@geekmidas/cli 0.10.0 → 0.13.0

package/src/build/bundler.ts

@@ -0,0 +1,210 @@
+import { execSync } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { mkdir, rename, writeFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import type { Construct } from '@geekmidas/constructs';
+
+export interface BundleOptions {
+	/** Entry point file (e.g., .gkm/server/server.ts) */
+	entryPoint: string;
+	/** Output directory for bundled files */
+	outputDir: string;
+	/** Minify the output (default: true) */
+	minify: boolean;
+	/** Generate sourcemaps (default: false) */
+	sourcemap: boolean;
+	/** Packages to exclude from bundling */
+	external: string[];
+	/** Stage for secrets injection (optional) */
+	stage?: string;
+	/** Constructs to validate environment variables for */
+	constructs?: Construct[];
+}
+
+export interface BundleResult {
+	/** Path to the bundled output */
+	outputPath: string;
+	/** Ephemeral master key for deployment (only if stage was provided) */
+	masterKey?: string;
+}
+
+/**
+ * Collect all required environment variables from constructs.
+ * Uses the SnifferEnvironmentParser to detect which env vars each service needs.
+ *
+ * @param constructs - Array of constructs to analyze
+ * @returns Deduplicated array of required environment variable names
+ */
+async function collectRequiredEnvVars(
+	constructs: Construct[],
+): Promise<string[]> {
+	const allEnvVars = new Set<string>();
+
+	for (const construct of constructs) {
+		const envVars = await construct.getEnvironment();
+		envVars.forEach((v) => allEnvVars.add(v));
+	}
+
+	return Array.from(allEnvVars).sort();
+}
+
+/**
+ * Bundle the server application using tsdown
+ *
+ * @param options - Bundle configuration options
+ * @returns Bundle result with output path and optional master key
+ */
+export async function bundleServer(
+	options: BundleOptions,
+): Promise<BundleResult> {
+	const {
+		entryPoint,
+		outputDir,
+		minify,
+		sourcemap,
+		external,
+		stage,
+		constructs,
+	} = options;
+
+	// Ensure output directory exists
+	await mkdir(outputDir, { recursive: true });
+
+	// Build command-line arguments for tsdown
+	const args = [
+		'npx',
+		'tsdown',
+		entryPoint,
+		'--no-config', // Don't use any config file from workspace
+		'--out-dir',
+		outputDir,
+		'--format',
+		'esm',
+		'--platform',
+		'node',
+		'--target',
+		'node22',
+		'--clean',
+	];
+
+	if (minify) {
+		args.push('--minify');
+	}
+
+	if (sourcemap) {
+		args.push('--sourcemap');
+	}
+
+	// Add external packages
+	for (const ext of external) {
+		args.push('--external', ext);
+	}
+
+	// Always exclude node: builtins
+	args.push('--external', 'node:*');
+
+	// Handle secrets injection if stage is provided
+	let masterKey: string | undefined;
+
+	if (stage) {
+		const {
+			readStageSecrets,
+			toEmbeddableSecrets,
+			validateEnvironmentVariables,
+		} = await import('../secrets/storage');
+		const { encryptSecrets, generateDefineOptions } = await import(
+			'../secrets/encryption'
+		);
+
+		const secrets = await readStageSecrets(stage);
+
+		if (!secrets) {
+			throw new Error(
+				`No secrets found for stage "${stage}". Run "gkm secrets:init --stage ${stage}" first.`,
+			);
+		}
+
+		// Validate environment variables if constructs are provided
+		if (constructs && constructs.length > 0) {
+			console.log('  Analyzing environment variable requirements...');
+			const requiredVars = await collectRequiredEnvVars(constructs);
+
+			if (requiredVars.length > 0) {
+				const validation = validateEnvironmentVariables(requiredVars, secrets);
+
+				if (!validation.valid) {
