npm - @geekmidas/cli - Versions diffs - 1.10.16 → 1.10.18 - Mend

@geekmidas/cli 1.10.16 → 1.10.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

package/CHANGELOG.md +12 -0
package/dist/{bundler-B4AackW5.mjs → bundler-C5xkxnyr.mjs} +2 -2
package/dist/{bundler-B4AackW5.mjs.map → bundler-C5xkxnyr.mjs.map} +1 -1
package/dist/{bundler-BhhfkI9T.cjs → bundler-i-az1DZ2.cjs} +2 -2
package/dist/{bundler-BhhfkI9T.cjs.map → bundler-i-az1DZ2.cjs.map} +1 -1
package/dist/index.cjs +699 -712
package/dist/index.cjs.map +1 -1
package/dist/index.mjs +686 -699
package/dist/index.mjs.map +1 -1
package/dist/{openapi-BYxAWwok.cjs → openapi-CsCNpSf8.cjs} +1 -1
package/dist/{openapi-BYxAWwok.cjs.map → openapi-CsCNpSf8.cjs.map} +1 -1
package/dist/{openapi-DenF-okj.mjs → openapi-kvwpKbNe.mjs} +1 -1
package/dist/{openapi-DenF-okj.mjs.map → openapi-kvwpKbNe.mjs.map} +1 -1
package/dist/openapi.cjs +1 -1
package/dist/openapi.mjs +1 -1
package/dist/{storage-DOEtT2Hr.cjs → storage-ChVQI_G7.cjs} +1 -1
package/dist/{storage-dbb9RyBl.mjs → storage-CpMNB77O.mjs} +1 -1
package/dist/{storage-dbb9RyBl.mjs.map → storage-CpMNB77O.mjs.map} +1 -1
package/dist/{storage-B1wvztiJ.cjs → storage-DLEb8Dkd.cjs} +1 -1
package/dist/{storage-B1wvztiJ.cjs.map → storage-DLEb8Dkd.cjs.map} +1 -1
package/dist/{storage-Cs4WBsc4.mjs → storage-mwbL7PhP.mjs} +1 -1
package/dist/{sync-DGXXSk2v.cjs → sync-BWD_I5Ai.cjs} +2 -2
package/dist/{sync-DGXXSk2v.cjs.map → sync-BWD_I5Ai.cjs.map} +1 -1
package/dist/sync-ByaRPBxh.cjs +4 -0
package/dist/{sync-COnAugP-.mjs → sync-CYBVB64f.mjs} +1 -1
package/dist/{sync-D_NowTkZ.mjs → sync-lExOTa9t.mjs} +2 -2
package/dist/{sync-D_NowTkZ.mjs.map → sync-lExOTa9t.mjs.map} +1 -1
package/package.json +3 -3
package/src/credentials/__tests__/fullDockerPorts.spec.ts +144 -0
package/src/credentials/__tests__/helpers.ts +112 -0
package/src/credentials/__tests__/prepareEntryCredentials.spec.ts +125 -0
package/src/credentials/__tests__/readonlyDockerPorts.spec.ts +190 -0
package/src/credentials/__tests__/workspaceCredentials.spec.ts +209 -0
package/src/credentials/index.ts +826 -0
package/src/dev/__tests__/index.spec.ts +68 -0
package/src/dev/index.ts +44 -821
package/src/exec/index.ts +120 -0
package/src/init/versions.ts +1 -1
package/src/setup/index.ts +4 -1
package/src/test/index.ts +32 -109
package/dist/sync-D1Pa30oV.cjs +0 -4

package/dist/index.cjs CHANGED Viewed

@@ -3,14 +3,14 @@ const require_chunk = require('./chunk-CUT6urMc.cjs');
 const require_workspace = require('./workspace-4SP3Gx4Y.cjs');
 const require_config = require('./config-D3ORuiUs.cjs');
 const require_credentials = require('./credentials-C8DWtnMY.cjs');
-const require_openapi = require('./openapi-BYxAWwok.cjs');
-const require_storage = require('./storage-B1wvztiJ.cjs');
+const require_storage = require('./storage-DLEb8Dkd.cjs');
+const require_openapi = require('./openapi-CsCNpSf8.cjs');
 const require_dokploy_api = require('./dokploy-api-DLgvEQlr.cjs');
 const require_encryption = require('./encryption-BE0UOb8j.cjs');
 const require_CachedStateProvider = require('./CachedStateProvider-D73dCqfH.cjs');
 const require_fullstack_secrets = require('./fullstack-secrets-DOHBU4Rp.cjs');
 const require_openapi_react_query = require('./openapi-react-query-DYbBq-WJ.cjs');
-const require_sync = require('./sync-DGXXSk2v.cjs');
+const require_sync = require('./sync-BWD_I5Ai.cjs');
 const node_fs = require_chunk.__toESM(require("node:fs"));
 const node_path = require_chunk.__toESM(require("node:path"));
 const commander = require_chunk.__toESM(require("commander"));
@@ -18,15 +18,15 @@ const node_process = require_chunk.__toESM(require("node:process"));
 const node_readline_promises = require_chunk.__toESM(require("node:readline/promises"));
 const node_fs_promises = require_chunk.__toESM(require("node:fs/promises"));
 const node_child_process = require_chunk.__toESM(require("node:child_process"));
-const node_net = require_chunk.__toESM(require("node:net"));
 const chokidar = require_chunk.__toESM(require("chokidar"));
-const dotenv = require_chunk.__toESM(require("dotenv"));
 const fast_glob = require_chunk.__toESM(require("fast-glob"));
+const node_net = require_chunk.__toESM(require("node:net"));
+const dotenv = require_chunk.__toESM(require("dotenv"));
 const yaml = require_chunk.__toESM(require("yaml"));
+const node_crypto = require_chunk.__toESM(require("node:crypto"));
 const __geekmidas_constructs_crons = require_chunk.__toESM(require("@geekmidas/constructs/crons"));
 const __geekmidas_constructs_functions = require_chunk.__toESM(require("@geekmidas/constructs/functions"));
 const __geekmidas_constructs_subscribers = require_chunk.__toESM(require("@geekmidas/constructs/subscribers"));
-const node_crypto = require_chunk.__toESM(require("node:crypto"));
 const pg = require_chunk.__toESM(require("pg"));
 const node_dns_promises = require_chunk.__toESM(require("node:dns/promises"));
 const node_module = require_chunk.__toESM(require("node:module"));
@@ -35,7 +35,7 @@ const prompts = require_chunk.__toESM(require("prompts"));
 //#region package.json
 var name = "@geekmidas/cli";
-var version = "1.10.15";
+var version = "1.10.17";
 var description = "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs";
 var private$1 = false;
 var type = "module";
@@ -133,7 +133,7 @@ var package_default = {
 //#endregion
 //#region src/auth/index.ts
-const logger$12 = console;
+const logger$14 = console;
 /**
 * Validate Dokploy token by making a test API call
 */
@@ -152,7 +152,7 @@ async function prompt$1(message, hidden = false) {
 	if (!process.stdin.isTTY) throw new Error("Interactive input required. Please provide --token option.");
 	if (hidden) {
 		process.stdout.write(message);
-		return new Promise((resolve$3, reject) => {
+		return new Promise((resolve$4, reject) => {
 			let value = "";
 			const cleanup = () => {
 				process.stdin.setRawMode(false);
@@ -169,7 +169,7 @@ async function prompt$1(message, hidden = false) {
 				if (c === "\n" || c === "\r") {
 					cleanup();
 					process.stdout.write("\n");
-					resolve$3(value);
+					resolve$4(value);
 				} else if (c === "") {
 					cleanup();
 					process.stdout.write("\n");
@@ -201,36 +201,36 @@ async function prompt$1(message, hidden = false) {
 async function loginCommand(options) {
 	const { service, token: providedToken, endpoint: providedEndpoint } = options;
 	if (service === "dokploy") {
-		logger$12.log("\n🔐 Logging in to Dokploy...\n");
+		logger$14.log("\n🔐 Logging in to Dokploy...\n");
 		let endpoint = providedEndpoint;
 		if (!endpoint) endpoint = await prompt$1("Dokploy URL (e.g., https://dokploy.example.com): ");
 		endpoint = endpoint.replace(/\/$/, "");
 		try {
 			new URL(endpoint);
 		} catch {
-			logger$12.error("Invalid URL format");
+			logger$14.error("Invalid URL format");
 			process.exit(1);
 		}
 		let token = providedToken;
 		if (!token) {
-			logger$12.log(`\nGenerate a token at: ${endpoint}/settings/profile\n`);
+			logger$14.log(`\nGenerate a token at: ${endpoint}/settings/profile\n`);
 			token = await prompt$1("API Token: ", true);
 		}
 		if (!token) {
-			logger$12.error("Token is required");
+			logger$14.error("Token is required");
 			process.exit(1);
 		}
-		logger$12.log("\nValidating credentials...");
+		logger$14.log("\nValidating credentials...");
 		const isValid = await validateDokployToken(endpoint, token);
 		if (!isValid) {
-			logger$12.error("\n✗ Invalid credentials. Please check your token and try again.");
+			logger$14.error("\n✗ Invalid credentials. Please check your token and try again.");
 			process.exit(1);
 		}
 		await require_credentials.storeDokployCredentials(token, endpoint);
-		logger$12.log("\n✓ Successfully logged in to Dokploy!");
-		logger$12.log(`  Endpoint: ${endpoint}`);
-		logger$12.log(`  Credentials stored in: ${require_credentials.getCredentialsPath()}`);
-		logger$12.log("\nYou can now use deploy commands without setting DOKPLOY_API_TOKEN.");
+		logger$14.log("\n✓ Successfully logged in to Dokploy!");
+		logger$14.log(`  Endpoint: ${endpoint}`);
+		logger$14.log(`  Credentials stored in: ${require_credentials.getCredentialsPath()}`);
+		logger$14.log("\nYou can now use deploy commands without setting DOKPLOY_API_TOKEN.");
 	}
 }
 /**
@@ -240,28 +240,28 @@ async function logoutCommand(options) {
 	const { service = "dokploy" } = options;
 	if (service === "all") {
 		const dokployRemoved = await require_credentials.removeDokployCredentials();
-		if (dokployRemoved) logger$12.log("\n✓ Logged out from all services");
-		else logger$12.log("\nNo stored credentials found");
+		if (dokployRemoved) logger$14.log("\n✓ Logged out from all services");
+		else logger$14.log("\nNo stored credentials found");
 		return;
 	}
 	if (service === "dokploy") {
 		const removed = await require_credentials.removeDokployCredentials();
-		if (removed) logger$12.log("\n✓ Logged out from Dokploy");
-		else logger$12.log("\nNo Dokploy credentials found");
+		if (removed) logger$14.log("\n✓ Logged out from Dokploy");
