@geekmidas/cli 0.38.0 → 0.40.0

package/dist/index.mjs

@@ -1,10 +1,11 @@
 #!/usr/bin/env -S npx tsx
-import { __require, getAppBuildOrder, getDependencyEnvVars, getDeployTargetError, isDeployTargetSupported } from "./workspace-DFJ3sWfY.mjs";
-import { getAppNameFromCwd, loadAppConfig, loadConfig, loadWorkspaceConfig, parseModuleConfig } from "./config-BC5n1a2D.mjs";
-import { ConstructGenerator, EndpointGenerator, OPENAPI_OUTPUT_PATH, OpenApiTsGenerator, generateOpenApi, openapiCommand, resolveOpenApiConfig } from "./openapi-CjYeF-Tg.mjs";
+import { __require, getAppBuildOrder, getDependencyEnvVars, getDeployTargetError, isDeployTargetSupported } from "./workspace-D_6ZCaR_.mjs";
+import { getAppNameFromCwd, loadAppConfig, loadConfig, loadWorkspaceConfig, parseModuleConfig } from "./config-C0b0jdmU.mjs";
+import { ConstructGenerator, EndpointGenerator, OPENAPI_OUTPUT_PATH, OpenApiTsGenerator, generateOpenApi, openapiCommand, resolveOpenApiConfig } from "./openapi-D3pA6FfZ.mjs";
 import { getKeyPath, maskPassword, readStageSecrets, secretsExist, setCustomSecret, toEmbeddableSecrets, writeStageSecrets } from "./storage-Dhst7BhI.mjs";
-import { DokployApi } from "./dokploy-api-B9qR2Yn1.mjs";
-import { generateReactQueryCommand } from "./openapi-react-query-5rSortLH.mjs";
+import { DokployApi } from "./dokploy-api-DWsqNjwP.mjs";
+import { encryptSecrets } from "./encryption-BC4MAODn.mjs";
+import { generateReactQueryCommand } from "./openapi-react-query-ZoP9DPbY.mjs";
 import { createRequire } from "node:module";
 import { copyFileSync, existsSync, mkdirSync, readFileSync, unlinkSync } from "node:fs";
 import { basename, dirname, join, parse, relative, resolve } from "node:path";
@@ -22,11 +23,12 @@ import { Cron } from "@geekmidas/constructs/crons";
 import { Function } from "@geekmidas/constructs/functions";
 import { Subscriber } from "@geekmidas/constructs/subscribers";
 import { createHash, randomBytes } from "node:crypto";
+import { pathToFileURL } from "node:url";
 import prompts from "prompts";
 
 //#region package.json
 var name = "@geekmidas/cli";
-var version = "0.38.0";
+var version = "0.40.0";
 var description = "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs";
 var private$1 = false;
 var type = "module";
@@ -225,7 +227,7 @@ const logger$10 = console;
 * Validate Dokploy token by making a test API call
 */
 async function validateDokployToken(endpoint, token) {
-	const { DokployApi: DokployApi$1 } = await import("./dokploy-api-B0w17y4_.mjs");
+	const { DokployApi: DokployApi$1 } = await import("./dokploy-api-tZSZaHd9.mjs");
 	const api = new DokployApi$1({
 		baseUrl: endpoint,
 		token
@@ -1028,6 +1030,15 @@ async function devCommand(options) {
 		workspaceAppName = appConfig.appName;
 		workspaceAppPort = appConfig.app.port;
 		logger$8.log(`📦 Running app: ${appConfig.appName} on port ${workspaceAppPort}`);
+		if (appConfig.app.entry) {
+			logger$8.log(`📄 Using entry point: ${appConfig.app.entry}`);
+			return entryDevCommand({
+				...options,
+				entry: appConfig.app.entry,
+				port: workspaceAppPort,
+				portExplicit: true
+			});
+		}
 	} catch {
 		const loadedConfig = await loadWorkspaceConfig();
 		if (loadedConfig.type === "workspace") {
@@ -1541,19 +1552,43 @@ function findSecretsRoot(startDir) {
 	return startDir;
 }
 /**
-* Create a wrapper script that injects secrets before importing the entry file.
-* @internal Exported for testing
+* Generate the credentials injection code snippet.
+* This is the common logic used by both entry wrapper and exec preload.
+* @internal
 */
-async function createEntryWrapper(wrapperPath, entryPath, secretsJsonPath) {
-	const credentialsInjection = secretsJsonPath ? `import { Credentials } from '@geekmidas/envkit/credentials';
+function generateCredentialsInjection(secretsJsonPath) {
+	return `import { Credentials } from '@geekmidas/envkit/credentials';
 import { existsSync, readFileSync } from 'node:fs';
 
