@aifabrix/builder 2.44.6 → 2.45.0

package/lib/cli/setup-utility.js

@@ -10,11 +10,11 @@ const { formatSuccessParagraph } = require('../utils/cli-test-layout-chalk');
 const path = require('path');
 const fs = require('fs');
 const chalk = require('chalk');
-const secrets = require('../core/secrets');
 const generator = require('../generator');
 const logger = require('../utils/logger');
 const { handleCommandError, logOfflinePathWhenType } = require('../utils/cli-utils');
 const { detectAppType, getDeployJsonPath, getResolveAppPath } = require('../utils/paths');
+const { setupResolveCommand } = require('./setup-utility-resolve');
 
 const JSON_HELP_AFTER = `
 Example:
@@ -121,46 +121,20 @@ function logSplitJsonResult(result) {
   }
 }
 
-function setupResolveCommand(program) {
-  program.command('resolve <app>')
-    .description('Generate .env from template; optional validate after')
-    .option('-f, --force', 'Generate missing secret keys in secrets file')
-    .option('--skip-validation', 'Skip file validation after generating .env')
-    .action(async(appName, options) => {
-      try {
-        const { appPath, envOnly } = await getResolveAppPath(appName);
-        const envPath = await secrets.generateEnvFile(
-          appName,
-          undefined,
-          'docker',
-          options.force,
-          { appPath, envOnly, skipOutputPath: false, preserveFromPath: null }
-        );
-        logger.log(`✔ Generated .env file: ${envPath}`);
-        if (envOnly) {
-          logger.log(chalk.gray('  (env-only mode: validation skipped; no application config file)'));
-        } else if (!options.skipValidation) {
-          const validate = require('../validation/validate');
-          const result = await validate.validateAppOrFile(appName);
-          validate.displayValidationResults(result);
-          if (!result.valid) {
-            logger.log(chalk.yellow('\n⚠  Validation found errors. Fix them before deploying.'));
-            process.exit(1);
-          }
-        }
-      } catch (error) {
-        handleCommandError(error, 'resolve');
-        process.exit(1);
-      }
-    });
-}
-
 function setupJsonCommand(program) {
   program.command('json <app>')
     .description('Write deployment JSON to disk for version control')
     .addHelpText('after', JSON_HELP_AFTER)
     .action(async(appName, options) => {
       try {
+        const resolved = await getResolveAppPath(appName);
+        const { emitManifestMetadataLineIfTTY } = require('../utils/manifest-source-emit');
+        emitManifestMetadataLineIfTTY(logger, {
+          appKey: appName,
+          appPath: resolved.appPath,
+          envOnly: resolved.envOnly,
+          json: false
+        });
         const result = await generator.generateDeployJsonWithValidation(appName, options);
         if (result.success) {
           const fileName = result.path.includes('application-schema.json') ? 'application-schema.json' : 'deployment JSON';
@@ -353,28 +327,56 @@ function setupSplitJsonConvertShowCommands(program) {
   setupShowCommand(program);
 }
 
-async function runValidateCommand(appOrFile, options) {
-  const validate = require('../validation/validate');
-  const opts = options.opts ? options.opts() : options;
+function emitManifestAfterValidateIfApplicable(appOrFile, result, outFormat) {
+  if (outFormat === 'json' || !result?.appPath || !appOrFile || typeof appOrFile !== 'string') {
+    return;
+  }
+  try {
+    if (fs.existsSync(appOrFile) && fs.statSync(appOrFile).isFile()) {
+      return;
+    }
+    const { emitManifestMetadataLineIfTTY } = require('../utils/manifest-source-emit');
+    emitManifestMetadataLineIfTTY(logger, {
+      appKey: appOrFile,
+      appPath: result.appPath,
+      envOnly: false,
+      json: false
+    });
+  } catch {
+    /* ignore emit failures */
+  }
+}
+
+async function runValidateBatchBranch(validate, opts) {
   const integration = opts.integration === true;
   const builder = opts.builder === true;
+  if (!integration && !builder) {
+    return false;
+  }
   const outFormat = (opts.format || 'default').toLowerCase();
+  const batchResult = integration && builder
+    ? await validate.validateAll(opts)
+    : integration
+      ? await validate.validateAllIntegrations(opts)
+      : await validate.validateAllBuilderApps(opts);
+  if (outFormat === 'json') {
+    logger.log(JSON.stringify(batchResult, null, 2));
+  } else {
+    validate.displayBatchValidationResults(batchResult);
+  }
+  if (!batchResult.valid) process.exit(1);
+  return true;
+}
 
