@geekmidas/cli 1.10.15 → 1.10.17

package/dist/index.mjs

@@ -4,13 +4,13 @@ import { getAppBuildOrder, getDependencyEnvVars, getDeployTargetError, isDeployT
 import { getAppNameFromCwd, loadAppConfig, loadConfig, loadWorkspaceAppInfo, loadWorkspaceConfig, parseModuleConfig } from "./config-jsRYHOHU.mjs";
 import { getCredentialsPath, getDokployCredentials, getDokployRegistryId, getDokployToken, removeDokployCredentials, storeDokployCredentials, storeDokployRegistryId } from "./credentials-s1kLcIzK.mjs";
 import { ConstructGenerator, EndpointGenerator, OPENAPI_OUTPUT_PATH, copyAllClients, copyClientToFrontends, generateOpenApi, getBackendOpenApiPath, isPartitionedRoutes, normalizeRoutes, openapiCommand, resolveOpenApiConfig } from "./openapi-DenF-okj.mjs";
-import { getKeyPath, maskPassword, readStageSecrets, secretsExist, setCustomSecret, toEmbeddableSecrets, writeStageSecrets } from "./storage-clMAp4sc.mjs";
+import { getKeyPath, maskPassword, readStageSecrets, secretsExist, setCustomSecret, toEmbeddableSecrets, writeStageSecrets } from "./storage-dbb9RyBl.mjs";
 import { DokployApi } from "./dokploy-api-2ldYoN3i.mjs";
 import { encryptSecrets } from "./encryption-BOH5M-f-.mjs";
 import { CachedStateProvider } from "./CachedStateProvider-BDq5WqSy.mjs";
-import { createStageSecrets, generateConnectionUrls, generateDbPassword, generateDbUrl, generateFullstackCustomSecrets, generateServiceCredentials, rotateServicePassword, writeDockerEnvFromSecrets } from "./fullstack-secrets-BIFFv4UZ.mjs";
+import { createStageSecrets, generateConnectionUrls, generateDbPassword, generateDbUrl, generateFullstackCustomSecrets, generateLocalStackCredentials, generateSecurePassword, generateServiceCredentials, rotateServicePassword, writeDockerEnvFromSecrets } from "./fullstack-secrets-x2Kffx7-.mjs";
 import { generateReactQueryCommand } from "./openapi-react-query-C4UdILaI.mjs";
-import { isSSMConfigured, pullSecrets, pushSecrets } from "./sync-CWJ6tL0s.mjs";
+import { isSSMConfigured, pullSecrets, pushSecrets } from "./sync-D_NowTkZ.mjs";
 import { createRequire } from "node:module";
 import { copyFileSync, existsSync, readFileSync, unlinkSync } from "node:fs";
 import { basename, dirname, join, parse, relative, resolve } from "node:path";
@@ -35,7 +35,7 @@ import prompts from "prompts";
 
 //#region package.json
 var name = "@geekmidas/cli";
-var version = "1.10.14";
+var version = "1.10.16";
 var description = "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs";
 var private$1 = false;
 var type = "module";
@@ -808,7 +808,9 @@ async function resolveServicePorts(workspaceRoot) {
 */
 function replacePortInUrl(url, oldPort, newPort) {
 	if (oldPort === newPort) return url;
-	return url.replace(new RegExp(`:${oldPort}(?=/|$)`, "g"), `:${newPort}`);
+	let result = url.replace(new RegExp(`:${oldPort}(?=[/?#]|$)`, "g"), `:${newPort}`);
+	result = result.replace(new RegExp(`%3A${oldPort}(?=[%/?#&]|$)`, "gi"), `%3A${newPort}`);
+	return result;
 }
 /**
 * Rewrite connection URLs and port vars in secrets with resolved ports.
