@geekmidas/cli 0.38.0 → 0.40.0

package/src/docker/templates.ts

@@ -25,6 +25,12 @@ export interface FrontendDockerfileOptions {
 	turboPackage: string;
 	/** Detected package manager */
 	packageManager: PackageManager;
+	/**
+	 * Public URL build args to include in the Dockerfile.
+	 * These will be declared as ARG and converted to ENV for Next.js build.
+	 * Example: ['NEXT_PUBLIC_API_URL', 'NEXT_PUBLIC_AUTH_URL']
+	 */
+	publicUrlArgs?: string[];
 }
 
 export interface MultiStageDockerfileOptions extends DockerTemplateOptions {
@@ -568,7 +574,14 @@ export function resolveDockerConfig(
 export function generateNextjsDockerfile(
 	options: FrontendDockerfileOptions,
 ): string {
-	const { baseImage, port, appPath, turboPackage, packageManager } = options;
+	const {
+		baseImage,
+		port,
+		appPath,
+		turboPackage,
+		packageManager,
+		publicUrlArgs = ['NEXT_PUBLIC_API_URL', 'NEXT_PUBLIC_AUTH_URL'],
+	} = options;
 
 	const pm = getPmConfig(packageManager);
 	const installPm = pm.install ? `RUN ${pm.install}` : '';
@@ -580,6 +593,14 @@ export function generateNextjsDockerfile(
 	// Use pnpm dlx for pnpm (avoids global bin dir issues in Docker)
 	const turboCmd = packageManager === 'pnpm' ? 'pnpm dlx turbo' : 'npx turbo';
 
+	// Generate ARG and ENV declarations for public URLs
+	const publicUrlArgDeclarations = publicUrlArgs
+		.map((arg) => `ARG ${arg}=""`)
+		.join('\n');
+	const publicUrlEnvDeclarations = publicUrlArgs
+		.map((arg) => `ENV ${arg}=$${arg}`)
+		.join('\n');
+
 	return `# syntax=docker/dockerfile:1
 # Next.js standalone Dockerfile with turbo prune optimization
 
@@ -615,6 +636,13 @@ FROM deps AS builder
 
 WORKDIR /app
 
+# Build-time args for public API URLs (populated by gkm deploy)
+# These get baked into the Next.js build as public environment variables
+${publicUrlArgDeclarations}
+
+# Convert ARGs to ENVs for Next.js build
+${publicUrlEnvDeclarations}
+
 # Copy pruned source
 COPY --from=pruner /app/out/full/ ./
 
@@ -717,9 +745,20 @@ FROM deps AS builder
 
 WORKDIR /app
 
+# Build-time args for encrypted secrets
+ARG GKM_ENCRYPTED_CREDENTIALS=""
+ARG GKM_CREDENTIALS_IV=""
+
 # Copy pruned source
 COPY --from=pruner /app/out/full/ ./
 
+# Write encrypted credentials for gkm build to embed
+RUN if [ -n "$GKM_ENCRYPTED_CREDENTIALS" ]; then \
+      mkdir -p ${appPath}/.gkm && \
+      echo "$GKM_ENCRYPTED_CREDENTIALS" > ${appPath}/.gkm/credentials.enc && \
+      echo "$GKM_CREDENTIALS_IV" > ${appPath}/.gkm/credentials.iv; \
+    fi
+
 # Build production server using gkm
 RUN cd ${appPath} && ./node_modules/.bin/gkm build --provider server --production
 
