@geekmidas/cli 0.28.0 → 0.30.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekmidas/cli",
-  "version": "0.28.0",
+  "version": "0.30.0",
   "description": "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs",
   "private": false,
   "type": "module",
@@ -48,10 +48,10 @@
     "lodash.kebabcase": "^4.1.1",
     "openapi-typescript": "^7.4.2",
     "prompts": "~2.4.2",
-    "@geekmidas/logger": "~0.4.0",
     "@geekmidas/errors": "~0.1.0",
-    "@geekmidas/envkit": "~0.4.0",
+    "@geekmidas/logger": "~0.4.0",
     "@geekmidas/constructs": "~0.6.0",
+    "@geekmidas/envkit": "~0.5.0",
     "@geekmidas/schema": "~0.1.0"
   },
   "devDependencies": {

package/src/dev/__tests__/index.spec.ts

@@ -13,6 +13,7 @@ import {
 	findAvailablePort,
 	generateAllDependencyEnvVars,
 	isPortAvailable,
+	loadSecretsForApp,
 	normalizeHooksConfig,
 	normalizeProductionConfig,
 	normalizeStudioConfig,
@@ -967,3 +968,225 @@ describe('Workspace Dev Server', () => {
 		});
 	});
 });
+
+describe('loadSecretsForApp', () => {
+	let testDir: string;
+
+	beforeEach(() => {
+		testDir = join(
+			tmpdir(),
+			`gkm-secrets-test-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+		);
+		mkdirSync(testDir, { recursive: true });
+	});
+
+	afterEach(() => {
+		if (existsSync(testDir)) {
+			rmSync(testDir, { recursive: true, force: true });
+		}
+	});
+
+	/**
+	 * Helper to create a secrets file in legacy (unencrypted) format.
+	 * This matches the StageSecrets structure.
+	 */
+	function createSecretsFile(
+		stage: string,
+		secrets: Record<string, string>,
+		root = testDir,
+	) {
+		const secretsDir = join(root, '.gkm', 'secrets');
+		mkdirSync(secretsDir, { recursive: true });
+		const stageSecrets = {
+			stage,
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {},
+			urls: {},
+			custom: secrets,
+		};
+		writeFileSync(
+			join(secretsDir, `${stage}.json`),
+			JSON.stringify(stageSecrets, null, 2),
+		);
+	}
+
+	describe('single app mode (no appName)', () => {
+		it('should return secrets as-is without mapping', async () => {
+			createSecretsFile('development', {
+				DATABASE_URL: 'postgresql://localhost/mydb',
+				JWT_SECRET: 'super-secret',
+				NODE_ENV: 'development',
+			});
+
+			const secrets = await loadSecretsForApp(testDir);
+
+			expect(secrets).toEqual({
+				DATABASE_URL: 'postgresql://localhost/mydb',
+				JWT_SECRET: 'super-secret',
+				NODE_ENV: 'development',
+			});
+		});
+
+		it('should try dev stage first, then development', async () => {
+			createSecretsFile('dev', {
+				DATABASE_URL: 'postgresql://localhost/devdb',
+			});
+			createSecretsFile('development', {
+				DATABASE_URL: 'postgresql://localhost/developmentdb',
+			});
+
+			const secrets = await loadSecretsForApp(testDir);
+
+			// Should use 'dev' stage since it's checked first
+			expect(secrets.DATABASE_URL).toBe('postgresql://localhost/devdb');
+		});
+
+		it('should fallback to development if dev does not exist', async () => {
+			createSecretsFile('development', {
+				DATABASE_URL: 'postgresql://localhost/developmentdb',
+			});
+
+			const secrets = await loadSecretsForApp(testDir);
+
+			expect(secrets.DATABASE_URL).toBe(
+				'postgresql://localhost/developmentdb',
+			);
+		});
+
+		it('should return empty object if no secrets exist', async () => {
+			const secrets = await loadSecretsForApp(testDir);
+
+			expect(secrets).toEqual({});
+		});
+	});
+
+	describe('workspace app mode (with appName)', () => {
+		it('should map {APP}_DATABASE_URL to DATABASE_URL', async () => {
+			createSecretsFile('development', {
+				AUTH_DATABASE_URL: 'postgresql://auth_user:pass@localhost/authdb',
+				API_DATABASE_URL: 'postgresql://api_user:pass@localhost/apidb',
+				JWT_SECRET: 'shared-secret',
