@geekmidas/cli 1.9.0 → 1.9.1

package/dist/index.cjs

@@ -8,8 +8,9 @@ const require_storage = require('./storage-CoCNe0Pt.cjs');
 const require_dokploy_api = require('./dokploy-api-DLgvEQlr.cjs');
 const require_encryption = require('./encryption-BE0UOb8j.cjs');
 const require_CachedStateProvider = require('./CachedStateProvider-D73dCqfH.cjs');
-const require_openapi_react_query = require('./openapi-react-query-BeXvk-wa.cjs');
-const require_sync = require('./sync-BOS0jKLn.cjs');
+const require_fullstack_secrets = require('./fullstack-secrets-COWz084x.cjs');
+const require_openapi_react_query = require('./openapi-react-query-DYbBq-WJ.cjs');
+const require_sync = require('./sync-DdkKaHqP.cjs');
 const node_fs = require_chunk.__toESM(require("node:fs"));
 const node_path = require_chunk.__toESM(require("node:path"));
 const commander = require_chunk.__toESM(require("commander"));
@@ -34,7 +35,7 @@ const prompts = require_chunk.__toESM(require("prompts"));
 
 //#region package.json
 var name = "@geekmidas/cli";
-var version = "1.8.0";
+var version = "1.9.0";
 var description = "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs";
 var private$1 = false;
 var type = "module";
@@ -1740,6 +1741,66 @@ var EntryRunner = class {
 		}
 	}
 };
+/**
+* Generate the content of the dev server entry file (server.ts).
+* Uses dynamic import for createApp so Credentials are populated
+* before any app modules evaluate.
+* @internal Exported for testing
+*/
+function generateServerEntryContent(options) {
+	const { secretsJsonPath, runtime = "node", enableOpenApi = false, appImportPath = "./app.js" } = options;
+	const credentialsInjection = secretsJsonPath ? `import { Credentials } from '@geekmidas/envkit/credentials';
+import { existsSync, readFileSync } from 'node:fs';
+
+// Inject dev secrets into Credentials (must happen before app import)
+const secretsPath = '${secretsJsonPath}';
+if (existsSync(secretsPath)) {
+  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
+}
+
+` : "";
+	const serveCode = runtime === "bun" ? `Bun.serve({
+      port,
+      fetch: app.fetch,
+    });` : `const { serve } = await import('@hono/node-server');
+    const server = serve({
+      fetch: app.fetch,
+      port,
+    });
+    // Inject WebSocket support if available
+    const injectWs = (app as any).__injectWebSocket;
+    if (injectWs) {
+      injectWs(server);
+      console.log('🔌 Telescope real-time updates enabled');
+    }`;
+	return `#!/usr/bin/env node
+/**
+ * Development server entry point
+ * This file is auto-generated by 'gkm dev'
+ */
+${credentialsInjection}
+const port = process.argv.includes('--port')
+  ? Number.parseInt(process.argv[process.argv.indexOf('--port') + 1])
+  : 3000;
+
+// Dynamic import so Credentials are populated before env.ts evaluates
+const { createApp } = await import('${appImportPath}');
+
+// createApp is async to support optional WebSocket setup
+const { app, start } = await createApp(undefined, ${enableOpenApi});
+
+// Start the server
+start({
+  port,
+  serve: async (app, port) => {
+    ${serveCode}
+  },
+}).catch((error) => {
+  console.error('Failed to start server:', error);
+  process.exit(1);
+});
+`;
+}
 var DevServer = class {
 	serverProcess = null;
 	isRunning = false;
@@ -1833,58 +1894,12 @@ var DevServer = class {
 	}
 	async createServerEntry() {
 		const { writeFile: fsWriteFile } = await import("node:fs/promises");
-		const { relative: relative$6, dirname: dirname$11 } = await import("node:path");
 		const serverPath = (0, node_path.join)(this.appRoot, ".gkm", this.provider, "server.ts");
-		const relativeAppPath = relative$6(dirname$11(serverPath), (0, node_path.join)(dirname$11(serverPath), "app.js"));
-		const credentialsInjection = this.secretsJsonPath ? `import { Credentials } from '@geekmidas/envkit/credentials';
