@geekmidas/cli 1.10.2 → 1.10.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekmidas/cli",
-  "version": "1.10.2",
+  "version": "1.10.3",
   "description": "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs",
   "private": false,
   "type": "module",
@@ -56,11 +56,11 @@
     "prompts": "~2.4.2",
     "tsx": "~4.20.3",
     "yaml": "~2.8.2",
-    "@geekmidas/constructs": "~3.0.2",
     "@geekmidas/envkit": "~1.0.3",
+    "@geekmidas/constructs": "~3.0.2",
     "@geekmidas/errors": "~1.0.0",
-    "@geekmidas/schema": "~1.0.0",
-    "@geekmidas/logger": "~1.0.0"
+    "@geekmidas/logger": "~1.0.0",
+    "@geekmidas/schema": "~1.0.0"
   },
   "devDependencies": {
     "@types/lodash.kebabcase": "^4.1.9",

package/src/dev/index.ts

@@ -1315,6 +1315,7 @@ async function workspaceDevCommand(
 		cwd: workspace.root,
 		stdio: 'inherit',
 		env: turboEnv,
+		detached: true,
 	});
 
 	// Set up file watcher for backend .gkm/openapi.ts changes (auto-copy to frontends)
@@ -1408,21 +1409,35 @@ async function workspaceDevCommand(
 			openApiWatcher.close().catch(() => {});
 		}
 
-		// Kill turbo process
-		if (turboProcess.pid) {
+		// Kill turbo process group
+		const pid = turboProcess.pid;
+		if (pid) {
 			try {
-				// Try to kill the process group
-				process.kill(-turboProcess.pid, 'SIGTERM');
+				process.kill(-pid, 'SIGTERM');
 			} catch {
-				// Fall back to killing just the process
-				turboProcess.kill('SIGTERM');
+				try {
+					process.kill(pid, 'SIGTERM');
+				} catch {
+					// Process already dead
+				}
 			}
 		}
 
-		// Give processes time to clean up
+		// Force kill after timeout if processes are still alive
 		setTimeout(() => {
+			if (pid) {
+				try {
+					process.kill(-pid, 'SIGKILL');
+				} catch {
+					try {
+						process.kill(pid, 'SIGKILL');
+					} catch {
+						// Process already dead
+					}
+				}
+			}
 			process.exit(0);
-		}, 2000);
+		}, 3000);
 	};
 
 	process.on('SIGINT', shutdown);

