@geekmidas/cli 0.17.0 → 0.19.0

package/dist/index.mjs

@@ -1,9 +1,10 @@
 #!/usr/bin/env -S npx tsx
-import { loadConfig, parseModuleConfig } from "./config-DYULeEv8.mjs";
-import { ConstructGenerator, EndpointGenerator, OPENAPI_OUTPUT_PATH, generateOpenApi, openapiCommand, resolveOpenApiConfig } from "./openapi-CZVcfxk-.mjs";
-import { DokployApi } from "./dokploy-api-CaETb2L6.mjs";
-import { generateReactQueryCommand } from "./openapi-react-query-CM2_qlW9.mjs";
-import { maskPassword, readStageSecrets, secretsExist, setCustomSecret, writeStageSecrets } from "./storage-BaOP55oq.mjs";
+import { __require, getAppBuildOrder, getDependencyEnvVars, getDeployTargetError, isDeployTargetSupported } from "./workspace-CPLEZDZf.mjs";
+import { loadConfig, loadWorkspaceConfig, parseModuleConfig } from "./config-BaYqrF3n.mjs";
+import { ConstructGenerator, EndpointGenerator, OPENAPI_OUTPUT_PATH, OpenApiTsGenerator, generateOpenApi, openapiCommand, resolveOpenApiConfig } from "./openapi-CgqR6Jkw.mjs";
+import { getKeyPath, maskPassword, readStageSecrets, secretsExist, setCustomSecret, toEmbeddableSecrets, writeStageSecrets } from "./storage-Dhst7BhI.mjs";
+import { DokployApi } from "./dokploy-api-B9qR2Yn1.mjs";
+import { generateReactQueryCommand } from "./openapi-react-query-5rSortLH.mjs";
 import { createRequire } from "node:module";
 import { copyFileSync, existsSync, mkdirSync, readFileSync, unlinkSync } from "node:fs";
 import { basename, dirname, join, parse, relative, resolve } from "node:path";
@@ -20,16 +21,12 @@ import fg from "fast-glob";
 import { Cron } from "@geekmidas/constructs/crons";
 import { Function } from "@geekmidas/constructs/functions";
 import { Subscriber } from "@geekmidas/constructs/subscribers";
+import { createHash, randomBytes } from "node:crypto";
 import prompts from "prompts";
-import { randomBytes } from "node:crypto";
 
-//#region rolldown:runtime
-var __require = /* @__PURE__ */ createRequire(import.meta.url);
-
-//#endregion
 //#region package.json
 var name = "@geekmidas/cli";
-var version = "0.17.0";
+var version = "0.18.0";
 var description = "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs";
 var private$1 = false;
 var type = "module";
@@ -44,6 +41,11 @@ var exports = {
 		"import": "./dist/config.mjs",
 		"require": "./dist/config.cjs"
 	},
+	"./workspace": {
+		"types": "./dist/workspace/index.d.ts",
+		"import": "./dist/workspace/index.mjs",
+		"require": "./dist/workspace/index.cjs"
+	},
 	"./openapi": {
 		"types": "./dist/openapi.d.ts",
 		"import": "./dist/openapi.mjs",
@@ -218,12 +220,12 @@ async function getDokployRegistryId(options) {
 
 //#endregion
 //#region src/auth/index.ts
-const logger$9 = console;
+const logger$10 = console;
 /**
 * Validate Dokploy token by making a test API call
 */
 async function validateDokployToken(endpoint, token) {
-	const { DokployApi: DokployApi$1 } = await import("./dokploy-api-DHvfmWbi.mjs");
+	const { DokployApi: DokployApi$1 } = await import("./dokploy-api-B0w17y4_.mjs");
 	const api = new DokployApi$1({
 		baseUrl: endpoint,
 		token
@@ -286,36 +288,36 @@ async function prompt$1(message, hidden = false) {
 async function loginCommand(options) {
 	const { service, token: providedToken, endpoint: providedEndpoint } = options;
 	if (service === "dokploy") {
-		logger$9.log("\n🔐 Logging in to Dokploy...\n");
+		logger$10.log("\n🔐 Logging in to Dokploy...\n");
 		let endpoint = providedEndpoint;
 		if (!endpoint) endpoint = await prompt$1("Dokploy URL (e.g., https://dokploy.example.com): ");
 		endpoint = endpoint.replace(/\/$/, "");
 		try {
 			new URL(endpoint);
 		} catch {
-			logger$9.error("Invalid URL format");
+			logger$10.error("Invalid URL format");
 			process.exit(1);
 		}
 		let token = providedToken;
 		if (!token) {
-			logger$9.log(`\nGenerate a token at: ${endpoint}/settings/profile\n`);
+			logger$10.log(`\nGenerate a token at: ${endpoint}/settings/profile\n`);
 			token = await prompt$1("API Token: ", true);
 		}
 		if (!token) {
-			logger$9.error("Token is required");
+			logger$10.error("Token is required");
 			process.exit(1);
 		}
-		logger$9.log("\nValidating credentials...");
+		logger$10.log("\nValidating credentials...");
 		const isValid = await validateDokployToken(endpoint, token);
 		if (!isValid) {
-			logger$9.error("\n✗ Invalid credentials. Please check your token and try again.");
+			logger$10.error("\n✗ Invalid credentials. Please check your token and try again.");
 			process.exit(1);
 		}
 		await storeDokployCredentials(token, endpoint);
-		logger$9.log("\n✓ Successfully logged in to Dokploy!");
-		logger$9.log(`  Endpoint: ${endpoint}`);
-		logger$9.log(`  Credentials stored in: ${getCredentialsPath()}`);
-		logger$9.log("\nYou can now use deploy commands without setting DOKPLOY_API_TOKEN.");
+		logger$10.log("\n✓ Successfully logged in to Dokploy!");
+		logger$10.log(`  Endpoint: ${endpoint}`);
+		logger$10.log(`  Credentials stored in: ${getCredentialsPath()}`);
+		logger$10.log("\nYou can now use deploy commands without setting DOKPLOY_API_TOKEN.");
 	}
 }
 /**
@@ -325,28 +327,28 @@ async function logoutCommand(options) {
 	const { service = "dokploy" } = options;
 	if (service === "all") {
 		const dokployRemoved = await removeDokployCredentials();
-		if (dokployRemoved) logger$9.log("\n✓ Logged out from all services");
-		else logger$9.log("\nNo stored credentials found");
+		if (dokployRemoved) logger$10.log("\n✓ Logged out from all services");
+		else logger$10.log("\nNo stored credentials found");
 		return;
 	}
 	if (service === "dokploy") {
 		const removed = await removeDokployCredentials();
-		if (removed) logger$9.log("\n✓ Logged out from Dokploy");
-		else logger$9.log("\nNo Dokploy credentials found");
+		if (removed) logger$10.log("\n✓ Logged out from Dokploy");
+		else logger$10.log("\nNo Dokploy credentials found");
 	}
 }
 /**
 * Show current login status
 */
 async function whoamiCommand() {
-	logger$9.log("\n📋 Current credentials:\n");
+	logger$10.log("\n📋 Current credentials:\n");
 	const dokploy = await getDokployCredentials();
 	if (dokploy) {
-		logger$9.log("  Dokploy:");
-		logger$9.log(`    Endpoint: ${dokploy.endpoint}`);
-		logger$9.log(`    Token: ${maskToken(dokploy.token)}`);
-	} else logger$9.log("  Dokploy: Not logged in");
-	logger$9.log(`\n  Credentials file: ${getCredentialsPath()}`);
+		logger$10.log("  Dokploy:");
+		logger$10.log(`    Endpoint: ${dokploy.endpoint}`);
+		logger$10.log(`    Token: ${maskToken(dokploy.token)}`);
+	} else logger$10.log("  Dokploy: Not logged in");
+	logger$10.log(`\n  Credentials file: ${getCredentialsPath()}`);
 }
 /**
 * Mask a token for display
@@ -432,7 +434,7 @@ function isEnabled(config$1) {
 var CronGenerator = class extends ConstructGenerator {
 	async build(context, constructs, outputDir, options) {
 		const provider = options?.provider || "aws-lambda";
-		const logger$10 = console;
+		const logger$11 = console;
 		const cronInfos = [];
 		if (constructs.length === 0 || provider !== "aws-lambda") return cronInfos;
 		const cronsDir = join(outputDir, "crons");
@@ -447,7 +449,7 @@ var CronGenerator = class extends ConstructGenerator {
 				memorySize: construct.memorySize,
 				environment: await construct.getEnvironment()
 			});
-			logger$10.log(`Generated cron handler: ${key}`);
+			logger$11.log(`Generated cron handler: ${key}`);
 		}
 		return cronInfos;
 	}
@@ -483,7 +485,7 @@ var FunctionGenerator = class extends ConstructGenerator {
 	}
 	async build(context, constructs, outputDir, options) {
 		const provider = options?.provider || "aws-lambda";
-		const logger$10 = console;
+		const logger$11 = console;
 		const functionInfos = [];
 		if (constructs.length === 0 || provider !== "aws-lambda") return functionInfos;
 		const functionsDir = join(outputDir, "functions");
@@ -497,7 +499,7 @@ var FunctionGenerator = class extends ConstructGenerator {
 				memorySize: construct.memorySize,
 				environment: await construct.getEnvironment()
 			});
-			logger$10.log(`Generated function handler: ${key}`);
+			logger$11.log(`Generated function handler: ${key}`);
 		}
 		return functionInfos;
 	}
@@ -530,11 +532,11 @@ var SubscriberGenerator = class extends ConstructGenerator {
 	}
 	async build(context, constructs, outputDir, options) {
 		const provider = options?.provider || "aws-lambda";
-		const logger$10 = console;
+		const logger$11 = console;
 		const subscriberInfos = [];
 		if (provider === "server") {
 			await this.generateServerSubscribersFile(outputDir, constructs);
-			logger$10.log(`Generated server subscribers file with ${constructs.length} subscribers (polling mode)`);
+			logger$11.log(`Generated server subscribers file with ${constructs.length} subscribers (polling mode)`);
 			return subscriberInfos;
 		}
 		if (constructs.length === 0) return subscriberInfos;
@@ -551,7 +553,7 @@ var SubscriberGenerator = class extends ConstructGenerator {
 				memorySize: construct.memorySize,
 				environment: await construct.getEnvironment()
 			});
-			logger$10.log(`Generated subscriber handler: ${key}`);
+			logger$11.log(`Generated subscriber handler: ${key}`);
 		}
 		return subscriberInfos;
 	}
@@ -715,6 +717,148 @@ export async function setupSubscribers(
 	}
 };
 
