@geekmidas/cli 1.10.15 → 1.10.16

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekmidas/cli",
-  "version": "1.10.15",
+  "version": "1.10.16",
   "description": "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs",
   "private": false,
   "type": "module",
@@ -58,9 +58,9 @@
     "yaml": "~2.8.2",
     "@geekmidas/envkit": "~1.0.3",
     "@geekmidas/constructs": "~3.0.2",
+    "@geekmidas/logger": "~1.0.0",
     "@geekmidas/schema": "~1.0.0",
-    "@geekmidas/errors": "~1.0.0",
-    "@geekmidas/logger": "~1.0.0"
+    "@geekmidas/errors": "~1.0.0"
   },
   "devDependencies": {
     "@types/lodash.kebabcase": "^4.1.9",

package/src/dev/__tests__/entry.spec.ts

@@ -97,11 +97,9 @@ describe('createEntryWrapper', () => {
 
 		const content = await readFile(wrapperPath, 'utf-8');
 
-		expect(content).toContain(
-			"import { Credentials } from '@geekmidas/envkit/credentials'",
-		);
+		expect(content).toContain('globalThis.__gkm_credentials__');
 		expect(content).toContain(secretsPath);
-		expect(content).toContain('Object.assign(Credentials');
+		expect(content).toContain('Object.assign(process.env');
 		expect(content).toContain("await import('/path/to/entry.ts')");
 	});
 
@@ -114,7 +112,7 @@ describe('createEntryWrapper', () => {
 
 		const content = await readFile(wrapperPath, 'utf-8');
 
-		const credentialsIndex = content.indexOf('Credentials');
+		const credentialsIndex = content.indexOf('__gkm_credentials__');
 		const importIndex = content.indexOf("await import('/path/to/entry.ts')");
 
 		expect(credentialsIndex).toBeGreaterThan(-1);

package/src/dev/__tests__/index.spec.ts

@@ -1799,23 +1799,23 @@ describe('generateServerEntryContent', () => {
 		expect(content).not.toMatch(/^import.*createApp/m);
 	});
 
-	it('should inject Credentials assignment before dynamic import', () => {
+	it('should inject credentials via globalThis before dynamic import', () => {
 		const content = generateServerEntryContent({
 			secretsJsonPath: '/tmp/dev-secrets.json',
 		});
 
-		const credentialsAssignIdx = content.indexOf('Object.assign(Credentials');
+		const credentialsIdx = content.indexOf('__gkm_credentials__');
 		const dynamicImportIdx = content.indexOf("await import('./app.js')");
 
-		expect(credentialsAssignIdx).toBeGreaterThan(-1);
+		expect(credentialsIdx).toBeGreaterThan(-1);
 		expect(dynamicImportIdx).toBeGreaterThan(-1);
-		expect(credentialsAssignIdx).toBeLessThan(dynamicImportIdx);
+		expect(credentialsIdx).toBeLessThan(dynamicImportIdx);
 	});
 
 	it('should not include credentials injection when no secrets path', () => {
 		const content = generateServerEntryContent({});
 
-		expect(content).not.toContain('Object.assign(Credentials');
+		expect(content).not.toContain('__gkm_credentials__');
 		expect(content).not.toContain('existsSync');
 	});
 

package/src/dev/index.ts

@@ -1623,17 +1623,16 @@ export function findSecretsRoot(startDir: string): string {
  * @internal
  */
 function generateCredentialsInjection(secretsJsonPath: string): string {
-	return `import { Credentials } from '@geekmidas/envkit/credentials';
-import { existsSync, readFileSync } from 'node:fs';
+	return `import { existsSync, readFileSync } from 'node:fs';
 