+			});
+
+			const authSecrets = await loadSecretsForApp(testDir, 'auth');
+
+			expect(authSecrets.DATABASE_URL).toBe(
+				'postgresql://auth_user:pass@localhost/authdb',
+			);
+			// Original prefixed secrets are also available
+			expect(authSecrets.AUTH_DATABASE_URL).toBe(
+				'postgresql://auth_user:pass@localhost/authdb',
+			);
+			expect(authSecrets.JWT_SECRET).toBe('shared-secret');
+		});
+
+		it('should map API secrets correctly', async () => {
+			createSecretsFile('development', {
+				AUTH_DATABASE_URL: 'postgresql://auth_user:pass@localhost/authdb',
+				API_DATABASE_URL: 'postgresql://api_user:pass@localhost/apidb',
+			});
+
+			const apiSecrets = await loadSecretsForApp(testDir, 'api');
+
+			expect(apiSecrets.DATABASE_URL).toBe(
+				'postgresql://api_user:pass@localhost/apidb',
+			);
+		});
+
+		it('should not override DATABASE_URL if no prefixed version exists', async () => {
+			createSecretsFile('development', {
+				DATABASE_URL: 'postgresql://localhost/maindb',
+				JWT_SECRET: 'secret',
+			});
+
+			// Asking for 'auth' app but AUTH_DATABASE_URL doesn't exist
+			const authSecrets = await loadSecretsForApp(testDir, 'auth');
+
+			// Should keep the original DATABASE_URL since there's no AUTH_DATABASE_URL
+			expect(authSecrets.DATABASE_URL).toBe('postgresql://localhost/maindb');
+		});
+
+		it('should handle uppercase app names in secrets', async () => {
+			createSecretsFile('development', {
+				MYSERVICE_DATABASE_URL: 'postgresql://localhost/myservicedb',
+			});
+
+			// App name is lowercase but secrets are uppercase prefixed
+			const secrets = await loadSecretsForApp(testDir, 'myservice');
+
+			expect(secrets.DATABASE_URL).toBe('postgresql://localhost/myservicedb');
+		});
+
+		it('should return empty object if no secrets exist for app', async () => {
+			const secrets = await loadSecretsForApp(testDir, 'api');
+
+			expect(secrets).toEqual({});
+		});
+	});
+
+	describe('service credentials mapping', () => {
+		it('should include postgres service credentials', async () => {
+			const secretsDir = join(testDir, '.gkm', 'secrets');
+			mkdirSync(secretsDir, { recursive: true });
+			const stageSecrets = {
+				stage: 'development',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {
+					postgres: {
+						username: 'postgres',
+						password: 'postgres123',
+						database: 'myapp',
+						host: 'localhost',
+						port: 5432,
+					},
+				},
+				urls: {},
+				custom: { NODE_ENV: 'development' },
+			};
+			writeFileSync(
+				join(secretsDir, 'development.json'),
+				JSON.stringify(stageSecrets, null, 2),
+			);
+
+			const secrets = await loadSecretsForApp(testDir);
+
+			expect(secrets.POSTGRES_USER).toBe('postgres');
+			expect(secrets.POSTGRES_PASSWORD).toBe('postgres123');
+			expect(secrets.POSTGRES_DB).toBe('myapp');
+			expect(secrets.POSTGRES_HOST).toBe('localhost');
+			expect(secrets.POSTGRES_PORT).toBe('5432');
+			expect(secrets.NODE_ENV).toBe('development');
+		});
+
+		it('should include redis service credentials', async () => {
+			const secretsDir = join(testDir, '.gkm', 'secrets');
+			mkdirSync(secretsDir, { recursive: true });
+			const stageSecrets = {
+				stage: 'development',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {
+					redis: {
+						password: 'redis123',
+						host: 'localhost',
+						port: 6379,
+					},
+				},
+				urls: {},
+				custom: {},
+			};
+			writeFileSync(
+				join(secretsDir, 'development.json'),
+				JSON.stringify(stageSecrets, null, 2),
+			);
+
+			const secrets = await loadSecretsForApp(testDir);
+
+			expect(secrets.REDIS_PASSWORD).toBe('redis123');
+			expect(secrets.REDIS_HOST).toBe('localhost');
+			expect(secrets.REDIS_PORT).toBe('6379');
+		});
+	});
+});