+//#endregion
+//#region src/workspace/client-generator.ts
+const logger$9 = console;
+/**
+* Cache of OpenAPI spec hashes to detect changes.
+*/
+const specHashCache = /* @__PURE__ */ new Map();
+/**
+* Calculate hash of content for change detection.
+*/
+function hashContent(content) {
+	return createHash("sha256").update(content).digest("hex").slice(0, 16);
+}
+/**
+* Normalize routes to an array of patterns.
+* @internal Exported for use in dev command
+*/
+function normalizeRoutes(routes) {
+	if (!routes) return [];
+	return Array.isArray(routes) ? routes : [routes];
+}
+/**
+* Generate OpenAPI spec for a backend app.
+* Returns the spec content and endpoint count.
+*/
+async function generateBackendOpenApi(workspace, appName) {
+	const app = workspace.apps[appName];
+	if (!app || app.type !== "backend" || !app.routes) return null;
+	const appPath = join(workspace.root, app.path);
+	const routesPatterns = normalizeRoutes(app.routes);
+	if (routesPatterns.length === 0) return null;
+	const endpointGenerator = new EndpointGenerator();
+	const allLoadedEndpoints = [];
+	for (const pattern of routesPatterns) {
+		const fullPattern = join(appPath, pattern);
+		const loaded = await endpointGenerator.load(fullPattern);
+		allLoadedEndpoints.push(...loaded);
+	}
+	const loadedEndpoints = allLoadedEndpoints;
+	if (loadedEndpoints.length === 0) return null;
+	const endpoints = loadedEndpoints.map(({ construct }) => construct);
+	const tsGenerator = new OpenApiTsGenerator();
+	const content = await tsGenerator.generate(endpoints, {
+		title: `${appName} API`,
+		version: "1.0.0",
+		description: `Auto-generated API client for ${appName}`
+	});
+	return {
+		content,
+		endpointCount: loadedEndpoints.length
+	};
+}
+/**
+* Generate client for a frontend app from its backend dependencies.
+* Only regenerates if the OpenAPI spec has changed.
+*/
+async function generateClientForFrontend(workspace, frontendAppName, options = {}) {
+	const results = [];
+	const frontendApp = workspace.apps[frontendAppName];
+	if (!frontendApp || frontendApp.type !== "frontend") return results;
+	const dependencies$1 = frontendApp.dependencies || [];
+	const backendDeps = dependencies$1.filter((dep) => {
+		const depApp = workspace.apps[dep];
+		return depApp?.type === "backend" && depApp.routes;
+	});
+	if (backendDeps.length === 0) return results;
+	const clientOutput = frontendApp.client?.output || "src/api";
+	const frontendPath = join(workspace.root, frontendApp.path);
+	const outputDir = join(frontendPath, clientOutput);
+	for (const backendAppName of backendDeps) {
+		const result = {
+			frontendApp: frontendAppName,
+			backendApp: backendAppName,
+			outputPath: "",
+			endpointCount: 0,
+			generated: false
+		};
+		try {
+			const spec = await generateBackendOpenApi(workspace, backendAppName);
+			if (!spec) {
+				result.reason = "No endpoints found in backend";
+				results.push(result);
+				continue;
+			}
+			result.endpointCount = spec.endpointCount;
+			const cacheKey = `${backendAppName}:${frontendAppName}`;
+			const newHash = hashContent(spec.content);
+			const oldHash = specHashCache.get(cacheKey);
+			if (!options.force && oldHash === newHash) {
+				result.reason = "No schema changes detected";
+				results.push(result);
+				continue;
+			}
+			await mkdir(outputDir, { recursive: true });
+			const fileName = backendDeps.length === 1 ? "openapi.ts" : `${backendAppName}-api.ts`;
+			const outputPath = join(outputDir, fileName);
+			const backendRelPath = relative(dirname(outputPath), join(workspace.root, workspace.apps[backendAppName].path));
+			const clientContent = `/**
+ * Auto-generated API client for ${backendAppName}
+ * Generated from: ${backendRelPath}
+ *
+ * DO NOT EDIT - This file is automatically regenerated when backend schemas change.
+ */
+
+${spec.content}
+`;
+			await writeFile(outputPath, clientContent);
+			specHashCache.set(cacheKey, newHash);
+			result.outputPath = outputPath;
+			result.generated = true;
+			results.push(result);
+		} catch (error) {
+			result.reason = `Error: ${error.message}`;
+			results.push(result);
+		}
+	}
+	return results;
+}
+/**
+* Generate clients for all frontend apps in the workspace.
+*/
+async function generateAllClients(workspace, options = {}) {
+	const log = options.silent ? () => {} : logger$9.log.bind(logger$9);
+	const allResults = [];
+	for (const [appName, app] of Object.entries(workspace.apps)) if (app.type === "frontend" && app.dependencies.length > 0) {
+		const results = await generateClientForFrontend(workspace, appName, { force: options.force });
+		for (const result of results) {
+			if (result.generated) log(`📦 Generated client for ${result.frontendApp} from ${result.backendApp} (${result.endpointCount} endpoints)`);
+			allResults.push(result);
+		}
+	}
+	return allResults;
+}
+/**
+* Get frontend apps that depend on a backend app.
+*/
+function getDependentFrontends(workspace, backendAppName) {
+	const dependentApps = [];
+	for (const [appName, app] of Object.entries(workspace.apps)) if (app.type === "frontend" && app.dependencies.includes(backendAppName)) dependentApps.push(appName);
+	return dependentApps;
+}
+
 //#endregion
 //#region src/dev/index.ts
 const logger$8 = console;
@@ -869,7 +1013,12 @@ function getProductionConfigFromGkm(config$1) {
 async function devCommand(options) {
 	const defaultEnv = loadEnvFiles(".env");
 	if (defaultEnv.loaded.length > 0) logger$8.log(`📦 Loaded env: ${defaultEnv.loaded.join(", ")}`);
-	const config$1 = await loadConfig();
+	const loadedConfig = await loadWorkspaceConfig();
+	if (loadedConfig.type === "workspace") {
+		logger$8.log("📦 Detected workspace configuration");
+		return workspaceDevCommand(loadedConfig.workspace, options);
+	}
+	const config$1 = loadedConfig.raw;
 	if (config$1.env) {
 		const { loaded, missing } = loadEnvFiles(config$1.env);
 		if (loaded.length > 0) logger$8.log(`📦 Loaded env: ${loaded.join(", ")}`);
@@ -974,6 +1123,312 @@ async function devCommand(options) {
 	process.on("SIGINT", shutdown);
 	process.on("SIGTERM", shutdown);
 }
+/**
+* Generate all dependency environment variables for all apps.
+* Returns a flat object with all {APP_NAME}_URL variables.
+* @internal Exported for testing
+*/
+function generateAllDependencyEnvVars(workspace, urlPrefix = "http://localhost") {
+	const env = {};
+	for (const appName of Object.keys(workspace.apps)) {
+		const appEnv = getDependencyEnvVars(workspace, appName, urlPrefix);
+		Object.assign(env, appEnv);
+	}
+	return env;
+}
+/**
+* Check for port conflicts across all apps.
+* Returns list of conflicts if any ports are duplicated.
+* @internal Exported for testing
+*/
+function checkPortConflicts(workspace) {
+	const conflicts = [];
+	const portToApp = /* @__PURE__ */ new Map();
+	for (const [appName, app] of Object.entries(workspace.apps)) {
+		const existingApp = portToApp.get(app.port);
+		if (existingApp) conflicts.push({
+			app1: existingApp,
+			app2: appName,
+			port: app.port
+		});
+		else portToApp.set(app.port, appName);
+	}
+	return conflicts;
+}
+/**
+* Next.js config file patterns to check.
+*/
+const NEXTJS_CONFIG_FILES = [
+	"next.config.js",
+	"next.config.ts",
+	"next.config.mjs"
+];
+/**
+* Validate a frontend (Next.js) app configuration.
+* Checks for Next.js config file and dependency.
+* @internal Exported for testing
+*/
+async function validateFrontendApp(appName, appPath, workspaceRoot) {
+	const errors = [];
+	const warnings = [];
+	const fullPath = join(workspaceRoot, appPath);
+	const hasConfigFile = NEXTJS_CONFIG_FILES.some((file) => existsSync(join(fullPath, file)));
+	if (!hasConfigFile) errors.push(`Next.js config file not found. Expected one of: ${NEXTJS_CONFIG_FILES.join(", ")}`);
+	const packageJsonPath = join(fullPath, "package.json");
+	if (existsSync(packageJsonPath)) try {
+		const pkg$1 = __require(packageJsonPath);
+		const deps = {
+			...pkg$1.dependencies,
+			...pkg$1.devDependencies
+		};
+		if (!deps.next) errors.push("Next.js not found in dependencies. Run: pnpm add next react react-dom");
+		if (!pkg$1.scripts?.dev) warnings.push("No \"dev\" script found in package.json. Turbo expects a \"dev\" script to run.");
+	} catch {
+		errors.push(`Failed to read package.json at ${packageJsonPath}`);
+	}
+	else errors.push(`package.json not found at ${appPath}. Run: pnpm init in the app directory.`);
+	return {
+		appName,
+		valid: errors.length === 0,
+		errors,
+		warnings
+	};
+}
+/**
+* Validate all frontend apps in the workspace.
+* Returns validation results for each frontend app.
+* @internal Exported for testing
+*/
+async function validateFrontendApps(workspace) {
+	const results = [];
+	for (const [appName, app] of Object.entries(workspace.apps)) if (app.type === "frontend") {
+		const result = await validateFrontendApp(appName, app.path, workspace.root);
+		results.push(result);
+	}
+	return results;
+}
+/**
+* Load secrets for development stage.
+* Returns env vars to inject, or empty object if secrets not configured/found.
+* @internal Exported for testing
+*/
+async function loadDevSecrets(workspace) {
+	if (!workspace.secrets.enabled) return {};
+	const stages = ["dev", "development"];
+	for (const stage of stages) if (secretsExist(stage, workspace.root)) {
+		const secrets = await readStageSecrets(stage, workspace.root);
+		if (secrets) {
+			logger$8.log(`🔐 Loading secrets from stage: ${stage}`);
+			return toEmbeddableSecrets(secrets);
+		}
+	}
+	logger$8.warn("⚠️  Secrets enabled but no dev/development secrets found. Run \"gkm secrets:init --stage dev\"");
+	return {};
+}
+/**
+* Start docker-compose services for the workspace.
+* @internal Exported for testing
+*/
+async function startWorkspaceServices(workspace) {
+	const services = workspace.services;
+	if (!services.db && !services.cache && !services.mail) return;
+	const servicesToStart = [];
+	if (services.db) servicesToStart.push("postgres");
+	if (services.cache) servicesToStart.push("redis");
+	if (services.mail) servicesToStart.push("mailpit");
+	if (servicesToStart.length === 0) return;
+	logger$8.log(`🐳 Starting services: ${servicesToStart.join(", ")}`);
+	try {
+		const composeFile = join(workspace.root, "docker-compose.yml");
+		if (!existsSync(composeFile)) {
+			logger$8.warn("⚠️  No docker-compose.yml found. Services will not be started.");
+			return;
+		}
+		execSync(`docker-compose up -d ${servicesToStart.join(" ")}`, {
+			cwd: workspace.root,
+			stdio: "inherit"
+		});
+		logger$8.log("✅ Services started");
+	} catch (error) {
+		logger$8.error("❌ Failed to start services:", error.message);
+		throw error;
+	}
+}
+/**
+* Workspace dev command - orchestrates multi-app development using Turbo.
+*
+* Flow:
+* 1. Check for port conflicts
+* 2. Start docker-compose services (db, cache, mail)
+* 3. Generate dependency URLs ({APP_NAME}_URL)
+* 4. Spawn turbo run dev with injected env vars
+*/
+async function workspaceDevCommand(workspace, options) {
+	const appCount = Object.keys(workspace.apps).length;
+	const backendApps = Object.entries(workspace.apps).filter(([_, app]) => app.type === "backend");
+	const frontendApps = Object.entries(workspace.apps).filter(([_, app]) => app.type === "frontend");
+	logger$8.log(`\n🚀 Starting workspace: ${workspace.name}`);
+	logger$8.log(`   ${backendApps.length} backend app(s), ${frontendApps.length} frontend app(s)`);
+	const conflicts = checkPortConflicts(workspace);
+	if (conflicts.length > 0) {
+		for (const conflict of conflicts) logger$8.error(`❌ Port conflict: Apps "${conflict.app1}" and "${conflict.app2}" both use port ${conflict.port}`);
+		throw new Error("Port conflicts detected. Please assign unique ports to each app.");
+	}
+	if (frontendApps.length > 0) {
+		logger$8.log("\n🔍 Validating frontend apps...");
+		const validationResults = await validateFrontendApps(workspace);
+		let hasErrors = false;
+		for (const result of validationResults) {
+			if (!result.valid) {
+				hasErrors = true;
+				logger$8.error(`\n❌ Frontend app "${result.appName}" validation failed:`);
+				for (const error of result.errors) logger$8.error(`   • ${error}`);
+			}
+			for (const warning of result.warnings) logger$8.warn(`   ⚠️  ${result.appName}: ${warning}`);
+		}
+		if (hasErrors) throw new Error("Frontend app validation failed. Fix the issues above and try again.");
+		logger$8.log("✅ Frontend apps validated");
+	}
+	if (frontendApps.length > 0) {
+		const clientResults = await generateAllClients(workspace, { force: true });
+		const generatedCount = clientResults.filter((r) => r.generated).length;
+		if (generatedCount > 0) logger$8.log(`\n📦 Generated ${generatedCount} API client(s)`);
+	}
+	await startWorkspaceServices(workspace);
+	const secretsEnv = await loadDevSecrets(workspace);
+	if (Object.keys(secretsEnv).length > 0) logger$8.log(`   Loaded ${Object.keys(secretsEnv).length} secret(s)`);
+	const dependencyEnv = generateAllDependencyEnvVars(workspace);
+	if (Object.keys(dependencyEnv).length > 0) {
+		logger$8.log("📡 Dependency URLs:");
+		for (const [key, value] of Object.entries(dependencyEnv)) logger$8.log(`   ${key}=${value}`);
+	}
+	let turboFilter = [];
+	if (options.app) {
+		if (!workspace.apps[options.app]) {
+			const appNames = Object.keys(workspace.apps).join(", ");
+			throw new Error(`App "${options.app}" not found. Available apps: ${appNames}`);
+		}
+		turboFilter = ["--filter", options.app];
+		logger$8.log(`\n🎯 Running single app: ${options.app}`);
+	} else if (options.filter) {
+		turboFilter = ["--filter", options.filter];
+		logger$8.log(`\n🔍 Using filter: ${options.filter}`);
+	} else logger$8.log(`\n🎯 Running all ${appCount} apps`);
+	const buildOrder = getAppBuildOrder(workspace);
+	logger$8.log("\n📋 Apps (in dependency order):");
+	for (const appName of buildOrder) {
+		const app = workspace.apps[appName];
+		if (!app) continue;
+		const deps = app.dependencies.length > 0 ? ` (depends on: ${app.dependencies.join(", ")})` : "";
+		logger$8.log(`   ${app.type === "backend" ? "🔧" : "🌐"} ${appName} → http://localhost:${app.port}${deps}`);
+	}
+	const turboEnv = {
+		...process.env,
+		...secretsEnv,
+		...dependencyEnv,
+		NODE_ENV: "development"
+	};
+	logger$8.log("\n🏃 Starting turbo run dev...\n");
+	const turboProcess = spawn("pnpm", [
+		"turbo",
+		"run",
+		"dev",
+		...turboFilter
+	], {
+		cwd: workspace.root,
+		stdio: "inherit",
+		env: turboEnv
+	});
+	let endpointWatcher = null;
+	if (frontendApps.length > 0 && backendApps.length > 0) {
+		const watchPatterns = [];
+		const backendRouteMap = /* @__PURE__ */ new Map();
+		for (const [appName, app] of backendApps) {
+			const routePatterns = normalizeRoutes(app.routes);
+			for (const routePattern of routePatterns) {
+				const fullPattern = join(workspace.root, app.path, routePattern);
+				watchPatterns.push(fullPattern);
+				const patternKey = join(app.path, routePattern);
+				const existing = backendRouteMap.get(patternKey) || [];
+				backendRouteMap.set(patternKey, [...existing, appName]);
+			}
+		}
+		if (watchPatterns.length > 0) {
+			const resolvedFiles = await fg(watchPatterns, {
+				cwd: workspace.root,
+				absolute: true,
+				onlyFiles: true
+			});
+			if (resolvedFiles.length > 0) {
+				logger$8.log(`\n👀 Watching ${resolvedFiles.length} endpoint file(s) for schema changes`);
+				endpointWatcher = chokidar.watch(resolvedFiles, {
+					ignored: /(^|[/\\])\../,
+					persistent: true,
+					ignoreInitial: true
+				});
+				let regenerateTimeout = null;
+				endpointWatcher.on("change", async (changedPath) => {
+					if (regenerateTimeout) clearTimeout(regenerateTimeout);
+					regenerateTimeout = setTimeout(async () => {
+						const changedBackends = [];
+						for (const [appName, app] of backendApps) {
+							const routePatterns = normalizeRoutes(app.routes);
+							for (const routePattern of routePatterns) {
+								const routesDir = join(workspace.root, app.path, routePattern.split("*")[0] || "");
+								if (changedPath.startsWith(routesDir.replace(/\/$/, ""))) {
+									changedBackends.push(appName);
+									break;
+								}
+							}
+						}
+						if (changedBackends.length === 0) return;
+						const affectedFrontends = /* @__PURE__ */ new Set();
+						for (const backend of changedBackends) {
+							const dependents = getDependentFrontends(workspace, backend);
+							for (const frontend of dependents) affectedFrontends.add(frontend);
+						}
+						if (affectedFrontends.size === 0) return;
+						logger$8.log(`\n🔄 Detected schema change in ${changedBackends.join(", ")}`);
+						for (const frontend of affectedFrontends) try {
+							const results = await generateClientForFrontend(workspace, frontend);
+							for (const result of results) if (result.generated) logger$8.log(`   📦 Regenerated client for ${result.frontendApp} (${result.endpointCount} endpoints)`);
+						} catch (error) {
+							logger$8.error(`   ❌ Failed to regenerate client for ${frontend}: ${error.message}`);
+						}
+					}, 500);
+				});
+			}
+		}
+	}
+	let isShuttingDown = false;
+	const shutdown = () => {
+		if (isShuttingDown) return;
+		isShuttingDown = true;
+		logger$8.log("\n🛑 Shutting down workspace...");
+		if (endpointWatcher) endpointWatcher.close().catch(() => {});
+		if (turboProcess.pid) try {
+			process.kill(-turboProcess.pid, "SIGTERM");
+		} catch {
+			turboProcess.kill("SIGTERM");
+		}
+		setTimeout(() => {
+			process.exit(0);
+		}, 2e3);
+	};
+	process.on("SIGINT", shutdown);
+	process.on("SIGTERM", shutdown);
+	return new Promise((resolve$1, reject) => {
+		turboProcess.on("error", (error) => {
+			logger$8.error("❌ Turbo error:", error);
+			reject(error);
+		});
+		turboProcess.on("exit", (code) => {
+			if (endpointWatcher) endpointWatcher.close().catch(() => {});
+			if (code !== null && code !== 0) reject(new Error(`Turbo exited with code ${code}`));
+			else resolve$1();
+		});
+	});
+}
 async function buildServer(config$1, context, provider, enableOpenApi) {
 	const endpointGenerator = new EndpointGenerator();
 	const functionGenerator = new FunctionGenerator();
@@ -1201,6 +1656,11 @@ export type RoutePath = Route['path'];
 //#region src/build/index.ts
 const logger$6 = console;
 async function buildCommand(options) {
+	const loadedConfig = await loadWorkspaceConfig();
+	if (loadedConfig.type === "workspace") {
+		logger$6.log("📦 Detected workspace configuration");
+		return workspaceBuildCommand(loadedConfig.workspace, options);
+	}
 	const config$1 = await loadConfig();
 	const resolved = resolveProviders(config$1, options);
 	const productionConfigFromGkm = getProductionConfigFromGkm(config$1);
@@ -1297,7 +1757,7 @@ async function buildForProvider(provider, context, rootOutputDir, endpointGenera
 		let masterKey;
 		if (context.production?.bundle && !skipBundle) {
 			logger$6.log(`\n📦 Bundling production server...`);
-			const { bundleServer } = await import("./bundler-B6z6HEeh.mjs");
+			const { bundleServer } = await import("./bundler-DQIuE3Kn.mjs");
 			const allConstructs = [
 				...endpoints.map((e) => e.construct),
 				...functions.map((f) => f.construct),
@@ -1326,6 +1786,101 @@ async function buildForProvider(provider, context, rootOutputDir, endpointGenera
 	} else await generateAwsManifest(rootOutputDir, routes, functionInfos, cronInfos, subscriberInfos);
 	return {};
 }
+/**
+* Detect available package manager.
+* @internal Exported for testing
+*/
+function detectPackageManager$2() {
+	if (existsSync("pnpm-lock.yaml")) return "pnpm";
+	if (existsSync("yarn.lock")) return "yarn";
+	return "npm";
+}
+/**
+* Get the turbo command for running builds.
+* @internal Exported for testing
+*/
+function getTurboCommand(pm, filter) {
+	const filterArg = filter ? ` --filter=${filter}` : "";
+	switch (pm) {
+		case "pnpm": return `pnpm exec turbo run build${filterArg}`;
+		case "yarn": return `yarn turbo run build${filterArg}`;
+		case "npm": return `npx turbo run build${filterArg}`;
+	}
+}
+/**
+* Build all apps in a workspace using Turbo for dependency-ordered parallel builds.
+* @internal Exported for testing
+*/
+async function workspaceBuildCommand(workspace, options) {
+	const results = [];
+	const apps = Object.entries(workspace.apps);
+	const backendApps = apps.filter(([, app]) => app.type === "backend");
+	const frontendApps = apps.filter(([, app]) => app.type === "frontend");
+	logger$6.log(`\n🏗️  Building workspace: ${workspace.name}`);
+	logger$6.log(`   Backend apps: ${backendApps.map(([name$1]) => name$1).join(", ") || "none"}`);
+	logger$6.log(`   Frontend apps: ${frontendApps.map(([name$1]) => name$1).join(", ") || "none"}`);
+	if (options.production) logger$6.log(`   🏭 Production mode enabled`);
+	const buildOrder = getAppBuildOrder(workspace);
+	logger$6.log(`   Build order: ${buildOrder.join(" → ")}`);
+	const pm = detectPackageManager$2();
+	logger$6.log(`\n📦 Using ${pm} with Turbo for parallel builds...\n`);
+	try {
+		const turboCommand = getTurboCommand(pm);
+		logger$6.log(`Running: ${turboCommand}`);
+		await new Promise((resolve$1, reject) => {
+			const child = spawn(turboCommand, {
+				shell: true,
+				cwd: workspace.root,
+				stdio: "inherit",
+				env: {
+					...process.env,
+					NODE_ENV: options.production ? "production" : "development"
+				}
+			});
+			child.on("close", (code) => {
+				if (code === 0) resolve$1();
+				else reject(new Error(`Turbo build failed with exit code ${code}`));
+			});
+			child.on("error", (err) => {
+				reject(err);
+			});
+		});
+		for (const [appName, app] of apps) {
+			const outputPath = getAppOutputPath(workspace, appName, app);
+			results.push({
+				appName,
+				type: app.type,
+				success: true,
+				outputPath
+			});
+		}
+		logger$6.log(`\n✅ Workspace build complete!`);
+		logger$6.log(`\n📋 Build Summary:`);
+		for (const result of results) {
+			const icon = result.type === "backend" ? "⚙️" : "🌐";
+			logger$6.log(`   ${icon} ${result.appName}: ${result.outputPath || "built"}`);
+		}
+	} catch (error) {
+		const errorMessage = error instanceof Error ? error.message : "Build failed";
+		logger$6.log(`\n❌ Build failed: ${errorMessage}`);
+		for (const [appName, app] of apps) results.push({
+			appName,
+			type: app.type,
+			success: false,
+			error: errorMessage
+		});
+		throw error;
+	}
+	return { apps: results };
+}
+/**
+* Get the output path for a built app.
+*/
+function getAppOutputPath(workspace, _appName, app) {
+	const appPath = join(workspace.root, app.path);
+	if (app.type === "frontend") return join(appPath, ".next");
+	else return join(appPath, ".gkm");
+}
 
 //#endregion
 //#region src/docker/compose.ts
@@ -1513,6 +2068,163 @@ networks:
     driver: bridge
 `;
 }
+/**
+* Generate docker-compose.yml for a workspace with all apps as services.
+* Apps can communicate with each other via service names.
+* @internal Exported for testing
+*/
+function generateWorkspaceCompose(workspace, options = {}) {
+	const { registry } = options;
+	const apps = Object.entries(workspace.apps);
+	const services = workspace.services;
+	const hasPostgres = services.db !== void 0 && services.db !== false;
+	const hasRedis = services.cache !== void 0 && services.cache !== false;
+	const hasMail = services.mail !== void 0 && services.mail !== false;
+	const postgresImage = getInfraServiceImage("postgres", services.db);
+	const redisImage = getInfraServiceImage("redis", services.cache);
+	let yaml = `# Docker Compose for ${workspace.name} workspace
+# Generated by gkm - do not edit manually
+
+services:
+`;
+	for (const [appName, app] of apps) yaml += generateAppService(appName, app, apps, {
+		registry,
+		hasPostgres,
+		hasRedis
+	});
+	if (hasPostgres) yaml += `
+  postgres:
+    image: ${postgresImage}
+    container_name: ${workspace.name}-postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: \${POSTGRES_USER:-postgres}
+      POSTGRES_PASSWORD: \${POSTGRES_PASSWORD:-postgres}
+      POSTGRES_DB: \${POSTGRES_DB:-app}
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    networks:
+      - workspace-network
+`;
+	if (hasRedis) yaml += `
+  redis:
+    image: ${redisImage}
+    container_name: ${workspace.name}-redis
+    restart: unless-stopped
+    volumes:
+      - redis_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    networks:
+      - workspace-network
+`;
+	if (hasMail) yaml += `
+  mailpit:
+    image: axllent/mailpit:latest
+    container_name: ${workspace.name}-mailpit
+    restart: unless-stopped
+    ports:
+      - "8025:8025"  # Web UI
+      - "1025:1025"  # SMTP
+    networks:
+      - workspace-network
+`;
+	yaml += `
+volumes:
+`;
+	if (hasPostgres) yaml += `  postgres_data:
+`;
+	if (hasRedis) yaml += `  redis_data:
+`;
+	yaml += `
+networks:
+  workspace-network:
+    driver: bridge
+`;
+	return yaml;
+}
+/**
+* Get infrastructure service image with version.
+*/
+function getInfraServiceImage(serviceName, config$1) {
+	const defaults = {
+		postgres: "postgres:16-alpine",
+		redis: "redis:7-alpine"
+	};
+	if (!config$1 || config$1 === true) return defaults[serviceName];
+	if (typeof config$1 === "object") {
+		if (config$1.image) return config$1.image;
+		if (config$1.version) {
+			const baseImage = serviceName === "postgres" ? "postgres" : "redis";
+			return `${baseImage}:${config$1.version}`;
+		}
+	}
+	return defaults[serviceName];
+}
+/**
+* Generate a service definition for an app.
+*/
+function generateAppService(appName, app, allApps, options) {
+	const { registry, hasPostgres, hasRedis } = options;
+	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : "";
+	const healthCheckPath = app.type === "frontend" ? "/" : "/health";
+	const healthCheckCmd = app.type === "frontend" ? `["CMD", "wget", "-q", "--spider", "http://localhost:${app.port}/"]` : `["CMD", "wget", "-q", "--spider", "http://localhost:${app.port}${healthCheckPath}"]`;
+	let yaml = `
+  ${appName}:
+    build:
+      context: .
+      dockerfile: .gkm/docker/Dockerfile.${appName}
+    image: ${imageRef}\${${appName.toUpperCase()}_IMAGE:-${appName}}:\${TAG:-latest}
+    container_name: ${appName}
+    restart: unless-stopped
+    ports:
+      - "\${${appName.toUpperCase()}_PORT:-${app.port}}:${app.port}"
+    environment:
+      - NODE_ENV=production
+      - PORT=${app.port}
+`;
+	for (const dep of app.dependencies) {
+		const depApp = allApps.find(([name$1]) => name$1 === dep)?.[1];
+		if (depApp) yaml += `      - ${dep.toUpperCase()}_URL=http://${dep}:${depApp.port}
+`;
+	}
+	if (app.type === "backend") {
+		if (hasPostgres) yaml += `      - DATABASE_URL=\${DATABASE_URL:-postgresql://postgres:postgres@postgres:5432/app}
+`;
+		if (hasRedis) yaml += `      - REDIS_URL=\${REDIS_URL:-redis://redis:6379}
+`;
+	}
+	yaml += `    healthcheck:
+      test: ${healthCheckCmd}
+      interval: 30s
+      timeout: 3s
+      retries: 3
+`;
+	const dependencies$1 = [...app.dependencies];
+	if (app.type === "backend") {
+		if (hasPostgres) dependencies$1.push("postgres");
+		if (hasRedis) dependencies$1.push("redis");
+	}
+	if (dependencies$1.length > 0) {
+		yaml += `    depends_on:
+`;
+		for (const dep of dependencies$1) yaml += `      ${dep}:
+        condition: service_healthy
+`;
+	}
+	yaml += `    networks:
+      - workspace-network
+`;
+	return yaml;
+}
 
