@geekmidas/cli 0.39.0 → 0.40.0

package/dist/index.cjs

@@ -1,11 +1,12 @@
 #!/usr/bin/env -S npx tsx
 const require_chunk = require('./chunk-CUT6urMc.cjs');
-const require_workspace = require('./workspace-My0A4IRO.cjs');
-const require_config = require('./config-BAE9LFC1.cjs');
-const require_openapi = require('./openapi-a-e3Y8WA.cjs');
+const require_workspace = require('./workspace-BDAhr6Kb.cjs');
+const require_config = require('./config-xVZsRjN7.cjs');
+const require_openapi = require('./openapi-DhcCtKzM.cjs');
 const require_storage = require('./storage-BPRgh3DU.cjs');
-const require_dokploy_api = require('./dokploy-api-C5czOZoc.cjs');
-const require_openapi_react_query = require('./openapi-react-query-DvNpdDpM.cjs');
+const require_dokploy_api = require('./dokploy-api-BdxOMH_V.cjs');
+const require_encryption = require('./encryption-DaCB_NmS.cjs');
+const require_openapi_react_query = require('./openapi-react-query-C_MxpBgF.cjs');
 const node_fs = require_chunk.__toESM(require("node:fs"));
 const node_path = require_chunk.__toESM(require("node:path"));
 const commander = require_chunk.__toESM(require("commander"));
@@ -22,12 +23,13 @@ const __geekmidas_constructs_crons = require_chunk.__toESM(require("@geekmidas/c
 const __geekmidas_constructs_functions = require_chunk.__toESM(require("@geekmidas/constructs/functions"));
 const __geekmidas_constructs_subscribers = require_chunk.__toESM(require("@geekmidas/constructs/subscribers"));
 const node_crypto = require_chunk.__toESM(require("node:crypto"));
+const node_url = require_chunk.__toESM(require("node:url"));
 const prompts = require_chunk.__toESM(require("prompts"));
 const node_module = require_chunk.__toESM(require("node:module"));
 
 //#region package.json
 var name = "@geekmidas/cli";
-var version = "0.38.0";
+var version = "0.40.0";
 var description = "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs";
 var private$1 = false;
 var type = "module";
@@ -226,7 +228,7 @@ const logger$10 = console;
 * Validate Dokploy token by making a test API call
 */
 async function validateDokployToken(endpoint, token) {
-	const { DokployApi: DokployApi$1 } = await Promise.resolve().then(() => require("./dokploy-api-BnGeUqN4.cjs"));
+	const { DokployApi: DokployApi$1 } = await Promise.resolve().then(() => require("./dokploy-api-Bdmk5ImW.cjs"));
 	const api = new DokployApi$1({
 		baseUrl: endpoint,
 		token
@@ -240,7 +242,7 @@ async function prompt$1(message, hidden = false) {
 	if (!process.stdin.isTTY) throw new Error("Interactive input required. Please provide --token option.");
 	if (hidden) {
 		process.stdout.write(message);
-		return new Promise((resolve$2, reject) => {
+		return new Promise((resolve$3, reject) => {
 			let value = "";
 			const cleanup = () => {
 				process.stdin.setRawMode(false);
@@ -257,7 +259,7 @@ async function prompt$1(message, hidden = false) {
 				if (c === "\n" || c === "\r") {
 					cleanup();
 					process.stdout.write("\n");
-					resolve$2(value);
+					resolve$3(value);
 				} else if (c === "") {
 					cleanup();
 					process.stdout.write("\n");
@@ -892,15 +894,15 @@ function loadEnvFiles(envConfig, cwd = process.cwd()) {
 * @internal Exported for testing
 */
 async function isPortAvailable(port) {
-	return new Promise((resolve$2) => {
+	return new Promise((resolve$3) => {
 		const server = (0, node_net.createServer)();
 		server.once("error", (err) => {
-			if (err.code === "EADDRINUSE") resolve$2(false);
-			else resolve$2(false);
+			if (err.code === "EADDRINUSE") resolve$3(false);
+			else resolve$3(false);
 		});
 		server.once("listening", () => {
 			server.close();
-			resolve$2(true);
+			resolve$3(true);
 		});
 		server.listen(port);
 	});
@@ -1029,6 +1031,15 @@ async function devCommand(options) {
 		workspaceAppName = appConfig.appName;
 		workspaceAppPort = appConfig.app.port;
 		logger$8.log(`📦 Running app: ${appConfig.appName} on port ${workspaceAppPort}`);
+		if (appConfig.app.entry) {
+			logger$8.log(`📄 Using entry point: ${appConfig.app.entry}`);
+			return entryDevCommand({
+				...options,
+				entry: appConfig.app.entry,
+				port: workspaceAppPort,
+				portExplicit: true
+			});
+		}
 	} catch {
 		const loadedConfig = await require_config.loadWorkspaceConfig();
 		if (loadedConfig.type === "workspace") {
@@ -1491,7 +1502,7 @@ async function workspaceDevCommand(workspace, options) {
 	};
 	process.on("SIGINT", shutdown);
 	process.on("SIGTERM", shutdown);
-	return new Promise((resolve$2, reject) => {
+	return new Promise((resolve$3, reject) => {
 		turboProcess.on("error", (error) => {
 			logger$8.error("❌ Turbo error:", error);
 			reject(error);
@@ -1499,7 +1510,7 @@ async function workspaceDevCommand(workspace, options) {
 		turboProcess.on("exit", (code) => {
 			if (endpointWatcher) endpointWatcher.close().catch(() => {});
 			if (code !== null && code !== 0) reject(new Error(`Turbo exited with code ${code}`));
-			else resolve$2();
+			else resolve$3();
 		});
 	});
 }
@@ -1709,12 +1720,12 @@ var EntryRunner = class {
 			if (code !== null && code !== 0 && code !== 143) logger$8.error(`❌ Process exited with code ${code}`);
 			this.isRunning = false;
