appName);
-  const localPath = (codePath && typeof codePath === 'string') ? codePath : pathsUtil.getBuilderPath(appName);
-  if (debug) logger.log(chalk.gray(`[DEBUG] Mutagen sync: ${sessionName} ${localPath} <-> ${sshUrl}`));
-  logger.log(chalk.blue('Ensuring Mutagen sync session...'));
-  await mutagen.ensureSyncSession(mutagenPath, sessionName, localPath, sshUrl);
-  return remotePath;
-}
-
 /**
  * Load and configure application
  * @async
@@ -238,12 +212,21 @@ async function startAppContainer(appName, tempComposePath, hostPort, appConfig,
       devMountPath,
       misoEnvironment
     });
-    await helpers.displayRunStatus(appName, hostPort, appConfig, opts.runScopeOpts || null);
+    await helpers.displayRunStatus(
+      appName,
+      hostPort,
+      appConfig,
+      opts.runScopeOpts || null,
+      runOptions || {}
+    );
   } catch (error) {
-    logger.log(chalk.yellow(`\n⚠️  Compose file preserved at: ${tempComposePath}`));
-    logger.log(chalk.yellow('   Review the file to debug issues'));
+    logger.log('');
+    logger.log(formatWarningLine(`Compose file preserved at ${tempComposePath}`));
+    logger.log(metadata('  Review the compose file, fix the issue, then run again.'));
     if (runEnvPath || runEnvAdminPath) {
-      logger.log(chalk.yellow('   Run .env file(s) (contain secrets) were not deleted; remove them manually if desired.'));
+      logger.log(
+        metadata('  Run .env file(s) contain secrets and were not deleted; remove manually if needed.')
+      );
     }
     if (debug) {
       logger.log(chalk.gray(`[DEBUG] Error during container start: ${error.message}`));
@@ -271,30 +254,46 @@ async function resolveRunOptions(appName, appConfig, options, envKey, debug, eff
   const codePath = pathsUtil.resolveBuildContext(builderPath, appConfig.build?.context || '.');
   if (options.reload && envKey === 'dev') {
     const remoteSyncPath = appConfig.build?.remoteSyncPath;
-    const remotePath = await ensureReloadSync(appName, appConfig.developerId, debug, codePath, remoteSyncPath);
-    runOptions.devMountPath = remotePath || codePath;
+    const reloadSummary = await ensureReloadSync(appName, appConfig.developerId, debug, codePath, remoteSyncPath);
+    runOptions.reloadSyncSummary = reloadSummary;
+    runOptions.devMountPath =
+      reloadSummary.transport === 'mutagen' ? reloadSummary.remotePath : codePath;
   }
   return runOptions;
 }
 
 /**
- * Prepare run: validate app, load config, check prereqs, stop existing container, resolve port and reload, prepare env.
- * @param {string} appName - Application name
- * @param {Object} options - Run options
- * @param {boolean} debug - Debug flag
- * @returns {Promise<{ appConfig: Object, tempComposePath: string, hostPort: number }|null>} Prepared run context or null if should not continue
+ * When Traefik is enabled in user config, pass through for health checks (DNS + localhost order).
+ * @param {Object} runOptions
+ * @param {Object} userCfg
  */
-async function prepareAppRun(appName, options, debug) {
-  const envKey = (options.env || 'dev').toLowerCase();
+function applyTraefikFlagToRunOptions(runOptions, userCfg) {
+  if (userCfg && userCfg.traefik === true) {
+    runOptions.traefikEnabled = true;
+  }
+}
+
+/**
+ * @param {string} envKey
+ * @throws {Error} If env is not dev, tst, or pro
+ */
+function assertValidRunEnvKey(envKey) {
   if (envKey !== 'dev' && envKey !== 'tst' && envKey !== 'pro') {
     throw new Error('--env must be dev, tst, or pro');
   }
-  const shouldContinue = await validateAppForRun(appName, debug);
-  if (!shouldContinue) {
-    return null;
-  }
-  const appConfig = await loadAndConfigureApp(appName, debug);
-  const userCfg = await config.getConfig();
+}
+
+/**
+ * Image resolution, prereqs, port, compose env — after app config and user config are loaded.
