@aifabrix/builder 2.44.6 → 2.45.0

package/lib/core/secrets-load.js

@@ -1,7 +1,9 @@
 /**
- * Secrets loading cascade (user file, aifabrix-secrets file or remote API, builder YAML, defaults).
+ * Secrets loading: primary user file plus configured `aifabrix-secrets` (shared YAML or remote API).
  *
- * @fileoverview Split from secrets.js for module size limits
+ * @fileoverview Default `kv://` resolution uses only `~/.aifabrix/secrets.local.yaml` and `aifabrix-secrets`
+ *   from config — not cwd-ancestor `.aifabrix/secrets.local.yaml`, not `builder/secrets.local.yaml`,
+ *   and not `~/.aifabrix/secrets.yaml`.
  * @author AI Fabrix Team
  * @version 1.0.0
  */
@@ -13,27 +15,75 @@ const path = require('path');
 const config = require('./config');
 const { readYamlAtPath, applyCanonicalSecretsOverride } = require('../utils/secrets-canonical');
 const { ensureSecureFilePermissions } = require('../utils/secure-file-permissions');
+const { resolveSecretsPath } = require('../utils/secrets-path');
 const {
-  resolveSecretsPath
-} = require('../utils/secrets-path');
-const {
-  loadUserSecrets,
   loadPrimaryUserSecrets,
   loadDefaultSecrets,
   ensurePrimaryUserSecretsFileExists
 } = require('../utils/secrets-utils');
-const { decryptSecret, isEncrypted } = require('../utils/secrets-encryption');
 const pathsUtil = require('../utils/paths');
-const { collectAncestorAifabrixSecretsLocalYamlPaths } = require('../utils/secrets-ancestor-paths');
+const { decryptSecret, isEncrypted } = require('../utils/secrets-encryption');
+const logger = require('../utils/logger');
+const { isSecretKeyAllowedEmpty } = require('./secrets-ensure-infra');
+
+/** Dedupe optional decrypt warnings across repeated `loadSecrets` (and duplicate module instances). */
+function optionalDecryptWarnSeen(key) {
+  const g = globalThis;
+  if (!g.__aifabrixOptionalDecryptWarnOnce) {
+    g.__aifabrixOptionalDecryptWarnOnce = new Set();
+  }
+  const set = g.__aifabrixOptionalDecryptWarnOnce;
+  if (set.has(key)) return true;
+  set.add(key);
+  return false;
+}
+
+/**
+ * @param {string} key
+ * @param {unknown} value
+ * @param {string} encryptionKey
+ * @param {Record<string, string>} decryptedSecrets
+ * @param {string} [sourceHint] - File path or API label for decrypt errors / warnings
+ */
+function mergeDecryptedEntry(key, value, encryptionKey, decryptedSecrets, sourceHint) {
+  if (!isEncrypted(value)) {
+    decryptedSecrets[key] = value;
+    return;
+  }
+  try {
+    decryptedSecrets[key] = decryptSecret(value, encryptionKey);
+  } catch (error) {
+    const msg = error && error.message ? error.message : String(error);
+    if (!isSecretKeyAllowedEmpty(key)) {
+      const where =
+        sourceHint && String(sourceHint).trim().length > 0
+          ? ` (encrypted value loaded from: ${sourceHint})`
+          : ' (encrypted value source not recorded; check ~/.aifabrix/secrets.local.yaml and aifabrix-secrets)';
+      throw new Error(`Failed to decrypt secret '${key}'${where}: ${msg}`);
+    }
+    if (!optionalDecryptWarnSeen(key)) {
+      const where =
+        sourceHint && String(sourceHint).trim().length > 0
+          ? ` Encrypted value loaded from: ${sourceHint}.`
+          : '';
+      logger.warn(
+        `Optional secret '${key}' could not be decrypted (${msg}). Treating as empty.${where} ` +
+          'Remove the stale key from shared or local secrets, or fix secrets-encryption alignment.'
+      );
+    }
+    decryptedSecrets[key] = '';
+  }
+}
 