 //#endregion
 //#region src/docker/templates.ts
@@ -1603,6 +2315,7 @@ function getPmConfig(pm) {
 			cacheTarget: "/root/.local/share/pnpm/store",
 			cacheId: "pnpm",
 			run: "pnpm",
+			exec: "pnpm exec",
 			dlx: "pnpm dlx",
 			addGlobal: "pnpm add -g"
 		},
@@ -1614,6 +2327,7 @@ function getPmConfig(pm) {
 			cacheTarget: "/root/.npm",
 			cacheId: "npm",
 			run: "npm run",
+			exec: "npx",
 			dlx: "npx",
 			addGlobal: "npm install -g"
 		},
@@ -1625,6 +2339,7 @@ function getPmConfig(pm) {
 			cacheTarget: "/root/.yarn/cache",
 			cacheId: "yarn",
 			run: "yarn",
+			exec: "yarn exec",
 			dlx: "yarn dlx",
 			addGlobal: "yarn global add"
 		},
@@ -1636,6 +2351,7 @@ function getPmConfig(pm) {
 			cacheTarget: "/root/.bun/install/cache",
 			cacheId: "bun",
 			run: "bun run",
+			exec: "bunx",
 			dlx: "bunx",
 			addGlobal: "bun add -g"
 		}
@@ -1692,8 +2408,14 @@ WORKDIR /app
 # Copy source (deps already installed)
 COPY . .
 
-# Build production server using CLI from npm
-RUN ${pm.dlx} @geekmidas/cli build --provider server --production
+# Debug: Show node_modules/.bin contents and build production server
+RUN echo "=== node_modules/.bin contents ===" && \
+    ls -la node_modules/.bin/ 2>/dev/null || echo "node_modules/.bin not found" && \
+    echo "=== Checking for gkm ===" && \
+    which gkm 2>/dev/null || echo "gkm not in PATH" && \
+    ls -la node_modules/.bin/gkm 2>/dev/null || echo "gkm binary not found in node_modules/.bin" && \
+    echo "=== Running build ===" && \
+    ./node_modules/.bin/gkm build --provider server --production
 
 # Stage 3: Production
 FROM ${baseImage} AS runner
@@ -1774,8 +2496,14 @@ WORKDIR /app
 # Copy pruned source
 COPY --from=pruner /app/out/full/ ./
 
-# Build production server using CLI from npm
-RUN ${pm.dlx} @geekmidas/cli build --provider server --production
+# Debug: Show node_modules/.bin contents and build production server
+RUN echo "=== node_modules/.bin contents ===" && \
+    ls -la node_modules/.bin/ 2>/dev/null || echo "node_modules/.bin not found" && \
+    echo "=== Checking for gkm ===" && \
+    which gkm 2>/dev/null || echo "gkm not in PATH" && \
+    ls -la node_modules/.bin/gkm 2>/dev/null || echo "gkm binary not found in node_modules/.bin" && \
+    echo "=== Running build ===" && \
+    ./node_modules/.bin/gkm build --provider server --production
 
 # Stage 4: Production
 FROM ${baseImage} AS runner
@@ -1917,8 +2645,8 @@ function resolveDockerConfig$1(config$1) {
 	const docker = config$1.docker ?? {};
 	let defaultImageName = "api";
 	try {
-		const pkg = __require(`${process.cwd()}/package.json`);
-		if (pkg.name) defaultImageName = pkg.name.replace(/^@[^/]+\//, "");
+		const pkg$1 = __require(`${process.cwd()}/package.json`);
+		if (pkg$1.name) defaultImageName = pkg$1.name.replace(/^@[^/]+\//, "");
 	} catch {}
 	return {
 		registry: docker.registry ?? "",
@@ -1928,20 +2656,194 @@ function resolveDockerConfig$1(config$1) {
 		compose: docker.compose
 	};
 }
-
-//#endregion
-//#region src/docker/index.ts
-const logger$5 = console;
 /**
-* Docker command implementation
-* Generates Dockerfile, docker-compose.yml, and related files
-*
-* Default: Multi-stage Dockerfile that builds from source inside Docker
-* --slim: Slim Dockerfile that copies pre-built bundle (requires prior build)
+* Generate a Dockerfile for Next.js frontend apps using standalone output.
+* Uses turbo prune for monorepo optimization.
+* @internal Exported for testing
 */
-async function dockerCommand(options) {
-	const config$1 = await loadConfig();
-	const dockerConfig = resolveDockerConfig$1(config$1);
+function generateNextjsDockerfile(options) {
+	const { baseImage, port, appPath, turboPackage, packageManager } = options;
+	const pm = getPmConfig(packageManager);
+	const installPm = pm.install ? `RUN ${pm.install}` : "";
+	const turboInstallCmd = getTurboInstallCmd(packageManager);
+	const turboCmd = packageManager === "pnpm" ? "pnpm dlx turbo" : "npx turbo";
+	return `# syntax=docker/dockerfile:1
+# Next.js standalone Dockerfile with turbo prune optimization
+
+# Stage 1: Prune monorepo
+FROM ${baseImage} AS pruner
+
+WORKDIR /app
+
+${installPm}
+
+COPY . .
+
+# Prune to only include necessary packages
+RUN ${turboCmd} prune ${turboPackage} --docker
+
+# Stage 2: Install dependencies
+FROM ${baseImage} AS deps
+
+WORKDIR /app
+
+${installPm}
+
+# Copy pruned lockfile and package.jsons
+COPY --from=pruner /app/out/${pm.lockfile} ./
+COPY --from=pruner /app/out/json/ ./
+
+# Install dependencies
+RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
+    ${turboInstallCmd}
+
+# Stage 3: Build
+FROM deps AS builder
+
+WORKDIR /app
+
+# Copy pruned source
+COPY --from=pruner /app/out/full/ ./
+
+# Set Next.js to produce standalone output
+ENV NEXT_TELEMETRY_DISABLED=1
+
+# Build the application
+RUN ${turboCmd} run build --filter=${turboPackage}
+
+# Stage 4: Production
+FROM ${baseImage} AS runner
+
+WORKDIR /app
+
+# Install tini for proper signal handling
+RUN apk add --no-cache tini
+
+# Create non-root user
+RUN addgroup --system --gid 1001 nodejs && \\
+    adduser --system --uid 1001 nextjs
+
+# Set environment
+ENV NODE_ENV=production
+ENV NEXT_TELEMETRY_DISABLED=1
+ENV PORT=${port}
+ENV HOSTNAME="0.0.0.0"
+
+# Copy static files and standalone output
+COPY --from=builder --chown=nextjs:nodejs /app/${appPath}/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/${appPath}/.next/static ./${appPath}/.next/static
+COPY --from=builder --chown=nextjs:nodejs /app/${appPath}/public ./${appPath}/public
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \\
+  CMD wget -q --spider http://localhost:${port}/ || exit 1
+
+USER nextjs
+
+EXPOSE ${port}
+
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["node", "${appPath}/server.js"]
+`;
+}
+/**
+* Generate a Dockerfile for backend apps in a workspace.
+* Uses turbo prune for monorepo optimization.
+* @internal Exported for testing
+*/
+function generateBackendDockerfile(options) {
+	const { baseImage, port, appPath, turboPackage, packageManager, healthCheckPath = "/health" } = options;
+	const pm = getPmConfig(packageManager);
+	const installPm = pm.install ? `RUN ${pm.install}` : "";
+	const turboInstallCmd = getTurboInstallCmd(packageManager);
+	const turboCmd = packageManager === "pnpm" ? "pnpm dlx turbo" : "npx turbo";
+	return `# syntax=docker/dockerfile:1
+# Backend Dockerfile with turbo prune optimization
+
+# Stage 1: Prune monorepo
+FROM ${baseImage} AS pruner
+
+WORKDIR /app
+
+${installPm}
+
+COPY . .
+
+# Prune to only include necessary packages
+RUN ${turboCmd} prune ${turboPackage} --docker
+
+# Stage 2: Install dependencies
+FROM ${baseImage} AS deps
+
+WORKDIR /app
+
+${installPm}
+
+# Copy pruned lockfile and package.jsons
+COPY --from=pruner /app/out/${pm.lockfile} ./
+COPY --from=pruner /app/out/json/ ./
+
+# Install dependencies
+RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
+    ${turboInstallCmd}
+
+# Stage 3: Build
+FROM deps AS builder
+
+WORKDIR /app
+
+# Copy pruned source
+COPY --from=pruner /app/out/full/ ./
+
+# Build production server using gkm
+RUN cd ${appPath} && ./node_modules/.bin/gkm build --provider server --production
+
+# Stage 4: Production
+FROM ${baseImage} AS runner
+
+WORKDIR /app
+
+RUN apk add --no-cache tini
+
+RUN addgroup --system --gid 1001 nodejs && \\
+    adduser --system --uid 1001 hono
+
+# Copy bundled server
+COPY --from=builder --chown=hono:nodejs /app/${appPath}/.gkm/server/dist/server.mjs ./
+
+ENV NODE_ENV=production
+ENV PORT=${port}
+
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \\
+  CMD wget -q --spider http://localhost:${port}${healthCheckPath} || exit 1
+
+USER hono
+
+EXPOSE ${port}
+
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["node", "server.mjs"]
+`;
+}
+
+//#endregion
+//#region src/docker/index.ts
+const logger$5 = console;
+/**
+* Docker command implementation
+* Generates Dockerfile, docker-compose.yml, and related files
+*
+* Default: Multi-stage Dockerfile that builds from source inside Docker
+* --slim: Slim Dockerfile that copies pre-built bundle (requires prior build)
+*/
+async function dockerCommand(options) {
+	const loadedConfig = await loadWorkspaceConfig();
+	if (loadedConfig.type === "workspace") {
+		logger$5.log("📦 Detected workspace configuration");
+		return workspaceDockerCommand(loadedConfig.workspace, options);
+	}
+	const config$1 = await loadConfig();
+	const dockerConfig = resolveDockerConfig$1(config$1);
 	const serverConfig = typeof config$1.providers?.server === "object" ? config$1.providers.server : void 0;
 	const healthCheckPath = serverConfig?.production?.healthCheck ?? "/health";
 	const useSlim = options.slim === true;
@@ -1962,9 +2864,9 @@ async function dockerCommand(options) {
 	} else throw new Error("Monorepo detected but turbo.json not found.\n\nDocker builds in monorepos require Turborepo for proper dependency isolation.\n\nTo fix this:\n  1. Install turbo: pnpm add -Dw turbo\n  2. Create turbo.json in your monorepo root\n  3. Run this command again\n\nSee: https://turbo.build/repo/docs/guides/tools/docker");
 	let turboPackage = options.turboPackage ?? dockerConfig.imageName;
 	if (useTurbo && !options.turboPackage) try {
-		const pkg = __require(`${process.cwd()}/package.json`);
-		if (pkg.name) {
-			turboPackage = pkg.name;
+		const pkg$1 = __require(`${process.cwd()}/package.json`);
+		if (pkg$1.name) {
+			turboPackage = pkg$1.name;
 			logger$5.log(`   Turbo package: ${turboPackage}`);
 		}
 	} catch {}
@@ -2081,6 +2983,85 @@ async function pushDockerImage(imageName, options) {
 		throw new Error(`Failed to push Docker image: ${error instanceof Error ? error.message : "Unknown error"}`);
 	}
 }
+/**
+* Get the package name from package.json in an app directory.
+*/
+function getAppPackageName(appPath) {
+	try {
+		const pkg$1 = __require(`${appPath}/package.json`);
+		return pkg$1.name;
+	} catch {
+		return void 0;
+	}
+}
+/**
+* Generate Dockerfiles for all apps in a workspace.
+* @internal Exported for testing
+*/
+async function workspaceDockerCommand(workspace, options) {
+	const results = [];
+	const apps = Object.entries(workspace.apps);
+	logger$5.log(`\n🐳 Generating Dockerfiles for workspace: ${workspace.name}`);
+	const dockerDir = join(workspace.root, ".gkm", "docker");
+	await mkdir(dockerDir, { recursive: true });
+	const packageManager = detectPackageManager$1(workspace.root);
+	logger$5.log(`   Package manager: ${packageManager}`);
+	for (const [appName, app] of apps) {
+		const appPath = app.path;
+		const fullAppPath = join(workspace.root, appPath);
+		const turboPackage = getAppPackageName(fullAppPath) ?? appName;
+		const imageName = appName;
+		logger$5.log(`\n   📄 Generating Dockerfile for ${appName} (${app.type})`);
+		let dockerfile;
+		if (app.type === "frontend") dockerfile = generateNextjsDockerfile({
+			imageName,
+			baseImage: "node:22-alpine",
+			port: app.port,
+			appPath,
+			turboPackage,
+			packageManager
+		});
+		else dockerfile = generateBackendDockerfile({
+			imageName,
+			baseImage: "node:22-alpine",
+			port: app.port,
+			appPath,
+			turboPackage,
+			packageManager,
+			healthCheckPath: "/health"
+		});
+		const dockerfilePath = join(dockerDir, `Dockerfile.${appName}`);
+		await writeFile(dockerfilePath, dockerfile);
+		logger$5.log(`      Generated: .gkm/docker/Dockerfile.${appName}`);
+		results.push({
+			appName,
+			type: app.type,
+			dockerfile: dockerfilePath,
+			imageName
+		});
+	}
+	const dockerignore = generateDockerignore();
+	const dockerignorePath = join(workspace.root, ".dockerignore");
+	await writeFile(dockerignorePath, dockerignore);
+	logger$5.log(`\n   Generated: .dockerignore (workspace root)`);
+	const dockerCompose = generateWorkspaceCompose(workspace, { registry: options.registry });
+	const composePath = join(dockerDir, "docker-compose.yml");
+	await writeFile(composePath, dockerCompose);
+	logger$5.log(`   Generated: .gkm/docker/docker-compose.yml`);
+	logger$5.log(`\n✅ Generated ${results.length} Dockerfile(s) + docker-compose.yml`);
+	logger$5.log("\n📋 Build commands:");
+	for (const result of results) {
+		const icon = result.type === "backend" ? "⚙️" : "🌐";
+		logger$5.log(`   ${icon} docker build -f .gkm/docker/Dockerfile.${result.appName} -t ${result.imageName} .`);
+	}
+	logger$5.log("\n📋 Run all services:");
+	logger$5.log("   docker compose -f .gkm/docker/docker-compose.yml up --build");
+	return {
+		apps: results,
+		dockerCompose: composePath,
+		dockerignore: dockerignorePath
+	};
+}
 
