@geekmidas/cli 1.10.17 → 1.10.19

package/dist/index.mjs

@@ -3,14 +3,14 @@ import { __require } from "./chunk-Duj1WY3L.mjs";
 import { getAppBuildOrder, getDependencyEnvVars, getDeployTargetError, isDeployTargetSupported } from "./workspace-D4z4A4cq.mjs";
 import { getAppNameFromCwd, loadAppConfig, loadConfig, loadWorkspaceAppInfo, loadWorkspaceConfig, parseModuleConfig } from "./config-jsRYHOHU.mjs";
 import { getCredentialsPath, getDokployCredentials, getDokployRegistryId, getDokployToken, removeDokployCredentials, storeDokployCredentials, storeDokployRegistryId } from "./credentials-s1kLcIzK.mjs";
-import { ConstructGenerator, EndpointGenerator, OPENAPI_OUTPUT_PATH, copyAllClients, copyClientToFrontends, generateOpenApi, getBackendOpenApiPath, isPartitionedRoutes, normalizeRoutes, openapiCommand, resolveOpenApiConfig } from "./openapi-DenF-okj.mjs";
-import { getKeyPath, maskPassword, readStageSecrets, secretsExist, setCustomSecret, toEmbeddableSecrets, writeStageSecrets } from "./storage-dbb9RyBl.mjs";
+import { getKeyPath, maskPassword, readStageSecrets, secretsExist, setCustomSecret, toEmbeddableSecrets, writeStageSecrets } from "./storage-CpMNB77O.mjs";
+import { ConstructGenerator, EndpointGenerator, OPENAPI_OUTPUT_PATH, copyAllClients, copyClientToFrontends, generateOpenApi, getBackendOpenApiPath, isPartitionedRoutes, normalizeRoutes, openapiCommand, resolveOpenApiConfig } from "./openapi-kvwpKbNe.mjs";
 import { DokployApi } from "./dokploy-api-2ldYoN3i.mjs";
 import { encryptSecrets } from "./encryption-BOH5M-f-.mjs";
 import { CachedStateProvider } from "./CachedStateProvider-BDq5WqSy.mjs";
 import { createStageSecrets, generateConnectionUrls, generateDbPassword, generateDbUrl, generateFullstackCustomSecrets, generateLocalStackCredentials, generateSecurePassword, generateServiceCredentials, rotateServicePassword, writeDockerEnvFromSecrets } from "./fullstack-secrets-x2Kffx7-.mjs";
 import { generateReactQueryCommand } from "./openapi-react-query-C4UdILaI.mjs";
-import { isSSMConfigured, pullSecrets, pushSecrets } from "./sync-D_NowTkZ.mjs";
+import { isSSMConfigured, pullSecrets, pushSecrets } from "./sync-lExOTa9t.mjs";
 import { createRequire } from "node:module";
 import { copyFileSync, existsSync, readFileSync, unlinkSync } from "node:fs";
 import { basename, dirname, join, parse, relative, resolve } from "node:path";
@@ -19,15 +19,15 @@ import { stdin, stdout } from "node:process";
 import * as readline from "node:readline/promises";
 import { mkdir, readFile, writeFile } from "node:fs/promises";
 import { execSync, spawn } from "node:child_process";
-import { createServer } from "node:net";
 import chokidar from "chokidar";
-import { config } from "dotenv";
 import fg from "fast-glob";
+import { createServer } from "node:net";
+import { config } from "dotenv";
 import { parse as parse$1 } from "yaml";
+import { randomBytes } from "node:crypto";
 import { Cron } from "@geekmidas/constructs/crons";
 import { Function } from "@geekmidas/constructs/functions";
 import { Subscriber } from "@geekmidas/constructs/subscribers";
-import { randomBytes } from "node:crypto";
 import { Client } from "pg";
 import { lookup } from "node:dns/promises";
 import { fileURLToPath, pathToFileURL } from "node:url";
@@ -35,7 +35,7 @@ import prompts from "prompts";
 
 //#region package.json
 var name = "@geekmidas/cli";
-var version = "1.10.16";
+var version = "1.10.18";
 var description = "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs";
 var private$1 = false;
 var type = "module";
@@ -133,7 +133,7 @@ var package_default = {
 
 //#endregion
 //#region src/auth/index.ts
-const logger$12 = console;
+const logger$14 = console;
 /**
 * Validate Dokploy token by making a test API call
 */
@@ -201,36 +201,36 @@ async function prompt$1(message, hidden = false) {
 async function loginCommand(options) {
 	const { service, token: providedToken, endpoint: providedEndpoint } = options;
 	if (service === "dokploy") {
-		logger$12.log("\n🔐 Logging in to Dokploy...\n");
+		logger$14.log("\n🔐 Logging in to Dokploy...\n");
 		let endpoint = providedEndpoint;
 		if (!endpoint) endpoint = await prompt$1("Dokploy URL (e.g., https://dokploy.example.com): ");
 		endpoint = endpoint.replace(/\/$/, "");
 		try {
 			new URL(endpoint);
 		} catch {
-			logger$12.error("Invalid URL format");
+			logger$14.error("Invalid URL format");
 			process.exit(1);
 		}
 		let token = providedToken;
 		if (!token) {
-			logger$12.log(`\nGenerate a token at: ${endpoint}/settings/profile\n`);
+			logger$14.log(`\nGenerate a token at: ${endpoint}/settings/profile\n`);
 			token = await prompt$1("API Token: ", true);
 		}
 		if (!token) {
-			logger$12.error("Token is required");
+			logger$14.error("Token is required");
 			process.exit(1);
 		}
-		logger$12.log("\nValidating credentials...");
+		logger$14.log("\nValidating credentials...");
 		const isValid = await validateDokployToken(endpoint, token);
 		if (!isValid) {
-			logger$12.error("\n✗ Invalid credentials. Please check your token and try again.");
+			logger$14.error("\n✗ Invalid credentials. Please check your token and try again.");
 			process.exit(1);
 		}
 		await storeDokployCredentials(token, endpoint);
-		logger$12.log("\n✓ Successfully logged in to Dokploy!");
-		logger$12.log(`  Endpoint: ${endpoint}`);
-		logger$12.log(`  Credentials stored in: ${getCredentialsPath()}`);
-		logger$12.log("\nYou can now use deploy commands without setting DOKPLOY_API_TOKEN.");
+		logger$14.log("\n✓ Successfully logged in to Dokploy!");
+		logger$14.log(`  Endpoint: ${endpoint}`);
+		logger$14.log(`  Credentials stored in: ${getCredentialsPath()}`);
+		logger$14.log("\nYou can now use deploy commands without setting DOKPLOY_API_TOKEN.");
 	}
 }
 /**
@@ -240,28 +240,28 @@ async function logoutCommand(options) {
 	const { service = "dokploy" } = options;
 	if (service === "all") {
 		const dokployRemoved = await removeDokployCredentials();
-		if (dokployRemoved) logger$12.log("\n✓ Logged out from all services");
-		else logger$12.log("\nNo stored credentials found");
+		if (dokployRemoved) logger$14.log("\n✓ Logged out from all services");
+		else logger$14.log("\nNo stored credentials found");
 		return;
 	}
 	if (service === "dokploy") {
 		const removed = await removeDokployCredentials();
-		if (removed) logger$12.log("\n✓ Logged out from Dokploy");
-		else logger$12.log("\nNo Dokploy credentials found");
+		if (removed) logger$14.log("\n✓ Logged out from Dokploy");
+		else logger$14.log("\nNo Dokploy credentials found");
 	}
 }
 /**
 * Show current login status
 */
 async function whoamiCommand() {
-	logger$12.log("\n📋 Current credentials:\n");
+	logger$14.log("\n📋 Current credentials:\n");
 	const dokploy = await getDokployCredentials();
 	if (dokploy) {
-		logger$12.log("  Dokploy:");
-		logger$12.log(`    Endpoint: ${dokploy.endpoint}`);
-		logger$12.log(`    Token: ${maskToken(dokploy.token)}`);
-	} else logger$12.log("  Dokploy: Not logged in");
-	logger$12.log(`\n  Credentials file: ${getCredentialsPath()}`);
+		logger$14.log("  Dokploy:");
+		logger$14.log(`    Endpoint: ${dokploy.endpoint}`);
+		logger$14.log(`    Token: ${maskToken(dokploy.token)}`);
+	} else logger$14.log("  Dokploy: Not logged in");
+	logger$14.log(`\n  Credentials file: ${getCredentialsPath()}`);
 }
 /**
 * Mask a token for display
@@ -343,135 +343,590 @@ function isEnabled(config$1) {
 }
 
 //#endregion
-//#region src/generators/CronGenerator.ts
-var CronGenerator = class extends ConstructGenerator {
-	async build(context, constructs, outputDir, options) {
-		const provider = options?.provider || "aws-lambda";
-		const logger$13 = console;
-		const cronInfos = [];
-		if (constructs.length === 0 || provider !== "aws-lambda") return cronInfos;
-		const cronsDir = join(outputDir, "crons");
-		await mkdir(cronsDir, { recursive: true });
-		for (const { key, construct, path } of constructs) {
-			const handlerFile = await this.generateCronHandler(cronsDir, path.relative, key, context);
-			cronInfos.push({
-				name: key,
-				handler: relative(process.cwd(), handlerFile).replace(/\.ts$/, ".handler"),
-				schedule: construct.schedule || "rate(1 hour)",
-				timeout: construct.timeout,
