@geekmidas/cli 1.10.7 → 1.10.9

package/src/docker/compose.ts

@@ -13,6 +13,7 @@ export const DEFAULT_SERVICE_IMAGES: Record<ComposeServiceName, string> = {
 	postgres: 'postgres',
 	redis: 'redis',
 	rabbitmq: 'rabbitmq',
+	minio: 'minio/minio',
 };
 
 /** Default Docker image versions for services */
@@ -20,6 +21,7 @@ export const DEFAULT_SERVICE_VERSIONS: Record<ComposeServiceName, string> = {
 	postgres: '18-alpine',
 	redis: '7-alpine',
 	rabbitmq: '3-management-alpine',
+	minio: 'latest',
 };
 
 export interface ComposeOptions {
@@ -87,7 +89,9 @@ export function generateDockerCompose(options: ComposeOptions): string {
 
 	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : '';
 
-	let yaml = `version: '3.8'
+	let yaml = `# Use "gkm dev" or "gkm test" to start services.
+# Running "docker compose up" directly will not inject secrets or resolve ports.
+version: '3.8'
 
 services:
   api:
@@ -119,6 +123,16 @@ services:
 `;
 	}
 
+	if (serviceMap.has('minio')) {
+		yaml += `      - S3_ENDPOINT=\${S3_ENDPOINT:-http://minio:9000}
+      - S3_ACCESS_KEY_ID=\${MINIO_ACCESS_KEY:-app}
+      - S3_SECRET_ACCESS_KEY=\${MINIO_SECRET_KEY:-app}
+      - S3_BUCKET=\${MINIO_BUCKET:-app}
+      - S3_REGION=\${S3_REGION:-eu-west-1}
+      - S3_FORCE_PATH_STYLE=true
+`;
+	}
+
 	yaml += `    healthcheck:
       test: ["CMD", "wget", "-q", "--spider", "http://localhost:${port}${healthCheckPath}"]
       interval: 30s
@@ -208,6 +222,32 @@ services:
 `;
 	}
 
+	const minioImage = serviceMap.get('minio');
+	if (minioImage) {
+		yaml += `
+  minio:
+    image: ${minioImage}
+    container_name: minio
+    restart: unless-stopped
+    entrypoint: sh
+    command: -c 'mkdir -p /data/\${MINIO_BUCKET:-app} && /usr/bin/docker-entrypoint.sh server --console-address ":9001" /data'
+    environment:
+      MINIO_ROOT_USER: \${MINIO_ACCESS_KEY:-app}
+      MINIO_ROOT_PASSWORD: \${MINIO_SECRET_KEY:-app}
+    ports:
+      - "9001:9001"  # Console UI
+    volumes:
+      - minio_data:/data
+    healthcheck:
+      test: ["CMD", "mc", "ready", "local"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - app-network
+`;
+	}
+
 	// Add volumes
 	yaml += `
 volumes:
@@ -228,6 +268,11 @@ volumes:
 `;
 	}
 
+	if (serviceMap.has('minio')) {
+		yaml += `  minio_data:
+`;
+	}
+
 	// Add networks
 	yaml += `
 networks:
@@ -248,7 +293,9 @@ export function generateMinimalDockerCompose(
 
 	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : '';
 
-	return `version: '3.8'
+	return `# Use "gkm dev" or "gkm test" to start services.
+# Running "docker compose up" directly will not inject secrets or resolve ports.
+version: '3.8'
 
 services:
   api:
@@ -301,13 +348,16 @@ export function generateWorkspaceCompose(
 	const hasPostgres = services.db !== undefined && services.db !== false;
 	const hasRedis = services.cache !== undefined && services.cache !== false;
 	const hasMail = services.mail !== undefined && services.mail !== false;
+	const hasMinio = services.storage !== undefined && services.storage !== false;
 
 	// Get image versions from config
 	const postgresImage = getInfraServiceImage('postgres', services.db);
 	const redisImage = getInfraServiceImage('redis', services.cache);
+	const minioImage = getInfraServiceImage('minio', services.storage);
 
 	let yaml = `# Docker Compose for ${workspace.name} workspace
-# Generated by gkm - do not edit manually
+# Use "gkm dev" or "gkm test" to start services.
+# Running "docker compose up" directly will not inject secrets or resolve ports.
 
