@geekmidas/cli 0.12.0 → 0.13.0

package/dist/storage-BOOpAF8N.cjs

@@ -0,0 +1,5 @@
+const require_storage = require('./storage-Bj1E26lU.cjs');
+
+exports.readStageSecrets = require_storage.readStageSecrets;
+exports.toEmbeddableSecrets = require_storage.toEmbeddableSecrets;
+exports.validateEnvironmentVariables = require_storage.validateEnvironmentVariables;

package/dist/{storage-BXoJvmv2.cjs → storage-Bj1E26lU.cjs}

@@ -96,6 +96,38 @@ function maskPassword(password) {
 	if (password.length <= 8) return "********";
 	return `${password.slice(0, 4)}${"*".repeat(password.length - 6)}${password.slice(-2)}`;
 }
+/**
+* Validate that all required environment variables are present in secrets.
+*
+* @param requiredVars - Array of environment variable names required by the application
+* @param secrets - Stage secrets to validate against
+* @returns Validation result with missing and provided variables
+*
+* @example
+* ```typescript
+* const required = ['DATABASE_URL', 'API_KEY', 'JWT_SECRET'];
+* const secrets = await readStageSecrets('production');
+* const result = validateEnvironmentVariables(required, secrets);
+*
+* if (!result.valid) {
+*   console.error(`Missing environment variables: ${result.missing.join(', ')}`);
+* }
+* ```
+*/
+function validateEnvironmentVariables(requiredVars, secrets) {
+	const embeddable = toEmbeddableSecrets(secrets);
+	const availableVars = new Set(Object.keys(embeddable));
+	const missing = [];
+	const provided = [];
+	for (const varName of requiredVars) if (availableVars.has(varName)) provided.push(varName);
+	else missing.push(varName);
+	return {
+		valid: missing.length === 0,
+		missing: missing.sort(),
+		provided: provided.sort(),
+		required: [...requiredVars].sort()
+	};
+}
 
 //#endregion
 Object.defineProperty(exports, 'getSecretsDir', {
@@ -140,10 +172,16 @@ Object.defineProperty(exports, 'toEmbeddableSecrets', {
     return toEmbeddableSecrets;
   }
 });
+Object.defineProperty(exports, 'validateEnvironmentVariables', {
+  enumerable: true,
+  get: function () {
+    return validateEnvironmentVariables;
+  }
+});
 Object.defineProperty(exports, 'writeStageSecrets', {
   enumerable: true,
   get: function () {
     return writeStageSecrets;
   }
 });
-//# sourceMappingURL=storage-BXoJvmv2.cjs.map
+//# sourceMappingURL=storage-Bj1E26lU.cjs.map

package/dist/storage-Bj1E26lU.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage-Bj1E26lU.cjs","names":["stage: string","secrets: StageSecrets","key: string","value: string","updated: StageSecrets","password: string","requiredVars: string[]","missing: string[]","provided: string[]"],"sources":["../src/secrets/storage.ts"],"sourcesContent":["import { existsSync } from 'node:fs';\nimport { mkdir, readFile, writeFile } from 'node:fs/promises';\nimport { join } from 'node:path';\nimport type { EmbeddableSecrets, StageSecrets } from './types';\n\n/** Default secrets directory relative to project root */\nconst SECRETS_DIR = '.gkm/secrets';\n\n/**\n * Get the secrets directory path.\n */\nexport function getSecretsDir(cwd = process.cwd()): string {\n\treturn join(cwd, SECRETS_DIR);\n}\n\n/**\n * Get the secrets file path for a stage.\n */\nexport function getSecretsPath(stage: string, cwd = process.cwd()): string {\n\treturn join(getSecretsDir(cwd), `${stage}.json`);\n}\n\n/**\n * Check if secrets exist for a stage.\n */\nexport function secretsExist(stage: string, cwd = process.cwd()): boolean {\n\treturn existsSync(getSecretsPath(stage, cwd));\n}\n\n/**\n * Read secrets for a stage.