 //#endregion
 //#region src/deploy/docker.ts
@@ -2092,8 +3073,8 @@ function getAppNameFromCwd() {
 	const packageJsonPath = join(process.cwd(), "package.json");
 	if (!existsSync(packageJsonPath)) return void 0;
 	try {
-		const pkg = JSON.parse(readFileSync(packageJsonPath, "utf-8"));
-		if (pkg.name) return pkg.name.replace(/^@[^/]+\//, "");
+		const pkg$1 = JSON.parse(readFileSync(packageJsonPath, "utf-8"));
+		if (pkg$1.name) return pkg$1.name.replace(/^@[^/]+\//, "");
 	} catch {}
 	return void 0;
 }
@@ -2109,8 +3090,8 @@ function getAppNameFromPackageJson() {
 	const packageJsonPath = join(projectRoot, "package.json");
 	if (!existsSync(packageJsonPath)) return void 0;
 	try {
-		const pkg = JSON.parse(readFileSync(packageJsonPath, "utf-8"));
-		if (pkg.name) return pkg.name.replace(/^@[^/]+\//, "");
+		const pkg$1 = JSON.parse(readFileSync(packageJsonPath, "utf-8"));
+		if (pkg$1.name) return pkg$1.name.replace(/^@[^/]+\//, "");
 	} catch {}
 	return void 0;
 }
@@ -2583,7 +3564,7 @@ async function provisionServices(api, projectId, environmentId, appName, service
 */
 async function ensureDokploySetup(config$1, dockerConfig, stage, services) {
 	logger$1.log("\n🔧 Checking Dokploy setup...");
-	const { readStageSecrets: readStageSecrets$1 } = await import("./storage-nkGIjeXt.mjs");
+	const { readStageSecrets: readStageSecrets$1 } = await import("./storage-DNj_I11J.mjs");
 	const existingSecrets = await readStageSecrets$1(stage);
 	const existingUrls = {
 		DATABASE_URL: existingSecrets?.urls?.DATABASE_URL,
@@ -2761,94 +3742,335 @@ function generateTag(stage) {
 	return `${stage}-${timestamp}`;
 }
 /**
-* Main deploy command
+* Deploy all apps in a workspace to Dokploy.
+* - Workspace maps to one Dokploy project
+* - Each app maps to one Dokploy application
+* - Deploys in dependency order (backends before dependent frontends)
+* - Syncs environment variables including {APP_NAME}_URL
+* @internal Exported for testing
 */
-async function deployCommand(options) {
-	const { provider, stage, tag, skipPush, skipBuild } = options;
-	logger$1.log(`\n🚀 Deploying to ${provider}...`);
+async function workspaceDeployCommand(workspace, options) {
+	const { provider, stage, tag, skipBuild, apps: selectedApps } = options;
+	if (provider !== "dokploy") throw new Error(`Workspace deployment only supports Dokploy. Got: ${provider}`);
+	logger$1.log(`\n🚀 Deploying workspace "${workspace.name}" to Dokploy...`);
 	logger$1.log(`   Stage: ${stage}`);
-	const config$1 = await loadConfig();
 	const imageTag = tag ?? generateTag(stage);
 	logger$1.log(`   Tag: ${imageTag}`);
-	const dockerConfig = resolveDockerConfig(config$1);
-	const imageName = dockerConfig.imageName;
-	const registry = dockerConfig.registry;
-	const imageRef = registry ? `${registry}/${imageName}:${imageTag}` : `${imageName}:${imageTag}`;
-	let dokployConfig;
-	let finalRegistry = registry;
-	if (provider === "dokploy") {
-		const composeServices = config$1.docker?.compose?.services;
-		logger$1.log(`\n🔍 Docker compose config: ${JSON.stringify(config$1.docker?.compose)}`);
-		const dockerServices = composeServices ? Array.isArray(composeServices) ? {
-			postgres: composeServices.includes("postgres"),
-			redis: composeServices.includes("redis"),
-			rabbitmq: composeServices.includes("rabbitmq")
-		} : {
-			postgres: Boolean(composeServices.postgres),
-			redis: Boolean(composeServices.redis),
-			rabbitmq: Boolean(composeServices.rabbitmq)
-		} : void 0;
-		const setupResult = await ensureDokploySetup(config$1, dockerConfig, stage, dockerServices);
-		dokployConfig = setupResult.config;
-		finalRegistry = dokployConfig.registry ?? dockerConfig.registry;
-		if (setupResult.serviceUrls) {
-			const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1, initStageSecrets } = await import("./storage-nkGIjeXt.mjs");
-			let secrets = await readStageSecrets$1(stage);
-			if (!secrets) {
-				logger$1.log(`   Creating secrets file for stage "${stage}"...`);
-				secrets = initStageSecrets(stage);
-			}
-			let updated = false;
-			const urlFields = [
-				"DATABASE_URL",
-				"REDIS_URL",
-				"RABBITMQ_URL"
-			];
-			for (const [key, value] of Object.entries(setupResult.serviceUrls)) {
-				if (!value) continue;
-				if (urlFields.includes(key)) {
-					const urlKey = key;
-					if (!secrets.urls[urlKey]) {
-						secrets.urls[urlKey] = value;
-						logger$1.log(`   Saved ${key} to secrets.urls`);
-						updated = true;
-					}
-				} else if (!secrets.custom[key]) {
-					secrets.custom[key] = value;
-					logger$1.log(`   Saved ${key} to secrets.custom`);
-					updated = true;
-				}
-			}
-			if (updated) await writeStageSecrets$1(secrets);
+	const buildOrder = getAppBuildOrder(workspace);
+	let appsToDeployNames = buildOrder;
+	if (selectedApps && selectedApps.length > 0) {
+		const invalidApps = selectedApps.filter((name$1) => !workspace.apps[name$1]);
+		if (invalidApps.length > 0) throw new Error(`Unknown apps: ${invalidApps.join(", ")}\nAvailable apps: ${Object.keys(workspace.apps).join(", ")}`);
+		appsToDeployNames = buildOrder.filter((name$1) => selectedApps.includes(name$1));
+		logger$1.log(`   Deploying apps: ${appsToDeployNames.join(", ")}`);
+	} else logger$1.log(`   Deploying all apps: ${appsToDeployNames.join(", ")}`);
+	const dokployApps = appsToDeployNames.filter((name$1) => {
+		const app = workspace.apps[name$1];
+		const target = app.resolvedDeployTarget;
+		if (!isDeployTargetSupported(target)) {
+			logger$1.log(`   ⚠️  Skipping ${name$1}: ${getDeployTargetError(target, name$1)}`);
+			return false;
 		}
+		return true;
+	});
+	if (dokployApps.length === 0) throw new Error("No apps to deploy. All selected apps have unsupported deploy targets.");
+	if (dokployApps.length !== appsToDeployNames.length) {
+		const skipped = appsToDeployNames.filter((name$1) => !dokployApps.includes(name$1));
+		logger$1.log(`   📌 ${skipped.length} app(s) skipped due to unsupported targets`);
 	}
-	let masterKey;
-	if (!skipBuild) {
-		logger$1.log(`\n📦 Building for production...`);
-		const buildResult = await buildCommand({
-			provider: "server",
-			production: true,
-			stage
-		});
-		masterKey = buildResult.masterKey;
-	} else logger$1.log(`\n⏭️  Skipping build (--skip-build)`);
-	let result;
-	switch (provider) {
-		case "docker": {
-			result = await deployDocker({
-				stage,
-				tag: imageTag,
-				skipPush,
-				masterKey,
-				config: dockerConfig
-			});
-			break;
-		}
-		case "dokploy": {
-			if (!dokployConfig) throw new Error("Dokploy config not initialized");
-			const finalImageRef = finalRegistry ? `${finalRegistry}/${imageName}:${imageTag}` : `${imageName}:${imageTag}`;
-			await deployDocker({
-				stage,
+	appsToDeployNames = dokployApps;
+	let creds = await getDokployCredentials();
+	if (!creds) {
+		logger$1.log("\n📋 Dokploy credentials not found. Let's set them up.");
+		const endpoint = await prompt("Dokploy URL (e.g., https://dokploy.example.com): ");
+		const normalizedEndpoint = endpoint.replace(/\/$/, "");
+		try {
+			new URL(normalizedEndpoint);
+		} catch {
+			throw new Error("Invalid URL format");
+		}
+		logger$1.log(`\nGenerate a token at: ${normalizedEndpoint}/settings/profile\n`);
+		const token = await prompt("API Token: ", true);
+		logger$1.log("\nValidating credentials...");
+		const isValid = await validateDokployToken(normalizedEndpoint, token);
+		if (!isValid) throw new Error("Invalid credentials. Please check your token.");
+		await storeDokployCredentials(token, normalizedEndpoint);
+		creds = {
+			token,
+			endpoint: normalizedEndpoint
+		};
+		logger$1.log("✓ Credentials saved");
+	}
+	const api = new DokployApi({
+		baseUrl: creds.endpoint,
+		token: creds.token
+	});
+	logger$1.log("\n📁 Setting up Dokploy project...");
+	const projectName = workspace.name;
+	const projects = await api.listProjects();
+	let project = projects.find((p) => p.name.toLowerCase() === projectName.toLowerCase());
+	let environmentId;
+	if (project) {
+		logger$1.log(`   Found existing project: ${project.name}`);
+		const projectDetails = await api.getProject(project.projectId);
+		const environments = projectDetails.environments ?? [];
+		const matchingEnv = environments.find((e) => e.name.toLowerCase() === stage.toLowerCase());
+		if (matchingEnv) {
+			environmentId = matchingEnv.environmentId;
+			logger$1.log(`   Using environment: ${matchingEnv.name}`);
+		} else {
+			logger$1.log(`   Creating "${stage}" environment...`);
+			const env = await api.createEnvironment(project.projectId, stage);
+			environmentId = env.environmentId;
+			logger$1.log(`   ✓ Created environment: ${stage}`);
+		}
+	} else {
+		logger$1.log(`   Creating project: ${projectName}`);
+		const result = await api.createProject(projectName);
+		project = result.project;
+		if (result.environment.name.toLowerCase() !== stage.toLowerCase()) {
+			logger$1.log(`   Creating "${stage}" environment...`);
+			const env = await api.createEnvironment(project.projectId, stage);
+			environmentId = env.environmentId;
+		} else environmentId = result.environment.environmentId;
+		logger$1.log(`   ✓ Created project: ${project.projectId}`);
+	}
+	logger$1.log("\n🐳 Checking registry...");
+	let registryId = await getDokployRegistryId();
+	const registry = workspace.deploy.dokploy?.registry;
+	if (registryId) try {
+		const reg = await api.getRegistry(registryId);
+		logger$1.log(`   Using registry: ${reg.registryName}`);
+	} catch {
+		logger$1.log("   ⚠ Stored registry not found, clearing...");
+		registryId = void 0;
+		await storeDokployRegistryId("");
+	}
+	if (!registryId) {
+		const registries = await api.listRegistries();
+		if (registries.length > 0) {
+			registryId = registries[0].registryId;
+			await storeDokployRegistryId(registryId);
+			logger$1.log(`   Using registry: ${registries[0].registryName}`);
+		} else if (registry) {
+			logger$1.log("   No registries found in Dokploy. Let's create one.");
+			logger$1.log(`   Registry URL: ${registry}`);
+			const username = await prompt("Registry username: ");
+			const password = await prompt("Registry password/token: ", true);
+			const reg = await api.createRegistry("Default Registry", registry, username, password);
+			registryId = reg.registryId;
+			await storeDokployRegistryId(registryId);
+			logger$1.log(`   ✓ Registry created: ${registryId}`);
+		} else logger$1.log("   ⚠ No registry configured. Set deploy.dokploy.registry in workspace config");
+	}
+	const services = workspace.services;
+	const dockerServices = {
+		postgres: services.db !== void 0 && services.db !== false,
+		redis: services.cache !== void 0 && services.cache !== false
+	};
+	if (dockerServices.postgres || dockerServices.redis) {
+		logger$1.log("\n🔧 Provisioning infrastructure services...");
+		await provisionServices(api, project.projectId, environmentId, workspace.name, dockerServices);
+	}
+	const deployedAppUrls = {};
+	logger$1.log("\n📦 Deploying applications...");
+	const results = [];
+	for (const appName of appsToDeployNames) {
+		const app = workspace.apps[appName];
+		const appPath = app.path;
+		logger$1.log(`\n   ${app.type === "backend" ? "⚙️" : "🌐"} Deploying ${appName}...`);
+		try {
+			const dokployAppName = `${workspace.name}-${appName}`;
+			let application;
+			try {
+				application = await api.createApplication(dokployAppName, project.projectId, environmentId);
+				logger$1.log(`      Created application: ${application.applicationId}`);
+			} catch (error) {
+				const message = error instanceof Error ? error.message : "Unknown error";
+				if (message.includes("already exists") || message.includes("duplicate")) logger$1.log(`      Application already exists`);
+				else throw error;
+			}
+			if (!skipBuild) {
+				logger$1.log(`      Building ${appName}...`);
+				const originalCwd = process.cwd();
+				const fullAppPath = `${workspace.root}/${appPath}`;
+				try {
+					process.chdir(fullAppPath);
+					await buildCommand({
+						provider: "server",
+						production: true,
+						stage
+					});
+				} finally {
+					process.chdir(originalCwd);
+				}
+			}
+			const imageName = `${workspace.name}-${appName}`;
+			const imageRef = registry ? `${registry}/${imageName}:${imageTag}` : `${imageName}:${imageTag}`;
+			logger$1.log(`      Building Docker image: ${imageRef}`);
+			await deployDocker({
+				stage,
+				tag: imageTag,
+				skipPush: false,
+				config: {
+					registry,
+					imageName
+				}
+			});
+			const envVars = [`NODE_ENV=production`, `PORT=${app.port}`];
+			for (const dep of app.dependencies) {
+				const depUrl = deployedAppUrls[dep];
+				if (depUrl) envVars.push(`${dep.toUpperCase()}_URL=${depUrl}`);
+			}
+			if (app.type === "backend") {
+				if (dockerServices.postgres) envVars.push(`DATABASE_URL=\${DATABASE_URL:-postgresql://postgres:postgres@${workspace.name}-db:5432/app}`);
+				if (dockerServices.redis) envVars.push(`REDIS_URL=\${REDIS_URL:-redis://${workspace.name}-cache:6379}`);
+			}
+			if (application) {
+				await api.saveDockerProvider(application.applicationId, imageRef, { registryId });
+				await api.saveApplicationEnv(application.applicationId, envVars.join("\n"));
+				logger$1.log(`      Deploying to Dokploy...`);
+				await api.deployApplication(application.applicationId);
+				const appUrl = `http://${dokployAppName}:${app.port}`;
+				deployedAppUrls[appName] = appUrl;
+				results.push({
+					appName,
+					type: app.type,
+					success: true,
+					applicationId: application.applicationId,
+					imageRef
+				});
+				logger$1.log(`      ✓ ${appName} deployed successfully`);
+			} else {
+				const appUrl = `http://${dokployAppName}:${app.port}`;
+				deployedAppUrls[appName] = appUrl;
+				results.push({
+					appName,
+					type: app.type,
+					success: true,
+					imageRef
+				});
+				logger$1.log(`      ✓ ${appName} image pushed (app already exists)`);
+			}
+		} catch (error) {
+			const message = error instanceof Error ? error.message : "Unknown error";
+			logger$1.log(`      ✗ Failed to deploy ${appName}: ${message}`);
+			results.push({
+				appName,
+				type: app.type,
+				success: false,
+				error: message
+			});
+		}
+	}
+	const successCount = results.filter((r) => r.success).length;
+	const failedCount = results.filter((r) => !r.success).length;
+	logger$1.log(`\n${"─".repeat(50)}`);
+	logger$1.log(`\n✅ Workspace deployment complete!`);
+	logger$1.log(`   Project: ${project.projectId}`);
+	logger$1.log(`   Successful: ${successCount}`);
+	if (failedCount > 0) logger$1.log(`   Failed: ${failedCount}`);
+	return {
+		apps: results,
+		projectId: project.projectId,
+		successCount,
+		failedCount
+	};
+}
+/**
+* Main deploy command
+*/
+async function deployCommand(options) {
+	const { provider, stage, tag, skipPush, skipBuild } = options;
+	const loadedConfig = await loadWorkspaceConfig();
+	if (loadedConfig.type === "workspace") {
+		logger$1.log("📦 Detected workspace configuration");
+		return workspaceDeployCommand(loadedConfig.workspace, options);
+	}
+	logger$1.log(`\n🚀 Deploying to ${provider}...`);
+	logger$1.log(`   Stage: ${stage}`);
+	const config$1 = await loadConfig();
+	const imageTag = tag ?? generateTag(stage);
+	logger$1.log(`   Tag: ${imageTag}`);
+	const dockerConfig = resolveDockerConfig(config$1);
+	const imageName = dockerConfig.imageName;
+	const registry = dockerConfig.registry;
+	const imageRef = registry ? `${registry}/${imageName}:${imageTag}` : `${imageName}:${imageTag}`;
+	let dokployConfig;
+	let finalRegistry = registry;
+	if (provider === "dokploy") {
+		const composeServices = config$1.docker?.compose?.services;
+		logger$1.log(`\n🔍 Docker compose config: ${JSON.stringify(config$1.docker?.compose)}`);
+		const dockerServices = composeServices ? Array.isArray(composeServices) ? {
+			postgres: composeServices.includes("postgres"),
+			redis: composeServices.includes("redis"),
+			rabbitmq: composeServices.includes("rabbitmq")
+		} : {
+			postgres: Boolean(composeServices.postgres),
+			redis: Boolean(composeServices.redis),
+			rabbitmq: Boolean(composeServices.rabbitmq)
+		} : void 0;
+		const setupResult = await ensureDokploySetup(config$1, dockerConfig, stage, dockerServices);
+		dokployConfig = setupResult.config;
+		finalRegistry = dokployConfig.registry ?? dockerConfig.registry;
+		if (setupResult.serviceUrls) {
+			const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1, initStageSecrets } = await import("./storage-DNj_I11J.mjs");
+			let secrets = await readStageSecrets$1(stage);
+			if (!secrets) {
+				logger$1.log(`   Creating secrets file for stage "${stage}"...`);
+				secrets = initStageSecrets(stage);
+			}
+			let updated = false;
+			const urlFields = [
+				"DATABASE_URL",
+				"REDIS_URL",
+				"RABBITMQ_URL"
+			];
+			for (const [key, value] of Object.entries(setupResult.serviceUrls)) {
+				if (!value) continue;
+				if (urlFields.includes(key)) {
+					const urlKey = key;
+					if (!secrets.urls[urlKey]) {
+						secrets.urls[urlKey] = value;
+						logger$1.log(`   Saved ${key} to secrets.urls`);
+						updated = true;
+					}
+				} else if (!secrets.custom[key]) {
+					secrets.custom[key] = value;
+					logger$1.log(`   Saved ${key} to secrets.custom`);
+					updated = true;
+				}
+			}
+			if (updated) await writeStageSecrets$1(secrets);
+		}
+	}
+	let masterKey;
+	if (!skipBuild) {
+		logger$1.log(`\n📦 Building for production...`);
+		const buildResult = await buildCommand({
+			provider: "server",
+			production: true,
+			stage
+		});
+		masterKey = buildResult.masterKey;
+	} else logger$1.log(`\n⏭️  Skipping build (--skip-build)`);
+	let result;
+	switch (provider) {
+		case "docker": {
+			result = await deployDocker({
+				stage,
+				tag: imageTag,
+				skipPush,
+				masterKey,
+				config: dockerConfig
+			});
+			break;
+		}
+		case "dokploy": {
+			if (!dokployConfig) throw new Error("Dokploy config not initialized");
+			const finalImageRef = finalRegistry ? `${finalRegistry}/${imageName}:${imageTag}` : `${imageName}:${imageTag}`;
+			await deployDocker({
+				stage,
 				tag: imageTag,
 				skipPush: false,
 				masterKey,
@@ -2875,10 +4097,361 @@ async function deployCommand(options) {
 			};
 			break;
 		}
-		default: throw new Error(`Unknown deploy provider: ${provider}\nSupported providers: docker, dokploy, aws-lambda`);
-	}
-	logger$1.log("\n✅ Deployment complete!");
-	return result;
+		default: throw new Error(`Unknown deploy provider: ${provider}\nSupported providers: docker, dokploy, aws-lambda`);
+	}
+	logger$1.log("\n✅ Deployment complete!");
+	return result;
+}
+
+//#endregion
+//#region src/secrets/generator.ts
+/**
+* Generate a secure random password using URL-safe base64 characters.
+* @param length Password length (default: 32)
+*/
+function generateSecurePassword(length = 32) {
+	return randomBytes(Math.ceil(length * 3 / 4)).toString("base64url").slice(0, length);
+}
+/** Default service configurations */
+const SERVICE_DEFAULTS = {
+	postgres: {
+		host: "postgres",
+		port: 5432,
+		username: "app",
+		database: "app"
+	},
+	redis: {
+		host: "redis",
+		port: 6379,
+		username: "default"
+	},
+	rabbitmq: {
+		host: "rabbitmq",
+		port: 5672,
+		username: "app",
+		vhost: "/"
+	}
+};
+/**
+* Generate credentials for a specific service.
+*/
+function generateServiceCredentials(service) {
+	const defaults = SERVICE_DEFAULTS[service];
+	return {
+		...defaults,
+		password: generateSecurePassword()
+	};
+}
+/**
+* Generate credentials for multiple services.
+*/
+function generateServicesCredentials(services) {
+	const result = {};
+	for (const service of services) result[service] = generateServiceCredentials(service);
+	return result;
+}
+/**
+* Generate connection URL for PostgreSQL.
+*/
+function generatePostgresUrl(creds) {
+	const { username, password, host, port, database } = creds;
+	return `postgresql://${username}:${encodeURIComponent(password)}@${host}:${port}/${database}`;
+}
+/**
+* Generate connection URL for Redis.
+*/
+function generateRedisUrl(creds) {
+	const { password, host, port } = creds;
+	return `redis://:${encodeURIComponent(password)}@${host}:${port}`;
+}
+/**
+* Generate connection URL for RabbitMQ.
+*/
+function generateRabbitmqUrl(creds) {
+	const { username, password, host, port, vhost } = creds;
+	const encodedVhost = encodeURIComponent(vhost ?? "/");
+	return `amqp://${username}:${encodeURIComponent(password)}@${host}:${port}/${encodedVhost}`;
+}
+/**
+* Generate connection URLs from service credentials.
+*/
+function generateConnectionUrls(services) {
+	const urls = {};
+	if (services.postgres) urls.DATABASE_URL = generatePostgresUrl(services.postgres);
+	if (services.redis) urls.REDIS_URL = generateRedisUrl(services.redis);
+	if (services.rabbitmq) urls.RABBITMQ_URL = generateRabbitmqUrl(services.rabbitmq);
+	return urls;
+}
+/**
+* Create a new StageSecrets object with generated credentials.
+*/
+function createStageSecrets(stage, services) {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	const serviceCredentials = generateServicesCredentials(services);
+	const urls = generateConnectionUrls(serviceCredentials);
+	return {
+		stage,
+		createdAt: now,
+		updatedAt: now,
+		services: serviceCredentials,
+		urls,
+		custom: {}
+	};
+}
+/**
+* Rotate password for a specific service.
+*/
+function rotateServicePassword(secrets, service) {
+	const currentCreds = secrets.services[service];
+	if (!currentCreds) throw new Error(`Service "${service}" not configured in secrets`);
+	const newCreds = {
+		...currentCreds,
+		password: generateSecurePassword()
+	};
+	const newServices = {
+		...secrets.services,
+		[service]: newCreds
+	};
+	return {
+		...secrets,
+		updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+		services: newServices,
+		urls: generateConnectionUrls(newServices)
+	};
+}
+
+//#endregion
+//#region src/init/versions.ts
+const require$1 = createRequire(import.meta.url);
+const pkg = require$1("../package.json");
+/**
+* CLI version from package.json (used for scaffolded projects)
+*/
+const CLI_VERSION = `~${pkg.version}`;
+/**
+* Current released versions of @geekmidas packages
+* Update these when publishing new versions
+* Note: CLI version is read from package.json via CLI_VERSION
+*/
+const GEEKMIDAS_VERSIONS = {
+	"@geekmidas/audit": "~0.2.0",
+	"@geekmidas/auth": "~0.2.0",
+	"@geekmidas/cache": "~0.2.0",
+	"@geekmidas/cli": CLI_VERSION,
+	"@geekmidas/client": "~0.5.0",
+	"@geekmidas/cloud": "~0.2.0",
+	"@geekmidas/constructs": "~0.6.0",
+	"@geekmidas/db": "~0.3.0",
+	"@geekmidas/emailkit": "~0.2.0",
+	"@geekmidas/envkit": "~0.4.0",
+	"@geekmidas/errors": "~0.1.0",
+	"@geekmidas/events": "~0.2.0",
+	"@geekmidas/logger": "~0.4.0",
+	"@geekmidas/rate-limit": "~0.3.0",
+	"@geekmidas/schema": "~0.1.0",
+	"@geekmidas/services": "~0.2.0",
+	"@geekmidas/storage": "~0.1.0",
+	"@geekmidas/studio": "~0.4.0",
+	"@geekmidas/telescope": "~0.4.0",
+	"@geekmidas/testkit": "~0.6.0"
+};
+
+//#endregion
+//#region src/init/generators/auth.ts
+/**
+* Generate auth app files for fullstack template
+* Uses better-auth with magic link authentication
+*/
+function generateAuthAppFiles(options) {
+	if (!options.monorepo || options.template !== "fullstack") return [];
+	const packageName = `@${options.name}/auth`;
+	const modelsPackage = `@${options.name}/models`;
+	const packageJson = {
+		name: packageName,
+		version: "0.0.1",
+		private: true,
+		type: "module",
+		scripts: {
+			dev: "tsx watch src/index.ts",
+			build: "tsc",
+			start: "node dist/index.js",
+			typecheck: "tsc --noEmit"
+		},
+		dependencies: {
+			[modelsPackage]: "workspace:*",
+			"@geekmidas/envkit": GEEKMIDAS_VERSIONS["@geekmidas/envkit"],
+			"@geekmidas/logger": GEEKMIDAS_VERSIONS["@geekmidas/logger"],
+			"@hono/node-server": "~1.13.0",
+			"better-auth": "~1.2.0",
+			hono: "~4.8.0",
+			kysely: "~0.27.0",
+			pg: "~8.13.0"
+		},
+		devDependencies: {
+			"@types/node": "~22.0.0",
+			"@types/pg": "~8.11.0",
+			tsx: "~4.20.0",
+			typescript: "~5.8.2"
+		}
+	};
+	const tsConfig = {
+		extends: "../../tsconfig.json",
+		compilerOptions: {
+			noEmit: true,
+			baseUrl: ".",
+			paths: { [`@${options.name}/*`]: ["../../packages/*/src"] }
+		},
+		include: ["src/**/*.ts"],
+		exclude: ["node_modules", "dist"]
+	};
+	const envTs = `import { Credentials } from '@geekmidas/envkit/credentials';
+import { EnvironmentParser } from '@geekmidas/envkit';
+
+export const envParser = new EnvironmentParser({ ...process.env, ...Credentials });
+
+// Global config - only minimal shared values
+// Service-specific config should be parsed where needed
+export const config = envParser
+  .create((get) => ({
+    nodeEnv: get('NODE_ENV').enum(['development', 'test', 'production']).default('development'),
+    stage: get('STAGE').enum(['development', 'staging', 'production']).default('development'),
+  }))
+  .parse();
+`;
+	const loggerTs = `import { createLogger } from '@geekmidas/logger/${options.loggerType}';
+
+export const logger = createLogger();
+`;
+	const authTs = `import { betterAuth } from 'better-auth';
+import { magicLink } from 'better-auth/plugins';
+import { Pool } from 'pg';
+import { envParser } from './config/env.js';
+import { logger } from './config/logger.js';
+
+// Parse auth-specific config (no defaults - values from secrets)
+const authConfig = envParser
+  .create((get) => ({
+    databaseUrl: get('DATABASE_URL').string(),
+    baseUrl: get('BETTER_AUTH_URL').string(),
+    trustedOrigins: get('BETTER_AUTH_TRUSTED_ORIGINS').string(),
+    secret: get('BETTER_AUTH_SECRET').string(),
+  }))
+  .parse();
+
+export const auth = betterAuth({
+  database: new Pool({
+    connectionString: authConfig.databaseUrl,
+  }),
+  baseURL: authConfig.baseUrl,
+  trustedOrigins: authConfig.trustedOrigins.split(','),
+  secret: authConfig.secret,
+  plugins: [
+    magicLink({
+      sendMagicLink: async ({ email, url }) => {
+        // TODO: Implement email sending using @geekmidas/emailkit
+        // For development, log the magic link
+        logger.info({ email, url }, 'Magic link generated');
+        console.log('\\n================================');
+        console.log('MAGIC LINK FOR:', email);
+        console.log(url);
+        console.log('================================\\n');
+      },
+      expiresIn: 300, // 5 minutes
+    }),
+  ],
+  emailAndPassword: {
+    enabled: false, // Only magic link for now
+  },
+});
+
+export type Auth = typeof auth;
+`;
+	const indexTs = `import { Hono } from 'hono';
+import { cors } from 'hono/cors';
+import { serve } from '@hono/node-server';
+import { auth } from './auth.js';
+import { envParser } from './config/env.js';
+import { logger } from './config/logger.js';
+
+// Parse server config (no defaults - values from secrets)
+const serverConfig = envParser
+  .create((get) => ({
+    port: get('PORT').string().transform(Number),
+    trustedOrigins: get('BETTER_AUTH_TRUSTED_ORIGINS').string(),
+  }))
+  .parse();
+
+const app = new Hono();
+
+// CORS must be registered before routes
+app.use(
+  '/api/auth/*',
+  cors({
+    origin: serverConfig.trustedOrigins.split(','),
+    allowHeaders: ['Content-Type', 'Authorization'],
+    allowMethods: ['POST', 'GET', 'OPTIONS'],
+    credentials: true,
+  }),
+);
+
+// Health check endpoint
+app.get('/health', (c) => {
+  return c.json({
+    status: 'ok',
+    service: 'auth',
+    timestamp: new Date().toISOString(),
+  });
+});
+
+// Mount better-auth handler
+app.on(['POST', 'GET'], '/api/auth/*', (c) => {
+  return auth.handler(c.req.raw);
+});
+
+logger.info({ port: serverConfig.port }, 'Starting auth server');
+
+serve({
+  fetch: app.fetch,
+  port: serverConfig.port,
+}, (info) => {
+  logger.info({ port: info.port }, 'Auth server running');
+});
+`;
+	const gitignore = `node_modules/
+dist/
+.env.local
+*.log
+`;
+	return [
+		{
+			path: "apps/auth/package.json",
+			content: `${JSON.stringify(packageJson, null, 2)}\n`
+		},
+		{
+			path: "apps/auth/tsconfig.json",
+			content: `${JSON.stringify(tsConfig, null, 2)}\n`
+		},
+		{
+			path: "apps/auth/src/config/env.ts",
+			content: envTs
+		},
+		{
+			path: "apps/auth/src/config/logger.ts",
+			content: loggerTs
+		},
+		{
+			path: "apps/auth/src/auth.ts",
+			content: authTs
+		},
+		{
+			path: "apps/auth/src/index.ts",
+			content: indexTs
+		},
+		{
+			path: "apps/auth/.gitignore",
+			content: gitignore
+		}
+	];
 }
 
