@aws/ml-container-creator 0.2.5 → 0.3.0

package/src/lib/prompt-runner.js

@@ -17,8 +17,6 @@ import {
     modelServerPrompts,
     modelLoadStrategyPrompts,
     modelProfilePrompts,
-    hfTokenPrompts,
-    ngcApiKeyPrompts,
     modulePrompts,
     infraRegionAndTargetPrompts,
     infraInstancePrompts,
@@ -35,9 +33,13 @@ import {
 
 import fs from 'fs';
 import path from 'path';
+import { execSync } from 'node:child_process';
 import { fileURLToPath } from 'node:url';
 import RegistryLoader from './registry-loader.js';
 import { runPrompts } from '../prompt-adapter.js';
+import { SECRET_CLASSIFICATIONS } from './secret-classification.js';
+import { isSecretsManagerArn } from './arn-detection.js';
+import BootstrapConfig from './bootstrap-config.js';
 
 const __pr_filename = fileURLToPath(import.meta.url);
 const __pr_dirname = path.dirname(__pr_filename);
@@ -54,6 +56,14 @@ export default class PromptRunner {
 
     /**
      * Runs all prompting phases and returns combined answers
+     * 
+     * Phase ordering (MCP Catalog Consolidation):
+     *   Phase 1 (What): deployment config + model name/ID + quantization
+     *   Phase 2 (How): deployment target + serving profile + base image
+     *   Phase 3 (Where): region + instance-sizer query + instance type + CUDA/AMI auto-resolution + HyperPod + build target
+     *   Phase 4 (Details): framework version, model profile, modules
+     *   Phase 5 (Project): project name + destination
+     *
      * @returns {Promise<Object>} Combined answers from all phases
      */
     async run() {
@@ -70,39 +80,187 @@ export default class PromptRunner {
         // Get only explicit configuration (not defaults) for prompt skipping
         const explicitConfig = this.configManager ? this.configManager.getExplicitConfiguration() : {};
 
-        // Phase 1: Infrastructure & Deployment
-        // Requirements: 3.1 — infrastructure prompts run first
-        // Ordering: Region → Deployment Target → Instance (if managed) → HyperPod (if eks) → Build Target
+        // ══════════════════════════════════════════════════════════════════════
+        // Phase 1 — What (deployment config + model name/ID + quantization)
+        // Requirements: 4.1, 4.2 — model selection drives instance sizing
+        // ══════════════════════════════════════════════════════════════════════
+        console.log('\n🔧 Core ML Configuration');
+        const deploymentConfigAnswers = await this._runPhase(deploymentConfigPrompts, {}, explicitConfig, existingConfig);
+        
+        // Derive architecture, backend, and legacy framework/modelServer from deploymentConfig
+        let architecture, backend, framework, modelServer;
+        if (deploymentConfigAnswers.deploymentConfig) {
+            const parts = deploymentConfigAnswers.deploymentConfig.split('-');
+            architecture = parts[0];
+            backend = parts.slice(1).join('-');
+            // Legacy compatibility: derive framework and modelServer
+            framework = architecture;
+            modelServer = backend;
+        }
+        
+        // Add derived values to answers
+        const frameworkAnswers = {
+            ...deploymentConfigAnswers,
+            architecture: architecture || deploymentConfigAnswers.architecture,
+            backend: backend || deploymentConfigAnswers.backend,
+            framework: framework || deploymentConfigAnswers.framework,
+            modelServer: modelServer || deploymentConfigAnswers.modelServer
+        };
+        
+        // Engine prompt for http architecture
+        const engineAnswers = await this._runPhase(enginePrompts, { ...frameworkAnswers }, explicitConfig, existingConfig);
+        
+        // Auto-set model format for Triton backends with single format
+        const tritonAutoFormat = this._getTritonAutoModelFormat(architecture, backend);
+        
+        // Query model-picker MCP server for model choices
+        this._queryMcpForModels(frameworkAnswers.architecture);
+        if (this._mcpModelChoices) {
+            console.log('   🔍 Querying model-picker...');
+            console.log(`   ✓ ${this._mcpModelChoices.length} model(s) available from catalog`);
+        }
+        const modelFormatPreviousAnswers = {
+            ...frameworkAnswers,
+            ...engineAnswers,
+            ...(this._mcpModelChoices ? { _mcpModelChoices: this._mcpModelChoices } : {})
+        };
+        const modelFormatAnswers = await this._runPhase(
+            modelFormatPrompts, 
+            modelFormatPreviousAnswers, 
+            explicitConfig, 
+            existingConfig
+        );
+        
+        // Model server prompts are now deprecated (empty array)
+        const modelServerAnswers = await this._runPhase(
+            modelServerPrompts, 
+            {...frameworkAnswers, ...engineAnswers}, 
+            explicitConfig, 
+            existingConfig
+        );
+
+        // Resolve model ID early for instance-sizer query in Phase 3
+        const phase1ModelId = modelFormatAnswers.customModelName || modelFormatAnswers.modelName || explicitConfig.modelName;
+        
+        // Fetch model information from HuggingFace and Model Registry
+        if (phase1ModelId && phase1ModelId !== 'Custom (enter manually)') {
+            await this._fetchAndDisplayModelInfo(phase1ModelId);
+        }
+
+        // ══════════════════════════════════════════════════════════════════════
+        // Phase 2 — How (deployment target + serving profile + base image)
+        // Requirements: 4.3 — instance prompt appears AFTER base image is known
+        // ══════════════════════════════════════════════════════════════════════
         console.log('\n💪 Infrastructure & Deployment');
 
-        // 1a. Query region MCP, then prompt for region + deployment target
-        await this._queryMcpForRegion({}, explicitConfig);
+        // 2a. Deployment target (realtime, async, batch, hyperpod, local)
         const bootstrapRegion = existingConfig.awsRegion || explicitConfig.awsRegion;
         const regionPreviousAnswers = bootstrapRegion ? { _bootstrapRegion: bootstrapRegion } : {};
-        const regionAndTargetAnswers = await this._runPhase(infraRegionAndTargetPrompts, regionPreviousAnswers, explicitConfig, existingConfig);
+        const regionAndTargetAnswers = await this._runPhase(infraRegionAndTargetPrompts, { ...frameworkAnswers, ...regionPreviousAnswers }, explicitConfig, existingConfig);
+
+        // 2b. Query base-image-picker MCP server for base image choices
+        await this._queryMcpForBaseImage(frameworkAnswers, explicitConfig);
+        const baseImagePreviousAnswers = {
+            ...frameworkAnswers,
+            ...engineAnswers,
+            ...(this._mcpBaseImageChoices ? { _mcpBaseImageChoices: this._mcpBaseImageChoices } : {})
+        };
+        const baseImageAnswers = await this._runPhase(
+            baseImagePrompts,
+            baseImagePreviousAnswers,
+            explicitConfig,
+            existingConfig
+        );
+
+        // Requirements: 4.2-4.5 — Check model architecture compatibility after base image selection
+        this._checkModelArchitectureCompatibility(baseImageAnswers, frameworkAnswers);
 