-// Inject dev secrets into Credentials (before app import)
+// Inject dev secrets into Credentials
 const secretsPath = '${secretsJsonPath}';
 if (existsSync(secretsPath)) {
-  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
+  const secrets = JSON.parse(readFileSync(secretsPath, 'utf-8'));
+  Object.assign(Credentials, secrets);
+  // Debug: uncomment to verify preload is running
+  // console.log('[gkm preload] Injected', Object.keys(secrets).length, 'credentials');
 }
-
+`;
+}
+/**
+* Create a preload script that injects secrets into Credentials.
+* Used by `gkm exec` to inject secrets before running any command.
+* @internal Exported for testing
+*/
+async function createCredentialsPreload(preloadPath, secretsJsonPath) {
+	const content = `/**
+ * Credentials preload generated by 'gkm exec'
+ * This file is loaded via NODE_OPTIONS="--import <path>"
+ */
+${generateCredentialsInjection(secretsJsonPath)}`;
+	await writeFile(preloadPath, content);
+}
+/**
+* Create a wrapper script that injects secrets before importing the entry file.
+* @internal Exported for testing
+*/
+async function createEntryWrapper(wrapperPath, entryPath, secretsJsonPath) {
+	const credentialsInjection = secretsJsonPath ? `${generateCredentialsInjection(secretsJsonPath)}
 ` : "";
 	const content = `#!/usr/bin/env node
 /**
@@ -1859,6 +1894,59 @@ start({
 		await fsWriteFile(serverPath, content);
 	}
 };
+/**
+* Run a command with secrets injected into Credentials.
+* Uses Node's --import flag to preload a script that populates Credentials
+* before the command loads any modules that depend on them.
+*
+* @example
+* ```bash
+* gkm exec -- npx @better-auth/cli migrate
+* gkm exec -- npx prisma migrate dev
+* ```
+*/
+async function execCommand(commandArgs, options = {}) {
+	const cwd = options.cwd ?? process.cwd();
+	if (commandArgs.length === 0) throw new Error("No command specified. Usage: gkm exec -- <command>");
+	const defaultEnv = loadEnvFiles(".env");
+	if (defaultEnv.loaded.length > 0) logger$8.log(`📦 Loaded env: ${defaultEnv.loaded.join(", ")}`);
+	const { credentials, secretsJsonPath, appName } = await prepareEntryCredentials({ cwd });
+	if (appName) logger$8.log(`📦 App: ${appName}`);
+	const secretCount = Object.keys(credentials).filter((k) => k !== "PORT").length;
+	if (secretCount > 0) logger$8.log(`🔐 Loaded ${secretCount} secret(s)`);
+	const preloadDir = join(cwd, ".gkm");
+	await mkdir(preloadDir, { recursive: true });
+	const preloadPath = join(preloadDir, "credentials-preload.ts");
+	await createCredentialsPreload(preloadPath, secretsJsonPath);
+	const [cmd, ...args] = commandArgs;
+	if (!cmd) throw new Error("No command specified");
+	logger$8.log(`🚀 Running: ${commandArgs.join(" ")}`);
+	const existingNodeOptions = process.env.NODE_OPTIONS ?? "";
+	const tsxImport = "--import tsx";
+	const preloadImport = `--import ${preloadPath}`;
+	const nodeOptions = [
+		existingNodeOptions,
+		tsxImport,
+		preloadImport
+	].filter(Boolean).join(" ");
+	const child = spawn(cmd, args, {
+		cwd,
+		stdio: "inherit",
+		env: {
+			...process.env,
+			...credentials,
+			NODE_OPTIONS: nodeOptions
+		}
+	});
+	const exitCode = await new Promise((resolve$1) => {
+		child.on("close", (code) => resolve$1(code ?? 0));
+		child.on("error", (error) => {
+			logger$8.error(`Failed to run command: ${error.message}`);
+			resolve$1(1);
+		});
+	});
+	if (exitCode !== 0) process.exit(exitCode);
+}
 
 //#endregion
 //#region src/build/manifests.ts
@@ -1929,10 +2017,15 @@ const logger$6 = console;
 async function buildCommand(options) {
 	const loadedConfig = await loadWorkspaceConfig();
 	if (loadedConfig.type === "workspace") {
-		logger$6.log("📦 Detected workspace configuration");
-		return workspaceBuildCommand(loadedConfig.workspace, options);
+		const cwd = resolve(process.cwd());
+		const workspaceRoot = resolve(loadedConfig.workspace.root);
+		const isAtWorkspaceRoot = cwd === workspaceRoot;
+		if (isAtWorkspaceRoot) {
+			logger$6.log("📦 Detected workspace configuration");
+			return workspaceBuildCommand(loadedConfig.workspace, options);
+		}
 	}
-	const config$1 = await loadConfig();
+	const config$1 = loadedConfig.type === "workspace" ? (await loadAppConfig()).gkmConfig : await loadConfig();
 	const resolved = resolveProviders(config$1, options);
 	const productionConfigFromGkm = getProductionConfigFromGkm(config$1);
 	const production = normalizeProductionConfig(options.production ?? false, productionConfigFromGkm);
@@ -2028,7 +2121,7 @@ async function buildForProvider(provider, context, rootOutputDir, endpointGenera
 		let masterKey;
 		if (context.production?.bundle && !skipBundle) {
 			logger$6.log(`\n📦 Bundling production server...`);
-			const { bundleServer } = await import("./bundler-DQIuE3Kn.mjs");
+			const { bundleServer } = await import("./bundler-Db83tLti.mjs");
 			const allConstructs = [
 				...endpoints.map((e) => e.construct),
 				...functions.map((f) => f.construct),
@@ -2933,11 +3026,13 @@ function resolveDockerConfig$1(config$1) {
 * @internal Exported for testing
 */
 function generateNextjsDockerfile(options) {
-	const { baseImage, port, appPath, turboPackage, packageManager } = options;
+	const { baseImage, port, appPath, turboPackage, packageManager, publicUrlArgs = ["NEXT_PUBLIC_API_URL", "NEXT_PUBLIC_AUTH_URL"] } = options;
 	const pm = getPmConfig(packageManager);
 	const installPm = pm.install ? `RUN ${pm.install}` : "";
 	const turboInstallCmd = getTurboInstallCmd(packageManager);
 	const turboCmd = packageManager === "pnpm" ? "pnpm dlx turbo" : "npx turbo";
+	const publicUrlArgDeclarations = publicUrlArgs.map((arg) => `ARG ${arg}=""`).join("\n");
+	const publicUrlEnvDeclarations = publicUrlArgs.map((arg) => `ENV ${arg}=$${arg}`).join("\n");
 	return `# syntax=docker/dockerfile:1
 # Next.js standalone Dockerfile with turbo prune optimization
 
@@ -2973,6 +3068,13 @@ FROM deps AS builder
 
 WORKDIR /app
 
+# Build-time args for public API URLs (populated by gkm deploy)
+# These get baked into the Next.js build as public environment variables
+${publicUrlArgDeclarations}
+
+# Convert ARGs to ENVs for Next.js build
+${publicUrlEnvDeclarations}
+
 # Copy pruned source
 COPY --from=pruner /app/out/full/ ./
 
@@ -3063,9 +3165,20 @@ FROM deps AS builder
 
 WORKDIR /app
 
+# Build-time args for encrypted secrets
+ARG GKM_ENCRYPTED_CREDENTIALS=""
+ARG GKM_CREDENTIALS_IV=""
+
 # Copy pruned source
 COPY --from=pruner /app/out/full/ ./
 
+# Write encrypted credentials for gkm build to embed
+RUN if [ -n "$GKM_ENCRYPTED_CREDENTIALS" ]; then \
+      mkdir -p ${appPath}/.gkm && \
+      echo "$GKM_ENCRYPTED_CREDENTIALS" > ${appPath}/.gkm/credentials.enc && \
+      echo "$GKM_CREDENTIALS_IV" > ${appPath}/.gkm/credentials.iv; \
+    fi
+
 # Build production server using gkm
 RUN cd ${appPath} && ./node_modules/.bin/gkm build --provider server --production
 