+ * @param {string} appName
+ * @param {Object} appConfig
+ * @param {Object} options - Original run options
+ * @param {string} envKey
+ * @param {Object} userCfg - getConfig() result
+ * @param {boolean} debug
+ * @returns {Promise<Object>} Prepared run context (same shape as prepareAppRun return)
+ */
+async function computeRunPreparationCore(appName, appConfig, options, envKey, userCfg, debug) {
   const { computeEffectiveEnvironmentScopedResources } = require('../utils/environment-scoped-resources');
   const effectiveEnvironmentScopedResources = computeEffectiveEnvironmentScopedResources(
     Boolean(userCfg.useEnvironmentScopedResources),
@@ -304,17 +303,24 @@ async function prepareAppRun(appName, options, debug) {
   const runScopeOpts = effectiveEnvironmentScopedResources
     ? { effectiveEnvironmentScopedResources: true, env: envKey }
     : null;
-  await helpers.checkPrerequisites(appName, appConfig, debug, options.skipInfraCheck === true, options);
-  await checkAndStopContainer(appName, appConfig, options, debug);
-  const hostPort = await calculateHostPort(appConfig, options, debug);
+  const { resolveRunImageWithLocalFallback } = require('./run-resolve-image');
+  const resolvedRef = await resolveRunImageWithLocalFallback(appName, appConfig, options);
+  const effectiveRunOptions = {
+    ...options,
+    image: `${resolvedRef.imageName}:${resolvedRef.imageTag}`
+  };
+  await helpers.checkPrerequisites(appName, appConfig, debug, effectiveRunOptions.skipInfraCheck === true, effectiveRunOptions);
+  await checkAndStopContainer(appName, appConfig, effectiveRunOptions, debug);
+  const hostPort = await calculateHostPort(appConfig, effectiveRunOptions, debug);
   const runOptions = await resolveRunOptions(
     appName,
     appConfig,
-    options,
+    effectiveRunOptions,
     envKey,
     debug,
     effectiveEnvironmentScopedResources
   );
+  applyTraefikFlagToRunOptions(runOptions, userCfg);
   const { composePath: tempComposePath, runEnvPath, runEnvAdminPath } = await helpers.prepareEnvironment(appName, appConfig, runOptions);
   const result = {
     appConfig,
@@ -329,6 +335,28 @@ async function prepareAppRun(appName, options, debug) {
   return result;
 }
 
+/**
+ * Prepare run: validate app, load config, check prereqs, stop existing container, resolve port and reload, prepare env.
+ * @param {string} appName - Application name
+ * @param {Object} options - Run options
+ * @param {boolean} debug - Debug flag
+ * @returns {Promise<{ appConfig: Object, tempComposePath: string, hostPort: number }|null>} Prepared run context or null if should not continue
+ */
+async function prepareAppRun(appName, options, debug) {
+  const envKey = (options.env || 'dev').toLowerCase();
+  assertValidRunEnvKey(envKey);
+  const shouldContinue = await validateAppForRun(appName, debug);
+  if (!shouldContinue) {
+    return null;
+  }
+  logger.log('');
+  logger.log(sectionTitle('Run'));
+  logger.log(headerKeyValue('Application:', appName));
+  const appConfig = await loadAndConfigureApp(appName, debug);
+  const userCfg = await config.getConfig();
+  return computeRunPreparationCore(appName, appConfig, options, envKey, userCfg, debug);
+}
+
 /**
  * Runs the application locally using Docker
  * Starts container with proper port mapping and environment
@@ -360,10 +388,7 @@ async function runApp(appName, options = {}) {
     if (debug) {
       logger.log(chalk.gray(`[DEBUG] Compose file generated: ${prepared.tempComposePath}`));
     }
-    if (options.reload && prepared.devMountPath) {
-      logger.log(chalk.gray('With --reload: workspace mounted from host at /app (container runs as your user for write access).'));
-      logger.log(chalk.gray(`  Host path: ${prepared.devMountPath}`));
-    }
+    logReloadDevSummary(Boolean(options.reload), prepared.mergedRunOptions.reloadSyncSummary);
     await startAppContainer(appName, prepared.tempComposePath, prepared.hostPort, prepared.appConfig, {
       debug,
       runEnvPath: prepared.runEnvPath,
@@ -401,6 +426,7 @@ async function restartApp(appName) {
   const containerName = containerHelpers.getContainerName(appName, developerId);
   try {
     await execWithDockerEnv(`docker restart ${containerName}`);
+    await logRestartDevMountSummary(containerName);
   } catch (error) {
     const msg = (error.stderr || error.stdout || error.message || '').toLowerCase();
     if (msg.includes('no such container') || msg.includes('is not running')) {