@percepta/create 3.1.0 → 3.1.2

package/README.md

@@ -8,7 +8,7 @@ Scaffold and manage Mosaic packages.
 npx @percepta/create
 ```
 
-That's it. The CLI prompts you for the package type and project name. Defaults yield a running app — sign in as `admin@example.com` / `password`.
+That's it. The CLI prompts you for the package type, repo name, and package name as needed. Defaults yield a running app — sign in as `admin@example.com` / `password`.
 
 ## Options (mostly for automation)
 
@@ -17,7 +17,9 @@ The bare command above is the canonical UX. The flags below exist for tests and
 | Option | Description |
 |--------|-------------|
 | `-t, --type <type>` | Package type: `monorepo`, `webapp`, or `library` (skips the type prompt) |
-| `--name <name>` | Project name (skips the name prompt) |
+| `--name <name>` | Package/app name (skips the package name prompt) |
+| `--repo-name <name>` | Repo name when creating a new monorepo (skips the repo name prompt) |
+| `--cwd <dir>` | Run as if the CLI was started from `<dir>` |
 | `--skip-install` | Skip dependency installation, which also skips the auto-run setup + dev + browser, leaving you with manual next-steps |
 | `-y, --yes` | Skip all prompts; requires `--name` |
 
@@ -33,7 +35,7 @@ The bare command above is the canonical UX. The flags below exist for tests and
 
 `create` auto-detects whether you're inside an existing pnpm monorepo (by walking up for `pnpm-workspace.yaml`) and changes its prompts accordingly:
 
-- **Outside a monorepo** — you're asked "Initialize with a webapp?" (Y/n, default Y) before the project name. Picking the webapp option scaffolds a monorepo with a webapp inside `packages/<name>/`. Declining gives you an empty monorepo.
+- **Outside a monorepo** — you're asked "Initialize with a webapp?" (Y/n, default Y), then for the repo name. Picking the webapp option also asks for the webapp name and scaffolds it inside `packages/<webapp-name>/`. Declining gives you an empty monorepo.
 - **Inside a monorepo** — pick `Webapp` (default) or `Library` to add a new package under the workspace pattern.
 
 ## Happy-path: zero-friction webapp
@@ -75,9 +77,13 @@ pnpm build
 ### Testing locally
 
 ```bash
-pnpm build
-npm link
-create test-app
+pnpm create:local --cwd /tmp --name test-app --yes --skip-install
+```
+
+From the repo root, the same script can be run with a filter:
+
+```bash
+pnpm --filter @percepta/create create:local --cwd /tmp --name test-app --yes --skip-install
 ```
 
 ### Syncing template files

package/dist/{chunk-7NPWSTCY.js → chunk-CG7IJSB4.js}

@@ -77,6 +77,7 @@ async function promptInsideMonorepoType() {
 }
 async function promptProjectDetails(defaults) {
   const inMonorepo = defaults.monorepoContext?.found ?? false;
+  const cwd = defaults.cwd ?? process.cwd();
   let projectType;
   let finalName;
   if (inMonorepo) {
@@ -86,10 +87,38 @@ async function promptProjectDetails(defaults) {
   } else {
     projectType = defaults.projectType ?? await promptOutsideMonorepoType();
     await defaults.beforeNamePrompt?.(projectType);
-    finalName = defaults.name || await promptName("Project name?");
+    const repoName = defaults.repoName || (projectType === "monorepo" ? defaults.name : void 0) || await promptName("Repo name?");
+    const repoTitle = toTitleCase(repoName);
+    if (projectType === "monorepo") {
+      finalName = repoName;
+      const finalTitle3 = repoTitle;
+      const finalDirectory3 = path.resolve(cwd, repoName);
+      return {
+        projectType,
+        directory: finalDirectory3,
+        name: finalName,
+        title: finalTitle3,
+        installDeps: !defaults.skipInstall,
+        monorepoName: repoName,
+        monorepoTitle: repoTitle
+      };
+    }
+    const packageNamePrompt = projectType === "webapp" ? "Webapp name?" : "Library name?";
+    finalName = defaults.name || await promptName(packageNamePrompt);
+    const finalTitle2 = toTitleCase(finalName);
+    const finalDirectory2 = path.resolve(cwd, repoName);
+    return {
+      projectType,
+      directory: finalDirectory2,
+      name: finalName,
+      title: finalTitle2,
+      installDeps: !defaults.skipInstall,
+      monorepoName: repoName,
+      monorepoTitle: repoTitle
+    };
   }
   const finalTitle = finalName ? toTitleCase(finalName) : "";
-  const finalDirectory = !inMonorepo && finalName ? path.resolve(process.cwd(), finalName) : "";
+  const finalDirectory = !inMonorepo && finalName ? path.resolve(cwd, finalName) : "";
   return {
     projectType,
     directory: finalDirectory,

package/dist/index.js

@@ -7,7 +7,7 @@ import {
   toSnakeCase,
   toTitleCase,
   validateProjectName
-} from "./chunk-7NPWSTCY.js";
+} from "./chunk-CG7IJSB4.js";
 import {
   derivePlaceholders,
   writeManifest
@@ -262,11 +262,28 @@ async function generateEnvLocal(packageDir) {
   const examplePath = path4.join(packageDir, ".env.example");
   const localPath = path4.join(packageDir, ".env.local");
   if (!await fs4.pathExists(examplePath)) return;
-  if (await fs4.pathExists(localPath)) return;
-  const authSecret = randomBytes(32).toString("base64");
-  const encKey = randomBytes(16).toString("hex");
-  const content = (await fs4.readFile(examplePath, "utf-8")).replace(/^BETTER_AUTH_SECRET=.*$/m, `BETTER_AUTH_SECRET=${authSecret}`).replace(/^ENCRYPTION_SECRET_KEY=.*$/m, `ENCRYPTION_SECRET_KEY=${encKey}`);
-  await fs4.writeFile(localPath, content);
+  if (!await fs4.pathExists(localPath)) {
+    const authSecret = randomBytes(32).toString("base64");
+    const encKey = randomBytes(16).toString("hex");
+    const content = (await fs4.readFile(examplePath, "utf-8")).replace(/^BETTER_AUTH_SECRET=.*$/m, `BETTER_AUTH_SECRET=${authSecret}`).replace(/^ENCRYPTION_SECRET_KEY=.*$/m, `ENCRYPTION_SECRET_KEY=${encKey}`);
+    await fs4.writeFile(localPath, content);
+  }
+  const ryvnSecretsPath = path4.join(
+    packageDir,
+    "deploy",
+    "ryvn",
+    "percepta-test.secrets.env"
+  );
+  if (await fs4.pathExists(ryvnSecretsPath)) return;
+  const deployAuthSecret = randomBytes(32).toString("base64");
+  const deployEncKey = randomBytes(16).toString("hex");