-import { existsSync, readFileSync } from 'node:fs';
-
-// Inject dev secrets into Credentials (must happen before app import)
-const secretsPath = '${this.secretsJsonPath}';
-if (existsSync(secretsPath)) {
-  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
-}
-
-` : "";
-		const serveCode = this.runtime === "bun" ? `Bun.serve({
-      port,
-      fetch: app.fetch,
-    });` : `const { serve } = await import('@hono/node-server');
-    const server = serve({
-      fetch: app.fetch,
-      port,
-    });
-    // Inject WebSocket support if available
-    const injectWs = (app as any).__injectWebSocket;
-    if (injectWs) {
-      injectWs(server);
-      console.log('🔌 Telescope real-time updates enabled');
-    }`;
-		const content = `#!/usr/bin/env node
-/**
- * Development server entry point
- * This file is auto-generated by 'gkm dev'
- */
-${credentialsInjection}import { createApp } from './${relativeAppPath.startsWith(".") ? relativeAppPath : `./${relativeAppPath}`}';
-
-const port = process.argv.includes('--port')
-  ? Number.parseInt(process.argv[process.argv.indexOf('--port') + 1])
-  : 3000;
-
-// createApp is async to support optional WebSocket setup
-const { app, start } = await createApp(undefined, ${this.enableOpenApi});
-
-// Start the server
-start({
-  port,
-  serve: async (app, port) => {
-    ${serveCode}
-  },
-}).catch((error) => {
-  console.error('Failed to start server:', error);
-  process.exit(1);
-});
-`;
+		const content = generateServerEntryContent({
+			secretsJsonPath: this.secretsJsonPath,
+			runtime: this.runtime,
+			enableOpenApi: this.enableOpenApi
+		});
 		await fsWriteFile(serverPath, content);
 	}
 };
@@ -2137,7 +2152,7 @@ async function buildForProvider(provider, context, rootOutputDir, endpointGenera
 		let masterKey;
 		if (context.production?.bundle && !skipBundle) {
 			logger$9.log(`\n📦 Bundling production server...`);
-			const { bundleServer } = await Promise.resolve().then(() => require("./bundler-CuMIfXw5.cjs"));
+			const { bundleServer } = await Promise.resolve().then(() => require("./bundler-NpfYPBUo.cjs"));
 			const allConstructs = [
 				...endpoints.map((e) => e.construct),
 				...functions.map((f) => f.construct),
@@ -2416,11 +2431,11 @@ async function createDnsProvider(options) {
 	if (isDnsProvider(config.provider)) return config.provider;
 	const provider = config.provider;
 	if (provider === "hostinger") {
-		const { HostingerProvider } = await Promise.resolve().then(() => require("./HostingerProvider-CEsQbmpY.cjs"));
+		const { HostingerProvider } = await Promise.resolve().then(() => require("./HostingerProvider-5KYmwoK2.cjs"));
 		return new HostingerProvider();
 	}
 	if (provider === "route53") {
-		const { Route53Provider } = await Promise.resolve().then(() => require("./Route53Provider-BqXeHzuc.cjs"));
+		const { Route53Provider } = await Promise.resolve().then(() => require("./Route53Provider-owQQ4pn6.cjs"));
 		const route53Config = config;
 		return new Route53Provider({
 			region: route53Config.region,
@@ -4668,19 +4683,19 @@ function isStateProvider(value) {
 async function createStateProvider(options) {
 	const { config, workspaceRoot, workspaceName } = options;
 	if (!config) {
-		const { LocalStateProvider } = await Promise.resolve().then(() => require("./LocalStateProvider-Roi202l7.cjs"));
+		const { LocalStateProvider } = await Promise.resolve().then(() => require("./LocalStateProvider-CLifRC0Y.cjs"));
 		return new LocalStateProvider(workspaceRoot);
 	}
 	if (isStateProvider(config.provider)) return config.provider;
 	const provider = config.provider;
 	if (provider === "local") {
-		const { LocalStateProvider } = await Promise.resolve().then(() => require("./LocalStateProvider-Roi202l7.cjs"));