 /**
  * Decrypts encrypted values in secrets object
  *
  * @async
  * @param {Object} secrets - Secrets object with potentially encrypted values
+ * @param {{ keySources?: Record<string, string>, defaultSourceLabel?: string }} [options] - Per-key file/API path for errors
  * @returns {Promise<Object>} Secrets object with decrypted values
  */
-async function decryptSecretsObject(secrets) {
+async function decryptSecretsObject(secrets, options) {
   if (!secrets || typeof secrets !== 'object') {
     return secrets;
   }
@@ -49,17 +99,13 @@ async function decryptSecretsObject(secrets) {
     return secrets;
   }
 
+  const keySources = options && options.keySources ? options.keySources : null;
+  const defaultLabel = options && options.defaultSourceLabel ? options.defaultSourceLabel : '';
+
   const decryptedSecrets = {};
   for (const [key, value] of Object.entries(secrets)) {
-    if (isEncrypted(value)) {
-      try {
-        decryptedSecrets[key] = decryptSecret(value, encryptionKey);
-      } catch (error) {
-        throw new Error(`Failed to decrypt secret '${key}': ${error.message}`);
-      }
-    } else {
-      decryptedSecrets[key] = value;
-    }
+    const sourceHint = (keySources && keySources[key]) || defaultLabel || '';
+    mergeDecryptedEntry(key, value, encryptionKey, decryptedSecrets, sourceHint);
   }
 
   return decryptedSecrets;
@@ -67,8 +113,9 @@ async function decryptSecretsObject(secrets) {
 
 /**
  * Merges config file secrets into user secrets (user wins). Returns null if path missing or config empty.
+ * @param {Record<string, string>} [keySources] - Mutated: path for keys filled from this file
  */
-function mergeUserWithConfigFile(userSecrets, resolvedConfigPath) {
+function mergeUserWithConfigFile(userSecrets, resolvedConfigPath, keySources) {
   if (!fs.existsSync(resolvedConfigPath)) {
     return null;
   }
@@ -86,6 +133,9 @@ function mergeUserWithConfigFile(userSecrets, resolvedConfigPath) {
   for (const key of Object.keys(configSecrets)) {
     if (!(key in merged) || merged[key] === undefined || merged[key] === null || merged[key] === '') {
       merged[key] = configSecrets[key];
+      if (keySources) {
+        keySources[key] = resolvedConfigPath;
+      }
     }
   }
   return merged;
@@ -99,122 +149,74 @@ function createMergeHelpers(userSecrets) {
   };
 }
 
-async function mergeFromConfiguredSecretsPath(configSecretsPath, userSecrets, helpers) {
+async function mergeFromConfiguredSecretsPath(configSecretsPath, userSecrets, helpers, keySources) {
   const remoteDevAuth = require('../utils/remote-dev-auth');
   const effectiveShared = await remoteDevAuth.resolveSharedSecretsEndpoint(configSecretsPath);
 
   if (remoteDevAuth.isRemoteSecretsUrl(effectiveShared)) {
     const { loadRemoteSharedSecrets, mergeUserWithRemoteSecrets } = require('../utils/remote-secrets-loader');
     const remoteSecrets = await loadRemoteSharedSecrets();
-    const merged = mergeUserWithRemoteSecrets(userSecrets, remoteSecrets);
+    const remoteLabel = `shared secrets API (${effectiveShared})`;
+    const merged = mergeUserWithRemoteSecrets(userSecrets, remoteSecrets, keySources, remoteLabel);
     return helpers.hasKeys(merged) ? merged : helpers.userOrNull();
   }
 
   const resolvedConfigPath = path.isAbsolute(configSecretsPath)
     ? configSecretsPath
     : path.resolve(process.cwd(), configSecretsPath);
-  const merged = mergeUserWithConfigFile(userSecrets, resolvedConfigPath);
+  const merged = mergeUserWithConfigFile(userSecrets, resolvedConfigPath, keySources);
   return merged !== null ? merged : helpers.userOrNull();
 }
 
 async function loadMergedConfigAndUserSecrets() {
   const userSecrets = loadPrimaryUserSecrets();
   const helpers = createMergeHelpers(userSecrets);
+  const userPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+  /** @type {Record<string, string>} */
+  const keySources = {};
+  for (const k of Object.keys(userSecrets || {})) {
+    keySources[k] = userPath;
+  }
 