\n * @returns StageSecrets or null if not found\n */\nexport async function readStageSecrets(\n\tstage: string,\n\tcwd = process.cwd(),\n): Promise<StageSecrets | null> {\n\tconst path = getSecretsPath(stage, cwd);\n\n\tif (!existsSync(path)) {\n\t\treturn null;\n\t}\n\n\tconst content = await readFile(path, 'utf-8');\n\treturn JSON.parse(content) as StageSecrets;\n}\n\n/**\n * Write secrets for a stage.\n */\nexport async function writeStageSecrets(\n\tsecrets: StageSecrets,\n\tcwd = process.cwd(),\n): Promise<void> {\n\tconst dir = getSecretsDir(cwd);\n\tconst path = getSecretsPath(secrets.stage, cwd);\n\n\t// Ensure directory exists\n\tawait mkdir(dir, { recursive: true });\n\n\t// Write with pretty formatting\n\tawait writeFile(path, JSON.stringify(secrets, null, 2), 'utf-8');\n}\n\n/**\n * Convert StageSecrets to embeddable format (flat key-value pairs).\n * This is what gets encrypted and embedded in the bundle.\n */\nexport function toEmbeddableSecrets(secrets: StageSecrets): EmbeddableSecrets {\n\treturn {\n\t\t...secrets.urls,\n\t\t...secrets.custom,\n\t\t// Also include individual service credentials if needed\n\t\t...(secrets.services.postgres && {\n\t\t\tPOSTGRES_USER: secrets.services.postgres.username,\n\t\t\tPOSTGRES_PASSWORD: secrets.services.postgres.password,\n\t\t\tPOSTGRES_DB: secrets.services.postgres.database ?? 'app',\n\t\t\tPOSTGRES_HOST: secrets.services.postgres.host,\n\t\t\tPOSTGRES_PORT: String(secrets.services.postgres.port),\n\t\t}),\n\t\t...(secrets.services.redis && {\n\t\t\tREDIS_PASSWORD: secrets.services.redis.password,\n\t\t\tREDIS_HOST: secrets.services.redis.host,\n\t\t\tREDIS_PORT: String(secrets.services.redis.port),\n\t\t}),\n\t\t...(secrets.services.rabbitmq && {\n\t\t\tRABBITMQ_USER: secrets.services.rabbitmq.username,\n\t\t\tRABBITMQ_PASSWORD: secrets.services.rabbitmq.password,\n\t\t\tRABBITMQ_HOST: secrets.services.rabbitmq.host,\n\t\t\tRABBITMQ_PORT: String(secrets.services.rabbitmq.port),\n\t\t\tRABBITMQ_VHOST: secrets.services.rabbitmq.vhost ?? '/',\n\t\t}),\n\t};\n}\n\n/**\n * Update a custom secret in the secrets file.\n */\nexport async function setCustomSecret(\n\tstage: string,\n\tkey: string,\n\tvalue: string,\n\tcwd = process.cwd(),\n): Promise<StageSecrets> {\n\tconst secrets = await readStageSecrets(stage, cwd);\n\n\tif (!secrets) {\n\t\tthrow new Error(\n\t\t\t`Secrets not found for stage \"${stage}\". Run \"gkm secrets:init --stage ${stage}\" first.`,\n\t\t);\n\t}\n\n\tconst updated: StageSecrets = {\n\t\t...secrets,\n\t\tupdatedAt: new Date().toISOString(),\n\t\tcustom: {\n\t\t\t...secrets.custom,\n\t\t\t[key]: value,\n\t\t},\n\t};\n\n\tawait writeStageSecrets(updated, cwd);\n\treturn updated;\n}\n\n/**\n * Mask a password for display (show first 4 and last 2 chars).\n */\nexport function maskPassword(password: string): string {\n\tif (password.length <= 8) {\n\t\treturn '********';\n\t}\n\treturn `${password.slice(0, 4)}${'*'.repeat(password.length - 6)}${password.slice(-2)}`;\n}\n\n/**\n * Result of environment variable validation.\n */\nexport interface EnvValidationResult {\n\t/** Whether all required environment variables are present */\n\tvalid: boolean;\n\t/** List of missing environment variable names */\n\tmissing: string[];\n\t/** List of environment variables that are provided */\n\tprovided: string[];\n\t/** List of environment variables that were required */\n\trequired: string[];\n}\n\n/**\n * Validate that all required environment variables are present in secrets.