@aifabrix/builder 2.44.5 → 2.45.0

package/lib/app/push.js

@@ -1,4 +1,12 @@
-const { formatSuccessLine, formatSuccessParagraph } = require('../utils/cli-test-layout-chalk');
+const {
+  formatSuccessLine,
+  formatSuccessParagraph,
+  sectionTitle,
+  headerKeyValue,
+  metadata,
+  formatWarningLine,
+  formatNextActions
+} = require('../utils/cli-test-layout-chalk');
 /**
  * Application Push Utilities
  *
@@ -9,9 +17,9 @@ const { formatSuccessLine, formatSuccessParagraph } = require('../utils/cli-test
  * @version 2.0.0
  */
 
-const chalk = require('chalk');
 const pushUtils = require('../deployment/push');
 const logger = require('../utils/logger');
+const { detectAppType } = require('../utils/paths');
 
 /**
  * Validate application name format
@@ -150,6 +158,33 @@ async function authenticateWithRegistry(registry) {
   }
 }
 
+/**
+ * Layout-aligned notice when push is skipped for external integrations.
+ * @param {string} appName
+ */
+function logExternalIntegrationPushNotice(appName) {
+  logger.log('');
+  logger.log(sectionTitle('Push'));
+  logger.log(headerKeyValue('Application:', appName));
+  logger.log(formatWarningLine('External integrations have no application image to push.'));
+  logger.log(metadata('Use upload or deploy for integration artifacts.'));
+  logger.log(formatNextActions([`aifabrix upload ${appName}`, `aifabrix deploy ${appName}`]));
+}
+
+/**
+ * Header after validation passes for a regular (non-external) push.
+ * @param {string} appName
+ * @param {string} registry
+ * @param {string} imageName
+ */
+function logPushCommandHeader(appName, registry, imageName) {
+  logger.log('');
+  logger.log(sectionTitle('Push'));
+  logger.log(headerKeyValue('Application:', appName));
+  logger.log(metadata(`Registry: ${registry}`));
+  logger.log(metadata(`Repository: ${imageName}`));
+}
+
 /**
  * Pushes image tags to registry
  * @async
@@ -171,7 +206,9 @@ async function pushImageTags(imageName, registry, tags) {
                         (errorMessage.includes('authentication') && errorMessage.includes('401'));
 
     if (isAuthError) {
-      logger.log(chalk.yellow('⚠ Authentication expired, re-authenticating...'));
+      logger.log(
+        formatWarningLine('Registry authentication expired; re-authenticating, then retrying push.')
+      );
       await authenticateWithRegistry(registry);
       // Retry push after re-authentication
       await Promise.all(tags.map(async(tag) => {
@@ -190,9 +227,9 @@ async function pushImageTags(imageName, registry, tags) {
  * @param {Array<string>} tags - Image tags
  */
 function displayPushResults(registry, imageName, tags) {
-  logger.log(formatSuccessParagraph(`Successfully pushed ${tags.length} tag(s) to ${registry}`));
-  logger.log(chalk.gray(`Image: ${registry}/${imageName}:*`));
-  logger.log(chalk.gray(`Tags: ${tags.join(', ')}`));
+  logger.log(formatSuccessParagraph(`Pushed ${tags.length} tag(s) to ${registry}`));
+  logger.log(headerKeyValue('Image:', `${registry}/${imageName}`));
+  logger.log(headerKeyValue('Tags:', tags.join(', ')));
 }
 