+  const deploySecrets = [
+    `BETTER_AUTH_SECRET=${deployAuthSecret}`,
+    `ENCRYPTION_SECRET_KEY=${deployEncKey}`,
+    ""
+  ].join("\n");
+  await fs4.ensureDir(path4.dirname(ryvnSecretsPath));
+  await fs4.writeFile(ryvnSecretsPath, deploySecrets);
 }
 
 // src/utils/relocate-workflows.ts
@@ -529,6 +546,15 @@ _None yet \u2014 freshly created from template._
 `
   );
 }
+function buildAppConfig(name, title = toTitleCase(name)) {
+  return {
+    name,
+    title,
+    dbName: `${toSnakeCase(name)}_db`,
+    nameUpper: name.toUpperCase(),
+    nameSnake: toSnakeCase(name)
+  };
+}
 async function scaffoldMonorepo(targetDir, config) {
   const monoSpinner = ora("Copying monorepo template...").start();
   try {
@@ -700,6 +726,7 @@ function requireNpmTokenForWebappInstall(projectType, installDeps) {
   process.exit(1);
 }
 async function createProject(options) {
+  const cwd = await resolveCreateCwd(options.cwd);
   if (options.type !== void 0 && !isValidProjectType(options.type)) {
     console.error(
       chalk.red(
@@ -708,7 +735,6 @@ async function createProject(options) {
     );
     process.exit(1);
   }
-  const cwd = process.cwd();
   console.log();
   console.log(chalk.bold("Creating a new Mosaic package..."));
   console.log();
@@ -735,6 +761,7 @@ async function createProject(options) {
   }
   console.log();
   const projectName = options.name;
+  const repoName = options.repoName;
   if (options.yes && !projectName) {
     console.error(
       chalk.red("Error: --name is required when using --yes flag")
@@ -748,38 +775,47 @@ async function createProject(options) {
       process.exit(1);
     }
   }
+  if (repoName) {
+    const validation = validateProjectName(toKebabCase(repoName));
+    if (!validation.valid) {
+      console.error(chalk.red(`Invalid repo name: ${validation.error}`));
+      process.exit(1);
+    }
+  }
   let answers;
   if (options.yes) {
     const projectType = options.type || "webapp";
     requireNpmTokenForWebappInstall(projectType, !options.skipInstall);
     const kebabName = toKebabCase(projectName);
-    const directory = monorepoContext.found && monorepoContext.packageDir ? path7.join(monorepoContext.packageDir, kebabName) : path7.resolve(cwd, kebabName);
+    const kebabRepoName = repoName ? toKebabCase(repoName) : kebabName;
+    const directory = monorepoContext.found && monorepoContext.packageDir ? path7.join(monorepoContext.packageDir, kebabName) : path7.resolve(cwd, kebabRepoName);
     answers = {
       projectType,
       directory,
       name: kebabName,
       title: toTitleCase(kebabName),
-      installDeps: !options.skipInstall
+      installDeps: !options.skipInstall,
+      monorepoName: monorepoContext.found ? void 0 : kebabRepoName,
+      monorepoTitle: monorepoContext.found ? void 0 : toTitleCase(kebabRepoName)
     };
   } else {
     answers = await promptProjectDetails({
       projectType: options.type,
       name: projectName ? toKebabCase(projectName) : void 0,
+      repoName: repoName ? toKebabCase(repoName) : void 0,
       skipInstall: options.skipInstall,
       monorepoContext,
+      cwd,
       beforeNamePrompt: (projectType) => requireNpmTokenForWebappInstall(projectType, !options.skipInstall)
     });
     if (monorepoContext.found && monorepoContext.packageDir && !answers.directory) {
       answers.directory = path7.join(monorepoContext.packageDir, answers.name);
     }
   }
-  const config = {
-    name: answers.name,
-    title: answers.title,
-    dbName: toSnakeCase(answers.name) + "_db",
-    nameUpper: answers.name.toUpperCase(),
-    nameSnake: toSnakeCase(answers.name)
-  };
+  const config = buildAppConfig(answers.name, answers.title);
+  const monorepoName = answers.monorepoName ?? answers.name;
+  const monorepoTitle = answers.monorepoTitle ?? toTitleCase(monorepoName);
+  const monorepoConfig = buildAppConfig(monorepoName, monorepoTitle);
   const typeLabel = getProjectTypeLabel(answers.projectType);
   if (monorepoContext.found) {
     const monorepoRoot = monorepoContext.rootDir;
@@ -833,7 +869,7 @@ async function createProject(options) {
       installSucceeded
     );
     if (devStarted) return;
-    printNextStepsExisting(answers, options, packageDir);
+    printNextStepsExisting(answers, packageDir);
   } else {
     const isBareMonorepo = answers.projectType === "monorepo";
     const monorepoRoot = answers.directory;
@@ -841,11 +877,12 @@ async function createProject(options) {
     if (isBareMonorepo) {
       console.log(chalk.dim("  Type:"), typeLabel);
       console.log(chalk.dim("  Directory:"), monorepoRoot);
-      console.log(chalk.dim("  Name:"), config.name);
-      console.log(chalk.dim("  Title:"), config.title);
+      console.log(chalk.dim("  Repo name:"), monorepoConfig.name);
+      console.log(chalk.dim("  Title:"), monorepoConfig.title);
     } else {
       console.log(chalk.dim("  Package type:"), typeLabel);
       console.log(chalk.dim("  Monorepo directory:"), monorepoRoot);
+      console.log(chalk.dim("  Repo name:"), monorepoConfig.name);
       console.log(chalk.dim("  Package:"), `packages/${answers.name}/`);
       console.log(chalk.dim("  Name:"), config.name);
       console.log(chalk.dim("  Title:"), config.title);
@@ -863,7 +900,7 @@ async function createProject(options) {
         process.exit(1);
       }
     }
-    await scaffoldMonorepo(monorepoRoot, config);
+    await scaffoldMonorepo(monorepoRoot, monorepoConfig);
     if (packageDir && answers.projectType !== "monorepo") {
       await addPackageToMonorepo({
         packageDir,
@@ -903,8 +940,23 @@ async function createProject(options) {
       installSucceeded
     );
     if (devStarted) return;
-    printNextStepsNew(answers, options, monorepoRoot);
+    printNextStepsNew(answers, monorepoRoot);
+  }
+}
+async function resolveCreateCwd(cwdOption) {
+  const cwd = cwdOption ? path7.resolve(cwdOption) : process.cwd();
+  let stat;
+  try {
+    stat = await fs7.stat(cwd);
+  } catch {
+    console.error(chalk.red(`Error: --cwd directory does not exist: ${cwd}`));
+    process.exit(1);
+  }
+  if (!stat.isDirectory()) {