-  if (integration || builder) {
-    const batchResult = integration && builder
-      ? await validate.validateAll(opts)
-      : integration
-        ? await validate.validateAllIntegrations(opts)
-        : await validate.validateAllBuilderApps(opts);
-    if (outFormat === 'json') {
-      logger.log(JSON.stringify(batchResult, null, 2));
-    } else {
-      validate.displayBatchValidationResults(batchResult);
-    }
-    if (!batchResult.valid) process.exit(1);
+async function runValidateCommand(appOrFile, options) {
+  const validate = require('../validation/validate');
+  const opts = options.opts ? options.opts() : options;
+  if (await runValidateBatchBranch(validate, opts)) {
     return;
   }
 
+  const outFormat = (opts.format || 'default').toLowerCase();
+
   if (!appOrFile || typeof appOrFile !== 'string') {
     logger.log(chalk.red('App name or file path is required, or use --integration / --builder'));
     process.exit(1);
@@ -384,8 +386,20 @@ async function runValidateCommand(appOrFile, options) {
     ...opts,
     certSync: opts.certSync === true
   });
+  emitManifestAfterValidateIfApplicable(appOrFile, result, outFormat);
   if (outFormat === 'json') {
-    logger.log(JSON.stringify(result, null, 2));
+    let payload = result;
+    try {
+      if (result?.appPath && appOrFile && typeof appOrFile === 'string') {
+        if (!(fs.existsSync(appOrFile) && fs.statSync(appOrFile).isFile())) {
+          const { getManifestSourcePayload } = require('../utils/manifest-source-emit');
+          payload = { ...result, manifestSource: getManifestSourcePayload(appOrFile, result.appPath) };
+        }
+      }
+    } catch {
+      /* keep plain result */
+    }
+    logger.log(JSON.stringify(payload, null, 2));
   } else {
     validate.displayValidationResults(result);
   }

package/lib/commands/app-logs.js

@@ -15,6 +15,7 @@ const containerHelpers = require('../utils/app-run-containers');
 const { validateAppName } = require('../app/push');
 
 const { execWithDockerEnv } = require('../utils/docker-exec');
+const { maskEnvLine } = require('../utils/log-redaction');
 
 /** Default number of log lines */
 const DEFAULT_TAIL_LINES = 100;
@@ -43,36 +44,11 @@ const LEVEL_JSON_NUMERIC_REGEX = /"level"\s*:\s*(\d+)/;
 /** Fallback: line contains whole-word "error" or "Error" when no other level detected (catches stack traces, "Error: msg", etc.) */
 const ERROR_WORD_FALLBACK_REGEX = /\berror\b/i;
 
-/** Env key patterns that indicate a secret (mask value) */
-const SECRET_KEY_PATTERN = /password|secret|token|credential|api[_-]?key/i;
+/** Keycloak / Java style: validation failure without the word "error" (would be dropped by `-l error` otherwise) */
+const VALIDATION_FAILURE_LINE_REGEX = /\bvalidation\s+failed\b/i;
 
