@geekmidas/cli 0.29.0 → 0.30.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekmidas/cli",
-  "version": "0.29.0",
+  "version": "0.30.0",
   "description": "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs",
   "private": false,
   "type": "module",
@@ -49,10 +49,10 @@
     "openapi-typescript": "^7.4.2",
     "prompts": "~2.4.2",
     "@geekmidas/errors": "~0.1.0",
-    "@geekmidas/envkit": "~0.4.0",
+    "@geekmidas/logger": "~0.4.0",
     "@geekmidas/constructs": "~0.6.0",
-    "@geekmidas/schema": "~0.1.0",
-    "@geekmidas/logger": "~0.4.0"
+    "@geekmidas/envkit": "~0.5.0",
+    "@geekmidas/schema": "~0.1.0"
   },
   "devDependencies": {
     "@types/lodash.kebabcase": "^4.1.9",

package/src/dev/__tests__/index.spec.ts

@@ -13,6 +13,7 @@ import {
 	findAvailablePort,
 	generateAllDependencyEnvVars,
 	isPortAvailable,
+	loadSecretsForApp,
 	normalizeHooksConfig,
 	normalizeProductionConfig,
 	normalizeStudioConfig,
@@ -967,3 +968,225 @@ describe('Workspace Dev Server', () => {
 		});
 	});
 });
+
+describe('loadSecretsForApp', () => {
+	let testDir: string;
+
+	beforeEach(() => {
+		testDir = join(
+			tmpdir(),
+			`gkm-secrets-test-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+		);
+		mkdirSync(testDir, { recursive: true });
+	});
+
+	afterEach(() => {
+		if (existsSync(testDir)) {
+			rmSync(testDir, { recursive: true, force: true });
+		}
+	});
+
+	/**
+	 * Helper to create a secrets file in legacy (unencrypted) format.
+	 * This matches the StageSecrets structure.
+	 */
+	function createSecretsFile(
+		stage: string,
+		secrets: Record<string, string>,
+		root = testDir,
+	) {
+		const secretsDir = join(root, '.gkm', 'secrets');
+		mkdirSync(secretsDir, { recursive: true });
+		const stageSecrets = {
+			stage,
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {},
+			urls: {},
+			custom: secrets,
+		};
+		writeFileSync(
+			join(secretsDir, `${stage}.json`),
+			JSON.stringify(stageSecrets, null, 2),
+		);
+	}
+
+	describe('single app mode (no appName)', () => {
+		it('should return secrets as-is without mapping', async () => {
+			createSecretsFile('development', {
+				DATABASE_URL: 'postgresql://localhost/mydb',
+				JWT_SECRET: 'super-secret',
+				NODE_ENV: 'development',
+			});
+
+			const secrets = await loadSecretsForApp(testDir);
+
+			expect(secrets).toEqual({
+				DATABASE_URL: 'postgresql://localhost/mydb',
+				JWT_SECRET: 'super-secret',
+				NODE_ENV: 'development',
+			});
+		});
+
+		it('should try dev stage first, then development', async () => {
+			createSecretsFile('dev', {
+				DATABASE_URL: 'postgresql://localhost/devdb',
+			});
+			createSecretsFile('development', {
+				DATABASE_URL: 'postgresql://localhost/developmentdb',
+			});
+
+			const secrets = await loadSecretsForApp(testDir);
+
+			// Should use 'dev' stage since it's checked first
+			expect(secrets.DATABASE_URL).toBe('postgresql://localhost/devdb');
+		});
+
+		it('should fallback to development if dev does not exist', async () => {
+			createSecretsFile('development', {
+				DATABASE_URL: 'postgresql://localhost/developmentdb',
+			});
+
+			const secrets = await loadSecretsForApp(testDir);
+
+			expect(secrets.DATABASE_URL).toBe(
+				'postgresql://localhost/developmentdb',
+			);
+		});
+
+		it('should return empty object if no secrets exist', async () => {
+			const secrets = await loadSecretsForApp(testDir);
+
+			expect(secrets).toEqual({});
+		});
+	});
+
+	describe('workspace app mode (with appName)', () => {
+		it('should map {APP}_DATABASE_URL to DATABASE_URL', async () => {
+			createSecretsFile('development', {
+				AUTH_DATABASE_URL: 'postgresql://auth_user:pass@localhost/authdb',
+				API_DATABASE_URL: 'postgresql://api_user:pass@localhost/apidb',
