@geekmidas/cli 0.38.0 → 0.40.0

package/src/deploy/secrets.ts

@@ -0,0 +1,182 @@
+import { encryptSecrets } from '../secrets/encryption.js';
+import { toEmbeddableSecrets } from '../secrets/storage.js';
+import type { EmbeddableSecrets, EncryptedPayload, StageSecrets } from '../secrets/types.js';
+import type { SniffedEnvironment } from './sniffer.js';
+
+/**
+ * Result of filtering secrets for an app.
+ */
+export interface FilteredAppSecrets {
+	appName: string;
+	/** Secrets filtered to only include what the app needs */
+	secrets: EmbeddableSecrets;
+	/** List of required env vars that were found in secrets */
+	found: string[];
+	/** List of required env vars that were NOT found in secrets */
+	missing: string[];
+}
+
+/**
+ * Filter secrets to only include the env vars that an app requires.
+ *
+ * @param stageSecrets - All secrets for the stage
+ * @param sniffedEnv - The sniffed environment requirements for the app
+ * @returns Filtered secrets with found/missing tracking
+ */
+export function filterSecretsForApp(
+	stageSecrets: StageSecrets,
+	sniffedEnv: SniffedEnvironment,
+): FilteredAppSecrets {
+	// Convert stage secrets to flat embeddable format
+	const allSecrets = toEmbeddableSecrets(stageSecrets);
+	const filtered: EmbeddableSecrets = {};
+	const found: string[] = [];
+	const missing: string[] = [];
+
+	// Filter to only required env vars
+	for (const key of sniffedEnv.requiredEnvVars) {
+		if (key in allSecrets) {
+			filtered[key] = allSecrets[key]!;
+			found.push(key);
+		} else {
+			missing.push(key);
+		}
+	}
+
+	return {
+		appName: sniffedEnv.appName,
+		secrets: filtered,
+		found: found.sort(),
+		missing: missing.sort(),
+	};
+}
+
+/**
+ * Result of encrypting secrets for an app.
+ */
+export interface EncryptedAppSecrets {
+	appName: string;
+	/** Encrypted payload with credentials and IV */
+	payload: EncryptedPayload;
+	/** Master key for runtime decryption (hex encoded) */
+	masterKey: string;
+	/** Number of secrets encrypted */
+	secretCount: number;
+	/** List of required env vars that were NOT found in secrets */
+	missingSecrets: string[];
+}
+
+/**
+ * Encrypt filtered secrets for an app.
+ * Generates an ephemeral master key that should be injected into Dokploy.
+ *
+ * @param filteredSecrets - The filtered secrets for the app
+ * @returns Encrypted payload with master key
+ */
+export function encryptSecretsForApp(
+	filteredSecrets: FilteredAppSecrets,
+): EncryptedAppSecrets {
+	const payload = encryptSecrets(filteredSecrets.secrets);
+
+	return {
+		appName: filteredSecrets.appName,
+		payload,
+		masterKey: payload.masterKey,
+		secretCount: Object.keys(filteredSecrets.secrets).length,
+		missingSecrets: filteredSecrets.missing,
+	};
+}
+
+/**
+ * Filter and encrypt secrets for an app in one step.
+ *
+ * @param stageSecrets - All secrets for the stage
+ * @param sniffedEnv - The sniffed environment requirements for the app
+ * @returns Encrypted secrets with master key
+ */
+export function prepareSecretsForApp(
+	stageSecrets: StageSecrets,
+	sniffedEnv: SniffedEnvironment,
+): EncryptedAppSecrets {
+	const filtered = filterSecretsForApp(stageSecrets, sniffedEnv);
+	return encryptSecretsForApp(filtered);
+}
+
+/**
+ * Prepare secrets for multiple apps.
+ *
+ * @param stageSecrets - All secrets for the stage
+ * @param sniffedApps - Map of app name to sniffed environment
+ * @returns Map of app name to encrypted secrets
+ */
+export function prepareSecretsForAllApps(
+	stageSecrets: StageSecrets,
+	sniffedApps: Map<string, SniffedEnvironment>,
+): Map<string, EncryptedAppSecrets> {
+	const results = new Map<string, EncryptedAppSecrets>();
+
+	for (const [appName, sniffedEnv] of sniffedApps) {
+		// Only prepare secrets for apps that have required env vars
+		if (sniffedEnv.requiredEnvVars.length > 0) {
+			const encrypted = prepareSecretsForApp(stageSecrets, sniffedEnv);
+			results.set(appName, encrypted);
+		}
+	}
+
+	return results;
+}
+
+/**
+ * Report on secrets preparation status for all apps.
+ */
+export interface SecretsReport {
+	/** Total number of apps processed */
+	totalApps: number;
+	/** Apps with encrypted secrets */
+	appsWithSecrets: string[];
+	/** Apps without secrets (frontends or no env requirements) */
+	appsWithoutSecrets: string[];
+	/** Apps with missing secrets (warnings) */
+	appsWithMissingSecrets: Array<{
+		appName: string;
+		missing: string[];
+	}>;
+}
+
+/**
+ * Generate a report on secrets preparation.
+ */
+export function generateSecretsReport(
+	encryptedApps: Map<string, EncryptedAppSecrets>,
+	sniffedApps: Map<string, SniffedEnvironment>,
+): SecretsReport {
+	const appsWithSecrets: string[] = [];
+	const appsWithoutSecrets: string[] = [];
+	const appsWithMissingSecrets: Array<{ appName: string; missing: string[] }> = [];
+
+	for (const [appName, sniffedEnv] of sniffedApps) {
+		if (sniffedEnv.requiredEnvVars.length === 0) {
+			appsWithoutSecrets.push(appName);
+			continue;
+		}
+
+		const encrypted = encryptedApps.get(appName);
+		if (encrypted) {
+			appsWithSecrets.push(appName);
+
+			if (encrypted.missingSecrets.length > 0) {
+				appsWithMissingSecrets.push({
+					appName,
+					missing: encrypted.missingSecrets,
+				});
+			}
+		}
+	}
+
+	return {
+		totalApps: sniffedApps.size,
+		appsWithSecrets: appsWithSecrets.sort(),
+		appsWithoutSecrets: appsWithoutSecrets.sort(),
+		appsWithMissingSecrets,
+	};
+}

