npm - @geekmidas/cli - Versions diffs - 0.9.0 → 0.12.0 - Mend

@geekmidas/cli 0.9.0 → 0.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (146) hide show

package/README.md +525 -0
package/dist/bundler-DRXCw_YR.mjs +70 -0
package/dist/bundler-DRXCw_YR.mjs.map +1 -0
package/dist/bundler-WsEvH_b2.cjs +71 -0
package/dist/bundler-WsEvH_b2.cjs.map +1 -0
package/dist/{config-CFls09Ey.cjs → config-AmInkU7k.cjs} +10 -8
package/dist/config-AmInkU7k.cjs.map +1 -0
package/dist/{config-Bq72aj8e.mjs → config-DYULeEv8.mjs} +6 -4
package/dist/config-DYULeEv8.mjs.map +1 -0
package/dist/config.cjs +1 -1
package/dist/config.d.cts +2 -1
package/dist/config.d.cts.map +1 -0
package/dist/config.d.mts +2 -1
package/dist/config.d.mts.map +1 -0
package/dist/config.mjs +1 -1
package/dist/encryption-C8H-38Yy.mjs +42 -0
package/dist/encryption-C8H-38Yy.mjs.map +1 -0
package/dist/encryption-Dyf_r1h-.cjs +44 -0
package/dist/encryption-Dyf_r1h-.cjs.map +1 -0
package/dist/index.cjs +2125 -184
package/dist/index.cjs.map +1 -1
package/dist/index.mjs +2143 -197
package/dist/index.mjs.map +1 -1
package/dist/{openapi--vOy9mo4.mjs → openapi-BfFlOBCG.mjs} +812 -49
package/dist/openapi-BfFlOBCG.mjs.map +1 -0
package/dist/{openapi-CHhTPief.cjs → openapi-Bt_1FDpT.cjs} +805 -42
package/dist/openapi-Bt_1FDpT.cjs.map +1 -0
package/dist/{openapi-react-query-o5iMi8tz.cjs → openapi-react-query-B-sNWHFU.cjs} +5 -5
package/dist/openapi-react-query-B-sNWHFU.cjs.map +1 -0
package/dist/{openapi-react-query-CcciaVu5.mjs → openapi-react-query-B6XTeGqS.mjs} +5 -5
package/dist/openapi-react-query-B6XTeGqS.mjs.map +1 -0
package/dist/openapi-react-query.cjs +1 -1
package/dist/openapi-react-query.d.cts.map +1 -0
package/dist/openapi-react-query.d.mts.map +1 -0
package/dist/openapi-react-query.mjs +1 -1
package/dist/openapi.cjs +2 -2
package/dist/openapi.d.cts +1 -1
package/dist/openapi.d.cts.map +1 -0
package/dist/openapi.d.mts +1 -1
package/dist/openapi.d.mts.map +1 -0
package/dist/openapi.mjs +2 -2
package/dist/storage-BUYQJgz7.cjs +4 -0
package/dist/storage-BXoJvmv2.cjs +149 -0
package/dist/storage-BXoJvmv2.cjs.map +1 -0
package/dist/storage-C9PU_30f.mjs +101 -0
package/dist/storage-C9PU_30f.mjs.map +1 -0
package/dist/storage-DLJAYxzJ.mjs +3 -0
package/dist/{types-b-vwGpqc.d.cts → types-BR0M2v_c.d.mts} +100 -1
package/dist/types-BR0M2v_c.d.mts.map +1 -0
package/dist/{types-DXgiA1sF.d.mts → types-BhkZc-vm.d.cts} +100 -1
package/dist/types-BhkZc-vm.d.cts.map +1 -0
package/examples/cron-example.ts +27 -27
package/examples/env.ts +27 -27
package/examples/function-example.ts +31 -31
package/examples/gkm.config.json +20 -20
package/examples/gkm.config.ts +8 -8
package/examples/gkm.minimal.config.json +5 -5
package/examples/gkm.production.config.json +25 -25
package/examples/logger.ts +2 -2
package/package.json +6 -6
package/src/__tests__/EndpointGenerator.hooks.spec.ts +191 -191
package/src/__tests__/config.spec.ts +55 -55
package/src/__tests__/loadEnvFiles.spec.ts +93 -93
package/src/__tests__/normalizeHooksConfig.spec.ts +58 -58
package/src/__tests__/openapi-react-query.spec.ts +497 -497
package/src/__tests__/openapi.spec.ts +428 -428
package/src/__tests__/test-helpers.ts +77 -76
package/src/auth/__tests__/credentials.spec.ts +204 -0
package/src/auth/__tests__/index.spec.ts +168 -0
package/src/auth/credentials.ts +187 -0
package/src/auth/index.ts +226 -0
package/src/build/__tests__/index-new.spec.ts +474 -474
package/src/build/__tests__/manifests.spec.ts +333 -333
package/src/build/bundler.ts +141 -0
package/src/build/endpoint-analyzer.ts +236 -0
package/src/build/handler-templates.ts +1253 -0
package/src/build/index.ts +250 -179
package/src/build/manifests.ts +52 -52
package/src/build/providerResolver.ts +145 -145
package/src/build/types.ts +64 -43
package/src/config.ts +39 -37
package/src/deploy/__tests__/docker.spec.ts +111 -0