   try {
     const configSecretsPath = await config.getSecretsPath();
     if (!configSecretsPath) {
-      return helpers.userOrNull();
+      return { merged: helpers.userOrNull(), keySources };
     }
-    return await mergeFromConfiguredSecretsPath(configSecretsPath, userSecrets, helpers);
+    const merged = await mergeFromConfiguredSecretsPath(configSecretsPath, userSecrets, helpers, keySources);
+    return { merged, keySources };
   } catch (error) {
     if (error.message && error.message.startsWith('Failed to load secrets file')) {
       throw error;
     }
-    return null;
-  }
-}
-
-function collectBuilderSecretsYamlPaths() {
-  const projectRoot = pathsUtil.getProjectRoot();
-  const candidates = [];
-  if (projectRoot) {
-    candidates.push(path.join(projectRoot, 'builder', 'secrets.local.yaml'));
-  }
-  try {
-    const alt = path.join(pathsUtil.getBuilderRoot(), 'secrets.local.yaml');
-    if (!candidates.length || path.resolve(candidates[0]) !== path.resolve(alt)) {
-      candidates.push(alt);
-    }
-  } catch {
-    /* ignore */
-  }
-  return candidates;
-}
-
-function mergeBuilderSecretsLocalFiles(merged) {
-  try {
-    const seen = new Set();
-    let out = merged;
-    for (const builderPath of collectBuilderSecretsYamlPaths()) {
-      if (!builderPath || seen.has(path.resolve(builderPath))) {
-        continue;
-      }
-      seen.add(path.resolve(builderPath));
-      if (fs.existsSync(builderPath)) {
-        ensureSecureFilePermissions(builderPath);
-        const builderSecrets = mergeUserWithConfigFile(out || {}, builderPath);
-        if (builderSecrets) out = builderSecrets;
-      }
-    }
-    return out;
-  } catch {
-    return merged;
-  }
-}
-
-/**
- * Merge each `cwd/.aifabrix/secrets.local.yaml` found walking up to filesystem root.
- * Later files only fill keys missing or empty on the merged object (same as shared merge).
- * Skips the primary user file path when it appears on the walk (already loaded in merge chain).
- *
- * @param {Object|null|undefined} merged - Current secrets map
- * @returns {Object}
- */
-function mergeAncestorAifabrixSecretsLocalFiles(merged) {
-  try {
-    const primaryUser = path.resolve(pathsUtil.getPrimaryUserSecretsLocalPath());
-    let out = merged && typeof merged === 'object' ? merged : {};
-    const ancestorPaths = collectAncestorAifabrixSecretsLocalYamlPaths(process.cwd(), fs.existsSync);
-    for (const secretsPath of ancestorPaths) {
-      if (path.resolve(secretsPath) === primaryUser) {
-        continue;
-      }
-      ensureSecureFilePermissions(secretsPath);
-      const next = mergeUserWithConfigFile(out, secretsPath);
-      if (next) out = next;
-    }
-    return out;
-  } catch {
-    return merged && typeof merged === 'object' ? merged : {};
+    return { merged: null, keySources };
   }
 }
 
 async function loadSecretsWithFallbacks() {
-  let merged = await loadMergedConfigAndUserSecrets();
+  const mergedResult = await loadMergedConfigAndUserSecrets();
+  let merged = mergedResult.merged;
+  const keySources = mergedResult.keySources;
   if (!merged || Object.keys(merged).length === 0) {
     merged = loadPrimaryUserSecrets();
-    if (Object.keys(merged).length === 0) {
-      merged = loadUserSecrets();
+    const userPath = pathsUtil.getPrimaryUserSecretsLocalPath();
+    for (const k of Object.keys(merged || {})) {
+      keySources[k] = userPath;
     }
-    merged = await applyCanonicalSecretsOverride(merged);
+    merged = await applyCanonicalSecretsOverride(merged || {}, keySources);
   }
-  merged = mergeAncestorAifabrixSecretsLocalFiles(merged);
-  merged = mergeBuilderSecretsLocalFiles(merged);
-  if (Object.keys(merged).length === 0) {
+  const configuredShared = await config.getSecretsPath();
+  if ((!merged || Object.keys(merged).length === 0) && !configuredShared) {
     merged = loadDefaultSecrets();
+    const defaultPath = path.join(pathsUtil.getAifabrixHome(), 'secrets.yaml');
+    for (const k of Object.keys(merged || {})) {
+      keySources[k] = defaultPath;
+    }
   }
-  return merged;
+  if (!merged || Object.keys(merged).length === 0) {
+    return { merged: {}, keySources };
+  }
+  return { merged, keySources };
 }
 