-/** Prefixes to strip before checking key (avoids masking KEYCLOAK_SERVER_URL etc.) */
-const KEY_PREFIXES_TO_STRIP = /^KEYCLOAK_|^KEY_VAULT_/;
-
-/** URL with embedded credentials: scheme://user:password@host → scheme://user:***@host */
-const URL_CREDENTIAL_PATTERN = /(\w+:\/\/)([^:@]*):([^@]+)@/g;
-
-/**
- * Masks a single env line if the key looks like a secret or value contains URL credentials
- * @param {string} line - Line in form KEY=value
- * @returns {string} Same line or KEY=*** or value with masked URL credentials
- */
-function maskEnvLine(line) {
-  const eq = line.indexOf('=');
-  if (eq <= 0) return line;
-  const key = line.slice(0, eq);
-  const value = line.slice(eq + 1);
-
-  const keyForCheck = key.replace(KEY_PREFIXES_TO_STRIP, '');
-  const isSecretKey = SECRET_KEY_PATTERN.test(keyForCheck);
-
-  const maskedValue = value.replace(URL_CREDENTIAL_PATTERN, '$1$2:***@');
-  const hasUrlCredentials = maskedValue !== value;
-
-  if (isSecretKey) return `${key}=***`;
-  if (hasUrlCredentials) return `${key}=${maskedValue}`;
-  return line;
-}
+/** Other failure phrases treated as error severity for level filtering */
+const FAILURE_PHRASE_AS_ERROR_REGEX = /\b(fatal|failed to run|unable to (start|run)|exception in thread)\b/i;
 
 /** Normalize level string to canonical 'debug'|'info'|'warn'|'error'. */
 function normalizeLevel(raw) {
@@ -104,9 +80,66 @@ function getLogLevel(line) {
   const jsonNum = line.match(LEVEL_JSON_NUMERIC_REGEX);
   if (jsonNum) return numericLevelToName(parseInt(jsonNum[1], 10));
   if (ERROR_WORD_FALLBACK_REGEX.test(line)) return 'error';
+  if (VALIDATION_FAILURE_LINE_REGEX.test(line)) return 'error';
+  if (FAILURE_PHRASE_AS_ERROR_REGEX.test(line)) return 'error';
+  return null;
+}
+
+/** Lines after an `error`-level line often have no level prefix (e.g. Keycloak config validation details). */
+const ERROR_FILTER_CONTEXT_UNCLASSIFIED_MAX = 50;
+
+/**
+ * Whether to show a log line when `--level` filtering is on. After an emitted error line, includes
+ * up to {@link ERROR_FILTER_CONTEXT_UNCLASSIFIED_MAX} following lines with no parseable level so
+ * stack traces and multi-line validation output are not dropped.
+ *
+ * @param {string} line
+ * @param {string|null} minLevel - normalized LOG_LEVELS value or null
+ * @param {{ pendingAfterError: number }} state - mutable; only used when minLevel is `error`
+ * @returns {boolean}
+ */
+/**
+ * @param {string|null} level
+ * @param {string} minLevel
+ * @param {{ pendingAfterError: number }} state
+ * @returns {boolean|null} true if line shown by sticky rule; null to continue
+ */
+function tryStickyErrorContinuation(level, minLevel, state) {
+  if (minLevel !== 'error' || state.pendingAfterError <= 0) {
+    return null;
+  }
+  if (level === null || level === undefined) {
+    state.pendingAfterError -= 1;
+    return true;
+  }
+  if (level !== 'error') {
+    state.pendingAfterError = 0;
+  }
   return null;
 }
 
+function shouldShowFilteredLogLine(line, minLevel, state) {
+  if (minLevel === null || minLevel === undefined || minLevel === '' || !LOG_LEVELS.includes(minLevel)) {
+    return true;
+  }
+  if (line.trim() === '' && minLevel === 'error' && state.pendingAfterError > 0) {
+    return true;
+  }
+  const level = getLogLevel(line);
+  const sticky = tryStickyErrorContinuation(level, minLevel, state);
+  if (sticky === true) {
+    return true;
+  }
+
+  if (passesLevelFilter(level, minLevel)) {
+    if (minLevel === 'error' && level === 'error') {
+      state.pendingAfterError = ERROR_FILTER_CONTEXT_UNCLASSIFIED_MAX;
+    }
+    return true;
+  }
+  return false;
+}
+
 /**
  * Whether a line's level passes the minimum level filter (show this level and above).
  * @param {string|null} lineLevel - Level from getLogLevel (null treated as 'info')
@@ -143,7 +176,12 @@ async function dumpMaskedEnv(containerName) {
     lines.forEach((line) => logger.log(maskEnvLine(line)));
     logger.log(chalk.gray('\n--- Logs ---\n'));
   } catch (err) {
-    logger.log(chalk.gray('(Could not read container env; container may be stopped)\n'));
+    logger.log(
+      chalk.gray(
+        '(Could not read container env — the container may be stopped, restarting, or not ready yet. ' +
+          'Docker log output below is still shown.)\n'
+      )
+    );
   }
 }
 