 		});
-		await new Promise((resolve$2) => setTimeout(resolve$2, 500));
+		await new Promise((resolve$3) => setTimeout(resolve$3, 500));
 		if (this.isRunning) logger$8.log(`\n🎉 Running at http://localhost:${this.port}`);
 	}
 	async restart() {
 		this.stopProcess();
-		await new Promise((resolve$2) => setTimeout(resolve$2, 500));
+		await new Promise((resolve$3) => setTimeout(resolve$3, 500));
 		await this.runProcess();
 	}
 	stop() {
@@ -1786,7 +1797,7 @@ var DevServer = class {
 			if (code !== null && code !== 0 && signal !== "SIGTERM") logger$8.error(`❌ Server exited with code ${code}`);
 			this.isRunning = false;
 		});
-		await new Promise((resolve$2) => setTimeout(resolve$2, 1e3));
+		await new Promise((resolve$3) => setTimeout(resolve$3, 1e3));
 		if (this.isRunning) {
 			logger$8.log(`\n🎉 Server running at http://localhost:${this.actualPort}`);
 			if (this.enableOpenApi) logger$8.log(`📚 API Docs available at http://localhost:${this.actualPort}/__docs`);
@@ -1821,7 +1832,7 @@ var DevServer = class {
 		let attempts = 0;
 		while (attempts < 30) {
 			if (await isPortAvailable(portToReuse)) break;
-			await new Promise((resolve$2) => setTimeout(resolve$2, 100));
+			await new Promise((resolve$3) => setTimeout(resolve$3, 100));
 			attempts++;
 		}
 		this.requestedPort = portToReuse;
@@ -1928,11 +1939,11 @@ async function execCommand(commandArgs, options = {}) {
 			NODE_OPTIONS: nodeOptions
 		}
 	});
-	const exitCode = await new Promise((resolve$2) => {
-		child.on("close", (code) => resolve$2(code ?? 0));
+	const exitCode = await new Promise((resolve$3) => {
+		child.on("close", (code) => resolve$3(code ?? 0));
 		child.on("error", (error) => {
 			logger$8.error(`Failed to run command: ${error.message}`);
-			resolve$2(1);
+			resolve$3(1);
 		});
 	});
 	if (exitCode !== 0) process.exit(exitCode);
@@ -2111,7 +2122,7 @@ async function buildForProvider(provider, context, rootOutputDir, endpointGenera
 		let masterKey;
 		if (context.production?.bundle && !skipBundle) {
 			logger$6.log(`\n📦 Bundling production server...`);
-			const { bundleServer } = await Promise.resolve().then(() => require("./bundler-CyHg1v_T.cjs"));
+			const { bundleServer } = await Promise.resolve().then(() => require("./bundler-DsXfFSCU.cjs"));
 			const allConstructs = [
 				...endpoints.map((e) => e.construct),
 				...functions.map((f) => f.construct),
@@ -2181,7 +2192,7 @@ async function workspaceBuildCommand(workspace, options) {
 	try {
 		const turboCommand = getTurboCommand(pm);
 		logger$6.log(`Running: ${turboCommand}`);
-		await new Promise((resolve$2, reject) => {
+		await new Promise((resolve$3, reject) => {
 			const child = (0, node_child_process.spawn)(turboCommand, {
 				shell: true,
 				cwd: workspace.root,
@@ -2192,7 +2203,7 @@ async function workspaceBuildCommand(workspace, options) {
 				}
 			});
 			child.on("close", (code) => {
-				if (code === 0) resolve$2();
+				if (code === 0) resolve$3();
 				else reject(new Error(`Turbo build failed with exit code ${code}`));
 			});
 			child.on("error", (err) => {
@@ -3016,11 +3027,13 @@ function resolveDockerConfig$1(config) {
 * @internal Exported for testing
 */
 function generateNextjsDockerfile(options) {
-	const { baseImage, port, appPath, turboPackage, packageManager } = options;
+	const { baseImage, port, appPath, turboPackage, packageManager, publicUrlArgs = ["NEXT_PUBLIC_API_URL", "NEXT_PUBLIC_AUTH_URL"] } = options;
 	const pm = getPmConfig(packageManager);
 	const installPm = pm.install ? `RUN ${pm.install}` : "";
 	const turboInstallCmd = getTurboInstallCmd(packageManager);
 	const turboCmd = packageManager === "pnpm" ? "pnpm dlx turbo" : "npx turbo";
+	const publicUrlArgDeclarations = publicUrlArgs.map((arg) => `ARG ${arg}=""`).join("\n");
+	const publicUrlEnvDeclarations = publicUrlArgs.map((arg) => `ENV ${arg}=$${arg}`).join("\n");
 	return `# syntax=docker/dockerfile:1
 # Next.js standalone Dockerfile with turbo prune optimization
 
@@ -3056,6 +3069,13 @@ FROM deps AS builder
 
 WORKDIR /app
 
+# Build-time args for public API URLs (populated by gkm deploy)
+# These get baked into the Next.js build as public environment variables
+${publicUrlArgDeclarations}
+
+# Convert ARGs to ENVs for Next.js build
+${publicUrlEnvDeclarations}
+
 # Copy pruned source
 COPY --from=pruner /app/out/full/ ./
 
@@ -3146,9 +3166,20 @@ FROM deps AS builder
 
 WORKDIR /app
 
+# Build-time args for encrypted secrets
+ARG GKM_ENCRYPTED_CREDENTIALS=""
+ARG GKM_CREDENTIALS_IV=""
+
 # Copy pruned source
 COPY --from=pruner /app/out/full/ ./
 
+# Write encrypted credentials for gkm build to embed
+RUN if [ -n "$GKM_ENCRYPTED_CREDENTIALS" ]; then \
+      mkdir -p ${appPath}/.gkm && \
+      echo "$GKM_ENCRYPTED_CREDENTIALS" > ${appPath}/.gkm/credentials.enc && \
+      echo "$GKM_CREDENTIALS_IV" > ${appPath}/.gkm/credentials.iv; \
+    fi
+
 # Build production server using gkm
 RUN cd ${appPath} && ./node_modules/.bin/gkm build --provider server --production
 
@@ -3179,6 +3210,107 @@ ENTRYPOINT ["/sbin/tini", "--"]
 CMD ["node", "server.mjs"]
 `;
 }
+/**
+* Generate a Dockerfile for apps with a custom entry point.
