@geekmidas/cli 1.9.0 → 1.10.0

package/dist/index.cjs

@@ -1,15 +1,16 @@
 #!/usr/bin/env -S npx tsx
 const require_chunk = require('./chunk-CUT6urMc.cjs');
-const require_workspace = require('./workspace-D2ocAlpl.cjs');
-const require_config = require('./config-6JHOwLCx.cjs');
+const require_workspace = require('./workspace-4SP3Gx4Y.cjs');
+const require_config = require('./config-D3ORuiUs.cjs');
 const require_credentials = require('./credentials-C8DWtnMY.cjs');
-const require_openapi = require('./openapi-CnvwSRDU.cjs');
+const require_openapi = require('./openapi-BYxAWwok.cjs');
 const require_storage = require('./storage-CoCNe0Pt.cjs');
 const require_dokploy_api = require('./dokploy-api-DLgvEQlr.cjs');
 const require_encryption = require('./encryption-BE0UOb8j.cjs');
 const require_CachedStateProvider = require('./CachedStateProvider-D73dCqfH.cjs');
-const require_openapi_react_query = require('./openapi-react-query-BeXvk-wa.cjs');
-const require_sync = require('./sync-BOS0jKLn.cjs');
+const require_fullstack_secrets = require('./fullstack-secrets-COWz084x.cjs');
+const require_openapi_react_query = require('./openapi-react-query-DYbBq-WJ.cjs');
+const require_sync = require('./sync-DdkKaHqP.cjs');
 const node_fs = require_chunk.__toESM(require("node:fs"));
 const node_path = require_chunk.__toESM(require("node:path"));
 const commander = require_chunk.__toESM(require("commander"));
@@ -34,7 +35,7 @@ const prompts = require_chunk.__toESM(require("prompts"));
 
 //#region package.json
 var name = "@geekmidas/cli";
-var version = "1.8.0";
+var version = "1.9.1";
 var description = "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs";
 var private$1 = false;
 var type = "module";
@@ -132,7 +133,7 @@ var package_default = {
 
 //#endregion
 //#region src/auth/index.ts
-const logger$13 = console;
+const logger$12 = console;
 /**
 * Validate Dokploy token by making a test API call
 */
@@ -200,36 +201,36 @@ async function prompt$1(message, hidden = false) {
 async function loginCommand(options) {
 	const { service, token: providedToken, endpoint: providedEndpoint } = options;
 	if (service === "dokploy") {
-		logger$13.log("\n🔐 Logging in to Dokploy...\n");
+		logger$12.log("\n🔐 Logging in to Dokploy...\n");
 		let endpoint = providedEndpoint;
 		if (!endpoint) endpoint = await prompt$1("Dokploy URL (e.g., https://dokploy.example.com): ");
 		endpoint = endpoint.replace(/\/$/, "");
 		try {
 			new URL(endpoint);
 		} catch {
-			logger$13.error("Invalid URL format");
+			logger$12.error("Invalid URL format");
 			process.exit(1);
 		}
 		let token = providedToken;
 		if (!token) {
-			logger$13.log(`\nGenerate a token at: ${endpoint}/settings/profile\n`);
+			logger$12.log(`\nGenerate a token at: ${endpoint}/settings/profile\n`);
 			token = await prompt$1("API Token: ", true);
 		}
 		if (!token) {
-			logger$13.error("Token is required");
+			logger$12.error("Token is required");
 			process.exit(1);
 		}
-		logger$13.log("\nValidating credentials...");
+		logger$12.log("\nValidating credentials...");
 		const isValid = await validateDokployToken(endpoint, token);
 		if (!isValid) {
-			logger$13.error("\n✗ Invalid credentials. Please check your token and try again.");
+			logger$12.error("\n✗ Invalid credentials. Please check your token and try again.");
 			process.exit(1);
 		}
 		await require_credentials.storeDokployCredentials(token, endpoint);
-		logger$13.log("\n✓ Successfully logged in to Dokploy!");
-		logger$13.log(`  Endpoint: ${endpoint}`);
-		logger$13.log(`  Credentials stored in: ${require_credentials.getCredentialsPath()}`);
-		logger$13.log("\nYou can now use deploy commands without setting DOKPLOY_API_TOKEN.");
+		logger$12.log("\n✓ Successfully logged in to Dokploy!");
+		logger$12.log(`  Endpoint: ${endpoint}`);
+		logger$12.log(`  Credentials stored in: ${require_credentials.getCredentialsPath()}`);
+		logger$12.log("\nYou can now use deploy commands without setting DOKPLOY_API_TOKEN.");
 	}
 }
 /**
@@ -239,28 +240,28 @@ async function logoutCommand(options) {
 	const { service = "dokploy" } = options;
 	if (service === "all") {
 		const dokployRemoved = await require_credentials.removeDokployCredentials();
-		if (dokployRemoved) logger$13.log("\n✓ Logged out from all services");
-		else logger$13.log("\nNo stored credentials found");
+		if (dokployRemoved) logger$12.log("\n✓ Logged out from all services");
+		else logger$12.log("\nNo stored credentials found");
 		return;
 	}
 	if (service === "dokploy") {
 		const removed = await require_credentials.removeDokployCredentials();
-		if (removed) logger$13.log("\n✓ Logged out from Dokploy");
-		else logger$13.log("\nNo Dokploy credentials found");
+		if (removed) logger$12.log("\n✓ Logged out from Dokploy");
+		else logger$12.log("\nNo Dokploy credentials found");
 	}
 }
 /**
 * Show current login status
 */
 async function whoamiCommand() {
-	logger$13.log("\n📋 Current credentials:\n");
+	logger$12.log("\n📋 Current credentials:\n");
 	const dokploy = await require_credentials.getDokployCredentials();
 	if (dokploy) {
-		logger$13.log("  Dokploy:");
-		logger$13.log(`    Endpoint: ${dokploy.endpoint}`);
-		logger$13.log(`    Token: ${maskToken(dokploy.token)}`);
-	} else logger$13.log("  Dokploy: Not logged in");
-	logger$13.log(`\n  Credentials file: ${require_credentials.getCredentialsPath()}`);
+		logger$12.log("  Dokploy:");
+		logger$12.log(`    Endpoint: ${dokploy.endpoint}`);
+		logger$12.log(`    Token: ${maskToken(dokploy.token)}`);
+	} else logger$12.log("  Dokploy: Not logged in");
+	logger$12.log(`\n  Credentials file: ${require_credentials.getCredentialsPath()}`);
 }
 /**
 * Mask a token for display
@@ -346,7 +347,7 @@ function isEnabled(config) {
 var CronGenerator = class extends require_openapi.ConstructGenerator {
 	async build(context, constructs, outputDir, options) {