package/src/deploy/__tests__/dokploy.spec.ts +245 -0
package/src/deploy/__tests__/init.spec.ts +662 -0
package/src/deploy/docker.ts +128 -0
package/src/deploy/dokploy.ts +204 -0
package/src/deploy/index.ts +136 -0
package/src/deploy/init.ts +484 -0
package/src/deploy/types.ts +48 -0
package/src/dev/__tests__/index.spec.ts +266 -266
package/src/dev/index.ts +647 -593
package/src/docker/__tests__/compose.spec.ts +531 -0
package/src/docker/__tests__/templates.spec.ts +280 -0
package/src/docker/compose.ts +273 -0
package/src/docker/index.ts +230 -0
package/src/docker/templates.ts +446 -0
package/src/generators/CronGenerator.ts +72 -72
package/src/generators/EndpointGenerator.ts +699 -398
package/src/generators/FunctionGenerator.ts +84 -84
package/src/generators/Generator.ts +72 -72
package/src/generators/OpenApiTsGenerator.ts +589 -589
package/src/generators/SubscriberGenerator.ts +124 -124
package/src/generators/__tests__/CronGenerator.spec.ts +433 -433
package/src/generators/__tests__/EndpointGenerator.spec.ts +532 -382
package/src/generators/__tests__/FunctionGenerator.spec.ts +244 -244
package/src/generators/__tests__/SubscriberGenerator.spec.ts +397 -382
package/src/generators/index.ts +4 -4
package/src/index.ts +628 -206
package/src/init/__tests__/generators.spec.ts +334 -334
package/src/init/__tests__/init.spec.ts +332 -332
package/src/init/__tests__/utils.spec.ts +89 -89
package/src/init/generators/config.ts +175 -175
package/src/init/generators/docker.ts +41 -41
package/src/init/generators/env.ts +72 -72
package/src/init/generators/index.ts +1 -1
package/src/init/generators/models.ts +64 -64
package/src/init/generators/monorepo.ts +161 -161
package/src/init/generators/package.ts +71 -71
package/src/init/generators/source.ts +6 -6
package/src/init/index.ts +203 -208
package/src/init/templates/api.ts +115 -115
package/src/init/templates/index.ts +75 -75
package/src/init/templates/minimal.ts +98 -98
package/src/init/templates/serverless.ts +89 -89
package/src/init/templates/worker.ts +98 -98
package/src/init/utils.ts +54 -56
package/src/openapi-react-query.ts +194 -194
package/src/openapi.ts +63 -63
package/src/secrets/__tests__/encryption.spec.ts +226 -0
package/src/secrets/__tests__/generator.spec.ts +319 -0
package/src/secrets/__tests__/index.spec.ts +91 -0
package/src/secrets/__tests__/storage.spec.ts +403 -0
package/src/secrets/encryption.ts +91 -0
package/src/secrets/generator.ts +164 -0
package/src/secrets/index.ts +383 -0
package/src/secrets/storage.ts +134 -0
package/src/secrets/types.ts +53 -0
package/src/types.ts +295 -176
package/tsconfig.json +9 -0
package/tsdown.config.ts +11 -8
package/dist/config-Bq72aj8e.mjs.map +0 -1
package/dist/config-CFls09Ey.cjs.map +0 -1
package/dist/openapi--vOy9mo4.mjs.map +0 -1
package/dist/openapi-CHhTPief.cjs.map +0 -1
package/dist/openapi-react-query-CcciaVu5.mjs.map +0 -1
package/dist/openapi-react-query-o5iMi8tz.cjs.map +0 -1

package/src/secrets/__tests__/storage.spec.ts ADDED Viewed

@@ -0,0 +1,403 @@
+import { existsSync } from 'node:fs';
+import { mkdir, rm } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+import {
+	getSecretsDir,
+	getSecretsPath,
+	maskPassword,
+	readStageSecrets,
+	secretsExist,
+	setCustomSecret,
+	toEmbeddableSecrets,
+	writeStageSecrets,
+} from '../storage';
+import type { StageSecrets } from '../types';
+describe('path utilities', () => {
+	describe('getSecretsDir', () => {
+		it('should return .gkm/secrets relative to cwd', () => {
+			const dir = getSecretsDir('/project');
+			expect(dir).toBe('/project/.gkm/secrets');
+		});
+	});
+	describe('getSecretsPath', () => {
+		it('should return path for stage file', () => {
+			const path = getSecretsPath('production', '/project');
+			expect(path).toBe('/project/.gkm/secrets/production.json');
+		});