package/src/dev/index.ts

@@ -1,6 +1,6 @@
 import { type ChildProcess, execSync, spawn } from 'node:child_process';
 import { existsSync } from 'node:fs';
-import { mkdir } from 'node:fs/promises';
+import { mkdir, writeFile } from 'node:fs/promises';
 import { createServer } from 'node:net';
 import { join, resolve } from 'node:path';
 import chokidar from 'chokidar';
@@ -318,6 +318,8 @@ export async function devCommand(options: DevOptions): Promise<void> {
 	const appName = getAppNameFromCwd();
 	let config: GkmConfig;
 	let appRoot: string = process.cwd();
+	let secretsRoot: string = process.cwd(); // Where .gkm/secrets/ lives
+	let workspaceAppName: string | undefined; // Set if in workspace mode
 
 	if (appName) {
 		// Try to load app-specific config from workspace
@@ -325,6 +327,8 @@ export async function devCommand(options: DevOptions): Promise<void> {
 			const appConfig = await loadAppConfig();
 			config = appConfig.gkmConfig;
 			appRoot = appConfig.appRoot;
+			secretsRoot = appConfig.workspaceRoot;
+			workspaceAppName = appConfig.appName;
 			logger.log(`📦 Running app: ${appConfig.appName}`);
 		} catch {
 			// Not in a workspace or app not found in workspace - fall back to regular loading
@@ -438,6 +442,17 @@ export async function devCommand(options: DevOptions): Promise<void> {
 	// Determine runtime (default to node)
 	const runtime: Runtime = config.runtime ?? 'node';
 
+	// Load secrets for dev mode and write to JSON file
+	let secretsJsonPath: string | undefined;
+	const appSecrets = await loadSecretsForApp(secretsRoot, workspaceAppName);
+	if (Object.keys(appSecrets).length > 0) {
+		const secretsDir = join(secretsRoot, '.gkm');
+		await mkdir(secretsDir, { recursive: true });
+		secretsJsonPath = join(secretsDir, 'dev-secrets.json');
+		await writeFile(secretsJsonPath, JSON.stringify(appSecrets, null, 2));
+		logger.log(`🔐 Loaded ${Object.keys(appSecrets).length} secret(s)`);
+	}
+
 	// Start the dev server
 	const devServer = new DevServer(
 		resolved.providers[0] as LegacyProvider,
@@ -448,6 +463,7 @@ export async function devCommand(options: DevOptions): Promise<void> {
 		studio,
 		runtime,
 		appRoot,
+		secretsJsonPath,
 	);
 
 	await devServer.start();
@@ -754,6 +770,54 @@ export async function loadDevSecrets(
 	return {};
 }
 
