@aifabrix/builder 2.44.5 → 2.45.0

package/lib/utils/compose-generate-docker-compose.js

@@ -15,6 +15,99 @@ const paths = require('./paths');
 const { getInfraDirName } = require('../infrastructure/helpers');
 const { resolveMisoEnvironment } = require('./compose-miso-env');
 
+/**
+ * When running a pulled Python image (no bind-mounted source), the image CMD may invoke the
+ * `uvicorn` console script, which is not always on PATH. Derive a `python -m uvicorn` command from
+ * `build.reloadStart` so generated compose matches the same app entrypoint as hot-reload runs.
+ *
+ * @param {string|undefined} reloadStart - Value from application.yaml `build.reloadStart`
+ * @returns {string|null} Shell command fragment (no `cd`, no `exec`; image compose prepends `exec ` in JS)
+ */
+function derivePythonImageStartFromReload(reloadStart) {
+  if (typeof reloadStart !== 'string' || !reloadStart.trim()) {
+    return null;
+  }
+  const trimmed = reloadStart.trim().replace(/\s+--reload\b/g, '').trim();
+  if (/^python3?\s+-m\s+uvicorn\s+/i.test(trimmed)) {
+    return normalizeComposeShellPortRef(trimmed);
+  }
+  if (trimmed.startsWith('uvicorn ')) {
+    const rest = trimmed.slice('uvicorn '.length);
+    return normalizeComposeShellPortRef(`python -m uvicorn ${rest}`);
+  }
+  return null;
+}
+
+/**
+ * Compose sets `PORT` in the service environment; replace `${PORT:-...}` with `$$PORT` in the
+ * fragment so the compose file avoids ambiguous `:` parsing in flow scalars and Compose expands
+ * `$$` to `$` for the container shell (which then expands `PORT` from the service environment).
+ *
+ * @param {string} cmd - Shell command fragment
+ * @returns {string} Same fragment with `${PORT:-...}` replaced by `$$PORT` (Compose escapes `$$` → `$` for the shell)
+ */
+function normalizeComposeShellPortRef(cmd) {
+  return cmd.replace(/\$\{PORT:-[^}]+\}/g, () => '$$PORT');
+}
+
+/**
+ * Normalizes `build.reloadStart` for Python when using a bind-mounted source in compose.
+ *
+ * @param {string} raw - Trimmed reload command
+ * @returns {string} Command suitable for `cd /app && …` in compose
+ */
+function normalizePythonReloadForComposeMounted(raw) {
+  const s = normalizeComposeShellPortRef(raw);
+  if (/^python3?\s+-m\s+uvicorn\s+/i.test(s)) {
+    return s;
+  }
+  if (s.startsWith('uvicorn ')) {
+    return `python -m uvicorn ${s.slice('uvicorn '.length)}`;
+  }
+  return s;
+}
+
+/**
+ * Builds the single `reloadStartCommand` passed to compose templates (`command: …` when set).
+ *
+ * `applications.<app>.reload` in config.yaml (and `aifabrix run --reload`) only controls **bind-mount +
+ * `--reload`** via `devMountPath`. For pulled images without a mount, use optional `build.imageRun` in
+ * application.yaml, or (Python only) derive from `build.reloadStart` when `imageRun` is unset.
+ *
+ * @param {string} language - `application.yaml` build.language
+ * @param {string|null} devMountPath - Bind mount path when reload sync is active
+ * @param {string|undefined} reloadRaw - `build.reloadStart`
+ * @param {Object} [build] - `application.yaml` `build` object (`imageRun`, etc.)
+ * @returns {string|null}
+ */
+function buildReloadStartCommandForCompose(language, devMountPath, reloadRaw, build = {}) {