@@ -175,8 +213,9 @@ async function runDockerLogs(containerName, options) {
     const proc = spawn('docker', args, { stdio: ['inherit', 'pipe', 'pipe'], env: dockerEnv });
     proc.on('error', reject);
 
+    const filterState = { pendingAfterError: 0 };
     function onLine(line) {
-      if (passesLevelFilter(getLogLevel(line), minLevel)) {
+      if (shouldShowFilteredLogLine(line, minLevel, filterState)) {
         process.stdout.write(line + '\n');
       }
     }
@@ -241,8 +280,11 @@ async function runDockerLogsFollow(containerName, tail, minLevel) {
     logger.log(chalk.red(`Error: ${err.message}`));
     process.exit(1);
   });
+  const filterState = { pendingAfterError: 0 };
   function onLine(line) {
-    if (passesLevelFilter(getLogLevel(line), level)) process.stdout.write(line + '\n');
+    if (shouldShowFilteredLogLine(line, level, filterState)) {
+      process.stdout.write(line + '\n');
+    }
   }
   const rlOut = readline.createInterface({ input: proc.stdout, crlfDelay: Infinity });
   rlOut.on('line', onLine);
@@ -301,4 +343,10 @@ async function runAppLogs(appKey, options = {}) {
   }
 }
 
-module.exports = { runAppLogs, maskEnvLine, getLogLevel, passesLevelFilter };
+module.exports = {
+  runAppLogs,
+  maskEnvLine,
+  getLogLevel,
+  passesLevelFilter,
+  shouldShowFilteredLogLine
+};

package/lib/commands/auth-config.js

@@ -8,53 +8,144 @@
  * @version 2.0.0
  */
 
+const chalk = require('chalk');
 const { formatBlockingError, formatSuccessLine } = require('../utils/cli-test-layout-chalk');
 const {
   setControllerUrl,
   setCurrentEnvironment,
-  getControllerUrl
+  getControllerUrl,
+  getRegisteredControllerUrls,
+  getConfig
 } = require('../core/config');
 const {
   validateControllerUrl,
   validateEnvironment,
   checkUserLoggedIn
 } = require('../utils/auth-config-validator');
-const { getControllerUrlFromLoggedInUser } = require('../utils/controller-url');
+const { hasStoredDeviceTokenForController } = require('../utils/controller-url');
 const logger = require('../utils/logger');
 