-        // 1b. Instance type — query MCP and prompt for realtime-inference, async-inference, batch-transform, and hyperpod-eks
+        // Extract CUDA version from selected base image for instance-sizer context
+        const selectedBaseImageCuda = this._extractCudaFromBaseImage(baseImageAnswers);
+
+        // ══════════════════════════════════════════════════════════════════════
+        // Phase 3 — Where (region + instance [derived] + CUDA/AMI + HyperPod + build target)
+        // Requirements: 4.4, 4.5, 4.7, 3.6, 3.7 — sizer query with full context
+        // ══════════════════════════════════════════════════════════════════════
+
+        // 3a. Region query
+        await this._queryMcpForRegion(frameworkAnswers, explicitConfig);
+
+        // 3b. Instance type — query instance-sizer with full context (model + profile + CUDA)
         let instanceAnswers = {};
-        if (regionAndTargetAnswers.deploymentTarget === 'realtime-inference' ||
+        const needsInstance = regionAndTargetAnswers.deploymentTarget === 'realtime-inference' ||
             regionAndTargetAnswers.deploymentTarget === 'async-inference' ||
             regionAndTargetAnswers.deploymentTarget === 'batch-transform' ||
-            regionAndTargetAnswers.deploymentTarget === 'hyperpod-eks') {
-            await this._queryMcpForInstance({}, explicitConfig);
-            const mcpInstanceChoices = this.configManager?.mcpChoices?.instanceType;
+            regionAndTargetAnswers.deploymentTarget === 'hyperpod-eks';
+
+        if (needsInstance) {
+            // Determine architecture type for heuristic fallback
+            const modelArchitecture = frameworkAnswers.architecture || frameworkAnswers.deploymentConfig?.split('-')[0];
+
+            // Skip sizer query if --instance-type was provided via CLI
+            if (!explicitConfig.instanceType) {
+                // Skip sizer for predictor models (CPU-only)
+                if (modelArchitecture === 'predictor' || modelArchitecture === 'http') {
+                    // Architecture heuristic: predictor → ml.m5.large
+                    console.log('   ℹ️  Predictor model: defaulting to CPU instance (ml.m5.large)');
+                    this._architectureHeuristicDefault = 'ml.m5.large';
+                } else if (phase1ModelId && phase1ModelId !== 'Custom (enter manually)') {
+                    // Query instance-sizer with full context
+                    await this._queryMcpForInstanceSizing(frameworkAnswers, modelFormatAnswers, explicitConfig, {
+                        cudaVersion: selectedBaseImageCuda,
+                        profileEnvVars: this._selectedProfileEnvVars || {}
+                    });
+                } else {
+                    // No model known — use architecture heuristic
+                    await this._queryMcpForInstance(frameworkAnswers, explicitConfig);
+                }
+            }
+
+            // Build instance prompt choices from sizer results
+            const mcpInstanceChoices = this._mcpInstanceSizerChoices || this.configManager?.mcpChoices?.instanceType;
             const instancePreviousAnswers = {
                 ...regionAndTargetAnswers,
-                ...(mcpInstanceChoices && mcpInstanceChoices.length > 0 ? { _mcpInstanceChoices: mcpInstanceChoices } : {})
+                ...(mcpInstanceChoices && mcpInstanceChoices.length > 0 ? { _mcpInstanceChoices: mcpInstanceChoices } : {}),
+                ...(this._architectureHeuristicDefault ? { _architectureHeuristicDefault: this._architectureHeuristicDefault } : {})
             };
             instanceAnswers = await this._runPhase(infraInstancePrompts, instancePreviousAnswers, explicitConfig, existingConfig);
+
+            // Apply architecture heuristic fallback when sizer returns empty
+            if (!instanceAnswers.instanceType && !explicitConfig.instanceType && this._architectureHeuristicDefault) {
+                instanceAnswers.instanceType = this._architectureHeuristicDefault;
+            }
+        }
+
+        // In auto-prompt mode, use instance-sizer's top recommendation as the instance type
+        if (this.configManager?.isAutoPrompt() && this._mcpInstanceSizerChoices && this._mcpInstanceSizerChoices.length > 0) {
+            const sizerRecommendation = this._mcpInstanceSizerChoices[0];
+            if (!explicitConfig.instanceType) {
+                instanceAnswers.instanceType = sizerRecommendation;
+                console.log(`   ✓ Auto-prompt: using instance-sizer recommendation: ${sizerRecommendation}`);
+            }
         }
 
-        // 1b-async. Async-specific prompts (only when deploymentTarget === 'async-inference')
+        // Auto-set tensor parallelism when sizer recommends TP > 1
+        // Requirements: 4.8
+        if (this._instanceSizerMetadata) {
+            const sizerRecs = this._instanceSizerMetadata.recommendations || [];
+            const finalInstanceType = instanceAnswers.customInstanceType || instanceAnswers.instanceType;
+            const matchingRec = sizerRecs.find(r => r.instanceType === finalInstanceType);
+            const tpRec = matchingRec || sizerRecs[0];
+            if (tpRec && tpRec.tensorParallelism > 1) {
+                this._autoTensorParallelism = tpRec.tensorParallelism;
+                this._autoGpuCount = tpRec.gpuCount;
+                console.log(`   ✓ Auto-set tensor parallelism: TP=${tpRec.tensorParallelism} (${tpRec.gpuCount} GPUs)`);
+            }
+        }
+
+        // 3c. Async-specific prompts (only when deploymentTarget === 'async-inference')
         let asyncAnswers = {};
         if (regionAndTargetAnswers.deploymentTarget === 'async-inference') {
             asyncAnswers = await this._runPhase(infraAsyncPrompts, { ...regionAndTargetAnswers }, explicitConfig, existingConfig);
         }
 
-        // 1b-batch. Batch transform-specific prompts (only when deploymentTarget === 'batch-transform')
+        // 3d. Batch transform-specific prompts (only when deploymentTarget === 'batch-transform')
         let batchTransformAnswers = {};
         if (regionAndTargetAnswers.deploymentTarget === 'batch-transform') {
             batchTransformAnswers = await this._runPhase(
@@ -113,16 +271,24 @@ export default class PromptRunner {
             );
         }
 
-        // 1c. HyperPod prompts — only query MCP and prompt when deployment target is hyperpod-eks
+        // 3e. CUDA/AMI auto-resolution
+        const instanceType = instanceAnswers.customInstanceType || instanceAnswers.instanceType;
+        const cudaAnswer = await this._promptCudaVersion(
+            instanceType,
+            frameworkAnswers.framework,
+            null, // frameworkVersion not yet known in Phase 3
+            selectedBaseImageCuda // base image CUDA version for intersection
+        );
+
+        // 3f. HyperPod prompts — only query MCP and prompt when deployment target is hyperpod-eks
         let hyperPodAnswers = {};
         if (regionAndTargetAnswers.deploymentTarget === 'hyperpod-eks') {
-            // Resolve the actual region (handle 'custom' selection)
             const resolvedRegion = regionAndTargetAnswers.customAwsRegion || regionAndTargetAnswers.awsRegion;
             await this._queryMcpForHyperPod({ ...regionAndTargetAnswers, awsRegion: resolvedRegion }, explicitConfig);
             hyperPodAnswers = await this._runPhase(infraHyperPodPrompts, { ...regionAndTargetAnswers }, explicitConfig, existingConfig);
         }
 
-        // 1d. Build target + role ARN (always)
+        // 3g. Build target + role ARN (always)
         const buildAnswers = await this._runPhase(infraBuildPrompts, { ...regionAndTargetAnswers, ...instanceAnswers, ...hyperPodAnswers }, explicitConfig, existingConfig);
 
