@geekmidas/cli 0.53.0 → 1.0.0

package/src/deploy/sniffer-routes-worker.ts

@@ -0,0 +1,104 @@
+/**
+ * Subprocess worker for route-based app sniffing.
+ *
+ * This script is executed in a subprocess with tsx loader,
+ * which handles TypeScript compilation and path alias resolution.
+ *
+ * Usage:
+ *   node --import tsx ./sniffer-routes-worker.ts "/path/to/app" "./src/endpoints/**\/*.ts"
+ *
+ * Output (JSON to stdout):
+ *   { "envVars": ["PORT", "DATABASE_URL", ...], "error": null }
+ */
+
+import type { Construct } from '@geekmidas/constructs';
+import { Cron } from '@geekmidas/constructs/crons';
+import { Endpoint } from '@geekmidas/constructs/endpoints';
+import { Function as GkmFunction } from '@geekmidas/constructs/functions';
+import { Subscriber } from '@geekmidas/constructs/subscribers';
+import fg from 'fast-glob';
+
+// Get args from command line
+const appPathArg = process.argv[2];
+const routesPatternArg = process.argv[3];
+
+if (!appPathArg || !routesPatternArg) {
+	console.log(
+		JSON.stringify({
+			envVars: [],
+			error: 'App path and routes pattern are required',
+		}),
+	);
+	process.exit(1);
+}
+
+// After validation, these are guaranteed to be strings
+const appPath: string = appPathArg;
+const routesPattern: string = routesPatternArg;
+
+/**
+ * Check if a value is a gkm construct.
+ */
+function isConstruct(value: unknown): value is Construct {
+	return (
+		Endpoint.isEndpoint(value) ||
+		GkmFunction.isFunction(value) ||
+		Cron.isCron(value) ||
+		Subscriber.isSubscriber(value)
+	);
+}
+
+/**
+ * Main sniffing function
+ */
+async function sniff(): Promise<void> {
+	const envVars = new Set<string>();
+	let error: string | null = null;
+
+	try {
+		// Find all route files matching the pattern
+		const files = await fg(routesPattern, {
+			cwd: appPath,
+			absolute: true,
+		});
+
+		// Import each route file and find constructs
+		for (const file of files) {
+			try {
+				const module = await import(file);
+
+				// Check all exports for constructs
+				for (const [, exportValue] of Object.entries(module)) {
+					if (isConstruct(exportValue)) {
+						try {
+							const constructEnvVars = await exportValue.getEnvironment();
+							constructEnvVars.forEach((v) => envVars.add(v));
+						} catch {
+							// Individual construct may fail, continue with others
+						}
+					}
+				}
+			} catch (e) {
+				// Log import errors but continue with other files
+				const msg = e instanceof Error ? e.message : String(e);
+				console.error(`[sniffer] Failed to import ${file}: ${msg}`);
+			}
+		}
+	} catch (e) {
+		error = e instanceof Error ? e.message : String(e);
+	}
+
+	// Output result as JSON (last line of stdout)
+	console.log(JSON.stringify({ envVars: Array.from(envVars).sort(), error }));
+}
+
+// Handle unhandled rejections
+process.on('unhandledRejection', () => {
+	// Silently ignore - we only care about env var capture
+});
+
+// Run the sniffer
+sniff().catch((e) => {
+	console.log(JSON.stringify({ envVars: [], error: e.message || String(e) }));
+	process.exit(1);
+});

package/src/deploy/sniffer.ts

@@ -1,5 +1,6 @@
-import { existsSync } from 'node:fs';
 import { spawn } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { createRequire } from 'node:module';
 import { dirname, resolve } from 'node:path';
 import { fileURLToPath, pathToFileURL } from 'node:url';
 import type { SniffResult } from '@geekmidas/envkit/sniffer';
@@ -8,6 +9,15 @@ import type { NormalizedAppConfig } from '../workspace/types.js';
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 
+/**
+ * Resolve the tsx package path from the CLI package's dependencies.
+ * This ensures tsx is available regardless of whether the target project has it installed.
+ */
+function resolveTsxPath(): string {
+	const require = createRequire(import.meta.url);
+	return require.resolve('tsx');
+}
+
 /**
  * Resolve the path to a sniffer helper file.
  * Handles both dev (.ts with tsx) and production (.mjs from dist).
@@ -67,8 +77,9 @@ export interface SniffAppOptions {
  * 1. Frontend apps: Returns empty (no server secrets)
  * 2. Apps with `requiredEnv`: Uses explicit list from config
  * 3. Entry apps: Imports entry file in subprocess to capture config.parse() calls
- * 4. Apps with `envParser`: Runs SnifferEnvironmentParser to detect usage
- * 5. Apps with neither: Returns empty
+ * 4. Route-based apps: Loads route files and calls getEnvironment() on each construct
+ * 5. Apps with `envParser` (no routes): Runs SnifferEnvironmentParser to detect usage
+ * 6. Apps with neither: Returns empty
  *
  * This function handles "fire and forget" async operations gracefully,
  * capturing errors and unhandled rejections without failing the build.
@@ -110,7 +121,20 @@ export async function sniffAppEnvironment(
 		return { appName, requiredEnvVars: result.envVars };
 	}
 