+    console.error(chalk.red(`Error: --cwd is not a directory: ${cwd}`));
+    process.exit(1);
   }
+  return cwd;
 }
 function printWebappNextSteps(params) {
   const {
@@ -1006,7 +1058,7 @@ async function warnIfMissingRootNpmrc(rootDir) {
   );
   console.log();
 }
-function printNextStepsNew(answers, options, targetDir) {
+function printNextStepsNew(answers, targetDir) {
   const pm = PACKAGE_MANAGER;
   const relativePath = path7.relative(process.cwd(), targetDir) || ".";
   console.log("Next steps:");
@@ -1062,7 +1114,7 @@ function printNextStepsNew(answers, options, targetDir) {
   );
   console.log();
 }
-function printNextStepsExisting(answers, options, packageDir) {
+function printNextStepsExisting(answers, packageDir) {
   const pm = PACKAGE_MANAGER;
   const packageRelativePath = path7.relative(process.cwd(), packageDir) || ".";
   const monorepoRoot = path7.dirname(path7.dirname(packageDir));
@@ -1106,7 +1158,7 @@ var packageJson = {
   version: "1.0.0"
 };
 program.name("create").description("Scaffold and manage Mosaic packages").version(packageJson.version);
-program.command("create", { isDefault: true }).description("Scaffold a new Mosaic package").option("-t, --type <type>", "Package type: monorepo, webapp, or library").option("--name <name>", "Project name").option("--skip-install", "Skip dependency installation (also skips the auto-run setup + dev + browser)", false).option("-y, --yes", "Skip all prompts and use defaults", false).action(createProject);
+program.command("create", { isDefault: true }).description("Scaffold a new Mosaic package").option("-t, --type <type>", "Package type: monorepo, webapp, or library").option("--name <name>", "Package/app name").option("--repo-name <name>", "Repository name when creating a new monorepo").option("--cwd <dir>", "Run create as if started from this directory").option("--skip-install", "Skip dependency installation (also skips the auto-run setup + dev + browser)", false).option("-y, --yes", "Skip all prompts and use defaults", false).action(createProject);
 program.command("status").description("Show template sync status for current app").option(
   "--mosaic-template-path <path>",
   "Path to local mosaic repo checkout"
@@ -1129,7 +1181,7 @@ program.command("upstream").description("Generate upstream context (app \u2192 t
   await upstreamCommand(options);
 });
 program.command("init").description("Add .mosaic-template.json to an existing app").option("-t, --type <type>", "Template type (e.g., webapp, library)").option("--template-version <version>", "Template version to set").action(async (options) => {
-  const { initCommand } = await import("./init-NP6GRXLL.js");
+  const { initCommand } = await import("./init-XDWSYHYK.js");
   await initCommand(options);
 });
 program.parse();

package/dist/{init-NP6GRXLL.js → init-XDWSYHYK.js}

@@ -1,7 +1,7 @@
 import {
   VALID_PROJECT_TYPES,
   isValidProjectType
-} from "./chunk-7NPWSTCY.js";
+} from "./chunk-CG7IJSB4.js";
 import {
   derivePlaceholders,
   manifestExists,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@percepta/create",
-  "version": "3.1.0",
+  "version": "3.1.2",
   "description": "Scaffold a new Mosaic package",
   "type": "module",
   "bin": {
@@ -27,7 +27,7 @@
     "tsup": "^8.4.0",
     "typescript": "^5.7.3",
     "vitest": "^4.0.0",
-    "@percepta/build": "0.4.0"
+    "@percepta/build": "0.4.1"
   },
   "engines": {
     "node": ">=18.0.0"
@@ -47,6 +47,7 @@
   "license": "MIT",
   "scripts": {
     "build": "tsup src/index.ts --format esm --dts --clean",
+    "create:local": "pnpm build && node dist/index.js",
     "dev": "tsup src/index.ts --format esm --watch",
     "typecheck": "tsc --noEmit",
     "sync-template": "tsx scripts/sync-template.ts",

package/templates/monorepo/gitignore.template

@@ -21,6 +21,7 @@ Thumbs.db
 .env
 .env.local
 .env.*.local
+**/deploy/ryvn/*.secrets.env
 
 # Logs
 *.log

package/templates/webapp/agent-skills/deploy.md

@@ -10,7 +10,7 @@ When this app was created with `@percepta/create`, the IaC files were generated
 - `deploy/ryvn/environments/percepta-test/installations/__APP_NAME__.env.percepta-test.serviceinstallation.yaml` — percepta-test installation
 - `.github/workflows/__APP_NAME__-ryvn-release.yaml` (at the repo root) — release workflow that builds the Docker image and creates a Ryvn release on push to `main`. Path filter scoped to `packages/__APP_NAME__/` so unrelated changes don't trigger builds.
 
-Per-app values (URLs, k8s service names, database schema) are substituted at create-time. The Better Auth and encryption secrets are declared as Ryvn-managed secrets so their values are set after the infra PR merges, not committed to git. Shared platform values (Inngest and OTel endpoints) are baked in as literals because they're stable across percepta-test apps.
+Per-app values (URLs, k8s service names, database schema) are substituted at create-time. The Better Auth and encryption secrets are written to `deploy/ryvn/percepta-test.secrets.env`, which is ignored by git and intended for Ryvn UI import. Shared platform values (Inngest and OTel endpoints) are baked in as literals because they're stable across percepta-test apps.
 
 See [`deploy/README.md`](../deploy/README.md) for the file-by-file breakdown.
 
@@ -24,42 +24,57 @@ See [`deploy/README.md`](../deploy/README.md) for the file-by-file breakdown.
 
 ## Deploy
 
-### Step 1: Open the infra PR
+### Step 1: Open the service/schema infra PR
 
 Run the generated deploy helper from this package directory:
 
 ```bash
-pnpm deploy:percepta-test -- --yes
+pnpm deploy:percepta-test -- --phase service --yes
 ```
 
 This script:
 
 - uses `INFRA_REPO` or `--infra <path>` when provided
 - otherwise uses a sibling `../infra` checkout, cloning `Percepta-Core/infra` there if needed
-- copies the Ryvn service and installation YAML into infra
+- copies the Ryvn service YAML into infra
 - appends a `postgresql_schema "__APP_NAME_SNAKE__"` resource to `terraform/percepta-internal/databases.tf`
-- opens one PR against `Percepta-Core/infra`
+- opens the first PR against `Percepta-Core/infra`
 
 Get the PR reviewed and merged.
