@geekmidas/cli 0.29.0 → 0.31.0

package/src/dev/index.ts

@@ -1,8 +1,8 @@
 import { type ChildProcess, execSync, spawn } from 'node:child_process';
 import { existsSync } from 'node:fs';
-import { mkdir } from 'node:fs/promises';
+import { mkdir, writeFile } from 'node:fs/promises';
 import { createServer } from 'node:net';
-import { join, resolve } from 'node:path';
+import { dirname, join, resolve } from 'node:path';
 import chokidar from 'chokidar';
 import { config as dotenvConfig } from 'dotenv';
 import fg from 'fast-glob';
@@ -304,9 +304,18 @@ export interface DevOptions {
 	app?: string;
 	/** Filter apps by pattern (passed to turbo --filter) */
 	filter?: string;
+	/** Entry file to run (bypasses gkm config) */
+	entry?: string;
+	/** Watch for file changes (default: true with --entry) */
+	watch?: boolean;
 }
 
 export async function devCommand(options: DevOptions): Promise<void> {
+	// Handle --entry mode: run any file with secret injection
+	if (options.entry) {
+		return entryDevCommand(options);
+	}
+
 	// Load default .env file BEFORE loading config
 	// This ensures env vars are available when config and its dependencies are loaded
 	const defaultEnv = loadEnvFiles('.env');
@@ -318,6 +327,8 @@ export async function devCommand(options: DevOptions): Promise<void> {
 	const appName = getAppNameFromCwd();
 	let config: GkmConfig;
 	let appRoot: string = process.cwd();
+	let secretsRoot: string = process.cwd(); // Where .gkm/secrets/ lives
+	let workspaceAppName: string | undefined; // Set if in workspace mode
 
 	if (appName) {
 		// Try to load app-specific config from workspace
@@ -325,6 +336,8 @@ export async function devCommand(options: DevOptions): Promise<void> {
 			const appConfig = await loadAppConfig();
 			config = appConfig.gkmConfig;
 			appRoot = appConfig.appRoot;
+			secretsRoot = appConfig.workspaceRoot;
+			workspaceAppName = appConfig.appName;
 			logger.log(`📦 Running app: ${appConfig.appName}`);
 		} catch {
 			// Not in a workspace or app not found in workspace - fall back to regular loading
@@ -438,6 +451,17 @@ export async function devCommand(options: DevOptions): Promise<void> {
 	// Determine runtime (default to node)
 	const runtime: Runtime = config.runtime ?? 'node';
 
+	// Load secrets for dev mode and write to JSON file
+	let secretsJsonPath: string | undefined;
+	const appSecrets = await loadSecretsForApp(secretsRoot, workspaceAppName);
+	if (Object.keys(appSecrets).length > 0) {
+		const secretsDir = join(secretsRoot, '.gkm');
+		await mkdir(secretsDir, { recursive: true });
+		secretsJsonPath = join(secretsDir, 'dev-secrets.json');
+		await writeFile(secretsJsonPath, JSON.stringify(appSecrets, null, 2));
+		logger.log(`🔐 Loaded ${Object.keys(appSecrets).length} secret(s)`);
+	}
+
 	// Start the dev server
 	const devServer = new DevServer(
 		resolved.providers[0] as LegacyProvider,
@@ -448,6 +472,7 @@ export async function devCommand(options: DevOptions): Promise<void> {
 		studio,
 		runtime,
 		appRoot,
+		secretsJsonPath,
 	);
 
 	await devServer.start();
@@ -754,6 +779,54 @@ export async function loadDevSecrets(
 	return {};
 }
 
