@geekmidas/cli 0.39.0 → 0.41.0

package/src/deploy/__tests__/secrets.spec.ts

@@ -0,0 +1,300 @@
+import { describe, expect, it } from 'vitest';
+import type { StageSecrets } from '../../secrets/types';
+import {
+	encryptSecretsForApp,
+	filterSecretsForApp,
+	generateSecretsReport,
+	prepareSecretsForAllApps,
+	prepareSecretsForApp,
+} from '../secrets';
+import type { SniffedEnvironment } from '../sniffer';
+
+describe('filterSecretsForApp', () => {
+	const createStageSecrets = (
+		custom: Record<string, string> = {},
+	): StageSecrets => ({
+		stage: 'production',
+		createdAt: '2024-01-01T00:00:00Z',
+		updatedAt: '2024-01-01T00:00:00Z',
+		services: {},
+		urls: {
+			DATABASE_URL: 'postgresql://localhost:5432/db',
+			REDIS_URL: 'redis://localhost:6379',
+		},
+		custom,
+	});
+
+	it('should filter secrets to only required env vars', () => {
+		const secrets = createStageSecrets({ API_KEY: 'secret123' });
+		const sniffed: SniffedEnvironment = {
+			appName: 'api',
+			requiredEnvVars: ['DATABASE_URL', 'API_KEY'],
+		};
+
+		const result = filterSecretsForApp(secrets, sniffed);
+
+		expect(result.appName).toBe('api');
+		expect(result.secrets).toEqual({
+			DATABASE_URL: 'postgresql://localhost:5432/db',
+			API_KEY: 'secret123',
+		});
+		expect(result.found).toEqual(['API_KEY', 'DATABASE_URL']);
+		expect(result.missing).toEqual([]);
+	});
+
+	it('should track missing secrets', () => {
+		const secrets = createStageSecrets();
+		const sniffed: SniffedEnvironment = {
+			appName: 'api',
+			requiredEnvVars: ['DATABASE_URL', 'STRIPE_KEY', 'JWT_SECRET'],
+		};
+
+		const result = filterSecretsForApp(secrets, sniffed);
+
+		expect(result.found).toEqual(['DATABASE_URL']);
+		expect(result.missing).toEqual(['JWT_SECRET', 'STRIPE_KEY']);
+	});
+
+	it('should return empty secrets when no env vars required', () => {
+		const secrets = createStageSecrets({ API_KEY: 'secret' });
+		const sniffed: SniffedEnvironment = {
+			appName: 'web',
+			requiredEnvVars: [],
+		};
+
+		const result = filterSecretsForApp(secrets, sniffed);
+
+		expect(result.secrets).toEqual({});
+		expect(result.found).toEqual([]);
+		expect(result.missing).toEqual([]);
+	});
+
+	it('should include service credentials when referenced', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: '2024-01-01T00:00:00Z',
+			updatedAt: '2024-01-01T00:00:00Z',
+			services: {
+				postgres: {
+					host: 'localhost',
+					port: 5432,
+					username: 'user',
+					password: 'pass',
+					database: 'mydb',
+				},
+			},
+			urls: { DATABASE_URL: 'postgresql://user:pass@localhost:5432/mydb' },
+			custom: {},
+		};
+		const sniffed: SniffedEnvironment = {
+			appName: 'api',
+			requiredEnvVars: ['DATABASE_URL', 'POSTGRES_PASSWORD'],
+		};
+
+		const result = filterSecretsForApp(secrets, sniffed);
+
+		expect(result.secrets.DATABASE_URL).toBe(
+			'postgresql://user:pass@localhost:5432/mydb',
+		);
+		expect(result.secrets.POSTGRES_PASSWORD).toBe('pass');
+		expect(result.found).toContain('DATABASE_URL');
+		expect(result.found).toContain('POSTGRES_PASSWORD');
+	});
+});
+
+describe('encryptSecretsForApp', () => {
+	it('should encrypt filtered secrets and return master key', () => {
+		const filtered = {
+			appName: 'api',
+			secrets: { DATABASE_URL: 'postgresql://localhost:5432/db' },
+			found: ['DATABASE_URL'],
+			missing: [],
+		};
+
+		const result = encryptSecretsForApp(filtered);
+
+		expect(result.appName).toBe('api');
+		expect(result.masterKey).toHaveLength(64); // 32 bytes hex
+		expect(result.payload.encrypted).toBeTruthy();
+		expect(result.payload.iv).toBeTruthy();
+		expect(result.secretCount).toBe(1);
+		expect(result.missingSecrets).toEqual([]);
+	});
+
+	it('should track missing secrets in result', () => {
+		const filtered = {
+			appName: 'api',
+			secrets: { DATABASE_URL: 'postgresql://localhost:5432/db' },
+			found: ['DATABASE_URL'],
+			missing: ['STRIPE_KEY', 'JWT_SECRET'],
+		};
+
+		const result = encryptSecretsForApp(filtered);
+
+		expect(result.missingSecrets).toEqual(['STRIPE_KEY', 'JWT_SECRET']);
+	});
+
+	it('should handle empty secrets', () => {
+		const filtered = {
+			appName: 'web',
+			secrets: {},
+			found: [],
+			missing: [],
+		};
+
+		const result = encryptSecretsForApp(filtered);
+
+		expect(result.secretCount).toBe(0);
+		expect(result.masterKey).toHaveLength(64);