 /**
@@ -204,38 +241,25 @@ function displayPushResults(registry, imageName, tags) {
  * @returns {Promise<void>} Resolves when push is complete
  */
 async function pushApp(appName, options = {}) {
-  // Check if app type is external - skip push
-  const { detectAppType } = require('../utils/paths');
   try {
     const { isExternal } = await detectAppType(appName);
     if (isExternal) {
-      logger.log(chalk.yellow('⚠  External systems don\'t require Docker images. Skipping push...'));
+      logExternalIntegrationPushNotice(appName);
       return;
     }
-  } catch (error) {
+  } catch (_error) {
     // If detection fails, continue with normal push
     // (detectAppType throws if app doesn't exist, which is fine for push command)
   }
   try {
-    // Validate app name
     validateAppName(appName);
-
-    // Load configuration
     const { registry, imageName } = await loadPushConfig(appName, options);
-
-    // Validate push configuration
     await validatePushConfig(registry, imageName, appName);
-
-    // Authenticate with registry
+    logPushCommandHeader(appName, registry, imageName);
     await authenticateWithRegistry(registry);
-
-    // Push image tags
     const tags = options.tag ? options.tag.split(',').map(t => t.trim()) : ['latest'];
     await pushImageTags(imageName, registry, tags);
-
-    // Display results
     displayPushResults(registry, imageName, tags);
-
   } catch (error) {
     throw new Error(`Failed to push application: ${error.message}`);
   }
@@ -245,4 +269,3 @@ module.exports = {
   pushApp,
   validateAppName
 };
-

package/lib/app/register.js

@@ -94,19 +94,20 @@ async function saveLocalCredentials(responseData, apiUrl) {
     await saveLocalSecret(clientIdKey, responseData.credentials.clientId);
     await saveLocalSecret(clientSecretKey, responseData.credentials.clientSecret);
 
-    // Update env.template
+    // Update env.template (kv:// refs only; no resolved values touch disk)
     await updateEnvTemplate(registeredAppKey, clientIdKey, clientSecretKey, apiUrl);
 
-    // Regenerate .env file with updated credentials
+    // Resolve in-memory so any missing-secret / kv:// error surfaces here, but never
+    // materialize <appPath>/.env or envOutputPath — that is only done by `aifabrix resolve`.
     try {
-      await generateEnvFile(registeredAppKey, null, 'local');
-      logger.log(formatSuccessLine('.env file updated with new credentials'));
+      await generateEnvFile(registeredAppKey, null, 'local', true, { noWrite: true });
     } catch (error) {
-      logger.warn(chalk.yellow(`⚠  Could not regenerate .env file: ${error.message}`));
+      logger.warn(chalk.yellow(`⚠  Could not validate env resolution: ${error.message}`));
     }
 
     logger.log(formatSuccessParagraph('Credentials saved to ~/.aifabrix/secrets.local.yaml'));
-    logger.log(formatSuccessLine('env.template updated with MISO_CLIENTID, MISO_CLIENTSECRET, and MISO_CONTROLLER_URL\n'));
+    logger.log(formatSuccessLine('env.template updated with MISO_CLIENTID, MISO_CLIENTSECRET, and MISO_CONTROLLER_URL'));
+    logger.log(formatSuccessLine('Run "aifabrix resolve ' + registeredAppKey + '" to materialize an on-disk .env\n'));
   } catch (error) {
     logger.warn(chalk.yellow(`⚠  Could not save credentials locally: ${error.message}`));
   }