 		const provider = options?.provider || "aws-lambda";
-		const logger$14 = console;
+		const logger$13 = console;
 		const cronInfos = [];
 		if (constructs.length === 0 || provider !== "aws-lambda") return cronInfos;
 		const cronsDir = (0, node_path.join)(outputDir, "crons");
@@ -361,7 +362,7 @@ var CronGenerator = class extends require_openapi.ConstructGenerator {
 				memorySize: construct.memorySize,
 				environment: await construct.getEnvironment()
 			});
-			logger$14.log(`Generated cron handler: ${key}`);
+			logger$13.log(`Generated cron handler: ${key}`);
 		}
 		return cronInfos;
 	}
@@ -397,7 +398,7 @@ var FunctionGenerator = class extends require_openapi.ConstructGenerator {
 	}
 	async build(context, constructs, outputDir, options) {
 		const provider = options?.provider || "aws-lambda";
-		const logger$14 = console;
+		const logger$13 = console;
 		const functionInfos = [];
 		if (constructs.length === 0 || provider !== "aws-lambda") return functionInfos;
 		const functionsDir = (0, node_path.join)(outputDir, "functions");
@@ -411,7 +412,7 @@ var FunctionGenerator = class extends require_openapi.ConstructGenerator {
 				memorySize: construct.memorySize,
 				environment: await construct.getEnvironment()
 			});
-			logger$14.log(`Generated function handler: ${key}`);
+			logger$13.log(`Generated function handler: ${key}`);
 		}
 		return functionInfos;
 	}
@@ -444,11 +445,11 @@ var SubscriberGenerator = class extends require_openapi.ConstructGenerator {
 	}
 	async build(context, constructs, outputDir, options) {
 		const provider = options?.provider || "aws-lambda";
-		const logger$14 = console;
+		const logger$13 = console;
 		const subscriberInfos = [];
 		if (provider === "server") {
 			await this.generateServerSubscribersFile(outputDir, constructs);
-			logger$14.log(`Generated server subscribers file with ${constructs.length} subscribers (polling mode)`);
+			logger$13.log(`Generated server subscribers file with ${constructs.length} subscribers (polling mode)`);
 			return subscriberInfos;
 		}
 		if (constructs.length === 0) return subscriberInfos;
@@ -465,7 +466,7 @@ var SubscriberGenerator = class extends require_openapi.ConstructGenerator {
 				memorySize: construct.memorySize,
 				environment: await construct.getEnvironment()
 			});
-			logger$14.log(`Generated subscriber handler: ${key}`);
+			logger$13.log(`Generated subscriber handler: ${key}`);
 		}
 		return subscriberInfos;
 	}
@@ -630,98 +631,6 @@ export async function setupSubscribers(
 	}
 };
 
-//#endregion
-//#region src/workspace/client-generator.ts
-const logger$12 = console;
-/**
-* Get frontend apps that depend on a backend app.
-*/
-function getDependentFrontends(workspace, backendAppName) {
-	const dependentApps = [];
-	for (const [appName, app] of Object.entries(workspace.apps)) if (app.type === "frontend" && app.dependencies.includes(backendAppName)) dependentApps.push(appName);
-	return dependentApps;
-}
-/**
-* Get the path to a backend's OpenAPI spec file.
-*/
-function getBackendOpenApiPath(workspace, backendAppName) {
-	const app = workspace.apps[backendAppName];
-	if (!app || app.type !== "backend") return null;
-	return (0, node_path.join)(workspace.root, app.path, ".gkm", "openapi.ts");
-}
-/**
-* Count endpoints in an OpenAPI spec content.
-*/
-function countEndpoints(content) {
-	const endpointMatches = content.match(/'(GET|POST|PUT|PATCH|DELETE)\s+\/[^']+'/g);
-	return endpointMatches?.length ?? 0;
-}
-/**
-* Copy the OpenAPI client from a backend to all dependent frontend apps.
-* Called when the backend's .gkm/openapi.ts file changes.
-*/
-async function copyClientToFrontends(workspace, backendAppName, options = {}) {
-	const log = options.silent ? () => {} : logger$12.log.bind(logger$12);
-	const results = [];
-	const backendApp = workspace.apps[backendAppName];
-	if (!backendApp || backendApp.type !== "backend") return results;
-	const openApiPath = (0, node_path.join)(workspace.root, backendApp.path, ".gkm", "openapi.ts");
-	if (!(0, node_fs.existsSync)(openApiPath)) return results;
-	const content = await (0, node_fs_promises.readFile)(openApiPath, "utf-8");
-	const endpointCount = countEndpoints(content);
-	const dependentFrontends = getDependentFrontends(workspace, backendAppName);
-	for (const frontendAppName of dependentFrontends) {
-		const frontendApp = workspace.apps[frontendAppName];
-		if (!frontendApp || frontendApp.type !== "frontend") continue;
-		const clientOutput = frontendApp.client?.output;
-		if (!clientOutput) continue;
-		const result = {
-			frontendApp: frontendAppName,
-			backendApp: backendAppName,
-			outputPath: "",
-			endpointCount,
-			success: false
-		};
-		try {
-			const frontendPath = (0, node_path.join)(workspace.root, frontendApp.path);
-			const outputDir = (0, node_path.join)(frontendPath, clientOutput);
-			await (0, node_fs_promises.mkdir)(outputDir, { recursive: true });
-			const fileName = `${backendAppName}.ts`;
-			const outputPath = (0, node_path.join)(outputDir, fileName);
-			const backendRelPath = (0, node_path.relative)((0, node_path.dirname)(outputPath), (0, node_path.join)(workspace.root, backendApp.path));
-			const clientContent = `/**
- * Auto-generated API client for ${backendAppName}
- * Generated from: ${backendRelPath}
- *
- * DO NOT EDIT - This file is automatically regenerated when backend schemas change.
- */
-
-${content}
-`;
-			await (0, node_fs_promises.writeFile)(outputPath, clientContent);
-			result.outputPath = outputPath;
-			result.success = true;
-			log(`📦 Copied client to ${frontendAppName} from ${backendAppName} (${endpointCount} endpoints)`);
-		} catch (error) {
-			result.error = error.message;
-		}
-		results.push(result);
-	}
-	return results;
-}
-/**
-* Copy clients from all backends to their dependent frontends.
-* Useful for initial setup or force refresh.
