@geekmidas/cli 1.10.7 → 1.10.9

package/dist/index.cjs

@@ -4,13 +4,13 @@ const require_workspace = require('./workspace-4SP3Gx4Y.cjs');
 const require_config = require('./config-D3ORuiUs.cjs');
 const require_credentials = require('./credentials-C8DWtnMY.cjs');
 const require_openapi = require('./openapi-BYxAWwok.cjs');
-const require_storage = require('./storage-CoCNe0Pt.cjs');
+const require_storage = require('./storage-Cs13jkJ9.cjs');
 const require_dokploy_api = require('./dokploy-api-DLgvEQlr.cjs');
 const require_encryption = require('./encryption-BE0UOb8j.cjs');
 const require_CachedStateProvider = require('./CachedStateProvider-D73dCqfH.cjs');
-const require_fullstack_secrets = require('./fullstack-secrets-BctGaE4E.cjs');
+const require_fullstack_secrets = require('./fullstack-secrets-CtWIYuI0.cjs');
 const require_openapi_react_query = require('./openapi-react-query-DYbBq-WJ.cjs');
-const require_sync = require('./sync-DdkKaHqP.cjs');
+const require_sync = require('./sync-oCqELfeA.cjs');
 const node_fs = require_chunk.__toESM(require("node:fs"));
 const node_path = require_chunk.__toESM(require("node:path"));
 const commander = require_chunk.__toESM(require("commander"));
@@ -35,7 +35,7 @@ const prompts = require_chunk.__toESM(require("prompts"));
 
 //#region package.json
 var name = "@geekmidas/cli";
-var version = "1.10.6";
+var version = "1.10.8";
 var description = "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs";
 var private$1 = false;
 var type = "module";
@@ -767,25 +767,30 @@ async function resolveServicePorts(workspaceRoot) {
 	const savedState = await loadPortState(workspaceRoot);
 	const dockerEnv = {};
 	const ports = {};
+	const assignedPorts = /* @__PURE__ */ new Set();
 	logger$11.log("\n🔌 Resolving service ports...");
 	for (const mapping of mappings) {
 		const containerPort = getContainerHostPort(workspaceRoot, mapping.service, mapping.containerPort);
 		if (containerPort !== null) {
 			ports[mapping.envVar] = containerPort;
 			dockerEnv[mapping.envVar] = String(containerPort);
+			assignedPorts.add(containerPort);
 			logger$11.log(`   🔄 ${mapping.service}:${mapping.containerPort}: reusing existing container on port ${containerPort}`);
 			continue;
 		}
 		const savedPort = savedState[mapping.envVar];
-		if (savedPort && await isPortAvailable(savedPort)) {
+		if (savedPort && !assignedPorts.has(savedPort) && await isPortAvailable(savedPort)) {
 			ports[mapping.envVar] = savedPort;
 			dockerEnv[mapping.envVar] = String(savedPort);
+			assignedPorts.add(savedPort);
 			logger$11.log(`   💾 ${mapping.service}:${mapping.containerPort}: using saved port ${savedPort}`);
 			continue;
 		}
-		const resolvedPort = await findAvailablePort(mapping.defaultPort);
+		let resolvedPort = await findAvailablePort(mapping.defaultPort);
+		while (assignedPorts.has(resolvedPort)) resolvedPort = await findAvailablePort(resolvedPort + 1);
 		ports[mapping.envVar] = resolvedPort;
 		dockerEnv[mapping.envVar] = String(resolvedPort);
+		assignedPorts.add(resolvedPort);
 		if (resolvedPort !== mapping.defaultPort) logger$11.log(`   ⚡ ${mapping.service}:${mapping.containerPort}: port ${mapping.defaultPort} occupied, using port ${resolvedPort}`);
 		else logger$11.log(`   ✅ ${mapping.service}:${mapping.containerPort}: using default port ${resolvedPort}`);
 	}
@@ -1222,31 +1227,48 @@ async function loadSecretsForApp(secretsRoot, appName) {
 	return mapped;
 }
 /**
+* Build the environment variables to pass to `docker compose up`.