@@ -838,7 +840,7 @@ function rewriteUrlsWithPorts(secrets, resolvedPorts) {
 		for (const { defaultPort, resolvedPort } of portReplacements) if (value === String(defaultPort)) result[key] = String(resolvedPort);
 	}
 	for (const [key, value] of Object.entries(result)) {
-		if (!key.endsWith("_URL") && !key.endsWith("_ENDPOINT") && key !== "DATABASE_URL") continue;
+		if (!key.endsWith("_URL") && !key.endsWith("_ENDPOINT") && !key.endsWith("_CONNECTION_STRING") && key !== "DATABASE_URL") continue;
 		let rewritten = value;
 		for (const name$1 of serviceNames) rewritten = rewritten.replace(new RegExp(`@${name$1}:`, "g"), "@localhost:");
 		for (const { defaultPort, resolvedPort } of portReplacements) rewritten = replacePortInUrl(rewritten, defaultPort, resolvedPort);
@@ -1521,17 +1523,16 @@ function findSecretsRoot(startDir) {
 * @internal
 */
 function generateCredentialsInjection(secretsJsonPath) {
-	return `import { Credentials } from '@geekmidas/envkit/credentials';
-import { existsSync, readFileSync } from 'node:fs';
+	return `import { existsSync, readFileSync } from 'node:fs';
 
-// Inject dev secrets into Credentials and process.env
+// Inject dev secrets via globalThis and process.env
+// Using globalThis.__gkm_credentials__ avoids CJS/ESM interop issues where
+// Object.assign on the Credentials export only mutates one module copy.
 const secretsPath = '${secretsJsonPath}';
 if (existsSync(secretsPath)) {
   const secrets = JSON.parse(readFileSync(secretsPath, 'utf-8'));
-  Object.assign(Credentials, secrets);
+  globalThis.__gkm_credentials__ = secrets;
   Object.assign(process.env, secrets);
-  // Debug: uncomment to verify preload is running
-  // console.log('[gkm preload] Injected', Object.keys(secrets).length, 'credentials');
 }
 `;
 }
@@ -1720,13 +1721,14 @@ var EntryRunner = class {
 */
 function generateServerEntryContent(options) {
 	const { secretsJsonPath, runtime = "node", enableOpenApi = false, appImportPath = "./app.js" } = options;
-	const credentialsInjection = secretsJsonPath ? `import { Credentials } from '@geekmidas/envkit/credentials';
-import { existsSync, readFileSync } from 'node:fs';
+	const credentialsInjection = secretsJsonPath ? `import { existsSync, readFileSync } from 'node:fs';
 
-// Inject dev secrets into Credentials (must happen before app import)
+// Inject dev secrets via globalThis (must happen before app import)
 const secretsPath = '${secretsJsonPath}';
 if (existsSync(secretsPath)) {
-  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
+  const __secrets = JSON.parse(readFileSync(secretsPath, 'utf-8'));
+  globalThis.__gkm_credentials__ = __secrets;
+  Object.assign(process.env, __secrets);
 }
 
 ` : "";
@@ -1894,19 +1896,11 @@ async function execCommand(commandArgs, options = {}) {
 	if (appName) logger$11.log(`📦 App: ${appName}`);
 	const secretCount = Object.keys(credentials).filter((k) => k !== "PORT").length;
 	if (secretCount > 0) logger$11.log(`🔐 Loaded ${secretCount} secret(s)`);
-	const composePath = join(secretsRoot, "docker-compose.yml");
-	const mappings = parseComposePortMappings(composePath);
-	if (mappings.length > 0) {
-		const ports = await loadPortState(secretsRoot);
-		if (Object.keys(ports).length > 0) {
-			const rewritten = rewriteUrlsWithPorts(credentials, {
-				dockerEnv: {},
-				ports,
-				mappings
-			});
-			Object.assign(credentials, rewritten);
-			logger$11.log(`🔌 Applied ${Object.keys(ports).length} port mapping(s)`);
-		}
+	const resolvedPorts = await resolveServicePorts(secretsRoot);
+	if (resolvedPorts.mappings.length > 0 && Object.keys(resolvedPorts.ports).length > 0) {
+		const rewritten = rewriteUrlsWithPorts(credentials, resolvedPorts);
+		Object.assign(credentials, rewritten);