+  const buildObj = build && typeof build === 'object' ? build : {};
+  const imageRunRaw = typeof buildObj.imageRun === 'string' ? buildObj.imageRun.trim() : '';
+  const reloadTrimmed = typeof reloadRaw === 'string' ? reloadRaw.trim() : '';
+
+  if (devMountPath) {
+    if (!reloadTrimmed) {
+      return null;
+    }
+    return language === 'python' ? normalizePythonReloadForComposeMounted(reloadTrimmed) : reloadTrimmed;
+  }
+
+  if (imageRunRaw) {
+    return normalizeComposeShellPortRef(imageRunRaw);
+  }
+
+  if (!reloadTrimmed) {
+    return null;
+  }
+
+  if (language === 'python') {
+    const imageCmd = derivePythonImageStartFromReload(reloadTrimmed);
+    return imageCmd ? `exec ${imageCmd}` : null;
+  }
+
+  return null;
+}
+
 /**
  * Resolve infra `pgpass` path: prefer system config dir; when home differs, allow legacy layout.
  * @param {string|number} devId - Developer id (infra vs infra-dev{n})
@@ -119,14 +212,15 @@ async function loadComposeHead(deps, appName, appConfig, options) {
  * @param {object} head - From loadComposeHead
  * @returns {object}
  */
-function buildComposeLayouts(deps, appName, appConfig, head) {
+function buildComposeLayouts(deps, appName, appConfig, head, options) {
   const { buildNetworkAndContainerNames, buildServiceConfig, buildVolumesConfig, buildNetworksConfig } = deps;
   const { port, imageOverride, devId, idNum, scoped, remoteServer } = head;
   const { networkName, containerName } = buildNetworkAndContainerNames(appName, devId, idNum, scoped);
   const serviceConfig = buildServiceConfig(appName, appConfig, port, devId, {
     imageOverride,
     scopeOpts: scoped,
-    remoteServer
+    remoteServer,
+    omitAppTraefikLabels: options && options.omitAppTraefikLabels === true
   });
   const volumesConfig = buildVolumesConfig(appName);
   const networksConfig = buildNetworksConfig(appConfig);
@@ -161,8 +255,13 @@ async function resolveComposePathsAndSecrets(ctx) {
   );
   const devMountPath = resolveDevMountPath(options);
   const reloadRaw = appConfig.build?.reloadStart;
-  const reloadStartCommand =
-    devMountPath && typeof reloadRaw === 'string' && reloadRaw.trim().length > 0 ? reloadRaw.trim() : null;
+  const language = appConfig.build?.language || appConfig.language || 'typescript';
+  const reloadStartCommand = buildReloadStartCommandForCompose(
+    language,
+    devMountPath,
+    reloadRaw,
+    appConfig.build
+  );
   const infraPgpassPath = resolveInfraPgpassPath(devId, paths, fsSync.existsSync);
   const useInfraPgpass = serviceCf.requiresDatabase && fsSync.existsSync(infraPgpassPath);
   return {
@@ -185,7 +284,7 @@ async function resolveComposePathsAndSecrets(ctx) {
  */
 async function generateDockerComposeImpl(deps, appName, appConfig, options) {
   const head = await loadComposeHead(deps, appName, appConfig, options);
-  const layouts = buildComposeLayouts(deps, appName, appConfig, head);
+  const layouts = buildComposeLayouts(deps, appName, appConfig, head, options);
   const side = await resolveComposePathsAndSecrets({
     options,
     appName,
@@ -213,4 +312,10 @@ function createGenerateDockerCompose(deps) {
   return (appName, appConfig, options) => generateDockerComposeImpl(deps, appName, appConfig, options);
 }
 