 /**
@@ -232,14 +234,16 @@ async function loadSecrets(secretsPath, _appName) {
     if (!explicitSecrets || typeof explicitSecrets !== 'object') {
       throw new Error(`Invalid secrets file format: ${resolvedPath}`);
     }
-    return await decryptSecretsObject(explicitSecrets);
+    return await decryptSecretsObject(explicitSecrets, { defaultSourceLabel: resolvedPath });
   }
-  let mergedSecrets = await loadSecretsWithFallbacks();
+  let { merged: mergedSecrets, keySources } = await loadSecretsWithFallbacks();
   if (!mergedSecrets || Object.keys(mergedSecrets).length === 0) {
     ensurePrimaryUserSecretsFileExists();
-    mergedSecrets = await loadSecretsWithFallbacks();
+    const again = await loadSecretsWithFallbacks();
+    mergedSecrets = again.merged;
+    keySources = again.keySources;
   }
-  return await decryptSecretsObject(mergedSecrets || {});
+  return await decryptSecretsObject(mergedSecrets || {}, { keySources });
 }
 
 module.exports = {

package/lib/external-system/deploy.js

@@ -169,7 +169,7 @@ function logImmediateControllerDeploymentOutcome(deploymentOutcome) {
     );
     return;
   }
-  logger.log(chalk.gray('   See Deployment section below for details.'));
+  logger.log(chalk.gray('   Check the controller deployment job or logs for details.'));
 }
 
 async function executeDeployAndDisplay(manifest, controllerUrl, environment, authConfig, options) {
@@ -192,6 +192,10 @@ async function executeDeployAndDisplay(manifest, controllerUrl, environment, aut
   const deploymentOutcome = parseControllerDeploymentOutcome(result);
   logImmediateControllerDeploymentOutcome(deploymentOutcome);
 
+  if (!deploymentOutcome.ok) {
+    return result;
+  }
+
   const ctx = await fetchDataplaneDeployReadiness(
     controllerUrl,
     environment,

package/lib/internal/node-fs.js

@@ -72,6 +72,7 @@ function buildBoundFs() {
       mkdirSync: snap.mkdirSync,
       readdirSync: snap.readdirSync,
       statSync: snap.statSync,
+      renameSync: snap.renameSync,
       watch: (...args) => live.watch(...args),
       promises: boundPromises
     };
@@ -83,6 +84,7 @@ function buildBoundFs() {
     mkdirSync: bindSync(rf, 'mkdirSync'),
     readdirSync: bindSync(rf, 'readdirSync'),
     statSync: bindSync(rf, 'statSync'),
+    renameSync: bindSync(rf, 'renameSync'),
     watch: (...args) => live.watch(...args),
     promises: boundPromises
   };

package/lib/schema/application-schema.json

@@ -534,6 +534,10 @@
           "pattern": "^[a-zA-Z.$\\{\\}_-]+$",
           "default": true
         },
+        "internalDockerUseOriginOnly": {
+          "type": "boolean",
+          "description": "When true, declarative url://*-internal full URLs in Docker profile use http://service:containerPort only (omit frontDoorRouting.pattern). Use when the ingress path (e.g. /miso) is not part of in-container routes. Omit or false to keep pattern on internal URLs (e.g. Keycloak /auth)."
+        },
         "certStore": {
           "type": "string",
           "description": "Certificate store name for wildcard certificates. Optional - only needed when using a pre-configured certificate store in Traefik.",

package/lib/schema/infra.parameter.yaml

@@ -342,6 +342,16 @@ parameters:
     azure:
       notes: Empty until set; user-supplied Azure OpenAI API key (not auto-generated).
 