-				memorySize: construct.memorySize,
-				environment: await construct.getEnvironment()
+//#region src/credentials/index.ts
+const logger$13 = console;
+/**
+* Load environment files
+* @internal Exported for testing
+*/
+function loadEnvFiles(envConfig, cwd = process.cwd()) {
+	const loaded = [];
+	const missing = [];
+	const envFiles = envConfig ? Array.isArray(envConfig) ? envConfig : [envConfig] : [".env"];
+	for (const envFile of envFiles) {
+		const envPath = resolve(cwd, envFile);
+		if (existsSync(envPath)) {
+			config({
+				path: envPath,
+				override: true,
+				quiet: true
 			});
-			logger$13.log(`Generated cron handler: ${key}`);
-		}
-		return cronInfos;
-	}
-	isConstruct(value) {
-		return Cron.isCron(value);
-	}
-	async generateCronHandler(outputDir, sourceFile, exportName, context) {
-		const handlerFileName = `${exportName}.ts`;
-		const handlerPath = join(outputDir, handlerFileName);
-		const relativePath = relative(dirname(handlerPath), sourceFile);
-		const importPath = relativePath.replace(/\.ts$/, ".js");
-		const relativeEnvParserPath = relative(dirname(handlerPath), context.envParserPath);
-		const relativeLoggerPath = relative(dirname(handlerPath), context.loggerPath);
-		const content = `import { AWSScheduledFunction } from '@geekmidas/constructs/crons';
-import { ${exportName} } from '${importPath}';
-import ${context.envParserImportPattern} from '${relativeEnvParserPath}';
-import ${context.loggerImportPattern} from '${relativeLoggerPath}';
-
-const adapter = new AWSScheduledFunction(envParser, ${exportName});
-
-export const handler = adapter.handler;
-`;
-		await writeFile(handlerPath, content);
-		return handlerPath;
+			loaded.push(envFile);
+		} else if (envConfig) missing.push(envFile);
 	}
-};
-
-//#endregion
-//#region src/generators/FunctionGenerator.ts
-var FunctionGenerator = class extends ConstructGenerator {
-	isConstruct(value) {
-		return Function.isFunction(value);
+	return {
+		loaded,
+		missing
+	};
+}
+/**
+* Check if a port is available
+* @internal Exported for testing
+*/
+async function isPortAvailable(port) {
+	return new Promise((resolve$1) => {
+		const server = createServer();
+		server.once("error", (err) => {
+			if (err.code === "EADDRINUSE") resolve$1(false);
+			else resolve$1(false);
+		});
+		server.once("listening", () => {
+			server.close();
+			resolve$1(true);
+		});
+		server.listen(port);
+	});
+}
+/**
+* Find an available port starting from the preferred port
+* @internal Exported for testing
+*/
+async function findAvailablePort(preferredPort, maxAttempts = 10) {
+	for (let i = 0; i < maxAttempts; i++) {
+		const port = preferredPort + i;
+		if (await isPortAvailable(port)) return port;
+		logger$13.log(`⚠️  Port ${port} is in use, trying ${port + 1}...`);
 	}
-	async build(context, constructs, outputDir, options) {
-		const provider = options?.provider || "aws-lambda";
-		const logger$13 = console;
-		const functionInfos = [];
-		if (constructs.length === 0 || provider !== "aws-lambda") return functionInfos;
-		const functionsDir = join(outputDir, "functions");
-		await mkdir(functionsDir, { recursive: true });
-		for (const { key, construct, path } of constructs) {
-			const handlerFile = await this.generateFunctionHandler(functionsDir, path.relative, key, context);
-			functionInfos.push({
-				name: key,
-				handler: relative(process.cwd(), handlerFile).replace(/\.ts$/, ".handler"),
-				timeout: construct.timeout,
-				memorySize: construct.memorySize,
-				environment: await construct.getEnvironment()
-			});
-			logger$13.log(`Generated function handler: ${key}`);
-		}
-		return functionInfos;
+	throw new Error(`Could not find an available port after trying ${maxAttempts} ports starting from ${preferredPort}`);
+}
+const PORT_STATE_PATH = ".gkm/ports.json";
+/**
+* Parse docker-compose.yml and extract all port mappings that use env var interpolation.
+* Entries like `'${POSTGRES_HOST_PORT:-5432}:5432'` are captured.
+* Fixed port mappings like `'5050:80'` are skipped.
+* @internal Exported for testing
+*/
+function parseComposePortMappings(composePath) {
+	if (!existsSync(composePath)) return [];
+	const content = readFileSync(composePath, "utf-8");
+	const compose = parse$1(content);
+	if (!compose?.services) return [];
+	const results = [];
+	for (const [serviceName, serviceConfig] of Object.entries(compose.services)) for (const portMapping of serviceConfig?.ports ?? []) {
+		const match = String(portMapping).match(/\$\{(\w+):-(\d+)\}:(\d+)/);
+		if (match?.[1] && match[2] && match[3]) results.push({
+			service: serviceName,
+			envVar: match[1],
+			defaultPort: Number(match[2]),
+			containerPort: Number(match[3])
+		});
 	}
-	async generateFunctionHandler(outputDir, sourceFile, exportName, context) {
-		const handlerFileName = `${exportName}.ts`;
-		const handlerPath = join(outputDir, handlerFileName);
-		const relativePath = relative(dirname(handlerPath), sourceFile);
-		const importPath = relativePath.replace(/\.ts$/, ".js");
-		const relativeEnvParserPath = relative(dirname(handlerPath), context.envParserPath);
-		const relativeLoggerPath = relative(dirname(handlerPath), context.loggerPath);
-		const content = `import { AWSLambdaFunction } from '@geekmidas/constructs/aws';
-import { ${exportName} } from '${importPath}';
-import ${context.envParserImportPattern} from '${relativeEnvParserPath}';
-import ${context.loggerImportPattern} from '${relativeLoggerPath}';
-
-const adapter = new AWSLambdaFunction(envParser, ${exportName});
-
-export const handler = adapter.handler;
-`;
-		await writeFile(handlerPath, content);
-		return handlerPath;
+	return results;
+}
+/**
+* Load saved port state from .gkm/ports.json.
+* @internal Exported for testing
+*/
+async function loadPortState(workspaceRoot) {
+	try {
+		const raw = await readFile(join(workspaceRoot, PORT_STATE_PATH), "utf-8");
+		return JSON.parse(raw);
+	} catch {
+		return {};
 	}
-};
-
-//#endregion
-//#region src/generators/SubscriberGenerator.ts
-var SubscriberGenerator = class extends ConstructGenerator {
-	isConstruct(value) {
-		return Subscriber.isSubscriber(value);
+}
+/**
+* Save port state to .gkm/ports.json.
+* @internal Exported for testing
+*/
+async function savePortState(workspaceRoot, ports) {
+	const dir = join(workspaceRoot, ".gkm");
+	await mkdir(dir, { recursive: true });
+	await writeFile(join(workspaceRoot, PORT_STATE_PATH), `${JSON.stringify(ports, null, 2)}\n`);
+}
+/**
+* Check if a project's own Docker container is running and return its host port.
+* Uses `docker compose port` scoped to the project's compose file.
+* @internal Exported for testing
+*/
+function getContainerHostPort(workspaceRoot, service, containerPort) {
+	try {
+		const result = execSync(`docker compose port ${service} ${containerPort}`, {
+			cwd: workspaceRoot,
+			stdio: "pipe"
+		}).toString().trim();
+		const match = result.match(/:(\d+)$/);
+		return match ? Number(match[1]) : null;
+	} catch {
+		return null;
 	}
-	async build(context, constructs, outputDir, options) {
-		const provider = options?.provider || "aws-lambda";
-		const logger$13 = console;
-		const subscriberInfos = [];
-		if (provider === "server") {
-			await this.generateServerSubscribersFile(outputDir, constructs);
-			logger$13.log(`Generated server subscribers file with ${constructs.length} subscribers (polling mode)`);
-			return subscriberInfos;
-		}
-		if (constructs.length === 0) return subscriberInfos;
-		if (provider !== "aws-lambda") return subscriberInfos;
-		const subscribersDir = join(outputDir, "subscribers");
-		await mkdir(subscribersDir, { recursive: true });
-		for (const { key, construct, path } of constructs) {
-			const handlerFile = await this.generateSubscriberHandler(subscribersDir, path.relative, key, construct, context);
-			subscriberInfos.push({
-				name: key,
-				handler: relative(process.cwd(), handlerFile).replace(/\.ts$/, ".handler"),
-				subscribedEvents: construct.subscribedEvents || [],
-				timeout: construct.timeout,
-				memorySize: construct.memorySize,
-				environment: await construct.getEnvironment()
-			});
-			logger$13.log(`Generated subscriber handler: ${key}`);
+}
+/**
+* Resolve host ports for Docker services by parsing docker-compose.yml.