+/**
+ * Load secrets from a path for dev mode.
+ * For single app: returns secrets as-is.
+ * For workspace app: maps {APP}_DATABASE_URL → DATABASE_URL.
+ * @internal Exported for testing
+ */
+export async function loadSecretsForApp(
+	secretsRoot: string,
+	appName?: string,
+): Promise<Record<string, string>> {
+	// Try 'dev' stage first, then 'development'
+	const stages = ['dev', 'development'];
+
+	let secrets: Record<string, string> = {};
+
+	for (const stage of stages) {
+		if (secretsExist(stage, secretsRoot)) {
+			const stageSecrets = await readStageSecrets(stage, secretsRoot);
+			if (stageSecrets) {
+				logger.log(`🔐 Loading secrets from stage: ${stage}`);
+				secrets = toEmbeddableSecrets(stageSecrets);
+				break;
+			}
+		}
+	}
+
+	if (Object.keys(secrets).length === 0) {
+		return {};
+	}
+
+	// Single app mode - no mapping needed
+	if (!appName) {
+		return secrets;
+	}
+
+	// Workspace app mode - map {APP}_* to generic names
+	const prefix = appName.toUpperCase();
+	const mapped = { ...secrets };
+
+	// Map {APP}_DATABASE_URL → DATABASE_URL
+	const appDbUrl = secrets[`${prefix}_DATABASE_URL`];
+	if (appDbUrl) {
+		mapped.DATABASE_URL = appDbUrl;
+	}
+
+	return mapped;
+}
+
 /**
  * Start docker-compose services for the workspace.
  * @internal Exported for testing
@@ -1192,6 +1256,7 @@ class DevServer {
 		private studio: NormalizedStudioConfig | undefined,
 		private runtime: Runtime = 'node',
 		private appRoot: string = process.cwd(),
+		private secretsJsonPath?: string,
 	) {
 		this.actualPort = requestedPort;
 	}
@@ -1341,7 +1406,7 @@ class DevServer {
 	}
 
 	private async createServerEntry(): Promise<void> {
-		const { writeFile } = await import('node:fs/promises');
+		const { writeFile: fsWriteFile } = await import('node:fs/promises');
 		const { relative, dirname } = await import('node:path');
 
 		const serverPath = join(this.appRoot, '.gkm', this.provider, 'server.ts');
@@ -1351,6 +1416,20 @@ class DevServer {
 			join(dirname(serverPath), 'app.js'),
 		);
 
+		// Generate credentials injection code if secrets are available
+		const credentialsInjection = this.secretsJsonPath
+			? `import { Credentials } from '@geekmidas/envkit/credentials';
+import { existsSync, readFileSync } from 'node:fs';
+
+// Inject dev secrets into Credentials (must happen before app import)
+const secretsPath = '${this.secretsJsonPath}';
+if (existsSync(secretsPath)) {
+  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
+}
+
+`
+			: '';
+
 		const serveCode =
 			this.runtime === 'bun'
 				? `Bun.serve({
@@ -1374,7 +1453,7 @@ class DevServer {
  * Development server entry point
  * This file is auto-generated by 'gkm dev'
  */
-import { createApp } from './${relativeAppPath.startsWith('.') ? relativeAppPath : `./${relativeAppPath}`}';
+${credentialsInjection}import { createApp } from './${relativeAppPath.startsWith('.') ? relativeAppPath : `./${relativeAppPath}`}';
 
 const port = process.argv.includes('--port')
   ? Number.parseInt(process.argv[process.argv.indexOf('--port') + 1])
@@ -1395,6 +1474,6 @@ start({
 });
 `;
 
-		await writeFile(serverPath, content);
+		await fsWriteFile(serverPath, content);
 	}
 }

package/src/init/__tests__/generators.spec.ts

@@ -15,9 +15,14 @@ const baseOptions: TemplateOptions = {
 	template: 'minimal',
 	telescope: true,
 	database: true,
-	routeStyle: 'file-based',
+	studio: true,
+	loggerType: 'pino',
+	routesStructure: 'centralized-endpoints',
 	monorepo: false,
 	apiPath: '',
+	packageManager: 'pnpm',
+	deployTarget: 'dokploy',
+	services: { db: true, cache: true, mail: false },
 };
 
