@geekmidas/cli 0.38.0 → 0.39.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekmidas/cli",
-  "version": "0.38.0",
+  "version": "0.39.0",
   "description": "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs",
   "private": false,
   "type": "module",
@@ -48,9 +48,9 @@
     "lodash.kebabcase": "^4.1.1",
     "openapi-typescript": "^7.4.2",
     "prompts": "~2.4.2",
-    "@geekmidas/schema": "~0.1.0",
     "@geekmidas/constructs": "~0.6.0",
     "@geekmidas/envkit": "~0.5.0",
+    "@geekmidas/schema": "~0.1.0",
     "@geekmidas/errors": "~0.1.0",
     "@geekmidas/logger": "~0.4.0"
   },

package/src/build/index.ts

@@ -1,12 +1,17 @@
 import { spawn } from 'node:child_process';
 import { existsSync } from 'node:fs';
 import { mkdir } from 'node:fs/promises';
-import { join, relative } from 'node:path';
+import { join, relative, resolve } from 'node:path';
 import type { Cron } from '@geekmidas/constructs/crons';
 import type { Endpoint } from '@geekmidas/constructs/endpoints';
 import type { Function } from '@geekmidas/constructs/functions';
 import type { Subscriber } from '@geekmidas/constructs/subscribers';
-import { loadConfig, loadWorkspaceConfig, parseModuleConfig } from '../config';
+import {
+	loadAppConfig,
+	loadConfig,
+	loadWorkspaceConfig,
+	parseModuleConfig,
+} from '../config';
 import {
 	getProductionConfigFromGkm,
 	normalizeHooksConfig,
@@ -49,13 +54,25 @@ export async function buildCommand(
 	const loadedConfig = await loadWorkspaceConfig();
 
 	// Route to workspace build mode for multi-app workspaces
+	// BUT only if we're at the workspace root (prevents recursive builds when
+	// Turbo runs gkm build in each app subdirectory)
 	if (loadedConfig.type === 'workspace') {
-		logger.log('📦 Detected workspace configuration');
-		return workspaceBuildCommand(loadedConfig.workspace, options);
+		const cwd = resolve(process.cwd());
+		const workspaceRoot = resolve(loadedConfig.workspace.root);
+		const isAtWorkspaceRoot = cwd === workspaceRoot;
+
+		if (isAtWorkspaceRoot) {
+			logger.log('📦 Detected workspace configuration');
+			return workspaceBuildCommand(loadedConfig.workspace, options);
+		}
+		// When running from inside an app directory, use app-specific config
 	}
 
-	// Single-app build - use existing logic
-	const config = await loadConfig();
+	// Single-app build - use app config if in workspace, otherwise legacy config
+	const config =
+		loadedConfig.type === 'workspace'
+			? (await loadAppConfig()).gkmConfig
+			: await loadConfig();
 
 	// Resolve providers from new config format
 	const resolved = resolveProviders(config, options);

package/src/deploy/docker.ts

@@ -1,8 +1,8 @@
 import { execSync } from 'node:child_process';
 import { existsSync, readFileSync } from 'node:fs';
-import { dirname, join, relative } from 'node:path';
+import { dirname, join } from 'node:path';
 import type { GkmConfig } from '../config';
-import { dockerCommand, findLockfilePath, isMonorepo } from '../docker';
+import { dockerCommand, findLockfilePath } from '../docker';
 import type { DeployResult, DockerDeployConfig } from './types';
 
 /**
@@ -94,15 +94,19 @@ export function getImageRef(
 
 /**
  * Build Docker image
+ * @param imageRef - Full image reference (registry/name:tag)
+ * @param appName - Name of the app (used for Dockerfile.{appName} in workspaces)
  */
-async function buildImage(imageRef: string): Promise<void> {
+async function buildImage(imageRef: string, appName?: string): Promise<void> {
 	logger.log(`\n🔨 Building Docker image: ${imageRef}`);
 
 	const cwd = process.cwd();
-	const inMonorepo = isMonorepo(cwd);
+	const lockfilePath = findLockfilePath(cwd);
+	const lockfileDir = lockfilePath ? dirname(lockfilePath) : cwd;
+	const inMonorepo = lockfileDir !== cwd;
 