+* Priority: running container → saved state → find available port.
+* Persists resolved ports to .gkm/ports.json.
+* @internal Exported for testing
+*/
+async function resolveServicePorts(workspaceRoot) {
+	const composePath = join(workspaceRoot, "docker-compose.yml");
+	const mappings = parseComposePortMappings(composePath);
+	if (mappings.length === 0) return {
+		dockerEnv: {},
+		ports: {},
+		mappings: []
+	};
+	const savedState = await loadPortState(workspaceRoot);
+	const dockerEnv = {};
+	const ports = {};
+	const assignedPorts = /* @__PURE__ */ new Set();
+	logger$13.log("\n🔌 Resolving service ports...");
+	for (const mapping of mappings) {
+		const containerPort = getContainerHostPort(workspaceRoot, mapping.service, mapping.containerPort);
+		if (containerPort !== null) {
+			ports[mapping.envVar] = containerPort;
+			dockerEnv[mapping.envVar] = String(containerPort);
+			assignedPorts.add(containerPort);
+			logger$13.log(`   🔄 ${mapping.service}:${mapping.containerPort}: reusing existing container on port ${containerPort}`);
+			continue;
 		}
-		return subscriberInfos;
-	}
-	async generateSubscriberHandler(outputDir, sourceFile, exportName, _subscriber, context) {
-		const handlerFileName = `${exportName}.ts`;
+		const savedPort = savedState[mapping.envVar];
+		if (savedPort && !assignedPorts.has(savedPort) && await isPortAvailable(savedPort)) {
+			ports[mapping.envVar] = savedPort;
+			dockerEnv[mapping.envVar] = String(savedPort);
+			assignedPorts.add(savedPort);
+			logger$13.log(`   💾 ${mapping.service}:${mapping.containerPort}: using saved port ${savedPort}`);
+			continue;
+		}
+		let resolvedPort = await findAvailablePort(mapping.defaultPort);
+		while (assignedPorts.has(resolvedPort)) resolvedPort = await findAvailablePort(resolvedPort + 1);
+		ports[mapping.envVar] = resolvedPort;
+		dockerEnv[mapping.envVar] = String(resolvedPort);
+		assignedPorts.add(resolvedPort);
+		if (resolvedPort !== mapping.defaultPort) logger$13.log(`   ⚡ ${mapping.service}:${mapping.containerPort}: port ${mapping.defaultPort} occupied, using port ${resolvedPort}`);
+		else logger$13.log(`   ✅ ${mapping.service}:${mapping.containerPort}: using default port ${resolvedPort}`);
+	}
+	await savePortState(workspaceRoot, ports);
+	return {
+		dockerEnv,
+		ports,
+		mappings
+	};
+}
+/**
+* Replace a port in a URL string.
+* Handles both `hostname:port` and `localhost:port` patterns.
+* @internal Exported for testing
+*/
+function replacePortInUrl(url, oldPort, newPort) {
+	if (oldPort === newPort) return url;
+	let result = url.replace(new RegExp(`:${oldPort}(?=[/?#]|$)`, "g"), `:${newPort}`);
+	result = result.replace(new RegExp(`%3A${oldPort}(?=[%/?#&]|$)`, "gi"), `%3A${newPort}`);
+	return result;
+}
+/**
+* Rewrite connection URLs and port vars in secrets with resolved ports.
+* Uses the parsed compose mappings to determine which default ports to replace.
+* Pure transform — does not modify secrets on disk.
+* @internal Exported for testing
+*/
+function rewriteUrlsWithPorts(secrets, resolvedPorts) {
+	const { ports, mappings } = resolvedPorts;
+	const result = { ...secrets };
+	const portReplacements = [];
+	const serviceNames = /* @__PURE__ */ new Set();
+	for (const mapping of mappings) {
+		serviceNames.add(mapping.service);
+		const resolved = ports[mapping.envVar];
+		if (resolved !== void 0) portReplacements.push({
+			defaultPort: mapping.defaultPort,
+			resolvedPort: resolved
+		});
+	}
+	for (const [key, value] of Object.entries(result)) {
+		if (!key.endsWith("_HOST")) continue;
+		if (serviceNames.has(value)) result[key] = "localhost";
+	}
+	for (const [key, value] of Object.entries(result)) {
+		if (!key.endsWith("_PORT")) continue;
+		for (const { defaultPort, resolvedPort } of portReplacements) if (value === String(defaultPort)) result[key] = String(resolvedPort);
+	}
+	for (const [key, value] of Object.entries(result)) {
+		if (!key.endsWith("_URL") && !key.endsWith("_ENDPOINT") && !key.endsWith("_CONNECTION_STRING") && key !== "DATABASE_URL") continue;
+		let rewritten = value;
+		for (const name$1 of serviceNames) rewritten = rewritten.replace(new RegExp(`@${name$1}:`, "g"), "@localhost:");
+		for (const { defaultPort, resolvedPort } of portReplacements) rewritten = replacePortInUrl(rewritten, defaultPort, resolvedPort);
+		result[key] = rewritten;
+	}
+	return result;
+}
+/**
+* Build the environment variables to pass to `docker compose up`.
+* Merges process.env, secrets, and port mappings so that Docker Compose
+* can interpolate variables like ${POSTGRES_USER} correctly.
+* @internal Exported for testing
+*/
+function buildDockerComposeEnv(secretsEnv, portEnv) {
+	return {
+		...process.env,
+		...secretsEnv,
+		...portEnv
+	};
+}
+/**
+* Parse all service names from a docker-compose.yml file.
+* @internal Exported for testing
+*/
+function parseComposeServiceNames(composePath) {
+	if (!existsSync(composePath)) return [];
+	const content = readFileSync(composePath, "utf-8");
+	const compose = parse$1(content);
+	return Object.keys(compose?.services ?? {});
+}
+/**
+* Start docker-compose services for a single-app project (no workspace config).
+* Starts all services defined in docker-compose.yml.
+*/
+async function startComposeServices(cwd, portEnv, secretsEnv) {
+	const composeFile = join(cwd, "docker-compose.yml");
+	if (!existsSync(composeFile)) return;
+	const servicesToStart = parseComposeServiceNames(composeFile);
+	if (servicesToStart.length === 0) return;
+	logger$13.log(`🐳 Starting services: ${servicesToStart.join(", ")}`);
+	try {
+		execSync(`docker compose up -d ${servicesToStart.join(" ")}`, {
+			cwd,
+			stdio: "inherit",
+			env: buildDockerComposeEnv(secretsEnv, portEnv)
+		});
+		logger$13.log("✅ Services started");
+	} catch (error) {
+		logger$13.error("❌ Failed to start services:", error.message);
+		throw error;
+	}
+}
+/**
+* Start docker-compose services for a workspace.
+* Discovers all services from docker-compose.yml and starts everything
+* except app services (which are managed by turbo).
+* @internal Exported for testing
+*/
+async function startWorkspaceServices(workspace, portEnv, secretsEnv) {
+	const composeFile = join(workspace.root, "docker-compose.yml");
+	if (!existsSync(composeFile)) return;
+	const allServices = parseComposeServiceNames(composeFile);
+	const appNames = new Set(Object.keys(workspace.apps));
+	const servicesToStart = allServices.filter((name$1) => !appNames.has(name$1));
+	if (servicesToStart.length === 0) return;
+	logger$13.log(`🐳 Starting services: ${servicesToStart.join(", ")}`);
+	try {
+		execSync(`docker compose up -d ${servicesToStart.join(" ")}`, {
+			cwd: workspace.root,
+			stdio: "inherit",
+			env: buildDockerComposeEnv(secretsEnv, portEnv)
+		});
+		logger$13.log("✅ Services started");
+	} catch (error) {
+		logger$13.error("❌ Failed to start services:", error.message);
+		throw error;
+	}
+}
+/**
+* Load and flatten secrets for an app from encrypted storage.
+* For workspace app: maps {APP}_DATABASE_URL → DATABASE_URL.
+* @internal Exported for testing
+*/
+async function loadSecretsForApp(secretsRoot, appName, stages = ["dev", "development"]) {
+	let secrets = {};
+	for (const stage of stages) if (secretsExist(stage, secretsRoot)) {
+		const stageSecrets = await readStageSecrets(stage, secretsRoot);
+		if (stageSecrets) {
+			logger$13.log(`🔐 Loading secrets from stage: ${stage}`);
+			secrets = toEmbeddableSecrets(stageSecrets);
+			break;
+		}
+	}
+	if (Object.keys(secrets).length === 0) return {};
+	if (!appName) return secrets;
+	const prefix = appName.toUpperCase();
+	const mapped = { ...secrets };
+	const appDbUrl = secrets[`${prefix}_DATABASE_URL`];
+	if (appDbUrl) mapped.DATABASE_URL = appDbUrl;
+	return mapped;
+}
+/**
+* Walk up the directory tree to find the root containing .gkm/secrets/.