\n *\n * @param requiredVars - Array of environment variable names required by the application\n * @param secrets - Stage secrets to validate against\n * @returns Validation result with missing and provided variables\n *\n * @example\n * ```typescript\n * const required = ['DATABASE_URL', 'API_KEY', 'JWT_SECRET'];\n * const secrets = await readStageSecrets('production');\n * const result = validateEnvironmentVariables(required, secrets);\n *\n * if (!result.valid) {\n *   console.error(`Missing environment variables: ${result.missing.join(', ')}`);\n * }\n * ```\n */\nexport function validateEnvironmentVariables(\n\trequiredVars: string[],\n\tsecrets: StageSecrets,\n): EnvValidationResult {\n\tconst embeddable = toEmbeddableSecrets(secrets);\n\tconst availableVars = new Set(Object.keys(embeddable));\n\n\tconst missing: string[] = [];\n\tconst provided: string[] = [];\n\n\tfor (const varName of requiredVars) {\n\t\tif (availableVars.has(varName)) {\n\t\t\tprovided.push(varName);\n\t\t} else {\n\t\t\tmissing.push(varName);\n\t\t}\n\t}\n\n\treturn {\n\t\tvalid: missing.length === 0,\n\t\tmissing: missing.sort(),\n\t\tprovided: provided.sort(),\n\t\trequired: [...requiredVars].sort(),\n\t};\n}\n"],"mappings":";;;;;;;AAMA,MAAM,cAAc;;;;AAKpB,SAAgB,cAAc,MAAM,QAAQ,KAAK,EAAU;AAC1D,QAAO,oBAAK,KAAK,YAAY;AAC7B;;;;AAKD,SAAgB,eAAeA,OAAe,MAAM,QAAQ,KAAK,EAAU;AAC1E,QAAO,oBAAK,cAAc,IAAI,GAAG,EAAE,MAAM,OAAO;AAChD;;;;AAKD,SAAgB,aAAaA,OAAe,MAAM,QAAQ,KAAK,EAAW;AACzE,QAAO,wBAAW,eAAe,OAAO,IAAI,CAAC;AAC7C;;;;;AAMD,eAAsB,iBACrBA,OACA,MAAM,QAAQ,KAAK,EACY;CAC/B,MAAM,OAAO,eAAe,OAAO,IAAI;AAEvC,MAAK,wBAAW,KAAK,CACpB,QAAO;CAGR,MAAM,UAAU,MAAM,+BAAS,MAAM,QAAQ;AAC7C,QAAO,KAAK,MAAM,QAAQ;AAC1B;;;;AAKD,eAAsB,kBACrBC,SACA,MAAM,QAAQ,KAAK,EACH;CAChB,MAAM,MAAM,cAAc,IAAI;CAC9B,MAAM,OAAO,eAAe,QAAQ,OAAO,IAAI;AAG/C,OAAM,4BAAM,KAAK,EAAE,WAAW,KAAM,EAAC;AAGrC,OAAM,gCAAU,MAAM,KAAK,UAAU,SAAS,MAAM,EAAE,EAAE,QAAQ;AAChE;;;;;AAMD,SAAgB,oBAAoBA,SAA0C;AAC7E,QAAO;EACN,GAAG,QAAQ;EACX,GAAG,QAAQ;EAEX,GAAI,QAAQ,SAAS,YAAY;GAChC,eAAe,QAAQ,SAAS,SAAS;GACzC,mBAAmB,QAAQ,SAAS,SAAS;GAC7C,aAAa,QAAQ,SAAS,SAAS,YAAY;GACnD,eAAe,QAAQ,SAAS,SAAS;GACzC,eAAe,OAAO,QAAQ,SAAS,SAAS,KAAK;EACrD;EACD,GAAI,QAAQ,SAAS,SAAS;GAC7B,gBAAgB,QAAQ,SAAS,MAAM;GACvC,YAAY,QAAQ,SAAS,MAAM;GACnC,YAAY,OAAO,QAAQ,SAAS,MAAM,KAAK;EAC/C;EACD,GAAI,QAAQ,SAAS,YAAY;GAChC,eAAe,QAAQ,SAAS,SAAS;GACzC,mBAAmB,QAAQ,SAAS,SAAS;GAC7C,eAAe,QAAQ,SAAS,SAAS;GACzC,eAAe,OAAO,QAAQ,SAAS,SAAS,KAAK;GACrD,gBAAgB,QAAQ,SAAS,SAAS,SAAS;EACnD;CACD;AACD;;;;AAKD,eAAsB,gBACrBD,OACAE,KACAC,OACA,MAAM,QAAQ,KAAK,EACK;CACxB,MAAM,UAAU,MAAM,iBAAiB,OAAO,IAAI;AAElD,MAAK,QACJ,OAAM,IAAI,OACR,+BAA+B,MAAM,mCAAmC,MAAM;CAIjF,MAAMC,UAAwB;EAC7B,GAAG;EACH,WAAW,qBAAI,QAAO,aAAa;EACnC,QAAQ;GACP,GAAG,QAAQ;IACV,MAAM;EACP;CACD;AAED,OAAM,kBAAkB,SAAS,IAAI;AACrC,QAAO;AACP;;;;AAKD,SAAgB,aAAaC,UAA0B;AACtD,KAAI,SAAS,UAAU,EACtB,QAAO;AAER,SAAQ,EAAE,SAAS,MAAM,GAAG,EAAE,CAAC,EAAE,IAAI,OAAO,SAAS,SAAS,EAAE,CAAC,EAAE,SAAS,MAAM,GAAG,CAAC;AACtF;;;;;;;;;;;;;;;;;;;AAkCD,SAAgB,6BACfC,cACAL,SACsB;CACtB,MAAM,aAAa,oBAAoB,QAAQ;CAC/C,MAAM,gBAAgB,IAAI,IAAI,OAAO,KAAK,WAAW;CAErD,MAAMM,UAAoB,CAAE;CAC5B,MAAMC,WAAqB,CAAE;AAE7B,MAAK,MAAM,WAAW,aACrB,KAAI,cAAc,IAAI,QAAQ,CAC7B,UAAS,KAAK,QAAQ;KAEtB,SAAQ,KAAK,QAAQ;AAIvB,QAAO;EACN,OAAO,QAAQ,WAAW;EAC1B,SAAS,QAAQ,MAAM;EACvB,UAAU,SAAS,MAAM;EACzB,UAAU,CAAC,GAAG,YAAa,EAAC,MAAM;CAClC;AACD"}

package/dist/{storage-C9PU_30f.mjs → storage-kSxTjkNb.mjs}

@@ -95,7 +95,39 @@ function maskPassword(password) {
 	if (password.length <= 8) return "********";
 	return `${password.slice(0, 4)}${"*".repeat(password.length - 6)}${password.slice(-2)}`;
 }
+/**
+* Validate that all required environment variables are present in secrets.
