@geekmidas/cli 1.9.0 → 1.9.1

package/dist/index.mjs

@@ -8,8 +8,9 @@ import { getKeyPath, maskPassword, readStageSecrets, secretsExist, setCustomSecr
 import { DokployApi } from "./dokploy-api-2ldYoN3i.mjs";
 import { encryptSecrets } from "./encryption-BOH5M-f-.mjs";
 import { CachedStateProvider } from "./CachedStateProvider-BDq5WqSy.mjs";
-import { generateReactQueryCommand } from "./openapi-react-query-DaTMSPD5.mjs";
-import { isSSMConfigured, pullSecrets, pushSecrets } from "./sync-CHfhmXF3.mjs";
+import { createStageSecrets, generateDbPassword, generateDbUrl, generateFullstackCustomSecrets, rotateServicePassword, writeDockerEnvFromSecrets } from "./fullstack-secrets-UZAFWuH4.mjs";
+import { generateReactQueryCommand } from "./openapi-react-query-C4UdILaI.mjs";
+import { isSSMConfigured, pullSecrets, pushSecrets } from "./sync-CbeKrnQV.mjs";
 import { createRequire } from "node:module";
 import { copyFileSync, existsSync, readFileSync, unlinkSync } from "node:fs";
 import { basename, dirname, join, parse, relative, resolve } from "node:path";
@@ -34,7 +35,7 @@ import prompts from "prompts";
 
 //#region package.json
 var name = "@geekmidas/cli";
-var version = "1.8.0";
+var version = "1.9.0";
 var description = "CLI tools for building Lambda handlers, server applications, and generating OpenAPI specs";
 var private$1 = false;
 var type = "module";
@@ -1740,6 +1741,66 @@ var EntryRunner = class {
 		}
 	}
 };
+/**
+* Generate the content of the dev server entry file (server.ts).
+* Uses dynamic import for createApp so Credentials are populated
+* before any app modules evaluate.
+* @internal Exported for testing
+*/
+function generateServerEntryContent(options) {
+	const { secretsJsonPath, runtime = "node", enableOpenApi = false, appImportPath = "./app.js" } = options;
+	const credentialsInjection = secretsJsonPath ? `import { Credentials } from '@geekmidas/envkit/credentials';
+import { existsSync, readFileSync } from 'node:fs';
+
+// Inject dev secrets into Credentials (must happen before app import)
+const secretsPath = '${secretsJsonPath}';
+if (existsSync(secretsPath)) {
+  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
+}
+
+` : "";
+	const serveCode = runtime === "bun" ? `Bun.serve({
+      port,
+      fetch: app.fetch,
+    });` : `const { serve } = await import('@hono/node-server');
+    const server = serve({
+      fetch: app.fetch,
+      port,
+    });
+    // Inject WebSocket support if available
+    const injectWs = (app as any).__injectWebSocket;
+    if (injectWs) {
+      injectWs(server);
+      console.log('🔌 Telescope real-time updates enabled');
+    }`;
+	return `#!/usr/bin/env node
+/**
+ * Development server entry point
+ * This file is auto-generated by 'gkm dev'
+ */
+${credentialsInjection}
+const port = process.argv.includes('--port')
+  ? Number.parseInt(process.argv[process.argv.indexOf('--port') + 1])
+  : 3000;
+
+// Dynamic import so Credentials are populated before env.ts evaluates
+const { createApp } = await import('${appImportPath}');
+
+// createApp is async to support optional WebSocket setup
+const { app, start } = await createApp(undefined, ${enableOpenApi});
+
+// Start the server
+start({
+  port,
+  serve: async (app, port) => {
+    ${serveCode}
+  },
+}).catch((error) => {
+  console.error('Failed to start server:', error);
+  process.exit(1);
+});
+`;
+}
 var DevServer = class {
 	serverProcess = null;
 	isRunning = false;
@@ -1833,58 +1894,12 @@ var DevServer = class {