-// Inject dev secrets into Credentials and process.env
+// Inject dev secrets via globalThis and process.env
+// Using globalThis.__gkm_credentials__ avoids CJS/ESM interop issues where
+// Object.assign on the Credentials export only mutates one module copy.
 const secretsPath = '${secretsJsonPath}';
 if (existsSync(secretsPath)) {
   const secrets = JSON.parse(readFileSync(secretsPath, 'utf-8'));
-  Object.assign(Credentials, secrets);
+  globalThis.__gkm_credentials__ = secrets;
   Object.assign(process.env, secrets);
-  // Debug: uncomment to verify preload is running
-  // console.log('[gkm preload] Injected', Object.keys(secrets).length, 'credentials');
 }
 `;
 }
@@ -1958,13 +1957,14 @@ export function generateServerEntryContent(options: {
 	} = options;
 
 	const credentialsInjection = secretsJsonPath
-		? `import { Credentials } from '@geekmidas/envkit/credentials';
-import { existsSync, readFileSync } from 'node:fs';
+		? `import { existsSync, readFileSync } from 'node:fs';
 
-// Inject dev secrets into Credentials (must happen before app import)
+// Inject dev secrets via globalThis (must happen before app import)
 const secretsPath = '${secretsJsonPath}';
 if (existsSync(secretsPath)) {
-  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
+  const __secrets = JSON.parse(readFileSync(secretsPath, 'utf-8'));
+  globalThis.__gkm_credentials__ = __secrets;
+  Object.assign(process.env, __secrets);
 }
 
 `

package/src/docker/compose.ts

@@ -15,6 +15,7 @@ export const DEFAULT_SERVICE_IMAGES: Record<ComposeServiceName, string> = {
 	rabbitmq: 'rabbitmq',
 	minio: 'minio/minio',
 	mailpit: 'axllent/mailpit',
+	localstack: 'localstack/localstack',
 };
 
 /** Default Docker image versions for services */
@@ -24,6 +25,7 @@ export const DEFAULT_SERVICE_VERSIONS: Record<ComposeServiceName, string> = {
 	rabbitmq: '3-management-alpine',
 	minio: 'latest',
 	mailpit: 'latest',
+	localstack: 'latest',
 };
 
 export interface ComposeOptions {
@@ -145,6 +147,14 @@ services:
 `;
 	}
 
+	if (serviceMap.has('localstack')) {
+		yaml += `      - AWS_ACCESS_KEY_ID=\${AWS_ACCESS_KEY_ID:-localstack}
+      - AWS_SECRET_ACCESS_KEY=\${AWS_SECRET_ACCESS_KEY:-localstack}
+      - AWS_REGION=\${AWS_REGION:-us-east-1}
+      - AWS_ENDPOINT_URL=\${AWS_ENDPOINT_URL:-http://localstack:4566}
+`;
+	}
+
 	yaml += `    healthcheck:
       test: ["CMD", "wget", "-q", "--spider", "http://localhost:${port}${healthCheckPath}"]
       interval: 30s
@@ -283,6 +293,32 @@ services:
 `;
 	}
 
+	const localstackImage = serviceMap.get('localstack');
+	if (localstackImage) {
+		yaml += `
+  localstack:
+    image: ${localstackImage}
+    container_name: localstack
+    restart: unless-stopped
+    environment:
+      SERVICES: sns,sqs
+      AWS_DEFAULT_REGION: \${AWS_REGION:-us-east-1}
+      AWS_ACCESS_KEY_ID: \${AWS_ACCESS_KEY_ID:-localstack}
+      AWS_SECRET_ACCESS_KEY: \${AWS_SECRET_ACCESS_KEY:-localstack}
+    ports:
+      - "\${LOCALSTACK_PORT:-4566}:4566"
+    volumes:
+      - localstack_data:/var/lib/localstack
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:4566/_localstack/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - app-network
+`;
+	}
+
 	// Add volumes
 	yaml += `
 volumes:
@@ -308,6 +344,11 @@ volumes:
 `;
 	}
 
+	if (serviceMap.has('localstack')) {
+		yaml += `  localstack_data:
+`;
+	}
+
 	// Add networks
 	yaml += `
 networks:
@@ -384,6 +425,11 @@ export function generateWorkspaceCompose(
 	const hasRedis = services.cache !== undefined && services.cache !== false;
 	const hasMail = services.mail !== undefined && services.mail !== false;
 	const hasMinio = services.storage !== undefined && services.storage !== false;
+	const eventsBackend = services.events;
+	const hasLocalStack = eventsBackend === 'sns';
+	const hasRabbitMQ =
+		eventsBackend === 'rabbitmq' ||
+		(services as Record<string, unknown>).rabbitmq !== undefined;
 
