@geekmidas/cli 1.7.0 → 1.9.0

package/dist/openapi.d.mts

@@ -1,5 +1,5 @@
 #!/usr/bin/env -S npx tsx
-import { GkmConfig, OpenApiConfig } from "./types-CZg5iUgD.mjs";
+import { GkmConfig, OpenApiConfig } from "./types-eTlj5f2M.mjs";
 
 //#region src/openapi.d.ts
 interface OpenAPIOptions {

package/dist/sync-BOS0jKLn.cjs

@@ -0,0 +1,93 @@
+const require_chunk = require('./chunk-CUT6urMc.cjs');
+const __aws_sdk_client_ssm = require_chunk.__toESM(require("@aws-sdk/client-ssm"));
+
+//#region src/secrets/sync.ts
+/**
+* Get the SSM parameter name for secrets.
+*/
+function getSecretsParameterName(workspaceName, stage) {
+	return `/gkm/${workspaceName}/${stage}/secrets`;
+}
+/**
+* Create an SSM client from workspace state config.
+*/
+function createSSMClient(config) {
+	const clientConfig = { region: config.region };
+	if (config.profile) {
+		const { fromIni } = require("@aws-sdk/credential-providers");
+		clientConfig.credentials = fromIni({ profile: config.profile });
+	}
+	return new __aws_sdk_client_ssm.SSMClient(clientConfig);
+}
+/**
+* Push secrets to SSM Parameter Store.
+*
+* Stores the full StageSecrets object as a SecureString parameter.
+*/
+async function pushSecrets(stage, workspace) {
+	const config = workspace.state;
+	if (!config || config.provider !== "ssm") throw new Error("SSM state provider not configured. Add state: { provider: \"ssm\", region: \"...\" } to gkm.config.ts.");
+	if (!workspace.name) throw new Error("Workspace name is required for SSM secrets sync. Set \"name\" in gkm.config.ts.");
+	const client = createSSMClient(config);
+	const parameterName = getSecretsParameterName(workspace.name, stage);
+	const { readStageSecrets } = await Promise.resolve().then(() => require("./storage-C7pmBq1u.cjs"));
+	const secrets = await readStageSecrets(stage, workspace.root);
+	if (!secrets) throw new Error(`No secrets found for stage "${stage}". Run "gkm secrets:init --stage ${stage}" first.`);
+	await client.send(new __aws_sdk_client_ssm.PutParameterCommand({
+		Name: parameterName,
+		Value: JSON.stringify(secrets),
+		Type: "SecureString",
+		Overwrite: true,
+		Description: `GKM secrets for ${workspace.name}/${stage}`
+	}));
+}
+/**
+* Pull secrets from SSM Parameter Store.
+*
+* @returns StageSecrets or null if no secrets are stored remotely
+*/
+async function pullSecrets(stage, workspace) {
+	const config = workspace.state;
+	if (!config || config.provider !== "ssm") return null;
+	if (!workspace.name) return null;
+	const client = createSSMClient(config);
+	const parameterName = getSecretsParameterName(workspace.name, stage);
+	try {
+		const response = await client.send(new __aws_sdk_client_ssm.GetParameterCommand({
+			Name: parameterName,
+			WithDecryption: true
+		}));
+		if (!response.Parameter?.Value) return null;
+		return JSON.parse(response.Parameter.Value);
+	} catch (error) {
+		if (error instanceof __aws_sdk_client_ssm.ParameterNotFound) return null;
+		throw error;
+	}
+}
+/**
+* Check if SSM is configured for the workspace.
+*/
+function isSSMConfigured(workspace) {
+	return !!workspace.state && workspace.state.provider === "ssm";
+}
+
+//#endregion
+Object.defineProperty(exports, 'isSSMConfigured', {
+  enumerable: true,
+  get: function () {
+    return isSSMConfigured;
+  }
+});
+Object.defineProperty(exports, 'pullSecrets', {
+  enumerable: true,
+  get: function () {
+    return pullSecrets;
+  }
+});
+Object.defineProperty(exports, 'pushSecrets', {
+  enumerable: true,
+  get: function () {
+    return pushSecrets;
+  }
+});
+//# sourceMappingURL=sync-BOS0jKLn.cjs.map