+		const { LocalStateProvider } = await Promise.resolve().then(() => require("./LocalStateProvider-CLifRC0Y.cjs"));
 		return new LocalStateProvider(workspaceRoot);
 	}
 	if (provider === "ssm") {
 		if (!workspaceName) throw new Error("Workspace name is required for SSM state provider. Set \"name\" in gkm.config.ts.");
-		const { LocalStateProvider } = await Promise.resolve().then(() => require("./LocalStateProvider-Roi202l7.cjs"));
-		const { SSMStateProvider } = await Promise.resolve().then(() => require("./SSMStateProvider-BReQA5re.cjs"));
+		const { LocalStateProvider } = await Promise.resolve().then(() => require("./LocalStateProvider-CLifRC0Y.cjs"));
+		const { SSMStateProvider } = await Promise.resolve().then(() => require("./SSMStateProvider-CT8tjl9o.cjs"));
 		const { CachedStateProvider: CachedStateProvider$1 } = await Promise.resolve().then(() => require("./CachedStateProvider-D_uISMmJ.cjs"));
 		const ssmConfig = config;
 		const local = new LocalStateProvider(workspaceRoot);
@@ -5355,8 +5370,8 @@ async function provisionServices(api, projectId, environmentId, projectName, ser
 				else logger$3.log(`   ⚠ Cached ID invalid, will create new`);
 			}
 			if (!redis) {
-				const { randomBytes: randomBytes$3 } = await import("node:crypto");
-				const databasePassword = randomBytes$3(16).toString("hex");
+				const { randomBytes: randomBytes$2 } = await import("node:crypto");
+				const databasePassword = randomBytes$2(16).toString("hex");
 				const result = await api.findOrCreateRedis(redisName, projectId, environmentId, { databasePassword });
 				redis = result.redis;
 				created = result.created;
@@ -5780,7 +5795,7 @@ async function workspaceDeployCommand(workspace, options) {
 	}
 	if (workspace.deploy?.backups && provisionedPostgres) {
 		logger$3.log("\n💾 Provisioning backup destination...");
-		const { provisionBackupDestination } = await Promise.resolve().then(() => require("./backup-provisioner-C8VK63I-.cjs"));
+		const { provisionBackupDestination } = await Promise.resolve().then(() => require("./backup-provisioner-C4noe75O.cjs"));
 		const backupState = await provisionBackupDestination({
 			api,
 			projectId: project.projectId,
@@ -6405,200 +6420,6 @@ function printStateDetails(state) {
 	}
 }
 
-//#endregion
-//#region src/secrets/generator.ts
-/**
-* Generate a secure random password using URL-safe base64 characters.
-* @param length Password length (default: 32)
-*/
-function generateSecurePassword(length = 32) {
-	return (0, node_crypto.randomBytes)(Math.ceil(length * 3 / 4)).toString("base64url").slice(0, length);
-}
-/** Default service configurations */
-const SERVICE_DEFAULTS = {
-	postgres: {
-		host: "postgres",
-		port: 5432,
-		username: "app",
-		database: "app"
-	},
-	redis: {
-		host: "redis",
-		port: 6379,
-		username: "default"
-	},
-	rabbitmq: {
-		host: "rabbitmq",
-		port: 5672,
-		username: "app",
-		vhost: "/"
-	}
-};
-/**
-* Generate credentials for a specific service.
-*/
-function generateServiceCredentials(service) {
-	const defaults = SERVICE_DEFAULTS[service];
-	return {
-		...defaults,
-		password: generateSecurePassword()
-	};
-}
-/**
-* Generate credentials for multiple services.
-*/
-function generateServicesCredentials(services) {
-	const result = {};
-	for (const service of services) result[service] = generateServiceCredentials(service);
-	return result;
-}
-/**
-* Generate connection URL for PostgreSQL.
-*/
-function generatePostgresUrl(creds) {
-	const { username, password, host, port, database } = creds;
-	return `postgresql://${username}:${encodeURIComponent(password)}@${host}:${port}/${database}`;
-}
-/**
-* Generate connection URL for Redis.
-*/
-function generateRedisUrl(creds) {
-	const { password, host, port } = creds;
-	return `redis://:${encodeURIComponent(password)}@${host}:${port}`;
-}
-/**
-* Generate connection URL for RabbitMQ.