-module.exports = { createGenerateDockerCompose, resolveInfraPgpassPath };
+module.exports = {
+  createGenerateDockerCompose,
+  resolveInfraPgpassPath,
+  derivePythonImageStartFromReload,
+  buildReloadStartCommandForCompose,
+  normalizePythonReloadForComposeMounted
+};

package/lib/utils/compose-generator.js

@@ -282,10 +282,16 @@ function buildRequiresConfig(config) {
  * @param {string} [runExtras.imageOverride] - Full image reference for run (e.g. from --image)
  * @param {Object|null} [runExtras.scopeOpts] - Traefik / scoped compose options
  * @param {string|null|undefined} [runExtras.remoteServer] - For ${REMOTE_HOST} in frontDoorRouting.host
+ * @param {boolean} [runExtras.omitAppTraefikLabels] - When true (user config `traefik: false`), omit Traefik labels and BASE_PATH env from compose even if application.yaml enables frontDoorRouting
  * @returns {Object} Service configuration
  */
 function buildServiceConfig(appName, config, port, devId, runExtras = {}) {
-  const { imageOverride = null, scopeOpts = null, remoteServer = null } = runExtras;
+  const {
+    imageOverride = null,
+    scopeOpts = null,
+    remoteServer = null,
+    omitAppTraefikLabels = false
+  } = runExtras;
   const containerPortValue = getContainerPort(config, 3000);
   const hostPort = port;
   const useTraefikScope =
@@ -305,13 +311,16 @@ function buildServiceConfig(appName, config, port, devId, runExtras = {}) {
     containerPort: containerPortValue, // Container port (always set, equals containerPort if exists, else port)
     hostPort: hostPort, // Host port (options.port if provided, else config.port)
     healthCheck,
-    traefik: buildTraefikConfig(
-      config,
-      devId,
-      scopeForHealthAndTraefik,
-      remoteServer,
-      healthCheck.path
-    ),
+    traefik:
+      omitAppTraefikLabels === true
+        ? { enabled: false }
+        : buildTraefikConfig(
+          config,
+          devId,
+          scopeForHealthAndTraefik,
+          remoteServer,
+          healthCheck.path
+        ),
     ...buildRequiresConfig(config)
   };
 }

package/lib/utils/controller-url.js

@@ -42,8 +42,38 @@ function normalizeUrl(url) {
 }
 
 /**
- * Get controller URL from logged-in user's device tokens
- * Returns the first available controller URL from device tokens stored in config
+ * True when `config.yaml` has a non-expired-looking device entry for this controller URL
+ * (normalized host/path comparison).
+ *
+ * @async
+ * @param {string} controllerUrl
+ * @returns {Promise<boolean>}
+ */
+async function hasStoredDeviceTokenForController(controllerUrl) {
+  if (!controllerUrl || typeof controllerUrl !== 'string') {
+    return false;
+  }
+  const want = normalizeUrl(controllerUrl);
+  if (!want) {
+    return false;
+  }
+  try {
+    const userConfig = await config.getConfig();
+    if (!userConfig.device || typeof userConfig.device !== 'object') {
+      return false;
+    }
+    return Object.keys(userConfig.device).some((key) => normalizeUrl(key) === want);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Get controller URL from logged-in user's device tokens.
+ * Prefers the entry under {@link config.controller} when it matches a `device` key; otherwise a
+ * single `device` entry; with multiple unrelated entries and no matching default, returns **null**
+ * (callers must not treat arbitrary key order as the active controller).
+ *
  * @async
  * @function getControllerUrlFromLoggedInUser
  * @returns {Promise<string|null>} Controller URL from logged-in user, or null if not found
@@ -60,11 +90,23 @@ async function getControllerUrlFromLoggedInUser() {
       return null;
     }
 
-    // Return the first available controller URL (normalized)
-    const firstControllerUrl = deviceUrls[0];
-    return normalizeUrl(firstControllerUrl);
-  } catch (error) {
-    // If config doesn't exist or can't be read, return null
+    const cfgController =
+      userConfig.controller && typeof userConfig.controller === 'string'
+        ? normalizeUrl(userConfig.controller)
+        : '';
+    if (cfgController) {
+      const match = deviceUrls.find((u) => normalizeUrl(u) === cfgController);
+      if (match) {
+        return normalizeUrl(match);
+      }
+    }
+
+    if (deviceUrls.length === 1) {
+      return normalizeUrl(deviceUrls[0]);
+    }
+
+    return null;
+  } catch {
     return null;
   }
 }
@@ -109,6 +151,7 @@ async function resolveControllerUrl() {
 