package/dist/sync-BOS0jKLn.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"sync-BOS0jKLn.cjs","names":["workspaceName: string","stage: string","config: SSMStateConfig","clientConfig: SSMClientConfig","SSMClient","workspace: NormalizedWorkspace","PutParameterCommand","GetParameterCommand","ParameterNotFound"],"sources":["../src/secrets/sync.ts"],"sourcesContent":["/**\n * Secrets Sync via AWS SSM Parameter Store\n *\n * Stores and retrieves encrypted StageSecrets as SecureString parameters.\n * Reuses the SSM infrastructure from the state provider.\n *\n * Parameter naming: /gkm/{workspaceName}/{stage}/secrets\n */\n\nimport {\n\tGetParameterCommand,\n\tParameterNotFound,\n\tPutParameterCommand,\n\tSSMClient,\n\ttype SSMClientConfig,\n} from '@aws-sdk/client-ssm';\nimport type { SSMStateConfig } from '../deploy/StateProvider.js';\nimport type { NormalizedWorkspace } from '../workspace/types.js';\nimport type { StageSecrets } from './types.js';\n\n/**\n * Get the SSM parameter name for secrets.\n */\nfunction getSecretsParameterName(workspaceName: string, stage: string): string {\n\treturn `/gkm/${workspaceName}/${stage}/secrets`;\n}\n\n/**\n * Create an SSM client from workspace state config.\n */\nfunction createSSMClient(config: SSMStateConfig): SSMClient {\n\tconst clientConfig: SSMClientConfig = {\n\t\tregion: config.region,\n\t};\n\n\tif (config.profile) {\n\t\tconst { fromIni } = require('@aws-sdk/credential-providers');\n\t\tclientConfig.credentials = fromIni({ profile: config.profile });\n\t}\n\n\treturn new SSMClient(clientConfig);\n}\n\n/**\n * Push secrets to SSM Parameter Store.\n *\n * Stores the full StageSecrets object as a SecureString parameter.\n */\nexport async function pushSecrets(\n\tstage: string,\n\tworkspace: NormalizedWorkspace,\n): Promise<void> {\n\tconst config = workspace.state;\n\tif (!config || config.provider !== 'ssm') {\n\t\tthrow new Error(\n\t\t\t'SSM state provider not configured. Add state: { provider: \"ssm\", region: \"...\" } to gkm.config.ts.',\n\t\t);\n\t}\n\n\tif (!workspace.name) {\n\t\tthrow new Error(\n\t\t\t'Workspace name is required for SSM secrets sync. Set \"name\" in gkm.config.ts.',\n\t\t);\n\t}\n\n\tconst client = createSSMClient(config as SSMStateConfig);\n\tconst parameterName = getSecretsParameterName(workspace.name, stage);\n\n\tconst { readStageSecrets } = await import('./storage.js');\n\tconst secrets = await readStageSecrets(stage, workspace.root);\n\n\tif (!secrets) {\n\t\tthrow new Error(\n\t\t\t`No secrets found for stage \"${stage}\". Run \"gkm secrets:init --stage ${stage}\" first.`,\n\t\t);\n\t}\n\n\tawait client.send(\n\t\tnew PutParameterCommand({\n\t\t\tName: parameterName,\n\t\t\tValue: JSON.stringify(secrets),\n\t\t\tType: 'SecureString',\n\t\t\tOverwrite: true,\n\t\t\tDescription: `GKM secrets for ${workspace.name}/${stage}`,\n\t\t}),\n\t);\n}\n\n/**\n * Pull secrets from SSM Parameter Store.\n *\n * @returns StageSecrets or null if no secrets are stored remotely\n */\nexport async function pullSecrets(\n\tstage: string,\n\tworkspace: NormalizedWorkspace,\n): Promise<StageSecrets | null> {\n\tconst config = workspace.state;\n\tif (!config || config.provider !== 'ssm') {\n\t\treturn null;\n\t}\n\n\tif (!workspace.name) {\n\t\treturn null;\n\t}\n\n\tconst client = createSSMClient(config as SSMStateConfig);\n\tconst parameterName = getSecretsParameterName(workspace.name, stage);\n\n\ttry {\n\t\tconst response = await client.send(\n\t\t\tnew GetParameterCommand({\n\t\t\t\tName: parameterName,\n\t\t\t\tWithDecryption: true,\n\t\t\t}),\n\t\t);\n\n\t\tif (!response.Parameter?.Value) {\n\t\t\treturn null;\n\t\t}\n\n\t\treturn JSON.parse(response.Parameter.Value) as StageSecrets;\n\t} catch (error) {\n\t\tif (error instanceof ParameterNotFound) {\n\t\t\treturn null;\n\t\t}\n\t\tthrow error;\n\t}\n}\n\n/**\n * Check if SSM is configured for the workspace.\n */\nexport function isSSMConfigured(workspace: NormalizedWorkspace): boolean {\n\treturn !!workspace.state && workspace.state.provider === 'ssm';\n}\n"],"mappings":";;;;;;;AAuBA,SAAS,wBAAwBA,eAAuBC,OAAuB;AAC9E,SAAQ,OAAO,cAAc,GAAG,MAAM;AACtC;;;;AAKD,SAAS,gBAAgBC,QAAmC;CAC3D,MAAMC,eAAgC,EACrC,QAAQ,OAAO,OACf;AAED,KAAI,OAAO,SAAS;EACnB,MAAM,EAAE,SAAS,GAAG,QAAQ,gCAAgC;AAC5D,eAAa,cAAc,QAAQ,EAAE,SAAS,OAAO,QAAS,EAAC;CAC/D;AAED,QAAO,IAAIC,+BAAU;AACrB;;;;;;AAOD,eAAsB,YACrBH,OACAI,WACgB;CAChB,MAAM,SAAS,UAAU;AACzB,MAAK,UAAU,OAAO,aAAa,MAClC,OAAM,IAAI,MACT;AAIF,MAAK,UAAU,KACd,OAAM,IAAI,MACT;CAIF,MAAM,SAAS,gBAAgB,OAAyB;CACxD,MAAM,gBAAgB,wBAAwB,UAAU,MAAM,MAAM;CAEpE,MAAM,EAAE,kBAAkB,GAAG,2CAAM;CACnC,MAAM,UAAU,MAAM,iBAAiB,OAAO,UAAU,KAAK;AAE7D,MAAK,QACJ,OAAM,IAAI,OACR,8BAA8B,MAAM,mCAAmC,MAAM;AAIhF,OAAM,OAAO,KACZ,IAAIC,yCAAoB;EACvB,MAAM;EACN,OAAO,KAAK,UAAU,QAAQ;EAC9B,MAAM;EACN,WAAW;EACX,cAAc,kBAAkB,UAAU,KAAK,GAAG,MAAM;CACxD,GACD;AACD;;;;;;AAOD,eAAsB,YACrBL,OACAI,WAC+B;CAC/B,MAAM,SAAS,UAAU;AACzB,MAAK,UAAU,OAAO,aAAa,MAClC,QAAO;AAGR,MAAK,UAAU,KACd,QAAO;CAGR,MAAM,SAAS,gBAAgB,OAAyB;CACxD,MAAM,gBAAgB,wBAAwB,UAAU,MAAM,MAAM;AAEpE,KAAI;EACH,MAAM,WAAW,MAAM,OAAO,KAC7B,IAAIE,yCAAoB;GACvB,MAAM;GACN,gBAAgB;EAChB,GACD;AAED,OAAK,SAAS,WAAW,MACxB,QAAO;AAGR,SAAO,KAAK,MAAM,SAAS,UAAU,MAAM;CAC3C,SAAQ,OAAO;AACf,MAAI,iBAAiBC,uCACpB,QAAO;AAER,QAAM;CACN;AACD;;;;AAKD,SAAgB,gBAAgBH,WAAyC;AACxE,UAAS,UAAU,SAAS,UAAU,MAAM,aAAa;AACzD"}