 describe('generatePackageJson', () => {
@@ -161,7 +166,8 @@ describe('generateConfigFiles', () => {
 		};
 		const files = generateConfigFiles(options, minimalTemplate);
 		const tsConfig = files.find((f) => f.path === 'tsconfig.json');
-		const config = JSON.parse(tsConfig?.content);
+		expect(tsConfig).toBeDefined();
+		const config = JSON.parse(tsConfig!.content);
 		expect(config.extends).toBe('../../tsconfig.json');
 		expect(config.compilerOptions.paths).toBeDefined();
 		expect(config.compilerOptions.paths['@test-project/*']).toBeDefined();
@@ -274,7 +280,8 @@ describe('generateMonorepoFiles', () => {
 		};
 		const files = generateMonorepoFiles(options, minimalTemplate);
 		const pkgJson = files.find((f) => f.path === 'package.json');
-		const pkg = JSON.parse(pkgJson?.content);
+		expect(pkgJson).toBeDefined();
+		const pkg = JSON.parse(pkgJson!.content);
 		expect(pkg.scripts.dev).toBe('turbo dev');
 		expect(pkg.scripts.build).toBe('turbo build');
 		expect(pkg.scripts.lint).toBe('biome lint .');
@@ -311,7 +318,8 @@ describe('generateModelsPackage', () => {
 		const pkgJson = files.find(
 			(f) => f.path === 'packages/models/package.json',
 		);
-		const pkg = JSON.parse(pkgJson?.content);
+		expect(pkgJson).toBeDefined();
+		const pkg = JSON.parse(pkgJson!.content);
 		expect(pkg.name).toBe('@test-project/models');
 	});
 
@@ -325,7 +333,8 @@ describe('generateModelsPackage', () => {
 		const pkgJson = files.find(
 			(f) => f.path === 'packages/models/package.json',
 		);
-		const pkg = JSON.parse(pkgJson?.content);
+		expect(pkgJson).toBeDefined();
+		const pkg = JSON.parse(pkgJson!.content);
 		expect(pkg.dependencies.zod).toBeDefined();
 	});
 
@@ -336,9 +345,7 @@ describe('generateModelsPackage', () => {
 			apiPath: 'apps/api',
 		};
 		const files = generateModelsPackage(options);
-		const userTs = files.find(
-			(f) => f.path === 'packages/models/src/user.ts',
-		);
+		const userTs = files.find((f) => f.path === 'packages/models/src/user.ts');
 		const commonTs = files.find(
 			(f) => f.path === 'packages/models/src/common.ts',
 		);
@@ -359,7 +366,8 @@ describe('generateModelsPackage', () => {
 		const tsConfig = files.find(
 			(f) => f.path === 'packages/models/tsconfig.json',
 		);
-		const config = JSON.parse(tsConfig?.content);
+		expect(tsConfig).toBeDefined();
+		const config = JSON.parse(tsConfig!.content);
 		expect(config.extends).toBe('../../tsconfig.json');
 	});
 });

package/src/init/generators/web.ts

@@ -1,4 +1,5 @@
 import type { GeneratedFile, TemplateOptions } from '../templates/index.js';
+import { GEEKMIDAS_VERSIONS } from '../versions.js';
 
 /**
  * Generate Next.js web app files for fullstack template
@@ -25,6 +26,8 @@ export function generateWebAppFiles(options: TemplateOptions): GeneratedFile[] {
 		},
 		dependencies: {
 			[modelsPackage]: 'workspace:*',
+			'@geekmidas/client': GEEKMIDAS_VERSIONS['@geekmidas/client'],
+			'@tanstack/react-query': '~5.80.0',
 			next: '~16.1.0',
 			react: '~19.2.0',
 			'react-dom': '~19.2.0',
@@ -82,8 +85,73 @@ export default nextConfig;
 		exclude: ['node_modules'],
 	};
 
+	// Providers with QueryClient
+	const providersTsx = `'use client';
+
+import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+import { useState } from 'react';
+
+export function Providers({ children }: { children: React.ReactNode }) {
+  const [queryClient] = useState(
+    () =>
+      new QueryClient({
+        defaultOptions: {
+          queries: {
+            staleTime: 60 * 1000,
+          },
+        },
+      }),
+  );
+
+  return (
+    <QueryClientProvider client={queryClient}>{children}</QueryClientProvider>
+  );
+}
+`;
+
+	// API client setup
+	const apiIndexTs = `import { TypedFetcher } from '@geekmidas/client/fetcher';
+import { createEndpointHooks } from '@geekmidas/client/endpoint-hooks';
+
+// TODO: Run 'gkm openapi' to generate typed paths from your API
+// This is a placeholder that will be replaced by the generated openapi.ts
+interface paths {
+  '/health': {
+    get: {
+      responses: {
+        200: {
+          content: {
+            'application/json': { status: string; timestamp: string };
+          };
+        };
+      };
+    };
+  };
+  '/users': {
+    get: {
+      responses: {
+        200: {
+          content: {
+            'application/json': { users: Array<{ id: string; name: string }> };
+          };
+        };
+      };
+    };
+  };
+}
+
+const baseURL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:3000';
+
+const fetcher = new TypedFetcher<paths>({ baseURL });
+
+const hooks = createEndpointHooks<paths>(fetcher.request.bind(fetcher));
+
+export const api = Object.assign(fetcher.request.bind(fetcher), hooks);
+`;
+
 	// App layout
 	const layoutTsx = `import type { Metadata } from 'next';
+import { Providers } from './providers';
 