+/**
+ * True when user ran --set-controller with no URL (pick from config.yaml).
+ * @param {unknown} setController - Commander option value
+ * @returns {boolean}
+ */
+function isInteractiveControllerPick(setController) {
+  return (
+    setController === true ||
+    (typeof setController === 'string' && setController.trim() === '')
+  );
+}
+
+/**
+ * True when a non-empty controller URL string was passed.
+ * @param {unknown} setController - Commander option value
+ * @returns {boolean}
+ */
+function hasExplicitControllerUrl(setController) {
+  return typeof setController === 'string' && setController.trim() !== '';
+}
+
+/**
+ * Normalize controller URL for equality checks (trailing slashes).
+ * @param {string|null|undefined} url - URL or empty
+ * @returns {string}
+ */
+function normalizeForCompare(url) {
+  if (!url || typeof url !== 'string') return '';
+  return url.trim().replace(/\/+$/, '');
+}
+
+function throwNoRegisteredControllers() {
+  const msg =
+    'No controllers are registered in config. Run "aifabrix login" first, or set a controller with "aifabrix auth --set-controller <url>".';
+  logger.error(formatBlockingError(msg));
+  throw new Error(msg);
+}
+
+function throwNonInteractiveControllerPick() {
+  const msg =
+    'Cannot choose a controller without a URL in non-interactive mode. Run: aifabrix auth --set-controller <url>';
+  logger.error(formatBlockingError(msg));
+  throw new Error(msg);
+}
+
+/**
+ * Pick default controller from URLs in config (`controller` + `device` keys), or set the only one.
+ * @async
+ * @returns {Promise<void>}
+ */
+async function handleSelectRegisteredController() {
+  const urls = await getRegisteredControllerUrls();
+
+  if (urls.length === 0) {
+    throwNoRegisteredControllers();
+  }
+
+  if (!process.stdin.isTTY) {
+    throwNonInteractiveControllerPick();
+  }
+
+  if (urls.length === 1) {
+    const sole = urls[0];
+    const current = await getControllerUrl();
+    if (normalizeForCompare(current) === normalizeForCompare(sole)) {
+      logger.log(formatSuccessLine(`Default controller is already set to ${sole}.`));
+      logger.log(
+        chalk.white('To add another controller, run: aifabrix auth --set-controller <url>')
+      );
+      return;
+    }
+    await handleSetController(sole);
+    return;
+  }
+
+  const inquirer = require('inquirer');
+  const { controllerUrl } = await inquirer.prompt([
+    {
+      type: 'list',
+      name: 'controllerUrl',
+      message: 'Select default controller:',
+      choices: urls
+    }
+  ]);
+  await handleSetController(controllerUrl);
+}
+
 /**
  * Handle set-controller command
- * Allows setting the default controller when no credentials are stored, or when already logged in to that controller.
- * If credentials exist for a different controller, throws with a clear message.
+ * Allows setting the default controller when there are no device tokens, or when a token exists
+ * for the target URL (including switching among multiple logged-in controllers). If device tokens
+ * exist only for other controller URLs, throws with a clear message.
  *
  * @async
  * @function handleSetController
  * @param {string} url - Controller URL to set
  * @returns {Promise<void>}
- * @throws {Error} If validation fails or credentials exist for another controller
+ * @throws {Error} If validation fails or credentials exist only for other controllers
  */
 async function handleSetController(url) {
   try {
     validateControllerUrl(url);
     const normalizedUrl = url.trim().replace(/\/+$/, '');
 
-    const loggedInControllerUrl = await getControllerUrlFromLoggedInUser();
-    if (!loggedInControllerUrl) {
-      // No stored credentials: allow setting controller so "aifabrix login" opens the right place
-      await setControllerUrl(url);
-      logger.log(formatSuccessLine(`Controller URL set to: ${url}`));
-      return;
-    }
+    const userConfig = await getConfig();
+    const device =
+      userConfig.device && typeof userConfig.device === 'object' ? userConfig.device : {};
+    const deviceKeys = Object.keys(device);
+    const hasTokenForTarget = await hasStoredDeviceTokenForController(normalizedUrl);
 
-    const normalizedLoggedIn = loggedInControllerUrl.trim().replace(/\/+$/, '');
-    if (normalizedLoggedIn === normalizedUrl) {
+    if (deviceKeys.length === 0 || hasTokenForTarget) {
       await setControllerUrl(url);
       logger.log(formatSuccessLine(`Controller URL set to: ${url}`));
       return;
     }
 
+    const otherKey =
+      deviceKeys.find((k) => normalizeForCompare(k) !== normalizeForCompare(normalizedUrl)) ||
+      deviceKeys[0];
     throw new Error(
-      `You have credentials for another controller (${loggedInControllerUrl}).\n` +
+      `You have credentials for another controller (${otherKey.trim().replace(/\/+$/, '')}).\n` +
       'To use a different controller either run "aifabrix login" with that controller, or run "aifabrix logout" first to clear credentials, then set the new controller with "aifabrix auth --set-controller <url>".'
     );
   } catch (error) {
@@ -107,20 +198,27 @@ async function handleSetEnvironment(environment) {
  * @async
  * @function handleAuthConfig
  * @param {Object} options - Command options
- * @param {string} [options.setController] - Controller URL to set
+ * @param {string|boolean} [options.setController] - Controller URL, or true when flag has no value
  * @param {string} [options.setEnvironment] - Environment to set
  * @returns {Promise<void>}
  * @throws {Error} If command fails
  */
 async function handleAuthConfig(options) {
-  if (!options.setController && !options.setEnvironment) {
+  const pick = isInteractiveControllerPick(options.setController);
+  const hasUrl = hasExplicitControllerUrl(options.setController);
+
+  if (!pick && !hasUrl && !options.setEnvironment) {
     throw new Error(
       'No action specified. Use "aifabrix auth --set-controller <url>" or "aifabrix auth --set-environment <env>".'
     );
   }
-  if (options.setController) {
+
+  if (pick) {
+    await handleSelectRegisteredController();
+  } else if (hasUrl) {
     await handleSetController(options.setController);
   }
+
   if (options.setEnvironment) {
     await handleSetEnvironment(options.setEnvironment);
   }