package/dist/sync-BnqNNc6O.mjs

@@ -0,0 +1,3 @@
+import { isSSMConfigured, pullSecrets, pushSecrets } from "./sync-CHfhmXF3.mjs";
+
+export { pullSecrets, pushSecrets };

package/dist/sync-BxFB34zW.cjs

@@ -0,0 +1,4 @@
+const require_sync = require('./sync-BOS0jKLn.cjs');
+
+exports.pullSecrets = require_sync.pullSecrets;
+exports.pushSecrets = require_sync.pushSecrets;

package/dist/sync-CHfhmXF3.mjs

@@ -0,0 +1,76 @@
+import { __require } from "./chunk-Duj1WY3L.mjs";
+import { GetParameterCommand, ParameterNotFound, PutParameterCommand, SSMClient } from "@aws-sdk/client-ssm";
+
+//#region src/secrets/sync.ts
+/**
+* Get the SSM parameter name for secrets.
+*/
+function getSecretsParameterName(workspaceName, stage) {
+	return `/gkm/${workspaceName}/${stage}/secrets`;
+}
+/**
+* Create an SSM client from workspace state config.
+*/
+function createSSMClient(config) {
+	const clientConfig = { region: config.region };
+	if (config.profile) {
+		const { fromIni } = __require("@aws-sdk/credential-providers");
+		clientConfig.credentials = fromIni({ profile: config.profile });
+	}
+	return new SSMClient(clientConfig);
+}
+/**
+* Push secrets to SSM Parameter Store.
+*
+* Stores the full StageSecrets object as a SecureString parameter.
+*/
+async function pushSecrets(stage, workspace) {
+	const config = workspace.state;
+	if (!config || config.provider !== "ssm") throw new Error("SSM state provider not configured. Add state: { provider: \"ssm\", region: \"...\" } to gkm.config.ts.");
+	if (!workspace.name) throw new Error("Workspace name is required for SSM secrets sync. Set \"name\" in gkm.config.ts.");
+	const client = createSSMClient(config);
+	const parameterName = getSecretsParameterName(workspace.name, stage);
+	const { readStageSecrets } = await import("./storage-Dx_jZbq6.mjs");
+	const secrets = await readStageSecrets(stage, workspace.root);
+	if (!secrets) throw new Error(`No secrets found for stage "${stage}". Run "gkm secrets:init --stage ${stage}" first.`);
+	await client.send(new PutParameterCommand({
+		Name: parameterName,
+		Value: JSON.stringify(secrets),
+		Type: "SecureString",
+		Overwrite: true,
+		Description: `GKM secrets for ${workspace.name}/${stage}`
+	}));
+}
+/**
+* Pull secrets from SSM Parameter Store.
+*
+* @returns StageSecrets or null if no secrets are stored remotely
+*/
+async function pullSecrets(stage, workspace) {
+	const config = workspace.state;
+	if (!config || config.provider !== "ssm") return null;
+	if (!workspace.name) return null;
+	const client = createSSMClient(config);
+	const parameterName = getSecretsParameterName(workspace.name, stage);
+	try {
+		const response = await client.send(new GetParameterCommand({
+			Name: parameterName,
+			WithDecryption: true
+		}));
+		if (!response.Parameter?.Value) return null;
+		return JSON.parse(response.Parameter.Value);
+	} catch (error) {
+		if (error instanceof ParameterNotFound) return null;
+		throw error;
+	}
+}
+/**
+* Check if SSM is configured for the workspace.
+*/
+function isSSMConfigured(workspace) {
+	return !!workspace.state && workspace.state.provider === "ssm";
+}
+
+//#endregion
+export { isSSMConfigured, pullSecrets, pushSecrets };
+//# sourceMappingURL=sync-CHfhmXF3.mjs.map