+* Uses tsdown to bundle the entry point into dist/index.mjs.
+* This is used for apps that don't use gkm routes (e.g., Better Auth servers).
+* @internal Exported for testing
+*/
+function generateEntryDockerfile(options) {
+	const { baseImage, port, appPath, entry, turboPackage, packageManager, healthCheckPath = "/health" } = options;
+	const pm = getPmConfig(packageManager);
+	const installPm = pm.install ? `RUN ${pm.install}` : "";
+	const turboInstallCmd = getTurboInstallCmd(packageManager);
+	const turboCmd = packageManager === "pnpm" ? "pnpm dlx turbo" : "npx turbo";
+	return `# syntax=docker/dockerfile:1
+# Entry-based Dockerfile with turbo prune + tsdown bundling
+
+# Stage 1: Prune monorepo
+FROM ${baseImage} AS pruner
+
+WORKDIR /app
+
+${installPm}
+
+COPY . .
+
+# Prune to only include necessary packages
+RUN ${turboCmd} prune ${turboPackage} --docker
+
+# Stage 2: Install dependencies
+FROM ${baseImage} AS deps
+
+WORKDIR /app
+
+${installPm}
+
+# Copy pruned lockfile and package.jsons
+COPY --from=pruner /app/out/${pm.lockfile} ./
+COPY --from=pruner /app/out/json/ ./
+
+# Install dependencies
+RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
+    ${turboInstallCmd}
+
+# Stage 3: Build with tsdown
+FROM deps AS builder
+
+WORKDIR /app
+
+# Build-time args for encrypted secrets
+ARG GKM_ENCRYPTED_CREDENTIALS=""
+ARG GKM_CREDENTIALS_IV=""
+
+# Copy pruned source
+COPY --from=pruner /app/out/full/ ./
+
+# Write encrypted credentials for tsdown to embed via define
+RUN if [ -n "$GKM_ENCRYPTED_CREDENTIALS" ]; then \
+      mkdir -p ${appPath}/.gkm && \
+      echo "$GKM_ENCRYPTED_CREDENTIALS" > ${appPath}/.gkm/credentials.enc && \
+      echo "$GKM_CREDENTIALS_IV" > ${appPath}/.gkm/credentials.iv; \
+    fi
+
+# Bundle entry point with tsdown (outputs to dist/index.mjs)
+# Use define to embed credentials if present
+RUN cd ${appPath} && \
+    if [ -f .gkm/credentials.enc ]; then \
+      CREDS=$(cat .gkm/credentials.enc) && \
+      IV=$(cat .gkm/credentials.iv) && \
+      npx tsdown ${entry} --outDir dist --format esm \
+        --define __GKM_ENCRYPTED_CREDENTIALS__="'\\"$CREDS\\"'" \
+        --define __GKM_CREDENTIALS_IV__="'\\"$IV\\"'"; \
+    else \
+      npx tsdown ${entry} --outDir dist --format esm; \
+    fi
+
+# Stage 4: Production
+FROM ${baseImage} AS runner
+
+WORKDIR /app
+
+RUN apk add --no-cache tini
+
+RUN addgroup --system --gid 1001 nodejs && \\
+    adduser --system --uid 1001 app
+
+# Copy bundled output only (no node_modules needed - fully bundled)
+COPY --from=builder --chown=app:nodejs /app/${appPath}/dist/index.mjs ./
+
+ENV NODE_ENV=production
+ENV PORT=${port}
+
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \\
+  CMD wget -q --spider http://localhost:${port}${healthCheckPath} || exit 1
+
+USER app
+
+EXPOSE ${port}
+
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["node", "index.mjs"]
+`;
+}
 
 //#endregion
 //#region src/docker/index.ts
@@ -3365,7 +3497,9 @@ async function workspaceDockerCommand(workspace, options) {
 		const fullAppPath = (0, node_path.join)(workspace.root, appPath);
 		const turboPackage = getAppPackageName(fullAppPath) ?? appName;
 		const imageName = appName;
-		logger$5.log(`\n   📄 Generating Dockerfile for ${appName} (${app.type})`);
+		const hasEntry = !!app.entry;
+		const buildType = hasEntry ? "entry" : app.type;
+		logger$5.log(`\n   📄 Generating Dockerfile for ${appName} (${buildType})`);
 		let dockerfile;
 		if (app.type === "frontend") dockerfile = generateNextjsDockerfile({
 			imageName,
@@ -3375,6 +3509,16 @@ async function workspaceDockerCommand(workspace, options) {
 			turboPackage,
 			packageManager
 		});
+		else if (app.entry) dockerfile = generateEntryDockerfile({
+			imageName,
+			baseImage: "node:22-alpine",
+			port: app.port,
+			appPath,
+			entry: app.entry,
+			turboPackage,
+			packageManager,
+			healthCheckPath: "/health"
+		});
 		else dockerfile = generateBackendDockerfile({
 			imageName,
 			baseImage: "node:22-alpine",
@@ -3461,8 +3605,9 @@ function getImageRef(registry, imageName, tag) {
 * Build Docker image
 * @param imageRef - Full image reference (registry/name:tag)
 * @param appName - Name of the app (used for Dockerfile.{appName} in workspaces)
+* @param buildArgs - Build arguments to pass to docker build
 */
-async function buildImage(imageRef, appName) {
+async function buildImage(imageRef, appName, buildArgs) {
 	logger$4.log(`\n🔨 Building Docker image: ${imageRef}`);
 	const cwd = process.cwd();
 	const lockfilePath = findLockfilePath(cwd);
@@ -3475,8 +3620,17 @@ async function buildImage(imageRef, appName) {
 	const dockerfilePath = `.gkm/docker/Dockerfile${dockerfileSuffix}`;
 	const buildCwd = lockfilePath && (inMonorepo || appName) ? lockfileDir : cwd;
 	if (buildCwd !== cwd) logger$4.log(`   Building from workspace root: ${buildCwd}`);
+	const buildArgsString = buildArgs && buildArgs.length > 0 ? buildArgs.map((arg) => `--build-arg "${arg}"`).join(" ") : "";
 	try {
-		(0, node_child_process.execSync)(`DOCKER_BUILDKIT=1 docker build --platform linux/amd64 -f ${dockerfilePath} -t ${imageRef} .`, {
+		const cmd = [
+			"DOCKER_BUILDKIT=1 docker build",
+			"--platform linux/amd64",
+			`-f ${dockerfilePath}`,
+			`-t ${imageRef}`,
+			buildArgsString,
+			"."
