@geekmidas/cli 0.48.0 → 0.50.0

package/dist/index.mjs

@@ -3,7 +3,7 @@ import { __require, getAppBuildOrder, getDependencyEnvVars, getDeployTargetError
 import { getAppNameFromCwd, loadAppConfig, loadConfig, loadWorkspaceConfig, parseModuleConfig } from "./config-C3LSBNSl.mjs";
 import { ConstructGenerator, EndpointGenerator, OPENAPI_OUTPUT_PATH, OpenApiTsGenerator, generateOpenApi, openapiCommand, resolveOpenApiConfig } from "./openapi-C3C-BzIZ.mjs";
 import { getKeyPath, maskPassword, readStageSecrets, secretsExist, setCustomSecret, toEmbeddableSecrets, writeStageSecrets } from "./storage-Dhst7BhI.mjs";
-import { DokployApi } from "./dokploy-api-DvzIDxTj.mjs";
+import { DokployApi } from "./dokploy-api-94KzmTVf.mjs";
 import { encryptSecrets } from "./encryption-BC4MAODn.mjs";
 import { generateReactQueryCommand } from "./openapi-react-query-ZoP9DPbY.mjs";
 import { createRequire } from "node:module";
@@ -23,13 +23,14 @@ import { Cron } from "@geekmidas/constructs/crons";
 import { Function } from "@geekmidas/constructs/functions";
 import { Subscriber } from "@geekmidas/constructs/subscribers";
 import { createHash, randomBytes } from "node:crypto";
+import { Client } from "pg";
 import { lookup } from "node:dns/promises";
-import { pathToFileURL } from "node:url";
+import { fileURLToPath, pathToFileURL } from "node:url";
 import prompts from "prompts";
 
 //#region package.json
 var name = "@geekmidas/cli";
-var version = "0.47.0";
+var version = "0.50.0";
 var description = "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs";
 var private$1 = false;
 var type = "module";
@@ -85,12 +86,14 @@ var dependencies = {
 	"hono": "~4.8.0",
 	"lodash.kebabcase": "^4.1.1",
 	"openapi-typescript": "^7.4.2",
+	"pg": "~8.17.1",
 	"prompts": "~2.4.2"
 };
 var devDependencies = {
 	"@geekmidas/testkit": "workspace:*",
 	"@types/lodash.kebabcase": "^4.1.9",
 	"@types/node": "~24.9.1",
+	"@types/pg": "~8.16.0",
 	"@types/prompts": "~2.4.9",
 	"typescript": "^5.8.2",
 	"vitest": "^3.2.4",
@@ -253,7 +256,7 @@ const logger$11 = console;
 * Validate Dokploy token by making a test API call
 */
 async function validateDokployToken(endpoint, token) {
-	const { DokployApi: DokployApi$1 } = await import("./dokploy-api-BN3V57z1.mjs");
+	const { DokployApi: DokployApi$1 } = await import("./dokploy-api-CItuaWTq.mjs");
 	const api = new DokployApi$1({
 		baseUrl: endpoint,
 		token
@@ -2274,2027 +2277,2143 @@ function getAppOutputPath(workspace, _appName, app) {
 }
 
 //#endregion
-//#region src/docker/compose.ts
-/** Default Docker images for services */
-const DEFAULT_SERVICE_IMAGES = {
-	postgres: "postgres",
-	redis: "redis",
-	rabbitmq: "rabbitmq"
-};
-/** Default Docker image versions for services */
-const DEFAULT_SERVICE_VERSIONS = {
-	postgres: "16-alpine",
-	redis: "7-alpine",
-	rabbitmq: "3-management-alpine"
-};
-/** Get the default full image reference for a service */
-function getDefaultImage(serviceName) {
-	return `${DEFAULT_SERVICE_IMAGES[serviceName]}:${DEFAULT_SERVICE_VERSIONS[serviceName]}`;
+//#region src/deploy/state.ts
+/**
+* Get the state file path for a stage
+*/
+function getStateFilePath(workspaceRoot, stage) {
+	return join(workspaceRoot, ".gkm", `deploy-${stage}.json`);
 }
-/** Normalize services config to a consistent format - returns Map of service name to full image reference */
-function normalizeServices(services) {
-	const result = /* @__PURE__ */ new Map();
-	if (Array.isArray(services)) for (const name$1 of services) result.set(name$1, getDefaultImage(name$1));
-	else for (const [name$1, config$1] of Object.entries(services)) {
-		const serviceName = name$1;
-		if (config$1 === true) result.set(serviceName, getDefaultImage(serviceName));
-		else if (config$1 && typeof config$1 === "object") {
-			const serviceConfig = config$1;
-			if (serviceConfig.image) result.set(serviceName, serviceConfig.image);
-			else {
-				const version$1 = serviceConfig.version ?? DEFAULT_SERVICE_VERSIONS[serviceName];
-				result.set(serviceName, `${DEFAULT_SERVICE_IMAGES[serviceName]}:${version$1}`);
-			}
-		}
+/**
+* Read the deploy state for a stage
+* Returns null if state file doesn't exist
+*/
+async function readStageState(workspaceRoot, stage) {
+	const filePath = getStateFilePath(workspaceRoot, stage);
+	try {
+		const content = await readFile(filePath, "utf-8");
+		return JSON.parse(content);
+	} catch (error) {
+		if (error.code === "ENOENT") return null;
+		console.warn(`Warning: Could not read deploy state: ${error}`);
+		return null;
 	}
-	return result;
 }
 /**
-* Generate docker-compose.yml for production deployment
+* Write the deploy state for a stage
 */
-function generateDockerCompose(options) {
-	const { imageName, registry, port, healthCheckPath, services } = options;
-	const serviceMap = normalizeServices(services);
-	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : "";
-	let yaml = `version: '3.8'
-
-services:
-  api:
-    build:
-      context: ../..
-      dockerfile: .gkm/docker/Dockerfile
-    image: ${imageRef}\${IMAGE_NAME:-${imageName}}:\${TAG:-latest}
-    container_name: ${imageName}
-    restart: unless-stopped
-    ports:
-      - "\${PORT:-${port}}:${port}"
-    environment:
-      - NODE_ENV=production
-`;
-	if (serviceMap.has("postgres")) yaml += `      - DATABASE_URL=\${DATABASE_URL:-postgresql://postgres:postgres@postgres:5432/app}
-`;
-	if (serviceMap.has("redis")) yaml += `      - REDIS_URL=\${REDIS_URL:-redis://redis:6379}
-`;
-	if (serviceMap.has("rabbitmq")) yaml += `      - RABBITMQ_URL=\${RABBITMQ_URL:-amqp://rabbitmq:5672}
-`;
-	yaml += `    healthcheck:
-      test: ["CMD", "wget", "-q", "--spider", "http://localhost:${port}${healthCheckPath}"]
-      interval: 30s
-      timeout: 3s
-      retries: 3
-`;
-	if (serviceMap.size > 0) {
-		yaml += `    depends_on:
-`;
-		for (const serviceName of serviceMap.keys()) yaml += `      ${serviceName}:
-        condition: service_healthy
-`;
-	}
-	yaml += `    networks:
-      - app-network
-`;
-	const postgresImage = serviceMap.get("postgres");
-	if (postgresImage) yaml += `
-  postgres:
-    image: ${postgresImage}
-    container_name: postgres
-    restart: unless-stopped
-    environment:
-      POSTGRES_USER: \${POSTGRES_USER:-postgres}
-      POSTGRES_PASSWORD: \${POSTGRES_PASSWORD:-postgres}
-      POSTGRES_DB: \${POSTGRES_DB:-app}
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U postgres"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
-    networks:
-      - app-network
-`;
-	const redisImage = serviceMap.get("redis");
-	if (redisImage) yaml += `
-  redis:
-    image: ${redisImage}
-    container_name: redis
-    restart: unless-stopped
-    volumes:
-      - redis_data:/data
-    healthcheck:
-      test: ["CMD", "redis-cli", "ping"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
-    networks:
-      - app-network
-`;
-	const rabbitmqImage = serviceMap.get("rabbitmq");
-	if (rabbitmqImage) yaml += `
-  rabbitmq:
-    image: ${rabbitmqImage}
-    container_name: rabbitmq
-    restart: unless-stopped
-    environment:
-      RABBITMQ_DEFAULT_USER: \${RABBITMQ_USER:-guest}
-      RABBITMQ_DEFAULT_PASS: \${RABBITMQ_PASSWORD:-guest}
-    ports:
-      - "15672:15672"  # Management UI
-    volumes:
-      - rabbitmq_data:/var/lib/rabbitmq
-    healthcheck:
-      test: ["CMD", "rabbitmq-diagnostics", "-q", "ping"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-    networks:
-      - app-network
-`;
-	yaml += `
-volumes:
-`;
-	if (serviceMap.has("postgres")) yaml += `  postgres_data:
-`;
-	if (serviceMap.has("redis")) yaml += `  redis_data:
-`;
-	if (serviceMap.has("rabbitmq")) yaml += `  rabbitmq_data:
-`;
-	yaml += `
-networks:
-  app-network:
-    driver: bridge
-`;
-	return yaml;
+async function writeStageState(workspaceRoot, stage, state) {
+	const filePath = getStateFilePath(workspaceRoot, stage);
+	const dir = join(workspaceRoot, ".gkm");
+	await mkdir(dir, { recursive: true });
+	state.lastDeployedAt = (/* @__PURE__ */ new Date()).toISOString();
+	await writeFile(filePath, JSON.stringify(state, null, 2));
 }
 /**
-* Generate a minimal docker-compose.yml for API only
+* Create a new empty state for a stage
 */
-function generateMinimalDockerCompose(options) {
-	const { imageName, registry, port, healthCheckPath } = options;
-	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : "";
-	return `version: '3.8'
-
-services:
-  api:
-    build:
-      context: ../..
-      dockerfile: .gkm/docker/Dockerfile
-    image: ${imageRef}\${IMAGE_NAME:-${imageName}}:\${TAG:-latest}
-    container_name: ${imageName}
-    restart: unless-stopped
-    ports:
-      - "\${PORT:-${port}}:${port}"
-    environment:
-      - NODE_ENV=production
-    healthcheck:
-      test: ["CMD", "wget", "-q", "--spider", "http://localhost:${port}${healthCheckPath}"]
-      interval: 30s
-      timeout: 3s
-      retries: 3
-    networks:
-      - app-network
-
-networks:
-  app-network:
-    driver: bridge
-`;
+function createEmptyState(stage, environmentId) {
+	return {
+		provider: "dokploy",
+		stage,
+		environmentId,
+		applications: {},
+		services: {},
+		lastDeployedAt: (/* @__PURE__ */ new Date()).toISOString()
+	};
 }
 /**
-* Generate docker-compose.yml for a workspace with all apps as services.
-* Apps can communicate with each other via service names.
-* @internal Exported for testing
+* Get application ID from state
 */
-function generateWorkspaceCompose(workspace, options = {}) {
-	const { registry } = options;
-	const apps = Object.entries(workspace.apps);
-	const services = workspace.services;
-	const hasPostgres = services.db !== void 0 && services.db !== false;
-	const hasRedis = services.cache !== void 0 && services.cache !== false;
-	const hasMail = services.mail !== void 0 && services.mail !== false;
-	const postgresImage = getInfraServiceImage("postgres", services.db);
-	const redisImage = getInfraServiceImage("redis", services.cache);
-	let yaml = `# Docker Compose for ${workspace.name} workspace
-# Generated by gkm - do not edit manually
-
-services:
-`;
-	for (const [appName, app] of apps) yaml += generateAppService(appName, app, apps, {
-		registry,
-		hasPostgres,
-		hasRedis
-	});
-	if (hasPostgres) yaml += `
-  postgres:
-    image: ${postgresImage}
-    container_name: ${workspace.name}-postgres
-    restart: unless-stopped
-    environment:
-      POSTGRES_USER: \${POSTGRES_USER:-postgres}
-      POSTGRES_PASSWORD: \${POSTGRES_PASSWORD:-postgres}
-      POSTGRES_DB: \${POSTGRES_DB:-app}
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U postgres"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
-    networks:
-      - workspace-network
-`;
-	if (hasRedis) yaml += `
-  redis:
-    image: ${redisImage}
-    container_name: ${workspace.name}-redis
-    restart: unless-stopped
-    volumes:
-      - redis_data:/data
-    healthcheck:
-      test: ["CMD", "redis-cli", "ping"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
-    networks:
-      - workspace-network
-`;
-	if (hasMail) yaml += `
-  mailpit:
-    image: axllent/mailpit:latest
-    container_name: ${workspace.name}-mailpit
-    restart: unless-stopped
-    ports:
-      - "8025:8025"  # Web UI
-      - "1025:1025"  # SMTP
-    networks:
-      - workspace-network
-`;
-	yaml += `
-volumes:
-`;
-	if (hasPostgres) yaml += `  postgres_data:
-`;
-	if (hasRedis) yaml += `  redis_data:
-`;
-	yaml += `
-networks:
-  workspace-network:
-    driver: bridge
-`;
-	return yaml;
+function getApplicationId(state, appName) {
+	return state?.applications[appName];
 }
 /**
-* Get infrastructure service image with version.
+* Set application ID in state (mutates state)
 */
-function getInfraServiceImage(serviceName, config$1) {
-	const defaults = {
-		postgres: "postgres:16-alpine",
-		redis: "redis:7-alpine"
-	};
-	if (!config$1 || config$1 === true) return defaults[serviceName];
-	if (typeof config$1 === "object") {
-		if (config$1.image) return config$1.image;
-		if (config$1.version) {
-			const baseImage = serviceName === "postgres" ? "postgres" : "redis";
-			return `${baseImage}:${config$1.version}`;
-		}
-	}
-	return defaults[serviceName];
+function setApplicationId(state, appName, applicationId) {
+	state.applications[appName] = applicationId;
 }
 /**
-* Generate a service definition for an app.
+* Get postgres ID from state
 */
-function generateAppService(appName, app, allApps, options) {
-	const { registry, hasPostgres, hasRedis } = options;
-	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : "";
-	const healthCheckPath = app.type === "frontend" ? "/" : "/health";
-	const healthCheckCmd = app.type === "frontend" ? `["CMD", "wget", "-q", "--spider", "http://localhost:${app.port}/"]` : `["CMD", "wget", "-q", "--spider", "http://localhost:${app.port}${healthCheckPath}"]`;
-	let yaml = `
-  ${appName}:
-    build:
-      context: .
-      dockerfile: .gkm/docker/Dockerfile.${appName}
-    image: ${imageRef}\${${appName.toUpperCase()}_IMAGE:-${appName}}:\${TAG:-latest}
-    container_name: ${appName}
-    restart: unless-stopped
-    ports:
-      - "\${${appName.toUpperCase()}_PORT:-${app.port}}:${app.port}"
-    environment:
-      - NODE_ENV=production
-      - PORT=${app.port}
-`;
-	for (const dep of app.dependencies) {
-		const depApp = allApps.find(([name$1]) => name$1 === dep)?.[1];
-		if (depApp) yaml += `      - ${dep.toUpperCase()}_URL=http://${dep}:${depApp.port}
-`;
-	}
-	if (app.type === "backend") {
-		if (hasPostgres) yaml += `      - DATABASE_URL=\${DATABASE_URL:-postgresql://postgres:postgres@postgres:5432/app}
-`;
-		if (hasRedis) yaml += `      - REDIS_URL=\${REDIS_URL:-redis://redis:6379}
-`;
-	}
-	yaml += `    healthcheck:
-      test: ${healthCheckCmd}
-      interval: 30s
-      timeout: 3s
-      retries: 3
-`;
-	const dependencies$1 = [...app.dependencies];
-	if (app.type === "backend") {
-		if (hasPostgres) dependencies$1.push("postgres");
-		if (hasRedis) dependencies$1.push("redis");
-	}
-	if (dependencies$1.length > 0) {
-		yaml += `    depends_on:
-`;
-		for (const dep of dependencies$1) yaml += `      ${dep}:
-        condition: service_healthy
-`;
-	}
-	yaml += `    networks:
-      - workspace-network
-`;
-	return yaml;
+function getPostgresId(state) {
+	return state?.services.postgresId;
 }
-
-//#endregion
-//#region src/docker/templates.ts
-const LOCKFILES = [
-	["pnpm-lock.yaml", "pnpm"],
-	["bun.lockb", "bun"],
-	["yarn.lock", "yarn"],
-	["package-lock.json", "npm"]
-];
 /**
-* Detect package manager from lockfiles
-* Walks up the directory tree to find lockfile (for monorepos)
+* Set postgres ID in state (mutates state)
 */
-function detectPackageManager$1(cwd = process.cwd()) {
-	let dir = cwd;
-	const root = parse(dir).root;
-	while (dir !== root) {
-		for (const [lockfile, pm] of LOCKFILES) if (existsSync(join(dir, lockfile))) return pm;
-		dir = dirname(dir);
-	}
-	for (const [lockfile, pm] of LOCKFILES) if (existsSync(join(root, lockfile))) return pm;
-	return "pnpm";
+function setPostgresId(state, postgresId) {
+	state.services.postgresId = postgresId;
 }
 /**
-* Find the lockfile path by walking up the directory tree
-* Returns the full path to the lockfile, or null if not found
+* Get redis ID from state
 */
-function findLockfilePath(cwd = process.cwd()) {
-	let dir = cwd;
-	const root = parse(dir).root;
-	while (dir !== root) {
-		for (const [lockfile] of LOCKFILES) {
-			const lockfilePath = join(dir, lockfile);
-			if (existsSync(lockfilePath)) return lockfilePath;
-		}
-		dir = dirname(dir);
-	}
-	for (const [lockfile] of LOCKFILES) {
-		const lockfilePath = join(root, lockfile);
-		if (existsSync(lockfilePath)) return lockfilePath;
-	}
-	return null;
+function getRedisId(state) {
+	return state?.services.redisId;
 }
 /**
-* Check if we're in a monorepo (lockfile is in a parent directory)
+* Set redis ID in state (mutates state)
 */
-function isMonorepo(cwd = process.cwd()) {
-	const lockfilePath = findLockfilePath(cwd);
-	if (!lockfilePath) return false;
-	const lockfileDir = dirname(lockfilePath);
-	return lockfileDir !== cwd;
+function setRedisId(state, redisId) {
+	state.services.redisId = redisId;
 }
 /**
-* Check if turbo.json exists (walks up directory tree)
+* Set app credentials in state (mutates state)
 */
-function hasTurboConfig(cwd = process.cwd()) {
-	let dir = cwd;
-	const root = parse(dir).root;
-	while (dir !== root) {
-		if (existsSync(join(dir, "turbo.json"))) return true;
-		dir = dirname(dir);
-	}
-	return existsSync(join(root, "turbo.json"));
+function setAppCredentials(state, appName, credentials) {
+	if (!state.appCredentials) state.appCredentials = {};
+	state.appCredentials[appName] = credentials;
 }
 /**
-* Get install command for turbo builds (without frozen lockfile)
-* Turbo prune creates a subset that may not perfectly match the lockfile
+* Get all app credentials from state
 */
-function getTurboInstallCmd(pm) {
-	const commands = {
-		pnpm: "pnpm install",
-		npm: "npm install",
-		yarn: "yarn install",
-		bun: "bun install"
-	};
-	return commands[pm];
+function getAllAppCredentials(state) {
+	return state?.appCredentials ?? {};
 }
 /**
-* Get package manager specific commands and paths
+* Get a generated secret for an app
 */
-function getPmConfig(pm) {
-	const configs = {
-		pnpm: {
-			install: "corepack enable && corepack prepare pnpm@latest --activate",
-			lockfile: "pnpm-lock.yaml",
-			fetch: "pnpm fetch",
-			installCmd: "pnpm install --frozen-lockfile --offline",
-			cacheTarget: "/root/.local/share/pnpm/store",
-			cacheId: "pnpm",
-			run: "pnpm",
-			exec: "pnpm exec",
-			dlx: "pnpm dlx",
-			addGlobal: "pnpm add -g"
-		},
-		npm: {
-			install: "",
-			lockfile: "package-lock.json",
-			fetch: "",
-			installCmd: "npm ci",
-			cacheTarget: "/root/.npm",
-			cacheId: "npm",
-			run: "npm run",
-			exec: "npx",
-			dlx: "npx",
-			addGlobal: "npm install -g"
-		},
-		yarn: {
-			install: "corepack enable && corepack prepare yarn@stable --activate",
-			lockfile: "yarn.lock",
-			fetch: "",
-			installCmd: "yarn install --frozen-lockfile",
-			cacheTarget: "/root/.yarn/cache",
-			cacheId: "yarn",
-			run: "yarn",
-			exec: "yarn exec",
-			dlx: "yarn dlx",
-			addGlobal: "yarn global add"
-		},
-		bun: {
-			install: "npm install -g bun",
-			lockfile: "bun.lockb",
-			fetch: "",
-			installCmd: "bun install --frozen-lockfile",
-			cacheTarget: "/root/.bun/install/cache",
-			cacheId: "bun",
-			run: "bun run",
-			exec: "bunx",
-			dlx: "bunx",
-			addGlobal: "bun add -g"
-		}
+function getGeneratedSecret(state, appName, secretName) {
+	return state?.generatedSecrets?.[appName]?.[secretName];
+}
+/**
+* Set a generated secret for an app (mutates state)
+*/
+function setGeneratedSecret(state, appName, secretName, value) {
+	if (!state.generatedSecrets) state.generatedSecrets = {};
+	if (!state.generatedSecrets[appName]) state.generatedSecrets[appName] = {};
+	state.generatedSecrets[appName][secretName] = value;
+}
+/**
+* Set DNS verification record for a hostname (mutates state)
+*/
+function setDnsVerification(state, hostname, serverIp) {
+	if (!state.dnsVerified) state.dnsVerified = {};
+	state.dnsVerified[hostname] = {
+		serverIp,
+		verifiedAt: (/* @__PURE__ */ new Date()).toISOString()
 	};
-	return configs[pm];
 }
 /**
-* Generate a multi-stage Dockerfile for building from source
-* Optimized for build speed with:
-* - BuildKit cache mounts for package manager store
-* - pnpm fetch for better layer caching (when using pnpm)
-* - Optional turbo prune for monorepos
+* Check if a hostname is already verified with the given IP
 */
-function generateMultiStageDockerfile(options) {
-	const { baseImage, port, healthCheckPath, turbo, turboPackage, packageManager } = options;
-	if (turbo) return generateTurboDockerfile({
-		...options,
-		turboPackage: turboPackage ?? "api"
-	});
-	const pm = getPmConfig(packageManager);
-	const installPm = pm.install ? `\n# Install ${packageManager}\nRUN ${pm.install}\n` : "";
-	const hasFetch = packageManager === "pnpm";
-	const depsStage = hasFetch ? `# Copy lockfile first for better caching
-COPY ${pm.lockfile} ./
-
-# Fetch dependencies (downloads to virtual store, cached separately)
-RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
-    ${pm.fetch}
-
-# Copy package.json after fetch
-COPY package.json ./
-
-# Install from cache (fast - no network needed)
-RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
-    ${pm.installCmd}` : `# Copy package files
-COPY package.json ${pm.lockfile} ./
-
-# Install dependencies with cache
-RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
-    ${pm.installCmd}`;
-	return `# syntax=docker/dockerfile:1
-# Stage 1: Dependencies
-FROM ${baseImage} AS deps
-
-WORKDIR /app
-${installPm}
-${depsStage}
-
-# Stage 2: Build
-FROM deps AS builder
-
-WORKDIR /app
-
-# Copy source (deps already installed)
-COPY . .
-
-# Debug: Show node_modules/.bin contents and build production server
-RUN echo "=== node_modules/.bin contents ===" && \
-    ls -la node_modules/.bin/ 2>/dev/null || echo "node_modules/.bin not found" && \
-    echo "=== Checking for gkm ===" && \
-    which gkm 2>/dev/null || echo "gkm not in PATH" && \
-    ls -la node_modules/.bin/gkm 2>/dev/null || echo "gkm binary not found in node_modules/.bin" && \
-    echo "=== Running build ===" && \
-    ./node_modules/.bin/gkm build --provider server --production
-
-# Stage 3: Production
-FROM ${baseImage} AS runner
-
-WORKDIR /app
-
-# Install tini for proper signal handling as PID 1
-RUN apk add --no-cache tini
-
-# Create non-root user
-RUN addgroup --system --gid 1001 nodejs && \\
-    adduser --system --uid 1001 hono
-
-# Copy bundled server
-COPY --from=builder --chown=hono:nodejs /app/.gkm/server/dist/server.mjs ./
-
-# Environment
-ENV NODE_ENV=production
-ENV PORT=${port}
-
-# Health check
-HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \\
-  CMD wget -qO- http://localhost:${port}${healthCheckPath} > /dev/null 2>&1 || exit 1
-
-# Switch to non-root user
-USER hono
-
-EXPOSE ${port}
-
-# Use tini as entrypoint to handle PID 1 responsibilities
-ENTRYPOINT ["/sbin/tini", "--"]
-CMD ["node", "server.mjs"]
-`;
+function isDnsVerified(state, hostname, serverIp) {
+	const record = state?.dnsVerified?.[hostname];
+	return record?.serverIp === serverIp;
 }
+
+//#endregion
+//#region src/deploy/dns/hostinger-api.ts
 /**
-* Generate a Dockerfile optimized for Turbo monorepos
-* Uses turbo prune to create minimal Docker context
+* Hostinger DNS API client
+*
+* API Documentation: https://developers.hostinger.com/
+* Authentication: Bearer token from hpanel.hostinger.com/profile/api
 */
-function generateTurboDockerfile(options) {
-	const { baseImage, port, healthCheckPath, turboPackage, packageManager } = options;
-	const pm = getPmConfig(packageManager);
-	const installPm = pm.install ? `RUN ${pm.install}` : "";
-	const turboInstallCmd = getTurboInstallCmd(packageManager);
-	const turboCmd = packageManager === "pnpm" ? "pnpm dlx turbo" : "npx turbo";
-	return `# syntax=docker/dockerfile:1
-# Stage 1: Prune monorepo
-FROM ${baseImage} AS pruner
-
-WORKDIR /app
-
-${installPm}
-
-COPY . .
-
-# Prune to only include necessary packages
-RUN ${turboCmd} prune ${turboPackage} --docker
-
-# Stage 2: Install dependencies
-FROM ${baseImage} AS deps
-
-WORKDIR /app
-
-${installPm}
-
-# Copy pruned lockfile and package.jsons
-COPY --from=pruner /app/out/${pm.lockfile} ./
-COPY --from=pruner /app/out/json/ ./
-
-# Install dependencies (no frozen-lockfile since turbo prune creates a subset)
-RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
-    ${turboInstallCmd}
-
-# Stage 3: Build
-FROM deps AS builder
-
-WORKDIR /app
-
-# Copy pruned source
-COPY --from=pruner /app/out/full/ ./
-
-# Debug: Show node_modules/.bin contents and build production server
-RUN echo "=== node_modules/.bin contents ===" && \
-    ls -la node_modules/.bin/ 2>/dev/null || echo "node_modules/.bin not found" && \
-    echo "=== Checking for gkm ===" && \
-    which gkm 2>/dev/null || echo "gkm not in PATH" && \
-    ls -la node_modules/.bin/gkm 2>/dev/null || echo "gkm binary not found in node_modules/.bin" && \
-    echo "=== Running build ===" && \
-    ./node_modules/.bin/gkm build --provider server --production
-
-# Stage 4: Production
-FROM ${baseImage} AS runner
-
-WORKDIR /app
-
-RUN apk add --no-cache tini
-
-RUN addgroup --system --gid 1001 nodejs && \\
-    adduser --system --uid 1001 hono
-
-COPY --from=builder --chown=hono:nodejs /app/.gkm/server/dist/server.mjs ./
-
-ENV NODE_ENV=production
-ENV PORT=${port}
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \\
-  CMD wget -qO- http://localhost:${port}${healthCheckPath} > /dev/null 2>&1 || exit 1
-
-USER hono
-
-EXPOSE ${port}
-
-ENTRYPOINT ["/sbin/tini", "--"]
-CMD ["node", "server.mjs"]
-`;
-}
+const HOSTINGER_API_BASE = "https://developers.hostinger.com";
 /**
-* Generate a slim Dockerfile for pre-built bundles
+* Hostinger API error
 */
-function generateSlimDockerfile(options) {
-	const { baseImage, port, healthCheckPath } = options;
-	return `# Slim Dockerfile for pre-built production bundle
-FROM ${baseImage}
-
-WORKDIR /app
-
-# Install tini for proper signal handling as PID 1
-# Handles SIGTERM propagation and zombie process reaping
-RUN apk add --no-cache tini
-
-# Create non-root user
-RUN addgroup --system --gid 1001 nodejs && \\
-    adduser --system --uid 1001 hono
-
-# Copy pre-built bundle
-COPY .gkm/server/dist/server.mjs ./
-
-# Environment
-ENV NODE_ENV=production
-ENV PORT=${port}
-
-# Health check
-HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \\
-  CMD wget -qO- http://localhost:${port}${healthCheckPath} > /dev/null 2>&1 || exit 1
-
-# Switch to non-root user
-USER hono
-
-EXPOSE ${port}
-
-# Use tini as entrypoint to handle PID 1 responsibilities
-ENTRYPOINT ["/sbin/tini", "--"]
-CMD ["node", "server.mjs"]
-`;
-}
+var HostingerApiError = class extends Error {
+	constructor(message, status, statusText, errors) {
+		super(message);
+		this.status = status;
+		this.statusText = statusText;
+		this.errors = errors;
+		this.name = "HostingerApiError";
+	}
+};
 /**
-* Generate .dockerignore file
+* Hostinger DNS API client
+*
+* @example
+* ```ts
+* const api = new HostingerApi(token);
+*
+* // Get all records for a domain
+* const records = await api.getRecords('traflabs.io');
+*
+* // Create/update records
+* await api.upsertRecords('traflabs.io', [
+*   { name: 'api.joemoer', type: 'A', ttl: 300, records: ['1.2.3.4'] }
+* ]);
+* ```
 */
-function generateDockerignore() {
-	return `# Dependencies
-node_modules
-.pnpm-store
-
-# Build output (except what we need)
-.gkm/aws*
-.gkm/server/*.ts
-!.gkm/server/dist
-
-# IDE and editor
-.idea
-.vscode
-*.swp
-*.swo
-
-# Git
-.git
-.gitignore
-
-# Logs
-*.log
-npm-debug.log*
-pnpm-debug.log*
-
-# Test files
-**/*.test.ts
-**/*.spec.ts
-**/__tests__
-coverage
-
-# Documentation
-docs
-*.md
-!README.md
-
-# Environment files (handle secrets separately)
-.env
-.env.*
-!.env.example
+var HostingerApi = class {
+	token;
+	constructor(token) {
+		this.token = token;
+	}
+	/**
+	* Make a request to the Hostinger API
+	*/
+	async request(method, endpoint, body) {
+		const url = `${HOSTINGER_API_BASE}${endpoint}`;
+		const response = await fetch(url, {
+			method,
+			headers: {
+				"Content-Type": "application/json",
+				Authorization: `Bearer ${this.token}`
+			},
+			body: body ? JSON.stringify(body) : void 0
+		});
+		if (!response.ok) {
+			let errorMessage = `Hostinger API error: ${response.status} ${response.statusText}`;
+			let errors;
+			try {
+				const errorBody = await response.json();
+				if (errorBody.message) errorMessage = `Hostinger API error: ${errorBody.message}`;
+				errors = errorBody.errors;
+			} catch {}
+			throw new HostingerApiError(errorMessage, response.status, response.statusText, errors);
+		}
+		const text = await response.text();
+		if (!text || text.trim() === "") return void 0;
+		return JSON.parse(text);
+	}
+	/**
+	* Get all DNS records for a domain
+	*
+	* @param domain - Root domain (e.g., 'traflabs.io')
+	*/
+	async getRecords(domain) {
+		const response = await this.request("GET", `/api/dns/v1/zones/${domain}`);
+		return response.data || [];
+	}
+	/**
+	* Create or update DNS records
+	*
+	* @param domain - Root domain (e.g., 'traflabs.io')
+	* @param records - Records to create/update
+	* @param overwrite - If true, replaces all existing records. If false, merges with existing.
+	*/
+	async upsertRecords(domain, records, overwrite = false) {
+		await this.request("PUT", `/api/dns/v1/zones/${domain}`, {
+			overwrite,
+			zone: records
+		});
+	}
+	/**
+	* Validate DNS records before applying
+	*
+	* @param domain - Root domain (e.g., 'traflabs.io')
+	* @param records - Records to validate
+	* @returns true if valid, throws if invalid
+	*/
+	async validateRecords(domain, records) {
+		await this.request("POST", `/api/dns/v1/zones/${domain}/validate`, {
+			overwrite: false,
+			zone: records
+		});
+		return true;
+	}
+	/**
+	* Delete specific DNS records
+	*
+	* @param domain - Root domain (e.g., 'traflabs.io')
+	* @param filters - Filters to match records for deletion
+	*/
+	async deleteRecords(domain, filters) {
+		await this.request("DELETE", `/api/dns/v1/zones/${domain}`, { filters });
+	}
+	/**
+	* Check if a specific record exists
+	*
+	* @param domain - Root domain (e.g., 'traflabs.io')
+	* @param name - Subdomain name (e.g., 'api.joemoer')
+	* @param type - Record type (e.g., 'A')
+	*/
+	async recordExists(domain, name$1, type$1 = "A") {
+		const records = await this.getRecords(domain);
+		return records.some((r) => r.name === name$1 && r.type === type$1);
+	}
+	/**
+	* Create a single A record if it doesn't exist
+	*
+	* @param domain - Root domain (e.g., 'traflabs.io')
+	* @param subdomain - Subdomain name (e.g., 'api.joemoer')
+	* @param ip - IP address to point to
+	* @param ttl - TTL in seconds (default: 300)
+	* @returns true if created, false if already exists
+	*/
+	async createARecordIfNotExists(domain, subdomain, ip, ttl = 300) {
+		const exists = await this.recordExists(domain, subdomain, "A");
+		if (exists) return false;
+		await this.upsertRecords(domain, [{
+			name: subdomain,
+			type: "A",
+			ttl,
+			records: [{ content: ip }]
+		}]);
+		return true;
+	}
+};
 