 module.exports = {
   getDefaultControllerUrl,
+  hasStoredDeviceTokenForController,
   getControllerUrlFromLoggedInUser,
   getControllerFromConfig,
   resolveControllerUrl

package/lib/utils/datasource-test-run-display.js

@@ -300,12 +300,20 @@ function appendValidationIssueLines(lines, envelope, maxIssues = 5) {
     const code = iss && iss.code ? chalk.red(`[${iss.code}] `) : '';
     const msg = iss && iss.message ? String(iss.message) : JSON.stringify(iss);
     lines.push(`  ${code}${chalk.yellow(msg)}`);
+    appendDpSec013Details(lines, iss);
   }
   if (issues.length > cap) {
     lines.push(chalk.gray(`  … and ${issues.length - cap} more (see --json or debug full/raw)`));
   }
 }
 
+function appendDpSec013Details(lines, iss) {
+  if (!iss || iss.code !== 'DP-SEC-013') return;
+  const perm = iss.details && iss.details.resolvedPermission ? String(iss.details.resolvedPermission) : '';
+  if (!perm) return;
+  lines.push(`    ${chalk.gray('Missing permission:')} ${chalk.white(perm)}`);
+}
+
 /**
  * @param {string[]} lines
  * @param {Object} envelope

package/lib/utils/dev-hosts-helper.js

@@ -12,6 +12,7 @@ const path = require('path');
 const readline = require('readline');
 const chalk = require('chalk');
 const { nodeFs } = require('../internal/node-fs');
+const { formatSuccessLine } = require('./cli-layout-chalk');
 
 const IPV4_RE = /^(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)){3}$/;
 
@@ -238,7 +239,7 @@ async function resolveHostsIpForInit(hostname, hostsIp, logger) {
 async function appendHostsBlockOrPrintManual(hostsPath, block, line, logger) {
   try {
     await nodeFs().promises.appendFile(hostsPath, block, { encoding: 'utf8' });
-    logger.log(chalk.green(`  ✔ Updated ${hostsPath}\n`));
+    logger.log(chalk.green('  ') + formatSuccessLine(`Updated ${hostsPath}`) + '\n');
   } catch (e) {
     if (e.code === 'EACCES' || e.code === 'EPERM') {
       logger.log(chalk.yellow(`  ✖ Could not write ${hostsPath} (permission denied).`));
@@ -261,7 +262,7 @@ async function appendHostsBlockOrPrintManual(hostsPath, block, line, logger) {
 async function tryWriteHostsEntry(hostsPath, hostnames, ip, skipConfirm, logger) {
   const missing = hostnames.filter((h) => !hostsFileHasHostname(hostsPath, h));
   if (missing.length === 0) {
-    logger.log(chalk.green(`  ✔ Required hostnames are already listed in ${hostsPath}. Nothing to do.\n`));
+    logger.log(chalk.green('  ') + formatSuccessLine(`Required hostnames are already listed in ${hostsPath}. Nothing to do.`) + '\n');
     return;
   }
   const line = `${ip} ${missing.join(' ')}`;

package/lib/utils/dev-init-ssh-merge.js

@@ -6,6 +6,7 @@ const chalk = require('chalk');
 const config = require('../core/config');
 const logger = require('./logger');
 const { ensureDevSshConfigBlock } = require('./dev-ssh-config-helper');
+const { successGlyph } = require('./cli-layout-chalk');
 