+/**
+ * Load secrets from a path for dev mode.
+ * For single app: returns secrets as-is.
+ * For workspace app: maps {APP}_DATABASE_URL → DATABASE_URL.
+ * @internal Exported for testing
+ */
+export async function loadSecretsForApp(
+	secretsRoot: string,
+	appName?: string,
+): Promise<Record<string, string>> {
+	// Try 'dev' stage first, then 'development'
+	const stages = ['dev', 'development'];
+
+	let secrets: Record<string, string> = {};
+
+	for (const stage of stages) {
+		if (secretsExist(stage, secretsRoot)) {
+			const stageSecrets = await readStageSecrets(stage, secretsRoot);
+			if (stageSecrets) {
+				logger.log(`🔐 Loading secrets from stage: ${stage}`);
+				secrets = toEmbeddableSecrets(stageSecrets);
+				break;
+			}
+		}
+	}
+
+	if (Object.keys(secrets).length === 0) {
+		return {};
+	}
+
+	// Single app mode - no mapping needed
+	if (!appName) {
+		return secrets;
+	}
+
+	// Workspace app mode - map {APP}_* to generic names
+	const prefix = appName.toUpperCase();
+	const mapped = { ...secrets };
+
+	// Map {APP}_DATABASE_URL → DATABASE_URL
+	const appDbUrl = secrets[`${prefix}_DATABASE_URL`];
+	if (appDbUrl) {
+		mapped.DATABASE_URL = appDbUrl;
+	}
+
+	return mapped;
+}
+
 /**
  * Start docker-compose services for the workspace.
  * @internal Exported for testing
@@ -1178,6 +1251,242 @@ async function buildServer(
 	]);
 }
 