         // Combine all infrastructure answers
@@ -135,54 +301,16 @@ export default class PromptRunner {
             ...buildAnswers
         };
 
-        // Phase 2: Core ML Configuration
-        // Requirements: 3.1, 3.2 — ML configuration prompts run after infrastructure
-        console.log('\n🔧 Core ML Configuration');
-        const deploymentConfigAnswers = await this._runPhase(deploymentConfigPrompts, { ...infraAnswers }, explicitConfig, existingConfig);
-        
-        // Derive architecture, backend, and legacy framework/modelServer from deploymentConfig
-        // Requirements: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7
-        let architecture, backend, framework, modelServer;
-        if (deploymentConfigAnswers.deploymentConfig) {
-            const parts = deploymentConfigAnswers.deploymentConfig.split('-');
-            architecture = parts[0];
-            backend = parts.slice(1).join('-');
-            // Legacy compatibility: derive framework and modelServer
-            framework = architecture;
-            modelServer = backend;
+        // Apply CUDA resolution to infra answers
+        if (cudaAnswer) {
+            infraAnswers._selectedCudaVersion = cudaAnswer.cudaVersion;
+            infraAnswers._resolvedInferenceAmiVersion = cudaAnswer.inferenceAmiVersion;
         }
-        
-        // Add derived values to answers
-        const frameworkAnswers = {
-            ...deploymentConfigAnswers,
-            architecture: architecture || deploymentConfigAnswers.architecture,
-            backend: backend || deploymentConfigAnswers.backend,
-            framework: framework || deploymentConfigAnswers.framework,
-            modelServer: modelServer || deploymentConfigAnswers.modelServer
-        };
-        
-        // Engine prompt for http architecture
-        // Requirements: 3.7
-        const engineAnswers = await this._runPhase(enginePrompts, { ...frameworkAnswers }, explicitConfig, existingConfig);
-        
-        // Auto-set model format for Triton backends with single format
-        // Requirements: 3.3, 3.4, 3.5
-        const tritonAutoFormat = this._getTritonAutoModelFormat(architecture, backend);
-        
-        // Query base-image-picker MCP server for base image choices
-        // Requirements: 5.1, 5.2, 5.3
-        await this._queryMcpForBaseImage(frameworkAnswers, explicitConfig);
-        const baseImagePreviousAnswers = {
-            ...frameworkAnswers,
-            ...engineAnswers,
-            ...(this._mcpBaseImageChoices ? { _mcpBaseImageChoices: this._mcpBaseImageChoices } : {})
-        };
-        const baseImageAnswers = await this._runPhase(
-            baseImagePrompts,
-            baseImagePreviousAnswers,
-            explicitConfig,
-            existingConfig
-        );
+
+        // ══════════════════════════════════════════════════════════════════════
+        // Phase 4 — Details (framework version, model profile, modules)
+        // ══════════════════════════════════════════════════════════════════════
+        console.log('\n📦 Module Selection');
 
         // Populate framework version choices from registry
         const frameworkVersionChoices = this._getFrameworkVersionChoices(frameworkAnswers.framework);
@@ -209,44 +337,10 @@ export default class PromptRunner {
             explicitConfig,
             existingConfig
         );
-        
-        // Query model-picker MCP server for model choices
-        this._queryMcpForModels(frameworkAnswers.architecture);
-        if (this._mcpModelChoices) {
-            console.log('   🔍 Querying model-picker...');
-            console.log(`   ✓ ${this._mcpModelChoices.length} model(s) available from catalog`);
-        }
-        const modelFormatPreviousAnswers = {
-            ...frameworkAnswers,
-            ...engineAnswers,
-            ...frameworkVersionAnswers,
-            ...frameworkProfileAnswers,
-            ...(this._mcpModelChoices ? { _mcpModelChoices: this._mcpModelChoices } : {})
-        };
-        const modelFormatAnswers = await this._runPhase(
-            modelFormatPrompts, 
-            modelFormatPreviousAnswers, 
-            explicitConfig, 
-            existingConfig
-        );
-        
-        // Model server prompts are now deprecated (empty array)
-        const modelServerAnswers = await this._runPhase(
-            modelServerPrompts, 
-            {...frameworkAnswers, ...engineAnswers, ...frameworkVersionAnswers, ...frameworkProfileAnswers}, 
-            explicitConfig, 
-            existingConfig
-        );
-        
+
         // Populate model profile choices from registry (if model ID is available)
+        const modelId = phase1ModelId;
         const currentAnswers = {...frameworkAnswers, ...engineAnswers, ...frameworkVersionAnswers, ...frameworkProfileAnswers, ...modelFormatAnswers, ...modelServerAnswers};
-        const modelId = currentAnswers.customModelName || currentAnswers.modelName || explicitConfig.modelName;
-        
-        // Fetch model information from HuggingFace and Model Registry
-        // Requirements: 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.11, 11.1, 11.2, 11.3, 11.5, 11.6, 11.7
-        if (modelId && modelId !== 'Custom (enter manually)') {
-            await this._fetchAndDisplayModelInfo(modelId);
-        }
         
         const modelProfileChoices = this._getModelProfileChoices(modelId);
         const modelProfileAnswers = await this._runPhase(
@@ -257,7 +351,6 @@ export default class PromptRunner {
         );
 
         // Model loading strategy prompt (build-time vs runtime)
-        // Requirements: 13.1, 13.2, 13.3, 13.4, 13.5
         const modelLoadStrategyAnswers = await this._runPhase(
             modelLoadStrategyPrompts,
             { ...frameworkAnswers, ...engineAnswers, ...modelFormatAnswers, ...modelServerAnswers, ...modelProfileAnswers },
@@ -265,40 +358,13 @@ export default class PromptRunner {
             existingConfig
         );
 
-        const hfTokenAnswers = await this._runPhase(hfTokenPrompts, 
-            { ...frameworkAnswers, ...engineAnswers, ...frameworkVersionAnswers, ...frameworkProfileAnswers, ...modelFormatAnswers, ...modelServerAnswers, ...modelProfileAnswers }, 
-            explicitConfig, existingConfig);
-
-        const ngcApiKeyAnswers = await this._runPhase(ngcApiKeyPrompts,
-            { ...frameworkAnswers, ...engineAnswers, ...frameworkVersionAnswers, ...frameworkProfileAnswers, ...modelFormatAnswers, ...modelServerAnswers, ...modelProfileAnswers },
-            explicitConfig, existingConfig);
-
-        // Validate instance type against framework requirements (now that framework is known)
-        // Requirements: 4.1, 4.2, 4.3, 4.4, 4.5, 4.6
-        const instanceType = infraAnswers.customInstanceType || infraAnswers.instanceType;
-        if (instanceType && frameworkVersionAnswers.frameworkVersion) {
-            await this._validateAndDisplayInstanceType(
-                instanceType,
-                frameworkAnswers.framework,
-                frameworkVersionAnswers.frameworkVersion
-            );
-        }
+        // Secret prompts — registry-driven secret selection (replaces hardcoded hfToken/ngcApiKey prompts)
+        const secretPreviousAnswers = { ...frameworkAnswers, ...engineAnswers, ...frameworkVersionAnswers, ...frameworkProfileAnswers, ...modelFormatAnswers, ...modelServerAnswers, ...modelProfileAnswers };
+        const secretAnswers = await this._runSecretPrompts(secretPreviousAnswers, explicitConfig, existingConfig);
+        const hfTokenAnswers = { hfToken: secretAnswers.hfToken, hfTokenArn: secretAnswers.hfTokenArn };
+        const ngcApiKeyAnswers = { ngcApiKey: secretAnswers.ngcApiKey, ngcTokenArn: secretAnswers.ngcTokenArn };
 