-*/
-function generateRabbitmqUrl(creds) {
-	const { username, password, host, port, vhost } = creds;
-	const encodedVhost = encodeURIComponent(vhost ?? "/");
-	return `amqp://${username}:${encodeURIComponent(password)}@${host}:${port}/${encodedVhost}`;
-}
-/**
-* Generate connection URLs from service credentials.
-*/
-function generateConnectionUrls(services) {
-	const urls = {};
-	if (services.postgres) urls.DATABASE_URL = generatePostgresUrl(services.postgres);
-	if (services.redis) urls.REDIS_URL = generateRedisUrl(services.redis);
-	if (services.rabbitmq) urls.RABBITMQ_URL = generateRabbitmqUrl(services.rabbitmq);
-	return urls;
-}
-/**
-* Create a new StageSecrets object with generated credentials.
-*/
-function createStageSecrets(stage, services) {
-	const now = (/* @__PURE__ */ new Date()).toISOString();
-	const serviceCredentials = generateServicesCredentials(services);
-	const urls = generateConnectionUrls(serviceCredentials);
-	return {
-		stage,
-		createdAt: now,
-		updatedAt: now,
-		services: serviceCredentials,
-		urls,
-		custom: {}
-	};
-}
-/**
-* Rotate password for a specific service.
-*/
-function rotateServicePassword(secrets, service) {
-	const currentCreds = secrets.services[service];
-	if (!currentCreds) throw new Error(`Service "${service}" not configured in secrets`);
-	const newCreds = {
-		...currentCreds,
-		password: generateSecurePassword()
-	};
-	const newServices = {
-		...secrets.services,
-		[service]: newCreds
-	};
-	return {
-		...secrets,
-		updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
-		services: newServices,
-		urls: generateConnectionUrls(newServices)
-	};
-}
-
-//#endregion
-//#region src/setup/fullstack-secrets.ts
-/**
-* Generate a secure random password for database users.
-* Uses a combination of timestamp and random bytes for uniqueness.
-*/
-function generateDbPassword() {
-	return `${Date.now().toString(36)}${Math.random().toString(36).slice(2)}${Math.random().toString(36).slice(2)}`;
-}
-/**
-* Generate database URL for an app.
-* All apps connect to the same database, but use different users/schemas.
-*/
-function generateDbUrl(appName, password, projectName, host = "localhost", port = 5432) {
-	const userName = appName.replace(/-/g, "_");
-	const dbName = `${projectName.replace(/-/g, "_")}_dev`;
-	return `postgresql://${userName}:${password}@${host}:${port}/${dbName}`;
-}
-/**
-* Generate fullstack-aware custom secrets for a workspace.
-*
-* Generates:
-* - Common secrets: NODE_ENV, PORT, LOG_LEVEL, JWT_SECRET
-* - Per-app database passwords and URLs for backend apps with db service
-* - Better-auth secrets for apps using the better-auth framework
-*/
-function generateFullstackCustomSecrets(workspace) {
-	const hasDb = !!workspace.services.db;
-	const customs = {
-		NODE_ENV: "development",
-		PORT: "3000",
-		LOG_LEVEL: "debug",
-		JWT_SECRET: `dev-${Date.now()}-${Math.random().toString(36).slice(2)}`
-	};
-	if (!hasDb) return customs;
-	const frontendPorts = [];
-	for (const [appName, appConfig] of Object.entries(workspace.apps)) {
-		if (appConfig.type === "frontend") {
-			frontendPorts.push(appConfig.port);
-			continue;
-		}
-		const password = generateDbPassword();
-		const upperName = appName.toUpperCase();
-		customs[`${upperName}_DATABASE_URL`] = generateDbUrl(appName, password, workspace.name);
-		customs[`${upperName}_DB_PASSWORD`] = password;
-		if (appConfig.framework === "better-auth") {
-			customs.AUTH_PORT = String(appConfig.port);
-			customs.AUTH_URL = `http://localhost:${appConfig.port}`;
-			customs.BETTER_AUTH_SECRET = `better-auth-${Date.now()}-${generateSecurePassword(16)}`;
-			customs.BETTER_AUTH_URL = `http://localhost:${appConfig.port}`;
-		}
-	}
-	if (customs.BETTER_AUTH_SECRET) {
-		const allPorts = Object.values(workspace.apps).map((a) => a.port);
-		customs.BETTER_AUTH_TRUSTED_ORIGINS = allPorts.map((p) => `http://localhost:${p}`).join(",");
-	}
-	return customs;
-}
-/**
-* Extract *_DB_PASSWORD keys from secrets and write docker/.env.
