@geekmidas/cli 1.10.3 → 1.10.5

package/dist/{reconcile-7yarEvmK.cjs → reconcile-CCtrj-zt.cjs}

@@ -1,4 +1,4 @@
-const require_fullstack_secrets = require('./fullstack-secrets-COWz084x.cjs');
+const require_fullstack_secrets = require('./fullstack-secrets-DqxYGrgW.cjs');
 
 //#region src/secrets/reconcile.ts
 /**
@@ -33,4 +33,4 @@ function reconcileMissingSecrets(secrets, workspace) {
 
 //#endregion
 exports.reconcileMissingSecrets = reconcileMissingSecrets;
-//# sourceMappingURL=reconcile-7yarEvmK.cjs.map
+//# sourceMappingURL=reconcile-CCtrj-zt.cjs.map

package/dist/{reconcile-7yarEvmK.cjs.map → reconcile-CCtrj-zt.cjs.map}

@@ -1 +1 @@
-{"version":3,"file":"reconcile-7yarEvmK.cjs","names":["secrets: StageSecrets","workspace: NormalizedWorkspace","addedKeys: string[]"],"sources":["../src/secrets/reconcile.ts"],"sourcesContent":["import { generateFullstackCustomSecrets } from '../setup/fullstack-secrets.js';\nimport type { NormalizedWorkspace } from '../workspace/types.js';\nimport type { StageSecrets } from './types.js';\n\nexport interface ReconcileResult {\n\t/** The updated secrets with missing keys backfilled */\n\tsecrets: StageSecrets;\n\t/** Keys that were added */\n\taddedKeys: string[];\n}\n\n/**\n * Reconcile missing custom secrets for a workspace.\n *\n * Compares current secrets against what generateFullstackCustomSecrets()\n * would produce and backfills any missing keys without overwriting\n * existing values.\n *\n * @returns ReconcileResult if keys were added, null if secrets are up-to-date\n */\nexport function reconcileMissingSecrets(\n\tsecrets: StageSecrets,\n\tworkspace: NormalizedWorkspace,\n): ReconcileResult | null {\n\tconst isMultiApp = Object.keys(workspace.apps).length > 1;\n\tif (!isMultiApp) {\n\t\treturn null;\n\t}\n\n\tconst expectedCustom = generateFullstackCustomSecrets(workspace);\n\tconst addedKeys: string[] = [];\n\tconst mergedCustom = { ...secrets.custom };\n\n\tfor (const [key, value] of Object.entries(expectedCustom)) {\n\t\tif (!(key in mergedCustom)) {\n\t\t\tmergedCustom[key] = value;\n\t\t\taddedKeys.push(key);\n\t\t}\n\t}\n\n\tif (addedKeys.length === 0) {\n\t\treturn null;\n\t}\n\n\treturn {\n\t\tsecrets: {\n\t\t\t...secrets,\n\t\t\tupdatedAt: new Date().toISOString(),\n\t\t\tcustom: mergedCustom,\n\t\t},\n\t\taddedKeys,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;AAoBA,SAAgB,wBACfA,SACAC,WACyB;CACzB,MAAM,aAAa,OAAO,KAAK,UAAU,KAAK,CAAC,SAAS;AACxD,MAAK,WACJ,QAAO;CAGR,MAAM,iBAAiB,yDAA+B,UAAU;CAChE,MAAMC,YAAsB,CAAE;CAC9B,MAAM,eAAe,EAAE,GAAG,QAAQ,OAAQ;AAE1C,MAAK,MAAM,CAAC,KAAK,MAAM,IAAI,OAAO,QAAQ,eAAe,CACxD,OAAM,OAAO,eAAe;AAC3B,eAAa,OAAO;AACpB,YAAU,KAAK,IAAI;CACnB;AAGF,KAAI,UAAU,WAAW,EACxB,QAAO;AAGR,QAAO;EACN,SAAS;GACR,GAAG;GACH,WAAW,qBAAI,QAAO,aAAa;GACnC,QAAQ;EACR;EACD;CACA;AACD"}
+{"version":3,"file":"reconcile-CCtrj-zt.cjs","names":["secrets: StageSecrets","workspace: NormalizedWorkspace","addedKeys: string[]"],"sources":["../src/secrets/reconcile.ts"],"sourcesContent":["import { generateFullstackCustomSecrets } from '../setup/fullstack-secrets.js';\nimport type { NormalizedWorkspace } from '../workspace/types.js';\nimport type { StageSecrets } from './types.js';\n\nexport interface ReconcileResult {\n\t/** The updated secrets with missing keys backfilled */\n\tsecrets: StageSecrets;\n\t/** Keys that were added */\n\taddedKeys: string[];\n}\n\n/**\n * Reconcile missing custom secrets for a workspace.\n *\n * Compares current secrets against what generateFullstackCustomSecrets()\n * would produce and backfills any missing keys without overwriting\n * existing values.\n *\n * @returns ReconcileResult if keys were added, null if secrets are up-to-date\n */\nexport function reconcileMissingSecrets(\n\tsecrets: StageSecrets,\n\tworkspace: NormalizedWorkspace,\n): ReconcileResult | null {\n\tconst isMultiApp = Object.keys(workspace.apps).length > 1;\n\tif (!isMultiApp) {\n\t\treturn null;\n\t}\n\n\tconst expectedCustom = generateFullstackCustomSecrets(workspace);\n\tconst addedKeys: string[] = [];\n\tconst mergedCustom = { ...secrets.custom };\n\n\tfor (const [key, value] of Object.entries(expectedCustom)) {\n\t\tif (!(key in mergedCustom)) {\n\t\t\tmergedCustom[key] = value;\n\t\t\taddedKeys.push(key);\n\t\t}\n\t}\n\n\tif (addedKeys.length === 0) {\n\t\treturn null;\n\t}\n\n\treturn {\n\t\tsecrets: {\n\t\t\t...secrets,\n\t\t\tupdatedAt: new Date().toISOString(),\n\t\t\tcustom: mergedCustom,\n\t\t},\n\t\taddedKeys,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;AAoBA,SAAgB,wBACfA,SACAC,WACyB;CACzB,MAAM,aAAa,OAAO,KAAK,UAAU,KAAK,CAAC,SAAS;AACxD,MAAK,WACJ,QAAO;CAGR,MAAM,iBAAiB,yDAA+B,UAAU;CAChE,MAAMC,YAAsB,CAAE;CAC9B,MAAM,eAAe,EAAE,GAAG,QAAQ,OAAQ;AAE1C,MAAK,MAAM,CAAC,KAAK,MAAM,IAAI,OAAO,QAAQ,eAAe,CACxD,OAAM,OAAO,eAAe;AAC3B,eAAa,OAAO;AACpB,YAAU,KAAK,IAAI;CACnB;AAGF,KAAI,UAAU,WAAW,EACxB,QAAO;AAGR,QAAO;EACN,SAAS;GACR,GAAG;GACH,WAAW,qBAAI,QAAO,aAAa;GACnC,QAAQ;EACR;EACD;CACA;AACD"}