+	});
+});
+
+describe('prepareSecretsForApp', () => {
+	it('should filter and encrypt in one step', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: '2024-01-01T00:00:00Z',
+			updatedAt: '2024-01-01T00:00:00Z',
+			services: {},
+			urls: { DATABASE_URL: 'postgresql://localhost:5432/db' },
+			custom: { API_KEY: 'key123' },
+		};
+		const sniffed: SniffedEnvironment = {
+			appName: 'api',
+			requiredEnvVars: ['DATABASE_URL', 'API_KEY'],
+		};
+
+		const result = prepareSecretsForApp(secrets, sniffed);
+
+		expect(result.appName).toBe('api');
+		expect(result.secretCount).toBe(2);
+		expect(result.masterKey).toHaveLength(64);
+	});
+});
+
+describe('prepareSecretsForAllApps', () => {
+	const secrets: StageSecrets = {
+		stage: 'production',
+		createdAt: '2024-01-01T00:00:00Z',
+		updatedAt: '2024-01-01T00:00:00Z',
+		services: {},
+		urls: {
+			DATABASE_URL: 'postgresql://localhost:5432/db',
+			REDIS_URL: 'redis://localhost:6379',
+		},
+		custom: { BETTER_AUTH_SECRET: 'auth-secret' },
+	};
+
+	it('should prepare secrets for multiple apps', () => {
+		const sniffedApps = new Map<string, SniffedEnvironment>([
+			['api', { appName: 'api', requiredEnvVars: ['DATABASE_URL', 'REDIS_URL'] }],
+			[
+				'auth',
+				{
+					appName: 'auth',
+					requiredEnvVars: ['DATABASE_URL', 'BETTER_AUTH_SECRET'],
+				},
+			],
+		]);
+
+		const results = prepareSecretsForAllApps(secrets, sniffedApps);
+
+		expect(results.size).toBe(2);
+		expect(results.get('api')?.secretCount).toBe(2);
+		expect(results.get('auth')?.secretCount).toBe(2);
+	});
+
+	it('should skip apps with no required env vars', () => {
+		const sniffedApps = new Map<string, SniffedEnvironment>([
+			['api', { appName: 'api', requiredEnvVars: ['DATABASE_URL'] }],
+			['web', { appName: 'web', requiredEnvVars: [] }], // Frontend - no secrets
+		]);
+
+		const results = prepareSecretsForAllApps(secrets, sniffedApps);
+
+		expect(results.size).toBe(1);
+		expect(results.has('api')).toBe(true);
+		expect(results.has('web')).toBe(false);
+	});
+
+	it('should generate unique master keys per app', () => {
+		const sniffedApps = new Map<string, SniffedEnvironment>([
+			['api', { appName: 'api', requiredEnvVars: ['DATABASE_URL'] }],
+			['auth', { appName: 'auth', requiredEnvVars: ['DATABASE_URL'] }],
+		]);
+
+		const results = prepareSecretsForAllApps(secrets, sniffedApps);
+
+		const apiKey = results.get('api')?.masterKey;
+		const authKey = results.get('auth')?.masterKey;
+
+		expect(apiKey).not.toBe(authKey);
+	});
+});
+
+describe('generateSecretsReport', () => {
+	it('should generate report for apps with and without secrets', () => {
+		const sniffedApps = new Map<string, SniffedEnvironment>([
+			['api', { appName: 'api', requiredEnvVars: ['DATABASE_URL'] }],
+			['auth', { appName: 'auth', requiredEnvVars: ['DATABASE_URL'] }],
+			['web', { appName: 'web', requiredEnvVars: [] }],
+		]);
+
+		const encryptedApps = new Map([
+			[
+				'api',
+				{
+					appName: 'api',
+					payload: { encrypted: '', iv: '', masterKey: '' },
+					masterKey: 'key1',
+					secretCount: 1,
+					missingSecrets: [],
+				},
+			],
+			[
+				'auth',
+				{
+					appName: 'auth',
+					payload: { encrypted: '', iv: '', masterKey: '' },
+					masterKey: 'key2',
+					secretCount: 1,
+					missingSecrets: ['MISSING_VAR'],
+				},
+			],
+		]);
+
+		const report = generateSecretsReport(encryptedApps, sniffedApps);
+
+		expect(report.totalApps).toBe(3);
+		expect(report.appsWithSecrets).toEqual(['api', 'auth']);
+		expect(report.appsWithoutSecrets).toEqual(['web']);
+		expect(report.appsWithMissingSecrets).toEqual([
+			{ appName: 'auth', missing: ['MISSING_VAR'] },
+		]);
+	});
+
+	it('should handle all apps having secrets', () => {
+		const sniffedApps = new Map<string, SniffedEnvironment>([
+			['api', { appName: 'api', requiredEnvVars: ['DATABASE_URL'] }],
+		]);
+
+		const encryptedApps = new Map([
+			[
+				'api',
+				{
+					appName: 'api',
+					payload: { encrypted: '', iv: '', masterKey: '' },
+					masterKey: 'key1',
+					secretCount: 1,
+					missingSecrets: [],
+				},
+			],
+		]);
+
+		const report = generateSecretsReport(encryptedApps, sniffedApps);
+
+		expect(report.appsWithSecrets).toEqual(['api']);
+		expect(report.appsWithoutSecrets).toEqual([]);
+		expect(report.appsWithMissingSecrets).toEqual([]);
+	});
+});

