@geekmidas/cli 0.10.0 → 0.13.0

package/README.md

@@ -9,6 +9,10 @@ A powerful CLI tool for building and managing TypeScript-based backend APIs with
 - **Development Server**: Hot-reload development server with file watching
 - **Telescope Integration**: Laravel-style debugging dashboard for inspecting requests, logs, and exceptions
 - **OpenAPI Generation**: Auto-generate OpenAPI 3.0 specifications from your endpoints
+- **Docker Support**: Generate optimized Dockerfiles with multi-stage builds, turbo prune for monorepos
+- **Secrets Management**: Secure credential generation, encryption, and stage-based secrets storage
+- **Deploy Commands**: One-command deployment to Docker registries and Dokploy with encrypted secrets
+- **Authentication**: Store credentials locally for seamless deployment without environment variables
 - **Type-Safe Configuration**: Configuration with TypeScript support and validation
 - **Endpoint Auto-Discovery**: Automatically find and load endpoints from your codebase
 - **Flexible Routing**: Support for glob patterns to discover route files
@@ -310,6 +314,7 @@ gkm build [options]
   - `aws-apigatewayv1`: AWS API Gateway v1 Lambda handlers
   - `aws-apigatewayv2`: AWS API Gateway v2 Lambda handlers
   - `server`: Server application with Hono
+- `--production`: Generate production-optimized bundle (server provider only)
 
 **Example:**
 ```bash
@@ -318,8 +323,18 @@ gkm build --provider aws-apigatewayv1
 
 # Generate server application
 gkm build --provider server
+
+# Generate production bundle for Docker
+gkm build --provider server --production
 ```
 
+**Production Builds:**
+
+When using `--production` with the server provider, the CLI generates an optimized bundle at `.gkm/server/dist/server.mjs`. This bundle:
+- Is minified and tree-shaken for smaller size
+- Includes all dependencies (single-file deployment)
+- Can be used with `gkm docker --slim` for minimal Docker images
+
 ### `gkm openapi`
 
 Generate OpenAPI TypeScript module from your endpoints. This is the recommended approach as it provides full type safety and a ready-to-use API client.
@@ -409,6 +424,135 @@ const { data } = api.useQuery('GET /users');
 const mutation = api.useMutation('POST /users');
 ```
 
+### `gkm docker`
+
+Generate Docker configuration files for containerized deployment.
+
+```bash
+gkm docker [options]
+```
+
+**Options:**
+- `--build`: Build Docker image after generating files
+- `--push`: Push image to registry after building
+- `--tag <tag>`: Image tag (default: `latest`)
+- `--registry <url>`: Container registry URL
+- `--slim`: Use slim Dockerfile (requires pre-built bundle from `gkm build --production`)
+- `--turbo`: Enable turbo prune for monorepo optimization
+- `--turbo-package <name>`: Package name for turbo prune (defaults to package.json name)
+
+**Generated Files:**
+- `.gkm/docker/Dockerfile` - Multi-stage or slim Dockerfile
+- `.gkm/docker/docker-compose.yml` - Docker Compose configuration
+- `.gkm/docker/docker-entrypoint.sh` - Entrypoint script
+- `.dockerignore` - Docker ignore file (project root)
+
+**Dockerfile Types:**
+
+| Type | Flag | Description |
+|------|------|-------------|
+| Multi-stage | (default) | Builds from source inside Docker, most reproducible |
+| Turbo | `--turbo` | Optimized for monorepos with turbo prune |
+| Slim | `--slim` | Uses pre-built bundle, requires prior `gkm build --production` |
+
+**Example:**
+```bash
+# Generate multi-stage Dockerfile (default, recommended)
+gkm docker
+
+# Generate and build image
+gkm docker --build --tag v1.0.0
+
+# Build and push to registry
+gkm docker --build --push --registry ghcr.io/myorg --tag v1.0.0
+
+# Use turbo prune for monorepo
+gkm docker --turbo --turbo-package my-api
+
+# Use slim Dockerfile (after running gkm build --production)
+gkm build --provider server --production
+gkm docker --slim
+```
+
+**Package Manager Support:**
+
+The CLI auto-detects your package manager from lockfiles and generates optimized Dockerfiles:
+- **pnpm**: Uses `pnpm fetch` for better layer caching
+- **npm**: Uses `npm ci` with cache mounts