-*
-* The docker/.env file contains database passwords that the PostgreSQL
-* init script reads to create per-app database users.
-*/
-async function writeDockerEnvFromSecrets(secrets, workspaceRoot) {
-	const dbPasswordEntries = Object.entries(secrets.custom).filter(([key]) => key.endsWith("_DB_PASSWORD"));
-	if (dbPasswordEntries.length === 0) return;
-	const envContent = `# Auto-generated docker environment file
-# Contains database passwords for docker-compose postgres init
-# This file is gitignored - do not commit to version control
-${dbPasswordEntries.map(([key, value]) => `${key}=${value}`).join("\n")}
-`;
-	const envPath = (0, node_path.join)(workspaceRoot, "docker", ".env");
-	await (0, node_fs_promises.mkdir)((0, node_path.dirname)(envPath), { recursive: true });
-	await (0, node_fs_promises.writeFile)(envPath, envContent);
-}
-
 //#endregion
 //#region src/init/versions.ts
 const require$1 = (0, node_module.createRequire)(require("url").pathToFileURL(__filename).href);
@@ -6624,14 +6445,14 @@ const GEEKMIDAS_VERSIONS = {
 	"@geekmidas/audit": "~1.0.0",
 	"@geekmidas/auth": "~1.0.0",
 	"@geekmidas/cache": "~1.0.0",
-	"@geekmidas/client": "~2.0.0",
+	"@geekmidas/client": "~3.0.0",
 	"@geekmidas/cloud": "~1.0.0",
-	"@geekmidas/constructs": "~1.1.1",
+	"@geekmidas/constructs": "~2.0.0",
 	"@geekmidas/db": "~1.0.0",
 	"@geekmidas/emailkit": "~1.0.0",
 	"@geekmidas/envkit": "~1.0.3",
 	"@geekmidas/errors": "~1.0.0",
-	"@geekmidas/events": "~1.0.0",
+	"@geekmidas/events": "~1.1.0",
 	"@geekmidas/logger": "~1.0.0",
 	"@geekmidas/rate-limit": "~1.0.0",
 	"@geekmidas/schema": "~1.0.0",
@@ -6639,7 +6460,7 @@ const GEEKMIDAS_VERSIONS = {
 	"@geekmidas/storage": "~1.0.0",
 	"@geekmidas/studio": "~1.0.0",
 	"@geekmidas/telescope": "~1.0.0",
-	"@geekmidas/testkit": "~1.0.1",
+	"@geekmidas/testkit": "~1.0.2",
 	"@geekmidas/cli": CLI_VERSION
 };
 
@@ -10948,10 +10769,10 @@ async function initCommand(projectName, options = {}) {
 	const dbApps = [];
 	if (isFullstack && services.db) dbApps.push({
 		name: "api",
-		password: generateDbPassword()
+		password: require_fullstack_secrets.generateDbPassword()
 	}, {
 		name: "auth",
-		password: generateDbPassword()
+		password: require_fullstack_secrets.generateDbPassword()
 	});
 	const appFiles = baseTemplate ? [
 		...generatePackageJson(templateOptions, baseTemplate),
@@ -11000,7 +10821,7 @@ async function initCommand(projectName, options = {}) {
 	const secretServices = [];
 	if (services.db) secretServices.push("postgres");
 	if (services.cache) secretServices.push("redis");
-	const devSecrets = createStageSecrets("development", secretServices);
+	const devSecrets = require_fullstack_secrets.createStageSecrets("development", secretServices);
 	const customSecrets = {
 		NODE_ENV: "development",
 		PORT: "3000",
@@ -11010,7 +10831,7 @@ async function initCommand(projectName, options = {}) {
 	if (isFullstack && dbApps.length > 0) {
 		for (const app of dbApps) {
 			const urlKey = `${app.name.toUpperCase()}_DATABASE_URL`;
-			customSecrets[urlKey] = generateDbUrl(app.name, app.password, name$1);
+			customSecrets[urlKey] = require_fullstack_secrets.generateDbUrl(app.name, app.password, name$1);
 			const passwordKey = `${app.name.toUpperCase()}_DB_PASSWORD`;
 			customSecrets[passwordKey] = app.password;
 		}
@@ -11137,12 +10958,12 @@ async function secretsInitCommand(options) {
 	const config = await require_config.loadConfig();
 	const services = getServicesFromConfig(config.docker?.compose?.services);
 	if (services.length === 0) logger$2.warn("No services configured in docker.compose.services. Creating secrets with empty services.");