@@ -3096,6 +3209,107 @@ ENTRYPOINT ["/sbin/tini", "--"]
 CMD ["node", "server.mjs"]
 `;
 }
+/**
+* Generate a Dockerfile for apps with a custom entry point.
+* Uses tsdown to bundle the entry point into dist/index.mjs.
+* This is used for apps that don't use gkm routes (e.g., Better Auth servers).
+* @internal Exported for testing
+*/
+function generateEntryDockerfile(options) {
+	const { baseImage, port, appPath, entry, turboPackage, packageManager, healthCheckPath = "/health" } = options;
+	const pm = getPmConfig(packageManager);
+	const installPm = pm.install ? `RUN ${pm.install}` : "";
+	const turboInstallCmd = getTurboInstallCmd(packageManager);
+	const turboCmd = packageManager === "pnpm" ? "pnpm dlx turbo" : "npx turbo";
+	return `# syntax=docker/dockerfile:1
+# Entry-based Dockerfile with turbo prune + tsdown bundling
+
+# Stage 1: Prune monorepo
+FROM ${baseImage} AS pruner
+
+WORKDIR /app
+
+${installPm}
+
+COPY . .
+
+# Prune to only include necessary packages
+RUN ${turboCmd} prune ${turboPackage} --docker
+
+# Stage 2: Install dependencies
+FROM ${baseImage} AS deps
+
+WORKDIR /app
+
+${installPm}
+
+# Copy pruned lockfile and package.jsons
+COPY --from=pruner /app/out/${pm.lockfile} ./
+COPY --from=pruner /app/out/json/ ./
+
+# Install dependencies
+RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
+    ${turboInstallCmd}
+
+# Stage 3: Build with tsdown
+FROM deps AS builder
+
+WORKDIR /app
+
+# Build-time args for encrypted secrets
+ARG GKM_ENCRYPTED_CREDENTIALS=""
+ARG GKM_CREDENTIALS_IV=""
+
+# Copy pruned source
+COPY --from=pruner /app/out/full/ ./
+
+# Write encrypted credentials for tsdown to embed via define
+RUN if [ -n "$GKM_ENCRYPTED_CREDENTIALS" ]; then \
+      mkdir -p ${appPath}/.gkm && \
+      echo "$GKM_ENCRYPTED_CREDENTIALS" > ${appPath}/.gkm/credentials.enc && \
+      echo "$GKM_CREDENTIALS_IV" > ${appPath}/.gkm/credentials.iv; \
+    fi
+
+# Bundle entry point with tsdown (outputs to dist/index.mjs)
+# Use define to embed credentials if present
+RUN cd ${appPath} && \
+    if [ -f .gkm/credentials.enc ]; then \
+      CREDS=$(cat .gkm/credentials.enc) && \
+      IV=$(cat .gkm/credentials.iv) && \
+      npx tsdown ${entry} --outDir dist --format esm \
+        --define __GKM_ENCRYPTED_CREDENTIALS__="'\\"$CREDS\\"'" \
+        --define __GKM_CREDENTIALS_IV__="'\\"$IV\\"'"; \
+    else \
+      npx tsdown ${entry} --outDir dist --format esm; \
+    fi
+
+# Stage 4: Production
+FROM ${baseImage} AS runner
+
+WORKDIR /app
+
+RUN apk add --no-cache tini
+
+RUN addgroup --system --gid 1001 nodejs && \\
+    adduser --system --uid 1001 app
+
+# Copy bundled output only (no node_modules needed - fully bundled)
+COPY --from=builder --chown=app:nodejs /app/${appPath}/dist/index.mjs ./
+
+ENV NODE_ENV=production
+ENV PORT=${port}
+
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \\
+  CMD wget -q --spider http://localhost:${port}${healthCheckPath} || exit 1
+
+USER app
+
+EXPOSE ${port}
+
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["node", "index.mjs"]
+`;
+}
 