+- **yarn**: Uses `yarn install --frozen-lockfile`
+- **bun**: Uses `bun install --frozen-lockfile`
+
+**Configuration:**
+
+Configure Docker settings in `gkm.config.ts`:
+
+```typescript
+import { defineConfig } from '@geekmidas/cli/config';
+
+export default defineConfig({
+  routes: 'src/routes/**/*.ts',
+  envParser: './src/env.ts',
+  logger: './src/logger.ts',
+
+  docker: {
+    // Container registry
+    registry: 'ghcr.io/myorg',
+    // Image name (defaults to package.json name)
+    imageName: 'my-api',
+    // Base image (default: node:22-alpine)
+    baseImage: 'node:22-alpine',
+    // Port to expose (default: 3000)
+    port: 3000,
+    // Docker Compose services
+    compose: {
+      services: {
+        postgres: { image: 'postgis/postgis:16-3.4-alpine' },  // Custom image
+        redis: true,                                            // Default version
+        rabbitmq: { version: '3.12-management-alpine' },        // Custom version
+      },
+    },
+  },
+});
+```
+
+**Docker Compose Services:**
+
+Services can be configured with custom versions, custom images, or use defaults:
+
+```typescript
+// Object format (recommended)
+services: {
+  postgres: { version: '15-alpine' },              // Custom version
+  redis: true,                                      // Default: redis:7-alpine
+  rabbitmq: { version: '3.12-management-alpine' },
+}
+
+// Custom images (e.g., PostGIS, Redis Stack)
+services: {
+  postgres: { image: 'postgis/postgis:16-3.4-alpine' },  // Full image reference
+  redis: { image: 'redis/redis-stack:latest' },
+}
+
+// Legacy array format - uses default versions
+services: ['postgres', 'redis', 'rabbitmq']
+```
+
+**Service Configuration Options:**
+
+| Property | Description |
+|----------|-------------|
+| `true` | Use default image and version |
+| `{ version: string }` | Use default image with custom version/tag |
+| `{ image: string }` | Use completely custom image reference |
+
+**Default Images:**
+
+| Service | Default Image | Environment Variables |
+|---------|---------------|----------------------|
+| `postgres` | `postgres:16-alpine` | `DATABASE_URL`, `POSTGRES_USER`, `POSTGRES_PASSWORD`, `POSTGRES_DB` |
+| `redis` | `redis:7-alpine` | `REDIS_URL` |
+| `rabbitmq` | `rabbitmq:3-management-alpine` | `RABBITMQ_URL`, `RABBITMQ_USER`, `RABBITMQ_PASSWORD` |
+
 ### `gkm dev`
 
 Start a development server with hot-reload and optional Telescope debugging dashboard.
@@ -459,6 +603,369 @@ When files change, the server automatically rebuilds and restarts:
 ✅ Rebuild complete, restarting server...
 ```
 
+### `gkm secrets:init`
+
+Initialize secrets for a deployment stage. Generates secure random passwords for configured Docker Compose services.
+
+```bash
+gkm secrets:init --stage <stage> [options]
+```
+
+**Options:**
+- `--stage <stage>`: Stage name (e.g., `production`, `staging`)
+- `--force`: Overwrite existing secrets
+
+**Example:**
+```bash
+# Initialize production secrets
+gkm secrets:init --stage production
+
+# Overwrite existing secrets
+gkm secrets:init --stage production --force
+```
+
+**Generated:**
+- Secure passwords for postgres, redis, rabbitmq (based on `docker.compose.services` config)
+- Connection URLs (`DATABASE_URL`, `REDIS_URL`, `RABBITMQ_URL`)
+- Stored in `.gkm/secrets/<stage>.json` (gitignored)
+
+### `gkm secrets:set`
+
+Set a custom secret for a stage.
+
+```bash
+gkm secrets:set <key> [value] --stage <stage>
+```
+
+**Arguments:**
+- `<key>`: Secret key (e.g., `API_KEY`, `STRIPE_SECRET`)
+- `[value]`: Secret value (optional - reads from stdin if omitted)
+
+**Options:**
+- `--stage <stage>`: Stage name
+
+**Examples:**
+```bash
+# Direct value
+gkm secrets:set API_KEY sk_live_xxx --stage production
+
+# From stdin (pipe)
+echo "sk_live_xxx" | gkm secrets:set API_KEY --stage production
+
+# From file (for multiline secrets like private keys)
+gkm secrets:set PRIVATE_KEY --stage production < private_key.pem
+
+# From command output
+openssl rand -base64 32 | gkm secrets:set JWT_SECRET --stage production
+```
+
+### `gkm secrets:import`
+
+Import multiple secrets from a JSON file.