-*/
-async function copyAllClients(workspace, options = {}) {
-	const allResults = [];
-	for (const [appName, app] of Object.entries(workspace.apps)) if (app.type === "backend" && app.routes) {
-		const results = await copyClientToFrontends(workspace, appName, options);
-		allResults.push(...results);
-	}
-	return allResults;
-}
-
 //#endregion
 //#region src/dev/index.ts
 const logger$11 = console;
@@ -1374,7 +1283,7 @@ async function workspaceDevCommand(workspace, options) {
 		logger$11.log("✅ Frontend apps validated");
 	}
 	if (frontendApps.length > 0 && backendApps.length > 0) {
-		const clientResults = await copyAllClients(workspace);
+		const clientResults = await require_openapi.copyAllClients(workspace);
 		const copiedCount = clientResults.filter((r) => r.success).length;
 		if (copiedCount > 0) logger$11.log(`\n📦 Copied ${copiedCount} API client(s)`);
 	}
@@ -1442,7 +1351,7 @@ async function workspaceDevCommand(workspace, options) {
 	if (frontendApps.length > 0 && backendApps.length > 0) {
 		const openApiPaths = [];
 		for (const [appName] of backendApps) {
-			const openApiPath = getBackendOpenApiPath(workspace, appName);
+			const openApiPath = require_openapi.getBackendOpenApiPath(workspace, appName);
 			if (openApiPath) openApiPaths.push({
 				path: openApiPath,
 				appName
@@ -1464,7 +1373,7 @@ async function workspaceDevCommand(workspace, options) {
 					if (!backendAppName) return;
 					logger$11.log(`\n🔄 OpenAPI spec changed for ${backendAppName}`);
 					try {
-						const results = await copyClientToFrontends(workspace, backendAppName, { silent: true });
+						const results = await require_openapi.copyClientToFrontends(workspace, backendAppName, { silent: true });
 						for (const result of results) if (result.success) logger$11.log(`   📦 Copied client to ${result.frontendApp} (${result.endpointCount} endpoints)`);
 						else if (result.error) logger$11.error(`   ❌ Failed to copy client to ${result.frontendApp}: ${result.error}`);
 					} catch (error) {
@@ -1740,6 +1649,66 @@ var EntryRunner = class {
 		}
 	}
 };
+/**
+* Generate the content of the dev server entry file (server.ts).
+* Uses dynamic import for createApp so Credentials are populated
+* before any app modules evaluate.
+* @internal Exported for testing
+*/
+function generateServerEntryContent(options) {
+	const { secretsJsonPath, runtime = "node", enableOpenApi = false, appImportPath = "./app.js" } = options;
+	const credentialsInjection = secretsJsonPath ? `import { Credentials } from '@geekmidas/envkit/credentials';
+import { existsSync, readFileSync } from 'node:fs';
+
+// Inject dev secrets into Credentials (must happen before app import)
+const secretsPath = '${secretsJsonPath}';
+if (existsSync(secretsPath)) {
+  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
+}
+
+` : "";
+	const serveCode = runtime === "bun" ? `Bun.serve({
+      port,
+      fetch: app.fetch,
+    });` : `const { serve } = await import('@hono/node-server');
+    const server = serve({
+      fetch: app.fetch,
+      port,
+    });
+    // Inject WebSocket support if available
+    const injectWs = (app as any).__injectWebSocket;
+    if (injectWs) {
+      injectWs(server);
+      console.log('🔌 Telescope real-time updates enabled');
+    }`;
+	return `#!/usr/bin/env node
+/**
+ * Development server entry point
+ * This file is auto-generated by 'gkm dev'
+ */
+${credentialsInjection}
+const port = process.argv.includes('--port')
+  ? Number.parseInt(process.argv[process.argv.indexOf('--port') + 1])
+  : 3000;
+
+// Dynamic import so Credentials are populated before env.ts evaluates
+const { createApp } = await import('${appImportPath}');
+
+// createApp is async to support optional WebSocket setup
+const { app, start } = await createApp(undefined, ${enableOpenApi});
+
+// Start the server
+start({
+  port,
+  serve: async (app, port) => {
+    ${serveCode}
+  },
+}).catch((error) => {
+  console.error('Failed to start server:', error);
+  process.exit(1);
+});
+`;
+}
 var DevServer = class {
 	serverProcess = null;
 	isRunning = false;
@@ -1833,58 +1802,12 @@ var DevServer = class {
 	}
 	async createServerEntry() {
 		const { writeFile: fsWriteFile } = await import("node:fs/promises");
-		const { relative: relative$6, dirname: dirname$11 } = await import("node:path");
 		const serverPath = (0, node_path.join)(this.appRoot, ".gkm", this.provider, "server.ts");
-		const relativeAppPath = relative$6(dirname$11(serverPath), (0, node_path.join)(dirname$11(serverPath), "app.js"));
-		const credentialsInjection = this.secretsJsonPath ? `import { Credentials } from '@geekmidas/envkit/credentials';
-import { existsSync, readFileSync } from 'node:fs';
-
-// Inject dev secrets into Credentials (must happen before app import)
-const secretsPath = '${this.secretsJsonPath}';
-if (existsSync(secretsPath)) {
-  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
-}
-
-` : "";
-		const serveCode = this.runtime === "bun" ? `Bun.serve({
-      port,
-      fetch: app.fetch,
-    });` : `const { serve } = await import('@hono/node-server');
-    const server = serve({
-      fetch: app.fetch,
-      port,
-    });
-    // Inject WebSocket support if available
-    const injectWs = (app as any).__injectWebSocket;
-    if (injectWs) {
-      injectWs(server);
-      console.log('🔌 Telescope real-time updates enabled');
-    }`;
-		const content = `#!/usr/bin/env node
-/**
- * Development server entry point
- * This file is auto-generated by 'gkm dev'
- */
-${credentialsInjection}import { createApp } from './${relativeAppPath.startsWith(".") ? relativeAppPath : `./${relativeAppPath}`}';
-
-const port = process.argv.includes('--port')
-  ? Number.parseInt(process.argv[process.argv.indexOf('--port') + 1])
-  : 3000;
-
-// createApp is async to support optional WebSocket setup
-const { app, start } = await createApp(undefined, ${this.enableOpenApi});
-
-// Start the server
-start({
-  port,
-  serve: async (app, port) => {
-    ${serveCode}
-  },
-}).catch((error) => {
-  console.error('Failed to start server:', error);
-  process.exit(1);
-});
-`;
+		const content = generateServerEntryContent({
+			secretsJsonPath: this.secretsJsonPath,
+			runtime: this.runtime,
+			enableOpenApi: this.enableOpenApi
+		});
 		await fsWriteFile(serverPath, content);
 	}
 };
@@ -1967,22 +1890,58 @@ async function execCommand(commandArgs, options = {}) {
 //#endregion
 //#region src/build/manifests.ts
 const logger$10 = console;
+function isPartitioned(field) {
+	return !Array.isArray(field);
+}
+/**
+* Serialize a manifest field to a TypeScript string.
+* Flat arrays serialize as JSON arrays, partitioned fields as objects of arrays.
+*/
+function serializeField(field, indent = 2) {
+	if (Array.isArray(field)) return JSON.stringify(field, null, indent);
+	const entries = Object.entries(field).map(([key, value]) => `    ${JSON.stringify(key)}: ${JSON.stringify(value, null, indent)}`).join(",\n");
+	return `{\n${entries},\n  }`;
+}
+/**
+* Count total items across a manifest field (flat or partitioned).
+*/
+function countItems(field) {
+	if (Array.isArray(field)) return field.length;
+	return Object.values(field).reduce((sum, arr) => sum + arr.length, 0);
+}
+/**
+* Generate derived types for a construct field.