 //#endregion
@@ -2890,6 +4463,7 @@ function generateConfigFiles(options, template) {
 	const { telescope, studio, routesStructure } = options;
 	const isServerless = template.name === "serverless";
 	const hasWorker = template.name === "worker";
+	const isFullstack = options.template === "fullstack";
 	const getRoutesGlob = () => {
 		switch (routesStructure) {
 			case "centralized-endpoints": return "./src/endpoints/**/*.ts";
@@ -2897,6 +4471,14 @@ function generateConfigFiles(options, template) {
 			case "domain-based": return "./src/**/routes/*.ts";
 		}
 	};
+	if (isFullstack) return generateSingleAppConfigFiles(options, template, {
+		telescope,
+		studio,
+		routesStructure,
+		isServerless,
+		hasWorker,
+		getRoutesGlob
+	});
 	let gkmConfig = `import { defineConfig } from '@geekmidas/cli/config';
 
 export default defineConfig({
@@ -2925,8 +4507,7 @@ export default defineConfig({
 	const tsConfig = options.monorepo ? {
 		extends: "../../tsconfig.json",
 		compilerOptions: {
-			outDir: "./dist",
-			rootDir: "./src",
+			noEmit: true,
 			baseUrl: ".",
 			paths: { [`@${options.name}/*`]: ["../../packages/*/src"] }
 		},
@@ -2959,7 +4540,7 @@ export default defineConfig({
 		content: `${JSON.stringify(tsConfig, null, 2)}\n`
 	}];
 	const biomeConfig = {
-		$schema: "https://biomejs.dev/schemas/1.9.4/schema.json",
+		$schema: "https://biomejs.dev/schemas/2.3.0/schema.json",
 		vcs: {
 			enabled: true,
 			clientKind: "git",
@@ -3042,23 +4623,46 @@ export default defineConfig({
 		}
 	];
 }
+function generateSingleAppConfigFiles(options, _template, _helpers) {
+	const tsConfig = {
+		extends: "../../tsconfig.json",
+		compilerOptions: {
+			noEmit: true,
+			baseUrl: ".",
+			paths: { [`@${options.name}/*`]: ["../../packages/*/src"] }
+		},
+		include: ["src/**/*.ts"],
+		exclude: ["node_modules", "dist"]
+	};
+	return [{
+		path: "tsconfig.json",
+		content: `${JSON.stringify(tsConfig, null, 2)}\n`
+	}];
+}
 
 //#endregion
 //#region src/init/generators/docker.ts
 /**
 * Generate docker-compose.yml based on template and options
 */
-function generateDockerFiles(options, template) {
+function generateDockerFiles(options, template, dbApps) {
 	const { database } = options;
 	const isServerless = template.name === "serverless";
 	const hasWorker = template.name === "worker";
+	const isFullstack = options.template === "fullstack";
 	const services = [];
 	const volumes = [];
+	const files = [];
 	if (database) {
+		const initVolume = isFullstack && dbApps?.length ? `
+      - ./docker/postgres/init.sh:/docker-entrypoint-initdb.d/init.sh:ro` : "";
+		const envFile = isFullstack && dbApps?.length ? `
+    env_file:
+      - ./docker/.env` : "";
 		services.push(`  postgres:
     image: postgres:16-alpine
     container_name: ${options.name}-postgres
-    restart: unless-stopped
+    restart: unless-stopped${envFile}
     environment:
       POSTGRES_USER: postgres
       POSTGRES_PASSWORD: postgres
@@ -3066,13 +4670,23 @@ function generateDockerFiles(options, template) {
     ports:
       - '5432:5432'
     volumes:
-      - postgres_data:/var/lib/postgresql/data
+      - postgres_data:/var/lib/postgresql/data${initVolume}
     healthcheck:
       test: ['CMD-SHELL', 'pg_isready -U postgres']
       interval: 5s
       timeout: 5s
       retries: 5`);
 		volumes.push("  postgres_data:");
+		if (isFullstack && dbApps?.length) {
+			files.push({
+				path: "docker/postgres/init.sh",
+				content: generatePostgresInitScript(dbApps)
+			});
+			files.push({
+				path: "docker/.env",
+				content: generateDockerEnv(dbApps)
+			});
+		}
 	}
 	if (isServerless) {
 		services.push(`  redis:
@@ -3148,105 +4762,85 @@ ${services.join("\n\n")}
 volumes:
 ${volumes.join("\n")}
 `;
-	return [{
+	files.push({
 		path: "docker-compose.yml",
 		content: dockerCompose
-	}];
+	});
+	return files;
 }
-
-//#endregion
-//#region src/init/generators/env.ts
 /**
-* Generate environment files (.env, .env.example, .env.development, .env.test, .gitignore)
+* Generate .env file for docker-compose with database passwords
 */
-function generateEnvFiles(options, template) {
-	const { database } = options;
-	const isServerless = template.name === "serverless";
-	const hasWorker = template.name === "worker";
-	let baseEnv = `# Application
-NODE_ENV=development
-PORT=3000
-LOG_LEVEL=info
-`;
-	if (isServerless) baseEnv = `# AWS
-STAGE=dev
-AWS_REGION=us-east-1
-LOG_LEVEL=info
-`;
-	if (database) baseEnv += `
-# Database
-DATABASE_URL=postgresql://user:password@localhost:5432/mydb
-`;
-	if (hasWorker) baseEnv += `
-# Message Queue
-RABBITMQ_URL=amqp://localhost:5672
-`;
-	baseEnv += `
-# Authentication
-JWT_SECRET=your-secret-key-change-in-production
-`;
-	let devEnv = `# Development Environment
-NODE_ENV=development
-PORT=3000
-LOG_LEVEL=debug
-`;
-	if (isServerless) devEnv = `# Development Environment
-STAGE=dev
-AWS_REGION=us-east-1
-LOG_LEVEL=debug
-`;
-	if (database) devEnv += `
-# Database
-DATABASE_URL=postgresql://postgres:postgres@localhost:5432/mydb_dev
-`;
-	if (hasWorker) devEnv += `
-# Message Queue
-RABBITMQ_URL=amqp://localhost:5672
-`;
-	devEnv += `
-# Authentication
-JWT_SECRET=dev-secret-not-for-production
-`;
-	let testEnv = `# Test Environment
-NODE_ENV=test
-PORT=3001
-LOG_LEVEL=error
-`;
-	if (isServerless) testEnv = `# Test Environment
-STAGE=test
-AWS_REGION=us-east-1
-LOG_LEVEL=error
+function generateDockerEnv(apps) {
+	const envVars = apps.map((app) => {
+		const envVar = `${app.name.toUpperCase()}_DB_PASSWORD`;
+		return `${envVar}=${app.password}`;
+	});
+	return `# Auto-generated docker environment file
+# Contains database passwords for docker-compose postgres init
+# This file is gitignored - do not commit to version control
+${envVars.join("\n")}
 `;
-	if (database) testEnv += `
-# Database
-DATABASE_URL=postgresql://postgres:postgres@localhost:5432/mydb_test
+}
+/**
+* Generate PostgreSQL init shell script that creates per-app users with separate schemas
+* Uses environment variables for passwords (more secure than hardcoded values)
+* - api user: uses public schema
+* - auth user: uses auth schema with search_path=auth
+*/
+function generatePostgresInitScript(apps) {
+	const userCreations = apps.map((app) => {
+		const userName = app.name.replace(/-/g, "_");
+		const envVar = `${app.name.toUpperCase()}_DB_PASSWORD`;
+		const isApi = app.name === "api";
+		const schemaName = isApi ? "public" : userName;
+		if (isApi) return `
+# Create ${app.name} user (uses public schema)
+echo "Creating user ${userName}..."
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+    CREATE USER ${userName} WITH PASSWORD '$${envVar}';
+    GRANT ALL ON SCHEMA public TO ${userName};
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO ${userName};
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO ${userName};
+EOSQL
 `;
-	if (hasWorker) testEnv += `
-# Message Queue
-RABBITMQ_URL=amqp://localhost:5672
+		return `
+# Create ${app.name} user with dedicated schema
+echo "Creating user ${userName} with schema ${schemaName}..."
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+    CREATE USER ${userName} WITH PASSWORD '$${envVar}';
+    CREATE SCHEMA ${schemaName} AUTHORIZATION ${userName};
+    ALTER USER ${userName} SET search_path TO ${schemaName};
+    GRANT USAGE ON SCHEMA ${schemaName} TO ${userName};
+    GRANT ALL ON ALL TABLES IN SCHEMA ${schemaName} TO ${userName};
+    GRANT ALL ON ALL SEQUENCES IN SCHEMA ${schemaName} TO ${userName};
+    ALTER DEFAULT PRIVILEGES IN SCHEMA ${schemaName} GRANT ALL ON TABLES TO ${userName};
+    ALTER DEFAULT PRIVILEGES IN SCHEMA ${schemaName} GRANT ALL ON SEQUENCES TO ${userName};
+EOSQL
 `;
-	testEnv += `
-# Authentication
-JWT_SECRET=test-secret-not-for-production
+	});
+	return `#!/bin/bash
+set -e
+
+# Auto-generated PostgreSQL init script
+# Creates per-app users with separate schemas in a single database
+# - api: uses public schema
+# - auth: uses auth schema (search_path=auth)
+${userCreations.join("\n")}
+echo "Database initialization complete!"
 `;
-	const files = [
-		{
-			path: ".env.example",
-			content: baseEnv
-		},
-		{
-			path: ".env",
-			content: baseEnv
-		},
-		{
-			path: ".env.development",
-			content: devEnv
-		},
-		{
-			path: ".env.test",
-			content: testEnv
-		}
-	];
+}
+
+//#endregion
+//#region src/init/generators/env.ts
+/**
+* Generate environment-related files (.gitignore only).
+* Note: .env files are no longer generated. Use `gkm secrets:init` to initialize
+* encrypted secrets stored in `.gkm/secrets/{stage}.json` with keys stored at
+* `~/.gkm/{project-name}/{stage}.key`.
+*/
+function generateEnvFiles(options, _template) {
+	const files = [];
 	if (!options.monorepo) {
 		const gitignore = `# Dependencies
 node_modules/
@@ -3255,7 +4849,7 @@ node_modules/
 dist/
 .gkm/
 