+*
+* @param requiredVars - Array of environment variable names required by the application
+* @param secrets - Stage secrets to validate against
+* @returns Validation result with missing and provided variables
+*
+* @example
+* ```typescript
+* const required = ['DATABASE_URL', 'API_KEY', 'JWT_SECRET'];
+* const secrets = await readStageSecrets('production');
+* const result = validateEnvironmentVariables(required, secrets);
+*
+* if (!result.valid) {
+*   console.error(`Missing environment variables: ${result.missing.join(', ')}`);
+* }
+* ```
+*/
+function validateEnvironmentVariables(requiredVars, secrets) {
+	const embeddable = toEmbeddableSecrets(secrets);
+	const availableVars = new Set(Object.keys(embeddable));
+	const missing = [];
+	const provided = [];
+	for (const varName of requiredVars) if (availableVars.has(varName)) provided.push(varName);
+	else missing.push(varName);
+	return {
+		valid: missing.length === 0,
+		missing: missing.sort(),
+		provided: provided.sort(),
+		required: [...requiredVars].sort()
+	};
+}
 
 //#endregion
-export { getSecretsDir, getSecretsPath, maskPassword, readStageSecrets, secretsExist, setCustomSecret, toEmbeddableSecrets, writeStageSecrets };
-//# sourceMappingURL=storage-C9PU_30f.mjs.map
+export { getSecretsDir, getSecretsPath, maskPassword, readStageSecrets, secretsExist, setCustomSecret, toEmbeddableSecrets, validateEnvironmentVariables, writeStageSecrets };
+//# sourceMappingURL=storage-kSxTjkNb.mjs.map

package/dist/storage-kSxTjkNb.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage-kSxTjkNb.mjs","names":["stage: string","secrets: StageSecrets","key: string","value: string","updated: StageSecrets","password: string","requiredVars: string[]","missing: string[]","provided: string[]"],"sources":["../src/secrets/storage.ts"],"sourcesContent":["import { existsSync } from 'node:fs';\nimport { mkdir, readFile, writeFile } from 'node:fs/promises';\nimport { join } from 'node:path';\nimport type { EmbeddableSecrets, StageSecrets } from './types';\n\n/** Default secrets directory relative to project root */\nconst SECRETS_DIR = '.gkm/secrets';\n\n/**\n * Get the secrets directory path.\n */\nexport function getSecretsDir(cwd = process.cwd()): string {\n\treturn join(cwd, SECRETS_DIR);\n}\n\n/**\n * Get the secrets file path for a stage.\n */\nexport function getSecretsPath(stage: string, cwd = process.cwd()): string {\n\treturn join(getSecretsDir(cwd), `${stage}.json`);\n}\n\n/**\n * Check if secrets exist for a stage.\n */\nexport function secretsExist(stage: string, cwd = process.cwd()): boolean {\n\treturn existsSync(getSecretsPath(stage, cwd));\n}\n\n/**\n * Read secrets for a stage.\n * @returns StageSecrets or null if not found\n */\nexport async function readStageSecrets(\n\tstage: string,\n\tcwd = process.cwd(),\n): Promise<StageSecrets | null> {\n\tconst path = getSecretsPath(stage, cwd);\n\n\tif (!existsSync(path)) {\n\t\treturn null;\n\t}\n\n\tconst content = await readFile(path, 'utf-8');\n\treturn JSON.parse(content) as StageSecrets;\n}\n\n/**\n * Write secrets for a stage.\n */\nexport async function writeStageSecrets(\n\tsecrets: StageSecrets,\n\tcwd = process.cwd(),\n): Promise<void> {\n\tconst dir = getSecretsDir(cwd);\n\tconst path = getSecretsPath(secrets.stage, cwd);\n\n\t// Ensure directory exists\n\tawait mkdir(dir, { recursive: true });\n\n\t// Write with pretty formatting\n\tawait writeFile(path, JSON.stringify(secrets, null, 2), 'utf-8');\n}\n\n/**\n * Convert StageSecrets to embeddable format (flat key-value pairs).\n * This is what gets encrypted and embedded in the bundle.\n */\nexport function toEmbeddableSecrets(secrets: StageSecrets): EmbeddableSecrets {\n\treturn {\n\t\t...secrets.urls,\n\t\t...secrets.custom,\n\t\t// Also include individual service credentials if needed\n\t\t...(secrets.services.postgres && {\n\t\t\tPOSTGRES_USER: secrets.services.postgres.username,\n\t\t\tPOSTGRES_PASSWORD: secrets.services.postgres.password,\n\t\t\tPOSTGRES_DB: secrets.services.postgres.database ?? 'app',\n\t\t\tPOSTGRES_HOST: secrets.services.postgres.host,\n\t\t\tPOSTGRES_PORT: String(secrets.services.postgres.port),\n\t\t}),\n\t\t...(secrets.services.redis && {\n\t\t\tREDIS_PASSWORD: secrets.services.redis.password,\n\t\t\tREDIS_HOST: secrets.services.redis.host,\n\t\t\tREDIS_PORT: String(secrets.services.redis.port),\n\t\t}),\n\t\t...