-	// 4. Apps with envParser - run sniffer to detect env var usage
+	// 4. Route-based apps - load routes and call getEnvironment() on each construct
+	if (app.routes) {
+		const result = await sniffRouteFiles(app.routes, app.path, workspacePath);
+
+		if (logWarnings && result.error) {
+			console.warn(
+				`[sniffer] ${appName}: Route sniffing threw error (env vars still captured): ${result.error.message}`,
+			);
+		}
+
+		return { appName, requiredEnvVars: result.envVars };
+	}
+
+	// 5. Apps with envParser but no routes - run sniffer to detect env var usage
 	if (app.envParser) {
 		const result = await sniffEnvParser(app.envParser, app.path, workspacePath);
 
@@ -232,6 +256,103 @@ async function sniffEntryFile(
 	});
 }
 
+/**
+ * Sniff route files by loading constructs and calling getEnvironment().
+ *
+ * Route-based apps have endpoints, functions, crons, and subscribers that
+ * use services. Each service's register() method accesses environment variables.
+ *
+ * This runs in a subprocess with tsx loader to properly handle TypeScript
+ * compilation and path alias resolution (e.g., `src/...` imports).
+ *
+ * @param routes - Glob pattern(s) for route files
+ * @param appPath - The app's path relative to workspace (e.g., 'apps/api')
+ * @param workspacePath - Absolute path to workspace root
+ * @returns EntrySniffResult with env vars and optional error
+ */
+async function sniffRouteFiles(
+	routes: string | string[],
+	appPath: string,
+	workspacePath: string,
+): Promise<EntrySniffResult> {
+	const fullAppPath = resolve(workspacePath, appPath);
+	const workerPath = resolveSnifferFile('sniffer-routes-worker');
+	const tsxPath = resolveTsxPath();
+
+	// Convert array of patterns to first pattern (worker handles glob internally)
+	const routesArray = Array.isArray(routes) ? routes : [routes];
+	const pattern = routesArray[0];
+	if (!pattern) {
+		return { envVars: [], error: new Error('No route patterns provided') };
+	}
+
+	return new Promise((resolvePromise) => {
+		const child = spawn(
+			'node',
+			['--import', tsxPath, workerPath, fullAppPath, pattern],
+			{
+				cwd: fullAppPath,
+				stdio: ['ignore', 'pipe', 'pipe'],
+				env: {
+					...process.env,
+				},
+			},
+		);
+
+		let stdout = '';
+		let stderr = '';
+
+		child.stdout.on('data', (data) => {
+			stdout += data.toString();
+		});
+
+		child.stderr.on('data', (data) => {
+			stderr += data.toString();
+		});
+
+		child.on('close', (code) => {
+			// Log any stderr output (import errors, etc.)
+			if (stderr) {
+				stderr
+					.split('\n')
+					.filter((line) => line.trim())
+					.forEach((line) => console.warn(line));
+			}
+
+			// Try to parse the JSON output from the worker
+			try {
+				// Find the last JSON object in stdout (worker may emit other output)
+				const jsonMatch = stdout.match(/\{[^{}]*"envVars"[^{}]*\}[^{]*$/);
+				if (jsonMatch) {
+					const result = JSON.parse(jsonMatch[0]);
+					resolvePromise({
+						envVars: result.envVars || [],
+						error: result.error ? new Error(result.error) : undefined,
+					});
+					return;
+				}
+			} catch {
+				// JSON parse failed
+			}
+
+			// If we couldn't parse the output, return empty with error info
+			resolvePromise({
+				envVars: [],
+				error: new Error(
+					`Failed to sniff route files (exit code ${code}): ${stderr || stdout || 'No output'}`,
+				),
+			});
+		});
+
+		child.on('error', (err) => {
+			resolvePromise({
+				envVars: [],
+				error: err,
+			});
+		});
+	});
+}
+
 /**
  * Run the SnifferEnvironmentParser on an envParser module to detect
  * which environment variables it accesses.
@@ -333,4 +454,8 @@ export async function sniffAllApps(
 }
 
