@geekmidas/cli 1.10.15 → 1.10.16

package/src/init/index.ts

@@ -9,7 +9,7 @@ import {
 	generateDbPassword,
 	generateDbUrl,
 } from '../setup/fullstack-secrets.js';
-import type { ComposeServiceName } from '../types.js';
+import type { ComposeServiceName, EventsBackend } from '../types.js';
 import { generateAuthAppFiles } from './generators/auth.js';
 import { generateConfigFiles } from './generators/config.js';
 import {
@@ -27,6 +27,7 @@ import { generateWebAppFiles } from './generators/web.js';
 import {
 	type DeployTarget,
 	deployTargetChoices,
+	eventsBackendChoices,
 	getTemplate,
 	isFullstackTemplate,
 	loggerTypeChoices,
@@ -110,6 +111,13 @@ export async function initCommand(
 				choices: servicesChoices.map((c) => ({ ...c, selected: true })),
 				hint: '- Space to select. Return to submit',
 			},
+			{
+				type: options.yes ? null : 'select',
+				name: 'eventsBackend',
+				message: 'Event backend:',
+				choices: eventsBackendChoices,
+				initial: 0,
+			},
 			{
 				type: options.yes ? null : 'select',
 				name: 'packageManager',
@@ -183,13 +191,27 @@ export async function initCommand(
 	const servicesArray: string[] = options.yes
 		? ['db', 'cache', 'mail', 'storage']
 		: answers.services || [];
+
+	// Determine events backend (default to pgboss for fullstack with --yes)
+	const eventsBackend: EventsBackend | undefined = options.yes
+		? isFullstack
+			? 'pgboss'
+			: undefined
+		: answers.eventsBackend;
+
 	const services: ServicesSelection = {
 		db: servicesArray.includes('db'),
 		cache: servicesArray.includes('cache'),
 		mail: servicesArray.includes('mail'),
 		storage: servicesArray.includes('storage'),
+		events: eventsBackend,
 	};
 
+	// pgboss requires postgres
+	if (services.events === 'pgboss') {
+		services.db = true;
+	}
+
 	const pkgManager: PackageManager = options.pm
 		? options.pm
 		: options.yes
@@ -333,9 +355,12 @@ export async function initCommand(
 	if (services.cache) secretServices.push('redis');
 	if (services.storage) secretServices.push('minio');
 	if (services.mail) secretServices.push('mailpit');
+	if (services.events === 'sns') secretServices.push('localstack');
+	if (services.events === 'rabbitmq') secretServices.push('rabbitmq');
 
 	const devSecrets = createStageSecrets('development', secretServices, {
 		projectName: name,
+		eventsBackend: services.events,
 	});
 
 	// Add common custom secrets

package/src/init/templates/index.ts

@@ -39,6 +39,7 @@ export interface ServicesSelection {
 	cache: boolean;
 	mail: boolean;
 	storage: boolean;
+	events?: import('../../types.js').EventsBackend;
 }
 
 /**
@@ -255,6 +256,33 @@ export const servicesChoices = [
 	},
 ];
 
+/**
+ * Event backend choices for prompts
+ */
+export const eventsBackendChoices = [
+	{
+		title: 'pg-boss',
+		value: 'pgboss' as const,
+		description:
+			'PostgreSQL-based job queue (reuses postgres, no extra container)',
+	},
+	{
+		title: 'SNS/SQS',
+		value: 'sns' as const,
+		description: 'AWS SNS+SQS via LocalStack for local dev',
+	},
+	{
+		title: 'RabbitMQ',
+		value: 'rabbitmq' as const,
+		description: 'AMQP message broker',
+	},
+	{
+		title: 'None',
+		value: undefined,
+		description: 'Skip event backend',
+	},
+];
+
 /**
  * Get a template by name
  */