 
-### Step 2: Set Ryvn secrets
+### Step 2: Wait for service/schema import
 
-After the infra PR merges, set the base Ryvn secrets for this installation:
+After the service/schema PR merges, wait for Ryvn GitOps to import the service. If Ryvn creates a `percepta-internal-terraform` task for the database schema, approve/apply it in Ryvn.
+
+### Step 3: Create the first release
+
+Push to `main` in the app repo (or `gh workflow run "Build & Release __APP_NAME__"`). The release workflow builds the Docker image and creates a Ryvn release. Do this before creating the ServiceInstallation, otherwise GitOps can fail with `ReleaseNotFound`.
+
+The workflow lives at `.github/workflows/__APP_NAME__-ryvn-release.yaml` (at the repo root, where GitHub Actions picks it up). It only fires on changes under `packages/__APP_NAME__/`, so unrelated edits to other packages in the monorepo won't trigger it.
+
+### Step 4: Open the installation infra PR
+
+After the first release exists, open the installation PR:
 
 ```bash
-BETTER_AUTH_SECRET=$(openssl rand -base64 32)
-ENCRYPTION_SECRET_KEY=$(openssl rand -hex 16)
+pnpm deploy:percepta-test -- --phase installation --yes
 ```
 
-Also set any app-specific secrets the implementation added, such as `OPENAI_API_KEY`.
+The `--` is the pnpm argument delimiter; it passes `--phase` and `--yes` through to the deploy helper script.
 
-### Step 3: Trigger the first deploy
+Get the PR reviewed and merged. Ryvn GitOps will import the ServiceInstallation and the Staging channel should deploy the latest release.
 
-Push to `main` in the app repo (or `gh workflow run "Build & Release __APP_NAME__"`). The release workflow builds the Docker image and creates a Ryvn release; Ryvn deploys it to percepta-test.
+### Step 5: Import Ryvn secrets
 
-The workflow lives at `.github/workflows/__APP_NAME__-ryvn-release.yaml` (at the repo root, where GitHub Actions picks it up). It only fires on changes under `packages/__APP_NAME__/`, so unrelated edits to other packages in the monorepo won't trigger it.
+After GitOps imports the installation, import this generated file in the Ryvn UI for the installation secrets:
+
+```bash
+deploy/ryvn/percepta-test.secrets.env
+```
+
+Also set any app-specific secrets the implementation added, such as `OPENAI_API_KEY`.
 
-### Step 4: Verify
+### Step 6: Verify
 
 ```bash
 ryvn get installation __APP_NAME__ -e percepta-test
@@ -72,7 +87,8 @@ The app will be available at **https://__APP_NAME__.percepta-test.aitco.dev**.
 
 ## Troubleshooting
 
-- **Pod crash-looping** → check `ryvn logs`; missing Ryvn secrets from Step 2 are the most common cause after a fresh deploy.
+- **Auth/sign-in routes fail after install** → import `deploy/ryvn/percepta-test.secrets.env` in the Ryvn UI, then let Ryvn update/restart the installation.
+- **Pod crash-looping** → check `ryvn logs`; migration or database connectivity failures are the most common fresh-deploy causes.
 - **Database connection refused** → verify `DATABASE_USE_SSL=true` and that `percepta-internal-terraform` is deployed.
 - **Database schema missing** → verify the infra PR added `postgresql_schema "__APP_NAME_SNAKE__"` and Ryvn applied `percepta-internal-terraform`.
 - **Inngest can't reach the app** → `INNGEST_APP_URL` must use the k8s service name `__APP_NAME__-web-server`. The scaffolded YAML gets this right; if you renamed anything, double-check.

package/templates/webapp/deploy/README.md

@@ -12,7 +12,7 @@ deploy/
                 └── __APP_NAME__.env.percepta-test.serviceinstallation.yaml # percepta-test installation
 ```
 
-These files are pre-filled with all base values needed to deploy to `https://__APP_NAME__.percepta-test.aitco.dev`. The generated `pnpm deploy:percepta-test -- --yes` helper opens the required `Percepta-Core/infra` PR.
+These files are pre-filled with all base values needed to deploy to `https://__APP_NAME__.percepta-test.aitco.dev`. The generated deploy helper opens the required `Percepta-Core/infra` PRs in two phases.
 
 ## Deploying
 
@@ -28,7 +28,31 @@ Tell Claude "deploy this app to percepta-test" — it'll follow [`agent-skills/d
 2. **Shared platform values** (Inngest and OTel endpoints) — copied as literals from existing percepta-test installations. These are stable across percepta-test apps.
 3. **Database wiring** — points at the shared `demos` database and a per-app schema created by the infra PR.
 
-`BETTER_AUTH_SECRET` and `ENCRYPTION_SECRET_KEY` are declared as Ryvn-managed secrets. Set their values in Ryvn after the infra PR merges; the scaffold does not commit deployment secret values to git.
+**`percepta-test.secrets.env`** — generated locally and ignored by git. Import it in the Ryvn UI for `BETTER_AUTH_SECRET` and `ENCRYPTION_SECRET_KEY`; deployment secret values are intentionally not committed to GitOps IaC.
+
+## Deployment order
+
+Use two infra PRs. The Service must exist before the first release can be created, and the first release must exist before the ServiceInstallation can be imported.
+
+1. Open and merge the service/schema PR:
+
+   ```bash
+   pnpm deploy:percepta-test -- --phase service --yes
+   ```
+
+2. Wait for GitOps to import the service. If the schema change creates a `percepta-internal-terraform` task in Ryvn, approve/apply it.
+
+3. Push the app to `main` or run the release workflow so Ryvn has a first release for `__APP_NAME__`.
+
+4. Open and merge the installation PR:
+
+   ```bash
+   pnpm deploy:percepta-test -- --phase installation --yes
+   ```
+
+5. After GitOps imports the installation, import `deploy/ryvn/percepta-test.secrets.env` into the Ryvn UI for the `__APP_NAME__` installation secrets.
+
+The `--` is the pnpm argument delimiter; it passes the flags after it through to `scripts/open-ryvn-deploy-pr.ts`.
 
 ## Repo layout note
 

package/templates/webapp/deploy/ryvn/environments/percepta-test/installations/__APP_NAME__.env.percepta-test.serviceinstallation.yaml

@@ -10,8 +10,23 @@ spec:
     service:
       port: 3000
 
+    startupEnabled: true
+    startupProbe:
+      httpGet:
+        path: /api/healthz
+        port: 3000
+      failureThreshold: 30
+      periodSeconds: 10
     livenessEnabled: true
+    livenessProbe:
+      httpGet:
+        path: /api/healthz
+        port: 3000
     readinessEnabled: true
+    readinessProbe:
+      httpGet:
+        path: /api/readyz
+        port: 3000
 
     resources:
       requests:
@@ -78,11 +93,9 @@ spec:
       value: https://__APP_NAME__.percepta-test.aitco.dev
     - key: BETTER_AUTH_URL
       value: https://__APP_NAME__.percepta-test.aitco.dev
-    # Set these in Ryvn after the infra PR merges.