+* Merges process.env, secrets, and port mappings so that Docker Compose
+* can interpolate variables like ${POSTGRES_USER} correctly.
+* @internal Exported for testing
+*/
+function buildDockerComposeEnv(secretsEnv, portEnv) {
+	return {
+		...process.env,
+		...secretsEnv,
+		...portEnv
+	};
+}
+/**
+* Parse all service names from a docker-compose.yml file.
+* @internal Exported for testing
+*/
+function parseComposeServiceNames(composePath) {
+	if (!(0, node_fs.existsSync)(composePath)) return [];
+	const content = (0, node_fs.readFileSync)(composePath, "utf-8");
+	const compose = (0, yaml.parse)(content);
+	return Object.keys(compose?.services ?? {});
+}
+/**
 * Start docker-compose services for the workspace.
+* Parses the docker-compose.yml to discover all services and starts
+* everything except app services (which are managed by turbo).
+* This ensures manually added services are always started.
 * @internal Exported for testing
 */
-async function startWorkspaceServices(workspace, portEnv) {
-	const services = workspace.services;
-	if (!services.db && !services.cache && !services.mail) return;
-	const servicesToStart = [];
-	if (services.db) servicesToStart.push("postgres");
-	if (services.cache) servicesToStart.push("redis");
-	if (services.mail) servicesToStart.push("mailpit");
+async function startWorkspaceServices(workspace, portEnv, secretsEnv) {
+	const composeFile = (0, node_path.join)(workspace.root, "docker-compose.yml");
+	if (!(0, node_fs.existsSync)(composeFile)) return;
+	const allServices = parseComposeServiceNames(composeFile);
+	const appNames = new Set(Object.keys(workspace.apps));
+	const servicesToStart = allServices.filter((name$1) => !appNames.has(name$1));
 	if (servicesToStart.length === 0) return;
 	logger$11.log(`🐳 Starting services: ${servicesToStart.join(", ")}`);
 	try {
-		const composeFile = (0, node_path.join)(workspace.root, "docker-compose.yml");
-		if (!(0, node_fs.existsSync)(composeFile)) {
-			logger$11.warn("⚠️  No docker-compose.yml found. Services will not be started.");
-			return;
-		}
 		(0, node_child_process.execSync)(`docker compose up -d ${servicesToStart.join(" ")}`, {
 			cwd: workspace.root,
 			stdio: "inherit",
-			env: {
-				...process.env,
-				...portEnv
-			}
+			env: buildDockerComposeEnv(secretsEnv, portEnv)
 		});
 		logger$11.log("✅ Services started");
 	} catch (error) {
@@ -1295,8 +1317,9 @@ async function workspaceDevCommand(workspace, options) {
 		if (copiedCount > 0) logger$11.log(`\n📦 Copied ${copiedCount} API client(s)`);
 	}
 	const resolvedPorts = await resolveServicePorts(workspace.root);
-	await startWorkspaceServices(workspace, resolvedPorts.dockerEnv);
-	const secretsEnv = rewriteUrlsWithPorts(await loadDevSecrets(workspace), resolvedPorts);
+	const rawSecrets = await loadDevSecrets(workspace);
+	await startWorkspaceServices(workspace, resolvedPorts.dockerEnv, rawSecrets);
+	const secretsEnv = rewriteUrlsWithPorts(rawSecrets, resolvedPorts);
 	if (Object.keys(secretsEnv).length > 0) logger$11.log(`   Loaded ${Object.keys(secretsEnv).length} secret(s)`);
 	const dependencyEnv = generateAllDependencyEnvVars(workspace);
 	if (Object.keys(dependencyEnv).length > 0) {
@@ -2175,7 +2198,7 @@ async function buildForProvider(provider, context, rootOutputDir, endpointGenera
 		let masterKey;
 		if (context.production?.bundle && !skipBundle) {
