@geekmidas/cli 0.39.0 → 0.40.0

package/src/deploy/secrets.ts

@@ -0,0 +1,182 @@
+import { encryptSecrets } from '../secrets/encryption.js';
+import { toEmbeddableSecrets } from '../secrets/storage.js';
+import type { EmbeddableSecrets, EncryptedPayload, StageSecrets } from '../secrets/types.js';
+import type { SniffedEnvironment } from './sniffer.js';
+
+/**
+ * Result of filtering secrets for an app.
+ */
+export interface FilteredAppSecrets {
+	appName: string;
+	/** Secrets filtered to only include what the app needs */
+	secrets: EmbeddableSecrets;
+	/** List of required env vars that were found in secrets */
+	found: string[];
+	/** List of required env vars that were NOT found in secrets */
+	missing: string[];
+}
+
+/**
+ * Filter secrets to only include the env vars that an app requires.
+ *
+ * @param stageSecrets - All secrets for the stage
+ * @param sniffedEnv - The sniffed environment requirements for the app
+ * @returns Filtered secrets with found/missing tracking
+ */
+export function filterSecretsForApp(
+	stageSecrets: StageSecrets,
+	sniffedEnv: SniffedEnvironment,
+): FilteredAppSecrets {
+	// Convert stage secrets to flat embeddable format
+	const allSecrets = toEmbeddableSecrets(stageSecrets);
+	const filtered: EmbeddableSecrets = {};
+	const found: string[] = [];
+	const missing: string[] = [];
+
+	// Filter to only required env vars
+	for (const key of sniffedEnv.requiredEnvVars) {
+		if (key in allSecrets) {
+			filtered[key] = allSecrets[key]!;
+			found.push(key);
+		} else {
+			missing.push(key);
+		}
+	}
+
+	return {
+		appName: sniffedEnv.appName,
+		secrets: filtered,
+		found: found.sort(),
+		missing: missing.sort(),
+	};
+}
+
+/**
+ * Result of encrypting secrets for an app.
+ */
+export interface EncryptedAppSecrets {
+	appName: string;
+	/** Encrypted payload with credentials and IV */
+	payload: EncryptedPayload;
+	/** Master key for runtime decryption (hex encoded) */
+	masterKey: string;
+	/** Number of secrets encrypted */
+	secretCount: number;
+	/** List of required env vars that were NOT found in secrets */
+	missingSecrets: string[];
+}
+
+/**
+ * Encrypt filtered secrets for an app.
+ * Generates an ephemeral master key that should be injected into Dokploy.
+ *
+ * @param filteredSecrets - The filtered secrets for the app
+ * @returns Encrypted payload with master key
+ */
+export function encryptSecretsForApp(
+	filteredSecrets: FilteredAppSecrets,
+): EncryptedAppSecrets {
+	const payload = encryptSecrets(filteredSecrets.secrets);
+
+	return {
+		appName: filteredSecrets.appName,
+		payload,
+		masterKey: payload.masterKey,
+		secretCount: Object.keys(filteredSecrets.secrets).length,
+		missingSecrets: filteredSecrets.missing,
+	};
+}
+
+/**
+ * Filter and encrypt secrets for an app in one step.
+ *
+ * @param stageSecrets - All secrets for the stage
+ * @param sniffedEnv - The sniffed environment requirements for the app
+ * @returns Encrypted secrets with master key
+ */
+export function prepareSecretsForApp(
+	stageSecrets: StageSecrets,
+	sniffedEnv: SniffedEnvironment,
+): EncryptedAppSecrets {
+	const filtered = filterSecretsForApp(stageSecrets, sniffedEnv);
+	return encryptSecretsForApp(filtered);
+}
+
+/**
+ * Prepare secrets for multiple apps.
+ *
+ * @param stageSecrets - All secrets for the stage
+ * @param sniffedApps - Map of app name to sniffed environment
+ * @returns Map of app name to encrypted secrets
+ */
+export function prepareSecretsForAllApps(
+	stageSecrets: StageSecrets,
+	sniffedApps: Map<string, SniffedEnvironment>,
+): Map<string, EncryptedAppSecrets> {
+	const results = new Map<string, EncryptedAppSecrets>();
+
+	for (const [appName, sniffedEnv] of sniffedApps) {
+		// Only prepare secrets for apps that have required env vars
+		if (sniffedEnv.requiredEnvVars.length > 0) {
+			const encrypted = prepareSecretsForApp(stageSecrets, sniffedEnv);
+			results.set(appName, encrypted);
+		}
+	}
+
+	return results;
+}
+
+/**
+ * Report on secrets preparation status for all apps.
+ */
+export interface SecretsReport {
+	/** Total number of apps processed */
+	totalApps: number;
+	/** Apps with encrypted secrets */
+	appsWithSecrets: string[];
+	/** Apps without secrets (frontends or no env requirements) */
+	appsWithoutSecrets: string[];
+	/** Apps with missing secrets (warnings) */
+	appsWithMissingSecrets: Array<{
+		appName: string;
+		missing: string[];
+	}>;
+}
+
+/**
+ * Generate a report on secrets preparation.
+ */
+export function generateSecretsReport(
+	encryptedApps: Map<string, EncryptedAppSecrets>,
+	sniffedApps: Map<string, SniffedEnvironment>,
+): SecretsReport {
+	const appsWithSecrets: string[] = [];
+	const appsWithoutSecrets: string[] = [];
+	const appsWithMissingSecrets: Array<{ appName: string; missing: string[] }> = [];
+
+	for (const [appName, sniffedEnv] of sniffedApps) {
+		if (sniffedEnv.requiredEnvVars.length === 0) {
+			appsWithoutSecrets.push(appName);
+			continue;
+		}
+
+		const encrypted = encryptedApps.get(appName);
+		if (encrypted) {
+			appsWithSecrets.push(appName);
+
+			if (encrypted.missingSecrets.length > 0) {
+				appsWithMissingSecrets.push({
+					appName,
+					missing: encrypted.missingSecrets,
+				});
+			}
+		}
+	}
+
+	return {
+		totalApps: sniffedApps.size,
+		appsWithSecrets: appsWithSecrets.sort(),
+		appsWithoutSecrets: appsWithoutSecrets.sort(),
+		appsWithMissingSecrets,
+	};
+}