+		else logger$14.log("\nNo Dokploy credentials found");
 	}
 }
 /**
 * Show current login status
 */
 async function whoamiCommand() {
-	logger$12.log("\n📋 Current credentials:\n");
+	logger$14.log("\n📋 Current credentials:\n");
 	const dokploy = await require_credentials.getDokployCredentials();
 	if (dokploy) {
-		logger$12.log("  Dokploy:");
-		logger$12.log(`    Endpoint: ${dokploy.endpoint}`);
-		logger$12.log(`    Token: ${maskToken(dokploy.token)}`);
-	} else logger$12.log("  Dokploy: Not logged in");
-	logger$12.log(`\n  Credentials file: ${require_credentials.getCredentialsPath()}`);
+		logger$14.log("  Dokploy:");
+		logger$14.log(`    Endpoint: ${dokploy.endpoint}`);
+		logger$14.log(`    Token: ${maskToken(dokploy.token)}`);
+	} else logger$14.log("  Dokploy: Not logged in");
+	logger$14.log(`\n  Credentials file: ${require_credentials.getCredentialsPath()}`);
 }
 /**
 * Mask a token for display
@@ -343,134 +343,589 @@ function isEnabled(config) {
 }
 //#endregion
-//#region src/generators/CronGenerator.ts
-var CronGenerator = class extends require_openapi.ConstructGenerator {
-	async build(context, constructs, outputDir, options) {
-		const provider = options?.provider || "aws-lambda";
-		const logger$13 = console;
-		const cronInfos = [];
-		if (constructs.length === 0 || provider !== "aws-lambda") return cronInfos;
-		const cronsDir = (0, node_path.join)(outputDir, "crons");
-		await (0, node_fs_promises.mkdir)(cronsDir, { recursive: true });
-		for (const { key, construct, path } of constructs) {
-			const handlerFile = await this.generateCronHandler(cronsDir, path.relative, key, context);
-			cronInfos.push({
-				name: key,
-				handler: (0, node_path.relative)(process.cwd(), handlerFile).replace(/\.ts$/, ".handler"),
-				schedule: construct.schedule || "rate(1 hour)",
-				timeout: construct.timeout,
-				memorySize: construct.memorySize,
-				environment: await construct.getEnvironment()
+//#region src/credentials/index.ts
+const logger$13 = console;
+/**
+* Load environment files
+* @internal Exported for testing
+*/
+function loadEnvFiles(envConfig, cwd = process.cwd()) {
+	const loaded = [];
+	const missing = [];
+	const envFiles = envConfig ? Array.isArray(envConfig) ? envConfig : [envConfig] : [".env"];
+	for (const envFile of envFiles) {
+		const envPath = (0, node_path.resolve)(cwd, envFile);
+		if ((0, node_fs.existsSync)(envPath)) {
+			(0, dotenv.config)({
+				path: envPath,
+				override: true,
+				quiet: true
 			});
-			logger$13.log(`Generated cron handler: ${key}`);
-		}
-		return cronInfos;
-	}
-	isConstruct(value) {
-		return __geekmidas_constructs_crons.Cron.isCron(value);
-	}
-	async generateCronHandler(outputDir, sourceFile, exportName, context) {
-		const handlerFileName = `${exportName}.ts`;
-		const handlerPath = (0, node_path.join)(outputDir, handlerFileName);
-		const relativePath = (0, node_path.relative)((0, node_path.dirname)(handlerPath), sourceFile);
-		const importPath = relativePath.replace(/\.ts$/, ".js");
-		const relativeEnvParserPath = (0, node_path.relative)((0, node_path.dirname)(handlerPath), context.envParserPath);
-		const relativeLoggerPath = (0, node_path.relative)((0, node_path.dirname)(handlerPath), context.loggerPath);
-		const content = `import { AWSScheduledFunction } from '@geekmidas/constructs/crons';
-import { ${exportName} } from '${importPath}';
-import ${context.envParserImportPattern} from '${relativeEnvParserPath}';
-import ${context.loggerImportPattern} from '${relativeLoggerPath}';
-const adapter = new AWSScheduledFunction(envParser, ${exportName});
-export const handler = adapter.handler;
-`;
-		await (0, node_fs_promises.writeFile)(handlerPath, content);
-		return handlerPath;
+			loaded.push(envFile);
+		} else if (envConfig) missing.push(envFile);
 	}
-};
-//#endregion
-//#region src/generators/FunctionGenerator.ts
-var FunctionGenerator = class extends require_openapi.ConstructGenerator {
-	isConstruct(value) {
-		return __geekmidas_constructs_functions.Function.isFunction(value);
+	return {
+		loaded,
+		missing
+	};
+}
+/**
+* Check if a port is available
+* @internal Exported for testing
+*/
+async function isPortAvailable(port) {
+	return new Promise((resolve$4) => {
+		const server = (0, node_net.createServer)();
+		server.once("error", (err) => {
+			if (err.code === "EADDRINUSE") resolve$4(false);
+			else resolve$4(false);
+		});
+		server.once("listening", () => {
+			server.close();
+			resolve$4(true);
+		});
+		server.listen(port);
+	});
+}
+/**
+* Find an available port starting from the preferred port
+* @internal Exported for testing
+*/
+async function findAvailablePort(preferredPort, maxAttempts = 10) {
+	for (let i = 0; i < maxAttempts; i++) {
+		const port = preferredPort + i;
+		if (await isPortAvailable(port)) return port;
+		logger$13.log(`⚠️  Port ${port} is in use, trying ${port + 1}...`);
 	}
-	async build(context, constructs, outputDir, options) {
-		const provider = options?.provider || "aws-lambda";
-		const logger$13 = console;
-		const functionInfos = [];
-		if (constructs.length === 0 || provider !== "aws-lambda") return functionInfos;
-		const functionsDir = (0, node_path.join)(outputDir, "functions");
-		await (0, node_fs_promises.mkdir)(functionsDir, { recursive: true });
-		for (const { key, construct, path } of constructs) {
-			const handlerFile = await this.generateFunctionHandler(functionsDir, path.relative, key, context);
-			functionInfos.push({
-				name: key,
-				handler: (0, node_path.relative)(process.cwd(), handlerFile).replace(/\.ts$/, ".handler"),
-				timeout: construct.timeout,
-				memorySize: construct.memorySize,
-				environment: await construct.getEnvironment()
-			});
-			logger$13.log(`Generated function handler: ${key}`);
-		}
-		return functionInfos;
+	throw new Error(`Could not find an available port after trying ${maxAttempts} ports starting from ${preferredPort}`);
+}
+const PORT_STATE_PATH = ".gkm/ports.json";
+/**
+* Parse docker-compose.yml and extract all port mappings that use env var interpolation.
+* Entries like `'${POSTGRES_HOST_PORT:-5432}:5432'` are captured.
+* Fixed port mappings like `'5050:80'` are skipped.
+* @internal Exported for testing
+*/
+function parseComposePortMappings(composePath) {
+	if (!(0, node_fs.existsSync)(composePath)) return [];
+	const content = (0, node_fs.readFileSync)(composePath, "utf-8");
+	const compose = (0, yaml.parse)(content);
+	if (!compose?.services) return [];
+	const results = [];
+	for (const [serviceName, serviceConfig] of Object.entries(compose.services)) for (const portMapping of serviceConfig?.ports ?? []) {
+		const match = String(portMapping).match(/\$\{(\w+):-(\d+)\}:(\d+)/);
+		if (match?.[1] && match[2] && match[3]) results.push({
+			service: serviceName,
+			envVar: match[1],
+			defaultPort: Number(match[2]),
+			containerPort: Number(match[3])
+		});
 	}
-	async generateFunctionHandler(outputDir, sourceFile, exportName, context) {
-		const handlerFileName = `${exportName}.ts`;
-		const handlerPath = (0, node_path.join)(outputDir, handlerFileName);
-		const relativePath = (0, node_path.relative)((0, node_path.dirname)(handlerPath), sourceFile);
-		const importPath = relativePath.replace(/\.ts$/, ".js");
-		const relativeEnvParserPath = (0, node_path.relative)((0, node_path.dirname)(handlerPath), context.envParserPath);
-		const relativeLoggerPath = (0, node_path.relative)((0, node_path.dirname)(handlerPath), context.loggerPath);
-		const content = `import { AWSLambdaFunction } from '@geekmidas/constructs/aws';
-import { ${exportName} } from '${importPath}';
-import ${context.envParserImportPattern} from '${relativeEnvParserPath}';
-import ${context.loggerImportPattern} from '${relativeLoggerPath}';
-const adapter = new AWSLambdaFunction(envParser, ${exportName});
-export const handler = adapter.handler;
-`;
-		await (0, node_fs_promises.writeFile)(handlerPath, content);
-		return handlerPath;
+	return results;
+}
+/**
+* Load saved port state from .gkm/ports.json.
+* @internal Exported for testing
+*/
+async function loadPortState(workspaceRoot) {
+	try {
+		const raw = await (0, node_fs_promises.readFile)((0, node_path.join)(workspaceRoot, PORT_STATE_PATH), "utf-8");
+		return JSON.parse(raw);
+	} catch {
+		return {};
 	}
-};
-//#endregion
-//#region src/generators/SubscriberGenerator.ts
-var SubscriberGenerator = class extends require_openapi.ConstructGenerator {
-	isConstruct(value) {
-		return __geekmidas_constructs_subscribers.Subscriber.isSubscriber(value);
+}
+/**
+* Save port state to .gkm/ports.json.
+* @internal Exported for testing
+*/
+async function savePortState(workspaceRoot, ports) {
+	const dir = (0, node_path.join)(workspaceRoot, ".gkm");
+	await (0, node_fs_promises.mkdir)(dir, { recursive: true });
+	await (0, node_fs_promises.writeFile)((0, node_path.join)(workspaceRoot, PORT_STATE_PATH), `${JSON.stringify(ports, null, 2)}\n`);
+}
+/**
+* Check if a project's own Docker container is running and return its host port.