-    - key: BETTER_AUTH_SECRET
-      isSecret: true
-    - key: ENCRYPTION_SECRET_KEY
-      isSecret: true
+    # Import BETTER_AUTH_SECRET and ENCRYPTION_SECRET_KEY from
+    # deploy/ryvn/percepta-test.secrets.env in the Ryvn UI after the installation
+    # exists. Secret values are intentionally not declared in GitOps IaC.
 
     # Inngest (shared percepta-test instance)
     - key: INNGEST_BASE_URL

package/templates/webapp/eslint.config.mjs

@@ -11,6 +11,7 @@ export default [
   {
     ignores: [
       "pnpm-lock.yaml",
+      "package.json",
       ".next/**",
       "next-env.d.ts",
       "public/**",

package/templates/webapp/gitignore.template

@@ -33,6 +33,7 @@ yarn-error.log*
 # env files (can opt-in for committing if needed)
 .env*
 !.env.example
+deploy/ryvn/*.secrets.env
 
 # vercel
 .vercel

package/templates/webapp/scripts/open-ryvn-deploy-pr.ts

@@ -1,29 +1,33 @@
 #!/usr/bin/env tsx
-/* eslint-disable no-console, n/no-process-env */
+/* eslint-disable n/no-process-env */
 
 import { execFileSync } from "node:child_process";
 import { existsSync } from "node:fs";
 import { appendFile, mkdir, readFile, writeFile } from "node:fs/promises";
 import path from "node:path";
-import { fileURLToPath } from "node:url";
-import { createInterface } from "node:readline/promises";
 import { stdin as input, stdout as output } from "node:process";
+import { createInterface } from "node:readline/promises";
+import { fileURLToPath } from "node:url";
 
 const APP_NAME = "__APP_NAME__";
 const DATABASE_SCHEMA = "__APP_NAME_SNAKE__";
 const ENVIRONMENT = "percepta-test";
 const INFRA_REMOTE = "git@github.com:Percepta-Core/infra.git";
 
+type DeployPhase = "service" | "installation";
+
 interface Options {
   infraPath?: string;
   yes: boolean;
   noClone: boolean;
+  phase: DeployPhase;
 }
 
 function parseArgs(argv: string[]): Options {
   const options: Options = {
     yes: false,
     noClone: false,
+    phase: "service",
   };
 
   for (let index = 0; index < argv.length; index++) {
@@ -32,6 +36,23 @@ function parseArgs(argv: string[]): Options {
       options.yes = true;
     } else if (arg === "--no-clone") {
       options.noClone = true;
+    } else if (arg === "--service") {
+      options.phase = "service";
+    } else if (arg === "--installation" || arg === "--install") {
+      options.phase = "installation";
+    } else if (arg === "--phase") {
+      const value = argv[index + 1];
+      if (!value) throw new Error("--phase requires service or installation");
+      if (value === "service") {
+        options.phase = "service";
+      } else if (value === "installation" || value === "install") {
+        options.phase = "installation";
+      } else {
+        throw new Error(
+          `Invalid --phase value "${value}". Use service or installation.`,
+        );
+      }
+      index++;
     } else if (arg === "--infra") {
       const value = argv[index + 1];
       if (!value) throw new Error("--infra requires a path");
@@ -135,7 +156,9 @@ async function resolveInfraRepo(
       `Infra repo not found. Clone Percepta-Core/infra to ${infraPath}?`,
     );
     if (!shouldClone) {
-      throw new Error("Skipped cloning infra repo. Re-run with --infra <path>.");
+      throw new Error(
+        "Skipped cloning infra repo. Re-run with --infra <path>.",
+      );
     }
   }
 
@@ -155,8 +178,14 @@ function assertCleanGitWorktree(repoPath: string): void {
   );
 }
 
-function switchDeployBranch(repoPath: string): string {
-  const branchName = `deploy/${APP_NAME}-${ENVIRONMENT}`;
+function getDeployBranchName(phase: DeployPhase): string {
+  return phase === "service"
+    ? `deploy/${APP_NAME}-${ENVIRONMENT}-service`
+    : `deploy/${APP_NAME}-${ENVIRONMENT}-installation`;
+}
+
+function switchDeployBranch(repoPath: string, phase: DeployPhase): string {
+  const branchName = getDeployBranchName(phase);
   const currentBranch = run(
     "git",
     ["branch", "--show-current"],
@@ -165,6 +194,8 @@ function switchDeployBranch(repoPath: string): string {
   );
   if (currentBranch === branchName) return branchName;
 
+  run("git", ["fetch", "origin", "main"], repoPath);
+
   let branchExists = false;
   try {
     run("git", ["rev-parse", "--verify", branchName], repoPath, "pipe");
@@ -176,7 +207,7 @@ function switchDeployBranch(repoPath: string): string {
   if (branchExists) {
     run("git", ["switch", branchName], repoPath);
   } else {
-    run("git", ["switch", "-c", branchName], repoPath);
+    run("git", ["switch", "-c", branchName, "origin/main"], repoPath);
   }
 
   return branchName;
@@ -199,6 +230,7 @@ async function writeIfChanged(
 async function copyDeployYaml(
   packageDir: string,
   infraRepo: string,
+  phase: DeployPhase,
 ): Promise<string[]> {
   const serviceSource = path.join(
     packageDir,
@@ -216,7 +248,11 @@ async function copyDeployYaml(
     `${APP_NAME}.env.${ENVIRONMENT}.serviceinstallation.yaml`,
   );
 
-  const serviceTarget = path.join(infraRepo, "ryvn", `${APP_NAME}.service.yaml`);
+  const serviceTarget = path.join(
+    infraRepo,
+    "ryvn",
+    `${APP_NAME}.service.yaml`,
+  );
   const installationTarget = path.join(
     infraRepo,
     "ryvn",
@@ -227,14 +263,18 @@ async function copyDeployYaml(
   );
 
   const changed: string[] = [];
-  if (await writeIfChanged(serviceTarget, await readFile(serviceSource, "utf8"))) {
+  if (
+    phase === "service" &&
+    (await writeIfChanged(serviceTarget, await readFile(serviceSource, "utf8")))
+  ) {
     changed.push(path.relative(infraRepo, serviceTarget));
   }
   if (
-    await writeIfChanged(
+    phase === "installation" &&
+    (await writeIfChanged(
       installationTarget,
       await readFile(installationSource, "utf8"),
-    )
+    ))
   ) {
     changed.push(path.relative(infraRepo, installationTarget));
   }
@@ -300,10 +340,89 @@ function getPrUrl(repoPath: string, branchName: string): string | null {
   }
 }
 
+function getPrTitle(phase: DeployPhase): string {
+  return phase === "service"
+    ? `Add ${APP_NAME} ${ENVIRONMENT} service`
+    : `Install ${APP_NAME} in ${ENVIRONMENT}`;
+}
+
+function getPrBody(phase: DeployPhase): string {
+  if (phase === "service") {
