@geekmidas/cli 1.8.0 → 1.9.1

package/src/dev/index.ts

@@ -1041,7 +1041,7 @@ export async function loadDevSecrets(
 	}
 
 	logger.warn(
-		'⚠️  Secrets enabled but no dev/development secrets found. Run "gkm secrets:init --stage dev"',
+		'⚠️  Secrets enabled but no dev/development secrets found. Run "gkm setup" to initialize your development environment',
 	);
 	return {};
 }
@@ -1832,6 +1832,85 @@ class EntryRunner {
 	}
 }
 
+/**
+ * Generate the content of the dev server entry file (server.ts).
+ * Uses dynamic import for createApp so Credentials are populated
+ * before any app modules evaluate.
+ * @internal Exported for testing
+ */
+export function generateServerEntryContent(options: {
+	secretsJsonPath?: string;
+	runtime?: Runtime;
+	enableOpenApi?: boolean;
+	appImportPath?: string;
+}): string {
+	const {
+		secretsJsonPath,
+		runtime = 'node',
+		enableOpenApi = false,
+		appImportPath = './app.js',
+	} = options;
+
+	const credentialsInjection = secretsJsonPath
+		? `import { Credentials } from '@geekmidas/envkit/credentials';
+import { existsSync, readFileSync } from 'node:fs';
+
+// Inject dev secrets into Credentials (must happen before app import)
+const secretsPath = '${secretsJsonPath}';
+if (existsSync(secretsPath)) {
+  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
+}
+
+`
+		: '';
+
+	const serveCode =
+		runtime === 'bun'
+			? `Bun.serve({
+      port,
+      fetch: app.fetch,
+    });`
+			: `const { serve } = await import('@hono/node-server');
+    const server = serve({
+      fetch: app.fetch,
+      port,
+    });
+    // Inject WebSocket support if available
+    const injectWs = (app as any).__injectWebSocket;
+    if (injectWs) {
+      injectWs(server);
+      console.log('🔌 Telescope real-time updates enabled');
+    }`;
+
+	return `#!/usr/bin/env node
+/**
+ * Development server entry point
+ * This file is auto-generated by 'gkm dev'
+ */
+${credentialsInjection}
+const port = process.argv.includes('--port')
+  ? Number.parseInt(process.argv[process.argv.indexOf('--port') + 1])
+  : 3000;
+
+// Dynamic import so Credentials are populated before env.ts evaluates
+const { createApp } = await import('${appImportPath}');
+
+// createApp is async to support optional WebSocket setup
+const { app, start } = await createApp(undefined, ${enableOpenApi});
+
+// Start the server
+start({
+  port,
+  serve: async (app, port) => {
+    ${serveCode}
+  },
+}).catch((error) => {
+  console.error('Failed to start server:', error);
+  process.exit(1);
+});
+`;
+}
+
 class DevServer {
 	private serverProcess: ChildProcess | null = null;
 	private isRunning = false;
@@ -1997,72 +2076,14 @@ class DevServer {
 
 	private async createServerEntry(): Promise<void> {
 		const { writeFile: fsWriteFile } = await import('node:fs/promises');
-		const { relative, dirname } = await import('node:path');
 
 		const serverPath = join(this.appRoot, '.gkm', this.provider, 'server.ts');
 