+		].filter(Boolean).join(" ");
+		(0, node_child_process.execSync)(cmd, {
 			cwd: buildCwd,
 			stdio: "inherit",
 			env: {
@@ -3508,10 +3662,10 @@ async function pushImage(imageRef) {
 * Deploy using Docker (build and optionally push image)
 */
 async function deployDocker(options) {
-	const { stage, tag, skipPush, masterKey, config } = options;
+	const { stage, tag, skipPush, masterKey, config, buildArgs } = options;
 	const imageName = config.imageName;
 	const imageRef = getImageRef(config.registry, imageName, tag);
-	await buildImage(imageRef, config.appName);
+	await buildImage(imageRef, config.appName, buildArgs);
 	if (!skipPush) if (!config.registry) logger$4.warn("\n⚠️  No registry configured. Use --skip-push or configure docker.registry in gkm.config.ts");
 	else await pushImage(imageRef);
 	logger$4.log("\n✅ Docker deployment ready!");
@@ -3632,6 +3786,81 @@ async function deployDokploy(options) {
 	};
 }
 
+//#endregion
+//#region src/deploy/domain.ts
+/**
+* Resolve the hostname for an app based on stage configuration.
+*
+* Domain resolution priority:
+* 1. Explicit app.domain override (string or stage-specific)
+* 2. Default pattern based on app type:
+*    - Main frontend app gets base domain (e.g., 'myapp.com')
+*    - Other apps get prefixed domain (e.g., 'api.myapp.com')
+*
+* @param appName - The name of the app
+* @param app - The normalized app configuration
+* @param stage - The deployment stage (e.g., 'production', 'development')
+* @param dokployConfig - Dokploy workspace configuration with domain mappings
+* @param isMainFrontend - Whether this is the main frontend app
+* @returns The resolved hostname for the app
+* @throws Error if no domain configuration is found for the stage
+*/
+function resolveHost(appName, app, stage, dokployConfig, isMainFrontend) {
+	if (app.domain) {
+		if (typeof app.domain === "string") return app.domain;
+		if (app.domain[stage]) return app.domain[stage];
+	}
+	const baseDomain = dokployConfig?.domains?.[stage];
+	if (!baseDomain) throw new Error(`No domain configured for stage "${stage}". Add deploy.dokploy.domains.${stage} to gkm.config.ts`);
+	if (isMainFrontend) return baseDomain;
+	return `${appName}.${baseDomain}`;
+}
+/**
+* Determine if an app is the "main" frontend (gets base domain).
+*
+* An app is considered the main frontend if:
+* 1. It's named 'web' and is a frontend type
+* 2. It's the first frontend app in the apps list
+*
+* @param appName - The name of the app to check
+* @param app - The app configuration
+* @param allApps - All apps in the workspace
+* @returns True if this is the main frontend app
+*/
+function isMainFrontendApp(appName, app, allApps) {
+	if (app.type !== "frontend") return false;
+	if (appName === "web") return true;
+	for (const [name$1, a] of Object.entries(allApps)) if (a.type === "frontend") return name$1 === appName;
+	return false;
+}
+/**
+* Generate public URL build args for a frontend app based on its dependencies.
+*
+* @param app - The frontend app configuration
+* @param deployedUrls - Map of app name to deployed public URL
+* @returns Array of build args like 'NEXT_PUBLIC_API_URL=https://api.example.com'
+*/
+function generatePublicUrlBuildArgs(app, deployedUrls) {
+	const buildArgs = [];
+	for (const dep of app.dependencies) {
+		const publicUrl = deployedUrls[dep];
+		if (publicUrl) {
+			const envVarName = `NEXT_PUBLIC_${dep.toUpperCase()}_URL`;
+			buildArgs.push(`${envVarName}=${publicUrl}`);
+		}
+	}
+	return buildArgs;
+}
+/**
+* Get public URL arg names from app dependencies.
+*
+* @param app - The frontend app configuration
+* @returns Array of arg names like 'NEXT_PUBLIC_API_URL'
+*/
+function getPublicUrlArgNames(app) {
+	return app.dependencies.map((dep) => `NEXT_PUBLIC_${dep.toUpperCase()}_URL`);
+}
+
 //#endregion
 //#region src/deploy/init.ts
 const logger$2 = console;
@@ -3805,6 +4034,214 @@ async function deployListCommand(options) {
 	}
 }
 
+//#endregion
+//#region src/deploy/secrets.ts
+/**
+* Filter secrets to only include the env vars that an app requires.
+*
+* @param stageSecrets - All secrets for the stage
+* @param sniffedEnv - The sniffed environment requirements for the app
+* @returns Filtered secrets with found/missing tracking
+*/
+function filterSecretsForApp(stageSecrets, sniffedEnv) {
+	const allSecrets = require_storage.toEmbeddableSecrets(stageSecrets);
+	const filtered = {};
+	const found = [];
+	const missing = [];
+	for (const key of sniffedEnv.requiredEnvVars) if (key in allSecrets) {
+		filtered[key] = allSecrets[key];
+		found.push(key);
+	} else missing.push(key);
+	return {
+		appName: sniffedEnv.appName,
+		secrets: filtered,
+		found: found.sort(),
+		missing: missing.sort()
+	};
+}
+/**
+* Encrypt filtered secrets for an app.
+* Generates an ephemeral master key that should be injected into Dokploy.
