@geekmidas/cli 0.48.0 → 0.50.0

package/src/deploy/secrets.ts

@@ -1,6 +1,10 @@
 import { encryptSecrets } from '../secrets/encryption.js';
 import { toEmbeddableSecrets } from '../secrets/storage.js';
-import type { EmbeddableSecrets, EncryptedPayload, StageSecrets } from '../secrets/types.js';
+import type {
+	EmbeddableSecrets,
+	EncryptedPayload,
+	StageSecrets,
+} from '../secrets/types.js';
 import type { SniffedEnvironment } from './sniffer.js';
 
 /**
@@ -152,7 +156,8 @@ export function generateSecretsReport(
 ): SecretsReport {
 	const appsWithSecrets: string[] = [];
 	const appsWithoutSecrets: string[] = [];
-	const appsWithMissingSecrets: Array<{ appName: string; missing: string[] }> = [];
+	const appsWithMissingSecrets: Array<{ appName: string; missing: string[] }> =
+		[];
 
 	for (const [appName, sniffedEnv] of sniffedApps) {
 		if (sniffedEnv.requiredEnvVars.length === 0) {

package/src/deploy/sniffer-envkit-patch.ts

@@ -0,0 +1,59 @@
+/**
+ * Patched @geekmidas/envkit module for entry app sniffing.
+ *
+ * This module re-exports the SnifferEnvironmentParser as EnvironmentParser,
+ * allowing entry apps to be imported while capturing their env var usage.
+ *
+ * The actual sniffer instance is stored in globalThis.__envSniffer
+ * so the worker script can retrieve the captured variables.
+ */
+
+import { SnifferEnvironmentParser } from '@geekmidas/envkit/sniffer';
+
+// Extend globalThis type for the sniffer instance
+declare global {
+	// eslint-disable-next-line no-var
+	var __envSniffer: SnifferEnvironmentParser | undefined;
+}
+
+// Create a shared sniffer instance that will be used by all imports
+// This is stored globally so the worker script can access it
+if (!globalThis.__envSniffer) {
+	globalThis.__envSniffer = new SnifferEnvironmentParser();
+}
+
+// Type for the config parser returned by create()
+interface ConfigParser<T> {
+	parse(): T;
+	safeParse(): { success: true; data: T } | { success: false; error: Error };
+}
+
+// Type for the env fetcher function
+type EnvFetcher = (name: string) => {
+	string(): { parse(): string; safeParse(): unknown };
+	number(): { parse(): number; safeParse(): unknown };
+	boolean(): { parse(): boolean; safeParse(): unknown };
+	optional(): EnvFetcher;
+	default(value: unknown): EnvFetcher;
+};
+
+/**
+ * Patched EnvironmentParser that uses the global sniffer instance.
+ *
+ * This class wraps the global sniffer to maintain API compatibility
+ * with the real EnvironmentParser. The constructor accepts an env
+ * parameter for API compatibility but ignores it since we're sniffing.
+ */
+class PatchedEnvironmentParser {
+	create<TReturn extends Record<string, unknown>>(
+		builder: (get: EnvFetcher) => TReturn,
+	): ConfigParser<TReturn> {
+		return globalThis.__envSniffer!.create(builder) as ConfigParser<TReturn>;
+	}
+}
+
+// Export the patched parser as EnvironmentParser
+export { PatchedEnvironmentParser as EnvironmentParser };
+
+// Re-export other envkit exports that entry apps might use
+export { SnifferEnvironmentParser } from '@geekmidas/envkit/sniffer';

