@geekmidas/cli 1.10.2 → 1.10.4

package/dist/{reconcile-7yarEvmK.cjs → reconcile-CCtrj-zt.cjs}

@@ -1,4 +1,4 @@
-const require_fullstack_secrets = require('./fullstack-secrets-COWz084x.cjs');
+const require_fullstack_secrets = require('./fullstack-secrets-DqxYGrgW.cjs');
 
 //#region src/secrets/reconcile.ts
 /**
@@ -33,4 +33,4 @@ function reconcileMissingSecrets(secrets, workspace) {
 
 //#endregion
 exports.reconcileMissingSecrets = reconcileMissingSecrets;
-//# sourceMappingURL=reconcile-7yarEvmK.cjs.map
+//# sourceMappingURL=reconcile-CCtrj-zt.cjs.map

package/dist/{reconcile-7yarEvmK.cjs.map → reconcile-CCtrj-zt.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"reconcile-7yarEvmK.cjs","names":["secrets: StageSecrets","workspace: NormalizedWorkspace","addedKeys: string[]"],"sources":["../src/secrets/reconcile.ts"],"sourcesContent":["import { generateFullstackCustomSecrets } from '../setup/fullstack-secrets.js';\nimport type { NormalizedWorkspace } from '../workspace/types.js';\nimport type { StageSecrets } from './types.js';\n\nexport interface ReconcileResult {\n\t/** The updated secrets with missing keys backfilled */\n\tsecrets: StageSecrets;\n\t/** Keys that were added */\n\taddedKeys: string[];\n}\n\n/**\n * Reconcile missing custom secrets for a workspace.\n *\n * Compares current secrets against what generateFullstackCustomSecrets()\n * would produce and backfills any missing keys without overwriting\n * existing values.\n *\n * @returns ReconcileResult if keys were added, null if secrets are up-to-date\n */\nexport function reconcileMissingSecrets(\n\tsecrets: StageSecrets,\n\tworkspace: NormalizedWorkspace,\n): ReconcileResult | null {\n\tconst isMultiApp = Object.keys(workspace.apps).length > 1;\n\tif (!isMultiApp) {\n\t\treturn null;\n\t}\n\n\tconst expectedCustom = generateFullstackCustomSecrets(workspace);\n\tconst addedKeys: string[] = [];\n\tconst mergedCustom = { ...secrets.custom };\n\n\tfor (const [key, value] of Object.entries(expectedCustom)) {\n\t\tif (!(key in mergedCustom)) {\n\t\t\tmergedCustom[key] = value;\n\t\t\taddedKeys.push(key);\n\t\t}\n\t}\n\n\tif (addedKeys.length === 0) {\n\t\treturn null;\n\t}\n\n\treturn {\n\t\tsecrets: {\n\t\t\t...secrets,\n\t\t\tupdatedAt: new Date().toISOString(),\n\t\t\tcustom: mergedCustom,\n\t\t},\n\t\taddedKeys,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;AAoBA,SAAgB,wBACfA,SACAC,WACyB;CACzB,MAAM,aAAa,OAAO,KAAK,UAAU,KAAK,CAAC,SAAS;AACxD,MAAK,WACJ,QAAO;CAGR,MAAM,iBAAiB,yDAA+B,UAAU;CAChE,MAAMC,YAAsB,CAAE;CAC9B,MAAM,eAAe,EAAE,GAAG,QAAQ,OAAQ;AAE1C,MAAK,MAAM,CAAC,KAAK,MAAM,IAAI,OAAO,QAAQ,eAAe,CACxD,OAAM,OAAO,eAAe;AAC3B,eAAa,OAAO;AACpB,YAAU,KAAK,IAAI;CACnB;AAGF,KAAI,UAAU,WAAW,EACxB,QAAO;AAGR,QAAO;EACN,SAAS;GACR,GAAG;GACH,WAAW,qBAAI,QAAO,aAAa;GACnC,QAAQ;EACR;EACD;CACA;AACD"}
+{"version":3,"file":"reconcile-CCtrj-zt.cjs","names":["secrets: StageSecrets","workspace: NormalizedWorkspace","addedKeys: string[]"],"sources":["../src/secrets/reconcile.ts"],"sourcesContent":["import { generateFullstackCustomSecrets } from '../setup/fullstack-secrets.js';\nimport type { NormalizedWorkspace } from '../workspace/types.js';\nimport type { StageSecrets } from './types.js';\n\nexport interface ReconcileResult {\n\t/** The updated secrets with missing keys backfilled */\n\tsecrets: StageSecrets;\n\t/** Keys that were added */\n\taddedKeys: string[];\n}\n\n/**\n * Reconcile missing custom secrets for a workspace.\n *\n * Compares current secrets against what generateFullstackCustomSecrets()\n * would produce and backfills any missing keys without overwriting\n * existing values.\n *\n * @returns ReconcileResult if keys were added, null if secrets are up-to-date\n */\nexport function reconcileMissingSecrets(\n\tsecrets: StageSecrets,\n\tworkspace: NormalizedWorkspace,\n): ReconcileResult | null {\n\tconst isMultiApp = Object.keys(workspace.apps).length > 1;\n\tif (!isMultiApp) {\n\t\treturn null;\n\t}\n\n\tconst expectedCustom = generateFullstackCustomSecrets(workspace);\n\tconst addedKeys: string[] = [];\n\tconst mergedCustom = { ...secrets.custom };\n\n\tfor (const [key, value] of Object.entries(expectedCustom)) {\n\t\tif (!(key in mergedCustom)) {\n\t\t\tmergedCustom[key] = value;\n\t\t\taddedKeys.push(key);\n\t\t}\n\t}\n\n\tif (addedKeys.length === 0) {\n\t\treturn null;\n\t}\n\n\treturn {\n\t\tsecrets: {\n\t\t\t...secrets,\n\t\t\tupdatedAt: new Date().toISOString(),\n\t\t\tcustom: mergedCustom,\n\t\t},\n\t\taddedKeys,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;AAoBA,SAAgB,wBACfA,SACAC,WACyB;CACzB,MAAM,aAAa,OAAO,KAAK,UAAU,KAAK,CAAC,SAAS;AACxD,MAAK,WACJ,QAAO;CAGR,MAAM,iBAAiB,yDAA+B,UAAU;CAChE,MAAMC,YAAsB,CAAE;CAC9B,MAAM,eAAe,EAAE,GAAG,QAAQ,OAAQ;AAE1C,MAAK,MAAM,CAAC,KAAK,MAAM,IAAI,OAAO,QAAQ,eAAe,CACxD,OAAM,OAAO,eAAe;AAC3B,eAAa,OAAO;AACpB,YAAU,KAAK,IAAI;CACnB;AAGF,KAAI,UAAU,WAAW,EACxB,QAAO;AAGR,QAAO;EACN,SAAS;GACR,GAAG;GACH,WAAW,qBAAI,QAAO,aAAa;GACnC,QAAQ;EACR;EACD;CACA;AACD"}

package/dist/{reconcile-D2WCDQue.mjs → reconcile-WzC1oAUV.mjs}

@@ -1,4 +1,4 @@
-import { generateFullstackCustomSecrets } from "./fullstack-secrets-UZAFWuH4.mjs";
+import { generateFullstackCustomSecrets } from "./fullstack-secrets-odm79Uo1.mjs";
 