 	}
 	async createServerEntry() {
 		const { writeFile: fsWriteFile } = await import("node:fs/promises");
-		const { relative: relative$1, dirname: dirname$1 } = await import("node:path");
 		const serverPath = join(this.appRoot, ".gkm", this.provider, "server.ts");
-		const relativeAppPath = relative$1(dirname$1(serverPath), join(dirname$1(serverPath), "app.js"));
-		const credentialsInjection = this.secretsJsonPath ? `import { Credentials } from '@geekmidas/envkit/credentials';
-import { existsSync, readFileSync } from 'node:fs';
-
-// Inject dev secrets into Credentials (must happen before app import)
-const secretsPath = '${this.secretsJsonPath}';
-if (existsSync(secretsPath)) {
-  Object.assign(Credentials, JSON.parse(readFileSync(secretsPath, 'utf-8')));
-}
-
-` : "";
-		const serveCode = this.runtime === "bun" ? `Bun.serve({
-      port,
-      fetch: app.fetch,
-    });` : `const { serve } = await import('@hono/node-server');
-    const server = serve({
-      fetch: app.fetch,
-      port,
-    });
-    // Inject WebSocket support if available
-    const injectWs = (app as any).__injectWebSocket;
-    if (injectWs) {
-      injectWs(server);
-      console.log('🔌 Telescope real-time updates enabled');
-    }`;
-		const content = `#!/usr/bin/env node
-/**
- * Development server entry point
- * This file is auto-generated by 'gkm dev'
- */
-${credentialsInjection}import { createApp } from './${relativeAppPath.startsWith(".") ? relativeAppPath : `./${relativeAppPath}`}';
-
-const port = process.argv.includes('--port')
-  ? Number.parseInt(process.argv[process.argv.indexOf('--port') + 1])
-  : 3000;
-
-// createApp is async to support optional WebSocket setup
-const { app, start } = await createApp(undefined, ${this.enableOpenApi});
-
-// Start the server
-start({
-  port,
-  serve: async (app, port) => {
-    ${serveCode}
-  },
-}).catch((error) => {
-  console.error('Failed to start server:', error);
-  process.exit(1);
-});
-`;
+		const content = generateServerEntryContent({
+			secretsJsonPath: this.secretsJsonPath,
+			runtime: this.runtime,
+			enableOpenApi: this.enableOpenApi
+		});
 		await fsWriteFile(serverPath, content);
 	}
 };
@@ -2137,7 +2152,7 @@ async function buildForProvider(provider, context, rootOutputDir, endpointGenera
 		let masterKey;
 		if (context.production?.bundle && !skipBundle) {
 			logger$9.log(`\n📦 Bundling production server...`);
-			const { bundleServer } = await import("./bundler-BxHyDhdt.mjs");
+			const { bundleServer } = await import("./bundler-DQYjKFPm.mjs");
 			const allConstructs = [
 				...endpoints.map((e) => e.construct),
 				...functions.map((f) => f.construct),
@@ -2416,11 +2431,11 @@ async function createDnsProvider(options) {
 	if (isDnsProvider(config$1.provider)) return config$1.provider;
 	const provider = config$1.provider;
 	if (provider === "hostinger") {
-		const { HostingerProvider } = await import("./HostingerProvider-DkahM5AP.mjs");
+		const { HostingerProvider } = await import("./HostingerProvider-ANWchdiK.mjs");
 		return new HostingerProvider();
 	}
 	if (provider === "route53") {
-		const { Route53Provider } = await import("./Route53Provider-Ckq_n5Be.mjs");
+		const { Route53Provider } = await import("./Route53Provider-QoPgcXxn.mjs");
 		const route53Config = config$1;
 		return new Route53Provider({
 			region: route53Config.region,
@@ -4668,19 +4683,19 @@ function isStateProvider(value) {
 async function createStateProvider(options) {
