@geekmidas/cli 1.7.0 → 1.9.0

package/src/secrets/sync.ts

@@ -0,0 +1,136 @@
+/**
+ * Secrets Sync via AWS SSM Parameter Store
+ *
+ * Stores and retrieves encrypted StageSecrets as SecureString parameters.
+ * Reuses the SSM infrastructure from the state provider.
+ *
+ * Parameter naming: /gkm/{workspaceName}/{stage}/secrets
+ */
+
+import {
+	GetParameterCommand,
+	ParameterNotFound,
+	PutParameterCommand,
+	SSMClient,
+	type SSMClientConfig,
+} from '@aws-sdk/client-ssm';
+import type { SSMStateConfig } from '../deploy/StateProvider.js';
+import type { NormalizedWorkspace } from '../workspace/types.js';
+import type { StageSecrets } from './types.js';
+
+/**
+ * Get the SSM parameter name for secrets.
+ */
+function getSecretsParameterName(workspaceName: string, stage: string): string {
+	return `/gkm/${workspaceName}/${stage}/secrets`;
+}
+
+/**
+ * Create an SSM client from workspace state config.
+ */
+function createSSMClient(config: SSMStateConfig): SSMClient {
+	const clientConfig: SSMClientConfig = {
+		region: config.region,
+	};
+
+	if (config.profile) {
+		const { fromIni } = require('@aws-sdk/credential-providers');
+		clientConfig.credentials = fromIni({ profile: config.profile });
+	}
+
+	return new SSMClient(clientConfig);
+}
+
+/**
+ * Push secrets to SSM Parameter Store.
+ *
+ * Stores the full StageSecrets object as a SecureString parameter.
+ */
+export async function pushSecrets(
+	stage: string,
+	workspace: NormalizedWorkspace,
+): Promise<void> {
+	const config = workspace.state;
+	if (!config || config.provider !== 'ssm') {
+		throw new Error(
+			'SSM state provider not configured. Add state: { provider: "ssm", region: "..." } to gkm.config.ts.',
+		);
+	}
+
+	if (!workspace.name) {
+		throw new Error(
+			'Workspace name is required for SSM secrets sync. Set "name" in gkm.config.ts.',
+		);
+	}
+
+	const client = createSSMClient(config as SSMStateConfig);
+	const parameterName = getSecretsParameterName(workspace.name, stage);
+
+	const { readStageSecrets } = await import('./storage.js');
+	const secrets = await readStageSecrets(stage, workspace.root);
+
+	if (!secrets) {
+		throw new Error(
+			`No secrets found for stage "${stage}". Run "gkm secrets:init --stage ${stage}" first.`,
+		);
+	}
+
+	await client.send(
+		new PutParameterCommand({
+			Name: parameterName,
+			Value: JSON.stringify(secrets),
+			Type: 'SecureString',
+			Overwrite: true,
+			Description: `GKM secrets for ${workspace.name}/${stage}`,
+		}),
+	);
+}
+
+/**
+ * Pull secrets from SSM Parameter Store.
+ *
+ * @returns StageSecrets or null if no secrets are stored remotely
+ */
+export async function pullSecrets(
+	stage: string,
+	workspace: NormalizedWorkspace,
+): Promise<StageSecrets | null> {
+	const config = workspace.state;
+	if (!config || config.provider !== 'ssm') {
+		return null;
+	}
+
+	if (!workspace.name) {
+		return null;
+	}
+
+	const client = createSSMClient(config as SSMStateConfig);
+	const parameterName = getSecretsParameterName(workspace.name, stage);
+
+	try {
+		const response = await client.send(
+			new GetParameterCommand({
+				Name: parameterName,
+				WithDecryption: true,
+			}),
+		);
+
+		if (!response.Parameter?.Value) {
+			return null;
+		}
+
+		return JSON.parse(response.Parameter.Value) as StageSecrets;
+	} catch (error) {
+		if (error instanceof ParameterNotFound) {
+			return null;
+		}
+		throw error;
+	}
+}
+
+/**
+ * Check if SSM is configured for the workspace.
+ */
+export function isSSMConfigured(workspace: NormalizedWorkspace): boolean {
+	return !!workspace.state && workspace.state.provider === 'ssm';
+}