 //#endregion
 //#region src/docker/index.ts
@@ -3282,7 +3496,9 @@ async function workspaceDockerCommand(workspace, options) {
 		const fullAppPath = join(workspace.root, appPath);
 		const turboPackage = getAppPackageName(fullAppPath) ?? appName;
 		const imageName = appName;
-		logger$5.log(`\n   📄 Generating Dockerfile for ${appName} (${app.type})`);
+		const hasEntry = !!app.entry;
+		const buildType = hasEntry ? "entry" : app.type;
+		logger$5.log(`\n   📄 Generating Dockerfile for ${appName} (${buildType})`);
 		let dockerfile;
 		if (app.type === "frontend") dockerfile = generateNextjsDockerfile({
 			imageName,
@@ -3292,6 +3508,16 @@ async function workspaceDockerCommand(workspace, options) {
 			turboPackage,
 			packageManager
 		});
+		else if (app.entry) dockerfile = generateEntryDockerfile({
+			imageName,
+			baseImage: "node:22-alpine",
+			port: app.port,
+			appPath,
+			entry: app.entry,
+			turboPackage,
+			packageManager,
+			healthCheckPath: "/health"
+		});
 		else dockerfile = generateBackendDockerfile({
 			imageName,
 			baseImage: "node:22-alpine",
@@ -3376,28 +3602,34 @@ function getImageRef(registry, imageName, tag) {
 }
 /**
 * Build Docker image
+* @param imageRef - Full image reference (registry/name:tag)
+* @param appName - Name of the app (used for Dockerfile.{appName} in workspaces)
+* @param buildArgs - Build arguments to pass to docker build
 */
-async function buildImage(imageRef) {
+async function buildImage(imageRef, appName, buildArgs) {
 	logger$4.log(`\n🔨 Building Docker image: ${imageRef}`);
 	const cwd = process.cwd();
-	const inMonorepo = isMonorepo(cwd);
-	if (inMonorepo) logger$4.log("   Generating Dockerfile for monorepo (turbo prune)...");
+	const lockfilePath = findLockfilePath(cwd);
+	const lockfileDir = lockfilePath ? dirname(lockfilePath) : cwd;
+	const inMonorepo = lockfileDir !== cwd;
+	if (appName || inMonorepo) logger$4.log("   Generating Dockerfile for monorepo (turbo prune)...");
 	else logger$4.log("   Generating Dockerfile...");
 	await dockerCommand({});
-	let buildCwd = cwd;
-	let dockerfilePath = ".gkm/docker/Dockerfile";
-	if (inMonorepo) {
-		const lockfilePath = findLockfilePath(cwd);
-		if (lockfilePath) {
-			const monorepoRoot = dirname(lockfilePath);
-			const appRelPath = relative(monorepoRoot, cwd);
-			dockerfilePath = join(appRelPath, ".gkm/docker/Dockerfile");
-			buildCwd = monorepoRoot;
-			logger$4.log(`   Building from monorepo root: ${monorepoRoot}`);
-		}
-	}
+	const dockerfileSuffix = appName ? `.${appName}` : "";
+	const dockerfilePath = `.gkm/docker/Dockerfile${dockerfileSuffix}`;
+	const buildCwd = lockfilePath && (inMonorepo || appName) ? lockfileDir : cwd;
+	if (buildCwd !== cwd) logger$4.log(`   Building from workspace root: ${buildCwd}`);
+	const buildArgsString = buildArgs && buildArgs.length > 0 ? buildArgs.map((arg) => `--build-arg "${arg}"`).join(" ") : "";
 	try {
-		execSync(`DOCKER_BUILDKIT=1 docker build --platform linux/amd64 -f ${dockerfilePath} -t ${imageRef} .`, {
+		const cmd = [
+			"DOCKER_BUILDKIT=1 docker build",
+			"--platform linux/amd64",
+			`-f ${dockerfilePath}`,
+			`-t ${imageRef}`,
+			buildArgsString,
+			"."
+		].filter(Boolean).join(" ");
+		execSync(cmd, {
 			cwd: buildCwd,
 			stdio: "inherit",
 			env: {
@@ -3429,10 +3661,10 @@ async function pushImage(imageRef) {
 * Deploy using Docker (build and optionally push image)
 */
 async function deployDocker(options) {
-	const { stage, tag, skipPush, masterKey, config: config$1 } = options;
+	const { stage, tag, skipPush, masterKey, config: config$1, buildArgs } = options;
 	const imageName = config$1.imageName;
 	const imageRef = getImageRef(config$1.registry, imageName, tag);
-	await buildImage(imageRef);
+	await buildImage(imageRef, config$1.appName, buildArgs);
 	if (!skipPush) if (!config$1.registry) logger$4.warn("\n⚠️  No registry configured. Use --skip-push or configure docker.registry in gkm.config.ts");
 	else await pushImage(imageRef);
 	logger$4.log("\n✅ Docker deployment ready!");
@@ -3553,6 +3785,81 @@ async function deployDokploy(options) {
 	};
 }
 
+//#endregion
+//#region src/deploy/domain.ts
+/**
+* Resolve the hostname for an app based on stage configuration.
+*
+* Domain resolution priority:
+* 1. Explicit app.domain override (string or stage-specific)
+* 2. Default pattern based on app type:
+*    - Main frontend app gets base domain (e.g., 'myapp.com')
+*    - Other apps get prefixed domain (e.g., 'api.myapp.com')
+*
+* @param appName - The name of the app
+* @param app - The normalized app configuration
+* @param stage - The deployment stage (e.g., 'production', 'development')
+* @param dokployConfig - Dokploy workspace configuration with domain mappings
+* @param isMainFrontend - Whether this is the main frontend app
+* @returns The resolved hostname for the app
+* @throws Error if no domain configuration is found for the stage
+*/
+function resolveHost(appName, app, stage, dokployConfig, isMainFrontend) {
+	if (app.domain) {
+		if (typeof app.domain === "string") return app.domain;
+		if (app.domain[stage]) return app.domain[stage];
+	}
+	const baseDomain = dokployConfig?.domains?.[stage];
+	if (!baseDomain) throw new Error(`No domain configured for stage "${stage}". Add deploy.dokploy.domains.${stage} to gkm.config.ts`);
+	if (isMainFrontend) return baseDomain;
+	return `${appName}.${baseDomain}`;
+}
+/**
+* Determine if an app is the "main" frontend (gets base domain).
+*
+* An app is considered the main frontend if:
+* 1. It's named 'web' and is a frontend type
+* 2. It's the first frontend app in the apps list
+*
+* @param appName - The name of the app to check
+* @param app - The app configuration
+* @param allApps - All apps in the workspace
+* @returns True if this is the main frontend app
+*/
+function isMainFrontendApp(appName, app, allApps) {
+	if (app.type !== "frontend") return false;
+	if (appName === "web") return true;
+	for (const [name$1, a] of Object.entries(allApps)) if (a.type === "frontend") return name$1 === appName;
+	return false;
+}
+/**
+* Generate public URL build args for a frontend app based on its dependencies.
+*
+* @param app - The frontend app configuration
+* @param deployedUrls - Map of app name to deployed public URL
+* @returns Array of build args like 'NEXT_PUBLIC_API_URL=https://api.example.com'
+*/
+function generatePublicUrlBuildArgs(app, deployedUrls) {
+	const buildArgs = [];
+	for (const dep of app.dependencies) {
+		const publicUrl = deployedUrls[dep];
+		if (publicUrl) {
+			const envVarName = `NEXT_PUBLIC_${dep.toUpperCase()}_URL`;
+			buildArgs.push(`${envVarName}=${publicUrl}`);
+		}
+	}
+	return buildArgs;
+}
+/**
+* Get public URL arg names from app dependencies.
+*
+* @param app - The frontend app configuration
+* @returns Array of arg names like 'NEXT_PUBLIC_API_URL'
+*/
+function getPublicUrlArgNames(app) {
+	return app.dependencies.map((dep) => `NEXT_PUBLIC_${dep.toUpperCase()}_URL`);
+}
+
 //#endregion
 //#region src/deploy/init.ts
 const logger$2 = console;
@@ -3726,6 +4033,214 @@ async function deployListCommand(options) {
 	}
 }
 