+* @param fieldName - The field name in the manifest (e.g., 'routes')
+* @param typeName - The exported type name (e.g., 'Route')
+* @param partitioned - Whether this field is partitioned
+*/
+function generateDerivedType(fieldName, typeName, partitioned) {
+	if (partitioned) {
+		const partitionTypeName = `${typeName}Partition`;
+		return [`export type ${partitionTypeName} = keyof typeof manifest.${fieldName};`, `export type ${typeName}<P extends ${partitionTypeName} = ${partitionTypeName}> = (typeof manifest.${fieldName})[P][number];`].join("\n");
+	}
+	return `export type ${typeName} = (typeof manifest.${fieldName})[number];`;
+}
 async function generateAwsManifest(outputDir, routes, functions, crons, subscribers) {
 	const manifestDir = (0, node_path.join)(outputDir, "manifest");
 	await (0, node_fs_promises.mkdir)(manifestDir, { recursive: true });
-	const awsRoutes = routes.filter((r) => r.method !== "ALL");
+	const awsRoutes = filterAllRoutes(routes);
+	const routesPartitioned = isPartitioned(awsRoutes);
+	const functionsPartitioned = isPartitioned(functions);
+	const cronsPartitioned = isPartitioned(crons);
+	const subscribersPartitioned = isPartitioned(subscribers);
 	const content = `export const manifest = {
-  routes: ${JSON.stringify(awsRoutes, null, 2)},
-  functions: ${JSON.stringify(functions, null, 2)},
-  crons: ${JSON.stringify(crons, null, 2)},
-  subscribers: ${JSON.stringify(subscribers, null, 2)},
+  routes: ${serializeField(awsRoutes)},
+  functions: ${serializeField(functions)},
+  crons: ${serializeField(crons)},
+  subscribers: ${serializeField(subscribers)},
 } as const;
 
 // Derived types
-export type Route = (typeof manifest.routes)[number];
-export type Function = (typeof manifest.functions)[number];
-export type Cron = (typeof manifest.crons)[number];
-export type Subscriber = (typeof manifest.subscribers)[number];
+${generateDerivedType("routes", "Route", routesPartitioned)}
+${generateDerivedType("functions", "Function", functionsPartitioned)}
+${generateDerivedType("crons", "Cron", cronsPartitioned)}
+${generateDerivedType("subscribers", "Subscriber", subscribersPartitioned)}
 
 // Useful union types
 export type Authorizer = Route['authorizer'];
@@ -1991,30 +1950,25 @@ export type RoutePath = Route['path'];
 `;
 	const manifestPath = (0, node_path.join)(manifestDir, "aws.ts");
 	await (0, node_fs_promises.writeFile)(manifestPath, content);
-	logger$10.log(`Generated AWS manifest with ${awsRoutes.length} routes, ${functions.length} functions, ${crons.length} crons, ${subscribers.length} subscribers`);
+	logger$10.log(`Generated AWS manifest with ${countItems(awsRoutes)} routes, ${countItems(functions)} functions, ${countItems(crons)} crons, ${countItems(subscribers)} subscribers`);
 	logger$10.log(`Manifest: ${(0, node_path.relative)(process.cwd(), manifestPath)}`);
 }
 async function generateServerManifest(outputDir, appInfo, routes, subscribers) {
 	const manifestDir = (0, node_path.join)(outputDir, "manifest");
 	await (0, node_fs_promises.mkdir)(manifestDir, { recursive: true });
-	const serverRoutes = routes.filter((r) => r.method !== "ALL").map((r) => ({
-		path: r.path,
-		method: r.method,
-		authorizer: r.authorizer
-	}));
-	const serverSubscribers = subscribers.map((s) => ({
-		name: s.name,
-		subscribedEvents: s.subscribedEvents
-	}));
+	const serverRoutes = mapRouteMetadata(filterAllRoutes(routes));
+	const serverSubscribers = mapSubscriberMetadata(subscribers);
+	const routesPartitioned = isPartitioned(serverRoutes);
+	const subscribersPartitioned = isPartitioned(serverSubscribers);
 	const content = `export const manifest = {
   app: ${JSON.stringify(appInfo, null, 2)},
-  routes: ${JSON.stringify(serverRoutes, null, 2)},
-  subscribers: ${JSON.stringify(serverSubscribers, null, 2)},
+  routes: ${serializeField(serverRoutes)},
+  subscribers: ${serializeField(serverSubscribers)},
 } as const;
 
 // Derived types
-export type Route = (typeof manifest.routes)[number];
-export type Subscriber = (typeof manifest.subscribers)[number];
+${generateDerivedType("routes", "Route", routesPartitioned)}
+${generateDerivedType("subscribers", "Subscriber", subscribersPartitioned)}
 
 // Useful union types
 export type Authorizer = Route['authorizer'];
@@ -2023,9 +1977,70 @@ export type RoutePath = Route['path'];
 `;
 	const manifestPath = (0, node_path.join)(manifestDir, "server.ts");
 	await (0, node_fs_promises.writeFile)(manifestPath, content);
-	logger$10.log(`Generated server manifest with ${serverRoutes.length} routes, ${serverSubscribers.length} subscribers`);
+	logger$10.log(`Generated server manifest with ${countItems(serverRoutes)} routes, ${countItems(serverSubscribers)} subscribers`);
 	logger$10.log(`Manifest: ${(0, node_path.relative)(process.cwd(), manifestPath)}`);
 }
+/**
+* Filter out 'ALL' method routes from a manifest field (flat or partitioned).
+*/
+function filterAllRoutes(routes) {
+	if (Array.isArray(routes)) return routes.filter((r) => r.method !== "ALL");
+	const result = {};
+	for (const [partition, partitionRoutes] of Object.entries(routes)) result[partition] = partitionRoutes.filter((r) => r.method !== "ALL");
+	return result;
+}
+/**
+* Map routes to server metadata (path, method, authorizer only).
+*/
+function mapRouteMetadata(routes) {
+	const mapFn = (r) => ({
+		path: r.path,
+		method: r.method,
+		authorizer: r.authorizer
+	});
+	if (Array.isArray(routes)) return routes.map(mapFn);
+	const result = {};
+	for (const [partition, partitionRoutes] of Object.entries(routes)) result[partition] = partitionRoutes.map(mapFn);
+	return result;
+}
+/**
+* Map subscribers to server metadata (name, subscribedEvents only).
+*/
+function mapSubscriberMetadata(subscribers) {
+	const mapFn = (s) => ({
+		name: s.name,
+		subscribedEvents: s.subscribedEvents
+	});
+	if (Array.isArray(subscribers)) return subscribers.map(mapFn);
+	const result = {};
+	for (const [partition, partitionSubs] of Object.entries(subscribers)) result[partition] = partitionSubs.map(mapFn);
+	return result;
+}
+
+//#endregion
+//#region src/build/partitions.ts
+const DEFAULT_PARTITION = "default";
+/**
+* Check if any construct across the given arrays has a non-undefined partition.
+* When true, the manifest should use the partitioned shape for that construct type.
+*/
+function hasPartitions(constructs) {
+	return constructs.some((c) => c.partition !== void 0);
+}
+/**
+* Group an info array by partition, using the partition values from
+* the corresponding construct array. Both arrays must be the same length
+* and in the same order.