@@ -750,3 +789,134 @@ ENTRYPOINT ["/sbin/tini", "--"]
 CMD ["node", "server.mjs"]
 `;
 }
+
+/**
+ * Options for entry-based Dockerfile generation.
+ */
+export interface EntryDockerfileOptions {
+	imageName: string;
+	baseImage: string;
+	port: number;
+	/** App path relative to workspace root */
+	appPath: string;
+	/** Entry file path relative to app path (e.g., './src/index.ts') */
+	entry: string;
+	/** Package name for turbo prune */
+	turboPackage: string;
+	/** Detected package manager */
+	packageManager: PackageManager;
+	/** Health check path (default: '/health') */
+	healthCheckPath?: string;
+}
+
+/**
+ * Generate a Dockerfile for apps with a custom entry point.
+ * Uses tsdown to bundle the entry point into dist/index.mjs.
+ * This is used for apps that don't use gkm routes (e.g., Better Auth servers).
+ * @internal Exported for testing
+ */
+export function generateEntryDockerfile(options: EntryDockerfileOptions): string {
+	const {
+		baseImage,
+		port,
+		appPath,
+		entry,
+		turboPackage,
+		packageManager,
+		healthCheckPath = '/health',
+	} = options;
+
+	const pm = getPmConfig(packageManager);
+	const installPm = pm.install ? `RUN ${pm.install}` : '';
+	const turboInstallCmd = getTurboInstallCmd(packageManager);
+	const turboCmd = packageManager === 'pnpm' ? 'pnpm dlx turbo' : 'npx turbo';
+
+	return `# syntax=docker/dockerfile:1
+# Entry-based Dockerfile with turbo prune + tsdown bundling
+
+# Stage 1: Prune monorepo
+FROM ${baseImage} AS pruner
+
+WORKDIR /app
+
+${installPm}
+
+COPY . .
+
+# Prune to only include necessary packages
+RUN ${turboCmd} prune ${turboPackage} --docker
+
+# Stage 2: Install dependencies
+FROM ${baseImage} AS deps
+
+WORKDIR /app
+
+${installPm}
+
+# Copy pruned lockfile and package.jsons
+COPY --from=pruner /app/out/${pm.lockfile} ./
+COPY --from=pruner /app/out/json/ ./
+
+# Install dependencies
+RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
+    ${turboInstallCmd}
+
+# Stage 3: Build with tsdown
+FROM deps AS builder
+
+WORKDIR /app
+
+# Build-time args for encrypted secrets
+ARG GKM_ENCRYPTED_CREDENTIALS=""
+ARG GKM_CREDENTIALS_IV=""
+
+# Copy pruned source
+COPY --from=pruner /app/out/full/ ./
+
+# Write encrypted credentials for tsdown to embed via define
+RUN if [ -n "$GKM_ENCRYPTED_CREDENTIALS" ]; then \
+      mkdir -p ${appPath}/.gkm && \
+      echo "$GKM_ENCRYPTED_CREDENTIALS" > ${appPath}/.gkm/credentials.enc && \
+      echo "$GKM_CREDENTIALS_IV" > ${appPath}/.gkm/credentials.iv; \
+    fi
+
+# Bundle entry point with tsdown (outputs to dist/index.mjs)
+# Use define to embed credentials if present
+RUN cd ${appPath} && \
+    if [ -f .gkm/credentials.enc ]; then \
+      CREDS=$(cat .gkm/credentials.enc) && \
+      IV=$(cat .gkm/credentials.iv) && \
+      npx tsdown ${entry} --outDir dist --format esm \
+        --define __GKM_ENCRYPTED_CREDENTIALS__="'\\"$CREDS\\"'" \
+        --define __GKM_CREDENTIALS_IV__="'\\"$IV\\"'"; \
+    else \
+      npx tsdown ${entry} --outDir dist --format esm; \
+    fi
+
+# Stage 4: Production
+FROM ${baseImage} AS runner
+
+WORKDIR /app
+
+RUN apk add --no-cache tini
+
+RUN addgroup --system --gid 1001 nodejs && \\
+    adduser --system --uid 1001 app
+
+# Copy bundled output only (no node_modules needed - fully bundled)
+COPY --from=builder --chown=app:nodejs /app/${appPath}/dist/index.mjs ./
+
+ENV NODE_ENV=production
+ENV PORT=${port}
+
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \\
+  CMD wget -q --spider http://localhost:${port}${healthCheckPath} || exit 1
+
+USER app
+
+EXPOSE ${port}
+
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["node", "index.mjs"]
+`;
+}

package/src/index.ts

@@ -6,7 +6,7 @@ import { loginCommand, logoutCommand, whoamiCommand } from './auth';
 import { buildCommand } from './build/index';
 import { type DeployProvider, deployCommand } from './deploy/index';
 import { deployInitCommand, deployListCommand } from './deploy/init';
-import { devCommand } from './dev/index';
+import { devCommand, execCommand } from './dev/index';
 import { type DockerOptions, dockerCommand } from './docker/index';
 import { type InitOptions, initCommand } from './init/index';
 import { openapiCommand } from './openapi';
@@ -173,6 +173,23 @@ program
 		},
 	);
 