-# Docker files (don't copy recursively)
-Dockerfile*
-docker-compose*
-.dockerignore
-`;
+//#endregion
+//#region src/deploy/dns/index.ts
+const logger$6 = console;
+/**
+* Resolve IP address from a hostname
+*/
+async function resolveHostnameToIp(hostname) {
+	try {
+		const addresses = await lookup(hostname, { family: 4 });
+		return addresses.address;
+	} catch (error) {
+		throw new Error(`Failed to resolve IP for ${hostname}: ${error instanceof Error ? error.message : "Unknown error"}`);
+	}
 }
 /**
-* Generate docker-entrypoint.sh for custom startup logic
+* Extract subdomain from full hostname relative to root domain
+*
+* @example
+* extractSubdomain('api.joemoer.traflabs.io', 'traflabs.io') => 'api.joemoer'
+* extractSubdomain('joemoer.traflabs.io', 'traflabs.io') => 'joemoer'
 */
-function generateDockerEntrypoint() {
-	return `#!/bin/sh
-set -e
-
-# Run any custom startup scripts here
-# Example: wait for database
-# until nc -z $DB_HOST $DB_PORT; do
-#   echo "Waiting for database..."
-#   sleep 1
-# done
-
-# Execute the main command
-exec "$@"
-`;
+function extractSubdomain(hostname, rootDomain) {
+	if (!hostname.endsWith(rootDomain)) throw new Error(`Hostname ${hostname} is not under root domain ${rootDomain}`);
+	const subdomain = hostname.slice(0, -(rootDomain.length + 1));
+	return subdomain || "@";
 }
 /**
-* Resolve Docker configuration from GkmConfig with defaults
+* Generate required DNS records for a deployment
 */
-function resolveDockerConfig$1(config$1) {
-	const docker = config$1.docker ?? {};
-	let defaultImageName = "api";
-	try {
-		const pkg$1 = __require(`${process.cwd()}/package.json`);
-		if (pkg$1.name) defaultImageName = pkg$1.name.replace(/^@[^/]+\//, "");
-	} catch {}
-	return {
-		registry: docker.registry ?? "",
-		imageName: docker.imageName ?? defaultImageName,
-		baseImage: docker.baseImage ?? "node:22-alpine",
-		port: docker.port ?? 3e3,
-		compose: docker.compose
-	};
+function generateRequiredRecords(appHostnames, rootDomain, serverIp) {
+	const records = [];
+	for (const [appName, hostname] of appHostnames) {
+		const subdomain = extractSubdomain(hostname, rootDomain);
+		records.push({
+			hostname,
+			subdomain,
+			type: "A",
+			value: serverIp,
+			appName
+		});
+	}
+	return records;
 }
 /**
-* Generate a Dockerfile for Next.js frontend apps using standalone output.
-* Uses turbo prune for monorepo optimization.
-* @internal Exported for testing
+* Print DNS records table
 */
-function generateNextjsDockerfile(options) {
-	const { baseImage, port, appPath, turboPackage, packageManager, publicUrlArgs = ["NEXT_PUBLIC_API_URL", "NEXT_PUBLIC_AUTH_URL"] } = options;
-	const pm = getPmConfig(packageManager);
-	const installPm = pm.install ? `RUN ${pm.install}` : "";
-	const turboInstallCmd = getTurboInstallCmd(packageManager);
-	const turboCmd = packageManager === "pnpm" ? "pnpm dlx turbo" : "npx turbo";
-	const publicUrlArgDeclarations = publicUrlArgs.map((arg) => `ARG ${arg}=""`).join("\n");
-	const publicUrlEnvDeclarations = publicUrlArgs.map((arg) => `ENV ${arg}=$${arg}`).join("\n");
-	return `# syntax=docker/dockerfile:1
-# Next.js standalone Dockerfile with turbo prune optimization
-
-# Stage 1: Prune monorepo
-FROM ${baseImage} AS pruner
-
-WORKDIR /app
-
-${installPm}
-
-COPY . .
-
-# Prune to only include necessary packages
-RUN ${turboCmd} prune ${turboPackage} --docker
-
-# Stage 2: Install dependencies
-FROM ${baseImage} AS deps
-
-WORKDIR /app
-
-${installPm}
-
-# Copy pruned lockfile and package.jsons
-COPY --from=pruner /app/out/${pm.lockfile} ./
-COPY --from=pruner /app/out/json/ ./
-
-# Install dependencies
-RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
-    ${turboInstallCmd}
-
-# Stage 3: Build
-FROM deps AS builder
-
-WORKDIR /app
-
-# Build-time args for public API URLs (populated by gkm deploy)
-# These get baked into the Next.js build as public environment variables
-${publicUrlArgDeclarations}
-
-# Convert ARGs to ENVs for Next.js build
-${publicUrlEnvDeclarations}
-
-# Copy pruned source
-COPY --from=pruner /app/out/full/ ./
-
-# Copy workspace root configs for turbo builds (turbo prune doesn't include root configs)
-# Using wildcard to make it optional for single-app projects
-COPY --from=pruner /app/tsconfig.* ./
-
-# Ensure public directory exists (may be empty for scaffolded projects)
-RUN mkdir -p ${appPath}/public
-
-# Set Next.js to produce standalone output
-ENV NEXT_TELEMETRY_DISABLED=1
-
-# Build the application
-RUN ${turboCmd} run build --filter=${turboPackage}
-
-# Stage 4: Production
-FROM ${baseImage} AS runner
-
-WORKDIR /app
-
-# Install tini for proper signal handling
-RUN apk add --no-cache tini
-
-# Create non-root user
-RUN addgroup --system --gid 1001 nodejs && \\
-    adduser --system --uid 1001 nextjs
-
-# Set environment
-ENV NODE_ENV=production
-ENV NEXT_TELEMETRY_DISABLED=1
-ENV PORT=${port}
-ENV HOSTNAME="0.0.0.0"
-
-# Copy static files and standalone output
-COPY --from=builder --chown=nextjs:nodejs /app/${appPath}/.next/standalone ./
-COPY --from=builder --chown=nextjs:nodejs /app/${appPath}/.next/static ./${appPath}/.next/static
-COPY --from=builder --chown=nextjs:nodejs /app/${appPath}/public ./${appPath}/public
-
-USER nextjs
+function printDnsRecordsTable(records, rootDomain) {
+	logger$6.log(`\n   📋 DNS Records for ${rootDomain}:`);
+	logger$6.log("   ┌─────────────────────────────────────┬──────┬─────────────────┬────────┐");
+	logger$6.log("   │ Subdomain                           │ Type │ Value           │ Status │");
+	logger$6.log("   ├─────────────────────────────────────┼──────┼─────────────────┼────────┤");
+	for (const record of records) {
+		const subdomain = record.subdomain.padEnd(35);
+		const type$1 = record.type.padEnd(4);
+		const value = record.value.padEnd(15);
+		let status;
+		if (record.error) status = "✗";
+		else if (record.created) status = "✓ new";
+		else if (record.existed) status = "✓";
+		else status = "?";
+		logger$6.log(`   │ ${subdomain} │ ${type$1} │ ${value} │ ${status.padEnd(6)} │`);
+	}
+	logger$6.log("   └─────────────────────────────────────┴──────┴─────────────────┴────────┘");
+}
+/**
+* Print DNS records in a simple format for manual setup
+*/
+function printDnsRecordsSimple(records, rootDomain) {
+	logger$6.log("\n   📋 Required DNS Records:");
+	logger$6.log(`   Add these A records to your DNS provider (${rootDomain}):\n`);
+	for (const record of records) logger$6.log(`   ${record.subdomain}  →  ${record.value}  (A record)`);
+	logger$6.log("");
+}
+/**
+* Prompt for input (reuse from deploy/index.ts pattern)
+*/
+async function promptForToken(message) {
+	const { stdin: stdin$1, stdout: stdout$1 } = await import("node:process");
+	if (!stdin$1.isTTY) throw new Error("Interactive input required for Hostinger token.");
+	stdout$1.write(message);
+	return new Promise((resolve$1) => {
+		let value = "";
+		const onData = (char) => {
+			const c = char.toString();
+			if (c === "\n" || c === "\r") {
+				stdin$1.setRawMode(false);
+				stdin$1.pause();
+				stdin$1.removeListener("data", onData);
+				stdout$1.write("\n");
+				resolve$1(value);
+			} else if (c === "") {
+				stdin$1.setRawMode(false);
+				stdin$1.pause();
+				stdout$1.write("\n");
+				process.exit(1);
+			} else if (c === "" || c === "\b") {
+				if (value.length > 0) value = value.slice(0, -1);
+			} else value += c;
+		};
+		stdin$1.setRawMode(true);
+		stdin$1.resume();
+		stdin$1.on("data", onData);
+	});
+}
+/**
+* Create DNS records using the configured provider
+*/
+async function createDnsRecords(records, dnsConfig) {
+	const { provider, domain: rootDomain, ttl = 300 } = dnsConfig;
+	if (provider === "manual") return records.map((r) => ({
+		...r,
+		created: false,
+		existed: false
+	}));
+	if (provider === "hostinger") return createHostingerRecords(records, rootDomain, ttl);
+	if (provider === "cloudflare") {
+		logger$6.log("   ⚠ Cloudflare DNS integration not yet implemented");
+		return records.map((r) => ({
+			...r,
+			error: "Cloudflare not implemented"
+		}));
+	}
+	return records;
+}
+/**
+* Create DNS records at Hostinger
+*/
+async function createHostingerRecords(records, rootDomain, ttl) {
+	let token = await getHostingerToken();
+	if (!token) {
+		logger$6.log("\n   📋 Hostinger API token not found.");
+		logger$6.log("   Get your token from: https://hpanel.hostinger.com/profile/api\n");
+		try {
+			token = await promptForToken("   Hostinger API Token: ");
+			await storeHostingerToken(token);
+			logger$6.log("   ✓ Token saved");
+		} catch {
+			logger$6.log("   ⚠ Could not get token, skipping DNS creation");
+			return records.map((r) => ({
+				...r,
+				error: "No API token"
+			}));
+		}
+	}
+	const api = new HostingerApi(token);
+	const results = [];
+	let existingRecords = [];
+	try {
+		existingRecords = await api.getRecords(rootDomain);
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger$6.log(`   ⚠ Failed to fetch existing DNS records: ${message}`);
+		return records.map((r) => ({
+			...r,
+			error: message
+		}));
+	}
+	for (const record of records) {
+		const existing = existingRecords.find((r) => r.name === record.subdomain && r.type === "A");
+		if (existing) {
+			results.push({
+				...record,
+				existed: true,
+				created: false
+			});
+			continue;
+		}
+		try {
+			await api.upsertRecords(rootDomain, [{
+				name: record.subdomain,
+				type: "A",
+				ttl,
+				records: [{ content: record.value }]
+			}]);
+			results.push({
+				...record,
+				created: true,
+				existed: false
+			});
+		} catch (error) {
+			const message = error instanceof Error ? error.message : "Unknown error";
+			results.push({
+				...record,
+				error: message
+			});
+		}
+	}
+	return results;
+}
+/**
+* Main DNS orchestration function for deployments
+*/
+async function orchestrateDns(appHostnames, dnsConfig, dokployEndpoint) {
+	if (!dnsConfig) return null;
+	const { domain: rootDomain, autoCreate = true } = dnsConfig;
+	logger$6.log("\n🌐 Setting up DNS records...");
+	let serverIp;
+	try {
+		const endpointUrl = new URL(dokployEndpoint);
+		serverIp = await resolveHostnameToIp(endpointUrl.hostname);
+		logger$6.log(`   Server IP: ${serverIp} (from ${endpointUrl.hostname})`);
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger$6.log(`   ⚠ Failed to resolve server IP: ${message}`);
+		return null;
+	}
+	const requiredRecords = generateRequiredRecords(appHostnames, rootDomain, serverIp);
+	if (requiredRecords.length === 0) {
+		logger$6.log("   No DNS records needed");
+		return {
+			records: [],
+			success: true,
+			serverIp
+		};
+	}
+	let finalRecords;
+	if (autoCreate && dnsConfig.provider !== "manual") {
+		logger$6.log(`   Creating DNS records at ${dnsConfig.provider}...`);
+		finalRecords = await createDnsRecords(requiredRecords, dnsConfig);
+		const created = finalRecords.filter((r) => r.created).length;
+		const existed = finalRecords.filter((r) => r.existed).length;
+		const failed = finalRecords.filter((r) => r.error).length;
+		if (created > 0) logger$6.log(`   ✓ Created ${created} DNS record(s)`);
+		if (existed > 0) logger$6.log(`   ✓ ${existed} record(s) already exist`);
+		if (failed > 0) logger$6.log(`   ⚠ ${failed} record(s) failed`);
+	} else finalRecords = requiredRecords;
+	printDnsRecordsTable(finalRecords, rootDomain);
+	const hasFailures = finalRecords.some((r) => r.error);
+	if (dnsConfig.provider === "manual" || hasFailures) printDnsRecordsSimple(finalRecords.filter((r) => !r.created && !r.existed), rootDomain);
+	return {
+		records: finalRecords,
+		success: !hasFailures,
+		serverIp
+	};
+}
+/**
+* Verify DNS records resolve correctly after deployment.
+*
+* This function:
+* 1. Checks state for previously verified hostnames (skips if already verified with same IP)
+* 2. Attempts to resolve each hostname to an IP
+* 3. Compares resolved IP with expected server IP
+* 4. Updates state with verification results
+*
+* @param appHostnames - Map of app names to hostnames
+* @param serverIp - Expected IP address the hostnames should resolve to
+* @param state - Deploy state for caching verification results
+* @returns Array of verification results
+*/
+async function verifyDnsRecords(appHostnames, serverIp, state) {
+	const results = [];
+	logger$6.log("\n🔍 Verifying DNS records...");
+	for (const [appName, hostname] of appHostnames) {
+		if (isDnsVerified(state, hostname, serverIp)) {
+			logger$6.log(`   ✓ ${hostname} (previously verified)`);
+			results.push({
+				hostname,
+				appName,
+				verified: true,
+				expectedIp: serverIp,
+				skipped: true
+			});
+			continue;
+		}
+		try {
+			const resolvedIp = await resolveHostnameToIp(hostname);
+			if (resolvedIp === serverIp) {
+				setDnsVerification(state, hostname, serverIp);
+				logger$6.log(`   ✓ ${hostname} → ${resolvedIp}`);
+				results.push({
+					hostname,
+					appName,
+					verified: true,
+					resolvedIp,
+					expectedIp: serverIp
+				});
+			} else {
+				logger$6.log(`   ⚠ ${hostname} resolves to ${resolvedIp}, expected ${serverIp}`);
+				results.push({
+					hostname,
+					appName,
+					verified: false,
+					resolvedIp,
+					expectedIp: serverIp
+				});
+			}
+		} catch (error) {
+			const message = error instanceof Error ? error.message : "Unknown error";
+			logger$6.log(`   ⚠ ${hostname} DNS not propagated (${message})`);
+			results.push({
+				hostname,
+				appName,
+				verified: false,
+				expectedIp: serverIp,
+				error: message
+			});
+		}
+	}
+	const verified = results.filter((r) => r.verified).length;
+	const skipped = results.filter((r) => r.skipped).length;
+	const pending = results.filter((r) => !r.verified).length;
+	if (pending > 0) {
+		logger$6.log(`\n   ${verified} verified, ${pending} pending propagation`);
+		logger$6.log("   DNS changes may take 5-30 minutes to propagate");
+	} else if (skipped > 0) logger$6.log(`   ${verified} verified (${skipped} from cache)`);
+	return results;
+}
 