+					const errorMessage = [
+						`Missing environment variables for stage "${stage}":`,
+						'',
+						...validation.missing.map((v) => `  ❌ ${v}`),
+						'',
+						'To fix this, either:',
+						`  1. Add the missing variables to .gkm/secrets/${stage}.json using:`,
+						`     gkm secrets:set <KEY> <VALUE> --stage ${stage}`,
+						'',
+						`  2. Or import from a JSON file:`,
+						`     gkm secrets:import secrets.json --stage ${stage}`,
+						'',
+						'Required variables:',
+						...validation.required.map((v) =>
+							validation.missing.includes(v) ? `  ❌ ${v}` : `  ✓ ${v}`,
+						),
+					].join('\n');
+
+					throw new Error(errorMessage);
+				}
+
+				console.log(
+					`  ✓ All ${requiredVars.length} required environment variables found`,
+				);
+			}
+		}
+
+		// Convert to embeddable format and encrypt
+		const embeddable = toEmbeddableSecrets(secrets);
+		const encrypted = encryptSecrets(embeddable);
+		masterKey = encrypted.masterKey;
+
+		// Add define options for build-time injection
+		const defines = generateDefineOptions(encrypted);
+		for (const [key, value] of Object.entries(defines)) {
+			args.push('--define', `${key}=${value}`);
+		}
+
+		console.log(`  Secrets encrypted for stage "${stage}"`);
+	}
+
+	const mjsOutput = join(outputDir, 'server.mjs');
+
+	try {
+		// Run tsdown with command-line arguments
+		execSync(args.join(' '), {
+			cwd: process.cwd(),
+			stdio: 'inherit',
+		});
+
+		// Rename output to .mjs for explicit ESM
+		// tsdown outputs as server.js for ESM format
+		const jsOutput = join(outputDir, 'server.js');
+
+		if (existsSync(jsOutput)) {
+			await rename(jsOutput, mjsOutput);
+		}
+
+		// Add shebang to the bundled file
+		const { readFile } = await import('node:fs/promises');
+		const content = await readFile(mjsOutput, 'utf-8');
+		if (!content.startsWith('#!')) {
+			await writeFile(mjsOutput, `#!/usr/bin/env node\n${content}`);
+		}
+	} catch (error) {
+		throw new Error(
+			`Failed to bundle server: ${error instanceof Error ? error.message : 'Unknown error'}`,
+		);
+	}
+
+	return {
+		outputPath: mjsOutput,
+		masterKey,
+	};
+}

package/src/build/endpoint-analyzer.ts

@@ -0,0 +1,236 @@
+/**
+ * Endpoint Analyzer for Build-Time Feature Detection
+ *
+ * Analyzes endpoints at build time to determine their features and assign
+ * optimization tiers. This enables generating specialized handler code
+ * for maximum performance.
+ */
+import type { Endpoint } from '@geekmidas/constructs/endpoints';
+
+/**
+ * Features detected from an endpoint configuration
+ */
+export interface EndpointFeatures {
+	hasAuth: boolean;
+	hasServices: boolean;
+	hasDatabase: boolean;
+	hasBodyValidation: boolean;
+	hasQueryValidation: boolean;
+	hasParamValidation: boolean;
+	hasAudits: boolean;
+	hasEvents: boolean;
+	hasRateLimit: boolean;
+	hasRls: boolean;
+	hasOutputValidation: boolean;
+}
+
+/**
+ * Optimization tiers based on endpoint complexity
+ *
+ * - minimal: No auth, no services, no audits, no events - near-raw-Hono performance
+ * - standard: Some features enabled - uses middleware composition
+ * - full: Complex endpoints with many features - full handler chain
+ */
+export type EndpointTier = 'minimal' | 'standard' | 'full';
+
+/**
+ * Complete analysis of an endpoint for build-time optimization
+ */
+export interface EndpointAnalysis {
+	route: string;
+	method: string;
+	exportName: string;
+	features: EndpointFeatures;
+	tier: EndpointTier;
+	serviceNames: string[];
+	databaseServiceName?: string;
+}
+
+/**
+ * Analyze an endpoint to extract its features
+ */
+export function analyzeEndpointFeatures(