+				JWT_SECRET: 'shared-secret',
+			});
+
+			const authSecrets = await loadSecretsForApp(testDir, 'auth');
+
+			expect(authSecrets.DATABASE_URL).toBe(
+				'postgresql://auth_user:pass@localhost/authdb',
+			);
+			// Original prefixed secrets are also available
+			expect(authSecrets.AUTH_DATABASE_URL).toBe(
+				'postgresql://auth_user:pass@localhost/authdb',
+			);
+			expect(authSecrets.JWT_SECRET).toBe('shared-secret');
+		});
+
+		it('should map API secrets correctly', async () => {
+			createSecretsFile('development', {
+				AUTH_DATABASE_URL: 'postgresql://auth_user:pass@localhost/authdb',
+				API_DATABASE_URL: 'postgresql://api_user:pass@localhost/apidb',
+			});
+
+			const apiSecrets = await loadSecretsForApp(testDir, 'api');
+
+			expect(apiSecrets.DATABASE_URL).toBe(
+				'postgresql://api_user:pass@localhost/apidb',
+			);
+		});
+
+		it('should not override DATABASE_URL if no prefixed version exists', async () => {
+			createSecretsFile('development', {
+				DATABASE_URL: 'postgresql://localhost/maindb',
+				JWT_SECRET: 'secret',
+			});
+
+			// Asking for 'auth' app but AUTH_DATABASE_URL doesn't exist
+			const authSecrets = await loadSecretsForApp(testDir, 'auth');
+
+			// Should keep the original DATABASE_URL since there's no AUTH_DATABASE_URL
+			expect(authSecrets.DATABASE_URL).toBe('postgresql://localhost/maindb');
+		});
+
+		it('should handle uppercase app names in secrets', async () => {
+			createSecretsFile('development', {
+				MYSERVICE_DATABASE_URL: 'postgresql://localhost/myservicedb',
+			});
+
+			// App name is lowercase but secrets are uppercase prefixed
+			const secrets = await loadSecretsForApp(testDir, 'myservice');
+
+			expect(secrets.DATABASE_URL).toBe('postgresql://localhost/myservicedb');
+		});
+
+		it('should return empty object if no secrets exist for app', async () => {
+			const secrets = await loadSecretsForApp(testDir, 'api');
+
+			expect(secrets).toEqual({});
+		});
+	});
+
+	describe('service credentials mapping', () => {
+		it('should include postgres service credentials', async () => {
+			const secretsDir = join(testDir, '.gkm', 'secrets');
+			mkdirSync(secretsDir, { recursive: true });
+			const stageSecrets = {
+				stage: 'development',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {
+					postgres: {
+						username: 'postgres',
+						password: 'postgres123',
+						database: 'myapp',
+						host: 'localhost',
+						port: 5432,
+					},
+				},
+				urls: {},
+				custom: { NODE_ENV: 'development' },
+			};
+			writeFileSync(
+				join(secretsDir, 'development.json'),
+				JSON.stringify(stageSecrets, null, 2),
+			);
+
+			const secrets = await loadSecretsForApp(testDir);
+
+			expect(secrets.POSTGRES_USER).toBe('postgres');
+			expect(secrets.POSTGRES_PASSWORD).toBe('postgres123');
+			expect(secrets.POSTGRES_DB).toBe('myapp');
+			expect(secrets.POSTGRES_HOST).toBe('localhost');
+			expect(secrets.POSTGRES_PORT).toBe('5432');
+			expect(secrets.NODE_ENV).toBe('development');
+		});
+
+		it('should include redis service credentials', async () => {
+			const secretsDir = join(testDir, '.gkm', 'secrets');
+			mkdirSync(secretsDir, { recursive: true });
+			const stageSecrets = {
+				stage: 'development',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {
+					redis: {
+						password: 'redis123',
+						host: 'localhost',
+						port: 6379,
+					},
+				},
+				urls: {},
+				custom: {},
+			};
+			writeFileSync(
+				join(secretsDir, 'development.json'),
+				JSON.stringify(stageSecrets, null, 2),
+			);
+
+			const secrets = await loadSecretsForApp(testDir);
+
+			expect(secrets.REDIS_PASSWORD).toBe('redis123');
+			expect(secrets.REDIS_HOST).toBe('localhost');
+			expect(secrets.REDIS_PORT).toBe('6379');
+		});
+	});
+});