 services:
 `;
@@ -318,6 +368,7 @@ services:
 			registry,
 			hasPostgres,
 			hasRedis,
+			hasMinio,
 		});
 	}
 
@@ -376,6 +427,31 @@ services:
 `;
 	}
 
+	if (hasMinio) {
+		yaml += `
+  minio:
+    image: ${minioImage}
+    container_name: ${workspace.name}-minio
+    restart: unless-stopped
+    entrypoint: sh
+    command: -c 'mkdir -p /data/\${MINIO_BUCKET:-app} && /usr/bin/docker-entrypoint.sh server --console-address ":9001" /data'
+    environment:
+      MINIO_ROOT_USER: \${MINIO_ACCESS_KEY:-app}
+      MINIO_ROOT_PASSWORD: \${MINIO_SECRET_KEY:-app}
+    ports:
+      - "9001:9001"  # Console UI
+    volumes:
+      - minio_data:/data
+    healthcheck:
+      test: ["CMD", "mc", "ready", "local"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - workspace-network
+`;
+	}
+
 	// Add volumes section
 	yaml += `
 volumes:
@@ -391,6 +467,11 @@ volumes:
 `;
 	}
 
+	if (hasMinio) {
+		yaml += `  minio_data:
+`;
+	}
+
 	// Add networks section
 	yaml += `
 networks:
@@ -405,12 +486,13 @@ networks:
  * Get infrastructure service image with version.
  */
 function getInfraServiceImage(
-	serviceName: 'postgres' | 'redis',
+	serviceName: 'postgres' | 'redis' | 'minio',
 	config: boolean | { version?: string; image?: string } | undefined,
 ): string {
-	const defaults: Record<'postgres' | 'redis', string> = {
+	const defaults: Record<'postgres' | 'redis' | 'minio', string> = {
 		postgres: 'postgres:18-alpine',
 		redis: 'redis:7-alpine',
+		minio: 'minio/minio:latest',
 	};
 
 	if (!config || config === true) {
@@ -422,8 +504,12 @@ function getInfraServiceImage(
 			return config.image;
 		}
 		if (config.version) {
-			const baseImage = serviceName === 'postgres' ? 'postgres' : 'redis';
-			return `${baseImage}:${config.version}`;
+			const baseImages: Record<'postgres' | 'redis' | 'minio', string> = {
+				postgres: 'postgres',
+				redis: 'redis',
+				minio: 'minio/minio',
+			};
+			return `${baseImages[serviceName]}:${config.version}`;
 		}
 	}
 
@@ -441,9 +527,10 @@ function generateAppService(
 		registry?: string;
 		hasPostgres: boolean;
 		hasRedis: boolean;
+		hasMinio: boolean;
 	},
 ): string {
-	const { registry, hasPostgres, hasRedis } = options;
+	const { registry, hasPostgres, hasRedis, hasMinio } = options;
 	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : '';
 
 	// Health check path - frontends use /, backends use /health
@@ -485,6 +572,15 @@ function generateAppService(
 		}
 		if (hasRedis) {
 			yaml += `      - REDIS_URL=\${REDIS_URL:-redis://redis:6379}
+`;
+		}
+		if (hasMinio) {
+			yaml += `      - S3_ENDPOINT=\${S3_ENDPOINT:-http://minio:9000}
+      - S3_ACCESS_KEY_ID=\${MINIO_ACCESS_KEY:-app}
+      - S3_SECRET_ACCESS_KEY=\${MINIO_SECRET_KEY:-app}
+      - S3_BUCKET=\${MINIO_BUCKET:-app}
+      - S3_REGION=\${S3_REGION:-eu-west-1}
+      - S3_FORCE_PATH_STYLE=true
 `;
 		}
 	}
@@ -501,6 +597,7 @@ function generateAppService(
 	if (app.type === 'backend') {
 		if (hasPostgres) dependencies.push('postgres');
 		if (hasRedis) dependencies.push('redis');
+		if (hasMinio) dependencies.push('minio');
 	}
 
