@geekmidas/cli 0.38.0 → 0.40.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekmidas/cli",
-  "version": "0.38.0",
+  "version": "0.40.0",
   "description": "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs",
   "private": false,
   "type": "module",
@@ -48,11 +48,11 @@
     "lodash.kebabcase": "^4.1.1",
     "openapi-typescript": "^7.4.2",
     "prompts": "~2.4.2",
-    "@geekmidas/schema": "~0.1.0",
-    "@geekmidas/constructs": "~0.6.0",
-    "@geekmidas/envkit": "~0.5.0",
     "@geekmidas/errors": "~0.1.0",
-    "@geekmidas/logger": "~0.4.0"
+    "@geekmidas/logger": "~0.4.0",
+    "@geekmidas/envkit": "~0.6.0",
+    "@geekmidas/constructs": "~0.7.0",
+    "@geekmidas/schema": "~0.1.0"
   },
   "devDependencies": {
     "@types/lodash.kebabcase": "^4.1.9",

package/src/build/index.ts

@@ -1,12 +1,17 @@
 import { spawn } from 'node:child_process';
 import { existsSync } from 'node:fs';
 import { mkdir } from 'node:fs/promises';
-import { join, relative } from 'node:path';
+import { join, relative, resolve } from 'node:path';
 import type { Cron } from '@geekmidas/constructs/crons';
 import type { Endpoint } from '@geekmidas/constructs/endpoints';
 import type { Function } from '@geekmidas/constructs/functions';
 import type { Subscriber } from '@geekmidas/constructs/subscribers';
-import { loadConfig, loadWorkspaceConfig, parseModuleConfig } from '../config';
+import {
+	loadAppConfig,
+	loadConfig,
+	loadWorkspaceConfig,
+	parseModuleConfig,
+} from '../config';
 import {
 	getProductionConfigFromGkm,
 	normalizeHooksConfig,
@@ -49,13 +54,25 @@ export async function buildCommand(
 	const loadedConfig = await loadWorkspaceConfig();
 
 	// Route to workspace build mode for multi-app workspaces
+	// BUT only if we're at the workspace root (prevents recursive builds when
+	// Turbo runs gkm build in each app subdirectory)
 	if (loadedConfig.type === 'workspace') {
-		logger.log('📦 Detected workspace configuration');
-		return workspaceBuildCommand(loadedConfig.workspace, options);
+		const cwd = resolve(process.cwd());
+		const workspaceRoot = resolve(loadedConfig.workspace.root);
+		const isAtWorkspaceRoot = cwd === workspaceRoot;
+
+		if (isAtWorkspaceRoot) {
+			logger.log('📦 Detected workspace configuration');
+			return workspaceBuildCommand(loadedConfig.workspace, options);
+		}
+		// When running from inside an app directory, use app-specific config
 	}
 
-	// Single-app build - use existing logic
-	const config = await loadConfig();
+	// Single-app build - use app config if in workspace, otherwise legacy config
+	const config =
+		loadedConfig.type === 'workspace'
+			? (await loadAppConfig()).gkmConfig
+			: await loadConfig();
 
 	// Resolve providers from new config format
 	const resolved = resolveProviders(config, options);