+    return [
+      `Adds the Ryvn service for ${APP_NAME}.`,
+      "",
+      `Also creates the ${DATABASE_SCHEMA} schema in the shared demos database.`,
+      "",
+      "After merge:",
+      "1. Let GitOps import the service.",
+      "2. Approve/apply the percepta-internal Terraform task if one is created.",
+      "3. Push the app to main or run the release workflow so Ryvn has a first release.",
+      `4. Open the installation PR with pnpm deploy:percepta-test -- --phase installation --yes.`,
+    ].join("\n");
+  }
+
+  return [
+    `Adds the ${ENVIRONMENT} ServiceInstallation for ${APP_NAME}.`,
+    "",
+    "Pre-merge checklist:",
+    "1. The Ryvn Service exists from the service/schema PR.",
+    "2. At least one Ryvn release exists for this service.",
+    "",
+    "After merge, import deploy/ryvn/percepta-test.secrets.env in the Ryvn UI for the installation secrets.",
+  ].join("\n");
+}
+
+function printNextSteps(phase: DeployPhase): void {
+  if (phase === "service") {
+    console.log("");
+    console.log("Next:");
+    console.log("1. Merge the service/schema PR.");
+    console.log("2. Wait for GitOps to import the service.");
+    console.log(
+      "3. Approve/apply the percepta-internal Terraform task if one is created.",
+    );
+    console.log("4. Push the app to main or run the release workflow.");
+    console.log(
+      "5. Run: pnpm deploy:percepta-test -- --phase installation --yes",
+    );
+    return;
+  }
+
+  console.log("");
+  console.log("Next:");
+  console.log("1. Merge the installation PR.");
+  console.log("2. Let GitOps import the ServiceInstallation.");
+  console.log(
+    "3. Import deploy/ryvn/percepta-test.secrets.env in the Ryvn UI.",
+  );
+  console.log(
+    "4. Verify health with: ryvn get installation __APP_NAME__ -e percepta-test",
+  );
+}
+
+async function confirmInstallationPrerequisites(
+  options: Options,
+): Promise<void> {
+  if (options.phase !== "installation" || options.yes) return;
+
+  const message =
+    "Before opening the installation PR, confirm the service exists, " +
+    "and a first Ryvn release exists. Continue?";
+
+  if (!process.stdin.isTTY) {
+    throw new Error(`${message} Re-run with --yes to confirm.`);
+  }
+
+  if (!(await confirm(message))) {
+    throw new Error("Skipped installation PR.");
+  }
+}
+
 async function main(): Promise<void> {
   const options = parseArgs(process.argv.slice(2));
   assertCommand("git");
   assertCommand("gh");
+  await confirmInstallationPrerequisites(options);
 
   const packageDir = path.resolve(
     path.dirname(fileURLToPath(import.meta.url)),
@@ -314,16 +433,25 @@ async function main(): Promise<void> {
   const infraRepo = await resolveInfraRepo(options, defaultInfraPath);
 
   assertCleanGitWorktree(infraRepo);
-  const branchName = switchDeployBranch(infraRepo);
+  const branchName = switchDeployBranch(infraRepo, options.phase);
 
-  const changedPaths = await copyDeployYaml(packageDir, infraRepo);
-  const schemaPath = await ensureDatabaseSchema(infraRepo);
-  if (schemaPath) changedPaths.push(schemaPath);
+  const changedPaths = await copyDeployYaml(
+    packageDir,
+    infraRepo,
+    options.phase,
+  );
+  if (options.phase === "service") {
+    const schemaPath = await ensureDatabaseSchema(infraRepo);
+    if (schemaPath) changedPaths.push(schemaPath);
+  }
 
   if (changedPaths.length === 0) {
     console.log(
-      "Infra repo already has the generated Ryvn files and database schema.",
+      options.phase === "service"
+        ? "Infra repo already has the generated Ryvn service and database schema."
+        : "Infra repo already has the generated Ryvn installation.",
     );
+    printNextSteps(options.phase);
     return;
   }
 
@@ -333,42 +461,32 @@ async function main(): Promise<void> {
     return;
   }
 
-  run(
-    "git",
-    ["commit", "-m", `Add ${APP_NAME} ${ENVIRONMENT} deployment`],
-    infraRepo,
-  );
+  run("git", ["commit", "-m", getPrTitle(options.phase)], infraRepo);
   run("git", ["push", "-u", "origin", branchName], infraRepo);
 
   const existingPr = getPrUrl(infraRepo, branchName);
   if (existingPr) {
     console.log(`Infra PR: ${existingPr}`);
+    printNextSteps(options.phase);
     return;
   }
 
-  const body = [
-    `Adds the Ryvn service and ${ENVIRONMENT} installation for ${APP_NAME}.`,
-    "",
-    `Also creates the ${DATABASE_SCHEMA} schema in the shared demos database.`,
-    "",
-    "After merge, Ryvn GitOps should create the installation and the release workflow can deploy the app.",
-  ].join("\n");
-
   const prUrl = run(
     "gh",
     [
       "pr",
       "create",
       "--title",
-      `Add ${APP_NAME} ${ENVIRONMENT} deployment`,
+      getPrTitle(options.phase),
       "--body",
-      body,
+      getPrBody(options.phase),
     ],
     infraRepo,
     "pipe",
   );
 
   console.log(`Infra PR: ${prUrl}`);
+  printNextSteps(options.phase);
 }
 
 void main().catch((error) => {

package/templates/webapp/scripts/seed.ts

@@ -18,7 +18,7 @@ const DEFAULT_USER = {
 
 async function main(): Promise<void> {
   loadEnvConfig(process.cwd());
-  // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-member-access
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-member-access
   (globalThis as any).AsyncLocalStorage = AsyncLocalStorage;
 
   const { auth } = await import("../src/lib/auth");

package/templates/webapp/scripts/setup-database.ts

@@ -1,6 +1,7 @@
 import { loadEnvConfig } from "@next/env";
 import { Pool } from "pg";
 import { getEnvConfig } from "../src/config/getEnvConfig";
+import { getPgSslConfig } from "../src/drizzle/ssl";
 
 const SHARED_DATABASES = new Set(["demos", "internal_apps"]);
 
@@ -39,7 +40,7 @@ async function main(): Promise<void> {
     user,
     password,
     database: "postgres", // Connect to default postgres database
-    ssl: useSSL,
+    ssl: getPgSslConfig(useSSL),
   });
 
   try {

package/templates/webapp/scripts/start.sh

@@ -17,8 +17,9 @@ echo "Running database migrations..."
 if pnpm db:setup-and-migrate; then
     echo "✅ Database migrations completed successfully"
 else
-    echo "❌ Database migration failed. App will start anyway."