(secrets.services.rabbitmq && {\n\t\t\tRABBITMQ_USER: secrets.services.rabbitmq.username,\n\t\t\tRABBITMQ_PASSWORD: secrets.services.rabbitmq.password,\n\t\t\tRABBITMQ_HOST: secrets.services.rabbitmq.host,\n\t\t\tRABBITMQ_PORT: String(secrets.services.rabbitmq.port),\n\t\t\tRABBITMQ_VHOST: secrets.services.rabbitmq.vhost ?? '/',\n\t\t}),\n\t};\n}\n\n/**\n * Update a custom secret in the secrets file.\n */\nexport async function setCustomSecret(\n\tstage: string,\n\tkey: string,\n\tvalue: string,\n\tcwd = process.cwd(),\n): Promise<StageSecrets> {\n\tconst secrets = await readStageSecrets(stage, cwd);\n\n\tif (!secrets) {\n\t\tthrow new Error(\n\t\t\t`Secrets not found for stage \"${stage}\". Run \"gkm secrets:init --stage ${stage}\" first.`,\n\t\t);\n\t}\n\n\tconst updated: StageSecrets = {\n\t\t...secrets,\n\t\tupdatedAt: new Date().toISOString(),\n\t\tcustom: {\n\t\t\t...secrets.custom,\n\t\t\t[key]: value,\n\t\t},\n\t};\n\n\tawait writeStageSecrets(updated, cwd);\n\treturn updated;\n}\n\n/**\n * Mask a password for display (show first 4 and last 2 chars).\n */\nexport function maskPassword(password: string): string {\n\tif (password.length <= 8) {\n\t\treturn '********';\n\t}\n\treturn `${password.slice(0, 4)}${'*'.repeat(password.length - 6)}${password.slice(-2)}`;\n}\n\n/**\n * Result of environment variable validation.\n */\nexport interface EnvValidationResult {\n\t/** Whether all required environment variables are present */\n\tvalid: boolean;\n\t/** List of missing environment variable names */\n\tmissing: string[];\n\t/** List of environment variables that are provided */\n\tprovided: string[];\n\t/** List of environment variables that were required */\n\trequired: string[];\n}\n\n/**\n * Validate that all required environment variables are present in secrets.\n *\n * @param requiredVars - Array of environment variable names required by the application\n * @param secrets - Stage secrets to validate against\n * @returns Validation result with missing and provided variables\n *\n * @example\n * ```typescript\n * const required = ['DATABASE_URL', 'API_KEY', 'JWT_SECRET'];\n * const secrets = await readStageSecrets('production');\n * const result = validateEnvironmentVariables(required, secrets);\n *\n * if (!result.valid) {\n *   console.error(`Missing environment variables: ${result.missing.join(', ')}`);\n * }\n * ```\n */\nexport function validateEnvironmentVariables(\n\trequiredVars: string[],\n\tsecrets: StageSecrets,\n): EnvValidationResult {\n\tconst embeddable = toEmbeddableSecrets(secrets);\n\tconst availableVars = new Set(Object.keys(embeddable));\n\n\tconst missing: string[] = [];\n\tconst provided: string[] = [];\n\n\tfor (const varName of requiredVars) {\n\t\tif (availableVars.has(varName)) {\n\t\t\tprovided.push(varName);\n\t\t} else {\n\t\t\tmissing.push(varName);\n\t\t}\n\t}\n\n\treturn {\n\t\tvalid: missing.length === 0,\n\t\tmissing: missing.sort(),\n\t\tprovided: provided.sort(),\n\t\trequired: [...requiredVars].sort(),\n\t};\n}\n"],"mappings":";;;;;;AAMA,MAAM,cAAc;;;;AAKpB,SAAgB,cAAc,MAAM,QAAQ,KAAK,EAAU;AAC1D,QAAO,KAAK,KAAK,YAAY;AAC7B;;;;AAKD,SAAgB,eAAeA,OAAe,MAAM,QAAQ,KAAK,EAAU;AAC1E,QAAO,KAAK,cAAc,IAAI,GAAG,EAAE,MAAM,OAAO;AAChD;;;;AAKD,SAAgB,aAAaA,OAAe,MAAM,QAAQ,KAAK,EAAW;AACzE,QAAO,WAAW,eAAe,OAAO,IAAI,CAAC;AAC7C;;;;;AAMD,eAAsB,iBACrBA,OACA,MAAM,QAAQ,KAAK,EACY;CAC/B,MAAM,OAAO,eAAe,OAAO,IAAI;AAEvC,MAAK,WAAW,KAAK,CACpB,QAAO;CAGR,MAAM,UAAU,MAAM,SAAS,MAAM,QAAQ;AAC7C,QAAO,KAAK,MAAM,QAAQ;AAC1B;;;;AAKD,eAAsB,kBACrBC,SACA,MAAM,QAAQ,KAAK,EACH;CAChB,MAAM,MAAM,cAAc,IAAI;CAC9B,MAAM,OAAO,eAAe,QAAQ,OAAO,IAAI;AAG/C,OAAM,MAAM,KAAK,EAAE,WAAW,KAAM,EAAC;AAGrC,OAAM,UAAU,MAAM,KAAK,UAAU,SAAS,MAAM,EAAE,EAAE,QAAQ;AAChE;;;;;AAMD,SAAgB,oBAAoBA,SAA0C;AAC7E,QAAO;EACN,GAAG,QAAQ;EACX,GAAG,QAAQ;EAEX,GAAI,QAAQ,SAAS,YAAY;GAChC,eAAe,QAAQ,SAAS,SAAS;GACzC,mBAAmB,QAAQ,SAAS,SAAS;GAC7C,aAAa,QAAQ,SAAS,SAAS,YAAY;GACnD,eAAe,QAAQ,SAAS,SAAS;GACzC,eAAe,OAAO,QAAQ,SAAS,SAAS,KAAK;EACrD;EACD,GAAI,QAAQ,SAAS,SAAS;GAC7B,gBAAgB,QAAQ,SAAS,MAAM;GACvC,YAAY,QAAQ,SAAS,MAAM;GACnC,YAAY,OAAO,QAAQ,SAAS,MAAM,KAAK;EAC/C;EACD,GAAI,QAAQ,SAAS,YAAY;GAChC,eAAe,QAAQ,SAAS,SAAS;GACzC,mBAAmB,QAAQ,SAAS,SAAS;GAC7C,eAAe,QAAQ,SAAS,SAAS;GACzC,eAAe,OAAO,QAAQ,SAAS,SAAS,KAAK;GACrD,gBAAgB,QAAQ,SAAS,SAAS,SAAS;EACnD;CACD;AACD;;;;AAKD,eAAsB,gBACrBD,OACAE,KACAC,OACA,MAAM,QAAQ,KAAK,EACK;CACxB,MAAM,UAAU,MAAM,iBAAiB,OAAO,IAAI;AAElD,MAAK,QACJ,OAAM,IAAI,OACR,+BAA+B,MAAM,mCAAmC,MAAM;CAIjF,MAAMC,UAAwB;EAC7B,GAAG;EACH,WAAW,qBAAI,QAAO,aAAa;EACnC,QAAQ;GACP,GAAG,QAAQ;IACV,MAAM;EACP;CACD;AAED,OAAM,kBAAkB,SAAS,IAAI;AACrC,QAAO;AACP;;;;AAKD,SAAgB,aAAaC,UAA0B;AACtD,KAAI,SAAS,UAAU,EACtB,QAAO;AAER,SAAQ,EAAE,SAAS,MAAM,GAAG,EAAE,CAAC,EAAE,IAAI,OAAO,SAAS,SAAS,EAAE,CAAC,EAAE,SAAS,MAAM,GAAG,CAAC;AACtF;;;;;;;;;;;;;;;;;;;AAkCD,SAAgB,6BACfC,cACAL,SACsB;CACtB,MAAM,aAAa,oBAAoB,QAAQ;CAC/C,MAAM,gBAAgB,IAAI,IAAI,OAAO,KAAK,WAAW;CAErD,MAAMM,UAAoB,CAAE;CAC5B,MAAMC,WAAqB,CAAE;AAE7B,MAAK,MAAM,WAAW,aACrB,KAAI,cAAc,IAAI,QAAQ,CAC7B,UAAS,KAAK,QAAQ;KAEtB,SAAQ,KAAK,QAAQ;AAIvB,QAAO;EACN,OAAO,QAAQ,WAAW;EAC1B,SAAS,QAAQ,MAAM;EACvB,UAAU,SAAS,MAAM;EACzB,UAAU,CAAC,GAAG,YAAa,EAAC,MAAM;CAClC;AACD"}

package/dist/storage-tgZSUnKl.mjs

@@ -0,0 +1,3 @@
+import { getSecretsDir, getSecretsPath, maskPassword, readStageSecrets, secretsExist, setCustomSecret, toEmbeddableSecrets, validateEnvironmentVariables, writeStageSecrets } from "./storage-kSxTjkNb.mjs";
+
+export { readStageSecrets, toEmbeddableSecrets, validateEnvironmentVariables };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekmidas/cli",
-  "version": "0.12.0",
+  "version": "0.13.0",
   "description": "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs",
   "private": false,
   "type": "module",
@@ -54,9 +54,9 @@
   },
   "peerDependencies": {
     "@geekmidas/constructs": "~0.5.0",
+    "@geekmidas/envkit": "~0.3.0",
     "@geekmidas/logger": "~0.4.0",
     "@geekmidas/schema": "~0.1.0",
-    "@geekmidas/envkit": "~0.3.0",
     "@geekmidas/telescope": "~0.4.0"
   },
   "peerDependenciesMeta": {

package/src/build/__tests__/bundler.spec.ts

@@ -0,0 +1,444 @@
+import { mkdir, writeFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import type { Construct } from '@geekmidas/constructs';
+import { itWithDir } from '@geekmidas/testkit/os';
+import { beforeEach, describe, expect, vi } from 'vitest';
+import type { StageSecrets } from '../../secrets/types';
+import { bundleServer } from '../bundler';
+
+// Mock child_process to avoid actually running tsdown
+vi.mock('node:child_process', () => ({
+	execSync: vi.fn(),
+}));
+
+// Mock construct that returns specific environment variables
+function createMockConstruct(envVars: string[]): Construct {
+	return {
+		getEnvironment: vi.fn().mockResolvedValue(envVars),
+	} as unknown as Construct;
+}
+
+// Helper to create a minimal secrets file
+async function createSecretsFile(
+	dir: string,
+	stage: string,
+	secrets: Partial<StageSecrets>,
+): Promise<void> {
+	const secretsDir = join(dir, '.gkm', 'secrets');
+	await mkdir(secretsDir, { recursive: true });
+
+	const fullSecrets: StageSecrets = {
+		stage,
+		createdAt: new Date().toISOString(),
+		updatedAt: new Date().toISOString(),
+		services: {},
+		urls: {},
+		custom: {},
+		...secrets,
+	};
+
+	await writeFile(
+		join(secretsDir, `${stage}.json`),
+		JSON.stringify(fullSecrets, null, 2),
+	);
+}
+
+// Helper to create a minimal entry point file and mock the bundle output
+async function createEntryPoint(dir: string): Promise<string> {
+	const outputDir = join(dir, '.gkm', 'server');
+	const distDir = join(outputDir, 'dist');
+	await mkdir(outputDir, { recursive: true });
+	await mkdir(distDir, { recursive: true });
+
+	const entryPoint = join(outputDir, 'server.ts');
+	await writeFile(entryPoint, 'console.log("hello");');
+
+	// Create the output file that tsdown would normally create
+	// (since we're mocking execSync, the file won't be created automatically)
+	await writeFile(join(distDir, 'server.js'), 'console.log("bundled");');
+
+	return entryPoint;
+}
+
+describe('bundleServer environment validation', () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+	});
+
+	itWithDir(
+		'should pass validation when all required env vars are present',
+		async ({ dir }) => {
+			const entryPoint = await createEntryPoint(dir);
+			await createSecretsFile(dir, 'production', {
+				urls: { DATABASE_URL: 'postgresql://localhost/db' },
+				custom: { API_KEY: 'sk_test_123' },
+			});
+
+			const constructs = [
+				createMockConstruct(['DATABASE_URL']),