+/**
+ * Find the directory containing .gkm/secrets/.
+ * Walks up from cwd until it finds one, or returns cwd.
+ * @internal Exported for testing
+ */
+export function findSecretsRoot(startDir: string): string {
+	let dir = startDir;
+	while (dir !== '/') {
+		if (existsSync(join(dir, '.gkm', 'secrets'))) {
+			return dir;
+		}
+		const parent = dirname(dir);
+		if (parent === dir) break;
+		dir = parent;
+	}
+	return startDir;
+}
+
+/**
+ * Create a wrapper script that injects secrets before importing the entry file.
+ * @internal Exported for testing
+ */
+export async function createEntryWrapper(
+	wrapperPath: string,
+	entryPath: string,
+	secretsJsonPath?: string,
+): Promise<void> {
+	const credentialsInjection = secretsJsonPath
+		? `import { Credentials } from '@geekmidas/envkit/credentials';
+import { existsSync, readFileSync } from 'node:fs';
+
+// Inject dev secrets into Credentials (before app import)
+const secretsPath = '${secretsJsonPath}';
+if (existsSync(secretsPath)) {
+  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
+}
+
+`
+		: '';
+
+	const content = `#!/usr/bin/env node
+/**
+ * Entry wrapper generated by 'gkm dev --entry'
+ */
+${credentialsInjection}// Import and run the user's entry file
+import '${entryPath}';
+`;
+
+	await writeFile(wrapperPath, content);
+}
+
+/**
+ * Run any TypeScript file with secret injection.
+ * Does not require gkm.config.ts.
+ */
+async function entryDevCommand(options: DevOptions): Promise<void> {
+	const { entry, port = 3000, watch = true } = options;
+
+	if (!entry) {
+		throw new Error('--entry requires a file path');
+	}
+
+	const entryPath = resolve(process.cwd(), entry);
+
+	if (!existsSync(entryPath)) {
+		throw new Error(`Entry file not found: ${entryPath}`);
+	}
+
+	logger.log(`🚀 Starting entry file: ${entry}`);
+
+	// Load .env files
+	const defaultEnv = loadEnvFiles('.env');
+	if (defaultEnv.loaded.length > 0) {
+		logger.log(`📦 Loaded env: ${defaultEnv.loaded.join(', ')}`);
+	}
+
+	// Determine secrets root (current dir or workspace root)
+	const secretsRoot = findSecretsRoot(process.cwd());
+
+	// Determine app name for per-app secret mapping
+	const appName = getAppNameFromCwd() ?? undefined;
+
+	// Load secrets
+	const appSecrets = await loadSecretsForApp(secretsRoot, appName);
+	if (Object.keys(appSecrets).length > 0) {
+		logger.log(`🔐 Loaded ${Object.keys(appSecrets).length} secret(s)`);
+	}
+
+	// Write secrets to temp JSON file
+	let secretsJsonPath: string | undefined;
+	if (Object.keys(appSecrets).length > 0) {
+		const secretsDir = join(secretsRoot, '.gkm');
+		await mkdir(secretsDir, { recursive: true });
+		secretsJsonPath = join(secretsDir, 'dev-secrets.json');
+		await writeFile(secretsJsonPath, JSON.stringify(appSecrets, null, 2));
+	}
+
+	// Create wrapper entry that injects secrets before importing user's file
+	const wrapperDir = join(process.cwd(), '.gkm');
+	await mkdir(wrapperDir, { recursive: true });
+	const wrapperPath = join(wrapperDir, 'entry-wrapper.ts');
+	await createEntryWrapper(wrapperPath, entryPath, secretsJsonPath);
+
+	// Start with tsx
+	const runner = new EntryRunner(wrapperPath, entryPath, watch, port);
+	await runner.start();
+
+	// Handle graceful shutdown
+	let isShuttingDown = false;
+	const shutdown = () => {
+		if (isShuttingDown) return;
+		isShuttingDown = true;
+
+		logger.log('\n🛑 Shutting down...');
+		runner.stop();
+		process.exit(0);
+	};
+
+	process.on('SIGINT', shutdown);
+	process.on('SIGTERM', shutdown);
+
+	// Keep the process alive
+	await new Promise(() => {});
+}
+
+/**
+ * Runs and watches a TypeScript entry file using tsx.
+ */
+class EntryRunner {
+	private childProcess: ChildProcess | null = null;
+	private watcher: ReturnType<typeof chokidar.watch> | null = null;
+	private isRunning = false;
+
+	constructor(
+		private wrapperPath: string,
+		private entryPath: string,
+		private watch: boolean,
+		private port: number,
+	) {}
+
+	async start(): Promise<void> {
+		await this.runProcess();
+
+		if (this.watch) {
+			// Watch the entry file's directory for changes
+			const watchDir = dirname(this.entryPath);
+
+			this.watcher = chokidar.watch(watchDir, {
+				ignored: /(^|[/\\])\../,
+				persistent: true,
+				ignoreInitial: true,
+			});
+
+			let restartTimeout: NodeJS.Timeout | null = null;
+
+			this.watcher.on('change', (path) => {
+				logger.log(`📝 File changed: ${path}`);
+
+				// Debounce restarts
+				if (restartTimeout) {
+					clearTimeout(restartTimeout);
+				}
+
+				restartTimeout = setTimeout(async () => {
+					logger.log('🔄 Restarting...');
+					await this.restart();
+				}, 300);
+			});
+
+			logger.log(`👀 Watching for changes in: ${watchDir}`);
+		}
+	}
+
+	private async runProcess(): Promise<void> {
+		// Pass PORT as environment variable
+		const env = { ...process.env, PORT: String(this.port) };
+
+		this.childProcess = spawn('npx', ['tsx', this.wrapperPath], {
+			stdio: 'inherit',
+			env,
+			detached: true,
+		});
+
+		this.isRunning = true;
+
+		this.childProcess.on('error', (error) => {
+			logger.error('❌ Process error:', error);
+		});
+
+		this.childProcess.on('exit', (code) => {
+			if (code !== null && code !== 0 && code !== 143) {
+				// 143 = SIGTERM
+				logger.error(`❌ Process exited with code ${code}`);
+			}
+			this.isRunning = false;
+		});
+
+		// Give the process a moment to start
+		await new Promise((resolve) => setTimeout(resolve, 500));
+
+		if (this.isRunning) {
+			logger.log(`\n🎉 Running at http://localhost:${this.port}`);
+		}
+	}
+
+	async restart(): Promise<void> {
+		this.stopProcess();
+		await new Promise((resolve) => setTimeout(resolve, 500));
+		await this.runProcess();
+	}
+
+	stop(): void {
+		this.watcher?.close();
+		this.stopProcess();
+	}
+
+	private stopProcess(): void {
+		if (this.childProcess && this.isRunning) {
+			const pid = this.childProcess.pid;
+			if (pid) {
+				try {
+					process.kill(-pid, 'SIGTERM');
+				} catch {
+					try {
+						process.kill(pid, 'SIGTERM');
+					} catch {
+						// Process already dead
+					}
+				}
+			}
+			this.childProcess = null;
+			this.isRunning = false;
+		}
+	}
+}
+
 class DevServer {
 	private serverProcess: ChildProcess | null = null;
 	private isRunning = false;
@@ -1192,6 +1501,7 @@ class DevServer {
 		private studio: NormalizedStudioConfig | undefined,
 		private runtime: Runtime = 'node',
 		private appRoot: string = process.cwd(),
+		private secretsJsonPath?: string,
 	) {
 		this.actualPort = requestedPort;
 	}
@@ -1341,7 +1651,7 @@ class DevServer {
 	}
 