package/src/deploy/sniffer-hooks.ts

@@ -0,0 +1,57 @@
+/**
+ * Module loader hooks for entry app sniffing.
+ *
+ * This module provides the resolve hook that intercepts '@geekmidas/envkit'
+ * imports and redirects them to the patched sniffer version.
+ *
+ * This file is registered via module.register() from sniffer-loader.ts.
+ */
+
+import { existsSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+// Resolve path to the patched envkit module
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+// Try .mjs first (production dist), then .ts (development)
+const mjsPath = join(__dirname, 'sniffer-envkit-patch.mjs');
+const tsPath = join(__dirname, 'sniffer-envkit-patch.ts');
+const patchedEnvkitPath = existsSync(mjsPath) ? mjsPath : tsPath;
+
+type ResolveContext = {
+	conditions: string[];
+	importAttributes: Record<string, string>;
+	parentURL?: string;
+};
+
+type ResolveResult = {
+	url: string;
+	shortCircuit?: boolean;
+	format?: string;
+};
+
+type NextResolve = (
+	specifier: string,
+	context: ResolveContext,
+) => Promise<ResolveResult>;
+
+/**
+ * Resolve hook - intercepts module resolution for @geekmidas/envkit
+ */
+export async function resolve(
+	specifier: string,
+	context: ResolveContext,
+	nextResolve: NextResolve,
+): Promise<ResolveResult> {
+	// Intercept @geekmidas/envkit imports
+	if (specifier === '@geekmidas/envkit') {
+		return {
+			url: `file://${patchedEnvkitPath}`,
+			shortCircuit: true,
+		};
+	}
+
+	return nextResolve(specifier, context);
+}

package/src/deploy/sniffer-loader.ts

@@ -0,0 +1,28 @@
+/**
+ * Node.js module loader registration for entry app sniffing.
+ *
+ * This module registers a custom loader hook that intercepts imports of
+ * '@geekmidas/envkit' and replaces the EnvironmentParser with
+ * SnifferEnvironmentParser, allowing us to capture which environment
+ * variables an entry app accesses.
+ *
+ * Usage:
+ *   node --import tsx --import ./sniffer-loader.mjs ./sniffer-worker.mjs /path/to/entry.ts
+ */
+
+import { existsSync } from 'node:fs';
+import { register } from 'node:module';
+import { dirname, join } from 'node:path';
+import { fileURLToPath, pathToFileURL } from 'node:url';
+
+// Resolve path to the loader hooks module
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+// Try .mjs first (production dist), then .ts (development)
+const mjsPath = join(__dirname, 'sniffer-hooks.mjs');
+const tsPath = join(__dirname, 'sniffer-hooks.ts');
+const hooksPath = existsSync(mjsPath) ? mjsPath : tsPath;
+
+// Register the loader hooks
+register(pathToFileURL(hooksPath).href, import.meta.url);

package/src/deploy/sniffer-worker.ts

@@ -0,0 +1,74 @@
+/**
+ * Subprocess worker for entry app sniffing.
+ *
+ * This script is executed in a subprocess with the sniffer-loader.ts
+ * registered, which intercepts @geekmidas/envkit imports.
+ *
+ * Usage:
+ *   node --import tsx --import ./sniffer-loader.ts ./sniffer-worker.ts /path/to/entry.ts
+ *
+ * Output (JSON to stdout):
+ *   { "envVars": ["PORT", "DATABASE_URL", ...], "error": null }
+ */
+
+import { pathToFileURL } from 'node:url';
+import type { SnifferEnvironmentParser } from '@geekmidas/envkit/sniffer';
+
+// Extend globalThis type for the sniffer instance
+declare global {
+	// eslint-disable-next-line no-var
+	var __envSniffer: SnifferEnvironmentParser | undefined;
+}
+
+// Get the entry file path from command line args
+const entryPath = process.argv[2] as string | undefined;
+
+if (!entryPath) {
+	console.log(
+		JSON.stringify({ envVars: [], error: 'No entry file path provided' }),
+	);
+	process.exit(1);
+}
+
+// entryPath is guaranteed to be defined after the check above
+const validEntryPath: string = entryPath;
+
+/**
+ * Main sniffing function
+ */
+async function sniff(): Promise<void> {
+	let error: string | null = null;
+
+	try {
+		// Import the entry file - this triggers:
+		// 1. Entry imports config module
+		// 2. Config module imports @geekmidas/envkit (intercepted by loader)
+		// 3. Config creates EnvironmentParser (actually SnifferEnvironmentParser)
+		// 4. Config calls .create() and .parse()
+		// 5. Sniffer captures all accessed env var names
+		const entryUrl = pathToFileURL(validEntryPath).href;
+		await import(entryUrl);
+	} catch (e) {
+		// Entry may fail due to missing env vars or other runtime issues.
+		// This is expected - we still capture the env vars that were accessed.
+		error = e instanceof Error ? e.message : String(e);
+	}
+
+	// Retrieve captured env vars from the global sniffer
+	const sniffer = globalThis.__envSniffer;
+	const envVars = sniffer ? sniffer.getEnvironmentVariables() : [];
+
+	// Output result as JSON
+	console.log(JSON.stringify({ envVars, error }));
+}
+
+// Handle unhandled rejections (fire-and-forget promises)
+process.on('unhandledRejection', () => {
+	// Silently ignore - we only care about env var capture
+});
+
+// Run the sniffer
+sniff().catch((e) => {
+	console.log(JSON.stringify({ envVars: [], error: e.message || String(e) }));
+	process.exit(1);
+});