+* @internal Exported for testing
+*/
+function findSecretsRoot(startDir) {
+	let dir = startDir;
+	while (dir !== "/") {
+		if (existsSync(join(dir, ".gkm", "secrets"))) return dir;
+		const parent = dirname(dir);
+		if (parent === dir) break;
+		dir = parent;
+	}
+	return startDir;
+}
+/**
+* Generate the credentials injection code snippet.
+* This is the common logic used by both entry wrapper and exec preload.
+* @internal
+*/
+function generateCredentialsInjection(secretsJsonPath) {
+	return `import { existsSync, readFileSync } from 'node:fs';
+
+// Inject dev secrets via globalThis and process.env
+// Using globalThis.__gkm_credentials__ avoids CJS/ESM interop issues where
+// Object.assign on the Credentials export only mutates one module copy.
+const secretsPath = '${secretsJsonPath}';
+if (existsSync(secretsPath)) {
+  const secrets = JSON.parse(readFileSync(secretsPath, 'utf-8'));
+  globalThis.__gkm_credentials__ = secrets;
+  Object.assign(process.env, secrets);
+}
+`;
+}
+/**
+* Create a preload script that injects secrets into Credentials.
+* Used by `gkm exec` to inject secrets before running any command.
+* @internal Exported for testing
+*/
+async function createCredentialsPreload(preloadPath, secretsJsonPath) {
+	const content = `/**
+ * Credentials preload generated by 'gkm exec'
+ * This file is loaded via NODE_OPTIONS="--import <path>"
+ */
+${generateCredentialsInjection(secretsJsonPath)}`;
+	await writeFile(preloadPath, content);
+}
+/**
+* Create a wrapper script that injects secrets before importing the entry file.
+* @internal Exported for testing
+*/
+async function createEntryWrapper(wrapperPath, entryPath, secretsJsonPath) {
+	const credentialsInjection = secretsJsonPath ? `${generateCredentialsInjection(secretsJsonPath)}
+` : "";
+	const content = `#!/usr/bin/env node
+/**
+ * Entry wrapper generated by 'gkm dev --entry'
+ */
+${credentialsInjection}// Import and run the user's entry file (dynamic import ensures secrets load first)
+await import('${entryPath}');
+`;
+	await writeFile(wrapperPath, content);
+}
+/**
+* Prepare credentials for dev/exec/test modes.
+* Loads workspace config, secrets, resolves Docker ports, rewrites URLs,
+* injects PORT, dependency URLs, and writes credentials JSON.
+*
+* @param options.resolveDockerPorts - How to resolve Docker ports:
+*   - `'full'` (default): probe running containers, saved state, then find available ports. Used by dev/test.
+*   - `'readonly'`: check running containers and saved state only, never probe for new ports. Used by exec.
+* @param options.stages - Secret stages to try, in order. Default: ['dev', 'development'].
+* @param options.startDocker - Start Docker Compose services after port resolution. Default: false.
+* @param options.secretsFileName - Custom secrets JSON filename. Default: 'dev-secrets-{appName}.json' or 'dev-secrets.json'.
+* @internal Exported for testing
+*/
+async function prepareEntryCredentials(options) {
+	const cwd = options.cwd ?? process.cwd();
+	const portMode = options.resolveDockerPorts ?? "full";
+	let workspaceAppPort;
+	let secretsRoot = cwd;
+	let appName;
+	let appInfo;
+	try {
+		appInfo = await loadWorkspaceAppInfo(cwd);
+		workspaceAppPort = appInfo.app.port;
+		secretsRoot = appInfo.workspaceRoot;
+		appName = appInfo.appName;
+	} catch (error) {
+		logger$13.log(`⚠️  Could not load workspace config: ${error.message}`);
+		secretsRoot = findSecretsRoot(cwd);
+		appName = getAppNameFromCwd(cwd) ?? void 0;
+	}
+	const resolvedPort = options.explicitPort ?? workspaceAppPort ?? 3e3;
+	const credentials = await loadSecretsForApp(secretsRoot, appName, options.stages);
+	credentials.PORT = String(resolvedPort);
+	const composePath = join(secretsRoot, "docker-compose.yml");
+	const mappings = parseComposePortMappings(composePath);
+	if (mappings.length > 0) {
+		let resolvedPorts;
+		if (portMode === "full") resolvedPorts = await resolveServicePorts(secretsRoot);
+		else {
+			const savedPorts = await loadPortState(secretsRoot);
+			const ports = {};
+			for (const mapping of mappings) {
+				const containerPort = getContainerHostPort(secretsRoot, mapping.service, mapping.containerPort);
+				if (containerPort !== null) ports[mapping.envVar] = containerPort;
+				else {
+					const saved = savedPorts[mapping.envVar];
+					if (saved !== void 0) ports[mapping.envVar] = saved;
+				}
+			}
+			resolvedPorts = {
+				dockerEnv: {},
+				ports,
+				mappings
+			};
+		}
+		if (options.startDocker) if (appInfo) await startWorkspaceServices(appInfo.workspace, resolvedPorts.dockerEnv, credentials);
+		else await startComposeServices(secretsRoot, resolvedPorts.dockerEnv, credentials);
+		if (Object.keys(resolvedPorts.ports).length > 0) {
+			const rewritten = rewriteUrlsWithPorts(credentials, resolvedPorts);
+			Object.assign(credentials, rewritten);
+			logger$13.log(`🔌 Applied ${Object.keys(resolvedPorts.ports).length} port mapping(s)`);
+		}
+	}
+	if (appInfo?.appName) {
+		const depEnv = getDependencyEnvVars(appInfo.workspace, appInfo.appName);
+		Object.assign(credentials, depEnv);
+	}
+	const secretsDir = join(secretsRoot, ".gkm");
+	await mkdir(secretsDir, { recursive: true });
+	const secretsFileName = options.secretsFileName ?? (appName ? `dev-secrets-${appName}.json` : "dev-secrets.json");
+	const secretsJsonPath = join(secretsDir, secretsFileName);
+	await writeFile(secretsJsonPath, JSON.stringify(credentials, null, 2));
+	return {
+		credentials,
+		resolvedPort,
+		secretsJsonPath,
+		appName,
+		secretsRoot,
+		appInfo
+	};
+}
+
+//#endregion
+//#region src/generators/CronGenerator.ts
+var CronGenerator = class extends ConstructGenerator {
+	async build(context, constructs, outputDir, options) {
+		const provider = options?.provider || "aws-lambda";
+		const logger$15 = console;
+		const cronInfos = [];
+		if (constructs.length === 0 || provider !== "aws-lambda") return cronInfos;
+		const cronsDir = join(outputDir, "crons");
+		await mkdir(cronsDir, { recursive: true });
+		for (const { key, construct, path } of constructs) {
+			const handlerFile = await this.generateCronHandler(cronsDir, path.relative, key, context);
+			cronInfos.push({
+				name: key,
+				handler: relative(process.cwd(), handlerFile).replace(/\.ts$/, ".handler"),
+				schedule: construct.schedule || "rate(1 hour)",
+				timeout: construct.timeout,
+				memorySize: construct.memorySize,
+				environment: await construct.getEnvironment()
+			});
+			logger$15.log(`Generated cron handler: ${key}`);
+		}
+		return cronInfos;
+	}
+	isConstruct(value) {
+		return Cron.isCron(value);
+	}
+	async generateCronHandler(outputDir, sourceFile, exportName, context) {
+		const handlerFileName = `${exportName}.ts`;
+		const handlerPath = join(outputDir, handlerFileName);
+		const relativePath = relative(dirname(handlerPath), sourceFile);
+		const importPath = relativePath.replace(/\.ts$/, ".js");
+		const relativeEnvParserPath = relative(dirname(handlerPath), context.envParserPath);
+		const relativeLoggerPath = relative(dirname(handlerPath), context.loggerPath);
+		const content = `import { AWSScheduledFunction } from '@geekmidas/constructs/crons';
+import { ${exportName} } from '${importPath}';
+import ${context.envParserImportPattern} from '${relativeEnvParserPath}';
+import ${context.loggerImportPattern} from '${relativeLoggerPath}';
+
+const adapter = new AWSScheduledFunction(envParser, ${exportName});
+
+export const handler = adapter.handler;
+`;
+		await writeFile(handlerPath, content);
+		return handlerPath;
+	}
+};
+
+//#endregion
+//#region src/generators/FunctionGenerator.ts
+var FunctionGenerator = class extends ConstructGenerator {
+	isConstruct(value) {
+		return Function.isFunction(value);
+	}
+	async build(context, constructs, outputDir, options) {
+		const provider = options?.provider || "aws-lambda";
+		const logger$15 = console;
+		const functionInfos = [];
+		if (constructs.length === 0 || provider !== "aws-lambda") return functionInfos;
+		const functionsDir = join(outputDir, "functions");