-        // CUDA version selection: if the selected instance supports multiple CUDA versions,
-        // let the user pick which one. This transparently sets the inference AMI version.
-        const cudaAnswer = await this._promptCudaVersion(
-            instanceType,
-            frameworkAnswers.framework,
-            frameworkVersionAnswers.frameworkVersion
-        );
-        if (cudaAnswer) {
-            infraAnswers._selectedCudaVersion = cudaAnswer.cudaVersion;
-            infraAnswers._resolvedInferenceAmiVersion = cudaAnswer.inferenceAmiVersion;
-        }
-
-        // Phase 3: Module Selection
-        // Requirements: 3.3 — module selection after ML configuration
-        console.log('\n📦 Module Selection');
+        // Module selection
         const moduleAnswers = await this._runPhase(modulePrompts, { ...frameworkAnswers, ...engineAnswers }, explicitConfig, existingConfig);
         
         // Ensure transformers, diffusors, and ineligible Triton backends don't get sample model
@@ -309,8 +375,19 @@ export default class PromptRunner {
             moduleAnswers.includeSampleModel = false;
         }
 
-        // Phase 4: Project Configuration
-        // Requirements: 3.4 — project configuration last
+        // Validate instance type against framework requirements (now that framework version is known)
+        const finalInstanceType = infraAnswers.customInstanceType || infraAnswers.instanceType;
+        if (finalInstanceType && frameworkVersionAnswers.frameworkVersion) {
+            await this._validateAndDisplayInstanceType(
+                finalInstanceType,
+                frameworkAnswers.framework,
+                frameworkVersionAnswers.frameworkVersion
+            );
+        }
+
+        // ══════════════════════════════════════════════════════════════════════
+        // Phase 5 — Project (project name + destination)
+        // ══════════════════════════════════════════════════════════════════════
         console.log('\n📋 Project Configuration');
         const allTechnicalAnswers = {
             ...frameworkAnswers,
@@ -439,6 +516,21 @@ export default class PromptRunner {
             delete combinedAnswers.customInstanceType;
         }
 
+        // Propagate tensor parallelism from instance-sizer to templates
+        // Requirements: 4.8 — auto-set TP when sizer recommends > 1
+        if (this._autoTensorParallelism) {
+            combinedAnswers.tensorParallelSize = this._autoTensorParallelism;
+            combinedAnswers.gpuCount = this._autoGpuCount;
+        } else if (this._instanceSizerMetadata) {
+            const sizerInstanceType = combinedAnswers.instanceType;
+            const sizerRecs = this._instanceSizerMetadata.recommendations || [];
+            const matchingRec = sizerRecs.find(r => r.instanceType === sizerInstanceType);
+            if (matchingRec && matchingRec.tensorParallelism > 1) {
+                combinedAnswers.tensorParallelSize = matchingRec.tensorParallelism;
+                combinedAnswers.gpuCount = matchingRec.gpuCount;
+            }
+        }
+
         // Handle custom HyperPod cluster name
         if (combinedAnswers.customHyperPodCluster) {
             combinedAnswers.hyperPodCluster = combinedAnswers.customHyperPodCluster;
@@ -623,6 +715,118 @@ export default class PromptRunner {
         return null;
     }
 
+    /**
+     * Extract CUDA version from the selected base image.
+     * Looks at the MCP base image metadata for accelerator.version or labels.cuda_version.
+     * @param {object} baseImageAnswers - Answers from the base image prompt
+     * @returns {string|null} CUDA version string (e.g., "12.1") or null
+     * @private
+     */
+    _extractCudaFromBaseImage(baseImageAnswers) {
+        if (!this._mcpBaseImageChoices) return null;
+
+        const selectedImage = baseImageAnswers.baseImage || baseImageAnswers.customBaseImage;
+        if (!selectedImage) return null;
+
+        // Find the matching entry in the MCP choices
+        const matchingChoice = this._mcpBaseImageChoices.find(c => c.value === selectedImage);
+        if (!matchingChoice) return null;
+
+        // Try to extract CUDA version from the choice metadata
+        // The formatImageChoices function stores labels in the choice object
+        if (matchingChoice._meta?.labels?.cuda_version) {
+            return matchingChoice._meta.labels.cuda_version;
+        }
+        if (matchingChoice._meta?.accelerator?.version) {
+            return matchingChoice._meta.accelerator.version;
+        }
+
+        return null;
+    }
+
+    /**
+     * Check model architecture compatibility against the selected base image.
+     * Emits an advisory warning if the model's model_type is not in the server's
+     * supportedModelTypes. Skips silently if supportedModelTypes is empty (sync not run).
+     * Requirements: 4.2, 4.3, 4.4, 4.5
+     * @param {Object} baseImageAnswers - Answers from base image selection phase
+     * @param {Object} frameworkAnswers - Answers from framework/deployment config phase
+     * @private
+     */
+    _checkModelArchitectureCompatibility(baseImageAnswers, frameworkAnswers) {
+        // Requirement 4.5: skip if no model_type was resolved
+        if (!this._modelType) return;
+
+        // Determine the selected image
+        const selectedImage = baseImageAnswers.baseImage || baseImageAnswers.customBaseImage;
+        if (!selectedImage || selectedImage === 'custom') return;
+
+        // Resolve the matching choice from MCP base image choices
+        if (!this._mcpBaseImageChoices) return;
+        const matchingChoice = this._mcpBaseImageChoices.find(c => c.value === selectedImage);
+        if (!matchingChoice) return;
+
+        // Determine the server name from framework answers
+        const server = frameworkAnswers.modelServer || frameworkAnswers.backend;
+        if (!server) return;
+
+        // Load the model-servers catalog to find the entry with supportedModelTypes
+        try {
+            const catalogPath = path.resolve(GENERATOR_ROOT, 'servers', 'lib', 'catalogs', 'model-servers.json');
+            const catalog = JSON.parse(fs.readFileSync(catalogPath, 'utf8'));
+
+            const serverEntries = catalog[server];
+            if (!Array.isArray(serverEntries)) return;
+
+            // Find the catalog entry matching the selected image
+            const entry = serverEntries.find(e => e.image === selectedImage);
+            if (!entry) return;
+
+            const supported = entry.supportedModelTypes;
+            // Requirement 4.5: skip silently when supportedModelTypes is empty (sync not run)
+            if (!supported || supported.length === 0) return;
+
+            // Requirement 4.2-4.3: cross-reference model_type (case-insensitive)
+            const modelTypeLower = this._modelType.toLowerCase();
+            if (!supported.includes(modelTypeLower)) {
+                const version = entry.labels?.framework_version || entry.tag || 'unknown';
+                const docsUrls = {
+                    vllm: 'https://docs.vllm.ai/en/latest/models/supported_models.html',
+                    sglang: 'https://sgl-project.github.io/references/supported_models.html',
+                    'tensorrt-llm': 'https://nvidia.github.io/TensorRT-LLM/reference/support-matrix.html'
+                };
+                const docsUrl = docsUrls[server] || `https://github.com/search?q=${server}+supported+models`;
+
+                // Requirement 4.3-4.4: emit advisory warning (does not block generation)
+                console.log(`\n   ⚠️  Model architecture "${this._modelType}" may not be supported by ${server} ${version}`);
+                console.log('      Consider upgrading to a newer base image, or verify compatibility at:');
+                console.log(`      ${docsUrl}`);
+            }
+        } catch (err) {
+            // Graceful degradation: if catalog can't be read, skip silently
+        }
+    }
+
+    /**
+     * Get architecture-based heuristic default instance type.
+     * Used when the instance-sizer cannot produce a recommendation.
+     * Requirements: 3.9, 4.6
+     * @param {string} architecture - Model architecture type
+     * @returns {string} Default instance type
+     * @private
+     */
+    _getArchitectureHeuristicDefault(architecture) {
+        const HEURISTIC_DEFAULTS = {
+            'transformers': 'ml.g5.xlarge',
+            'transformer': 'ml.g5.xlarge',
+            'diffusors': 'ml.g5.2xlarge',
+            'diffusor': 'ml.g5.2xlarge',
+            'predictor': 'ml.m5.large',
+            'http': 'ml.m5.large'
+        };
+        return Object.hasOwn(HEURISTIC_DEFAULTS, architecture) ? HEURISTIC_DEFAULTS[architecture] : 'ml.g5.xlarge';
+    }
+
     /**
      * Query MCP region-picker server before infrastructure prompts.
      * Populates configManager.mcpChoices so _runPhase injects them into list prompts.
@@ -671,8 +875,8 @@ export default class PromptRunner {
     }
 