-# Environment
+# Environment (legacy - use gkm secrets instead)
 .env
 .env.local
 .env.*.local
@@ -3324,6 +4918,8 @@ function generateModelsPackage(options) {
 	const tsConfig = {
 		extends: "../../tsconfig.json",
 		compilerOptions: {
+			declaration: true,
+			declarationMap: true,
 			outDir: "./dist",
 			rootDir: "./src"
 		},
@@ -3410,23 +5006,27 @@ export type UpdateUser = z.infer<typeof updateUserSchema>;
 */
 function generateMonorepoFiles(options, _template) {
 	if (!options.monorepo) return [];
+	const isFullstack = options.template === "fullstack";
 	const rootPackageJson = {
 		name: options.name,
 		version: "0.0.1",
 		private: true,
 		type: "module",
+		packageManager: "pnpm@10.13.1",
 		scripts: {
-			dev: "turbo dev",
-			build: "turbo build",
-			test: "turbo test",
-			"test:once": "turbo test:once",
+			dev: isFullstack ? "gkm dev" : "turbo dev",
+			build: isFullstack ? "gkm build" : "turbo build",
+			test: isFullstack ? "gkm test" : "turbo test",
+			"test:once": isFullstack ? "gkm test --run" : "turbo test:once",
 			typecheck: "turbo typecheck",
 			lint: "biome lint .",
 			fmt: "biome format . --write",
-			"fmt:check": "biome format ."
+			"fmt:check": "biome format .",
+			...options.deployTarget === "dokploy" ? { deploy: "gkm deploy --provider dokploy --stage production" } : {}
 		},
 		devDependencies: {
-			"@biomejs/biome": "~1.9.4",
+			"@biomejs/biome": "~2.3.0",
+			"@geekmidas/cli": GEEKMIDAS_VERSIONS["@geekmidas/cli"],
 			turbo: "~2.3.0",
 			typescript: "~5.8.2",
 			vitest: "~4.0.0"
@@ -3439,7 +5039,7 @@ function generateMonorepoFiles(options, _template) {
   - 'packages/*'
 `;
 	const biomeConfig = {
-		$schema: "https://biomejs.dev/schemas/1.9.4/schema.json",
+		$schema: "https://biomejs.dev/schemas/2.3.0/schema.json",
 		vcs: {
 			enabled: true,
 			clientKind: "git",
@@ -3514,6 +5114,7 @@ dist/
 .env
 .env.local
 .env.*.local
+docker/.env
 
 # IDE
 .idea/
@@ -3550,14 +5151,27 @@ coverage/
 			esModuleInterop: true,
 			skipLibCheck: true,
 			forceConsistentCasingInFileNames: true,
-			resolveJsonModule: true,
-			declaration: true,
-			declarationMap: true,
-			composite: true
+			resolveJsonModule: true
 		},
 		exclude: ["node_modules", "dist"]
 	};
-	return [
+	const vitestConfig = `import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    environment: 'node',
+    include: ['apps/**/*.{test,spec}.ts', 'packages/**/*.{test,spec}.ts'],
+    exclude: ['**/node_modules/**', '**/dist/**'],
+    coverage: {
+      provider: 'v8',
+      reporter: ['text', 'json', 'html'],
+      exclude: ['**/node_modules/**', '**/dist/**', '**/*.d.ts'],
+    },
+  },
+});
+`;
+	const files = [
 		{
 			path: "package.json",
 			content: `${JSON.stringify(rootPackageJson, null, 2)}\n`
@@ -3578,11 +5192,100 @@ coverage/
 			path: "turbo.json",
 			content: `${JSON.stringify(turboConfig, null, 2)}\n`
 		},
+		{
+			path: "vitest.config.ts",
+			content: vitestConfig
+		},
 		{
 			path: ".gitignore",
 			content: gitignore
 		}
 	];
+	if (isFullstack) files.push({
+		path: "gkm.config.ts",
+		content: generateWorkspaceConfig(options)
+	});
+	return files;
+}
+/**
+* Generate gkm.config.ts with defineWorkspace for fullstack template
+*/
+function generateWorkspaceConfig(options) {
+	const { telescope, services, deployTarget, routesStructure } = options;
+	const getRoutesGlob = () => {
+		switch (routesStructure) {
+			case "centralized-endpoints": return "./src/endpoints/**/*.ts";
+			case "centralized-routes": return "./src/routes/**/*.ts";
+			case "domain-based": return "./src/**/routes/*.ts";
+		}
+	};
+	let config$1 = `import { defineWorkspace } from '@geekmidas/cli/config';
+
+export default defineWorkspace({
+  name: '${options.name}',
+  apps: {
+    api: {
+      type: 'backend',
+      path: 'apps/api',
+      port: 3000,
+      routes: '${getRoutesGlob()}',
+      envParser: './src/config/env#envParser',
+      logger: './src/config/logger#logger',`;
+	if (telescope) config$1 += `
+      telescope: {
+        enabled: true,
+        path: '/__telescope',
+      },`;
+	config$1 += `
+      openapi: {
+        enabled: true,
+      },
+    },
+    auth: {
+      type: 'backend',
+      path: 'apps/auth',
+      port: 3002,
+      envParser: './src/config/env#envParser',
+      logger: './src/config/logger#logger',
+    },
+    web: {
+      type: 'frontend',
+      framework: 'nextjs',
+      path: 'apps/web',
+      port: 3001,
+      dependencies: ['api', 'auth'],
+      client: {
+        output: './src/api',
+      },
+    },
+  },
+  shared: {
+    packages: ['packages/*'],
+    models: {
+      path: 'packages/models',
+      schema: 'zod',
+    },
+  },`;
+	if (services.db || services.cache || services.mail) {
+		config$1 += `
+  services: {`;
+		if (services.db) config$1 += `
+    db: true,`;
+		if (services.cache) config$1 += `
+    cache: true,`;
+		if (services.mail) config$1 += `
+    mail: true,`;
+		config$1 += `
+  },`;
+	}
+	if (deployTarget === "dokploy") config$1 += `
+  deploy: {
+    default: 'dokploy',
+  },`;
+	config$1 += `
+});
+`;
+	return config$1;
 }
 
 //#endregion
@@ -3591,18 +5294,18 @@ const apiTemplate = {
 	name: "api",
 	description: "Full API with auth, database, services",
 	dependencies: {
-		"@geekmidas/constructs": "workspace:*",
-		"@geekmidas/envkit": "workspace:*",
-		"@geekmidas/logger": "workspace:*",
-		"@geekmidas/services": "workspace:*",
-		"@geekmidas/errors": "workspace:*",
-		"@geekmidas/auth": "workspace:*",
+		"@geekmidas/constructs": GEEKMIDAS_VERSIONS["@geekmidas/constructs"],
+		"@geekmidas/envkit": GEEKMIDAS_VERSIONS["@geekmidas/envkit"],
+		"@geekmidas/logger": GEEKMIDAS_VERSIONS["@geekmidas/logger"],
+		"@geekmidas/services": GEEKMIDAS_VERSIONS["@geekmidas/services"],
+		"@geekmidas/errors": GEEKMIDAS_VERSIONS["@geekmidas/errors"],
+		"@geekmidas/auth": GEEKMIDAS_VERSIONS["@geekmidas/auth"],
 		hono: "~4.8.2",
 		pino: "~9.6.0"
 	},
 	devDependencies: {
-		"@biomejs/biome": "~1.9.4",
-		"@geekmidas/cli": "workspace:*",
+		"@biomejs/biome": "~2.3.0",
+		"@geekmidas/cli": GEEKMIDAS_VERSIONS["@geekmidas/cli"],
 		"@types/node": "~22.0.0",
 		tsx: "~4.20.0",
 		turbo: "~2.3.0",
@@ -3639,18 +5342,17 @@ export const logger = createLogger();
 		const files = [
 			{
 				path: "src/config/env.ts",
-				content: `import { EnvironmentParser } from '@geekmidas/envkit';
+				content: `import { Credentials } from '@geekmidas/envkit/credentials';
+import { EnvironmentParser } from '@geekmidas/envkit';
 
-export const envParser = new EnvironmentParser(process.env);
+export const envParser = new EnvironmentParser({ ...process.env, ...Credentials });
 
+// Global config - only minimal shared values
+// Service-specific config should be parsed in each service
 export const config = envParser
   .create((get) => ({
-    port: get('PORT').string().transform(Number).default(3000),
-    nodeEnv: get('NODE_ENV').string().default('development'),
-    jwtSecret: get('JWT_SECRET').string().default('change-me-in-production'),${options.database ? `
-    database: {
-      url: get('DATABASE_URL').string().default('postgresql://localhost:5432/mydb'),
-    },` : ""}
+    nodeEnv: get('NODE_ENV').enum(['development', 'test', 'production']).default('development'),
+    stage: get('STAGE').enum(['development', 'staging', 'production']).default('development'),
   }))
   .parse();
 `
@@ -3663,7 +5365,7 @@ export const config = envParser
 				path: getRoutePath("health.ts"),
 				content: `import { e } from '@geekmidas/constructs/endpoints';
 
-export default e
+export const healthEndpoint = e
   .get('/health')
   .handle(async () => ({
     status: 'ok',
@@ -3675,7 +5377,7 @@ export default e
 				path: getRoutePath("users/list.ts"),
 				content: `import { e } from '@geekmidas/constructs/endpoints';
 
-export default e
+export const listUsersEndpoint = e
   .get('/users')
   .handle(async () => ({
     users: [
@@ -3690,7 +5392,7 @@ export default e
 				content: `import { e } from '@geekmidas/constructs/endpoints';
 import { z } from 'zod';
 
-export default e
+export const getUserEndpoint = e
   .get('/users/:id')
   .params(z.object({ id: z.string() }))
   .handle(async ({ params }) => ({
@@ -3703,7 +5405,7 @@ export default e
 		];
 		if (options.database) files.push({
 			path: "src/services/database.ts",
-			content: `import type { Service } from '@geekmidas/services';
+			content: `import type { Service, ServiceRegisterOptions } from '@geekmidas/services';
 import { Kysely, PostgresDialect } from 'kysely';
 import pg from 'pg';
 
@@ -3719,18 +5421,24 @@ export interface Database {
 
 export const databaseService = {
   serviceName: 'database' as const,
-  async register(envParser) {
+  async register({ envParser, context }: ServiceRegisterOptions) {
+    const logger = context.getLogger();
+    logger.info('Connecting to database');
+
     const config = envParser
       .create((get) => ({
         url: get('DATABASE_URL').string(),
       }))
       .parse();
 
-    return new Kysely<Database>({
+    const db = new Kysely<Database>({
       dialect: new PostgresDialect({
         pool: new pg.Pool({ connectionString: config.url }),
       }),
     });
+
+    logger.info('Database connection established');
+    return db;
   },
 } satisfies Service<'database', Kysely<Database>>;
 `
@@ -3751,13 +5459,20 @@ export const telescope = new Telescope({
 			content: `import { Direction, InMemoryMonitoringStorage, Studio } from '@geekmidas/studio';
 import { Kysely, PostgresDialect } from 'kysely';
 import pg from 'pg';
-import type { Database } from '../services/database';
-import { config } from './env';
+import type { Database } from '../services/database.js';
+import { envParser } from './env.js';
+
+// Parse database config for Studio
+const studioConfig = envParser
+  .create((get) => ({
+    databaseUrl: get('DATABASE_URL').string(),
+  }))
+  .parse();
 
 // Create a Kysely instance for Studio
 const db = new Kysely<Database>({
   dialect: new PostgresDialect({
-    pool: new pg.Pool({ connectionString: config.database.url }),
+    pool: new pg.Pool({ connectionString: studioConfig.databaseUrl }),
   }),
 });
 
@@ -3783,15 +5498,15 @@ const minimalTemplate = {
 	name: "minimal",
 	description: "Basic health endpoint",
 	dependencies: {
-		"@geekmidas/constructs": "workspace:*",
-		"@geekmidas/envkit": "workspace:*",
-		"@geekmidas/logger": "workspace:*",
+		"@geekmidas/constructs": GEEKMIDAS_VERSIONS["@geekmidas/constructs"],
+		"@geekmidas/envkit": GEEKMIDAS_VERSIONS["@geekmidas/envkit"],
+		"@geekmidas/logger": GEEKMIDAS_VERSIONS["@geekmidas/logger"],
 		hono: "~4.8.2",
 		pino: "~9.6.0"
 	},
 	devDependencies: {
-		"@biomejs/biome": "~1.9.4",
-		"@geekmidas/cli": "workspace:*",
+		"@biomejs/biome": "~2.3.0",
+		"@geekmidas/cli": GEEKMIDAS_VERSIONS["@geekmidas/cli"],
 		"@types/node": "~22.0.0",
 		tsx: "~4.20.0",
 		turbo: "~2.3.0",
@@ -3824,14 +5539,17 @@ export const logger = createLogger();
 		const files = [
 			{
 				path: "src/config/env.ts",
-				content: `import { EnvironmentParser } from '@geekmidas/envkit';
+				content: `import { Credentials } from '@geekmidas/envkit/credentials';
+import { EnvironmentParser } from '@geekmidas/envkit';
 
-export const envParser = new EnvironmentParser(process.env);
+export const envParser = new EnvironmentParser({ ...process.env, ...Credentials });
 
+// Global config - only minimal shared values
+// Service-specific config should be parsed in each service
 export const config = envParser
   .create((get) => ({
-    port: get('PORT').string().transform(Number).default(3000),
-    nodeEnv: get('NODE_ENV').string().default('development'),
+    nodeEnv: get('NODE_ENV').enum(['development', 'test', 'production']).default('development'),
+    stage: get('STAGE').enum(['development', 'staging', 'production']).default('development'),
   }))
   .parse();
 `
@@ -3844,7 +5562,7 @@ export const config = envParser
 				path: getRoutePath("health.ts"),
 				content: `import { e } from '@geekmidas/constructs/endpoints';
 
-export default e
+export const healthEndpoint = e
   .get('/health')
   .handle(async () => ({
     status: 'ok',
@@ -3853,27 +5571,9 @@ export default e
 `
 			}
 		];
-		if (options.database) {
-			files[0] = {
-				path: "src/config/env.ts",
-				content: `import { EnvironmentParser } from '@geekmidas/envkit';
-
-export const envParser = new EnvironmentParser(process.env);
-
-export const config = envParser
-  .create((get) => ({
-    port: get('PORT').string().transform(Number).default(3000),
-    nodeEnv: get('NODE_ENV').string().default('development'),
-    database: {
-      url: get('DATABASE_URL').string().default('postgresql://localhost:5432/mydb'),
-    },
-  }))
-  .parse();
-`
-			};
-			files.push({
-				path: "src/services/database.ts",
-				content: `import type { Service } from '@geekmidas/services';
+		if (options.database) files.push({
+			path: "src/services/database.ts",
+			content: `import type { Service, ServiceRegisterOptions } from '@geekmidas/services';
 import { Kysely, PostgresDialect } from 'kysely';
 import pg from 'pg';
 
@@ -3884,23 +5584,28 @@ export interface Database {
 
 export const databaseService = {
   serviceName: 'database' as const,
-  async register(envParser) {
+  async register({ envParser, context }: ServiceRegisterOptions) {
+    const logger = context.getLogger();
+    logger.info('Connecting to database');
+
     const config = envParser
       .create((get) => ({
         url: get('DATABASE_URL').string(),
       }))
       .parse();
 
-    return new Kysely<Database>({
+    const db = new Kysely<Database>({
       dialect: new PostgresDialect({
         pool: new pg.Pool({ connectionString: config.url }),
       }),
     });
+
+    logger.info('Database connection established');
+    return db;
   },
 } satisfies Service<'database', Kysely<Database>>;
 `
-			});
-		}
+		});
 		if (options.telescope) files.push({
 			path: "src/config/telescope.ts",
 			content: `import { Telescope } from '@geekmidas/telescope';
@@ -3917,13 +5622,20 @@ export const telescope = new Telescope({
 			content: `import { Direction, InMemoryMonitoringStorage, Studio } from '@geekmidas/studio';
 import { Kysely, PostgresDialect } from 'kysely';
 import pg from 'pg';
-import type { Database } from '../services/database';
-import { config } from './env';
+import type { Database } from '../services/database.js';
+import { envParser } from './env.js';
+
+// Parse database config for Studio
+const studioConfig = envParser
+  .create((get) => ({
+    databaseUrl: get('DATABASE_URL').string(),
+  }))
+  .parse();
 
 // Create a Kysely instance for Studio
 const db = new Kysely<Database>({
   dialect: new PostgresDialect({
-    pool: new pg.Pool({ connectionString: config.database.url }),
+    pool: new pg.Pool({ connectionString: studioConfig.databaseUrl }),
   }),
 });
 