+
+```bash
+gkm secrets:import <file> --stage <stage> [options]
+```
+
+**Arguments:**
+- `<file>`: Path to JSON file with key-value pairs
+
+**Options:**
+- `--stage <stage>`: Stage name
+- `--no-merge`: Replace all custom secrets instead of merging
+
+**JSON Format:**
+```json
+{
+  "API_KEY": "sk_live_xxx",
+  "STRIPE_WEBHOOK_SECRET": "whsec_xxx",
+  "SENDGRID_API_KEY": "SG.xxx"
+}
+```
+
+**Examples:**
+```bash
+# Import and merge with existing secrets (default)
+gkm secrets:import secrets.json --stage production
+
+# Replace all custom secrets
+gkm secrets:import secrets.json --stage production --no-merge
+```
+
+### `gkm secrets:show`
+
+Display secrets for a stage (passwords masked by default).
+
+```bash
+gkm secrets:show --stage <stage> [options]
+```
+
+**Options:**
+- `--stage <stage>`: Stage name
+- `--reveal`: Show actual secret values (not masked)
+
+**Example:**
+```bash
+# Show masked secrets
+gkm secrets:show --stage production
+
+# Show actual values
+gkm secrets:show --stage production --reveal
+```
+
+### `gkm secrets:rotate`
+
+Rotate passwords for services.
+
+```bash
+gkm secrets:rotate --stage <stage> [options]
+```
+
+**Options:**
+- `--stage <stage>`: Stage name
+- `--service <service>`: Specific service to rotate (`postgres`, `redis`, `rabbitmq`)
+
+**Examples:**
+```bash
+# Rotate all service passwords
+gkm secrets:rotate --stage production
+
+# Rotate only postgres password
+gkm secrets:rotate --stage production --service postgres
+```
+
+## Authentication
+
+Store credentials locally to avoid setting environment variables for every command.
+
+### `gkm login`
+
+Authenticate with a deployment service. Credentials are stored in `~/.gkm/credentials.json`.
+
+```bash
+gkm login [options]
+```
+
+**Options:**
+- `--service <service>`: Service to login to (`dokploy`) - default: `dokploy`
+- `--token <token>`: API token (will prompt interactively if not provided)
+- `--endpoint <url>`: Service endpoint URL (will prompt if not provided)
+
+**Examples:**
+```bash
+# Interactive login (prompts for endpoint and token)
+gkm login
+
+# Non-interactive login
+gkm login --endpoint https://dokploy.example.com --token your-api-token
+
+# Login with just endpoint (prompts for token)
+gkm login --endpoint https://dokploy.example.com
+```
+
+**After logging in:**
+```bash
+# These commands no longer need DOKPLOY_API_TOKEN
+gkm deploy:list
+gkm deploy:init --project my-project --app api
+gkm deploy --provider dokploy --stage production
+```
+
+### `gkm logout`
+
+Remove stored credentials.
+
+```bash
+gkm logout [options]
+```
+
+**Options:**
+- `--service <service>`: Service to logout from (`dokploy`, `all`) - default: `dokploy`
+
+**Examples:**
+```bash
+# Logout from Dokploy
+gkm logout
+
+# Logout from all services
+gkm logout --service all
+```
+
+### `gkm whoami`
+
+Show current authentication status.
+
+```bash
+gkm whoami
+```
+
+**Example output:**
+```
+📋 Current credentials:
+
+  Dokploy:
+    Endpoint: https://dokploy.example.com
+    Token: abc1...xyz9
+
+  Credentials file: /Users/you/.gkm/credentials.json
+```
+
+## Deployment
+
+### `gkm deploy`
+
+Deploy application to a provider. Builds for production, injects encrypted secrets, and deploys.