 //#region src/secrets/reconcile.ts
 /**
@@ -33,4 +33,4 @@ function reconcileMissingSecrets(secrets, workspace) {
 
 //#endregion
 export { reconcileMissingSecrets };
-//# sourceMappingURL=reconcile-D2WCDQue.mjs.map
+//# sourceMappingURL=reconcile-WzC1oAUV.mjs.map

package/dist/{reconcile-D2WCDQue.mjs.map → reconcile-WzC1oAUV.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"reconcile-D2WCDQue.mjs","names":["secrets: StageSecrets","workspace: NormalizedWorkspace","addedKeys: string[]"],"sources":["../src/secrets/reconcile.ts"],"sourcesContent":["import { generateFullstackCustomSecrets } from '../setup/fullstack-secrets.js';\nimport type { NormalizedWorkspace } from '../workspace/types.js';\nimport type { StageSecrets } from './types.js';\n\nexport interface ReconcileResult {\n\t/** The updated secrets with missing keys backfilled */\n\tsecrets: StageSecrets;\n\t/** Keys that were added */\n\taddedKeys: string[];\n}\n\n/**\n * Reconcile missing custom secrets for a workspace.\n *\n * Compares current secrets against what generateFullstackCustomSecrets()\n * would produce and backfills any missing keys without overwriting\n * existing values.\n *\n * @returns ReconcileResult if keys were added, null if secrets are up-to-date\n */\nexport function reconcileMissingSecrets(\n\tsecrets: StageSecrets,\n\tworkspace: NormalizedWorkspace,\n): ReconcileResult | null {\n\tconst isMultiApp = Object.keys(workspace.apps).length > 1;\n\tif (!isMultiApp) {\n\t\treturn null;\n\t}\n\n\tconst expectedCustom = generateFullstackCustomSecrets(workspace);\n\tconst addedKeys: string[] = [];\n\tconst mergedCustom = { ...secrets.custom };\n\n\tfor (const [key, value] of Object.entries(expectedCustom)) {\n\t\tif (!(key in mergedCustom)) {\n\t\t\tmergedCustom[key] = value;\n\t\t\taddedKeys.push(key);\n\t\t}\n\t}\n\n\tif (addedKeys.length === 0) {\n\t\treturn null;\n\t}\n\n\treturn {\n\t\tsecrets: {\n\t\t\t...secrets,\n\t\t\tupdatedAt: new Date().toISOString(),\n\t\t\tcustom: mergedCustom,\n\t\t},\n\t\taddedKeys,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;AAoBA,SAAgB,wBACfA,SACAC,WACyB;CACzB,MAAM,aAAa,OAAO,KAAK,UAAU,KAAK,CAAC,SAAS;AACxD,MAAK,WACJ,QAAO;CAGR,MAAM,iBAAiB,+BAA+B,UAAU;CAChE,MAAMC,YAAsB,CAAE;CAC9B,MAAM,eAAe,EAAE,GAAG,QAAQ,OAAQ;AAE1C,MAAK,MAAM,CAAC,KAAK,MAAM,IAAI,OAAO,QAAQ,eAAe,CACxD,OAAM,OAAO,eAAe;AAC3B,eAAa,OAAO;AACpB,YAAU,KAAK,IAAI;CACnB;AAGF,KAAI,UAAU,WAAW,EACxB,QAAO;AAGR,QAAO;EACN,SAAS;GACR,GAAG;GACH,WAAW,qBAAI,QAAO,aAAa;GACnC,QAAQ;EACR;EACD;CACA;AACD"}
+{"version":3,"file":"reconcile-WzC1oAUV.mjs","names":["secrets: StageSecrets","workspace: NormalizedWorkspace","addedKeys: string[]"],"sources":["../src/secrets/reconcile.ts"],"sourcesContent":["import { generateFullstackCustomSecrets } from '../setup/fullstack-secrets.js';\nimport type { NormalizedWorkspace } from '../workspace/types.js';\nimport type { StageSecrets } from './types.js';\n\nexport interface ReconcileResult {\n\t/** The updated secrets with missing keys backfilled */\n\tsecrets: StageSecrets;\n\t/** Keys that were added */\n\taddedKeys: string[];\n}\n\n/**\n * Reconcile missing custom secrets for a workspace.\n *\n * Compares current secrets against what generateFullstackCustomSecrets()\n * would produce and backfills any missing keys without overwriting\n * existing values.\n *\n * @returns ReconcileResult if keys were added, null if secrets are up-to-date\n */\nexport function reconcileMissingSecrets(\n\tsecrets: StageSecrets,\n\tworkspace: NormalizedWorkspace,\n): ReconcileResult | null {\n\tconst isMultiApp = Object.keys(workspace.apps).length > 1;\n\tif (!isMultiApp) {\n\t\treturn null;\n\t}\n\n\tconst expectedCustom = generateFullstackCustomSecrets(workspace);\n\tconst addedKeys: string[] = [];\n\tconst mergedCustom = { ...secrets.custom };\n\n\tfor (const [key, value] of Object.entries(expectedCustom)) {\n\t\tif (!(key in mergedCustom)) {\n\t\t\tmergedCustom[key] = value;\n\t\t\taddedKeys.push(key);\n\t\t}\n\t}\n\n\tif (addedKeys.length === 0) {\n\t\treturn null;\n\t}\n\n\treturn {\n\t\tsecrets: {\n\t\t\t...secrets,\n\t\t\tupdatedAt: new Date().toISOString(),\n\t\t\tcustom: mergedCustom,\n\t\t},\n\t\taddedKeys,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;AAoBA,SAAgB,wBACfA,SACAC,WACyB;CACzB,MAAM,aAAa,OAAO,KAAK,UAAU,KAAK,CAAC,SAAS;AACxD,MAAK,WACJ,QAAO;CAGR,MAAM,iBAAiB,+BAA+B,UAAU;CAChE,MAAMC,YAAsB,CAAE;CAC9B,MAAM,eAAe,EAAE,GAAG,QAAQ,OAAQ;AAE1C,MAAK,MAAM,CAAC,KAAK,MAAM,IAAI,OAAO,QAAQ,eAAe,CACxD,OAAM,OAAO,eAAe;AAC3B,eAAa,OAAO;AACpB,YAAU,KAAK,IAAI;CACnB;AAGF,KAAI,UAAU,WAAW,EACxB,QAAO;AAGR,QAAO;EACN,SAAS;GACR,GAAG;GACH,WAAW,qBAAI,QAAO,aAAa;GACnC,QAAQ;EACR;EACD;CACA;AACD"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekmidas/cli",
-  "version": "1.10.2",
+  "version": "1.10.4",
   "description": "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs",
   "private": false,
   "type": "module",
@@ -58,9 +58,9 @@
     "yaml": "~2.8.2",
     "@geekmidas/constructs": "~3.0.2",
     "@geekmidas/envkit": "~1.0.3",
-    "@geekmidas/errors": "~1.0.0",
     "@geekmidas/schema": "~1.0.0",
-    "@geekmidas/logger": "~1.0.0"
+    "@geekmidas/logger": "~1.0.0",
+    "@geekmidas/errors": "~1.0.0"
   },
   "devDependencies": {
     "@types/lodash.kebabcase": "^4.1.9",