@@ -3949,16 +5661,16 @@ const serverlessTemplate = {
 	name: "serverless",
 	description: "AWS Lambda handlers",
 	dependencies: {
-		"@geekmidas/constructs": "workspace:*",
-		"@geekmidas/envkit": "workspace:*",
-		"@geekmidas/logger": "workspace:*",
-		"@geekmidas/cloud": "workspace:*",
+		"@geekmidas/constructs": GEEKMIDAS_VERSIONS["@geekmidas/constructs"],
+		"@geekmidas/envkit": GEEKMIDAS_VERSIONS["@geekmidas/envkit"],
+		"@geekmidas/logger": GEEKMIDAS_VERSIONS["@geekmidas/logger"],
+		"@geekmidas/cloud": GEEKMIDAS_VERSIONS["@geekmidas/cloud"],
 		hono: "~4.8.2",
 		pino: "~9.6.0"
 	},
 	devDependencies: {
-		"@biomejs/biome": "~1.9.4",
-		"@geekmidas/cli": "workspace:*",
+		"@biomejs/biome": "~2.3.0",
+		"@geekmidas/cli": GEEKMIDAS_VERSIONS["@geekmidas/cli"],
 		"@types/aws-lambda": "~8.10.92",
 		"@types/node": "~22.0.0",
 		tsx: "~4.20.0",
@@ -3992,17 +5704,17 @@ export const logger = createLogger();
 		const files = [
 			{
 				path: "src/config/env.ts",
-				content: `import { EnvironmentParser } from '@geekmidas/envkit';
+				content: `import { Credentials } from '@geekmidas/envkit/credentials';
+import { EnvironmentParser } from '@geekmidas/envkit';
 
-export const envParser = new EnvironmentParser(process.env);
+export const envParser = new EnvironmentParser({ ...process.env, ...Credentials });
 
+// Global config - only minimal shared values
+// Service-specific config should be parsed in each service
 export const config = envParser
   .create((get) => ({
-    stage: get('STAGE').string().default('dev'),
-    region: get('AWS_REGION').string().default('us-east-1'),${options.database ? `
-    database: {
-      url: get('DATABASE_URL').string(),
-    },` : ""}
+    nodeEnv: get('NODE_ENV').enum(['development', 'test', 'production']).default('development'),
+    stage: get('STAGE').enum(['dev', 'staging', 'prod']).default('dev'),
   }))
   .parse();
 `
@@ -4015,7 +5727,7 @@ export const config = envParser
 				path: getRoutePath("health.ts"),
 				content: `import { e } from '@geekmidas/constructs/endpoints';
 
-export default e
+export const healthEndpoint = e
   .get('/health')
   .handle(async () => ({
     status: 'ok',
@@ -4029,7 +5741,7 @@ export default e
 				content: `import { f } from '@geekmidas/constructs/functions';
 import { z } from 'zod';
 
-export default f
+export const helloFunction = f
   .input(z.object({ name: z.string() }))
   .output(z.object({ message: z.string() }))
   .handle(async ({ input }) => ({
@@ -4060,16 +5772,16 @@ const workerTemplate = {
 	name: "worker",
 	description: "Background job processing",
 	dependencies: {
-		"@geekmidas/constructs": "workspace:*",
-		"@geekmidas/envkit": "workspace:*",
-		"@geekmidas/logger": "workspace:*",
-		"@geekmidas/events": "workspace:*",
+		"@geekmidas/constructs": GEEKMIDAS_VERSIONS["@geekmidas/constructs"],
+		"@geekmidas/envkit": GEEKMIDAS_VERSIONS["@geekmidas/envkit"],
+		"@geekmidas/logger": GEEKMIDAS_VERSIONS["@geekmidas/logger"],
+		"@geekmidas/events": GEEKMIDAS_VERSIONS["@geekmidas/events"],
 		hono: "~4.8.2",
 		pino: "~9.6.0"
 	},
 	devDependencies: {
-		"@biomejs/biome": "~1.9.4",
-		"@geekmidas/cli": "workspace:*",
+		"@biomejs/biome": "~2.3.0",
+		"@geekmidas/cli": GEEKMIDAS_VERSIONS["@geekmidas/cli"],
 		"@types/node": "~22.0.0",
 		tsx: "~4.20.0",
 		turbo: "~2.3.0",
@@ -4102,20 +5814,17 @@ export const logger = createLogger();
 		const files = [
 			{
 				path: "src/config/env.ts",
-				content: `import { EnvironmentParser } from '@geekmidas/envkit';
+				content: `import { Credentials } from '@geekmidas/envkit/credentials';
+import { EnvironmentParser } from '@geekmidas/envkit';
 
-export const envParser = new EnvironmentParser(process.env);
+export const envParser = new EnvironmentParser({ ...process.env, ...Credentials });
 
+// Global config - only minimal shared values
+// Service-specific config should be parsed in each service
 export const config = envParser
   .create((get) => ({
-    port: get('PORT').string().transform(Number).default(3000),
-    nodeEnv: get('NODE_ENV').string().default('development'),
-    rabbitmq: {
-      url: get('RABBITMQ_URL').string().default('amqp://localhost:5672'),
-    },${options.database ? `
-    database: {
-      url: get('DATABASE_URL').string().default('postgresql://localhost:5432/mydb'),
-    },` : ""}
+    nodeEnv: get('NODE_ENV').enum(['development', 'test', 'production']).default('development'),
+    stage: get('STAGE').enum(['development', 'staging', 'production']).default('development'),
   }))
   .parse();
 `
@@ -4128,7 +5837,7 @@ export const config = envParser
 				path: getRoutePath("health.ts"),
 				content: `import { e } from '@geekmidas/constructs/endpoints';
 
-export default e
+export const healthEndpoint = e
   .get('/health')
   .handle(async () => ({
     status: 'ok',
@@ -4145,15 +5854,44 @@ export type AppEvents =
   | PublishableMessage<'user.created', { userId: string; email: string }>
   | PublishableMessage<'user.updated', { userId: string; changes: Record<string, unknown> }>
   | PublishableMessage<'order.placed', { orderId: string; userId: string; total: number }>;
+`
+			},
+			{
+				path: "src/events/publisher.ts",
+				content: `import type { Service, ServiceRegisterOptions } from '@geekmidas/services';
+import { Publisher, type EventPublisher } from '@geekmidas/events';
+import type { AppEvents } from './types.js';
+
+export const eventsPublisherService = {
+  serviceName: 'events' as const,
+  async register({ envParser, context }: ServiceRegisterOptions) {
+    const logger = context.getLogger();
+    logger.info('Connecting to message broker');
+
+    const config = envParser
+      .create((get) => ({
+        url: get('RABBITMQ_URL').string().default('amqp://localhost:5672'),
+      }))
+      .parse();
+
+    const publisher = await Publisher.fromConnectionString<AppEvents>(
+      \`rabbitmq://\${config.url.replace('amqp://', '')}?exchange=events\`
+    );
+
+    logger.info('Message broker connection established');
+    return publisher;
+  },
+} satisfies Service<'events', EventPublisher<AppEvents>>;
 `
 			},
 			{
 				path: "src/subscribers/user-events.ts",
 				content: `import { s } from '@geekmidas/constructs/subscribers';
-import type { AppEvents } from '../events/types.js';
+import { eventsPublisherService } from '../events/publisher.js';
 
-export default s<AppEvents>()
-  .events(['user.created', 'user.updated'])
+export const userEventsSubscriber = s
+  .publisher(eventsPublisherService)
+  .subscribe(['user.created', 'user.updated'])
   .handle(async ({ event, logger }) => {
     logger.info({ type: event.type, payload: event.payload }, 'Processing user event');
 
@@ -4175,7 +5913,7 @@ export default s<AppEvents>()
 				content: `import { cron } from '@geekmidas/constructs/crons';
 
 // Run every day at midnight
-export default cron('0 0 * * *')
+export const cleanupCron = cron('0 0 * * *')
   .handle(async ({ logger }) => {
     logger.info('Running cleanup job');
 
@@ -4218,30 +5956,17 @@ const templates = {
 	worker: workerTemplate
 };
 /**
-* Template choices for prompts
+* Template choices for prompts (Story 1.11 simplified to api + fullstack)
 */
-const templateChoices = [
-	{
-		title: "Minimal",
-		value: "minimal",
-		description: "Basic health endpoint"
-	},
-	{
-		title: "API",
-		value: "api",
-		description: "Full API with auth, database, services"
-	},
-	{
-		title: "Serverless",
-		value: "serverless",
-		description: "AWS Lambda handlers"
-	},
-	{
-		title: "Worker",
-		value: "worker",
-		description: "Background job processing"
-	}
-];
+const templateChoices = [{
+	title: "API",
+	value: "api",
+	description: "Single backend API with endpoints"
+}, {
+	title: "Fullstack",
+	value: "fullstack",
+	description: "Monorepo with API + Next.js + shared models"
+}];
 /**
 * Logger type choices for prompts
 */
@@ -4275,13 +6000,77 @@ const routesStructureChoices = [
 	}
 ];
 /**
+* Package manager choices for prompts
+*/
+const packageManagerChoices = [
+	{
+		title: "pnpm",
+		value: "pnpm",
+		description: "Fast, disk space efficient (recommended)"
+	},
+	{
+		title: "npm",
+		value: "npm",
+		description: "Node.js default package manager"
+	},
+	{
+		title: "yarn",
+		value: "yarn",
+		description: "Yarn package manager"
+	},
+	{
+		title: "bun",
+		value: "bun",
+		description: "Fast JavaScript runtime and package manager"
+	}
+];
+/**
+* Deploy target choices for prompts
+*/
+const deployTargetChoices = [{
+	title: "Dokploy",
+	value: "dokploy",
+	description: "Deploy to Dokploy (Docker-based hosting)"
+}, {
+	title: "Configure later",
+	value: "none",
+	description: "Skip deployment setup for now"
+}];
+/**
+* Services choices for multi-select prompt
+*/
+const servicesChoices = [
+	{
+		title: "PostgreSQL",
+		value: "db",
+		description: "PostgreSQL database"
+	},
+	{
+		title: "Redis",
+		value: "cache",
+		description: "Redis cache"
+	},
+	{
+		title: "Mailpit",
+		value: "mail",
+		description: "Email testing service (dev only)"
+	}
+];
+/**
 * Get a template by name
 */
 function getTemplate(name$1) {
+	if (name$1 === "fullstack") return templates.api;
 	const template = templates[name$1];
 	if (!template) throw new Error(`Unknown template: ${name$1}`);
 	return template;
 }
+/**
+* Check if a template is the fullstack monorepo template
+*/
+function isFullstackTemplate(name$1) {
+	return name$1 === "fullstack";
+}
 
 //#endregion
 //#region src/init/generators/package.ts
@@ -4293,10 +6082,10 @@ function generatePackageJson(options, template) {
 	const dependencies$1 = { ...template.dependencies };
 	const devDependencies$1 = { ...template.devDependencies };
 	const scripts$1 = { ...template.scripts };
-	if (telescope) dependencies$1["@geekmidas/telescope"] = "workspace:*";
-	if (studio) dependencies$1["@geekmidas/studio"] = "workspace:*";
+	if (telescope) dependencies$1["@geekmidas/telescope"] = GEEKMIDAS_VERSIONS["@geekmidas/telescope"];
+	if (studio) dependencies$1["@geekmidas/studio"] = GEEKMIDAS_VERSIONS["@geekmidas/studio"];
 	if (database) {
-		dependencies$1["@geekmidas/db"] = "workspace:*";
+		dependencies$1["@geekmidas/db"] = GEEKMIDAS_VERSIONS["@geekmidas/db"];
 		dependencies$1.kysely = "~0.28.2";
 		dependencies$1.pg = "~8.16.0";
 		devDependencies$1["@types/pg"] = "~8.15.0";
@@ -4331,19 +6120,219 @@ function generatePackageJson(options, template) {
 		dependencies: sortObject(dependencies$1),
 		devDependencies: sortObject(devDependencies$1)
 	};
-	return [{
-		path: "package.json",
-		content: `${JSON.stringify(packageJson, null, 2)}\n`
-	}];
+	return [{
+		path: "package.json",
+		content: `${JSON.stringify(packageJson, null, 2)}\n`
+	}];
+}
+
+//#endregion
+//#region src/init/generators/source.ts
+/**
+* Generate source files from template
+*/
+function generateSourceFiles(options, template) {
+	return template.files(options);
+}
+
+//#endregion
+//#region src/init/generators/web.ts
+/**
+* Generate Next.js web app files for fullstack template
+*/
+function generateWebAppFiles(options) {
+	if (!options.monorepo || options.template !== "fullstack") return [];
+	const packageName = `@${options.name}/web`;
+	const modelsPackage = `@${options.name}/models`;
+	const packageJson = {
+		name: packageName,
+		version: "0.0.1",
+		private: true,
+		type: "module",
+		scripts: {
+			dev: "next dev -p 3001",
+			build: "next build",
+			start: "next start",
+			typecheck: "tsc --noEmit"
+		},
+		dependencies: {
+			[modelsPackage]: "workspace:*",
+			next: "~16.1.0",
+			react: "~19.2.0",
+			"react-dom": "~19.2.0"
+		},
+		devDependencies: {
+			"@types/node": "~22.0.0",
+			"@types/react": "~19.0.0",
+			"@types/react-dom": "~19.0.0",
+			typescript: "~5.8.2"
+		}
+	};
+	const nextConfig = `import type { NextConfig } from 'next';
+
+const nextConfig: NextConfig = {
+  output: 'standalone',
+  reactStrictMode: true,
+  transpilePackages: ['${modelsPackage}'],
+};
+
+export default nextConfig;
+`;
+	const tsConfig = {
+		extends: "../../tsconfig.json",
+		compilerOptions: {
+			lib: [
+				"dom",
+				"dom.iterable",
+				"ES2022"
+			],
+			allowJs: true,
+			skipLibCheck: true,
+			strict: true,
+			noEmit: true,
+			esModuleInterop: true,
+			module: "ESNext",
+			moduleResolution: "bundler",
+			resolveJsonModule: true,
+			isolatedModules: true,
+			jsx: "preserve",
+			incremental: true,
+			plugins: [{ name: "next" }],
+			paths: {
+				"@/*": ["./src/*"],
+				[`${modelsPackage}`]: ["../../packages/models/src"],
+				[`${modelsPackage}/*`]: ["../../packages/models/src/*"]
+			},
+			baseUrl: "."
+		},
+		include: [
+			"next-env.d.ts",
+			"**/*.ts",
+			"**/*.tsx",
+			".next/types/**/*.ts"
+		],
+		exclude: ["node_modules"]
+	};
+	const layoutTsx = `import type { Metadata } from 'next';
+
+export const metadata: Metadata = {
+  title: '${options.name}',
+  description: 'Created with gkm init',
+};
+
+export default function RootLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
+  return (
+    <html lang="en">
+      <body>{children}</body>
+    </html>
+  );
 }
+`;
+	const pageTsx = `import type { User } from '${modelsPackage}';
 
-//#endregion
-//#region src/init/generators/source.ts
-/**
-* Generate source files from template
-*/
-function generateSourceFiles(options, template) {
-	return template.files(options);
+export default async function Home() {
+  // Example: Fetch from API
+  const apiUrl = process.env.API_URL || 'http://localhost:3000';
+  let health = null;
+
+  try {
+    const response = await fetch(\`\${apiUrl}/health\`, {
+      cache: 'no-store',
+    });
+    health = await response.json();
+  } catch (error) {
+    console.error('Failed to fetch health:', error);
+  }
+
+  // Example: Type-safe model usage
+  const exampleUser: User = {
+    id: '123e4567-e89b-12d3-a456-426614174000',
+    email: 'user@example.com',
+    name: 'Example User',
+    createdAt: new Date(),
+    updatedAt: new Date(),
+  };
+
+  return (
+    <main style={{ padding: '2rem', fontFamily: 'system-ui' }}>
+      <h1>Welcome to ${options.name}</h1>
+
+      <section style={{ marginTop: '2rem' }}>
+        <h2>API Status</h2>
+        {health ? (
+          <pre style={{ background: '#f0f0f0', padding: '1rem', borderRadius: '8px' }}>
+            {JSON.stringify(health, null, 2)}
+          </pre>
+        ) : (
+          <p>Unable to connect to API at {apiUrl}</p>
+        )}
+      </section>
+
+      <section style={{ marginTop: '2rem' }}>
+        <h2>Shared Models</h2>
+        <p>This user object is typed from @${options.name}/models:</p>
+        <pre style={{ background: '#f0f0f0', padding: '1rem', borderRadius: '8px' }}>
+          {JSON.stringify(exampleUser, null, 2)}
+        </pre>
+      </section>
+
+      <section style={{ marginTop: '2rem' }}>
+        <h2>Next Steps</h2>
+        <ul>
+          <li>Edit <code>apps/web/src/app/page.tsx</code> to customize this page</li>
+          <li>Add API routes in <code>apps/api/src/endpoints/</code></li>
+          <li>Define shared schemas in <code>packages/models/src/</code></li>
+        </ul>
+      </section>
+    </main>
+  );
+}
+`;
+	const envLocal = `# API URL (injected automatically in workspace mode)
+API_URL=http://localhost:3000
+
+# Other environment variables
+# NEXT_PUBLIC_API_URL=http://localhost:3000
+`;
+	const gitignore = `.next/
+node_modules/
+.env.local
+*.log
+`;
+	return [
+		{
+			path: "apps/web/package.json",
+			content: `${JSON.stringify(packageJson, null, 2)}\n`
+		},
+		{
+			path: "apps/web/next.config.ts",
+			content: nextConfig
+		},
+		{
+			path: "apps/web/tsconfig.json",
+			content: `${JSON.stringify(tsConfig, null, 2)}\n`
+		},
+		{
+			path: "apps/web/src/app/layout.tsx",
+			content: layoutTsx
+		},
+		{
+			path: "apps/web/src/app/page.tsx",
+			content: pageTsx
+		},
+		{
+			path: "apps/web/.env.local",
+			content: envLocal
+		},
+		{
+			path: "apps/web/.gitignore",
+			content: gitignore
+		}
+	];
 }
 