-EXPOSE ${port}
+//#endregion
+//#region src/docker/compose.ts
+/** Default Docker images for services */
+const DEFAULT_SERVICE_IMAGES = {
+	postgres: "postgres",
+	redis: "redis",
+	rabbitmq: "rabbitmq"
+};
+/** Default Docker image versions for services */
+const DEFAULT_SERVICE_VERSIONS = {
+	postgres: "16-alpine",
+	redis: "7-alpine",
+	rabbitmq: "3-management-alpine"
+};
+/** Get the default full image reference for a service */
+function getDefaultImage(serviceName) {
+	return `${DEFAULT_SERVICE_IMAGES[serviceName]}:${DEFAULT_SERVICE_VERSIONS[serviceName]}`;
+}
+/** Normalize services config to a consistent format - returns Map of service name to full image reference */
+function normalizeServices(services) {
+	const result = /* @__PURE__ */ new Map();
+	if (Array.isArray(services)) for (const name$1 of services) result.set(name$1, getDefaultImage(name$1));
+	else for (const [name$1, config$1] of Object.entries(services)) {
+		const serviceName = name$1;
+		if (config$1 === true) result.set(serviceName, getDefaultImage(serviceName));
+		else if (config$1 && typeof config$1 === "object") {
+			const serviceConfig = config$1;
+			if (serviceConfig.image) result.set(serviceName, serviceConfig.image);
+			else {
+				const version$1 = serviceConfig.version ?? DEFAULT_SERVICE_VERSIONS[serviceName];
+				result.set(serviceName, `${DEFAULT_SERVICE_IMAGES[serviceName]}:${version$1}`);
+			}
+		}
+	}
+	return result;
+}
+/**
+* Generate docker-compose.yml for production deployment
+*/
+function generateDockerCompose(options) {
+	const { imageName, registry, port, healthCheckPath, services } = options;
+	const serviceMap = normalizeServices(services);
+	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : "";
+	let yaml = `version: '3.8'
 
-ENTRYPOINT ["/sbin/tini", "--"]
-CMD ["node", "${appPath}/server.js"]
+services:
+  api:
+    build:
+      context: ../..
+      dockerfile: .gkm/docker/Dockerfile
+    image: ${imageRef}\${IMAGE_NAME:-${imageName}}:\${TAG:-latest}
+    container_name: ${imageName}
+    restart: unless-stopped
+    ports:
+      - "\${PORT:-${port}}:${port}"
+    environment:
+      - NODE_ENV=production
+`;
+	if (serviceMap.has("postgres")) yaml += `      - DATABASE_URL=\${DATABASE_URL:-postgresql://postgres:postgres@postgres:5432/app}
+`;
+	if (serviceMap.has("redis")) yaml += `      - REDIS_URL=\${REDIS_URL:-redis://redis:6379}
+`;
+	if (serviceMap.has("rabbitmq")) yaml += `      - RABBITMQ_URL=\${RABBITMQ_URL:-amqp://rabbitmq:5672}
+`;
+	yaml += `    healthcheck:
+      test: ["CMD", "wget", "-q", "--spider", "http://localhost:${port}${healthCheckPath}"]
+      interval: 30s
+      timeout: 3s
+      retries: 3
+`;
+	if (serviceMap.size > 0) {
+		yaml += `    depends_on:
+`;
+		for (const serviceName of serviceMap.keys()) yaml += `      ${serviceName}:
+        condition: service_healthy
+`;
+	}
+	yaml += `    networks:
+      - app-network
+`;
+	const postgresImage = serviceMap.get("postgres");
+	if (postgresImage) yaml += `
+  postgres:
+    image: ${postgresImage}
+    container_name: postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: \${POSTGRES_USER:-postgres}
+      POSTGRES_PASSWORD: \${POSTGRES_PASSWORD:-postgres}
+      POSTGRES_DB: \${POSTGRES_DB:-app}
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    networks:
+      - app-network
+`;
+	const redisImage = serviceMap.get("redis");
+	if (redisImage) yaml += `
+  redis:
+    image: ${redisImage}
+    container_name: redis
+    restart: unless-stopped
+    volumes:
+      - redis_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    networks:
+      - app-network
+`;
+	const rabbitmqImage = serviceMap.get("rabbitmq");
+	if (rabbitmqImage) yaml += `
+  rabbitmq:
+    image: ${rabbitmqImage}
+    container_name: rabbitmq
+    restart: unless-stopped
+    environment:
+      RABBITMQ_DEFAULT_USER: \${RABBITMQ_USER:-guest}
+      RABBITMQ_DEFAULT_PASS: \${RABBITMQ_PASSWORD:-guest}
+    ports:
+      - "15672:15672"  # Management UI
+    volumes:
+      - rabbitmq_data:/var/lib/rabbitmq
+    healthcheck:
+      test: ["CMD", "rabbitmq-diagnostics", "-q", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - app-network
+`;
+	yaml += `
+volumes:
+`;
+	if (serviceMap.has("postgres")) yaml += `  postgres_data:
+`;
+	if (serviceMap.has("redis")) yaml += `  redis_data:
+`;
+	if (serviceMap.has("rabbitmq")) yaml += `  rabbitmq_data:
+`;
+	yaml += `
+networks:
+  app-network:
+    driver: bridge
 `;
+	return yaml;
 }
 /**
-* Generate a Dockerfile for backend apps in a workspace.
-* Uses turbo prune for monorepo optimization.
-* @internal Exported for testing
+* Generate a minimal docker-compose.yml for API only
 */
-function generateBackendDockerfile(options) {
-	const { baseImage, port, appPath, turboPackage, packageManager, healthCheckPath = "/health" } = options;
-	const pm = getPmConfig(packageManager);
-	const installPm = pm.install ? `RUN ${pm.install}` : "";
-	const turboInstallCmd = getTurboInstallCmd(packageManager);
-	const turboCmd = packageManager === "pnpm" ? "pnpm dlx turbo" : "npx turbo";
-	return `# syntax=docker/dockerfile:1
-# Backend Dockerfile with turbo prune optimization
-
-# Stage 1: Prune monorepo
-FROM ${baseImage} AS pruner
-
-WORKDIR /app
-
-${installPm}
-
-COPY . .
-
-# Prune to only include necessary packages
-RUN ${turboCmd} prune ${turboPackage} --docker
-
-# Stage 2: Install dependencies
-FROM ${baseImage} AS deps
-
-WORKDIR /app
-
-${installPm}
-
-# Copy pruned lockfile and package.jsons
-COPY --from=pruner /app/out/${pm.lockfile} ./
-COPY --from=pruner /app/out/json/ ./
-
-# Install dependencies
-RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
-    ${turboInstallCmd}
-
-# Stage 3: Build
-FROM deps AS builder
-
-WORKDIR /app
-
-# Build-time args for encrypted secrets
-ARG GKM_ENCRYPTED_CREDENTIALS=""
-ARG GKM_CREDENTIALS_IV=""
-
-# Copy pruned source
-COPY --from=pruner /app/out/full/ ./
-
-# Copy workspace root configs for turbo builds (turbo prune doesn't include root configs)
-# Using wildcard to make it optional for single-app projects
-COPY --from=pruner /app/gkm.config.* ./
-COPY --from=pruner /app/tsconfig.* ./
-
-# Write encrypted credentials for gkm build to embed
-RUN if [ -n "$GKM_ENCRYPTED_CREDENTIALS" ]; then \
-      mkdir -p ${appPath}/.gkm && \
-      echo "$GKM_ENCRYPTED_CREDENTIALS" > ${appPath}/.gkm/credentials.enc && \
-      echo "$GKM_CREDENTIALS_IV" > ${appPath}/.gkm/credentials.iv; \
-    fi
-
-# Build production server using gkm
-RUN cd ${appPath} && ./node_modules/.bin/gkm build --provider server --production
-
-# Stage 4: Production
-FROM ${baseImage} AS runner
-
-WORKDIR /app
-
-RUN apk add --no-cache tini
-
-RUN addgroup --system --gid 1001 nodejs && \\
-    adduser --system --uid 1001 hono
-
-# Copy bundled server
-COPY --from=builder --chown=hono:nodejs /app/${appPath}/.gkm/server/dist/server.mjs ./
-
-ENV NODE_ENV=production
-ENV PORT=${port}
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \\
-  CMD wget -qO- http://localhost:${port}${healthCheckPath} > /dev/null 2>&1 || exit 1
-
-USER hono
+function generateMinimalDockerCompose(options) {
+	const { imageName, registry, port, healthCheckPath } = options;
+	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : "";
+	return `version: '3.8'
 
-EXPOSE ${port}
+services:
+  api:
+    build:
+      context: ../..
+      dockerfile: .gkm/docker/Dockerfile
+    image: ${imageRef}\${IMAGE_NAME:-${imageName}}:\${TAG:-latest}
+    container_name: ${imageName}
+    restart: unless-stopped
+    ports:
+      - "\${PORT:-${port}}:${port}"
+    environment:
+      - NODE_ENV=production
+    healthcheck:
+      test: ["CMD", "wget", "-q", "--spider", "http://localhost:${port}${healthCheckPath}"]
+      interval: 30s
+      timeout: 3s
+      retries: 3
+    networks:
+      - app-network
 
-ENTRYPOINT ["/sbin/tini", "--"]
-CMD ["node", "server.mjs"]
+networks:
+  app-network:
+    driver: bridge
 `;
 }
 /**
-* Generate a Dockerfile for apps with a custom entry point.
-* Uses esbuild to bundle the entry point into dist/index.mjs with all dependencies.
-* This is used for apps that don't use gkm routes (e.g., Better Auth servers).
+* Generate docker-compose.yml for a workspace with all apps as services.
+* Apps can communicate with each other via service names.
 * @internal Exported for testing
 */
-function generateEntryDockerfile(options) {
-	const { baseImage, port, appPath, entry, turboPackage, packageManager, healthCheckPath = "/health" } = options;
-	const pm = getPmConfig(packageManager);
-	const installPm = pm.install ? `RUN ${pm.install}` : "";
-	const turboInstallCmd = getTurboInstallCmd(packageManager);
-	const turboCmd = packageManager === "pnpm" ? "pnpm dlx turbo" : "npx turbo";
-	return `# syntax=docker/dockerfile:1
-# Entry-based Dockerfile with turbo prune + tsdown bundling
-
-# Stage 1: Prune monorepo
-FROM ${baseImage} AS pruner
-
-WORKDIR /app
-
-${installPm}
-
-COPY . .
-
-# Prune to only include necessary packages
-RUN ${turboCmd} prune ${turboPackage} --docker
-
-# Stage 2: Install dependencies
-FROM ${baseImage} AS deps
-
-WORKDIR /app
-
-${installPm}
-
-# Copy pruned lockfile and package.jsons
-COPY --from=pruner /app/out/${pm.lockfile} ./
-COPY --from=pruner /app/out/json/ ./
-
-# Install dependencies
-RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
-    ${turboInstallCmd}
-
-# Stage 3: Build with tsdown
-FROM deps AS builder
-
-WORKDIR /app
-
-# Build-time args for encrypted secrets
-ARG GKM_ENCRYPTED_CREDENTIALS=""
-ARG GKM_CREDENTIALS_IV=""
-
-# Copy pruned source
-COPY --from=pruner /app/out/full/ ./
-
-# Copy workspace root configs for turbo builds (turbo prune doesn't include root configs)
-# Using wildcard to make it optional for single-app projects
-COPY --from=pruner /app/tsconfig.* ./
-
-# Write encrypted credentials for tsdown to embed via define
-RUN if [ -n "$GKM_ENCRYPTED_CREDENTIALS" ]; then \
-      mkdir -p ${appPath}/.gkm && \
-      echo "$GKM_ENCRYPTED_CREDENTIALS" > ${appPath}/.gkm/credentials.enc && \
-      echo "$GKM_CREDENTIALS_IV" > ${appPath}/.gkm/credentials.iv; \
-    fi
-
-# Bundle entry point with esbuild (outputs to dist/index.mjs)
-# Creates a fully standalone bundle with all dependencies included
-# Use define to embed credentials if present
-RUN cd ${appPath} && \
-    if [ -f .gkm/credentials.enc ]; then \
-      CREDS=$(cat .gkm/credentials.enc) && \
-      IV=$(cat .gkm/credentials.iv) && \
-      npx esbuild ${entry} --bundle --platform=node --target=node22 --format=esm \
-        --outfile=dist/index.mjs --packages=bundle \
-        --banner:js='import { createRequire } from "module"; const require = createRequire(import.meta.url);' \
-        --define:__GKM_ENCRYPTED_CREDENTIALS__="'\\"$CREDS\\"'" \
-        --define:__GKM_CREDENTIALS_IV__="'\\"$IV\\"'"; \
-    else \
-      npx esbuild ${entry} --bundle --platform=node --target=node22 --format=esm \
-        --outfile=dist/index.mjs --packages=bundle \
-        --banner:js='import { createRequire } from "module"; const require = createRequire(import.meta.url);'; \
-    fi
-
-# Stage 4: Production
-FROM ${baseImage} AS runner
-
-WORKDIR /app
-
-RUN apk add --no-cache tini
-
-RUN addgroup --system --gid 1001 nodejs && \\
-    adduser --system --uid 1001 app
-
-# Copy bundled output only (no node_modules needed - fully bundled)
-COPY --from=builder --chown=app:nodejs /app/${appPath}/dist/index.mjs ./
-
-ENV NODE_ENV=production
-ENV PORT=${port}
-
-HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \\
-  CMD wget -qO- http://localhost:${port}${healthCheckPath} > /dev/null 2>&1 || exit 1
-
-USER app
-
-EXPOSE ${port}
+function generateWorkspaceCompose(workspace, options = {}) {
+	const { registry } = options;
+	const apps = Object.entries(workspace.apps);
+	const services = workspace.services;
+	const hasPostgres = services.db !== void 0 && services.db !== false;
+	const hasRedis = services.cache !== void 0 && services.cache !== false;
+	const hasMail = services.mail !== void 0 && services.mail !== false;
+	const postgresImage = getInfraServiceImage("postgres", services.db);
+	const redisImage = getInfraServiceImage("redis", services.cache);
+	let yaml = `# Docker Compose for ${workspace.name} workspace
+# Generated by gkm - do not edit manually
 