 	if (dependencies.length > 0) {

package/src/init/generators/docker.ts

@@ -161,7 +161,9 @@ export function generateDockerFiles(
 	}
 
 	// Build docker-compose.yml
-	let dockerCompose = `services:
+	let dockerCompose = `# Use "gkm dev" or "gkm test" to start services.
+# Running "docker compose up" directly will not inject secrets or resolve ports.
+services:
 ${services.join('\n\n')}
 `;
 

package/src/init/index.ts

@@ -330,6 +330,7 @@ export async function initCommand(
 	const secretServices: ComposeServiceName[] = [];
 	if (services.db) secretServices.push('postgres');
 	if (services.cache) secretServices.push('redis');
+	if (services.storage) secretServices.push('minio');
 
 	const devSecrets = createStageSecrets('development', secretServices, {
 		projectName: name,

package/src/init/versions.ts

@@ -45,7 +45,7 @@ export const GEEKMIDAS_VERSIONS = {
 	'@geekmidas/storage': '~2.0.0',
 	'@geekmidas/studio': '~1.0.0',
 	'@geekmidas/telescope': '~1.0.0',
-	'@geekmidas/testkit': '~1.0.2',
+	'@geekmidas/testkit': '~1.0.5',
 	'@geekmidas/cli': CLI_VERSION,
 } as const;
 

package/src/secrets/__tests__/generator.spec.ts

@@ -2,6 +2,7 @@ import { describe, expect, it } from 'vitest';
 import {
 	createStageSecrets,
 	generateConnectionUrls,
+	generateMinioEndpoint,
 	generatePostgresUrl,
 	generateRabbitmqUrl,
 	generateRedisUrl,
@@ -65,6 +66,16 @@ describe('generateServiceCredentials', () => {
 		expect(creds.vhost).toBe('/');
 		expect(creds.password).toHaveLength(32);
 	});
+
+	it('should generate minio credentials with defaults', () => {
+		const creds = generateServiceCredentials('minio');
+
+		expect(creds.host).toBe('localhost');
+		expect(creds.port).toBe(9000);
+		expect(creds.username).toBe('app');
+		expect(creds.bucket).toBe('app');
+		expect(creds.password).toHaveLength(32);
+	});
 });
 
 describe('generateServicesCredentials', () => {
@@ -142,6 +153,33 @@ describe('generateRedisUrl', () => {
 	});
 });
 
+describe('generateMinioEndpoint', () => {
+	it('should generate valid minio endpoint URL', () => {
+		const creds: ServiceCredentials = {
+			host: 'localhost',
+			port: 9000,
+			username: 'app',
+			password: 'secret123',
+			bucket: 'my-bucket',
+		};
+
+		const url = generateMinioEndpoint(creds);
+		expect(url).toBe('http://localhost:9000');
+	});
+
+	it('should use custom host and port', () => {
+		const creds: ServiceCredentials = {
+			host: 'minio.example.com',
+			port: 9090,
+			username: 'app',
+			password: 'secret',
+		};
+
+		const url = generateMinioEndpoint(creds);
+		expect(url).toBe('http://minio.example.com:9090');
+	});
+});
+
 describe('generateRabbitmqUrl', () => {
 	it('should generate valid rabbitmq URL with default vhost', () => {
 		const creds: ServiceCredentials = {
@@ -209,11 +247,34 @@ describe('generateConnectionUrls', () => {
 				password: 'rmq-pass',
 				vhost: '/',
 			},
+			minio: {
+				host: 'minio',
+				port: 9000,
+				username: 'app',
+				password: 'minio-pass',
+				bucket: 'app',
+			},
 		});
 
 		expect(urls.DATABASE_URL).toBeDefined();
 		expect(urls.REDIS_URL).toBeDefined();
 		expect(urls.RABBITMQ_URL).toBeDefined();
+		expect(urls.S3_ENDPOINT).toBe('http://minio:9000');
+	});
+
+	it('should generate S3_ENDPOINT for minio', () => {
+		const urls = generateConnectionUrls({
+			minio: {
+				host: 'localhost',
+				port: 9000,
+				username: 'app',
+				password: 'secret',
+				bucket: 'my-bucket',
+			},
+		});
+
+		expect(urls.S3_ENDPOINT).toBe('http://localhost:9000');
+		expect(urls.DATABASE_URL).toBeUndefined();
 	});
 });
 