 	// Generate appropriate Dockerfile
-	if (inMonorepo) {
+	if (appName || inMonorepo) {
 		logger.log('   Generating Dockerfile for monorepo (turbo prune)...');
 	} else {
 		logger.log('   Generating Dockerfile...');
@@ -110,19 +114,15 @@ async function buildImage(imageRef: string): Promise<void> {
 	await dockerCommand({});
 
 	// Determine build context and Dockerfile path
-	let buildCwd = cwd;
-	let dockerfilePath = '.gkm/docker/Dockerfile';
-
-	if (inMonorepo) {
-		// For monorepos, build from root so turbo prune can access all packages
-		const lockfilePath = findLockfilePath(cwd);
-		if (lockfilePath) {
-			const monorepoRoot = dirname(lockfilePath);
-			const appRelPath = relative(monorepoRoot, cwd);
-			dockerfilePath = join(appRelPath, '.gkm/docker/Dockerfile');
-			buildCwd = monorepoRoot;
-			logger.log(`   Building from monorepo root: ${monorepoRoot}`);
-		}
+	// For workspaces with multiple apps, use per-app Dockerfile (Dockerfile.api, etc.)
+	const dockerfileSuffix = appName ? `.${appName}` : '';
+	const dockerfilePath = `.gkm/docker/Dockerfile${dockerfileSuffix}`;
+
+	// Build from workspace/monorepo root when we have a lockfile elsewhere or appName is provided
+	const buildCwd =
+		lockfilePath && (inMonorepo || appName) ? lockfileDir : cwd;
+	if (buildCwd !== cwd) {
+		logger.log(`   Building from workspace root: ${buildCwd}`);
 	}
 
 	try {
@@ -174,8 +174,8 @@ export async function deployDocker(
 	const imageName = config.imageName!;
 	const imageRef = getImageRef(config.registry, imageName, tag);
 
-	// Build image
-	await buildImage(imageRef);
+	// Build image (pass appName for workspace Dockerfile selection)
+	await buildImage(imageRef, config.appName);
 
 	// Push to registry if not skipped
 	if (!skipPush) {

package/src/deploy/index.ts

@@ -781,13 +781,29 @@ export async function workspaceDeployCommand(
 	// Track deployed app URLs for environment variable injection
 	const deployedAppUrls: Record<string, string> = {};
 
+	// Build the entire workspace once (not per-app to avoid Turbo/Next.js lock conflicts)
+	if (!skipBuild) {
+		logger.log('\n🏗️  Building workspace...');
+		try {
+			await buildCommand({
+				provider: 'server',
+				production: true,
+				stage,
+			});
+			logger.log('   ✓ Workspace build complete');
+		} catch (error) {
+			const message = error instanceof Error ? error.message : 'Unknown error';
+			logger.log(`   ✗ Workspace build failed: ${message}`);
+			throw error;
+		}
+	}
+
 	// Deploy apps in dependency order
 	logger.log('\n📦 Deploying applications...');
 	const results: AppDeployResult[] = [];
 
 	for (const appName of appsToDeployNames) {
 		const app = workspace.apps[appName]!;
-		const appPath = app.path;
 
 		logger.log(
 			`\n   ${app.type === 'backend' ? '⚙️' : '🌐'} Deploying ${appName}...`,
@@ -822,24 +838,8 @@ export async function workspaceDeployCommand(
 				}
 			}
 
-			// Build the app if not skipped
-			if (!skipBuild) {
-				logger.log(`      Building ${appName}...`);
-				// For workspace, we need to build from the app directory
-				const originalCwd = process.cwd();
-				const fullAppPath = `${workspace.root}/${appPath}`;
-
-				try {
-					process.chdir(fullAppPath);
-					await buildCommand({
-						provider: 'server',
-						production: true,
-						stage,
-					});
-				} finally {
-					process.chdir(originalCwd);
-				}
-			}
+			// Note: Workspace was already built once at the start of deployment
+			// to avoid Turbo/Next.js lock conflicts from concurrent builds
 