-		const relativeAppPath = relative(
-			dirname(serverPath),
-			join(dirname(serverPath), 'app.js'),
-		);
-
-		// Generate credentials injection code if secrets are available
-		const credentialsInjection = this.secretsJsonPath
-			? `import { Credentials } from '@geekmidas/envkit/credentials';
-import { existsSync, readFileSync } from 'node:fs';
-
-// Inject dev secrets into Credentials (must happen before app import)
-const secretsPath = '${this.secretsJsonPath}';
-if (existsSync(secretsPath)) {
-  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
-}
-
-`
-			: '';
-
-		const serveCode =
-			this.runtime === 'bun'
-				? `Bun.serve({
-      port,
-      fetch: app.fetch,
-    });`
-				: `const { serve } = await import('@hono/node-server');
-    const server = serve({
-      fetch: app.fetch,
-      port,
-    });
-    // Inject WebSocket support if available
-    const injectWs = (app as any).__injectWebSocket;
-    if (injectWs) {
-      injectWs(server);
-      console.log('🔌 Telescope real-time updates enabled');
-    }`;
-
-		const content = `#!/usr/bin/env node
-/**
- * Development server entry point
- * This file is auto-generated by 'gkm dev'
- */
-${credentialsInjection}import { createApp } from './${relativeAppPath.startsWith('.') ? relativeAppPath : `./${relativeAppPath}`}';
-
-const port = process.argv.includes('--port')
-  ? Number.parseInt(process.argv[process.argv.indexOf('--port') + 1])
-  : 3000;
-
-// createApp is async to support optional WebSocket setup
-const { app, start } = await createApp(undefined, ${this.enableOpenApi});
-
-// Start the server
-start({
-  port,
-  serve: async (app, port) => {
-    ${serveCode}
-  },
-}).catch((error) => {
-  console.error('Failed to start server:', error);
-  process.exit(1);
-});
-`;
+		const content = generateServerEntryContent({
+			secretsJsonPath: this.secretsJsonPath,
+			runtime: this.runtime,
+			enableOpenApi: this.enableOpenApi,
+		});
 
 		await fsWriteFile(serverPath, content);
 	}

package/src/generators/SubscriberGenerator.ts

@@ -164,6 +164,7 @@ export const handler = adapter.handler;
  * - sqs://region/account-id/queue-name (SQS queue)
  * - sns://region/account-id/topic-name (SNS topic)
  * - rabbitmq://host:port/queue-name (RabbitMQ)
+ * - pgboss://user:pass@host:port/database (pg-boss / PostgreSQL)
  * - basic://in-memory (In-memory for testing)
  */
 import type { EnvironmentParser } from '@geekmidas/envkit';

package/src/index.ts

@@ -24,8 +24,10 @@ import {
 	secretsSetCommand,
 	secretsShowCommand,
 } from './secrets';
+import { type SetupOptions, setupCommand } from './setup/index';
 import { type TestOptions, testCommand } from './test/index';
 import type { ComposeServiceName, LegacyProvider, MainProvider } from './types';
+import { type UpgradeOptions, upgradeCommand } from './upgrade/index';
 
 const program = new Command();
 
@@ -61,6 +63,26 @@ program
 		}
 	});
 
+program
+	.command('setup')
+	.description('Setup development environment (secrets, Docker, database)')
+	.option('--stage <stage>', 'Stage name', 'development')
+	.option('--force', 'Regenerate secrets even if they exist')
+	.option('--skip-docker', 'Skip starting Docker services')
+	.option('-y, --yes', 'Skip prompts')
+	.action(async (options: SetupOptions) => {
+		try {
+			const globalOptions = program.opts();
+			if (globalOptions.cwd) {
+				process.chdir(globalOptions.cwd);
+			}
+			await setupCommand(options);
+		} catch (error) {
+			console.error(error instanceof Error ? error.message : 'Command failed');
+			process.exit(1);
+		}
+	});
+
 program
 	.command('build')
 	.description('Build handlers from endpoints, functions, and crons')
@@ -483,6 +505,138 @@ program
 		}
 	});
 