+  # Legacy unprefixed name (scaffold / old env.template); prefer *KeyVault suffix or {appKey}-secrets-apiKeyVault (keyvault.md).
+  - key: api-key
+    scope: app
+    generator:
+      type: randomBytes32
+    ensureOn: [resolveApp]
+    azure:
+      notes: >-
+        Legacy kv://api-key; new apps should use kv://api-keyKeyVault or {appKey}-secrets-apiKeyVault.
+
   # Legacy unprefixed name; prefer kv://{appKey}-secrets-apiKeyVault in env.template (keyvault.md secrets.apiKeyVault).
   - key: miso-controller-secrets-apiKeyVault
     scope: app

package/lib/utils/app-config-resolver.js

@@ -12,7 +12,28 @@
 'use strict';
 
 const path = require('path');
-const fs = require('fs');
+const defaultFs = require('fs');
+const { nodeFs } = require('../internal/node-fs');
+
+const realFs = nodeFs();
+
+/**
+ * Prefer real disk when `fs` is not mocked (avoids `jest.mock('fs')` bleed in other suites).
+ * Use `require('fs')` when Jest replaced it so tests with virtual file stores still work.
+ *
+ * @returns {Pick<import('fs'), 'existsSync'|'renameSync'>}
+ */
+function getResolverFs() {
+  if (
+    typeof jest !== 'undefined' &&
+    defaultFs.existsSync &&
+    typeof jest.isMockFunction === 'function' &&
+    jest.isMockFunction(defaultFs.existsSync)
+  ) {
+    return defaultFs;
+  }
+  return realFs;
+}
 
 /**
  * Resolves path to application config file (application.yaml, application.json, or legacy variables.yaml).
@@ -23,6 +44,7 @@ const fs = require('fs');
  * @throws {Error} If no config file found
  */
 function resolveApplicationConfigPath(appPath) {
+  const fs = getResolverFs();
   if (!appPath || typeof appPath !== 'string') {
     throw new Error('App path is required and must be a string');
   }
@@ -59,6 +81,7 @@ const RBAC_NAMES = ['rbac.yaml', 'rbac.yml', 'rbac.json'];
  * @returns {string|null} Absolute path to RBAC file, or null if none exist
  */
 function resolveRbacPath(appPath) {
+  const fs = getResolverFs();
   if (!appPath || typeof appPath !== 'string') {
     throw new Error('App path is required and must be a string');
   }