+		await mkdir(functionsDir, { recursive: true });
+		for (const { key, construct, path } of constructs) {
+			const handlerFile = await this.generateFunctionHandler(functionsDir, path.relative, key, context);
+			functionInfos.push({
+				name: key,
+				handler: relative(process.cwd(), handlerFile).replace(/\.ts$/, ".handler"),
+				timeout: construct.timeout,
+				memorySize: construct.memorySize,
+				environment: await construct.getEnvironment()
+			});
+			logger$15.log(`Generated function handler: ${key}`);
+		}
+		return functionInfos;
+	}
+	async generateFunctionHandler(outputDir, sourceFile, exportName, context) {
+		const handlerFileName = `${exportName}.ts`;
+		const handlerPath = join(outputDir, handlerFileName);
+		const relativePath = relative(dirname(handlerPath), sourceFile);
+		const importPath = relativePath.replace(/\.ts$/, ".js");
+		const relativeEnvParserPath = relative(dirname(handlerPath), context.envParserPath);
+		const relativeLoggerPath = relative(dirname(handlerPath), context.loggerPath);
+		const content = `import { AWSLambdaFunction } from '@geekmidas/constructs/aws';
+import { ${exportName} } from '${importPath}';
+import ${context.envParserImportPattern} from '${relativeEnvParserPath}';
+import ${context.loggerImportPattern} from '${relativeLoggerPath}';
+
+const adapter = new AWSLambdaFunction(envParser, ${exportName});
+
+export const handler = adapter.handler;
+`;
+		await writeFile(handlerPath, content);
+		return handlerPath;
+	}
+};
+
+//#endregion
+//#region src/generators/SubscriberGenerator.ts
+var SubscriberGenerator = class extends ConstructGenerator {
+	isConstruct(value) {
+		return Subscriber.isSubscriber(value);
+	}
+	async build(context, constructs, outputDir, options) {
+		const provider = options?.provider || "aws-lambda";
+		const logger$15 = console;
+		const subscriberInfos = [];
+		if (provider === "server") {
+			await this.generateServerSubscribersFile(outputDir, constructs);
+			logger$15.log(`Generated server subscribers file with ${constructs.length} subscribers (polling mode)`);
+			return subscriberInfos;
+		}
+		if (constructs.length === 0) return subscriberInfos;
+		if (provider !== "aws-lambda") return subscriberInfos;
+		const subscribersDir = join(outputDir, "subscribers");
+		await mkdir(subscribersDir, { recursive: true });
+		for (const { key, construct, path } of constructs) {
+			const handlerFile = await this.generateSubscriberHandler(subscribersDir, path.relative, key, construct, context);
+			subscriberInfos.push({
+				name: key,
+				handler: relative(process.cwd(), handlerFile).replace(/\.ts$/, ".handler"),
+				subscribedEvents: construct.subscribedEvents || [],
+				timeout: construct.timeout,
+				memorySize: construct.memorySize,
+				environment: await construct.getEnvironment()
+			});
+			logger$15.log(`Generated subscriber handler: ${key}`);
+		}
+		return subscriberInfos;
+	}
+	async generateSubscriberHandler(outputDir, sourceFile, exportName, _subscriber, context) {
+		const handlerFileName = `${exportName}.ts`;
 		const handlerPath = join(outputDir, handlerFileName);
 		const relativePath = relative(dirname(handlerPath), sourceFile);
 		const importPath = relativePath.replace(/\.ts$/, ".js");
@@ -632,222 +1087,69 @@ export async function setupSubscribers(
 };
 
 //#endregion
-//#region src/dev/index.ts
-const logger$11 = console;
-/**
-* Load environment files
-* @internal Exported for testing
-*/
-function loadEnvFiles(envConfig, cwd = process.cwd()) {
-	const loaded = [];
-	const missing = [];
-	const envFiles = envConfig ? Array.isArray(envConfig) ? envConfig : [envConfig] : [".env"];
-	for (const envFile of envFiles) {
-		const envPath = resolve(cwd, envFile);
-		if (existsSync(envPath)) {
-			config({
-				path: envPath,
-				override: true,
-				quiet: true
-			});
-			loaded.push(envFile);
-		} else if (envConfig) missing.push(envFile);
-	}
-	return {
-		loaded,
-		missing
-	};
-}
+//#region src/exec/index.ts
+const logger$12 = console;
 /**
-* Check if a port is available
-* @internal Exported for testing
+* Run a command with secrets injected into Credentials.
+* Uses Node's --import flag to preload a script that populates Credentials
+* before the command loads any modules that depend on them.
+*
+* @example
+* ```bash
+* gkm exec -- npx @better-auth/cli migrate
+* gkm exec -- npx prisma migrate dev
+* ```
 */
-async function isPortAvailable(port) {
-	return new Promise((resolve$1) => {
-		const server = createServer();
-		server.once("error", (err) => {
-			if (err.code === "EADDRINUSE") resolve$1(false);
-			else resolve$1(false);
-		});
-		server.once("listening", () => {
-			server.close();
-			resolve$1(true);
-		});
-		server.listen(port);
+async function execCommand(commandArgs, options = {}) {
+	const cwd = options.cwd ?? process.cwd();
+	if (commandArgs.length === 0) throw new Error("No command specified. Usage: gkm exec -- <command>");
+	const defaultEnv = loadEnvFiles(".env");
+	if (defaultEnv.loaded.length > 0) logger$12.log(`📦 Loaded env: ${defaultEnv.loaded.join(", ")}`);
+	const { credentials, secretsJsonPath, appName } = await prepareEntryCredentials({
+		cwd,
+		resolveDockerPorts: "readonly"
 	});
+	if (appName) logger$12.log(`📦 App: ${appName}`);
+	const secretCount = Object.keys(credentials).filter((k) => k !== "PORT").length;
+	if (secretCount > 0) logger$12.log(`🔐 Loaded ${secretCount} secret(s)`);
+	const preloadDir = join(cwd, ".gkm");
+	await mkdir(preloadDir, { recursive: true });
+	const preloadPath = join(preloadDir, "credentials-preload.ts");
+	await createCredentialsPreload(preloadPath, secretsJsonPath);
+	const [cmd, ...rawArgs] = commandArgs;
+	if (!cmd) throw new Error("No command specified");
+	const args = rawArgs.map((arg) => arg.replace(/\$PORT\b/g, credentials.PORT ?? "3000"));
+	logger$12.log(`🚀 Running: ${[cmd, ...args].join(" ")}`);
+	const existingNodeOptions = process.env.NODE_OPTIONS ?? "";
+	const tsxImport = "--import=tsx";
+	const preloadImport = `--import=${preloadPath}`;
+	const nodeOptions = [
+		existingNodeOptions,
+		tsxImport,
+		preloadImport
+	].filter(Boolean).join(" ");
+	const child = spawn(cmd, args, {
+		cwd,
+		stdio: "inherit",
+		env: {
+			...process.env,
+			...credentials,
+			NODE_OPTIONS: nodeOptions
+		}
+	});
+	const exitCode = await new Promise((resolve$1) => {
+		child.on("close", (code) => resolve$1(code ?? 0));
+		child.on("error", (error) => {
+			logger$12.error(`Failed to run command: ${error.message}`);
+			resolve$1(1);
+		});
+	});
+	if (exitCode !== 0) process.exit(exitCode);
 }
-/**
-* Find an available port starting from the preferred port
-* @internal Exported for testing
-*/
-async function findAvailablePort(preferredPort, maxAttempts = 10) {
-	for (let i = 0; i < maxAttempts; i++) {
-		const port = preferredPort + i;
-		if (await isPortAvailable(port)) return port;
-		logger$11.log(`⚠️  Port ${port} is in use, trying ${port + 1}...`);
-	}
-	throw new Error(`Could not find an available port after trying ${maxAttempts} ports starting from ${preferredPort}`);
-}
-const PORT_STATE_PATH = ".gkm/ports.json";
-/**
-* Parse docker-compose.yml and extract all port mappings that use env var interpolation.
-* Entries like `'${POSTGRES_HOST_PORT:-5432}:5432'` are captured.
-* Fixed port mappings like `'5050:80'` are skipped.
-* @internal Exported for testing
-*/
-function parseComposePortMappings(composePath) {
-	if (!existsSync(composePath)) return [];
-	const content = readFileSync(composePath, "utf-8");
-	const compose = parse$1(content);
-	if (!compose?.services) return [];
-	const results = [];
-	for (const [serviceName, serviceConfig] of Object.entries(compose.services)) for (const portMapping of serviceConfig?.ports ?? []) {
-		const match = String(portMapping).match(/\$\{(\w+):-(\d+)\}:(\d+)/);
-		if (match?.[1] && match[2] && match[3]) results.push({
-			service: serviceName,
-			envVar: match[1],
-			defaultPort: Number(match[2]),
-			containerPort: Number(match[3])
-		});
-	}
-	return results;
-}
-/**
-* Load saved port state from .gkm/ports.json.