package/src/deploy/sniffer.ts

@@ -1,8 +1,46 @@
-import { resolve } from 'node:path';
-import { pathToFileURL } from 'node:url';
+import { existsSync } from 'node:fs';
+import { spawn } from 'node:child_process';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath, pathToFileURL } from 'node:url';
 import type { SniffResult } from '@geekmidas/envkit/sniffer';
 import type { NormalizedAppConfig } from '../workspace/types.js';
 
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+
+/**
+ * Resolve the path to a sniffer helper file.
+ * Handles both dev (.ts with tsx) and production (.mjs from dist).
+ *
+ * In production: sniffer.ts is bundled into dist/index.mjs, but sniffer helper
+ * files are output to dist/deploy/ as standalone modules for subprocess loading.
+ *
+ * In development: All files are in src/deploy/ and loaded via tsx.
+ */
+function resolveSnifferFile(baseName: string): string {
+	// Try deploy/ subdirectory first (production: bundled code is at dist/index.mjs,
+	// but sniffer files are at dist/deploy/)
+	const deployMjsPath = resolve(__dirname, 'deploy', `${baseName}.mjs`);
+	if (existsSync(deployMjsPath)) {
+		return deployMjsPath;
+	}
+
+	// Try same directory .mjs (production: if running from dist/deploy/ directly)
+	const mjsPath = resolve(__dirname, `${baseName}.mjs`);
+	if (existsSync(mjsPath)) {
+		return mjsPath;
+	}
+
+	// Try same directory .ts (development with tsx: all files in src/deploy/)
+	const tsPath = resolve(__dirname, `${baseName}.ts`);
+	if (existsSync(tsPath)) {
+		return tsPath;
+	}
+
+	// Fallback to .ts (will error if neither exists)
+	return tsPath;
+}
+
 // Re-export SniffResult for consumers
 export type { SniffResult } from '@geekmidas/envkit/sniffer';
 
@@ -25,11 +63,12 @@ export interface SniffAppOptions {
 /**
  * Get required environment variables for an app.
  *
- * Detection strategy:
- * - Frontend apps: Returns empty (no server secrets)
- * - Apps with `requiredEnv`: Uses explicit list from config
- * - Apps with `envParser`: Runs SnifferEnvironmentParser to detect usage
- * - Apps with neither: Returns empty
+ * Detection strategy (in order):
+ * 1. Frontend apps: Returns empty (no server secrets)
+ * 2. Apps with `requiredEnv`: Uses explicit list from config
+ * 3. Entry apps: Imports entry file in subprocess to capture config.parse() calls
+ * 4. Apps with `envParser`: Runs SnifferEnvironmentParser to detect usage
+ * 5. Apps with neither: Returns empty
  *
  * This function handles "fire and forget" async operations gracefully,
  * capturing errors and unhandled rejections without failing the build.
@@ -48,17 +87,30 @@ export async function sniffAppEnvironment(
 ): Promise<SniffedEnvironment> {
 	const { logWarnings = true } = options;
 