package/src/dev/index.ts

@@ -1315,6 +1315,7 @@ async function workspaceDevCommand(
 		cwd: workspace.root,
 		stdio: 'inherit',
 		env: turboEnv,
+		detached: true,
 	});
 
 	// Set up file watcher for backend .gkm/openapi.ts changes (auto-copy to frontends)
@@ -1408,21 +1409,35 @@ async function workspaceDevCommand(
 			openApiWatcher.close().catch(() => {});
 		}
 
-		// Kill turbo process
-		if (turboProcess.pid) {
+		// Kill turbo process group
+		const pid = turboProcess.pid;
+		if (pid) {
 			try {
-				// Try to kill the process group
-				process.kill(-turboProcess.pid, 'SIGTERM');
+				process.kill(-pid, 'SIGTERM');
 			} catch {
-				// Fall back to killing just the process
-				turboProcess.kill('SIGTERM');
+				try {
+					process.kill(pid, 'SIGTERM');
+				} catch {
+					// Process already dead
+				}
 			}
 		}
 
-		// Give processes time to clean up
+		// Force kill after timeout if processes are still alive
 		setTimeout(() => {
+			if (pid) {
+				try {
+					process.kill(-pid, 'SIGKILL');
+				} catch {
+					try {
+						process.kill(pid, 'SIGKILL');
+					} catch {
+						// Process already dead
+					}
+				}
+			}
 			process.exit(0);
-		}, 2000);
+		}, 3000);
 	};
 
 	process.on('SIGINT', shutdown);

package/src/init/generators/monorepo.ts

@@ -364,6 +364,7 @@ export default defineWorkspace({
       path: 'apps/auth',
       port: 3002,
       entry: './src/index.ts',
+      framework: 'better-auth',
       envParser: './src/config/env#envParser',
       logger: './src/config/logger#logger',
     },
@@ -418,6 +419,12 @@ export default defineWorkspace({
   },`;
 	}
 
+	// Always enable secrets for workspace dev environment
+	config += `
+  secrets: {
+    enabled: true,
+  },`;
+
 	config += `
 });
 `;

package/src/secrets/__tests__/generator.spec.ts

@@ -40,7 +40,7 @@ describe('generateServiceCredentials', () => {
 	it('should generate postgres credentials with defaults', () => {
 		const creds = generateServiceCredentials('postgres');
 
-		expect(creds.host).toBe('postgres');
+		expect(creds.host).toBe('localhost');
 		expect(creds.port).toBe(5432);
 		expect(creds.username).toBe('app');
 		expect(creds.database).toBe('app');
@@ -50,7 +50,7 @@ describe('generateServiceCredentials', () => {
 	it('should generate redis credentials with defaults', () => {
 		const creds = generateServiceCredentials('redis');
 
-		expect(creds.host).toBe('redis');
+		expect(creds.host).toBe('localhost');
 		expect(creds.port).toBe(6379);
 		expect(creds.username).toBe('default');
 		expect(creds.password).toHaveLength(32);
@@ -59,7 +59,7 @@ describe('generateServiceCredentials', () => {
 	it('should generate rabbitmq credentials with defaults', () => {
 		const creds = generateServiceCredentials('rabbitmq');
 
-		expect(creds.host).toBe('rabbitmq');
+		expect(creds.host).toBe('localhost');
 		expect(creds.port).toBe(5672);
 		expect(creds.username).toBe('app');
 		expect(creds.vhost).toBe('/');

package/src/secrets/generator.ts

@@ -12,24 +12,24 @@ export function generateSecurePassword(length = 32): string {
 		.slice(0, length);
 }
 
-/** Default service configurations */
+/** Default service configurations (localhost for local dev via Docker port mapping) */
 const SERVICE_DEFAULTS: Record<
 	ComposeServiceName,
 	Omit<ServiceCredentials, 'password'>
 > = {
 	postgres: {
-		host: 'postgres',
+		host: 'localhost',
 		port: 5432,
 		username: 'app',
 		database: 'app',
 	},
 	redis: {
-		host: 'redis',
+		host: 'localhost',
 		port: 6379,
 		username: 'default',
 	},
 	rabbitmq: {
-		host: 'rabbitmq',
+		host: 'localhost',
 		port: 5672,
 		username: 'app',
 		vhost: '/',