package/src/deploy/sniffer.ts

@@ -0,0 +1,180 @@
+import { resolve } from 'node:path';
+import { pathToFileURL } from 'node:url';
+import type { SniffResult } from '@geekmidas/envkit/sniffer';
+import type { NormalizedAppConfig } from '../workspace/types.js';
+
+// Re-export SniffResult for consumers
+export type { SniffResult } from '@geekmidas/envkit/sniffer';
+
+/**
+ * Result of sniffing an app's environment requirements.
+ */
+export interface SniffedEnvironment {
+	appName: string;
+	requiredEnvVars: string[];
+}
+
+/**
+ * Options for sniffing an app's environment.
+ */
+export interface SniffAppOptions {
+	/** Whether to log warnings for errors encountered during sniffing. Defaults to true. */
+	logWarnings?: boolean;
+}
+
+/**
+ * Get required environment variables for an app.
+ *
+ * Detection strategy:
+ * - Frontend apps: Returns empty (no server secrets)
+ * - Apps with `requiredEnv`: Uses explicit list from config
+ * - Apps with `envParser`: Runs SnifferEnvironmentParser to detect usage
+ * - Apps with neither: Returns empty
+ *
+ * This function handles "fire and forget" async operations gracefully,
+ * capturing errors and unhandled rejections without failing the build.
+ *
+ * @param app - The normalized app configuration
+ * @param appName - The name of the app
+ * @param workspacePath - Absolute path to the workspace root
+ * @param options - Optional configuration for sniffing behavior
+ * @returns The sniffed environment with required variables
+ */
+export async function sniffAppEnvironment(
+	app: NormalizedAppConfig,
+	appName: string,
+	workspacePath: string,
+	options: SniffAppOptions = {},
+): Promise<SniffedEnvironment> {
+	const { logWarnings = true } = options;
+
+	// Frontend apps don't have server-side secrets
+	if (app.type === 'frontend') {
+		return { appName, requiredEnvVars: [] };
+	}
+
+	// Entry-based apps with explicit env list
+	if (app.requiredEnv && app.requiredEnv.length > 0) {
+		return { appName, requiredEnvVars: [...app.requiredEnv] };
+	}
+
+	// Apps with envParser - run sniffer to detect env var usage
+	if (app.envParser) {
+		const result = await sniffEnvParser(app.envParser, app.path, workspacePath);
+
+		// Log any issues for debugging
+		if (logWarnings) {
+			if (result.error) {
+				console.warn(
+					`[sniffer] ${appName}: envParser threw error during sniffing (env vars still captured): ${result.error.message}`,
+				);
+			}
+			if (result.unhandledRejections.length > 0) {
+				console.warn(
+					`[sniffer] ${appName}: Fire-and-forget rejections during sniffing (suppressed): ${result.unhandledRejections.map((e) => e.message).join(', ')}`,
+				);
+			}
+		}
+
+		return { appName, requiredEnvVars: result.envVars };
+	}
+
+	// No env detection method available
+	return { appName, requiredEnvVars: [] };
+}
+
+/**
+ * Run the SnifferEnvironmentParser on an envParser module to detect
+ * which environment variables it accesses.
+ *
+ * This function handles "fire and forget" async operations by using