package/lib/app/restart-display.js

@@ -0,0 +1,126 @@
+/**
+ * After `docker restart`, describe dev workspace mounts for developer clarity.
+ *
+ * @fileoverview Bind mount vs remote-engine hints (aligns with run --reload messaging)
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const logger = require('../utils/logger');
+const config = require('../core/config');
+const { execWithDockerEnv } = require('../utils/docker-exec');
+const { sectionTitle, headerKeyValue, metadata } = require('../utils/cli-test-layout-chalk');
+const { isReloadBindMountOnEngineHost } = require('../utils/docker-reload-mount');
+const { isApplicationsReloadDefaultOn } = require('../utils/applications-config-defaults');
+
+/**
+ * @param {unknown} mounts - docker inspect .Mounts
+ * @returns {{ Type: string, Source: string, Destination: string }|null}
+ */
+function findAppBindMount(mounts) {
+  if (!Array.isArray(mounts)) {
+    return null;
+  }
+  const hit = mounts.find((m) => m && m.Type === 'bind' && m.Destination === '/app');
+  return hit && typeof hit.Source === 'string' ? hit : null;
+}
+
+/**
+ * @param {string} stdout
+ * @returns {unknown|null}
+ */
+function parseInspectMountsStdout(stdout) {
+  try {
+    return JSON.parse(String(stdout || '').trim());
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * @param {string} containerName
+ * @returns {Promise<unknown|null>}
+ */
+async function fetchContainerMountsJson(containerName) {
+  try {
+    const { stdout } = await execWithDockerEnv(
+      `docker inspect --format '{{json .Mounts}}' ${containerName}`,
+      { maxBuffer: 2 * 1024 * 1024 }
+    );
+    return parseInspectMountsStdout(stdout);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Log saved reload default for the app (same source as `aifabrix run` dev persist / `aifabrix show`).
+ * @param {string|null|undefined} appName - Application key (e.g. miso-controller)
+ * @returns {Promise<void>}
+ */
+async function logReloadConfigSummaryForRestart(appName) {
+  if (!appName || typeof appName !== 'string') {
+    return;
+  }
+  const userCfg = await config.getConfig();
+  const reloadOn = isApplicationsReloadDefaultOn(userCfg, appName);
+  logger.log('');
+  logger.log(sectionTitle('Reload (config)'));
+  logger.log(
+    headerKeyValue(
+      'Next dev run:',
+      reloadOn ? 'reload on (applications.<app>.reload in config)' : 'reload off'
+    )
+  );
+  logger.log(
+    metadata(
+      'Persisted when you last ran this app in dev with or without --reload. Use aifabrix show <app> to inspect.'
+    )
+  );
+  logger.log('');
+}
+
+/**
+ * Log workspace transport after a successful container restart (mounts unchanged).
+ * @param {string} containerName - Docker container name
+ * @param {string|null} [appName] - Application key; when set, logs reload default from config after mount info
+ * @returns {Promise<void>}
+ */
+async function logRestartDevMountSummary(containerName, appName = null) {
+  if (!containerName || typeof containerName !== 'string') {
+    await logReloadConfigSummaryForRestart(appName);
+    return;
+  }
+  const mounts = await fetchContainerMountsJson(containerName);
+  const appBind = findAppBindMount(mounts);
+  if (appBind) {
+    const endpoint = await config.getDockerEndpoint();
+    const localEngine = isReloadBindMountOnEngineHost(endpoint);
+
+    logger.log('');
+    logger.log(sectionTitle('Dev workspace (unchanged by restart)'));
+    if (localEngine) {
+      logger.log(headerKeyValue('Transport:', 'Direct bind mount on the Docker host (no Mutagen).'));
+      logger.log(headerKeyValue('Host path → container:', `${appBind.Source} → /app`));
+      logger.log(metadata('Edits under the host path are visible inside the container immediately.'));
+    } else {
+      logger.log(
+        headerKeyValue(
+          'Transport:',
+          'Bind mount on the Docker engine (see path below; Mutagen may sync to this path when using --reload).'
+        )
+      );
+      logger.log(headerKeyValue('Engine path → container:', `${appBind.Source} → /app`));
+    }
+    logger.log('');
+  }
+  await logReloadConfigSummaryForRestart(appName);
+}
+
+module.exports = {
+  findAppBindMount,
+  logReloadConfigSummaryForRestart,
+  logRestartDevMountSummary
+};

package/lib/app/rotate-secret.js

@@ -281,20 +281,21 @@ async function saveCredentialsLocally(appKey, credentials, actualControllerUrl)
     await saveLocalSecret(clientIdKey, credentials.clientId);
     await saveLocalSecret(clientSecretKey, credentials.clientSecret);
 