package/src/setup/__tests__/reconcile-secrets.spec.ts

@@ -0,0 +1,248 @@
+import { describe, expect, it } from 'vitest';
+import type { StageSecrets } from '../../secrets/types.js';
+import type { NormalizedWorkspace } from '../../workspace/types.js';
+import { generateFullstackCustomSecrets } from '../fullstack-secrets.js';
+import { reconcileSecrets } from '../index.js';
+
+function createWorkspace(
+	overrides: Partial<NormalizedWorkspace> = {},
+): NormalizedWorkspace {
+	return {
+		name: 'test-project',
+		root: '/tmp/test-project',
+		apps: {
+			api: {
+				type: 'backend',
+				port: 3000,
+				root: '/tmp/test-project/apps/api',
+				packageName: '@test/api',
+				routes: './src/endpoints/**/*.ts',
+				dependencies: [],
+			},
+			auth: {
+				type: 'backend',
+				port: 3001,
+				root: '/tmp/test-project/apps/auth',
+				packageName: '@test/auth',
+				entry: './src/index.ts',
+				framework: 'better-auth',
+				dependencies: [],
+			},
+			web: {
+				type: 'frontend',
+				port: 3002,
+				root: '/tmp/test-project/apps/web',
+				packageName: '@test/web',
+				dependencies: ['api', 'auth'],
+			},
+		},
+		services: {
+			db: true,
+			cache: false,
+			mail: false,
+		},
+		...overrides,
+	} as NormalizedWorkspace;
+}
+
+function createSecrets(custom: Record<string, string> = {}): StageSecrets {
+	return {
+		stage: 'development',
+		createdAt: '2025-01-01T00:00:00.000Z',
+		updatedAt: '2025-01-01T00:00:00.000Z',
+		services: {
+			postgres: {
+				host: 'localhost',
+				port: 5432,
+				username: 'postgres',
+				password: 'postgres',
+				database: 'test_dev',
+			},
+		},
+		urls: {
+			DATABASE_URL: 'postgresql://postgres:postgres@localhost:5432/test_dev',
+		},
+		custom,
+	};
+}
+
+describe('reconcileSecrets', () => {
+	it('should add missing BETTER_AUTH_* keys to existing secrets', () => {
+		const workspace = createWorkspace();
+		const secrets = createSecrets({
+			NODE_ENV: 'development',
+			PORT: '3000',
+			LOG_LEVEL: 'debug',
+			JWT_SECRET: 'existing-jwt-secret',
+			API_DATABASE_URL: 'postgresql://api:pass@localhost:5432/test_dev',
+			API_DB_PASSWORD: 'pass',
+			AUTH_DATABASE_URL: 'postgresql://auth:pass@localhost:5432/test_dev',
+			AUTH_DB_PASSWORD: 'pass',
+			WEB_URL: 'http://localhost:3002',
+		});
+
+		const result = reconcileSecrets(secrets, workspace);
+
+		expect(result).not.toBeNull();
+		expect(result!.custom.BETTER_AUTH_SECRET).toBeDefined();
+		expect(result!.custom.BETTER_AUTH_URL).toBe('http://localhost:3001');
+		expect(result!.custom.BETTER_AUTH_TRUSTED_ORIGINS).toContain(
+			'http://localhost:3000',
+		);
+		expect(result!.custom.BETTER_AUTH_TRUSTED_ORIGINS).toContain(
+			'http://localhost:3001',
+		);
+		expect(result!.custom.BETTER_AUTH_TRUSTED_ORIGINS).toContain(
+			'http://localhost:3002',
+		);
+		expect(result!.custom.AUTH_PORT).toBe('3001');
+		expect(result!.custom.AUTH_URL).toBe('http://localhost:3001');
+	});
+
+	it('should not overwrite existing secret values', () => {
+		const workspace = createWorkspace();
+		const secrets = createSecrets({
+			NODE_ENV: 'development',
+			PORT: '3000',
+			LOG_LEVEL: 'debug',
+			JWT_SECRET: 'my-custom-jwt',
+			API_DATABASE_URL: 'postgresql://api:custom@localhost:5432/test_dev',
+			API_DB_PASSWORD: 'custom',
+			AUTH_DATABASE_URL: 'postgresql://auth:custom@localhost:5432/test_dev',
+			AUTH_DB_PASSWORD: 'custom',
+			WEB_URL: 'http://localhost:3002',
+			BETTER_AUTH_SECRET: 'my-existing-secret',
+			BETTER_AUTH_URL: 'http://localhost:3001',
+			BETTER_AUTH_TRUSTED_ORIGINS:
+				'http://localhost:3000,http://localhost:3001',
+			AUTH_PORT: '3001',
+			AUTH_URL: 'http://localhost:3001',
+		});
+
+		const result = reconcileSecrets(secrets, workspace);
+
+		expect(result).toBeNull();
+	});
+
+	it('should return null for single-app workspaces', () => {
+		const workspace = createWorkspace({
+			apps: {
+				api: {
+					type: 'backend',
+					port: 3000,
+					root: '/tmp/test-project/apps/api',
+					path: 'apps/api',
+					resolvedDeployTarget: 'dokploy',
+					packageName: '@test/api',
+					routes: './src/endpoints/**/*.ts',
+					dependencies: [],
+				},
+			},
+		} as Partial<NormalizedWorkspace>);
+
+		const secrets = createSecrets({ NODE_ENV: 'development' });
+
+		const result = reconcileSecrets(secrets, workspace);
+
+		expect(result).toBeNull();
+	});
+
+	it('should preserve all existing custom secrets when adding new ones', () => {
+		const workspace = createWorkspace();
+		const secrets = createSecrets({
+			NODE_ENV: 'development',
+			PORT: '3000',
+			LOG_LEVEL: 'debug',
+			JWT_SECRET: 'keep-this',
+			MY_CUSTOM_VAR: 'user-added',
+			API_DATABASE_URL: 'postgresql://api:pass@localhost:5432/test_dev',
+			API_DB_PASSWORD: 'pass',
+			AUTH_DATABASE_URL: 'postgresql://auth:pass@localhost:5432/test_dev',
+			AUTH_DB_PASSWORD: 'pass',
+			WEB_URL: 'http://localhost:3002',
+		});
+
+		const result = reconcileSecrets(secrets, workspace);
+
+		expect(result).not.toBeNull();
+		expect(result!.custom.JWT_SECRET).toBe('keep-this');
+		expect(result!.custom.MY_CUSTOM_VAR).toBe('user-added');
+		expect(result!.custom.BETTER_AUTH_SECRET).toBeDefined();
+	});
+
+	it('should update updatedAt timestamp when reconciling', () => {
+		const workspace = createWorkspace();
+		const secrets = createSecrets({
+			NODE_ENV: 'development',
+			PORT: '3000',
+			API_DATABASE_URL: 'postgresql://api:pass@localhost:5432/test_dev',
+			API_DB_PASSWORD: 'pass',
+			AUTH_DATABASE_URL: 'postgresql://auth:pass@localhost:5432/test_dev',
+			AUTH_DB_PASSWORD: 'pass',
+			WEB_URL: 'http://localhost:3002',
+		});
+
+		const result = reconcileSecrets(secrets, workspace);
+
+		expect(result).not.toBeNull();
+		expect(result!.updatedAt).not.toBe(secrets.updatedAt);
+		expect(result!.createdAt).toBe(secrets.createdAt);
+	});
+});
+
+describe('generateFullstackCustomSecrets', () => {
+	it('should generate BETTER_AUTH_* secrets for better-auth framework apps', () => {
+		const workspace = createWorkspace();
+
+		const result = generateFullstackCustomSecrets(workspace);
+
+		expect(result.BETTER_AUTH_SECRET).toBeDefined();
+		expect(result.BETTER_AUTH_SECRET).toMatch(/^better-auth-/);
+		expect(result.BETTER_AUTH_URL).toBe('http://localhost:3001');
+		expect(result.AUTH_PORT).toBe('3001');
+		expect(result.AUTH_URL).toBe('http://localhost:3001');
+	});
+
+	it('should include all app ports in BETTER_AUTH_TRUSTED_ORIGINS', () => {
+		const workspace = createWorkspace();
+
+		const result = generateFullstackCustomSecrets(workspace);
+
+		const origins = result.BETTER_AUTH_TRUSTED_ORIGINS.split(',');
+		expect(origins).toContain('http://localhost:3000');
+		expect(origins).toContain('http://localhost:3001');
+		expect(origins).toContain('http://localhost:3002');
+	});
+
+	it('should not generate BETTER_AUTH_* for non-better-auth apps', () => {
+		const workspace = createWorkspace({
+			apps: {
+				api: {
+					type: 'backend',
+					port: 3000,
+					root: '/tmp/test-project/apps/api',
+					path: 'apps/api',
+					resolvedDeployTarget: 'dokploy',
+					packageName: '@test/api',
+					routes: './src/endpoints/**/*.ts',
+					dependencies: [],
+				},
+				web: {
+					type: 'frontend',
+					port: 3001,
+					root: '/tmp/test-project/apps/web',
+					path: 'apps/web',
+					resolvedDeployTarget: 'dokploy',
+					packageName: '@test/web',
+					dependencies: ['api'],
+				},
+			},
+		} as Partial<NormalizedWorkspace>);
+
+		const result = generateFullstackCustomSecrets(workspace);
+
+		expect(result.BETTER_AUTH_SECRET).toBeUndefined();
+		expect(result.BETTER_AUTH_URL).toBeUndefined();
+		expect(result.BETTER_AUTH_TRUSTED_ORIGINS).toBeUndefined();
+	});
+});