+
+```bash
+gkm deploy --provider <provider> --stage <stage> [options]
+```
+
+**Options:**
+- `--provider <provider>`: Deploy provider (`docker`, `dokploy`, `aws-lambda`)
+- `--stage <stage>`: Deployment stage
+- `--tag <tag>`: Image tag (default: `stage-timestamp`)
+- `--skip-push`: Skip pushing image to registry
+- `--skip-build`: Skip build step (use existing build)
+
+**Examples:**
+```bash
+# Docker: build and push image
+gkm deploy --provider docker --stage production
+
+# Dokploy: build, push, and trigger deployment
+DOKPLOY_API_TOKEN=xxx gkm deploy --provider dokploy --stage production
+
+# Custom tag
+gkm deploy --provider docker --stage production --tag v1.0.0
+```
+
+**Workflow:**
+1. Builds production bundle with `gkm build --provider server --production --stage <stage>`
+2. Encrypts secrets from `.gkm/secrets/<stage>.json` into the bundle
+3. Generates Docker files with `gkm docker`
+4. Builds and pushes Docker image
+5. (Dokploy) Triggers deployment via API with `GKM_MASTER_KEY`
+
+**Configuration:**
+
+```typescript
+// gkm.config.ts
+export default defineConfig({
+  routes: 'src/endpoints/**/*.ts',
+  envParser: './src/env.ts',
+  logger: './src/logger.ts',
+
+  docker: {
+    registry: 'ghcr.io/myorg',
+    imageName: 'my-api',
+  },
+
+  // For Dokploy deployments
+  providers: {
+    dokploy: {
+      endpoint: 'https://dokploy.example.com',
+      projectId: 'proj_xxx',
+      applicationId: 'app_xxx',
+    },
+  },
+});
+```
+
+**Environment Variables:**
+- `DOKPLOY_API_TOKEN`: API token for Dokploy (not needed if logged in via `gkm login`)
+- `GKM_MASTER_KEY`: Automatically set by Dokploy, or manually for Docker deployments
+
+### `gkm deploy:init`
+
+Initialize a new Dokploy deployment by creating a project and application via the Dokploy API. Automatically updates `gkm.config.ts` with the configuration.
+
+```bash
+gkm deploy:init --project <name> --app <name> [options]
+```
+
+**Options:**
+- `--endpoint <url>`: Dokploy server URL (uses stored credentials if logged in)
+- `--project <name>`: Project name (creates if not exists)
+- `--app <name>`: Application name to create
+- `--project-id <id>`: Use existing project ID instead of finding/creating
+- `--registry-id <id>`: Configure a registry for the application
+
+**Examples:**
+```bash
+# After gkm login (no endpoint needed)
+gkm deploy:init --project my-project --app api
+
+# With explicit endpoint (or if not logged in)
+gkm deploy:init \
+  --endpoint https://dokploy.example.com \
+  --project my-project \
+  --app api
+
+# With registry configuration
+gkm deploy:init \
+  --project my-project \
+  --app api \
+  --registry-id reg_xyz789
+```
+
+**What it does:**
+1. Searches for existing project by name, or creates a new one
+2. Creates a new application in the project
+3. Configures registry if `--registry-id` is provided
+4. Updates `gkm.config.ts` with the Dokploy configuration
+5. Shows next steps for secrets and deployment
+
+### `gkm deploy:list`
+
+List available Dokploy resources (projects and registries).
+
+```bash
+gkm deploy:list [options]
+```
+
+**Options:**
+- `--endpoint <url>`: Dokploy server URL (uses stored credentials if logged in)
+- `--projects`: List projects only
+- `--registries`: List registries only
+
+**Examples:**
+```bash
+# After gkm login (no endpoint needed)
+gkm deploy:list
+gkm deploy:list --projects
+gkm deploy:list --registries
+
+# With explicit endpoint
+gkm deploy:list --endpoint https://dokploy.example.com
+```
+
+### Using Encrypted Credentials
+
+After deploying with secrets, your application decrypts credentials at runtime:
+
+```typescript
+// src/env.ts
+import { EnvironmentParser } from '@geekmidas/envkit';
+import { Credentials } from '@geekmidas/envkit/credentials';
+
+export const envParser = new EnvironmentParser({...process.env, ...Credentials})
+  .create((get) => ({
+    database: {
+      url: get('DATABASE_URL').string(),
+    },
+    stripe: {
+      key: get('STRIPE_KEY').string(),
+    },
+  }))
+  .parse();
+```
+
+**How it works:**
+- At build time, secrets are encrypted with AES-256-GCM and embedded in the bundle
+- An ephemeral master key is generated per build
+- At runtime, `Credentials` decrypts using `GKM_MASTER_KEY` environment variable
+- In development (no embedded secrets), `Credentials` returns `{}`
+
 ### Future Commands
 
 The following commands are planned for future releases:
@@ -1259,8 +1766,26 @@ interface GkmConfig {
   subscribers?: string | string[];
   runtime?: Runtime;
   telescope?: boolean | TelescopeConfig;
+  docker?: DockerConfig;
 }
 
+// Docker configuration
+interface DockerConfig {
+  registry?: string;        // Container registry URL
+  imageName?: string;       // Image name (defaults to package.json name)
+  baseImage?: string;       // Base image (default: node:22-alpine)
+  port?: number;            // Port to expose (default: 3000)
+  compose?: {
+    services?: ComposeServicesConfig | ComposeServiceName[];
+  };
+}
+
+// Service configuration for docker-compose
+type ComposeServiceName = 'postgres' | 'redis' | 'rabbitmq';
+type ComposeServicesConfig = {
+  [K in ComposeServiceName]?: boolean | { version?: string };
+};
+
 // Telescope configuration
 interface TelescopeConfig {
   enabled?: boolean;

package/dist/bundler-B1qy9b-j.cjs

@@ -0,0 +1,112 @@
+const require_chunk = require('./chunk-CUT6urMc.cjs');
+const node_fs = require_chunk.__toESM(require("node:fs"));
+const node_path = require_chunk.__toESM(require("node:path"));
+const node_fs_promises = require_chunk.__toESM(require("node:fs/promises"));
+const node_child_process = require_chunk.__toESM(require("node:child_process"));
+
+//#region src/build/bundler.ts
+/**
+* Collect all required environment variables from constructs.