package/src/dev/index.ts

@@ -1,6 +1,6 @@
 import { type ChildProcess, execSync, spawn } from 'node:child_process';
 import { existsSync } from 'node:fs';
-import { mkdir } from 'node:fs/promises';
+import { mkdir, writeFile } from 'node:fs/promises';
 import { createServer } from 'node:net';
 import { join, resolve } from 'node:path';
 import chokidar from 'chokidar';
@@ -318,6 +318,8 @@ export async function devCommand(options: DevOptions): Promise<void> {
 	const appName = getAppNameFromCwd();
 	let config: GkmConfig;
 	let appRoot: string = process.cwd();
+	let secretsRoot: string = process.cwd(); // Where .gkm/secrets/ lives
+	let workspaceAppName: string | undefined; // Set if in workspace mode
 
 	if (appName) {
 		// Try to load app-specific config from workspace
@@ -325,6 +327,8 @@ export async function devCommand(options: DevOptions): Promise<void> {
 			const appConfig = await loadAppConfig();
 			config = appConfig.gkmConfig;
 			appRoot = appConfig.appRoot;
+			secretsRoot = appConfig.workspaceRoot;
+			workspaceAppName = appConfig.appName;
 			logger.log(`📦 Running app: ${appConfig.appName}`);
 		} catch {
 			// Not in a workspace or app not found in workspace - fall back to regular loading
@@ -438,6 +442,17 @@ export async function devCommand(options: DevOptions): Promise<void> {
 	// Determine runtime (default to node)
 	const runtime: Runtime = config.runtime ?? 'node';
 
+	// Load secrets for dev mode and write to JSON file
+	let secretsJsonPath: string | undefined;
+	const appSecrets = await loadSecretsForApp(secretsRoot, workspaceAppName);
+	if (Object.keys(appSecrets).length > 0) {
+		const secretsDir = join(secretsRoot, '.gkm');
+		await mkdir(secretsDir, { recursive: true });
+		secretsJsonPath = join(secretsDir, 'dev-secrets.json');
+		await writeFile(secretsJsonPath, JSON.stringify(appSecrets, null, 2));
+		logger.log(`🔐 Loaded ${Object.keys(appSecrets).length} secret(s)`);
+	}
+
 	// Start the dev server
 	const devServer = new DevServer(
 		resolved.providers[0] as LegacyProvider,
@@ -448,6 +463,7 @@ export async function devCommand(options: DevOptions): Promise<void> {
 		studio,
 		runtime,
 		appRoot,
+		secretsJsonPath,
 	);
 
 	await devServer.start();
@@ -754,6 +770,54 @@ export async function loadDevSecrets(
 	return {};
 }
 