@@ -246,6 +307,13 @@ describe('createStageSecrets', () => {
 		expect(secrets.urls.REDIS_URL).toBeDefined();
 		expect(secrets.urls.RABBITMQ_URL).toBeDefined();
 	});
+
+	it('should generate S3_ENDPOINT for minio', () => {
+		const secrets = createStageSecrets('production', ['minio']);
+
+		expect(secrets.services.minio).toBeDefined();
+		expect(secrets.urls.S3_ENDPOINT).toBe('http://localhost:9000');
+	});
 });
 
 describe('rotateServicePassword', () => {

package/src/secrets/__tests__/storage.spec.ts

@@ -338,6 +338,36 @@ describe('toEmbeddableSecrets', () => {
 		expect(embeddable.RABBITMQ_VHOST).toBe('/myapp');
 	});
 
+	it('should include minio service credentials', () => {
+		const secrets: StageSecrets = {
+			stage: 'production',
+			createdAt: new Date().toISOString(),
+			updatedAt: new Date().toISOString(),
+			services: {
+				minio: {
+					host: 'localhost',
+					port: 9000,
+					username: 'myaccesskey',
+					password: 'mysecretkey',
+					bucket: 'my-bucket',
+				},
+			},
+			urls: {
+				S3_ENDPOINT: 'http://localhost:9000',
+			},
+			custom: {},
+		};
+
+		const embeddable = toEmbeddableSecrets(secrets);
+
+		expect(embeddable.S3_ENDPOINT).toBe('http://localhost:9000');
+		expect(embeddable.S3_ACCESS_KEY_ID).toBe('myaccesskey');
+		expect(embeddable.S3_SECRET_ACCESS_KEY).toBe('mysecretkey');
+		expect(embeddable.S3_BUCKET).toBe('my-bucket');
+		expect(embeddable.S3_REGION).toBe('eu-west-1');
+		expect(embeddable.S3_FORCE_PATH_STYLE).toBe('true');
+	});
+
 	it('should handle all services and custom secrets together', () => {
 		const secrets: StageSecrets = {
 			stage: 'production',

package/src/secrets/generator.ts

@@ -34,6 +34,12 @@ const SERVICE_DEFAULTS: Record<
 		username: 'app',
 		vhost: '/',
 	},
+	minio: {
+		host: 'localhost',
+		port: 9000,
+		username: 'app',
+		bucket: 'app',
+	},
 };
 
 /**
@@ -89,6 +95,14 @@ export function generateRabbitmqUrl(creds: ServiceCredentials): string {
 	return `amqp://${username}:${encodeURIComponent(password)}@${host}:${port}/${encodedVhost}`;
 }
 
+/**
+ * Generate endpoint URL for MinIO (S3-compatible).
+ */
+export function generateMinioEndpoint(creds: ServiceCredentials): string {
+	const { host, port } = creds;
+	return `http://${host}:${port}`;
+}
+
 /**
  * Generate connection URLs from service credentials.
  */
@@ -109,6 +123,10 @@ export function generateConnectionUrls(
 		urls.RABBITMQ_URL = generateRabbitmqUrl(services.rabbitmq);
 	}
 
+	if (services.minio) {
+		urls.S3_ENDPOINT = generateMinioEndpoint(services.minio);
+	}
+
 	return urls;
 }
 

package/src/secrets/index.ts

@@ -129,6 +129,9 @@ export async function secretsInitCommand(
 	if (secrets.urls.RABBITMQ_URL) {
 		logger.log(`  RABBITMQ_URL: ${maskUrl(secrets.urls.RABBITMQ_URL)}`);
 	}
+	if (secrets.urls.S3_ENDPOINT) {
+		logger.log(`  S3_ENDPOINT: ${secrets.urls.S3_ENDPOINT}`);
+	}
 
 	if (Object.keys(secrets.custom).length > 0) {
 		logger.log(`\n  Custom secrets: ${Object.keys(secrets.custom).length}`);
@@ -234,6 +237,9 @@ export async function secretsShowCommand(
 			if (creds.vhost) {
 				logger.log(`    vhost: ${creds.vhost}`);
 			}
+			if (creds.bucket) {
+				logger.log(`    bucket: ${creds.bucket}`);
+			}
 		}
 	}
 