+//#endregion
+//#region src/deploy/secrets.ts
+/**
+* Filter secrets to only include the env vars that an app requires.
+*
+* @param stageSecrets - All secrets for the stage
+* @param sniffedEnv - The sniffed environment requirements for the app
+* @returns Filtered secrets with found/missing tracking
+*/
+function filterSecretsForApp(stageSecrets, sniffedEnv) {
+	const allSecrets = toEmbeddableSecrets(stageSecrets);
+	const filtered = {};
+	const found = [];
+	const missing = [];
+	for (const key of sniffedEnv.requiredEnvVars) if (key in allSecrets) {
+		filtered[key] = allSecrets[key];
+		found.push(key);
+	} else missing.push(key);
+	return {
+		appName: sniffedEnv.appName,
+		secrets: filtered,
+		found: found.sort(),
+		missing: missing.sort()
+	};
+}
+/**
+* Encrypt filtered secrets for an app.
+* Generates an ephemeral master key that should be injected into Dokploy.
+*
+* @param filteredSecrets - The filtered secrets for the app
+* @returns Encrypted payload with master key
+*/
+function encryptSecretsForApp(filteredSecrets) {
+	const payload = encryptSecrets(filteredSecrets.secrets);
+	return {
+		appName: filteredSecrets.appName,
+		payload,
+		masterKey: payload.masterKey,
+		secretCount: Object.keys(filteredSecrets.secrets).length,
+		missingSecrets: filteredSecrets.missing
+	};
+}
+/**
+* Filter and encrypt secrets for an app in one step.
+*
+* @param stageSecrets - All secrets for the stage
+* @param sniffedEnv - The sniffed environment requirements for the app
+* @returns Encrypted secrets with master key
+*/
+function prepareSecretsForApp(stageSecrets, sniffedEnv) {
+	const filtered = filterSecretsForApp(stageSecrets, sniffedEnv);
+	return encryptSecretsForApp(filtered);
+}
+/**
+* Prepare secrets for multiple apps.
+*
+* @param stageSecrets - All secrets for the stage
+* @param sniffedApps - Map of app name to sniffed environment
+* @returns Map of app name to encrypted secrets
+*/
+function prepareSecretsForAllApps(stageSecrets, sniffedApps) {
+	const results = /* @__PURE__ */ new Map();
+	for (const [appName, sniffedEnv] of sniffedApps) if (sniffedEnv.requiredEnvVars.length > 0) {
+		const encrypted = prepareSecretsForApp(stageSecrets, sniffedEnv);
+		results.set(appName, encrypted);
+	}
+	return results;
+}
+/**
+* Generate a report on secrets preparation.
+*/
+function generateSecretsReport(encryptedApps, sniffedApps) {
+	const appsWithSecrets = [];
+	const appsWithoutSecrets = [];
+	const appsWithMissingSecrets = [];
+	for (const [appName, sniffedEnv] of sniffedApps) {
+		if (sniffedEnv.requiredEnvVars.length === 0) {
+			appsWithoutSecrets.push(appName);
+			continue;
+		}
+		const encrypted = encryptedApps.get(appName);
+		if (encrypted) {
+			appsWithSecrets.push(appName);
+			if (encrypted.missingSecrets.length > 0) appsWithMissingSecrets.push({
+				appName,
+				missing: encrypted.missingSecrets
+			});
+		}
+	}
+	return {
+		totalApps: sniffedApps.size,
+		appsWithSecrets: appsWithSecrets.sort(),
+		appsWithoutSecrets: appsWithoutSecrets.sort(),
+		appsWithMissingSecrets
+	};
+}
+
+//#endregion
+//#region src/deploy/sniffer.ts
+/**
+* Get required environment variables for an app.
+*
+* Detection strategy:
+* - Frontend apps: Returns empty (no server secrets)
+* - Apps with `requiredEnv`: Uses explicit list from config
+* - Apps with `envParser`: Runs SnifferEnvironmentParser to detect usage
+* - Apps with neither: Returns empty
+*
+* This function handles "fire and forget" async operations gracefully,
+* capturing errors and unhandled rejections without failing the build.
+*
+* @param app - The normalized app configuration
+* @param appName - The name of the app
+* @param workspacePath - Absolute path to the workspace root
+* @param options - Optional configuration for sniffing behavior
+* @returns The sniffed environment with required variables
+*/
+async function sniffAppEnvironment(app, appName, workspacePath, options = {}) {
+	const { logWarnings = true } = options;
+	if (app.type === "frontend") return {
+		appName,
+		requiredEnvVars: []
+	};
+	if (app.requiredEnv && app.requiredEnv.length > 0) return {
+		appName,
+		requiredEnvVars: [...app.requiredEnv]
+	};
+	if (app.envParser) {
+		const result = await sniffEnvParser(app.envParser, app.path, workspacePath);
+		if (logWarnings) {
+			if (result.error) console.warn(`[sniffer] ${appName}: envParser threw error during sniffing (env vars still captured): ${result.error.message}`);
+			if (result.unhandledRejections.length > 0) console.warn(`[sniffer] ${appName}: Fire-and-forget rejections during sniffing (suppressed): ${result.unhandledRejections.map((e) => e.message).join(", ")}`);
+		}
+		return {
+			appName,
+			requiredEnvVars: result.envVars
+		};
+	}
+	return {
+		appName,
+		requiredEnvVars: []
+	};
+}
+/**
+* Run the SnifferEnvironmentParser on an envParser module to detect
+* which environment variables it accesses.
+*
+* This function handles "fire and forget" async operations by using
+* the shared sniffWithFireAndForget utility from @geekmidas/envkit.
+*
+* @param envParserPath - The envParser config (e.g., './src/config/env#envParser')
+* @param appPath - The app's path relative to workspace
+* @param workspacePath - Absolute path to workspace root
+* @returns SniffResult with env vars and any errors encountered
+*/
+async function sniffEnvParser(envParserPath, appPath, workspacePath) {
+	const [modulePath, exportName = "default"] = envParserPath.split("#");
+	if (!modulePath) return {
+		envVars: [],
+		unhandledRejections: []
+	};
+	const fullPath = resolve(workspacePath, appPath, modulePath);
+	let SnifferEnvironmentParser;
+	let sniffWithFireAndForget;
+	try {
+		const envkitModule = await import("@geekmidas/envkit/sniffer");
+		SnifferEnvironmentParser = envkitModule.SnifferEnvironmentParser;