 	private async createServerEntry(): Promise<void> {
-		const { writeFile } = await import('node:fs/promises');
+		const { writeFile: fsWriteFile } = await import('node:fs/promises');
 		const { relative, dirname } = await import('node:path');
 
 		const serverPath = join(this.appRoot, '.gkm', this.provider, 'server.ts');
@@ -1351,6 +1661,20 @@ class DevServer {
 			join(dirname(serverPath), 'app.js'),
 		);
 
+		// Generate credentials injection code if secrets are available
+		const credentialsInjection = this.secretsJsonPath
+			? `import { Credentials } from '@geekmidas/envkit/credentials';
+import { existsSync, readFileSync } from 'node:fs';
+
+// Inject dev secrets into Credentials (must happen before app import)
+const secretsPath = '${this.secretsJsonPath}';
+if (existsSync(secretsPath)) {
+  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
+}
+
+`
+			: '';
+
 		const serveCode =
 			this.runtime === 'bun'
 				? `Bun.serve({
@@ -1374,7 +1698,7 @@ class DevServer {
  * Development server entry point
  * This file is auto-generated by 'gkm dev'
  */
-import { createApp } from './${relativeAppPath.startsWith('.') ? relativeAppPath : `./${relativeAppPath}`}';
+${credentialsInjection}import { createApp } from './${relativeAppPath.startsWith('.') ? relativeAppPath : `./${relativeAppPath}`}';
 
 const port = process.argv.includes('--port')
   ? Number.parseInt(process.argv[process.argv.indexOf('--port') + 1])
@@ -1395,6 +1719,6 @@ start({
 });
 `;
 
-		await writeFile(serverPath, content);
+		await fsWriteFile(serverPath, content);
 	}
 }

package/src/index.ts

@@ -136,28 +136,42 @@ program
 	.command('dev')
 	.description('Start development server with automatic reload')
 	.option('-p, --port <port>', 'Port to run the development server on')
+	.option('--entry <file>', 'Entry file to run (bypasses gkm config)')
+	.option('--watch', 'Watch for file changes (default: true with --entry)')
+	.option('--no-watch', 'Disable file watching')
 	.option(
 		'--enable-openapi',
 		'Enable OpenAPI documentation for development server',
 		true,
 	)
-	.action(async (options: { port?: string; enableOpenapi?: boolean }) => {
-		try {
-			const globalOptions = program.opts();
-			if (globalOptions.cwd) {
-				process.chdir(globalOptions.cwd);
-			}
+	.action(
+		async (options: {
+			port?: string;
+			entry?: string;
+			watch?: boolean;
+			enableOpenapi?: boolean;
+		}) => {
+			try {
+				const globalOptions = program.opts();
+				if (globalOptions.cwd) {
+					process.chdir(globalOptions.cwd);
+				}
 