     /**
-     * Query MCP instance-recommender server after deployment target is known.
-     * Only runs when deploymentTarget is realtime-inference.
+     * Query MCP instance-sizer server with tag-based search after deployment target is known.
+     * Used when no model name is available for VRAM-based sizing.
      * Populates configManager.mcpChoices so _runPhase injects them into list prompts.
      * @private
      */
@@ -686,7 +890,7 @@ export default class PromptRunner {
         const smart = this.options.smart === true;
 
         // Instance type: query if not already provided via CLI/config
-        if (!explicitConfig.instanceType && mcpServers.includes('instance-recommender')) {
+        if (!explicitConfig.instanceType && mcpServers.includes('instance-sizer')) {
             const { instanceSearch } = await this._runPrompts([{
                 type: 'input',
                 name: 'instanceSearch',
@@ -695,8 +899,8 @@ export default class PromptRunner {
             }]);
 
             if (instanceSearch && instanceSearch.trim()) {
-                console.log(`   🔍 Querying instance-recommender${smart ? ' [smart]' : ''}...`);
-                const result = await cm.queryMcpServer('instance-recommender', {
+                console.log(`   🔍 Querying instance-sizer [search]${smart ? ' [smart]' : ''}...`);
+                const result = await cm.queryMcpServer('instance-sizer', {
                     ...frameworkAnswers,
                     instanceSearch: instanceSearch.trim()
                 });
@@ -713,6 +917,150 @@ export default class PromptRunner {
         }
     }
 
+    /**
+     * Query the instance-sizer MCP server after model is known.
+     * Estimates VRAM requirements and returns filtered, ranked instance recommendations.
+     * Stores results in this._mcpInstanceSizerChoices and this._instanceSizerMetadata.
+     * Requirements: 4.4, 4.5, 4.7, 3.6, 3.7
+     * @param {object} frameworkAnswers - Framework/architecture answers
+     * @param {object} modelFormatAnswers - Model format answers (contains modelName)
+     * @param {object} explicitConfig - Explicit CLI/config values
+     * @param {object} [sizerContext={}] - Additional context for the sizer query
+     * @param {string} [sizerContext.cudaVersion] - CUDA version from base image
+     * @param {object} [sizerContext.profileEnvVars] - Profile ENV overrides
+     * @private
+     */
+    async _queryMcpForInstanceSizing(frameworkAnswers, modelFormatAnswers, explicitConfig, sizerContext = {}) {
+        const cm = this.configManager;
+        if (!cm) return;
+
+        const mcpServers = cm.getMcpServerNames();
+        if (!mcpServers.includes('instance-sizer')) return;
+
+        // Resolve model name from answers or explicit config
+        const modelName = modelFormatAnswers.customModelName || modelFormatAnswers.modelName || explicitConfig.modelName;
+        if (!modelName || modelName === 'Custom (enter manually)') return;
+
+        const smart = this.options.smart === true;
+        const discover = this.options.discover === true;
+
+        const modeLabel = [smart && '[smart]', discover && '[discover]'].filter(Boolean).join(' ');
+        console.log(`   🔍 Querying instance-sizer${modeLabel ? ` ${modeLabel}` : ''}...`);
+
+        try {
+            const mcpConfigPath = path.join(GENERATOR_ROOT, 'config', 'mcp.json');
+            if (!fs.existsSync(mcpConfigPath)) return;
+
+            const mcpConfig = JSON.parse(fs.readFileSync(mcpConfigPath, 'utf8'));
+            const serverConfig = mcpConfig.mcpServers?.['instance-sizer'];
+            if (!serverConfig) return;
+
+            const { Client } = await import('@modelcontextprotocol/sdk/client/index.js');
+            const { StdioClientTransport } = await import('@modelcontextprotocol/sdk/client/stdio.js');
+
+            const serverArgs = [...(serverConfig.args || [])];
+            if (discover && !serverArgs.includes('--discover')) {
+                serverArgs.push('--discover');
+            }
+
+            const transport = new StdioClientTransport({
+                command: serverConfig.command,
+                args: serverArgs,
+                env: {
+                    ...process.env,
+                    ...(serverConfig.env || {}),
+                    ...(smart ? { BEDROCK_SMART: 'true' } : {})
+                },
+                stderr: 'pipe'
+            });
+
+            const mcpClient = new Client(
+                { name: 'ml-container-creator', version: '1.0.0' },
+                { capabilities: {} }
+            );
+
+            await mcpClient.connect(transport);
+
+            const toolArgs = {
+                modelName,
+                limit: 10,
+                context: {
+                    architecture: frameworkAnswers.architecture || undefined,
+                    backend: frameworkAnswers.backend || undefined,
+                    deploymentTarget: frameworkAnswers.deploymentTarget || undefined,
+                    profileEnvVars: sizerContext.profileEnvVars || undefined
+                }
+            };
+
+            // Add CUDA version from base image for filtering
+            if (sizerContext.cudaVersion) {
+                toolArgs.cudaVersion = sizerContext.cudaVersion;
+            }
+
+            // Add quantization if available from model format answers
+            if (modelFormatAnswers.quantization) {
+                toolArgs.quantization = modelFormatAnswers.quantization;
+            }
+
+            const result = await mcpClient.callTool({
+                name: 'get_instance_recommendation',
+                arguments: toolArgs
+            });
+
+            await mcpClient.close();
+
+            // Parse the response
+            const textBlock = result?.content?.find(b => b.type === 'text');
+            if (textBlock) {
+                const parsed = JSON.parse(textBlock.text);
+
+                if (parsed.choices?.instanceType?.length > 0) {
+                    this._instanceSizerMetadata = parsed.metadata || null;
+
+                    // Build display labels with VRAM estimate and utilization percentage
+                    const recommendations = parsed.metadata?.recommendations || [];
+                    const estimatedVramGb = parsed.metadata?.estimatedVramGb;
+                    
+                    // Store choices with display labels for the instance prompt
+                    this._mcpInstanceSizerChoices = parsed.choices.instanceType;
+                    this._mcpInstanceSizerDisplayChoices = recommendations.map(rec => ({
+                        name: rec.displayLabel || `${rec.instanceType} (${estimatedVramGb ? estimatedVramGb.toFixed(1) : '?'}GB / ${rec.totalVramGb || '?'}GB — ${rec.utilizationPercent || '?'}% utilization)`,
+                        value: rec.instanceType,
+                        short: rec.instanceType
+                    }));
+
+                    const choices = parsed.choices.instanceType;
+                    const topRec = recommendations[0];
+                    const vramInfo = estimatedVramGb
+                        ? ` (model needs ~${estimatedVramGb.toFixed(1)}GB VRAM)`
+                        : '';
+
+                    console.log(`   ✓ ${choices.length} compatible instance(s) found${vramInfo}`);
+                    // Display compact recommendation table
+                    for (const rec of recommendations) {
+                        const tp = rec.tensorParallelism > 1 ? ` TP=${rec.tensorParallelism}` : '';
+                        const vram = rec.totalVramGb ? `${rec.totalVramGb}GB` : '?';
+                        const util = rec.utilizationPercent ? `${rec.utilizationPercent}%` : '?';
+                        console.log(`     ${rec === topRec ? '→' : ' '} ${rec.instanceType.padEnd(20)} ${vram.padStart(5)} VRAM  ${util.padStart(4)} util${tp}`);
+                    }
+                } else if (parsed.metadata?.warning) {
+                    console.log(`   ⚠️  ${parsed.metadata.warning}`);
+                } else {
+                    // Apply architecture heuristic fallback when sizer returns empty
+                    const archForHeuristic = frameworkAnswers.architecture || frameworkAnswers.deploymentConfig?.split('-')[0];
+                    this._architectureHeuristicDefault = this._getArchitectureHeuristicDefault(archForHeuristic);
+                    console.log(`   ↳ No instance-sizer results, using heuristic default: ${this._architectureHeuristicDefault}`);
+                }
+            }
+        } catch (err) {
+            // Sizer unavailable — apply architecture heuristic fallback
+            const archForHeuristic = frameworkAnswers.architecture || frameworkAnswers.deploymentConfig?.split('-')[0];
+            this._architectureHeuristicDefault = this._getArchitectureHeuristicDefault(archForHeuristic);
+            console.log(`   ⚠️  instance-sizer: ${err.message}`);
+            console.log(`   ↳ Using heuristic default: ${this._architectureHeuristicDefault}`);
+        }
+    }
+
     /**
      * Query the hyperpod-cluster-picker MCP server for available HyperPod EKS clusters.
      * Populates configManager.mcpChoices.hyperPodCluster so _runPhase injects them into the list prompt.
@@ -1098,6 +1446,12 @@ export default class PromptRunner {
                                         modelFamily = vals.family;
                                     }
 