package/dist/{reconcile-D2WCDQue.mjs → reconcile-WzC1oAUV.mjs}

@@ -1,4 +1,4 @@
-import { generateFullstackCustomSecrets } from "./fullstack-secrets-UZAFWuH4.mjs";
+import { generateFullstackCustomSecrets } from "./fullstack-secrets-odm79Uo1.mjs";
 
 //#region src/secrets/reconcile.ts
 /**
@@ -33,4 +33,4 @@ function reconcileMissingSecrets(secrets, workspace) {
 
 //#endregion
 export { reconcileMissingSecrets };
-//# sourceMappingURL=reconcile-D2WCDQue.mjs.map
+//# sourceMappingURL=reconcile-WzC1oAUV.mjs.map

package/dist/{reconcile-D2WCDQue.mjs.map → reconcile-WzC1oAUV.mjs.map}

@@ -1 +1 @@
-{"version":3,"file":"reconcile-D2WCDQue.mjs","names":["secrets: StageSecrets","workspace: NormalizedWorkspace","addedKeys: string[]"],"sources":["../src/secrets/reconcile.ts"],"sourcesContent":["import { generateFullstackCustomSecrets } from '../setup/fullstack-secrets.js';\nimport type { NormalizedWorkspace } from '../workspace/types.js';\nimport type { StageSecrets } from './types.js';\n\nexport interface ReconcileResult {\n\t/** The updated secrets with missing keys backfilled */\n\tsecrets: StageSecrets;\n\t/** Keys that were added */\n\taddedKeys: string[];\n}\n\n/**\n * Reconcile missing custom secrets for a workspace.\n *\n * Compares current secrets against what generateFullstackCustomSecrets()\n * would produce and backfills any missing keys without overwriting\n * existing values.\n *\n * @returns ReconcileResult if keys were added, null if secrets are up-to-date\n */\nexport function reconcileMissingSecrets(\n\tsecrets: StageSecrets,\n\tworkspace: NormalizedWorkspace,\n): ReconcileResult | null {\n\tconst isMultiApp = Object.keys(workspace.apps).length > 1;\n\tif (!isMultiApp) {\n\t\treturn null;\n\t}\n\n\tconst expectedCustom = generateFullstackCustomSecrets(workspace);\n\tconst addedKeys: string[] = [];\n\tconst mergedCustom = { ...secrets.custom };\n\n\tfor (const [key, value] of Object.entries(expectedCustom)) {\n\t\tif (!(key in mergedCustom)) {\n\t\t\tmergedCustom[key] = value;\n\t\t\taddedKeys.push(key);\n\t\t}\n\t}\n\n\tif (addedKeys.length === 0) {\n\t\treturn null;\n\t}\n\n\treturn {\n\t\tsecrets: {\n\t\t\t...secrets,\n\t\t\tupdatedAt: new Date().toISOString(),\n\t\t\tcustom: mergedCustom,\n\t\t},\n\t\taddedKeys,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;AAoBA,SAAgB,wBACfA,SACAC,WACyB;CACzB,MAAM,aAAa,OAAO,KAAK,UAAU,KAAK,CAAC,SAAS;AACxD,MAAK,WACJ,QAAO;CAGR,MAAM,iBAAiB,+BAA+B,UAAU;CAChE,MAAMC,YAAsB,CAAE;CAC9B,MAAM,eAAe,EAAE,GAAG,QAAQ,OAAQ;AAE1C,MAAK,MAAM,CAAC,KAAK,MAAM,IAAI,OAAO,QAAQ,eAAe,CACxD,OAAM,OAAO,eAAe;AAC3B,eAAa,OAAO;AACpB,YAAU,KAAK,IAAI;CACnB;AAGF,KAAI,UAAU,WAAW,EACxB,QAAO;AAGR,QAAO;EACN,SAAS;GACR,GAAG;GACH,WAAW,qBAAI,QAAO,aAAa;GACnC,QAAQ;EACR;EACD;CACA;AACD"}