 			logger$9.log(`\n📦 Bundling production server...`);
-			const { bundleServer } = await Promise.resolve().then(() => require("./bundler-NpfYPBUo.cjs"));
+			const { bundleServer } = await Promise.resolve().then(() => require("./bundler-Bm3Az_sv.cjs"));
 			const allConstructs = [
 				...endpoints.map((e) => e.construct),
 				...functions.map((f) => f.construct),
@@ -2837,13 +2860,15 @@ async function verifyDnsRecords(appHostnames, serverIp, state) {
 const DEFAULT_SERVICE_IMAGES = {
 	postgres: "postgres",
 	redis: "redis",
-	rabbitmq: "rabbitmq"
+	rabbitmq: "rabbitmq",
+	minio: "minio/minio"
 };
 /** Default Docker image versions for services */
 const DEFAULT_SERVICE_VERSIONS = {
 	postgres: "18-alpine",
 	redis: "7-alpine",
-	rabbitmq: "3-management-alpine"
+	rabbitmq: "3-management-alpine",
+	minio: "latest"
 };
 /** Get the default full image reference for a service */
 function getDefaultImage(serviceName) {
@@ -2874,7 +2899,9 @@ function generateDockerCompose(options) {
 	const { imageName, registry, port, healthCheckPath, services } = options;
 	const serviceMap = normalizeServices(services);
 	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : "";
-	let yaml$1 = `version: '3.8'
+	let yaml$1 = `# Use "gkm dev" or "gkm test" to start services.
+# Running "docker compose up" directly will not inject secrets or resolve ports.
+version: '3.8'
 
 services:
   api:
@@ -2894,6 +2921,13 @@ services:
 	if (serviceMap.has("redis")) yaml$1 += `      - REDIS_URL=\${REDIS_URL:-redis://redis:6379}
 `;
 	if (serviceMap.has("rabbitmq")) yaml$1 += `      - RABBITMQ_URL=\${RABBITMQ_URL:-amqp://rabbitmq:5672}
+`;
+	if (serviceMap.has("minio")) yaml$1 += `      - S3_ENDPOINT=\${S3_ENDPOINT:-http://minio:9000}
+      - S3_ACCESS_KEY_ID=\${MINIO_ACCESS_KEY:-app}
+      - S3_SECRET_ACCESS_KEY=\${MINIO_SECRET_KEY:-app}
+      - S3_BUCKET=\${MINIO_BUCKET:-app}
+      - S3_REGION=\${S3_REGION:-eu-west-1}
+      - S3_FORCE_PATH_STYLE=true
 `;
 	yaml$1 += `    healthcheck:
       test: ["CMD", "wget", "-q", "--spider", "http://localhost:${port}${healthCheckPath}"]
@@ -2967,6 +3001,29 @@ services:
       retries: 5
     networks:
       - app-network
+`;
+	const minioImage = serviceMap.get("minio");
+	if (minioImage) yaml$1 += `
+  minio:
+    image: ${minioImage}
+    container_name: minio
+    restart: unless-stopped
+    entrypoint: sh
+    command: -c 'mkdir -p /data/\${MINIO_BUCKET:-app} && /usr/bin/docker-entrypoint.sh server --console-address ":9001" /data'
+    environment:
+      MINIO_ROOT_USER: \${MINIO_ACCESS_KEY:-app}
+      MINIO_ROOT_PASSWORD: \${MINIO_SECRET_KEY:-app}
+    ports:
+      - "9001:9001"  # Console UI
+    volumes:
+      - minio_data:/data
+    healthcheck:
+      test: ["CMD", "mc", "ready", "local"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - app-network
 `;
 	yaml$1 += `
 volumes:
@@ -2976,6 +3033,8 @@ volumes:
 	if (serviceMap.has("redis")) yaml$1 += `  redis_data:
 `;
 	if (serviceMap.has("rabbitmq")) yaml$1 += `  rabbitmq_data:
+`;
+	if (serviceMap.has("minio")) yaml$1 += `  minio_data:
 `;
 	yaml$1 += `
 networks:
@@ -2990,7 +3049,9 @@ networks:
 function generateMinimalDockerCompose(options) {
 	const { imageName, registry, port, healthCheckPath } = options;
 	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : "";
-	return `version: '3.8'
+	return `# Use "gkm dev" or "gkm test" to start services.