+*
+* @param filteredSecrets - The filtered secrets for the app
+* @returns Encrypted payload with master key
+*/
+function encryptSecretsForApp(filteredSecrets) {
+	const payload = require_encryption.encryptSecrets(filteredSecrets.secrets);
+	return {
+		appName: filteredSecrets.appName,
+		payload,
+		masterKey: payload.masterKey,
+		secretCount: Object.keys(filteredSecrets.secrets).length,
+		missingSecrets: filteredSecrets.missing
+	};
+}
+/**
+* Filter and encrypt secrets for an app in one step.
+*
+* @param stageSecrets - All secrets for the stage
+* @param sniffedEnv - The sniffed environment requirements for the app
+* @returns Encrypted secrets with master key
+*/
+function prepareSecretsForApp(stageSecrets, sniffedEnv) {
+	const filtered = filterSecretsForApp(stageSecrets, sniffedEnv);
+	return encryptSecretsForApp(filtered);
+}
+/**
+* Prepare secrets for multiple apps.
+*
+* @param stageSecrets - All secrets for the stage
+* @param sniffedApps - Map of app name to sniffed environment
+* @returns Map of app name to encrypted secrets
+*/
+function prepareSecretsForAllApps(stageSecrets, sniffedApps) {
+	const results = /* @__PURE__ */ new Map();
+	for (const [appName, sniffedEnv] of sniffedApps) if (sniffedEnv.requiredEnvVars.length > 0) {
+		const encrypted = prepareSecretsForApp(stageSecrets, sniffedEnv);
+		results.set(appName, encrypted);
+	}
+	return results;
+}
+/**
+* Generate a report on secrets preparation.
+*/
+function generateSecretsReport(encryptedApps, sniffedApps) {
+	const appsWithSecrets = [];
+	const appsWithoutSecrets = [];
+	const appsWithMissingSecrets = [];
+	for (const [appName, sniffedEnv] of sniffedApps) {
+		if (sniffedEnv.requiredEnvVars.length === 0) {
+			appsWithoutSecrets.push(appName);
+			continue;
+		}
+		const encrypted = encryptedApps.get(appName);
+		if (encrypted) {
+			appsWithSecrets.push(appName);
+			if (encrypted.missingSecrets.length > 0) appsWithMissingSecrets.push({
+				appName,
+				missing: encrypted.missingSecrets
+			});
+		}
+	}
+	return {
+		totalApps: sniffedApps.size,
+		appsWithSecrets: appsWithSecrets.sort(),
+		appsWithoutSecrets: appsWithoutSecrets.sort(),
+		appsWithMissingSecrets
+	};
+}
+
+//#endregion
+//#region src/deploy/sniffer.ts
+/**
+* Get required environment variables for an app.
+*
+* Detection strategy:
+* - Frontend apps: Returns empty (no server secrets)
+* - Apps with `requiredEnv`: Uses explicit list from config
+* - Apps with `envParser`: Runs SnifferEnvironmentParser to detect usage
+* - Apps with neither: Returns empty
+*
+* This function handles "fire and forget" async operations gracefully,
+* capturing errors and unhandled rejections without failing the build.
+*
+* @param app - The normalized app configuration
+* @param appName - The name of the app
+* @param workspacePath - Absolute path to the workspace root
+* @param options - Optional configuration for sniffing behavior
+* @returns The sniffed environment with required variables
+*/
+async function sniffAppEnvironment(app, appName, workspacePath, options = {}) {
+	const { logWarnings = true } = options;
+	if (app.type === "frontend") return {
+		appName,
+		requiredEnvVars: []
+	};
+	if (app.requiredEnv && app.requiredEnv.length > 0) return {
+		appName,
+		requiredEnvVars: [...app.requiredEnv]
+	};
+	if (app.envParser) {
+		const result = await sniffEnvParser(app.envParser, app.path, workspacePath);
+		if (logWarnings) {
+			if (result.error) console.warn(`[sniffer] ${appName}: envParser threw error during sniffing (env vars still captured): ${result.error.message}`);
+			if (result.unhandledRejections.length > 0) console.warn(`[sniffer] ${appName}: Fire-and-forget rejections during sniffing (suppressed): ${result.unhandledRejections.map((e) => e.message).join(", ")}`);
+		}
+		return {
+			appName,
+			requiredEnvVars: result.envVars
+		};
+	}
+	return {
+		appName,
+		requiredEnvVars: []
+	};
+}
+/**
+* Run the SnifferEnvironmentParser on an envParser module to detect
+* which environment variables it accesses.
+*
+* This function handles "fire and forget" async operations by using
+* the shared sniffWithFireAndForget utility from @geekmidas/envkit.
+*
+* @param envParserPath - The envParser config (e.g., './src/config/env#envParser')
+* @param appPath - The app's path relative to workspace
+* @param workspacePath - Absolute path to workspace root
+* @returns SniffResult with env vars and any errors encountered
+*/
+async function sniffEnvParser(envParserPath, appPath, workspacePath) {
+	const [modulePath, exportName = "default"] = envParserPath.split("#");
+	if (!modulePath) return {
+		envVars: [],
+		unhandledRejections: []
+	};
+	const fullPath = (0, node_path.resolve)(workspacePath, appPath, modulePath);
+	let SnifferEnvironmentParser;
+	let sniffWithFireAndForget;
+	try {
+		const envkitModule = await import("@geekmidas/envkit/sniffer");
+		SnifferEnvironmentParser = envkitModule.SnifferEnvironmentParser;
+		sniffWithFireAndForget = envkitModule.sniffWithFireAndForget;
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		console.warn(`[sniffer] Failed to import SnifferEnvironmentParser: ${message}`);
+		return {
+			envVars: [],
+			unhandledRejections: []
+		};
+	}
+	const sniffer = new SnifferEnvironmentParser();
+	return sniffWithFireAndForget(sniffer, async () => {
+		const moduleUrl = (0, node_url.pathToFileURL)(fullPath).href;
+		const module$1 = await import(moduleUrl);
+		const envParser = module$1[exportName];
+		if (typeof envParser !== "function") {
+			console.warn(`[sniffer] Export "${exportName}" from "${modulePath}" is not a function`);
+			return;
+		}
+		const result = envParser(sniffer);
+		if (result && typeof result.parse === "function") try {
+			result.parse();
+		} catch {}
+	});
+}
+/**
+* Sniff environment requirements for multiple apps.