-	// Frontend apps don't have server-side secrets
+	// 1. Frontend apps don't have server-side secrets
 	if (app.type === 'frontend') {
 		return { appName, requiredEnvVars: [] };
 	}
 
-	// Entry-based apps with explicit env list
+	// 2. Entry-based apps with explicit env list
 	if (app.requiredEnv && app.requiredEnv.length > 0) {
 		return { appName, requiredEnvVars: [...app.requiredEnv] };
 	}
 
-	// Apps with envParser - run sniffer to detect env var usage
+	// 3. Entry apps - import entry file in subprocess to trigger config.parse()
+	if (app.entry) {
+		const result = await sniffEntryFile(app.entry, app.path, workspacePath);
+
+		if (logWarnings && result.error) {
+			console.warn(
+				`[sniffer] ${appName}: Entry file threw error during sniffing (env vars still captured): ${result.error.message}`,
+			);
+		}
+
+		return { appName, requiredEnvVars: result.envVars };
+	}
+
+	// 4. Apps with envParser - run sniffer to detect env var usage
 	if (app.envParser) {
 		const result = await sniffEnvParser(app.envParser, app.path, workspacePath);
 
@@ -79,10 +131,107 @@ export async function sniffAppEnvironment(
 		return { appName, requiredEnvVars: result.envVars };
 	}
 
-	// No env detection method available
+	// 5. No env detection method available
 	return { appName, requiredEnvVars: [] };
 }
 
+/**
+ * Result from sniffing an entry file.
+ */
+interface EntrySniffResult {
+	envVars: string[];
+	error?: Error;
+}
+
+/**
+ * Sniff an entry file by importing it in a subprocess.
+ *
+ * Entry apps call `config.parse()` at module load time. To capture which
+ * env vars are accessed, we:
+ * 1. Spawn a subprocess with a module loader hook
+ * 2. The loader intercepts `@geekmidas/envkit` and replaces EnvironmentParser
+ *    with SnifferEnvironmentParser
+ * 3. Import the entry file (triggers config.parse())
+ * 4. Capture and return the accessed env var names
+ *
+ * This approach provides process isolation - each app is sniffed in its own
+ * subprocess, preventing module cache pollution.
+ *
+ * @param entryPath - Relative path to the entry file (e.g., './src/index.ts')
+ * @param appPath - The app's path relative to workspace (e.g., 'apps/auth')
+ * @param workspacePath - Absolute path to workspace root
+ * @returns EntrySniffResult with env vars and optional error
+ */
+async function sniffEntryFile(
+	entryPath: string,
+	appPath: string,
+	workspacePath: string,
+): Promise<EntrySniffResult> {
+	const fullEntryPath = resolve(workspacePath, appPath, entryPath);
+	const loaderPath = resolveSnifferFile('sniffer-loader');
+	const workerPath = resolveSnifferFile('sniffer-worker');
+
+	return new Promise((resolvePromise) => {
+		const child = spawn(
+			'node',
+			['--import', loaderPath, workerPath, fullEntryPath],
+			{
+				cwd: resolve(workspacePath, appPath),
+				stdio: ['ignore', 'pipe', 'pipe'],
+				env: {
+					...process.env,
+					// Ensure tsx is available for TypeScript entry files
+					NODE_OPTIONS: '--import tsx',
+				},
+			},
+		);
+
+		let stdout = '';
+		let stderr = '';
+
+		child.stdout.on('data', (data) => {
+			stdout += data.toString();
+		});
+
+		child.stderr.on('data', (data) => {
+			stderr += data.toString();
+		});
+
+		child.on('close', (code) => {
+			// Try to parse the JSON output from the worker
+			try {
+				// Find the last JSON object in stdout (worker may emit other output)
+				const jsonMatch = stdout.match(/\{[^{}]*"envVars"[^{}]*\}[^{]*$/);
+				if (jsonMatch) {
+					const result = JSON.parse(jsonMatch[0]);
+					resolvePromise({
+						envVars: result.envVars || [],
+						error: result.error ? new Error(result.error) : undefined,
+					});
+					return;
+				}
+			} catch {
+				// JSON parse failed
+			}
+
+			// If we couldn't parse the output, return empty with error info
+			resolvePromise({
+				envVars: [],
+				error: new Error(
+					`Failed to sniff entry file (exit code ${code}): ${stderr || stdout || 'No output'}`,
+				),
+			});
+		});
+
+		child.on('error', (err) => {
+			resolvePromise({
+				envVars: [],
+				error: err,
+			});
+		});
+	});
+}
+
 /**
  * Run the SnifferEnvironmentParser on an envParser module to detect
  * which environment variables it accesses.
@@ -118,7 +267,9 @@ async function sniffEnvParser(
 		sniffWithFireAndForget = envkitModule.sniffWithFireAndForget;
 	} catch (error) {
 		const message = error instanceof Error ? error.message : String(error);
-		console.warn(`[sniffer] Failed to import SnifferEnvironmentParser: ${message}`);
+		console.warn(
+			`[sniffer] Failed to import SnifferEnvironmentParser: ${message}`,
+		);
 		return { envVars: [], unhandledRejections: [] };
 	}
 