+* Uses the SnifferEnvironmentParser to detect which env vars each service needs.
+*
+* @param constructs - Array of constructs to analyze
+* @returns Deduplicated array of required environment variable names
+*/
+async function collectRequiredEnvVars(constructs) {
+	const allEnvVars = /* @__PURE__ */ new Set();
+	for (const construct of constructs) {
+		const envVars = await construct.getEnvironment();
+		envVars.forEach((v) => allEnvVars.add(v));
+	}
+	return Array.from(allEnvVars).sort();
+}
+/**
+* Bundle the server application using tsdown
+*
+* @param options - Bundle configuration options
+* @returns Bundle result with output path and optional master key
+*/
+async function bundleServer(options) {
+	const { entryPoint, outputDir, minify, sourcemap, external, stage, constructs } = options;
+	await (0, node_fs_promises.mkdir)(outputDir, { recursive: true });
+	const args = [
+		"npx",
+		"tsdown",
+		entryPoint,
+		"--no-config",
+		"--out-dir",
+		outputDir,
+		"--format",
+		"esm",
+		"--platform",
+		"node",
+		"--target",
+		"node22",
+		"--clean"
+	];
+	if (minify) args.push("--minify");
+	if (sourcemap) args.push("--sourcemap");
+	for (const ext of external) args.push("--external", ext);
+	args.push("--external", "node:*");
+	let masterKey;
+	if (stage) {
+		const { readStageSecrets, toEmbeddableSecrets, validateEnvironmentVariables } = await Promise.resolve().then(() => require("./storage-BOOpAF8N.cjs"));
+		const { encryptSecrets, generateDefineOptions } = await Promise.resolve().then(() => require("./encryption-Dyf_r1h-.cjs"));
+		const secrets = await readStageSecrets(stage);
+		if (!secrets) throw new Error(`No secrets found for stage "${stage}". Run "gkm secrets:init --stage ${stage}" first.`);
+		if (constructs && constructs.length > 0) {
+			console.log("  Analyzing environment variable requirements...");
+			const requiredVars = await collectRequiredEnvVars(constructs);
+			if (requiredVars.length > 0) {
+				const validation = validateEnvironmentVariables(requiredVars, secrets);
+				if (!validation.valid) {
+					const errorMessage = [
+						`Missing environment variables for stage "${stage}":`,
+						"",
+						...validation.missing.map((v) => `  ❌ ${v}`),
+						"",
+						"To fix this, either:",
+						`  1. Add the missing variables to .gkm/secrets/${stage}.json using:`,
+						`     gkm secrets:set <KEY> <VALUE> --stage ${stage}`,
+						"",
+						`  2. Or import from a JSON file:`,
+						`     gkm secrets:import secrets.json --stage ${stage}`,
+						"",
+						"Required variables:",
+						...validation.required.map((v) => validation.missing.includes(v) ? `  ❌ ${v}` : `  ✓ ${v}`)
+					].join("\n");
+					throw new Error(errorMessage);
+				}
+				console.log(`  ✓ All ${requiredVars.length} required environment variables found`);
+			}
+		}
+		const embeddable = toEmbeddableSecrets(secrets);
+		const encrypted = encryptSecrets(embeddable);
+		masterKey = encrypted.masterKey;
+		const defines = generateDefineOptions(encrypted);
+		for (const [key, value] of Object.entries(defines)) args.push("--define", `${key}=${value}`);