+/**
+ * Load secrets from a path for dev mode.
+ * For single app: returns secrets as-is.
+ * For workspace app: maps {APP}_DATABASE_URL → DATABASE_URL.
+ * @internal Exported for testing
+ */
+export async function loadSecretsForApp(
+	secretsRoot: string,
+	appName?: string,
+): Promise<Record<string, string>> {
+	// Try 'dev' stage first, then 'development'
+	const stages = ['dev', 'development'];
+
+	let secrets: Record<string, string> = {};
+
+	for (const stage of stages) {
+		if (secretsExist(stage, secretsRoot)) {
+			const stageSecrets = await readStageSecrets(stage, secretsRoot);
+			if (stageSecrets) {
+				logger.log(`🔐 Loading secrets from stage: ${stage}`);
+				secrets = toEmbeddableSecrets(stageSecrets);
+				break;
+			}
+		}
+	}
+
+	if (Object.keys(secrets).length === 0) {
+		return {};
+	}
+
+	// Single app mode - no mapping needed
+	if (!appName) {
+		return secrets;
+	}
+
+	// Workspace app mode - map {APP}_* to generic names
+	const prefix = appName.toUpperCase();
+	const mapped = { ...secrets };
+
+	// Map {APP}_DATABASE_URL → DATABASE_URL
+	const appDbUrl = secrets[`${prefix}_DATABASE_URL`];
+	if (appDbUrl) {
+		mapped.DATABASE_URL = appDbUrl;
+	}
+
+	return mapped;
+}
+
 /**
  * Start docker-compose services for the workspace.
  * @internal Exported for testing
@@ -1192,6 +1256,7 @@ class DevServer {
 		private studio: NormalizedStudioConfig | undefined,
 		private runtime: Runtime = 'node',
 		private appRoot: string = process.cwd(),
+		private secretsJsonPath?: string,
 	) {
 		this.actualPort = requestedPort;
 	}
@@ -1341,7 +1406,7 @@ class DevServer {
 	}
 
 	private async createServerEntry(): Promise<void> {
-		const { writeFile } = await import('node:fs/promises');
+		const { writeFile: fsWriteFile } = await import('node:fs/promises');
 		const { relative, dirname } = await import('node:path');
 
 		const serverPath = join(this.appRoot, '.gkm', this.provider, 'server.ts');
@@ -1351,6 +1416,20 @@ class DevServer {
 			join(dirname(serverPath), 'app.js'),
 		);
 
+		// Generate credentials injection code if secrets are available
+		const credentialsInjection = this.secretsJsonPath
+			? `import { Credentials } from '@geekmidas/envkit/credentials';
+import { existsSync, readFileSync } from 'node:fs';
+
+// Inject dev secrets into Credentials (must happen before app import)
+const secretsPath = '${this.secretsJsonPath}';
+if (existsSync(secretsPath)) {
+  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
+}
+
+`
+			: '';
+
 		const serveCode =
 			this.runtime === 'bun'
 				? `Bun.serve({
@@ -1374,7 +1453,7 @@ class DevServer {
  * Development server entry point
  * This file is auto-generated by 'gkm dev'
  */
-import { createApp } from './${relativeAppPath.startsWith('.') ? relativeAppPath : `./${relativeAppPath}`}';
+${credentialsInjection}import { createApp } from './${relativeAppPath.startsWith('.') ? relativeAppPath : `./${relativeAppPath}`}';
 
 const port = process.argv.includes('--port')
   ? Number.parseInt(process.argv[process.argv.indexOf('--port') + 1])
@@ -1395,6 +1474,6 @@ start({
 });
 `;
 
-		await writeFile(serverPath, content);
+		await fsWriteFile(serverPath, content);
 	}
 }

package/src/init/__tests__/generators.spec.ts

@@ -15,9 +15,14 @@ const baseOptions: TemplateOptions = {
 	template: 'minimal',
 	telescope: true,
 	database: true,
-	routeStyle: 'file-based',
+	studio: true,
+	loggerType: 'pino',
+	routesStructure: 'centralized-endpoints',
 	monorepo: false,
 	apiPath: '',
+	packageManager: 'pnpm',
+	deployTarget: 'dokploy',
+	services: { db: true, cache: true, mail: false },
 };
 
