@geekmidas/cli 1.10.6 → 1.10.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekmidas/cli",
-  "version": "1.10.6",
+  "version": "1.10.8",
   "description": "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs",
   "private": false,
   "type": "module",
@@ -56,10 +56,10 @@
     "prompts": "~2.4.2",
     "tsx": "~4.20.3",
     "yaml": "~2.8.2",
-    "@geekmidas/envkit": "~1.0.3",
     "@geekmidas/constructs": "~3.0.2",
-    "@geekmidas/logger": "~1.0.0",
+    "@geekmidas/envkit": "~1.0.3",
     "@geekmidas/errors": "~1.0.0",
+    "@geekmidas/logger": "~1.0.0",
     "@geekmidas/schema": "~1.0.0"
   },
   "devDependencies": {

package/src/dev/__tests__/index.spec.ts

@@ -9,6 +9,7 @@ import type {
 	NormalizedWorkspace,
 } from '../../workspace/index.js';
 import {
+	buildDockerComposeEnv,
 	checkPortConflicts,
 	findAvailablePort,
 	generateAllDependencyEnvVars,
@@ -1753,3 +1754,71 @@ describe('generateServerEntryContent', () => {
 		expect(content).toContain("await import('./custom-app.js')");
 	});
 });
+
+describe('buildDockerComposeEnv', () => {
+	it('should include secrets in the env passed to docker compose', () => {
+		const secretsEnv = {
+			POSTGRES_USER: 'app',
+			POSTGRES_PASSWORD: 'supersecret',
+			POSTGRES_DB: 'myproject_dev',
+		};
+		const portEnv = { POSTGRES_HOST_PORT: '5434' };
+
+		const env = buildDockerComposeEnv(secretsEnv, portEnv);
+
+		expect(env.POSTGRES_USER).toBe('app');
+		expect(env.POSTGRES_PASSWORD).toBe('supersecret');
+		expect(env.POSTGRES_DB).toBe('myproject_dev');
+		expect(env.POSTGRES_HOST_PORT).toBe('5434');
+	});
+
+	it('should include multiple service secrets', () => {
+		const secretsEnv = {
+			POSTGRES_USER: 'app',
+			POSTGRES_PASSWORD: 'dbpass',
+			REDIS_PASSWORD: 'redispass',
+		};
+
+		const env = buildDockerComposeEnv(secretsEnv, {});
+
+		expect(env.POSTGRES_USER).toBe('app');
+		expect(env.POSTGRES_PASSWORD).toBe('dbpass');
+		expect(env.REDIS_PASSWORD).toBe('redispass');
+	});
+
+	it('should let port env override secrets env for same key', () => {
+		const secretsEnv = { POSTGRES_HOST_PORT: '5432' };
+		const portEnv = { POSTGRES_HOST_PORT: '5434' };
+
+		const env = buildDockerComposeEnv(secretsEnv, portEnv);
+
+		expect(env.POSTGRES_HOST_PORT).toBe('5434');
+	});
+
+	it('should work without secrets env', () => {
+		const env = buildDockerComposeEnv(undefined, {
+			POSTGRES_HOST_PORT: '5434',
+		});
+
+		expect(env.POSTGRES_HOST_PORT).toBe('5434');
+	});
+
+	it('should work without any arguments', () => {
+		const env = buildDockerComposeEnv();
+
+		// Should at least have process.env
+		expect(env.PATH).toBeDefined();
+	});
+
+	it('should include process.env as base', () => {
+		const env = buildDockerComposeEnv(
+			{ POSTGRES_USER: 'app' },
+			{ POSTGRES_HOST_PORT: '5434' },
+		);
+
+		// process.env values should be present
+		expect(env.PATH).toBeDefined();
+		// Custom values should override
+		expect(env.POSTGRES_USER).toBe('app');
+	});
+});

package/src/dev/index.ts

@@ -1111,13 +1111,29 @@ export async function loadSecretsForApp(
 	return mapped;
 }
 