+		console.log(`  Secrets encrypted for stage "${stage}"`);
+	}
+	const mjsOutput = (0, node_path.join)(outputDir, "server.mjs");
+	try {
+		(0, node_child_process.execSync)(args.join(" "), {
+			cwd: process.cwd(),
+			stdio: "inherit"
+		});
+		const jsOutput = (0, node_path.join)(outputDir, "server.js");
+		if ((0, node_fs.existsSync)(jsOutput)) await (0, node_fs_promises.rename)(jsOutput, mjsOutput);
+		const { readFile } = await import("node:fs/promises");
+		const content = await readFile(mjsOutput, "utf-8");
+		if (!content.startsWith("#!")) await (0, node_fs_promises.writeFile)(mjsOutput, `#!/usr/bin/env node\n${content}`);
+	} catch (error) {
+		throw new Error(`Failed to bundle server: ${error instanceof Error ? error.message : "Unknown error"}`);
+	}
+	return {
+		outputPath: mjsOutput,
+		masterKey
+	};
+}
+
+//#endregion
+exports.bundleServer = bundleServer;
+//# sourceMappingURL=bundler-B1qy9b-j.cjs.map

package/dist/bundler-B1qy9b-j.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"bundler-B1qy9b-j.cjs","names":["constructs: Construct[]","options: BundleOptions","masterKey: string | undefined"],"sources":["../src/build/bundler.ts"],"sourcesContent":["import { execSync } from 'node:child_process';\nimport { existsSync } from 'node:fs';\nimport { mkdir, rename, writeFile } from 'node:fs/promises';\nimport { join } from 'node:path';\nimport type { Construct } from '@geekmidas/constructs';\n\nexport interface BundleOptions {\n\t/** Entry point file (e.g., .gkm/server/server.ts) */\n\tentryPoint: string;\n\t/** Output directory for bundled files */\n\toutputDir: string;\n\t/** Minify the output (default: true) */\n\tminify: boolean;\n\t/** Generate sourcemaps (default: false) */\n\tsourcemap: boolean;\n\t/** Packages to exclude from bundling */\n\texternal: string[];\n\t/** Stage for secrets injection (optional) */\n\tstage?: string;\n\t/** Constructs to validate environment variables for */\n\tconstructs?: Construct[];\n}\n\nexport interface BundleResult {\n\t/** Path to the bundled output */\n\toutputPath: string;\n\t/** Ephemeral master key for deployment (only if stage was provided) */\n\tmasterKey?: string;\n}\n\n/**\n * Collect all required environment variables from constructs.\n * Uses the SnifferEnvironmentParser to detect which env vars each service needs.\n *\n * @param constructs - Array of constructs to analyze\n * @returns Deduplicated array of required environment variable names\n */\nasync function collectRequiredEnvVars(\n\tconstructs: Construct[],\n): Promise<string[]> {\n\tconst allEnvVars = new Set<string>();\n\n\tfor (const construct of constructs) {\n\t\tconst envVars = await construct.getEnvironment();\n\t\tenvVars.forEach((v) => allEnvVars.add(v));\n\t}\n\n\treturn Array.from(allEnvVars).sort();\n}\n\n/**\n * Bundle the server application using tsdown\n *\n * @param options - Bundle configuration options\n * @returns Bundle result with output path and optional master key\n */\nexport async function bundleServer(\n\toptions: BundleOptions,\n): Promise<BundleResult> {\n\tconst {\n\t\tentryPoint,\n\t\toutputDir,\n\t\tminify,\n\t\tsourcemap,\n\t\texternal,\n\t\tstage,\n\t\tconstructs,\n\t} = options;\n\n\t// Ensure output directory exists\n\tawait mkdir(outputDir, { recursive: true });\n\n\t// Build command-line arguments for tsdown\n\tconst args = [\n\t\t'npx',\n\t\t'tsdown',\n\t\tentryPoint,\n\t\t'--no-config', // Don't use any config file from workspace\n\t\t'--out-dir',\n\t\toutputDir,\n\t\t'--format',\n\t\t'esm',\n\t\t'--platform',\n\t\t'node',\n\t\t'--target',\n\t\t'node22',\n\t\t'--clean',\n\t];\n\n\tif (minify) {\n\t\targs.push('--minify');\n\t}\n\n\tif (sourcemap) {\n\t\targs.push('--sourcemap');\n\t}\n\n\t// Add external packages\n\tfor (const ext of external) {\n\t\targs.push('--external', ext);\n\t}\n\n\t// Always exclude node: builtins\n\targs.push('--external', 'node:*');\n\n\t// Handle secrets injection if stage is provided\n\tlet masterKey: string | undefined;\n\n\tif (stage) {\n\t\tconst {\n\t\t\treadStageSecrets,\n\t\t\ttoEmbeddableSecrets,\n\t\t\tvalidateEnvironmentVariables,\n\t\t} = await import('../secrets/storage');\n\t\tconst { encryptSecrets, generateDefineOptions } = await import(\n\t\t\t'../secrets/encryption'\n\t\t);\n\n\t\tconst secrets = await readStageSecrets(stage);\n\n\t\tif (!secrets) {\n\t\t\tthrow new Error(\n\t\t\t\t`No secrets found for stage \"${stage}\". Run \"gkm secrets:init --stage ${stage}\" first.`,\n\t\t\t);\n\t\t}\n\n\t\t// Validate environment variables if constructs are provided\n\t\tif (constructs && constructs.length > 0) {\n\t\t\tconsole.log('  Analyzing environment variable requirements...');\n\t\t\tconst requiredVars = await collectRequiredEnvVars(constructs);\n\n\t\t\tif (requiredVars.length > 0) {\n\t\t\t\tconst validation = validateEnvironmentVariables(requiredVars, secrets);\n\n\t\t\t\tif (!validation.valid) {\n\t\t\t\t\tconst errorMessage = [\n\t\t\t\t\t\t`Missing environment variables for stage \"${stage}\":`,\n\t\t\t\t\t\t'',\n\t\t\t\t\t\t...validation.missing.map((v) => `  ❌ ${v}`),\n\t\t\t\t\t\t'',\n\t\t\t\t\t\t'To fix this, either:',\n\t\t\t\t\t\t`  1. Add the missing variables to .gkm/secrets/${stage}.json using:`,\n\t\t\t\t\t\t`     gkm secrets:set <KEY> <VALUE> --stage ${stage}`,\n\t\t\t\t\t\t'',\n\t\t\t\t\t\t`  2. Or import from a JSON file:`,\n\t\t\t\t\t\t`     gkm secrets:import secrets.json --stage ${stage}`,\n\t\t\t\t\t\t'',\n\t\t\t\t\t\t'Required variables:',\n\t\t\t\t\t\t...validation.required.map((v) =>\n\t\t\t\t\t\t\tvalidation.missing.includes(v) ? `  ❌ ${v}` : `  ✓ ${v}`,\n\t\t\t\t\t\t),\n\t\t\t\t\t].join('\\n');\n\n\t\t\t\t\tthrow new Error(errorMessage);\n\t\t\t\t}\n\n\t\t\t\tconsole.log(\n\t\t\t\t\t`  ✓ All ${requiredVars.length} required environment variables found`,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\t// Convert to embeddable format and encrypt\n\t\tconst embeddable = toEmbeddableSecrets(secrets);\n\t\tconst encrypted = encryptSecrets(embeddable);\n\t\tmasterKey = encrypted.masterKey;\n\n\t\t// Add define options for build-time injection\n\t\tconst defines = generateDefineOptions(encrypted);\n\t\tfor (const [key, value] of Object.entries(defines)) {\n\t\t\targs.push('--define', `${key}=${value}`);\n\t\t}\n\n\t\tconsole.log(`  Secrets encrypted for stage \"${stage}\"`);\n\t}\n\n\tconst mjsOutput = join(outputDir, 'server.mjs');\n\n\ttry {\n\t\t// Run tsdown with command-line arguments\n\t\texecSync(args.join(' '), {\n\t\t\tcwd: process.cwd(),\n\t\t\tstdio: 'inherit',\n\t\t});\n\n\t\t// Rename output to .mjs for explicit ESM\n\t\t// tsdown outputs as server.js for ESM format\n\t\tconst jsOutput = join(outputDir, 'server.js');\n\n\t\tif (existsSync(jsOutput)) {\n\t\t\tawait rename(jsOutput, mjsOutput);\n\t\t}\n\n\t\t// Add shebang to the bundled file\n\t\tconst { readFile } = await import('node:fs/promises');\n\t\tconst content = await readFile(mjsOutput, 'utf-8');\n\t\tif (!content.startsWith('#!')) {\n\t\t\tawait writeFile(mjsOutput, `#!/usr/bin/env node\\n${content}`);\n\t\t}\n\t} catch (error) {\n\t\tthrow new Error(\n\t\t\t`Failed to bundle server: ${error instanceof Error ? error.message : 'Unknown error'}`,\n\t\t);\n\t}\n\n\treturn {\n\t\toutputPath: mjsOutput,\n\t\tmasterKey,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;;;AAqCA,eAAe,uBACdA,YACoB;CACpB,MAAM,6BAAa,IAAI;AAEvB,MAAK,MAAM,aAAa,YAAY;EACnC,MAAM,UAAU,MAAM,UAAU,gBAAgB;AAChD,UAAQ,QAAQ,CAAC,MAAM,WAAW,IAAI,EAAE,CAAC;CACzC;AAED,QAAO,MAAM,KAAK,WAAW,CAAC,MAAM;AACpC;;;;;;;AAQD,eAAsB,aACrBC,SACwB;CACxB,MAAM,EACL,YACA,WACA,QACA,WACA,UACA,OACA,YACA,GAAG;AAGJ,OAAM,4BAAM,WAAW,EAAE,WAAW,KAAM,EAAC;CAG3C,MAAM,OAAO;EACZ;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;CACA;AAED,KAAI,OACH,MAAK,KAAK,WAAW;AAGtB,KAAI,UACH,MAAK,KAAK,cAAc;AAIzB,MAAK,MAAM,OAAO,SACjB,MAAK,KAAK,cAAc,IAAI;AAI7B,MAAK,KAAK,cAAc,SAAS;CAGjC,IAAIC;AAEJ,KAAI,OAAO;EACV,MAAM,EACL,kBACA,qBACA,8BACA,GAAG,2CAAM;EACV,MAAM,EAAE,gBAAgB,uBAAuB,GAAG,2CAAM;EAIxD,MAAM,UAAU,MAAM,iBAAiB,MAAM;AAE7C,OAAK,QACJ,OAAM,IAAI,OACR,8BAA8B,MAAM,mCAAmC,MAAM;AAKhF,MAAI,cAAc,WAAW,SAAS,GAAG;AACxC,WAAQ,IAAI,mDAAmD;GAC/D,MAAM,eAAe,MAAM,uBAAuB,WAAW;AAE7D,OAAI,aAAa,SAAS,GAAG;IAC5B,MAAM,aAAa,6BAA6B,cAAc,QAAQ;AAEtE,SAAK,WAAW,OAAO;KACtB,MAAM,eAAe;OACnB,2CAA2C,MAAM;MAClD;MACA,GAAG,WAAW,QAAQ,IAAI,CAAC,OAAO,MAAM,EAAE,EAAE;MAC5C;MACA;OACC,iDAAiD,MAAM;OACvD,6CAA6C,MAAM;MACpD;OACC;OACA,+CAA+C,MAAM;MACtD;MACA;MACA,GAAG,WAAW,SAAS,IAAI,CAAC,MAC3B,WAAW,QAAQ,SAAS,EAAE,IAAI,MAAM,EAAE,KAAK,MAAM,EAAE,EACvD;KACD,EAAC,KAAK,KAAK;AAEZ,WAAM,IAAI,MAAM;IAChB;AAED,YAAQ,KACN,UAAU,aAAa,OAAO,uCAC/B;GACD;EACD;EAGD,MAAM,aAAa,oBAAoB,QAAQ;EAC/C,MAAM,YAAY,eAAe,WAAW;AAC5C,cAAY,UAAU;EAGtB,MAAM,UAAU,sBAAsB,UAAU;AAChD,OAAK,MAAM,CAAC,KAAK,MAAM,IAAI,OAAO,QAAQ,QAAQ,CACjD,MAAK,KAAK,aAAa,EAAE,IAAI,GAAG,MAAM,EAAE;AAGzC,UAAQ,KAAK,iCAAiC,MAAM,GAAG;CACvD;CAED,MAAM,YAAY,oBAAK,WAAW,aAAa;AAE/C,KAAI;AAEH,mCAAS,KAAK,KAAK,IAAI,EAAE;GACxB,KAAK,QAAQ,KAAK;GAClB,OAAO;EACP,EAAC;EAIF,MAAM,WAAW,oBAAK,WAAW,YAAY;AAE7C,MAAI,wBAAW,SAAS,CACvB,OAAM,6BAAO,UAAU,UAAU;EAIlC,MAAM,EAAE,UAAU,GAAG,MAAM,OAAO;EAClC,MAAM,UAAU,MAAM,SAAS,WAAW,QAAQ;AAClD,OAAK,QAAQ,WAAW,KAAK,CAC5B,OAAM,gCAAU,YAAY,uBAAuB,QAAQ,EAAE;CAE9D,SAAQ,OAAO;AACf,QAAM,IAAI,OACR,2BAA2B,iBAAiB,QAAQ,MAAM,UAAU,gBAAgB;CAEtF;AAED,QAAO;EACN,YAAY;EACZ;CACA;AACD"}