-	const secrets = createStageSecrets(stage, services);
+	const secrets = require_fullstack_secrets.createStageSecrets(stage, services);
 	try {
 		const loaded = await require_config.loadWorkspaceConfig();
 		const isMultiApp = Object.keys(loaded.workspace.apps).length > 1;
 		if (isMultiApp) {
-			const customSecrets = generateFullstackCustomSecrets(loaded.workspace);
+			const customSecrets = require_fullstack_secrets.generateFullstackCustomSecrets(loaded.workspace);
 			secrets.custom = customSecrets;
 			logger$2.log("  Detected workspace mode — generating per-app secrets");
 		}
@@ -11243,13 +11064,13 @@ async function secretsRotateCommand(options) {
 			logger$2.error(`Service "${service}" not configured in stage "${stage}"`);
 			process.exit(1);
 		}
-		const updated = rotateServicePassword(secrets, service);
+		const updated = require_fullstack_secrets.rotateServicePassword(secrets, service);
 		await require_storage.writeStageSecrets(updated);
 		logger$2.log(`\n✓ Password rotated for ${service} in stage "${stage}"`);
 	} else {
 		let updated = secrets;
 		const services = Object.keys(secrets.services);
-		for (const svc of services) updated = rotateServicePassword(updated, svc);
+		for (const svc of services) updated = require_fullstack_secrets.rotateServicePassword(updated, svc);
 		await require_storage.writeStageSecrets(updated);
 		logger$2.log(`\n✓ Passwords rotated for all services in stage "${stage}": ${services.join(", ")}`);
 	}
@@ -11342,7 +11163,7 @@ async function setupCommand(options = {}) {
 		process.exit(1);
 	}
 	if (isMultiApp && workspace.services.db) {
-		await writeDockerEnvFromSecrets(secrets, workspace.root);
+		await require_fullstack_secrets.writeDockerEnvFromSecrets(secrets, workspace.root);
 		logger$1.log("📄 Generated docker/.env with database passwords");
 	}
 	if (!options.skipDocker) {
@@ -11396,10 +11217,10 @@ async function generateFreshSecrets(stage, workspace, options) {
 	const serviceNames = [];
 	if (workspace.services.db) serviceNames.push("postgres");
 	if (workspace.services.cache) serviceNames.push("redis");
-	const secrets = createStageSecrets(stage, serviceNames);
+	const secrets = require_fullstack_secrets.createStageSecrets(stage, serviceNames);
 	const isMultiApp = Object.keys(workspace.apps).length > 1;
 	if (isMultiApp) {
-		const customSecrets = generateFullstackCustomSecrets(workspace);
+		const customSecrets = require_fullstack_secrets.generateFullstackCustomSecrets(workspace);
 		secrets.custom = customSecrets;
 	} else secrets.custom = {
 		NODE_ENV: "development",
@@ -11943,8 +11764,19 @@ program.command("secrets:push").description("Push secrets to remote provider (SS
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await Promise.resolve().then(() => require("./config.cjs"));
-		const { pushSecrets: pushSecrets$1 } = await Promise.resolve().then(() => require("./sync-BxFB34zW.cjs"));
+		const { pushSecrets: pushSecrets$1 } = await Promise.resolve().then(() => require("./sync-RsnjXYwG.cjs"));
+		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-7yarEvmK.cjs"));
+		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-C7pmBq1u.cjs"));
 		const { workspace } = await loadWorkspaceConfig$1();
+		const secrets = await readStageSecrets$1(options.stage, workspace.root);
+		if (secrets) {
+			const result = reconcileMissingSecrets(secrets, workspace);
+			if (result) {
+				await writeStageSecrets$1(result.secrets, workspace.root);
+				console.log(`  Reconciled ${result.addedKeys.length} missing secret(s):`);
+				for (const key of result.addedKeys) console.log(`    + ${key}`);