-ENTRYPOINT ["/sbin/tini", "--"]
-CMD ["node", "index.mjs"]
+services:
+`;
+	for (const [appName, app] of apps) yaml += generateAppService(appName, app, apps, {
+		registry,
+		hasPostgres,
+		hasRedis
+	});
+	if (hasPostgres) yaml += `
+  postgres:
+    image: ${postgresImage}
+    container_name: ${workspace.name}-postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: \${POSTGRES_USER:-postgres}
+      POSTGRES_PASSWORD: \${POSTGRES_PASSWORD:-postgres}
+      POSTGRES_DB: \${POSTGRES_DB:-app}
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    networks:
+      - workspace-network
+`;
+	if (hasRedis) yaml += `
+  redis:
+    image: ${redisImage}
+    container_name: ${workspace.name}-redis
+    restart: unless-stopped
+    volumes:
+      - redis_data:/data
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    networks:
+      - workspace-network
+`;
+	if (hasMail) yaml += `
+  mailpit:
+    image: axllent/mailpit:latest
+    container_name: ${workspace.name}-mailpit
+    restart: unless-stopped
+    ports:
+      - "8025:8025"  # Web UI
+      - "1025:1025"  # SMTP
+    networks:
+      - workspace-network
+`;
+	yaml += `
+volumes:
 `;
+	if (hasPostgres) yaml += `  postgres_data:
+`;
+	if (hasRedis) yaml += `  redis_data:
+`;
+	yaml += `
+networks:
+  workspace-network:
+    driver: bridge
+`;
+	return yaml;
 }
-
-//#endregion
-//#region src/docker/index.ts
-const logger$6 = console;
 /**
-* Docker command implementation
-* Generates Dockerfile, docker-compose.yml, and related files
-*
-* Default: Multi-stage Dockerfile that builds from source inside Docker
-* --slim: Slim Dockerfile that copies pre-built bundle (requires prior build)
+* Get infrastructure service image with version.
 */
-async function dockerCommand(options) {
-	const loadedConfig = await loadWorkspaceConfig();
-	if (loadedConfig.type === "workspace") {
-		logger$6.log("📦 Detected workspace configuration");
-		return workspaceDockerCommand(loadedConfig.workspace, options);
+function getInfraServiceImage(serviceName, config$1) {
+	const defaults = {
+		postgres: "postgres:16-alpine",
+		redis: "redis:7-alpine"
+	};
+	if (!config$1 || config$1 === true) return defaults[serviceName];
+	if (typeof config$1 === "object") {
+		if (config$1.image) return config$1.image;
+		if (config$1.version) {
+			const baseImage = serviceName === "postgres" ? "postgres" : "redis";
+			return `${baseImage}:${config$1.version}`;
+		}
 	}
-	const config$1 = await loadConfig();
-	const dockerConfig = resolveDockerConfig$1(config$1);
-	const serverConfig = typeof config$1.providers?.server === "object" ? config$1.providers.server : void 0;
-	const healthCheckPath = serverConfig?.production?.healthCheck ?? "/health";
-	const useSlim = options.slim === true;
-	if (useSlim) {
-		const distDir = join(process.cwd(), ".gkm", "server", "dist");
-		const hasBuild = existsSync(join(distDir, "server.mjs"));
-		if (!hasBuild) throw new Error("Slim Dockerfile requires a pre-built bundle. Run `gkm build --provider server --production` first, or omit --slim to use multi-stage build.");
+	return defaults[serviceName];
+}
+/**
+* Generate a service definition for an app.
+*/
+function generateAppService(appName, app, allApps, options) {
+	const { registry, hasPostgres, hasRedis } = options;
+	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : "";
+	const healthCheckPath = app.type === "frontend" ? "/" : "/health";
+	const healthCheckCmd = app.type === "frontend" ? `["CMD", "wget", "-q", "--spider", "http://localhost:${app.port}/"]` : `["CMD", "wget", "-q", "--spider", "http://localhost:${app.port}${healthCheckPath}"]`;
+	let yaml = `
+  ${appName}:
+    build:
+      context: .
+      dockerfile: .gkm/docker/Dockerfile.${appName}
+    image: ${imageRef}\${${appName.toUpperCase()}_IMAGE:-${appName}}:\${TAG:-latest}
+    container_name: ${appName}
+    restart: unless-stopped
+    ports:
+      - "\${${appName.toUpperCase()}_PORT:-${app.port}}:${app.port}"
+    environment:
+      - NODE_ENV=production
+      - PORT=${app.port}
+`;
+	for (const dep of app.dependencies) {
+		const depApp = allApps.find(([name$1]) => name$1 === dep)?.[1];
+		if (depApp) yaml += `      - ${dep.toUpperCase()}_URL=http://${dep}:${depApp.port}
+`;
 	}
-	const dockerDir = join(process.cwd(), ".gkm", "docker");
-	await mkdir(dockerDir, { recursive: true });
-	const packageManager = detectPackageManager$1();
-	const inMonorepo = isMonorepo();
-	const hasTurbo = hasTurboConfig();
-	let useTurbo = options.turbo ?? false;
-	if (inMonorepo && !useSlim) if (hasTurbo) {
-		useTurbo = true;
-		logger$6.log("   Detected monorepo with turbo.json - using turbo prune");
-	} else throw new Error("Monorepo detected but turbo.json not found.\n\nDocker builds in monorepos require Turborepo for proper dependency isolation.\n\nTo fix this:\n  1. Install turbo: pnpm add -Dw turbo\n  2. Create turbo.json in your monorepo root\n  3. Run this command again\n\nSee: https://turbo.build/repo/docs/guides/tools/docker");
-	let turboPackage = options.turboPackage ?? dockerConfig.imageName;
-	if (useTurbo && !options.turboPackage) try {
-		const pkg$1 = __require(`${process.cwd()}/package.json`);
-		if (pkg$1.name) {
-			turboPackage = pkg$1.name;
-			logger$6.log(`   Turbo package: ${turboPackage}`);
-		}
-	} catch {}
-	const templateOptions = {
-		imageName: dockerConfig.imageName,
-		baseImage: dockerConfig.baseImage,
-		port: dockerConfig.port,
-		healthCheckPath,
-		prebuilt: useSlim,
-		turbo: useTurbo,
-		turboPackage,
-		packageManager
-	};
-	const dockerfile = useSlim ? generateSlimDockerfile(templateOptions) : generateMultiStageDockerfile(templateOptions);
-	const dockerMode = useSlim ? "slim" : useTurbo ? "turbo" : "multi-stage";
-	const dockerfilePath = join(dockerDir, "Dockerfile");
-	await writeFile(dockerfilePath, dockerfile);
-	logger$6.log(`Generated: .gkm/docker/Dockerfile (${dockerMode}, ${packageManager})`);
-	const composeOptions = {
-		imageName: dockerConfig.imageName,
-		registry: options.registry ?? dockerConfig.registry,
-		port: dockerConfig.port,
-		healthCheckPath,
-		services: dockerConfig.compose?.services ?? {}
-	};
-	const hasServices = Array.isArray(composeOptions.services) ? composeOptions.services.length > 0 : Object.keys(composeOptions.services).length > 0;
-	const dockerCompose = hasServices ? generateDockerCompose(composeOptions) : generateMinimalDockerCompose(composeOptions);
-	const composePath = join(dockerDir, "docker-compose.yml");
-	await writeFile(composePath, dockerCompose);
-	logger$6.log("Generated: .gkm/docker/docker-compose.yml");
-	const dockerignore = generateDockerignore();
-	const dockerignorePath = join(process.cwd(), ".dockerignore");
-	await writeFile(dockerignorePath, dockerignore);
-	logger$6.log("Generated: .dockerignore (project root)");
-	const entrypoint = generateDockerEntrypoint();
-	const entrypointPath = join(dockerDir, "docker-entrypoint.sh");
-	await writeFile(entrypointPath, entrypoint);
-	logger$6.log("Generated: .gkm/docker/docker-entrypoint.sh");
-	const result = {
-		dockerfile: dockerfilePath,
-		dockerCompose: composePath,
-		dockerignore: dockerignorePath,
-		entrypoint: entrypointPath
-	};
-	if (options.build) await buildDockerImage(dockerConfig.imageName, options);
-	if (options.push) await pushDockerImage(dockerConfig.imageName, options);
-	return result;
+	if (app.type === "backend") {
+		if (hasPostgres) yaml += `      - DATABASE_URL=\${DATABASE_URL:-postgresql://postgres:postgres@postgres:5432/app}
+`;
+		if (hasRedis) yaml += `      - REDIS_URL=\${REDIS_URL:-redis://redis:6379}
+`;
+	}
+	yaml += `    healthcheck:
+      test: ${healthCheckCmd}
+      interval: 30s
+      timeout: 3s
+      retries: 3
+`;
+	const dependencies$1 = [...app.dependencies];
+	if (app.type === "backend") {
+		if (hasPostgres) dependencies$1.push("postgres");
+		if (hasRedis) dependencies$1.push("redis");
+	}
+	if (dependencies$1.length > 0) {
+		yaml += `    depends_on:
+`;
+		for (const dep of dependencies$1) yaml += `      ${dep}:
+        condition: service_healthy
+`;
+	}
+	yaml += `    networks:
+      - workspace-network
+`;
+	return yaml;
 }
+
+//#endregion
+//#region src/docker/templates.ts
+const LOCKFILES = [
+	["pnpm-lock.yaml", "pnpm"],
+	["bun.lockb", "bun"],
+	["yarn.lock", "yarn"],
+	["package-lock.json", "npm"]
+];
 /**
-* Ensure lockfile exists in the build context
-* For monorepos, copies from workspace root if needed
-* Returns cleanup function if file was copied
+* Detect package manager from lockfiles
+* Walks up the directory tree to find lockfile (for monorepos)
 */
-function ensureLockfile(cwd) {
-	const lockfilePath = findLockfilePath(cwd);
-	if (!lockfilePath) {
-		logger$6.warn("\n⚠️  No lockfile found. Docker build may fail or use stale dependencies.");
-		return null;
+function detectPackageManager$1(cwd = process.cwd()) {
+	let dir = cwd;
+	const root = parse(dir).root;
+	while (dir !== root) {
+		for (const [lockfile, pm] of LOCKFILES) if (existsSync(join(dir, lockfile))) return pm;
+		dir = dirname(dir);
 	}
-	const lockfileName = basename(lockfilePath);
-	const localLockfile = join(cwd, lockfileName);
-	if (lockfilePath === localLockfile) return null;
-	logger$6.log(`   Copying ${lockfileName} from monorepo root...`);
-	copyFileSync(lockfilePath, localLockfile);
-	return () => {
-		try {
-			unlinkSync(localLockfile);
-		} catch {}
-	};
+	for (const [lockfile, pm] of LOCKFILES) if (existsSync(join(root, lockfile))) return pm;
+	return "pnpm";
 }
 /**
-* Build Docker image
-* Uses BuildKit for cache mount support
+* Find the lockfile path by walking up the directory tree
+* Returns the full path to the lockfile, or null if not found
 */
-async function buildDockerImage(imageName, options) {
-	const tag = options.tag ?? "latest";
-	const registry = options.registry;
-	const fullImageName = registry ? `${registry}/${imageName}:${tag}` : `${imageName}:${tag}`;
-	logger$6.log(`\n🐳 Building Docker image: ${fullImageName}`);
-	const cwd = process.cwd();
-	const cleanup = ensureLockfile(cwd);
-	try {
-		execSync(`DOCKER_BUILDKIT=1 docker build -f .gkm/docker/Dockerfile -t ${fullImageName} .`, {
-			cwd,
-			stdio: "inherit",
-			env: {
-				...process.env,
-				DOCKER_BUILDKIT: "1"
-			}
-		});
-		logger$6.log(`✅ Docker image built: ${fullImageName}`);
-	} catch (error) {
-		throw new Error(`Failed to build Docker image: ${error instanceof Error ? error.message : "Unknown error"}`);
-	} finally {
-		cleanup?.();
+function findLockfilePath(cwd = process.cwd()) {
+	let dir = cwd;
+	const root = parse(dir).root;
+	while (dir !== root) {
+		for (const [lockfile] of LOCKFILES) {
+			const lockfilePath = join(dir, lockfile);
+			if (existsSync(lockfilePath)) return lockfilePath;
+		}
+		dir = dirname(dir);
 	}
+	for (const [lockfile] of LOCKFILES) {
+		const lockfilePath = join(root, lockfile);
+		if (existsSync(lockfilePath)) return lockfilePath;
+	}
+	return null;
 }
 /**
-* Push Docker image to registry
+* Check if we're in a monorepo (lockfile is in a parent directory)
 */
-async function pushDockerImage(imageName, options) {
-	const tag = options.tag ?? "latest";
-	const registry = options.registry;
-	if (!registry) throw new Error("Registry is required to push Docker image. Use --registry or configure docker.registry in gkm.config.ts");
-	const fullImageName = `${registry}/${imageName}:${tag}`;
-	logger$6.log(`\n🚀 Pushing Docker image: ${fullImageName}`);
-	try {
-		execSync(`docker push ${fullImageName}`, {
-			cwd: process.cwd(),
-			stdio: "inherit"
-		});
-		logger$6.log(`✅ Docker image pushed: ${fullImageName}`);
-	} catch (error) {
-		throw new Error(`Failed to push Docker image: ${error instanceof Error ? error.message : "Unknown error"}`);
-	}
+function isMonorepo(cwd = process.cwd()) {
+	const lockfilePath = findLockfilePath(cwd);
+	if (!lockfilePath) return false;
+	const lockfileDir = dirname(lockfilePath);
+	return lockfileDir !== cwd;
 }
 /**
-* Get the package name from package.json in an app directory.
+* Check if turbo.json exists (walks up directory tree)
 */
-function getAppPackageName(appPath) {
-	try {
-		const pkgPath = join(appPath, "package.json");
-		if (!existsSync(pkgPath)) return void 0;
-		const content = readFileSync(pkgPath, "utf-8");
-		const pkg$1 = JSON.parse(content);
-		return pkg$1.name;
-	} catch {
-		return void 0;
+function hasTurboConfig(cwd = process.cwd()) {
+	let dir = cwd;
+	const root = parse(dir).root;
+	while (dir !== root) {
+		if (existsSync(join(dir, "turbo.json"))) return true;
+		dir = dirname(dir);
 	}
+	return existsSync(join(root, "turbo.json"));
 }
 /**
-* Generate Dockerfiles for all apps in a workspace.
-* @internal Exported for testing
+* Get install command for turbo builds (without frozen lockfile)
+* Turbo prune creates a subset that may not perfectly match the lockfile
 */
-async function workspaceDockerCommand(workspace, options) {
-	const results = [];
-	const apps = Object.entries(workspace.apps);
-	logger$6.log(`\n🐳 Generating Dockerfiles for workspace: ${workspace.name}`);
-	const dockerDir = join(workspace.root, ".gkm", "docker");
-	await mkdir(dockerDir, { recursive: true });
-	const packageManager = detectPackageManager$1(workspace.root);
-	logger$6.log(`   Package manager: ${packageManager}`);
-	for (const [appName, app] of apps) {
-		const appPath = app.path;
-		const fullAppPath = join(workspace.root, appPath);
-		const turboPackage = getAppPackageName(fullAppPath) ?? appName;
-		const imageName = appName;
-		const hasEntry = !!app.entry;
-		const buildType = hasEntry ? "entry" : app.type;
-		logger$6.log(`\n   📄 Generating Dockerfile for ${appName} (${buildType})`);
-		let dockerfile;
-		if (app.type === "frontend") dockerfile = generateNextjsDockerfile({
-			imageName,
-			baseImage: "node:22-alpine",
-			port: app.port,
-			appPath,
-			turboPackage,
-			packageManager
-		});
-		else if (app.entry) dockerfile = generateEntryDockerfile({
-			imageName,
-			baseImage: "node:22-alpine",
-			port: app.port,
-			appPath,
-			entry: app.entry,
-			turboPackage,
-			packageManager,
-			healthCheckPath: "/health"
-		});
-		else dockerfile = generateBackendDockerfile({
-			imageName,
-			baseImage: "node:22-alpine",
-			port: app.port,
-			appPath,
-			turboPackage,
-			packageManager,
-			healthCheckPath: "/health"
-		});
-		const dockerfilePath = join(dockerDir, `Dockerfile.${appName}`);
-		await writeFile(dockerfilePath, dockerfile);
-		logger$6.log(`      Generated: .gkm/docker/Dockerfile.${appName}`);
-		results.push({
-			appName,
-			type: app.type,
-			dockerfile: dockerfilePath,
-			imageName
-		});
-	}
-	const dockerignore = generateDockerignore();
-	const dockerignorePath = join(workspace.root, ".dockerignore");
-	await writeFile(dockerignorePath, dockerignore);
-	logger$6.log(`\n   Generated: .dockerignore (workspace root)`);
-	const dockerCompose = generateWorkspaceCompose(workspace, { registry: options.registry });
-	const composePath = join(dockerDir, "docker-compose.yml");
-	await writeFile(composePath, dockerCompose);
-	logger$6.log(`   Generated: .gkm/docker/docker-compose.yml`);
-	logger$6.log(`\n✅ Generated ${results.length} Dockerfile(s) + docker-compose.yml`);
-	logger$6.log("\n📋 Build commands:");
-	for (const result of results) {
-		const icon = result.type === "backend" ? "⚙️" : "🌐";
-		logger$6.log(`   ${icon} docker build -f .gkm/docker/Dockerfile.${result.appName} -t ${result.imageName} .`);
-	}
-	logger$6.log("\n📋 Run all services:");
-	logger$6.log("   docker compose -f .gkm/docker/docker-compose.yml up --build");
-	return {
-		apps: results,
-		dockerCompose: composePath,
-		dockerignore: dockerignorePath
+function getTurboInstallCmd(pm) {
+	const commands = {
+		pnpm: "pnpm install",
+		npm: "npm install",
+		yarn: "yarn install",
+		bun: "bun install"
 	};
+	return commands[pm];
 }
-
-//#endregion
-//#region src/deploy/docker.ts
 /**
-* Get app name from package.json in the current working directory
-* Used for Dokploy app/project naming
+* Get package manager specific commands and paths
 */
-function getAppNameFromCwd$1() {
-	const packageJsonPath = join(process.cwd(), "package.json");
-	if (!existsSync(packageJsonPath)) return void 0;
-	try {
-		const pkg$1 = JSON.parse(readFileSync(packageJsonPath, "utf-8"));
-		if (pkg$1.name) return pkg$1.name.replace(/^@[^/]+\//, "");
-	} catch {}
-	return void 0;
+function getPmConfig(pm) {
+	const configs = {
+		pnpm: {
+			install: "corepack enable && corepack prepare pnpm@latest --activate",
+			lockfile: "pnpm-lock.yaml",
+			fetch: "pnpm fetch",
+			installCmd: "pnpm install --frozen-lockfile --offline",
+			cacheTarget: "/root/.local/share/pnpm/store",
+			cacheId: "pnpm",
+			run: "pnpm",
+			exec: "pnpm exec",
+			dlx: "pnpm dlx",
+			addGlobal: "pnpm add -g"
+		},
+		npm: {
+			install: "",
+			lockfile: "package-lock.json",
+			fetch: "",
+			installCmd: "npm ci",
+			cacheTarget: "/root/.npm",
+			cacheId: "npm",
+			run: "npm run",
+			exec: "npx",
+			dlx: "npx",
+			addGlobal: "npm install -g"
+		},
+		yarn: {
+			install: "corepack enable && corepack prepare yarn@stable --activate",
+			lockfile: "yarn.lock",
+			fetch: "",
+			installCmd: "yarn install --frozen-lockfile",
+			cacheTarget: "/root/.yarn/cache",
+			cacheId: "yarn",
+			run: "yarn",
+			exec: "yarn exec",
+			dlx: "yarn dlx",
+			addGlobal: "yarn global add"
+		},
+		bun: {
+			install: "npm install -g bun",
+			lockfile: "bun.lockb",
+			fetch: "",
+			installCmd: "bun install --frozen-lockfile",
+			cacheTarget: "/root/.bun/install/cache",
+			cacheId: "bun",
+			run: "bun run",
+			exec: "bunx",
+			dlx: "bunx",
+			addGlobal: "bun add -g"
+		}
+	};
+	return configs[pm];
 }
 /**
-* Get app name from package.json adjacent to the lockfile (project root)
-* Used for Docker image naming
+* Generate a multi-stage Dockerfile for building from source
+* Optimized for build speed with:
+* - BuildKit cache mounts for package manager store
+* - pnpm fetch for better layer caching (when using pnpm)
+* - Optional turbo prune for monorepos
 */
-function getAppNameFromPackageJson() {
-	const cwd = process.cwd();
-	const lockfilePath = findLockfilePath(cwd);
-	if (!lockfilePath) return void 0;
-	const projectRoot = dirname(lockfilePath);
-	const packageJsonPath = join(projectRoot, "package.json");
-	if (!existsSync(packageJsonPath)) return void 0;
-	try {
-		const pkg$1 = JSON.parse(readFileSync(packageJsonPath, "utf-8"));
-		if (pkg$1.name) return pkg$1.name.replace(/^@[^/]+\//, "");
-	} catch {}
-	return void 0;
+function generateMultiStageDockerfile(options) {
+	const { baseImage, port, healthCheckPath, turbo, turboPackage, packageManager } = options;
+	if (turbo) return generateTurboDockerfile({
+		...options,
+		turboPackage: turboPackage ?? "api"
+	});
+	const pm = getPmConfig(packageManager);
+	const installPm = pm.install ? `\n# Install ${packageManager}\nRUN ${pm.install}\n` : "";
+	const hasFetch = packageManager === "pnpm";
+	const depsStage = hasFetch ? `# Copy lockfile first for better caching
+COPY ${pm.lockfile} ./
+
+# Fetch dependencies (downloads to virtual store, cached separately)
+RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
+    ${pm.fetch}
+
+# Copy package.json after fetch
+COPY package.json ./
+
+# Install from cache (fast - no network needed)
+RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
+    ${pm.installCmd}` : `# Copy package files
+COPY package.json ${pm.lockfile} ./
+
+# Install dependencies with cache
+RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
+    ${pm.installCmd}`;
+	return `# syntax=docker/dockerfile:1
+# Stage 1: Dependencies
+FROM ${baseImage} AS deps
+
+WORKDIR /app
+${installPm}
+${depsStage}
+
+# Stage 2: Build
+FROM deps AS builder
+
+WORKDIR /app
+
+# Copy source (deps already installed)
+COPY . .
+
+# Debug: Show node_modules/.bin contents and build production server
+RUN echo "=== node_modules/.bin contents ===" && \
+    ls -la node_modules/.bin/ 2>/dev/null || echo "node_modules/.bin not found" && \
+    echo "=== Checking for gkm ===" && \
+    which gkm 2>/dev/null || echo "gkm not in PATH" && \
+    ls -la node_modules/.bin/gkm 2>/dev/null || echo "gkm binary not found in node_modules/.bin" && \
+    echo "=== Running build ===" && \
+    ./node_modules/.bin/gkm build --provider server --production
+
+# Stage 3: Production
+FROM ${baseImage} AS runner
+
+WORKDIR /app
+
+# Install tini for proper signal handling as PID 1
+RUN apk add --no-cache tini
+
+# Create non-root user
+RUN addgroup --system --gid 1001 nodejs && \\
+    adduser --system --uid 1001 hono
+
+# Copy bundled server
+COPY --from=builder --chown=hono:nodejs /app/.gkm/server/dist/server.mjs ./
+
+# Environment
+ENV NODE_ENV=production
+ENV PORT=${port}
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \\
+  CMD wget -qO- http://localhost:${port}${healthCheckPath} > /dev/null 2>&1 || exit 1
+
+# Switch to non-root user
+USER hono
+
+EXPOSE ${port}
+
+# Use tini as entrypoint to handle PID 1 responsibilities
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["node", "server.mjs"]
+`;
 }
-const logger$5 = console;
 /**
-* Get the full image reference
+* Generate a Dockerfile optimized for Turbo monorepos
+* Uses turbo prune to create minimal Docker context
 */
-function getImageRef(registry, imageName, tag) {
-	if (registry) return `${registry}/${imageName}:${tag}`;
-	return `${imageName}:${tag}`;
+function generateTurboDockerfile(options) {
+	const { baseImage, port, healthCheckPath, turboPackage, packageManager } = options;
+	const pm = getPmConfig(packageManager);
+	const installPm = pm.install ? `RUN ${pm.install}` : "";
+	const turboInstallCmd = getTurboInstallCmd(packageManager);
+	const turboCmd = packageManager === "pnpm" ? "pnpm dlx turbo" : "npx turbo";
+	return `# syntax=docker/dockerfile:1
+# Stage 1: Prune monorepo
+FROM ${baseImage} AS pruner
+
+WORKDIR /app
+
+${installPm}
+
+COPY . .
+
+# Prune to only include necessary packages
+RUN ${turboCmd} prune ${turboPackage} --docker
+
+# Stage 2: Install dependencies
+FROM ${baseImage} AS deps
+
+WORKDIR /app
+
+${installPm}
+
+# Copy pruned lockfile and package.jsons
+COPY --from=pruner /app/out/${pm.lockfile} ./
+COPY --from=pruner /app/out/json/ ./
+
+# Install dependencies (no frozen-lockfile since turbo prune creates a subset)
+RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
+    ${turboInstallCmd}
+
+# Stage 3: Build
+FROM deps AS builder
+
+WORKDIR /app
+
+# Copy pruned source
+COPY --from=pruner /app/out/full/ ./
+
+# Debug: Show node_modules/.bin contents and build production server
+RUN echo "=== node_modules/.bin contents ===" && \
+    ls -la node_modules/.bin/ 2>/dev/null || echo "node_modules/.bin not found" && \
+    echo "=== Checking for gkm ===" && \
+    which gkm 2>/dev/null || echo "gkm not in PATH" && \
+    ls -la node_modules/.bin/gkm 2>/dev/null || echo "gkm binary not found in node_modules/.bin" && \
+    echo "=== Running build ===" && \
+    ./node_modules/.bin/gkm build --provider server --production
+
+# Stage 4: Production
+FROM ${baseImage} AS runner
+
+WORKDIR /app
+
+RUN apk add --no-cache tini
+
+RUN addgroup --system --gid 1001 nodejs && \\
+    adduser --system --uid 1001 hono
+
+COPY --from=builder --chown=hono:nodejs /app/.gkm/server/dist/server.mjs ./
+
+ENV NODE_ENV=production
+ENV PORT=${port}
+
+HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \\
+  CMD wget -qO- http://localhost:${port}${healthCheckPath} > /dev/null 2>&1 || exit 1
+
+USER hono
+
+EXPOSE ${port}
+
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["node", "server.mjs"]
+`;
 }
 /**
-* Build Docker image
-* @param imageRef - Full image reference (registry/name:tag)
-* @param appName - Name of the app (used for Dockerfile.{appName} in workspaces)
-* @param buildArgs - Build arguments to pass to docker build
+* Generate a slim Dockerfile for pre-built bundles
 */
-async function buildImage(imageRef, appName, buildArgs) {
-	logger$5.log(`\n🔨 Building Docker image: ${imageRef}`);
-	const cwd = process.cwd();
-	const lockfilePath = findLockfilePath(cwd);
-	const lockfileDir = lockfilePath ? dirname(lockfilePath) : cwd;
-	const inMonorepo = lockfileDir !== cwd;
-	if (appName || inMonorepo) logger$5.log("   Generating Dockerfile for monorepo (turbo prune)...");
-	else logger$5.log("   Generating Dockerfile...");
-	await dockerCommand({});
-	const dockerfileSuffix = appName ? `.${appName}` : "";
-	const dockerfilePath = `.gkm/docker/Dockerfile${dockerfileSuffix}`;
-	const buildCwd = lockfilePath && (inMonorepo || appName) ? lockfileDir : cwd;
-	if (buildCwd !== cwd) logger$5.log(`   Building from workspace root: ${buildCwd}`);
-	const buildArgsString = buildArgs && buildArgs.length > 0 ? buildArgs.map((arg) => `--build-arg "${arg}"`).join(" ") : "";
-	try {
-		const cmd = [
-			"DOCKER_BUILDKIT=1 docker build",
-			"--platform linux/amd64",
-			`-f ${dockerfilePath}`,
-			`-t ${imageRef}`,
-			buildArgsString,
-			"."
-		].filter(Boolean).join(" ");
-		execSync(cmd, {
-			cwd: buildCwd,
-			stdio: "inherit",
-			env: {
-				...process.env,
-				DOCKER_BUILDKIT: "1"
-			}
-		});
-		logger$5.log(`✅ Image built: ${imageRef}`);
-	} catch (error) {
-		throw new Error(`Failed to build Docker image: ${error instanceof Error ? error.message : "Unknown error"}`);
-	}
+function generateSlimDockerfile(options) {
+	const { baseImage, port, healthCheckPath } = options;
+	return `# Slim Dockerfile for pre-built production bundle
+FROM ${baseImage}
+
+WORKDIR /app
+
+# Install tini for proper signal handling as PID 1
+# Handles SIGTERM propagation and zombie process reaping
+RUN apk add --no-cache tini
+
+# Create non-root user
+RUN addgroup --system --gid 1001 nodejs && \\
+    adduser --system --uid 1001 hono
+
+# Copy pre-built bundle
+COPY .gkm/server/dist/server.mjs ./
+
+# Environment
+ENV NODE_ENV=production
+ENV PORT=${port}
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \\
+  CMD wget -qO- http://localhost:${port}${healthCheckPath} > /dev/null 2>&1 || exit 1
+
+# Switch to non-root user
+USER hono
+
+EXPOSE ${port}
+
+# Use tini as entrypoint to handle PID 1 responsibilities
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["node", "server.mjs"]
+`;
 }
 /**
-* Push Docker image to registry
+* Generate .dockerignore file
 */
-async function pushImage(imageRef) {
-	logger$5.log(`\n☁️  Pushing image: ${imageRef}`);
-	try {
-		execSync(`docker push ${imageRef}`, {
-			cwd: process.cwd(),
-			stdio: "inherit"
-		});
-		logger$5.log(`✅ Image pushed: ${imageRef}`);
-	} catch (error) {
-		throw new Error(`Failed to push Docker image: ${error instanceof Error ? error.message : "Unknown error"}`);
-	}
+function generateDockerignore() {
+	return `# Dependencies
+node_modules
+.pnpm-store
+
+# Build output (except what we need)
+.gkm/aws*
+.gkm/server/*.ts
+!.gkm/server/dist
+
+# IDE and editor
+.idea
+.vscode
+*.swp
+*.swo
+
+# Git
+.git
+.gitignore
+
+# Logs
+*.log
+npm-debug.log*
+pnpm-debug.log*
+
+# Test files
+**/*.test.ts
+**/*.spec.ts
+**/__tests__
+coverage
+
+# Documentation
+docs
+*.md
+!README.md
+
+# Environment files (handle secrets separately)
+.env
+.env.*
+!.env.example
+
+# Docker files (don't copy recursively)
+Dockerfile*
+docker-compose*
+.dockerignore
+`;
 }
 /**
-* Deploy using Docker (build and optionally push image)
+* Generate docker-entrypoint.sh for custom startup logic
 */
-async function deployDocker(options) {
-	const { stage, tag, skipPush, masterKey, config: config$1, buildArgs } = options;
-	const imageName = config$1.imageName;
-	const imageRef = getImageRef(config$1.registry, imageName, tag);
-	await buildImage(imageRef, config$1.appName, buildArgs);
-	if (!skipPush) if (!config$1.registry) logger$5.warn("\n⚠️  No registry configured. Use --skip-push or configure docker.registry in gkm.config.ts");
-	else await pushImage(imageRef);
-	logger$5.log("\n✅ Docker deployment ready!");
-	logger$5.log(`\n📋 Deployment details:`);
-	logger$5.log(`   Image: ${imageRef}`);
-	logger$5.log(`   Stage: ${stage}`);
-	if (masterKey) {
-		logger$5.log(`\n🔐 Deploy with this environment variable:`);
-		logger$5.log(`   GKM_MASTER_KEY=${masterKey}`);
-		logger$5.log("\n   Example docker run:");
-		logger$5.log(`   docker run -e GKM_MASTER_KEY=${masterKey} ${imageRef}`);
-	}
-	return {
-		imageRef,
-		masterKey
-	};
+function generateDockerEntrypoint() {
+	return `#!/bin/sh
+set -e
+
+# Run any custom startup scripts here
+# Example: wait for database
+# until nc -z $DB_HOST $DB_PORT; do
+#   echo "Waiting for database..."
+#   sleep 1
+# done
+
+# Execute the main command
+exec "$@"
+`;
 }
 /**
-* Resolve Docker deploy config from gkm config
-* - imageName: from config, or cwd package.json, or 'app' (for Docker image)
-* - projectName: from root package.json, or 'app' (for Dokploy project)
-* - appName: from cwd package.json, or projectName (for Dokploy app within project)
+* Resolve Docker configuration from GkmConfig with defaults
 */
-function resolveDockerConfig(config$1) {
-	const projectName = getAppNameFromPackageJson() ?? "app";
-	const appName = getAppNameFromCwd$1() ?? projectName;
-	const imageName = config$1.docker?.imageName ?? appName;
+function resolveDockerConfig$1(config$1) {
+	const docker = config$1.docker ?? {};
+	let defaultImageName = "api";
+	try {
+		const pkg$1 = __require(`${process.cwd()}/package.json`);
+		if (pkg$1.name) defaultImageName = pkg$1.name.replace(/^@[^/]+\//, "");
+	} catch {}
 	return {
-		registry: config$1.docker?.registry,
-		imageName,
-		projectName,
-		appName
+		registry: docker.registry ?? "",
+		imageName: docker.imageName ?? defaultImageName,
+		baseImage: docker.baseImage ?? "node:22-alpine",
+		port: docker.port ?? 3e3,
+		compose: docker.compose
 	};
 }
-
-//#endregion
-//#region src/deploy/dokploy.ts
-const logger$4 = console;
-/**
-* Get the Dokploy API token from stored credentials or environment
-*/
-async function getApiToken$1() {
-	const token = await getDokployToken();
-	if (!token) throw new Error("Dokploy credentials not found.\nRun \"gkm login --service dokploy\" to authenticate, or set DOKPLOY_API_TOKEN.");
-	return token;
-}
 /**
-* Create a Dokploy API client
+* Generate a Dockerfile for Next.js frontend apps using standalone output.
+* Uses turbo prune for monorepo optimization.
+* @internal Exported for testing
 */
-async function createApi$1(endpoint) {
-	const token = await getApiToken$1();
-	return new DokployApi({
-		baseUrl: endpoint,
-		token
-	});
+function generateNextjsDockerfile(options) {
+	const { baseImage, port, appPath, turboPackage, packageManager, publicUrlArgs = ["NEXT_PUBLIC_API_URL", "NEXT_PUBLIC_AUTH_URL"] } = options;
+	const pm = getPmConfig(packageManager);
+	const installPm = pm.install ? `RUN ${pm.install}` : "";
+	const turboInstallCmd = getTurboInstallCmd(packageManager);
+	const turboCmd = packageManager === "pnpm" ? "pnpm dlx turbo" : "npx turbo";
+	const publicUrlArgDeclarations = publicUrlArgs.map((arg) => `ARG ${arg}=""`).join("\n");
+	const publicUrlEnvDeclarations = publicUrlArgs.map((arg) => `ENV ${arg}=$${arg}`).join("\n");
+	return `# syntax=docker/dockerfile:1
+# Next.js standalone Dockerfile with turbo prune optimization
+
+# Stage 1: Prune monorepo
+FROM ${baseImage} AS pruner
+
+WORKDIR /app
+
+${installPm}
+
+COPY . .
+
+# Prune to only include necessary packages
+RUN ${turboCmd} prune ${turboPackage} --docker
+
+# Stage 2: Install dependencies
+FROM ${baseImage} AS deps
+
+WORKDIR /app
+
+${installPm}
+
+# Copy pruned lockfile and package.jsons
+COPY --from=pruner /app/out/${pm.lockfile} ./
+COPY --from=pruner /app/out/json/ ./
+
+# Install dependencies
+RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
+    ${turboInstallCmd}
+
+# Stage 3: Build
+FROM deps AS builder
+
+WORKDIR /app
+
+# Build-time args for public API URLs (populated by gkm deploy)
+# These get baked into the Next.js build as public environment variables
+${publicUrlArgDeclarations}
+
+# Convert ARGs to ENVs for Next.js build
+${publicUrlEnvDeclarations}
+
+# Copy pruned source
+COPY --from=pruner /app/out/full/ ./
+
+# Copy workspace root configs for turbo builds (turbo prune doesn't include root configs)
+# Using wildcard to make it optional for single-app projects
+COPY --from=pruner /app/tsconfig.* ./
+
+# Ensure public directory exists (may be empty for scaffolded projects)
+RUN mkdir -p ${appPath}/public
+
+# Set Next.js to produce standalone output
+ENV NEXT_TELEMETRY_DISABLED=1
+
+# Build the application
+RUN ${turboCmd} run build --filter=${turboPackage}
+
+# Stage 4: Production
+FROM ${baseImage} AS runner
+
+WORKDIR /app
+
+# Install tini for proper signal handling
+RUN apk add --no-cache tini
+
+# Create non-root user
+RUN addgroup --system --gid 1001 nodejs && \\
+    adduser --system --uid 1001 nextjs
+
+# Set environment
+ENV NODE_ENV=production
+ENV NEXT_TELEMETRY_DISABLED=1
+ENV PORT=${port}
+ENV HOSTNAME="0.0.0.0"
+
+# Copy static files and standalone output
+COPY --from=builder --chown=nextjs:nodejs /app/${appPath}/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/${appPath}/.next/static ./${appPath}/.next/static
+COPY --from=builder --chown=nextjs:nodejs /app/${appPath}/public ./${appPath}/public
+
+USER nextjs
+
+EXPOSE ${port}
+
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["node", "${appPath}/server.js"]
+`;
 }
 /**
-* Deploy to Dokploy
+* Generate a Dockerfile for backend apps in a workspace.
+* Uses turbo prune for monorepo optimization.
+* @internal Exported for testing
 */
-async function deployDokploy(options) {
-	const { stage, imageRef, masterKey, config: config$1 } = options;
-	logger$4.log(`\n🎯 Deploying to Dokploy...`);
-	logger$4.log(`   Endpoint: ${config$1.endpoint}`);
-	logger$4.log(`   Application: ${config$1.applicationId}`);
-	const api = await createApi$1(config$1.endpoint);
-	logger$4.log(`  Configuring Docker image: ${imageRef}`);
-	const registryOptions = {};
-	if (config$1.registryId) {
-		registryOptions.registryId = config$1.registryId;
-		logger$4.log(`  Using Dokploy registry: ${config$1.registryId}`);
-	} else {
-		const storedRegistryId = await getDokployRegistryId();
-		if (storedRegistryId) {
-			registryOptions.registryId = storedRegistryId;
-			logger$4.log(`  Using stored Dokploy registry: ${storedRegistryId}`);
-		} else if (config$1.registryCredentials) {
-			registryOptions.username = config$1.registryCredentials.username;
-			registryOptions.password = config$1.registryCredentials.password;
-			registryOptions.registryUrl = config$1.registryCredentials.registryUrl;
-			logger$4.log(`  Using registry credentials for: ${config$1.registryCredentials.registryUrl}`);
-		} else {
-			const username = process.env.DOCKER_REGISTRY_USERNAME;
-			const password = process.env.DOCKER_REGISTRY_PASSWORD;
-			const registryUrl = process.env.DOCKER_REGISTRY_URL || config$1.registry;
-			if (username && password && registryUrl) {
-				registryOptions.username = username;
-				registryOptions.password = password;
-				registryOptions.registryUrl = registryUrl;
-				logger$4.log(`  Using registry credentials from environment`);
-			}
-		}
-	}
-	await api.saveDockerProvider(config$1.applicationId, imageRef, registryOptions);
-	logger$4.log("  ✓ Docker provider configured");
-	const envVars = {};
-	if (masterKey) envVars.GKM_MASTER_KEY = masterKey;
-	if (Object.keys(envVars).length > 0) {
-		logger$4.log("  Updating environment variables...");
-		const envString = Object.entries(envVars).map(([key, value]) => `${key}=${value}`).join("\n");
-		await api.saveApplicationEnv(config$1.applicationId, envString);
-		logger$4.log("  ✓ Environment variables updated");
-	}
-	logger$4.log("  Triggering deployment...");
-	await api.deployApplication(config$1.applicationId);
-	logger$4.log("  ✓ Deployment triggered");
-	logger$4.log("\n✅ Dokploy deployment initiated!");
-	logger$4.log(`\n📋 Deployment details:`);
-	logger$4.log(`   Image: ${imageRef}`);
-	logger$4.log(`   Stage: ${stage}`);
-	logger$4.log(`   Application ID: ${config$1.applicationId}`);
-	if (masterKey) logger$4.log(`\n🔐 GKM_MASTER_KEY has been set in Dokploy environment`);
-	const deploymentUrl = `${config$1.endpoint}/project/${config$1.projectId}`;
-	logger$4.log(`\n🔗 View deployment: ${deploymentUrl}`);
-	return {
-		imageRef,
-		masterKey,
-		url: deploymentUrl
-	};
-}
+function generateBackendDockerfile(options) {
+	const { baseImage, port, appPath, turboPackage, packageManager, healthCheckPath = "/health" } = options;
+	const pm = getPmConfig(packageManager);
+	const installPm = pm.install ? `RUN ${pm.install}` : "";
+	const turboInstallCmd = getTurboInstallCmd(packageManager);
+	const turboCmd = packageManager === "pnpm" ? "pnpm dlx turbo" : "npx turbo";
+	return `# syntax=docker/dockerfile:1
+# Backend Dockerfile with turbo prune optimization
+
+# Stage 1: Prune monorepo
+FROM ${baseImage} AS pruner
+
+WORKDIR /app
+
+${installPm}
+
+COPY . .
+
+# Prune to only include necessary packages
+RUN ${turboCmd} prune ${turboPackage} --docker
+
+# Stage 2: Install dependencies
+FROM ${baseImage} AS deps
+
+WORKDIR /app
+
+${installPm}
+
+# Copy pruned lockfile and package.jsons
+COPY --from=pruner /app/out/${pm.lockfile} ./
+COPY --from=pruner /app/out/json/ ./
+
+# Install dependencies
+RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
+    ${turboInstallCmd}
+
+# Stage 3: Build
+FROM deps AS builder
+
+WORKDIR /app
+
+# Build-time args for encrypted secrets
+ARG GKM_ENCRYPTED_CREDENTIALS=""
+ARG GKM_CREDENTIALS_IV=""
+
+# Copy pruned source
+COPY --from=pruner /app/out/full/ ./
+
+# Copy workspace root configs for turbo builds (turbo prune doesn't include root configs)
+# Using wildcard to make it optional for single-app projects
+COPY --from=pruner /app/gkm.config.* ./
+COPY --from=pruner /app/tsconfig.* ./
+
+# Write encrypted credentials for gkm build to embed
+RUN if [ -n "$GKM_ENCRYPTED_CREDENTIALS" ]; then \
+      mkdir -p ${appPath}/.gkm && \
+      echo "$GKM_ENCRYPTED_CREDENTIALS" > ${appPath}/.gkm/credentials.enc && \
+      echo "$GKM_CREDENTIALS_IV" > ${appPath}/.gkm/credentials.iv; \
+    fi
 