package/src/deploy/__tests__/domain.spec.ts

@@ -0,0 +1,231 @@
+import { describe, expect, it } from 'vitest';
+import type { NormalizedAppConfig } from '../../workspace/types';
+import {
+	generatePublicUrlBuildArgs,
+	getPublicUrlArgNames,
+	isMainFrontendApp,
+	resolveHost,
+} from '../domain';
+
+describe('resolveHost', () => {
+	const dokployConfig = {
+		endpoint: 'https://dokploy.example.com',
+		projectId: 'test-project',
+		domains: {
+			development: 'dev.myapp.com',
+			staging: 'staging.myapp.com',
+			production: 'myapp.com',
+		},
+	};
+
+	const createApp = (
+		overrides: Partial<NormalizedAppConfig> = {},
+	): NormalizedAppConfig => ({
+		type: 'backend',
+		path: 'apps/api',
+		port: 3000,
+		dependencies: [],
+		resolvedDeployTarget: 'dokploy',
+		...overrides,
+	});
+
+	it('should return explicit app domain override (string)', () => {
+		const app = createApp({ domain: 'api.custom.com' });
+		const host = resolveHost('api', app, 'production', dokployConfig, false);
+		expect(host).toBe('api.custom.com');
+	});
+
+	it('should return stage-specific domain override', () => {
+		const app = createApp({
+			domain: {
+				production: 'login.myapp.com',
+				staging: 'login.staging.myapp.com',
+			},
+		});
+		const host = resolveHost('auth', app, 'production', dokployConfig, false);
+		expect(host).toBe('login.myapp.com');
+	});
+
+	it('should fallback to base domain pattern when no stage match in override', () => {
+		const app = createApp({
+			domain: { production: 'custom.myapp.com' },
+		});
+		const host = resolveHost('api', app, 'development', dokployConfig, false);
+		expect(host).toBe('api.dev.myapp.com');
+	});
+
+	it('should return base domain for main frontend app', () => {
+		const app = createApp({ type: 'frontend' });
+		const host = resolveHost('web', app, 'production', dokployConfig, true);
+		expect(host).toBe('myapp.com');
+	});
+
+	it('should return prefixed domain for non-main apps', () => {
+		const app = createApp();
+		const host = resolveHost('api', app, 'production', dokployConfig, false);
+		expect(host).toBe('api.myapp.com');
+	});
+
+	it('should use correct base domain for each stage', () => {
+		const app = createApp();
+
+		expect(resolveHost('api', app, 'development', dokployConfig, false)).toBe(
+			'api.dev.myapp.com',
+		);
+		expect(resolveHost('api', app, 'staging', dokployConfig, false)).toBe(
+			'api.staging.myapp.com',
+		);
+		expect(resolveHost('api', app, 'production', dokployConfig, false)).toBe(
+			'api.myapp.com',
+		);
+	});
+
+	it('should throw error when no domain configured for stage', () => {
+		const app = createApp();
+		expect(() =>
+			resolveHost('api', app, 'unknown-stage', dokployConfig, false),
+		).toThrow('No domain configured for stage "unknown-stage"');
+	});
+
+	it('should throw error when dokployConfig has no domains', () => {
+		const app = createApp();
+		const configWithoutDomains = {
+			endpoint: 'https://dokploy.example.com',
+			projectId: 'test-project',
+		};
+		expect(() =>
+			resolveHost('api', app, 'production', configWithoutDomains, false),
+		).toThrow('No domain configured for stage "production"');
+	});
+});
+
+describe('isMainFrontendApp', () => {
+	const createApp = (
+		type: 'backend' | 'frontend',
+	): NormalizedAppConfig => ({
+		type,
+		path: 'apps/test',
+		port: 3000,
+		dependencies: [],
+		resolvedDeployTarget: 'dokploy',
+	});
+
+	it('should return false for backend apps', () => {
+		const apps = {