+{"version":3,"file":"reconcile-WzC1oAUV.mjs","names":["secrets: StageSecrets","workspace: NormalizedWorkspace","addedKeys: string[]"],"sources":["../src/secrets/reconcile.ts"],"sourcesContent":["import { generateFullstackCustomSecrets } from '../setup/fullstack-secrets.js';\nimport type { NormalizedWorkspace } from '../workspace/types.js';\nimport type { StageSecrets } from './types.js';\n\nexport interface ReconcileResult {\n\t/** The updated secrets with missing keys backfilled */\n\tsecrets: StageSecrets;\n\t/** Keys that were added */\n\taddedKeys: string[];\n}\n\n/**\n * Reconcile missing custom secrets for a workspace.\n *\n * Compares current secrets against what generateFullstackCustomSecrets()\n * would produce and backfills any missing keys without overwriting\n * existing values.\n *\n * @returns ReconcileResult if keys were added, null if secrets are up-to-date\n */\nexport function reconcileMissingSecrets(\n\tsecrets: StageSecrets,\n\tworkspace: NormalizedWorkspace,\n): ReconcileResult | null {\n\tconst isMultiApp = Object.keys(workspace.apps).length > 1;\n\tif (!isMultiApp) {\n\t\treturn null;\n\t}\n\n\tconst expectedCustom = generateFullstackCustomSecrets(workspace);\n\tconst addedKeys: string[] = [];\n\tconst mergedCustom = { ...secrets.custom };\n\n\tfor (const [key, value] of Object.entries(expectedCustom)) {\n\t\tif (!(key in mergedCustom)) {\n\t\t\tmergedCustom[key] = value;\n\t\t\taddedKeys.push(key);\n\t\t}\n\t}\n\n\tif (addedKeys.length === 0) {\n\t\treturn null;\n\t}\n\n\treturn {\n\t\tsecrets: {\n\t\t\t...secrets,\n\t\t\tupdatedAt: new Date().toISOString(),\n\t\t\tcustom: mergedCustom,\n\t\t},\n\t\taddedKeys,\n\t};\n}\n"],"mappings":";;;;;;;;;;;;AAoBA,SAAgB,wBACfA,SACAC,WACyB;CACzB,MAAM,aAAa,OAAO,KAAK,UAAU,KAAK,CAAC,SAAS;AACxD,MAAK,WACJ,QAAO;CAGR,MAAM,iBAAiB,+BAA+B,UAAU;CAChE,MAAMC,YAAsB,CAAE;CAC9B,MAAM,eAAe,EAAE,GAAG,QAAQ,OAAQ;AAE1C,MAAK,MAAM,CAAC,KAAK,MAAM,IAAI,OAAO,QAAQ,eAAe,CACxD,OAAM,OAAO,eAAe;AAC3B,eAAa,OAAO;AACpB,YAAU,KAAK,IAAI;CACnB;AAGF,KAAI,UAAU,WAAW,EACxB,QAAO;AAGR,QAAO;EACN,SAAS;GACR,GAAG;GACH,WAAW,qBAAI,QAAO,aAAa;GACnC,QAAQ;EACR;EACD;CACA;AACD"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekmidas/cli",
-  "version": "1.10.3",
+  "version": "1.10.5",
   "description": "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs",
   "private": false,
   "type": "module",
@@ -56,11 +56,11 @@
     "prompts": "~2.4.2",
     "tsx": "~4.20.3",
     "yaml": "~2.8.2",
-    "@geekmidas/envkit": "~1.0.3",
     "@geekmidas/constructs": "~3.0.2",
     "@geekmidas/errors": "~1.0.0",
     "@geekmidas/logger": "~1.0.0",
-    "@geekmidas/schema": "~1.0.0"
+    "@geekmidas/schema": "~1.0.0",
+    "@geekmidas/envkit": "~1.0.3"
   },
   "devDependencies": {
     "@types/lodash.kebabcase": "^4.1.9",