package/src/deploy/__tests__/sniffer.spec.ts

@@ -0,0 +1,221 @@
+import { describe, expect, it } from 'vitest';
+import type { NormalizedAppConfig } from '../../workspace/types';
+import { sniffAllApps, sniffAppEnvironment, type SniffResult } from '../sniffer';
+
+describe('sniffAppEnvironment', () => {
+	const workspacePath = '/test/workspace';
+
+	const createApp = (
+		overrides: Partial<NormalizedAppConfig> = {},
+	): NormalizedAppConfig => ({
+		type: 'backend',
+		path: 'apps/api',
+		port: 3000,
+		dependencies: [],
+		resolvedDeployTarget: 'dokploy',
+		...overrides,
+	});
+
+	describe('frontend apps', () => {
+		it('should return empty env vars for frontend apps', async () => {
+			const app = createApp({ type: 'frontend' });
+
+			const result = await sniffAppEnvironment(app, 'web', workspacePath);
+
+			expect(result.appName).toBe('web');
+			expect(result.requiredEnvVars).toEqual([]);
+		});
+
+		it('should ignore requiredEnv for frontend apps', async () => {
+			const app = createApp({
+				type: 'frontend',
+				requiredEnv: ['API_KEY', 'SECRET'], // Should be ignored
+			});
+
+			const result = await sniffAppEnvironment(app, 'web', workspacePath);
+
+			expect(result.requiredEnvVars).toEqual([]);
+		});
+	});
+
+	describe('entry-based apps with requiredEnv', () => {
+		it('should return requiredEnv list for entry-based apps', async () => {
+			const app = createApp({
+				entry: './src/index.ts',
+				requiredEnv: ['DATABASE_URL', 'BETTER_AUTH_SECRET'],
+			});
+
+			const result = await sniffAppEnvironment(app, 'auth', workspacePath);
+
+			expect(result.appName).toBe('auth');
+			expect(result.requiredEnvVars).toEqual([
+				'DATABASE_URL',
+				'BETTER_AUTH_SECRET',
+			]);
+		});
+
+		it('should return copy of requiredEnv (not reference)', async () => {
+			const requiredEnv = ['DATABASE_URL'];
+			const app = createApp({ requiredEnv });
+
+			const result = await sniffAppEnvironment(app, 'api', workspacePath);
+
+			// Modify the result and verify original is unchanged
+			result.requiredEnvVars.push('MODIFIED');
+			expect(requiredEnv).toEqual(['DATABASE_URL']);
+		});
+
+		it('should return empty when requiredEnv is empty array', async () => {
+			const app = createApp({ requiredEnv: [] });
+
+			const result = await sniffAppEnvironment(app, 'api', workspacePath);
+
+			expect(result.requiredEnvVars).toEqual([]);
+		});
+	});
+
+	describe('apps with envParser', () => {
+		it('should return empty when envParser module cannot be loaded', async () => {
+			const app = createApp({
+				envParser: './src/nonexistent/env#parser',
+			});
+
+			// This will fail to load the module and return empty
+			// Suppress warnings for this test
+			const result = await sniffAppEnvironment(app, 'api', workspacePath, {
+				logWarnings: false,
+			});
+
+			expect(result.requiredEnvVars).toEqual([]);
+		});
+
+		it('should gracefully handle errors without failing the build', async () => {
+			const app = createApp({
+				envParser: './src/invalid/path#nonexistent',
+			});
+
+			// Should not throw, just return empty
+			const result = await sniffAppEnvironment(app, 'api', workspacePath, {
+				logWarnings: false,
+			});
+
+			expect(result.appName).toBe('api');