 	const { config: config$1, workspaceRoot, workspaceName } = options;
 	if (!config$1) {
-		const { LocalStateProvider } = await import("./LocalStateProvider-DXIwWb7k.mjs");
+		const { LocalStateProvider } = await import("./LocalStateProvider-Dp0KkRcw.mjs");
 		return new LocalStateProvider(workspaceRoot);
 	}
 	if (isStateProvider(config$1.provider)) return config$1.provider;
 	const provider = config$1.provider;
 	if (provider === "local") {
-		const { LocalStateProvider } = await import("./LocalStateProvider-DXIwWb7k.mjs");
+		const { LocalStateProvider } = await import("./LocalStateProvider-Dp0KkRcw.mjs");
 		return new LocalStateProvider(workspaceRoot);
 	}
 	if (provider === "ssm") {
 		if (!workspaceName) throw new Error("Workspace name is required for SSM state provider. Set \"name\" in gkm.config.ts.");
-		const { LocalStateProvider } = await import("./LocalStateProvider-DXIwWb7k.mjs");
-		const { SSMStateProvider } = await import("./SSMStateProvider-wddd0_-d.mjs");
+		const { LocalStateProvider } = await import("./LocalStateProvider-Dp0KkRcw.mjs");
+		const { SSMStateProvider } = await import("./SSMStateProvider-CksOTB8M.mjs");
 		const { CachedStateProvider: CachedStateProvider$1 } = await import("./CachedStateProvider-CI61keQ1.mjs");
 		const ssmConfig = config$1;
 		const local = new LocalStateProvider(workspaceRoot);
@@ -5780,7 +5795,7 @@ async function workspaceDeployCommand(workspace, options) {
 	}
 	if (workspace.deploy?.backups && provisionedPostgres) {
 		logger$3.log("\n💾 Provisioning backup destination...");
-		const { provisionBackupDestination } = await import("./backup-provisioner-BAExdDtc.mjs");
+		const { provisionBackupDestination } = await import("./backup-provisioner-BEXoHTuC.mjs");
 		const backupState = await provisionBackupDestination({
 			api,
 			projectId: project.projectId,
@@ -6405,200 +6420,6 @@ function printStateDetails(state) {
 	}
 }
 
-//#endregion
-//#region src/secrets/generator.ts
-/**
-* Generate a secure random password using URL-safe base64 characters.
-* @param length Password length (default: 32)
-*/
-function generateSecurePassword(length = 32) {
-	return randomBytes(Math.ceil(length * 3 / 4)).toString("base64url").slice(0, length);
-}
-/** Default service configurations */
-const SERVICE_DEFAULTS = {
-	postgres: {
-		host: "postgres",
-		port: 5432,
-		username: "app",
-		database: "app"
-	},
-	redis: {
-		host: "redis",
-		port: 6379,
-		username: "default"
-	},
-	rabbitmq: {
-		host: "rabbitmq",
-		port: 5672,
-		username: "app",
-		vhost: "/"
-	}
-};
-/**
-* Generate credentials for a specific service.
-*/
-function generateServiceCredentials(service) {
-	const defaults = SERVICE_DEFAULTS[service];
-	return {
-		...defaults,
-		password: generateSecurePassword()
-	};
-}
-/**
-* Generate credentials for multiple services.
-*/
-function generateServicesCredentials(services) {
-	const result = {};
-	for (const service of services) result[service] = generateServiceCredentials(service);
-	return result;
-}
-/**
-* Generate connection URL for PostgreSQL.
-*/
-function generatePostgresUrl(creds) {
-	const { username, password, host, port, database } = creds;
-	return `postgresql://${username}:${encodeURIComponent(password)}@${host}:${port}/${database}`;
-}
-/**
-* Generate connection URL for Redis.
-*/
-function generateRedisUrl(creds) {
-	const { password, host, port } = creds;
-	return `redis://:${encodeURIComponent(password)}@${host}:${port}`;
-}
-/**
-* Generate connection URL for RabbitMQ.