+* Uses `docker compose port` scoped to the project's compose file.
+* @internal Exported for testing
+*/
+function getContainerHostPort(workspaceRoot, service, containerPort) {
+	try {
+		const result = (0, node_child_process.execSync)(`docker compose port ${service} ${containerPort}`, {
+			cwd: workspaceRoot,
+			stdio: "pipe"
+		}).toString().trim();
+		const match = result.match(/:(\d+)$/);
+		return match ? Number(match[1]) : null;
+	} catch {
+		return null;
 	}
-	async build(context, constructs, outputDir, options) {
-		const provider = options?.provider || "aws-lambda";
-		const logger$13 = console;
-		const subscriberInfos = [];
-		if (provider === "server") {
-			await this.generateServerSubscribersFile(outputDir, constructs);
-			logger$13.log(`Generated server subscribers file with ${constructs.length} subscribers (polling mode)`);
-			return subscriberInfos;
+}
+/**
+* Resolve host ports for Docker services by parsing docker-compose.yml.
+* Priority: running container → saved state → find available port.
+* Persists resolved ports to .gkm/ports.json.
+* @internal Exported for testing
+*/
+async function resolveServicePorts(workspaceRoot) {
+	const composePath = (0, node_path.join)(workspaceRoot, "docker-compose.yml");
+	const mappings = parseComposePortMappings(composePath);
+	if (mappings.length === 0) return {
+		dockerEnv: {},
+		ports: {},
+		mappings: []
+	};
+	const savedState = await loadPortState(workspaceRoot);
+	const dockerEnv = {};
+	const ports = {};
+	const assignedPorts = /* @__PURE__ */ new Set();
+	logger$13.log("\n🔌 Resolving service ports...");
+	for (const mapping of mappings) {
+		const containerPort = getContainerHostPort(workspaceRoot, mapping.service, mapping.containerPort);
+		if (containerPort !== null) {
+			ports[mapping.envVar] = containerPort;
+			dockerEnv[mapping.envVar] = String(containerPort);
+			assignedPorts.add(containerPort);
+			logger$13.log(`   🔄 ${mapping.service}:${mapping.containerPort}: reusing existing container on port ${containerPort}`);
+			continue;
 		}
-		if (constructs.length === 0) return subscriberInfos;
-		if (provider !== "aws-lambda") return subscriberInfos;
-		const subscribersDir = (0, node_path.join)(outputDir, "subscribers");
-		await (0, node_fs_promises.mkdir)(subscribersDir, { recursive: true });
-		for (const { key, construct, path } of constructs) {
-			const handlerFile = await this.generateSubscriberHandler(subscribersDir, path.relative, key, construct, context);
-			subscriberInfos.push({
-				name: key,
-				handler: (0, node_path.relative)(process.cwd(), handlerFile).replace(/\.ts$/, ".handler"),
-				subscribedEvents: construct.subscribedEvents || [],
-				timeout: construct.timeout,
-				memorySize: construct.memorySize,
-				environment: await construct.getEnvironment()
-			});
-			logger$13.log(`Generated subscriber handler: ${key}`);
+		const savedPort = savedState[mapping.envVar];
+		if (savedPort && !assignedPorts.has(savedPort) && await isPortAvailable(savedPort)) {
+			ports[mapping.envVar] = savedPort;
+			dockerEnv[mapping.envVar] = String(savedPort);
+			assignedPorts.add(savedPort);
+			logger$13.log(`   💾 ${mapping.service}:${mapping.containerPort}: using saved port ${savedPort}`);
+			continue;
 		}
-		return subscriberInfos;
-	}
-	async generateSubscriberHandler(outputDir, sourceFile, exportName, _subscriber, context) {
+		let resolvedPort = await findAvailablePort(mapping.defaultPort);
+		while (assignedPorts.has(resolvedPort)) resolvedPort = await findAvailablePort(resolvedPort + 1);
+		ports[mapping.envVar] = resolvedPort;
+		dockerEnv[mapping.envVar] = String(resolvedPort);
+		assignedPorts.add(resolvedPort);
+		if (resolvedPort !== mapping.defaultPort) logger$13.log(`   ⚡ ${mapping.service}:${mapping.containerPort}: port ${mapping.defaultPort} occupied, using port ${resolvedPort}`);
+		else logger$13.log(`   ✅ ${mapping.service}:${mapping.containerPort}: using default port ${resolvedPort}`);
+	}
+	await savePortState(workspaceRoot, ports);
+	return {
+		dockerEnv,
+		ports,
+		mappings
+	};
+}
+/**
+* Replace a port in a URL string.
+* Handles both `hostname:port` and `localhost:port` patterns.
+* @internal Exported for testing
+*/
+function replacePortInUrl(url, oldPort, newPort) {
+	if (oldPort === newPort) return url;
+	let result = url.replace(new RegExp(`:${oldPort}(?=[/?#]|$)`, "g"), `:${newPort}`);
+	result = result.replace(new RegExp(`%3A${oldPort}(?=[%/?#&]|$)`, "gi"), `%3A${newPort}`);
+	return result;
+}
+/**
+* Rewrite connection URLs and port vars in secrets with resolved ports.
+* Uses the parsed compose mappings to determine which default ports to replace.
+* Pure transform — does not modify secrets on disk.
+* @internal Exported for testing
+*/
+function rewriteUrlsWithPorts(secrets, resolvedPorts) {
+	const { ports, mappings } = resolvedPorts;
+	const result = { ...secrets };
+	const portReplacements = [];
+	const serviceNames = /* @__PURE__ */ new Set();
+	for (const mapping of mappings) {
+		serviceNames.add(mapping.service);
+		const resolved = ports[mapping.envVar];
+		if (resolved !== void 0) portReplacements.push({
+			defaultPort: mapping.defaultPort,
+			resolvedPort: resolved
+		});
+	}
+	for (const [key, value] of Object.entries(result)) {
+		if (!key.endsWith("_HOST")) continue;
+		if (serviceNames.has(value)) result[key] = "localhost";
+	}
+	for (const [key, value] of Object.entries(result)) {
+		if (!key.endsWith("_PORT")) continue;
+		for (const { defaultPort, resolvedPort } of portReplacements) if (value === String(defaultPort)) result[key] = String(resolvedPort);
+	}
+	for (const [key, value] of Object.entries(result)) {
+		if (!key.endsWith("_URL") && !key.endsWith("_ENDPOINT") && !key.endsWith("_CONNECTION_STRING") && key !== "DATABASE_URL") continue;
+		let rewritten = value;
+		for (const name$1 of serviceNames) rewritten = rewritten.replace(new RegExp(`@${name$1}:`, "g"), "@localhost:");
+		for (const { defaultPort, resolvedPort } of portReplacements) rewritten = replacePortInUrl(rewritten, defaultPort, resolvedPort);
+		result[key] = rewritten;
+	}
+	return result;
+}
+/**
+* Build the environment variables to pass to `docker compose up`.
+* Merges process.env, secrets, and port mappings so that Docker Compose
+* can interpolate variables like ${POSTGRES_USER} correctly.
+* @internal Exported for testing
+*/
+function buildDockerComposeEnv(secretsEnv, portEnv) {
+	return {
+		...process.env,
+		...secretsEnv,
+		...portEnv
+	};
+}
+/**
+* Parse all service names from a docker-compose.yml file.
+* @internal Exported for testing
+*/
+function parseComposeServiceNames(composePath) {
+	if (!(0, node_fs.existsSync)(composePath)) return [];
+	const content = (0, node_fs.readFileSync)(composePath, "utf-8");
+	const compose = (0, yaml.parse)(content);
+	return Object.keys(compose?.services ?? {});
+}
+/**
+* Start docker-compose services for a single-app project (no workspace config).
+* Starts all services defined in docker-compose.yml.
+*/
+async function startComposeServices(cwd, portEnv, secretsEnv) {
+	const composeFile = (0, node_path.join)(cwd, "docker-compose.yml");
+	if (!(0, node_fs.existsSync)(composeFile)) return;
+	const servicesToStart = parseComposeServiceNames(composeFile);
+	if (servicesToStart.length === 0) return;
+	logger$13.log(`🐳 Starting services: ${servicesToStart.join(", ")}`);
+	try {
+		(0, node_child_process.execSync)(`docker compose up -d ${servicesToStart.join(" ")}`, {
+			cwd,
+			stdio: "inherit",
+			env: buildDockerComposeEnv(secretsEnv, portEnv)
+		});
+		logger$13.log("✅ Services started");
+	} catch (error) {
+		logger$13.error("❌ Failed to start services:", error.message);
+		throw error;
+	}
+}
+/**
+* Start docker-compose services for a workspace.
+* Discovers all services from docker-compose.yml and starts everything
+* except app services (which are managed by turbo).
+* @internal Exported for testing
+*/
+async function startWorkspaceServices(workspace, portEnv, secretsEnv) {
+	const composeFile = (0, node_path.join)(workspace.root, "docker-compose.yml");
+	if (!(0, node_fs.existsSync)(composeFile)) return;
+	const allServices = parseComposeServiceNames(composeFile);
+	const appNames = new Set(Object.keys(workspace.apps));
+	const servicesToStart = allServices.filter((name$1) => !appNames.has(name$1));
+	if (servicesToStart.length === 0) return;
+	logger$13.log(`🐳 Starting services: ${servicesToStart.join(", ")}`);
+	try {
+		(0, node_child_process.execSync)(`docker compose up -d ${servicesToStart.join(" ")}`, {
+			cwd: workspace.root,
+			stdio: "inherit",
+			env: buildDockerComposeEnv(secretsEnv, portEnv)
+		});
+		logger$13.log("✅ Services started");
+	} catch (error) {
+		logger$13.error("❌ Failed to start services:", error.message);
+		throw error;
+	}
+}
+/**
+* Load and flatten secrets for an app from encrypted storage.
+* For workspace app: maps {APP}_DATABASE_URL → DATABASE_URL.