+		sniffWithFireAndForget = envkitModule.sniffWithFireAndForget;
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		console.warn(`[sniffer] Failed to import SnifferEnvironmentParser: ${message}`);
+		return {
+			envVars: [],
+			unhandledRejections: []
+		};
+	}
+	const sniffer = new SnifferEnvironmentParser();
+	return sniffWithFireAndForget(sniffer, async () => {
+		const moduleUrl = pathToFileURL(fullPath).href;
+		const module = await import(moduleUrl);
+		const envParser = module[exportName];
+		if (typeof envParser !== "function") {
+			console.warn(`[sniffer] Export "${exportName}" from "${modulePath}" is not a function`);
+			return;
+		}
+		const result = envParser(sniffer);
+		if (result && typeof result.parse === "function") try {
+			result.parse();
+		} catch {}
+	});
+}
+/**
+* Sniff environment requirements for multiple apps.
+*
+* @param apps - Map of app name to app config
+* @param workspacePath - Absolute path to workspace root
+* @param options - Optional configuration for sniffing behavior
+* @returns Map of app name to sniffed environment
+*/
+async function sniffAllApps(apps, workspacePath, options = {}) {
+	const results = /* @__PURE__ */ new Map();
+	for (const [appName, app] of Object.entries(apps)) {
+		const sniffed = await sniffAppEnvironment(app, appName, workspacePath, options);
+		results.set(appName, sniffed);
+	}
+	return results;
+}
+
 //#endregion
 //#region src/deploy/index.ts
 const logger$1 = console;
@@ -4014,14 +4529,20 @@ function generateTag(stage) {
 }
 /**
 * Deploy all apps in a workspace to Dokploy.
-* - Workspace maps to one Dokploy project
-* - Each app maps to one Dokploy application
-* - Deploys in dependency order (backends before dependent frontends)
-* - Syncs environment variables including {APP_NAME}_URL
+*
+* Two-phase orchestration:
+* - PHASE 1: Deploy backend apps (with encrypted secrets)
+* - PHASE 2: Deploy frontend apps (with public URLs from backends)
+*
+* Security model:
+* - Backend apps get encrypted secrets embedded at build time
+* - Only GKM_MASTER_KEY is injected as Dokploy env var
+* - Frontend apps get public URLs baked in at build time (no secrets)
+*
 * @internal Exported for testing
 */
 async function workspaceDeployCommand(workspace, options) {
-	const { provider, stage, tag, skipBuild, apps: selectedApps } = options;
+	const { provider, stage, tag, apps: selectedApps } = options;
 	if (provider !== "dokploy") throw new Error(`Workspace deployment only supports Dokploy. Got: ${provider}`);
 	logger$1.log(`\n🚀 Deploying workspace "${workspace.name}" to Dokploy...`);
 	logger$1.log(`   Stage: ${stage}`);
@@ -4045,11 +4566,20 @@ async function workspaceDeployCommand(workspace, options) {
 		return true;
 	});
 	if (dokployApps.length === 0) throw new Error("No apps to deploy. All selected apps have unsupported deploy targets.");
-	if (dokployApps.length !== appsToDeployNames.length) {
-		const skipped = appsToDeployNames.filter((name$1) => !dokployApps.includes(name$1));
-		logger$1.log(`   📌 ${skipped.length} app(s) skipped due to unsupported targets`);
-	}
 	appsToDeployNames = dokployApps;
+	logger$1.log("\n🔐 Loading secrets and analyzing environment requirements...");
+	const stageSecrets = await readStageSecrets(stage, workspace.root);
+	if (!stageSecrets) {
+		logger$1.log(`   ⚠️  No secrets found for stage "${stage}"`);
+		logger$1.log(`      Run "gkm secrets:init --stage ${stage}" to create secrets`);
+	}
+	const sniffedApps = await sniffAllApps(workspace.apps, workspace.root);
+	const encryptedSecrets = stageSecrets ? prepareSecretsForAllApps(stageSecrets, sniffedApps) : /* @__PURE__ */ new Map();
+	if (stageSecrets) {
+		const report = generateSecretsReport(encryptedSecrets, sniffedApps);
+		if (report.appsWithSecrets.length > 0) logger$1.log(`   ✓ Encrypted secrets for: ${report.appsWithSecrets.join(", ")}`);
+		if (report.appsWithMissingSecrets.length > 0) for (const { appName, missing } of report.appsWithMissingSecrets) logger$1.log(`   ⚠️  ${appName}: Missing secrets: ${missing.join(", ")}`);
+	}
 	let creds = await getDokployCredentials();
 	if (!creds) {
 		logger$1.log("\n📋 Dokploy credentials not found. Let's set them up.");
@@ -4143,95 +4673,191 @@ async function workspaceDeployCommand(workspace, options) {
 		logger$1.log("\n🔧 Provisioning infrastructure services...");
 		await provisionServices(api, project.projectId, environmentId, workspace.name, dockerServices);
 	}
-	const deployedAppUrls = {};
-	logger$1.log("\n📦 Deploying applications...");
+	const backendApps = appsToDeployNames.filter((name$1) => workspace.apps[name$1].type === "backend");
+	const frontendApps = appsToDeployNames.filter((name$1) => workspace.apps[name$1].type === "frontend");
+	const publicUrls = {};
 	const results = [];
-	for (const appName of appsToDeployNames) {
-		const app = workspace.apps[appName];
-		const appPath = app.path;
-		logger$1.log(`\n   ${app.type === "backend" ? "⚙️" : "🌐"} Deploying ${appName}...`);
-		try {
-			const dokployAppName = `${workspace.name}-${appName}`;
-			let application;
+	const dokployConfig = workspace.deploy.dokploy;
+	if (backendApps.length > 0) {
+		logger$1.log("\n📦 PHASE 1: Deploying backend applications...");
+		for (const appName of backendApps) {
+			const app = workspace.apps[appName];
+			logger$1.log(`\n   ⚙️  Deploying ${appName}...`);
 			try {
-				application = await api.createApplication(dokployAppName, project.projectId, environmentId);
-				logger$1.log(`      Created application: ${application.applicationId}`);
-			} catch (error) {
-				const message = error instanceof Error ? error.message : "Unknown error";
-				if (message.includes("already exists") || message.includes("duplicate")) logger$1.log(`      Application already exists`);
-				else throw error;