-* @internal Exported for testing
-*/
-async function loadPortState(workspaceRoot) {
-	try {
-		const raw = await readFile(join(workspaceRoot, PORT_STATE_PATH), "utf-8");
-		return JSON.parse(raw);
-	} catch {
-		return {};
-	}
-}
-/**
-* Save port state to .gkm/ports.json.
-* @internal Exported for testing
-*/
-async function savePortState(workspaceRoot, ports) {
-	const dir = join(workspaceRoot, ".gkm");
-	await mkdir(dir, { recursive: true });
-	await writeFile(join(workspaceRoot, PORT_STATE_PATH), `${JSON.stringify(ports, null, 2)}\n`);
-}
-/**
-* Check if a project's own Docker container is running and return its host port.
-* Uses `docker compose port` scoped to the project's compose file.
-* @internal Exported for testing
-*/
-function getContainerHostPort(workspaceRoot, service, containerPort) {
-	try {
-		const result = execSync(`docker compose port ${service} ${containerPort}`, {
-			cwd: workspaceRoot,
-			stdio: "pipe"
-		}).toString().trim();
-		const match = result.match(/:(\d+)$/);
-		return match ? Number(match[1]) : null;
-	} catch {
-		return null;
-	}
-}
-/**
-* Resolve host ports for Docker services by parsing docker-compose.yml.
-* Priority: running container → saved state → find available port.
-* Persists resolved ports to .gkm/ports.json.
-* @internal Exported for testing
-*/
-async function resolveServicePorts(workspaceRoot) {
-	const composePath = join(workspaceRoot, "docker-compose.yml");
-	const mappings = parseComposePortMappings(composePath);
-	if (mappings.length === 0) return {
-		dockerEnv: {},
-		ports: {},
-		mappings: []
-	};
-	const savedState = await loadPortState(workspaceRoot);
-	const dockerEnv = {};
-	const ports = {};
-	const assignedPorts = /* @__PURE__ */ new Set();
-	logger$11.log("\n🔌 Resolving service ports...");
-	for (const mapping of mappings) {
-		const containerPort = getContainerHostPort(workspaceRoot, mapping.service, mapping.containerPort);
-		if (containerPort !== null) {
-			ports[mapping.envVar] = containerPort;
-			dockerEnv[mapping.envVar] = String(containerPort);
-			assignedPorts.add(containerPort);
-			logger$11.log(`   🔄 ${mapping.service}:${mapping.containerPort}: reusing existing container on port ${containerPort}`);
-			continue;
-		}
-		const savedPort = savedState[mapping.envVar];
-		if (savedPort && !assignedPorts.has(savedPort) && await isPortAvailable(savedPort)) {
-			ports[mapping.envVar] = savedPort;
-			dockerEnv[mapping.envVar] = String(savedPort);
-			assignedPorts.add(savedPort);
-			logger$11.log(`   💾 ${mapping.service}:${mapping.containerPort}: using saved port ${savedPort}`);
-			continue;
-		}
-		let resolvedPort = await findAvailablePort(mapping.defaultPort);
-		while (assignedPorts.has(resolvedPort)) resolvedPort = await findAvailablePort(resolvedPort + 1);
-		ports[mapping.envVar] = resolvedPort;
-		dockerEnv[mapping.envVar] = String(resolvedPort);
-		assignedPorts.add(resolvedPort);
-		if (resolvedPort !== mapping.defaultPort) logger$11.log(`   ⚡ ${mapping.service}:${mapping.containerPort}: port ${mapping.defaultPort} occupied, using port ${resolvedPort}`);
-		else logger$11.log(`   ✅ ${mapping.service}:${mapping.containerPort}: using default port ${resolvedPort}`);
-	}
-	await savePortState(workspaceRoot, ports);
-	return {
-		dockerEnv,
-		ports,
-		mappings
-	};
-}
-/**
-* Replace a port in a URL string.
-* Handles both `hostname:port` and `localhost:port` patterns.
-* @internal Exported for testing
-*/
-function replacePortInUrl(url, oldPort, newPort) {
-	if (oldPort === newPort) return url;
-	let result = url.replace(new RegExp(`:${oldPort}(?=[/?#]|$)`, "g"), `:${newPort}`);
-	result = result.replace(new RegExp(`%3A${oldPort}(?=[%/?#&]|$)`, "gi"), `%3A${newPort}`);
-	return result;
-}
-/**
-* Rewrite connection URLs and port vars in secrets with resolved ports.
-* Uses the parsed compose mappings to determine which default ports to replace.
-* Pure transform — does not modify secrets on disk.
-* @internal Exported for testing
-*/
-function rewriteUrlsWithPorts(secrets, resolvedPorts) {
-	const { ports, mappings } = resolvedPorts;
-	const result = { ...secrets };
-	const portReplacements = [];
-	const serviceNames = /* @__PURE__ */ new Set();
-	for (const mapping of mappings) {
-		serviceNames.add(mapping.service);
-		const resolved = ports[mapping.envVar];
-		if (resolved !== void 0) portReplacements.push({
-			defaultPort: mapping.defaultPort,
-			resolvedPort: resolved
-		});
-	}
-	for (const [key, value] of Object.entries(result)) {
-		if (!key.endsWith("_HOST")) continue;
-		if (serviceNames.has(value)) result[key] = "localhost";
-	}
-	for (const [key, value] of Object.entries(result)) {
-		if (!key.endsWith("_PORT")) continue;
-		for (const { defaultPort, resolvedPort } of portReplacements) if (value === String(defaultPort)) result[key] = String(resolvedPort);
-	}
-	for (const [key, value] of Object.entries(result)) {
-		if (!key.endsWith("_URL") && !key.endsWith("_ENDPOINT") && !key.endsWith("_CONNECTION_STRING") && key !== "DATABASE_URL") continue;
-		let rewritten = value;
-		for (const name$1 of serviceNames) rewritten = rewritten.replace(new RegExp(`@${name$1}:`, "g"), "@localhost:");
-		for (const { defaultPort, resolvedPort } of portReplacements) rewritten = replacePortInUrl(rewritten, defaultPort, resolvedPort);
-		result[key] = rewritten;
-	}
-	return result;
-}
+
+//#endregion
+//#region src/dev/index.ts
+const logger$11 = console;
 /**
 * Normalize telescope configuration
 * @internal Exported for testing
@@ -1025,7 +1327,8 @@ async function devCommand(options) {
 	if (Object.keys(appSecrets).length > 0) {
 		const secretsDir = join(secretsRoot, ".gkm");
 		await mkdir(secretsDir, { recursive: true });
-		secretsJsonPath = join(secretsDir, "dev-secrets.json");
+		const secretsFileName = workspaceAppName ? `dev-secrets-${workspaceAppName}.json` : "dev-secrets.json";
+		secretsJsonPath = join(secretsDir, secretsFileName);
 		await writeFile(secretsJsonPath, JSON.stringify(appSecrets, null, 2));
 		logger$11.log(`🔐 Loaded ${Object.keys(appSecrets).length} secret(s)`);
 	}
@@ -1204,103 +1507,6 @@ async function loadDevSecrets(workspace) {
 	return {};
 }
 /**
-* Load secrets from a path for dev mode.
-* For single app: returns secrets as-is.
-* For workspace app: maps {APP}_DATABASE_URL → DATABASE_URL.
-* @internal Exported for testing
-*/
-async function loadSecretsForApp(secretsRoot, appName) {
-	const stages = ["dev", "development"];
-	let secrets = {};
-	for (const stage of stages) if (secretsExist(stage, secretsRoot)) {
-		const stageSecrets = await readStageSecrets(stage, secretsRoot);
-		if (stageSecrets) {
-			logger$11.log(`🔐 Loading secrets from stage: ${stage}`);
-			secrets = toEmbeddableSecrets(stageSecrets);
-			break;
-		}
-	}
-	if (Object.keys(secrets).length === 0) return {};
-	if (!appName) return secrets;
-	const prefix = appName.toUpperCase();
-	const mapped = { ...secrets };
-	const appDbUrl = secrets[`${prefix}_DATABASE_URL`];
-	if (appDbUrl) mapped.DATABASE_URL = appDbUrl;
-	return mapped;
-}
-/**
-* Build the environment variables to pass to `docker compose up`.
-* Merges process.env, secrets, and port mappings so that Docker Compose
-* can interpolate variables like ${POSTGRES_USER} correctly.
-* @internal Exported for testing
-*/
-function buildDockerComposeEnv(secretsEnv, portEnv) {
-	return {
-		...process.env,
-		...secretsEnv,
-		...portEnv
-	};
-}
-/**
-* Parse all service names from a docker-compose.yml file.
-* @internal Exported for testing
-*/
-function parseComposeServiceNames(composePath) {
-	if (!existsSync(composePath)) return [];
-	const content = readFileSync(composePath, "utf-8");
-	const compose = parse$1(content);
-	return Object.keys(compose?.services ?? {});
-}
-/**
-* Start docker-compose services for the workspace.
-* Parses the docker-compose.yml to discover all services and starts
-* everything except app services (which are managed by turbo).
-* This ensures manually added services are always started.