+*/
+function groupInfosByPartition(infos, constructs) {
+	const groups = {};
+	for (let i = 0; i < infos.length; i++) {
+		const partition = constructs[i]?.partition ?? DEFAULT_PARTITION;
+		if (!groups[partition]) groups[partition] = [];
+		groups[partition].push(infos[i]);
+	}
+	return groups;
+}
 
 //#endregion
 //#region src/build/index.ts
@@ -2047,10 +2062,10 @@ async function buildCommand(options) {
 	const production = normalizeProductionConfig(options.production ?? false, productionConfigFromGkm);
 	if (production) logger$9.log(`🏭 Building for PRODUCTION`);
 	logger$9.log(`Building with providers: ${resolved.providers.join(", ")}`);
-	logger$9.log(`Loading routes from: ${config.routes}`);
-	if (config.functions) logger$9.log(`Loading functions from: ${config.functions}`);
-	if (config.crons) logger$9.log(`Loading crons from: ${config.crons}`);
-	if (config.subscribers) logger$9.log(`Loading subscribers from: ${config.subscribers}`);
+	logger$9.log(`Loading routes from: ${formatRoutes(config.routes)}`);
+	if (config.functions) logger$9.log(`Loading functions from: ${formatRoutes(config.functions)}`);
+	if (config.crons) logger$9.log(`Loading crons from: ${formatRoutes(config.crons)}`);
+	if (config.subscribers) logger$9.log(`Loading subscribers from: ${formatRoutes(config.subscribers)}`);
 	logger$9.log(`Using envParser: ${config.envParser}`);
 	const { path: envParserPath, importPattern: envParserImportPattern } = require_config.parseModuleConfig(config.envParser, "envParser");
 	const { path: loggerPath, importPattern: loggerImportPattern } = require_config.parseModuleConfig(config.logger, "logger");
@@ -2122,6 +2137,10 @@ async function buildForProvider(provider, context, rootOutputDir, endpointGenera
 		subscriberGenerator.build(context, subscribers, outputDir, { provider })
 	]);
 	logger$9.log(`Generated ${routes.length} routes, ${functionInfos.length} functions, ${cronInfos.length} crons, ${subscriberInfos.length} subscribers for ${provider}`);
+	const manifestRoutes = assembleManifestField(routes, endpoints);
+	const manifestFunctions = assembleManifestField(functionInfos, functions);
+	const manifestCrons = assembleManifestField(cronInfos, crons);
+	const manifestSubscribers = assembleManifestField(subscriberInfos, subscribers);
 	if (provider === "server") {
 		const routeMetadata = await Promise.all(endpoints.map(async ({ construct }) => ({
 			path: construct._path,
@@ -2129,15 +2148,16 @@ async function buildForProvider(provider, context, rootOutputDir, endpointGenera
 			handler: "",
 			authorizer: construct.authorizer?.name ?? "none"
 		})));
+		const serverRouteField = assembleManifestField(routeMetadata, endpoints);
 		const appInfo = {
 			handler: (0, node_path.relative)(process.cwd(), (0, node_path.join)(outputDir, "app.ts")),
 			endpoints: (0, node_path.relative)(process.cwd(), (0, node_path.join)(outputDir, "endpoints.ts"))
 		};
-		await generateServerManifest(rootOutputDir, appInfo, routeMetadata, subscriberInfos);
+		await generateServerManifest(rootOutputDir, appInfo, serverRouteField, manifestSubscribers);
 		let masterKey;
 		if (context.production?.bundle && !skipBundle) {
 			logger$9.log(`\n📦 Bundling production server...`);
-			const { bundleServer } = await Promise.resolve().then(() => require("./bundler-CuMIfXw5.cjs"));
+			const { bundleServer } = await Promise.resolve().then(() => require("./bundler-NpfYPBUo.cjs"));
 			const allConstructs = [
 				...endpoints.map((e) => e.construct),
 				...functions.map((f) => f.construct),
@@ -2163,7 +2183,7 @@ async function buildForProvider(provider, context, rootOutputDir, endpointGenera
 			}
 		}
 		return { masterKey };
-	} else await generateAwsManifest(rootOutputDir, routes, functionInfos, cronInfos, subscriberInfos);
+	} else await generateAwsManifest(rootOutputDir, manifestRoutes, manifestFunctions, manifestCrons, manifestSubscribers);
 	return {};
 }
 /**
@@ -2261,6 +2281,25 @@ function getAppOutputPath(workspace, _appName, app) {
 	if (app.type === "frontend") return (0, node_path.join)(appPath, ".next");
 	else return (0, node_path.join)(appPath, ".gkm");
 }
+/**
+* Format routes for logging, handling PartitionedRoutes.
+*/
+function formatRoutes(routes) {
+	if (require_openapi.isPartitionedRoutes(routes)) {
+		const paths = Array.isArray(routes.paths) ? routes.paths.join(", ") : routes.paths;
+		return `${paths} (partitioned)`;
+	}
+	return Array.isArray(routes) ? routes.join(", ") : routes;
+}
+/**
+* Assemble a ManifestField from build infos and constructs.
+* If any construct has a partition, returns a Record<string, T[]>.
+* Otherwise, returns a flat T[].
