@geekmidas/cli 0.48.0 → 0.49.0

package/src/deploy/dns/hostinger-api.ts

@@ -185,7 +185,10 @@ export class HostingerApi {
 	 * @param records - Records to validate
 	 * @returns true if valid, throws if invalid
 	 */
-	async validateRecords(domain: string, records: DnsRecord[]): Promise<boolean> {
+	async validateRecords(
+		domain: string,
+		records: DnsRecord[],
+	): Promise<boolean> {
 		await this.request('POST', `/api/dns/v1/zones/${domain}/validate`, {
 			overwrite: false,
 			zone: records,

package/src/deploy/dns/index.ts

@@ -7,6 +7,11 @@
 import { lookup } from 'node:dns/promises';
 import { getHostingerToken, storeHostingerToken } from '../../auth/credentials';
 import type { DnsConfig } from '../../workspace/types';
+import {
+	type DokployStageState,
+	isDnsVerified,
+	setDnsVerification,
+} from '../state';
 import { HostingerApi } from './hostinger-api';
 
 const logger = console;
@@ -105,7 +110,7 @@ export function printDnsRecordsTable(
 	records: RequiredDnsRecord[],
 	rootDomain: string,
 ): void {
-	logger.log('\n   📋 DNS Records for ' + rootDomain + ':');
+	logger.log(`\n   📋 DNS Records for ${rootDomain}:`);
 	logger.log(
 		'   ┌─────────────────────────────────────┬──────┬─────────────────┬────────┐',
 	);
@@ -396,3 +401,110 @@ export async function orchestrateDns(
 		serverIp,
 	};
 }
+
+/**
+ * Result of DNS verification for a single hostname
+ */
+export interface DnsVerificationResult {
+	hostname: string;
+	appName: string;
+	verified: boolean;
+	resolvedIp?: string;
+	expectedIp: string;
+	error?: string;
+	skipped?: boolean; // True if already verified in state
+}
+
+/**
+ * Verify DNS records resolve correctly after deployment.
+ *
+ * This function:
+ * 1. Checks state for previously verified hostnames (skips if already verified with same IP)
+ * 2. Attempts to resolve each hostname to an IP
+ * 3. Compares resolved IP with expected server IP
+ * 4. Updates state with verification results
+ *
+ * @param appHostnames - Map of app names to hostnames
+ * @param serverIp - Expected IP address the hostnames should resolve to
+ * @param state - Deploy state for caching verification results
+ * @returns Array of verification results
+ */
+export async function verifyDnsRecords(
+	appHostnames: Map<string, string>,
+	serverIp: string,
+	state: DokployStageState,
+): Promise<DnsVerificationResult[]> {
+	const results: DnsVerificationResult[] = [];
+
+	logger.log('\n🔍 Verifying DNS records...');
+
+	for (const [appName, hostname] of appHostnames) {
+		// Check if already verified with same IP
+		if (isDnsVerified(state, hostname, serverIp)) {
+			logger.log(`   ✓ ${hostname} (previously verified)`);
+			results.push({
+				hostname,
+				appName,
+				verified: true,
+				expectedIp: serverIp,
+				skipped: true,
+			});
+			continue;
+		}
+
+		// Attempt to resolve hostname
+		try {
+			const resolvedIp = await resolveHostnameToIp(hostname);
+
+			if (resolvedIp === serverIp) {
+				// DNS verified successfully
+				setDnsVerification(state, hostname, serverIp);
+				logger.log(`   ✓ ${hostname} → ${resolvedIp}`);
+				results.push({
+					hostname,
+					appName,
+					verified: true,
+					resolvedIp,
+					expectedIp: serverIp,
+				});
+			} else {
+				// DNS resolves but to wrong IP
+				logger.log(
+					`   ⚠ ${hostname} resolves to ${resolvedIp}, expected ${serverIp}`,
+				);
+				results.push({
+					hostname,
+					appName,
+					verified: false,
+					resolvedIp,
+					expectedIp: serverIp,
+				});
+			}
+		} catch (error) {
+			// DNS resolution failed
+			const message = error instanceof Error ? error.message : 'Unknown error';
+			logger.log(`   ⚠ ${hostname} DNS not propagated (${message})`);
+			results.push({
+				hostname,
+				appName,
+				verified: false,
+				expectedIp: serverIp,
+				error: message,
+			});
+		}
+	}
+
+	// Summary
+	const verified = results.filter((r) => r.verified).length;
+	const skipped = results.filter((r) => r.skipped).length;
+	const pending = results.filter((r) => !r.verified).length;
+
+	if (pending > 0) {
+		logger.log(`\n   ${verified} verified, ${pending} pending propagation`);
+		logger.log('   DNS changes may take 5-30 minutes to propagate');
+	} else if (skipped > 0) {
+		logger.log(`   ${verified} verified (${skipped} from cache)`);
+	}
+
+	return results;
+}

package/src/deploy/docker.ts

@@ -134,8 +134,7 @@ async function buildImage(
 	const dockerfilePath = `.gkm/docker/Dockerfile${dockerfileSuffix}`;
 