package/lib/utils/applications-config-defaults.js

@@ -0,0 +1,206 @@
+/**
+ * User `applications` entries in config.yaml (read by `aifabrix resolve`, written by `aifabrix run` dev).
+ *
+ * @fileoverview Per-app reload and `proxy` (Traefik/public URL hints) in ~/.aifabrix/config.yaml
+ * @author AI Fabrix Team
+ * @version 1.0.0
+ */
+
+'use strict';
+
+const config = require('../core/config');
+
+/**
+ * Persist `applications.<appKey>.reload` from the last `aifabrix run` (dev only; CLI is source of truth).
+ *
+ * @async
+ * @param {string} appKey - Application key
+ * @param {boolean} reload - Same as passing `--reload` on run
+ * @returns {Promise<void>}
+ */
+async function persistApplicationReloadFlag(appKey, reload) {
+  if (!appKey || typeof appKey !== 'string') {
+    return;
+  }
+  const cfg = await config.getConfig();
+  if (!cfg.applications || typeof cfg.applications !== 'object') {
+    cfg.applications = {};
+  }
+  const prev = cfg.applications[appKey];
+  const nextEntry =
+    prev && typeof prev === 'object' && !Array.isArray(prev) ? { ...prev, reload: Boolean(reload) } : { reload: Boolean(reload) };
+  cfg.applications[appKey] = nextEntry;
+  await config.saveConfig(cfg);
+}
+
+/**
+ * True when `applications.<appKey>.reload` is explicitly **true** (bind-mount + hot reload for `aifabrix run`).
+ * Does **not** control other compose overrides (e.g. Python image `command` when the image lacks `uvicorn` on PATH).
+ *
+ * @param {Object|null|undefined} userConfig - Parsed config.yaml root
+ * @param {string} appKey - Application key (folder / app.key)
+ * @returns {boolean} True when `applications.<appKey>.reload` is explicitly true
+ */
+function isApplicationsReloadDefaultOn(userConfig, appKey) {
+  if (!userConfig || !appKey || typeof appKey !== 'string') {
+    return false;
+  }
+  const apps = userConfig.applications;
+  if (!apps || typeof apps !== 'object') {
+    return false;
+  }
+  const entry = apps[appKey];
+  if (!entry || typeof entry !== 'object') {
+    return false;
+  }
+  return entry.reload === true;
+}
+
+/**
+ * True when `remote-server` is a non-empty string (after trim).
+ *
+ * @param {string|null|undefined} remoteServer
+ * @returns {boolean}
+ */
+function isRemoteServerConfigured(remoteServer) {
+  return Boolean(remoteServer && String(remoteServer).trim());
+}
+
+/**
+ * Whether `build.envOutputPath` should be regenerated with the **local** profile (`generateEnvContent(..., 'local')`).
+ * **False** only when **both** `remote-server` is set and `applications.<appKey>.reload` is true — then the host file
+ * uses the same **docker**-flavor expansion as `builder/<app>/.env` (copy path). All other cases use **local**.
+ *
+ * @param {Object|null|undefined} userConfig - Parsed config.yaml root
+ * @param {string} appKey - Application key
+ * @param {string|null|undefined} remoteServer - `remote-server` value (or null)
+ * @returns {boolean}
+ */
+function isPreferLocalEnvOutputPath(userConfig, appKey, remoteServer) {
+  if (!isRemoteServerConfigured(remoteServer)) {
+    return true;
+  }
+  return !isApplicationsReloadDefaultOn(userConfig, appKey);
+}
+
+/**
+ * For `aifabrix resolve`: reads `remote-server` and returns {@link isPreferLocalEnvOutputPath}.
+ *
+ * @async
+ * @param {Object|null|undefined} userConfig
+ * @param {string} appKey
+ * @returns {Promise<boolean>}
+ */
+async function resolvePreferLocalEnvOutputPathFlag(userConfig, appKey) {
+  let remoteServer = null;
+  try {
+    const rs = await config.getRemoteServer();
+    if (rs && String(rs).trim()) {
+      remoteServer = String(rs).trim();
+    }
+  } catch {
+    remoteServer = null;
+  }
+  return isPreferLocalEnvOutputPath(userConfig, appKey, remoteServer);
+}
+
+/**
+ * Normalize YAML boolean-ish values.
+ * @param {unknown} v
+ * @returns {boolean|undefined} undefined if absent / not coercible
+ */
+function coerceTriStateBool(v) {
+  if (v === true || v === 'true' || v === 'yes' || v === 'on' || v === 1 || v === '1') {
+    return true;
+  }
+  if (v === false || v === 'false' || v === 'no' || v === 'off' || v === 0 || v === '0') {
+    return false;
+  }
+  return undefined;
+}
+
+/**
+ * Whether `aifabrix run` / resolve should use Traefik-style public URL hints for this app when infra allows.
+ * Default **false** when unset. Legacy `noProxy: true` ⇒ false; legacy `noProxy: false` with no `proxy` ⇒ true.
+ *
+ * @param {Object|null|undefined} userConfig - Parsed config.yaml root
+ * @param {string} appKey - Application key
+ * @returns {boolean}
+ */
+function getApplicationsRunProxyHint(userConfig, appKey) {
+  if (!userConfig || !appKey || typeof appKey !== 'string') {
+    return false;
+  }
+  const apps = userConfig.applications;
+  if (!apps || typeof apps !== 'object') {
+    return false;
+  }
+  const entry = apps[appKey];
+  if (!entry || typeof entry !== 'object') {
+    return false;
+  }
+  const proxyCoerced = coerceTriStateBool(entry.proxy);
+  if (proxyCoerced !== undefined) {
+    return proxyCoerced;
+  }
+  const legacyNo = coerceTriStateBool(entry.noProxy);
+  if (legacyNo === true) {
+    return false;
+  }
+  if (legacyNo === false) {
+    return true;
+  }
+  return false;
+}
+
+/**
+ * Persist `applications.<appKey>.proxy` from each `aifabrix run` (same pattern as `reload` for dev-only reload flag).
+ * `proxy: true` means use Traefik/front-door URL hints when infra + that app's `application.yaml` allow; `false` means docker `url://` **public** bases for **that app** use localhost + published port. During `resolve`/`run`, each `url://` token uses the **target** app's `applications.<targetKey>.proxy`, not only the app whose `env.template` is being expanded.
+ * Removes legacy `noProxy` on the same entry when present.
+ *
+ * @async
+ * @param {string} appKey - Application key
+ * @param {boolean} proxyEnabled - Same as a normal `aifabrix run` with proxy hints on (`!isRunCliNoProxy(options)`)
+ * @returns {Promise<void>}
+ */
+async function persistApplicationRunProxyFlag(appKey, proxyEnabled) {
+  if (!appKey || typeof appKey !== 'string') {
+    return;
+  }
+  const cfg = await config.getConfig();
+  if (!cfg.applications || typeof cfg.applications !== 'object') {
+    cfg.applications = {};
+  }
+  const prev = cfg.applications[appKey];
+  const nextEntry =
+    prev && typeof prev === 'object' && !Array.isArray(prev)
+      ? { ...prev, proxy: Boolean(proxyEnabled) }
+      : { proxy: Boolean(proxyEnabled) };
+  if (Object.prototype.hasOwnProperty.call(nextEntry, 'noProxy')) {
+    delete nextEntry.noProxy;
+  }
+  cfg.applications[appKey] = nextEntry;
+  await config.saveConfig(cfg);
+}
+
+/**
+ * Whether declarative `url://*` expansion should treat Traefik as on (infra Traefik + per-app `proxy: true`).
+ *
+ * @param {Object|null|undefined} userConfig
+ * @param {string} appKey
+ * @returns {boolean}
+ */
+function isDeclarativeTraefikUrlsEnabled(userConfig, appKey) {
+  return Boolean(userConfig && userConfig.traefik === true) && getApplicationsRunProxyHint(userConfig, appKey);
+}
+
+module.exports = {
+  getApplicationsRunProxyHint,
+  isApplicationsReloadDefaultOn,
+  isDeclarativeTraefikUrlsEnabled,
+  isPreferLocalEnvOutputPath,
+  isRemoteServerConfigured,
+  persistApplicationRunProxyFlag,
+  persistApplicationReloadFlag,
+  resolvePreferLocalEnvOutputPathFlag
+};