+                                    // Extract model_type for architecture validation
+                                    // Requirements: 4.1
+                                    if (vals.model_type) {
+                                        this._modelType = vals.model_type;
+                                    }
+
                                     // Extract model source metadata for loading adapter
                                     // Requirements: 2.1, 2.2, 2.3, 2.4
                                     if (vals.provider) {
@@ -1149,6 +1503,11 @@ export default class PromptRunner {
                             if (hfData.chatTemplate) {
                                 chatTemplate = hfData.chatTemplate;
                             }
+                            // Extract model_type for architecture validation
+                            // Requirements: 4.1
+                            if (hfData.modelConfig?.model_type) {
+                                this._modelType = hfData.modelConfig.model_type;
+                            }
                             console.log('   ✅ Found on HuggingFace Hub');
                         } else {
                             console.log('   ℹ️  Not found on HuggingFace Hub (may be private or offline)');
@@ -1276,6 +1635,332 @@ export default class PromptRunner {
         }
     }
 
+    /**
+     * Run secret prompts using the Secret_Classification registry.
+     * For each secret type whose stages apply to the current context:
+     * - Query for managed secrets of that type
+     * - If managed secrets exist: show selection list (secrets + "Enter plaintext token" + "Skip")
+     * - If no managed secrets exist: fall back to existing plaintext prompt
+     * 
+     * Requirements: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8, 8.9
+     * @param {object} previousAnswers - Answers from previous prompt phases
+     * @param {object} explicitConfig - Explicit CLI/config values
+     * @param {object} existingConfig - Existing project configuration
+     * @returns {Promise<object>} Object with token/ARN values keyed by config field names
+     * @private
+     */
+    async _runSecretPrompts(previousAnswers, explicitConfig, existingConfig) {
+        const results = {};
+
+        for (const classification of SECRET_CLASSIFICATIONS) {
+            // Check if this secret type's stages apply to the current context
+            if (!this._secretStagesApply(classification, previousAnswers)) continue;
+
+            // Determine the config keys for this classification
+            const arnConfigKey = this._getArnConfigKey(classification);
+            const plaintextConfigKey = this._getPlaintextConfigKey(classification);
+
+            // Skip if ARN already provided via CLI flag
+            if (explicitConfig[arnConfigKey]) {
+                results[arnConfigKey] = explicitConfig[arnConfigKey];
+                continue;
+            }
+
+            // Skip if plaintext already provided via CLI flag
+            if (explicitConfig[plaintextConfigKey]) {
+                results[plaintextConfigKey] = explicitConfig[plaintextConfigKey];
+                continue;
+            }
+
+            // Query for existing managed secrets of this type
+            const managedSecrets = await this._listManagedSecrets(classification.identifier);
+
+            if (managedSecrets.length > 0) {
+                // Show selection list: managed secrets + plaintext entry + skip
+                const answer = await this._promptSecretSelection(classification, managedSecrets, previousAnswers);
+                Object.assign(results, answer);
+            } else {
+                // Fall back to existing plaintext prompt
+                const answer = await this._promptPlaintextFallback(classification, previousAnswers, explicitConfig, existingConfig);
+                Object.assign(results, answer);
+            }
+        }
+
+        return results;
+    }
+
+    /**
+     * Determine if a secret classification's stages apply to the current generation context.
+     * Build-time secrets apply when the project involves a Docker build step.
+     * Runtime secrets apply when the architecture uses HuggingFace Hub models.
+     * Requirements: 8.9
+     * @param {object} classification - Secret classification entry
+     * @param {object} answers - Current answers from previous phases
+     * @returns {boolean} True if the secret type is applicable
+     * @private
+     */
+    _secretStagesApply(classification, answers) {
+        const architecture = answers.architecture || answers.deploymentConfig?.split('-')[0];
+        const backend = answers.backend || answers.deploymentConfig?.split('-').slice(1).join('-');
+
+        if (classification.identifier === 'hf-token') {
+            // HF token applies to transformers, diffusors, and Triton LLM backends
+            const isTransformers = architecture === 'transformers';
+            const isDiffusors = architecture === 'diffusors';
+            const isTritonLlm = architecture === 'triton' && (backend === 'vllm' || backend === 'tensorrtllm');
+
+            if (!isTransformers && !isDiffusors && !isTritonLlm) return false;
+
+            // Skip for non-HuggingFace model sources
+            const modelSource = answers.modelSource;
+            if (modelSource && modelSource !== 'huggingface') return false;
+
+            return true;
+        }
+
+        if (classification.identifier === 'ngc-token') {
+            // NGC token only applies to transformers-tensorrt-llm (build-time only)
+            if (architecture === 'triton') return false;
+            if (architecture === 'diffusors') return false;
+            return architecture === 'transformers' && backend === 'tensorrt-llm';
+        }
+
+        // For future secret types, check if any stage applies
+        // Build-time applies to all Docker-based deployments
+        // Runtime applies to architectures that download at startup
+        return classification.stages.length > 0;
+    }
+
+    /**
+     * Get the ARN config key for a classification.
+     * Maps classification identifiers to config field names.
+     * @param {object} classification - Secret classification entry
+     * @returns {string} Config key for the ARN value
+     * @private
+     */
+    _getArnConfigKey(classification) {
+        const keyMap = {
+            'hf-token': 'hfTokenArn',
+            'ngc-token': 'ngcTokenArn'
+        };
+        return keyMap[classification.identifier] || `${classification.identifier.replace(/-([a-z])/g, (_, c) => c.toUpperCase())}Arn`;
+    }
+
+    /**
+     * Get the plaintext config key for a classification.
+     * Maps classification identifiers to config field names.
+     * @param {object} classification - Secret classification entry
+     * @returns {string} Config key for the plaintext value
+     * @private
+     */
+    _getPlaintextConfigKey(classification) {
+        const keyMap = {
+            'hf-token': 'hfToken',
+            'ngc-token': 'ngcApiKey'
+        };
+        return keyMap[classification.identifier] || classification.identifier.replace(/-([a-z])/g, (_, c) => c.toUpperCase());
+    }
+
+    /**
+     * List managed secrets of a given type from AWS Secrets Manager.
+     * Uses the active bootstrap profile to query for secrets tagged with
+     * the mlcc:secret-type matching the given identifier.
+     * @param {string} secretType - The secret type identifier (e.g., 'hf-token')
+     * @returns {Promise<Array<{name: string, arn: string}>>} Array of managed secrets
+     * @private
+     */
+    async _listManagedSecrets(secretType) {
+        try {
+            const bootstrapConfig = new BootstrapConfig();
+            const activeProfile = bootstrapConfig.getActiveProfile();
+            if (!activeProfile) return [];
+
+            const profile = activeProfile.config.awsProfile;
+            const region = activeProfile.config.awsRegion;
+            if (!profile || !region) return [];
+
+            const command = `aws secretsmanager list-secrets --filters Key=tag-key,Values=mlcc:managed-by Key=tag-value,Values=ml-container-creator --region ${region} --profile ${profile} --output json`;
+            const output = execSync(command, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'], timeout: 10000 });
+            const trimmed = output.trim();
+            if (!trimmed) return [];
+
+            const result = JSON.parse(trimmed);
+            const secrets = result.SecretList || [];
+