@@ -169,7 +320,12 @@ export async function sniffAllApps(
 	const results = new Map<string, SniffedEnvironment>();
 
 	for (const [appName, app] of Object.entries(apps)) {
-		const sniffed = await sniffAppEnvironment(app, appName, workspacePath, options);
+		const sniffed = await sniffAppEnvironment(
+			app,
+			appName,
+			workspacePath,
+			options,
+		);
 		results.set(appName, sniffed);
 	}
 
@@ -177,4 +333,4 @@ export async function sniffAllApps(
 }
 
 // Export for testing
-export { sniffEnvParser as _sniffEnvParser };
+export { sniffEnvParser as _sniffEnvParser, sniffEntryFile as _sniffEntryFile };

package/src/deploy/state.ts

@@ -8,6 +8,22 @@
 import { mkdir, readFile, writeFile } from 'node:fs/promises';
 import { join } from 'node:path';
 
+/**
+ * Per-app database credentials
+ */
+export interface AppDbCredentials {
+	dbUser: string;
+	dbPassword: string;
+}
+
+/**
+ * DNS verification record for a hostname
+ */
+export interface DnsVerificationRecord {
+	serverIp: string;
+	verifiedAt: string;
+}
+
 /**
  * State for a single stage deployment
  */
@@ -20,6 +36,12 @@ export interface DokployStageState {
 		postgresId?: string;
 		redisId?: string;
 	};
+	/** Per-app database credentials for reuse on subsequent deploys */
+	appCredentials?: Record<string, AppDbCredentials>;
+	/** Auto-generated secrets per app (e.g., BETTER_AUTH_SECRET) */
+	generatedSecrets?: Record<string, Record<string, string>>;
+	/** DNS verification state per hostname */
+	dnsVerified?: Record<string, DnsVerificationRecord>;
 	lastDeployedAt: string;
 }
 
@@ -134,7 +156,9 @@ export function setPostgresId(
 /**
  * Get redis ID from state
  */
-export function getRedisId(state: DokployStageState | null): string | undefined {
+export function getRedisId(
+	state: DokployStageState | null,
+): string | undefined {
 	return state?.services.redisId;
 }
 