package/dist/sync-CHfhmXF3.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"sync-CHfhmXF3.mjs","names":["workspaceName: string","stage: string","config: SSMStateConfig","clientConfig: SSMClientConfig","workspace: NormalizedWorkspace"],"sources":["../src/secrets/sync.ts"],"sourcesContent":["/**\n * Secrets Sync via AWS SSM Parameter Store\n *\n * Stores and retrieves encrypted StageSecrets as SecureString parameters.\n * Reuses the SSM infrastructure from the state provider.\n *\n * Parameter naming: /gkm/{workspaceName}/{stage}/secrets\n */\n\nimport {\n\tGetParameterCommand,\n\tParameterNotFound,\n\tPutParameterCommand,\n\tSSMClient,\n\ttype SSMClientConfig,\n} from '@aws-sdk/client-ssm';\nimport type { SSMStateConfig } from '../deploy/StateProvider.js';\nimport type { NormalizedWorkspace } from '../workspace/types.js';\nimport type { StageSecrets } from './types.js';\n\n/**\n * Get the SSM parameter name for secrets.\n */\nfunction getSecretsParameterName(workspaceName: string, stage: string): string {\n\treturn `/gkm/${workspaceName}/${stage}/secrets`;\n}\n\n/**\n * Create an SSM client from workspace state config.\n */\nfunction createSSMClient(config: SSMStateConfig): SSMClient {\n\tconst clientConfig: SSMClientConfig = {\n\t\tregion: config.region,\n\t};\n\n\tif (config.profile) {\n\t\tconst { fromIni } = require('@aws-sdk/credential-providers');\n\t\tclientConfig.credentials = fromIni({ profile: config.profile });\n\t}\n\n\treturn new SSMClient(clientConfig);\n}\n\n/**\n * Push secrets to SSM Parameter Store.\n *\n * Stores the full StageSecrets object as a SecureString parameter.\n */\nexport async function pushSecrets(\n\tstage: string,\n\tworkspace: NormalizedWorkspace,\n): Promise<void> {\n\tconst config = workspace.state;\n\tif (!config || config.provider !== 'ssm') {\n\t\tthrow new Error(\n\t\t\t'SSM state provider not configured. Add state: { provider: \"ssm\", region: \"...\" } to gkm.config.ts.',\n\t\t);\n\t}\n\n\tif (!workspace.name) {\n\t\tthrow new Error(\n\t\t\t'Workspace name is required for SSM secrets sync. Set \"name\" in gkm.config.ts.',\n\t\t);\n\t}\n\n\tconst client = createSSMClient(config as SSMStateConfig);\n\tconst parameterName = getSecretsParameterName(workspace.name, stage);\n\n\tconst { readStageSecrets } = await import('./storage.js');\n\tconst secrets = await readStageSecrets(stage, workspace.root);\n\n\tif (!secrets) {\n\t\tthrow new Error(\n\t\t\t`No secrets found for stage \"${stage}\". Run \"gkm secrets:init --stage ${stage}\" first.`,\n\t\t);\n\t}\n\n\tawait client.send(\n\t\tnew PutParameterCommand({\n\t\t\tName: parameterName,\n\t\t\tValue: JSON.stringify(secrets),\n\t\t\tType: 'SecureString',\n\t\t\tOverwrite: true,\n\t\t\tDescription: `GKM secrets for ${workspace.name}/${stage}`,\n\t\t}),\n\t);\n}\n\n/**\n * Pull secrets from SSM Parameter Store.\n *\n * @returns StageSecrets or null if no secrets are stored remotely\n */\nexport async function pullSecrets(\n\tstage: string,\n\tworkspace: NormalizedWorkspace,\n): Promise<StageSecrets | null> {\n\tconst config = workspace.state;\n\tif (!config || config.provider !== 'ssm') {\n\t\treturn null;\n\t}\n\n\tif (!workspace.name) {\n\t\treturn null;\n\t}\n\n\tconst client = createSSMClient(config as SSMStateConfig);\n\tconst parameterName = getSecretsParameterName(workspace.name, stage);\n\n\ttry {\n\t\tconst response = await client.send(\n\t\t\tnew GetParameterCommand({\n\t\t\t\tName: parameterName,\n\t\t\t\tWithDecryption: true,\n\t\t\t}),\n\t\t);\n\n\t\tif (!response.Parameter?.Value) {\n\t\t\treturn null;\n\t\t}\n\n\t\treturn JSON.parse(response.Parameter.Value) as StageSecrets;\n\t} catch (error) {\n\t\tif (error instanceof ParameterNotFound) {\n\t\t\treturn null;\n\t\t}\n\t\tthrow error;\n\t}\n}\n\n/**\n * Check if SSM is configured for the workspace.\n */\nexport function isSSMConfigured(workspace: NormalizedWorkspace): boolean {\n\treturn !!workspace.state && workspace.state.provider === 'ssm';\n}\n"],"mappings":";;;;;;;AAuBA,SAAS,wBAAwBA,eAAuBC,OAAuB;AAC9E,SAAQ,OAAO,cAAc,GAAG,MAAM;AACtC;;;;AAKD,SAAS,gBAAgBC,QAAmC;CAC3D,MAAMC,eAAgC,EACrC,QAAQ,OAAO,OACf;AAED,KAAI,OAAO,SAAS;EACnB,MAAM,EAAE,SAAS,GAAG,UAAQ,gCAAgC;AAC5D,eAAa,cAAc,QAAQ,EAAE,SAAS,OAAO,QAAS,EAAC;CAC/D;AAED,QAAO,IAAI,UAAU;AACrB;;;;;;AAOD,eAAsB,YACrBF,OACAG,WACgB;CAChB,MAAM,SAAS,UAAU;AACzB,MAAK,UAAU,OAAO,aAAa,MAClC,OAAM,IAAI,MACT;AAIF,MAAK,UAAU,KACd,OAAM,IAAI,MACT;CAIF,MAAM,SAAS,gBAAgB,OAAyB;CACxD,MAAM,gBAAgB,wBAAwB,UAAU,MAAM,MAAM;CAEpE,MAAM,EAAE,kBAAkB,GAAG,MAAM,OAAO;CAC1C,MAAM,UAAU,MAAM,iBAAiB,OAAO,UAAU,KAAK;AAE7D,MAAK,QACJ,OAAM,IAAI,OACR,8BAA8B,MAAM,mCAAmC,MAAM;AAIhF,OAAM,OAAO,KACZ,IAAI,oBAAoB;EACvB,MAAM;EACN,OAAO,KAAK,UAAU,QAAQ;EAC9B,MAAM;EACN,WAAW;EACX,cAAc,kBAAkB,UAAU,KAAK,GAAG,MAAM;CACxD,GACD;AACD;;;;;;AAOD,eAAsB,YACrBH,OACAG,WAC+B;CAC/B,MAAM,SAAS,UAAU;AACzB,MAAK,UAAU,OAAO,aAAa,MAClC,QAAO;AAGR,MAAK,UAAU,KACd,QAAO;CAGR,MAAM,SAAS,gBAAgB,OAAyB;CACxD,MAAM,gBAAgB,wBAAwB,UAAU,MAAM,MAAM;AAEpE,KAAI;EACH,MAAM,WAAW,MAAM,OAAO,KAC7B,IAAI,oBAAoB;GACvB,MAAM;GACN,gBAAgB;EAChB,GACD;AAED,OAAK,SAAS,WAAW,MACxB,QAAO;AAGR,SAAO,KAAK,MAAM,SAAS,UAAU,MAAM;CAC3C,SAAQ,OAAO;AACf,MAAI,iBAAiB,kBACpB,QAAO;AAER,QAAM;CACN;AACD;;;;AAKD,SAAgB,gBAAgBA,WAAyC;AACxE,UAAS,UAAU,SAAS,UAAU,MAAM,aAAa;AACzD"}