package/lib/commands/setup-modes.js

@@ -9,7 +9,9 @@
  *   - {@link runUpdateImages}     — Mode 4: docker pull infra + platform images, up-infra, up-platform.
  *
  * Every handler ends with `up-infra` (idempotent, reads flags from
- * `config.yaml`) followed by `up-platform`. Modes 1/2/3 also remove
+ * `config.yaml`) followed by `up-platform`. Optional service keys
+ * (`traefik`, `pgadmin`, `redisCommander`) are written when missing so the
+ * file matches effective compose defaults. Modes 1/2/3 also remove
  * `secrets.local.yaml` so the next platform bootstrap re-resolves
  * service secrets from the catalog and re-prompts the AI tool wizard.
  *
@@ -49,6 +51,10 @@ const postgresWipe = require('../utils/postgres-wipe');
 const setupPrompts = require('./setup-prompts');
 const { handleLogin } = require('./login');
 const infraGuided = require('../cli/infra-guided');
+const {
+  computeEffectiveInfraOptionalFlags,
+  persistMissingInfraOptionalServiceFlags
+} = require('../utils/infra-optional-service-flags');
 
 /** Builder app keys touched by `up-platform --force`. */
 const PLATFORM_APPS = ['keycloak', 'miso-controller', 'dataplane'];
@@ -203,7 +209,9 @@ function stopSpinnerSuccess(spinner, text) {
 /**
  * Start infrastructure using the developer's `config.yaml` flags.
  * Mirrors the relevant slice of `runUpInfraCommand` from `lib/cli/setup-infra.js`
- * without re-applying CLI flag persistence (we never receive flags here).
+ * without re-applying CLI flag persistence (setup passes no Commander flags).
+ * After a successful start, missing `traefik` / `pgadmin` / `redisCommander`
+ * keys are written to match effective {@link infra.startInfra} options.
  *
  * @async
  * @param {Object} [overrides] - Optional admin overrides (fresh install only)
@@ -214,17 +222,22 @@ function stopSpinnerSuccess(spinner, text) {
 async function startInfraFromConfig(overrides = {}) {
   await config.ensureSecretsEncryptionKey();
   const cfg = await config.getConfig();
+  const emailOverride = String(overrides.adminEmail || '').trim();
+  const emailFromConfig = typeof cfg.adminEmail === 'string' ? cfg.adminEmail.trim() : '';
+  const adminEmailMerged = emailOverride || emailFromConfig || undefined;
+  const effective = computeEffectiveInfraOptionalFlags(cfg, {});
   await withMutedLogger(async() => {
     await infra.startInfra(null, {
-      traefik: cfg.traefik === true,
-      pgadmin: cfg.pgadmin !== false,
-      redisCommander: cfg.redisCommander !== false,
+      traefik: effective.traefik,
+      pgadmin: effective.pgadmin,
+      redisCommander: effective.redisCommander,
       adminPassword: overrides.adminPassword,
       adminPwd: overrides.adminPassword,
-      adminEmail: overrides.adminEmail,
+      adminEmail: adminEmailMerged,
       tlsEnabled: cfg.tlsEnabled === true
     });
   });
+  await persistMissingInfraOptionalServiceFlags(cfg, effective);
 }
 