+				createMockConstruct(['API_KEY']),
+			];
+
+			const originalCwd = process.cwd();
+			process.chdir(dir);
+
+			try {
+				// Should not throw
+				const result = await bundleServer({
+					entryPoint,
+					outputDir: join(dir, '.gkm', 'server', 'dist'),
+					minify: false,
+					sourcemap: false,
+					external: [],
+					stage: 'production',
+					constructs,
+				});
+
+				expect(result.masterKey).toBeDefined();
+				expect(constructs[0].getEnvironment).toHaveBeenCalled();
+				expect(constructs[1].getEnvironment).toHaveBeenCalled();
+			} finally {
+				process.chdir(originalCwd);
+			}
+		},
+	);
+
+	itWithDir(
+		'should throw error when required env vars are missing',
+		async ({ dir }) => {
+			const entryPoint = await createEntryPoint(dir);
+			await createSecretsFile(dir, 'production', {
+				urls: { DATABASE_URL: 'postgresql://localhost/db' },
+				custom: {},
+			});
+
+			const constructs = [
+				createMockConstruct(['DATABASE_URL', 'API_KEY', 'JWT_SECRET']),
+			];
+
+			const originalCwd = process.cwd();
+			process.chdir(dir);
+
+			try {
+				await expect(
+					bundleServer({
+						entryPoint,
+						outputDir: join(dir, '.gkm', 'server', 'dist'),
+						minify: false,
+						sourcemap: false,
+						external: [],
+						stage: 'production',
+						constructs,
+					}),
+				).rejects.toThrow('Missing environment variables');
+			} finally {
+				process.chdir(originalCwd);
+			}
+		},
+	);
+
+	itWithDir(
+		'should include missing variables in error message',
+		async ({ dir }) => {
+			const entryPoint = await createEntryPoint(dir);
+			await createSecretsFile(dir, 'staging', {
+				custom: { EXISTING_VAR: 'value' },
+			});
+
+			const constructs = [
+				createMockConstruct(['EXISTING_VAR', 'MISSING_VAR_1', 'MISSING_VAR_2']),
+			];
+
+			const originalCwd = process.cwd();
+			process.chdir(dir);
+
+			try {
+				await expect(
+					bundleServer({
+						entryPoint,
+						outputDir: join(dir, '.gkm', 'server', 'dist'),
+						minify: false,
+						sourcemap: false,
+						external: [],
+						stage: 'staging',
+						constructs,
+					}),
+				).rejects.toThrow(/MISSING_VAR_1/);
+
+				await expect(
+					bundleServer({
+						entryPoint,
+						outputDir: join(dir, '.gkm', 'server', 'dist'),
+						minify: false,
+						sourcemap: false,
+						external: [],
+						stage: 'staging',
+						constructs,
+					}),
+				).rejects.toThrow(/MISSING_VAR_2/);
+			} finally {
+				process.chdir(originalCwd);
+			}
+		},
+	);
+
+	itWithDir(
+		'should collect env vars from multiple constructs',
+		async ({ dir }) => {
+			const entryPoint = await createEntryPoint(dir);
+			await createSecretsFile(dir, 'production', {
+				urls: { DATABASE_URL: 'postgresql://localhost/db' },
+				custom: {
+					API_KEY: 'key',
+					REDIS_URL: 'redis://localhost',
+					JWT_SECRET: 'secret',
+				},
+			});
+
+			const constructs = [
+				createMockConstruct(['DATABASE_URL']),
+				createMockConstruct(['API_KEY', 'REDIS_URL']),
+				createMockConstruct(['JWT_SECRET']),
+			];
+
+			const originalCwd = process.cwd();
+			process.chdir(dir);
+
+			try {
+				const result = await bundleServer({
+					entryPoint,
+					outputDir: join(dir, '.gkm', 'server', 'dist'),
+					minify: false,
+					sourcemap: false,
+					external: [],
+					stage: 'production',
+					constructs,
+				});
+
+				expect(result.masterKey).toBeDefined();
+
+				// All constructs should have been checked
+				for (const construct of constructs) {
+					expect(construct.getEnvironment).toHaveBeenCalled();
+				}
+			} finally {
+				process.chdir(originalCwd);
+			}
+		},
+	);
+
+	itWithDir(
+		'should deduplicate env vars from multiple constructs',
+		async ({ dir }) => {
+			const entryPoint = await createEntryPoint(dir);
+			await createSecretsFile(dir, 'production', {
+				custom: { SHARED_VAR: 'value' },
+			});
+
+			// Multiple constructs requiring the same variable
+			const constructs = [
+				createMockConstruct(['SHARED_VAR']),
+				createMockConstruct(['SHARED_VAR']),
+				createMockConstruct(['SHARED_VAR']),
+			];
+
+			const originalCwd = process.cwd();
+			process.chdir(dir);
+
+			try {
+				// Should pass since SHARED_VAR is provided once
+				const result = await bundleServer({
+					entryPoint,