+			api: createApp('backend'),
+			web: createApp('frontend'),
+		};
+		expect(isMainFrontendApp('api', apps.api, apps)).toBe(false);
+	});
+
+	it('should return true for app named "web" if it is frontend', () => {
+		const apps = {
+			api: createApp('backend'),
+			web: createApp('frontend'),
+			admin: createApp('frontend'),
+		};
+		expect(isMainFrontendApp('web', apps.web, apps)).toBe(true);
+	});
+
+	it('should return true for first frontend app when no "web" app', () => {
+		const apps = {
+			api: createApp('backend'),
+			dashboard: createApp('frontend'),
+			admin: createApp('frontend'),
+		};
+		expect(isMainFrontendApp('dashboard', apps.dashboard, apps)).toBe(true);
+		expect(isMainFrontendApp('admin', apps.admin, apps)).toBe(false);
+	});
+
+	it('should return false for non-first frontend when no "web" app', () => {
+		const apps = {
+			api: createApp('backend'),
+			dashboard: createApp('frontend'),
+			admin: createApp('frontend'),
+		};
+		expect(isMainFrontendApp('admin', apps.admin, apps)).toBe(false);
+	});
+});
+
+describe('generatePublicUrlBuildArgs', () => {
+	const createApp = (dependencies: string[]): NormalizedAppConfig => ({
+		type: 'frontend',
+		path: 'apps/web',
+		port: 3001,
+		dependencies,
+		resolvedDeployTarget: 'dokploy',
+	});
+
+	it('should generate build args for dependencies', () => {
+		const app = createApp(['api', 'auth']);
+		const deployedUrls = {
+			api: 'https://api.myapp.com',
+			auth: 'https://auth.myapp.com',
+		};
+
+		const buildArgs = generatePublicUrlBuildArgs(app, deployedUrls);
+
+		expect(buildArgs).toEqual([
+			'NEXT_PUBLIC_API_URL=https://api.myapp.com',
+			'NEXT_PUBLIC_AUTH_URL=https://auth.myapp.com',
+		]);
+	});
+
+	it('should skip missing dependencies', () => {
+		const app = createApp(['api', 'auth', 'missing']);
+		const deployedUrls = {
+			api: 'https://api.myapp.com',
+			// auth and missing are not deployed yet
+		};
+
+		const buildArgs = generatePublicUrlBuildArgs(app, deployedUrls);
+
+		expect(buildArgs).toEqual(['NEXT_PUBLIC_API_URL=https://api.myapp.com']);
+	});
+
+	it('should return empty array when no dependencies', () => {
+		const app = createApp([]);
+		const deployedUrls = { api: 'https://api.myapp.com' };
+
+		const buildArgs = generatePublicUrlBuildArgs(app, deployedUrls);
+
+		expect(buildArgs).toEqual([]);
+	});
+
+	it('should handle uppercase conversion correctly', () => {
+		const app = createApp(['my-api', 'auth-service']);
+		const deployedUrls = {
+			'my-api': 'https://my-api.myapp.com',
+			'auth-service': 'https://auth-service.myapp.com',
+		};
+
+		const buildArgs = generatePublicUrlBuildArgs(app, deployedUrls);
+
+		expect(buildArgs).toEqual([
+			'NEXT_PUBLIC_MY-API_URL=https://my-api.myapp.com',
+			'NEXT_PUBLIC_AUTH-SERVICE_URL=https://auth-service.myapp.com',
+		]);
+	});
+});
+
+describe('getPublicUrlArgNames', () => {
+	const createApp = (dependencies: string[]): NormalizedAppConfig => ({
+		type: 'frontend',
+		path: 'apps/web',
+		port: 3001,
+		dependencies,
+		resolvedDeployTarget: 'dokploy',
+	});
+
+	it('should return arg names for dependencies', () => {
+		const app = createApp(['api', 'auth']);
+		const argNames = getPublicUrlArgNames(app);
+		expect(argNames).toEqual(['NEXT_PUBLIC_API_URL', 'NEXT_PUBLIC_AUTH_URL']);
+	});
+
+	it('should return empty array when no dependencies', () => {
+		const app = createApp([]);
+		const argNames = getPublicUrlArgNames(app);
+		expect(argNames).toEqual([]);
+	});
+});