package/src/setup/__tests__/reconcile-secrets.spec.ts

@@ -0,0 +1,248 @@
+import { describe, expect, it } from 'vitest';
+import type { StageSecrets } from '../../secrets/types.js';
+import type { NormalizedWorkspace } from '../../workspace/types.js';
+import { generateFullstackCustomSecrets } from '../fullstack-secrets.js';
+import { reconcileSecrets } from '../index.js';
+
+function createWorkspace(
+	overrides: Partial<NormalizedWorkspace> = {},
+): NormalizedWorkspace {
+	return {
+		name: 'test-project',
+		root: '/tmp/test-project',
+		apps: {
+			api: {
+				type: 'backend',
+				port: 3000,
+				root: '/tmp/test-project/apps/api',
+				packageName: '@test/api',
+				routes: './src/endpoints/**/*.ts',
+				dependencies: [],
+			},
+			auth: {
+				type: 'backend',
+				port: 3001,
+				root: '/tmp/test-project/apps/auth',
+				packageName: '@test/auth',
+				entry: './src/index.ts',
+				framework: 'better-auth',
+				dependencies: [],
+			},
+			web: {
+				type: 'frontend',
+				port: 3002,
+				root: '/tmp/test-project/apps/web',
+				packageName: '@test/web',
+				dependencies: ['api', 'auth'],
+			},
+		},
+		services: {
+			db: true,
+			cache: false,
+			mail: false,
+		},
+		...overrides,
+	} as NormalizedWorkspace;
+}
+
+function createSecrets(custom: Record<string, string> = {}): StageSecrets {
+	return {
+		stage: 'development',
+		createdAt: '2025-01-01T00:00:00.000Z',
+		updatedAt: '2025-01-01T00:00:00.000Z',
+		services: {
+			postgres: {
+				host: 'localhost',
+				port: 5432,
+				username: 'postgres',
+				password: 'postgres',
+				database: 'test_dev',
+			},
+		},
+		urls: {
+			DATABASE_URL: 'postgresql://postgres:postgres@localhost:5432/test_dev',
+		},
+		custom,
+	};
+}
+
+describe('reconcileSecrets', () => {
+	it('should add missing BETTER_AUTH_* keys to existing secrets', () => {
+		const workspace = createWorkspace();
+		const secrets = createSecrets({
+			NODE_ENV: 'development',
+			PORT: '3000',
+			LOG_LEVEL: 'debug',
+			JWT_SECRET: 'existing-jwt-secret',
+			API_DATABASE_URL: 'postgresql://api:pass@localhost:5432/test_dev',
+			API_DB_PASSWORD: 'pass',
+			AUTH_DATABASE_URL: 'postgresql://auth:pass@localhost:5432/test_dev',
+			AUTH_DB_PASSWORD: 'pass',
+			WEB_URL: 'http://localhost:3002',
+		});
+
+		const result = reconcileSecrets(secrets, workspace);
+
+		expect(result).not.toBeNull();
+		expect(result!.custom.BETTER_AUTH_SECRET).toBeDefined();
+		expect(result!.custom.BETTER_AUTH_URL).toBe('http://localhost:3001');
+		expect(result!.custom.BETTER_AUTH_TRUSTED_ORIGINS).toContain(
+			'http://localhost:3000',
+		);
+		expect(result!.custom.BETTER_AUTH_TRUSTED_ORIGINS).toContain(
+			'http://localhost:3001',
+		);
+		expect(result!.custom.BETTER_AUTH_TRUSTED_ORIGINS).toContain(
+			'http://localhost:3002',
+		);
+		expect(result!.custom.AUTH_PORT).toBe('3001');
+		expect(result!.custom.AUTH_URL).toBe('http://localhost:3001');
+	});
+
+	it('should not overwrite existing secret values', () => {
+		const workspace = createWorkspace();
+		const secrets = createSecrets({
+			NODE_ENV: 'development',
+			PORT: '3000',
+			LOG_LEVEL: 'debug',
+			JWT_SECRET: 'my-custom-jwt',
+			API_DATABASE_URL: 'postgresql://api:custom@localhost:5432/test_dev',
+			API_DB_PASSWORD: 'custom',
+			AUTH_DATABASE_URL: 'postgresql://auth:custom@localhost:5432/test_dev',
+			AUTH_DB_PASSWORD: 'custom',
+			WEB_URL: 'http://localhost:3002',
+			BETTER_AUTH_SECRET: 'my-existing-secret',
+			BETTER_AUTH_URL: 'http://localhost:3001',
+			BETTER_AUTH_TRUSTED_ORIGINS:
+				'http://localhost:3000,http://localhost:3001',
+			AUTH_PORT: '3001',
+			AUTH_URL: 'http://localhost:3001',
+		});
+
+		const result = reconcileSecrets(secrets, workspace);
+
+		expect(result).toBeNull();
+	});
+
+	it('should return null for single-app workspaces', () => {
+		const workspace = createWorkspace({
+			apps: {
+				api: {
+					type: 'backend',
+					port: 3000,
+					root: '/tmp/test-project/apps/api',
+					path: 'apps/api',
+					resolvedDeployTarget: 'dokploy',
+					packageName: '@test/api',
+					routes: './src/endpoints/**/*.ts',
+					dependencies: [],
+				},
+			},
+		} as Partial<NormalizedWorkspace>);
+
+		const secrets = createSecrets({ NODE_ENV: 'development' });
+
+		const result = reconcileSecrets(secrets, workspace);
+
+		expect(result).toBeNull();
+	});
+
+	it('should preserve all existing custom secrets when adding new ones', () => {
+		const workspace = createWorkspace();
+		const secrets = createSecrets({
+			NODE_ENV: 'development',
+			PORT: '3000',
+			LOG_LEVEL: 'debug',
+			JWT_SECRET: 'keep-this',
+			MY_CUSTOM_VAR: 'user-added',
+			API_DATABASE_URL: 'postgresql://api:pass@localhost:5432/test_dev',
+			API_DB_PASSWORD: 'pass',
+			AUTH_DATABASE_URL: 'postgresql://auth:pass@localhost:5432/test_dev',
+			AUTH_DB_PASSWORD: 'pass',
+			WEB_URL: 'http://localhost:3002',
+		});
+
+		const result = reconcileSecrets(secrets, workspace);
+
+		expect(result).not.toBeNull();
+		expect(result!.custom.JWT_SECRET).toBe('keep-this');
+		expect(result!.custom.MY_CUSTOM_VAR).toBe('user-added');
+		expect(result!.custom.BETTER_AUTH_SECRET).toBeDefined();
+	});
+
+	it('should update updatedAt timestamp when reconciling', () => {
+		const workspace = createWorkspace();
+		const secrets = createSecrets({
+			NODE_ENV: 'development',
+			PORT: '3000',
+			API_DATABASE_URL: 'postgresql://api:pass@localhost:5432/test_dev',
+			API_DB_PASSWORD: 'pass',
+			AUTH_DATABASE_URL: 'postgresql://auth:pass@localhost:5432/test_dev',
+			AUTH_DB_PASSWORD: 'pass',
+			WEB_URL: 'http://localhost:3002',
+		});
+
+		const result = reconcileSecrets(secrets, workspace);
+
+		expect(result).not.toBeNull();
+		expect(result!.updatedAt).not.toBe(secrets.updatedAt);
+		expect(result!.createdAt).toBe(secrets.createdAt);
+	});
+});
+
+describe('generateFullstackCustomSecrets', () => {
+	it('should generate BETTER_AUTH_* secrets for better-auth framework apps', () => {
+		const workspace = createWorkspace();
+
+		const result = generateFullstackCustomSecrets(workspace);
+
+		expect(result.BETTER_AUTH_SECRET).toBeDefined();
+		expect(result.BETTER_AUTH_SECRET).toMatch(/^better-auth-/);
+		expect(result.BETTER_AUTH_URL).toBe('http://localhost:3001');
+		expect(result.AUTH_PORT).toBe('3001');
+		expect(result.AUTH_URL).toBe('http://localhost:3001');
+	});
+
+	it('should include all app ports in BETTER_AUTH_TRUSTED_ORIGINS', () => {
+		const workspace = createWorkspace();
+
+		const result = generateFullstackCustomSecrets(workspace);
+
+		const origins = result.BETTER_AUTH_TRUSTED_ORIGINS.split(',');
+		expect(origins).toContain('http://localhost:3000');
+		expect(origins).toContain('http://localhost:3001');
+		expect(origins).toContain('http://localhost:3002');
+	});
+
+	it('should not generate BETTER_AUTH_* for non-better-auth apps', () => {
+		const workspace = createWorkspace({
+			apps: {
+				api: {
+					type: 'backend',
+					port: 3000,
+					root: '/tmp/test-project/apps/api',
+					path: 'apps/api',
+					resolvedDeployTarget: 'dokploy',
+					packageName: '@test/api',
+					routes: './src/endpoints/**/*.ts',
+					dependencies: [],
+				},
+				web: {
+					type: 'frontend',
+					port: 3001,
+					root: '/tmp/test-project/apps/web',
+					path: 'apps/web',
+					resolvedDeployTarget: 'dokploy',
+					packageName: '@test/web',
+					dependencies: ['api'],
+				},
+			},
+		} as Partial<NormalizedWorkspace>);
+
+		const result = generateFullstackCustomSecrets(workspace);
+
+		expect(result.BETTER_AUTH_SECRET).toBeUndefined();
+		expect(result.BETTER_AUTH_URL).toBeUndefined();
+		expect(result.BETTER_AUTH_TRUSTED_ORIGINS).toBeUndefined();
+	});
+});