+# Running "docker compose up" directly will not inject secrets or resolve ports.
+version: '3.8'
 
 services:
   api:
@@ -3029,17 +3090,21 @@ function generateWorkspaceCompose(workspace, options = {}) {
 	const hasPostgres = services.db !== void 0 && services.db !== false;
 	const hasRedis = services.cache !== void 0 && services.cache !== false;
 	const hasMail = services.mail !== void 0 && services.mail !== false;
+	const hasMinio = services.storage !== void 0 && services.storage !== false;
 	const postgresImage = getInfraServiceImage("postgres", services.db);
 	const redisImage = getInfraServiceImage("redis", services.cache);
+	const minioImage = getInfraServiceImage("minio", services.storage);
 	let yaml$1 = `# Docker Compose for ${workspace.name} workspace
-# Generated by gkm - do not edit manually
+# Use "gkm dev" or "gkm test" to start services.
+# Running "docker compose up" directly will not inject secrets or resolve ports.
 
 services:
 `;
 	for (const [appName, app] of apps) yaml$1 += generateAppService(appName, app, apps, {
 		registry,
 		hasPostgres,
-		hasRedis
+		hasRedis,
+		hasMinio
 	});
 	if (hasPostgres) yaml$1 += `
   postgres:
@@ -3085,6 +3150,28 @@ services:
       - "1025:1025"  # SMTP
     networks:
       - workspace-network
+`;
+	if (hasMinio) yaml$1 += `
+  minio:
+    image: ${minioImage}
+    container_name: ${workspace.name}-minio
+    restart: unless-stopped
+    entrypoint: sh
+    command: -c 'mkdir -p /data/\${MINIO_BUCKET:-app} && /usr/bin/docker-entrypoint.sh server --console-address ":9001" /data'
+    environment:
+      MINIO_ROOT_USER: \${MINIO_ACCESS_KEY:-app}
+      MINIO_ROOT_PASSWORD: \${MINIO_SECRET_KEY:-app}
+    ports:
+      - "9001:9001"  # Console UI
+    volumes:
+      - minio_data:/data
+    healthcheck:
+      test: ["CMD", "mc", "ready", "local"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    networks:
+      - workspace-network
 `;
 	yaml$1 += `
 volumes:
@@ -3092,6 +3179,8 @@ volumes:
 	if (hasPostgres) yaml$1 += `  dbdata:
 `;
 	if (hasRedis) yaml$1 += `  redis_data:
+`;
+	if (hasMinio) yaml$1 += `  minio_data:
 `;
 	yaml$1 += `
 networks:
@@ -3106,14 +3195,19 @@ networks:
 function getInfraServiceImage(serviceName, config) {
 	const defaults = {
 		postgres: "postgres:18-alpine",
-		redis: "redis:7-alpine"
+		redis: "redis:7-alpine",
+		minio: "minio/minio:latest"
 	};
 	if (!config || config === true) return defaults[serviceName];
 	if (typeof config === "object") {
 		if (config.image) return config.image;
 		if (config.version) {
-			const baseImage = serviceName === "postgres" ? "postgres" : "redis";
-			return `${baseImage}:${config.version}`;
+			const baseImages = {
+				postgres: "postgres",
+				redis: "redis",
+				minio: "minio/minio"
+			};
+			return `${baseImages[serviceName]}:${config.version}`;
 		}
 	}
 	return defaults[serviceName];
@@ -3122,7 +3216,7 @@ function getInfraServiceImage(serviceName, config) {
 * Generate a service definition for an app.