package/dist/{types-CZg5iUgD.d.mts → types-eTlj5f2M.d.mts}

@@ -261,4 +261,4 @@ interface GkmConfig {
 }
 //#endregion
 export { GkmConfig, HooksConfig, OpenApiConfig, ProvidersConfig, Routes, Runtime, StudioConfig, TelescopeConfig };
-//# sourceMappingURL=types-CZg5iUgD.d.mts.map
+//# sourceMappingURL=types-eTlj5f2M.d.mts.map

package/dist/{types-CZg5iUgD.d.mts.map → types-eTlj5f2M.d.mts.map}

@@ -1 +1 @@
-{"version":3,"file":"types-CZg5iUgD.d.mts","names":[],"sources":["../src/types.ts"],"sourcesContent":[],"mappings":";;AASiB,KAFL,MAAA,GAEmB,MAAA,GAAA,MAAA,EAAA;AAKd,UALA,cAAA,CAKoB;EAIpB,OAAA,CAAA,EAAA,OAAA;EAIA,SAAA,CAAA,EAAA,MAAA;AA4BjB;AAcY,UAlDK,mBAAA,SAA4B,cAkDf,CAAA,CAG9B;AAAiC,UAjDhB,eAAA,SAAwB,cAiDR,CAAA;AACM,UA9CtB,gBAAA,CA8CsB;EAAa;EAGnC,OAAA,CAAA,EAAA,OAAY;EAAA;EAAA,MAwBhB,CAAA,EAAA,OAAA;EAAqB;EAAqB,MAAA,CAAA,EAAA,OAAA;EAItC;EAAa,WAAA,CAAA,EAAA,MAAA;EAAA;EAIA,gBAJQ,CAAA,EAAA,OAAA;EAAc;EAOxC,QAAA,CAAA,EAAO,MAAA,EAAA;EAEF;EAiBA,WAAA,CAAA,EAAA,SAAY,GAAA,SAAA;EASZ;EAWA,OAAA,CAAA,EAAA,OAAW;EA6BX;AAajB;;;;;;EAQoC,iBAGhB,CAAA,EAAA,OAAA;;AAEsB;AAGzB,UAzJA,aAAA,CAyJS;EAAA;;;;EAGX,KACA,CAAA,EAAA,MAAA;EAAM;;;;EA+BoB,OAmBpB,CAAA,EAAA,MAAA;;;AA8BC,KA/NV,kBAAA,GA+NU,UAAA,GAAA,OAAA,GAAA,UAAA;;KA5NV,qBAAA,WACL,gCAAgC;UAGtB,YAAA;;;;;;;;;;;;;;;;;;;;;;;;eAwBJ,wBAAwB;;;UAIpB,YAAA,SAAqB;;;;eAIxB;;KAGF,OAAA;UAEK,eAAA;;;;;;;;;;;;;;;;UAiBA,YAAA;;;;;;;;UASA,aAAA;;;;;;;;;;UAWA,WAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;UA6BA,qBAAA;;;;;;;;;;;;UAaA,eAAA;;;qBAGC;qBACA;;;4BAGO;wBACJ;;;qBAGD;;sBAEC;;UAGJ,SAAA;UACR;cACI;UACJ;gBACM;;;cAGF;;;;;;;;;;UAUJ;;;;;;;;iCAQuB;;;;;;;;;;8BAUH;;;;;;;;;;;;;;;;;;;sBAmBR;;YAEV;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA4BD"}
+{"version":3,"file":"types-eTlj5f2M.d.mts","names":[],"sources":["../src/types.ts"],"sourcesContent":[],"mappings":";;AASiB,KAFL,MAAA,GAEmB,MAAA,GAAA,MAAA,EAAA;AAKd,UALA,cAAA,CAKoB;EAIpB,OAAA,CAAA,EAAA,OAAA;EAIA,SAAA,CAAA,EAAA,MAAA;AA4BjB;AAcY,UAlDK,mBAAA,SAA4B,cAkDf,CAAA,CAG9B;AAAiC,UAjDhB,eAAA,SAAwB,cAiDR,CAAA;AACM,UA9CtB,gBAAA,CA8CsB;EAAa;EAGnC,OAAA,CAAA,EAAA,OAAY;EAAA;EAAA,MAwBhB,CAAA,EAAA,OAAA;EAAqB;EAAqB,MAAA,CAAA,EAAA,OAAA;EAItC;EAAa,WAAA,CAAA,EAAA,MAAA;EAAA;EAIA,gBAJQ,CAAA,EAAA,OAAA;EAAc;EAOxC,QAAA,CAAA,EAAO,MAAA,EAAA;EAEF;EAiBA,WAAA,CAAA,EAAA,SAAY,GAAA,SAAA;EASZ;EAWA,OAAA,CAAA,EAAA,OAAW;EA6BX;AAajB;;;;;;EAQoC,iBAGhB,CAAA,EAAA,OAAA;;AAEsB;AAGzB,UAzJA,aAAA,CAyJS;EAAA;;;;EAGX,KACA,CAAA,EAAA,MAAA;EAAM;;;;EA+BoB,OAmBpB,CAAA,EAAA,MAAA;;;AA8BC,KA/NV,kBAAA,GA+NU,UAAA,GAAA,OAAA,GAAA,UAAA;;KA5NV,qBAAA,WACL,gCAAgC;UAGtB,YAAA;;;;;;;;;;;;;;;;;;;;;;;;eAwBJ,wBAAwB;;;UAIpB,YAAA,SAAqB;;;;eAIxB;;KAGF,OAAA;UAEK,eAAA;;;;;;;;;;;;;;;;UAiBA,YAAA;;;;;;;;UASA,aAAA;;;;;;;;;;UAWA,WAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;UA6BA,qBAAA;;;;;;;;;;;;UAaA,eAAA;;;qBAGC;qBACA;;;4BAGO;wBACJ;;;qBAGD;;sBAEC;;UAGJ,SAAA;UACR;cACI;UACJ;gBACM;;;cAGF;;;;;;;;;;UAUJ;;;;;;;;iCAQuB;;;;;;;;;;8BAUH;;;;;;;;;;;;;;;;;;;sBAmBR;;YAEV;;;;;;;;;;;;;;;;;;;;;;;;;;;;WA4BD"}