+            // Filter by secret type tag
+            return secrets
+                .filter(secret => {
+                    const typeTag = (secret.Tags || []).find(t => t.Key === 'mlcc:secret-type');
+                    return typeTag && typeTag.Value === secretType;
+                })
+                .map(secret => ({
+                    name: secret.Name,
+                    arn: secret.ARN
+                }));
+        } catch {
+            // If AWS CLI fails (not configured, no credentials, etc.), return empty
+            return [];
+        }
+    }
+
+    /**
+     * Display a selection list for managed secrets of a given type.
+     * Shows available secrets plus options for plaintext entry and skip.
+     * Requirements: 8.1, 8.2, 8.3, 8.4, 8.5, 8.6
+     * @param {object} classification - Secret classification entry
+     * @param {Array<{name: string, arn: string}>} managedSecrets - Available managed secrets
+     * @param {object} previousAnswers - Answers from previous phases
+     * @returns {Promise<object>} Object with the selected value keyed by config field name
+     * @private
+     */
+    async _promptSecretSelection(classification, managedSecrets, previousAnswers) {
+        const arnConfigKey = this._getArnConfigKey(classification);
+
+        console.log(`\n🔐 ${classification.displayName}`);
+        console.log(`   ${classification.purpose}`);
+
+        // Build choices: managed secrets + enter plaintext + skip
+        const choices = [
+            ...managedSecrets.map(secret => ({
+                name: `🔒 ${secret.name} (${secret.arn})`,
+                value: secret.arn,
+                short: secret.name
+            })),
+            { name: '✏️  Enter plaintext token', value: '__plaintext__', short: 'Plaintext' },
+            { name: '⏭️  Skip (use environment variable)', value: '__skip__', short: 'Skip' }
+        ];
+
+        const { secretSelection } = await this._runPrompts([{
+            type: 'list',
+            name: 'secretSelection',
+            message: `Select ${classification.promptLabel}:`,
+            choices
+        }]);
+
+        if (secretSelection === '__skip__') {
+            return {};
+        }
+
+        if (secretSelection === '__plaintext__') {
+            // Use existing plaintext flow
+            return this._promptPlaintextEntry(classification, previousAnswers);
+        }
+
+        // User selected a managed secret ARN
+        return { [arnConfigKey]: secretSelection };
+    }
+
+    /**
+     * Prompt for plaintext token entry with ARN detection.
+     * If the user enters an ARN, store it as an ARN reference.
+     * Requirements: 8.4, 8.5, 8.6
+     * @param {object} classification - Secret classification entry
+     * @param {object} previousAnswers - Answers from previous phases
+     * @returns {Promise<object>} Object with the value keyed by config field name
+     * @private
+     */
+    async _promptPlaintextEntry(classification, _previousAnswers) {
+        const arnConfigKey = this._getArnConfigKey(classification);
+        const plaintextConfigKey = this._getPlaintextConfigKey(classification);
+
+        const { tokenValue } = await this._runPrompts([{
+            type: 'input',
+            name: 'tokenValue',
+            message: `${classification.promptLabel} (enter token, ARN, or leave empty):`,
+            validate: (input) => {
+                // Empty is valid
+                if (!input || input.trim() === '') return true;
+                // Environment variable reference is valid
+                if (input.trim().startsWith('$')) return true;
+                return true;
+            }
+        }]);
+
+        if (!tokenValue || tokenValue.trim() === '') {
+            return {};
+        }
+
+        const value = tokenValue.trim();
+
+        // ARN detection: if the value is a Secrets Manager ARN, store as ARN
+        if (isSecretsManagerArn(value)) {
+            return { [arnConfigKey]: value };
+        }
+
+        // Otherwise store as plaintext
+        return { [plaintextConfigKey]: value };
+    }
+
+    /**
+     * Fall back to existing plaintext prompt when no managed secrets exist.
+     * Uses the same prompts as the original hfTokenPrompts/ngcApiKeyPrompts
+     * but with ARN detection on the input.
+     * Requirements: 8.7
+     * @param {object} classification - Secret classification entry
+     * @param {object} previousAnswers - Answers from previous phases
+     * @param {object} explicitConfig - Explicit CLI/config values
+     * @param {object} existingConfig - Existing project configuration
+     * @returns {Promise<object>} Object with the value keyed by config field name
+     * @private
+     */
+    async _promptPlaintextFallback(classification, _previousAnswers, _explicitConfig, _existingConfig) {
+        const arnConfigKey = this._getArnConfigKey(classification);
+        const plaintextConfigKey = this._getPlaintextConfigKey(classification);
+
+        // If in auto-prompt mode, skip
+        if (this.configManager?.isAutoPrompt()) {
+            return {};
+        }
+
+        // Display context-appropriate security message
+        if (classification.identifier === 'hf-token') {
+            console.log('\n🔐 HuggingFace Authentication');
+            console.log('   Many models (e.g. Llama, Mistral) are gated and require a token.');
+            console.log('   💡 Tip: Use `ml-container-creator secrets create --type hf-token` to store');
+            console.log('   your token in AWS Secrets Manager for zero-knowledge operation.');
+            console.log('   For CI/CD pipelines, use "$HF_TOKEN" to reference an environment variable.\n');
+        } else if (classification.identifier === 'ngc-token') {
+            console.log('\n🔐 NVIDIA NGC Authentication');
+            console.log('   TensorRT-LLM base images are hosted on NVIDIA NGC and require an API key.');
+            console.log('   💡 Tip: Use `ml-container-creator secrets create --type ngc-token` to store');
+            console.log('   your key in AWS Secrets Manager for zero-knowledge operation.');
+            console.log('   For CI/CD pipelines, use "$NGC_API_KEY" to reference an environment variable.\n');
+        } else {
+            console.log(`\n🔐 ${classification.displayName}`);
+            console.log(`   ${classification.purpose}\n`);
+        }
+
+        const { tokenValue } = await this._runPrompts([{
+            type: 'input',
+            name: 'tokenValue',
+            message: `${classification.promptLabel} (enter token, ARN, "$${classification.envVar}" for env var, or leave empty):`,
+            validate: (input) => {
+                if (!input || input.trim() === '') return true;
+                if (input.trim().startsWith('$')) return true;
+                // Warn about HF token format
+                if (classification.identifier === 'hf-token' && !input.startsWith('hf_') && !isSecretsManagerArn(input)) {
+                    console.warn('\n⚠️  Warning: HuggingFace tokens typically start with "hf_"');
+                    console.warn('   If this is intentional, you can ignore this warning.');
+                }
+                return true;
+            }
+        }]);
+
+        if (!tokenValue || tokenValue.trim() === '') {
+            return {};
+        }
+
+        const value = tokenValue.trim();
+
+        // ARN detection: if the value is a Secrets Manager ARN, store as ARN
+        if (isSecretsManagerArn(value)) {
+            return { [arnConfigKey]: value };
+        }
+
+        // Otherwise store as plaintext
+        return { [plaintextConfigKey]: value };
+    }
+
     /**
      * CUDA-to-AMI mapping.
      * Maps CUDA major.minor versions to the SageMaker inference AMI that provides
@@ -1283,13 +1968,13 @@ export default class PromptRunner {
      * @private
      */
     static CUDA_AMI_MAP = {
-        '11.0': 'al2-ami-sagemaker-inference-gpu-2-1',
+        '11.0': 'al2-ami-sagemaker-inference-gpu-2',
         '11.4': 'al2-ami-sagemaker-inference-gpu-2-1',
-        '11.8': 'al2-ami-sagemaker-inference-gpu-3-1',
+        '11.8': 'al2-ami-sagemaker-inference-gpu-2-1',
         '12.1': 'al2-ami-sagemaker-inference-gpu-3-1',
-        '12.2': 'al2-ami-sagemaker-inference-gpu-3-2',
-        '12.4': 'al2-ami-sagemaker-inference-gpu-3-2',
-        '12.6': 'al2-ami-sagemaker-inference-gpu-3-2'
+        '12.2': 'al2023-ami-sagemaker-inference-gpu-4-1',
+        '12.4': 'al2023-ami-sagemaker-inference-gpu-4-1',
+        '12.6': 'al2023-ami-sagemaker-inference-gpu-4-1'
     };
 