package/src/setup/index.ts

@@ -10,6 +10,7 @@ import {
 	writeStageSecrets,
 } from '../secrets/storage.js';
 import { isSSMConfigured, pullSecrets, pushSecrets } from '../secrets/sync.js';
+import type { StageSecrets } from '../secrets/types.js';
 import type { ComposeServiceName } from '../types.js';
 import type { LoadedConfig, NormalizedWorkspace } from '../workspace/types.js';
 import {
@@ -112,7 +113,12 @@ async function resolveSecrets(
 		logger.log('🔐 Using existing local secrets');
 		const secrets = await readStageSecrets(stage, workspace.root);
 		if (secrets) {
-			return secrets;
+			// Reconcile: add any missing workspace-derived keys without overwriting
+			const reconciled = reconcileSecrets(secrets, workspace);
+			if (reconciled) {
+				await writeStageSecrets(reconciled, workspace.root);
+			}
+			return reconciled ?? secrets;
 		}
 	}
 
@@ -137,6 +143,45 @@ async function resolveSecrets(
 	return generateFreshSecrets(stage, workspace, options);
 }
 
+/**
+ * Reconcile existing secrets with expected workspace-derived keys.
+ * Adds missing keys (e.g. BETTER_AUTH_*) without overwriting existing values.
+ * Returns the updated secrets if changes were made, or null if no changes needed.
+ * @internal Exported for testing
+ */
+export function reconcileSecrets(
+	secrets: StageSecrets,
+	workspace: NormalizedWorkspace,
+): StageSecrets | null {
+	const isMultiApp = Object.keys(workspace.apps).length > 1;
+	if (!isMultiApp) {
+		return null;
+	}
+
+	const expected = generateFullstackCustomSecrets(workspace);
+	const missing: Record<string, string> = {};
+
+	for (const [key, value] of Object.entries(expected)) {
+		if (!(key in secrets.custom)) {
+			missing[key] = value;
+		}
+	}
+
+	if (Object.keys(missing).length === 0) {
+		return null;
+	}
+
+	logger.log(
+		`   🔄 Adding missing secrets: ${Object.keys(missing).join(', ')}`,
+	);
+
+	return {
+		...secrets,
+		updatedAt: new Date().toISOString(),
+		custom: { ...secrets.custom, ...missing },
+	};
+}
+
 /**
  * Generate fresh secrets for the workspace.
  */