 */
 function generateAppService(appName, app, allApps, options) {
-	const { registry, hasPostgres, hasRedis } = options;
+	const { registry, hasPostgres, hasRedis, hasMinio } = options;
 	const imageRef = registry ? `\${REGISTRY:-${registry}}/` : "";
 	const healthCheckPath = app.type === "frontend" ? "/" : "/health";
 	const healthCheckCmd = app.type === "frontend" ? `["CMD", "wget", "-q", "--spider", "http://localhost:${app.port}/"]` : `["CMD", "wget", "-q", "--spider", "http://localhost:${app.port}${healthCheckPath}"]`;
@@ -3149,6 +3243,13 @@ function generateAppService(appName, app, allApps, options) {
 		if (hasPostgres) yaml$1 += `      - DATABASE_URL=\${DATABASE_URL:-postgresql://\${POSTGRES_USER:-postgres}:\${POSTGRES_PASSWORD:-postgres}@postgres:5432/\${POSTGRES_DB:-app}}
 `;
 		if (hasRedis) yaml$1 += `      - REDIS_URL=\${REDIS_URL:-redis://redis:6379}
+`;
+		if (hasMinio) yaml$1 += `      - S3_ENDPOINT=\${S3_ENDPOINT:-http://minio:9000}
+      - S3_ACCESS_KEY_ID=\${MINIO_ACCESS_KEY:-app}
+      - S3_SECRET_ACCESS_KEY=\${MINIO_SECRET_KEY:-app}
+      - S3_BUCKET=\${MINIO_BUCKET:-app}
+      - S3_REGION=\${S3_REGION:-eu-west-1}
+      - S3_FORCE_PATH_STYLE=true
 `;
 	}
 	yaml$1 += `    healthcheck:
@@ -3161,6 +3262,7 @@ function generateAppService(appName, app, allApps, options) {
 	if (app.type === "backend") {
 		if (hasPostgres) dependencies$1.push("postgres");
 		if (hasRedis) dependencies$1.push("redis");
+		if (hasMinio) dependencies$1.push("minio");
 	}
 	if (dependencies$1.length > 0) {
 		yaml$1 += `    depends_on:
@@ -6205,7 +6307,7 @@ async function deployCommand(options) {
 		dokployConfig = setupResult.config;
 		finalRegistry = dokployConfig.registry ?? dockerConfig.registry;
 		if (setupResult.serviceUrls) {
-			const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1, initStageSecrets } = await Promise.resolve().then(() => require("./storage-C7pmBq1u.cjs"));
+			const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1, initStageSecrets } = await Promise.resolve().then(() => require("./storage-D6BGLgWf.cjs"));
 			let secrets = await readStageSecrets$1(stage);
 			if (!secrets) {
 				logger$3.log(`   Creating secrets file for stage "${stage}"...`);
@@ -6502,7 +6604,7 @@ const GEEKMIDAS_VERSIONS = {
 	"@geekmidas/storage": "~2.0.0",
 	"@geekmidas/studio": "~1.0.0",
 	"@geekmidas/telescope": "~1.0.0",
-	"@geekmidas/testkit": "~1.0.2",
+	"@geekmidas/testkit": "~1.0.5",
 	"@geekmidas/cli": CLI_VERSION
 };
 
@@ -7057,7 +7159,9 @@ function generateDockerFiles(options, template, dbApps) {
     environment:
       MP_SMTP_AUTH_ACCEPT_ANY: 1
       MP_SMTP_AUTH_ALLOW_INSECURE: 1`);
-	let dockerCompose = `services:
+	let dockerCompose = `# Use "gkm dev" or "gkm test" to start services.
+# Running "docker compose up" directly will not inject secrets or resolve ports.