 	// Get image versions from config
 	const postgresImage = getInfraServiceImage('postgres', services.db);
@@ -406,6 +452,7 @@ services:
 			hasRedis,
 			hasMinio,
 			hasMail,
+			eventsBackend,
 		});
 	}
 
@@ -497,6 +544,55 @@ services:
 `;
 	}
 
+	if (hasLocalStack) {
+		yaml += `
+  localstack:
+    image: localstack/localstack:latest
+    container_name: ${workspace.name}-localstack
+    restart: unless-stopped
+    environment:
+      SERVICES: sns,sqs
+      AWS_DEFAULT_REGION: \${AWS_REGION:-us-east-1}
+      AWS_ACCESS_KEY_ID: \${AWS_ACCESS_KEY_ID:-localstack}
+      AWS_SECRET_ACCESS_KEY: \${AWS_SECRET_ACCESS_KEY:-localstack}
+    ports:
+      - "\${LOCALSTACK_PORT:-4566}:4566"
+    volumes:
+      - localstack_data:/var/lib/localstack
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:4566/_localstack/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - workspace-network
+`;
+	}
+
+	if (hasRabbitMQ) {
+		yaml += `
+  rabbitmq:
+    image: rabbitmq:3-management-alpine
+    container_name: ${workspace.name}-rabbitmq
+    restart: unless-stopped
+    environment:
+      RABBITMQ_DEFAULT_USER: \${RABBITMQ_USER:-guest}
+      RABBITMQ_DEFAULT_PASS: \${RABBITMQ_PASSWORD:-guest}
+    ports:
+      - "\${RABBITMQ_HOST_PORT:-5672}:5672"
+      - "\${RABBITMQ_MGMT_HOST_PORT:-15672}:15672"
+    volumes:
+      - rabbitmq_data:/var/lib/rabbitmq
+    healthcheck:
+      test: ["CMD", "rabbitmq-diagnostics", "-q", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - workspace-network
+`;
+	}
+
 	// Add volumes section
 	yaml += `
 volumes:
@@ -517,6 +613,16 @@ volumes:
 `;
 	}
 
+	if (hasLocalStack) {
+		yaml += `  localstack_data:
+`;
+	}
+
+	if (hasRabbitMQ) {
+		yaml += `  rabbitmq_data:
+`;
+	}
+
 	// Add networks section
 	yaml += `
 networks:
@@ -575,10 +681,18 @@ function generateAppService(
 		hasRedis: boolean;
 		hasMinio: boolean;
 		hasMail: boolean;
+		eventsBackend?: import('../types').EventsBackend;
 	},
 ): string {
-	const { registry, projectName, hasPostgres, hasRedis, hasMinio, hasMail } =
-		options;
+	const {
+		registry,
+		projectName,
+		hasPostgres,
+		hasRedis,
+		hasMinio,
+		hasMail,
+		eventsBackend,
+	} = options;
 	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : '';
 
 	// Health check path - frontends use /, backends use /health
@@ -640,6 +754,18 @@ function generateAppService(
       - MAIL_FROM=\${MAIL_FROM:-noreply@localhost}
 `;
 		}
+		if (eventsBackend) {
+			yaml += `      - EVENT_PUBLISHER_CONNECTION_STRING=\${EVENT_PUBLISHER_CONNECTION_STRING}
+      - EVENT_SUBSCRIBER_CONNECTION_STRING=\${EVENT_SUBSCRIBER_CONNECTION_STRING}
+`;
+			if (eventsBackend === 'sns') {
+				yaml += `      - AWS_ACCESS_KEY_ID=\${AWS_ACCESS_KEY_ID:-localstack}
+      - AWS_SECRET_ACCESS_KEY=\${AWS_SECRET_ACCESS_KEY:-localstack}
+      - AWS_REGION=\${AWS_REGION:-us-east-1}
+      - AWS_ENDPOINT_URL=\${AWS_ENDPOINT_URL:-http://localstack:4566}
+`;
+			}
+		}
 	}
 