 	// Build from workspace/monorepo root when we have a lockfile elsewhere or appName is provided
-	const buildCwd =
-		lockfilePath && (inMonorepo || appName) ? lockfileDir : cwd;
+	const buildCwd = lockfilePath && (inMonorepo || appName) ? lockfileDir : cwd;
 	if (buildCwd !== cwd) {
 		logger.log(`   Building from workspace root: ${buildCwd}`);
 	}

package/src/deploy/dokploy-api.ts

@@ -431,10 +431,10 @@ export class DokployApi {
 			environmentId,
 			appName:
 				options?.appName ?? name.toLowerCase().replace(/[^a-z0-9-]/g, '-'),
-			databaseName: options?.databaseName ?? 'app',
+			databaseName: options?.databaseName,
 			databaseUser: options?.databaseUser ?? 'postgres',
 			databasePassword: options?.databasePassword,
-			dockerImage: options?.dockerImage ?? 'postgres:16-alpine',
+			dockerImage: options?.dockerImage ?? 'postgres:18',
 			description: options?.description ?? `Postgres database for ${name}`,
 		});
 	}
@@ -447,6 +447,7 @@ export class DokployApi {
 		projectId: string,
 		environmentId: string,
 		options?: {
+			databaseName?: string;
 			databasePassword?: string;
 		},
 	): Promise<{ postgres: DokployPostgres; created: boolean }> {
@@ -513,9 +514,7 @@ export class DokployApi {
 	 */
 	async listRedis(projectId: string): Promise<DokployRedis[]> {
 		try {
-			return await this.get<DokployRedis[]>(
-				`redis.all?projectId=${projectId}`,
-			);
+			return await this.get<DokployRedis[]>(`redis.all?projectId=${projectId}`);
 		} catch {
 			// Fallback: endpoint might not exist in older Dokploy versions
 			return [];
@@ -557,7 +556,7 @@ export class DokployApi {
 			appName:
 				options?.appName ?? name.toLowerCase().replace(/[^a-z0-9-]/g, '-'),
 			databasePassword: options?.databasePassword,
-			dockerImage: options?.dockerImage ?? 'redis:7-alpine',
+			dockerImage: options?.dockerImage ?? 'redis:8',
 			description: options?.description ?? `Redis instance for ${name}`,
 		});
 	}
@@ -577,7 +576,12 @@ export class DokployApi {
 		if (existing) {
 			return { redis: existing, created: false };
 		}
-		const redis = await this.createRedis(name, projectId, environmentId, options);
+		const redis = await this.createRedis(
+			name,
+			projectId,
+			environmentId,
+			options,
+		);
 		return { redis, created: true };
 	}
 
@@ -679,8 +683,13 @@ export class DokployApi {
 	 *
 	 * @param domain - The domain hostname to validate (e.g., 'api.example.com')
 	 */
-	async validateDomain(domain: string): Promise<{ isValid: boolean; resolvedIp: string }> {
-		return this.post<{ isValid: boolean; resolvedIp: string }>('domain.validateDomain', { domain });
+	async validateDomain(
+		domain: string,
+	): Promise<{ isValid: boolean; resolvedIp: string }> {
+		return this.post<{ isValid: boolean; resolvedIp: string }>(
+			'domain.validateDomain',
+			{ domain },
+		);
 	}
 
 	/**

package/src/deploy/domain.ts

@@ -1,4 +1,7 @@
-import type { DokployWorkspaceConfig, NormalizedAppConfig } from '../workspace/types.js';
+import type {
+	DokployWorkspaceConfig,
+	NormalizedAppConfig,
+} from '../workspace/types.js';
 