+services:
 ${services.join("\n\n")}
 `;
 	if (volumes.length > 0) dockerCompose += `
@@ -10868,6 +10972,7 @@ async function initCommand(projectName, options = {}) {
 	const secretServices = [];
 	if (services.db) secretServices.push("postgres");
 	if (services.cache) secretServices.push("redis");
+	if (services.storage) secretServices.push("minio");
 	const devSecrets = require_fullstack_secrets.createStageSecrets("development", secretServices, { projectName: name$1 });
 	const customSecrets = {
 		NODE_ENV: "development",
@@ -11026,6 +11131,7 @@ async function secretsInitCommand(options) {
 	if (secrets.urls.DATABASE_URL) logger$2.log(`\n  DATABASE_URL: ${maskUrl(secrets.urls.DATABASE_URL)}`);
 	if (secrets.urls.REDIS_URL) logger$2.log(`  REDIS_URL: ${maskUrl(secrets.urls.REDIS_URL)}`);
 	if (secrets.urls.RABBITMQ_URL) logger$2.log(`  RABBITMQ_URL: ${maskUrl(secrets.urls.RABBITMQ_URL)}`);
+	if (secrets.urls.S3_ENDPOINT) logger$2.log(`  S3_ENDPOINT: ${secrets.urls.S3_ENDPOINT}`);
 	if (Object.keys(secrets.custom).length > 0) logger$2.log(`\n  Custom secrets: ${Object.keys(secrets.custom).length}`);
 	logger$2.log(`\n  Use "gkm secrets:show --stage ${stage}" to view secrets`);
 	logger$2.log("  Use \"gkm secrets:set <KEY> <VALUE> --stage " + stage + "\" to add custom secrets");
@@ -11087,11 +11193,13 @@ async function secretsShowCommand(options) {
 		logger$2.log(`    password: ${reveal ? creds.password : require_storage.maskPassword(creds.password)}`);
 		if (creds.database) logger$2.log(`    database: ${creds.database}`);
 		if (creds.vhost) logger$2.log(`    vhost: ${creds.vhost}`);
+		if (creds.bucket) logger$2.log(`    bucket: ${creds.bucket}`);
 	}
 	logger$2.log("\nConnection URLs:");
 	if (secrets.urls.DATABASE_URL) logger$2.log(`  DATABASE_URL: ${reveal ? secrets.urls.DATABASE_URL : maskUrl(secrets.urls.DATABASE_URL)}`);
 	if (secrets.urls.REDIS_URL) logger$2.log(`  REDIS_URL: ${reveal ? secrets.urls.REDIS_URL : maskUrl(secrets.urls.REDIS_URL)}`);
 	if (secrets.urls.RABBITMQ_URL) logger$2.log(`  RABBITMQ_URL: ${reveal ? secrets.urls.RABBITMQ_URL : maskUrl(secrets.urls.RABBITMQ_URL)}`);
+	if (secrets.urls.S3_ENDPOINT) logger$2.log(`  S3_ENDPOINT: ${secrets.urls.S3_ENDPOINT}`);
 	const customKeys = Object.keys(secrets.custom);
 	if (customKeys.length > 0) {
 		logger$2.log("\nCustom Secrets:");
@@ -11295,6 +11403,7 @@ async function generateFreshSecrets(stage, workspace, options) {
 	const serviceNames = [];
 	if (workspace.services.db) serviceNames.push("postgres");
 	if (workspace.services.cache) serviceNames.push("redis");
+	if (workspace.services.storage) serviceNames.push("minio");
 	const secrets = require_fullstack_secrets.createStageSecrets(stage, serviceNames, { projectName: workspace.name });
 	const isMultiApp = Object.keys(workspace.apps).length > 1;
 	if (isMultiApp) {
@@ -11364,23 +11473,15 @@ async function testCommand(options = {}) {
 		if (error instanceof Error && error.message.includes("key not found")) console.log(`  Decryption key not found for ${stage}`);
 		else throw error;
 	}
-	const composePath = (0, node_path.join)(cwd, "docker-compose.yml");
-	const mappings = parseComposePortMappings(composePath);
-	if (mappings.length > 0) {
-		const ports = await loadPortState(cwd);
-		if (Object.keys(ports).length > 0) {
-			secretsEnv = rewriteUrlsWithPorts(secretsEnv, {
-				dockerEnv: {},
-				ports,
-				mappings
-			});
-			console.log(`  🔌 Applied ${Object.keys(ports).length} port mapping(s)`);
-		}
-	}
-	secretsEnv = rewriteDatabaseUrlForTests(secretsEnv);
 	let dependencyEnv = {};
 	try {
 		const appInfo = await require_config.loadWorkspaceAppInfo(cwd);
+		const resolvedPorts = await resolveServicePorts(appInfo.workspaceRoot);
+		await startWorkspaceServices(appInfo.workspace, resolvedPorts.dockerEnv, secretsEnv);