-			await devCommand({
-				port: options.port ? Number.parseInt(options.port, 10) : 3000,
-				portExplicit: !!options.port,
-				enableOpenApi: options.enableOpenapi ?? true,
-			});
-		} catch (error) {
-			console.error(error instanceof Error ? error.message : 'Command failed');
-			process.exit(1);
-		}
-	});
+				await devCommand({
+					port: options.port ? Number.parseInt(options.port, 10) : 3000,
+					portExplicit: !!options.port,
+					enableOpenApi: options.enableOpenapi ?? true,
+					entry: options.entry,
+					watch: options.watch,
+				});
+			} catch (error) {
+				console.error(
+					error instanceof Error ? error.message : 'Command failed',
+				);
+				process.exit(1);
+			}
+		},
+	);
 
 program
 	.command('test')

package/src/init/__tests__/generators.spec.ts

@@ -15,9 +15,14 @@ const baseOptions: TemplateOptions = {
 	template: 'minimal',
 	telescope: true,
 	database: true,
-	routeStyle: 'file-based',
+	studio: true,
+	loggerType: 'pino',
+	routesStructure: 'centralized-endpoints',
 	monorepo: false,
 	apiPath: '',
+	packageManager: 'pnpm',
+	deployTarget: 'dokploy',
+	services: { db: true, cache: true, mail: false },
 };
 
 describe('generatePackageJson', () => {
@@ -161,7 +166,8 @@ describe('generateConfigFiles', () => {
 		};
 		const files = generateConfigFiles(options, minimalTemplate);
 		const tsConfig = files.find((f) => f.path === 'tsconfig.json');
-		const config = JSON.parse(tsConfig?.content);
+		expect(tsConfig).toBeDefined();
+		const config = JSON.parse(tsConfig!.content);
 		expect(config.extends).toBe('../../tsconfig.json');
 		expect(config.compilerOptions.paths).toBeDefined();
 		expect(config.compilerOptions.paths['@test-project/*']).toBeDefined();
@@ -274,7 +280,8 @@ describe('generateMonorepoFiles', () => {
 		};
 		const files = generateMonorepoFiles(options, minimalTemplate);
 		const pkgJson = files.find((f) => f.path === 'package.json');
-		const pkg = JSON.parse(pkgJson?.content);
+		expect(pkgJson).toBeDefined();
+		const pkg = JSON.parse(pkgJson!.content);
 		expect(pkg.scripts.dev).toBe('turbo dev');
 		expect(pkg.scripts.build).toBe('turbo build');
 		expect(pkg.scripts.lint).toBe('biome lint .');
@@ -311,7 +318,8 @@ describe('generateModelsPackage', () => {
 		const pkgJson = files.find(
 			(f) => f.path === 'packages/models/package.json',
 		);
-		const pkg = JSON.parse(pkgJson?.content);
+		expect(pkgJson).toBeDefined();
+		const pkg = JSON.parse(pkgJson!.content);
 		expect(pkg.name).toBe('@test-project/models');
 	});
 
@@ -325,7 +333,8 @@ describe('generateModelsPackage', () => {
 		const pkgJson = files.find(
 			(f) => f.path === 'packages/models/package.json',
 		);
-		const pkg = JSON.parse(pkgJson?.content);
+		expect(pkgJson).toBeDefined();
+		const pkg = JSON.parse(pkgJson!.content);
 		expect(pkg.dependencies.zod).toBeDefined();
 	});
 
@@ -336,9 +345,7 @@ describe('generateModelsPackage', () => {
 			apiPath: 'apps/api',
 		};
 		const files = generateModelsPackage(options);
-		const userTs = files.find(
-			(f) => f.path === 'packages/models/src/user.ts',
-		);
+		const userTs = files.find((f) => f.path === 'packages/models/src/user.ts');
 		const commonTs = files.find(
 			(f) => f.path === 'packages/models/src/common.ts',
 		);
@@ -359,7 +366,8 @@ describe('generateModelsPackage', () => {
 		const tsConfig = files.find(
 			(f) => f.path === 'packages/models/tsconfig.json',
 		);
-		const config = JSON.parse(tsConfig?.content);
+		expect(tsConfig).toBeDefined();
+		const config = JSON.parse(tsConfig!.content);
 		expect(config.extends).toBe('../../tsconfig.json');
 	});
 });