package/src/secrets/__tests__/generator.spec.ts

@@ -2,7 +2,11 @@ import { describe, expect, it } from 'vitest';
 import {
 	createStageSecrets,
 	generateConnectionUrls,
+	generateEventConnectionStrings,
+	generateLocalStackAccessKeyId,
+	generateLocalStackCredentials,
 	generateMinioEndpoint,
+	generatePgBossUrl,
 	generatePostgresUrl,
 	generateRabbitmqUrl,
 	generateRedisUrl,
@@ -385,3 +389,182 @@ describe('rotateServicePassword', () => {
 		expect(rotated.services.rabbitmq).toEqual(original.services.rabbitmq);
 	});
 });
+
+describe('generateLocalStackAccessKeyId', () => {
+	it('should start with LSIA prefix', () => {
+		const keyId = generateLocalStackAccessKeyId();
+		expect(keyId).toMatch(/^LSIA/);
+	});
+
+	it('should be at least 20 characters', () => {
+		const keyId = generateLocalStackAccessKeyId();
+		expect(keyId.length).toBeGreaterThanOrEqual(20);
+	});
+
+	it('should generate unique keys', () => {
+		const key1 = generateLocalStackAccessKeyId();
+		const key2 = generateLocalStackAccessKeyId();
+		expect(key1).not.toBe(key2);
+	});
+});
+
+describe('generatePgBossUrl', () => {
+	it('should generate pgboss connection URL', () => {
+		const creds: ServiceCredentials = {
+			host: 'localhost',
+			port: 5432,
+			username: 'pgboss',
+			password: 'secret',
+			database: 'myapp_dev',
+		};
+
+		const url = generatePgBossUrl(creds);
+		expect(url).toBe(
+			'pgboss://pgboss:secret@localhost:5432/myapp_dev?schema=pgboss',
+		);
+	});
+
+	it('should encode special characters in password', () => {
+		const creds: ServiceCredentials = {
+			host: 'localhost',
+			port: 5432,
+			username: 'pgboss',
+			password: 'p@ss/word',
+			database: 'app',
+		};
+
+		const url = generatePgBossUrl(creds);
+		expect(url).toContain('p%40ss%2Fword');
+	});
+});
+
+describe('generateLocalStackCredentials', () => {
+	it('should generate credentials with LSIA-prefixed access key', () => {
+		const creds = generateLocalStackCredentials();
+		expect(creds.accessKeyId).toMatch(/^LSIA/);
+		expect(creds.host).toBe('localhost');
+		expect(creds.port).toBe(4566);
+		expect(creds.region).toBe('us-east-1');
+		expect(creds.password).toHaveLength(32);
+	});
+});
+
+describe('generateEventConnectionStrings', () => {
+	it('should generate pgboss connection strings', () => {
+		const services: StageSecrets['services'] = {
+			pgboss: {
+				host: 'localhost',
+				port: 5432,
+				username: 'pgboss',
+				password: 'secret',
+				database: 'myapp_dev',
+			},
+		};
+
+		const result = generateEventConnectionStrings('pgboss', services);
+		expect(result.publisher).toContain('pgboss://');
+		expect(result.subscriber).toContain('pgboss://');
+		expect(result.publisher).toBe(result.subscriber);
+	});
+
+	it('should generate sns/sqs connection strings', () => {
+		const services: StageSecrets['services'] = {
+			localstack: {
+				host: 'localhost',
+				port: 4566,
+				username: 'localstack',
+				password: 'secret',
+				accessKeyId: 'LSIAtest1234567890xx',
+				region: 'us-east-1',
+			},
+		};
+
+		const result = generateEventConnectionStrings('sns', services);