-//#endregion
-//#region src/deploy/state.ts
-/**
-* Get the state file path for a stage
-*/
-function getStateFilePath(workspaceRoot, stage) {
-	return join(workspaceRoot, ".gkm", `deploy-${stage}.json`);
-}
-/**
-* Read the deploy state for a stage
-* Returns null if state file doesn't exist
-*/
-async function readStageState(workspaceRoot, stage) {
-	const filePath = getStateFilePath(workspaceRoot, stage);
-	try {
-		const content = await readFile(filePath, "utf-8");
-		return JSON.parse(content);
-	} catch (error) {
-		if (error.code === "ENOENT") return null;
-		console.warn(`Warning: Could not read deploy state: ${error}`);
-		return null;
-	}
+# Build production server using gkm
+RUN cd ${appPath} && ./node_modules/.bin/gkm build --provider server --production
+
+# Stage 4: Production
+FROM ${baseImage} AS runner
+
+WORKDIR /app
+
+RUN apk add --no-cache tini
+
+RUN addgroup --system --gid 1001 nodejs && \\
+    adduser --system --uid 1001 hono
+
+# Copy bundled server
+COPY --from=builder --chown=hono:nodejs /app/${appPath}/.gkm/server/dist/server.mjs ./
+
+ENV NODE_ENV=production
+ENV PORT=${port}
+
+HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \\
+  CMD wget -qO- http://localhost:${port}${healthCheckPath} > /dev/null 2>&1 || exit 1
+
+USER hono
+
+EXPOSE ${port}
+
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["node", "server.mjs"]
+`;
 }
 /**
-* Write the deploy state for a stage
+* Generate a Dockerfile for apps with a custom entry point.
+* Uses esbuild to bundle the entry point into dist/index.mjs with all dependencies.
+* This is used for apps that don't use gkm routes (e.g., Better Auth servers).
+* @internal Exported for testing
 */
-async function writeStageState(workspaceRoot, stage, state) {
-	const filePath = getStateFilePath(workspaceRoot, stage);
-	const dir = join(workspaceRoot, ".gkm");
-	await mkdir(dir, { recursive: true });
-	state.lastDeployedAt = (/* @__PURE__ */ new Date()).toISOString();
-	await writeFile(filePath, JSON.stringify(state, null, 2));
+function generateEntryDockerfile(options) {
+	const { baseImage, port, appPath, entry, turboPackage, packageManager, healthCheckPath = "/health" } = options;
+	const pm = getPmConfig(packageManager);
+	const installPm = pm.install ? `RUN ${pm.install}` : "";
+	const turboInstallCmd = getTurboInstallCmd(packageManager);
+	const turboCmd = packageManager === "pnpm" ? "pnpm dlx turbo" : "npx turbo";
+	return `# syntax=docker/dockerfile:1
+# Entry-based Dockerfile with turbo prune + tsdown bundling
+
+# Stage 1: Prune monorepo
+FROM ${baseImage} AS pruner
+
+WORKDIR /app
+
+${installPm}
+
+COPY . .
+
+# Prune to only include necessary packages
+RUN ${turboCmd} prune ${turboPackage} --docker
+
+# Stage 2: Install dependencies
+FROM ${baseImage} AS deps
+
+WORKDIR /app
+
+${installPm}
+
+# Copy pruned lockfile and package.jsons
+COPY --from=pruner /app/out/${pm.lockfile} ./
+COPY --from=pruner /app/out/json/ ./
+
+# Install dependencies
+RUN --mount=type=cache,id=${pm.cacheId},target=${pm.cacheTarget} \\
+    ${turboInstallCmd}
+
+# Stage 3: Build with tsdown
+FROM deps AS builder
+
+WORKDIR /app
+
+# Build-time args for encrypted secrets
+ARG GKM_ENCRYPTED_CREDENTIALS=""
+ARG GKM_CREDENTIALS_IV=""
+
+# Copy pruned source
+COPY --from=pruner /app/out/full/ ./
+
+# Copy workspace root configs for turbo builds (turbo prune doesn't include root configs)
+# Using wildcard to make it optional for single-app projects
+COPY --from=pruner /app/tsconfig.* ./
+
+# Write encrypted credentials for tsdown to embed via define
+RUN if [ -n "$GKM_ENCRYPTED_CREDENTIALS" ]; then \
+      mkdir -p ${appPath}/.gkm && \
+      echo "$GKM_ENCRYPTED_CREDENTIALS" > ${appPath}/.gkm/credentials.enc && \
+      echo "$GKM_CREDENTIALS_IV" > ${appPath}/.gkm/credentials.iv; \
+    fi
+
+# Bundle entry point with esbuild (outputs to dist/index.mjs)
+# Creates a fully standalone bundle with all dependencies included
+# Use define to embed credentials if present
+RUN cd ${appPath} && \
+    if [ -f .gkm/credentials.enc ]; then \
+      CREDS=$(cat .gkm/credentials.enc) && \
+      IV=$(cat .gkm/credentials.iv) && \
+      npx esbuild ${entry} --bundle --platform=node --target=node22 --format=esm \
+        --outfile=dist/index.mjs --packages=bundle \
+        --banner:js='import { createRequire } from "module"; const require = createRequire(import.meta.url);' \
+        --define:__GKM_ENCRYPTED_CREDENTIALS__="'\\"$CREDS\\"'" \
+        --define:__GKM_CREDENTIALS_IV__="'\\"$IV\\"'"; \
+    else \
+      npx esbuild ${entry} --bundle --platform=node --target=node22 --format=esm \
+        --outfile=dist/index.mjs --packages=bundle \
+        --banner:js='import { createRequire } from "module"; const require = createRequire(import.meta.url);'; \
+    fi
+
+# Stage 4: Production
+FROM ${baseImage} AS runner
+
+WORKDIR /app
+
+RUN apk add --no-cache tini
+
+RUN addgroup --system --gid 1001 nodejs && \\
+    adduser --system --uid 1001 app
+
+# Copy bundled output only (no node_modules needed - fully bundled)
+COPY --from=builder --chown=app:nodejs /app/${appPath}/dist/index.mjs ./
+
+ENV NODE_ENV=production
+ENV PORT=${port}
+
+HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \\
+  CMD wget -qO- http://localhost:${port}${healthCheckPath} > /dev/null 2>&1 || exit 1
+
+USER app
+
+EXPOSE ${port}
+
+ENTRYPOINT ["/sbin/tini", "--"]
+CMD ["node", "index.mjs"]
+`;
 }
+
+//#endregion
+//#region src/docker/index.ts
+const logger$5 = console;
 /**
-* Create a new empty state for a stage
+* Docker command implementation
+* Generates Dockerfile, docker-compose.yml, and related files
+*
+* Default: Multi-stage Dockerfile that builds from source inside Docker
+* --slim: Slim Dockerfile that copies pre-built bundle (requires prior build)
 */
-function createEmptyState(stage, environmentId) {
-	return {
-		provider: "dokploy",
-		stage,
-		environmentId,
-		applications: {},
-		services: {},
-		lastDeployedAt: (/* @__PURE__ */ new Date()).toISOString()
+async function dockerCommand(options) {
+	const loadedConfig = await loadWorkspaceConfig();
+	if (loadedConfig.type === "workspace") {
+		logger$5.log("📦 Detected workspace configuration");
+		return workspaceDockerCommand(loadedConfig.workspace, options);
+	}
+	const config$1 = await loadConfig();
+	const dockerConfig = resolveDockerConfig$1(config$1);
+	const serverConfig = typeof config$1.providers?.server === "object" ? config$1.providers.server : void 0;
+	const healthCheckPath = serverConfig?.production?.healthCheck ?? "/health";
+	const useSlim = options.slim === true;
+	if (useSlim) {
+		const distDir = join(process.cwd(), ".gkm", "server", "dist");
+		const hasBuild = existsSync(join(distDir, "server.mjs"));
+		if (!hasBuild) throw new Error("Slim Dockerfile requires a pre-built bundle. Run `gkm build --provider server --production` first, or omit --slim to use multi-stage build.");
+	}
+	const dockerDir = join(process.cwd(), ".gkm", "docker");
+	await mkdir(dockerDir, { recursive: true });
+	const packageManager = detectPackageManager$1();
+	const inMonorepo = isMonorepo();
+	const hasTurbo = hasTurboConfig();
+	let useTurbo = options.turbo ?? false;
+	if (inMonorepo && !useSlim) if (hasTurbo) {
+		useTurbo = true;
+		logger$5.log("   Detected monorepo with turbo.json - using turbo prune");
+	} else throw new Error("Monorepo detected but turbo.json not found.\n\nDocker builds in monorepos require Turborepo for proper dependency isolation.\n\nTo fix this:\n  1. Install turbo: pnpm add -Dw turbo\n  2. Create turbo.json in your monorepo root\n  3. Run this command again\n\nSee: https://turbo.build/repo/docs/guides/tools/docker");
+	let turboPackage = options.turboPackage ?? dockerConfig.imageName;
+	if (useTurbo && !options.turboPackage) try {
+		const pkg$1 = __require(`${process.cwd()}/package.json`);
+		if (pkg$1.name) {
+			turboPackage = pkg$1.name;
+			logger$5.log(`   Turbo package: ${turboPackage}`);
+		}
+	} catch {}
+	const templateOptions = {
+		imageName: dockerConfig.imageName,
+		baseImage: dockerConfig.baseImage,
+		port: dockerConfig.port,
+		healthCheckPath,
+		prebuilt: useSlim,
+		turbo: useTurbo,
+		turboPackage,
+		packageManager
 	};
+	const dockerfile = useSlim ? generateSlimDockerfile(templateOptions) : generateMultiStageDockerfile(templateOptions);
+	const dockerMode = useSlim ? "slim" : useTurbo ? "turbo" : "multi-stage";
+	const dockerfilePath = join(dockerDir, "Dockerfile");
+	await writeFile(dockerfilePath, dockerfile);
+	logger$5.log(`Generated: .gkm/docker/Dockerfile (${dockerMode}, ${packageManager})`);
+	const composeOptions = {
+		imageName: dockerConfig.imageName,
+		registry: options.registry ?? dockerConfig.registry,
+		port: dockerConfig.port,
+		healthCheckPath,
+		services: dockerConfig.compose?.services ?? {}
+	};
+	const hasServices = Array.isArray(composeOptions.services) ? composeOptions.services.length > 0 : Object.keys(composeOptions.services).length > 0;
+	const dockerCompose = hasServices ? generateDockerCompose(composeOptions) : generateMinimalDockerCompose(composeOptions);
+	const composePath = join(dockerDir, "docker-compose.yml");
+	await writeFile(composePath, dockerCompose);
+	logger$5.log("Generated: .gkm/docker/docker-compose.yml");
+	const dockerignore = generateDockerignore();
+	const dockerignorePath = join(process.cwd(), ".dockerignore");
+	await writeFile(dockerignorePath, dockerignore);
+	logger$5.log("Generated: .dockerignore (project root)");
+	const entrypoint = generateDockerEntrypoint();
+	const entrypointPath = join(dockerDir, "docker-entrypoint.sh");
+	await writeFile(entrypointPath, entrypoint);
+	logger$5.log("Generated: .gkm/docker/docker-entrypoint.sh");
+	const result = {
+		dockerfile: dockerfilePath,
+		dockerCompose: composePath,
+		dockerignore: dockerignorePath,
+		entrypoint: entrypointPath
+	};
+	if (options.build) await buildDockerImage(dockerConfig.imageName, options);
+	if (options.push) await pushDockerImage(dockerConfig.imageName, options);
+	return result;
 }
 /**
-* Get application ID from state
-*/
-function getApplicationId(state, appName) {
-	return state?.applications[appName];
-}
-/**
-* Set application ID in state (mutates state)
-*/
-function setApplicationId(state, appName, applicationId) {
-	state.applications[appName] = applicationId;
-}
-/**
-* Get postgres ID from state
-*/
-function getPostgresId(state) {
-	return state?.services.postgresId;
-}
-/**
-* Set postgres ID in state (mutates state)
+* Ensure lockfile exists in the build context
+* For monorepos, copies from workspace root if needed
+* Returns cleanup function if file was copied
 */
-function setPostgresId(state, postgresId) {
-	state.services.postgresId = postgresId;
+function ensureLockfile(cwd) {
+	const lockfilePath = findLockfilePath(cwd);
+	if (!lockfilePath) {
+		logger$5.warn("\n⚠️  No lockfile found. Docker build may fail or use stale dependencies.");
+		return null;
+	}
+	const lockfileName = basename(lockfilePath);
+	const localLockfile = join(cwd, lockfileName);
+	if (lockfilePath === localLockfile) return null;
+	logger$5.log(`   Copying ${lockfileName} from monorepo root...`);
+	copyFileSync(lockfilePath, localLockfile);
+	return () => {
+		try {
+			unlinkSync(localLockfile);
+		} catch {}
+	};
 }
 /**
-* Get redis ID from state
+* Build Docker image
+* Uses BuildKit for cache mount support
 */
-function getRedisId(state) {
-	return state?.services.redisId;
+async function buildDockerImage(imageName, options) {
+	const tag = options.tag ?? "latest";
+	const registry = options.registry;
+	const fullImageName = registry ? `${registry}/${imageName}:${tag}` : `${imageName}:${tag}`;
+	logger$5.log(`\n🐳 Building Docker image: ${fullImageName}`);
+	const cwd = process.cwd();
+	const cleanup = ensureLockfile(cwd);
+	try {
+		execSync(`DOCKER_BUILDKIT=1 docker build -f .gkm/docker/Dockerfile -t ${fullImageName} .`, {
+			cwd,
+			stdio: "inherit",
+			env: {
+				...process.env,
+				DOCKER_BUILDKIT: "1"
+			}
+		});
+		logger$5.log(`✅ Docker image built: ${fullImageName}`);
+	} catch (error) {
+		throw new Error(`Failed to build Docker image: ${error instanceof Error ? error.message : "Unknown error"}`);
+	} finally {
+		cleanup?.();
+	}
 }
 /**
-* Set redis ID in state (mutates state)
+* Push Docker image to registry
 */
-function setRedisId(state, redisId) {
-	state.services.redisId = redisId;
+async function pushDockerImage(imageName, options) {
+	const tag = options.tag ?? "latest";
+	const registry = options.registry;
+	if (!registry) throw new Error("Registry is required to push Docker image. Use --registry or configure docker.registry in gkm.config.ts");
+	const fullImageName = `${registry}/${imageName}:${tag}`;
+	logger$5.log(`\n🚀 Pushing Docker image: ${fullImageName}`);
+	try {
+		execSync(`docker push ${fullImageName}`, {
+			cwd: process.cwd(),
+			stdio: "inherit"
+		});
+		logger$5.log(`✅ Docker image pushed: ${fullImageName}`);
+	} catch (error) {
+		throw new Error(`Failed to push Docker image: ${error instanceof Error ? error.message : "Unknown error"}`);
+	}
 }
-
-//#endregion
-//#region src/deploy/dns/hostinger-api.ts
-/**
-* Hostinger DNS API client
-*
-* API Documentation: https://developers.hostinger.com/
-* Authentication: Bearer token from hpanel.hostinger.com/profile/api
-*/
-const HOSTINGER_API_BASE = "https://developers.hostinger.com";
 /**
-* Hostinger API error
+* Get the package name from package.json in an app directory.
 */
-var HostingerApiError = class extends Error {
-	constructor(message, status, statusText, errors) {
-		super(message);
-		this.status = status;
-		this.statusText = statusText;
-		this.errors = errors;
-		this.name = "HostingerApiError";
+function getAppPackageName(appPath) {
+	try {
+		const pkgPath = join(appPath, "package.json");
+		if (!existsSync(pkgPath)) return void 0;
+		const content = readFileSync(pkgPath, "utf-8");
+		const pkg$1 = JSON.parse(content);
+		return pkg$1.name;
+	} catch {
+		return void 0;
 	}
-};
+}
 /**
-* Hostinger DNS API client
-*
-* @example
-* ```ts
-* const api = new HostingerApi(token);
-*
-* // Get all records for a domain
-* const records = await api.getRecords('traflabs.io');
-*
-* // Create/update records
-* await api.upsertRecords('traflabs.io', [
-*   { name: 'api.joemoer', type: 'A', ttl: 300, records: ['1.2.3.4'] }
-* ]);
-* ```
+* Generate Dockerfiles for all apps in a workspace.
+* @internal Exported for testing
 */
-var HostingerApi = class {
-	token;
-	constructor(token) {
-		this.token = token;
-	}
-	/**
-	* Make a request to the Hostinger API
-	*/
-	async request(method, endpoint, body) {
-		const url = `${HOSTINGER_API_BASE}${endpoint}`;
-		const response = await fetch(url, {
-			method,
-			headers: {
-				"Content-Type": "application/json",
-				Authorization: `Bearer ${this.token}`
-			},
-			body: body ? JSON.stringify(body) : void 0
+async function workspaceDockerCommand(workspace, options) {
+	const results = [];
+	const apps = Object.entries(workspace.apps);
+	logger$5.log(`\n🐳 Generating Dockerfiles for workspace: ${workspace.name}`);
+	const dockerDir = join(workspace.root, ".gkm", "docker");
+	await mkdir(dockerDir, { recursive: true });
+	const packageManager = detectPackageManager$1(workspace.root);
+	logger$5.log(`   Package manager: ${packageManager}`);
+	for (const [appName, app] of apps) {
+		const appPath = app.path;
+		const fullAppPath = join(workspace.root, appPath);
+		const turboPackage = getAppPackageName(fullAppPath) ?? appName;
+		const imageName = appName;
+		const hasEntry = !!app.entry;
+		const buildType = hasEntry ? "entry" : app.type;
+		logger$5.log(`\n   📄 Generating Dockerfile for ${appName} (${buildType})`);
+		let dockerfile;
+		if (app.type === "frontend") dockerfile = generateNextjsDockerfile({
+			imageName,
+			baseImage: "node:22-alpine",
+			port: app.port,
+			appPath,
+			turboPackage,
+			packageManager
 		});
-		if (!response.ok) {
-			let errorMessage = `Hostinger API error: ${response.status} ${response.statusText}`;
-			let errors;
-			try {
-				const errorBody = await response.json();
-				if (errorBody.message) errorMessage = `Hostinger API error: ${errorBody.message}`;
-				errors = errorBody.errors;
-			} catch {}
-			throw new HostingerApiError(errorMessage, response.status, response.statusText, errors);
-		}
-		const text = await response.text();
-		if (!text || text.trim() === "") return void 0;
-		return JSON.parse(text);
-	}
-	/**
-	* Get all DNS records for a domain
-	*
-	* @param domain - Root domain (e.g., 'traflabs.io')
-	*/
-	async getRecords(domain) {
-		const response = await this.request("GET", `/api/dns/v1/zones/${domain}`);
-		return response.data || [];
-	}
-	/**
-	* Create or update DNS records
-	*
-	* @param domain - Root domain (e.g., 'traflabs.io')
-	* @param records - Records to create/update
-	* @param overwrite - If true, replaces all existing records. If false, merges with existing.
-	*/
-	async upsertRecords(domain, records, overwrite = false) {
-		await this.request("PUT", `/api/dns/v1/zones/${domain}`, {
-			overwrite,
-			zone: records
+		else if (app.entry) dockerfile = generateEntryDockerfile({
+			imageName,
+			baseImage: "node:22-alpine",
+			port: app.port,
+			appPath,
+			entry: app.entry,
+			turboPackage,
+			packageManager,
+			healthCheckPath: "/health"
 		});
-	}
-	/**
-	* Validate DNS records before applying
-	*
-	* @param domain - Root domain (e.g., 'traflabs.io')
-	* @param records - Records to validate
-	* @returns true if valid, throws if invalid
-	*/
-	async validateRecords(domain, records) {
-		await this.request("POST", `/api/dns/v1/zones/${domain}/validate`, {
-			overwrite: false,
-			zone: records
+		else dockerfile = generateBackendDockerfile({
+			imageName,
+			baseImage: "node:22-alpine",
+			port: app.port,
+			appPath,
+			turboPackage,
+			packageManager,
+			healthCheckPath: "/health"
+		});
+		const dockerfilePath = join(dockerDir, `Dockerfile.${appName}`);
+		await writeFile(dockerfilePath, dockerfile);
+		logger$5.log(`      Generated: .gkm/docker/Dockerfile.${appName}`);
+		results.push({
+			appName,
+			type: app.type,
+			dockerfile: dockerfilePath,
+			imageName
 		});
-		return true;
-	}
-	/**
-	* Delete specific DNS records
-	*
-	* @param domain - Root domain (e.g., 'traflabs.io')
-	* @param filters - Filters to match records for deletion
-	*/
-	async deleteRecords(domain, filters) {
-		await this.request("DELETE", `/api/dns/v1/zones/${domain}`, { filters });
-	}
-	/**
-	* Check if a specific record exists
-	*
-	* @param domain - Root domain (e.g., 'traflabs.io')
-	* @param name - Subdomain name (e.g., 'api.joemoer')
-	* @param type - Record type (e.g., 'A')
-	*/
-	async recordExists(domain, name$1, type$1 = "A") {
-		const records = await this.getRecords(domain);
-		return records.some((r) => r.name === name$1 && r.type === type$1);
 	}
-	/**
-	* Create a single A record if it doesn't exist
-	*
-	* @param domain - Root domain (e.g., 'traflabs.io')
-	* @param subdomain - Subdomain name (e.g., 'api.joemoer')
-	* @param ip - IP address to point to
-	* @param ttl - TTL in seconds (default: 300)
-	* @returns true if created, false if already exists
-	*/
-	async createARecordIfNotExists(domain, subdomain, ip, ttl = 300) {
-		const exists = await this.recordExists(domain, subdomain, "A");
-		if (exists) return false;
-		await this.upsertRecords(domain, [{
-			name: subdomain,
-			type: "A",
-			ttl,
-			records: [{ content: ip }]
-		}]);
-		return true;
+	const dockerignore = generateDockerignore();
+	const dockerignorePath = join(workspace.root, ".dockerignore");
+	await writeFile(dockerignorePath, dockerignore);
+	logger$5.log(`\n   Generated: .dockerignore (workspace root)`);
+	const dockerCompose = generateWorkspaceCompose(workspace, { registry: options.registry });
+	const composePath = join(dockerDir, "docker-compose.yml");
+	await writeFile(composePath, dockerCompose);
+	logger$5.log(`   Generated: .gkm/docker/docker-compose.yml`);
+	logger$5.log(`\n✅ Generated ${results.length} Dockerfile(s) + docker-compose.yml`);
+	logger$5.log("\n📋 Build commands:");
+	for (const result of results) {
+		const icon = result.type === "backend" ? "⚙️" : "🌐";
+		logger$5.log(`   ${icon} docker build -f .gkm/docker/Dockerfile.${result.appName} -t ${result.imageName} .`);
 	}
-};
+	logger$5.log("\n📋 Run all services:");
+	logger$5.log("   docker compose -f .gkm/docker/docker-compose.yml up --build");
+	return {
+		apps: results,
+		dockerCompose: composePath,
+		dockerignore: dockerignorePath
+	};
+}
 