 //#endregion
@@ -4411,21 +6400,36 @@ function getRunCommand(pkgManager, script) {
 //#endregion
 //#region src/init/index.ts
 /**
+* Generate a secure random password for database users
+*/
+function generateDbPassword() {
+	return `${Date.now().toString(36)}${Math.random().toString(36).slice(2)}${Math.random().toString(36).slice(2)}`;
+}
+/**
+* Generate database URL for an app
+* All apps connect to the same database, but use different users/schemas
+*/
+function generateDbUrl(appName, password, projectName, host = "localhost", port = 5432) {
+	const userName = appName.replace(/-/g, "_");
+	const dbName = `${projectName.replace(/-/g, "_")}_dev`;
+	return `postgresql://${userName}:${password}@${host}:${port}/${dbName}`;
+}
+/**
 * Main init command - scaffolds a new project
 */
 async function initCommand(projectName, options = {}) {
 	const cwd = process.cwd();
-	const pkgManager = detectPackageManager(cwd);
+	const detectedPkgManager = detectPackageManager(cwd);
 	prompts.override({});
 	const onCancel = () => {
 		process.exit(0);
 	};
 	const answers = await prompts([
 		{
-			type: projectName ? null : "text",
+			type: projectName || options.name ? null : "text",
 			name: "name",
 			message: "Project name:",
-			initial: "my-api",
+			initial: "my-app",
 			validate: (value) => {
 				const nameValid = validateProjectName(value);
 				if (nameValid !== true) return nameValid;
@@ -4442,21 +6446,33 @@ async function initCommand(projectName, options = {}) {
 			initial: 0
 		},
 		{
-			type: options.yes ? null : "confirm",
-			name: "telescope",
-			message: "Include Telescope (debugging dashboard)?",
-			initial: true
+			type: options.yes ? null : "multiselect",
+			name: "services",
+			message: "Services (space to select, enter to confirm):",
+			choices: servicesChoices.map((c) => ({
+				...c,
+				selected: true
+			})),
+			hint: "- Space to select. Return to submit"
 		},
 		{
-			type: options.yes ? null : "confirm",
-			name: "database",
-			message: "Include database support (Kysely)?",
-			initial: true
+			type: options.yes ? null : "select",
+			name: "packageManager",
+			message: "Package manager:",
+			choices: packageManagerChoices,
+			initial: packageManagerChoices.findIndex((c) => c.value === detectedPkgManager)
+		},
+		{
+			type: options.yes ? null : "select",
+			name: "deployTarget",
+			message: "Deployment target:",
+			choices: deployTargetChoices,
+			initial: 0
 		},
 		{
-			type: (prev) => options.yes ? null : prev ? "confirm" : null,
-			name: "studio",
-			message: "Include Studio (database browser)?",
+			type: options.yes ? null : "confirm",
+			name: "telescope",
+			message: "Include Telescope (debugging dashboard)?",
 			initial: true
 		},
 		{
@@ -4472,74 +6488,146 @@ async function initCommand(projectName, options = {}) {
 			message: "Routes structure:",
 			choices: routesStructureChoices,
 			initial: 0
-		},
-		{
-			type: options.yes || options.monorepo !== void 0 ? null : "confirm",
-			name: "monorepo",
-			message: "Setup as monorepo?",
-			initial: false
-		},
-		{
-			type: (prev) => (prev === true || options.monorepo) && !options.apiPath ? "text" : null,
-			name: "apiPath",
-			message: "API app path:",
-			initial: "apps/api"
 		}
 	], { onCancel });
-	const name$1 = projectName || answers.name;
-	if (!name$1) process.exit(1);
-	if (projectName) {
-		const nameValid = validateProjectName(projectName);
-		if (nameValid !== true) process.exit(1);
-		const dirValid = checkDirectoryExists(projectName, cwd);
-		if (dirValid !== true) process.exit(1);
-	}
-	const monorepo = options.monorepo ?? (options.yes ? false : answers.monorepo ?? false);
-	const database = options.yes ? true : answers.database ?? true;
+	const name$1 = projectName || options.name || answers.name;
+	if (!name$1) {
+		console.error("Project name is required");
+		process.exit(1);
+	}
+	if (projectName || options.name) {
+		const nameToValidate = projectName || options.name;
+		const nameValid = validateProjectName(nameToValidate);
+		if (nameValid !== true) {
+			console.error(nameValid);
+			process.exit(1);
+		}
+		const dirValid = checkDirectoryExists(nameToValidate, cwd);
+		if (dirValid !== true) {
+			console.error(dirValid);
+			process.exit(1);
+		}
+	}
+	const template = options.template || answers.template || "api";
+	const isFullstack = isFullstackTemplate(template);
+	const monorepo = isFullstack || options.monorepo || false;
+	const servicesArray = options.yes ? [
+		"db",
+		"cache",
+		"mail"
+	] : answers.services || [];
+	const services = {
+		db: servicesArray.includes("db"),
+		cache: servicesArray.includes("cache"),
+		mail: servicesArray.includes("mail")
+	};
+	const pkgManager = options.pm ? options.pm : options.yes ? "pnpm" : answers.packageManager ?? detectedPkgManager;
+	const deployTarget = options.yes ? "dokploy" : answers.deployTarget ?? "dokploy";
+	const database = services.db;
 	const templateOptions = {
 		name: name$1,
-		template: options.template || answers.template || "minimal",
+		template,
 		telescope: options.yes ? true : answers.telescope ?? true,
 		database,
-		studio: database && (options.yes ? true : answers.studio ?? true),
+		studio: database,
 		loggerType: options.yes ? "pino" : answers.loggerType ?? "pino",
 		routesStructure: options.yes ? "centralized-endpoints" : answers.routesStructure ?? "centralized-endpoints",
 		monorepo,
-		apiPath: monorepo ? options.apiPath ?? answers.apiPath ?? "apps/api" : ""
+		apiPath: monorepo ? options.apiPath ?? "apps/api" : "",
+		packageManager: pkgManager,
+		deployTarget,
+		services
 	};
 	const targetDir = join(cwd, name$1);
-	const template = getTemplate(templateOptions.template);
+	const baseTemplate = getTemplate(templateOptions.template);
 	const isMonorepo$1 = templateOptions.monorepo;
 	const apiPath = templateOptions.apiPath;
+	console.log("\n🚀 Creating your project...\n");
 	await mkdir(targetDir, { recursive: true });
 	const appDir = isMonorepo$1 ? join(targetDir, apiPath) : targetDir;
 	if (isMonorepo$1) await mkdir(appDir, { recursive: true });
-	const appFiles = [
-		...generatePackageJson(templateOptions, template),
-		...generateConfigFiles(templateOptions, template),
-		...generateEnvFiles(templateOptions, template),
-		...generateSourceFiles(templateOptions, template),
-		...generateDockerFiles(templateOptions, template)
-	];
-	const rootFiles = [...generateMonorepoFiles(templateOptions, template), ...generateModelsPackage(templateOptions)];
+	const dbApps = [];
+	if (isFullstack && services.db) dbApps.push({
+		name: "api",
+		password: generateDbPassword()
+	}, {
+		name: "auth",
+		password: generateDbPassword()
+	});
+	const appFiles = baseTemplate ? [
+		...generatePackageJson(templateOptions, baseTemplate),
+		...generateConfigFiles(templateOptions, baseTemplate),
+		...generateEnvFiles(templateOptions, baseTemplate),
+		...generateSourceFiles(templateOptions, baseTemplate),
+		...isMonorepo$1 ? [] : generateDockerFiles(templateOptions, baseTemplate, dbApps)
+	] : [];
+	const dockerFiles = isMonorepo$1 && baseTemplate ? generateDockerFiles(templateOptions, baseTemplate, dbApps) : [];
+	const rootFiles = baseTemplate ? [...generateMonorepoFiles(templateOptions, baseTemplate), ...generateModelsPackage(templateOptions)] : [];
+	const webAppFiles = isFullstack ? generateWebAppFiles(templateOptions) : [];
+	const authAppFiles = isFullstack ? generateAuthAppFiles(templateOptions) : [];
 	for (const { path, content } of rootFiles) {
 		const fullPath = join(targetDir, path);
 		await mkdir(dirname(fullPath), { recursive: true });
 		await writeFile(fullPath, content);
 	}
+	for (const { path, content } of dockerFiles) {
+		const fullPath = join(targetDir, path);
+		await mkdir(dirname(fullPath), { recursive: true });
+		await writeFile(fullPath, content);
+	}
 	for (const { path, content } of appFiles) {
 		const fullPath = join(appDir, path);
-		const _displayPath = isMonorepo$1 ? `${apiPath}/${path}` : path;
 		await mkdir(dirname(fullPath), { recursive: true });
 		await writeFile(fullPath, content);
 	}
+	for (const { path, content } of webAppFiles) {
+		const fullPath = join(targetDir, path);
+		await mkdir(dirname(fullPath), { recursive: true });
+		await writeFile(fullPath, content);
+	}
+	for (const { path, content } of authAppFiles) {
+		const fullPath = join(targetDir, path);
+		await mkdir(dirname(fullPath), { recursive: true });
+		await writeFile(fullPath, content);
+	}
+	console.log("🔐 Initializing encrypted secrets...\n");
+	const secretServices = [];
+	if (services.db) secretServices.push("postgres");
+	if (services.cache) secretServices.push("redis");
+	const devSecrets = createStageSecrets("development", secretServices);
+	const customSecrets = {
+		NODE_ENV: "development",
+		PORT: "3000",
+		LOG_LEVEL: "debug",
+		JWT_SECRET: `dev-${Date.now()}-${Math.random().toString(36).slice(2)}`
+	};
+	if (isFullstack && dbApps.length > 0) {
+		for (const app of dbApps) {
+			const urlKey = `${app.name.toUpperCase()}_DATABASE_URL`;
+			customSecrets[urlKey] = generateDbUrl(app.name, app.password, name$1);
+			const passwordKey = `${app.name.toUpperCase()}_DB_PASSWORD`;
+			customSecrets[passwordKey] = app.password;
+		}
+		customSecrets.AUTH_PORT = "3002";
+		customSecrets.BETTER_AUTH_SECRET = `better-auth-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+		customSecrets.BETTER_AUTH_URL = "http://localhost:3002";
+		customSecrets.BETTER_AUTH_TRUSTED_ORIGINS = "http://localhost:3000,http://localhost:3001";
+	}
+	devSecrets.custom = customSecrets;
+	await writeStageSecrets(devSecrets, targetDir);
+	const keyPath = getKeyPath("development", name$1);
+	console.log(`  Secrets: .gkm/secrets/development.json (encrypted)`);
+	console.log(`  Key: ${keyPath}\n`);
 	if (!options.skipInstall) {
+		console.log("\n📦 Installing dependencies...\n");
 		try {
 			execSync(getInstallCommand(pkgManager), {
 				cwd: targetDir,
 				stdio: "inherit"
 			});
-		} catch {}
+		} catch {
+			console.error("Failed to install dependencies");
+		}
 		try {
 			execSync("npx @biomejs/biome format --write --unsafe .", {
 				cwd: targetDir,
@@ -4547,124 +6635,52 @@ async function initCommand(projectName, options = {}) {
 			});
 		} catch {}
 	}
-	const _devCommand = getRunCommand(pkgManager, "dev");
+	printNextSteps(name$1, templateOptions, pkgManager);
 }
-
-//#endregion
-//#region src/secrets/generator.ts
 /**
-* Generate a secure random password using URL-safe base64 characters.
-* @param length Password length (default: 32)
+* Print success message with next steps
 */
-function generateSecurePassword(length = 32) {
-	return randomBytes(Math.ceil(length * 3 / 4)).toString("base64url").slice(0, length);
-}
-/** Default service configurations */
-const SERVICE_DEFAULTS = {
-	postgres: {
-		host: "postgres",
-		port: 5432,
-		username: "app",
-		database: "app"
-	},
-	redis: {
-		host: "redis",
-		port: 6379,
-		username: "default"
-	},
-	rabbitmq: {
-		host: "rabbitmq",
-		port: 5672,
-		username: "app",
-		vhost: "/"
+function printNextSteps(projectName, options, pkgManager) {
+	const devCommand$1 = getRunCommand(pkgManager, "dev");
+	const cdCommand = `cd ${projectName}`;
+	console.log(`\n${"─".repeat(50)}`);
+	console.log("\n✅ Project created successfully!\n");
+	console.log("Next steps:\n");
+	console.log(`  ${cdCommand}`);
+	if (options.services.db) {
+		console.log(`  # Start PostgreSQL (if not running)`);
+		console.log(`  docker compose up -d postgres`);
 	}
-};
-/**
-* Generate credentials for a specific service.
-*/
-function generateServiceCredentials(service) {
-	const defaults = SERVICE_DEFAULTS[service];
-	return {
-		...defaults,
-		password: generateSecurePassword()
-	};
-}
-/**
-* Generate credentials for multiple services.
-*/
-function generateServicesCredentials(services) {
-	const result = {};
-	for (const service of services) result[service] = generateServiceCredentials(service);
-	return result;
-}
-/**
-* Generate connection URL for PostgreSQL.
-*/
-function generatePostgresUrl(creds) {
-	const { username, password, host, port, database } = creds;
-	return `postgresql://${username}:${encodeURIComponent(password)}@${host}:${port}/${database}`;
-}
-/**
-* Generate connection URL for Redis.
-*/
-function generateRedisUrl(creds) {
-	const { password, host, port } = creds;
-	return `redis://:${encodeURIComponent(password)}@${host}:${port}`;
-}
-/**
-* Generate connection URL for RabbitMQ.
-*/
-function generateRabbitmqUrl(creds) {
-	const { username, password, host, port, vhost } = creds;
-	const encodedVhost = encodeURIComponent(vhost ?? "/");
-	return `amqp://${username}:${encodeURIComponent(password)}@${host}:${port}/${encodedVhost}`;
-}
-/**
-* Generate connection URLs from service credentials.
-*/
-function generateConnectionUrls(services) {
-	const urls = {};
-	if (services.postgres) urls.DATABASE_URL = generatePostgresUrl(services.postgres);
-	if (services.redis) urls.REDIS_URL = generateRedisUrl(services.redis);
-	if (services.rabbitmq) urls.RABBITMQ_URL = generateRabbitmqUrl(services.rabbitmq);
-	return urls;
-}
-/**
-* Create a new StageSecrets object with generated credentials.
-*/
-function createStageSecrets(stage, services) {
-	const now = (/* @__PURE__ */ new Date()).toISOString();
-	const serviceCredentials = generateServicesCredentials(services);
-	const urls = generateConnectionUrls(serviceCredentials);
-	return {
-		stage,
-		createdAt: now,
-		updatedAt: now,
-		services: serviceCredentials,
-		urls,
-		custom: {}
-	};
-}
-/**
-* Rotate password for a specific service.
-*/
-function rotateServicePassword(secrets, service) {
-	const currentCreds = secrets.services[service];
-	if (!currentCreds) throw new Error(`Service "${service}" not configured in secrets`);
-	const newCreds = {
-		...currentCreds,
-		password: generateSecurePassword()
-	};
-	const newServices = {
-		...secrets.services,
-		[service]: newCreds
-	};
-	return {
-		...secrets,
-		updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
-		services: newServices,
-		urls: generateConnectionUrls(newServices)
-	};
+	console.log(`  ${devCommand$1}`);
+	console.log("");
+	if (options.monorepo) {
+		console.log("📁 Project structure:");
+		console.log(`  ${projectName}/`);
+		console.log(`  ├── apps/`);
+		console.log(`  │   ├── api/          # Backend API`);
+		if (isFullstackTemplate(options.template)) {
+			console.log(`  │   ├── auth/         # Auth service (better-auth)`);
+			console.log(`  │   └── web/          # Next.js frontend`);
+		}
+		console.log(`  ├── packages/`);
+		console.log(`  │   └── models/       # Shared Zod schemas`);
+		console.log(`  ├── .gkm/secrets/     # Encrypted secrets`);
+		console.log(`  ├── gkm.config.ts     # Workspace config`);
+		console.log(`  └── turbo.json        # Turbo config`);
+		console.log("");
+	}
+	console.log("🔐 Secrets management:");
+	console.log(`  gkm secrets:show --stage development  # View secrets`);
+	console.log(`  gkm secrets:set KEY VALUE --stage development  # Add secret`);
+	console.log(`  gkm secrets:init --stage production  # Create production secrets`);
+	console.log("");
+	if (options.deployTarget === "dokploy") {
+		console.log("🚀 Deployment:");
+		console.log(`  ${getRunCommand(pkgManager, "deploy")}`);
+		console.log("");
+	}
+	console.log("📚 Documentation: https://docs.geekmidas.dev");
+	console.log("");
 }
 
 //#endregion
@@ -4853,11 +6869,57 @@ function maskUrl(url) {
 	}
 }
 
+//#endregion
+//#region src/test/index.ts
+/**
+* Run tests with secrets loaded from the specified stage.
+* Secrets are decrypted and injected into the environment.
+*/
+async function testCommand(options = {}) {
+	const stage = options.stage ?? "development";
+	console.log(`\n🧪 Running tests with ${stage} secrets...\n`);
+	let envVars = {};
+	try {
+		const secrets = await readStageSecrets(stage);
+		if (secrets) {
+			envVars = toEmbeddableSecrets(secrets);
+			console.log(`  Loaded ${Object.keys(envVars).length} secrets from ${stage}\n`);
+		} else console.log(`  No secrets found for ${stage}, running without secrets\n`);
+	} catch (error) {
+		if (error instanceof Error && error.message.includes("key not found")) console.log(`  Decryption key not found for ${stage}, running without secrets\n`);
+		else throw error;
+	}
+	const args = [];
+	if (options.run) args.push("run");
+	else if (options.watch) args.push("--watch");
+	if (options.coverage) args.push("--coverage");
+	if (options.ui) args.push("--ui");
+	if (options.pattern) args.push(options.pattern);
+	const vitestProcess = spawn("npx", ["vitest", ...args], {
+		cwd: process.cwd(),
+		stdio: "inherit",
+		env: {
+			...process.env,
+			...envVars,
+			NODE_ENV: "test"
+		}
+	});
+	return new Promise((resolve$1, reject) => {
+		vitestProcess.on("close", (code) => {
+			if (code === 0) resolve$1();
+			else reject(new Error(`Tests failed with exit code ${code}`));
+		});
+		vitestProcess.on("error", (error) => {
+			reject(error);
+		});
+	});
+}
+
 //#endregion
 //#region src/index.ts
 const program = new Command();
 program.name("gkm").description("GeekMidas backend framework CLI").version(package_default.version).option("--cwd <path>", "Change working directory");
-program.command("init").description("Scaffold a new project").argument("[name]", "Project name").option("--template <template>", "Project template (minimal, api, serverless, worker)").option("--skip-install", "Skip dependency installation", false).option("-y, --yes", "Skip prompts, use defaults", false).option("--monorepo", "Setup as monorepo with packages/models", false).option("--api-path <path>", "API app path in monorepo (default: apps/api)").action(async (name$1, options) => {
+program.command("init").description("Scaffold a new project").argument("[name]", "Project name").option("--template <template>", "Project template (minimal, api, serverless, worker)").option("--skip-install", "Skip dependency installation", false).option("-y, --yes", "Skip prompts, use defaults", false).option("--monorepo", "Setup as monorepo with packages/models", false).option("--api-path <path>", "API app path in monorepo (default: apps/api)").option("--pm <manager>", "Package manager (pnpm, npm, yarn, bun)").action(async (name$1, options) => {
 	try {
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
@@ -4914,6 +6976,19 @@ program.command("dev").description("Start development server with automatic relo
 		process.exit(1);
 	}
 });
+program.command("test").description("Run tests with secrets loaded from environment").option("--stage <stage>", "Stage to load secrets from", "development").option("--run", "Run tests once without watch mode").option("--watch", "Enable watch mode").option("--coverage", "Generate coverage report").option("--ui", "Open Vitest UI").argument("[pattern]", "Pattern to filter tests").action(async (pattern, options) => {
+	try {
+		const globalOptions = program.opts();
+		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
+		await testCommand({
+			...options,
+			pattern
+		});
+	} catch (error) {
+		console.error(error instanceof Error ? error.message : "Command failed");
+		process.exit(1);
+	}
+});
 program.command("cron").description("Manage cron jobs").action(() => {
 	const globalOptions = program.opts();
 	if (globalOptions.cwd) process.chdir(globalOptions.cwd);