+		expect(result.publisher).toContain('sns://');
+		expect(result.subscriber).toContain('sqs://');
+		expect(result.publisher).toContain('LSIAtest1234567890xx');
+	});
+
+	it('should generate rabbitmq connection strings', () => {
+		const services: StageSecrets['services'] = {
+			rabbitmq: {
+				host: 'localhost',
+				port: 5672,
+				username: 'app',
+				password: 'secret',
+				vhost: '/',
+			},
+		};
+
+		const result = generateEventConnectionStrings('rabbitmq', services);
+		expect(result.publisher).toContain('amqp://');
+		expect(result.subscriber).toContain('amqp://');
+		expect(result.publisher).toBe(result.subscriber);
+	});
+
+	it('should throw if pgboss credentials missing', () => {
+		expect(() => generateEventConnectionStrings('pgboss', {})).toThrow(
+			'pgboss credentials required',
+		);
+	});
+
+	it('should throw if localstack credentials missing', () => {
+		expect(() => generateEventConnectionStrings('sns', {})).toThrow(
+			'localstack credentials required',
+		);
+	});
+});
+
+describe('createStageSecrets with events', () => {
+	it('should create pgboss credentials when eventsBackend is pgboss', () => {
+		const secrets = createStageSecrets('development', ['postgres'], {
+			eventsBackend: 'pgboss',
+		});
+
+		expect(secrets.eventsBackend).toBe('pgboss');
+		expect(secrets.services.pgboss).toBeDefined();
+		expect(secrets.services.pgboss!.username).toBe('pgboss');
+		expect(secrets.services.pgboss!.host).toBe(secrets.services.postgres!.host);
+		expect(secrets.services.pgboss!.database).toBe(
+			secrets.services.postgres!.database,
+		);
+		expect(secrets.urls.EVENT_PUBLISHER_CONNECTION_STRING).toContain(
+			'pgboss://',
+		);
+		expect(secrets.urls.EVENT_SUBSCRIBER_CONNECTION_STRING).toContain(
+			'pgboss://',
+		);
+	});
+
+	it('should create localstack credentials when eventsBackend is sns', () => {
+		const secrets = createStageSecrets('development', [], {
+			eventsBackend: 'sns',
+		});
+
+		expect(secrets.eventsBackend).toBe('sns');
+		expect(secrets.services.localstack).toBeDefined();
+		expect(secrets.services.localstack!.accessKeyId).toMatch(/^LSIA/);
+		expect(secrets.urls.EVENT_PUBLISHER_CONNECTION_STRING).toContain('sns://');
+		expect(secrets.urls.EVENT_SUBSCRIBER_CONNECTION_STRING).toContain('sqs://');
+	});
+
+	it('should use rabbitmq credentials when eventsBackend is rabbitmq', () => {
+		const secrets = createStageSecrets('development', ['rabbitmq'], {
+			eventsBackend: 'rabbitmq',
+		});
+
+		expect(secrets.eventsBackend).toBe('rabbitmq');
+		expect(secrets.urls.EVENT_PUBLISHER_CONNECTION_STRING).toContain('amqp://');
+		expect(secrets.urls.EVENT_SUBSCRIBER_CONNECTION_STRING).toContain(
+			'amqp://',
+		);
+	});
+
+	it('should not create event URLs without eventsBackend', () => {
+		const secrets = createStageSecrets('development', ['postgres']);
+
+		expect(secrets.eventsBackend).toBeUndefined();
+		expect(secrets.urls.EVENT_PUBLISHER_CONNECTION_STRING).toBeUndefined();
+		expect(secrets.urls.EVENT_SUBSCRIBER_CONNECTION_STRING).toBeUndefined();
+	});
+});