package/lib/utils/auth-config-validator.js

@@ -8,7 +8,7 @@
  * @version 2.0.0
  */
 
-const { getControllerUrlFromLoggedInUser } = require('./controller-url');
+const { hasStoredDeviceTokenForController } = require('./controller-url');
 
 /**
  * Validate controller URL format
@@ -72,17 +72,7 @@ async function checkUserLoggedIn(controllerUrl) {
   if (!controllerUrl) {
     return false;
   }
-
-  const normalizedUrl = controllerUrl.trim().replace(/\/+$/, '');
-  const loggedInControllerUrl = await getControllerUrlFromLoggedInUser();
-
-  if (!loggedInControllerUrl) {
-    return false;
-  }
-
-  // Normalize both URLs for comparison
-  const normalizedLoggedIn = loggedInControllerUrl.trim().replace(/\/+$/, '');
-  return normalizedLoggedIn === normalizedUrl;
+  return hasStoredDeviceTokenForController(controllerUrl);
 }
 
 module.exports = {

package/lib/utils/bash-secret-env.js

@@ -41,7 +41,7 @@ function collectBashPrefixedEnv(secrets) {
 }
 
 /**
- * Overlay for `child_process` `env`: values from user + shared + ancestor `secrets.local.yaml`
+ * Overlay for `child_process` `env`: values from primary user `secrets.local.yaml` plus `aifabrix-secrets`
  * for every `BASH_*` key (merged via {@link secretsLoad.loadSecrets}).
  *
  * @param {string|null} [secretsPath] - Optional explicit secrets file (same as resolve)