+/**
+ * Build the environment variables to pass to `docker compose up`.
+ * Merges process.env, secrets, and port mappings so that Docker Compose
+ * can interpolate variables like ${POSTGRES_USER} correctly.
+ * @internal Exported for testing
+ */
+export function buildDockerComposeEnv(
+	secretsEnv?: Record<string, string>,
+	portEnv?: Record<string, string>,
+): Record<string, string | undefined> {
+	return { ...process.env, ...secretsEnv, ...portEnv };
+}
+
 /**
  * Start docker-compose services for the workspace.
+ * Passes both port mappings and secrets to docker-compose so that
+ * variables like POSTGRES_USER/POSTGRES_PASSWORD are available.
  * @internal Exported for testing
  */
 export async function startWorkspaceServices(
 	workspace: NormalizedWorkspace,
 	portEnv?: Record<string, string>,
+	secretsEnv?: Record<string, string>,
 ): Promise<void> {
 	const services = workspace.services;
 	if (!services.db && !services.cache && !services.mail) {
@@ -1152,11 +1168,12 @@ export async function startWorkspaceServices(
 			return;
 		}
 
-		// Start services with docker-compose
+		// Start services with docker-compose, passing secrets so that
+		// POSTGRES_USER, POSTGRES_PASSWORD, etc. are interpolated correctly
 		execSync(`docker compose up -d ${servicesToStart.join(' ')}`, {
 			cwd: workspace.root,
 			stdio: 'inherit',
-			env: { ...process.env, ...portEnv },
+			env: buildDockerComposeEnv(secretsEnv, portEnv),
 		});
 
 		logger.log('✅ Services started');
@@ -1246,14 +1263,15 @@ async function workspaceDevCommand(
 	// Resolve dynamic service ports from docker-compose.yml
 	const resolvedPorts = await resolveServicePorts(workspace.root);
 
-	// Start docker-compose services with resolved ports
-	await startWorkspaceServices(workspace, resolvedPorts.dockerEnv);
+	// Load secrets BEFORE starting Docker so POSTGRES_USER, POSTGRES_PASSWORD,
+	// etc. are available for docker-compose variable interpolation
+	const rawSecrets = await loadDevSecrets(workspace);
 
-	// Load secrets if enabled, then rewrite URLs with resolved ports
-	const secretsEnv = rewriteUrlsWithPorts(
-		await loadDevSecrets(workspace),
-		resolvedPorts,
-	);
+	// Start docker-compose services with resolved ports AND secrets
+	await startWorkspaceServices(workspace, resolvedPorts.dockerEnv, rawSecrets);
+
+	// Rewrite URLs with resolved ports (hostnames and port numbers)
+	const secretsEnv = rewriteUrlsWithPorts(rawSecrets, resolvedPorts);
 	if (Object.keys(secretsEnv).length > 0) {
 		logger.log(`   Loaded ${Object.keys(secretsEnv).length} secret(s)`);
 	}

package/src/docker/__tests__/compose.spec.ts

@@ -577,7 +577,12 @@ describe('generateWorkspaceCompose', () => {
 			const workspace = createWorkspace();
 			const yaml = generateWorkspaceCompose(workspace);
 
-			expect(yaml).toContain('# Generated by gkm - do not edit manually');
+			expect(yaml).toContain(
+				'# Use "gkm dev" or "gkm test" to start services.',
+			);
+			expect(yaml).toContain(
+				'# Running "docker compose up" directly will not inject secrets or resolve ports.',
+			);
 		});
 
 		it('should include services section', () => {

package/src/docker/compose.ts

@@ -87,7 +87,9 @@ export function generateDockerCompose(options: ComposeOptions): string {
 
 	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : '';
 
-	let yaml = `version: '3.8'
+	let yaml = `# Use "gkm dev" or "gkm test" to start services.
+# Running "docker compose up" directly will not inject secrets or resolve ports.
+version: '3.8'
 
 services:
   api:
@@ -248,7 +250,9 @@ export function generateMinimalDockerCompose(
 
 	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : '';
 
-	return `version: '3.8'
+	return `# Use "gkm dev" or "gkm test" to start services.
+# Running "docker compose up" directly will not inject secrets or resolve ports.
+version: '3.8'
 
 services:
   api:
@@ -307,7 +311,8 @@ export function generateWorkspaceCompose(
 	const redisImage = getInfraServiceImage('redis', services.cache);
 
 	let yaml = `# Docker Compose for ${workspace.name} workspace
-# Generated by gkm - do not edit manually
+# Use "gkm dev" or "gkm test" to start services.
+# Running "docker compose up" directly will not inject secrets or resolve ports.
 