package/src/secrets/generator.ts

@@ -1,5 +1,5 @@
 import { randomBytes } from 'node:crypto';
-import type { ComposeServiceName } from '../types';
+import type { ComposeServiceName, EventsBackend } from '../types';
 import type { ServiceCredentials, StageSecrets } from './types';
 
 /**
@@ -45,6 +45,20 @@ const SERVICE_DEFAULTS: Record<
 		port: 1025,
 		username: 'app',
 	},
+	localstack: {
+		host: 'localhost',
+		port: 4566,
+		username: 'localstack',
+		region: 'us-east-1',
+	},
+};
+
+/** Default credentials for pgboss (not a Docker service, reuses postgres) */
+const PGBOSS_DEFAULTS: Omit<ServiceCredentials, 'password'> = {
+	host: 'localhost',
+	port: 5432,
+	username: 'pgboss',
+	database: 'app',
 };
 
 /**
@@ -108,11 +122,72 @@ export function generateMinioEndpoint(creds: ServiceCredentials): string {
 	return `http://${host}:${port}`;
 }
 
+/**
+ * Generate a LocalStack-compatible access key ID.
+ * Must start with 'LSIA' prefix and be at least 20 characters.
+ * @see https://docs.localstack.cloud/aws/capabilities/config/credentials/
+ */
+export function generateLocalStackAccessKeyId(): string {
+	const suffix = randomBytes(12).toString('base64url').slice(0, 16);
+	return `LSIA${suffix}`;
+}
+
+/**
+ * Generate connection URL for pg-boss (uses PostgreSQL protocol).
+ * Format: pgboss://user:pass@host:port/db?schema=pgboss
+ */
+export function generatePgBossUrl(creds: ServiceCredentials): string {
+	const { username, password, host, port, database } = creds;
+	return `pgboss://${username}:${encodeURIComponent(password)}@${host}:${port}/${database}?schema=pgboss`;
+}
+
+/**
+ * Generate event connection strings based on the events backend.
+ */
+export function generateEventConnectionStrings(
+	eventsBackend: EventsBackend,
+	services: StageSecrets['services'],
+): { publisher: string; subscriber: string } {
+	switch (eventsBackend) {
+		case 'pgboss': {
+			const creds = services.pgboss;
+			if (!creds) {
+				throw new Error('pgboss credentials required for pgboss events');
+			}
+			const url = generatePgBossUrl(creds);
+			return { publisher: url, subscriber: url };
+		}
+		case 'sns': {
+			const creds = services.localstack;
+			if (!creds) {
+				throw new Error('localstack credentials required for sns events');
+			}
+			const endpoint = `http://${creds.host}:${creds.port}`;
+			const region = creds.region ?? 'us-east-1';
+			const accessKeyId = creds.accessKeyId ?? creds.username;
+			const secretKey = encodeURIComponent(creds.password);
+			return {
+				publisher: `sns://${accessKeyId}:${secretKey}@${creds.host}:${creds.port}?region=${region}&endpoint=${encodeURIComponent(endpoint)}`,
+				subscriber: `sqs://${accessKeyId}:${secretKey}@${creds.host}:${creds.port}?region=${region}&endpoint=${encodeURIComponent(endpoint)}`,
+			};
+		}
+		case 'rabbitmq': {
+			const creds = services.rabbitmq;
+			if (!creds) {
+				throw new Error('rabbitmq credentials required for rabbitmq events');
+			}
+			const url = generateRabbitmqUrl(creds);
+			return { publisher: url, subscriber: url };
+		}
+	}
+}
+
 /**
  * Generate connection URLs from service credentials.
  */
 export function generateConnectionUrls(
 	services: StageSecrets['services'],
+	eventsBackend?: EventsBackend,
 ): StageSecrets['urls'] {
 	const urls: StageSecrets['urls'] = {};
 
@@ -132,6 +207,12 @@ export function generateConnectionUrls(
 		urls.STORAGE_ENDPOINT = generateMinioEndpoint(services.minio);
 	}
 
+	if (eventsBackend) {
+		const eventUrls = generateEventConnectionStrings(eventsBackend, services);
+		urls.EVENT_PUBLISHER_CONNECTION_STRING = eventUrls.publisher;
+		urls.EVENT_SUBSCRIBER_CONNECTION_STRING = eventUrls.subscriber;
+	}
+
 	if (services.mailpit) {
 		urls.SMTP_HOST = services.mailpit.host;
 		urls.SMTP_PORT = String(services.mailpit.port);
@@ -140,17 +221,30 @@ export function generateConnectionUrls(
 	return urls;
 }
 
+/**
+ * Generate LocalStack service credentials with LSIA-prefixed access key.
+ */
+export function generateLocalStackCredentials(): ServiceCredentials {
+	const defaults = SERVICE_DEFAULTS.localstack;
+	return {
+		...defaults,
+		password: generateSecurePassword(),
+		accessKeyId: generateLocalStackAccessKeyId(),
+	};
+}
+
 /**
  * Create a new StageSecrets object with generated credentials.
  * @param stage - The deployment stage (e.g., 'development', 'production')
  * @param services - List of services to generate credentials for
  * @param options - Optional configuration
  * @param options.projectName - Project name used to derive the database name (e.g., 'myapp' → 'myapp_dev')
+ * @param options.eventsBackend - Event backend type (pgboss, sns, rabbitmq)
  */
 export function createStageSecrets(
 	stage: string,
 	services: ComposeServiceName[],
-	options?: { projectName?: string },
+	options?: { projectName?: string; eventsBackend?: EventsBackend },
 ): StageSecrets {
 	const now = new Date().toISOString();
 	const serviceCredentials = generateServicesCredentials(services);
@@ -166,12 +260,30 @@ export function createStageSecrets(
 		}
 	}
 