 // Export for testing
-export { sniffEnvParser as _sniffEnvParser, sniffEntryFile as _sniffEntryFile };
+export {
+	sniffEnvParser as _sniffEnvParser,
+	sniffEntryFile as _sniffEntryFile,
+	sniffRouteFiles as _sniffRouteFiles,
+};

package/src/deploy/state-commands.ts

@@ -0,0 +1,274 @@
+/**
+ * State Management CLI Commands
+ *
+ * Commands for managing deployment state across local and remote providers.
+ */
+
+import { loadWorkspaceConfig } from '../config';
+import { CachedStateProvider } from './CachedStateProvider';
+import { createStateProvider } from './StateProvider';
+import type { DokployStageState } from './state';
+
+export interface StateCommandOptions {
+	stage: string;
+}
+
+/**
+ * Pull state from remote to local.
+ * `gkm state:pull --stage=<stage>`
+ */
+export async function statePullCommand(
+	options: StateCommandOptions,
+): Promise<void> {
+	const { workspace } = await loadWorkspaceConfig();
+
+	if (!workspace.state || workspace.state.provider === 'local') {
+		console.error('No remote state provider configured.');
+		console.error('Add a remote provider in gkm.config.ts:');
+		console.error('  state: { provider: "ssm", region: "us-east-1" }');
+		process.exit(1);
+	}
+
+	const provider = await createStateProvider({
+		config: workspace.state,
+		workspaceRoot: workspace.root,
+		workspaceName: workspace.name,
+	});
+
+	if (!(provider instanceof CachedStateProvider)) {
+		console.error('State provider does not support pull operation.');
+		process.exit(1);
+	}
+
+	console.log(`Pulling state for stage: ${options.stage}...`);
+	const state = await provider.pull(options.stage);
+
+	if (state) {
+		console.log('State pulled successfully.');
+		printStateSummary(state);
+	} else {
+		console.log('No remote state found for this stage.');
+	}
+}
+
+/**
+ * Push local state to remote.
+ * `gkm state:push --stage=<stage>`
+ */
+export async function statePushCommand(
+	options: StateCommandOptions,
+): Promise<void> {
+	const { workspace } = await loadWorkspaceConfig();
+
+	if (!workspace.state || workspace.state.provider === 'local') {
+		console.error('No remote state provider configured.');
+		console.error('Add a remote provider in gkm.config.ts:');
+		console.error('  state: { provider: "ssm", region: "us-east-1" }');
+		process.exit(1);
+	}
+
+	const provider = await createStateProvider({
+		config: workspace.state,
+		workspaceRoot: workspace.root,
+		workspaceName: workspace.name,
+	});
+
+	if (!(provider instanceof CachedStateProvider)) {
+		console.error('State provider does not support push operation.');
+		process.exit(1);
+	}
+
+	console.log(`Pushing state for stage: ${options.stage}...`);
+	const state = await provider.push(options.stage);
+
+	if (state) {
+		console.log('State pushed successfully.');
+		printStateSummary(state);
+	} else {
+		console.log('No local state found for this stage.');
+	}
+}
+
+/**
+ * Show current state.
+ * `gkm state:show --stage=<stage>`
+ */
+export async function stateShowCommand(
+	options: StateCommandOptions & { json?: boolean },
+): Promise<void> {
+	const { workspace } = await loadWorkspaceConfig();
+
+	const provider = await createStateProvider({
+		config: workspace.state,
+		workspaceRoot: workspace.root,
+		workspaceName: workspace.name,
+	});
+
+	const state = await provider.read(options.stage);
+
+	if (!state) {
+		console.log(`No state found for stage: ${options.stage}`);
+		return;
+	}
+
+	if (options.json) {
+		console.log(JSON.stringify(state, null, 2));
+	} else {
+		printStateDetails(state);
+	}
+}
+
+/**
+ * Compare local and remote state.
+ * `gkm state:diff --stage=<stage>`
+ */
+export async function stateDiffCommand(
+	options: StateCommandOptions,
+): Promise<void> {
+	const { workspace } = await loadWorkspaceConfig();
+
+	if (!workspace.state || workspace.state.provider === 'local') {
+		console.error('No remote state provider configured.');
+		console.error('Diff requires a remote provider to compare against.');
+		process.exit(1);
+	}
+
+	const provider = await createStateProvider({
+		config: workspace.state,
+		workspaceRoot: workspace.root,
+		workspaceName: workspace.name,
+	});
+
+	if (!(provider instanceof CachedStateProvider)) {