 describe('generatePackageJson', () => {
@@ -161,7 +166,8 @@ describe('generateConfigFiles', () => {
 		};
 		const files = generateConfigFiles(options, minimalTemplate);
 		const tsConfig = files.find((f) => f.path === 'tsconfig.json');
-		const config = JSON.parse(tsConfig?.content);
+		expect(tsConfig).toBeDefined();
+		const config = JSON.parse(tsConfig!.content);
 		expect(config.extends).toBe('../../tsconfig.json');
 		expect(config.compilerOptions.paths).toBeDefined();
 		expect(config.compilerOptions.paths['@test-project/*']).toBeDefined();
@@ -274,7 +280,8 @@ describe('generateMonorepoFiles', () => {
 		};
 		const files = generateMonorepoFiles(options, minimalTemplate);
 		const pkgJson = files.find((f) => f.path === 'package.json');
-		const pkg = JSON.parse(pkgJson?.content);
+		expect(pkgJson).toBeDefined();
+		const pkg = JSON.parse(pkgJson!.content);
 		expect(pkg.scripts.dev).toBe('turbo dev');
 		expect(pkg.scripts.build).toBe('turbo build');
 		expect(pkg.scripts.lint).toBe('biome lint .');
@@ -311,7 +318,8 @@ describe('generateModelsPackage', () => {
 		const pkgJson = files.find(
 			(f) => f.path === 'packages/models/package.json',
 		);
-		const pkg = JSON.parse(pkgJson?.content);
+		expect(pkgJson).toBeDefined();
+		const pkg = JSON.parse(pkgJson!.content);
 		expect(pkg.name).toBe('@test-project/models');
 	});
 
@@ -325,7 +333,8 @@ describe('generateModelsPackage', () => {
 		const pkgJson = files.find(
 			(f) => f.path === 'packages/models/package.json',
 		);
-		const pkg = JSON.parse(pkgJson?.content);
+		expect(pkgJson).toBeDefined();
+		const pkg = JSON.parse(pkgJson!.content);
 		expect(pkg.dependencies.zod).toBeDefined();
 	});
 
@@ -336,9 +345,7 @@ describe('generateModelsPackage', () => {
 			apiPath: 'apps/api',
 		};
 		const files = generateModelsPackage(options);
-		const userTs = files.find(
-			(f) => f.path === 'packages/models/src/user.ts',
-		);
+		const userTs = files.find((f) => f.path === 'packages/models/src/user.ts');
 		const commonTs = files.find(
 			(f) => f.path === 'packages/models/src/common.ts',
 		);
@@ -359,7 +366,8 @@ describe('generateModelsPackage', () => {
 		const tsConfig = files.find(
 			(f) => f.path === 'packages/models/tsconfig.json',
 		);
-		const config = JSON.parse(tsConfig?.content);
+		expect(tsConfig).toBeDefined();
+		const config = JSON.parse(tsConfig!.content);
 		expect(config.extends).toBe('../../tsconfig.json');
 	});
 });

package/src/workspace/__tests__/schema.spec.ts

@@ -478,6 +478,120 @@ describe('WorkspaceConfigSchema', () => {
 		});
 	});
 