-*/
-function generateRabbitmqUrl(creds) {
-	const { username, password, host, port, vhost } = creds;
-	const encodedVhost = encodeURIComponent(vhost ?? "/");
-	return `amqp://${username}:${encodeURIComponent(password)}@${host}:${port}/${encodedVhost}`;
-}
-/**
-* Generate connection URLs from service credentials.
-*/
-function generateConnectionUrls(services) {
-	const urls = {};
-	if (services.postgres) urls.DATABASE_URL = generatePostgresUrl(services.postgres);
-	if (services.redis) urls.REDIS_URL = generateRedisUrl(services.redis);
-	if (services.rabbitmq) urls.RABBITMQ_URL = generateRabbitmqUrl(services.rabbitmq);
-	return urls;
-}
-/**
-* Create a new StageSecrets object with generated credentials.
-*/
-function createStageSecrets(stage, services) {
-	const now = (/* @__PURE__ */ new Date()).toISOString();
-	const serviceCredentials = generateServicesCredentials(services);
-	const urls = generateConnectionUrls(serviceCredentials);
-	return {
-		stage,
-		createdAt: now,
-		updatedAt: now,
-		services: serviceCredentials,
-		urls,
-		custom: {}
-	};
-}
-/**
-* Rotate password for a specific service.
-*/
-function rotateServicePassword(secrets, service) {
-	const currentCreds = secrets.services[service];
-	if (!currentCreds) throw new Error(`Service "${service}" not configured in secrets`);
-	const newCreds = {
-		...currentCreds,
-		password: generateSecurePassword()
-	};
-	const newServices = {
-		...secrets.services,
-		[service]: newCreds
-	};
-	return {
-		...secrets,
-		updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
-		services: newServices,
-		urls: generateConnectionUrls(newServices)
-	};
-}
-
-//#endregion
-//#region src/setup/fullstack-secrets.ts
-/**
-* Generate a secure random password for database users.
-* Uses a combination of timestamp and random bytes for uniqueness.
-*/
-function generateDbPassword() {
-	return `${Date.now().toString(36)}${Math.random().toString(36).slice(2)}${Math.random().toString(36).slice(2)}`;
-}
-/**
-* Generate database URL for an app.
-* All apps connect to the same database, but use different users/schemas.
-*/
-function generateDbUrl(appName, password, projectName, host = "localhost", port = 5432) {
-	const userName = appName.replace(/-/g, "_");
-	const dbName = `${projectName.replace(/-/g, "_")}_dev`;
-	return `postgresql://${userName}:${password}@${host}:${port}/${dbName}`;
-}
-/**
-* Generate fullstack-aware custom secrets for a workspace.
-*
-* Generates:
-* - Common secrets: NODE_ENV, PORT, LOG_LEVEL, JWT_SECRET
-* - Per-app database passwords and URLs for backend apps with db service
-* - Better-auth secrets for apps using the better-auth framework
-*/
-function generateFullstackCustomSecrets(workspace) {
-	const hasDb = !!workspace.services.db;
-	const customs = {
-		NODE_ENV: "development",
-		PORT: "3000",
-		LOG_LEVEL: "debug",
-		JWT_SECRET: `dev-${Date.now()}-${Math.random().toString(36).slice(2)}`
-	};
-	if (!hasDb) return customs;
-	const frontendPorts = [];
-	for (const [appName, appConfig] of Object.entries(workspace.apps)) {
-		if (appConfig.type === "frontend") {
-			frontendPorts.push(appConfig.port);
-			continue;
-		}
-		const password = generateDbPassword();
-		const upperName = appName.toUpperCase();
-		customs[`${upperName}_DATABASE_URL`] = generateDbUrl(appName, password, workspace.name);
-		customs[`${upperName}_DB_PASSWORD`] = password;
-		if (appConfig.framework === "better-auth") {
-			customs.AUTH_PORT = String(appConfig.port);
-			customs.AUTH_URL = `http://localhost:${appConfig.port}`;
-			customs.BETTER_AUTH_SECRET = `better-auth-${Date.now()}-${generateSecurePassword(16)}`;
-			customs.BETTER_AUTH_URL = `http://localhost:${appConfig.port}`;
-		}
-	}
-	if (customs.BETTER_AUTH_SECRET) {
-		const allPorts = Object.values(workspace.apps).map((a) => a.port);
-		customs.BETTER_AUTH_TRUSTED_ORIGINS = allPorts.map((p) => `http://localhost:${p}`).join(",");
-	}
-	return customs;
-}
-/**
-* Extract *_DB_PASSWORD keys from secrets and write docker/.env.