+program
+	.command('secrets:push')
+	.description('Push secrets to remote provider (SSM)')
+	.requiredOption('--stage <stage>', 'Stage name')
+	.action(async (options: { stage: string }) => {
+		try {
+			const globalOptions = program.opts();
+			if (globalOptions.cwd) {
+				process.chdir(globalOptions.cwd);
+			}
+
+			const { loadWorkspaceConfig } = await import('./config');
+			const { pushSecrets } = await import('./secrets/sync');
+			const { reconcileMissingSecrets } = await import('./secrets/reconcile');
+			const { readStageSecrets, writeStageSecrets } = await import(
+				'./secrets/storage'
+			);
+
+			const { workspace } = await loadWorkspaceConfig();
+
+			const secrets = await readStageSecrets(options.stage, workspace.root);
+			if (secrets) {
+				const result = reconcileMissingSecrets(secrets, workspace);
+				if (result) {
+					await writeStageSecrets(result.secrets, workspace.root);
+					console.log(
+						`  Reconciled ${result.addedKeys.length} missing secret(s):`,
+					);
+					for (const key of result.addedKeys) {
+						console.log(`    + ${key}`);
+					}
+				}
+			}
+
+			await pushSecrets(options.stage, workspace);
+			console.log(`\n✓ Secrets pushed for stage "${options.stage}"`);
+		} catch (error) {
+			console.error(error instanceof Error ? error.message : 'Command failed');
+			process.exit(1);
+		}
+	});
+
+program
+	.command('secrets:pull')
+	.description('Pull secrets from remote provider (SSM)')
+	.requiredOption('--stage <stage>', 'Stage name')
+	.action(async (options: { stage: string }) => {
+		try {
+			const globalOptions = program.opts();
+			if (globalOptions.cwd) {
+				process.chdir(globalOptions.cwd);
+			}
+
+			const { loadWorkspaceConfig } = await import('./config');
+			const { pullSecrets } = await import('./secrets/sync');
+			const { writeStageSecrets } = await import('./secrets/storage');
+			const { reconcileMissingSecrets } = await import('./secrets/reconcile');
+
+			const { workspace } = await loadWorkspaceConfig();
+			let secrets = await pullSecrets(options.stage, workspace);
+
+			if (!secrets) {
+				console.error(`No remote secrets found for stage "${options.stage}".`);
+				process.exit(1);
+			}
+
+			const result = reconcileMissingSecrets(secrets, workspace);
+			if (result) {
+				secrets = result.secrets;
+				console.log(
+					`  Reconciled ${result.addedKeys.length} missing secret(s):`,
+				);
+				for (const key of result.addedKeys) {
+					console.log(`    + ${key}`);
+				}
+			}
+
+			await writeStageSecrets(secrets, workspace.root);
+			console.log(`\n✓ Secrets pulled for stage "${options.stage}"`);
+		} catch (error) {
+			console.error(error instanceof Error ? error.message : 'Command failed');
+			process.exit(1);
+		}
+	});
+
+program
+	.command('secrets:reconcile')
+	.description('Backfill missing custom secrets from workspace config')
+	.option('--stage <stage>', 'Stage name', 'development')
+	.action(async (options: { stage: string }) => {
+		try {
+			const globalOptions = program.opts();
+			if (globalOptions.cwd) {
+				process.chdir(globalOptions.cwd);
+			}
+
+			const { loadWorkspaceConfig } = await import('./config');
+			const { reconcileMissingSecrets } = await import('./secrets/reconcile');
+			const { readStageSecrets, writeStageSecrets } = await import(
+				'./secrets/storage'
+			);
+
+			const { workspace } = await loadWorkspaceConfig();
+			const secrets = await readStageSecrets(options.stage, workspace.root);
+
+			if (!secrets) {
+				console.error(
+					`No secrets found for stage "${options.stage}". Run "gkm secrets:init --stage ${options.stage}" first.`,
+				);
+				process.exit(1);
+			}
+
+			const result = reconcileMissingSecrets(secrets, workspace);
+
+			if (!result) {
+				console.log(`\n✓ Secrets for stage "${options.stage}" are up-to-date`);
+				return;
+			}
+
+			await writeStageSecrets(result.secrets, workspace.root);
+			console.log(
+				`\n✓ Reconciled ${result.addedKeys.length} missing secret(s) for stage "${options.stage}":`,
+			);
+			for (const key of result.addedKeys) {
+				console.log(`    + ${key}`);
+			}
+		} catch (error) {
+			console.error(error instanceof Error ? error.message : 'Command failed');
+			process.exit(1);
+		}
+	});
+
 // Deploy command
 program
 	.command('deploy')
@@ -798,4 +952,21 @@ program
 		}
 	});
 