-			}
-			if (!skipBuild) {
-				logger$1.log(`      Building ${appName}...`);
-				const originalCwd = process.cwd();
-				const fullAppPath = `${workspace.root}/${appPath}`;
+				const dokployAppName = `${workspace.name}-${appName}`;
+				let application;
 				try {
-					process.chdir(fullAppPath);
-					await buildCommand({
-						provider: "server",
-						production: true,
-						stage
-					});
-				} finally {
-					process.chdir(originalCwd);
+					application = await api.createApplication(dokployAppName, project.projectId, environmentId);
+					logger$1.log(`      Created application: ${application.applicationId}`);
+				} catch (error) {
+					const message = error instanceof Error ? error.message : "Unknown error";
+					if (message.includes("already exists") || message.includes("duplicate")) logger$1.log(`      Application already exists`);
+					else throw error;
 				}
-			}
-			const imageName = `${workspace.name}-${appName}`;
-			const imageRef = registry ? `${registry}/${imageName}:${imageTag}` : `${imageName}:${imageTag}`;
-			logger$1.log(`      Building Docker image: ${imageRef}`);
-			await deployDocker({
-				stage,
-				tag: imageTag,
-				skipPush: false,
-				config: {
-					registry,
-					imageName
+				const appSecrets = encryptedSecrets.get(appName);
+				const buildArgs = [];
+				if (appSecrets && appSecrets.secretCount > 0) {
+					buildArgs.push(`GKM_ENCRYPTED_CREDENTIALS=${appSecrets.payload.encrypted}`);
+					buildArgs.push(`GKM_CREDENTIALS_IV=${appSecrets.payload.iv}`);
+					logger$1.log(`      Encrypted ${appSecrets.secretCount} secrets`);
 				}
-			});
-			const envVars = [`NODE_ENV=production`, `PORT=${app.port}`];
-			for (const dep of app.dependencies) {
-				const depUrl = deployedAppUrls[dep];
-				if (depUrl) envVars.push(`${dep.toUpperCase()}_URL=${depUrl}`);
-			}
-			if (app.type === "backend") {
-				if (dockerServices.postgres) envVars.push(`DATABASE_URL=\${DATABASE_URL:-postgresql://postgres:postgres@${workspace.name}-db:5432/app}`);
-				if (dockerServices.redis) envVars.push(`REDIS_URL=\${REDIS_URL:-redis://${workspace.name}-cache:6379}`);
-			}
-			if (application) {
-				await api.saveDockerProvider(application.applicationId, imageRef, { registryId });
-				await api.saveApplicationEnv(application.applicationId, envVars.join("\n"));
-				logger$1.log(`      Deploying to Dokploy...`);
-				await api.deployApplication(application.applicationId);
-				const appUrl = `http://${dokployAppName}:${app.port}`;
-				deployedAppUrls[appName] = appUrl;
+				const imageName = `${workspace.name}-${appName}`;
+				const imageRef = registry ? `${registry}/${imageName}:${imageTag}` : `${imageName}:${imageTag}`;
+				logger$1.log(`      Building Docker image: ${imageRef}`);
+				await deployDocker({
+					stage,
+					tag: imageTag,
+					skipPush: false,
+					config: {
+						registry,
+						imageName,
+						appName
+					},
+					buildArgs
+				});
+				const envVars = [`NODE_ENV=production`, `PORT=${app.port}`];
+				if (appSecrets && appSecrets.masterKey) envVars.push(`GKM_MASTER_KEY=${appSecrets.masterKey}`);
+				if (application) {
+					await api.saveDockerProvider(application.applicationId, imageRef, { registryId });
+					await api.saveApplicationEnv(application.applicationId, envVars.join("\n"));
+					logger$1.log(`      Deploying to Dokploy...`);
+					await api.deployApplication(application.applicationId);
+					try {
+						const host = resolveHost(appName, app, stage, dokployConfig, false);
+						await api.createDomain({
+							host,
+							port: app.port,
+							https: true,
+							certificateType: "letsencrypt",
+							applicationId: application.applicationId
+						});
+						const publicUrl = `https://${host}`;
+						publicUrls[appName] = publicUrl;
+						logger$1.log(`      ✓ Domain: ${publicUrl}`);
+					} catch (domainError) {
+						const host = resolveHost(appName, app, stage, dokployConfig, false);
+						publicUrls[appName] = `https://${host}`;
+						logger$1.log(`      ℹ Domain already configured: https://${host}`);
+					}
+					results.push({
+						appName,
+						type: app.type,
+						success: true,
+						applicationId: application.applicationId,
+						imageRef
+					});
+					logger$1.log(`      ✓ ${appName} deployed successfully`);
+				} else {
+					const host = resolveHost(appName, app, stage, dokployConfig, false);
+					publicUrls[appName] = `https://${host}`;
+					results.push({
+						appName,
+						type: app.type,
+						success: true,
+						imageRef
+					});
+					logger$1.log(`      ✓ ${appName} image pushed (app already exists)`);
+				}
+			} catch (error) {
+				const message = error instanceof Error ? error.message : "Unknown error";
+				logger$1.log(`      ✗ Failed to deploy ${appName}: ${message}`);
 				results.push({
 					appName,
 					type: app.type,
-					success: true,
-					applicationId: application.applicationId,
-					imageRef
+					success: false,
+					error: message
 				});
-				logger$1.log(`      ✓ ${appName} deployed successfully`);
-			} else {
-				const appUrl = `http://${dokployAppName}:${app.port}`;
-				deployedAppUrls[appName] = appUrl;
+				throw new Error(`Backend deployment failed for ${appName}. Aborting to prevent partial deployment.`);
+			}
+		}
+	}
+	if (frontendApps.length > 0) {
+		logger$1.log("\n🌐 PHASE 2: Deploying frontend applications...");
+		for (const appName of frontendApps) {
+			const app = workspace.apps[appName];
+			logger$1.log(`\n   🌐 Deploying ${appName}...`);
+			try {
+				const dokployAppName = `${workspace.name}-${appName}`;
+				let application;
+				try {
+					application = await api.createApplication(dokployAppName, project.projectId, environmentId);
+					logger$1.log(`      Created application: ${application.applicationId}`);