 export const metadata: Metadata = {
   title: '${options.name}',
@@ -97,37 +165,20 @@ export default function RootLayout({
 }) {
   return (
     <html lang="en">
-      <body>{children}</body>
+      <body>
+        <Providers>{children}</Providers>
+      </body>
     </html>
   );
 }
 `;
 
 	// Home page with API example
-	const pageTsx = `import type { User } from '${modelsPackage}';
+	const pageTsx = `import { api } from '@/api';
 
 export default async function Home() {
-  // Example: Fetch from API
-  const apiUrl = process.env.API_URL || 'http://localhost:3000';
-  let health = null;
-
-  try {
-    const response = await fetch(\`\${apiUrl}/health\`, {
-      cache: 'no-store',
-    });
-    health = await response.json();
-  } catch (error) {
-    console.error('Failed to fetch health:', error);
-  }
-
-  // Example: Type-safe model usage
-  const exampleUser: User = {
-    id: '123e4567-e89b-12d3-a456-426614174000',
-    email: 'user@example.com',
-    name: 'Example User',
-    createdAt: new Date(),
-    updatedAt: new Date(),
-  };
+  // Type-safe API call using the generated client
+  const health = await api('GET /health').catch(() => null);
 
   return (
     <main style={{ padding: '2rem', fontFamily: 'system-ui' }}>
@@ -140,21 +191,14 @@ export default async function Home() {
             {JSON.stringify(health, null, 2)}
           </pre>
         ) : (
-          <p>Unable to connect to API at {apiUrl}</p>
+          <p>Unable to connect to API</p>
         )}
       </section>
 
-      <section style={{ marginTop: '2rem' }}>
-        <h2>Shared Models</h2>
-        <p>This user object is typed from @${options.name}/models:</p>
-        <pre style={{ background: '#f0f0f0', padding: '1rem', borderRadius: '8px' }}>
-          {JSON.stringify(exampleUser, null, 2)}
-        </pre>
-      </section>
-
       <section style={{ marginTop: '2rem' }}>
         <h2>Next Steps</h2>
         <ul>
+          <li>Run <code>gkm openapi</code> to generate typed API client</li>
           <li>Edit <code>apps/web/src/app/page.tsx</code> to customize this page</li>
           <li>Add API routes in <code>apps/api/src/endpoints/</code></li>
           <li>Define shared schemas in <code>packages/models/src/</code></li>
@@ -166,11 +210,8 @@ export default async function Home() {
 `;
 
 	// Environment file for web app
-	const envLocal = `# API URL (injected automatically in workspace mode)
-API_URL=http://localhost:3000
-
-# Other environment variables
-# NEXT_PUBLIC_API_URL=http://localhost:3000
+	const envLocal = `# API URL for client-side requests
+NEXT_PUBLIC_API_URL=http://localhost:3000
 `;
 
 	// .gitignore for Next.js
@@ -197,10 +238,18 @@ node_modules/
 			path: 'apps/web/src/app/layout.tsx',
 			content: layoutTsx,
 		},
+		{
+			path: 'apps/web/src/app/providers.tsx',
+			content: providersTsx,
+		},
 		{
 			path: 'apps/web/src/app/page.tsx',
 			content: pageTsx,
 		},
+		{
+			path: 'apps/web/src/api/index.ts',
+			content: apiIndexTs,
+		},
 		{
 			path: 'apps/web/.env.local',
 			content: envLocal,