+program
+	.command('upgrade')
+	.description('Upgrade all @geekmidas packages to their latest versions')
+	.option('--dry-run', 'Show what would be upgraded without making changes')
+	.action(async (options: UpgradeOptions) => {
+		try {
+			const globalOptions = program.opts();
+			if (globalOptions.cwd) {
+				process.chdir(globalOptions.cwd);
+			}
+			await upgradeCommand(options);
+		} catch (error) {
+			console.error(error instanceof Error ? error.message : 'Command failed');
+			process.exit(1);
+		}
+	});
+
 program.parse();

package/src/init/index.ts

@@ -5,6 +5,10 @@ import prompts from 'prompts';
 import { createStageSecrets } from '../secrets/generator.js';
 import { getKeyPath } from '../secrets/keystore.js';
 import { writeStageSecrets } from '../secrets/storage.js';
+import {
+	generateDbPassword,
+	generateDbUrl,
+} from '../setup/fullstack-secrets.js';
 import type { ComposeServiceName } from '../types.js';
 import { generateAuthAppFiles } from './generators/auth.js';
 import { generateConfigFiles } from './generators/config.js';
@@ -60,29 +64,6 @@ export interface InitOptions {
 	pm?: PackageManager;
 }
 
-/**
- * Generate a secure random password for database users
- */
-function generateDbPassword(): string {
-	return `${Date.now().toString(36)}${Math.random().toString(36).slice(2)}${Math.random().toString(36).slice(2)}`;
-}
-
-/**
- * Generate database URL for an app
- * All apps connect to the same database, but use different users/schemas
- */
-function generateDbUrl(
-	appName: string,
-	password: string,
-	projectName: string,
-	host = 'localhost',
-	port = 5432,
-): string {
-	const userName = appName.replace(/-/g, '_');
-	const dbName = `${projectName.replace(/-/g, '_')}_dev`;
-	return `postgresql://${userName}:${password}@${host}:${port}/${dbName}`;
-}
-
 /**
  * Main init command - scaffolds a new project
  */

package/src/init/utils.ts

@@ -1,5 +1,7 @@
-import { existsSync } from 'node:fs';
-import { join } from 'node:path';
+import { existsSync, readFileSync } from 'node:fs';
+import { dirname, join, parse } from 'node:path';
+import fg from 'fast-glob';
+import { parse as parseYaml } from 'yaml';
 
 export type PackageManager = 'pnpm' | 'npm' | 'yarn' | 'bun';
 