+*
+* @param apps - Map of app name to app config
+* @param workspacePath - Absolute path to workspace root
+* @param options - Optional configuration for sniffing behavior
+* @returns Map of app name to sniffed environment
+*/
+async function sniffAllApps(apps, workspacePath, options = {}) {
+	const results = /* @__PURE__ */ new Map();
+	for (const [appName, app] of Object.entries(apps)) {
+		const sniffed = await sniffAppEnvironment(app, appName, workspacePath, options);
+		results.set(appName, sniffed);
+	}
+	return results;
+}
+
 //#endregion
 //#region src/deploy/index.ts
 const logger$1 = console;
@@ -3815,7 +4252,7 @@ async function prompt(message, hidden = false) {
 	if (!process.stdin.isTTY) throw new Error("Interactive input required. Please configure manually.");
 	if (hidden) {
 		process.stdout.write(message);
-		return new Promise((resolve$2) => {
+		return new Promise((resolve$3) => {
 			let value = "";
 			const onData = (char) => {
 				const c = char.toString();
@@ -3824,7 +4261,7 @@ async function prompt(message, hidden = false) {
 					process.stdin.pause();
 					process.stdin.removeListener("data", onData);
 					process.stdout.write("\n");
-					resolve$2(value);
+					resolve$3(value);
 				} else if (c === "") {
 					process.stdin.setRawMode(false);
 					process.stdin.pause();
@@ -4093,14 +4530,20 @@ function generateTag(stage) {
 }
 /**
 * Deploy all apps in a workspace to Dokploy.
-* - Workspace maps to one Dokploy project
-* - Each app maps to one Dokploy application
-* - Deploys in dependency order (backends before dependent frontends)
-* - Syncs environment variables including {APP_NAME}_URL
+*
+* Two-phase orchestration:
+* - PHASE 1: Deploy backend apps (with encrypted secrets)
+* - PHASE 2: Deploy frontend apps (with public URLs from backends)
+*
+* Security model:
+* - Backend apps get encrypted secrets embedded at build time
+* - Only GKM_MASTER_KEY is injected as Dokploy env var
+* - Frontend apps get public URLs baked in at build time (no secrets)
+*
 * @internal Exported for testing
 */
 async function workspaceDeployCommand(workspace, options) {
-	const { provider, stage, tag, skipBuild, apps: selectedApps } = options;
+	const { provider, stage, tag, apps: selectedApps } = options;
 	if (provider !== "dokploy") throw new Error(`Workspace deployment only supports Dokploy. Got: ${provider}`);
 	logger$1.log(`\n🚀 Deploying workspace "${workspace.name}" to Dokploy...`);
 	logger$1.log(`   Stage: ${stage}`);
@@ -4124,11 +4567,20 @@ async function workspaceDeployCommand(workspace, options) {
 		return true;
 	});
 	if (dokployApps.length === 0) throw new Error("No apps to deploy. All selected apps have unsupported deploy targets.");
-	if (dokployApps.length !== appsToDeployNames.length) {
-		const skipped = appsToDeployNames.filter((name$1) => !dokployApps.includes(name$1));
-		logger$1.log(`   📌 ${skipped.length} app(s) skipped due to unsupported targets`);
-	}
 	appsToDeployNames = dokployApps;
+	logger$1.log("\n🔐 Loading secrets and analyzing environment requirements...");
+	const stageSecrets = await require_storage.readStageSecrets(stage, workspace.root);
+	if (!stageSecrets) {
+		logger$1.log(`   ⚠️  No secrets found for stage "${stage}"`);
+		logger$1.log(`      Run "gkm secrets:init --stage ${stage}" to create secrets`);
+	}
+	const sniffedApps = await sniffAllApps(workspace.apps, workspace.root);
+	const encryptedSecrets = stageSecrets ? prepareSecretsForAllApps(stageSecrets, sniffedApps) : /* @__PURE__ */ new Map();
+	if (stageSecrets) {
+		const report = generateSecretsReport(encryptedSecrets, sniffedApps);
+		if (report.appsWithSecrets.length > 0) logger$1.log(`   ✓ Encrypted secrets for: ${report.appsWithSecrets.join(", ")}`);
+		if (report.appsWithMissingSecrets.length > 0) for (const { appName, missing } of report.appsWithMissingSecrets) logger$1.log(`   ⚠️  ${appName}: Missing secrets: ${missing.join(", ")}`);
+	}
 	let creds = await getDokployCredentials();
 	if (!creds) {
 		logger$1.log("\n📋 Dokploy credentials not found. Let's set them up.");
@@ -4222,95 +4674,191 @@ async function workspaceDeployCommand(workspace, options) {
 		logger$1.log("\n🔧 Provisioning infrastructure services...");
 		await provisionServices(api, project.projectId, environmentId, workspace.name, dockerServices);
 	}
-	const deployedAppUrls = {};
-	if (!skipBuild) {
-		logger$1.log("\n🏗️  Building workspace...");
-		try {
-			await buildCommand({
-				provider: "server",
-				production: true,
-				stage
-			});
-			logger$1.log("   ✓ Workspace build complete");
-		} catch (error) {
-			const message = error instanceof Error ? error.message : "Unknown error";
-			logger$1.log(`   ✗ Workspace build failed: ${message}`);
-			throw error;
-		}
-	}
-	logger$1.log("\n📦 Deploying applications...");
+	const backendApps = appsToDeployNames.filter((name$1) => workspace.apps[name$1].type === "backend");
+	const frontendApps = appsToDeployNames.filter((name$1) => workspace.apps[name$1].type === "frontend");
+	const publicUrls = {};
 	const results = [];
-	for (const appName of appsToDeployNames) {
-		const app = workspace.apps[appName];
-		logger$1.log(`\n   ${app.type === "backend" ? "⚙️" : "🌐"} Deploying ${appName}...`);
-		try {
-			const dokployAppName = `${workspace.name}-${appName}`;
-			let application;
+	const dokployConfig = workspace.deploy.dokploy;