 /**
  * Resolve the hostname for an app based on stage configuration.
@@ -119,7 +122,5 @@ export function generatePublicUrlBuildArgs(
  * @returns Array of arg names like 'NEXT_PUBLIC_API_URL'
  */
 export function getPublicUrlArgNames(app: NormalizedAppConfig): string[] {
-	return app.dependencies.map(
-		(dep) => `NEXT_PUBLIC_${dep.toUpperCase()}_URL`,
-	);
+	return app.dependencies.map((dep) => `NEXT_PUBLIC_${dep.toUpperCase()}_URL`);
 }

package/src/deploy/env-resolver.ts

@@ -0,0 +1,278 @@
+/**
+ * Environment Variable Resolution for Dokploy Deployments
+ *
+ * Resolves sniffed environment variables to actual values during deployment.
+ * Auto-supports common variables like DATABASE_URL, REDIS_URL, BETTER_AUTH_*,
+ * and falls back to user-provided secrets.
+ */
+
+import { randomBytes } from 'node:crypto';
+import type { StageSecrets } from '../secrets/types';
+import type { NormalizedAppConfig } from '../workspace/types';
+import {
+	getGeneratedSecret,
+	setGeneratedSecret,
+	type AppDbCredentials,
+	type DokployStageState,
+} from './state';
+
+/**
+ * Context needed for environment variable resolution
+ */
+export interface EnvResolverContext {
+	/** The app being deployed */
+	app: NormalizedAppConfig;
+	/** The app name */
+	appName: string;
+	/** Deployment stage (production, staging, development) */
+	stage: string;
+	/** Deploy state (for persisting generated secrets) */
+	state: DokployStageState;
+	/** Per-app database credentials (if postgres is enabled) */
+	appCredentials?: AppDbCredentials;
+	/** Postgres connection info (internal hostname) */
+	postgres?: {
+		host: string;
+		port: number;
+		database: string;
+	};
+	/** Redis connection info (internal hostname) */
+	redis?: {
+		host: string;
+		port: number;
+		password?: string;
+	};
+	/** Public hostname for this app */
+	appHostname: string;
+	/** All frontend app URLs (for BETTER_AUTH_TRUSTED_ORIGINS) */
+	frontendUrls: string[];
+	/** User-provided secrets from secrets store */
+	userSecrets?: StageSecrets;
+	/** Master key for runtime decryption (optional) */
+	masterKey?: string;
+}
+
+/**
+ * Result of environment variable resolution
+ */
+export interface EnvResolutionResult {
+	/** Successfully resolved environment variables */
+	resolved: Record<string, string>;
+	/** Environment variable names that could not be resolved */
+	missing: string[];
+}
+
+/**
+ * Auto-supported environment variable names
+ */
+export const AUTO_SUPPORTED_VARS = [
+	'PORT',
+	'NODE_ENV',
+	'DATABASE_URL',
+	'REDIS_URL',
+	'BETTER_AUTH_URL',
+	'BETTER_AUTH_SECRET',
+	'BETTER_AUTH_TRUSTED_ORIGINS',
+	'GKM_MASTER_KEY',
+] as const;
+
+export type AutoSupportedVar = (typeof AUTO_SUPPORTED_VARS)[number];
+
+/**
+ * Check if a variable name is auto-supported
+ */
+export function isAutoSupportedVar(varName: string): varName is AutoSupportedVar {
+	return AUTO_SUPPORTED_VARS.includes(varName as AutoSupportedVar);
+}
+
+/**
+ * Generate a secure random secret (64 hex characters = 32 bytes)
+ */
+export function generateSecret(): string {
+	return randomBytes(32).toString('hex');
+}
+
+/**
+ * Get or generate a secret for an app.
+ * If the secret already exists in state, returns it.
+ * Otherwise generates a new one and stores it.
+ */
+export function getOrGenerateSecret(
+	state: DokployStageState,
+	appName: string,
+	secretName: string,
+): string {
+	// Check if already generated
+	const existing = getGeneratedSecret(state, appName, secretName);
+	if (existing) {
+		return existing;
+	}
+
+	// Generate new secret
+	const generated = generateSecret();
+
+	// Store in state for persistence
+	setGeneratedSecret(state, appName, secretName, generated);
+
+	return generated;
+}
+
+/**
+ * Build a DATABASE_URL for an app with per-app credentials
+ */
+export function buildDatabaseUrl(
+	credentials: AppDbCredentials,
+	postgres: { host: string; port: number; database: string },
+): string {