+		console.error('State provider does not support diff operation.');
+		process.exit(1);
+	}
+
+	console.log(`Comparing state for stage: ${options.stage}...\n`);
+	const { local, remote } = await provider.diff(options.stage);
+
+	if (!local && !remote) {
+		console.log('No state found (local or remote).');
+		return;
+	}
+
+	if (!local) {
+		console.log('Local:  (none)');
+	} else {
+		console.log(`Local:  Last deployed ${local.lastDeployedAt}`);
+	}
+
+	if (!remote) {
+		console.log('Remote: (none)');
+	} else {
+		console.log(`Remote: Last deployed ${remote.lastDeployedAt}`);
+	}
+
+	console.log('');
+
+	// Compare applications
+	const localApps = local?.applications ?? {};
+	const remoteApps = remote?.applications ?? {};
+	const allApps = new Set([
+		...Object.keys(localApps),
+		...Object.keys(remoteApps),
+	]);
+
+	if (allApps.size > 0) {
+		console.log('Applications:');
+		for (const app of allApps) {
+			const localId = localApps[app];
+			const remoteId = remoteApps[app];
+
+			if (localId === remoteId) {
+				console.log(`  ${app}: ${localId ?? '(none)'}`);
+			} else if (!localId) {
+				console.log(`  ${app}: (none) -> ${remoteId} [REMOTE ONLY]`);
+			} else if (!remoteId) {
+				console.log(`  ${app}: ${localId} -> (none) [LOCAL ONLY]`);
+			} else {
+				console.log(
+					`  ${app}: ${localId} (local) != ${remoteId} (remote) [MISMATCH]`,
+				);
+			}
+		}
+	}
+
+	// Compare services
+	const localServices = local?.services ?? {};
+	const remoteServices = remote?.services ?? {};
+
+	if (
+		Object.keys(localServices).length > 0 ||
+		Object.keys(remoteServices).length > 0
+	) {
+		console.log('\nServices:');
+		const serviceKeys = new Set([
+			...Object.keys(localServices),
+			...Object.keys(remoteServices),
+		]);
+
+		for (const key of serviceKeys) {
+			const localVal = localServices[key as keyof typeof localServices];
+			const remoteVal = remoteServices[key as keyof typeof remoteServices];
+
+			if (localVal === remoteVal) {
+				console.log(`  ${key}: ${localVal ?? '(none)'}`);
+			} else {
+				console.log(
+					`  ${key}: ${localVal ?? '(none)'} (local) != ${remoteVal ?? '(none)'} (remote)`,
+				);
+			}
+		}
+	}
+}
+
+function printStateSummary(state: DokployStageState): void {
+	const appCount = Object.keys(state.applications).length;
+	const hasPostgres = !!state.services.postgresId;
+	const hasRedis = !!state.services.redisId;
+
+	console.log(`  Stage: ${state.stage}`);
+	console.log(`  Applications: ${appCount}`);
+	console.log(`  Postgres: ${hasPostgres ? 'configured' : 'none'}`);
+	console.log(`  Redis: ${hasRedis ? 'configured' : 'none'}`);
+	console.log(`  Last deployed: ${state.lastDeployedAt}`);
+}
+
+function printStateDetails(state: DokployStageState): void {
+	console.log(`Stage: ${state.stage}`);
+	console.log(`Environment ID: ${state.environmentId}`);
+	console.log(`Last Deployed: ${state.lastDeployedAt}`);
+	console.log('');
+
+	console.log('Applications:');
+	const apps = Object.entries(state.applications);
+	if (apps.length === 0) {
+		console.log('  (none)');
+	} else {
+		for (const [name, id] of apps) {
+			console.log(`  ${name}: ${id}`);
+		}
+	}
+	console.log('');
+
+	console.log('Services:');
+	if (!state.services.postgresId && !state.services.redisId) {
+		console.log('  (none)');
+	} else {
+		if (state.services.postgresId) {
+			console.log(`  Postgres: ${state.services.postgresId}`);
+		}
+		if (state.services.redisId) {
+			console.log(`  Redis: ${state.services.redisId}`);
+		}
+	}
+
+	if (state.dnsVerified && Object.keys(state.dnsVerified).length > 0) {
+		console.log('');
+		console.log('DNS Verified:');
+		for (const [hostname, info] of Object.entries(state.dnsVerified)) {
+			console.log(`  ${hostname}: ${info.serverIp} (${info.verifiedAt})`);
+		}
+	}
+}

package/src/dev/__tests__/entry.spec.ts

@@ -8,7 +8,10 @@ describe('findSecretsRoot', () => {
 	let testDir: string;
 
 	beforeEach(async () => {
-		testDir = join(tmpdir(), `gkm-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+		testDir = join(
+			tmpdir(),
+			`gkm-test-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+		);
 		await mkdir(testDir, { recursive: true });
 	});
 