+* @internal Exported for testing
+*/
+async function loadSecretsForApp(secretsRoot, appName, stages = ["dev", "development"]) {
+	let secrets = {};
+	for (const stage of stages) if (require_storage.secretsExist(stage, secretsRoot)) {
+		const stageSecrets = await require_storage.readStageSecrets(stage, secretsRoot);
+		if (stageSecrets) {
+			logger$13.log(`🔐 Loading secrets from stage: ${stage}`);
+			secrets = require_storage.toEmbeddableSecrets(stageSecrets);
+			break;
+		}
+	}
+	if (Object.keys(secrets).length === 0) return {};
+	if (!appName) return secrets;
+	const prefix = appName.toUpperCase();
+	const mapped = { ...secrets };
+	const appDbUrl = secrets[`${prefix}_DATABASE_URL`];
+	if (appDbUrl) mapped.DATABASE_URL = appDbUrl;
+	return mapped;
+}
+/**
+* Walk up the directory tree to find the root containing .gkm/secrets/.
+* @internal Exported for testing
+*/
+function findSecretsRoot(startDir) {
+	let dir = startDir;
+	while (dir !== "/") {
+		if ((0, node_fs.existsSync)((0, node_path.join)(dir, ".gkm", "secrets"))) return dir;
+		const parent = (0, node_path.dirname)(dir);
+		if (parent === dir) break;
+		dir = parent;
+	}
+	return startDir;
+}
+/**
+* Generate the credentials injection code snippet.
+* This is the common logic used by both entry wrapper and exec preload.
+* @internal
+*/
+function generateCredentialsInjection(secretsJsonPath) {
+	return `import { existsSync, readFileSync } from 'node:fs';
+// Inject dev secrets via globalThis and process.env
+// Using globalThis.__gkm_credentials__ avoids CJS/ESM interop issues where
+// Object.assign on the Credentials export only mutates one module copy.
+const secretsPath = '${secretsJsonPath}';
+if (existsSync(secretsPath)) {
+  const secrets = JSON.parse(readFileSync(secretsPath, 'utf-8'));
+  globalThis.__gkm_credentials__ = secrets;
+  Object.assign(process.env, secrets);
+}
+`;
+}
+/**
+* Create a preload script that injects secrets into Credentials.
+* Used by `gkm exec` to inject secrets before running any command.
+* @internal Exported for testing
+*/
+async function createCredentialsPreload(preloadPath, secretsJsonPath) {
+	const content = `/**
+ * Credentials preload generated by 'gkm exec'
+ * This file is loaded via NODE_OPTIONS="--import <path>"
+ */
+${generateCredentialsInjection(secretsJsonPath)}`;
+	await (0, node_fs_promises.writeFile)(preloadPath, content);
+}
+/**
+* Create a wrapper script that injects secrets before importing the entry file.
+* @internal Exported for testing
+*/
+async function createEntryWrapper(wrapperPath, entryPath, secretsJsonPath) {
+	const credentialsInjection = secretsJsonPath ? `${generateCredentialsInjection(secretsJsonPath)}
+` : "";
+	const content = `#!/usr/bin/env node
+/**
+ * Entry wrapper generated by 'gkm dev --entry'
+ */
+${credentialsInjection}// Import and run the user's entry file (dynamic import ensures secrets load first)
+await import('${entryPath}');
+`;
+	await (0, node_fs_promises.writeFile)(wrapperPath, content);
+}
+/**
+* Prepare credentials for dev/exec/test modes.
+* Loads workspace config, secrets, resolves Docker ports, rewrites URLs,
+* injects PORT, dependency URLs, and writes credentials JSON.
+*
+* @param options.resolveDockerPorts - How to resolve Docker ports:
+*   - `'full'` (default): probe running containers, saved state, then find available ports. Used by dev/test.
+*   - `'readonly'`: check running containers and saved state only, never probe for new ports. Used by exec.
+* @param options.stages - Secret stages to try, in order. Default: ['dev', 'development'].
+* @param options.startDocker - Start Docker Compose services after port resolution. Default: false.
+* @param options.secretsFileName - Custom secrets JSON filename. Default: 'dev-secrets-{appName}.json' or 'dev-secrets.json'.
+* @internal Exported for testing
+*/
+async function prepareEntryCredentials(options) {
+	const cwd = options.cwd ?? process.cwd();
+	const portMode = options.resolveDockerPorts ?? "full";
+	let workspaceAppPort;
+	let secretsRoot = cwd;
+	let appName;
+	let appInfo;
+	try {
+		appInfo = await require_config.loadWorkspaceAppInfo(cwd);
+		workspaceAppPort = appInfo.app.port;
+		secretsRoot = appInfo.workspaceRoot;
+		appName = appInfo.appName;
+	} catch (error) {
+		logger$13.log(`⚠️  Could not load workspace config: ${error.message}`);
+		secretsRoot = findSecretsRoot(cwd);
+		appName = require_config.getAppNameFromCwd(cwd) ?? void 0;
+	}
+	const resolvedPort = options.explicitPort ?? workspaceAppPort ?? 3e3;
+	const credentials = await loadSecretsForApp(secretsRoot, appName, options.stages);
+	credentials.PORT = String(resolvedPort);
+	const composePath = (0, node_path.join)(secretsRoot, "docker-compose.yml");
+	const mappings = parseComposePortMappings(composePath);
+	if (mappings.length > 0) {
+		let resolvedPorts;
+		if (portMode === "full") resolvedPorts = await resolveServicePorts(secretsRoot);
+		else {
+			const savedPorts = await loadPortState(secretsRoot);
+			const ports = {};
+			for (const mapping of mappings) {
+				const containerPort = getContainerHostPort(secretsRoot, mapping.service, mapping.containerPort);
+				if (containerPort !== null) ports[mapping.envVar] = containerPort;
+				else {
+					const saved = savedPorts[mapping.envVar];
+					if (saved !== void 0) ports[mapping.envVar] = saved;
+				}
+			}
+			resolvedPorts = {
+				dockerEnv: {},
+				ports,
+				mappings
+			};
+		}
+		if (options.startDocker) if (appInfo) await startWorkspaceServices(appInfo.workspace, resolvedPorts.dockerEnv, credentials);
+		else await startComposeServices(secretsRoot, resolvedPorts.dockerEnv, credentials);
+		if (Object.keys(resolvedPorts.ports).length > 0) {
+			const rewritten = rewriteUrlsWithPorts(credentials, resolvedPorts);
+			Object.assign(credentials, rewritten);
+			logger$13.log(`🔌 Applied ${Object.keys(resolvedPorts.ports).length} port mapping(s)`);
+		}
+	}
+	if (appInfo?.appName) {
+		const depEnv = require_workspace.getDependencyEnvVars(appInfo.workspace, appInfo.appName);
+		Object.assign(credentials, depEnv);
+	}
+	const secretsDir = (0, node_path.join)(secretsRoot, ".gkm");
+	await (0, node_fs_promises.mkdir)(secretsDir, { recursive: true });
+	const secretsFileName = options.secretsFileName ?? (appName ? `dev-secrets-${appName}.json` : "dev-secrets.json");
+	const secretsJsonPath = (0, node_path.join)(secretsDir, secretsFileName);
+	await (0, node_fs_promises.writeFile)(secretsJsonPath, JSON.stringify(credentials, null, 2));
+	return {
+		credentials,
+		resolvedPort,
+		secretsJsonPath,
+		appName,
+		secretsRoot,
+		appInfo
+	};
+}
+//#endregion
+//#region src/generators/CronGenerator.ts
+var CronGenerator = class extends require_openapi.ConstructGenerator {
+	async build(context, constructs, outputDir, options) {
+		const provider = options?.provider || "aws-lambda";
+		const logger$15 = console;
+		const cronInfos = [];
+		if (constructs.length === 0 || provider !== "aws-lambda") return cronInfos;
+		const cronsDir = (0, node_path.join)(outputDir, "crons");
+		await (0, node_fs_promises.mkdir)(cronsDir, { recursive: true });
+		for (const { key, construct, path } of constructs) {
+			const handlerFile = await this.generateCronHandler(cronsDir, path.relative, key, context);
+			cronInfos.push({
+				name: key,
+				handler: (0, node_path.relative)(process.cwd(), handlerFile).replace(/\.ts$/, ".handler"),
+				schedule: construct.schedule || "rate(1 hour)",
+				timeout: construct.timeout,
+				memorySize: construct.memorySize,
+				environment: await construct.getEnvironment()
+			});
+			logger$15.log(`Generated cron handler: ${key}`);
+		}
+		return cronInfos;
+	}
+	isConstruct(value) {
+		return __geekmidas_constructs_crons.Cron.isCron(value);
+	}
+	async generateCronHandler(outputDir, sourceFile, exportName, context) {
+		const handlerFileName = `${exportName}.ts`;
+		const handlerPath = (0, node_path.join)(outputDir, handlerFileName);
+		const relativePath = (0, node_path.relative)((0, node_path.dirname)(handlerPath), sourceFile);
+		const importPath = relativePath.replace(/\.ts$/, ".js");
+		const relativeEnvParserPath = (0, node_path.relative)((0, node_path.dirname)(handlerPath), context.envParserPath);
+		const relativeLoggerPath = (0, node_path.relative)((0, node_path.dirname)(handlerPath), context.loggerPath);
+		const content = `import { AWSScheduledFunction } from '@geekmidas/constructs/crons';
+import { ${exportName} } from '${importPath}';
+import ${context.envParserImportPattern} from '${relativeEnvParserPath}';
+import ${context.loggerImportPattern} from '${relativeLoggerPath}';
+const adapter = new AWSScheduledFunction(envParser, ${exportName});
+export const handler = adapter.handler;
+`;
+		await (0, node_fs_promises.writeFile)(handlerPath, content);
+		return handlerPath;
+	}
+};
+//#endregion
+//#region src/generators/FunctionGenerator.ts