package/src/dev/__tests__/index.spec.ts

@@ -1257,10 +1257,11 @@ describe('rewriteUrlsWithPorts', () => {
 		containerPort: 5672,
 	};
 
-	it('should rewrite DATABASE_URL with resolved postgres port', () => {
+	it('should rewrite DATABASE_URL with resolved postgres port and hostname', () => {
 		const secrets = {
 			DATABASE_URL: 'postgresql://app:pass@postgres:5432/mydb',
 			POSTGRES_PORT: '5432',
+			POSTGRES_HOST: 'postgres',
 			SOME_OTHER: 'value',
 		};
 		const result = rewriteUrlsWithPorts(secrets, {
@@ -1269,9 +1270,10 @@ describe('rewriteUrlsWithPorts', () => {
 			mappings: [pgMapping],
 		});
 		expect(result.DATABASE_URL).toBe(
-			'postgresql://app:pass@postgres:5433/mydb',
+			'postgresql://app:pass@localhost:5433/mydb',
 		);
 		expect(result.POSTGRES_PORT).toBe('5433');
+		expect(result.POSTGRES_HOST).toBe('localhost');
 		expect(result.SOME_OTHER).toBe('value');
 	});
 
@@ -1293,18 +1295,20 @@ describe('rewriteUrlsWithPorts', () => {
 		);
 	});
 
-	it('should rewrite REDIS_URL and REDIS_PORT', () => {
+	it('should rewrite REDIS_URL, REDIS_PORT, and REDIS_HOST', () => {
 		const secrets = {
 			REDIS_URL: 'redis://:pass@redis:6379',
 			REDIS_PORT: '6379',
+			REDIS_HOST: 'redis',
 		};
 		const result = rewriteUrlsWithPorts(secrets, {
 			dockerEnv: { REDIS_HOST_PORT: '6380' },
 			ports: { REDIS_HOST_PORT: 6380 },
 			mappings: [redisMapping],
 		});
-		expect(result.REDIS_URL).toBe('redis://:pass@redis:6380');
+		expect(result.REDIS_URL).toBe('redis://:pass@localhost:6380');
 		expect(result.REDIS_PORT).toBe('6380');
+		expect(result.REDIS_HOST).toBe('localhost');
 	});
 
 	it('should rewrite RABBITMQ_URL and RABBITMQ_PORT', () => {
@@ -1317,7 +1321,7 @@ describe('rewriteUrlsWithPorts', () => {
 			ports: { RABBITMQ_HOST_PORT: 5673 },
 			mappings: [rmqMapping],
 		});
-		expect(result.RABBITMQ_URL).toBe('amqp://app:pass@rabbitmq:5673/%2F');
+		expect(result.RABBITMQ_URL).toBe('amqp://app:pass@localhost:5673/%2F');
 		expect(result.RABBITMQ_PORT).toBe('5673');
 	});
 