 //#endregion
-//#region src/deploy/dns/index.ts
-const logger$3 = console;
+//#region src/deploy/docker.ts
 /**
-* Resolve IP address from a hostname
+* Get app name from package.json in the current working directory
+* Used for Dokploy app/project naming
 */
-async function resolveHostnameToIp(hostname) {
+function getAppNameFromCwd$1() {
+	const packageJsonPath = join(process.cwd(), "package.json");
+	if (!existsSync(packageJsonPath)) return void 0;
 	try {
-		const addresses = await lookup(hostname, { family: 4 });
-		return addresses.address;
-	} catch (error) {
-		throw new Error(`Failed to resolve IP for ${hostname}: ${error instanceof Error ? error.message : "Unknown error"}`);
-	}
-}
-/**
-* Extract subdomain from full hostname relative to root domain
-*
-* @example
-* extractSubdomain('api.joemoer.traflabs.io', 'traflabs.io') => 'api.joemoer'
-* extractSubdomain('joemoer.traflabs.io', 'traflabs.io') => 'joemoer'
-*/
-function extractSubdomain(hostname, rootDomain) {
-	if (!hostname.endsWith(rootDomain)) throw new Error(`Hostname ${hostname} is not under root domain ${rootDomain}`);
-	const subdomain = hostname.slice(0, -(rootDomain.length + 1));
-	return subdomain || "@";
-}
-/**
-* Generate required DNS records for a deployment
-*/
-function generateRequiredRecords(appHostnames, rootDomain, serverIp) {
-	const records = [];
-	for (const [appName, hostname] of appHostnames) {
-		const subdomain = extractSubdomain(hostname, rootDomain);
-		records.push({
-			hostname,
-			subdomain,
-			type: "A",
-			value: serverIp,
-			appName
-		});
-	}
-	return records;
-}
-/**
-* Print DNS records table
-*/
-function printDnsRecordsTable(records, rootDomain) {
-	logger$3.log("\n   📋 DNS Records for " + rootDomain + ":");
-	logger$3.log("   ┌─────────────────────────────────────┬──────┬─────────────────┬────────┐");
-	logger$3.log("   │ Subdomain                           │ Type │ Value           │ Status │");
-	logger$3.log("   ├─────────────────────────────────────┼──────┼─────────────────┼────────┤");
-	for (const record of records) {
-		const subdomain = record.subdomain.padEnd(35);
-		const type$1 = record.type.padEnd(4);
-		const value = record.value.padEnd(15);
-		let status;
-		if (record.error) status = "✗";
-		else if (record.created) status = "✓ new";
-		else if (record.existed) status = "✓";
-		else status = "?";
-		logger$3.log(`   │ ${subdomain} │ ${type$1} │ ${value} │ ${status.padEnd(6)} │`);
-	}
-	logger$3.log("   └─────────────────────────────────────┴──────┴─────────────────┴────────┘");
+		const pkg$1 = JSON.parse(readFileSync(packageJsonPath, "utf-8"));
+		if (pkg$1.name) return pkg$1.name.replace(/^@[^/]+\//, "");
+	} catch {}
+	return void 0;
 }
 /**
-* Print DNS records in a simple format for manual setup
+* Get app name from package.json adjacent to the lockfile (project root)
+* Used for Docker image naming
 */
-function printDnsRecordsSimple(records, rootDomain) {
-	logger$3.log("\n   📋 Required DNS Records:");
-	logger$3.log(`   Add these A records to your DNS provider (${rootDomain}):\n`);
-	for (const record of records) logger$3.log(`   ${record.subdomain}  →  ${record.value}  (A record)`);
-	logger$3.log("");
+function getAppNameFromPackageJson() {
+	const cwd = process.cwd();
+	const lockfilePath = findLockfilePath(cwd);
+	if (!lockfilePath) return void 0;
+	const projectRoot = dirname(lockfilePath);
+	const packageJsonPath = join(projectRoot, "package.json");
+	if (!existsSync(packageJsonPath)) return void 0;
+	try {
+		const pkg$1 = JSON.parse(readFileSync(packageJsonPath, "utf-8"));
+		if (pkg$1.name) return pkg$1.name.replace(/^@[^/]+\//, "");
+	} catch {}
+	return void 0;
 }
+const logger$4 = console;
 /**
-* Prompt for input (reuse from deploy/index.ts pattern)
+* Get the full image reference
 */
-async function promptForToken(message) {
-	const { stdin: stdin$1, stdout: stdout$1 } = await import("node:process");
-	if (!stdin$1.isTTY) throw new Error("Interactive input required for Hostinger token.");
-	stdout$1.write(message);
-	return new Promise((resolve$1) => {
-		let value = "";
-		const onData = (char) => {
-			const c = char.toString();
-			if (c === "\n" || c === "\r") {
-				stdin$1.setRawMode(false);
-				stdin$1.pause();
-				stdin$1.removeListener("data", onData);
-				stdout$1.write("\n");
-				resolve$1(value);
-			} else if (c === "") {
-				stdin$1.setRawMode(false);
-				stdin$1.pause();
-				stdout$1.write("\n");
-				process.exit(1);
-			} else if (c === "" || c === "\b") {
-				if (value.length > 0) value = value.slice(0, -1);
-			} else value += c;
-		};
-		stdin$1.setRawMode(true);
-		stdin$1.resume();
-		stdin$1.on("data", onData);
-	});
+function getImageRef(registry, imageName, tag) {
+	if (registry) return `${registry}/${imageName}:${tag}`;
+	return `${imageName}:${tag}`;
 }
 /**
-* Create DNS records using the configured provider
+* Build Docker image
+* @param imageRef - Full image reference (registry/name:tag)
+* @param appName - Name of the app (used for Dockerfile.{appName} in workspaces)
+* @param buildArgs - Build arguments to pass to docker build
 */
-async function createDnsRecords(records, dnsConfig) {
-	const { provider, domain: rootDomain, ttl = 300 } = dnsConfig;
-	if (provider === "manual") return records.map((r) => ({
-		...r,
-		created: false,
-		existed: false
-	}));
-	if (provider === "hostinger") return createHostingerRecords(records, rootDomain, ttl);
-	if (provider === "cloudflare") {
-		logger$3.log("   ⚠ Cloudflare DNS integration not yet implemented");
-		return records.map((r) => ({
-			...r,
-			error: "Cloudflare not implemented"
-		}));
+async function buildImage(imageRef, appName, buildArgs) {
+	logger$4.log(`\n🔨 Building Docker image: ${imageRef}`);
+	const cwd = process.cwd();
+	const lockfilePath = findLockfilePath(cwd);
+	const lockfileDir = lockfilePath ? dirname(lockfilePath) : cwd;
+	const inMonorepo = lockfileDir !== cwd;
+	if (appName || inMonorepo) logger$4.log("   Generating Dockerfile for monorepo (turbo prune)...");
+	else logger$4.log("   Generating Dockerfile...");
+	await dockerCommand({});
+	const dockerfileSuffix = appName ? `.${appName}` : "";
+	const dockerfilePath = `.gkm/docker/Dockerfile${dockerfileSuffix}`;
+	const buildCwd = lockfilePath && (inMonorepo || appName) ? lockfileDir : cwd;
+	if (buildCwd !== cwd) logger$4.log(`   Building from workspace root: ${buildCwd}`);
+	const buildArgsString = buildArgs && buildArgs.length > 0 ? buildArgs.map((arg) => `--build-arg "${arg}"`).join(" ") : "";
+	try {
+		const cmd = [
+			"DOCKER_BUILDKIT=1 docker build",
+			"--platform linux/amd64",
+			`-f ${dockerfilePath}`,
+			`-t ${imageRef}`,
+			buildArgsString,
+			"."
+		].filter(Boolean).join(" ");
+		execSync(cmd, {
+			cwd: buildCwd,
+			stdio: "inherit",
+			env: {
+				...process.env,
+				DOCKER_BUILDKIT: "1"
+			}
+		});
+		logger$4.log(`✅ Image built: ${imageRef}`);
+	} catch (error) {
+		throw new Error(`Failed to build Docker image: ${error instanceof Error ? error.message : "Unknown error"}`);
 	}
-	return records;
 }
 /**
-* Create DNS records at Hostinger
+* Push Docker image to registry
 */
-async function createHostingerRecords(records, rootDomain, ttl) {
-	let token = await getHostingerToken();
-	if (!token) {
-		logger$3.log("\n   📋 Hostinger API token not found.");
-		logger$3.log("   Get your token from: https://hpanel.hostinger.com/profile/api\n");
-		try {
-			token = await promptForToken("   Hostinger API Token: ");
-			await storeHostingerToken(token);
-			logger$3.log("   ✓ Token saved");
-		} catch {
-			logger$3.log("   ⚠ Could not get token, skipping DNS creation");
-			return records.map((r) => ({
-				...r,
-				error: "No API token"
-			}));
-		}
-	}
-	const api = new HostingerApi(token);
-	const results = [];
-	let existingRecords = [];
+async function pushImage(imageRef) {
+	logger$4.log(`\n☁️  Pushing image: ${imageRef}`);
 	try {
-		existingRecords = await api.getRecords(rootDomain);
+		execSync(`docker push ${imageRef}`, {
+			cwd: process.cwd(),
+			stdio: "inherit"
+		});
+		logger$4.log(`✅ Image pushed: ${imageRef}`);
 	} catch (error) {
-		const message = error instanceof Error ? error.message : "Unknown error";
-		logger$3.log(`   ⚠ Failed to fetch existing DNS records: ${message}`);
-		return records.map((r) => ({
-			...r,
-			error: message
-		}));
-	}
-	for (const record of records) {
-		const existing = existingRecords.find((r) => r.name === record.subdomain && r.type === "A");
-		if (existing) {
-			results.push({
-				...record,
-				existed: true,
-				created: false
-			});
-			continue;
-		}
-		try {
-			await api.upsertRecords(rootDomain, [{
-				name: record.subdomain,
-				type: "A",
-				ttl,
-				records: [{ content: record.value }]
-			}]);
-			results.push({
-				...record,
-				created: true,
-				existed: false
-			});
-		} catch (error) {
-			const message = error instanceof Error ? error.message : "Unknown error";
-			results.push({
-				...record,
-				error: message
-			});
-		}
+		throw new Error(`Failed to push Docker image: ${error instanceof Error ? error.message : "Unknown error"}`);
 	}
-	return results;
 }
 /**
-* Main DNS orchestration function for deployments
+* Deploy using Docker (build and optionally push image)
 */
-async function orchestrateDns(appHostnames, dnsConfig, dokployEndpoint) {
-	if (!dnsConfig) return null;
-	const { domain: rootDomain, autoCreate = true } = dnsConfig;
-	logger$3.log("\n🌐 Setting up DNS records...");
-	let serverIp;
-	try {
-		const endpointUrl = new URL(dokployEndpoint);
-		serverIp = await resolveHostnameToIp(endpointUrl.hostname);
-		logger$3.log(`   Server IP: ${serverIp} (from ${endpointUrl.hostname})`);
-	} catch (error) {
-		const message = error instanceof Error ? error.message : "Unknown error";
-		logger$3.log(`   ⚠ Failed to resolve server IP: ${message}`);
-		return null;
+async function deployDocker(options) {
+	const { stage, tag, skipPush, masterKey, config: config$1, buildArgs } = options;
+	const imageName = config$1.imageName;
+	const imageRef = getImageRef(config$1.registry, imageName, tag);
+	await buildImage(imageRef, config$1.appName, buildArgs);
+	if (!skipPush) if (!config$1.registry) logger$4.warn("\n⚠️  No registry configured. Use --skip-push or configure docker.registry in gkm.config.ts");
+	else await pushImage(imageRef);
+	logger$4.log("\n✅ Docker deployment ready!");
+	logger$4.log(`\n📋 Deployment details:`);
+	logger$4.log(`   Image: ${imageRef}`);
+	logger$4.log(`   Stage: ${stage}`);
+	if (masterKey) {
+		logger$4.log(`\n🔐 Deploy with this environment variable:`);
+		logger$4.log(`   GKM_MASTER_KEY=${masterKey}`);
+		logger$4.log("\n   Example docker run:");
+		logger$4.log(`   docker run -e GKM_MASTER_KEY=${masterKey} ${imageRef}`);
 	}
-	const requiredRecords = generateRequiredRecords(appHostnames, rootDomain, serverIp);
-	if (requiredRecords.length === 0) {
-		logger$3.log("   No DNS records needed");
-		return {
-			records: [],
-			success: true,
-			serverIp
-		};
+	return {
+		imageRef,
+		masterKey
+	};
+}
+/**
+* Resolve Docker deploy config from gkm config
+* - imageName: from config, or cwd package.json, or 'app' (for Docker image)
+* - projectName: from root package.json, or 'app' (for Dokploy project)
+* - appName: from cwd package.json, or projectName (for Dokploy app within project)
+*/
+function resolveDockerConfig(config$1) {
+	const projectName = getAppNameFromPackageJson() ?? "app";
+	const appName = getAppNameFromCwd$1() ?? projectName;
+	const imageName = config$1.docker?.imageName ?? appName;
+	return {
+		registry: config$1.docker?.registry,
+		imageName,
+		projectName,
+		appName
+	};
+}
+
+//#endregion
+//#region src/deploy/dokploy.ts
+const logger$3 = console;
+/**
+* Get the Dokploy API token from stored credentials or environment
+*/
+async function getApiToken$1() {
+	const token = await getDokployToken();
+	if (!token) throw new Error("Dokploy credentials not found.\nRun \"gkm login --service dokploy\" to authenticate, or set DOKPLOY_API_TOKEN.");
+	return token;
+}
+/**
+* Create a Dokploy API client
+*/
+async function createApi$1(endpoint) {
+	const token = await getApiToken$1();
+	return new DokployApi({
+		baseUrl: endpoint,
+		token
+	});
+}
+/**
+* Deploy to Dokploy
+*/
+async function deployDokploy(options) {
+	const { stage, imageRef, masterKey, config: config$1 } = options;
+	logger$3.log(`\n🎯 Deploying to Dokploy...`);
+	logger$3.log(`   Endpoint: ${config$1.endpoint}`);
+	logger$3.log(`   Application: ${config$1.applicationId}`);
+	const api = await createApi$1(config$1.endpoint);
+	logger$3.log(`  Configuring Docker image: ${imageRef}`);
+	const registryOptions = {};
+	if (config$1.registryId) {
+		registryOptions.registryId = config$1.registryId;
+		logger$3.log(`  Using Dokploy registry: ${config$1.registryId}`);
+	} else {
+		const storedRegistryId = await getDokployRegistryId();
+		if (storedRegistryId) {
+			registryOptions.registryId = storedRegistryId;
+			logger$3.log(`  Using stored Dokploy registry: ${storedRegistryId}`);
+		} else if (config$1.registryCredentials) {
+			registryOptions.username = config$1.registryCredentials.username;
+			registryOptions.password = config$1.registryCredentials.password;
+			registryOptions.registryUrl = config$1.registryCredentials.registryUrl;
+			logger$3.log(`  Using registry credentials for: ${config$1.registryCredentials.registryUrl}`);
+		} else {
+			const username = process.env.DOCKER_REGISTRY_USERNAME;
+			const password = process.env.DOCKER_REGISTRY_PASSWORD;
+			const registryUrl = process.env.DOCKER_REGISTRY_URL || config$1.registry;
+			if (username && password && registryUrl) {
+				registryOptions.username = username;
+				registryOptions.password = password;
+				registryOptions.registryUrl = registryUrl;
+				logger$3.log(`  Using registry credentials from environment`);
+			}
+		}
 	}
-	let finalRecords;
-	if (autoCreate && dnsConfig.provider !== "manual") {
-		logger$3.log(`   Creating DNS records at ${dnsConfig.provider}...`);
-		finalRecords = await createDnsRecords(requiredRecords, dnsConfig);
-		const created = finalRecords.filter((r) => r.created).length;
-		const existed = finalRecords.filter((r) => r.existed).length;
-		const failed = finalRecords.filter((r) => r.error).length;
-		if (created > 0) logger$3.log(`   ✓ Created ${created} DNS record(s)`);
-		if (existed > 0) logger$3.log(`   ✓ ${existed} record(s) already exist`);
-		if (failed > 0) logger$3.log(`   ⚠ ${failed} record(s) failed`);
-	} else finalRecords = requiredRecords;
-	printDnsRecordsTable(finalRecords, rootDomain);
-	const hasFailures = finalRecords.some((r) => r.error);
-	if (dnsConfig.provider === "manual" || hasFailures) printDnsRecordsSimple(finalRecords.filter((r) => !r.created && !r.existed), rootDomain);
+	await api.saveDockerProvider(config$1.applicationId, imageRef, registryOptions);
+	logger$3.log("  ✓ Docker provider configured");
+	const envVars = {};
+	if (masterKey) envVars.GKM_MASTER_KEY = masterKey;
+	if (Object.keys(envVars).length > 0) {
+		logger$3.log("  Updating environment variables...");
+		const envString = Object.entries(envVars).map(([key, value]) => `${key}=${value}`).join("\n");
+		await api.saveApplicationEnv(config$1.applicationId, envString);
+		logger$3.log("  ✓ Environment variables updated");
+	}
+	logger$3.log("  Triggering deployment...");
+	await api.deployApplication(config$1.applicationId);
+	logger$3.log("  ✓ Deployment triggered");
+	logger$3.log("\n✅ Dokploy deployment initiated!");
+	logger$3.log(`\n📋 Deployment details:`);
+	logger$3.log(`   Image: ${imageRef}`);
+	logger$3.log(`   Stage: ${stage}`);
+	logger$3.log(`   Application ID: ${config$1.applicationId}`);
+	if (masterKey) logger$3.log(`\n🔐 GKM_MASTER_KEY has been set in Dokploy environment`);
+	const deploymentUrl = `${config$1.endpoint}/project/${config$1.projectId}`;
+	logger$3.log(`\n🔗 View deployment: ${deploymentUrl}`);
 	return {
-		records: finalRecords,
-		success: !hasFailures,
-		serverIp
+		imageRef,
+		masterKey,
+		url: deploymentUrl
 	};
 }
 