@@ -254,6 +260,9 @@ export async function secretsShowCommand(
 			`  RABBITMQ_URL: ${reveal ? secrets.urls.RABBITMQ_URL : maskUrl(secrets.urls.RABBITMQ_URL)}`,
 		);
 	}
+	if (secrets.urls.S3_ENDPOINT) {
+		logger.log(`  S3_ENDPOINT: ${secrets.urls.S3_ENDPOINT}`);
+	}
 
 	// Show custom secrets
 	const customKeys = Object.keys(secrets.custom);

package/src/secrets/storage.ts

@@ -208,6 +208,13 @@ export function toEmbeddableSecrets(secrets: StageSecrets): EmbeddableSecrets {
 			RABBITMQ_PORT: String(secrets.services.rabbitmq.port),
 			RABBITMQ_VHOST: secrets.services.rabbitmq.vhost ?? '/',
 		}),
+		...(secrets.services.minio && {
+			S3_ACCESS_KEY_ID: secrets.services.minio.username,
+			S3_SECRET_ACCESS_KEY: secrets.services.minio.password,
+			S3_BUCKET: secrets.services.minio.bucket ?? 'app',
+			S3_REGION: 'eu-west-1',
+			S3_FORCE_PATH_STYLE: 'true',
+		}),
 	};
 }
 

package/src/secrets/types.ts

@@ -10,6 +10,8 @@ export interface ServiceCredentials {
 	database?: string;
 	/** Virtual host (for rabbitmq) */
 	vhost?: string;
+	/** Bucket name (for minio) */
+	bucket?: string;
 }
 
 /** Stage secrets configuration */
@@ -25,12 +27,14 @@ export interface StageSecrets {
 		postgres?: ServiceCredentials;
 		redis?: ServiceCredentials;
 		rabbitmq?: ServiceCredentials;
+		minio?: ServiceCredentials;
 	};
 	/** Generated connection URLs */
 	urls: {
 		DATABASE_URL?: string;
 		REDIS_URL?: string;
 		RABBITMQ_URL?: string;
+		S3_ENDPOINT?: string;
 	};
 	/** Custom user-defined secrets */
 	custom: Record<string, string>;

package/src/setup/index.ts

@@ -194,6 +194,7 @@ async function generateFreshSecrets(
 	const serviceNames: ComposeServiceName[] = [];
 	if (workspace.services.db) serviceNames.push('postgres');
 	if (workspace.services.cache) serviceNames.push('redis');
+	if (workspace.services.storage) serviceNames.push('minio');
 
 	// Create base secrets with service credentials
 	const secrets = createStageSecrets(stage, serviceNames, {