+			expect(result.requiredEnvVars).toEqual([]);
+		});
+	});
+
+	describe('apps without env detection', () => {
+		it('should return empty when no envParser or requiredEnv', async () => {
+			const app = createApp({
+				// No envParser or requiredEnv
+			});
+
+			const result = await sniffAppEnvironment(app, 'api', workspacePath);
+
+			expect(result.requiredEnvVars).toEqual([]);
+		});
+	});
+});
+
+describe('sniffAllApps', () => {
+	const workspacePath = '/test/workspace';
+
+	it('should sniff all apps in workspace', async () => {
+		const apps: Record<string, NormalizedAppConfig> = {
+			api: {
+				type: 'backend',
+				path: 'apps/api',
+				port: 3000,
+				dependencies: [],
+				resolvedDeployTarget: 'dokploy',
+				requiredEnv: ['DATABASE_URL', 'REDIS_URL'],
+			},
+			auth: {
+				type: 'backend',
+				path: 'apps/auth',
+				port: 3002,
+				dependencies: [],
+				resolvedDeployTarget: 'dokploy',
+				requiredEnv: ['DATABASE_URL', 'BETTER_AUTH_SECRET'],
+			},
+			web: {
+				type: 'frontend',
+				path: 'apps/web',
+				port: 3001,
+				dependencies: ['api', 'auth'],
+				resolvedDeployTarget: 'dokploy',
+			},
+		};
+
+		const results = await sniffAllApps(apps, workspacePath);
+
+		expect(results.size).toBe(3);
+
+		expect(results.get('api')).toEqual({
+			appName: 'api',
+			requiredEnvVars: ['DATABASE_URL', 'REDIS_URL'],
+		});
+
+		expect(results.get('auth')).toEqual({
+			appName: 'auth',
+			requiredEnvVars: ['DATABASE_URL', 'BETTER_AUTH_SECRET'],
+		});
+
+		expect(results.get('web')).toEqual({
+			appName: 'web',
+			requiredEnvVars: [], // Frontend - no secrets
+		});
+	});
+
+	it('should handle empty apps record', async () => {
+		const apps: Record<string, NormalizedAppConfig> = {};
+
+		const results = await sniffAllApps(apps, workspacePath);
+
+		expect(results.size).toBe(0);
+	});
+
+	it('should pass options to individual app sniffing', async () => {
+		const apps: Record<string, NormalizedAppConfig> = {
+			api: {
+				type: 'backend',
+				path: 'apps/api',
+				port: 3000,
+				dependencies: [],
+				resolvedDeployTarget: 'dokploy',
+				envParser: './src/nonexistent/env#parser', // Will fail but shouldn't log
+			},
+		};
+
+		// Should not throw, and suppress warnings
+		const results = await sniffAllApps(apps, workspacePath, {
+			logWarnings: false,
+		});
+
+		expect(results.size).toBe(1);
+		expect(results.get('api')?.requiredEnvVars).toEqual([]);
+	});
+});
+
+describe('fire-and-forget handling', () => {
+	it('captures environment variables even when envParser throws', async () => {
+		// The sniffer should capture env vars that were accessed before an error
+		// This is the "fire and forget" pattern - errors don't stop env detection
+		const app: NormalizedAppConfig = {
+			type: 'backend',
+			path: 'apps/api',
+			port: 3000,
+			dependencies: [],
+			resolvedDeployTarget: 'dokploy',
+			envParser: './src/invalid#missing',
+		};
+
+		const result = await sniffAppEnvironment(app, 'api', '/test/workspace', {
+			logWarnings: false,
+		});
+
+		// Should return gracefully without throwing
+		expect(result.appName).toBe('api');
+		expect(Array.isArray(result.requiredEnvVars)).toBe(true);
+	});
+});