-	const urls = generateConnectionUrls(serviceCredentials);
+	// Generate event-specific credentials
+	const eventsBackend = options?.eventsBackend;
+	if (eventsBackend === 'pgboss' && serviceCredentials.postgres) {
+		// pgboss reuses postgres host/port/database but with dedicated user
+		serviceCredentials.pgboss = {
+			...PGBOSS_DEFAULTS,
+			password: generateSecurePassword(),
+			host: serviceCredentials.postgres.host,
+			port: serviceCredentials.postgres.port,
+			database: serviceCredentials.postgres.database,
+		};
+	}
+	if (eventsBackend === 'sns') {
+		// LocalStack credentials with LSIA-prefixed access key
+		serviceCredentials.localstack = generateLocalStackCredentials();
+	}
+
+	const urls = generateConnectionUrls(serviceCredentials, eventsBackend);
 
 	return {
 		stage,
 		createdAt: now,
 		updatedAt: now,
+		eventsBackend,
 		services: serviceCredentials,
 		urls,
 		custom: {},
@@ -204,6 +316,6 @@ export function rotateServicePassword(
 		...secrets,
 		updatedAt: new Date().toISOString(),
 		services: newServices,
-		urls: generateConnectionUrls(newServices),
+		urls: generateConnectionUrls(newServices, secrets.eventsBackend),
 	};
 }

package/src/secrets/storage.ts

@@ -223,6 +223,18 @@ export function toEmbeddableSecrets(secrets: StageSecrets): EmbeddableSecrets {
 			SMTP_SECURE: 'false',
 			MAIL_FROM: 'noreply@localhost',
 		}),
+		...(secrets.services.localstack && {
+			AWS_ACCESS_KEY_ID:
+				secrets.services.localstack.accessKeyId ??
+				secrets.services.localstack.username,
+			AWS_SECRET_ACCESS_KEY: secrets.services.localstack.password,
+			AWS_REGION: secrets.services.localstack.region ?? 'us-east-1',
+			AWS_ENDPOINT_URL: `http://${secrets.services.localstack.host}:${secrets.services.localstack.port}`,
+		}),
+		...(secrets.services.pgboss && {
+			PGBOSS_DB_USER: secrets.services.pgboss.username,
+			PGBOSS_DB_PASSWORD: secrets.services.pgboss.password,
+		}),
 	};
 }
 

package/src/secrets/types.ts

@@ -1,4 +1,4 @@
-import type { ComposeServiceName } from '../types';
+import type { ComposeServiceName, EventsBackend } from '../types';
 
 /** Credentials for a specific service */
 export interface ServiceCredentials {
@@ -12,6 +12,10 @@ export interface ServiceCredentials {
 	vhost?: string;
 	/** Bucket name (for minio) */
 	bucket?: string;
+	/** Access key ID (for localstack) */
+	accessKeyId?: string;
+	/** Region (for localstack) */
+	region?: string;
 }
 
 /** Stage secrets configuration */
@@ -22,6 +26,8 @@ export interface StageSecrets {
 	createdAt: string;
 	/** ISO timestamp when secrets were last updated */
 	updatedAt: string;
+	/** Event backend type (if events are enabled) */
+	eventsBackend?: EventsBackend;
 	/** Service-specific credentials */
 	services: {
 		postgres?: ServiceCredentials;
@@ -29,6 +35,8 @@ export interface StageSecrets {
 		rabbitmq?: ServiceCredentials;
 		minio?: ServiceCredentials;
 		mailpit?: ServiceCredentials;
+		localstack?: ServiceCredentials;
+		pgboss?: ServiceCredentials;
 	};
 	/** Generated connection URLs */
 	urls: {
@@ -38,6 +46,8 @@ export interface StageSecrets {
 		STORAGE_ENDPOINT?: string;
 		SMTP_HOST?: string;
 		SMTP_PORT?: string;
+		EVENT_PUBLISHER_CONNECTION_STRING?: string;
+		EVENT_SUBSCRIBER_CONNECTION_STRING?: string;
 	};
 	/** Custom user-defined secrets */
 	custom: Record<string, string>;