+		logger$11.log(`🔌 Applied ${Object.keys(resolvedPorts.ports).length} port mapping(s)`);
 	}
 	try {
 		const appInfo = await loadWorkspaceAppInfo(cwd);
@@ -2220,7 +2214,7 @@ async function buildForProvider(provider, context, rootOutputDir, endpointGenera
 		let masterKey;
 		if (context.production?.bundle && !skipBundle) {
 			logger$9.log(`\n📦 Bundling production server...`);
-			const { bundleServer } = await import("./bundler-BWsVDer6.mjs");
+			const { bundleServer } = await import("./bundler-B4AackW5.mjs");
 			const allConstructs = [
 				...endpoints.map((e) => e.construct),
 				...functions.map((f) => f.construct),
@@ -2884,7 +2878,8 @@ const DEFAULT_SERVICE_IMAGES = {
 	redis: "redis",
 	rabbitmq: "rabbitmq",
 	minio: "minio/minio",
-	mailpit: "axllent/mailpit"
+	mailpit: "axllent/mailpit",
+	localstack: "localstack/localstack"
 };
 /** Default Docker image versions for services */
 const DEFAULT_SERVICE_VERSIONS = {
@@ -2892,7 +2887,8 @@ const DEFAULT_SERVICE_VERSIONS = {
 	redis: "7-alpine",
 	rabbitmq: "3-management-alpine",
 	minio: "latest",
-	mailpit: "latest"
+	mailpit: "latest",
+	localstack: "latest"
 };
 /** Get the default full image reference for a service */
 function getDefaultImage(serviceName) {
@@ -2959,6 +2955,11 @@ services:
       - SMTP_PASS=\${SMTP_PASS:-${imageName}}
       - SMTP_SECURE=\${SMTP_SECURE:-false}
       - MAIL_FROM=\${MAIL_FROM:-noreply@localhost}
+`;
+	if (serviceMap.has("localstack")) yaml += `      - AWS_ACCESS_KEY_ID=\${AWS_ACCESS_KEY_ID:-localstack}
+      - AWS_SECRET_ACCESS_KEY=\${AWS_SECRET_ACCESS_KEY:-localstack}
+      - AWS_REGION=\${AWS_REGION:-us-east-1}
+      - AWS_ENDPOINT_URL=\${AWS_ENDPOINT_URL:-http://localstack:4566}
 `;
 	yaml += `    healthcheck:
       test: ["CMD", "wget", "-q", "--spider", "http://localhost:${port}${healthCheckPath}"]
@@ -3075,6 +3076,29 @@ services:
       retries: 5
     networks:
       - app-network
+`;
+	const localstackImage = serviceMap.get("localstack");
+	if (localstackImage) yaml += `
+  localstack:
+    image: ${localstackImage}
+    container_name: localstack
+    restart: unless-stopped
+    environment:
+      SERVICES: sns,sqs
+      AWS_DEFAULT_REGION: \${AWS_REGION:-us-east-1}
+      AWS_ACCESS_KEY_ID: \${AWS_ACCESS_KEY_ID:-localstack}
+      AWS_SECRET_ACCESS_KEY: \${AWS_SECRET_ACCESS_KEY:-localstack}
+    ports:
+      - "\${LOCALSTACK_PORT:-4566}:4566"
+    volumes:
+      - localstack_data:/var/lib/localstack
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:4566/_localstack/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - app-network
 `;
 	yaml += `
 volumes:
@@ -3086,6 +3110,8 @@ volumes:
 	if (serviceMap.has("rabbitmq")) yaml += `  rabbitmq_data:
 `;
 	if (serviceMap.has("minio")) yaml += `  minio_data:
+`;
+	if (serviceMap.has("localstack")) yaml += `  localstack_data:
 `;
 	yaml += `
 networks:
@@ -3142,6 +3168,9 @@ function generateWorkspaceCompose(workspace, options = {}) {
 	const hasRedis = services.cache !== void 0 && services.cache !== false;
 	const hasMail = services.mail !== void 0 && services.mail !== false;
 	const hasMinio = services.storage !== void 0 && services.storage !== false;
+	const eventsBackend = services.events;
+	const hasLocalStack = eventsBackend === "sns";
+	const hasRabbitMQ = eventsBackend === "rabbitmq" || services.rabbitmq !== void 0;
 	const postgresImage = getInfraServiceImage("postgres", services.db);
 	const redisImage = getInfraServiceImage("redis", services.cache);
 	const minioImage = getInfraServiceImage("minio", services.storage);
@@ -3157,7 +3186,8 @@ services:
 		hasPostgres,
 		hasRedis,
 		hasMinio,
-		hasMail
+		hasMail,
+		eventsBackend
 	});
 	if (hasPostgres) yaml += `
   postgres:
@@ -3233,6 +3263,49 @@ services:
       retries: 5