package/src/deploy/sniffer.ts

@@ -0,0 +1,180 @@
+import { resolve } from 'node:path';
+import { pathToFileURL } from 'node:url';
+import type { SniffResult } from '@geekmidas/envkit/sniffer';
+import type { NormalizedAppConfig } from '../workspace/types.js';
+
+// Re-export SniffResult for consumers
+export type { SniffResult } from '@geekmidas/envkit/sniffer';
+
+/**
+ * Result of sniffing an app's environment requirements.
+ */
+export interface SniffedEnvironment {
+	appName: string;
+	requiredEnvVars: string[];
+}
+
+/**
+ * Options for sniffing an app's environment.
+ */
+export interface SniffAppOptions {
+	/** Whether to log warnings for errors encountered during sniffing. Defaults to true. */
+	logWarnings?: boolean;
+}
+
+/**
+ * Get required environment variables for an app.
+ *
+ * Detection strategy:
+ * - Frontend apps: Returns empty (no server secrets)
+ * - Apps with `requiredEnv`: Uses explicit list from config
+ * - Apps with `envParser`: Runs SnifferEnvironmentParser to detect usage
+ * - Apps with neither: Returns empty
+ *
+ * This function handles "fire and forget" async operations gracefully,
+ * capturing errors and unhandled rejections without failing the build.
+ *
+ * @param app - The normalized app configuration
+ * @param appName - The name of the app
+ * @param workspacePath - Absolute path to the workspace root
+ * @param options - Optional configuration for sniffing behavior
+ * @returns The sniffed environment with required variables
+ */
+export async function sniffAppEnvironment(
+	app: NormalizedAppConfig,
+	appName: string,
+	workspacePath: string,
+	options: SniffAppOptions = {},
+): Promise<SniffedEnvironment> {
+	const { logWarnings = true } = options;
+
+	// Frontend apps don't have server-side secrets
+	if (app.type === 'frontend') {
+		return { appName, requiredEnvVars: [] };
+	}
+
+	// Entry-based apps with explicit env list
+	if (app.requiredEnv && app.requiredEnv.length > 0) {
+		return { appName, requiredEnvVars: [...app.requiredEnv] };
+	}
+
+	// Apps with envParser - run sniffer to detect env var usage
+	if (app.envParser) {
+		const result = await sniffEnvParser(app.envParser, app.path, workspacePath);
+
+		// Log any issues for debugging
+		if (logWarnings) {
+			if (result.error) {
+				console.warn(
+					`[sniffer] ${appName}: envParser threw error during sniffing (env vars still captured): ${result.error.message}`,
+				);
+			}
+			if (result.unhandledRejections.length > 0) {
+				console.warn(
+					`[sniffer] ${appName}: Fire-and-forget rejections during sniffing (suppressed): ${result.unhandledRejections.map((e) => e.message).join(', ')}`,
+				);
+			}
+		}
+
+		return { appName, requiredEnvVars: result.envVars };
+	}
+
+	// No env detection method available
+	return { appName, requiredEnvVars: [] };
+}
+
+/**
+ * Run the SnifferEnvironmentParser on an envParser module to detect
+ * which environment variables it accesses.
+ *
+ * This function handles "fire and forget" async operations by using