     /**
@@ -1297,16 +1982,21 @@ export default class PromptRunner {
      * supports multiple versions. The choice transparently resolves to the
      * correct SageMaker inference AMI.
      *
+     * When a base image CUDA version is provided, auto-resolves by intersecting
+     * with the instance's supported versions. Removes the CUDA prompt from the
+     * interactive flow when auto-resolution succeeds.
+     *
      * Skipped for CPU instances, non-CUDA accelerators, or when only one
      * compatible CUDA version exists.
      *
      * @param {string} instanceType - Selected instance type (e.g. "ml.g5.2xlarge")
      * @param {string} framework - Selected framework name
      * @param {string} frameworkVersion - Selected framework version
+     * @param {string} [baseImageCuda] - CUDA version from selected base image (for auto-resolution)
      * @returns {Promise<{cudaVersion: string, inferenceAmiVersion: string}|null>}
      * @private
      */
-    async _promptCudaVersion(instanceType, framework, frameworkVersion) {
+    async _promptCudaVersion(instanceType, framework, frameworkVersion, baseImageCuda) {
         if (!instanceType) return null;
 
         // Look up instance in accelerator mapping
@@ -1316,6 +2006,33 @@ export default class PromptRunner {
         const instanceCudaVersions = instanceInfo.accelerator.versions;
         if (!instanceCudaVersions || instanceCudaVersions.length === 0) return null;
 
+        // Auto-resolution: when base image specifies a CUDA version, intersect with instance support
+        // Requirements: 3.11, 4.9, 4.10, 4.11
+        if (baseImageCuda) {
+            const majorRequired = baseImageCuda.split('.')[0];
+            const intersection = instanceCudaVersions.filter(v => {
+                if (v === baseImageCuda) return true;
+                if (v.startsWith(`${majorRequired  }.`)) return true;
+                return false;
+            });
+
+            if (intersection.length > 0) {
+                // Auto-select: pick exact match or highest compatible
+                const exactMatch = intersection.find(v => v === baseImageCuda);
+                const selectedVersion = exactMatch || intersection.sort().pop();
+                const inferenceAmiVersion = PromptRunner.CUDA_AMI_MAP[selectedVersion];
+                if (inferenceAmiVersion) {
+                    console.log(`\n🔧 CUDA ${selectedVersion} auto-resolved from base image (requires ${baseImageCuda})`);
+                    console.log(`   AMI: ${inferenceAmiVersion}`);
+                    return { cudaVersion: selectedVersion, inferenceAmiVersion };
+                }
+            } else {
+                // No intersection — warn and fall through to manual prompt
+                console.log(`\n   ⚠️  Base image requires CUDA ${baseImageCuda} but instance ${instanceType} supports: ${instanceCudaVersions.join(', ')}`);
+                console.log('   No compatible CUDA version found. Falling back to manual selection.');
+            }
+        }
+
         // Get framework CUDA requirements (if available)
         const registryConfigManager = this.registryConfigManager;
         const frameworkConfig = registryConfigManager?.frameworkRegistry?.[framework]?.[frameworkVersion];