     networks:
       - workspace-network
+`;
+	if (hasLocalStack) yaml += `
+  localstack:
+    image: localstack/localstack:latest
+    container_name: ${workspace.name}-localstack
+    restart: unless-stopped
+    environment:
+      SERVICES: sns,sqs
+      AWS_DEFAULT_REGION: \${AWS_REGION:-us-east-1}
+      AWS_ACCESS_KEY_ID: \${AWS_ACCESS_KEY_ID:-localstack}
+      AWS_SECRET_ACCESS_KEY: \${AWS_SECRET_ACCESS_KEY:-localstack}
+    ports:
+      - "\${LOCALSTACK_PORT:-4566}:4566"
+    volumes:
+      - localstack_data:/var/lib/localstack
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:4566/_localstack/health"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - workspace-network
+`;
+	if (hasRabbitMQ) yaml += `
+  rabbitmq:
+    image: rabbitmq:3-management-alpine
+    container_name: ${workspace.name}-rabbitmq
+    restart: unless-stopped
+    environment:
+      RABBITMQ_DEFAULT_USER: \${RABBITMQ_USER:-guest}
+      RABBITMQ_DEFAULT_PASS: \${RABBITMQ_PASSWORD:-guest}
+    ports:
+      - "\${RABBITMQ_HOST_PORT:-5672}:5672"
+      - "\${RABBITMQ_MGMT_HOST_PORT:-15672}:15672"
+    volumes:
+      - rabbitmq_data:/var/lib/rabbitmq
+    healthcheck:
+      test: ["CMD", "rabbitmq-diagnostics", "-q", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - workspace-network
 `;
 	yaml += `
 volumes:
@@ -3242,6 +3315,10 @@ volumes:
 	if (hasRedis) yaml += `  redis_data:
 `;
 	if (hasMinio) yaml += `  minio_data:
+`;
+	if (hasLocalStack) yaml += `  localstack_data:
+`;
+	if (hasRabbitMQ) yaml += `  rabbitmq_data:
 `;
 	yaml += `
 networks:
@@ -3277,7 +3354,7 @@ function getInfraServiceImage(serviceName, config$1) {
 * Generate a service definition for an app.
 */
 function generateAppService(appName, app, allApps, options) {
-	const { registry, projectName, hasPostgres, hasRedis, hasMinio, hasMail } = options;
+	const { registry, projectName, hasPostgres, hasRedis, hasMinio, hasMail, eventsBackend } = options;
 	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : "";
 	const healthCheckPath = app.type === "frontend" ? "/" : "/health";
 	const healthCheckCmd = app.type === "frontend" ? `["CMD", "wget", "-q", "--spider", "http://localhost:${app.port}/"]` : `["CMD", "wget", "-q", "--spider", "http://localhost:${app.port}${healthCheckPath}"]`;
@@ -3319,6 +3396,16 @@ function generateAppService(appName, app, allApps, options) {
       - SMTP_SECURE=\${SMTP_SECURE:-false}
       - MAIL_FROM=\${MAIL_FROM:-noreply@localhost}
 `;
+		if (eventsBackend) {
+			yaml += `      - EVENT_PUBLISHER_CONNECTION_STRING=\${EVENT_PUBLISHER_CONNECTION_STRING}
+      - EVENT_SUBSCRIBER_CONNECTION_STRING=\${EVENT_SUBSCRIBER_CONNECTION_STRING}
+`;
+			if (eventsBackend === "sns") yaml += `      - AWS_ACCESS_KEY_ID=\${AWS_ACCESS_KEY_ID:-localstack}
+      - AWS_SECRET_ACCESS_KEY=\${AWS_SECRET_ACCESS_KEY:-localstack}
+      - AWS_REGION=\${AWS_REGION:-us-east-1}
+      - AWS_ENDPOINT_URL=\${AWS_ENDPOINT_URL:-http://localstack:4566}
+`;
+		}
 	}
 	yaml += `    healthcheck:
       test: ${healthCheckCmd}
@@ -3332,6 +3419,8 @@ function generateAppService(appName, app, allApps, options) {
 		if (hasRedis) dependencies$1.push("redis");
 		if (hasMinio) dependencies$1.push("minio");
 		if (hasMail) dependencies$1.push("mailpit");
+		if (eventsBackend === "sns") dependencies$1.push("localstack");
+		if (eventsBackend === "rabbitmq") dependencies$1.push("rabbitmq");
 	}
 	if (dependencies$1.length > 0) {
 		yaml += `    depends_on:
@@ -6376,7 +6465,7 @@ async function deployCommand(options) {
 		dokployConfig = setupResult.config;
 		finalRegistry = dokployConfig.registry ?? dockerConfig.registry;
 		if (setupResult.serviceUrls) {
-			const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1, initStageSecrets } = await import("./storage-CauTheT9.mjs");