+ * the shared sniffWithFireAndForget utility from @geekmidas/envkit.
+ *
+ * @param envParserPath - The envParser config (e.g., './src/config/env#envParser')
+ * @param appPath - The app's path relative to workspace
+ * @param workspacePath - Absolute path to workspace root
+ * @returns SniffResult with env vars and any errors encountered
+ */
+async function sniffEnvParser(
+	envParserPath: string,
+	appPath: string,
+	workspacePath: string,
+): Promise<SniffResult> {
+	// Parse the envParser path: './src/config/env#envParser' or './src/config/env'
+	const [modulePath, exportName = 'default'] = envParserPath.split('#');
+	if (!modulePath) {
+		return { envVars: [], unhandledRejections: [] };
+	}
+
+	// Resolve the full path to the module
+	const fullPath = resolve(workspacePath, appPath, modulePath);
+
+	// Dynamically import the sniffer utilities
+	let SnifferEnvironmentParser: any;
+	let sniffWithFireAndForget: any;
+	try {
+		const envkitModule = await import('@geekmidas/envkit/sniffer');
+		SnifferEnvironmentParser = envkitModule.SnifferEnvironmentParser;
+		sniffWithFireAndForget = envkitModule.sniffWithFireAndForget;
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		console.warn(`[sniffer] Failed to import SnifferEnvironmentParser: ${message}`);
+		return { envVars: [], unhandledRejections: [] };
+	}
+
+	const sniffer = new SnifferEnvironmentParser();
+
+	return sniffWithFireAndForget(sniffer, async () => {
+		// Import the envParser module
+		const moduleUrl = pathToFileURL(fullPath).href;
+		const module = await import(moduleUrl);
+
+		// Get the envParser function
+		const envParser = module[exportName];
+		if (typeof envParser !== 'function') {
+			console.warn(
+				`[sniffer] Export "${exportName}" from "${modulePath}" is not a function`,
+			);
+			return;
+		}
+
+		// The envParser function typically creates and configures an EnvironmentParser.
+		// We pass our sniffer which implements the same interface.
+		const result = envParser(sniffer);
+
+		// If the result is a ConfigParser, call parse() to trigger env var access
+		if (result && typeof result.parse === 'function') {
+			try {
+				result.parse();
+			} catch {
+				// Parsing may fail due to mock values, that's expected
+			}
+		}
+	});
+}
+
+/**
+ * Sniff environment requirements for multiple apps.
+ *
+ * @param apps - Map of app name to app config
+ * @param workspacePath - Absolute path to workspace root
+ * @param options - Optional configuration for sniffing behavior
+ * @returns Map of app name to sniffed environment
+ */
+export async function sniffAllApps(
+	apps: Record<string, NormalizedAppConfig>,
+	workspacePath: string,
+	options: SniffAppOptions = {},
+): Promise<Map<string, SniffedEnvironment>> {
+	const results = new Map<string, SniffedEnvironment>();
+
+	for (const [appName, app] of Object.entries(apps)) {
+		const sniffed = await sniffAppEnvironment(app, appName, workspacePath, options);
+		results.set(appName, sniffed);
+	}
+
+	return results;
+}
+
+// Export for testing
+export { sniffEnvParser as _sniffEnvParser };