package/src/deploy/__tests__/secrets.spec.ts

@@ -0,0 +1,300 @@
+import { describe, expect, it } from 'vitest';
+import type { StageSecrets } from '../../secrets/types';
+import {
+	encryptSecretsForApp,
+	filterSecretsForApp,
+	generateSecretsReport,
+	prepareSecretsForAllApps,
+	prepareSecretsForApp,
+} from '../secrets';
+import type { SniffedEnvironment } from '../sniffer';
+
+describe('filterSecretsForApp', () => {
+	const createStageSecrets = (
+		custom: Record<string, string> = {},
+	): StageSecrets => ({
+		stage: 'production',
+		createdAt: '2024-01-01T00:00:00Z',
+		updatedAt: '2024-01-01T00:00:00Z',
+		services: {},
+		urls: {
+			DATABASE_URL: 'postgresql://localhost:5432/db',
+			REDIS_URL: 'redis://localhost:6379',
+		},
+		custom,
+	});
+
+	it('should filter secrets to only required env vars', () => {
+		const secrets = createStageSecrets({ API_KEY: 'secret123' });
+		const sniffed: SniffedEnvironment = {
+			appName: 'api',
+			requiredEnvVars: ['DATABASE_URL', 'API_KEY'],
+		};
+
+		const result = filterSecretsForApp(secrets, sniffed);
+
+		expect(result.appName).toBe('api');
+		expect(result.secrets).toEqual({
+			DATABASE_URL: 'postgresql://localhost:5432/db',
+			API_KEY: 'secret123',
+		});
+		expect(result.found).toEqual(['API_KEY', 'DATABASE_URL']);
+		expect(result.missing).toEqual([]);
+	});
+
+	it('should track missing secrets', () => {
+		const secrets = createStageSecrets();
+		const sniffed: SniffedEnvironment = {
+			appName: 'api',
+			requiredEnvVars: ['DATABASE_URL', 'STRIPE_KEY', 'JWT_SECRET'],
+		};
+
+		const result = filterSecretsForApp(secrets, sniffed);
+
+		expect(result.found).toEqual(['DATABASE_URL']);
+		expect(result.missing).toEqual(['JWT_SECRET', 'STRIPE_KEY']);
+	});
+
+	it('should return empty secrets when no env vars required', () => {
+		const secrets = createStageSecrets({ API_KEY: 'secret' });
+		const sniffed: SniffedEnvironment = {
+			appName: 'web',
+			requiredEnvVars: [],
+		};
+
+		const result = filterSecretsForApp(secrets, sniffed);
+
+		expect(result.secrets).toEqual({});
+		expect(result.found).toEqual([]);
+		expect(result.missing).toEqual([]);
+	});
+
+	it('should include service credentials when referenced', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: '2024-01-01T00:00:00Z',
+			updatedAt: '2024-01-01T00:00:00Z',
+			services: {
+				postgres: {
+					host: 'localhost',
+					port: 5432,
+					username: 'user',
+					password: 'pass',
+					database: 'mydb',
+				},
+			},
+			urls: { DATABASE_URL: 'postgresql://user:pass@localhost:5432/mydb' },
+			custom: {},
+		};
+		const sniffed: SniffedEnvironment = {
+			appName: 'api',
+			requiredEnvVars: ['DATABASE_URL', 'POSTGRES_PASSWORD'],
+		};
+
+		const result = filterSecretsForApp(secrets, sniffed);
+
+		expect(result.secrets.DATABASE_URL).toBe(
+			'postgresql://user:pass@localhost:5432/mydb',
+		);
+		expect(result.secrets.POSTGRES_PASSWORD).toBe('pass');
+		expect(result.found).toContain('DATABASE_URL');
+		expect(result.found).toContain('POSTGRES_PASSWORD');
+	});
+});
+
+describe('encryptSecretsForApp', () => {
+	it('should encrypt filtered secrets and return master key', () => {
+		const filtered = {
+			appName: 'api',
+			secrets: { DATABASE_URL: 'postgresql://localhost:5432/db' },
+			found: ['DATABASE_URL'],
+			missing: [],
+		};
+
+		const result = encryptSecretsForApp(filtered);
+
+		expect(result.appName).toBe('api');
+		expect(result.masterKey).toHaveLength(64); // 32 bytes hex
+		expect(result.payload.encrypted).toBeTruthy();
+		expect(result.payload.iv).toBeTruthy();
+		expect(result.secretCount).toBe(1);
+		expect(result.missingSecrets).toEqual([]);
+	});
+
+	it('should track missing secrets in result', () => {
+		const filtered = {
+			appName: 'api',
+			secrets: { DATABASE_URL: 'postgresql://localhost:5432/db' },
+			found: ['DATABASE_URL'],
+			missing: ['STRIPE_KEY', 'JWT_SECRET'],
+		};
+
+		const result = encryptSecretsForApp(filtered);
+
+		expect(result.missingSecrets).toEqual(['STRIPE_KEY', 'JWT_SECRET']);
+	});
+
+	it('should handle empty secrets', () => {
+		const filtered = {
+			appName: 'web',
+			secrets: {},
+			found: [],
+			missing: [],
+		};
+
+		const result = encryptSecretsForApp(filtered);
+
+		expect(result.secretCount).toBe(0);
+		expect(result.masterKey).toHaveLength(64);
+	});
+});
+