+ * the shared sniffWithFireAndForget utility from @geekmidas/envkit.
+ *
+ * @param envParserPath - The envParser config (e.g., './src/config/env#envParser')
+ * @param appPath - The app's path relative to workspace
+ * @param workspacePath - Absolute path to workspace root
+ * @returns SniffResult with env vars and any errors encountered
+ */
+async function sniffEnvParser(
+	envParserPath: string,
+	appPath: string,
+	workspacePath: string,
+): Promise<SniffResult> {
+	// Parse the envParser path: './src/config/env#envParser' or './src/config/env'
+	const [modulePath, exportName = 'default'] = envParserPath.split('#');
+	if (!modulePath) {
+		return { envVars: [], unhandledRejections: [] };
+	}
+
+	// Resolve the full path to the module
+	const fullPath = resolve(workspacePath, appPath, modulePath);
+
+	// Dynamically import the sniffer utilities
+	let SnifferEnvironmentParser: any;
+	let sniffWithFireAndForget: any;
+	try {
+		const envkitModule = await import('@geekmidas/envkit/sniffer');
+		SnifferEnvironmentParser = envkitModule.SnifferEnvironmentParser;
+		sniffWithFireAndForget = envkitModule.sniffWithFireAndForget;
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		console.warn(`[sniffer] Failed to import SnifferEnvironmentParser: ${message}`);
+		return { envVars: [], unhandledRejections: [] };
+	}
+
+	const sniffer = new SnifferEnvironmentParser();
+
+	return sniffWithFireAndForget(sniffer, async () => {
+		// Import the envParser module
+		const moduleUrl = pathToFileURL(fullPath).href;
+		const module = await import(moduleUrl);
+
+		// Get the envParser function
+		const envParser = module[exportName];
+		if (typeof envParser !== 'function') {
+			console.warn(
+				`[sniffer] Export "${exportName}" from "${modulePath}" is not a function`,
+			);
+			return;
+		}
+
+		// The envParser function typically creates and configures an EnvironmentParser.
+		// We pass our sniffer which implements the same interface.
+		const result = envParser(sniffer);
+
+		// If the result is a ConfigParser, call parse() to trigger env var access
+		if (result && typeof result.parse === 'function') {
+			try {
+				result.parse();
+			} catch {
+				// Parsing may fail due to mock values, that's expected
+			}
+		}
+	});
+}
+
+/**
+ * Sniff environment requirements for multiple apps.
+ *
+ * @param apps - Map of app name to app config
+ * @param workspacePath - Absolute path to workspace root
+ * @param options - Optional configuration for sniffing behavior
+ * @returns Map of app name to sniffed environment
+ */
+export async function sniffAllApps(
+	apps: Record<string, NormalizedAppConfig>,
+	workspacePath: string,
+	options: SniffAppOptions = {},
+): Promise<Map<string, SniffedEnvironment>> {
+	const results = new Map<string, SniffedEnvironment>();
+
+	for (const [appName, app] of Object.entries(apps)) {
+		const sniffed = await sniffAppEnvironment(app, appName, workspacePath, options);
+		results.set(appName, sniffed);
+	}
+
+	return results;
+}
+
+// Export for testing
+export { sniffEnvParser as _sniffEnvParser };