+*/
+function assembleManifestField(infos, constructs) {
+	if (!hasPartitions(constructs)) return infos;
+	return groupInfosByPartition(infos, constructs);
+}
 
 //#endregion
 //#region src/deploy/state.ts
@@ -2416,11 +2455,11 @@ async function createDnsProvider(options) {
 	if (isDnsProvider(config.provider)) return config.provider;
 	const provider = config.provider;
 	if (provider === "hostinger") {
-		const { HostingerProvider } = await Promise.resolve().then(() => require("./HostingerProvider-CEsQbmpY.cjs"));
+		const { HostingerProvider } = await Promise.resolve().then(() => require("./HostingerProvider-5KYmwoK2.cjs"));
 		return new HostingerProvider();
 	}
 	if (provider === "route53") {
-		const { Route53Provider } = await Promise.resolve().then(() => require("./Route53Provider-BqXeHzuc.cjs"));
+		const { Route53Provider } = await Promise.resolve().then(() => require("./Route53Provider-owQQ4pn6.cjs"));
 		const route53Config = config;
 		return new Route53Provider({
 			region: route53Config.region,
@@ -4668,19 +4707,19 @@ function isStateProvider(value) {
 async function createStateProvider(options) {
 	const { config, workspaceRoot, workspaceName } = options;
 	if (!config) {
-		const { LocalStateProvider } = await Promise.resolve().then(() => require("./LocalStateProvider-Roi202l7.cjs"));
+		const { LocalStateProvider } = await Promise.resolve().then(() => require("./LocalStateProvider-CLifRC0Y.cjs"));
 		return new LocalStateProvider(workspaceRoot);
 	}
 	if (isStateProvider(config.provider)) return config.provider;
 	const provider = config.provider;
 	if (provider === "local") {
-		const { LocalStateProvider } = await Promise.resolve().then(() => require("./LocalStateProvider-Roi202l7.cjs"));
+		const { LocalStateProvider } = await Promise.resolve().then(() => require("./LocalStateProvider-CLifRC0Y.cjs"));
 		return new LocalStateProvider(workspaceRoot);
 	}
 	if (provider === "ssm") {
 		if (!workspaceName) throw new Error("Workspace name is required for SSM state provider. Set \"name\" in gkm.config.ts.");
-		const { LocalStateProvider } = await Promise.resolve().then(() => require("./LocalStateProvider-Roi202l7.cjs"));
-		const { SSMStateProvider } = await Promise.resolve().then(() => require("./SSMStateProvider-BReQA5re.cjs"));
+		const { LocalStateProvider } = await Promise.resolve().then(() => require("./LocalStateProvider-CLifRC0Y.cjs"));
+		const { SSMStateProvider } = await Promise.resolve().then(() => require("./SSMStateProvider-CT8tjl9o.cjs"));
 		const { CachedStateProvider: CachedStateProvider$1 } = await Promise.resolve().then(() => require("./CachedStateProvider-D_uISMmJ.cjs"));
 		const ssmConfig = config;
 		const local = new LocalStateProvider(workspaceRoot);
@@ -4875,7 +4914,7 @@ async function sniffAppEnvironment(app, appName, workspacePath, options = {}) {
 		};
 	}
 	if (app.routes) {
-		const result = await sniffRouteFiles(app.routes, app.path, workspacePath);
+		const result = await sniffRouteFiles(require_openapi.normalizeRoutes(app.routes), app.path, workspacePath);
 		if (logWarnings && result.error) console.warn(`[sniffer] ${appName}: Route sniffing threw error (env vars still captured): ${result.error.message}`);
 		return {
 			appName,
@@ -5355,8 +5394,8 @@ async function provisionServices(api, projectId, environmentId, projectName, ser
 				else logger$3.log(`   ⚠ Cached ID invalid, will create new`);
 			}
 			if (!redis) {
-				const { randomBytes: randomBytes$3 } = await import("node:crypto");
-				const databasePassword = randomBytes$3(16).toString("hex");
+				const { randomBytes: randomBytes$2 } = await import("node:crypto");
+				const databasePassword = randomBytes$2(16).toString("hex");
 				const result = await api.findOrCreateRedis(redisName, projectId, environmentId, { databasePassword });
 				redis = result.redis;
 				created = result.created;
@@ -5780,7 +5819,7 @@ async function workspaceDeployCommand(workspace, options) {
 	}
 	if (workspace.deploy?.backups && provisionedPostgres) {
 		logger$3.log("\n💾 Provisioning backup destination...");
-		const { provisionBackupDestination } = await Promise.resolve().then(() => require("./backup-provisioner-C8VK63I-.cjs"));
+		const { provisionBackupDestination } = await Promise.resolve().then(() => require("./backup-provisioner-C4noe75O.cjs"));
 		const backupState = await provisionBackupDestination({
 			api,
 			projectId: project.projectId,
@@ -6405,200 +6444,6 @@ function printStateDetails(state) {
 	}
 }
 
-//#endregion
-//#region src/secrets/generator.ts
-/**
-* Generate a secure random password using URL-safe base64 characters.
-* @param length Password length (default: 32)
-*/
-function generateSecurePassword(length = 32) {
-	return (0, node_crypto.randomBytes)(Math.ceil(length * 3 / 4)).toString("base64url").slice(0, length);
-}
-/** Default service configurations */
-const SERVICE_DEFAULTS = {
-	postgres: {
-		host: "postgres",
-		port: 5432,
-		username: "app",
-		database: "app"
-	},
-	redis: {
-		host: "redis",
-		port: 6379,
-		username: "default"
-	},
-	rabbitmq: {
-		host: "rabbitmq",
-		port: 5672,
-		username: "app",
-		vhost: "/"
-	}
-};
-/**
-* Generate credentials for a specific service.
-*/
-function generateServiceCredentials(service) {
-	const defaults = SERVICE_DEFAULTS[service];
-	return {
-		...defaults,
-		password: generateSecurePassword()
-	};
-}
-/**
-* Generate credentials for multiple services.
-*/
-function generateServicesCredentials(services) {
-	const result = {};
-	for (const service of services) result[service] = generateServiceCredentials(service);
-	return result;
-}
-/**
-* Generate connection URL for PostgreSQL.
-*/
-function generatePostgresUrl(creds) {
-	const { username, password, host, port, database } = creds;
-	return `postgresql://${username}:${encodeURIComponent(password)}@${host}:${port}/${database}`;
-}
-/**
-* Generate connection URL for Redis.
-*/
-function generateRedisUrl(creds) {
-	const { password, host, port } = creds;
-	return `redis://:${encodeURIComponent(password)}@${host}:${port}`;
-}
-/**
-* Generate connection URL for RabbitMQ.
-*/
-function generateRabbitmqUrl(creds) {
-	const { username, password, host, port, vhost } = creds;
-	const encodedVhost = encodeURIComponent(vhost ?? "/");
-	return `amqp://${username}:${encodeURIComponent(password)}@${host}:${port}/${encodedVhost}`;
-}
-/**
-* Generate connection URLs from service credentials.
-*/
-function generateConnectionUrls(services) {
-	const urls = {};
-	if (services.postgres) urls.DATABASE_URL = generatePostgresUrl(services.postgres);
-	if (services.redis) urls.REDIS_URL = generateRedisUrl(services.redis);
-	if (services.rabbitmq) urls.RABBITMQ_URL = generateRabbitmqUrl(services.rabbitmq);
-	return urls;
-}
-/**
-* Create a new StageSecrets object with generated credentials.
-*/
-function createStageSecrets(stage, services) {
-	const now = (/* @__PURE__ */ new Date()).toISOString();
-	const serviceCredentials = generateServicesCredentials(services);
-	const urls = generateConnectionUrls(serviceCredentials);
-	return {
-		stage,
-		createdAt: now,
-		updatedAt: now,
-		services: serviceCredentials,
-		urls,
-		custom: {}
-	};
-}
-/**
-* Rotate password for a specific service.
-*/
-function rotateServicePassword(secrets, service) {
-	const currentCreds = secrets.services[service];
-	if (!currentCreds) throw new Error(`Service "${service}" not configured in secrets`);
-	const newCreds = {
-		...currentCreds,
-		password: generateSecurePassword()
-	};
-	const newServices = {
-		...secrets.services,
-		[service]: newCreds
-	};
-	return {
-		...secrets,
-		updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
-		services: newServices,
-		urls: generateConnectionUrls(newServices)
-	};
-}
-
-//#endregion
-//#region src/setup/fullstack-secrets.ts
-/**
-* Generate a secure random password for database users.
-* Uses a combination of timestamp and random bytes for uniqueness.
-*/
-function generateDbPassword() {
-	return `${Date.now().toString(36)}${Math.random().toString(36).slice(2)}${Math.random().toString(36).slice(2)}`;
-}
-/**
-* Generate database URL for an app.