+		it('should handle stage names with special characters', () => {
+			const path = getSecretsPath('dev-local', '/project');
+			expect(path).toBe('/project/.gkm/secrets/dev-local.json');
+		});
+	});
+	describe('secretsExist', () => {
+		it('should return false for non-existent secrets', () => {
+			const exists = secretsExist('nonexistent', '/nonexistent-path');
+			expect(exists).toBe(false);
+		});
+	});
+});
+describe('file operations', () => {
+	let tempDir: string;
+	beforeEach(async () => {
+		tempDir = join(tmpdir(), `gkm-test-${Date.now()}`);
+		await mkdir(tempDir, { recursive: true });
+	});
+	afterEach(async () => {
+		if (existsSync(tempDir)) {
+			await rm(tempDir, { recursive: true });
+		}
+	});
+	describe('writeStageSecrets / readStageSecrets', () => {
+		it('should write and read secrets', async () => {
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: '2024-01-01T00:00:00.000Z',
+				updatedAt: '2024-01-01T00:00:00.000Z',
+				services: {
+					postgres: {
+						host: 'postgres',
+						port: 5432,
+						username: 'app',
+						password: 'secret123',
+						database: 'app',
+					},
+				},
+				urls: {
+					DATABASE_URL: 'postgresql://app:secret123@postgres:5432/app',
+				},
+				custom: {},
+			};
+			await writeStageSecrets(secrets, tempDir);
+			const read = await readStageSecrets('production', tempDir);
+			expect(read).toEqual(secrets);
+		});
+		it('should create directory if it does not exist', async () => {
+			const secrets: StageSecrets = {
+				stage: 'staging',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: {},
+			};
+			await writeStageSecrets(secrets, tempDir);
+			expect(existsSync(join(tempDir, '.gkm/secrets'))).toBe(true);
+			expect(existsSync(join(tempDir, '.gkm/secrets/staging.json'))).toBe(true);
+		});
+		it('should return null for non-existent stage', async () => {
+			const read = await readStageSecrets('nonexistent', tempDir);
+			expect(read).toBeNull();
+		});
+	});
+	describe('secretsExist', () => {
+		it('should return true when secrets file exists', async () => {
+			const secrets: StageSecrets = {
+				stage: 'test',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: {},
+			};
+			await writeStageSecrets(secrets, tempDir);
+			expect(secretsExist('test', tempDir)).toBe(true);
+		});
+		it('should return false when secrets file does not exist', () => {
+			expect(secretsExist('nonexistent', tempDir)).toBe(false);
+		});
+	});
+	describe('setCustomSecret', () => {
+		it('should add custom secret to existing secrets', async () => {
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: {},
+			};
+			await writeStageSecrets(secrets, tempDir);
+			const updated = await setCustomSecret(
+				'production',
+				'API_KEY',
+				'sk_test_123',
+				tempDir,
+			);
+			expect(updated.custom.API_KEY).toBe('sk_test_123');
+		});
+		it('should update existing custom secret', async () => {
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: { API_KEY: 'old-value' },
+			};
+			await writeStageSecrets(secrets, tempDir);
+			const updated = await setCustomSecret(
+				'production',
+				'API_KEY',
+				'new-value',
+				tempDir,
+			);
+			expect(updated.custom.API_KEY).toBe('new-value');
+		});
+		it('should update updatedAt timestamp', async () => {
+			const originalTime = '2024-01-01T00:00:00.000Z';
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: originalTime,
+				updatedAt: originalTime,
+				services: {},
+				urls: {},
+				custom: {},
+			};
+			await writeStageSecrets(secrets, tempDir);
+			const updated = await setCustomSecret(
+				'production',
+				'KEY',
+				'value',
+				tempDir,
+			);
+			expect(updated.updatedAt).not.toBe(originalTime);
+		});
+		it('should throw if secrets do not exist for stage', async () => {
+			await expect(
+				setCustomSecret('nonexistent', 'KEY', 'value', tempDir),