-    // Update env.template if localhost
+    // Update env.template if localhost (kv:// refs only; no resolved values touch disk)
     if (isLocalhost(actualControllerUrl)) {
       await updateEnvTemplate(appKey, clientIdKey, clientSecretKey, actualControllerUrl);
 
-      // Regenerate .env file with updated credentials
+      // Resolve in-memory so any missing-secret / kv:// error surfaces here, but never
+      // materialize <appPath>/.env or envOutputPath — that is only done by `aifabrix resolve`.
       try {
-        await generateEnvFile(appKey, null, 'local');
-        logger.log(formatSuccessLine('.env file updated with new credentials'));
+        await generateEnvFile(appKey, null, 'local', true, { noWrite: true });
       } catch (error) {
-        logger.warn(chalk.yellow(`⚠  Could not regenerate .env file: ${error.message}`));
+        logger.warn(chalk.yellow(`⚠  Could not validate env resolution: ${error.message}`));
       }
 
       logger.log(formatSuccessParagraph('Credentials saved to ~/.aifabrix/secrets.local.yaml'));
-      logger.log(formatSuccessLine('env.template updated with MISO_CLIENTID, MISO_CLIENTSECRET, and MISO_CONTROLLER_URL\n'));
+      logger.log(formatSuccessLine('env.template updated with MISO_CLIENTID, MISO_CLIENTSECRET, and MISO_CONTROLLER_URL'));
+      logger.log(formatSuccessLine('Run "aifabrix resolve ' + appKey + '" to materialize an on-disk .env\n'));
     } else {
       logger.log(formatSuccessParagraph('Credentials saved to ~/.aifabrix/secrets.local.yaml\n'));
     }

package/lib/app/run-container-start.js

@@ -5,7 +5,11 @@
  */
 
 'use strict';
-const { formatSuccessLine } = require('../utils/cli-test-layout-chalk');
+const {
+  formatSuccessLine,
+  formatProgress,
+  formatWarningLine
+} = require('../utils/cli-test-layout-chalk');
 
 const fs = require('fs').promises;
 const chalk = require('chalk');
@@ -31,8 +35,8 @@ const execAsync = promisify(exec);
 async function emitAndRunDockerFallback(appName, appConfig, port, opts) {
   const { debug, runEnvPath, runOptions, misoEnvironment } = opts;
   logger.log(
-    chalk.yellow(
-      'Docker Compose not found; using docker run (apps without database/redis only). ' +
+    formatWarningLine(
+      'Docker Compose not found; using docker run (apps without Postgres/Redis only). ' +
         'Install docker-compose-plugin for full compose support.'
     )
   );
@@ -116,7 +120,7 @@ async function waitForHealthyAndCleanupEnvFiles(appName, port, appConfig, o) {
   const displayUrl = (healthUrl && typeof healthUrl === 'string')
     ? healthUrl
     : `http://localhost:${port}${healthCheckPath}`;
-  logger.log(chalk.blue(`Waiting for application to be healthy at ${displayUrl}...`));
+  logger.log(formatProgress(`Waiting for healthy: ${displayUrl}…`));
   await healthCheck.waitForHealthCheck(appName, 90, port, appConfig, debug, ro);
 
   for (const p of [runEnvPath, runEnvAdminPath]) {
@@ -124,7 +128,9 @@ async function waitForHealthyAndCleanupEnvFiles(appName, port, appConfig, o) {
       try {
         await fs.unlink(p);
       } catch (err) {
-        if (err.code !== 'ENOENT') logger.log(chalk.yellow(`Warning: could not remove run .env: ${err.message}`));
+        if (err.code !== 'ENOENT') {
+          logger.log(formatWarningLine(`Could not remove run .env: ${err.message}`));
+        }
       }
     }
   }
@@ -148,7 +154,7 @@ async function startContainer(appName, composePath, port, appConfig = null, opts
     devMountPath = null,
     misoEnvironment = 'dev'
   } = opts;
-  logger.log(chalk.blue(`Starting ${appName}...`));
+  logger.log(formatProgress(`Starting ${appName}…`));
 
   let composeCmdBase;
   let usedDockerRunFallback = false;

package/lib/app/run-env-compose.js

@@ -14,9 +14,36 @@ const fs = require('fs').promises;
 const fsSync = require('fs');
 const pathsUtil = require('../utils/paths');
 const adminSecrets = require('../core/admin-secrets');
+const secretsEnsure = require('../core/secrets-ensure');
 const secretsEnvWrite = require('../core/secrets-env-write');
 const { getContainerPort } = require('../utils/port-resolver');
 