@@ -94,3 +96,102 @@ export function getRunCommand(
 			return `npm run ${script}`;
 	}
 }
+
+const lockfileByPm: Record<PackageManager, string> = {
+	pnpm: 'pnpm-lock.yaml',
+	yarn: 'yarn.lock',
+	npm: 'package-lock.json',
+	bun: 'bun.lockb',
+};
+
+/**
+ * Find the workspace/project root by walking up from cwd.
+ * Checks for PM-specific workspace config, package.json#workspaces,
+ * and lockfiles.
+ */
+export function findWorkspaceRoot(cwd: string, pm: PackageManager): string {
+	let dir = cwd;
+	const root = parse(dir).root;
+	const lockfile = lockfileByPm[pm];
+
+	while (dir !== root) {
+		if (pm === 'pnpm' && existsSync(join(dir, 'pnpm-workspace.yaml'))) {
+			return dir;
+		}
+
+		const pkgJsonPath = join(dir, 'package.json');
+		if (existsSync(pkgJsonPath)) {
+			try {
+				const pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf-8'));
+				if (pkg.workspaces) return dir;
+			} catch {
+				// ignore malformed package.json
+			}
+		}
+
+		if (existsSync(join(dir, lockfile))) {
+			return dir;
+		}
+
+		dir = dirname(dir);
+	}
+
+	return cwd;
+}
+
+/**
+ * Get workspace package glob patterns from pnpm-workspace.yaml
+ * or package.json#workspaces.
+ */
+export function getWorkspaceGlobs(root: string): string[] {
+	const pnpmWorkspacePath = join(root, 'pnpm-workspace.yaml');
+	if (existsSync(pnpmWorkspacePath)) {
+		const content = readFileSync(pnpmWorkspacePath, 'utf-8');
+		const parsed = parseYaml(content);
+		return parsed?.packages ?? [];
+	}
+
+	const rootPkgJsonPath = join(root, 'package.json');
+	if (existsSync(rootPkgJsonPath)) {
+		const pkg = JSON.parse(readFileSync(rootPkgJsonPath, 'utf-8'));
+		if (Array.isArray(pkg.workspaces)) {
+			return pkg.workspaces;
+		}
+		if (pkg.workspaces?.packages) {
+			return pkg.workspaces.packages;
+		}
+	}
+
+	return [];
+}
+
+/**
+ * Find all package.json files across a workspace.
+ * Returns the root package.json plus all workspace member package.json paths.
+ */
+export function findWorkspacePackages(
+	cwd: string,
+	pm: PackageManager,
+): string[] {
+	const workspaceRoot = findWorkspaceRoot(cwd, pm);
+	const results: string[] = [];
+
+	const rootPkgJson = join(workspaceRoot, 'package.json');
+	if (existsSync(rootPkgJson)) {
+		results.push(rootPkgJson);
+	}
+
+	const globs = getWorkspaceGlobs(workspaceRoot);
+
+	for (const glob of globs) {
+		const pattern = `${glob}/package.json`;
+		const matches = fg.sync(pattern, {
+			cwd: workspaceRoot,
+			absolute: true,
+			ignore: ['**/node_modules/**'],
+		});
+		results.push(...matches);
+	}
+
+	return [...new Set(results)];
+}

package/src/init/versions.ts

@@ -30,14 +30,14 @@ export const GEEKMIDAS_VERSIONS = {
 	'@geekmidas/audit': '~1.0.0',
 	'@geekmidas/auth': '~1.0.0',
 	'@geekmidas/cache': '~1.0.0',
-	'@geekmidas/client': '~2.0.0',
+	'@geekmidas/client': '~3.0.0',
 	'@geekmidas/cloud': '~1.0.0',
-	'@geekmidas/constructs': '~1.1.1',
+	'@geekmidas/constructs': '~2.0.0',
 	'@geekmidas/db': '~1.0.0',
 	'@geekmidas/emailkit': '~1.0.0',
 	'@geekmidas/envkit': '~1.0.3',
 	'@geekmidas/errors': '~1.0.0',
-	'@geekmidas/events': '~1.0.0',
+	'@geekmidas/events': '~1.1.0',
 	'@geekmidas/logger': '~1.0.0',
 	'@geekmidas/rate-limit': '~1.0.0',
 	'@geekmidas/schema': '~1.0.0',
@@ -45,7 +45,7 @@ export const GEEKMIDAS_VERSIONS = {
 	'@geekmidas/storage': '~1.0.0',
 	'@geekmidas/studio': '~1.0.0',
 	'@geekmidas/telescope': '~1.0.0',
-	'@geekmidas/testkit': '~1.0.1',
+	'@geekmidas/testkit': '~1.0.2',
 	'@geekmidas/cli': CLI_VERSION,
 } as const;
 