-*
-* The docker/.env file contains database passwords that the PostgreSQL
-* init script reads to create per-app database users.
-*/
-async function writeDockerEnvFromSecrets(secrets, workspaceRoot) {
-	const dbPasswordEntries = Object.entries(secrets.custom).filter(([key]) => key.endsWith("_DB_PASSWORD"));
-	if (dbPasswordEntries.length === 0) return;
-	const envContent = `# Auto-generated docker environment file
-# Contains database passwords for docker-compose postgres init
-# This file is gitignored - do not commit to version control
-${dbPasswordEntries.map(([key, value]) => `${key}=${value}`).join("\n")}
-`;
-	const envPath = join(workspaceRoot, "docker", ".env");
-	await mkdir(dirname(envPath), { recursive: true });
-	await writeFile(envPath, envContent);
-}
-
 //#endregion
 //#region src/init/versions.ts
 const require$1 = createRequire(import.meta.url);
@@ -6624,14 +6445,14 @@ const GEEKMIDAS_VERSIONS = {
 	"@geekmidas/audit": "~1.0.0",
 	"@geekmidas/auth": "~1.0.0",
 	"@geekmidas/cache": "~1.0.0",
-	"@geekmidas/client": "~2.0.0",
+	"@geekmidas/client": "~3.0.0",
 	"@geekmidas/cloud": "~1.0.0",
-	"@geekmidas/constructs": "~1.1.1",
+	"@geekmidas/constructs": "~2.0.0",
 	"@geekmidas/db": "~1.0.0",
 	"@geekmidas/emailkit": "~1.0.0",
 	"@geekmidas/envkit": "~1.0.3",
 	"@geekmidas/errors": "~1.0.0",
-	"@geekmidas/events": "~1.0.0",
+	"@geekmidas/events": "~1.1.0",
 	"@geekmidas/logger": "~1.0.0",
 	"@geekmidas/rate-limit": "~1.0.0",
 	"@geekmidas/schema": "~1.0.0",
@@ -6639,7 +6460,7 @@ const GEEKMIDAS_VERSIONS = {
 	"@geekmidas/storage": "~1.0.0",
 	"@geekmidas/studio": "~1.0.0",
 	"@geekmidas/telescope": "~1.0.0",
-	"@geekmidas/testkit": "~1.0.1",
+	"@geekmidas/testkit": "~1.0.2",
 	"@geekmidas/cli": CLI_VERSION
 };
 
@@ -11943,8 +11764,19 @@ program.command("secrets:push").description("Push secrets to remote provider (SS
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await import("./config.mjs");
-		const { pushSecrets: pushSecrets$1 } = await import("./sync-BnqNNc6O.mjs");
+		const { pushSecrets: pushSecrets$1 } = await import("./sync-6FoT41G3.mjs");
+		const { reconcileMissingSecrets } = await import("./reconcile-D2WCDQue.mjs");
+		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await import("./storage-Dx_jZbq6.mjs");
 		const { workspace } = await loadWorkspaceConfig$1();
+		const secrets = await readStageSecrets$1(options.stage, workspace.root);
+		if (secrets) {
+			const result = reconcileMissingSecrets(secrets, workspace);
+			if (result) {
+				await writeStageSecrets$1(result.secrets, workspace.root);
+				console.log(`  Reconciled ${result.addedKeys.length} missing secret(s):`);
+				for (const key of result.addedKeys) console.log(`    + ${key}`);
+			}
+		}
 		await pushSecrets$1(options.stage, workspace);
 		console.log(`\n✓ Secrets pushed for stage "${options.stage}"`);
 	} catch (error) {
@@ -11957,14 +11789,21 @@ program.command("secrets:pull").description("Pull secrets from remote provider (
 		const globalOptions = program.opts();
 		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
 		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await import("./config.mjs");