@@ -144,3 +168,140 @@ export function getRedisId(state: DokployStageState | null): string | undefined
 export function setRedisId(state: DokployStageState, redisId: string): void {
 	state.services.redisId = redisId;
 }
+
+/**
+ * Get app credentials from state
+ */
+export function getAppCredentials(
+	state: DokployStageState | null,
+	appName: string,
+): AppDbCredentials | undefined {
+	return state?.appCredentials?.[appName];
+}
+
+/**
+ * Set app credentials in state (mutates state)
+ */
+export function setAppCredentials(
+	state: DokployStageState,
+	appName: string,
+	credentials: AppDbCredentials,
+): void {
+	if (!state.appCredentials) {
+		state.appCredentials = {};
+	}
+	state.appCredentials[appName] = credentials;
+}
+
+/**
+ * Get all app credentials from state
+ */
+export function getAllAppCredentials(
+	state: DokployStageState | null,
+): Record<string, AppDbCredentials> {
+	return state?.appCredentials ?? {};
+}
+
+// ============================================================================
+// Generated Secrets
+// ============================================================================
+
+/**
+ * Get a generated secret for an app
+ */
+export function getGeneratedSecret(
+	state: DokployStageState | null,
+	appName: string,
+	secretName: string,
+): string | undefined {
+	return state?.generatedSecrets?.[appName]?.[secretName];
+}
+
+/**
+ * Set a generated secret for an app (mutates state)
+ */
+export function setGeneratedSecret(
+	state: DokployStageState,
+	appName: string,
+	secretName: string,
+	value: string,
+): void {
+	if (!state.generatedSecrets) {
+		state.generatedSecrets = {};
+	}
+	if (!state.generatedSecrets[appName]) {
+		state.generatedSecrets[appName] = {};
+	}
+	state.generatedSecrets[appName][secretName] = value;
+}
+
+/**
+ * Get all generated secrets for an app
+ */
+export function getAppGeneratedSecrets(
+	state: DokployStageState | null,
+	appName: string,
+): Record<string, string> {
+	return state?.generatedSecrets?.[appName] ?? {};
+}
+
+/**
+ * Get all generated secrets from state
+ */
+export function getAllGeneratedSecrets(
+	state: DokployStageState | null,
+): Record<string, Record<string, string>> {
+	return state?.generatedSecrets ?? {};
+}
+
+// ============================================================================
+// DNS Verification
+// ============================================================================
+
+/**
+ * Get DNS verification record for a hostname
+ */
+export function getDnsVerification(
+	state: DokployStageState | null,
+	hostname: string,
+): DnsVerificationRecord | undefined {
+	return state?.dnsVerified?.[hostname];
+}
+
+/**
+ * Set DNS verification record for a hostname (mutates state)
+ */
+export function setDnsVerification(
+	state: DokployStageState,
+	hostname: string,
+	serverIp: string,
+): void {
+	if (!state.dnsVerified) {
+		state.dnsVerified = {};
+	}
+	state.dnsVerified[hostname] = {
+		serverIp,
+		verifiedAt: new Date().toISOString(),
+	};
+}
+
+/**
+ * Check if a hostname is already verified with the given IP
+ */
+export function isDnsVerified(
+	state: DokployStageState | null,
+	hostname: string,
+	serverIp: string,
+): boolean {
+	const record = state?.dnsVerified?.[hostname];
+	return record?.serverIp === serverIp;
+}
+
+/**
+ * Get all DNS verification records from state
+ */
+export function getAllDnsVerifications(
+	state: DokployStageState | null,
+): Record<string, DnsVerificationRecord> {
+	return state?.dnsVerified ?? {};
+}

package/src/init/versions.ts

@@ -32,10 +32,10 @@ export const GEEKMIDAS_VERSIONS = {
 	'@geekmidas/cli': CLI_VERSION,
 	'@geekmidas/client': '~0.5.0',
 	'@geekmidas/cloud': '~0.2.0',
-	'@geekmidas/constructs': '~0.7.0',
+	'@geekmidas/constructs': '~0.8.0',
 	'@geekmidas/db': '~0.3.0',
 	'@geekmidas/emailkit': '~0.2.0',
-	'@geekmidas/envkit': '~0.6.0',
+	'@geekmidas/envkit': '~0.7.0',
 	'@geekmidas/errors': '~0.1.0',
 	'@geekmidas/events': '~0.2.0',
 	'@geekmidas/logger': '~0.4.0',
@@ -44,7 +44,7 @@ export const GEEKMIDAS_VERSIONS = {
 	'@geekmidas/services': '~0.2.0',
 	'@geekmidas/storage': '~0.1.0',
 	'@geekmidas/studio': '~0.4.0',
-	'@geekmidas/telescope': '~0.5.0',
+	'@geekmidas/telescope': '~0.6.0',
 	'@geekmidas/testkit': '~0.6.0',
 };