package/src/setup/fullstack-secrets.ts

@@ -0,0 +1,121 @@
+import { mkdir, writeFile } from 'node:fs/promises';
+import { dirname, join } from 'node:path';
+import { generateSecurePassword } from '../secrets/generator.js';
+import type { StageSecrets } from '../secrets/types.js';
+import type { NormalizedWorkspace } from '../workspace/types.js';
+
+/**
+ * Generate a secure random password for database users.
+ * Uses a combination of timestamp and random bytes for uniqueness.
+ */
+export function generateDbPassword(): string {
+	return `${Date.now().toString(36)}${Math.random().toString(36).slice(2)}${Math.random().toString(36).slice(2)}`;
+}
+
+/**
+ * Generate database URL for an app.
+ * All apps connect to the same database, but use different users/schemas.
+ */
+export function generateDbUrl(
+	appName: string,
+	password: string,
+	projectName: string,
+	host = 'localhost',
+	port = 5432,
+): string {
+	const userName = appName.replace(/-/g, '_');
+	const dbName = `${projectName.replace(/-/g, '_')}_dev`;
+	return `postgresql://${userName}:${password}@${host}:${port}/${dbName}`;
+}
+
+/**
+ * Generate fullstack-aware custom secrets for a workspace.
+ *
+ * Generates:
+ * - Common secrets: NODE_ENV, PORT, LOG_LEVEL, JWT_SECRET
+ * - Per-app database passwords and URLs for backend apps with db service
+ * - Better-auth secrets for apps using the better-auth framework
+ */
+export function generateFullstackCustomSecrets(
+	workspace: NormalizedWorkspace,
+): Record<string, string> {
+	const hasDb = !!workspace.services.db;
+	const customs: Record<string, string> = {
+		NODE_ENV: 'development',
+		PORT: '3000',
+		LOG_LEVEL: 'debug',
+		JWT_SECRET: `dev-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+	};
+
+	if (!hasDb) {
+		return customs;
+	}
+
+	// Collect all frontend ports for trusted origins
+	const frontendPorts: number[] = [];
+
+	for (const [appName, appConfig] of Object.entries(workspace.apps)) {
+		if (appConfig.type === 'frontend') {
+			frontendPorts.push(appConfig.port);
+			continue;
+		}
+
+		// Backend apps with database: generate per-app DB passwords and URLs
+		const password = generateDbPassword();
+		const upperName = appName.toUpperCase();
+
+		customs[`${upperName}_DATABASE_URL`] = generateDbUrl(
+			appName,
+			password,
+			workspace.name,
+		);
+		customs[`${upperName}_DB_PASSWORD`] = password;
+
+		// Better-auth framework secrets
+		if (appConfig.framework === 'better-auth') {
+			customs.AUTH_PORT = String(appConfig.port);
+			customs.AUTH_URL = `http://localhost:${appConfig.port}`;
+			customs.BETTER_AUTH_SECRET = `better-auth-${Date.now()}-${generateSecurePassword(16)}`;
+			customs.BETTER_AUTH_URL = `http://localhost:${appConfig.port}`;
+		}
+	}
+
+	// Generate trusted origins for better-auth (all app ports)
+	if (customs.BETTER_AUTH_SECRET) {
+		const allPorts = Object.values(workspace.apps).map((a) => a.port);
+		customs.BETTER_AUTH_TRUSTED_ORIGINS = allPorts
+			.map((p) => `http://localhost:${p}`)
+			.join(',');
+	}
+
+	return customs;
+}
+
+/**
+ * Extract *_DB_PASSWORD keys from secrets and write docker/.env.
+ *
+ * The docker/.env file contains database passwords that the PostgreSQL
+ * init script reads to create per-app database users.
+ */
+export async function writeDockerEnvFromSecrets(
+	secrets: StageSecrets,
+	workspaceRoot: string,
+): Promise<void> {
+	const dbPasswordEntries = Object.entries(secrets.custom).filter(([key]) =>
+		key.endsWith('_DB_PASSWORD'),
+	);
+
+	if (dbPasswordEntries.length === 0) {
+		return;
+	}
+
+	const envContent = `# Auto-generated docker environment file
+# Contains database passwords for docker-compose postgres init
+# This file is gitignored - do not commit to version control
+${dbPasswordEntries.map(([key, value]) => `${key}=${value}`).join('\n')}
+`;
+
+	const envPath = join(workspaceRoot, 'docker', '.env');
+	await mkdir(dirname(envPath), { recursive: true });
+	await writeFile(envPath, envContent);
+}