+		if (resolvedPorts.mappings.length > 0) {
+			secretsEnv = rewriteUrlsWithPorts(secretsEnv, resolvedPorts);
+			console.log(`  🔌 Applied ${Object.keys(resolvedPorts.ports).length} port mapping(s)`);
+		}
 		dependencyEnv = require_workspace.getDependencyEnvVars(appInfo.workspace, appInfo.appName);
 		if (Object.keys(dependencyEnv).length > 0) console.log(`  🔗 Loaded ${Object.keys(dependencyEnv).length} dependency URL(s)`);
 		const sniffed = await sniffAppEnvironment(appInfo.app, appInfo.appName, appInfo.workspaceRoot, { logWarnings: false });
@@ -11396,7 +11497,22 @@ async function testCommand(options = {}) {
 			dependencyEnv = filteredEnv;
 			console.log(`  🔍 Sniffed ${sniffed.requiredEnvVars.length} required env var(s)`);
 		}
-	} catch {}
+	} catch {
+		const composePath = (0, node_path.join)(cwd, "docker-compose.yml");
+		const mappings = parseComposePortMappings(composePath);
+		if (mappings.length > 0) {
+			const ports = await loadPortState(cwd);
+			if (Object.keys(ports).length > 0) {
+				secretsEnv = rewriteUrlsWithPorts(secretsEnv, {
+					dockerEnv: {},
+					ports,
+					mappings
+				});
+				console.log(`  🔌 Applied ${Object.keys(ports).length} port mapping(s)`);
+			}
+		}
+	}
+	secretsEnv = rewriteDatabaseUrlForTests(secretsEnv);
 	console.log("");
 	const allSecrets = {
 		...secretsEnv,
@@ -11831,9 +11947,9 @@ program.command("secrets:push").description("Push secrets to remote provider (SS
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await Promise.resolve().then(() => require("./config.cjs"));
-		const { pushSecrets: pushSecrets$1 } = await Promise.resolve().then(() => require("./sync-RsnjXYwG.cjs"));
-		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-TEBsryVn.cjs"));
-		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-C7pmBq1u.cjs"));
+		const { pushSecrets: pushSecrets$1 } = await Promise.resolve().then(() => require("./sync-DLlwsrBs.cjs"));
+		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-D6u4HSg8.cjs"));
+		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-D6BGLgWf.cjs"));
 		const { workspace } = await loadWorkspaceConfig$1();
 		const secrets = await readStageSecrets$1(options.stage, workspace.root);
 		if (secrets) {
@@ -11856,9 +11972,9 @@ program.command("secrets:pull").description("Pull secrets from remote provider (
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await Promise.resolve().then(() => require("./config.cjs"));
-		const { pullSecrets: pullSecrets$1 } = await Promise.resolve().then(() => require("./sync-RsnjXYwG.cjs"));
-		const { writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-C7pmBq1u.cjs"));
-		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-TEBsryVn.cjs"));
+		const { pullSecrets: pullSecrets$1 } = await Promise.resolve().then(() => require("./sync-DLlwsrBs.cjs"));
+		const { writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-D6BGLgWf.cjs"));
+		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-D6u4HSg8.cjs"));
 		const { workspace } = await loadWorkspaceConfig$1();
 		let secrets = await pullSecrets$1(options.stage, workspace);
 		if (!secrets) {
@@ -11883,8 +11999,8 @@ program.command("secrets:reconcile").description("Backfill missing custom secret
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await Promise.resolve().then(() => require("./config.cjs"));
-		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-TEBsryVn.cjs"));
-		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-C7pmBq1u.cjs"));
+		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-D6u4HSg8.cjs"));
+		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-D6BGLgWf.cjs"));
 		const { workspace } = await loadWorkspaceConfig$1();
 		const secrets = await readStageSecrets$1(options.stage, workspace.root);
 		if (!secrets) {