-* All apps connect to the same database, but use different users/schemas.
-*/
-function generateDbUrl(appName, password, projectName, host = "localhost", port = 5432) {
-	const userName = appName.replace(/-/g, "_");
-	const dbName = `${projectName.replace(/-/g, "_")}_dev`;
-	return `postgresql://${userName}:${password}@${host}:${port}/${dbName}`;
-}
-/**
-* Generate fullstack-aware custom secrets for a workspace.
-*
-* Generates:
-* - Common secrets: NODE_ENV, PORT, LOG_LEVEL, JWT_SECRET
-* - Per-app database passwords and URLs for backend apps with db service
-* - Better-auth secrets for apps using the better-auth framework
-*/
-function generateFullstackCustomSecrets(workspace) {
-	const hasDb = !!workspace.services.db;
-	const customs = {
-		NODE_ENV: "development",
-		PORT: "3000",
-		LOG_LEVEL: "debug",
-		JWT_SECRET: `dev-${Date.now()}-${Math.random().toString(36).slice(2)}`
-	};
-	if (!hasDb) return customs;
-	const frontendPorts = [];
-	for (const [appName, appConfig] of Object.entries(workspace.apps)) {
-		if (appConfig.type === "frontend") {
-			frontendPorts.push(appConfig.port);
-			continue;
-		}
-		const password = generateDbPassword();
-		const upperName = appName.toUpperCase();
-		customs[`${upperName}_DATABASE_URL`] = generateDbUrl(appName, password, workspace.name);
-		customs[`${upperName}_DB_PASSWORD`] = password;
-		if (appConfig.framework === "better-auth") {
-			customs.AUTH_PORT = String(appConfig.port);
-			customs.AUTH_URL = `http://localhost:${appConfig.port}`;
-			customs.BETTER_AUTH_SECRET = `better-auth-${Date.now()}-${generateSecurePassword(16)}`;
-			customs.BETTER_AUTH_URL = `http://localhost:${appConfig.port}`;
-		}
-	}
-	if (customs.BETTER_AUTH_SECRET) {
-		const allPorts = Object.values(workspace.apps).map((a) => a.port);
-		customs.BETTER_AUTH_TRUSTED_ORIGINS = allPorts.map((p) => `http://localhost:${p}`).join(",");
-	}
-	return customs;
-}
-/**
-* Extract *_DB_PASSWORD keys from secrets and write docker/.env.
-*
-* The docker/.env file contains database passwords that the PostgreSQL
-* init script reads to create per-app database users.
-*/
-async function writeDockerEnvFromSecrets(secrets, workspaceRoot) {
-	const dbPasswordEntries = Object.entries(secrets.custom).filter(([key]) => key.endsWith("_DB_PASSWORD"));
-	if (dbPasswordEntries.length === 0) return;
-	const envContent = `# Auto-generated docker environment file
-# Contains database passwords for docker-compose postgres init
-# This file is gitignored - do not commit to version control
-${dbPasswordEntries.map(([key, value]) => `${key}=${value}`).join("\n")}
-`;
-	const envPath = (0, node_path.join)(workspaceRoot, "docker", ".env");
-	await (0, node_fs_promises.mkdir)((0, node_path.dirname)(envPath), { recursive: true });
-	await (0, node_fs_promises.writeFile)(envPath, envContent);
-}
-
 //#endregion
 //#region src/init/versions.ts
 const require$1 = (0, node_module.createRequire)(require("url").pathToFileURL(__filename).href);
@@ -6624,14 +6469,14 @@ const GEEKMIDAS_VERSIONS = {
 	"@geekmidas/audit": "~1.0.0",
 	"@geekmidas/auth": "~1.0.0",
 	"@geekmidas/cache": "~1.0.0",
-	"@geekmidas/client": "~2.0.0",
+	"@geekmidas/client": "~3.0.0",
 	"@geekmidas/cloud": "~1.0.0",
-	"@geekmidas/constructs": "~1.1.1",
+	"@geekmidas/constructs": "~2.0.0",
 	"@geekmidas/db": "~1.0.0",
 	"@geekmidas/emailkit": "~1.0.0",
 	"@geekmidas/envkit": "~1.0.3",
 	"@geekmidas/errors": "~1.0.0",
-	"@geekmidas/events": "~1.0.0",
+	"@geekmidas/events": "~1.1.0",
 	"@geekmidas/logger": "~1.0.0",
 	"@geekmidas/rate-limit": "~1.0.0",
 	"@geekmidas/schema": "~1.0.0",
@@ -6639,7 +6484,7 @@ const GEEKMIDAS_VERSIONS = {
 	"@geekmidas/storage": "~1.0.0",
 	"@geekmidas/studio": "~1.0.0",
 	"@geekmidas/telescope": "~1.0.0",
-	"@geekmidas/testkit": "~1.0.1",
+	"@geekmidas/testkit": "~1.0.2",
 	"@geekmidas/cli": CLI_VERSION
 };
 
@@ -10948,10 +10793,10 @@ async function initCommand(projectName, options = {}) {
 	const dbApps = [];
 	if (isFullstack && services.db) dbApps.push({
 		name: "api",
-		password: generateDbPassword()
+		password: require_fullstack_secrets.generateDbPassword()
 	}, {
 		name: "auth",
-		password: generateDbPassword()
+		password: require_fullstack_secrets.generateDbPassword()
 	});
 	const appFiles = baseTemplate ? [
 		...generatePackageJson(templateOptions, baseTemplate),
@@ -11000,7 +10845,7 @@ async function initCommand(projectName, options = {}) {
 	const secretServices = [];
 	if (services.db) secretServices.push("postgres");
 	if (services.cache) secretServices.push("redis");
-	const devSecrets = createStageSecrets("development", secretServices);
+	const devSecrets = require_fullstack_secrets.createStageSecrets("development", secretServices);
 	const customSecrets = {
 		NODE_ENV: "development",
 		PORT: "3000",
@@ -11010,7 +10855,7 @@ async function initCommand(projectName, options = {}) {
 	if (isFullstack && dbApps.length > 0) {
 		for (const app of dbApps) {
 			const urlKey = `${app.name.toUpperCase()}_DATABASE_URL`;
-			customSecrets[urlKey] = generateDbUrl(app.name, app.password, name$1);
+			customSecrets[urlKey] = require_fullstack_secrets.generateDbUrl(app.name, app.password, name$1);
 			const passwordKey = `${app.name.toUpperCase()}_DB_PASSWORD`;
 			customSecrets[passwordKey] = app.password;
 		}
@@ -11137,12 +10982,12 @@ async function secretsInitCommand(options) {
 	const config = await require_config.loadConfig();
 	const services = getServicesFromConfig(config.docker?.compose?.services);
 	if (services.length === 0) logger$2.warn("No services configured in docker.compose.services. Creating secrets with empty services.");
-	const secrets = createStageSecrets(stage, services);
+	const secrets = require_fullstack_secrets.createStageSecrets(stage, services);
 	try {
 		const loaded = await require_config.loadWorkspaceConfig();
 		const isMultiApp = Object.keys(loaded.workspace.apps).length > 1;
 		if (isMultiApp) {
-			const customSecrets = generateFullstackCustomSecrets(loaded.workspace);
+			const customSecrets = require_fullstack_secrets.generateFullstackCustomSecrets(loaded.workspace);
 			secrets.custom = customSecrets;
 			logger$2.log("  Detected workspace mode — generating per-app secrets");
 		}
@@ -11243,13 +11088,13 @@ async function secretsRotateCommand(options) {
 			logger$2.error(`Service "${service}" not configured in stage "${stage}"`);