+    echo "❌ Database migration failed. App will not start."
     echo "Check your database configuration and connectivity."
+    exit 1
 fi
 
 # Setup readonly database user for EDW (only if READONLY_SECRET_NAME is set)
@@ -49,4 +50,4 @@ fi
 
 # Start the Next.js application
 echo "Starting Next.js server on port ${PORT:-3000}..."
-exec pnpm start
+exec pnpm start

package/templates/webapp/src/app/(app)/layout.tsx

@@ -1,11 +1,7 @@
 import React from "react";
 import Header from "../../components/Header";
 
-export default function AppLayout({
-  children,
-}: {
-  children: React.ReactNode;
-}) {
+export default function AppLayout({ children }: { children: React.ReactNode }) {
   return (
     <>
       <Header />

package/templates/webapp/src/app/(auth)/auth/signin/CredentialsSignInForm.tsx

@@ -2,14 +2,15 @@
 
 import { zodResolver } from "@hookform/resolvers/zod";
 import { Button, Input } from "@percepta/design";
+import Link from "next/link";
 import { useRouter, useSearchParams } from "next/navigation";
 import React, { useCallback } from "react";
 import { Controller, useForm } from "react-hook-form";
 import { toast } from "sonner";
 import z from "zod";
 import { FormItem } from "../../../../components/form/FormItem";
-import { authClient } from "../../../../lib/auth-client";
 import { IS_DEV } from "../../../../config/isDev";
+import { authClient } from "../../../../lib/auth-client";
 
 const CREDENTIALS_SCHEMA = z.object({
   email: z.string().min(1, "Email is required"),
@@ -66,6 +67,15 @@ export function CredentialsSignInForm() {
     <div className="space-y-8">
       <div className="text-center">
         <h1 className="text-2xl font-bold text-foreground">Sign In</h1>
+        <p className="mt-2 text-sm text-muted-foreground">
+          Need an account?{" "}
+          <Link
+            className="font-medium text-primary underline-offset-4 hover:underline"
+            href={`/auth/signup?callbackUrl=${encodeURIComponent(callbackUrl)}`}
+          >
+            Create one
+          </Link>
+        </p>
       </div>
       <form className="space-y-6" onSubmit={handleSubmit(submit)}>
         <div className="space-y-4">

package/templates/webapp/src/app/(auth)/auth/signup/CredentialsSignUpForm.tsx

@@ -0,0 +1,113 @@
+"use client";
+
+import { zodResolver } from "@hookform/resolvers/zod";
+import { Button, Input } from "@percepta/design";
+import Link from "next/link";
+import { useRouter, useSearchParams } from "next/navigation";
+import React, { useCallback } from "react";
+import { Controller, useForm } from "react-hook-form";
+import { toast } from "sonner";
+import z from "zod";
+import { FormItem } from "../../../../components/form/FormItem";
+import { authClient } from "../../../../lib/auth-client";
+
+const CREDENTIALS_SCHEMA = z.object({
+  name: z.string().min(1, "Name is required"),
+  email: z.string().email("Enter a valid email address"),
+  password: z.string().min(8, "Password must be at least 8 characters"),
+});
+
+type Credentials = z.infer<typeof CREDENTIALS_SCHEMA>;
+
+export function CredentialsSignUpForm() {
+  const router = useRouter();
+  const searchParams = useSearchParams();
+
+  const {
+    control,
+    formState: { isSubmitting },
+    handleSubmit,
+  } = useForm<Credentials>({
+    resolver: zodResolver(CREDENTIALS_SCHEMA),
+    defaultValues: {
+      name: "",
+      email: "",
+      password: "",
+    },
+  });
+
+  const callbackUrl = searchParams.get("callbackUrl") ?? "/";
+
+  const submit = useCallback(
+    async ({ name, email, password }: Credentials): Promise<void> => {
+      const { error } = await authClient.signUp.email({
+        name,
+        email,
+        password,
+        callbackURL: callbackUrl,
+      });
+
+      if (error != null) {
+        toast.error(error.message ?? "Unable to create account.");
+        return;
+      }
+
+      router.push(callbackUrl);
+      router.refresh();
+    },
+    [callbackUrl, router],
+  );
+
+  return (
+    <div className="space-y-8">
+      <div className="text-center">
+        <h1 className="text-2xl font-bold text-foreground">Create Account</h1>
+        <p className="mt-2 text-sm text-muted-foreground">
+          Already have an account?{" "}
+          <Link
+            className="font-medium text-primary underline-offset-4 hover:underline"
+            href={`/auth/signin?callbackUrl=${encodeURIComponent(callbackUrl)}`}
+          >
+            Sign in
+          </Link>
+        </p>
+      </div>
+      <form className="space-y-6" onSubmit={handleSubmit(submit)}>
+        <div className="space-y-4">
+          <Controller
+            control={control}
+            name="name"
+            render={({ field, fieldState }) => (
+              <FormItem label="Name" fieldState={fieldState}>
+                <Input {...field} autoComplete="name" />
+              </FormItem>
+            )}
+          />
+          <Controller
+            control={control}
+            name="email"
+            render={({ field, fieldState }) => (
+              <FormItem label="Email" fieldState={fieldState}>
+                <Input {...field} type="email" autoComplete="email" />
+              </FormItem>
+            )}
+          />
+          <Controller
+            control={control}
+            name="password"
+            render={({ field, fieldState }) => (
+              <FormItem label="Password" fieldState={fieldState}>
+                <Input {...field} type="password" autoComplete="new-password" />
+              </FormItem>
+            )}
+          />
+        </div>
+        <div className="flex justify-end">
+          <Button type="submit" loading={isSubmitting}>
+            Create Account
+          </Button>
+        </div>
+      </form>
+    </div>
+  );
+}

package/templates/webapp/src/app/(auth)/auth/signup/page.tsx

@@ -0,0 +1,30 @@
+import type { Metadata } from "next";
+import { headers } from "next/headers";
+import { redirect } from "next/navigation";
+import { Suspense } from "react";
+import { auth } from "../../../../lib/auth";
+import { CredentialsSignUpForm } from "./CredentialsSignUpForm";
+
+export const metadata: Metadata = {
+  title: "Create Account — __APP_TITLE__",
+};
+
+export default async function SignUpPage() {
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (session?.user != null) {
+    redirect("/");
+  }
+
+  return (
+    <Suspense
+      fallback={