-		const { pullSecrets: pullSecrets$1 } = await import("./sync-BnqNNc6O.mjs");
+		const { pullSecrets: pullSecrets$1 } = await import("./sync-6FoT41G3.mjs");
 		const { writeStageSecrets: writeStageSecrets$1 } = await import("./storage-Dx_jZbq6.mjs");
+		const { reconcileMissingSecrets } = await import("./reconcile-D2WCDQue.mjs");
 		const { workspace } = await loadWorkspaceConfig$1();
-		const secrets = await pullSecrets$1(options.stage, workspace);
+		let secrets = await pullSecrets$1(options.stage, workspace);
 		if (!secrets) {
 			console.error(`No remote secrets found for stage "${options.stage}".`);
 			process.exit(1);
 		}
+		const result = reconcileMissingSecrets(secrets, workspace);
+		if (result) {
+			secrets = result.secrets;
+			console.log(`  Reconciled ${result.addedKeys.length} missing secret(s):`);
+			for (const key of result.addedKeys) console.log(`    + ${key}`);
+		}
 		await writeStageSecrets$1(secrets, workspace.root);
 		console.log(`\n✓ Secrets pulled for stage "${options.stage}"`);
 	} catch (error) {
@@ -11972,6 +11811,32 @@ program.command("secrets:pull").description("Pull secrets from remote provider (
 		process.exit(1);
 	}
 });
+program.command("secrets:reconcile").description("Backfill missing custom secrets from workspace config").option("--stage <stage>", "Stage name", "development").action(async (options) => {
+	try {
+		const globalOptions = program.opts();
+		if (globalOptions.cwd) process.chdir(globalOptions.cwd);
+		const { loadWorkspaceConfig: loadWorkspaceConfig$1 } = await import("./config.mjs");
+		const { reconcileMissingSecrets } = await import("./reconcile-D2WCDQue.mjs");
+		const { readStageSecrets: readStageSecrets$1, writeStageSecrets: writeStageSecrets$1 } = await import("./storage-Dx_jZbq6.mjs");
+		const { workspace } = await loadWorkspaceConfig$1();
+		const secrets = await readStageSecrets$1(options.stage, workspace.root);
+		if (!secrets) {
+			console.error(`No secrets found for stage "${options.stage}". Run "gkm secrets:init --stage ${options.stage}" first.`);
+			process.exit(1);
+		}
+		const result = reconcileMissingSecrets(secrets, workspace);
+		if (!result) {
+			console.log(`\n✓ Secrets for stage "${options.stage}" are up-to-date`);
+			return;
+		}
+		await writeStageSecrets$1(result.secrets, workspace.root);
+		console.log(`\n✓ Reconciled ${result.addedKeys.length} missing secret(s) for stage "${options.stage}":`);
+		for (const key of result.addedKeys) console.log(`    + ${key}`);
+	} catch (error) {
+		console.error(error instanceof Error ? error.message : "Command failed");
+		process.exit(1);
+	}
+});
 program.command("deploy").description("Deploy application to a provider").requiredOption("--provider <provider>", "Deploy provider (docker, dokploy, aws-lambda)").requiredOption("--stage <stage>", "Deployment stage (e.g., production, staging)").option("--tag <tag>", "Image tag (default: stage-timestamp)").option("--skip-push", "Skip pushing image to registry").option("--skip-build", "Skip build step (use existing build)").action(async (options) => {
 	try {
 		const globalOptions = program.opts();