package/src/dev/index.ts

@@ -341,6 +341,17 @@ export async function devCommand(options: DevOptions): Promise<void> {
 			workspaceAppName = appConfig.appName;
 			workspaceAppPort = appConfig.app.port;
 			logger.log(`📦 Running app: ${appConfig.appName} on port ${workspaceAppPort}`);
+
+			// Check if app has an entry point (non-gkm app like better-auth)
+			if (appConfig.app.entry) {
+				logger.log(`📄 Using entry point: ${appConfig.app.entry}`);
+				return entryDevCommand({
+					...options,
+					entry: appConfig.app.entry,
+					port: workspaceAppPort,
+					portExplicit: true,
+				});
+			}
 		} catch {
 			// Not in a workspace or app not found in workspace - fall back to regular loading
 			const loadedConfig = await loadWorkspaceConfig();

package/src/docker/index.ts

@@ -15,6 +15,7 @@ import {
 	generateBackendDockerfile,
 	generateDockerEntrypoint,
 	generateDockerignore,
+	generateEntryDockerfile,
 	generateMultiStageDockerfile,
 	generateNextjsDockerfile,
 	generateSlimDockerfile,
@@ -400,7 +401,9 @@ export async function workspaceDockerCommand(
 		// Determine image name
 		const imageName = appName;
 
-		logger.log(`\n   📄 Generating Dockerfile for ${appName} (${app.type})`);
+		const hasEntry = !!app.entry;
+		const buildType = hasEntry ? 'entry' : app.type;
+		logger.log(`\n   📄 Generating Dockerfile for ${appName} (${buildType})`);
 
 		let dockerfile: string;
 
@@ -414,8 +417,20 @@ export async function workspaceDockerCommand(
 				turboPackage,
 				packageManager,
 			});
+		} else if (app.entry) {
+			// Backend with custom entry point - use tsdown bundling
+			dockerfile = generateEntryDockerfile({
+				imageName,
+				baseImage: 'node:22-alpine',
+				port: app.port,
+				appPath,
+				entry: app.entry,
+				turboPackage,
+				packageManager,
+				healthCheckPath: '/health',
+			});
 		} else {
-			// Generate backend Dockerfile
+			// Backend with gkm routes - use gkm build
 			dockerfile = generateBackendDockerfile({
 				imageName,
 				baseImage: 'node:22-alpine',

package/src/docker/templates.ts

@@ -25,6 +25,12 @@ export interface FrontendDockerfileOptions {
 	turboPackage: string;
 	/** Detected package manager */
 	packageManager: PackageManager;
+	/**
+	 * Public URL build args to include in the Dockerfile.
+	 * These will be declared as ARG and converted to ENV for Next.js build.
+	 * Example: ['NEXT_PUBLIC_API_URL', 'NEXT_PUBLIC_AUTH_URL']
+	 */
+	publicUrlArgs?: string[];
 }
 
 export interface MultiStageDockerfileOptions extends DockerTemplateOptions {
@@ -568,7 +574,14 @@ export function resolveDockerConfig(
 export function generateNextjsDockerfile(
 	options: FrontendDockerfileOptions,
 ): string {
-	const { baseImage, port, appPath, turboPackage, packageManager } = options;
+	const {
+		baseImage,
+		port,
+		appPath,
+		turboPackage,
+		packageManager,
+		publicUrlArgs = ['NEXT_PUBLIC_API_URL', 'NEXT_PUBLIC_AUTH_URL'],
+	} = options;
 
 	const pm = getPmConfig(packageManager);
 	const installPm = pm.install ? `RUN ${pm.install}` : '';
@@ -580,6 +593,14 @@ export function generateNextjsDockerfile(
 	// Use pnpm dlx for pnpm (avoids global bin dir issues in Docker)
 	const turboCmd = packageManager === 'pnpm' ? 'pnpm dlx turbo' : 'npx turbo';
 