+			const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1, initStageSecrets } = await import("./storage-Cs4WBsc4.mjs");
 			let secrets = await readStageSecrets$1(stage);
 			if (!secrets) {
 				logger$3.log(`   Creating secrets file for stage "${stage}"...`);
@@ -6663,7 +6752,7 @@ const GEEKMIDAS_VERSIONS = {
 	"@geekmidas/constructs": "~3.0.2",
 	"@geekmidas/db": "~1.0.0",
 	"@geekmidas/emailkit": "~1.0.0",
-	"@geekmidas/envkit": "~1.0.3",
+	"@geekmidas/envkit": "~1.0.4",
 	"@geekmidas/errors": "~1.0.0",
 	"@geekmidas/events": "~1.1.0",
 	"@geekmidas/logger": "~1.0.0",
@@ -7145,11 +7234,11 @@ function generateDockerFiles(options, template, dbApps) {
 		if (isFullstack && dbApps?.length) {
 			files.push({
 				path: "docker/postgres/init.sh",
-				content: generatePostgresInitScript(dbApps)
+				content: generatePostgresInitScript(dbApps, options.services?.events)
 			});
 			files.push({
 				path: "docker/.env",
-				content: generateDockerEnv(dbApps)
+				content: generateDockerEnv(dbApps, options.services?.events)
 			});
 		}
 	}
@@ -7249,6 +7338,47 @@ function generateDockerFiles(options, template, dbApps) {
       retries: 5`);
 		volumes.push("  minio_data:");
 	}
+	if (options.services?.events === "sns") {
+		services.push(`  localstack:
+    image: localstack/localstack:latest
+    container_name: ${options.name}-localstack
+    restart: unless-stopped
+    environment:
+      SERVICES: sns,sqs
+      AWS_DEFAULT_REGION: \${AWS_REGION:-us-east-1}
+      AWS_ACCESS_KEY_ID: \${AWS_ACCESS_KEY_ID:-localstack}
+      AWS_SECRET_ACCESS_KEY: \${AWS_SECRET_ACCESS_KEY:-localstack}
+    ports:
+      - '\${LOCALSTACK_PORT:-4566}:4566'
+    volumes:
+      - localstack_data:/var/lib/localstack
+    healthcheck:
+      test: ['CMD', 'curl', '-f', 'http://localhost:4566/_localstack/health']
+      interval: 10s
+      timeout: 5s
+      retries: 5`);
+		volumes.push("  localstack_data:");
+	}
+	if (options.services?.events === "rabbitmq" && !hasWorker) {
+		services.push(`  rabbitmq:
+    image: rabbitmq:3-management-alpine
+    container_name: ${options.name}-rabbitmq
+    restart: unless-stopped
+    ports:
+      - '\${RABBITMQ_HOST_PORT:-5672}:5672'
+      - '\${RABBITMQ_MGMT_HOST_PORT:-15672}:15672'
+    environment:
+      RABBITMQ_DEFAULT_USER: guest
+      RABBITMQ_DEFAULT_PASS: guest
+    volumes:
+      - rabbitmq_data:/var/lib/rabbitmq
+    healthcheck:
+      test: ['CMD', 'rabbitmq-diagnostics', 'check_running']
+      interval: 10s
+      timeout: 5s
+      retries: 5`);
+		if (!volumes.includes("  rabbitmq_data:")) volumes.push("  rabbitmq_data:");
+	}
 	let dockerCompose = `# Use "gkm dev" or "gkm test" to start services.
 # Running "docker compose up" directly will not inject secrets or resolve ports.
 services:
@@ -7267,11 +7397,12 @@ ${volumes.join("\n")}
 /**
 * Generate .env file for docker-compose with database passwords
 */
-function generateDockerEnv(apps) {
+function generateDockerEnv(apps, eventsBackend) {
 	const envVars = apps.map((app) => {
 		const envVar = `${app.name.toUpperCase()}_DB_PASSWORD`;
 		return `${envVar}=${app.password}`;
 	});
+	if (eventsBackend === "pgboss") envVars.push(`PGBOSS_DB_PASSWORD=pgboss-dev-password`);
 	return `# Auto-generated docker environment file
 # Contains database passwords for docker-compose postgres init
 # This file is gitignored - do not commit to version control
@@ -7279,33 +7410,50 @@ ${envVars.join("\n")}
 `;
 }
 /**
-* Generate PostgreSQL init shell script that creates per-app users with separate schemas
-* Uses environment variables for passwords (more secure than hardcoded values)
+* Generate PostgreSQL init shell script that creates per-app users with separate schemas.