package/src/setup/__tests__/reconcile-secrets.spec.ts

@@ -340,3 +340,89 @@ describe('generateFullstackCustomSecrets', () => {
 		expect(result.BETTER_AUTH_TRUSTED_ORIGINS).toBeUndefined();
 	});
 });
+
+describe('reconcileSecrets - events', () => {
+	it('should add pgboss credentials when events is pgboss', () => {
+		const workspace = createWorkspace({
+			services: { db: true, cache: false, events: 'pgboss' },
+		});
+		const secrets = createSecrets();
+
+		const result = reconcileSecrets(secrets, workspace);
+
+		expect(result).not.toBeNull();
+		expect(result!.eventsBackend).toBe('pgboss');
+		expect(result!.services.pgboss).toBeDefined();
+		expect(result!.services.pgboss!.username).toBe('pgboss');
+		expect(result!.services.pgboss!.host).toBe('localhost');
+		expect(result!.services.pgboss!.database).toBe('test_dev');
+		expect(result!.urls.EVENT_PUBLISHER_CONNECTION_STRING).toContain(
+			'pgboss://',
+		);
+		expect(result!.urls.EVENT_SUBSCRIBER_CONNECTION_STRING).toContain(
+			'pgboss://',
+		);
+	});
+
+	it('should add localstack credentials when events is sns', () => {
+		const workspace = createWorkspace({
+			services: { db: true, cache: false, events: 'sns' },
+		});
+		const secrets = createSecrets();
+
+		const result = reconcileSecrets(secrets, workspace);
+
+		expect(result).not.toBeNull();
+		expect(result!.eventsBackend).toBe('sns');
+		expect(result!.services.localstack).toBeDefined();
+		expect(result!.services.localstack!.accessKeyId).toMatch(/^LSIA/);
+		expect(result!.urls.EVENT_PUBLISHER_CONNECTION_STRING).toContain('sns://');
+		expect(result!.urls.EVENT_SUBSCRIBER_CONNECTION_STRING).toContain('sqs://');
+	});
+
+	it('should add rabbitmq credentials when events is rabbitmq', () => {
+		const workspace = createWorkspace({
+			services: { db: true, cache: false, events: 'rabbitmq' },
+		});
+		const secrets = createSecrets();
+
+		const result = reconcileSecrets(secrets, workspace);
+
+		expect(result).not.toBeNull();
+		expect(result!.eventsBackend).toBe('rabbitmq');
+		expect(result!.services.rabbitmq).toBeDefined();
+		expect(result!.urls.EVENT_PUBLISHER_CONNECTION_STRING).toContain('amqp://');
+	});
+
+	it('should not add duplicate pgboss credentials when already present', () => {
+		const workspace = createWorkspace({
+			services: { db: true, cache: false, events: 'pgboss' },
+		});
+		const secrets: StageSecrets = {
+			...createSecrets(),
+			eventsBackend: 'pgboss',
+			services: {
+				...createSecrets().services,
+				pgboss: {
+					host: 'localhost',
+					port: 5432,
+					username: 'pgboss',
+					password: 'existing-pass',
+					database: 'test_dev',
+				},
+			},
+			urls: {
+				...createSecrets().urls,
+				EVENT_PUBLISHER_CONNECTION_STRING: 'pgboss://existing',
+				EVENT_SUBSCRIBER_CONNECTION_STRING: 'pgboss://existing',
+			},
+		};
+
+		const result = reconcileSecrets(secrets, workspace);
+
+		// pgboss credentials should be preserved (not regenerated)
+		if (result) {
+			expect(result.services.pgboss!.password).toBe('existing-pass');
+		}
+	});
+});