+	endpoint: Endpoint<
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any
+	>,
+): EndpointFeatures {
+	return {
+		hasAuth: !!endpoint.authorizer,
+		hasServices: endpoint.services.length > 0,
+		hasDatabase: !!endpoint.databaseService,
+		hasBodyValidation: !!endpoint.input?.body,
+		hasQueryValidation: !!endpoint.input?.query,
+		hasParamValidation: !!endpoint.input?.params,
+		// Only declarative audits (.audit([...])) require full tier with transaction wrapping
+		// Having auditorStorageService just makes auditor available to handler (like other services)
+		hasAudits: (endpoint.audits?.length ?? 0) > 0,
+		hasEvents: (endpoint.events?.length ?? 0) > 0,
+		hasRateLimit: !!endpoint.rateLimit,
+		hasRls: !!endpoint.rlsConfig && !endpoint.rlsBypass,
+		hasOutputValidation: !!endpoint.outputSchema,
+	};
+}
+
+/**
+ * Determine the optimization tier for an endpoint based on its features
+ */
+export function determineEndpointTier(
+	features: EndpointFeatures,
+): EndpointTier {
+	const {
+		hasAuth,
+		hasServices,
+		hasDatabase,
+		hasAudits,
+		hasEvents,
+		hasRateLimit,
+		hasRls,
+	} = features;
+
+	// Minimal tier: No complex features
+	// These endpoints can use near-raw-Hono handlers
+	if (
+		!hasAuth &&
+		!hasServices &&
+		!hasDatabase &&
+		!hasAudits &&
+		!hasEvents &&
+		!hasRateLimit &&
+		!hasRls
+	) {
+		return 'minimal';
+	}
+
+	// Full tier: Has audits, RLS, or rate limiting (complex state management)
+	if (hasAudits || hasRls || hasRateLimit) {
+		return 'full';
+	}
+
+	// Standard tier: Auth and/or services, but no complex state
+	return 'standard';
+}
+
+/**
+ * Perform complete analysis of an endpoint
+ */
+export function analyzeEndpoint(
+	endpoint: Endpoint<
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any,
+		any
+	>,
+	exportName: string,
+): EndpointAnalysis {
+	const features = analyzeEndpointFeatures(endpoint);
+	const tier = determineEndpointTier(features);
+
+	return {
+		route: endpoint.route,
+		method: endpoint.method,
+		exportName,
+		features,
+		tier,
+		serviceNames: endpoint.services.map(
+			(s: { serviceName: string }) => s.serviceName,
+		),
+		databaseServiceName: endpoint.databaseService?.serviceName,
+	};
+}
+
+/**
+ * Analyze multiple endpoints and return analysis results
+ */
+export function analyzeEndpoints(
+	endpoints: Array<{
+		endpoint: Endpoint<
+			any,
+			any,
+			any,
+			any,
+			any,
+			any,
+			any,
+			any,
+			any,
+			any,
+			any,
+			any,
+			any,
+			any
+		>;
+		exportName: string;
+	}>,
+): EndpointAnalysis[] {
+	return endpoints.map(({ endpoint, exportName }) =>
+		analyzeEndpoint(endpoint, exportName),
+	);
+}
+
+/**
+ * Generate a summary of endpoint analysis for logging
+ */
+export function summarizeAnalysis(analyses: EndpointAnalysis[]): {
+	total: number;
+	byTier: Record<EndpointTier, number>;
+	byFeature: Record<keyof EndpointFeatures, number>;
+} {
+	const byTier: Record<EndpointTier, number> = {
+		minimal: 0,
+		standard: 0,
+		full: 0,
+	};
+
+	const byFeature: Record<keyof EndpointFeatures, number> = {
+		hasAuth: 0,
+		hasServices: 0,
+		hasDatabase: 0,
+		hasBodyValidation: 0,
+		hasQueryValidation: 0,
+		hasParamValidation: 0,
+		hasAudits: 0,
+		hasEvents: 0,
+		hasRateLimit: 0,
+		hasRls: 0,
+		hasOutputValidation: 0,
+	};
+
+	for (const analysis of analyses) {
+		byTier[analysis.tier]++;
+
+		for (const [feature, enabled] of Object.entries(analysis.features)) {
+			if (enabled) {
+				byFeature[feature as keyof EndpointFeatures]++;
+			}
+		}
+	}
+
+	return {
+		total: analyses.length,
+		byTier,
+		byFeature,
+	};
+}