-* @internal Exported for testing
-*/
-/**
-* Start docker-compose services for a single-app project (no workspace config).
-* Starts all services defined in docker-compose.yml.
-*/
-async function startComposeServices(cwd, portEnv, secretsEnv) {
-	const composeFile = join(cwd, "docker-compose.yml");
-	if (!existsSync(composeFile)) return;
-	const servicesToStart = parseComposeServiceNames(composeFile);
-	if (servicesToStart.length === 0) return;
-	logger$11.log(`🐳 Starting services: ${servicesToStart.join(", ")}`);
-	try {
-		execSync(`docker compose up -d ${servicesToStart.join(" ")}`, {
-			cwd,
-			stdio: "inherit",
-			env: buildDockerComposeEnv(secretsEnv, portEnv)
-		});
-		logger$11.log("✅ Services started");
-	} catch (error) {
-		logger$11.error("❌ Failed to start services:", error.message);
-		throw error;
-	}
-}
-async function startWorkspaceServices(workspace, portEnv, secretsEnv) {
-	const composeFile = join(workspace.root, "docker-compose.yml");
-	if (!existsSync(composeFile)) return;
-	const allServices = parseComposeServiceNames(composeFile);
-	const appNames = new Set(Object.keys(workspace.apps));
-	const servicesToStart = allServices.filter((name$1) => !appNames.has(name$1));
-	if (servicesToStart.length === 0) return;
-	logger$11.log(`🐳 Starting services: ${servicesToStart.join(", ")}`);
-	try {
-		execSync(`docker compose up -d ${servicesToStart.join(" ")}`, {
-			cwd: workspace.root,
-			stdio: "inherit",
-			env: buildDockerComposeEnv(secretsEnv, portEnv)
-		});
-		logger$11.log("✅ Services started");
-	} catch (error) {
-		logger$11.error("❌ Failed to start services:", error.message);
-		throw error;
-	}
-}
-/**
 * Workspace dev command - orchestrates multi-app development using Turbo.
 *
 * Flow:
@@ -1503,105 +1709,6 @@ async function buildServer(config$1, context, provider, enableOpenApi, appRoot =
 	]);
 }
 /**
-* Find the directory containing .gkm/secrets/.
-* Walks up from cwd until it finds one, or returns cwd.
-* @internal Exported for testing
-*/
-function findSecretsRoot(startDir) {
-	let dir = startDir;
-	while (dir !== "/") {
-		if (existsSync(join(dir, ".gkm", "secrets"))) return dir;
-		const parent = dirname(dir);
-		if (parent === dir) break;
-		dir = parent;
-	}
-	return startDir;
-}
-/**
-* Generate the credentials injection code snippet.
-* This is the common logic used by both entry wrapper and exec preload.
-* @internal
-*/
-function generateCredentialsInjection(secretsJsonPath) {
-	return `import { existsSync, readFileSync } from 'node:fs';
-
-// Inject dev secrets via globalThis and process.env
-// Using globalThis.__gkm_credentials__ avoids CJS/ESM interop issues where
-// Object.assign on the Credentials export only mutates one module copy.
-const secretsPath = '${secretsJsonPath}';
-if (existsSync(secretsPath)) {
-  const secrets = JSON.parse(readFileSync(secretsPath, 'utf-8'));
-  globalThis.__gkm_credentials__ = secrets;
-  Object.assign(process.env, secrets);
-}
-`;
-}
-/**
-* Create a preload script that injects secrets into Credentials.
-* Used by `gkm exec` to inject secrets before running any command.
-* @internal Exported for testing
-*/
-async function createCredentialsPreload(preloadPath, secretsJsonPath) {
-	const content = `/**
- * Credentials preload generated by 'gkm exec'
- * This file is loaded via NODE_OPTIONS="--import <path>"
- */
-${generateCredentialsInjection(secretsJsonPath)}`;
-	await writeFile(preloadPath, content);
-}
-/**
-* Create a wrapper script that injects secrets before importing the entry file.
-* @internal Exported for testing
-*/
-async function createEntryWrapper(wrapperPath, entryPath, secretsJsonPath) {
-	const credentialsInjection = secretsJsonPath ? `${generateCredentialsInjection(secretsJsonPath)}
-` : "";
-	const content = `#!/usr/bin/env node
-/**
- * Entry wrapper generated by 'gkm dev --entry'
- */
-${credentialsInjection}// Import and run the user's entry file (dynamic import ensures secrets load first)
-await import('${entryPath}');
-`;
-	await writeFile(wrapperPath, content);
-}
-/**
-* Prepare credentials for entry dev mode.
-* Loads workspace config, secrets, and injects PORT.
-* @internal Exported for testing
-*/
-async function prepareEntryCredentials(options) {
-	const cwd = options.cwd ?? process.cwd();
-	let workspaceAppPort;
-	let secretsRoot = cwd;
-	let appName;
-	try {
-		const appInfo = await loadWorkspaceAppInfo(cwd);
-		workspaceAppPort = appInfo.app.port;
-		secretsRoot = appInfo.workspaceRoot;
-		appName = appInfo.appName;
-	} catch (error) {
-		logger$11.log(`⚠️  Could not load workspace config: ${error.message}`);
-		secretsRoot = findSecretsRoot(cwd);
-		appName = getAppNameFromCwd(cwd) ?? void 0;
-	}
-	const resolvedPort = options.explicitPort ?? workspaceAppPort ?? 3e3;
-	const credentials = await loadSecretsForApp(secretsRoot, appName);
-	credentials.PORT = String(resolvedPort);
-	const secretsDir = join(secretsRoot, ".gkm");
-	await mkdir(secretsDir, { recursive: true });
-	const secretsFileName = appName ? `dev-secrets-${appName}.json` : "dev-secrets.json";
-	const secretsJsonPath = join(secretsDir, secretsFileName);
-	await writeFile(secretsJsonPath, JSON.stringify(credentials, null, 2));
-	return {
-		credentials,
-		resolvedPort,
-		secretsJsonPath,
-		appName,
-		secretsRoot
-	};
-}
-/**
 * Run any TypeScript file with secret injection.
 * Does not require gkm.config.ts.
 */
@@ -1876,73 +1983,6 @@ var DevServer = class {
 		await fsWriteFile(serverPath, content);
 	}
 };
-/**
-* Run a command with secrets injected into Credentials.
-* Uses Node's --import flag to preload a script that populates Credentials
-* before the command loads any modules that depend on them.