package/src/init/versions.ts

@@ -35,7 +35,7 @@ export const GEEKMIDAS_VERSIONS = {
 	'@geekmidas/constructs': '~0.6.0',
 	'@geekmidas/db': '~0.3.0',
 	'@geekmidas/emailkit': '~0.2.0',
-	'@geekmidas/envkit': '~0.4.0',
+	'@geekmidas/envkit': '~0.5.0',
 	'@geekmidas/errors': '~0.1.0',
 	'@geekmidas/events': '~0.2.0',
 	'@geekmidas/logger': '~0.4.0',

package/src/workspace/__tests__/schema.spec.ts

@@ -478,6 +478,120 @@ describe('WorkspaceConfigSchema', () => {
 		});
 	});
 
+	describe('auth app configuration', () => {
+		it('should accept auth app with provider', () => {
+			const config = {
+				apps: {
+					auth: {
+						type: 'auth' as const,
+						path: 'apps/auth',
+						port: 3002,
+						provider: 'better-auth' as const,
+					},
+				},
+			};
+
+			const result = validateWorkspaceConfig(config);
+
+			expect(result.apps.auth.type).toBe('auth');
+			expect(result.apps.auth.provider).toBe('better-auth');
+		});
+
+		it('should reject auth app without provider', () => {
+			const config = {
+				apps: {
+					auth: {
+						type: 'auth' as const,
+						path: 'apps/auth',
+						port: 3002,
+						// Missing provider
+					},
+				},
+			};
+
+			const result = safeValidateWorkspaceConfig(config);
+
+			expect(result.success).toBe(false);
+			if (result.error) {
+				const formatted = formatValidationErrors(result.error);
+				expect(formatted).toContain('Auth apps must have provider defined');
+			}
+		});
+
+		it('should allow auth app with backend properties', () => {
+			const config = {
+				apps: {
+					auth: {
+						type: 'auth' as const,
+						path: 'apps/auth',
+						port: 3002,
+						provider: 'better-auth' as const,
+						envParser: './src/config/env',
+						logger: './src/logger',
+						telescope: true,
+					},
+				},
+			};
+
+			const result = validateWorkspaceConfig(config);
+
+			expect(result.apps.auth.type).toBe('auth');
+			expect(result.apps.auth.envParser).toBe('./src/config/env');
+			expect(result.apps.auth.telescope).toBe(true);
+		});
+
+		it('should validate fullstack workspace with auth app', () => {
+			const config = {
+				name: 'fullstack-app',
+				apps: {
+					api: {
+						type: 'backend' as const,
+						path: 'apps/api',
+						port: 3000,
+						routes: './src/endpoints/**/*.ts',
+						dependencies: ['auth'],
+					},
+					auth: {
+						type: 'auth' as const,
+						path: 'apps/auth',
+						port: 3002,
+						provider: 'better-auth' as const,
+					},
+					web: {
+						type: 'frontend' as const,
+						path: 'apps/web',
+						port: 3001,
+						framework: 'nextjs' as const,
+						dependencies: ['api', 'auth'],
+					},
+				},
+			};
+
+			const result = validateWorkspaceConfig(config);
+
+			expect(result.apps.api.dependencies).toEqual(['auth']);
+			expect(result.apps.auth.type).toBe('auth');
+			expect(result.apps.web.dependencies).toEqual(['api', 'auth']);
+		});
+
+		it('should reject invalid auth provider', () => {
+			const config = {
+				apps: {
+					auth: {
+						type: 'auth' as const,
+						path: 'apps/auth',
+						port: 3002,
+						provider: 'invalid-provider',
+					},
+				},
+			};
+
+			const result = safeValidateWorkspaceConfig(config);
+
+			expect(result.success).toBe(false);
+		});
+	});
+
 	describe('deploy target helpers', () => {
 		it('isDeployTargetSupported should return true for dokploy', () => {
 			expect(isDeployTargetSupported('dokploy')).toBe(true);