package/src/secrets/__tests__/reconcile.spec.ts

@@ -0,0 +1,123 @@
+import { describe, expect, it } from 'vitest';
+import { generateFullstackCustomSecrets } from '../../setup/fullstack-secrets';
+import type { NormalizedWorkspace } from '../../workspace/types';
+import { reconcileMissingSecrets } from '../reconcile';
+import type { StageSecrets } from '../types';
+
+function createMultiAppWorkspace(
+	overrides?: Partial<NormalizedWorkspace>,
+): NormalizedWorkspace {
+	return {
+		name: 'test-project',
+		root: '/tmp/test',
+		apps: {
+			api: {
+				type: 'backend',
+				path: 'apps/api',
+				port: 3000,
+				dependencies: [],
+				resolvedDeployTarget: 'dokploy',
+			},
+			web: {
+				type: 'frontend',
+				path: 'apps/web',
+				port: 3001,
+				dependencies: ['api'],
+				resolvedDeployTarget: 'dokploy',
+				framework: 'nextjs',
+			},
+		},
+		services: { db: true },
+		deploy: {},
+		shared: {},
+		secrets: {},
+		...overrides,
+	} as NormalizedWorkspace;
+}
+
+function createSecrets(custom: Record<string, string> = {}): StageSecrets {
+	return {
+		stage: 'development',
+		createdAt: '2024-01-01T00:00:00.000Z',
+		updatedAt: '2024-01-01T00:00:00.000Z',
+		services: {},
+		urls: {},
+		custom,
+	};
+}
+
+describe('reconcileMissingSecrets', () => {
+	it('should return null for single-app workspace', () => {
+		const workspace = createMultiAppWorkspace({
+			apps: {
+				api: {
+					type: 'backend',
+					path: 'apps/api',
+					port: 3000,
+					dependencies: [],
+					resolvedDeployTarget: 'dokploy',
+				},
+			},
+		}) as NormalizedWorkspace;
+
+		const result = reconcileMissingSecrets(createSecrets(), workspace);
+		expect(result).toBeNull();
+	});
+
+	it('should return null when no keys are missing', () => {
+		const workspace = createMultiAppWorkspace();
+		const expected = generateFullstackCustomSecrets(workspace);
+
+		const result = reconcileMissingSecrets(createSecrets(expected), workspace);
+		expect(result).toBeNull();
+	});
+
+	it('should backfill missing keys', () => {
+		const workspace = createMultiAppWorkspace();
+		const secrets = createSecrets();
+
+		const result = reconcileMissingSecrets(secrets, workspace);
+
+		expect(result).not.toBeNull();
+		expect(result!.addedKeys.length).toBeGreaterThan(0);
+		for (const key of result!.addedKeys) {
+			expect(result!.secrets.custom[key]).toBeDefined();
+		}
+	});
+
+	it('should never overwrite existing keys', () => {
+		const workspace = createMultiAppWorkspace();
+		const existingValue = 'my-custom-jwt-secret';
+		const secrets = createSecrets({
+			JWT_SECRET: existingValue,
+		});
+
+		const result = reconcileMissingSecrets(secrets, workspace);
+
+		expect(result).not.toBeNull();
+		expect(result!.secrets.custom.JWT_SECRET).toBe(existingValue);
+		expect(result!.addedKeys).not.toContain('JWT_SECRET');
+	});
+
+	it('should update updatedAt timestamp', () => {
+		const workspace = createMultiAppWorkspace();
+		const secrets = createSecrets();
+		const originalUpdatedAt = secrets.updatedAt;
+
+		const result = reconcileMissingSecrets(secrets, workspace);
+
+		expect(result).not.toBeNull();
+		expect(result!.secrets.updatedAt).not.toBe(originalUpdatedAt);
+	});
+
+	it('should backfill frontend URL keys', () => {
+		const workspace = createMultiAppWorkspace();
+		const secrets = createSecrets();
+
+		const result = reconcileMissingSecrets(secrets, workspace);
+
+		expect(result).not.toBeNull();
+		expect(result!.secrets.custom.WEB_URL).toBe('http://localhost:3001');
+		expect(result!.addedKeys).toContain('WEB_URL');
+	});
+});