package/src/deploy/docker.ts

@@ -76,6 +76,16 @@ export interface DockerDeployOptions {
 	masterKey?: string;
 	/** Docker config from gkm.config */
 	config: DockerDeployConfig;
+	/**
+	 * Build arguments to pass to docker build.
+	 * Format: ['KEY=value', 'KEY2=value2']
+	 */
+	buildArgs?: string[];
+	/**
+	 * Public URL argument names for frontend Dockerfile generation.
+	 * Used to ensure the Dockerfile declares these as ARG/ENV.
+	 */
+	publicUrlArgs?: string[];
 }
 
 /**
@@ -96,8 +106,13 @@ export function getImageRef(
  * Build Docker image
  * @param imageRef - Full image reference (registry/name:tag)
  * @param appName - Name of the app (used for Dockerfile.{appName} in workspaces)
+ * @param buildArgs - Build arguments to pass to docker build
  */
-async function buildImage(imageRef: string, appName?: string): Promise<void> {
+async function buildImage(
+	imageRef: string,
+	appName?: string,
+	buildArgs?: string[],
+): Promise<void> {
 	logger.log(`\n🔨 Building Docker image: ${imageRef}`);
 
 	const cwd = process.cwd();
@@ -125,16 +140,30 @@ async function buildImage(imageRef: string, appName?: string): Promise<void> {
 		logger.log(`   Building from workspace root: ${buildCwd}`);
 	}
 
+	// Build the build args string
+	const buildArgsString =
+		buildArgs && buildArgs.length > 0
+			? buildArgs.map((arg) => `--build-arg "${arg}"`).join(' ')
+			: '';
+
 	try {
 		// Build for linux/amd64 to ensure compatibility with most cloud servers
-		execSync(
-			`DOCKER_BUILDKIT=1 docker build --platform linux/amd64 -f ${dockerfilePath} -t ${imageRef} .`,
-			{
-				cwd: buildCwd,
-				stdio: 'inherit',
-				env: { ...process.env, DOCKER_BUILDKIT: '1' },
-			},
-		);
+		const cmd = [
+			'DOCKER_BUILDKIT=1 docker build',
+			'--platform linux/amd64',
+			`-f ${dockerfilePath}`,
+			`-t ${imageRef}`,
+			buildArgsString,
+			'.',
+		]
+			.filter(Boolean)
+			.join(' ');
+
+		execSync(cmd, {
+			cwd: buildCwd,
+			stdio: 'inherit',
+			env: { ...process.env, DOCKER_BUILDKIT: '1' },
+		});
 		logger.log(`✅ Image built: ${imageRef}`);
 	} catch (error) {
 		throw new Error(
@@ -168,14 +197,14 @@ async function pushImage(imageRef: string): Promise<void> {
 export async function deployDocker(
 	options: DockerDeployOptions,
 ): Promise<DeployResult> {
-	const { stage, tag, skipPush, masterKey, config } = options;
+	const { stage, tag, skipPush, masterKey, config, buildArgs } = options;
 
 	// imageName should always be set by resolveDockerConfig
 	const imageName = config.imageName!;
 	const imageRef = getImageRef(config.registry, imageName, tag);
 
 	// Build image (pass appName for workspace Dockerfile selection)
-	await buildImage(imageRef, config.appName);
+	await buildImage(imageRef, config.appName, buildArgs);
 
 	// Push to registry if not skipped
 	if (!skipPush) {