+/**
+ * Backfill only secrets needed for `aifabrix run <app>`: kv:// keys from that app's env.template
+ * (catalog defaults via placeholderContext). Does not run full `ensureInfraSecrets`.
+ *
+ * Docker Postgres admin password for compose/db-init comes from **admin-secrets.env** (see
+ * `ensureAdminSecrets` / `readAndDecryptAdminSecrets`), not from `postgres-passwordKeyVault` on every run.
+ * The kv key is used when **generating** admin-secrets (e.g. first `up-infra`) via `generateAdminSecretsEnv`;
+ * we do not duplicate it here when an admin file already exists.
+ *
+ * @async
+ * @param {string} appName - Builder application key
+ * @returns {Promise<void>}
+ */
+async function ensureRunSecretsForApp(appName) {
+  const placeholderContext = secretsEnsure.buildInfraPlaceholderContext({});
+  const userSecretsPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+  const templatePath = path.join(pathsUtil.getBuilderPath(appName), 'env.template');
+  if (fsSync.existsSync(templatePath)) {
+    await secretsEnsure.ensureSecretsFromEnvTemplate(templatePath, {
+      placeholderContext,
+      preferredFilePath: userSecretsPath,
+      useMergedSecretsForMissingKeys: true
+    });
+  }
+}
+
 /**
  * Clean applications directory: remove generated docker-compose.yaml and .env.* files.
  * @param {string|number} developerId - Developer ID
@@ -204,6 +231,7 @@ async function buildMergedRunEnvAndWrite(appName, appConfig, devDir, developerId
   const ensureAdminSecretsFn = typeof infra.ensureAdminSecrets === 'function'
     ? infra.ensureAdminSecrets
     : require('../infrastructure/helpers').ensureAdminSecrets;
+  await ensureRunSecretsForApp(appName);
   await ensureAdminSecretsFn();
   const adminObj = await adminSecrets.readAndDecryptAdminSecrets();
   const runEnvKey = scopeOpts && scopeOpts.runEnvKey ? String(scopeOpts.runEnvKey).toLowerCase() : 'dev';
@@ -248,5 +276,6 @@ function assertNoPasswordLiteralsInCompose(composeContent) {
 module.exports = {
   cleanApplicationsDir,
   buildMergedRunEnvAndWrite,
-  assertNoPasswordLiteralsInCompose
+  assertNoPasswordLiteralsInCompose,
+  ensureRunSecretsForApp
 };

package/lib/app/run-helpers.js

@@ -1,4 +1,12 @@
-const { formatSuccessLine, formatSuccessParagraph } = require('../utils/cli-test-layout-chalk');
+const {
+  formatSuccessLine,
+  formatSuccessParagraph,
+  formatProgress,
+  formatNextActions,
+  headerKeyValue,
+  metadata,
+  infoLine
+} = require('../utils/cli-test-layout-chalk');
 /**
  * AI Fabrix Builder - App Run Helpers
  *
@@ -28,6 +36,9 @@ const { resolveRunImage } = require('./run-resolve-image');
 const { startContainer } = require('./run-container-start');
 const { resolveEnvOutputPath, writeEnvOutputForReload, writeEnvOutputForLocal } = require('../utils/env-copy');
 const { resolveVersionForApp } = require('../utils/image-version');
+const healthCheckUtil = require('../utils/health-check');
+const { computeTraefikPublicAppUrl } = require('../utils/health-check-url');
+const { isFrontDoorRoutingEnabledInDoc } = require('../utils/url-declarative-vdir-inactive-env');
 