+* Uses idempotent DO blocks so the script can be re-run safely.
 * - api user: uses public schema
 * - auth user: uses auth schema with search_path=auth
+* - pgboss user: uses pgboss schema (when events === 'pgboss')
 */
-function generatePostgresInitScript(apps) {
+function generatePostgresInitScript(apps, eventsBackend) {
 	const userCreations = apps.map((app) => {
 		const userName = app.name.replace(/-/g, "_");
 		const envVar = `${app.name.toUpperCase()}_DB_PASSWORD`;
 		const isApi = app.name === "api";
 		const schemaName = isApi ? "public" : userName;
 		if (isApi) return `
-# Create ${app.name} user (uses public schema)
+# Create ${app.name} user (uses public schema) - idempotent
 echo "Creating user ${userName}..."
 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-    CREATE USER ${userName} WITH PASSWORD '$${envVar}';
+    DO \\$\\$
+    BEGIN
+        IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '${userName}') THEN
+            CREATE USER ${userName} WITH PASSWORD '$${envVar}';
+        ELSE
+            ALTER USER ${userName} WITH PASSWORD '$${envVar}';
+        END IF;
+    END
+    \\$\\$;
     GRANT ALL ON SCHEMA public TO ${userName};
     ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO ${userName};
     ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO ${userName};
 EOSQL
 `;
 		return `
-# Create ${app.name} user with dedicated schema
+# Create ${app.name} user with dedicated schema - idempotent
 echo "Creating user ${userName} with schema ${schemaName}..."
 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
-    CREATE USER ${userName} WITH PASSWORD '$${envVar}';
-    CREATE SCHEMA ${schemaName} AUTHORIZATION ${userName};
+    DO \\$\\$
+    BEGIN
+        IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '${userName}') THEN
+            CREATE USER ${userName} WITH PASSWORD '$${envVar}';
+        ELSE
+            ALTER USER ${userName} WITH PASSWORD '$${envVar}';
+        END IF;
+    END
+    \\$\\$;
+    CREATE SCHEMA IF NOT EXISTS ${schemaName} AUTHORIZATION ${userName};
     ALTER USER ${userName} SET search_path TO ${schemaName};
     GRANT USAGE ON SCHEMA ${schemaName} TO ${userName};
     GRANT ALL ON ALL TABLES IN SCHEMA ${schemaName} TO ${userName};
@@ -7315,14 +7463,46 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-E
 EOSQL
 `;
 	});
+	let pgbossBlock = "";
+	if (eventsBackend === "pgboss") pgbossBlock = `
+# Create pgboss user with dedicated schema - idempotent
+echo "Creating pgboss user and schema..."
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+    DO \\$\\$
+    BEGIN
+        IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'pgboss') THEN
+            CREATE USER pgboss WITH PASSWORD '$PGBOSS_DB_PASSWORD';
+        ELSE
+            ALTER USER pgboss WITH PASSWORD '$PGBOSS_DB_PASSWORD';
+        END IF;
+    END
+    \\$\\$;
+    CREATE SCHEMA IF NOT EXISTS pgboss AUTHORIZATION pgboss;
+    ALTER USER pgboss SET search_path TO pgboss;
+    GRANT USAGE ON SCHEMA pgboss TO pgboss;
+    GRANT ALL ON ALL TABLES IN SCHEMA pgboss TO pgboss;
+    GRANT ALL ON ALL SEQUENCES IN SCHEMA pgboss TO pgboss;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA pgboss GRANT ALL ON TABLES TO pgboss;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA pgboss GRANT ALL ON SEQUENCES TO pgboss;
+EOSQL
+`;
+	const extensions = `
+# Create extensions
+echo "Creating extensions..."