 	yaml += `    healthcheck:
@@ -656,6 +782,8 @@ function generateAppService(
 		if (hasRedis) dependencies.push('redis');
 		if (hasMinio) dependencies.push('minio');
 		if (hasMail) dependencies.push('mailpit');
+		if (eventsBackend === 'sns') dependencies.push('localstack');
+		if (eventsBackend === 'rabbitmq') dependencies.push('rabbitmq');
 	}
 
 	if (dependencies.length > 0) {

package/src/init/__tests__/generators.spec.ts

@@ -295,6 +295,90 @@ describe('generateDockerFiles', () => {
 		expect(files[0].content).not.toContain('mailpit');
 		expect(files[0].content).not.toContain('minio');
 	});
+
+	it('should include localstack when events is sns', () => {
+		const options = {
+			...baseOptions,
+			services: {
+				db: true,
+				cache: true,
+				mail: false,
+				storage: false,
+				events: 'sns' as const,
+			},
+		};
+		const files = generateDockerFiles(options, minimalTemplate);
+		const compose = files[0].content;
+		expect(compose).toContain('localstack');
+		expect(compose).toContain('SERVICES: sns,sqs');
+		expect(compose).toContain('LOCALSTACK_PORT');
+	});
+
+	it('should include rabbitmq when events is rabbitmq', () => {
+		const options = {
+			...baseOptions,
+			services: {
+				db: true,
+				cache: true,
+				mail: false,
+				storage: false,
+				events: 'rabbitmq' as const,
+			},
+		};
+		const files = generateDockerFiles(options, minimalTemplate);
+		const compose = files[0].content;
+		expect(compose).toContain('rabbitmq');
+		expect(compose).toContain('RABBITMQ_HOST_PORT');
+	});
+
+	it('should not add extra container for pgboss events', () => {
+		const options = {
+			...baseOptions,
+			services: {
+				db: true,
+				cache: true,
+				mail: false,
+				storage: false,
+				events: 'pgboss' as const,
+			},
+		};
+		const files = generateDockerFiles(options, minimalTemplate);
+		const compose = files[0].content;
+		expect(compose).not.toContain('localstack');
+		// pgboss reuses postgres, no separate container
+	});
+
+	it('should generate idempotent postgres init script with pgboss', () => {
+		const options = {
+			...baseOptions,
+			template: 'fullstack' as const,
+			monorepo: true,
+			apiPath: 'apps/api',
+			services: {
+				db: true,
+				cache: true,
+				mail: false,
+				storage: false,
+				events: 'pgboss' as const,
+			},
+		};
+		const dbApps = [
+			{ name: 'api', password: 'api-pass' },
+			{ name: 'auth', password: 'auth-pass' },
+		];
+		const files = generateDockerFiles(options, apiTemplate, dbApps);
+		const initScript = files.find((f) => f.path === 'docker/postgres/init.sh');
+		expect(initScript).toBeDefined();
+		expect(initScript!.content).toContain('IF NOT EXISTS');
+		expect(initScript!.content).toContain('pgboss');
+		expect(initScript!.content).toContain('PGBOSS_DB_PASSWORD');
+		expect(initScript!.content).toContain('CREATE SCHEMA IF NOT EXISTS pgboss');
+
+		// Docker env should include pgboss password
+		const envFile = files.find((f) => f.path === 'docker/.env');
+		expect(envFile).toBeDefined();
+		expect(envFile!.content).toContain('PGBOSS_DB_PASSWORD');
+	});
 });
 
 describe('generateMonorepoFiles', () => {

package/src/init/generators/docker.ts

@@ -1,3 +1,4 @@
+import type { EventsBackend } from '../../types.js';
 import type {
 	GeneratedFile,
 	TemplateConfig,
@@ -64,13 +65,13 @@ export function generateDockerFiles(
 		if (isFullstack && dbApps?.length) {
 			files.push({
 				path: 'docker/postgres/init.sh',
-				content: generatePostgresInitScript(dbApps),
+				content: generatePostgresInitScript(dbApps, options.services?.events),
 			});
 
 			// Generate .env file for docker-compose (contains db passwords)
 			files.push({
 				path: 'docker/.env',
-				content: generateDockerEnv(dbApps),
+				content: generateDockerEnv(dbApps, options.services?.events),
 			});
 		}
 	}
@@ -183,6 +184,53 @@ export function generateDockerFiles(
 		volumes.push('  minio_data:');
 	}
 