package/src/dev/index.ts

@@ -341,6 +341,17 @@ export async function devCommand(options: DevOptions): Promise<void> {
 			workspaceAppName = appConfig.appName;
 			workspaceAppPort = appConfig.app.port;
 			logger.log(`📦 Running app: ${appConfig.appName} on port ${workspaceAppPort}`);
+
+			// Check if app has an entry point (non-gkm app like better-auth)
+			if (appConfig.app.entry) {
+				logger.log(`📄 Using entry point: ${appConfig.app.entry}`);
+				return entryDevCommand({
+					...options,
+					entry: appConfig.app.entry,
+					port: workspaceAppPort,
+					portExplicit: true,
+				});
+			}
 		} catch {
 			// Not in a workspace or app not found in workspace - fall back to regular loading
 			const loadedConfig = await loadWorkspaceConfig();
@@ -1272,6 +1283,44 @@ export function findSecretsRoot(startDir: string): string {
 	return startDir;
 }
 
+/**
+ * Generate the credentials injection code snippet.
+ * This is the common logic used by both entry wrapper and exec preload.
+ * @internal
+ */
+function generateCredentialsInjection(secretsJsonPath: string): string {
+	return `import { Credentials } from '@geekmidas/envkit/credentials';
+import { existsSync, readFileSync } from 'node:fs';
+
+// Inject dev secrets into Credentials
+const secretsPath = '${secretsJsonPath}';
+if (existsSync(secretsPath)) {
+  const secrets = JSON.parse(readFileSync(secretsPath, 'utf-8'));
+  Object.assign(Credentials, secrets);
+  // Debug: uncomment to verify preload is running
+  // console.log('[gkm preload] Injected', Object.keys(secrets).length, 'credentials');
+}
+`;
+}
+
+/**
+ * Create a preload script that injects secrets into Credentials.
+ * Used by `gkm exec` to inject secrets before running any command.
+ * @internal Exported for testing
+ */
+export async function createCredentialsPreload(
+	preloadPath: string,
+	secretsJsonPath: string,
+): Promise<void> {
+	const content = `/**
+ * Credentials preload generated by 'gkm exec'
+ * This file is loaded via NODE_OPTIONS="--import <path>"
+ */
+${generateCredentialsInjection(secretsJsonPath)}`;
+
+	await writeFile(preloadPath, content);
+}
+
 /**
  * Create a wrapper script that injects secrets before importing the entry file.
  * @internal Exported for testing
@@ -1282,15 +1331,7 @@ export async function createEntryWrapper(
 	secretsJsonPath?: string,
 ): Promise<void> {
 	const credentialsInjection = secretsJsonPath
-		? `import { Credentials } from '@geekmidas/envkit/credentials';
-import { existsSync, readFileSync } from 'node:fs';
-
-// Inject dev secrets into Credentials (before app import)
-const secretsPath = '${secretsJsonPath}';
-if (existsSync(secretsPath)) {
-  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
-}
-
+		? `${generateCredentialsInjection(secretsJsonPath)}
 `
 		: '';
 