+			).rejects.toThrow('Secrets not found for stage "nonexistent"');
+		});
+		it('should persist changes to disk', async () => {
+			const secrets: StageSecrets = {
+				stage: 'production',
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				services: {},
+				urls: {},
+				custom: {},
+			};
+			await writeStageSecrets(secrets, tempDir);
+			await setCustomSecret('production', 'NEW_KEY', 'new-value', tempDir);
+			const read = await readStageSecrets('production', tempDir);
+			expect(read!.custom.NEW_KEY).toBe('new-value');
+		});
+	});
+});
+describe('toEmbeddableSecrets', () => {
+	it('should include URLs', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {},
+			urls: {
+				DATABASE_URL: 'postgresql://...',
+				REDIS_URL: 'redis://...',
+			},
+			custom: {},
+		};
+		const embeddable = toEmbeddableSecrets(secrets);
+		expect(embeddable.DATABASE_URL).toBe('postgresql://...');
+		expect(embeddable.REDIS_URL).toBe('redis://...');
+	});
+	it('should include custom secrets', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {},
+			urls: {},
+			custom: {
+				API_KEY: 'sk_test_123',
+				WEBHOOK_SECRET: 'whsec_abc',
+			},
+		};
+		const embeddable = toEmbeddableSecrets(secrets);
+		expect(embeddable.API_KEY).toBe('sk_test_123');
+		expect(embeddable.WEBHOOK_SECRET).toBe('whsec_abc');
+	});
+	it('should include postgres service credentials', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {
+				postgres: {
+					host: 'postgres',
+					port: 5432,
+					username: 'app',
+					password: 'secret123',
+					database: 'mydb',
+				},
+			},
+			urls: {},
+			custom: {},
+		};
+		const embeddable = toEmbeddableSecrets(secrets);
+		expect(embeddable.POSTGRES_USER).toBe('app');
+		expect(embeddable.POSTGRES_PASSWORD).toBe('secret123');
+		expect(embeddable.POSTGRES_DB).toBe('mydb');
+		expect(embeddable.POSTGRES_HOST).toBe('postgres');
+		expect(embeddable.POSTGRES_PORT).toBe('5432');
+	});
+	it('should include redis service credentials', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {
+				redis: {
+					host: 'redis',
+					port: 6379,
+					username: 'default',
+					password: 'redis-pass',
+				},
+			},
+			urls: {},
+			custom: {},
+		};
+		const embeddable = toEmbeddableSecrets(secrets);
+		expect(embeddable.REDIS_PASSWORD).toBe('redis-pass');
+		expect(embeddable.REDIS_HOST).toBe('redis');
+		expect(embeddable.REDIS_PORT).toBe('6379');
+	});
+	it('should include rabbitmq service credentials', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {
+				rabbitmq: {
+					host: 'rabbitmq',
+					port: 5672,
+					username: 'app',
+					password: 'rmq-pass',
+					vhost: '/myapp',
+				},
+			},
+			urls: {},
+			custom: {},
+		};
+		const embeddable = toEmbeddableSecrets(secrets);
+		expect(embeddable.RABBITMQ_USER).toBe('app');
+		expect(embeddable.RABBITMQ_PASSWORD).toBe('rmq-pass');
+		expect(embeddable.RABBITMQ_HOST).toBe('rabbitmq');
+		expect(embeddable.RABBITMQ_PORT).toBe('5672');
+		expect(embeddable.RABBITMQ_VHOST).toBe('/myapp');
+	});
+	it('should handle all services and custom secrets together', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {
+				postgres: {
+					host: 'postgres',
+					port: 5432,
+					username: 'app',
+					password: 'pg-pass',
+					database: 'app',
+				},
+				redis: {
+					host: 'redis',
+					port: 6379,
+					username: 'default',
+					password: 'redis-pass',
+				},
+			},
+			urls: {
+				DATABASE_URL: 'postgresql://...',
+				REDIS_URL: 'redis://...',
+			},
+			custom: {
+				API_KEY: 'key123',
+			},
+		};
+		const embeddable = toEmbeddableSecrets(secrets);
+		// URLs
+		expect(embeddable.DATABASE_URL).toBe('postgresql://...');
+		expect(embeddable.REDIS_URL).toBe('redis://...');
+		// Custom
+		expect(embeddable.API_KEY).toBe('key123');
+		// Postgres