package/src/setup/index.ts

@@ -10,6 +10,7 @@ import {
 	writeStageSecrets,
 } from '../secrets/storage.js';
 import { isSSMConfigured, pullSecrets, pushSecrets } from '../secrets/sync.js';
+import type { StageSecrets } from '../secrets/types.js';
 import type { ComposeServiceName } from '../types.js';
 import type { LoadedConfig, NormalizedWorkspace } from '../workspace/types.js';
 import {
@@ -112,7 +113,12 @@ async function resolveSecrets(
 		logger.log('🔐 Using existing local secrets');
 		const secrets = await readStageSecrets(stage, workspace.root);
 		if (secrets) {
-			return secrets;
+			// Reconcile: add any missing workspace-derived keys without overwriting
+			const reconciled = reconcileSecrets(secrets, workspace);
+			if (reconciled) {
+				await writeStageSecrets(reconciled, workspace.root);
+			}
+			return reconciled ?? secrets;
 		}
 	}
 
@@ -137,6 +143,45 @@ async function resolveSecrets(
 	return generateFreshSecrets(stage, workspace, options);
 }
 
+/**
+ * Reconcile existing secrets with expected workspace-derived keys.
+ * Adds missing keys (e.g. BETTER_AUTH_*) without overwriting existing values.
+ * Returns the updated secrets if changes were made, or null if no changes needed.
+ * @internal Exported for testing
+ */
+export function reconcileSecrets(
+	secrets: StageSecrets,
+	workspace: NormalizedWorkspace,
+): StageSecrets | null {
+	const isMultiApp = Object.keys(workspace.apps).length > 1;
+	if (!isMultiApp) {
+		return null;
+	}
+
+	const expected = generateFullstackCustomSecrets(workspace);
+	const missing: Record<string, string> = {};
+
+	for (const [key, value] of Object.entries(expected)) {
+		if (!(key in secrets.custom)) {
+			missing[key] = value;
+		}
+	}
+
+	if (Object.keys(missing).length === 0) {
+		return null;
+	}
+
+	logger.log(
+		`   🔄 Adding missing secrets: ${Object.keys(missing).join(', ')}`,
+	);
+
+	return {
+		...secrets,
+		updatedAt: new Date().toISOString(),
+		custom: { ...secrets.custom, ...missing },
+	};
+}
+
 /**
  * Generate fresh secrets for the workspace.
  */

package/src/test/__tests__/index.spec.ts

@@ -1,4 +1,10 @@
-import { mkdirSync, rmSync, writeFileSync } from 'node:fs';
+import {
+	existsSync,
+	mkdirSync,
+	readFileSync,
+	rmSync,
+	writeFileSync,
+} from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import {
@@ -12,6 +18,7 @@ import {
 	vi,
 } from 'vitest';
 import {
+	createCredentialsPreload,
 	loadPortState,
 	parseComposePortMappings,
 	rewriteUrlsWithPorts,
@@ -274,6 +281,38 @@ services:
 		);
 	});
 
+	it('should write test-secrets.json and credentials preload', async () => {
+		const gkmDir = join(testDir, '.gkm');
+		mkdirSync(gkmDir, { recursive: true });
+
+		const secrets = {
+			DATABASE_URL: 'postgresql://app:secret@localhost:5433/myapp_test',
+			JWT_SECRET: 'test-jwt-secret',
+		};
+
+		const secretsJsonPath = join(gkmDir, 'test-secrets.json');
+		writeFileSync(secretsJsonPath, JSON.stringify(secrets, null, 2));
+
+		const preloadPath = join(gkmDir, 'test-credentials-preload.ts');
+		await createCredentialsPreload(preloadPath, secretsJsonPath);
+
+		// Verify secrets JSON was written
+		expect(existsSync(secretsJsonPath)).toBe(true);
+		const written = JSON.parse(readFileSync(secretsJsonPath, 'utf-8'));
+		expect(written.DATABASE_URL).toBe(secrets.DATABASE_URL);
+		expect(written.JWT_SECRET).toBe(secrets.JWT_SECRET);
+
+		// Verify preload script was created with correct content
+		expect(existsSync(preloadPath)).toBe(true);
+		const preloadContent = readFileSync(preloadPath, 'utf-8');
+		expect(preloadContent).toContain(
+			"import { Credentials } from '@geekmidas/envkit/credentials'",
+		);
+		expect(preloadContent).toContain('Object.assign(Credentials');
+		expect(preloadContent).toContain('Object.assign(process.env');
+		expect(preloadContent).toContain(secretsJsonPath);
+	});
+
 	it('should handle worker template with rabbitmq ports', async () => {
 		writeFileSync(
 			join(testDir, 'docker-compose.yml'),

package/src/test/index.ts

@@ -1,8 +1,10 @@
 import { spawn } from 'node:child_process';
+import { mkdir, writeFile } from 'node:fs/promises';
 import { join } from 'node:path';
 import { loadWorkspaceAppInfo } from '../config';
 import { sniffAppEnvironment } from '../deploy/sniffer';
 import {
+	createCredentialsPreload,
 	loadEnvFiles,
 	loadPortState,
 	parseComposePortMappings,
@@ -123,6 +125,24 @@ export async function testCommand(options: TestOptions = {}): Promise<void> {
 
 	console.log('');
 