+var FunctionGenerator = class extends require_openapi.ConstructGenerator {
+	isConstruct(value) {
+		return __geekmidas_constructs_functions.Function.isFunction(value);
+	}
+	async build(context, constructs, outputDir, options) {
+		const provider = options?.provider || "aws-lambda";
+		const logger$15 = console;
+		const functionInfos = [];
+		if (constructs.length === 0 || provider !== "aws-lambda") return functionInfos;
+		const functionsDir = (0, node_path.join)(outputDir, "functions");
+		await (0, node_fs_promises.mkdir)(functionsDir, { recursive: true });
+		for (const { key, construct, path } of constructs) {
+			const handlerFile = await this.generateFunctionHandler(functionsDir, path.relative, key, context);
+			functionInfos.push({
+				name: key,
+				handler: (0, node_path.relative)(process.cwd(), handlerFile).replace(/\.ts$/, ".handler"),
+				timeout: construct.timeout,
+				memorySize: construct.memorySize,
+				environment: await construct.getEnvironment()
+			});
+			logger$15.log(`Generated function handler: ${key}`);
+		}
+		return functionInfos;
+	}
+	async generateFunctionHandler(outputDir, sourceFile, exportName, context) {
+		const handlerFileName = `${exportName}.ts`;
+		const handlerPath = (0, node_path.join)(outputDir, handlerFileName);
+		const relativePath = (0, node_path.relative)((0, node_path.dirname)(handlerPath), sourceFile);
+		const importPath = relativePath.replace(/\.ts$/, ".js");
+		const relativeEnvParserPath = (0, node_path.relative)((0, node_path.dirname)(handlerPath), context.envParserPath);
+		const relativeLoggerPath = (0, node_path.relative)((0, node_path.dirname)(handlerPath), context.loggerPath);
+		const content = `import { AWSLambdaFunction } from '@geekmidas/constructs/aws';
+import { ${exportName} } from '${importPath}';
+import ${context.envParserImportPattern} from '${relativeEnvParserPath}';
+import ${context.loggerImportPattern} from '${relativeLoggerPath}';
+const adapter = new AWSLambdaFunction(envParser, ${exportName});
+export const handler = adapter.handler;
+`;
+		await (0, node_fs_promises.writeFile)(handlerPath, content);
+		return handlerPath;
+	}
+};
+//#endregion
+//#region src/generators/SubscriberGenerator.ts
+var SubscriberGenerator = class extends require_openapi.ConstructGenerator {
+	isConstruct(value) {
+		return __geekmidas_constructs_subscribers.Subscriber.isSubscriber(value);
+	}
+	async build(context, constructs, outputDir, options) {
+		const provider = options?.provider || "aws-lambda";
+		const logger$15 = console;
+		const subscriberInfos = [];
+		if (provider === "server") {
+			await this.generateServerSubscribersFile(outputDir, constructs);
+			logger$15.log(`Generated server subscribers file with ${constructs.length} subscribers (polling mode)`);
+			return subscriberInfos;
+		}
+		if (constructs.length === 0) return subscriberInfos;
+		if (provider !== "aws-lambda") return subscriberInfos;
+		const subscribersDir = (0, node_path.join)(outputDir, "subscribers");
+		await (0, node_fs_promises.mkdir)(subscribersDir, { recursive: true });
+		for (const { key, construct, path } of constructs) {
+			const handlerFile = await this.generateSubscriberHandler(subscribersDir, path.relative, key, construct, context);
+			subscriberInfos.push({
+				name: key,
+				handler: (0, node_path.relative)(process.cwd(), handlerFile).replace(/\.ts$/, ".handler"),
+				subscribedEvents: construct.subscribedEvents || [],
+				timeout: construct.timeout,
+				memorySize: construct.memorySize,
+				environment: await construct.getEnvironment()
+			});
+			logger$15.log(`Generated subscriber handler: ${key}`);
+		}
+		return subscriberInfos;
+	}
+	async generateSubscriberHandler(outputDir, sourceFile, exportName, _subscriber, context) {
 		const handlerFileName = `${exportName}.ts`;
 		const handlerPath = (0, node_path.join)(outputDir, handlerFileName);
 		const relativePath = (0, node_path.relative)((0, node_path.dirname)(handlerPath), sourceFile);
@@ -632,220 +1087,69 @@ export async function setupSubscribers(
 };
 //#endregion
-//#region src/dev/index.ts
-const logger$11 = console;
-/**
-* Load environment files
-* @internal Exported for testing
-*/
-function loadEnvFiles(envConfig, cwd = process.cwd()) {
-	const loaded = [];
-	const missing = [];
-	const envFiles = envConfig ? Array.isArray(envConfig) ? envConfig : [envConfig] : [".env"];
-	for (const envFile of envFiles) {
-		const envPath = (0, node_path.resolve)(cwd, envFile);
-		if ((0, node_fs.existsSync)(envPath)) {
-			(0, dotenv.config)({
-				path: envPath,
-				override: true,
-				quiet: true
-			});
-			loaded.push(envFile);
-		} else if (envConfig) missing.push(envFile);
-	}
-	return {
-		loaded,
-		missing
-	};
-}
+//#region src/exec/index.ts
+const logger$12 = console;
 /**
-* Check if a port is available
-* @internal Exported for testing
+* Run a command with secrets injected into Credentials.
+* Uses Node's --import flag to preload a script that populates Credentials
+* before the command loads any modules that depend on them.
+*
+* @example
+* ```bash
+* gkm exec -- npx @better-auth/cli migrate
+* gkm exec -- npx prisma migrate dev
+* ```
 */
-async function isPortAvailable(port) {
-	return new Promise((resolve$3) => {
-		const server = (0, node_net.createServer)();
-		server.once("error", (err) => {
-			if (err.code === "EADDRINUSE") resolve$3(false);
-			else resolve$3(false);
-		});
-		server.once("listening", () => {
-			server.close();
-			resolve$3(true);
-		});
-		server.listen(port);
+async function execCommand(commandArgs, options = {}) {
+	const cwd = options.cwd ?? process.cwd();
+	if (commandArgs.length === 0) throw new Error("No command specified. Usage: gkm exec -- <command>");
+	const defaultEnv = loadEnvFiles(".env");
+	if (defaultEnv.loaded.length > 0) logger$12.log(`📦 Loaded env: ${defaultEnv.loaded.join(", ")}`);
+	const { credentials, secretsJsonPath, appName } = await prepareEntryCredentials({
+		cwd,
+		resolveDockerPorts: "readonly"
 	});
-}
-/**
-* Find an available port starting from the preferred port
-* @internal Exported for testing
-*/
-async function findAvailablePort(preferredPort, maxAttempts = 10) {
-	for (let i = 0; i < maxAttempts; i++) {
-		const port = preferredPort + i;
-		if (await isPortAvailable(port)) return port;
-		logger$11.log(`⚠️  Port ${port} is in use, trying ${port + 1}...`);
-	}
-	throw new Error(`Could not find an available port after trying ${maxAttempts} ports starting from ${preferredPort}`);
-}
-const PORT_STATE_PATH = ".gkm/ports.json";
-/**
-* Parse docker-compose.yml and extract all port mappings that use env var interpolation.
-* Entries like `'${POSTGRES_HOST_PORT:-5432}:5432'` are captured.
-* Fixed port mappings like `'5050:80'` are skipped.
-* @internal Exported for testing
-*/
-function parseComposePortMappings(composePath) {
-	if (!(0, node_fs.existsSync)(composePath)) return [];
-	const content = (0, node_fs.readFileSync)(composePath, "utf-8");
-	const compose = (0, yaml.parse)(content);
-	if (!compose?.services) return [];
-	const results = [];
-	for (const [serviceName, serviceConfig] of Object.entries(compose.services)) for (const portMapping of serviceConfig?.ports ?? []) {
-		const match = String(portMapping).match(/\$\{(\w+):-(\d+)\}:(\d+)/);
-		if (match?.[1] && match[2] && match[3]) results.push({
-			service: serviceName,
-			envVar: match[1],
-			defaultPort: Number(match[2]),
-			containerPort: Number(match[3])
-		});
-	}
-	return results;
-}
-/**
-* Load saved port state from .gkm/ports.json.
-* @internal Exported for testing
-*/
-async function loadPortState(workspaceRoot) {
-	try {
-		const raw = await (0, node_fs_promises.readFile)((0, node_path.join)(workspaceRoot, PORT_STATE_PATH), "utf-8");
-		return JSON.parse(raw);
-	} catch {
-		return {};
-	}
-}
-/**
-* Save port state to .gkm/ports.json.
-* @internal Exported for testing
-*/
-async function savePortState(workspaceRoot, ports) {
-	const dir = (0, node_path.join)(workspaceRoot, ".gkm");
-	await (0, node_fs_promises.mkdir)(dir, { recursive: true });
-	await (0, node_fs_promises.writeFile)((0, node_path.join)(workspaceRoot, PORT_STATE_PATH), `${JSON.stringify(ports, null, 2)}\n`);
-}
-/**
-* Check if a project's own Docker container is running and return its host port.
-* Uses `docker compose port` scoped to the project's compose file.
-* @internal Exported for testing
-*/
-function getContainerHostPort(workspaceRoot, service, containerPort) {
-	try {
-		const result = (0, node_child_process.execSync)(`docker compose port ${service} ${containerPort}`, {
-			cwd: workspaceRoot,
-			stdio: "pipe"
-		}).toString().trim();
-		const match = result.match(/:(\d+)$/);
-		return match ? Number(match[1]) : null;
-	} catch {
-		return null;
-	}
-}
-/**
-* Resolve host ports for Docker services by parsing docker-compose.yml.
-* Priority: running container → saved state → find available port.
-* Persists resolved ports to .gkm/ports.json.