+					outputDir: join(dir, '.gkm', 'server', 'dist'),
+					minify: false,
+					sourcemap: false,
+					external: [],
+					stage: 'production',
+					constructs,
+				});
+
+				expect(result.masterKey).toBeDefined();
+			} finally {
+				process.chdir(originalCwd);
+			}
+		},
+	);
+
+	itWithDir(
+		'should skip validation when no constructs provided',
+		async ({ dir }) => {
+			const entryPoint = await createEntryPoint(dir);
+			await createSecretsFile(dir, 'production', {
+				custom: {},
+			});
+
+			const originalCwd = process.cwd();
+			process.chdir(dir);
+
+			try {
+				// Should not throw even with empty secrets
+				const result = await bundleServer({
+					entryPoint,
+					outputDir: join(dir, '.gkm', 'server', 'dist'),
+					minify: false,
+					sourcemap: false,
+					external: [],
+					stage: 'production',
+					constructs: [],
+				});
+
+				expect(result.masterKey).toBeDefined();
+			} finally {
+				process.chdir(originalCwd);
+			}
+		},
+	);
+
+	itWithDir(
+		'should skip validation when constructs is undefined',
+		async ({ dir }) => {
+			const entryPoint = await createEntryPoint(dir);
+			await createSecretsFile(dir, 'production', {
+				custom: {},
+			});
+
+			const originalCwd = process.cwd();
+			process.chdir(dir);
+
+			try {
+				const result = await bundleServer({
+					entryPoint,
+					outputDir: join(dir, '.gkm', 'server', 'dist'),
+					minify: false,
+					sourcemap: false,
+					external: [],
+					stage: 'production',
+					// No constructs provided
+				});
+
+				expect(result.masterKey).toBeDefined();
+			} finally {
+				process.chdir(originalCwd);
+			}
+		},
+	);
+
+	itWithDir(
+		'should recognize service credentials as provided',
+		async ({ dir }) => {
+			const entryPoint = await createEntryPoint(dir);
+			await createSecretsFile(dir, 'production', {
+				services: {
+					postgres: {
+						host: 'localhost',
+						port: 5432,
+						username: 'app',
+						password: 'secret',
+						database: 'mydb',
+					},
+				},
+			});
+
+			const constructs = [
+				createMockConstruct([
+					'POSTGRES_HOST',
+					'POSTGRES_PORT',
+					'POSTGRES_USER',
+					'POSTGRES_PASSWORD',
+					'POSTGRES_DB',
+				]),
+			];
+
+			const originalCwd = process.cwd();
+			process.chdir(dir);
+
+			try {
+				const result = await bundleServer({
+					entryPoint,
+					outputDir: join(dir, '.gkm', 'server', 'dist'),
+					minify: false,
+					sourcemap: false,
+					external: [],
+					stage: 'production',
+					constructs,
+				});
+
+				expect(result.masterKey).toBeDefined();
+			} finally {
+				process.chdir(originalCwd);
+			}
+		},
+	);
+
+	itWithDir(
+		'should throw when secrets file does not exist',
+		async ({ dir }) => {
+			const entryPoint = await createEntryPoint(dir);
+			// Don't create secrets file
+
+			const constructs = [createMockConstruct(['DATABASE_URL'])];
+
+			const originalCwd = process.cwd();
+			process.chdir(dir);
+
+			try {
+				await expect(
+					bundleServer({
+						entryPoint,
+						outputDir: join(dir, '.gkm', 'server', 'dist'),
+						minify: false,
+						sourcemap: false,
+						external: [],
+						stage: 'production',
+						constructs,
+					}),
+				).rejects.toThrow('No secrets found for stage "production"');
+			} finally {
+				process.chdir(originalCwd);
+			}
+		},
+	);
+
+	itWithDir(
+		'should include helpful instructions in error message',
+		async ({ dir }) => {
+			const entryPoint = await createEntryPoint(dir);
+			await createSecretsFile(dir, 'myapp', {
+				custom: {},
+			});
+
+			const constructs = [createMockConstruct(['MISSING_VAR'])];
+
+			const originalCwd = process.cwd();
+			process.chdir(dir);
+
+			try {
+				await expect(
+					bundleServer({
+						entryPoint,
+						outputDir: join(dir, '.gkm', 'server', 'dist'),
+						minify: false,
+						sourcemap: false,
+						external: [],
+						stage: 'myapp',
+						constructs,
+					}),
+				).rejects.toThrow(/gkm secrets:set/);
+
+				await expect(
+					bundleServer({
+						entryPoint,
+						outputDir: join(dir, '.gkm', 'server', 'dist'),
+						minify: false,
+						sourcemap: false,
+						external: [],
+						stage: 'myapp',
+						constructs,
+					}),
+				).rejects.toThrow(/gkm secrets:import/);
+			} finally {
+				process.chdir(originalCwd);
+			}
+		},
+	);
+});