@@ -4373,6 +4492,107 @@ function getPublicUrlArgNames(app) {
 	return app.dependencies.map((dep) => `NEXT_PUBLIC_${dep.toUpperCase()}_URL`);
 }
 
+//#endregion
+//#region src/deploy/env-resolver.ts
+/**
+* Generate a secure random secret (64 hex characters = 32 bytes)
+*/
+function generateSecret() {
+	return randomBytes(32).toString("hex");
+}
+/**
+* Get or generate a secret for an app.
+* If the secret already exists in state, returns it.
+* Otherwise generates a new one and stores it.
+*/
+function getOrGenerateSecret(state, appName, secretName) {
+	const existing = getGeneratedSecret(state, appName, secretName);
+	if (existing) return existing;
+	const generated = generateSecret();
+	setGeneratedSecret(state, appName, secretName, generated);
+	return generated;
+}
+/**
+* Build a DATABASE_URL for an app with per-app credentials
+*/
+function buildDatabaseUrl(credentials, postgres) {
+	const { dbUser, dbPassword } = credentials;
+	const { host, port, database } = postgres;
+	return `postgresql://${encodeURIComponent(dbUser)}:${encodeURIComponent(dbPassword)}@${host}:${port}/${database}`;
+}
+/**
+* Build a REDIS_URL
+*/
+function buildRedisUrl(redis) {
+	const { host, port, password } = redis;
+	if (password) return `redis://:${encodeURIComponent(password)}@${host}:${port}`;
+	return `redis://${host}:${port}`;
+}
+/**
+* Resolve a single environment variable
+*/
+function resolveEnvVar(varName, context) {
+	switch (varName) {
+		case "PORT": return String(context.app.port);
+		case "NODE_ENV": return context.stage === "production" ? "production" : "development";
+		case "DATABASE_URL":
+			if (context.appCredentials && context.postgres) return buildDatabaseUrl(context.appCredentials, context.postgres);
+			break;
+		case "REDIS_URL":
+			if (context.redis) return buildRedisUrl(context.redis);
+			break;
+		case "BETTER_AUTH_URL": return `https://${context.appHostname}`;
+		case "BETTER_AUTH_SECRET": return getOrGenerateSecret(context.state, context.appName, "BETTER_AUTH_SECRET");
+		case "BETTER_AUTH_TRUSTED_ORIGINS":
+			if (context.frontendUrls.length > 0) return context.frontendUrls.join(",");
+			break;
+		case "GKM_MASTER_KEY":
+			if (context.masterKey) return context.masterKey;
+			break;
+	}
+	if (context.userSecrets) {
+		if (context.userSecrets.custom[varName]) return context.userSecrets.custom[varName];
+		if (varName in context.userSecrets.urls) return context.userSecrets.urls[varName];
+		if (varName === "POSTGRES_PASSWORD" && context.userSecrets.services.postgres) return context.userSecrets.services.postgres.password;
+		if (varName === "REDIS_PASSWORD" && context.userSecrets.services.redis) return context.userSecrets.services.redis.password;
+	}
+	return void 0;
+}
+/**
+* Resolve all environment variables for an app
+*/
+function resolveEnvVars(requiredVars, context) {
+	const resolved = {};
+	const missing = [];
+	for (const varName of requiredVars) {
+		const value = resolveEnvVar(varName, context);
+		if (value !== void 0) resolved[varName] = value;
+		else missing.push(varName);
+	}
+	return {
+		resolved,
+		missing
+	};
+}
+/**
+* Format missing variables error message
+*/
+function formatMissingVarsError(appName, missing, stage) {
+	const varList = missing.map((v) => `  - ${v}`).join("\n");
+	return `Deployment failed: ${appName} is missing required environment variables:\n${varList}\n\nAdd them with:\n  gkm secrets:set <VAR_NAME> <value> --stage ${stage}\n\nOr add them to the app's requiredEnv in gkm.config.ts to have them auto-resolved.`;
+}
+/**
+* Validate that all required environment variables can be resolved
+*/
+function validateEnvVars(requiredVars, context) {
+	const { resolved, missing } = resolveEnvVars(requiredVars, context);
+	return {
+		valid: missing.length === 0,
+		missing,
+		resolved
+	};
+}
+
 //#endregion
 //#region src/deploy/init.ts
 const logger$2 = console;
@@ -4645,14 +4865,35 @@ function generateSecretsReport(encryptedApps, sniffedApps) {
 