-* @internal Exported for testing
-*/
-async function resolveServicePorts(workspaceRoot) {
-	const composePath = (0, node_path.join)(workspaceRoot, "docker-compose.yml");
-	const mappings = parseComposePortMappings(composePath);
-	if (mappings.length === 0) return {
-		dockerEnv: {},
-		ports: {},
-		mappings: []
-	};
-	const savedState = await loadPortState(workspaceRoot);
-	const dockerEnv = {};
-	const ports = {};
-	const assignedPorts = /* @__PURE__ */ new Set();
-	logger$11.log("\n🔌 Resolving service ports...");
-	for (const mapping of mappings) {
-		const containerPort = getContainerHostPort(workspaceRoot, mapping.service, mapping.containerPort);
-		if (containerPort !== null) {
-			ports[mapping.envVar] = containerPort;
-			dockerEnv[mapping.envVar] = String(containerPort);
-			assignedPorts.add(containerPort);
-			logger$11.log(`   🔄 ${mapping.service}:${mapping.containerPort}: reusing existing container on port ${containerPort}`);
-			continue;
-		}
-		const savedPort = savedState[mapping.envVar];
-		if (savedPort && !assignedPorts.has(savedPort) && await isPortAvailable(savedPort)) {
-			ports[mapping.envVar] = savedPort;
-			dockerEnv[mapping.envVar] = String(savedPort);
-			assignedPorts.add(savedPort);
-			logger$11.log(`   💾 ${mapping.service}:${mapping.containerPort}: using saved port ${savedPort}`);
-			continue;
+	if (appName) logger$12.log(`📦 App: ${appName}`);
+	const secretCount = Object.keys(credentials).filter((k) => k !== "PORT").length;
+	if (secretCount > 0) logger$12.log(`🔐 Loaded ${secretCount} secret(s)`);
+	const preloadDir = (0, node_path.join)(cwd, ".gkm");
+	await (0, node_fs_promises.mkdir)(preloadDir, { recursive: true });
+	const preloadPath = (0, node_path.join)(preloadDir, "credentials-preload.ts");
+	await createCredentialsPreload(preloadPath, secretsJsonPath);
+	const [cmd, ...rawArgs] = commandArgs;
+	if (!cmd) throw new Error("No command specified");
+	const args = rawArgs.map((arg) => arg.replace(/\$PORT\b/g, credentials.PORT ?? "3000"));
+	logger$12.log(`🚀 Running: ${[cmd, ...args].join(" ")}`);
+	const existingNodeOptions = process.env.NODE_OPTIONS ?? "";
+	const tsxImport = "--import=tsx";
+	const preloadImport = `--import=${preloadPath}`;
+	const nodeOptions = [
+		existingNodeOptions,
+		tsxImport,
+		preloadImport
+	].filter(Boolean).join(" ");
+	const child = (0, node_child_process.spawn)(cmd, args, {
+		cwd,
+		stdio: "inherit",
+		env: {
+			...process.env,
+			...credentials,
+			NODE_OPTIONS: nodeOptions
 		}
-		let resolvedPort = await findAvailablePort(mapping.defaultPort);
-		while (assignedPorts.has(resolvedPort)) resolvedPort = await findAvailablePort(resolvedPort + 1);
-		ports[mapping.envVar] = resolvedPort;
-		dockerEnv[mapping.envVar] = String(resolvedPort);
-		assignedPorts.add(resolvedPort);
-		if (resolvedPort !== mapping.defaultPort) logger$11.log(`   ⚡ ${mapping.service}:${mapping.containerPort}: port ${mapping.defaultPort} occupied, using port ${resolvedPort}`);
-		else logger$11.log(`   ✅ ${mapping.service}:${mapping.containerPort}: using default port ${resolvedPort}`);
-	}
-	await savePortState(workspaceRoot, ports);
-	return {
-		dockerEnv,
-		ports,
-		mappings
-	};
-}
-/**
-* Replace a port in a URL string.
-* Handles both `hostname:port` and `localhost:port` patterns.
-* @internal Exported for testing
-*/
-function replacePortInUrl(url, oldPort, newPort) {
-	if (oldPort === newPort) return url;
-	return url.replace(new RegExp(`:${oldPort}(?=/|$)`, "g"), `:${newPort}`);
-}
-/**
-* Rewrite connection URLs and port vars in secrets with resolved ports.
-* Uses the parsed compose mappings to determine which default ports to replace.
-* Pure transform — does not modify secrets on disk.
-* @internal Exported for testing
-*/
-function rewriteUrlsWithPorts(secrets, resolvedPorts) {
-	const { ports, mappings } = resolvedPorts;
-	const result = { ...secrets };
-	const portReplacements = [];
-	const serviceNames = /* @__PURE__ */ new Set();
-	for (const mapping of mappings) {
-		serviceNames.add(mapping.service);
-		const resolved = ports[mapping.envVar];
-		if (resolved !== void 0) portReplacements.push({
-			defaultPort: mapping.defaultPort,
-			resolvedPort: resolved
-		});
-	}
-	for (const [key, value] of Object.entries(result)) {
-		if (!key.endsWith("_HOST")) continue;
-		if (serviceNames.has(value)) result[key] = "localhost";
-	}
-	for (const [key, value] of Object.entries(result)) {
-		if (!key.endsWith("_PORT")) continue;
-		for (const { defaultPort, resolvedPort } of portReplacements) if (value === String(defaultPort)) result[key] = String(resolvedPort);
-	}
-	for (const [key, value] of Object.entries(result)) {
-		if (!key.endsWith("_URL") && !key.endsWith("_ENDPOINT") && key !== "DATABASE_URL") continue;
-		let rewritten = value;
-		for (const name$1 of serviceNames) rewritten = rewritten.replace(new RegExp(`@${name$1}:`, "g"), "@localhost:");
-		for (const { defaultPort, resolvedPort } of portReplacements) rewritten = replacePortInUrl(rewritten, defaultPort, resolvedPort);
-		result[key] = rewritten;
-	}
-	return result;
+	});
+	const exitCode = await new Promise((resolve$4) => {
+		child.on("close", (code) => resolve$4(code ?? 0));
+		child.on("error", (error) => {
+			logger$12.error(`Failed to run command: ${error.message}`);
+			resolve$4(1);
+		});
+	});
+	if (exitCode !== 0) process.exit(exitCode);
 }
+//#endregion
+//#region src/dev/index.ts
+const logger$11 = console;
 /**
 * Normalize telescope configuration
 * @internal Exported for testing
@@ -1202,103 +1506,6 @@ async function loadDevSecrets(workspace) {
 	return {};
 }
 /**
-* Load secrets from a path for dev mode.
-* For single app: returns secrets as-is.
-* For workspace app: maps {APP}_DATABASE_URL → DATABASE_URL.
-* @internal Exported for testing
-*/
-async function loadSecretsForApp(secretsRoot, appName) {
-	const stages = ["dev", "development"];
-	let secrets = {};
-	for (const stage of stages) if (require_storage.secretsExist(stage, secretsRoot)) {
-		const stageSecrets = await require_storage.readStageSecrets(stage, secretsRoot);
-		if (stageSecrets) {
-			logger$11.log(`🔐 Loading secrets from stage: ${stage}`);
-			secrets = require_storage.toEmbeddableSecrets(stageSecrets);
-			break;
-		}
-	}
-	if (Object.keys(secrets).length === 0) return {};
-	if (!appName) return secrets;
-	const prefix = appName.toUpperCase();
-	const mapped = { ...secrets };
-	const appDbUrl = secrets[`${prefix}_DATABASE_URL`];
-	if (appDbUrl) mapped.DATABASE_URL = appDbUrl;
-	return mapped;
-}
-/**
-* Build the environment variables to pass to `docker compose up`.
-* Merges process.env, secrets, and port mappings so that Docker Compose
-* can interpolate variables like ${POSTGRES_USER} correctly.
-* @internal Exported for testing
-*/
-function buildDockerComposeEnv(secretsEnv, portEnv) {
-	return {
-		...process.env,
-		...secretsEnv,
-		...portEnv
-	};
-}
-/**
-* Parse all service names from a docker-compose.yml file.
-* @internal Exported for testing
-*/
-function parseComposeServiceNames(composePath) {
-	if (!(0, node_fs.existsSync)(composePath)) return [];
-	const content = (0, node_fs.readFileSync)(composePath, "utf-8");
-	const compose = (0, yaml.parse)(content);
-	return Object.keys(compose?.services ?? {});
-}
-/**
-* Start docker-compose services for the workspace.
-* Parses the docker-compose.yml to discover all services and starts
-* everything except app services (which are managed by turbo).
-* This ensures manually added services are always started.
-* @internal Exported for testing
-*/
-/**
-* Start docker-compose services for a single-app project (no workspace config).
-* Starts all services defined in docker-compose.yml.
-*/
-async function startComposeServices(cwd, portEnv, secretsEnv) {
-	const composeFile = (0, node_path.join)(cwd, "docker-compose.yml");
-	if (!(0, node_fs.existsSync)(composeFile)) return;
-	const servicesToStart = parseComposeServiceNames(composeFile);
-	if (servicesToStart.length === 0) return;
-	logger$11.log(`🐳 Starting services: ${servicesToStart.join(", ")}`);
-	try {
-		(0, node_child_process.execSync)(`docker compose up -d ${servicesToStart.join(" ")}`, {
-			cwd,
-			stdio: "inherit",
-			env: buildDockerComposeEnv(secretsEnv, portEnv)
-		});
-		logger$11.log("✅ Services started");
-	} catch (error) {
-		logger$11.error("❌ Failed to start services:", error.message);
-		throw error;
-	}
-}
-async function startWorkspaceServices(workspace, portEnv, secretsEnv) {
-	const composeFile = (0, node_path.join)(workspace.root, "docker-compose.yml");
-	if (!(0, node_fs.existsSync)(composeFile)) return;
-	const allServices = parseComposeServiceNames(composeFile);
-	const appNames = new Set(Object.keys(workspace.apps));
-	const servicesToStart = allServices.filter((name$1) => !appNames.has(name$1));
-	if (servicesToStart.length === 0) return;
-	logger$11.log(`🐳 Starting services: ${servicesToStart.join(", ")}`);
-	try {
-		(0, node_child_process.execSync)(`docker compose up -d ${servicesToStart.join(" ")}`, {
-			cwd: workspace.root,
-			stdio: "inherit",
-			env: buildDockerComposeEnv(secretsEnv, portEnv)
-		});
-		logger$11.log("✅ Services started");
-	} catch (error) {
-		logger$11.error("❌ Failed to start services:", error.message);
-		throw error;
-	}
-}
-/**
 * Workspace dev command - orchestrates multi-app development using Turbo.
 *
 * Flow:
@@ -1465,7 +1672,7 @@ async function workspaceDevCommand(workspace, options) {
 	};
 	process.on("SIGINT", shutdown);
 	process.on("SIGTERM", shutdown);
-	return new Promise((resolve$3, reject) => {
+	return new Promise((resolve$4, reject) => {
 		turboProcess.on("error", (error) => {
 			logger$11.error("❌ Turbo error:", error);
 			reject(error);
@@ -1473,7 +1680,7 @@ async function workspaceDevCommand(workspace, options) {
 		turboProcess.on("exit", (code) => {
 			if (openApiWatcher) openApiWatcher.close().catch(() => {});
 			if (code !== null && code !== 0) reject(new Error(`Turbo exited with code ${code}`));
-			else resolve$3();
+			else resolve$4();
 		});
 	});
 }
@@ -1501,105 +1708,6 @@ async function buildServer(config, context, provider, enableOpenApi, appRoot = p
 	]);
 }
 /**
-* Find the directory containing .gkm/secrets/.
-* Walks up from cwd until it finds one, or returns cwd.