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+    CREATE EXTENSION IF NOT EXISTS pg_trgm;
+    CREATE EXTENSION IF NOT EXISTS citext;
+EOSQL
+`;
 	return `#!/bin/bash
 set -e
 
-# Auto-generated PostgreSQL init script
+# Auto-generated PostgreSQL init script (idempotent - safe to re-run)
 # Creates per-app users with separate schemas in a single database
 # - api: uses public schema
-# - auth: uses auth schema (search_path=auth)
-${userCreations.join("\n")}
+# - auth: uses auth schema (search_path=auth)${eventsBackend === "pgboss" ? "\n# - pgboss: uses pgboss schema for event processing" : ""}
+${extensions}
+${userCreations.join("\n")}${pgbossBlock}
 echo "Database initialization complete!"
 `;
 }
@@ -8814,6 +8994,31 @@ const servicesChoices = [
 	}
 ];
 /**
+* Event backend choices for prompts
+*/
+const eventsBackendChoices = [
+	{
+		title: "pg-boss",
+		value: "pgboss",
+		description: "PostgreSQL-based job queue (reuses postgres, no extra container)"
+	},
+	{
+		title: "SNS/SQS",
+		value: "sns",
+		description: "AWS SNS+SQS via LocalStack for local dev"
+	},
+	{
+		title: "RabbitMQ",
+		value: "rabbitmq",
+		description: "AMQP message broker"
+	},
+	{
+		title: "None",
+		value: void 0,
+		description: "Skip event backend"
+	}
+];
+/**
 * Get a template by name
 */
 function getTemplate(name$1) {
@@ -10921,6 +11126,13 @@ async function initCommand(projectName, options = {}) {
 			})),
 			hint: "- Space to select. Return to submit"
 		},
+		{
+			type: options.yes ? null : "select",
+			name: "eventsBackend",
+			message: "Event backend:",
+			choices: eventsBackendChoices,
+			initial: 0
+		},
 		{
 			type: options.yes ? null : "select",
 			name: "packageManager",
@@ -10983,12 +11195,15 @@ async function initCommand(projectName, options = {}) {
 		"mail",
 		"storage"
 	] : answers.services || [];
+	const eventsBackend = options.yes ? isFullstack ? "pgboss" : void 0 : answers.eventsBackend;
 	const services = {
 		db: servicesArray.includes("db"),
 		cache: servicesArray.includes("cache"),
 		mail: servicesArray.includes("mail"),
-		storage: servicesArray.includes("storage")
+		storage: servicesArray.includes("storage"),
+		events: eventsBackend
 	};
+	if (services.events === "pgboss") services.db = true;
 	const pkgManager = options.pm ? options.pm : options.yes ? "pnpm" : answers.packageManager ?? detectedPkgManager;
 	const deployTarget = options.yes ? "dokploy" : answers.deployTarget ?? "dokploy";
 	const database = services.db;
@@ -11071,7 +11286,12 @@ async function initCommand(projectName, options = {}) {
 	if (services.cache) secretServices.push("redis");
 	if (services.storage) secretServices.push("minio");
 	if (services.mail) secretServices.push("mailpit");
-	const devSecrets = createStageSecrets("development", secretServices, { projectName: name$1 });
+	if (services.events === "sns") secretServices.push("localstack");
+	if (services.events === "rabbitmq") secretServices.push("rabbitmq");
+	const devSecrets = createStageSecrets("development", secretServices, {
+		projectName: name$1,
+		eventsBackend: services.events
+	});
 	const customSecrets = {
 		NODE_ENV: "development",
 		PORT: "3000",
@@ -11511,10 +11731,55 @@ function reconcileSecrets(secrets, workspace) {
 				[name$1]: creds
 			}
 		};
-		result.urls = generateConnectionUrls(result.services);
+		result.urls = generateConnectionUrls(result.services, result.eventsBackend);
 		logger$1.log(`   🔄 Adding missing service credentials: ${name$1}`);
 		changed = true;
 	}
+	const eventsBackend = workspace.services.events;
+	if (eventsBackend && result.eventsBackend !== eventsBackend) {
+		result.eventsBackend = eventsBackend;
+		if (eventsBackend === "pgboss" && !result.services.pgboss) {
+			result = {
+				...result,
+				services: {
+					...result.services,
+					pgboss: {
+						host: result.services.postgres?.host ?? "localhost",
+						port: result.services.postgres?.port ?? 5432,
+						username: "pgboss",
+						password: generateSecurePassword(),
+						database: result.services.postgres?.database ?? "app"
+					}
+				}
+			};