package/dist/workspace/index.d.mts

@@ -1,3 +1,3 @@
-import "../types-CZg5iUgD.mjs";
-import { AppConfig, AppConfigInput, AppInput, AppsRecord, BackendFramework, ClientConfig, ConstrainedApps, DeployConfig, DeployTarget, DokployWorkspaceConfig, FrontendFramework, InferAppNames, InferredWorkspaceConfig, LoadedConfig, MailServiceConfig, ModelsConfig, NormalizedAppConfig, NormalizedWorkspace, PHASE_2_DEPLOY_TARGETS, SUPPORTED_DEPLOY_TARGETS, SecretsConfig, ServiceImageConfig, ServicesConfig, SharedConfig, WorkspaceConfig, WorkspaceConfigSchema, WorkspaceInput, defineWorkspace, formatValidationErrors, getAppBuildOrder, getAppGkmConfig, getDependencyEnvVars, getDeployTargetError, getEndpointForStage, isDeployTargetSupported, isPhase2DeployTarget, isWorkspaceConfig, normalizeWorkspace, processConfig, safeValidateWorkspaceConfig, validateWorkspaceConfig, wrapSingleAppAsWorkspace } from "../index-C-KxSGGK.mjs";
+import "../types-eTlj5f2M.mjs";
+import { AppConfig, AppConfigInput, AppInput, AppsRecord, BackendFramework, ClientConfig, ConstrainedApps, DeployConfig, DeployTarget, DokployWorkspaceConfig, FrontendFramework, InferAppNames, InferredWorkspaceConfig, LoadedConfig, MailServiceConfig, ModelsConfig, NormalizedAppConfig, NormalizedWorkspace, PHASE_2_DEPLOY_TARGETS, SUPPORTED_DEPLOY_TARGETS, SecretsConfig, ServiceImageConfig, ServicesConfig, SharedConfig, WorkspaceConfig, WorkspaceConfigSchema, WorkspaceInput, defineWorkspace, formatValidationErrors, getAppBuildOrder, getAppGkmConfig, getDependencyEnvVars, getDeployTargetError, getEndpointForStage, isDeployTargetSupported, isPhase2DeployTarget, isWorkspaceConfig, normalizeWorkspace, processConfig, safeValidateWorkspaceConfig, validateWorkspaceConfig, wrapSingleAppAsWorkspace } from "../index-BVNXOydm.mjs";
 export { AppConfig, AppConfigInput, AppInput, AppsRecord, BackendFramework, ClientConfig, ConstrainedApps, DeployConfig, DeployTarget, DokployWorkspaceConfig, FrontendFramework, InferAppNames, InferredWorkspaceConfig, LoadedConfig, MailServiceConfig, ModelsConfig, NormalizedAppConfig, NormalizedWorkspace, PHASE_2_DEPLOY_TARGETS, SUPPORTED_DEPLOY_TARGETS, SecretsConfig, ServiceImageConfig, ServicesConfig, SharedConfig, WorkspaceConfig, WorkspaceConfigSchema, WorkspaceInput, defineWorkspace, formatValidationErrors, getAppBuildOrder, getAppGkmConfig, getDependencyEnvVars, getDeployTargetError, getEndpointForStage, isDeployTargetSupported, isPhase2DeployTarget, isWorkspaceConfig, normalizeWorkspace, processConfig, safeValidateWorkspaceConfig, validateWorkspaceConfig, wrapSingleAppAsWorkspace };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@geekmidas/cli",
-  "version": "1.7.0",
+  "version": "1.9.0",
   "description": "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs",
   "private": false,
   "type": "module",
@@ -56,10 +56,10 @@
     "prompts": "~2.4.2",
     "tsx": "~4.20.3",
     "yaml": "~2.8.2",
+    "@geekmidas/constructs": "~2.0.0",
     "@geekmidas/envkit": "~1.0.3",
-    "@geekmidas/constructs": "~1.1.0",
-    "@geekmidas/logger": "~1.0.0",
     "@geekmidas/errors": "~1.0.0",
+    "@geekmidas/logger": "~1.0.0",
     "@geekmidas/schema": "~1.0.0"
   },
   "devDependencies": {
@@ -70,7 +70,7 @@
     "typescript": "^5.8.2",
     "vitest": "^3.2.4",
     "zod": "~4.1.13",
-    "@geekmidas/testkit": "1.0.1"
+    "@geekmidas/testkit": "1.0.2"
   },
   "peerDependencies": {
     "@geekmidas/telescope": "~1.0.0"

package/src/dev/index.ts

@@ -1041,7 +1041,7 @@ export async function loadDevSecrets(
 	}
 
 	logger.warn(
-		'⚠️  Secrets enabled but no dev/development secrets found. Run "gkm secrets:init --stage dev"',
+		'⚠️  Secrets enabled but no dev/development secrets found. Run "gkm setup" to initialize your development environment',
 	);
 	return {};
 }

package/src/generators/SubscriberGenerator.ts

@@ -164,6 +164,7 @@ export const handler = adapter.handler;
  * - sqs://region/account-id/queue-name (SQS queue)
  * - sns://region/account-id/topic-name (SNS topic)
  * - rabbitmq://host:port/queue-name (RabbitMQ)
+ * - pgboss://user:pass@host:port/database (pg-boss / PostgreSQL)
  * - basic://in-memory (In-memory for testing)
  */
 import type { EnvironmentParser } from '@geekmidas/envkit';

package/src/index.ts

@@ -24,8 +24,10 @@ import {
 	secretsSetCommand,
 	secretsShowCommand,
 } from './secrets';
+import { type SetupOptions, setupCommand } from './setup/index';
 import { type TestOptions, testCommand } from './test/index';
 import type { ComposeServiceName, LegacyProvider, MainProvider } from './types';
+import { type UpgradeOptions, upgradeCommand } from './upgrade/index';
 
 const program = new Command();
 