+	if (backendApps.length > 0) {
+		logger$1.log("\n📦 PHASE 1: Deploying backend applications...");
+		for (const appName of backendApps) {
+			const app = workspace.apps[appName];
+			logger$1.log(`\n   ⚙️  Deploying ${appName}...`);
 			try {
-				application = await api.createApplication(dokployAppName, project.projectId, environmentId);
-				logger$1.log(`      Created application: ${application.applicationId}`);
+				const dokployAppName = `${workspace.name}-${appName}`;
+				let application;
+				try {
+					application = await api.createApplication(dokployAppName, project.projectId, environmentId);
+					logger$1.log(`      Created application: ${application.applicationId}`);
+				} catch (error) {
+					const message = error instanceof Error ? error.message : "Unknown error";
+					if (message.includes("already exists") || message.includes("duplicate")) logger$1.log(`      Application already exists`);
+					else throw error;
+				}
+				const appSecrets = encryptedSecrets.get(appName);
+				const buildArgs = [];
+				if (appSecrets && appSecrets.secretCount > 0) {
+					buildArgs.push(`GKM_ENCRYPTED_CREDENTIALS=${appSecrets.payload.encrypted}`);
+					buildArgs.push(`GKM_CREDENTIALS_IV=${appSecrets.payload.iv}`);
+					logger$1.log(`      Encrypted ${appSecrets.secretCount} secrets`);
+				}
+				const imageName = `${workspace.name}-${appName}`;
+				const imageRef = registry ? `${registry}/${imageName}:${imageTag}` : `${imageName}:${imageTag}`;
+				logger$1.log(`      Building Docker image: ${imageRef}`);
+				await deployDocker({
+					stage,
+					tag: imageTag,
+					skipPush: false,
+					config: {
+						registry,
+						imageName,
+						appName
+					},
+					buildArgs
+				});
+				const envVars = [`NODE_ENV=production`, `PORT=${app.port}`];
+				if (appSecrets && appSecrets.masterKey) envVars.push(`GKM_MASTER_KEY=${appSecrets.masterKey}`);
+				if (application) {
+					await api.saveDockerProvider(application.applicationId, imageRef, { registryId });
+					await api.saveApplicationEnv(application.applicationId, envVars.join("\n"));
+					logger$1.log(`      Deploying to Dokploy...`);
+					await api.deployApplication(application.applicationId);
+					try {
+						const host = resolveHost(appName, app, stage, dokployConfig, false);
+						await api.createDomain({
+							host,
+							port: app.port,
+							https: true,
+							certificateType: "letsencrypt",
+							applicationId: application.applicationId
+						});
+						const publicUrl = `https://${host}`;
+						publicUrls[appName] = publicUrl;
+						logger$1.log(`      ✓ Domain: ${publicUrl}`);
+					} catch (domainError) {
+						const host = resolveHost(appName, app, stage, dokployConfig, false);
+						publicUrls[appName] = `https://${host}`;
+						logger$1.log(`      ℹ Domain already configured: https://${host}`);
+					}
+					results.push({
+						appName,
+						type: app.type,
+						success: true,
+						applicationId: application.applicationId,
+						imageRef
+					});
+					logger$1.log(`      ✓ ${appName} deployed successfully`);
+				} else {
+					const host = resolveHost(appName, app, stage, dokployConfig, false);
+					publicUrls[appName] = `https://${host}`;
+					results.push({
+						appName,
+						type: app.type,
+						success: true,
+						imageRef
+					});
+					logger$1.log(`      ✓ ${appName} image pushed (app already exists)`);
+				}
 			} catch (error) {
 				const message = error instanceof Error ? error.message : "Unknown error";
-				if (message.includes("already exists") || message.includes("duplicate")) logger$1.log(`      Application already exists`);
-				else throw error;
-			}
-			const imageName = `${workspace.name}-${appName}`;
-			const imageRef = registry ? `${registry}/${imageName}:${imageTag}` : `${imageName}:${imageTag}`;
-			logger$1.log(`      Building Docker image: ${imageRef}`);
-			await deployDocker({
-				stage,
-				tag: imageTag,
-				skipPush: false,
-				config: {
-					registry,
-					imageName,
-					appName
-				}
-			});
-			const envVars = [`NODE_ENV=production`, `PORT=${app.port}`];
-			for (const dep of app.dependencies) {
-				const depUrl = deployedAppUrls[dep];
-				if (depUrl) envVars.push(`${dep.toUpperCase()}_URL=${depUrl}`);
-			}
-			if (app.type === "backend") {
-				if (dockerServices.postgres) envVars.push(`DATABASE_URL=\${DATABASE_URL:-postgresql://postgres:postgres@${workspace.name}-db:5432/app}`);
-				if (dockerServices.redis) envVars.push(`REDIS_URL=\${REDIS_URL:-redis://${workspace.name}-cache:6379}`);
-			}
-			if (application) {
-				await api.saveDockerProvider(application.applicationId, imageRef, { registryId });
-				await api.saveApplicationEnv(application.applicationId, envVars.join("\n"));
-				logger$1.log(`      Deploying to Dokploy...`);
-				await api.deployApplication(application.applicationId);
-				const appUrl = `http://${dokployAppName}:${app.port}`;
-				deployedAppUrls[appName] = appUrl;
+				logger$1.log(`      ✗ Failed to deploy ${appName}: ${message}`);
 				results.push({
 					appName,
 					type: app.type,
-					success: true,
-					applicationId: application.applicationId,
-					imageRef
+					success: false,
+					error: message
+				});
+				throw new Error(`Backend deployment failed for ${appName}. Aborting to prevent partial deployment.`);
+			}
+		}
+	}
+	if (frontendApps.length > 0) {