 services:
 `;

package/src/init/generators/docker.ts

@@ -161,7 +161,9 @@ export function generateDockerFiles(
 	}
 
 	// Build docker-compose.yml
-	let dockerCompose = `services:
+	let dockerCompose = `# Use "gkm dev" or "gkm test" to start services.
+# Running "docker compose up" directly will not inject secrets or resolve ports.
+services:
 ${services.join('\n\n')}
 `;
 

package/src/test/__tests__/index.spec.ts

@@ -18,9 +18,11 @@ import {
 	vi,
 } from 'vitest';
 import {
+	buildDockerComposeEnv,
 	createCredentialsPreload,
 	loadPortState,
 	parseComposePortMappings,
+	resolveServicePorts,
 	rewriteUrlsWithPorts,
 	savePortState,
 } from '../../dev/index';
@@ -388,3 +390,116 @@ services:
 		);
 	});
 });
+
+describe('test command Docker startup pipeline', () => {
+	let testDir: string;
+
+	beforeAll(() => {
+		vi.spyOn(console, 'log').mockImplementation(() => {});
+		vi.spyOn(console, 'warn').mockImplementation(() => {});
+	});
+
+	afterAll(() => {
+		vi.restoreAllMocks();
+	});
+
+	beforeEach(() => {
+		testDir = join(tmpdir(), `gkm-test-docker-${Date.now()}`);
+		mkdirSync(testDir, { recursive: true });
+	});
+
+	afterEach(() => {
+		rmSync(testDir, { recursive: true, force: true });
+	});
+
+	it('should build docker compose env with secrets so credentials are interpolated', () => {
+		const secretsEnv = {
+			POSTGRES_USER: 'app',
+			POSTGRES_PASSWORD: 'supersecret',
+			POSTGRES_DB: 'myapp',
+		};
+		const portEnv = { POSTGRES_HOST_PORT: '5434' };
+
+		// This is the env that gets passed to `docker compose up -d`
+		const env = buildDockerComposeEnv(secretsEnv, portEnv);
+
+		// Secrets are available so ${POSTGRES_USER:-postgres} resolves correctly
+		expect(env.POSTGRES_USER).toBe('app');
+		expect(env.POSTGRES_PASSWORD).toBe('supersecret');
+		expect(env.POSTGRES_DB).toBe('myapp');
+		expect(env.POSTGRES_HOST_PORT).toBe('5434');
+	});
+
+	it('should resolve ports, rewrite URLs and hostnames, then append _test', async () => {
+		writeFileSync(
+			join(testDir, 'docker-compose.yml'),
+			`
+services:
+  postgres:
+    image: postgres:18
+    ports:
+      - '\${POSTGRES_HOST_PORT:-5432}:5432'
+  redis:
+    image: redis:7
+    ports:
+      - '\${REDIS_HOST_PORT:-6379}:6379'
+`,
+		);
+
+		// Simulate secrets loaded from encrypted store (Docker hostnames)
+		const secretsEnv: Record<string, string> = {
+			DATABASE_URL: 'postgresql://app:supersecret@postgres:5432/myapp',
+			REDIS_URL: 'redis://:redispass@redis:6379',
+			POSTGRES_USER: 'app',
+			POSTGRES_PASSWORD: 'supersecret',
+			POSTGRES_DB: 'myapp',
+			POSTGRES_HOST: 'postgres',
+			POSTGRES_PORT: '5432',
+			REDIS_PASSWORD: 'redispass',
+			REDIS_HOST: 'redis',
+			REDIS_PORT: '6379',
+		};
+
+		// Step 1: Resolve ports
+		const resolvedPorts = await resolveServicePorts(testDir);
+
+		// Step 2: Build env for docker compose (secrets + ports)
+		const dockerEnv = buildDockerComposeEnv(
+			secretsEnv,
+			resolvedPorts.dockerEnv,
+		);
+		expect(dockerEnv.POSTGRES_USER).toBe('app');
+		expect(dockerEnv.POSTGRES_PASSWORD).toBe('supersecret');
+
+		// Step 3: Rewrite URLs with ports and hostnames
+		const rewritten = rewriteUrlsWithPorts(secretsEnv, resolvedPorts);
+
+		// Step 4: Apply test suffix
+		const final = rewriteDatabaseUrlForTests(rewritten);
+
+		// Hostnames should be rewritten to localhost
+		expect(final.POSTGRES_HOST).toBe('localhost');
+		expect(final.REDIS_HOST).toBe('localhost');
+
+		// DATABASE_URL should have localhost and _test suffix
+		expect(final.DATABASE_URL).toContain('@localhost:');
+		expect(final.DATABASE_URL).toMatch(/\/myapp_test$/);
+
+		// REDIS_URL should have localhost
+		expect(final.REDIS_URL).toContain('@localhost:');
+	});
+
+	it('should not default to postgres:postgres when secrets are provided', () => {
+		const secretsEnv = {
+			POSTGRES_USER: 'myapp',
+			POSTGRES_PASSWORD: 'strongpass123',
+		};
+
+		const env = buildDockerComposeEnv(secretsEnv, {});
+
+		// The key assertion: secrets are in env so Docker Compose
+		// ${POSTGRES_USER:-postgres} resolves to 'myapp', not 'postgres'
+		expect(env.POSTGRES_USER).toBe('myapp');
+		expect(env.POSTGRES_PASSWORD).toBe('strongpass123');
+	});
+});