 /**

package/lib/commands/setup-prompts.js

@@ -3,7 +3,8 @@
  *
  * Three small prompt helpers:
  *   1. {@link promptModeSelection} - Mode menu shown when infra is already up.
- *   2. {@link promptAdminCredentials} - Admin email + password (fresh install only).
+ *   2. {@link promptAdminCredentials} - Admin email + password (fresh install only); email default
+ *      from {@link module:lib/core/config.getAdminEmail} when `adminEmail` exists in config.yaml.
  *   3. {@link promptAiTool} - AI tool provider + keys, only when the merged
  *      secret cascade (user-local + shared) does not already provide the keys.
  *
@@ -23,9 +24,11 @@
 
 'use strict';
 
+const path = require('path');
 const inquirer = require('inquirer');
 const chalk = require('chalk');
 const logger = require('../utils/logger');
+const config = require('../core/config');
 const secretsCore = require('../core/secrets');
 const secretsEnsure = require('../core/secrets-ensure');
 const { formatSuccessLine, infoLine } = require('../utils/cli-test-layout-chalk');
@@ -133,6 +136,8 @@ function validatePassword(input) {
 
 /**
  * Prompt for admin email + password (fresh install only).
+ * Reads {@link module:lib/core/config.getAdminEmail} so a previous `aifabrix setup` can prefill the
+ * email field (user may change it before continuing).
  * Asks once for the password and once for confirmation; returns trimmed email
  * and the verbatim password (never logged).
  *
@@ -140,13 +145,24 @@ function validatePassword(input) {
  * @returns {Promise<{ adminEmail: string, adminPassword: string }>}
  */
 async function promptAdminCredentials() {
+  let defaultEmail;
+  try {
+    const saved = await config.getAdminEmail();
+    defaultEmail = saved && saved.trim() ? saved.trim() : undefined;
+  } catch {
+    defaultEmail = undefined;
+  }
+  const emailQuestion = {
+    type: 'input',
+    name: 'adminEmail',
+    message: 'Admin email (Keycloak / pgAdmin login):',
+    validate: validateEmail
+  };
+  if (defaultEmail !== undefined) {
+    emailQuestion.default = defaultEmail;
+  }
   const answers = await inquirer.prompt([
-    {
-      type: 'input',
-      name: 'adminEmail',
-      message: 'Admin email (Keycloak / pgAdmin login):',
-      validate: validateEmail
-    },
+    emailQuestion,
     {
       type: 'password',
       name: 'adminPassword',
@@ -323,6 +339,22 @@ async function promptAiTool(options = {}) {
   );
 }
 
+/**
+ * Absolute directory paths (with trailing sep) shown when setup will replace platform apps.
+ *
+ * @param {string} builderRoot - Absolute or relative builder root
+ * @param {string[]} platformApps - App folder names (e.g. `keycloak`)
+ * @returns {string[]}
+ */
+function formatBuilderPlatformReplaceLines(builderRoot, platformApps) {
+  const root = builderRoot && typeof builderRoot === 'string' ? builderRoot : 'builder/';
+  const apps = Array.isArray(platformApps) ? platformApps : [];
+  return apps.map((a) => {
+    const full = path.resolve(path.join(root, a));
+    return full.endsWith(path.sep) ? full : `${full}${path.sep}`;
+  });
+}
+
 /**
  * When `aifabrix setup` is about to run `up-platform --force`, it will wipe
  * platform app directories under `builder/`. If the builder root already
@@ -356,7 +388,7 @@ async function promptBuilderDirConflict(info) {
     systemNote +
     '\n\n' +
     'This setup path will REPLACE the platform app folders under:\n' +
-    `  ${platformApps.map(a => `builder/${a}/`).join('\n  ')}`;
+    `  ${formatBuilderPlatformReplaceLines(builderRoot, platformApps).join('\n  ')}`;
 
   const { action } = await inquirer.prompt([
     {
@@ -379,6 +411,7 @@ module.exports = {
   MODE,
   AI_KEYS,
   BUILDER_DIR_ACTION,
+  formatBuilderPlatformReplaceLines,
   promptModeSelection,
   confirmDestructiveMode,
   promptAdminCredentials,