 			// Build Docker image
 			const imageName = `${workspace.name}-${appName}`;
@@ -856,6 +856,7 @@ export async function workspaceDeployCommand(
 				config: {
 					registry,
 					imageName,
+					appName, // Pass appName for Dockerfile.{appName} selection
 				},
 			});
 

package/src/dev/index.ts

@@ -1272,6 +1272,44 @@ export function findSecretsRoot(startDir: string): string {
 	return startDir;
 }
 
+/**
+ * Generate the credentials injection code snippet.
+ * This is the common logic used by both entry wrapper and exec preload.
+ * @internal
+ */
+function generateCredentialsInjection(secretsJsonPath: string): string {
+	return `import { Credentials } from '@geekmidas/envkit/credentials';
+import { existsSync, readFileSync } from 'node:fs';
+
+// Inject dev secrets into Credentials
+const secretsPath = '${secretsJsonPath}';
+if (existsSync(secretsPath)) {
+  const secrets = JSON.parse(readFileSync(secretsPath, 'utf-8'));
+  Object.assign(Credentials, secrets);
+  // Debug: uncomment to verify preload is running
+  // console.log('[gkm preload] Injected', Object.keys(secrets).length, 'credentials');
+}
+`;
+}
+
+/**
+ * Create a preload script that injects secrets into Credentials.
+ * Used by `gkm exec` to inject secrets before running any command.
+ * @internal Exported for testing
+ */
+export async function createCredentialsPreload(
+	preloadPath: string,
+	secretsJsonPath: string,
+): Promise<void> {
+	const content = `/**
+ * Credentials preload generated by 'gkm exec'
+ * This file is loaded via NODE_OPTIONS="--import <path>"
+ */
+${generateCredentialsInjection(secretsJsonPath)}`;
+
+	await writeFile(preloadPath, content);
+}
+
 /**
  * Create a wrapper script that injects secrets before importing the entry file.
  * @internal Exported for testing
@@ -1282,15 +1320,7 @@ export async function createEntryWrapper(
 	secretsJsonPath?: string,
 ): Promise<void> {
 	const credentialsInjection = secretsJsonPath
-		? `import { Credentials } from '@geekmidas/envkit/credentials';
-import { existsSync, readFileSync } from 'node:fs';
-
-// Inject dev secrets into Credentials (before app import)
-const secretsPath = '${secretsJsonPath}';
-if (existsSync(secretsPath)) {
-  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
-}
-
+		? `${generateCredentialsInjection(secretsJsonPath)}
 `
 		: '';
 