-*
-* @example
-* ```bash
-* gkm exec -- npx @better-auth/cli migrate
-* gkm exec -- npx prisma migrate dev
-* ```
-*/
-async function execCommand(commandArgs, options = {}) {
-	const cwd = options.cwd ?? process.cwd();
-	if (commandArgs.length === 0) throw new Error("No command specified. Usage: gkm exec -- <command>");
-	const defaultEnv = loadEnvFiles(".env");
-	if (defaultEnv.loaded.length > 0) logger$11.log(`📦 Loaded env: ${defaultEnv.loaded.join(", ")}`);
-	const { credentials, secretsJsonPath, appName, secretsRoot } = await prepareEntryCredentials({ cwd });
-	if (appName) logger$11.log(`📦 App: ${appName}`);
-	const secretCount = Object.keys(credentials).filter((k) => k !== "PORT").length;
-	if (secretCount > 0) logger$11.log(`🔐 Loaded ${secretCount} secret(s)`);
-	const resolvedPorts = await resolveServicePorts(secretsRoot);
-	if (resolvedPorts.mappings.length > 0 && Object.keys(resolvedPorts.ports).length > 0) {
-		const rewritten = rewriteUrlsWithPorts(credentials, resolvedPorts);
-		Object.assign(credentials, rewritten);
-		logger$11.log(`🔌 Applied ${Object.keys(resolvedPorts.ports).length} port mapping(s)`);
-	}
-	try {
-		const appInfo = await loadWorkspaceAppInfo(cwd);
-		if (appInfo.appName) {
-			const depEnv = getDependencyEnvVars(appInfo.workspace, appInfo.appName);
-			Object.assign(credentials, depEnv);
-		}
-	} catch {}
-	const preloadDir = join(cwd, ".gkm");
-	await mkdir(preloadDir, { recursive: true });
-	const preloadPath = join(preloadDir, "credentials-preload.ts");
-	await createCredentialsPreload(preloadPath, secretsJsonPath);
-	const [cmd, ...rawArgs] = commandArgs;
-	if (!cmd) throw new Error("No command specified");
-	const args = rawArgs.map((arg) => arg.replace(/\$PORT\b/g, credentials.PORT ?? "3000"));
-	logger$11.log(`🚀 Running: ${[cmd, ...args].join(" ")}`);
-	const existingNodeOptions = process.env.NODE_OPTIONS ?? "";
-	const tsxImport = "--import=tsx";
-	const preloadImport = `--import=${preloadPath}`;
-	const nodeOptions = [
-		existingNodeOptions,
-		tsxImport,
-		preloadImport
-	].filter(Boolean).join(" ");
-	const child = spawn(cmd, args, {
-		cwd,
-		stdio: "inherit",
-		env: {
-			...process.env,
-			...credentials,
-			NODE_OPTIONS: nodeOptions
-		}
-	});
-	const exitCode = await new Promise((resolve$1) => {
-		child.on("close", (code) => resolve$1(code ?? 0));
-		child.on("error", (error) => {
-			logger$11.error(`Failed to run command: ${error.message}`);
-			resolve$1(1);
-		});
-	});
-	if (exitCode !== 0) process.exit(exitCode);
-}
 
 //#endregion
 //#region src/build/manifests.ts
@@ -2214,7 +2254,7 @@ async function buildForProvider(provider, context, rootOutputDir, endpointGenera
 		let masterKey;
 		if (context.production?.bundle && !skipBundle) {
 			logger$9.log(`\n📦 Bundling production server...`);
-			const { bundleServer } = await import("./bundler-B4AackW5.mjs");
+			const { bundleServer } = await import("./bundler-C5xkxnyr.mjs");
 			const allConstructs = [
 				...endpoints.map((e) => e.construct),
 				...functions.map((f) => f.construct),
@@ -6465,7 +6505,7 @@ async function deployCommand(options) {
 		dokployConfig = setupResult.config;
 		finalRegistry = dokployConfig.registry ?? dockerConfig.registry;
 		if (setupResult.serviceUrls) {
-			const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1, initStageSecrets } = await import("./storage-Cs4WBsc4.mjs");
+			const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1, initStageSecrets } = await import("./storage-mwbL7PhP.mjs");
 			let secrets = await readStageSecrets$1(stage);
 			if (!secrets) {
 				logger$3.log(`   Creating secrets file for stage "${stage}"...`);
@@ -11875,75 +11915,29 @@ async function testCommand(options = {}) {
 	console.log(`\n🧪 Running tests with ${stage} environment...\n`);
 	const defaultEnv = loadEnvFiles(".env");
 	if (defaultEnv.loaded.length > 0) console.log(`  📦 Loaded env: ${defaultEnv.loaded.join(", ")}`);
-	let secretsEnv = {};
-	try {
-		const secrets = await readStageSecrets(stage);
-		if (secrets) {
-			secretsEnv = toEmbeddableSecrets(secrets);
-			console.log(`  🔐 Loaded ${Object.keys(secretsEnv).length} secrets from ${stage}`);
-		} else console.log(`  No secrets found for ${stage}`);
-	} catch (error) {
-		if (error instanceof Error && error.message.includes("key not found")) console.log(`  Decryption key not found for ${stage}`);
-		else throw error;
-	}
-	let dependencyEnv = {};
-	try {
-		const appInfo = await loadWorkspaceAppInfo(cwd);
-		const resolvedPorts = await resolveServicePorts(appInfo.workspaceRoot);
-		await startWorkspaceServices(appInfo.workspace, resolvedPorts.dockerEnv, secretsEnv);
-		if (resolvedPorts.mappings.length > 0) {
-			secretsEnv = rewriteUrlsWithPorts(secretsEnv, resolvedPorts);
-			console.log(`  🔌 Applied ${Object.keys(resolvedPorts.ports).length} port mapping(s)`);
-		}
-		dependencyEnv = getDependencyEnvVars(appInfo.workspace, appInfo.appName);
-		if (Object.keys(dependencyEnv).length > 0) console.log(`  🔗 Loaded ${Object.keys(dependencyEnv).length} dependency URL(s)`);
-		const sniffed = await sniffAppEnvironment(appInfo.app, appInfo.appName, appInfo.workspaceRoot, { logWarnings: false });
+	const result = await prepareEntryCredentials({
+		stages: [stage],
+		startDocker: true,
+		secretsFileName: "test-secrets.json",
+		resolveDockerPorts: "full"
+	});
+	let finalCredentials = { ...result.credentials };
+	if (result.appInfo) {
+		const sniffed = await sniffAppEnvironment(result.appInfo.app, result.appInfo.appName, result.appInfo.workspaceRoot, { logWarnings: false });
 		if (sniffed.requiredEnvVars.length > 0) {
 			const needed = new Set(sniffed.requiredEnvVars);
-			const allEnv = {
-				...secretsEnv,
-				...dependencyEnv
-			};
-			const filteredEnv = {};
-			for (const [key, value] of Object.entries(allEnv)) if (needed.has(key)) filteredEnv[key] = value;
-			secretsEnv = {};
-			dependencyEnv = filteredEnv;
+			const filtered = {};
+			for (const [key, value] of Object.entries(finalCredentials)) if (needed.has(key)) filtered[key] = value;
+			finalCredentials = filtered;
 			console.log(`  🔍 Sniffed ${sniffed.requiredEnvVars.length} required env var(s)`);
 		}
-	} catch {
-		const composePath = join(cwd, "docker-compose.yml");
-		const mappings = parseComposePortMappings(composePath);
-		if (mappings.length > 0) {
-			const resolvedPorts = await resolveServicePorts(cwd);
-			await startComposeServices(cwd, resolvedPorts.dockerEnv, secretsEnv);
-			if (resolvedPorts.mappings.length > 0) {
-				secretsEnv = rewriteUrlsWithPorts(secretsEnv, resolvedPorts);
-				console.log(`  🔌 Applied ${Object.keys(resolvedPorts.ports).length} port mapping(s)`);
-			} else {
-				const ports = await loadPortState(cwd);
-				if (Object.keys(ports).length > 0) {
-					secretsEnv = rewriteUrlsWithPorts(secretsEnv, {
-						dockerEnv: {},
-						ports,
-						mappings
-					});
-					console.log(`  🔌 Applied ${Object.keys(ports).length} port mapping(s)`);
-				}
-			}
-		}
 	}
-	secretsEnv = rewriteDatabaseUrlForTests(secretsEnv);
+	finalCredentials = rewriteDatabaseUrlForTests(finalCredentials);
 	console.log("");
-	const allSecrets = {
-		...secretsEnv,
-		...dependencyEnv
-	};
+	await writeFile(result.secretsJsonPath, JSON.stringify(finalCredentials, null, 2));
 	const gkmDir = join(cwd, ".gkm");
-	await mkdir(gkmDir, { recursive: true });
-	const secretsJsonPath = join(gkmDir, "test-secrets.json");
-	await writeFile(secretsJsonPath, JSON.stringify(allSecrets, null, 2));
 	const preloadPath = join(gkmDir, "test-credentials-preload.ts");
-	await createCredentialsPreload(preloadPath, secretsJsonPath);
+	await createCredentialsPreload(preloadPath, result.secretsJsonPath);
 	const existingNodeOptions = process.env.NODE_OPTIONS ?? "";
 	const tsxImport = "--import=tsx";
 	const preloadImport = `--import=${preloadPath}`;
@@ -11963,7 +11957,7 @@ async function testCommand(options = {}) {
 		stdio: "inherit",
 		env: {
 			...process.env,
-			...allSecrets,
+			...finalCredentials,
 			NODE_ENV: "test",
 			NODE_OPTIONS: nodeOptions
 		}
@@ -12367,9 +12361,9 @@ program.command("secrets:push").description("Push secrets to remote provider (SS
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await import("./config.mjs");
-		const { pushSecrets: pushSecrets$1 } = await import("./sync-COnAugP-.mjs");
+		const { pushSecrets: pushSecrets$1 } = await import("./sync-CYBVB64f.mjs");
 		const { reconcileMissingSecrets } = await import("./reconcile-BLh6rswz.mjs");
-		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await import("./storage-Cs4WBsc4.mjs");
+		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await import("./storage-mwbL7PhP.mjs");
 		const { workspace } = await loadWorkspaceConfig$1();
 		const secrets = await readStageSecrets$1(options.stage, workspace.root);
 		if (secrets) {
@@ -12392,8 +12386,8 @@ program.command("secrets:pull").description("Pull secrets from remote provider (
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await import("./config.mjs");
-		const { pullSecrets: pullSecrets$1 } = await import("./sync-COnAugP-.mjs");
-		const { writeStageSecrets: writeStageSecrets$1 } = await import("./storage-Cs4WBsc4.mjs");
+		const { pullSecrets: pullSecrets$1 } = await import("./sync-CYBVB64f.mjs");
+		const { writeStageSecrets: writeStageSecrets$1 } = await import("./storage-mwbL7PhP.mjs");
 		const { reconcileMissingSecrets } = await import("./reconcile-BLh6rswz.mjs");
 		const { workspace } = await loadWorkspaceConfig$1();
 		let secrets = await pullSecrets$1(options.stage, workspace);
@@ -12420,7 +12414,7 @@ program.command("secrets:reconcile").description("Backfill missing custom secret
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await import("./config.mjs");
 		const { reconcileMissingSecrets } = await import("./reconcile-BLh6rswz.mjs");
-		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await import("./storage-Cs4WBsc4.mjs");
+		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await import("./storage-mwbL7PhP.mjs");
 		const { workspace } = await loadWorkspaceConfig$1();
 		const secrets = await readStageSecrets$1(options.stage, workspace.root);
 		if (!secrets) {