+		expect(embeddable.POSTGRES_PASSWORD).toBe('pg-pass');
+		// Redis
+		expect(embeddable.REDIS_PASSWORD).toBe('redis-pass');
+	});
+});
+describe('maskPassword', () => {
+	it('should mask middle characters', () => {
+		const masked = maskPassword('abcdefghijklmnop');
+		expect(masked).toBe('abcd**********op');
+	});
+	it('should show first 4 and last 2 characters', () => {
+		const masked = maskPassword('1234567890');
+		expect(masked.slice(0, 4)).toBe('1234');
+		expect(masked.slice(-2)).toBe('90');
+	});
+	it('should return all asterisks for short passwords', () => {
+		expect(maskPassword('short')).toBe('********');
+		expect(maskPassword('12345678')).toBe('********');
+	});
+	it('should handle exactly 9 character password', () => {
+		const masked = maskPassword('123456789');
+		expect(masked).toBe('1234***89');
+	});
+});

package/src/secrets/encryption.ts ADDED Viewed

@@ -0,0 +1,91 @@
+import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
+import type { EmbeddableSecrets, EncryptedPayload } from './types';
+/** AES-256-GCM configuration */
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LENGTH = 32; // 256 bits
+const IV_LENGTH = 12; // 96 bits for GCM
+const AUTH_TAG_LENGTH = 16; // 128 bits
+/**
+ * Encrypt secrets for embedding in a bundle.
+ * Uses AES-256-GCM with a randomly generated ephemeral key.
+ *
+ * @param secrets - Key-value pairs to encrypt
+ * @returns Encrypted payload with ephemeral master key
+ */
+export function encryptSecrets(secrets: EmbeddableSecrets): EncryptedPayload {
+	// Generate ephemeral key and IV
+	const masterKey = randomBytes(KEY_LENGTH);
+	const iv = randomBytes(IV_LENGTH);
+	// Serialize secrets to JSON
+	const plaintext = JSON.stringify(secrets);
+	// Encrypt
+	const cipher = createCipheriv(ALGORITHM, masterKey, iv);
+	const ciphertext = Buffer.concat([
+		cipher.update(plaintext, 'utf-8'),
+		cipher.final(),
+	]);
+	// Get auth tag
+	const authTag = cipher.getAuthTag();
+	// Combine ciphertext + auth tag
+	const combined = Buffer.concat([ciphertext, authTag]);
+	return {
+		encrypted: combined.toString('base64'),
+		iv: iv.toString('hex'),
+		masterKey: masterKey.toString('hex'),
+	};
+}
+/**
+ * Decrypt secrets from an encrypted payload.
+ * Used at runtime to decrypt embedded credentials.
+ *
+ * @param encrypted - Base64 encoded ciphertext + auth tag
+ * @param iv - Hex encoded IV
+ * @param masterKey - Hex encoded master key
+ * @returns Decrypted secrets
+ */
+export function decryptSecrets(
+	encrypted: string,
+	iv: string,
+	masterKey: string,
+): EmbeddableSecrets {
+	// Decode inputs
+	const key = Buffer.from(masterKey, 'hex');
+	const ivBuffer = Buffer.from(iv, 'hex');
+	const combined = Buffer.from(encrypted, 'base64');
+	// Split ciphertext and auth tag
+	const ciphertext = combined.subarray(0, -AUTH_TAG_LENGTH);
+	const authTag = combined.subarray(-AUTH_TAG_LENGTH);
+	// Decrypt
+	const decipher = createDecipheriv(ALGORITHM, key, ivBuffer);
+	decipher.setAuthTag(authTag);
+	const plaintext = Buffer.concat([
+		decipher.update(ciphertext),
+		decipher.final(),
+	]);
+	return JSON.parse(plaintext.toString('utf-8')) as EmbeddableSecrets;
+}
+/**
+ * Generate the define options for tsdown/esbuild.
+ * These will be injected at build time.
+ */
+export function generateDefineOptions(
+	payload: EncryptedPayload,
+): Record<string, string> {
+	return {
+		__GKM_ENCRYPTED_CREDENTIALS__: JSON.stringify(payload.encrypted),
+		__GKM_CREDENTIALS_IV__: JSON.stringify(payload.iv),
+	};
+}

package/src/secrets/generator.ts ADDED Viewed

@@ -0,0 +1,164 @@
+import { randomBytes } from 'node:crypto';
+import type { ComposeServiceName } from '../types';
+import type { ServiceCredentials, StageSecrets } from './types';
+/**
+ * Generate a secure random password using URL-safe base64 characters.