+	// Write combined secrets to JSON and create credentials preload
+	const allSecrets = { ...secretsEnv, ...dependencyEnv };
+	const gkmDir = join(cwd, '.gkm');
+	await mkdir(gkmDir, { recursive: true });
+	const secretsJsonPath = join(gkmDir, 'test-secrets.json');
+	await writeFile(secretsJsonPath, JSON.stringify(allSecrets, null, 2));
+
+	const preloadPath = join(gkmDir, 'test-credentials-preload.ts');
+	await createCredentialsPreload(preloadPath, secretsJsonPath);
+
+	// Merge NODE_OPTIONS with existing value (if any)
+	const existingNodeOptions = process.env.NODE_OPTIONS ?? '';
+	const tsxImport = '--import=tsx';
+	const preloadImport = `--import=${preloadPath}`;
+	const nodeOptions = [existingNodeOptions, tsxImport, preloadImport]
+		.filter(Boolean)
+		.join(' ');
+
 	// Build vitest args
 	const args: string[] = [];
 
@@ -144,16 +164,15 @@ export async function testCommand(options: TestOptions = {}): Promise<void> {
 		args.push(options.pattern);
 	}
 
-	// Run vitest with combined environment
+	// Run vitest with combined environment and credentials preload
 	const vitestProcess = spawn('npx', ['vitest', ...args], {
 		cwd,
 		stdio: 'inherit',
 		env: {
 			...process.env,
-			...secretsEnv,
-			...dependencyEnv,
-			// Ensure NODE_ENV is set to test
+			...allSecrets,
 			NODE_ENV: 'test',
+			NODE_OPTIONS: nodeOptions,
 		},
 	});
 