+program
+	.command('exec')
+	.description('Run a command with secrets injected into Credentials')
+	.argument('<command...>', 'Command to run (use -- before command)')
+	.action(async (commandArgs: string[]) => {
+		try {
+			const globalOptions = program.opts();
+			if (globalOptions.cwd) {
+				process.chdir(globalOptions.cwd);
+			}
+			await execCommand(commandArgs);
+		} catch (error) {
+			console.error(error instanceof Error ? error.message : 'Command failed');
+			process.exit(1);
+		}
+	});
+
 program
 	.command('test')
 	.description('Run tests with secrets loaded from environment')

package/src/init/generators/auth.ts

@@ -26,6 +26,8 @@ export function generateAuthAppFiles(
 			build: 'tsc',
 			start: 'node dist/index.js',
 			typecheck: 'tsc --noEmit',
+			'db:migrate': 'gkm exec -- npx @better-auth/cli migrate',
+			'db:generate': 'gkm exec -- npx @better-auth/cli generate',
 		},
 		dependencies: {
 			[modelsPackage]: 'workspace:*',

package/src/init/versions.ts

@@ -32,10 +32,10 @@ export const GEEKMIDAS_VERSIONS = {
 	'@geekmidas/cli': CLI_VERSION,
 	'@geekmidas/client': '~0.5.0',
 	'@geekmidas/cloud': '~0.2.0',
-	'@geekmidas/constructs': '~0.6.0',
+	'@geekmidas/constructs': '~0.7.0',
 	'@geekmidas/db': '~0.3.0',
 	'@geekmidas/emailkit': '~0.2.0',
-	'@geekmidas/envkit': '~0.5.0',
+	'@geekmidas/envkit': '~0.6.0',
 	'@geekmidas/errors': '~0.1.0',
 	'@geekmidas/events': '~0.2.0',
 	'@geekmidas/logger': '~0.4.0',

package/src/workspace/index.ts

@@ -34,11 +34,13 @@ export type {
 	AppConfigInput,
 	AppInput,
 	AppsRecord,
+	BackendFramework,
 	ClientConfig,
 	ConstrainedApps,
 	DeployConfig,
 	DeployTarget,
 	DokployWorkspaceConfig,
+	FrontendFramework,
 	InferAppNames,
 	InferredWorkspaceConfig,
 	LoadedConfig,

package/src/workspace/schema.ts

@@ -57,6 +57,26 @@ const ClientConfigSchema = z.object({
  */
 const AuthProviderSchema = z.enum(['better-auth']);
 
+/**
+ * Backend framework schema for non-gkm apps.
+ */
+const BackendFrameworkSchema = z.enum([
+	'hono',
+	'better-auth',
+	'express',
+	'fastify',
+]);
+
+/**
+ * Frontend framework schema.
+ */
+const FrontendFrameworkSchema = z.enum(['nextjs', 'remix', 'vite']);
+
+/**
+ * Combined framework schema (backend or frontend).
+ */
+const FrameworkSchema = z.union([BackendFrameworkSchema, FrontendFrameworkSchema]);
+
 /**
  * Deploy target schema.
  * Currently only 'dokploy' is supported.
@@ -205,8 +225,11 @@ const AppConfigSchema = z
 		runtime: z.enum(['node', 'bun']).optional(),
 		env: z.union([z.string(), z.array(z.string())]).optional(),
 
-		// Frontend-specific
-		framework: z.enum(['nextjs']).optional(),
+		// Entry point for non-gkm apps (used by dev and docker build)
+		entry: z.string().optional(),
+
+		// Framework (backend or frontend)
+		framework: FrameworkSchema.optional(),
 		client: ClientConfigSchema.optional(),
 