+        <p className="text-center text-sm text-muted-foreground">Loading...</p>
+      }
+    >
+      <CredentialsSignUpForm />
+    </Suspense>
+  );
+}

package/templates/webapp/src/app/global-error.tsx

@@ -18,7 +18,7 @@ export default function GlobalError({
 
   return (
     <html lang="en">
-      <body suppressHydrationWarning>
+      <body suppressHydrationWarning={true}>
         <div style={{ padding: "2rem", textAlign: "center" }}>
           <h1>Something went wrong</h1>
           <button onClick={() => reset()}>Try again</button>

package/templates/webapp/src/components/FaroProvider.tsx

@@ -1,7 +1,7 @@
 "use client";
 
+import { Alert, AlertDescription, AlertTitle, Button } from "@percepta/design";
 import { FaroProvider as BaseFaroProvider } from "@percepta/next-utils/faro";
-import { Alert, AlertTitle, AlertDescription, Button } from "@percepta/design";
 import { type ReactNode } from "react";
 
 // Import to trigger Faro initialization at module scope (earliest possible)
@@ -9,9 +9,7 @@ import "../services/observability/initFaro";
 
 export function AppFaroProvider({ children }: { children: ReactNode }) {
   return (
-    <BaseFaroProvider fallback={<ErrorFallback />}>
-      {children}
-    </BaseFaroProvider>
+    <BaseFaroProvider fallback={<ErrorFallback />}>{children}</BaseFaroProvider>
   );
 }
 

package/templates/webapp/src/components/form/FormItem.tsx

@@ -34,7 +34,7 @@ export const FormItem: React.FC<FormItemProps> = ({
     return (
       <p
         id={messageId}
-        className="text-destructive-foreground text-sm"
+        className="text-sm text-destructive-foreground"
         data-slot="form-message"
       >
         {body}
@@ -70,7 +70,7 @@ export const FormItem: React.FC<FormItemProps> = ({
       {description != null && (
         <p
           id={descriptionId}
-          className="text-muted-foreground text-sm"
+          className="text-sm text-muted-foreground"
           data-slot="form-description"
         >
           {description}

package/templates/webapp/src/drizzle/db.ts

@@ -3,6 +3,7 @@ import { Pool } from "pg";
 import { getEnvConfig } from "../config/getEnvConfig";
 import * as schema from "./schema";
 import { getPgSearchPathOption } from "./searchPath";
+import { getPgSslConfig } from "./ssl";
 
 export const { client, db } = createDb();
 
@@ -23,7 +24,7 @@ function createDb(): { client: Pool; db: NodePgDatabase<typeof schema> } {
     user,
     password,
     database,
-    ssl: useSSL,
+    ssl: getPgSslConfig(useSSL),
     options: getPgSearchPathOption(databaseSchema),
   });
 

package/templates/webapp/src/drizzle/migrations/0000_eager_grandmaster.sql

@@ -52,6 +52,6 @@ CREATE TABLE "verification" (
 	"updated_at" timestamp
 );
 --> statement-breakpoint
-ALTER TABLE "account" ADD CONSTRAINT "account_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "session" ADD CONSTRAINT "session_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-CREATE UNIQUE INDEX "lower_email_index" ON "users" USING btree (lower("email"));
+ALTER TABLE "account" ADD CONSTRAINT "account_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "session" ADD CONSTRAINT "session_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+CREATE UNIQUE INDEX "lower_email_index" ON "users" USING btree (lower("email"));

package/templates/webapp/src/drizzle/migrations/meta/0000_snapshot.json

@@ -99,12 +99,8 @@
           "name": "account_user_id_users_id_fk",
           "tableFrom": "account",
           "tableTo": "users",
-          "columnsFrom": [
-            "user_id"
-          ],
-          "columnsTo": [
-            "id"
-          ],
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
           "onDelete": "cascade",
           "onUpdate": "no action"
         }
@@ -180,12 +176,8 @@
           "name": "session_user_id_users_id_fk",
           "tableFrom": "session",
           "tableTo": "users",
-          "columnsFrom": [
-            "user_id"
-          ],
-          "columnsTo": [
-            "id"
-          ],
+          "columnsFrom": ["user_id"],
+          "columnsTo": ["id"],
           "onDelete": "cascade",
           "onUpdate": "no action"
         }
@@ -195,9 +187,7 @@
         "session_token_unique": {
           "name": "session_token_unique",
           "nullsNotDistinct": false,
-          "columns": [
-            "token"
-          ]
+          "columns": ["token"]
         }
       },
       "policies": {},
@@ -303,9 +293,7 @@
         "users_email_unique": {
           "name": "users_email_unique",
           "nullsNotDistinct": false,
-          "columns": [
-            "email"
-          ]
+          "columns": ["email"]
         }
       },
       "policies": {},
@@ -373,4 +361,4 @@
     "schemas": {},
     "tables": {}
   }
-}
+}

package/templates/webapp/src/drizzle/ssl.ts

@@ -0,0 +1,5 @@
+export function getPgSslConfig(
+  useSSL: boolean,
+): false | { rejectUnauthorized: false } {
+  return useSSL ? { rejectUnauthorized: false } : false;
+}

package/templates/webapp/src/lib/auth/index.ts

@@ -1,12 +1,12 @@
 import { betterAuth } from "better-auth";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
 import { admin } from "better-auth/plugins";
+import { getEnvConfig } from "../../config/getEnvConfig";
 import { db } from "../../drizzle/db";
 import { accounts } from "../../drizzle/schema/auth/accounts";
 import { sessions } from "../../drizzle/schema/auth/sessions";
 import { users } from "../../drizzle/schema/auth/users";
 import { verifications } from "../../drizzle/schema/auth/verifications";
-import { getEnvConfig } from "../../config/getEnvConfig";
 import { getLogger } from "../../services/logger/AppLogger";
 
 // eslint-disable-next-line n/no-process-env -- detecting Next.js build phase

package/templates/webapp/src/lib/auth-client.ts

@@ -1,5 +1,5 @@
-import { createAuthClient } from "better-auth/react";
 import { adminClient } from "better-auth/client/plugins";
+import { createAuthClient } from "better-auth/react";
 
 export const authClient = createAuthClient({
   plugins: [adminClient()],

package/templates/webapp/src/services/observability/initFaro.ts

@@ -1,7 +1,7 @@
 "use client";
 
-import { createFaroInstance } from "@percepta/next-utils/faro";
 import { TracingInstrumentation } from "@grafana/faro-web-tracing";
+import { createFaroInstance } from "@percepta/next-utils/faro";
 import { getClientEnvConfig } from "../../config/clientEnvConfig";
 
 const {