@@ -1336,26 +1340,48 @@ describe('rewriteUrlsWithPorts', () => {
 			ports: { POSTGRES_HOST_PORT: 5433, REDIS_HOST_PORT: 6380 },
 			mappings: [pgMapping, redisMapping],
 		});
-		expect(result.DATABASE_URL).toContain(':5433/');
+		expect(result.DATABASE_URL).toBe(
+			'postgresql://app:pass@localhost:5433/mydb',
+		);
 		expect(result.POSTGRES_PORT).toBe('5433');
-		expect(result.REDIS_URL).toContain(':6380');
+		expect(result.REDIS_URL).toBe('redis://:pass@localhost:6380');
 		expect(result.REDIS_PORT).toBe('6380');
 	});
 
-	it('should not modify secrets when ports are defaults', () => {
+	it('should rewrite hostnames even when ports are defaults', () => {
 		const secrets = {
 			DATABASE_URL: 'postgresql://app:pass@postgres:5432/mydb',
 			POSTGRES_PORT: '5432',
+			POSTGRES_HOST: 'postgres',
 		};
 		const result = rewriteUrlsWithPorts(secrets, {
 			dockerEnv: { POSTGRES_HOST_PORT: '5432' },
 			ports: { POSTGRES_HOST_PORT: 5432 },
 			mappings: [pgMapping],
 		});
-		expect(result.DATABASE_URL).toBe(secrets.DATABASE_URL);
+		expect(result.DATABASE_URL).toBe(
+			'postgresql://app:pass@localhost:5432/mydb',
+		);
+		expect(result.POSTGRES_HOST).toBe('localhost');
 		expect(result.POSTGRES_PORT).toBe('5432');
 	});
 
+	it('should not rewrite _HOST vars that are already localhost', () => {
+		const secrets = {
+			DATABASE_URL: 'postgresql://app:pass@localhost:5432/mydb',
+			POSTGRES_HOST: 'localhost',
+		};
+		const result = rewriteUrlsWithPorts(secrets, {
+			dockerEnv: { POSTGRES_HOST_PORT: '5432' },
+			ports: { POSTGRES_HOST_PORT: 5432 },
+			mappings: [pgMapping],
+		});
+		expect(result.DATABASE_URL).toBe(
+			'postgresql://app:pass@localhost:5432/mydb',
+		);
+		expect(result.POSTGRES_HOST).toBe('localhost');
+	});
+
 	it('should return empty for no mappings', () => {
 		const result = rewriteUrlsWithPorts(
 			{},

package/src/dev/index.ts

@@ -354,7 +354,10 @@ export function rewriteUrlsWithPorts(
 
 	// Build a map of defaultPort → resolvedPort for all changed ports
 	const portReplacements: { defaultPort: number; resolvedPort: number }[] = [];
+	// Collect Docker service names for hostname rewriting
+	const serviceNames = new Set<string>();
 	for (const mapping of mappings) {
+		serviceNames.add(mapping.service);
 		const resolved = ports[mapping.envVar];
 		if (resolved !== undefined) {
 			portReplacements.push({
@@ -364,6 +367,14 @@ export function rewriteUrlsWithPorts(
 		}
 	}
 
+	// Rewrite _HOST env vars that use Docker service names
+	for (const [key, value] of Object.entries(result)) {
+		if (!key.endsWith('_HOST')) continue;
+		if (serviceNames.has(value)) {
+			result[key] = 'localhost';
+		}
+	}
+
 	// Rewrite _PORT env vars whose values match a default port
 	for (const [key, value] of Object.entries(result)) {
 		if (!key.endsWith('_PORT')) continue;
@@ -374,11 +385,17 @@ export function rewriteUrlsWithPorts(
 		}
 	}
 
-	// Rewrite URLs containing default ports
+	// Rewrite URLs: replace Docker service hostnames with localhost and fix ports
 	for (const [key, value] of Object.entries(result)) {
 		if (!key.endsWith('_URL') && key !== 'DATABASE_URL') continue;
 
 		let rewritten = value;
+		for (const name of serviceNames) {
+			rewritten = rewritten.replace(
+				new RegExp(`@${name}:`, 'g'),
+				'@localhost:',
+			);
+		}
 		for (const { defaultPort, resolvedPort } of portReplacements) {
 			rewritten = replacePortInUrl(rewritten, defaultPort, resolvedPort);
 		}

package/src/docker/__tests__/compose.spec.ts

@@ -122,14 +122,14 @@ describe('generateDockerCompose', () => {
 	});
 
 	describe('postgres service', () => {
-		it('should add DATABASE_URL environment variable', () => {
+		it('should add DATABASE_URL environment variable with credential interpolation', () => {
 			const yaml = generateDockerCompose({
 				...baseOptions,
 				services: { postgres: true },
 			});
 
 			expect(yaml).toContain(
-				'- DATABASE_URL=${DATABASE_URL:-postgresql://postgres:postgres@postgres:5432/app}',
+				'- DATABASE_URL=${DATABASE_URL:-postgresql://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@postgres:5432/${POSTGRES_DB:-app}}',
 			);
 		});
 