+	// LocalStack for SNS events
+	if (options.services?.events === 'sns') {
+		services.push(`  localstack:
+    image: localstack/localstack:latest
+    container_name: ${options.name}-localstack
+    restart: unless-stopped
+    environment:
+      SERVICES: sns,sqs
+      AWS_DEFAULT_REGION: \${AWS_REGION:-us-east-1}
+      AWS_ACCESS_KEY_ID: \${AWS_ACCESS_KEY_ID:-localstack}
+      AWS_SECRET_ACCESS_KEY: \${AWS_SECRET_ACCESS_KEY:-localstack}
+    ports:
+      - '\${LOCALSTACK_PORT:-4566}:4566'
+    volumes:
+      - localstack_data:/var/lib/localstack
+    healthcheck:
+      test: ['CMD', 'curl', '-f', 'http://localhost:4566/_localstack/health']
+      interval: 10s
+      timeout: 5s
+      retries: 5`);
+		volumes.push('  localstack_data:');
+	}
+
+	// RabbitMQ for rabbitmq events (when not already added by worker template)
+	if (options.services?.events === 'rabbitmq' && !hasWorker) {
+		services.push(`  rabbitmq:
+    image: rabbitmq:3-management-alpine
+    container_name: ${options.name}-rabbitmq
+    restart: unless-stopped
+    ports:
+      - '\${RABBITMQ_HOST_PORT:-5672}:5672'
+      - '\${RABBITMQ_MGMT_HOST_PORT:-15672}:15672'
+    environment:
+      RABBITMQ_DEFAULT_USER: guest
+      RABBITMQ_DEFAULT_PASS: guest
+    volumes:
+      - rabbitmq_data:/var/lib/rabbitmq
+    healthcheck:
+      test: ['CMD', 'rabbitmq-diagnostics', 'check_running']
+      interval: 10s
+      timeout: 5s
+      retries: 5`);
+		if (!volumes.includes('  rabbitmq_data:')) {
+			volumes.push('  rabbitmq_data:');
+		}
+	}
+
 	// Build docker-compose.yml
 	let dockerCompose = `# Use "gkm dev" or "gkm test" to start services.
 # Running "docker compose up" directly will not inject secrets or resolve ports.
@@ -209,12 +257,20 @@ ${volumes.join('\n')}
 /**
  * Generate .env file for docker-compose with database passwords
  */
-function generateDockerEnv(apps: DatabaseAppConfig[]): string {
+function generateDockerEnv(
+	apps: DatabaseAppConfig[],
+	eventsBackend?: EventsBackend,
+): string {
 	const envVars = apps.map((app) => {
 		const envVar = `${app.name.toUpperCase()}_DB_PASSWORD`;
 		return `${envVar}=${app.password}`;
 	});
 
+	// Add pgboss password if events backend is pgboss
+	if (eventsBackend === 'pgboss') {
+		envVars.push(`PGBOSS_DB_PASSWORD=pgboss-dev-password`);
+	}
+
 	return `# Auto-generated docker environment file
 # Contains database passwords for docker-compose postgres init
 # This file is gitignored - do not commit to version control
@@ -223,12 +279,16 @@ ${envVars.join('\n')}
 }
 
 /**
- * Generate PostgreSQL init shell script that creates per-app users with separate schemas
- * Uses environment variables for passwords (more secure than hardcoded values)
+ * Generate PostgreSQL init shell script that creates per-app users with separate schemas.
+ * Uses idempotent DO blocks so the script can be re-run safely.
  * - api user: uses public schema
  * - auth user: uses auth schema with search_path=auth
+ * - pgboss user: uses pgboss schema (when events === 'pgboss')
  */
-function generatePostgresInitScript(apps: DatabaseAppConfig[]): string {
+function generatePostgresInitScript(
+	apps: DatabaseAppConfig[],
+	eventsBackend?: EventsBackend,
+): string {
 	const userCreations = apps.map((app) => {
 		const userName = app.name.replace(/-/g, '_');
 		const envVar = `${app.name.toUpperCase()}_DB_PASSWORD`;
@@ -236,25 +296,39 @@ function generatePostgresInitScript(apps: DatabaseAppConfig[]): string {
 		const schemaName = isApi ? 'public' : userName;
 