@@ -1789,3 +1819,108 @@ start({
 		await fsWriteFile(serverPath, content);
 	}
 }
+
+/**
+ * Options for the exec command.
+ */
+export interface ExecOptions {
+	/** Working directory */
+	cwd?: string;
+}
+
+/**
+ * Run a command with secrets injected into Credentials.
+ * Uses Node's --import flag to preload a script that populates Credentials
+ * before the command loads any modules that depend on them.
+ *
+ * @example
+ * ```bash
+ * gkm exec -- npx @better-auth/cli migrate
+ * gkm exec -- npx prisma migrate dev
+ * ```
+ */
+export async function execCommand(
+	commandArgs: string[],
+	options: ExecOptions = {},
+): Promise<void> {
+	const cwd = options.cwd ?? process.cwd();
+
+	if (commandArgs.length === 0) {
+		throw new Error('No command specified. Usage: gkm exec -- <command>');
+	}
+
+	// Load .env files
+	const defaultEnv = loadEnvFiles('.env');
+	if (defaultEnv.loaded.length > 0) {
+		logger.log(`📦 Loaded env: ${defaultEnv.loaded.join(', ')}`);
+	}
+
+	// Prepare credentials (loads workspace config and secrets)
+	// Don't inject PORT for exec since we're not running a server
+	const { credentials, secretsJsonPath, appName } =
+		await prepareEntryCredentials({ cwd });
+
+	if (appName) {
+		logger.log(`📦 App: ${appName}`);
+	}
+
+	const secretCount = Object.keys(credentials).filter(
+		(k) => k !== 'PORT',
+	).length;
+	if (secretCount > 0) {
+		logger.log(`🔐 Loaded ${secretCount} secret(s)`);
+	}
+
+	// Create preload script that injects Credentials
+	// Create in cwd so package resolution works (finds node_modules in app directory)
+	const preloadDir = join(cwd, '.gkm');
+	await mkdir(preloadDir, { recursive: true });
+	const preloadPath = join(preloadDir, 'credentials-preload.ts');
+	await createCredentialsPreload(preloadPath, secretsJsonPath);
+
+	// Build command
+	const [cmd, ...args] = commandArgs;
+
+	if (!cmd) {
+		throw new Error('No command specified');
+	}
+
+	logger.log(`🚀 Running: ${commandArgs.join(' ')}`);
+
+	// Merge NODE_OPTIONS with existing value (if any)
+	// Add tsx loader first so our .ts preload can be loaded
+	const existingNodeOptions = process.env.NODE_OPTIONS ?? '';
+	const tsxImport = '--import tsx';
+	const preloadImport = `--import ${preloadPath}`;
+
+	// Build NODE_OPTIONS: existing + tsx loader + our preload
+	const nodeOptions = [existingNodeOptions, tsxImport, preloadImport]
+		.filter(Boolean)
+		.join(' ');
+
+	// Spawn the command with secrets in both:
+	// 1. Environment variables (for tools that read process.env directly)
+	// 2. Preload script (for tools that use Credentials object)
+	const child = spawn(cmd, args, {
+		cwd,
+		stdio: 'inherit',
+		env: {
+			...process.env,
+			...credentials, // Inject secrets as env vars
+			NODE_OPTIONS: nodeOptions,
+		},
+	});
+
+	// Wait for the command to complete
+	const exitCode = await new Promise<number>((resolve) => {
+		child.on('close', (code: number | null) => resolve(code ?? 0));
+		child.on('error', (error: Error) => {
+			logger.error(`Failed to run command: ${error.message}`);
+			resolve(1);
+		});
+	});
+
+	if (exitCode !== 0) {
+		process.exit(exitCode);
+	}
+}

package/src/index.ts

@@ -6,7 +6,7 @@ import { loginCommand, logoutCommand, whoamiCommand } from './auth';
 import { buildCommand } from './build/index';
 import { type DeployProvider, deployCommand } from './deploy/index';
 import { deployInitCommand, deployListCommand } from './deploy/init';
-import { devCommand } from './dev/index';
+import { devCommand, execCommand } from './dev/index';
 import { type DockerOptions, dockerCommand } from './docker/index';
 import { type InitOptions, initCommand } from './init/index';
 import { openapiCommand } from './openapi';
@@ -173,6 +173,23 @@ program
 		},
 	);
 
+program
+	.command('exec')
+	.description('Run a command with secrets injected into Credentials')
+	.argument('<command...>', 'Command to run (use -- before command)')
+	.action(async (commandArgs: string[]) => {
+		try {
+			const globalOptions = program.opts();
+			if (globalOptions.cwd) {
+				process.chdir(globalOptions.cwd);
+			}
+			await execCommand(commandArgs);
+		} catch (error) {
+			console.error(error instanceof Error ? error.message : 'Command failed');
+			process.exit(1);
+		}
+	});
+
 program
 	.command('test')
 	.description('Run tests with secrets loaded from environment')

package/src/init/generators/auth.ts

@@ -26,6 +26,8 @@ export function generateAuthAppFiles(
 			build: 'tsc',
 			start: 'node dist/index.js',
 			typecheck: 'tsc --noEmit',
+			'db:migrate': 'gkm exec -- npx @better-auth/cli migrate',
+			'db:generate': 'gkm exec -- npx @better-auth/cli generate',
 		},
 		dependencies: {
 			[modelsPackage]: 'workspace:*',