 /** Template apps (keycloak, miso-controller, dataplane) - never update application config when running */
 const TEMPLATE_APP_KEYS = ['keycloak', 'miso-controller', 'dataplane'];
@@ -62,7 +73,7 @@ function checkBuilderDirectory(appName) {
 
 /**
  * Load and validate config file exists
- * Uses paths.getBuilderPath so AIFABRIX_BUILDER_DIR (e.g. from up-miso) is respected.
+ * Uses paths.getBuilderPath (cwd / material `builder/` only; no `AIFABRIX_BUILDER_DIR` override).
  * @param {string} appName - Application name
  * @returns {Object} Application configuration
  * @throws {Error} If config file not found
@@ -179,7 +190,7 @@ async function checkPrerequisites(appName, appConfig, debug = false, skipInfraCh
     logger.log(chalk.gray(`[DEBUG] Image name: ${imageName}, tag: ${imageTag}`));
   }
 
-  logger.log(chalk.blue(`Checking if image ${fullImageName} exists...`));
+  logger.log(formatProgress(`Checking image ${fullImageName}…`));
   const imageExists = await checkImageExists(imageName, imageTag, debug);
   if (!imageExists) {
     const isTemplateApp = TEMPLATE_APP_KEYS.includes(appName);
@@ -208,12 +219,12 @@ async function checkInfraHealthOrThrow(debug, appConfig) {
   const requirements = getAppInfraRequirements(appConfig);
   if (requirements && !requirements.needsPostgres && !requirements.needsRedis) {
     logger.log(
-      chalk.blue('Skipping infrastructure check (application does not require database or redis)...')
+      infoLine('Skipping Postgres/Redis health check (not required by this application).')
     );
     return;
   }
 
-  logger.log(chalk.blue('Checking infrastructure health...'));
+  logger.log(formatProgress('Checking infrastructure health…'));
   const infra = require('../infrastructure');
   const healthOptions =
     requirements === null
@@ -280,7 +291,7 @@ function calculateComposePort(options, appConfig, developerId) {
  * @returns {Promise<string>} Path to compose file
  */
 async function generateComposeFile(appName, appConfig, composeOptions, devDir) {
-  logger.log(chalk.blue('Generating Docker Compose configuration...'));
+  logger.log(formatProgress('Generating Docker Compose configuration…'));
   const composeContent = await composeGenerator.generateDockerCompose(appName, appConfig, composeOptions);
   runEnvCompose.assertNoPasswordLiteralsInCompose(composeContent);
   const tempComposePath = path.join(devDir, 'docker-compose.yaml');
@@ -289,12 +300,15 @@ async function generateComposeFile(appName, appConfig, composeOptions, devDir) {
 }
 
 /**
- * Writes .env to envOutputPath when application.yaml build.envOutputPath is set.
+ * Writes `build.envOutputPath` after each `aifabrix run`: **local**-flavored env for the host/IDE
+ * when not using `--reload`; with **`--reload`**, merges container `.env.run` into the existing file
+ * (preserves resolve comments) without appending run-only keys missing from the template.
+ *
  * @async
  * @param {string} appName - Application name
  * @param {Object} appConfig - Application configuration
- * @param {string} runEnvPath - Path to .env.run
- * @param {Object} options - Run options (reload flag)
+ * @param {string} runEnvPath - Path to `.env.run`
+ * @param {Object} options - Run options (`reload`, `skipEnvOutputPath`)
  */
 async function writeEnvOutputIfConfigured(appName, appConfig, runEnvPath, options) {
   if (options && options.skipEnvOutputPath === true) return;
@@ -308,8 +322,8 @@ async function writeEnvOutputIfConfigured(appName, appConfig, runEnvPath, option
   if (!fsSync.existsSync(outputDir)) {
     await fs.mkdir(outputDir, { recursive: true });
   }
-  if (options.reload) {
-    await writeEnvOutputForReload(outputPath, runEnvPath);
+  if (options && options.reload === true) {
+    await writeEnvOutputForReload(outputPath, runEnvPath, appName);
   } else {
     await writeEnvOutputForLocal(appName, outputPath);
   }
@@ -338,7 +352,7 @@ async function prepareEnvironment(appName, appConfig, options) {
   );
 