+	// Generate ARG and ENV declarations for public URLs
+	const publicUrlArgDeclarations = publicUrlArgs
+		.map((arg) => `ARG ${arg}=""`)
+		.join('\n');
+	const publicUrlEnvDeclarations = publicUrlArgs
+		.map((arg) => `ENV ${arg}=$${arg}`)
+		.join('\n');
+
 	return `# syntax=docker/dockerfile:1
 # Next.js standalone Dockerfile with turbo prune optimization
 
@@ -615,6 +636,13 @@ FROM deps AS builder
 
 WORKDIR /app
 
+# Build-time args for public API URLs (populated by gkm deploy)
+# These get baked into the Next.js build as public environment variables
+${publicUrlArgDeclarations}
+
+# Convert ARGs to ENVs for Next.js build
+${publicUrlEnvDeclarations}
+
 # Copy pruned source
 COPY --from=pruner /app/out/full/ ./
 
@@ -717,9 +745,20 @@ FROM deps AS builder
 
 WORKDIR /app
 
+# Build-time args for encrypted secrets
+ARG GKM_ENCRYPTED_CREDENTIALS=""
+ARG GKM_CREDENTIALS_IV=""
+
 # Copy pruned source
 COPY --from=pruner /app/out/full/ ./
 
+# Write encrypted credentials for gkm build to embed
+RUN if [ -n "$GKM_ENCRYPTED_CREDENTIALS" ]; then \
+      mkdir -p ${appPath}/.gkm && \
+      echo "$GKM_ENCRYPTED_CREDENTIALS" > ${appPath}/.gkm/credentials.enc && \
+      echo "$GKM_CREDENTIALS_IV" > ${appPath}/.gkm/credentials.iv; \
+    fi
+
 # Build production server using gkm
 RUN cd ${appPath} && ./node_modules/.bin/gkm build --provider server --production
 