 		// Auth-specific
@@ -215,14 +238,17 @@ const AppConfigSchema = z
 	// Note: routes is optional for backend apps - some backends like auth servers don't use routes
 	.refine(
 		(data) => {
-			// Frontend apps must have framework
-			if (data.type === 'frontend' && !data.framework) {
-				return false;
+			// Frontend apps must have a frontend framework
+			if (data.type === 'frontend') {
+				const frontendFrameworks = ['nextjs', 'remix', 'vite'];
+				if (!data.framework || !frontendFrameworks.includes(data.framework)) {
+					return false;
+				}
 			}
 			return true;
 		},
 		{
-			message: 'Frontend apps must have framework defined',
+			message: 'Frontend apps must have a valid frontend framework (nextjs, remix, vite)',
 			path: ['framework'],
 		},
 	)

package/src/workspace/types.ts

@@ -16,6 +16,16 @@ import type {
  */
 export type DeployTarget = 'dokploy' | 'vercel' | 'cloudflare';
 
+/**
+ * Backend framework types for apps that don't use gkm routes.
+ */
+export type BackendFramework = 'hono' | 'better-auth' | 'express' | 'fastify';
+
+/**
+ * Frontend framework types.
+ */
+export type FrontendFramework = 'nextjs' | 'remix' | 'vite';
+
 /**
  * Service image configuration for custom Docker images.
  */
@@ -51,6 +61,20 @@ export interface ServicesConfig {
 	mail?: boolean | MailServiceConfig;
 }
 
+/**
+ * Stage-based domain configuration.
+ * Maps deployment stages to base domains.
+ * @example { development: 'dev.myapp.com', production: 'myapp.com' }
+ */
+export type DokployDomainsConfig = Record<string, string>;
+
+/**
+ * Per-app domain override configuration.
+ * Can be a single domain string or stage-specific domains.
+ * @example 'api.custom.com' or { production: 'api.custom.com', staging: 'api.staging.com' }
+ */
+export type AppDomainConfig = string | Record<string, string>;
+
 /**
  * Dokploy workspace deployment configuration.
  */
@@ -63,6 +87,13 @@ export interface DokployWorkspaceConfig {
 	registry?: string;
 	/** Registry ID in Dokploy */
 	registryId?: string;
+	/**
+	 * Stage-based domain configuration.
+	 * The main frontend app gets the base domain.
+	 * Other apps get {appName}.{baseDomain} by default.
+	 * @example { development: 'dev.myapp.com', production: 'myapp.com' }
+	 */
+	domains?: DokployDomainsConfig;
 }
 
 /**
@@ -163,11 +194,34 @@ interface AppConfigBase {
 	/** Environment file(s) to load */
 	env?: string | string[];
 
+	// Entry point for non-gkm apps
+	/**
+	 * Entry file path for apps that don't use gkm routes.
+	 * Used by both `gkm dev` (runs with tsx) and Docker builds (bundles with tsdown).
+	 * @example './src/index.ts'
+	 */
+	entry?: string;
+
 	// Frontend-specific
-	/** Frontend framework (currently only 'nextjs') */
-	framework?: 'nextjs';
+	/** Framework for the app (frontend or backend without gkm routes) */
+	framework?: BackendFramework | FrontendFramework;
 	/** Client generation configuration */
 	client?: ClientConfig;
+
+	// Deployment
+	/**
+	 * Override domain for this app (per-stage or single value).
+	 * @example 'api.custom.com' or { production: 'api.custom.com', staging: 'api.staging.com' }
+	 */
+	domain?: AppDomainConfig;
+
+	/**
+	 * Required environment variables for entry-based apps.
+	 * Use this instead of envParser for apps that don't use gkm routes.
+	 * The deploy command uses this to filter which secrets to embed.
+	 * @example ['DATABASE_URL', 'BETTER_AUTH_SECRET']
+	 */
+	requiredEnv?: string[];
 }
 
 /**
@@ -294,6 +348,14 @@ export interface NormalizedAppConfig extends Omit<AppConfigBase, 'type'> {
 	dependencies: string[];
 	/** Resolved deploy target (app.deploy > deploy.default > 'dokploy') */
 	resolvedDeployTarget: DeployTarget;
+	/** Entry file path for non-gkm apps */
+	entry?: string;
+	/** Framework for the app */
+	framework?: BackendFramework | FrontendFramework;
+	/** Override domain for this app */
+	domain?: AppDomainConfig;
+	/** Required environment variables for entry-based apps */
+	requiredEnv?: string[];
 }
 
 /**