@@ -61,7 +64,10 @@ describe('createEntryWrapper', () => {
 	let testDir: string;
 
 	beforeEach(async () => {
-		testDir = join(tmpdir(), `gkm-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+		testDir = join(
+			tmpdir(),
+			`gkm-test-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+		);
 		await mkdir(testDir, { recursive: true });
 	});
 

package/src/dev/__tests__/index.spec.ts

@@ -1049,9 +1049,7 @@ describe('loadSecretsForApp', () => {
 
 			const secrets = await loadSecretsForApp(testDir);
 
-			expect(secrets.DATABASE_URL).toBe(
-				'postgresql://localhost/developmentdb',
-			);
+			expect(secrets.DATABASE_URL).toBe('postgresql://localhost/developmentdb');
 		});
 
 		it('should return empty object if no secrets exist', async () => {

package/src/dev/index.ts

@@ -340,7 +340,9 @@ export async function devCommand(options: DevOptions): Promise<void> {
 			secretsRoot = appConfig.workspaceRoot;
 			workspaceAppName = appConfig.appName;
 			workspaceAppPort = appConfig.app.port;
-			logger.log(`📦 Running app: ${appConfig.appName} on port ${workspaceAppPort}`);
+			logger.log(
+				`📦 Running app: ${appConfig.appName} on port ${workspaceAppPort}`,
+			);
 
 			// Check if app has an entry point (non-gkm app like better-auth)
 			if (appConfig.app.entry) {
@@ -1387,7 +1389,9 @@ export async function prepareEntryCredentials(options: {
 		appName = appConfig.appName;
 	} catch (error) {
 		// Not in a workspace - use defaults
-		logger.log(`⚠️  Could not load workspace config: ${(error as Error).message}`);
+		logger.log(
+			`⚠️  Could not load workspace config: ${(error as Error).message}`,
+		);
 		secretsRoot = findSecretsRoot(cwd);
 		appName = getAppNameFromCwd(cwd) ?? undefined;
 	}
@@ -1457,7 +1461,9 @@ async function entryDevCommand(options: DevOptions): Promise<void> {
 	logger.log(`🚀 Starting entry file: ${entry} on port ${resolvedPort}`);
 
 	if (Object.keys(credentials).length > 1) {
-		logger.log(`🔐 Loaded ${Object.keys(credentials).length - 1} secret(s) + PORT`);
+		logger.log(
+			`🔐 Loaded ${Object.keys(credentials).length - 1} secret(s) + PORT`,
+		);
 	}
 
 	// Create wrapper entry that injects secrets before importing user's file

package/src/docker/__tests__/templates.spec.ts

@@ -614,7 +614,9 @@ describe('docker templates', () => {
 			const dockerfile = generateEntryDockerfile(baseOptions);
 
 			expect(dockerfile).toContain('import { createRequire } from "module"');
-			expect(dockerfile).toContain('const require = createRequire(import.meta.url)');
+			expect(dockerfile).toContain(
+				'const require = createRequire(import.meta.url)',
+			);
 		});
 
 		it('should output to dist/index.mjs', () => {

package/src/docker/templates.ts

@@ -293,7 +293,7 @@ WORKDIR /app
 COPY . .
 
 # Build production server using gkm
-RUN pnpm exec gkm build --provider server --production
+RUN ${pm.exec} gkm build --provider server --production
 
 # Stage 3: Production
 FROM ${baseImage} AS runner
@@ -384,7 +384,7 @@ WORKDIR /app
 COPY --from=pruner /app/out/full/ ./
 
 # Build production server using gkm
-RUN pnpm exec gkm build --provider server --production
+RUN ${pm.exec} gkm build --provider server --production
 
 # Stage 4: Production
 FROM ${baseImage} AS runner
@@ -756,7 +756,7 @@ RUN if [ -n "$GKM_ENCRYPTED_CREDENTIALS" ]; then \
     fi
 
 # Build production server using gkm
-RUN cd ${appPath} && pnpm exec gkm build --provider server --production
+RUN cd ${appPath} && ${pm.exec} gkm build --provider server --production
 
 # Stage 4: Production
 FROM ${baseImage} AS runner