 		if (isApi) {
-			// API user uses public schema
 			return `
-# Create ${app.name} user (uses public schema)
+# Create ${app.name} user (uses public schema) - idempotent
 echo "Creating user ${userName}..."
 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-    CREATE USER ${userName} WITH PASSWORD '$${envVar}';
+    DO \\$\\$
+    BEGIN
+        IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '${userName}') THEN
+            CREATE USER ${userName} WITH PASSWORD '$${envVar}';
+        ELSE
+            ALTER USER ${userName} WITH PASSWORD '$${envVar}';
+        END IF;
+    END
+    \\$\\$;
     GRANT ALL ON SCHEMA public TO ${userName};
     ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO ${userName};
     ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO ${userName};
 EOSQL
 `;
 		}
-		// Other users get their own schema with search_path
 		return `
-# Create ${app.name} user with dedicated schema
+# Create ${app.name} user with dedicated schema - idempotent
 echo "Creating user ${userName} with schema ${schemaName}..."
 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-    CREATE USER ${userName} WITH PASSWORD '$${envVar}';
-    CREATE SCHEMA ${schemaName} AUTHORIZATION ${userName};
+    DO \\$\\$
+    BEGIN
+        IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '${userName}') THEN
+            CREATE USER ${userName} WITH PASSWORD '$${envVar}';
+        ELSE
+            ALTER USER ${userName} WITH PASSWORD '$${envVar}';
+        END IF;
+    END
+    \\$\\$;
+    CREATE SCHEMA IF NOT EXISTS ${schemaName} AUTHORIZATION ${userName};
     ALTER USER ${userName} SET search_path TO ${schemaName};
     GRANT USAGE ON SCHEMA ${schemaName} TO ${userName};
     GRANT ALL ON ALL TABLES IN SCHEMA ${schemaName} TO ${userName};
@@ -265,14 +339,52 @@ EOSQL
 `;
 	});
 
+	// Add pgboss user and schema if events backend is pgboss
+	let pgbossBlock = '';
+	if (eventsBackend === 'pgboss') {
+		pgbossBlock = `
+# Create pgboss user with dedicated schema - idempotent
+echo "Creating pgboss user and schema..."
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+    DO \\$\\$
+    BEGIN
+        IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'pgboss') THEN
+            CREATE USER pgboss WITH PASSWORD '$PGBOSS_DB_PASSWORD';
+        ELSE
+            ALTER USER pgboss WITH PASSWORD '$PGBOSS_DB_PASSWORD';
+        END IF;
+    END
+    \\$\\$;
+    CREATE SCHEMA IF NOT EXISTS pgboss AUTHORIZATION pgboss;
+    ALTER USER pgboss SET search_path TO pgboss;
+    GRANT USAGE ON SCHEMA pgboss TO pgboss;
+    GRANT ALL ON ALL TABLES IN SCHEMA pgboss TO pgboss;
+    GRANT ALL ON ALL SEQUENCES IN SCHEMA pgboss TO pgboss;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA pgboss GRANT ALL ON TABLES TO pgboss;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA pgboss GRANT ALL ON SEQUENCES TO pgboss;
+EOSQL
+`;
+	}
+
+	// Add extensions
+	const extensions = `
+# Create extensions
+echo "Creating extensions..."
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+    CREATE EXTENSION IF NOT EXISTS pg_trgm;
+    CREATE EXTENSION IF NOT EXISTS citext;
+EOSQL
+`;
+
 	return `#!/bin/bash
 set -e
 
-# Auto-generated PostgreSQL init script
+# Auto-generated PostgreSQL init script (idempotent - safe to re-run)
 # Creates per-app users with separate schemas in a single database
 # - api: uses public schema
-# - auth: uses auth schema (search_path=auth)
-${userCreations.join('\n')}
+# - auth: uses auth schema (search_path=auth)${eventsBackend === 'pgboss' ? '\n# - pgboss: uses pgboss schema for event processing' : ''}
+${extensions}
+${userCreations.join('\n')}${pgbossBlock}
 echo "Database initialization complete!"
 `;
 }