+			}
+		}
 		await pushSecrets$1(options.stage, workspace);
 		console.log(`\n✓ Secrets pushed for stage "${options.stage}"`);
 	} catch (error) {
@@ -11957,14 +11789,21 @@ program.command("secrets:pull").description("Pull secrets from remote provider (
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await Promise.resolve().then(() => require("./config.cjs"));
-		const { pullSecrets: pullSecrets$1 } = await Promise.resolve().then(() => require("./sync-BxFB34zW.cjs"));
+		const { pullSecrets: pullSecrets$1 } = await Promise.resolve().then(() => require("./sync-RsnjXYwG.cjs"));
 		const { writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-C7pmBq1u.cjs"));
+		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-7yarEvmK.cjs"));
 		const { workspace } = await loadWorkspaceConfig$1();
-		const secrets = await pullSecrets$1(options.stage, workspace);
+		let secrets = await pullSecrets$1(options.stage, workspace);
 		if (!secrets) {
 			console.error(`No remote secrets found for stage "${options.stage}".`);
 			process.exit(1);
 		}
+		const result = reconcileMissingSecrets(secrets, workspace);
+		if (result) {
+			secrets = result.secrets;
+			console.log(`  Reconciled ${result.addedKeys.length} missing secret(s):`);
+			for (const key of result.addedKeys) console.log(`    + ${key}`);
+		}
 		await writeStageSecrets$1(secrets, workspace.root);
 		console.log(`\n✓ Secrets pulled for stage "${options.stage}"`);
 	} catch (error) {
@@ -11972,6 +11811,32 @@ program.command("secrets:pull").description("Pull secrets from remote provider (
 		process.exit(1);
 	}
 });
+program.command("secrets:reconcile").description("Backfill missing custom secrets from workspace config").option("--stage <stage>", "Stage name", "development").action(async (options) => {
+	try {
+		const globalOptions = program.opts();
+		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
+		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await Promise.resolve().then(() => require("./config.cjs"));
+		const { reconcileMissingSecrets } = await Promise.resolve().then(() => require("./reconcile-7yarEvmK.cjs"));
+		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await Promise.resolve().then(() => require("./storage-C7pmBq1u.cjs"));
+		const { workspace } = await loadWorkspaceConfig$1();
+		const secrets = await readStageSecrets$1(options.stage, workspace.root);
+		if (!secrets) {
+			console.error(`No secrets found for stage "${options.stage}". Run "gkm secrets:init --stage ${options.stage}" first.`);
+			process.exit(1);
+		}
+		const result = reconcileMissingSecrets(secrets, workspace);
+		if (!result) {
+			console.log(`\n✓ Secrets for stage "${options.stage}" are up-to-date`);
+			return;
+		}
+		await writeStageSecrets$1(result.secrets, workspace.root);
+		console.log(`\n✓ Reconciled ${result.addedKeys.length} missing secret(s) for stage "${options.stage}":`);
+		for (const key of result.addedKeys) console.log(`    + ${key}`);
+	} catch (error) {
+		console.error(error instanceof Error ? error.message : "Command failed");
+		process.exit(1);
+	}
+});
 program.command("deploy").description("Deploy application to a provider").requiredOption("--provider <provider>", "Deploy provider (docker, dokploy, aws-lambda)").requiredOption("--stage <stage>", "Deployment stage (e.g., production, staging)").option("--tag <tag>", "Image tag (default: stage-timestamp)").option("--skip-push", "Skip pushing image to registry").option("--skip-build", "Skip build step (use existing build)").action(async (options) => {
 	try {
 		const globalOptions = program.opts();