@@ -1789,3 +1830,108 @@ start({
 		await fsWriteFile(serverPath, content);
 	}
 }
+
+/**
+ * Options for the exec command.
+ */
+export interface ExecOptions {
+	/** Working directory */
+	cwd?: string;
+}
+
+/**
+ * Run a command with secrets injected into Credentials.
+ * Uses Node's --import flag to preload a script that populates Credentials
+ * before the command loads any modules that depend on them.
+ *
+ * @example
+ * ```bash
+ * gkm exec -- npx @better-auth/cli migrate
+ * gkm exec -- npx prisma migrate dev
+ * ```
+ */
+export async function execCommand(
+	commandArgs: string[],
+	options: ExecOptions = {},
+): Promise<void> {
+	const cwd = options.cwd ?? process.cwd();
+
+	if (commandArgs.length === 0) {
+		throw new Error('No command specified. Usage: gkm exec -- <command>');
+	}
+
+	// Load .env files
+	const defaultEnv = loadEnvFiles('.env');
+	if (defaultEnv.loaded.length > 0) {
+		logger.log(`📦 Loaded env: ${defaultEnv.loaded.join(', ')}`);
+	}
+
+	// Prepare credentials (loads workspace config and secrets)
+	// Don't inject PORT for exec since we're not running a server
+	const { credentials, secretsJsonPath, appName } =
+		await prepareEntryCredentials({ cwd });
+
+	if (appName) {
+		logger.log(`📦 App: ${appName}`);
+	}
+
+	const secretCount = Object.keys(credentials).filter(
+		(k) => k !== 'PORT',
+	).length;
+	if (secretCount > 0) {
+		logger.log(`🔐 Loaded ${secretCount} secret(s)`);
+	}
+
+	// Create preload script that injects Credentials
+	// Create in cwd so package resolution works (finds node_modules in app directory)
+	const preloadDir = join(cwd, '.gkm');
+	await mkdir(preloadDir, { recursive: true });
+	const preloadPath = join(preloadDir, 'credentials-preload.ts');
+	await createCredentialsPreload(preloadPath, secretsJsonPath);
+
+	// Build command
+	const [cmd, ...args] = commandArgs;
+
+	if (!cmd) {
+		throw new Error('No command specified');
+	}
+
+	logger.log(`🚀 Running: ${commandArgs.join(' ')}`);
+
+	// Merge NODE_OPTIONS with existing value (if any)
+	// Add tsx loader first so our .ts preload can be loaded
+	const existingNodeOptions = process.env.NODE_OPTIONS ?? '';
+	const tsxImport = '--import tsx';
+	const preloadImport = `--import ${preloadPath}`;
+
+	// Build NODE_OPTIONS: existing + tsx loader + our preload
+	const nodeOptions = [existingNodeOptions, tsxImport, preloadImport]
+		.filter(Boolean)
+		.join(' ');
+
+	// Spawn the command with secrets in both:
+	// 1. Environment variables (for tools that read process.env directly)
+	// 2. Preload script (for tools that use Credentials object)
+	const child = spawn(cmd, args, {
+		cwd,
+		stdio: 'inherit',
+		env: {
+			...process.env,
+			...credentials, // Inject secrets as env vars
+			NODE_OPTIONS: nodeOptions,
+		},
+	});
+
+	// Wait for the command to complete
+	const exitCode = await new Promise<number>((resolve) => {
+		child.on('close', (code: number | null) => resolve(code ?? 0));
+		child.on('error', (error: Error) => {
+			logger.error(`Failed to run command: ${error.message}`);
+			resolve(1);
+		});
+	});
+
+	if (exitCode !== 0) {
+		process.exit(exitCode);
+	}
+}

package/src/docker/index.ts

@@ -15,6 +15,7 @@ import {
 	generateBackendDockerfile,
 	generateDockerEntrypoint,
 	generateDockerignore,
+	generateEntryDockerfile,
 	generateMultiStageDockerfile,
 	generateNextjsDockerfile,
 	generateSlimDockerfile,
@@ -400,7 +401,9 @@ export async function workspaceDockerCommand(
 		// Determine image name
 		const imageName = appName;
 
-		logger.log(`\n   📄 Generating Dockerfile for ${appName} (${app.type})`);
+		const hasEntry = !!app.entry;
+		const buildType = hasEntry ? 'entry' : app.type;
+		logger.log(`\n   📄 Generating Dockerfile for ${appName} (${buildType})`);
 
 		let dockerfile: string;
 
@@ -414,8 +417,20 @@ export async function workspaceDockerCommand(
 				turboPackage,
 				packageManager,
 			});
+		} else if (app.entry) {
+			// Backend with custom entry point - use tsdown bundling
+			dockerfile = generateEntryDockerfile({
+				imageName,
+				baseImage: 'node:22-alpine',
+				port: app.port,
+				appPath,
+				entry: app.entry,
+				turboPackage,
+				packageManager,
+				healthCheckPath: '/health',
+			});
 		} else {
-			// Generate backend Dockerfile
+			// Backend with gkm routes - use gkm build
 			dockerfile = generateBackendDockerfile({
 				imageName,
 				baseImage: 'node:22-alpine',