+		logger$1.log("\n🌐 PHASE 2: Deploying frontend applications...");
+		for (const appName of frontendApps) {
+			const app = workspace.apps[appName];
+			logger$1.log(`\n   🌐 Deploying ${appName}...`);
+			try {
+				const dokployAppName = `${workspace.name}-${appName}`;
+				let application;
+				try {
+					application = await api.createApplication(dokployAppName, project.projectId, environmentId);
+					logger$1.log(`      Created application: ${application.applicationId}`);
+				} catch (error) {
+					const message = error instanceof Error ? error.message : "Unknown error";
+					if (message.includes("already exists") || message.includes("duplicate")) logger$1.log(`      Application already exists`);
+					else throw error;
+				}
+				const buildArgs = generatePublicUrlBuildArgs(app, publicUrls);
+				if (buildArgs.length > 0) logger$1.log(`      Public URLs: ${buildArgs.join(", ")}`);
+				const imageName = `${workspace.name}-${appName}`;
+				const imageRef = registry ? `${registry}/${imageName}:${imageTag}` : `${imageName}:${imageTag}`;
+				logger$1.log(`      Building Docker image: ${imageRef}`);
+				await deployDocker({
+					stage,
+					tag: imageTag,
+					skipPush: false,
+					config: {
+						registry,
+						imageName,
+						appName
+					},
+					buildArgs,
+					publicUrlArgs: getPublicUrlArgNames(app)
 				});
-				logger$1.log(`      ✓ ${appName} deployed successfully`);
-			} else {
-				const appUrl = `http://${dokployAppName}:${app.port}`;
-				deployedAppUrls[appName] = appUrl;
+				const envVars = [`NODE_ENV=production`, `PORT=${app.port}`];
+				if (application) {
+					await api.saveDockerProvider(application.applicationId, imageRef, { registryId });
+					await api.saveApplicationEnv(application.applicationId, envVars.join("\n"));
+					logger$1.log(`      Deploying to Dokploy...`);
+					await api.deployApplication(application.applicationId);
+					const isMainFrontend = isMainFrontendApp(appName, app, workspace.apps);
+					try {
+						const host = resolveHost(appName, app, stage, dokployConfig, isMainFrontend);
+						await api.createDomain({
+							host,
+							port: app.port,
+							https: true,
+							certificateType: "letsencrypt",
+							applicationId: application.applicationId
+						});
+						const publicUrl = `https://${host}`;
+						publicUrls[appName] = publicUrl;
+						logger$1.log(`      ✓ Domain: ${publicUrl}`);
+					} catch (domainError) {
+						const host = resolveHost(appName, app, stage, dokployConfig, isMainFrontend);
+						publicUrls[appName] = `https://${host}`;
+						logger$1.log(`      ℹ Domain already configured: https://${host}`);
+					}
+					results.push({
+						appName,
+						type: app.type,
+						success: true,
+						applicationId: application.applicationId,
+						imageRef
+					});
+					logger$1.log(`      ✓ ${appName} deployed successfully`);
+				} else {
+					const isMainFrontend = isMainFrontendApp(appName, app, workspace.apps);
+					const host = resolveHost(appName, app, stage, dokployConfig, isMainFrontend);
+					publicUrls[appName] = `https://${host}`;
+					results.push({
+						appName,
+						type: app.type,
+						success: true,
+						imageRef
+					});
+					logger$1.log(`      ✓ ${appName} image pushed (app already exists)`);
+				}
+			} catch (error) {
+				const message = error instanceof Error ? error.message : "Unknown error";
+				logger$1.log(`      ✗ Failed to deploy ${appName}: ${message}`);
 				results.push({
 					appName,
 					type: app.type,
-					success: true,
-					imageRef
+					success: false,
+					error: message
 				});
-				logger$1.log(`      ✓ ${appName} image pushed (app already exists)`);
 			}
-		} catch (error) {
-			const message = error instanceof Error ? error.message : "Unknown error";
-			logger$1.log(`      ✗ Failed to deploy ${appName}: ${message}`);
-			results.push({
-				appName,
-				type: app.type,
-				success: false,
-				error: message
-			});
 		}
 	}
 	const successCount = results.filter((r) => r.success).length;
@@ -4320,6 +4868,10 @@ async function workspaceDeployCommand(workspace, options) {
 	logger$1.log(`   Project: ${project.projectId}`);
 	logger$1.log(`   Successful: ${successCount}`);
 	if (failedCount > 0) logger$1.log(`   Failed: ${failedCount}`);
+	if (Object.keys(publicUrls).length > 0) {
+		logger$1.log("\n   📡 Deployed URLs:");
+		for (const [name$1, url] of Object.entries(publicUrls)) logger$1.log(`      ${name$1}: ${url}`);
+	}
 	return {
 		apps: results,
 		projectId: project.projectId,
@@ -4597,10 +5149,10 @@ const GEEKMIDAS_VERSIONS = {
 	"@geekmidas/cli": CLI_VERSION,
 	"@geekmidas/client": "~0.5.0",
 	"@geekmidas/cloud": "~0.2.0",
-	"@geekmidas/constructs": "~0.6.0",
+	"@geekmidas/constructs": "~0.7.0",
 	"@geekmidas/db": "~0.3.0",
 	"@geekmidas/emailkit": "~0.2.0",
-	"@geekmidas/envkit": "~0.5.0",
+	"@geekmidas/envkit": "~0.6.0",
 	"@geekmidas/errors": "~0.1.0",
 	"@geekmidas/events": "~0.2.0",
 	"@geekmidas/logger": "~0.4.0",
@@ -7474,9 +8026,9 @@ async function testCommand(options = {}) {
 			NODE_ENV: "test"
 		}
 	});
-	return new Promise((resolve$2, reject) => {
+	return new Promise((resolve$3, reject) => {
 		vitestProcess.on("close", (code) => {
-			if (code === 0) resolve$2();
+			if (code === 0) resolve$3();
 			else reject(new Error(`Tests failed with exit code ${code}`));
 		});
 		vitestProcess.on("error", (error) => {