+			logger$1.log("   🔄 Adding missing service credentials: pgboss");
+			changed = true;
+		}
+		if (eventsBackend === "sns" && !result.services.localstack) {
+			result = {
+				...result,
+				services: {
+					...result.services,
+					localstack: generateLocalStackCredentials()
+				}
+			};
+			logger$1.log("   🔄 Adding missing service credentials: localstack");
+			changed = true;
+		}
+		if (eventsBackend === "rabbitmq" && !result.services.rabbitmq) {
+			result = {
+				...result,
+				services: {
+					...result.services,
+					rabbitmq: generateServiceCredentials("rabbitmq")
+				}
+			};
+			logger$1.log("   🔄 Adding missing service credentials: rabbitmq");
+			changed = true;
+		}
+		result.urls = generateConnectionUrls(result.services, eventsBackend);
+		changed = true;
+	}
 	const isMultiApp = Object.keys(workspace.apps).length > 1;
 	if (isMultiApp) {
 		const expected = generateFullstackCustomSecrets(workspace);
@@ -11547,7 +11812,12 @@ async function generateFreshSecrets(stage, workspace, options) {
 	if (workspace.services.cache) serviceNames.push("redis");
 	if (workspace.services.storage) serviceNames.push("minio");
 	if (workspace.services.mail) serviceNames.push("mailpit");
-	const secrets = createStageSecrets(stage, serviceNames, { projectName: workspace.name });
+	if (workspace.services.events === "sns") serviceNames.push("localstack");
+	if (workspace.services.events === "rabbitmq") serviceNames.push("rabbitmq");
+	const secrets = createStageSecrets(stage, serviceNames, {
+		projectName: workspace.name,
+		eventsBackend: workspace.services.events
+	});
 	const isMultiApp = Object.keys(workspace.apps).length > 1;
 	if (isMultiApp) {
 		const customSecrets = generateFullstackCustomSecrets(workspace);
@@ -12097,9 +12367,9 @@ program.command("secrets:push").description("Push secrets to remote provider (SS
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await import("./config.mjs");
-		const { pushSecrets: pushSecrets$1 } = await import("./sync-BkalF65h.mjs");
-		const { reconcileMissingSecrets } = await import("./reconcile-DxTEausy.mjs");
-		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await import("./storage-CauTheT9.mjs");
+		const { pushSecrets: pushSecrets$1 } = await import("./sync-COnAugP-.mjs");
+		const { reconcileMissingSecrets } = await import("./reconcile-BLh6rswz.mjs");
+		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await import("./storage-Cs4WBsc4.mjs");
 		const { workspace } = await loadWorkspaceConfig$1();
 		const secrets = await readStageSecrets$1(options.stage, workspace.root);
 		if (secrets) {
@@ -12122,9 +12392,9 @@ program.command("secrets:pull").description("Pull secrets from remote provider (
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await import("./config.mjs");
-		const { pullSecrets: pullSecrets$1 } = await import("./sync-BkalF65h.mjs");
-		const { writeStageSecrets: writeStageSecrets$1 } = await import("./storage-CauTheT9.mjs");
-		const { reconcileMissingSecrets } = await import("./reconcile-DxTEausy.mjs");
+		const { pullSecrets: pullSecrets$1 } = await import("./sync-COnAugP-.mjs");
+		const { writeStageSecrets: writeStageSecrets$1 } = await import("./storage-Cs4WBsc4.mjs");
+		const { reconcileMissingSecrets } = await import("./reconcile-BLh6rswz.mjs");
 		const { workspace } = await loadWorkspaceConfig$1();
 		let secrets = await pullSecrets$1(options.stage, workspace);
 		if (!secrets) {
@@ -12149,8 +12419,8 @@ program.command("secrets:reconcile").description("Backfill missing custom secret
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await import("./config.mjs");
-		const { reconcileMissingSecrets } = await import("./reconcile-DxTEausy.mjs");
-		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await import("./storage-CauTheT9.mjs");
+		const { reconcileMissingSecrets } = await import("./reconcile-BLh6rswz.mjs");
+		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await import("./storage-Cs4WBsc4.mjs");
 		const { workspace } = await loadWorkspaceConfig$1();
 		const secrets = await readStageSecrets$1(options.stage, workspace.root);
 		if (!secrets) {