+ * @param length Password length (default: 32)
+ */
+export function generateSecurePassword(length = 32): string {
+	return randomBytes(Math.ceil((length * 3) / 4))
+		.toString('base64url')
+		.slice(0, length);
+}
+/** Default service configurations */
+const SERVICE_DEFAULTS: Record<
+	ComposeServiceName,
+	Omit<ServiceCredentials, 'password'>
+> = {
+	postgres: {
+		host: 'postgres',
+		port: 5432,
+		username: 'app',
+		database: 'app',
+	},
+	redis: {
+		host: 'redis',
+		port: 6379,
+		username: 'default',
+	},
+	rabbitmq: {
+		host: 'rabbitmq',
+		port: 5672,
+		username: 'app',
+		vhost: '/',
+	},
+};
+/**
+ * Generate credentials for a specific service.
+ */
+export function generateServiceCredentials(
+	service: ComposeServiceName,
+): ServiceCredentials {
+	const defaults = SERVICE_DEFAULTS[service];
+	return {
+		...defaults,
+		password: generateSecurePassword(),
+	};
+}
+/**
+ * Generate credentials for multiple services.
+ */
+export function generateServicesCredentials(
+	services: ComposeServiceName[],
+): StageSecrets['services'] {
+	const result: StageSecrets['services'] = {};
+	for (const service of services) {
+		result[service] = generateServiceCredentials(service);
+	}
+	return result;
+}
+/**
+ * Generate connection URL for PostgreSQL.
+ */
+export function generatePostgresUrl(creds: ServiceCredentials): string {
+	const { username, password, host, port, database } = creds;
+	return `postgresql://${username}:${encodeURIComponent(password)}@${host}:${port}/${database}`;
+}
+/**
+ * Generate connection URL for Redis.
+ */
+export function generateRedisUrl(creds: ServiceCredentials): string {
+	const { password, host, port } = creds;
+	return `redis://:${encodeURIComponent(password)}@${host}:${port}`;
+}
+/**
+ * Generate connection URL for RabbitMQ.
+ */
+export function generateRabbitmqUrl(creds: ServiceCredentials): string {
+	const { username, password, host, port, vhost } = creds;
+	const encodedVhost = encodeURIComponent(vhost ?? '/');
+	return `amqp://${username}:${encodeURIComponent(password)}@${host}:${port}/${encodedVhost}`;
+}
+/**
+ * Generate connection URLs from service credentials.
+ */
+export function generateConnectionUrls(
+	services: StageSecrets['services'],
+): StageSecrets['urls'] {
+	const urls: StageSecrets['urls'] = {};
+	if (services.postgres) {
+		urls.DATABASE_URL = generatePostgresUrl(services.postgres);
+	}
+	if (services.redis) {
+		urls.REDIS_URL = generateRedisUrl(services.redis);
+	}
+	if (services.rabbitmq) {
+		urls.RABBITMQ_URL = generateRabbitmqUrl(services.rabbitmq);
+	}
+	return urls;
+}
+/**
+ * Create a new StageSecrets object with generated credentials.
+ */
+export function createStageSecrets(
+	stage: string,
+	services: ComposeServiceName[],
+): StageSecrets {
+	const now = new Date().toISOString();
+	const serviceCredentials = generateServicesCredentials(services);
+	const urls = generateConnectionUrls(serviceCredentials);
+	return {
+		stage,
+		createdAt: now,
+		updatedAt: now,
+		services: serviceCredentials,
+		urls,
+		custom: {},
+	};
+}
+/**
+ * Rotate password for a specific service.
+ */
+export function rotateServicePassword(
+	secrets: StageSecrets,
+	service: ComposeServiceName,
+): StageSecrets {
+	const currentCreds = secrets.services[service];
+	if (!currentCreds) {
+		throw new Error(`Service "${service}" not configured in secrets`);
+	}
+	const newCreds: ServiceCredentials = {
+		...currentCreds,
+		password: generateSecurePassword(),
+	};
+	const newServices = {
+		...secrets.services,
+		[service]: newCreds,
+	};
+	return {
+		...secrets,
+		updatedAt: new Date().toISOString(),
+		services: newServices,
+		urls: generateConnectionUrls(newServices),
+	};
+}