@@ -185,13 +185,15 @@ describe('generateDockerCompose', () => {
 			expect(yaml).toContain('postgres_data:');
 		});
 
-		it('should include postgres healthcheck', () => {
+		it('should include postgres healthcheck using POSTGRES_USER', () => {
 			const yaml = generateDockerCompose({
 				...baseOptions,
 				services: { postgres: true },
 			});
 
-			expect(yaml).toContain('test: ["CMD-SHELL", "pg_isready -U postgres"]');
+			expect(yaml).toContain(
+				'test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER"]',
+			);
 		});
 
 		it('should add depends_on for postgres', () => {
@@ -801,7 +803,7 @@ describe('generateWorkspaceCompose', () => {
 			const yaml = generateWorkspaceCompose(workspace);
 
 			expect(yaml).toContain(
-				'DATABASE_URL=${DATABASE_URL:-postgresql://postgres:postgres@postgres:5432/app}',
+				'DATABASE_URL=${DATABASE_URL:-postgresql://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@postgres:5432/${POSTGRES_DB:-app}}',
 			);
 		});
 

package/src/docker/compose.ts

@@ -105,7 +105,7 @@ services:
 
 	// Add environment variables based on services
 	if (serviceMap.has('postgres')) {
-		yaml += `      - DATABASE_URL=\${DATABASE_URL:-postgresql://postgres:postgres@postgres:5432/app}
+		yaml += `      - DATABASE_URL=\${DATABASE_URL:-postgresql://\${POSTGRES_USER:-postgres}:\${POSTGRES_PASSWORD:-postgres}@postgres:5432/\${POSTGRES_DB:-app}}
 `;
 	}
 
@@ -156,7 +156,7 @@ services:
     volumes:
       - postgres_data:/var/lib/postgresql/data
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER"]
       interval: 5s
       timeout: 5s
       retries: 5
@@ -335,7 +335,7 @@ services:
     volumes:
       - postgres_data:/var/lib/postgresql/data
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER"]
       interval: 5s
       timeout: 5s
       retries: 5
@@ -480,7 +480,7 @@ function generateAppService(
 	// Add infrastructure service URLs for backend apps
 	if (app.type === 'backend') {
 		if (hasPostgres) {
-			yaml += `      - DATABASE_URL=\${DATABASE_URL:-postgresql://postgres:postgres@postgres:5432/app}
+			yaml += `      - DATABASE_URL=\${DATABASE_URL:-postgresql://\${POSTGRES_USER:-postgres}:\${POSTGRES_PASSWORD:-postgres}@postgres:5432/\${POSTGRES_DB:-app}}
 `;
 		}
 		if (hasRedis) {

package/src/init/generators/docker.ts

@@ -46,15 +46,15 @@ export function generateDockerFiles(
     container_name: ${options.name}-postgres
     restart: unless-stopped${envFile}
     environment:
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: postgres
-      POSTGRES_DB: ${options.name.replace(/-/g, '_')}_dev
+      POSTGRES_USER: \${POSTGRES_USER:-postgres}
+      POSTGRES_PASSWORD: \${POSTGRES_PASSWORD:-postgres}
+      POSTGRES_DB: \${POSTGRES_DB:-${options.name.replace(/-/g, '_')}_dev}
     ports:
       - '\${POSTGRES_HOST_PORT:-5432}:5432'
     volumes:
       - postgres_data:/var/lib/postgresql/data${initVolume}
     healthcheck:
-      test: ['CMD-SHELL', 'pg_isready -U postgres']
+      test: ['CMD-SHELL', 'pg_isready -U $$POSTGRES_USER']
       interval: 5s
       timeout: 5s
       retries: 5`);

package/src/init/generators/monorepo.ts

@@ -364,6 +364,7 @@ export default defineWorkspace({
       path: 'apps/auth',
       port: 3002,
       entry: './src/index.ts',
+      framework: 'better-auth',
       envParser: './src/config/env#envParser',
       logger: './src/config/logger#logger',
     },
@@ -418,6 +419,12 @@ export default defineWorkspace({
   },`;
 	}
 