@@ -61,6 +63,26 @@ program
 		}
 	});
 
+program
+	.command('setup')
+	.description('Setup development environment (secrets, Docker, database)')
+	.option('--stage <stage>', 'Stage name', 'development')
+	.option('--force', 'Regenerate secrets even if they exist')
+	.option('--skip-docker', 'Skip starting Docker services')
+	.option('-y, --yes', 'Skip prompts')
+	.action(async (options: SetupOptions) => {
+		try {
+			const globalOptions = program.opts();
+			if (globalOptions.cwd) {
+				process.chdir(globalOptions.cwd);
+			}
+			await setupCommand(options);
+		} catch (error) {
+			console.error(error instanceof Error ? error.message : 'Command failed');
+			process.exit(1);
+		}
+	});
+
 program
 	.command('build')
 	.description('Build handlers from endpoints, functions, and crons')
@@ -483,6 +505,60 @@ program
 		}
 	});
 
+program
+	.command('secrets:push')
+	.description('Push secrets to remote provider (SSM)')
+	.requiredOption('--stage <stage>', 'Stage name')
+	.action(async (options: { stage: string }) => {
+		try {
+			const globalOptions = program.opts();
+			if (globalOptions.cwd) {
+				process.chdir(globalOptions.cwd);
+			}
+
+			const { loadWorkspaceConfig } = await import('./config');
+			const { pushSecrets } = await import('./secrets/sync');
+
+			const { workspace } = await loadWorkspaceConfig();
+			await pushSecrets(options.stage, workspace);
+			console.log(`\n✓ Secrets pushed for stage "${options.stage}"`);
+		} catch (error) {
+			console.error(error instanceof Error ? error.message : 'Command failed');
+			process.exit(1);
+		}
+	});
+
+program
+	.command('secrets:pull')
+	.description('Pull secrets from remote provider (SSM)')
+	.requiredOption('--stage <stage>', 'Stage name')
+	.action(async (options: { stage: string }) => {
+		try {
+			const globalOptions = program.opts();
+			if (globalOptions.cwd) {
+				process.chdir(globalOptions.cwd);
+			}
+
+			const { loadWorkspaceConfig } = await import('./config');
+			const { pullSecrets } = await import('./secrets/sync');
+			const { writeStageSecrets } = await import('./secrets/storage');
+
+			const { workspace } = await loadWorkspaceConfig();
+			const secrets = await pullSecrets(options.stage, workspace);
+
+			if (!secrets) {
+				console.error(`No remote secrets found for stage "${options.stage}".`);
+				process.exit(1);
+			}
+
+			await writeStageSecrets(secrets, workspace.root);
+			console.log(`\n✓ Secrets pulled for stage "${options.stage}"`);
+		} catch (error) {
+			console.error(error instanceof Error ? error.message : 'Command failed');
+			process.exit(1);
+		}
+	});
+
 // Deploy command
 program
 	.command('deploy')
@@ -798,4 +874,21 @@ program
 		}
 	});
 
+program
+	.command('upgrade')
+	.description('Upgrade all @geekmidas packages to their latest versions')
+	.option('--dry-run', 'Show what would be upgraded without making changes')
+	.action(async (options: UpgradeOptions) => {
+		try {
+			const globalOptions = program.opts();
+			if (globalOptions.cwd) {
+				process.chdir(globalOptions.cwd);
+			}
+			await upgradeCommand(options);
+		} catch (error) {
+			console.error(error instanceof Error ? error.message : 'Command failed');
+			process.exit(1);
+		}
+	});
+
 program.parse();

package/src/init/index.ts

@@ -5,6 +5,10 @@ import prompts from 'prompts';
 import { createStageSecrets } from '../secrets/generator.js';
 import { getKeyPath } from '../secrets/keystore.js';
 import { writeStageSecrets } from '../secrets/storage.js';
+import {
+	generateDbPassword,
+	generateDbUrl,
+} from '../setup/fullstack-secrets.js';
 import type { ComposeServiceName } from '../types.js';
 import { generateAuthAppFiles } from './generators/auth.js';
 import { generateConfigFiles } from './generators/config.js';
@@ -60,29 +64,6 @@ export interface InitOptions {
 	pm?: PackageManager;
 }
 
-/**
- * Generate a secure random password for database users
- */
-function generateDbPassword(): string {
-	return `${Date.now().toString(36)}${Math.random().toString(36).slice(2)}${Math.random().toString(36).slice(2)}`;
-}
-
-/**
- * Generate database URL for an app
- * All apps connect to the same database, but use different users/schemas
- */
-function generateDbUrl(
-	appName: string,
-	password: string,
-	projectName: string,
-	host = 'localhost',
-	port = 5432,
-): string {
-	const userName = appName.replace(/-/g, '_');
-	const dbName = `${projectName.replace(/-/g, '_')}_dev`;
-	return `postgresql://${userName}:${password}@${host}:${port}/${dbName}`;
-}
-
 /**
  * Main init command - scaffolds a new project
  */

package/src/init/utils.ts

@@ -1,5 +1,7 @@
-import { existsSync } from 'node:fs';
-import { join } from 'node:path';
+import { existsSync, readFileSync } from 'node:fs';
+import { dirname, join, parse } from 'node:path';
+import fg from 'fast-glob';
+import { parse as parseYaml } from 'yaml';
 
 export type PackageManager = 'pnpm' | 'npm' | 'yarn' | 'bun';
 