package/dist/fullstack-secrets-COWz084x.cjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"fullstack-secrets-COWz084x.cjs","names":["SERVICE_DEFAULTS: Record<\n\tComposeServiceName,\n\tOmit<ServiceCredentials, 'password'>\n>","service: ComposeServiceName","services: ComposeServiceName[]","result: StageSecrets['services']","creds: ServiceCredentials","services: StageSecrets['services']","urls: StageSecrets['urls']","stage: string","secrets: StageSecrets","newCreds: ServiceCredentials","appName: string","password: string","projectName: string","workspace: NormalizedWorkspace","customs: Record<string, string>","frontendPorts: number[]","upperName","secrets: StageSecrets","workspaceRoot: string"],"sources":["../src/secrets/generator.ts","../src/setup/fullstack-secrets.ts"],"sourcesContent":["import { randomBytes } from 'node:crypto';\nimport type { ComposeServiceName } from '../types';\nimport type { ServiceCredentials, StageSecrets } from './types';\n\n/**\n * Generate a secure random password using URL-safe base64 characters.\n * @param length Password length (default: 32)\n */\nexport function generateSecurePassword(length = 32): string {\n\treturn randomBytes(Math.ceil((length * 3) / 4))\n\t\t.toString('base64url')\n\t\t.slice(0, length);\n}\n\n/** Default service configurations */\nconst SERVICE_DEFAULTS: Record<\n\tComposeServiceName,\n\tOmit<ServiceCredentials, 'password'>\n> = {\n\tpostgres: {\n\t\thost: 'postgres',\n\t\tport: 5432,\n\t\tusername: 'app',\n\t\tdatabase: 'app',\n\t},\n\tredis: {\n\t\thost: 'redis',\n\t\tport: 6379,\n\t\tusername: 'default',\n\t},\n\trabbitmq: {\n\t\thost: 'rabbitmq',\n\t\tport: 5672,\n\t\tusername: 'app',\n\t\tvhost: '/',\n\t},\n};\n\n/**\n * Generate credentials for a specific service.\n */\nexport function generateServiceCredentials(\n\tservice: ComposeServiceName,\n): ServiceCredentials {\n\tconst defaults = SERVICE_DEFAULTS[service];\n\treturn {\n\t\t...defaults,\n\t\tpassword: generateSecurePassword(),\n\t};\n}\n\n/**\n * Generate credentials for multiple services.\n */\nexport function generateServicesCredentials(\n\tservices: ComposeServiceName[],\n): StageSecrets['services'] {\n\tconst result: StageSecrets['services'] = {};\n\n\tfor (const service of services) {\n\t\tresult[service] = generateServiceCredentials(service);\n\t}\n\n\treturn result;\n}\n\n/**\n * Generate connection URL for PostgreSQL.\n */\nexport function generatePostgresUrl(creds: ServiceCredentials): string {\n\tconst { username, password, host, port, database } = creds;\n\treturn `postgresql://${username}:${encodeURIComponent(password)}@${host}:${port}/${database}`;\n}\n\n/**\n * Generate connection URL for Redis.\n */\nexport function generateRedisUrl(creds: ServiceCredentials): string {\n\tconst { password, host, port } = creds;\n\treturn `redis://:${encodeURIComponent(password)}@${host}:${port}`;\n}\n\n/**\n * Generate connection URL for RabbitMQ.\n */\nexport function generateRabbitmqUrl(creds: ServiceCredentials): string {\n\tconst { username, password, host, port, vhost } = creds;\n\tconst encodedVhost = encodeURIComponent(vhost ?? '/');\n\treturn `amqp://${username}:${encodeURIComponent(password)}@${host}:${port}/${encodedVhost}`;\n}\n\n/**\n * Generate connection URLs from service credentials.\n */\nexport function generateConnectionUrls(\n\tservices: StageSecrets['services'],\n): StageSecrets['urls'] {\n\tconst urls: StageSecrets['urls'] = {};\n\n\tif (services.postgres) {\n\t\turls.DATABASE_URL = generatePostgresUrl(services.postgres);\n\t}\n\n\tif (services.redis) {\n\t\turls.REDIS_URL = generateRedisUrl(services.redis);\n\t}\n\n\tif (services.rabbitmq) {\n\t\turls.RABBITMQ_URL = generateRabbitmqUrl(services.rabbitmq);\n\t}\n\n\treturn urls;\n}\n\n/**\n * Create a new StageSecrets object with generated credentials.\n */\nexport function createStageSecrets(\n\tstage: string,\n\tservices: ComposeServiceName[],\n): StageSecrets {\n\tconst now = new Date().toISOString();\n\tconst serviceCredentials = generateServicesCredentials(services);\n\tconst urls = generateConnectionUrls(serviceCredentials);\n\n\treturn {\n\t\tstage,\n\t\tcreatedAt: now,\n\t\tupdatedAt: now,\n\t\tservices: serviceCredentials,\n\t\turls,\n\t\tcustom: {},\n\t};\n}\n\n/**\n * Rotate password for a specific service.\n */\nexport function rotateServicePassword(\n\tsecrets: StageSecrets,\n\tservice: ComposeServiceName,\n): StageSecrets {\n\tconst currentCreds = secrets.services[service];\n\tif (!currentCreds) {\n\t\tthrow new Error(`Service \"${service}\" not configured in secrets`);\n\t}\n\n\tconst newCreds: ServiceCredentials = {\n\t\t...currentCreds,\n\t\tpassword: generateSecurePassword(),\n\t};\n\n\tconst newServices = {\n\t\t...secrets.services,\n\t\t[service]: newCreds,\n\t};\n\n\treturn {\n\t\t...secrets,\n\t\tupdatedAt: new Date().toISOString(),\n\t\tservices: newServices,\n\t\turls: generateConnectionUrls(newServices),\n\t};\n}\n","import { mkdir, writeFile } from 'node:fs/promises';\nimport { dirname, join } from 'node:path';\nimport { generateSecurePassword } from '../secrets/generator.js';\nimport type { StageSecrets } from '../secrets/types.js';\nimport type { NormalizedWorkspace } from '../workspace/types.js';\n\n/**\n * Generate a secure random password for database users.\n * Uses a combination of timestamp and random bytes for uniqueness.\n */\nexport function generateDbPassword(): string {\n\treturn `${Date.now().toString(36)}${Math.random().toString(36).slice(2)}${Math.random().toString(36).slice(2)}`;\n}\n\n/**\n * Generate database URL for an app.\n * All apps connect to the same database, but use different users/schemas.\n */\nexport function generateDbUrl(\n\tappName: string,\n\tpassword: string,\n\tprojectName: string,\n\thost = 'localhost',\n\tport = 5432,\n): string {\n\tconst userName = appName.replace(/-/g, '_');\n\tconst dbName = `${projectName.replace(/-/g, '_')}_dev`;\n\treturn `postgresql://${userName}:${password}@${host}:${port}/${dbName}`;\n}\n\n/**\n * Generate fullstack-aware custom secrets for a workspace.