-* @internal Exported for testing
-*/
-function findSecretsRoot(startDir) {
-	let dir = startDir;
-	while (dir !== "/") {
-		if ((0, node_fs.existsSync)((0, node_path.join)(dir, ".gkm", "secrets"))) return dir;
-		const parent = (0, node_path.dirname)(dir);
-		if (parent === dir) break;
-		dir = parent;
-	}
-	return startDir;
-}
-/**
-* Generate the credentials injection code snippet.
-* This is the common logic used by both entry wrapper and exec preload.
-* @internal
-*/
-function generateCredentialsInjection(secretsJsonPath) {
-	return `import { existsSync, readFileSync } from 'node:fs';
-// Inject dev secrets via globalThis and process.env
-// Using globalThis.__gkm_credentials__ avoids CJS/ESM interop issues where
-// Object.assign on the Credentials export only mutates one module copy.
-const secretsPath = '${secretsJsonPath}';
-if (existsSync(secretsPath)) {
-  const secrets = JSON.parse(readFileSync(secretsPath, 'utf-8'));
-  globalThis.__gkm_credentials__ = secrets;
-  Object.assign(process.env, secrets);
-}
-`;
-}
-/**
-* Create a preload script that injects secrets into Credentials.
-* Used by `gkm exec` to inject secrets before running any command.
-* @internal Exported for testing
-*/
-async function createCredentialsPreload(preloadPath, secretsJsonPath) {
-	const content = `/**
- * Credentials preload generated by 'gkm exec'
- * This file is loaded via NODE_OPTIONS="--import <path>"
- */
-${generateCredentialsInjection(secretsJsonPath)}`;
-	await (0, node_fs_promises.writeFile)(preloadPath, content);
-}
-/**
-* Create a wrapper script that injects secrets before importing the entry file.
-* @internal Exported for testing
-*/
-async function createEntryWrapper(wrapperPath, entryPath, secretsJsonPath) {
-	const credentialsInjection = secretsJsonPath ? `${generateCredentialsInjection(secretsJsonPath)}
-` : "";
-	const content = `#!/usr/bin/env node
-/**
- * Entry wrapper generated by 'gkm dev --entry'
- */
-${credentialsInjection}// Import and run the user's entry file (dynamic import ensures secrets load first)
-await import('${entryPath}');
-`;
-	await (0, node_fs_promises.writeFile)(wrapperPath, content);
-}
-/**
-* Prepare credentials for entry dev mode.
-* Loads workspace config, secrets, and injects PORT.
-* @internal Exported for testing
-*/
-async function prepareEntryCredentials(options) {
-	const cwd = options.cwd ?? process.cwd();
-	let workspaceAppPort;
-	let secretsRoot = cwd;
-	let appName;
-	try {
-		const appInfo = await require_config.loadWorkspaceAppInfo(cwd);
-		workspaceAppPort = appInfo.app.port;
-		secretsRoot = appInfo.workspaceRoot;
-		appName = appInfo.appName;
-	} catch (error) {
-		logger$11.log(`⚠️  Could not load workspace config: ${error.message}`);
-		secretsRoot = findSecretsRoot(cwd);
-		appName = require_config.getAppNameFromCwd(cwd) ?? void 0;
-	}
-	const resolvedPort = options.explicitPort ?? workspaceAppPort ?? 3e3;
-	const credentials = await loadSecretsForApp(secretsRoot, appName);
-	credentials.PORT = String(resolvedPort);
-	const secretsDir = (0, node_path.join)(secretsRoot, ".gkm");
-	await (0, node_fs_promises.mkdir)(secretsDir, { recursive: true });
-	const secretsFileName = appName ? `dev-secrets-${appName}.json` : "dev-secrets.json";
-	const secretsJsonPath = (0, node_path.join)(secretsDir, secretsFileName);
-	await (0, node_fs_promises.writeFile)(secretsJsonPath, JSON.stringify(credentials, null, 2));
-	return {
-		credentials,
-		resolvedPort,
-		secretsJsonPath,
-		appName,
-		secretsRoot
-	};
-}
-/**
 * Run any TypeScript file with secret injection.
 * Does not require gkm.config.ts.
 */
@@ -1684,12 +1792,12 @@ var EntryRunner = class {
 			if (code !== null && code !== 0 && code !== 143) logger$11.error(`❌ Process exited with code ${code}`);
 			this.isRunning = false;
 		});
-		await new Promise((resolve$3) => setTimeout(resolve$3, 500));
+		await new Promise((resolve$4) => setTimeout(resolve$4, 500));
 		if (this.isRunning) logger$11.log(`\n🎉 Running at http://localhost:${this.port}`);
 	}
 	async restart() {
 		this.stopProcess();
-		await new Promise((resolve$3) => setTimeout(resolve$3, 500));
+		await new Promise((resolve$4) => setTimeout(resolve$4, 500));
 		await this.runProcess();
 	}
 	stop() {
@@ -1822,7 +1930,7 @@ var DevServer = class {
 			if (code !== null && code !== 0 && signal !== "SIGTERM") logger$11.error(`❌ Server exited with code ${code}`);
 			this.isRunning = false;
 		});
-		await new Promise((resolve$3) => setTimeout(resolve$3, 1e3));
+		await new Promise((resolve$4) => setTimeout(resolve$4, 1e3));
 		if (this.isRunning) {
 			logger$11.log(`\n🎉 Server running at http://localhost:${this.actualPort}`);
 			if (this.enableOpenApi) logger$11.log(`📚 API Docs available at http://localhost:${this.actualPort}/__docs`);
@@ -1857,7 +1965,7 @@ var DevServer = class {
 		let attempts = 0;
 		while (attempts < 30) {
 			if (await isPortAvailable(portToReuse)) break;
-			await new Promise((resolve$3) => setTimeout(resolve$3, 100));
+			await new Promise((resolve$4) => setTimeout(resolve$4, 100));
 			attempts++;
 		}
 		this.requestedPort = portToReuse;
@@ -1874,81 +1982,6 @@ var DevServer = class {
 		await fsWriteFile(serverPath, content);
 	}
 };
-/**
-* Run a command with secrets injected into Credentials.
-* Uses Node's --import flag to preload a script that populates Credentials
-* before the command loads any modules that depend on them.
-*
-* @example
-* ```bash
-* gkm exec -- npx @better-auth/cli migrate
-* gkm exec -- npx prisma migrate dev
-* ```
-*/
-async function execCommand(commandArgs, options = {}) {
-	const cwd = options.cwd ?? process.cwd();
-	if (commandArgs.length === 0) throw new Error("No command specified. Usage: gkm exec -- <command>");
-	const defaultEnv = loadEnvFiles(".env");
-	if (defaultEnv.loaded.length > 0) logger$11.log(`📦 Loaded env: ${defaultEnv.loaded.join(", ")}`);
-	const { credentials, secretsJsonPath, appName, secretsRoot } = await prepareEntryCredentials({ cwd });
-	if (appName) logger$11.log(`📦 App: ${appName}`);
-	const secretCount = Object.keys(credentials).filter((k) => k !== "PORT").length;
-	if (secretCount > 0) logger$11.log(`🔐 Loaded ${secretCount} secret(s)`);
-	const composePath = (0, node_path.join)(secretsRoot, "docker-compose.yml");
-	const mappings = parseComposePortMappings(composePath);
-	if (mappings.length > 0) {
-		const ports = await loadPortState(secretsRoot);
-		if (Object.keys(ports).length > 0) {
-			const rewritten = rewriteUrlsWithPorts(credentials, {
-				dockerEnv: {},
-				ports,
-				mappings
-			});
-			Object.assign(credentials, rewritten);
-			logger$11.log(`🔌 Applied ${Object.keys(ports).length} port mapping(s)`);
-		}
-	}
-	try {
-		const appInfo = await require_config.loadWorkspaceAppInfo(cwd);
-		if (appInfo.appName) {
-			const depEnv = require_workspace.getDependencyEnvVars(appInfo.workspace, appInfo.appName);
-			Object.assign(credentials, depEnv);
-		}
-	} catch {}
-	const preloadDir = (0, node_path.join)(cwd, ".gkm");
-	await (0, node_fs_promises.mkdir)(preloadDir, { recursive: true });
-	const preloadPath = (0, node_path.join)(preloadDir, "credentials-preload.ts");
-	await createCredentialsPreload(preloadPath, secretsJsonPath);
-	const [cmd, ...rawArgs] = commandArgs;
-	if (!cmd) throw new Error("No command specified");
-	const args = rawArgs.map((arg) => arg.replace(/\$PORT\b/g, credentials.PORT ?? "3000"));
-	logger$11.log(`🚀 Running: ${[cmd, ...args].join(" ")}`);
-	const existingNodeOptions = process.env.NODE_OPTIONS ?? "";
-	const tsxImport = "--import=tsx";
-	const preloadImport = `--import=${preloadPath}`;
-	const nodeOptions = [
-		existingNodeOptions,
-		tsxImport,
-		preloadImport
-	].filter(Boolean).join(" ");
-	const child = (0, node_child_process.spawn)(cmd, args, {
-		cwd,
-		stdio: "inherit",
-		env: {
-			...process.env,
-			...credentials,
-			NODE_OPTIONS: nodeOptions
-		}
-	});
-	const exitCode = await new Promise((resolve$3) => {
-		child.on("close", (code) => resolve$3(code ?? 0));
-		child.on("error", (error) => {
-			logger$11.error(`Failed to run command: ${error.message}`);
-			resolve$3(1);
-		});
-	});
-	if (exitCode !== 0) process.exit(exitCode);
-}
 //#endregion
 //#region src/build/manifests.ts
@@ -2220,7 +2253,7 @@ async function buildForProvider(provider, context, rootOutputDir, endpointGenera
 		let masterKey;
 		if (context.production?.bundle && !skipBundle) {
 			logger$9.log(`\n📦 Bundling production server...`);
-			const { bundleServer } = await Promise.resolve().then(() => require("./bundler-BhhfkI9T.cjs"));
+			const { bundleServer } = await Promise.resolve().then(() => require("./bundler-i-az1DZ2.cjs"));
 			const allConstructs = [
 				...endpoints.map((e) => e.construct),
 				...functions.map((f) => f.construct),
@@ -2290,7 +2323,7 @@ async function workspaceBuildCommand(workspace, options) {
 	try {
 		const turboCommand = getTurboCommand(pm);
 		logger$9.log(`Running: ${turboCommand}`);
-		await new Promise((resolve$3, reject) => {
+		await new Promise((resolve$4, reject) => {
 			const child = (0, node_child_process.spawn)(turboCommand, {
 				shell: true,
 				cwd: workspace.root,