+	// Always enable secrets for workspace dev environment
+	config += `
+  secrets: {
+    enabled: true,
+  },`;
+
 	config += `
 });
 `;

package/src/secrets/__tests__/generator.spec.ts

@@ -40,7 +40,7 @@ describe('generateServiceCredentials', () => {
 	it('should generate postgres credentials with defaults', () => {
 		const creds = generateServiceCredentials('postgres');
 
-		expect(creds.host).toBe('postgres');
+		expect(creds.host).toBe('localhost');
 		expect(creds.port).toBe(5432);
 		expect(creds.username).toBe('app');
 		expect(creds.database).toBe('app');
@@ -50,7 +50,7 @@ describe('generateServiceCredentials', () => {
 	it('should generate redis credentials with defaults', () => {
 		const creds = generateServiceCredentials('redis');
 
-		expect(creds.host).toBe('redis');
+		expect(creds.host).toBe('localhost');
 		expect(creds.port).toBe(6379);
 		expect(creds.username).toBe('default');
 		expect(creds.password).toHaveLength(32);
@@ -59,7 +59,7 @@ describe('generateServiceCredentials', () => {
 	it('should generate rabbitmq credentials with defaults', () => {
 		const creds = generateServiceCredentials('rabbitmq');
 
-		expect(creds.host).toBe('rabbitmq');
+		expect(creds.host).toBe('localhost');
 		expect(creds.port).toBe(5672);
 		expect(creds.username).toBe('app');
 		expect(creds.vhost).toBe('/');

package/src/secrets/generator.ts

@@ -12,24 +12,24 @@ export function generateSecurePassword(length = 32): string {
 		.slice(0, length);
 }
 
-/** Default service configurations */
+/** Default service configurations (localhost for local dev via Docker port mapping) */
 const SERVICE_DEFAULTS: Record<
 	ComposeServiceName,
 	Omit<ServiceCredentials, 'password'>
 > = {
 	postgres: {
-		host: 'postgres',
+		host: 'localhost',
 		port: 5432,
 		username: 'app',
 		database: 'app',
 	},
 	redis: {
-		host: 'redis',
+		host: 'localhost',
 		port: 6379,
 		username: 'default',
 	},
 	rabbitmq: {
-		host: 'rabbitmq',
+		host: 'localhost',
 		port: 5672,
 		username: 'app',
 		vhost: '/',

package/src/test/__tests__/index.spec.ts

@@ -1,4 +1,10 @@
-import { mkdirSync, rmSync, writeFileSync } from 'node:fs';
+import {
+	existsSync,
+	mkdirSync,
+	readFileSync,
+	rmSync,
+	writeFileSync,
+} from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import {
@@ -12,12 +18,13 @@ import {
 	vi,
 } from 'vitest';
 import {
+	createCredentialsPreload,
 	loadPortState,
 	parseComposePortMappings,
 	rewriteUrlsWithPorts,
 	savePortState,
 } from '../../dev/index';
-import { ensureTestDatabase, rewriteDatabaseUrlForTests } from '../index';
+import { rewriteDatabaseUrlForTests } from '../index';
 
 describe('rewriteDatabaseUrlForTests', () => {
 	beforeAll(() => {
@@ -121,39 +128,6 @@ describe('rewriteDatabaseUrlForTests', () => {
 	});
 });
 
-describe('ensureTestDatabase', () => {
-	beforeAll(() => {
-		vi.spyOn(console, 'log').mockImplementation(() => {});
-	});
-
-	afterAll(() => {
-		vi.restoreAllMocks();
-	});
-
-	it('should do nothing when DATABASE_URL is missing', async () => {
-		// Should resolve without error
-		await ensureTestDatabase({});
-		await ensureTestDatabase({ REDIS_URL: 'redis://localhost:6379' });
-	});
-
-	it('should do nothing when database name is empty', async () => {
-		await ensureTestDatabase({
-			DATABASE_URL: 'postgresql://app:secret@localhost:5432/',
-		});
-	});
-
-	it('should not throw when postgres is unreachable', async () => {
-		// Use a port that's almost certainly not running postgres
-		await ensureTestDatabase({
-			DATABASE_URL: 'postgresql://app:secret@localhost:59999/test_db',
-		});
-		// Should log a warning but not throw
-		expect(console.log).toHaveBeenCalledWith(
-			expect.stringContaining('Could not ensure test database'),
-		);
-	});
-});
-
 describe('port rewriting + test database pipeline', () => {
 	let testDir: string;
 