+	const { dbUser, dbPassword } = credentials;
+	const { host, port, database } = postgres;
+	return `postgresql://${encodeURIComponent(dbUser)}:${encodeURIComponent(dbPassword)}@${host}:${port}/${database}`;
+}
+
+/**
+ * Build a REDIS_URL
+ */
+export function buildRedisUrl(redis: {
+	host: string;
+	port: number;
+	password?: string;
+}): string {
+	const { host, port, password } = redis;
+	if (password) {
+		return `redis://:${encodeURIComponent(password)}@${host}:${port}`;
+	}
+	return `redis://${host}:${port}`;
+}
+
+/**
+ * Resolve a single environment variable
+ */
+export function resolveEnvVar(
+	varName: string,
+	context: EnvResolverContext,
+): string | undefined {
+	// Auto-supported variables
+	switch (varName) {
+		case 'PORT':
+			return String(context.app.port);
+
+		case 'NODE_ENV':
+			return context.stage === 'production' ? 'production' : 'development';
+
+		case 'DATABASE_URL':
+			if (context.appCredentials && context.postgres) {
+				return buildDatabaseUrl(context.appCredentials, context.postgres);
+			}
+			// Fall through to check user secrets
+			break;
+
+		case 'REDIS_URL':
+			if (context.redis) {
+				return buildRedisUrl(context.redis);
+			}
+			// Fall through to check user secrets
+			break;
+
+		case 'BETTER_AUTH_URL':
+			return `https://${context.appHostname}`;
+
+		case 'BETTER_AUTH_SECRET':
+			return getOrGenerateSecret(
+				context.state,
+				context.appName,
+				'BETTER_AUTH_SECRET',
+			);
+
+		case 'BETTER_AUTH_TRUSTED_ORIGINS':
+			if (context.frontendUrls.length > 0) {
+				return context.frontendUrls.join(',');
+			}
+			// Fall through to check user secrets
+			break;
+
+		case 'GKM_MASTER_KEY':
+			if (context.masterKey) {
+				return context.masterKey;
+			}
+			// Fall through to check user secrets
+			break;
+	}
+
+	// Check user-provided secrets
+	if (context.userSecrets) {
+		// Check custom secrets first
+		if (context.userSecrets.custom[varName]) {
+			return context.userSecrets.custom[varName];
+		}
+
+		// Check URLs (DATABASE_URL, REDIS_URL, RABBITMQ_URL)
+		if (varName in context.userSecrets.urls) {
+			return context.userSecrets.urls[varName as keyof typeof context.userSecrets.urls];
+		}
+
+		// Check service-specific vars
+		if (varName === 'POSTGRES_PASSWORD' && context.userSecrets.services.postgres) {
+			return context.userSecrets.services.postgres.password;
+		}
+		if (varName === 'REDIS_PASSWORD' && context.userSecrets.services.redis) {
+			return context.userSecrets.services.redis.password;
+		}
+	}
+
+	return undefined;
+}
+
+/**
+ * Resolve all environment variables for an app
+ */
+export function resolveEnvVars(
+	requiredVars: string[],
+	context: EnvResolverContext,
+): EnvResolutionResult {
+	const resolved: Record<string, string> = {};
+	const missing: string[] = [];
+
+	for (const varName of requiredVars) {
+		const value = resolveEnvVar(varName, context);
+		if (value !== undefined) {
+			resolved[varName] = value;
+		} else {
+			missing.push(varName);
+		}
+	}
+
+	return { resolved, missing };
+}
+
+/**
+ * Format missing variables error message
+ */
+export function formatMissingVarsError(
+	appName: string,
+	missing: string[],
+	stage: string,
+): string {
+	const varList = missing.map((v) => `  - ${v}`).join('\n');
+	return (
+		`Deployment failed: ${appName} is missing required environment variables:\n` +
+		`${varList}\n\n` +
+		`Add them with:\n` +
+		`  gkm secrets:set <VAR_NAME> <value> --stage ${stage}\n\n` +
+		`Or add them to the app's requiredEnv in gkm.config.ts to have them auto-resolved.`
+	);
+}
+
+/**
+ * Validate that all required environment variables can be resolved
+ */
+export function validateEnvVars(
+	requiredVars: string[],
+	context: EnvResolverContext,
+): { valid: boolean; missing: string[]; resolved: Record<string, string> } {
+	const { resolved, missing } = resolveEnvVars(requiredVars, context);
+	return {
+		valid: missing.length === 0,
+		missing,
+		resolved,
+	};
+}