 /**
  * Hostname from Builder Server URL (for sync-ssh-host fallback).
@@ -46,7 +47,7 @@ async function mergeDevSshConfigAfterInit(baseUrl, devId) {
         );
       } else {
         logger.log(
-          chalk.green('  ✔ SSH config updated: ') +
+          `${chalk.green('  ')}${successGlyph()}${chalk.green(' SSH config updated: ')}` +
             chalk.cyan(`Host ${res.hostAlias}`) +
             chalk.gray(` → ${res.configPath}`)
         );

package/lib/utils/docker-build.js

@@ -1,4 +1,4 @@
-const { formatSuccessLine } = require('./cli-test-layout-chalk');
+const { formatSuccessLine, headerKeyValue, formatWarningLine } = require('./cli-test-layout-chalk');
 /**
  * Docker Build Utilities
  *
@@ -177,7 +177,6 @@ async function executeDockerBuild(imageName, dockerfilePath, contextPath, tag, b
   const spinner = ora({ text: 'Starting Docker build...', spinner: 'dots' }).start();
   const fsSync = require('fs');
   const path = require('path');
-  const { getRemoteDockerEnv } = require('./remote-docker-env');
   dockerfilePath = path.resolve(dockerfilePath);
   contextPath = path.resolve(contextPath);
 
@@ -196,7 +195,8 @@ async function executeDockerBuild(imageName, dockerfilePath, contextPath, tag, b
   }
 
   const isTest = process.env.NODE_ENV === 'test' || process.env.JEST_WORKER_ID !== undefined;
-  const remoteEnv = isTest ? {} : await getRemoteDockerEnv();
+  const { getDockerExecEnv } = require('./remote-docker-env');
+  const dockerCliEnv = isTest ? { ...process.env } : await getDockerExecEnv();
   const resolvedBuildArgs = buildArgs && typeof buildArgs === 'object' ? buildArgs : {};
   return new Promise((resolve, reject) => {
     runDockerBuildProcess({
@@ -207,7 +207,7 @@ async function executeDockerBuild(imageName, dockerfilePath, contextPath, tag, b
       spinner,
       resolve,
       reject,
-      env: remoteEnv,
+      env: dockerCliEnv,
       buildArgs: resolvedBuildArgs,
       noCache
     });
@@ -258,14 +258,20 @@ async function executeBuild(imageName, dockerfilePath, contextPath, tag, options
  */
 async function executeDockerBuildWithTag(effectiveImageName, imageName, dockerfilePath, contextPath, tag, options) {
   const logger = require('../utils/logger');
-  const chalk = require('chalk');
 
-  logger.log(chalk.blue(`Using Dockerfile: ${dockerfilePath}`));
-  logger.log(chalk.blue(`Using build context: ${contextPath}`));
+  logger.log(headerKeyValue('Dockerfile:', dockerfilePath));
+  logger.log(headerKeyValue('Build context:', contextPath));
 
   await executeBuild(effectiveImageName, dockerfilePath, contextPath, tag, options);
 
-  // Back-compat: also tag the built dev image as the base image name
+  const wantCompatTag =
+    effectiveImageName !== imageName &&
+    options &&
+    options.base === true;
+  if (!wantCompatTag) {
+    return;
+  }
+
   try {
     const { promisify } = require('util');
     const { exec } = require('child_process');
@@ -275,7 +281,9 @@ async function executeDockerBuildWithTag(effectiveImageName, imageName, dockerfi
     await run(`docker tag ${effectiveImageName}:${tag} ${imageName}:${tag}`, { env });
     logger.log(formatSuccessLine(`Tagged image: ${imageName}:${tag}`));
   } catch (err) {
-    logger.log(chalk.yellow(`⚠  Warning: Could not create compatibility tag ${imageName}:${tag} - ${err.message}`));
+    logger.log(
+      formatWarningLine(`Could not create compatibility tag ${imageName}:${tag} - ${err.message}`)
+    );
   }
 }
 