package/src/test/index.ts

@@ -8,7 +8,9 @@ import {
 	loadEnvFiles,
 	loadPortState,
 	parseComposePortMappings,
+	resolveServicePorts,
 	rewriteUrlsWithPorts,
+	startWorkspaceServices,
 } from '../dev/index';
 import { readStageSecrets, toEmbeddableSecrets } from '../secrets/storage';
 import { getDependencyEnvVars } from '../workspace/index';
@@ -64,28 +66,28 @@ export async function testCommand(options: TestOptions = {}): Promise<void> {
 		}
 	}
 
-	// 3. Rewrite URLs with resolved Docker ports (from gkm dev)
-	const composePath = join(cwd, 'docker-compose.yml');
-	const mappings = parseComposePortMappings(composePath);
-	if (mappings.length > 0) {
-		const ports = await loadPortState(cwd);
-		if (Object.keys(ports).length > 0) {
-			secretsEnv = rewriteUrlsWithPorts(secretsEnv, {
-				dockerEnv: {},
-				ports,
-				mappings,
-			});
-			console.log(`  🔌 Applied ${Object.keys(ports).length} port mapping(s)`);
-		}
-	}
-
-	// 4. Use a separate test database (append _test suffix)
-	secretsEnv = rewriteDatabaseUrlForTests(secretsEnv);
-
-	// 5. Load workspace config + dependency URLs + sniff env vars
+	// 3. Load workspace config + start Docker services with secrets
 	let dependencyEnv: Record<string, string> = {};
 	try {
 		const appInfo = await loadWorkspaceAppInfo(cwd);
+
+		// Resolve ports and start Docker services with secrets so that
+		// POSTGRES_USER, POSTGRES_PASSWORD, etc. are interpolated correctly
+		const resolvedPorts = await resolveServicePorts(appInfo.workspaceRoot);
+		await startWorkspaceServices(
+			appInfo.workspace,
+			resolvedPorts.dockerEnv,
+			secretsEnv,
+		);
+
+		// Rewrite URLs with resolved Docker ports and hostnames
+		if (resolvedPorts.mappings.length > 0) {
+			secretsEnv = rewriteUrlsWithPorts(secretsEnv, resolvedPorts);
+			console.log(
+				`  🔌 Applied ${Object.keys(resolvedPorts.ports).length} port mapping(s)`,
+			);
+		}
+
 		dependencyEnv = getDependencyEnvVars(appInfo.workspace, appInfo.appName);
 
 		if (Object.keys(dependencyEnv).length > 0) {
@@ -94,7 +96,7 @@ export async function testCommand(options: TestOptions = {}): Promise<void> {
 			);
 		}
 
-		// 6. Sniff to detect which env vars the app needs
+		// Sniff to detect which env vars the app needs
 		const sniffed = await sniffAppEnvironment(
 			appInfo.app,
 			appInfo.appName,
@@ -119,9 +121,27 @@ export async function testCommand(options: TestOptions = {}): Promise<void> {
 			);
 		}
 	} catch {
-		// Not in a workspace — continue with just secrets
+		// Not in a workspace — fall back to port state file
+		const composePath = join(cwd, 'docker-compose.yml');
+		const mappings = parseComposePortMappings(composePath);
+		if (mappings.length > 0) {
+			const ports = await loadPortState(cwd);
+			if (Object.keys(ports).length > 0) {
+				secretsEnv = rewriteUrlsWithPorts(secretsEnv, {
+					dockerEnv: {},
+					ports,
+					mappings,
+				});
+				console.log(
+					`  🔌 Applied ${Object.keys(ports).length} port mapping(s)`,
+				);
+			}
+		}
 	}
 
+	// 4. Use a separate test database (append _test suffix)
+	secretsEnv = rewriteDatabaseUrlForTests(secretsEnv);
+
 	console.log('');
 
 	// Write combined secrets to JSON and create credentials preload