@@ -94,3 +96,102 @@ export function getRunCommand(
 			return `npm run ${script}`;
 	}
 }
+
+const lockfileByPm: Record<PackageManager, string> = {
+	pnpm: 'pnpm-lock.yaml',
+	yarn: 'yarn.lock',
+	npm: 'package-lock.json',
+	bun: 'bun.lockb',
+};
+
+/**
+ * Find the workspace/project root by walking up from cwd.
+ * Checks for PM-specific workspace config, package.json#workspaces,
+ * and lockfiles.
+ */
+export function findWorkspaceRoot(cwd: string, pm: PackageManager): string {
+	let dir = cwd;
+	const root = parse(dir).root;
+	const lockfile = lockfileByPm[pm];
+
+	while (dir !== root) {
+		if (pm === 'pnpm' && existsSync(join(dir, 'pnpm-workspace.yaml'))) {
+			return dir;
+		}
+
+		const pkgJsonPath = join(dir, 'package.json');
+		if (existsSync(pkgJsonPath)) {
+			try {
+				const pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf-8'));
+				if (pkg.workspaces) return dir;
+			} catch {
+				// ignore malformed package.json
+			}
+		}
+
+		if (existsSync(join(dir, lockfile))) {
+			return dir;
+		}
+
+		dir = dirname(dir);
+	}
+
+	return cwd;
+}
+
+/**
+ * Get workspace package glob patterns from pnpm-workspace.yaml
+ * or package.json#workspaces.
+ */
+export function getWorkspaceGlobs(root: string): string[] {
+	const pnpmWorkspacePath = join(root, 'pnpm-workspace.yaml');
+	if (existsSync(pnpmWorkspacePath)) {
+		const content = readFileSync(pnpmWorkspacePath, 'utf-8');
+		const parsed = parseYaml(content);
+		return parsed?.packages ?? [];
+	}
+
+	const rootPkgJsonPath = join(root, 'package.json');
+	if (existsSync(rootPkgJsonPath)) {
+		const pkg = JSON.parse(readFileSync(rootPkgJsonPath, 'utf-8'));
+		if (Array.isArray(pkg.workspaces)) {
+			return pkg.workspaces;
+		}
+		if (pkg.workspaces?.packages) {
+			return pkg.workspaces.packages;
+		}
+	}
+
+	return [];
+}
+
+/**
+ * Find all package.json files across a workspace.
+ * Returns the root package.json plus all workspace member package.json paths.
+ */
+export function findWorkspacePackages(
+	cwd: string,
+	pm: PackageManager,
+): string[] {
+	const workspaceRoot = findWorkspaceRoot(cwd, pm);
+	const results: string[] = [];
+
+	const rootPkgJson = join(workspaceRoot, 'package.json');
+	if (existsSync(rootPkgJson)) {
+		results.push(rootPkgJson);
+	}
+
+	const globs = getWorkspaceGlobs(workspaceRoot);
+
+	for (const glob of globs) {
+		const pattern = `${glob}/package.json`;
+		const matches = fg.sync(pattern, {
+			cwd: workspaceRoot,
+			absolute: true,
+			ignore: ['**/node_modules/**'],
+		});
+		results.push(...matches);
+	}
+
+	return [...new Set(results)];
+}

package/src/init/versions.ts

@@ -32,7 +32,7 @@ export const GEEKMIDAS_VERSIONS = {
 	'@geekmidas/cache': '~1.0.0',
 	'@geekmidas/client': '~2.0.0',
 	'@geekmidas/cloud': '~1.0.0',
-	'@geekmidas/constructs': '~1.1.0',
+	'@geekmidas/constructs': '~1.1.1',
 	'@geekmidas/db': '~1.0.0',
 	'@geekmidas/emailkit': '~1.0.0',
 	'@geekmidas/envkit': '~1.0.3',

package/src/secrets/index.ts

@@ -1,6 +1,7 @@
 import { existsSync } from 'node:fs';
 import { readFile } from 'node:fs/promises';
-import { loadConfig } from '../config';
+import { loadConfig, loadWorkspaceConfig } from '../config';
+import { generateFullstackCustomSecrets } from '../setup/fullstack-secrets';
 import type { ComposeServiceName, ComposeServicesConfig } from '../types';
 import { createStageSecrets, rotateServicePassword } from './generator';
 import {
@@ -88,6 +89,20 @@ export async function secretsInitCommand(
 	// Generate secrets
 	const secrets = createStageSecrets(stage, services);
 
+	// Detect workspace mode and generate fullstack-aware custom secrets
+	try {
+		const loaded = await loadWorkspaceConfig();
+		const isMultiApp = Object.keys(loaded.workspace.apps).length > 1;
+
+		if (isMultiApp) {
+			const customSecrets = generateFullstackCustomSecrets(loaded.workspace);
+			secrets.custom = customSecrets;
+			logger.log('  Detected workspace mode — generating per-app secrets');
+		}
+	} catch {
+		// Not a workspace — single-app mode, skip custom secrets
+	}
+
 	// Write to file
 	await writeStageSecrets(secrets);
 
@@ -109,6 +124,10 @@ export async function secretsInitCommand(
 		logger.log(`  RABBITMQ_URL: ${maskUrl(secrets.urls.RABBITMQ_URL)}`);
 	}
 
+	if (Object.keys(secrets.custom).length > 0) {
+		logger.log(`\n  Custom secrets: ${Object.keys(secrets.custom).length}`);
+	}
+
 	logger.log(`\n  Use "gkm secrets:show --stage ${stage}" to view secrets`);
 	logger.log(
 		'  Use "gkm secrets:set <KEY> <VALUE> --stage ' +