package/src/setup/index.ts

@@ -0,0 +1,212 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import prompts from 'prompts';
+import { loadWorkspaceConfig } from '../config.js';
+import { startWorkspaceServices } from '../dev/index.js';
+import { createStageSecrets } from '../secrets/generator.js';
+import {
+	readStageSecrets,
+	secretsExist,
+	writeStageSecrets,
+} from '../secrets/storage.js';
+import { isSSMConfigured, pullSecrets, pushSecrets } from '../secrets/sync.js';
+import type { ComposeServiceName } from '../types.js';
+import type { LoadedConfig, NormalizedWorkspace } from '../workspace/types.js';
+import {
+	generateFullstackCustomSecrets,
+	writeDockerEnvFromSecrets,
+} from './fullstack-secrets.js';
+
+const logger = console;
+
+export interface SetupOptions {
+	stage?: string;
+	force?: boolean;
+	skipDocker?: boolean;
+	yes?: boolean;
+}
+
+/**
+ * Setup development environment.
+ *
+ * Orchestrates:
+ * 1. Load workspace config
+ * 2. Resolve secrets (local → SSM → generate fresh)
+ * 3. Write docker/.env from secrets
+ * 4. Start Docker services
+ */
+export async function setupCommand(options: SetupOptions = {}): Promise<void> {
+	const stage = options.stage ?? 'development';
+
+	logger.log('\n🔧 Setting up development environment...\n');
+
+	// 1. Load workspace config
+	let loadedConfig: LoadedConfig;
+	try {
+		loadedConfig = await loadWorkspaceConfig();
+	} catch {
+		logger.error(
+			'❌ No gkm.config.ts found. Run this command from a workspace root.',
+		);
+		process.exit(1);
+	}
+
+	const { workspace } = loadedConfig;
+	const isMultiApp = Object.keys(workspace.apps).length > 1;
+
+	logger.log(`📦 Workspace: ${workspace.name}`);
+	logger.log(`📱 Apps: ${Object.keys(workspace.apps).join(', ')}`);
+	logger.log(`🔑 Stage: ${stage}\n`);
+
+	// 2. Resolve secrets
+	const secrets = await resolveSecrets(stage, workspace, options);
+
+	if (!secrets) {
+		logger.error('❌ Failed to resolve secrets. Exiting.');
+		process.exit(1);
+	}
+
+	// 3. Write docker/.env from secrets (always regenerated as derived file)
+	if (isMultiApp && workspace.services.db) {
+		await writeDockerEnvFromSecrets(secrets, workspace.root);
+		logger.log('📄 Generated docker/.env with database passwords');
+	}
+
+	// 4. Start Docker services
+	if (!options.skipDocker) {
+		const composeFile = join(workspace.root, 'docker-compose.yml');
+		if (existsSync(composeFile)) {
+			logger.log('');
+			await startWorkspaceServices(workspace);
+		} else {
+			logger.log('⚠️  No docker-compose.yml found. Skipping Docker services.');
+		}
+	}
+
+	// Print summary
+	printSummary(workspace, stage);
+}
+
+/**
+ * Resolve secrets with priority:
+ * 1. Local secrets exist → use them (preserves manual additions)
+ * 2. SSM configured and has secrets → pull and use
+ * 3. Neither → generate fresh secrets
+ *
+ * --force skips checks 1 and 2 and always regenerates.
+ */
+async function resolveSecrets(
+	stage: string,
+	workspace: NormalizedWorkspace,
+	options: SetupOptions,
+) {
+	// Force regeneration
+	if (options.force) {
+		logger.log('🔐 Generating fresh secrets (--force)...');
+		return generateFreshSecrets(stage, workspace, options);
+	}
+
+	// Check local secrets first
+	if (secretsExist(stage, workspace.root)) {
+		logger.log('🔐 Using existing local secrets');
+		const secrets = await readStageSecrets(stage, workspace.root);
+		if (secrets) {
+			return secrets;
+		}
+	}
+