+				} catch (error) {
+					const message = error instanceof Error ? error.message : "Unknown error";
+					if (message.includes("already exists") || message.includes("duplicate")) logger$1.log(`      Application already exists`);
+					else throw error;
+				}
+				const buildArgs = generatePublicUrlBuildArgs(app, publicUrls);
+				if (buildArgs.length > 0) logger$1.log(`      Public URLs: ${buildArgs.join(", ")}`);
+				const imageName = `${workspace.name}-${appName}`;
+				const imageRef = registry ? `${registry}/${imageName}:${imageTag}` : `${imageName}:${imageTag}`;
+				logger$1.log(`      Building Docker image: ${imageRef}`);
+				await deployDocker({
+					stage,
+					tag: imageTag,
+					skipPush: false,
+					config: {
+						registry,
+						imageName,
+						appName
+					},
+					buildArgs,
+					publicUrlArgs: getPublicUrlArgNames(app)
+				});
+				const envVars = [`NODE_ENV=production`, `PORT=${app.port}`];
+				if (application) {
+					await api.saveDockerProvider(application.applicationId, imageRef, { registryId });
+					await api.saveApplicationEnv(application.applicationId, envVars.join("\n"));
+					logger$1.log(`      Deploying to Dokploy...`);
+					await api.deployApplication(application.applicationId);
+					const isMainFrontend = isMainFrontendApp(appName, app, workspace.apps);
+					try {
+						const host = resolveHost(appName, app, stage, dokployConfig, isMainFrontend);
+						await api.createDomain({
+							host,
+							port: app.port,
+							https: true,
+							certificateType: "letsencrypt",
+							applicationId: application.applicationId
+						});
+						const publicUrl = `https://${host}`;
+						publicUrls[appName] = publicUrl;
+						logger$1.log(`      ✓ Domain: ${publicUrl}`);
+					} catch (domainError) {
+						const host = resolveHost(appName, app, stage, dokployConfig, isMainFrontend);
+						publicUrls[appName] = `https://${host}`;
+						logger$1.log(`      ℹ Domain already configured: https://${host}`);
+					}
+					results.push({
+						appName,
+						type: app.type,
+						success: true,
+						applicationId: application.applicationId,
+						imageRef
+					});
+					logger$1.log(`      ✓ ${appName} deployed successfully`);
+				} else {
+					const isMainFrontend = isMainFrontendApp(appName, app, workspace.apps);
+					const host = resolveHost(appName, app, stage, dokployConfig, isMainFrontend);
+					publicUrls[appName] = `https://${host}`;
+					results.push({
+						appName,
+						type: app.type,
+						success: true,
+						imageRef
+					});
+					logger$1.log(`      ✓ ${appName} image pushed (app already exists)`);
+				}
+			} catch (error) {
+				const message = error instanceof Error ? error.message : "Unknown error";
+				logger$1.log(`      ✗ Failed to deploy ${appName}: ${message}`);
 				results.push({
 					appName,
 					type: app.type,
-					success: true,
-					imageRef
+					success: false,
+					error: message
 				});
-				logger$1.log(`      ✓ ${appName} image pushed (app already exists)`);
 			}
-		} catch (error) {
-			const message = error instanceof Error ? error.message : "Unknown error";
-			logger$1.log(`      ✗ Failed to deploy ${appName}: ${message}`);
-			results.push({
-				appName,
-				type: app.type,
-				success: false,
-				error: message
-			});
 		}
 	}
 	const successCount = results.filter((r) => r.success).length;
@@ -4241,6 +4867,10 @@ async function workspaceDeployCommand(workspace, options) {
 	logger$1.log(`   Project: ${project.projectId}`);
 	logger$1.log(`   Successful: ${successCount}`);
 	if (failedCount > 0) logger$1.log(`   Failed: ${failedCount}`);
+	if (Object.keys(publicUrls).length > 0) {
+		logger$1.log("\n   📡 Deployed URLs:");
+		for (const [name$1, url] of Object.entries(publicUrls)) logger$1.log(`      ${name$1}: ${url}`);
+	}
 	return {
 		apps: results,
 		projectId: project.projectId,
@@ -4518,10 +5148,10 @@ const GEEKMIDAS_VERSIONS = {
 	"@geekmidas/cli": CLI_VERSION,
 	"@geekmidas/client": "~0.5.0",
 	"@geekmidas/cloud": "~0.2.0",
-	"@geekmidas/constructs": "~0.6.0",
+	"@geekmidas/constructs": "~0.7.0",
 	"@geekmidas/db": "~0.3.0",
 	"@geekmidas/emailkit": "~0.2.0",
-	"@geekmidas/envkit": "~0.5.0",
+	"@geekmidas/envkit": "~0.6.0",
 	"@geekmidas/errors": "~0.1.0",
 	"@geekmidas/events": "~0.2.0",
 	"@geekmidas/logger": "~0.4.0",
@@ -4553,7 +5183,9 @@ function generateAuthAppFiles(options) {
 			dev: "gkm dev --entry ./src/index.ts",
 			build: "tsc",
 			start: "node dist/index.js",
-			typecheck: "tsc --noEmit"
+			typecheck: "tsc --noEmit",
+			"db:migrate": "gkm exec -- npx @better-auth/cli migrate",
+			"db:generate": "gkm exec -- npx @better-auth/cli generate"
 		},
 		dependencies: {
 			[modelsPackage]: "workspace:*",
@@ -7467,6 +8099,16 @@ program.command("dev").description("Start development server with automatic relo
 		process.exit(1);
 	}
 });
+program.command("exec").description("Run a command with secrets injected into Credentials").argument("<command...>", "Command to run (use -- before command)").action(async (commandArgs) => {
+	try {
+		const globalOptions = program.opts();
+		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
+		await execCommand(commandArgs);
+	} catch (error) {
+		console.error(error instanceof Error ? error.message : "Command failed");
+		process.exit(1);
+	}
+});
 program.command("test").description("Run tests with secrets loaded from environment").option("--stage <stage>", "Stage to load secrets from", "development").option("--run", "Run tests once without watch mode").option("--watch", "Enable watch mode").option("--coverage", "Generate coverage report").option("--ui", "Open Vitest UI").argument("[pattern]", "Pattern to filter tests").action(async (pattern, options) => {
 	try {
 		const globalOptions = program.opts();