@@ -274,6 +248,38 @@ services:
 		);
 	});
 
+	it('should write test-secrets.json and credentials preload', async () => {
+		const gkmDir = join(testDir, '.gkm');
+		mkdirSync(gkmDir, { recursive: true });
+
+		const secrets = {
+			DATABASE_URL: 'postgresql://app:secret@localhost:5433/myapp_test',
+			JWT_SECRET: 'test-jwt-secret',
+		};
+
+		const secretsJsonPath = join(gkmDir, 'test-secrets.json');
+		writeFileSync(secretsJsonPath, JSON.stringify(secrets, null, 2));
+
+		const preloadPath = join(gkmDir, 'test-credentials-preload.ts');
+		await createCredentialsPreload(preloadPath, secretsJsonPath);
+
+		// Verify secrets JSON was written
+		expect(existsSync(secretsJsonPath)).toBe(true);
+		const written = JSON.parse(readFileSync(secretsJsonPath, 'utf-8'));
+		expect(written.DATABASE_URL).toBe(secrets.DATABASE_URL);
+		expect(written.JWT_SECRET).toBe(secrets.JWT_SECRET);
+
+		// Verify preload script was created with correct content
+		expect(existsSync(preloadPath)).toBe(true);
+		const preloadContent = readFileSync(preloadPath, 'utf-8');
+		expect(preloadContent).toContain(
+			"import { Credentials } from '@geekmidas/envkit/credentials'",
+		);
+		expect(preloadContent).toContain('Object.assign(Credentials');
+		expect(preloadContent).toContain('Object.assign(process.env');
+		expect(preloadContent).toContain(secretsJsonPath);
+	});
+
 	it('should handle worker template with rabbitmq ports', async () => {
 		writeFileSync(
 			join(testDir, 'docker-compose.yml'),
@@ -320,4 +326,65 @@ services:
 		// RabbitMQ port rewritten
 		expect(secrets.RABBITMQ_URL).toBe('amqp://app:secret@localhost:5673');
 	});
+
+	it('should preserve root postgres credentials through the pipeline', async () => {
+		writeFileSync(
+			join(testDir, 'docker-compose.yml'),
+			`
+services:
+  postgres:
+    image: postgres:17
+    ports:
+      - '\${POSTGRES_HOST_PORT:-5432}:5432'
+`,
+		);
+
+		await savePortState(testDir, {
+			POSTGRES_HOST_PORT: 5434,
+		});
+
+		// Simulate toEmbeddableSecrets output for a workspace with app-specific users
+		let secrets: Record<string, string> = {
+			DATABASE_URL: 'postgresql://app:rootpass@postgres:5432/app',
+			API_DATABASE_URL: 'postgresql://api:apipass@localhost:5432/myproject_dev',
+			AUTH_DATABASE_URL:
+				'postgresql://auth:authpass@localhost:5432/myproject_dev',
+			POSTGRES_USER: 'app',
+			POSTGRES_PASSWORD: 'rootpass',
+			POSTGRES_DB: 'app',
+			POSTGRES_HOST: 'postgres',
+			POSTGRES_PORT: '5432',
+		};
+
+		// Apply port + host rewriting
+		const mappings = parseComposePortMappings(
+			join(testDir, 'docker-compose.yml'),
+		);
+		const ports = await loadPortState(testDir);
+		secrets = rewriteUrlsWithPorts(secrets, {
+			dockerEnv: {},
+			ports,
+			mappings,
+		});
+
+		// Apply test database suffix
+		secrets = rewriteDatabaseUrlForTests(secrets);
+
+		// Root credentials should be present and rewritten to localhost
+		expect(secrets.POSTGRES_USER).toBe('app');
+		expect(secrets.POSTGRES_PASSWORD).toBe('rootpass');
+		expect(secrets.POSTGRES_HOST).toBe('localhost');
+		expect(secrets.POSTGRES_PORT).toBe('5434');
+
+		// All DATABASE_URLs should have localhost, resolved port, and _test suffix
+		expect(secrets.DATABASE_URL).toBe(
+			'postgresql://app:rootpass@localhost:5434/app_test',
+		);
+		expect(secrets.API_DATABASE_URL).toBe(
+			'postgresql://api:apipass@localhost:5434/myproject_dev_test',
+		);
+		expect(secrets.AUTH_DATABASE_URL).toBe(
+			'postgresql://auth:authpass@localhost:5434/myproject_dev_test',
+		);
+	});
 });