package/lib/utils/docker-reload-mount.js

@@ -0,0 +1,127 @@
+/**
+ * Decide whether `aifabrix run --reload` can bind-mount workspace without Mutagen.
+ * Mutagen is only needed when the CLI filesystem and the Docker engine host differ.
+ *
+ * @fileoverview Co-located Docker detection for reload mounts
+ * @author AI Fabrix Team
+ * @version 2.0.0
+ */
+
+'use strict';
+
+const os = require('os');
+
+/**
+ * @param {string} host
+ * @returns {string}
+ */
+function normalizeHost(host) {
+  return String(host || '')
+    .trim()
+    .toLowerCase()
+    .replace(/^\[|\]$/g, '');
+}
+
+/**
+ * @param {string} host
+ * @returns {boolean}
+ */
+function isLocalLoopbackHost(host) {
+  const h = normalizeHost(host);
+  return h === 'localhost' || h === '127.0.0.1' || h === '::1' || h === '0:0:0:0:0:0:0:1';
+}
+
+/**
+ * @param {string} rest - after "tcp://"
+ * @returns {string|null}
+ */
+function tcpHostFromRest(rest) {
+  if (rest.startsWith('[')) {
+    const end = rest.indexOf(']');
+    if (end === -1) return null;
+    return normalizeHost(rest.slice(1, end));
+  }
+  const hostPort = rest.split('/')[0];
+  const colonIdx = hostPort.lastIndexOf(':');
+  if (colonIdx === -1) {
+    return normalizeHost(hostPort);
+  }
+  const maybePort = hostPort.slice(colonIdx + 1);
+  if (/^\d+$/.test(maybePort)) {
+    return normalizeHost(hostPort.slice(0, colonIdx));
+  }
+  return normalizeHost(hostPort);
+}
+
+/**
+ * Extract host from docker-endpoint (tcp, optional URL form).
+ * @param {string} endpoint
+ * @returns {string|null} normalized host, or null for unix socket paths / empty
+ */
+function extractHostFromDockerEndpoint(endpoint) {
+  const s = String(endpoint || '').trim();
+  if (!s) return null;
+  const lower = s.toLowerCase();
+  if (lower.startsWith('unix:')) {
+    return null;
+  }
+  if (lower.startsWith('tcp://')) {
+    return tcpHostFromRest(s.slice(6));
+  }
+  try {
+    const u = new URL(s.includes('://') ? s : `tcp://${s}`);
+    return normalizeHost(u.hostname);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * sync-ssh-host localhost check (same rules as run.js isLocalhostHost for reload gate).
+ * @param {string} host
+ * @returns {boolean}
+ */
+function isLocalhostSyncSshHost(host) {
+  if (!host || typeof host !== 'string') return false;
+  const h = host.trim().toLowerCase();
+  return h === 'localhost' || h === '127.0.0.1';
+}
+
+/**
+ * True when docker API host is this machine (first label or FQDN match).
+ * @param {string} dockerHost - from extractHostFromDockerEndpoint
+ * @returns {boolean}
+ */
+function hostnameMatchesDockerHost(dockerHost) {
+  const h = normalizeHost(dockerHost);
+  if (!h) return true;
+  if (isLocalLoopbackHost(h)) return true;
+  const hn = normalizeHost(os.hostname());
+  if (h === hn) return true;
+  const hnShort = hn.split('.')[0];
+  const hShort = h.split('.')[0];
+  if (h === hnShort || hn === hShort) return true;
+  return false;
+}
+
+/**
+ * When true, use a direct bind mount for --reload; Mutagen is not required.
+ * @param {string|null|undefined} dockerEndpoint - config `docker-endpoint`
+ * @returns {boolean}
+ */
+function isReloadBindMountOnEngineHost(dockerEndpoint) {
+  const e = String(dockerEndpoint || '').trim();
+  if (!e) return true;
+  if (e.toLowerCase().startsWith('unix:')) return true;
+  const host = extractHostFromDockerEndpoint(e);
+  if (host === null) {
+    return false;
+  }
+  return hostnameMatchesDockerHost(host);
+}
+
+module.exports = {
+  extractHostFromDockerEndpoint,
+  isReloadBindMountOnEngineHost,
+  isLocalhostSyncSshHost
+};