 			process.exit(1);
 		}
-		const updated = rotateServicePassword(secrets, service);
+		const updated = require_fullstack_secrets.rotateServicePassword(secrets, service);
 		await require_storage.writeStageSecrets(updated);
 		logger$2.log(`\n✓ Password rotated for ${service} in stage "${stage}"`);
 	} else {
 		let updated = secrets;
 		const services = Object.keys(secrets.services);
-		for (const svc of services) updated = rotateServicePassword(updated, svc);
+		for (const svc of services) updated = require_fullstack_secrets.rotateServicePassword(updated, svc);
 		await require_storage.writeStageSecrets(updated);
 		logger$2.log(`\n✓ Passwords rotated for all services in stage "${stage}": ${services.join(", ")}`);
 	}
@@ -11342,7 +11187,7 @@ async function setupCommand(options = {}) {
 		process.exit(1);
 	}
 	if (isMultiApp && workspace.services.db) {
-		await writeDockerEnvFromSecrets(secrets, workspace.root);
+		await require_fullstack_secrets.writeDockerEnvFromSecrets(secrets, workspace.root);
 		logger$1.log("📄 Generated docker/.env with database passwords");
 	}
 	if (!options.skipDocker) {
@@ -11396,10 +11241,10 @@ async function generateFreshSecrets(stage, workspace, options) {
 	const serviceNames = [];
 	if (workspace.services.db) serviceNames.push("postgres");
 	if (workspace.services.cache) serviceNames.push("redis");
-	const secrets = createStageSecrets(stage, serviceNames);
+	const secrets = require_fullstack_secrets.createStageSecrets(stage, serviceNames);
 	const isMultiApp = Object.keys(workspace.apps).length > 1;
 	if (isMultiApp) {
-		const customSecrets = generateFullstackCustomSecrets(workspace);
+		const customSecrets = require_fullstack_secrets.generateFullstackCustomSecrets(workspace);
 		secrets.custom = customSecrets;
 	} else secrets.custom = {
 		NODE_ENV: "development",
@@ -11943,8 +11788,19 @@ program.command("secrets:push").description("Push secrets to remote provider (SS
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await Promise.resolve().then(() => require("./config.cjs"));
-		const { pushSecrets: pushSecrets$1 } = await Promise.resolve().then(() => require("./sync-BxFB34zW.cjs"));
+		const { pushSecrets: pushSecrets$1 } = await Promise.resolve().then(() => require("./sync-RsnjXYwG.cjs"));
+		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-7yarEvmK.cjs"));
+		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-C7pmBq1u.cjs"));
 		const { workspace } = await loadWorkspaceConfig$1();
+		const secrets = await readStageSecrets$1(options.stage, workspace.root);
+		if (secrets) {
+			const result = reconcileMissingSecrets(secrets, workspace);
+			if (result) {
+				await writeStageSecrets$1(result.secrets, workspace.root);
+				console.log(`  Reconciled ${result.addedKeys.length} missing secret(s):`);
+				for (const key of result.addedKeys) console.log(`    + ${key}`);
+			}
+		}
 		await pushSecrets$1(options.stage, workspace);
 		console.log(`\n✓ Secrets pushed for stage "${options.stage}"`);
 	} catch (error) {
@@ -11957,14 +11813,21 @@ program.command("secrets:pull").description("Pull secrets from remote provider (
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await Promise.resolve().then(() => require("./config.cjs"));
-		const { pullSecrets: pullSecrets$1 } = await Promise.resolve().then(() => require("./sync-BxFB34zW.cjs"));
+		const { pullSecrets: pullSecrets$1 } = await Promise.resolve().then(() => require("./sync-RsnjXYwG.cjs"));
 		const { writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-C7pmBq1u.cjs"));
+		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-7yarEvmK.cjs"));
 		const { workspace } = await loadWorkspaceConfig$1();
-		const secrets = await pullSecrets$1(options.stage, workspace);
+		let secrets = await pullSecrets$1(options.stage, workspace);
 		if (!secrets) {
 			console.error(`No remote secrets found for stage "${options.stage}".`);
 			process.exit(1);
 		}
+		const result = reconcileMissingSecrets(secrets, workspace);
+		if (result) {
+			secrets = result.secrets;
+			console.log(`  Reconciled ${result.addedKeys.length} missing secret(s):`);
+			for (const key of result.addedKeys) console.log(`    + ${key}`);
+		}
 		await writeStageSecrets$1(secrets, workspace.root);
 		console.log(`\n✓ Secrets pulled for stage "${options.stage}"`);
 	} catch (error) {
@@ -11972,6 +11835,32 @@ program.command("secrets:pull").description("Pull secrets from remote provider (
 		process.exit(1);
 	}
 });
+program.command("secrets:reconcile").description("Backfill missing custom secrets from workspace config").option("--stage <stage>", "Stage name", "development").action(async (options) => {
+	try {
+		const globalOptions = program.opts();
+		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
+		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await Promise.resolve().then(() => require("./config.cjs"));
+		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-7yarEvmK.cjs"));
+		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-C7pmBq1u.cjs"));
+		const { workspace } = await loadWorkspaceConfig$1();
+		const secrets = await readStageSecrets$1(options.stage, workspace.root);
+		if (!secrets) {
+			console.error(`No secrets found for stage "${options.stage}". Run "gkm secrets:init --stage ${options.stage}" first.`);
+			process.exit(1);
+		}
+		const result = reconcileMissingSecrets(secrets, workspace);
+		if (!result) {
+			console.log(`\n✓ Secrets for stage "${options.stage}" are up-to-date`);
+			return;
+		}
+		await writeStageSecrets$1(result.secrets, workspace.root);
+		console.log(`\n✓ Reconciled ${result.addedKeys.length} missing secret(s) for stage "${options.stage}":`);
+		for (const key of result.addedKeys) console.log(`    + ${key}`);
+	} catch (error) {
+		console.error(error instanceof Error ? error.message : "Command failed");
+		process.exit(1);
+	}
+});
 program.command("deploy").description("Deploy application to a provider").requiredOption("--provider <provider>", "Deploy provider (docker, dokploy, aws-lambda)").requiredOption("--stage <stage>", "Deployment stage (e.g., production, staging)").option("--tag <tag>", "Image tag (default: stage-timestamp)").option("--skip-push", "Skip pushing image to registry").option("--skip-build", "Skip build step (use existing build)").action(async (options) => {
 	try {
 		const globalOptions = program.opts();