+	describe('auth app configuration', () => {
+		it('should accept auth app with provider', () => {
+			const config = {
+				apps: {
+					auth: {
+						type: 'auth' as const,
+						path: 'apps/auth',
+						port: 3002,
+						provider: 'better-auth' as const,
+					},
+				},
+			};
+
+			const result = validateWorkspaceConfig(config);
+
+			expect(result.apps.auth.type).toBe('auth');
+			expect(result.apps.auth.provider).toBe('better-auth');
+		});
+
+		it('should reject auth app without provider', () => {
+			const config = {
+				apps: {
+					auth: {
+						type: 'auth' as const,
+						path: 'apps/auth',
+						port: 3002,
+						// Missing provider
+					},
+				},
+			};
+
+			const result = safeValidateWorkspaceConfig(config);
+
+			expect(result.success).toBe(false);
+			if (result.error) {
+				const formatted = formatValidationErrors(result.error);
+				expect(formatted).toContain('Auth apps must have provider defined');
+			}
+		});
+
+		it('should allow auth app with backend properties', () => {
+			const config = {
+				apps: {
+					auth: {
+						type: 'auth' as const,
+						path: 'apps/auth',
+						port: 3002,
+						provider: 'better-auth' as const,
+						envParser: './src/config/env',
+						logger: './src/logger',
+						telescope: true,
+					},
+				},
+			};
+
+			const result = validateWorkspaceConfig(config);
+
+			expect(result.apps.auth.type).toBe('auth');
+			expect(result.apps.auth.envParser).toBe('./src/config/env');
+			expect(result.apps.auth.telescope).toBe(true);
+		});
+
+		it('should validate fullstack workspace with auth app', () => {
+			const config = {
+				name: 'fullstack-app',
+				apps: {
+					api: {
+						type: 'backend' as const,
+						path: 'apps/api',
+						port: 3000,
+						routes: './src/endpoints/**/*.ts',
+						dependencies: ['auth'],
+					},
+					auth: {
+						type: 'auth' as const,
+						path: 'apps/auth',
+						port: 3002,
+						provider: 'better-auth' as const,
+					},
+					web: {
+						type: 'frontend' as const,
+						path: 'apps/web',
+						port: 3001,
+						framework: 'nextjs' as const,
+						dependencies: ['api', 'auth'],
+					},
+				},
+			};
+
+			const result = validateWorkspaceConfig(config);
+
+			expect(result.apps.api.dependencies).toEqual(['auth']);
+			expect(result.apps.auth.type).toBe('auth');
+			expect(result.apps.web.dependencies).toEqual(['api', 'auth']);
+		});
+
+		it('should reject invalid auth provider', () => {
+			const config = {
+				apps: {
+					auth: {
+						type: 'auth' as const,
+						path: 'apps/auth',
+						port: 3002,
+						provider: 'invalid-provider',
+					},
+				},
+			};
+
+			const result = safeValidateWorkspaceConfig(config);
+
+			expect(result.success).toBe(false);
+		});
+	});
+
 	describe('deploy target helpers', () => {
 		it('isDeployTargetSupported should return true for dokploy', () => {
 			expect(isDeployTargetSupported('dokploy')).toBe(true);

package/src/workspace/schema.ts

@@ -51,6 +51,12 @@ const ClientConfigSchema = z.object({
 	output: z.string().optional(),
 });
 
+/**
+ * Auth provider schema.
+ * Currently only 'better-auth' is supported.
+ */
+const AuthProviderSchema = z.enum(['better-auth']);
+
 /**
  * Deploy target schema.
  * Currently only 'dokploy' is supported.
@@ -177,7 +183,7 @@ const SecretsConfigSchema = z.object({
 const AppConfigSchema = z
 	.object({
 		// Core properties
-		type: z.enum(['backend', 'frontend']).optional().default('backend'),
+		type: z.enum(['backend', 'frontend', 'auth']).optional().default('backend'),
 		path: z.string().min(1, 'App path is required'),
 		port: z.number().int().positive('Port must be a positive integer'),
 		dependencies: z.array(z.string()).optional(),
@@ -202,6 +208,9 @@ const AppConfigSchema = z
 		// Frontend-specific
 		framework: z.enum(['nextjs']).optional(),
 		client: ClientConfigSchema.optional(),
+
+		// Auth-specific
+		provider: AuthProviderSchema.optional(),
 	})
 	// Note: routes is optional for backend apps - some backends like auth servers don't use routes
 	.refine(
@@ -216,6 +225,19 @@ const AppConfigSchema = z
 			message: 'Frontend apps must have framework defined',
 			path: ['framework'],
 		},
+	)
+	.refine(
+		(data) => {
+			// Auth apps must have provider
+			if (data.type === 'auth' && !data.provider) {
+				return false;
+			}
+			return true;
+		},
+		{
+			message: 'Auth apps must have provider defined',
+			path: ['provider'],
+		},
 	);
 
 /**