   runEnvCompose.cleanApplicationsDir(developerId);
-  logger.log(chalk.blue('Building merged .env (admin + app secrets)...'));
+  logger.log(formatProgress('Building merged .env (admin + app secrets)…'));
   const { runEnvPath, runEnvAdminPath } = await runEnvCompose.buildMergedRunEnvAndWrite(
     appName,
     appConfig,
@@ -352,7 +366,8 @@ async function prepareEnvironment(appName, appConfig, options) {
     envFilePath: runEnvPath,
     dbInitEnvFilePath: runEnvAdminPath,
     effectiveEnvironmentScopedResources,
-    env: runEnvKey
+    env: runEnvKey,
+    omitAppTraefikLabels: userCfg.traefik === false
   };
   composeOptions.port = calculateComposePort(composeOptions, appConfig, developerId);
   const composePath = await generateComposeFile(appName, appConfig, composeOptions, devDir);
@@ -367,15 +382,39 @@ async function prepareEnvironment(appName, appConfig, options) {
  * @param {string} appName - Application name
  * @param {number} port - Application port
  * @param {Object} appConfig - Application configuration (with developerId property)
+ * @param {Object|null} [runScopeOpts] - Optional env-scoped container naming
+ * @param {Object} [runOptions] - Run options (traefikEnabled / probeViaTraefik for public URL)
  */
-async function displayRunStatus(appName, port, appConfig, runScopeOpts = null) {
+async function displayRunStatus(appName, port, appConfig, runScopeOpts = null, runOptions = {}) {
   const containerName = containerHelpers.getContainerName(appName, appConfig.developerId, runScopeOpts);
-  const healthCheckPath = appConfig?.healthCheck?.path || '/health';
-  const healthCheckUrl = `http://localhost:${port}${healthCheckPath}`;
+  const ro = runOptions && typeof runOptions === 'object' ? runOptions : {};
+  const frontDoorOn = isFrontDoorRoutingEnabledInDoc(appConfig);
+  const wantsPublic =
+    frontDoorOn && Boolean(ro.probeViaTraefik === true || ro.traefikEnabled === true);
+
+  let primaryAppUrl = `http://localhost:${port}`;
+  if (wantsPublic) {
+    const pub = await computeTraefikPublicAppUrl(appName, port, appConfig);
+    if (pub) primaryAppUrl = pub;
+  }
+
+  const healthTipUrl = await healthCheckUtil.computeHealthCheckUrl(appName, port, appConfig, {
+    runOptions: ro
+  });
 
-  logger.log(formatSuccessParagraph(`App running at http://localhost:${port}`));
-  logger.log(chalk.blue(`Health check: ${healthCheckUrl}`));
-  logger.log(chalk.gray(`Container: ${containerName}`));
+  logger.log(formatSuccessParagraph(`App running at ${primaryAppUrl}`));
+  if (wantsPublic && primaryAppUrl.indexOf('localhost') === -1) {
+    logger.log(metadata(`Local direct: http://localhost:${port}`));
+  }
+  logger.log(headerKeyValue('Health check:', healthTipUrl));
+  logger.log(headerKeyValue('Container:', containerName));
+  logger.log('');
+  logger.log(
+    formatNextActions([
+      `Validate errors: aifabrix logs ${appName} -l error`,
+      `Follow output: aifabrix logs ${appName} -f -t 100`
+    ])
+  );
 }
 
 module.exports = {