+describe('prepareSecretsForApp', () => {
+	it('should filter and encrypt in one step', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: '2024-01-01T00:00:00Z',
+			updatedAt: '2024-01-01T00:00:00Z',
+			services: {},
+			urls: { DATABASE_URL: 'postgresql://localhost:5432/db' },
+			custom: { API_KEY: 'key123' },
+		};
+		const sniffed: SniffedEnvironment = {
+			appName: 'api',
+			requiredEnvVars: ['DATABASE_URL', 'API_KEY'],
+		};
+
+		const result = prepareSecretsForApp(secrets, sniffed);
+
+		expect(result.appName).toBe('api');
+		expect(result.secretCount).toBe(2);
+		expect(result.masterKey).toHaveLength(64);
+	});
+});
+
+describe('prepareSecretsForAllApps', () => {
+	const secrets: StageSecrets = {
+		stage: 'production',
+		createdAt: '2024-01-01T00:00:00Z',
+		updatedAt: '2024-01-01T00:00:00Z',
+		services: {},
+		urls: {
+			DATABASE_URL: 'postgresql://localhost:5432/db',
+			REDIS_URL: 'redis://localhost:6379',
+		},
+		custom: { BETTER_AUTH_SECRET: 'auth-secret' },
+	};
+
+	it('should prepare secrets for multiple apps', () => {
+		const sniffedApps = new Map<string, SniffedEnvironment>([
+			['api', { appName: 'api', requiredEnvVars: ['DATABASE_URL', 'REDIS_URL'] }],
+			[
+				'auth',
+				{
+					appName: 'auth',
+					requiredEnvVars: ['DATABASE_URL', 'BETTER_AUTH_SECRET'],
+				},
+			],
+		]);
+
+		const results = prepareSecretsForAllApps(secrets, sniffedApps);
+
+		expect(results.size).toBe(2);
+		expect(results.get('api')?.secretCount).toBe(2);
+		expect(results.get('auth')?.secretCount).toBe(2);
+	});
+
+	it('should skip apps with no required env vars', () => {
+		const sniffedApps = new Map<string, SniffedEnvironment>([
+			['api', { appName: 'api', requiredEnvVars: ['DATABASE_URL'] }],
+			['web', { appName: 'web', requiredEnvVars: [] }], // Frontend - no secrets
+		]);
+
+		const results = prepareSecretsForAllApps(secrets, sniffedApps);
+
+		expect(results.size).toBe(1);
+		expect(results.has('api')).toBe(true);
+		expect(results.has('web')).toBe(false);
+	});
+
+	it('should generate unique master keys per app', () => {
+		const sniffedApps = new Map<string, SniffedEnvironment>([
+			['api', { appName: 'api', requiredEnvVars: ['DATABASE_URL'] }],
+			['auth', { appName: 'auth', requiredEnvVars: ['DATABASE_URL'] }],
+		]);
+
+		const results = prepareSecretsForAllApps(secrets, sniffedApps);
+
+		const apiKey = results.get('api')?.masterKey;
+		const authKey = results.get('auth')?.masterKey;
+
+		expect(apiKey).not.toBe(authKey);
+	});
+});
+
+describe('generateSecretsReport', () => {
+	it('should generate report for apps with and without secrets', () => {
+		const sniffedApps = new Map<string, SniffedEnvironment>([
+			['api', { appName: 'api', requiredEnvVars: ['DATABASE_URL'] }],
+			['auth', { appName: 'auth', requiredEnvVars: ['DATABASE_URL'] }],
+			['web', { appName: 'web', requiredEnvVars: [] }],
+		]);
+
+		const encryptedApps = new Map([
+			[
+				'api',
+				{
+					appName: 'api',
+					payload: { encrypted: '', iv: '', masterKey: '' },
+					masterKey: 'key1',
+					secretCount: 1,
+					missingSecrets: [],
+				},
+			],
+			[
+				'auth',
+				{
+					appName: 'auth',
+					payload: { encrypted: '', iv: '', masterKey: '' },
+					masterKey: 'key2',
+					secretCount: 1,
+					missingSecrets: ['MISSING_VAR'],
+				},
+			],
+		]);
+
+		const report = generateSecretsReport(encryptedApps, sniffedApps);
+
+		expect(report.totalApps).toBe(3);
+		expect(report.appsWithSecrets).toEqual(['api', 'auth']);
+		expect(report.appsWithoutSecrets).toEqual(['web']);
+		expect(report.appsWithMissingSecrets).toEqual([
+			{ appName: 'auth', missing: ['MISSING_VAR'] },
+		]);
+	});
+
+	it('should handle all apps having secrets', () => {
+		const sniffedApps = new Map<string, SniffedEnvironment>([
+			['api', { appName: 'api', requiredEnvVars: ['DATABASE_URL'] }],
+		]);
+
+		const encryptedApps = new Map([
+			[
+				'api',
+				{
+					appName: 'api',
+					payload: { encrypted: '', iv: '', masterKey: '' },
+					masterKey: 'key1',
+					secretCount: 1,
+					missingSecrets: [],
+				},
+			],
+		]);
+
+		const report = generateSecretsReport(encryptedApps, sniffedApps);
+
+		expect(report.appsWithSecrets).toEqual(['api']);
+		expect(report.appsWithoutSecrets).toEqual([]);
+		expect(report.appsWithMissingSecrets).toEqual([]);
+	});
+});