\n *\n * Generates:\n * - Common secrets: NODE_ENV, PORT, LOG_LEVEL, JWT_SECRET\n * - Per-app database passwords and URLs for backend apps with db service\n * - Better-auth secrets for apps using the better-auth framework\n */\nexport function generateFullstackCustomSecrets(\n\tworkspace: NormalizedWorkspace,\n): Record<string, string> {\n\tconst hasDb = !!workspace.services.db;\n\tconst customs: Record<string, string> = {\n\t\tNODE_ENV: 'development',\n\t\tPORT: '3000',\n\t\tLOG_LEVEL: 'debug',\n\t\tJWT_SECRET: `dev-${Date.now()}-${Math.random().toString(36).slice(2)}`,\n\t};\n\n\tif (!hasDb) {\n\t\treturn customs;\n\t}\n\n\t// Collect all frontend ports for trusted origins\n\tconst frontendPorts: number[] = [];\n\n\tfor (const [appName, appConfig] of Object.entries(workspace.apps)) {\n\t\tif (appConfig.type === 'frontend') {\n\t\t\tfrontendPorts.push(appConfig.port);\n\t\t\tconst upperName = appName.toUpperCase();\n\t\t\tcustoms[`${upperName}_URL`] = `http://localhost:${appConfig.port}`;\n\t\t\tcontinue;\n\t\t}\n\n\t\t// Backend apps with database: generate per-app DB passwords and URLs\n\t\tconst password = generateDbPassword();\n\t\tconst upperName = appName.toUpperCase();\n\n\t\tcustoms[`${upperName}_DATABASE_URL`] = generateDbUrl(\n\t\t\tappName,\n\t\t\tpassword,\n\t\t\tworkspace.name,\n\t\t);\n\t\tcustoms[`${upperName}_DB_PASSWORD`] = password;\n\n\t\t// Better-auth framework secrets\n\t\tif (appConfig.framework === 'better-auth') {\n\t\t\tcustoms.AUTH_PORT = String(appConfig.port);\n\t\t\tcustoms.AUTH_URL = `http://localhost:${appConfig.port}`;\n\t\t\tcustoms.BETTER_AUTH_SECRET = `better-auth-${Date.now()}-${generateSecurePassword(16)}`;\n\t\t\tcustoms.BETTER_AUTH_URL = `http://localhost:${appConfig.port}`;\n\t\t}\n\t}\n\n\t// Generate trusted origins for better-auth (all app ports)\n\tif (customs.BETTER_AUTH_SECRET) {\n\t\tconst allPorts = Object.values(workspace.apps).map((a) => a.port);\n\t\tcustoms.BETTER_AUTH_TRUSTED_ORIGINS = allPorts\n\t\t\t.map((p) => `http://localhost:${p}`)\n\t\t\t.join(',');\n\t}\n\n\treturn customs;\n}\n\n/**\n * Extract *_DB_PASSWORD keys from secrets and write docker/.env.\n *\n * The docker/.env file contains database passwords that the PostgreSQL\n * init script reads to create per-app database users.\n */\nexport async function writeDockerEnvFromSecrets(\n\tsecrets: StageSecrets,\n\tworkspaceRoot: string,\n): Promise<void> {\n\tconst dbPasswordEntries = Object.entries(secrets.custom).filter(([key]) =>\n\t\tkey.endsWith('_DB_PASSWORD'),\n\t);\n\n\tif (dbPasswordEntries.length === 0) {\n\t\treturn;\n\t}\n\n\tconst envContent = `# Auto-generated docker environment file\n# Contains database passwords for docker-compose postgres init\n# This file is gitignored - do not commit to version control\n${dbPasswordEntries.map(([key, value]) => `${key}=${value}`).join('\\n')}\n`;\n\n\tconst envPath = join(workspaceRoot, 'docker', '.env');\n\tawait mkdir(dirname(envPath), { recursive: true });\n\tawait writeFile(envPath, envContent);\n}\n"],"mappings":";;;;;;;;;;AAQA,SAAgB,uBAAuB,SAAS,IAAY;AAC3D,QAAO,6BAAY,KAAK,KAAM,SAAS,IAAK,EAAE,CAAC,CAC7C,SAAS,YAAY,CACrB,MAAM,GAAG,OAAO;AAClB;;AAGD,MAAMA,mBAGF;CACH,UAAU;EACT,MAAM;EACN,MAAM;EACN,UAAU;EACV,UAAU;CACV;CACD,OAAO;EACN,MAAM;EACN,MAAM;EACN,UAAU;CACV;CACD,UAAU;EACT,MAAM;EACN,MAAM;EACN,UAAU;EACV,OAAO;CACP;AACD;;;;AAKD,SAAgB,2BACfC,SACqB;CACrB,MAAM,WAAW,iBAAiB;AAClC,QAAO;EACN,GAAG;EACH,UAAU,wBAAwB;CAClC;AACD;;;;AAKD,SAAgB,4BACfC,UAC2B;CAC3B,MAAMC,SAAmC,CAAE;AAE3C,MAAK,MAAM,WAAW,SACrB,QAAO,WAAW,2BAA2B,QAAQ;AAGtD,QAAO;AACP;;;;AAKD,SAAgB,oBAAoBC,OAAmC;CACtE,MAAM,EAAE,UAAU,UAAU,MAAM,MAAM,UAAU,GAAG;AACrD,SAAQ,eAAe,SAAS,GAAG,mBAAmB,SAAS,CAAC,GAAG,KAAK,GAAG,KAAK,GAAG,SAAS;AAC5F;;;;AAKD,SAAgB,iBAAiBA,OAAmC;CACnE,MAAM,EAAE,UAAU,MAAM,MAAM,GAAG;AACjC,SAAQ,WAAW,mBAAmB,SAAS,CAAC,GAAG,KAAK,GAAG,KAAK;AAChE;;;;AAKD,SAAgB,oBAAoBA,OAAmC;CACtE,MAAM,EAAE,UAAU,UAAU,MAAM,MAAM,OAAO,GAAG;CAClD,MAAM,eAAe,mBAAmB,SAAS,IAAI;AACrD,SAAQ,SAAS,SAAS,GAAG,mBAAmB,SAAS,CAAC,GAAG,KAAK,GAAG,KAAK,GAAG,aAAa;AAC1F;;;;AAKD,SAAgB,uBACfC,UACuB;CACvB,MAAMC,OAA6B,CAAE;AAErC,KAAI,SAAS,SACZ,MAAK,eAAe,oBAAoB,SAAS,SAAS;AAG3D,KAAI,SAAS,MACZ,MAAK,YAAY,iBAAiB,SAAS,MAAM;AAGlD,KAAI,SAAS,SACZ,MAAK,eAAe,oBAAoB,SAAS,SAAS;AAG3D,QAAO;AACP;;;;AAKD,SAAgB,mBACfC,OACAL,UACe;CACf,MAAM,MAAM,qBAAI,QAAO,aAAa;CACpC,MAAM,qBAAqB,4BAA4B,SAAS;CAChE,MAAM,OAAO,uBAAuB,mBAAmB;AAEvD,QAAO;EACN;EACA,WAAW;EACX,WAAW;EACX,UAAU;EACV;EACA,QAAQ,CAAE;CACV;AACD;;;;AAKD,SAAgB,sBACfM,SACAP,SACe;CACf,MAAM,eAAe,QAAQ,SAAS;AACtC,MAAK,aACJ,OAAM,IAAI,OAAO,WAAW,QAAQ;CAGrC,MAAMQ,WAA+B;EACpC,GAAG;EACH,UAAU,wBAAwB;CAClC;CAED,MAAM,cAAc;EACnB,GAAG,QAAQ;GACV,UAAU;CACX;AAED,QAAO;EACN,GAAG;EACH,WAAW,qBAAI,QAAO,aAAa;EACnC,UAAU;EACV,MAAM,uBAAuB,YAAY;CACzC;AACD;;;;;;;;ACzJD,SAAgB,qBAA6B;AAC5C,SAAQ,EAAE,KAAK,KAAK,CAAC,SAAS,GAAG,CAAC,EAAE,KAAK,QAAQ,CAAC,SAAS,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,KAAK,QAAQ,CAAC,SAAS,GAAG,CAAC,MAAM,EAAE,CAAC;AAC9G;;;;;AAMD,SAAgB,cACfC,SACAC,UACAC,aACA,OAAO,aACP,OAAO,MACE;CACT,MAAM,WAAW,QAAQ,QAAQ,MAAM,IAAI;CAC3C,MAAM,UAAU,EAAE,YAAY,QAAQ,MAAM,IAAI,CAAC;AACjD,SAAQ,eAAe,SAAS,GAAG,SAAS,GAAG,KAAK,GAAG,KAAK,GAAG,OAAO;AACtE;;;;;;;;;AAUD,SAAgB,+BACfC,WACyB;CACzB,MAAM,UAAU,UAAU,SAAS;CACnC,MAAMC,UAAkC;EACvC,UAAU;EACV,MAAM;EACN,WAAW;EACX,aAAa,MAAM,KAAK,KAAK,CAAC,GAAG,KAAK,QAAQ,CAAC,SAAS,GAAG,CAAC,MAAM,EAAE,CAAC;CACrE;AAED,MAAK,MACJ,QAAO;CAIR,MAAMC,gBAA0B,CAAE;AAElC,MAAK,MAAM,CAAC,SAAS,UAAU,IAAI,OAAO,QAAQ,UAAU,KAAK,EAAE;AAClE,MAAI,UAAU,SAAS,YAAY;AAClC,iBAAc,KAAK,UAAU,KAAK;GAClC,MAAMC,cAAY,QAAQ,aAAa;AACvC,YAAS,EAAEA,YAAU,UAAU,mBAAmB,UAAU,KAAK;AACjE;EACA;EAGD,MAAM,WAAW,oBAAoB;EACrC,MAAM,YAAY,QAAQ,aAAa;AAEvC,WAAS,EAAE,UAAU,kBAAkB,cACtC,SACA,UACA,UAAU,KACV;AACD,WAAS,EAAE,UAAU,iBAAiB;AAGtC,MAAI,UAAU,cAAc,eAAe;AAC1C,WAAQ,YAAY,OAAO,UAAU,KAAK;AAC1C,WAAQ,YAAY,mBAAmB,UAAU,KAAK;AACtD,WAAQ,sBAAsB,cAAc,KAAK,KAAK,CAAC,GAAG,uBAAuB,GAAG,CAAC;AACrF,WAAQ,mBAAmB,mBAAmB,UAAU,KAAK;EAC7D;CACD;AAGD,KAAI,QAAQ,oBAAoB;EAC/B,MAAM,WAAW,OAAO,OAAO,UAAU,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK;AACjE,UAAQ,8BAA8B,SACpC,IAAI,CAAC,OAAO,mBAAmB,EAAE,EAAE,CACnC,KAAK,IAAI;CACX;AAED,QAAO;AACP;;;;;;;AAQD,eAAsB,0BACrBC,SACAC,eACgB;CAChB,MAAM,oBAAoB,OAAO,QAAQ,QAAQ,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,KACrE,IAAI,SAAS,eAAe,CAC5B;AAED,KAAI,kBAAkB,WAAW,EAChC;CAGD,MAAM,cAAc;;;EAGnB,kBAAkB,IAAI,CAAC,CAAC,KAAK,MAAM,MAAM,EAAE,IAAI,GAAG,MAAM,EAAE,CAAC,KAAK,KAAK,CAAC;;CAGvE,MAAM,UAAU,oBAAK,eAAe,UAAU,OAAO;AACrD,OAAM,4BAAM,uBAAQ,QAAQ,EAAE,EAAE,WAAW,KAAM,EAAC;AAClD,OAAM,gCAAU,SAAS,WAAW;AACpC"}