@@ -2301,7 +2334,7 @@ async function workspaceBuildCommand(workspace, options) {
 				}
 			});
 			child.on("close", (code) => {
-				if (code === 0) resolve$3();
+				if (code === 0) resolve$4();
 				else reject(new Error(`Turbo build failed with exit code ${code}`));
 			});
 			child.on("error", (err) => {
@@ -5444,7 +5477,7 @@ async function prompt(message, hidden = false) {
 	if (!process.stdin.isTTY) throw new Error("Interactive input required. Please configure manually.");
 	if (hidden) {
 		process.stdout.write(message);
-		return new Promise((resolve$3) => {
+		return new Promise((resolve$4) => {
 			let value = "";
 			const onData = (char) => {
 				const c = char.toString();
@@ -5453,7 +5486,7 @@ async function prompt(message, hidden = false) {
 					process.stdin.pause();
 					process.stdin.removeListener("data", onData);
 					process.stdout.write("\n");
-					resolve$3(value);
+					resolve$4(value);
 				} else if (c === "") {
 					process.stdin.setRawMode(false);
 					process.stdin.pause();
@@ -6471,7 +6504,7 @@ async function deployCommand(options) {
 		dokployConfig = setupResult.config;
 		finalRegistry = dokployConfig.registry ?? dockerConfig.registry;
 		if (setupResult.serviceUrls) {
-			const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1, initStageSecrets } = await Promise.resolve().then(() => require("./storage-DOEtT2Hr.cjs"));
+			const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1, initStageSecrets } = await Promise.resolve().then(() => require("./storage-ChVQI_G7.cjs"));
 			let secrets = await readStageSecrets$1(stage);
 			if (!secrets) {
 				logger$3.log(`   Creating secrets file for stage "${stage}"...`);
@@ -6758,7 +6791,7 @@ const GEEKMIDAS_VERSIONS = {
 	"@geekmidas/constructs": "~3.0.2",
 	"@geekmidas/db": "~1.0.0",
 	"@geekmidas/emailkit": "~1.0.0",
-	"@geekmidas/envkit": "~1.0.3",
+	"@geekmidas/envkit": "~1.0.4",
 	"@geekmidas/errors": "~1.0.0",
 	"@geekmidas/events": "~1.1.0",
 	"@geekmidas/logger": "~1.0.0",
@@ -11881,75 +11914,29 @@ async function testCommand(options = {}) {
 	console.log(`\n🧪 Running tests with ${stage} environment...\n`);
 	const defaultEnv = loadEnvFiles(".env");
 	if (defaultEnv.loaded.length > 0) console.log(`  📦 Loaded env: ${defaultEnv.loaded.join(", ")}`);
-	let secretsEnv = {};
-	try {
-		const secrets = await require_storage.readStageSecrets(stage);
-		if (secrets) {
-			secretsEnv = require_storage.toEmbeddableSecrets(secrets);
-			console.log(`  🔐 Loaded ${Object.keys(secretsEnv).length} secrets from ${stage}`);
-		} else console.log(`  No secrets found for ${stage}`);
-	} catch (error) {
-		if (error instanceof Error && error.message.includes("key not found")) console.log(`  Decryption key not found for ${stage}`);
-		else throw error;
-	}
-	let dependencyEnv = {};
-	try {
-		const appInfo = await require_config.loadWorkspaceAppInfo(cwd);
-		const resolvedPorts = await resolveServicePorts(appInfo.workspaceRoot);
-		await startWorkspaceServices(appInfo.workspace, resolvedPorts.dockerEnv, secretsEnv);
-		if (resolvedPorts.mappings.length > 0) {
-			secretsEnv = rewriteUrlsWithPorts(secretsEnv, resolvedPorts);
-			console.log(`  🔌 Applied ${Object.keys(resolvedPorts.ports).length} port mapping(s)`);
-		}
-		dependencyEnv = require_workspace.getDependencyEnvVars(appInfo.workspace, appInfo.appName);
-		if (Object.keys(dependencyEnv).length > 0) console.log(`  🔗 Loaded ${Object.keys(dependencyEnv).length} dependency URL(s)`);
-		const sniffed = await sniffAppEnvironment(appInfo.app, appInfo.appName, appInfo.workspaceRoot, { logWarnings: false });
+	const result = await prepareEntryCredentials({
+		stages: [stage],
+		startDocker: true,
+		secretsFileName: "test-secrets.json",
+		resolveDockerPorts: "full"
+	});
+	let finalCredentials = { ...result.credentials };
+	if (result.appInfo) {
+		const sniffed = await sniffAppEnvironment(result.appInfo.app, result.appInfo.appName, result.appInfo.workspaceRoot, { logWarnings: false });
 		if (sniffed.requiredEnvVars.length > 0) {
 			const needed = new Set(sniffed.requiredEnvVars);
-			const allEnv = {
-				...secretsEnv,
-				...dependencyEnv
-			};
-			const filteredEnv = {};
-			for (const [key, value] of Object.entries(allEnv)) if (needed.has(key)) filteredEnv[key] = value;
-			secretsEnv = {};
-			dependencyEnv = filteredEnv;
+			const filtered = {};
+			for (const [key, value] of Object.entries(finalCredentials)) if (needed.has(key)) filtered[key] = value;
+			finalCredentials = filtered;
 			console.log(`  🔍 Sniffed ${sniffed.requiredEnvVars.length} required env var(s)`);
 		}
-	} catch {
-		const composePath = (0, node_path.join)(cwd, "docker-compose.yml");
-		const mappings = parseComposePortMappings(composePath);
-		if (mappings.length > 0) {
-			const resolvedPorts = await resolveServicePorts(cwd);
-			await startComposeServices(cwd, resolvedPorts.dockerEnv, secretsEnv);
-			if (resolvedPorts.mappings.length > 0) {
-				secretsEnv = rewriteUrlsWithPorts(secretsEnv, resolvedPorts);
-				console.log(`  🔌 Applied ${Object.keys(resolvedPorts.ports).length} port mapping(s)`);
-			} else {
-				const ports = await loadPortState(cwd);
-				if (Object.keys(ports).length > 0) {
-					secretsEnv = rewriteUrlsWithPorts(secretsEnv, {
-						dockerEnv: {},
-						ports,
-						mappings
-					});
-					console.log(`  🔌 Applied ${Object.keys(ports).length} port mapping(s)`);
-				}
-			}
-		}
 	}
-	secretsEnv = rewriteDatabaseUrlForTests(secretsEnv);
+	finalCredentials = rewriteDatabaseUrlForTests(finalCredentials);
 	console.log("");
-	const allSecrets = {
-		...secretsEnv,
-		...dependencyEnv
-	};
+	await (0, node_fs_promises.writeFile)(result.secretsJsonPath, JSON.stringify(finalCredentials, null, 2));
 	const gkmDir = (0, node_path.join)(cwd, ".gkm");
-	await (0, node_fs_promises.mkdir)(gkmDir, { recursive: true });
-	const secretsJsonPath = (0, node_path.join)(gkmDir, "test-secrets.json");
-	await (0, node_fs_promises.writeFile)(secretsJsonPath, JSON.stringify(allSecrets, null, 2));
 	const preloadPath = (0, node_path.join)(gkmDir, "test-credentials-preload.ts");
-	await createCredentialsPreload(preloadPath, secretsJsonPath);
+	await createCredentialsPreload(preloadPath, result.secretsJsonPath);
 	const existingNodeOptions = process.env.NODE_OPTIONS ?? "";
 	const tsxImport = "--import=tsx";
 	const preloadImport = `--import=${preloadPath}`;
@@ -11969,14 +11956,14 @@ async function testCommand(options = {}) {
 		stdio: "inherit",
 		env: {
 			...process.env,
-			...allSecrets,
+			...finalCredentials,
 			NODE_ENV: "test",
 			NODE_OPTIONS: nodeOptions
 		}
 	});
-	return new Promise((resolve$3, reject) => {
+	return new Promise((resolve$4, reject) => {
 		vitestProcess.on("close", (code) => {
-			if (code === 0) resolve$3();
+			if (code === 0) resolve$4();
 			else reject(new Error(`Tests failed with exit code ${code}`));
 		});
 		vitestProcess.on("error", (error) => {
@@ -12373,9 +12360,9 @@ program.command("secrets:push").description("Push secrets to remote provider (SS
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await Promise.resolve().then(() => require("./config.cjs"));
-		const { pushSecrets: pushSecrets$1 } = await Promise.resolve().then(() => require("./sync-D1Pa30oV.cjs"));
+		const { pushSecrets: pushSecrets$1 } = await Promise.resolve().then(() => require("./sync-ByaRPBxh.cjs"));
 		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-Ch7sIcf8.cjs"));
-		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-DOEtT2Hr.cjs"));
+		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-ChVQI_G7.cjs"));
 		const { workspace } = await loadWorkspaceConfig$1();
 		const secrets = await readStageSecrets$1(options.stage, workspace.root);
 		if (secrets) {
@@ -12398,8 +12385,8 @@ program.command("secrets:pull").description("Pull secrets from remote provider (
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await Promise.resolve().then(() => require("./config.cjs"));
-		const { pullSecrets: pullSecrets$1 } = await Promise.resolve().then(() => require("./sync-D1Pa30oV.cjs"));
-		const { writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-DOEtT2Hr.cjs"));
+		const { pullSecrets: pullSecrets$1 } = await Promise.resolve().then(() => require("./sync-ByaRPBxh.cjs"));
+		const { writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-ChVQI_G7.cjs"));
 		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-Ch7sIcf8.cjs"));
 		const { workspace } = await loadWorkspaceConfig$1();
 		let secrets = await pullSecrets$1(options.stage, workspace);
@@ -12426,7 +12413,7 @@ program.command("secrets:reconcile").description("Backfill missing custom secret
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await Promise.resolve().then(() => require("./config.cjs"));
 		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-Ch7sIcf8.cjs"));
-		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-DOEtT2Hr.cjs"));
+		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-ChVQI_G7.cjs"));
 		const { workspace } = await loadWorkspaceConfig$1();
 		const secrets = await readStageSecrets$1(options.stage, workspace.root);
 		if (!secrets) {