@@ -750,3 +789,134 @@ ENTRYPOINT ["/sbin/tini", "--"]
 CMD ["node", "server.mjs"]
 `;
 }
+
+/**
+ * Options for entry-based Dockerfile generation.
+ */
+export interface EntryDockerfileOptions {
+	imageName: string;
+	baseImage: string;
+	port: number;
+	/** App path relative to workspace root */
+	appPath: string;
+	/** Entry file path relative to app path (e.g., './src/index.ts') */
+	entry: string;
+	/** Package name for turbo prune */
+	turboPackage: string;
+	/** Detected package manager */
+	packageManager: PackageManager;
+	/** Health check path (default: '/health') */
+	healthCheckPath?: string;
+}
+
+/**
+ * Generate a Dockerfile for apps with a custom entry point.
+ * Uses tsdown to bundle the entry point into dist/index.mjs.
+ * This is used for apps that don't use gkm routes (e.g., Better Auth servers).
+ * @internal Exported for testing
+ */
+export function generateEntryDockerfile(options: EntryDockerfileOptions): string {
+	const {
+		baseImage,
+		port,
+		appPath,
+		entry,
+		turboPackage,
+		packageManager,
+		healthCheckPath = '/health',
+	} = options;
+
+	const pm = getPmConfig(packageManager);
+	const installPm = pm.install ? `RUN ${pm.install}` : '';
+	const turboInstallCmd = getTurboInstallCmd(packageManager);
+	const turboCmd = packageManager === 'pnpm' ? 'pnpm dlx turbo' : 'npx turbo';
+
+	return `# syntax=docker/dockerfile:1
+# Entry-based Dockerfile with turbo prune + tsdown bundling
+
+# Stage 1: Prune monorepo
+FROM ${baseImage} AS pruner
+
+WORKDIR /app
+
+${installPm}
+
+COPY . .
+
+# Prune to only include necessary packages
+RUN ${turboCmd} prune ${turboPackage} --docker
+
+# Stage 2: Install dependencies
+FROM ${baseImage} AS deps
+
+WORKDIR /app
+
+${installPm}
+
+# Copy pruned lockfile and package.jsons
+COPY --from=pruner /app/out/${pm.lockfile} ./
+COPY --from=pruner /app/out/json/ ./
+
+# Install dependencies
+RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
+    ${turboInstallCmd}
+
+# Stage 3: Build with tsdown
+FROM deps AS builder
+
+WORKDIR /app
+
+# Build-time args for encrypted secrets
+ARG GKM_ENCRYPTED_CREDENTIALS=""
+ARG GKM_CREDENTIALS_IV=""
+
+# Copy pruned source
+COPY --from=pruner /app/out/full/ ./
+
+# Write encrypted credentials for tsdown to embed via define
+RUN if [ -n "$GKM_ENCRYPTED_CREDENTIALS" ]; then \
+      mkdir -p ${appPath}/.gkm && \
+      echo "$GKM_ENCRYPTED_CREDENTIALS" > ${appPath}/.gkm/credentials.enc && \
+      echo "$GKM_CREDENTIALS_IV" > ${appPath}/.gkm/credentials.iv; \
+    fi
+
+# Bundle entry point with tsdown (outputs to dist/index.mjs)
+# Use define to embed credentials if present
+RUN cd ${appPath} && \
+    if [ -f .gkm/credentials.enc ]; then \
+      CREDS=$(cat .gkm/credentials.enc) && \
+      IV=$(cat .gkm/credentials.iv) && \
+      npx tsdown ${entry} --outDir dist --format esm \
+        --define __GKM_ENCRYPTED_CREDENTIALS__="'\\"$CREDS\\"'" \
+        --define __GKM_CREDENTIALS_IV__="'\\"$IV\\"'"; \
+    else \
+      npx tsdown ${entry} --outDir dist --format esm; \
+    fi
+
+# Stage 4: Production
+FROM ${baseImage} AS runner
+
+WORKDIR /app
+
+RUN apk add --no-cache tini
+
+RUN addgroup --system --gid 1001 nodejs && \\
+    adduser --system --uid 1001 app
+
+# Copy bundled output only (no node_modules needed - fully bundled)
+COPY --from=builder --chown=app:nodejs /app/${appPath}/dist/index.mjs ./
+
+ENV NODE_ENV=production
+ENV PORT=${port}
+
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \\
+  CMD wget -q --spider http://localhost:${port}${healthCheckPath} || exit 1
+
+USER app
+
+EXPOSE ${port}
+
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["node", "index.mjs"]
+`;
+}

package/src/init/versions.ts

@@ -32,10 +32,10 @@ export const GEEKMIDAS_VERSIONS = {
 	'@geekmidas/cli': CLI_VERSION,
 	'@geekmidas/client': '~0.5.0',
 	'@geekmidas/cloud': '~0.2.0',
-	'@geekmidas/constructs': '~0.6.0',
+	'@geekmidas/constructs': '~0.7.0',
 	'@geekmidas/db': '~0.3.0',
 	'@geekmidas/emailkit': '~0.2.0',
-	'@geekmidas/envkit': '~0.5.0',
+	'@geekmidas/envkit': '~0.6.0',
 	'@geekmidas/errors': '~0.1.0',
 	'@geekmidas/events': '~0.2.0',
 	'@geekmidas/logger': '~0.4.0',

package/src/workspace/index.ts

@@ -34,11 +34,13 @@ export type {
 	AppConfigInput,
 	AppInput,
 	AppsRecord,
+	BackendFramework,
 	ClientConfig,
 	ConstrainedApps,
 	DeployConfig,
 	DeployTarget,
 	DokployWorkspaceConfig,
+	FrontendFramework,
 	InferAppNames,
 	InferredWorkspaceConfig,
 	LoadedConfig,