package/src/test/__tests__/index.spec.ts

@@ -18,9 +18,11 @@ import {
 	vi,
 } from 'vitest';
 import {
+	buildDockerComposeEnv,
 	createCredentialsPreload,
 	loadPortState,
 	parseComposePortMappings,
+	resolveServicePorts,
 	rewriteUrlsWithPorts,
 	savePortState,
 } from '../../dev/index';
@@ -388,3 +390,116 @@ services:
 		);
 	});
 });
+
+describe('test command Docker startup pipeline', () => {
+	let testDir: string;
+
+	beforeAll(() => {
+		vi.spyOn(console, 'log').mockImplementation(() => {});
+		vi.spyOn(console, 'warn').mockImplementation(() => {});
+	});
+
+	afterAll(() => {
+		vi.restoreAllMocks();
+	});
+
+	beforeEach(() => {
+		testDir = join(tmpdir(), `gkm-test-docker-${Date.now()}`);
+		mkdirSync(testDir, { recursive: true });
+	});
+
+	afterEach(() => {
+		rmSync(testDir, { recursive: true, force: true });
+	});
+
+	it('should build docker compose env with secrets so credentials are interpolated', () => {
+		const secretsEnv = {
+			POSTGRES_USER: 'app',
+			POSTGRES_PASSWORD: 'supersecret',
+			POSTGRES_DB: 'myapp',
+		};
+		const portEnv = { POSTGRES_HOST_PORT: '5434' };
+
+		// This is the env that gets passed to `docker compose up -d`
+		const env = buildDockerComposeEnv(secretsEnv, portEnv);
+
+		// Secrets are available so ${POSTGRES_USER:-postgres} resolves correctly
+		expect(env.POSTGRES_USER).toBe('app');
+		expect(env.POSTGRES_PASSWORD).toBe('supersecret');
+		expect(env.POSTGRES_DB).toBe('myapp');
+		expect(env.POSTGRES_HOST_PORT).toBe('5434');
+	});
+
+	it('should resolve ports, rewrite URLs and hostnames, then append _test', async () => {
+		writeFileSync(
+			join(testDir, 'docker-compose.yml'),
+			`
+services:
+  postgres:
+    image: postgres:18
+    ports:
+      - '\${POSTGRES_HOST_PORT:-5432}:5432'
+  redis:
+    image: redis:7
+    ports:
+      - '\${REDIS_HOST_PORT:-6379}:6379'
+`,
+		);
+
+		// Simulate secrets loaded from encrypted store (Docker hostnames)
+		const secretsEnv: Record<string, string> = {
+			DATABASE_URL: 'postgresql://app:supersecret@postgres:5432/myapp',
+			REDIS_URL: 'redis://:redispass@redis:6379',
+			POSTGRES_USER: 'app',
+			POSTGRES_PASSWORD: 'supersecret',
+			POSTGRES_DB: 'myapp',
+			POSTGRES_HOST: 'postgres',
+			POSTGRES_PORT: '5432',
+			REDIS_PASSWORD: 'redispass',
+			REDIS_HOST: 'redis',
+			REDIS_PORT: '6379',
+		};
+
+		// Step 1: Resolve ports
+		const resolvedPorts = await resolveServicePorts(testDir);
+
+		// Step 2: Build env for docker compose (secrets + ports)
+		const dockerEnv = buildDockerComposeEnv(
+			secretsEnv,
+			resolvedPorts.dockerEnv,
+		);
+		expect(dockerEnv.POSTGRES_USER).toBe('app');
+		expect(dockerEnv.POSTGRES_PASSWORD).toBe('supersecret');
+
+		// Step 3: Rewrite URLs with ports and hostnames
+		const rewritten = rewriteUrlsWithPorts(secretsEnv, resolvedPorts);
+
+		// Step 4: Apply test suffix
+		const final = rewriteDatabaseUrlForTests(rewritten);
+
+		// Hostnames should be rewritten to localhost
+		expect(final.POSTGRES_HOST).toBe('localhost');
+		expect(final.REDIS_HOST).toBe('localhost');
+
+		// DATABASE_URL should have localhost and _test suffix
+		expect(final.DATABASE_URL).toContain('@localhost:');
+		expect(final.DATABASE_URL).toMatch(/\/myapp_test$/);
+
+		// REDIS_URL should have localhost
+		expect(final.REDIS_URL).toContain('@localhost:');
+	});
+
+	it('should not default to postgres:postgres when secrets are provided', () => {
+		const secretsEnv = {
+			POSTGRES_USER: 'myapp',
+			POSTGRES_PASSWORD: 'strongpass123',
+		};
+
+		const env = buildDockerComposeEnv(secretsEnv, {});
+
+		// The key assertion: secrets are in env so Docker Compose
+		// ${POSTGRES_USER:-postgres} resolves to 'myapp', not 'postgres'
+		expect(env.POSTGRES_USER).toBe('myapp');
+		expect(env.POSTGRES_PASSWORD).toBe('strongpass123');
+	});
+});