+	// Try SSM pull if configured
+	if (isSSMConfigured(workspace)) {
+		logger.log('☁️  Checking for remote secrets in SSM...');
+		try {
+			const remoteSecrets = await pullSecrets(stage, workspace);
+			if (remoteSecrets) {
+				logger.log('✅ Pulled secrets from SSM');
+				await writeStageSecrets(remoteSecrets, workspace.root);
+				return remoteSecrets;
+			}
+			logger.log('   No remote secrets found');
+		} catch (error) {
+			logger.warn(`⚠️  Failed to pull from SSM: ${(error as Error).message}`);
+		}
+	}
+
+	// Generate fresh secrets
+	logger.log('🔐 Generating fresh development secrets...');
+	return generateFreshSecrets(stage, workspace, options);
+}
+
+/**
+ * Generate fresh secrets for the workspace.
+ */
+async function generateFreshSecrets(
+	stage: string,
+	workspace: NormalizedWorkspace,
+	options: SetupOptions,
+) {
+	// Determine services from workspace config
+	const serviceNames: ComposeServiceName[] = [];
+	if (workspace.services.db) serviceNames.push('postgres');
+	if (workspace.services.cache) serviceNames.push('redis');
+
+	// Create base secrets with service credentials
+	const secrets = createStageSecrets(stage, serviceNames);
+
+	// Generate fullstack-aware custom secrets
+	const isMultiApp = Object.keys(workspace.apps).length > 1;
+	if (isMultiApp) {
+		const customSecrets = generateFullstackCustomSecrets(workspace);
+		secrets.custom = customSecrets;
+	} else {
+		secrets.custom = {
+			NODE_ENV: 'development',
+			PORT: '3000',
+			LOG_LEVEL: 'debug',
+			JWT_SECRET: `dev-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+		};
+	}
+
+	// Write secrets
+	await writeStageSecrets(secrets, workspace.root);
+	logger.log(`   Secrets written to .gkm/secrets/${stage}.json`);
+
+	// Offer to push to SSM if configured
+	if (isSSMConfigured(workspace) && !options.yes) {
+		const { shouldPush } = await prompts({
+			type: 'confirm',
+			name: 'shouldPush',
+			message: 'Push secrets to SSM for team sharing?',
+			initial: true,
+		});
+
+		if (shouldPush) {
+			try {
+				await pushSecrets(stage, workspace);
+				logger.log('☁️  Secrets pushed to SSM');
+			} catch (error) {
+				logger.warn(`⚠️  Failed to push to SSM: ${(error as Error).message}`);
+			}
+		}
+	}
+
+	return secrets;
+}
+
+/**
+ * Print setup summary with next steps.
+ */
+function printSummary(workspace: NormalizedWorkspace, stage: string): void {
+	logger.log(`\n${'─'.repeat(50)}`);
+	logger.log('\n✅ Development environment ready!\n');
+
+	logger.log('📋 Apps:');
+	for (const [name, app] of Object.entries(workspace.apps)) {
+		const icon = app.type === 'frontend' ? '🌐' : '🔧';
+		logger.log(`   ${icon} ${name} → http://localhost:${app.port}`);
+	}
+
+	logger.log('\n🚀 Next steps:');
+	logger.log('   gkm dev                    # Start all apps');
+	logger.log(`   gkm secrets:show --stage ${stage}  # View secrets`);
+	logger.log('');
+}

package/src/test/__tests__/web.spec.ts

@@ -80,7 +80,7 @@ describe('web (frontend) app context', () => {
 
 	it('should not have DATABASE_URL (frontend does not access database)', () => {
 		// Frontend gets secrets mapped without an app-specific DATABASE_URL
-		const secrets = mapSecretsForApp(createFullstackSecrets(), 'web');
+		const _secrets = mapSecretsForApp(createFullstackSecrets(), 'web');
 
 		// No WEB_DATABASE_URL exists, so DATABASE_URL stays as default (api's)
 		// In practice, frontend apps don't use DATABASE_URL at all