 //#endregion
 //#region src/deploy/sniffer.ts
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+/**
+* Resolve the path to a sniffer helper file.
+* Handles both dev (.ts with tsx) and production (.mjs from dist).
+*
+* In production: sniffer.ts is bundled into dist/index.mjs, but sniffer helper
+* files are output to dist/deploy/ as standalone modules for subprocess loading.
+*
+* In development: All files are in src/deploy/ and loaded via tsx.
+*/
+function resolveSnifferFile(baseName) {
+	const deployMjsPath = resolve(__dirname, "deploy", `${baseName}.mjs`);
+	if (existsSync(deployMjsPath)) return deployMjsPath;
+	const mjsPath = resolve(__dirname, `${baseName}.mjs`);
+	if (existsSync(mjsPath)) return mjsPath;
+	const tsPath = resolve(__dirname, `${baseName}.ts`);
+	if (existsSync(tsPath)) return tsPath;
+	return tsPath;
+}
 /**
 * Get required environment variables for an app.
 *
-* Detection strategy:
-* - Frontend apps: Returns empty (no server secrets)
-* - Apps with `requiredEnv`: Uses explicit list from config
-* - Apps with `envParser`: Runs SnifferEnvironmentParser to detect usage
-* - Apps with neither: Returns empty
+* Detection strategy (in order):
+* 1. Frontend apps: Returns empty (no server secrets)
+* 2. Apps with `requiredEnv`: Uses explicit list from config
+* 3. Entry apps: Imports entry file in subprocess to capture config.parse() calls
+* 4. Apps with `envParser`: Runs SnifferEnvironmentParser to detect usage
+* 5. Apps with neither: Returns empty
 *
 * This function handles "fire and forget" async operations gracefully,
 * capturing errors and unhandled rejections without failing the build.
@@ -4673,6 +4914,14 @@ async function sniffAppEnvironment(app, appName, workspacePath, options = {}) {
 		appName,
 		requiredEnvVars: [...app.requiredEnv]
 	};
+	if (app.entry) {
+		const result = await sniffEntryFile(app.entry, app.path, workspacePath);
+		if (logWarnings && result.error) console.warn(`[sniffer] ${appName}: Entry file threw error during sniffing (env vars still captured): ${result.error.message}`);
+		return {
+			appName,
+			requiredEnvVars: result.envVars
+		};
+	}
 	if (app.envParser) {
 		const result = await sniffEnvParser(app.envParser, app.path, workspacePath);
 		if (logWarnings) {
@@ -4690,6 +4939,80 @@ async function sniffAppEnvironment(app, appName, workspacePath, options = {}) {
 	};
 }
 /**
+* Sniff an entry file by importing it in a subprocess.
+*
+* Entry apps call `config.parse()` at module load time. To capture which
+* env vars are accessed, we:
+* 1. Spawn a subprocess with a module loader hook
+* 2. The loader intercepts `@geekmidas/envkit` and replaces EnvironmentParser
+*    with SnifferEnvironmentParser
+* 3. Import the entry file (triggers config.parse())
+* 4. Capture and return the accessed env var names
+*
+* This approach provides process isolation - each app is sniffed in its own
+* subprocess, preventing module cache pollution.
+*
+* @param entryPath - Relative path to the entry file (e.g., './src/index.ts')
+* @param appPath - The app's path relative to workspace (e.g., 'apps/auth')
+* @param workspacePath - Absolute path to workspace root
+* @returns EntrySniffResult with env vars and optional error
+*/
+async function sniffEntryFile(entryPath, appPath, workspacePath) {
+	const fullEntryPath = resolve(workspacePath, appPath, entryPath);
+	const loaderPath = resolveSnifferFile("sniffer-loader");
+	const workerPath = resolveSnifferFile("sniffer-worker");
+	return new Promise((resolvePromise) => {
+		const child = spawn("node", [
+			"--import",
+			loaderPath,
+			workerPath,
+			fullEntryPath
+		], {
+			cwd: resolve(workspacePath, appPath),
+			stdio: [
+				"ignore",
+				"pipe",
+				"pipe"
+			],
+			env: {
+				...process.env,
+				NODE_OPTIONS: "--import tsx"
+			}
+		});
+		let stdout$1 = "";
+		let stderr = "";
+		child.stdout.on("data", (data) => {
+			stdout$1 += data.toString();
+		});
+		child.stderr.on("data", (data) => {
+			stderr += data.toString();
+		});
+		child.on("close", (code) => {
+			try {
+				const jsonMatch = stdout$1.match(/\{[^{}]*"envVars"[^{}]*\}[^{]*$/);
+				if (jsonMatch) {
+					const result = JSON.parse(jsonMatch[0]);
+					resolvePromise({
+						envVars: result.envVars || [],
+						error: result.error ? new Error(result.error) : void 0
+					});
+					return;
+				}
+			} catch {}
+			resolvePromise({
+				envVars: [],
+				error: new Error(`Failed to sniff entry file (exit code ${code}): ${stderr || stdout$1 || "No output"}`)
+			});
+		});
+		child.on("error", (err) => {
+			resolvePromise({
+				envVars: [],
+				error: err
+			});
+		});
+	});
+}
+/**
 * Run the SnifferEnvironmentParser on an envParser module to detect
 * which environment variables it accesses.
 *
@@ -4799,10 +5122,130 @@ async function prompt(message, hidden = false) {
 	}
 }
 /**
+* Wait for Postgres to be ready to accept connections.
+*
+* Polls the Postgres server until it accepts a connection or max retries reached.
+* Used after enabling the external port to ensure the database is accessible
+* before creating users.
+*
+* @param host - The Postgres server hostname
+* @param port - The external port (typically 5432)
+* @param user - Master database user (postgres)
+* @param password - Master database password
+* @param database - Database name to connect to
+* @param maxRetries - Maximum number of connection attempts (default: 30)
+* @param retryIntervalMs - Milliseconds between retries (default: 2000)
+* @throws Error if Postgres is not ready after maxRetries
+*/
+async function waitForPostgres(host, port, user, password, database, maxRetries = 30, retryIntervalMs = 2e3) {
+	for (let i = 0; i < maxRetries; i++) try {
+		const client = new Client({
+			host,
+			port,
+			user,
+			password,
+			database
+		});
+		await client.connect();
+		await client.end();
+		return;
+	} catch {
+		if (i < maxRetries - 1) {
+			logger$1.log(`   Waiting for Postgres... (${i + 1}/${maxRetries})`);
+			await new Promise((r) => setTimeout(r, retryIntervalMs));
+		}
+	}
+	throw new Error(`Postgres not ready after ${maxRetries} retries`);
+}
+/**
+* Initialize Postgres with per-app users and schemas.
+*
+* This function implements the same user/schema isolation pattern used in local
+* dev mode (see docker/postgres/init.sh). It:
+*
+* 1. Temporarily enables the external Postgres port
+* 2. Connects using master credentials
+* 3. Creates each user with appropriate schema permissions
+* 4. Disables the external port for security
+*
+* Schema assignment follows this pattern:
+* - `api` app: Uses `public` schema (shared tables, migrations run here)
+* - Other apps: Get their own schema with `search_path` configured
+*
+* @param api - The Dokploy API client
+* @param postgres - The provisioned Postgres service details
+* @param serverHostname - The Dokploy server hostname (for external connection)
+* @param users - Array of users to create with their schema configuration
+*
+* @example
+* ```ts
+* await initializePostgresUsers(api, postgres, 'dokploy.example.com', [
+*   { name: 'api', password: 'xxx', usePublicSchema: true },
+*   { name: 'auth', password: 'yyy', usePublicSchema: false },
+* ]);
+* ```
+*/
+async function initializePostgresUsers(api, postgres, serverHostname, users) {
+	logger$1.log("\n🔧 Initializing database users...");
+	const externalPort = 5432;
+	logger$1.log(`   Enabling external port ${externalPort}...`);
+	await api.savePostgresExternalPort(postgres.postgresId, externalPort);
+	await api.deployPostgres(postgres.postgresId);
+	logger$1.log(`   Waiting for Postgres to be accessible at ${serverHostname}:${externalPort}...`);
+	await waitForPostgres(serverHostname, externalPort, postgres.databaseUser, postgres.databasePassword, postgres.databaseName);
+	const client = new Client({
+		host: serverHostname,
+		port: externalPort,
+		user: postgres.databaseUser,
+		password: postgres.databasePassword,
+		database: postgres.databaseName
+	});
+	try {
+		await client.connect();
+		for (const user of users) {
+			const schemaName = user.usePublicSchema ? "public" : user.name;
+			logger$1.log(`   Creating user "${user.name}" with schema "${schemaName}"...`);
+			await client.query(`
+				DO $$ BEGIN
+					CREATE USER "${user.name}" WITH PASSWORD '${user.password}';
+				EXCEPTION WHEN duplicate_object THEN
+					ALTER USER "${user.name}" WITH PASSWORD '${user.password}';
+				END $$;
+			`);
+			if (user.usePublicSchema) await client.query(`
+					GRANT ALL ON SCHEMA public TO "${user.name}";
+					ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO "${user.name}";
+					ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO "${user.name}";
+				`);
+			else await client.query(`
+					CREATE SCHEMA IF NOT EXISTS "${schemaName}" AUTHORIZATION "${user.name}";
+					ALTER USER "${user.name}" SET search_path TO "${schemaName}";
+					GRANT USAGE ON SCHEMA "${schemaName}" TO "${user.name}";
+					GRANT ALL ON ALL TABLES IN SCHEMA "${schemaName}" TO "${user.name}";
+					ALTER DEFAULT PRIVILEGES IN SCHEMA "${schemaName}" GRANT ALL ON TABLES TO "${user.name}";
+				`);
+			logger$1.log(`   ✓ User "${user.name}" configured`);
+		}
+	} finally {
+		await client.end();
+	}
+	logger$1.log("   Disabling external port...");
+	await api.savePostgresExternalPort(postgres.postgresId, null);
+	await api.deployPostgres(postgres.postgresId);
+	logger$1.log("   ✓ Database users initialized");
+}
+/**
+* Get the server hostname from the Dokploy endpoint URL
+*/
+function getServerHostname(endpoint) {
+	const url = new URL(endpoint);
+	return url.hostname;
+}
+/**
 * Provision docker compose services in Dokploy
 * @internal Exported for testing
 */
-async function provisionServices(api, projectId, environmentId, appName, services, existingServiceIds) {
+async function provisionServices(api, projectId, environmentId, projectName, services, existingServiceIds) {
 	logger$1.log(`\n🔍 provisionServices called: services=${JSON.stringify(services)}, envId=${environmentId}`);
 	if (!services || !environmentId) {
 		logger$1.log("   Skipping: no services or no environmentId");
@@ -4823,9 +5266,12 @@ async function provisionServices(api, projectId, environmentId, appName, service
 				else logger$1.log(`   ⚠ Cached ID invalid, will create new`);
 			}
 			if (!postgres) {
-				const { randomBytes: randomBytes$1 } = await import("node:crypto");
-				const databasePassword = randomBytes$1(16).toString("hex");
-				const result = await api.findOrCreatePostgres(postgresName, projectId, environmentId, { databasePassword });
+				const databasePassword = randomBytes(16).toString("hex");
+				const databaseName = projectName.replace(/-/g, "_");
+				const result = await api.findOrCreatePostgres(postgresName, projectId, environmentId, {
+					databaseName,
+					databasePassword
+				});
 				postgres = result.postgres;
 				created = result.created;
 				if (created) {
@@ -4893,12 +5339,6 @@ async function provisionServices(api, projectId, environmentId, appName, service
 */
 async function ensureDokploySetup(config$1, dockerConfig, stage, services) {
 	logger$1.log("\n🔧 Checking Dokploy setup...");
-	const { readStageSecrets: readStageSecrets$1 } = await import("./storage-DNj_I11J.mjs");
-	const existingSecrets = await readStageSecrets$1(stage);
-	const existingUrls = {
-		DATABASE_URL: existingSecrets?.urls?.DATABASE_URL,
-		REDIS_URL: existingSecrets?.urls?.REDIS_URL
-	};
 	let creds = await getDokployCredentials();
 	if (!creds) {
 		logger$1.log("\n📋 Dokploy credentials not found. Let's set them up.");
@@ -5224,6 +5664,8 @@ async function workspaceDeployCommand(workspace, options) {
 		postgres: services.db !== void 0 && services.db !== false,
 		redis: services.cache !== void 0 && services.cache !== false
 	};
+	let provisionedPostgres = null;
+	let provisionedRedis = null;
 	if (dockerServices.postgres || dockerServices.redis) {
 		logger$1.log("\n🔧 Provisioning infrastructure services...");
 		const existingServiceIds = {
@@ -5232,17 +5674,64 @@ async function workspaceDeployCommand(workspace, options) {
 		};
 		const provisionResult = await provisionServices(api, project.projectId, environmentId, workspace.name, dockerServices, existingServiceIds);
 		if (provisionResult?.serviceIds) {
-			if (provisionResult.serviceIds.postgresId) setPostgresId(state, provisionResult.serviceIds.postgresId);
-			if (provisionResult.serviceIds.redisId) setRedisId(state, provisionResult.serviceIds.redisId);
+			if (provisionResult.serviceIds.postgresId) {
+				setPostgresId(state, provisionResult.serviceIds.postgresId);
+				provisionedPostgres = await api.getPostgres(provisionResult.serviceIds.postgresId);
+			}
+			if (provisionResult.serviceIds.redisId) {
+				setRedisId(state, provisionResult.serviceIds.redisId);
+				provisionedRedis = await api.getRedis(provisionResult.serviceIds.redisId);
+			}
 		}
 	}
 	const backendApps = appsToDeployNames.filter((name$1) => workspace.apps[name$1].type === "backend");
 	const frontendApps = appsToDeployNames.filter((name$1) => workspace.apps[name$1].type === "frontend");
+	const perAppDbCredentials = /* @__PURE__ */ new Map();
+	if (provisionedPostgres && backendApps.length > 0) {
+		const appsNeedingDb = backendApps.filter((appName) => {
+			const requirements = sniffedApps.get(appName);
+			return requirements?.requiredEnvVars.includes("DATABASE_URL");
+		});
+		if (appsNeedingDb.length > 0) {
+			logger$1.log(`\n🔐 Setting up per-app database credentials...`);
+			logger$1.log(`   Apps needing DATABASE_URL: ${appsNeedingDb.join(", ")}`);
+			const existingCredentials = getAllAppCredentials(state);
+			const usersToCreate = [];
+			for (const appName of appsNeedingDb) {
+				let credentials = existingCredentials[appName];
+				if (credentials) logger$1.log(`   ${appName}: Using existing credentials from state`);
+				else {
+					const password = randomBytes(16).toString("hex");
+					credentials = {
+						dbUser: appName,
+						dbPassword: password
+					};
+					setAppCredentials(state, appName, credentials);
+					logger$1.log(`   ${appName}: Generated new credentials`);
+				}
+				perAppDbCredentials.set(appName, credentials);
+				usersToCreate.push({
+					name: appName,
+					password: credentials.dbPassword,
+					usePublicSchema: appName === "api"
+				});
+			}
+			const serverHostname = getServerHostname(creds.endpoint);
+			await initializePostgresUsers(api, provisionedPostgres, serverHostname, usersToCreate);
+		}
+	}
 	const publicUrls = {};
 	const results = [];
 	const dokployConfig = workspace.deploy.dokploy;
 	const appHostnames = /* @__PURE__ */ new Map();
 	const appDomainIds = /* @__PURE__ */ new Map();
+	const frontendUrls = [];
+	for (const appName of frontendApps) {
+		const app = workspace.apps[appName];
+		const isMainFrontend = isMainFrontendApp(appName, app, workspace.apps);
+		const hostname = resolveHost(appName, app, stage, dokployConfig, isMainFrontend);
+		frontendUrls.push(`https://${hostname}`);
+	}
 	if (backendApps.length > 0) {
 		logger$1.log("\n📦 PHASE 1: Deploying backend applications...");
 		for (const appName of backendApps) {
@@ -5286,14 +5775,46 @@ async function workspaceDeployCommand(workspace, options) {
 					},
 					buildArgs
 				});
-				const envVars = [`NODE_ENV=production`, `PORT=${app.port}`];
-				if (appSecrets && appSecrets.masterKey) envVars.push(`GKM_MASTER_KEY=${appSecrets.masterKey}`);
+				const backendHost = resolveHost(appName, app, stage, dokployConfig, false);
+				const envContext = {
+					app,
+					appName,
+					stage,
+					state,
+					appCredentials: perAppDbCredentials.get(appName),
+					postgres: provisionedPostgres ? {
+						host: provisionedPostgres.appName,
+						port: 5432,
+						database: provisionedPostgres.databaseName
+					} : void 0,
+					redis: provisionedRedis ? {
+						host: provisionedRedis.appName,
+						port: 6379,
+						password: provisionedRedis.databasePassword
+					} : void 0,
+					appHostname: backendHost,
+					frontendUrls,
+					userSecrets: stageSecrets ?? void 0,
+					masterKey: appSecrets?.masterKey
+				};
+				const appRequirements = sniffedApps.get(appName);
+				const requiredVars = appRequirements?.requiredEnvVars ?? [];
+				const { valid, missing, resolved } = validateEnvVars(requiredVars, envContext);
+				if (!valid) throw new Error(formatMissingVarsError(appName, missing, stage));
+				const envVars = Object.entries(resolved).map(([key, value]) => `${key}=${value}`);
+				if (Object.keys(resolved).length > 0) logger$1.log(`      Resolved ${Object.keys(resolved).length} env vars: ${Object.keys(resolved).join(", ")}`);
 				await api.saveDockerProvider(application.applicationId, imageRef, { registryId });
 				await api.saveApplicationEnv(application.applicationId, envVars.join("\n"));
 				logger$1.log(`      Deploying to Dokploy...`);
 				await api.deployApplication(application.applicationId);
-				const backendHost = resolveHost(appName, app, stage, dokployConfig, false);
-				try {
+				const existingDomains = await api.getDomainsByApplicationId(application.applicationId);
+				const existingDomain = existingDomains.find((d) => d.host === backendHost);
+				if (existingDomain) {
+					appHostnames.set(appName, backendHost);
+					appDomainIds.set(appName, existingDomain.domainId);
+					publicUrls[appName] = `https://${backendHost}`;
+					logger$1.log(`      ✓ Domain: https://${backendHost} (existing)`);
+				} else try {
 					const domain = await api.createDomain({
 						host: backendHost,
 						port: app.port,
@@ -5303,18 +5824,13 @@ async function workspaceDeployCommand(workspace, options) {
 					});
 					appHostnames.set(appName, backendHost);
 					appDomainIds.set(appName, domain.domainId);
-					const publicUrl = `https://${backendHost}`;
-					publicUrls[appName] = publicUrl;
-					logger$1.log(`      ✓ Domain: ${publicUrl}`);
+					publicUrls[appName] = `https://${backendHost}`;
+					logger$1.log(`      ✓ Domain: https://${backendHost} (created)`);
 				} catch (domainError) {
+					const message = domainError instanceof Error ? domainError.message : "Unknown error";
+					logger$1.log(`      ⚠ Domain creation failed: ${message}`);
 					appHostnames.set(appName, backendHost);
-					try {
-						const existingDomains = await api.getDomainsByApplicationId(application.applicationId);
-						const matchingDomain = existingDomains.find((d) => d.host === backendHost);
-						if (matchingDomain) appDomainIds.set(appName, matchingDomain.domainId);
-					} catch {}
 					publicUrls[appName] = `https://${backendHost}`;
-					logger$1.log(`      ℹ Domain already configured: https://${backendHost}`);
 				}
 				results.push({
 					appName,
@@ -5383,7 +5899,14 @@ async function workspaceDeployCommand(workspace, options) {
 				await api.deployApplication(application.applicationId);
 				const isMainFrontend = isMainFrontendApp(appName, app, workspace.apps);
 				const frontendHost = resolveHost(appName, app, stage, dokployConfig, isMainFrontend);
-				try {
+				const existingFrontendDomains = await api.getDomainsByApplicationId(application.applicationId);
+				const existingFrontendDomain = existingFrontendDomains.find((d) => d.host === frontendHost);
+				if (existingFrontendDomain) {
+					appHostnames.set(appName, frontendHost);
+					appDomainIds.set(appName, existingFrontendDomain.domainId);
+					publicUrls[appName] = `https://${frontendHost}`;
+					logger$1.log(`      ✓ Domain: https://${frontendHost} (existing)`);
+				} else try {
 					const domain = await api.createDomain({
 						host: frontendHost,
 						port: app.port,
@@ -5393,18 +5916,13 @@ async function workspaceDeployCommand(workspace, options) {
 					});
 					appHostnames.set(appName, frontendHost);
 					appDomainIds.set(appName, domain.domainId);
-					const publicUrl = `https://${frontendHost}`;
-					publicUrls[appName] = publicUrl;
-					logger$1.log(`      ✓ Domain: ${publicUrl}`);
+					publicUrls[appName] = `https://${frontendHost}`;
+					logger$1.log(`      ✓ Domain: https://${frontendHost} (created)`);
 				} catch (domainError) {
+					const message = domainError instanceof Error ? domainError.message : "Unknown error";
+					logger$1.log(`      ⚠ Domain creation failed: ${message}`);
 					appHostnames.set(appName, frontendHost);
-					try {
-						const existingDomains = await api.getDomainsByApplicationId(application.applicationId);
-						const matchingDomain = existingDomains.find((d) => d.host === frontendHost);
-						if (matchingDomain) appDomainIds.set(appName, matchingDomain.domainId);
-					} catch {}
 					publicUrls[appName] = `https://${frontendHost}`;
-					logger$1.log(`      ℹ Domain already configured: https://${frontendHost}`);
 				}
 				results.push({
 					appName,
@@ -5432,6 +5950,10 @@ async function workspaceDeployCommand(workspace, options) {
 	const dnsConfig = workspace.deploy.dns;
 	if (dnsConfig && appHostnames.size > 0) {
 		const dnsResult = await orchestrateDns(appHostnames, dnsConfig, creds.endpoint);
+		if (dnsResult?.serverIp && appHostnames.size > 0) {
+			await verifyDnsRecords(appHostnames, dnsResult.serverIp, state);
+			await writeStageState(workspace.root, stage, state);
+		}
 		if (dnsResult?.success && appHostnames.size > 0) {
 			logger$1.log("\n🔒 Validating domains for SSL certificates...");
 			for (const [appName, hostname] of appHostnames) try {
@@ -5732,10 +6254,10 @@ const GEEKMIDAS_VERSIONS = {
 	"@geekmidas/cli": CLI_VERSION,
 	"@geekmidas/client": "~0.5.0",
 	"@geekmidas/cloud": "~0.2.0",
-	"@geekmidas/constructs": "~0.7.0",
+	"@geekmidas/constructs": "~0.8.0",
 	"@geekmidas/db": "~0.3.0",
 	"@geekmidas/emailkit": "~0.2.0",
-	"@geekmidas/envkit": "~0.6.0",
+	"@geekmidas/envkit": "~0.7.0",
 	"@geekmidas/errors": "~0.1.0",
 	"@geekmidas/events": "~0.2.0",
 	"@geekmidas/logger": "~0.4.0",
@@ -5744,7 +6266,7 @@ const GEEKMIDAS_VERSIONS = {
 	"@geekmidas/services": "~0.2.0",
 	"@geekmidas/storage": "~0.1.0",
 	"@geekmidas/studio": "~0.4.0",
-	"@geekmidas/telescope": "~0.5.0",
+	"@geekmidas/telescope": "~0.6.0",
 	"@geekmidas/testkit": "~0.6.0"
 };