@percepta/create 3.4.3 → 3.5.0

package/templates/webapp/agent-skills/access-control.md

@@ -140,7 +140,7 @@ If `access:reconcile` should repair missing system links for a resource type, pr
 
 ## Permissioned Postgres Tables
 
-When a Drizzle table backs a SpiceDB resource, bind the table to the resource manifest once. Keep Zed as the permission source of truth; the table binding only records object identity, relationship columns, and which field groups require which permissions.
+When a Drizzle table backs a SpiceDB resource, bind the table to the resource manifest once. Keep Zed as the permission source of truth; the table binding records object identity, relationship columns, and which field groups require which permissions. It does not automatically write to SpiceDB.
 
 ```ts
 import {
@@ -192,6 +192,29 @@ const checks = createColumnPermissionChecks(employeeAccess, {
 const [canReadSalary] = await getAccessControl().permissions.canMany(checks);
 ```
 
+Use a lifecycle sync wrapper in repositories/services that create, update, or delete rows with SpiceDB-backed relationships. Configure it once with either direct SpiceDB writes for authorization changes that must be visible immediately, or outbox enqueueing for transactional retry.
+
+```ts
+import {
+  createPermissionedResourceLifecycleSync,
+} from "@percepta/access-control/drizzle";
+
+const employeeLifecycle = createPermissionedResourceLifecycleSync({
+  apply: {
+    client: getAccessControl().client,
+    mode: "direct",
+  },
+  binding: employeeAccess,
+  system: accessManifest.system.ref(),
+});
+
+await employeeLifecycle.afterInsert(createdEmployee);
+await employeeLifecycle.afterUpdate(existingEmployee, updatedEmployee);
+await employeeLifecycle.afterDelete(deletedEmployee);
+```
+
+For transactional outbox sync, pass `apply: { mode: "outbox", enqueue }`; the queued event contains either relationship mutations or a resource delete filter. Hard deletes use resource-filter cleanup by default so relationships not represented by local columns are removed too. Pass `{ cleanup: "derived-mutations" }` to `afterDelete()` only when the resource should keep out-of-band relationships.
+
 Do not model ordinary Postgres columns as SpiceDB objects. Model business permissions in Zed, group columns under those permissions in the table binding, then enforce the binding at the API/data boundary.
 
 ## App Code

package/templates/webapp/drizzle.config.ts

@@ -1,7 +1,7 @@
 import { loadEnvConfig } from "@next/env";
+import { getPgSearchPathOption } from "@percepta/database";
 import type { Config } from "drizzle-kit";
 import { getEnvConfig } from "./src/config/getEnvConfig";
-import { getPgSearchPathOption } from "./src/drizzle/searchPath";
 
 loadEnvConfig(process.cwd());
 

package/templates/webapp/package.json.template

@@ -17,11 +17,11 @@
     "access:apply-local": "pnpm --dir ../.. run access:apply-local",
     "auth:db:setup-and-migrate": "pnpm --dir ../.. run auth:db:setup-and-migrate",
     "inngest:dev": "pnpm dlx inngest-cli@latest dev -u http://localhost:3000/api/inngest",
-    "db:generate": "tsx ./scripts/generate-migrations.ts",
-    "db:migrate": "tsx ./scripts/migrate.ts",
-    "db:setup": "tsx ./scripts/setup-database.ts",
+    "db:generate": "percepta-db generate-migrations",
+    "db:migrate": "percepta-db migrate --database __DB_NAME__",
+    "db:setup": "percepta-db setup --database __DB_NAME__",
     "db:setup-and-migrate": "pnpm db:setup && pnpm db:migrate",
-    "db:setup-readonly": "tsx ./scripts/setup-readonly-user.ts",
+    "db:setup-readonly": "percepta-db setup-readonly --database __DB_NAME__",
     "db:studio": "pnpm db:setup-and-migrate && drizzle-kit studio",
     "db:seed": "tsx ./scripts/seed.ts",
     "deploy:percepta-test": "percepta-deploy percepta-test --app __APP_NAME__ --repo __REPO_NAME__",
@@ -34,7 +34,6 @@
   },
   "dependencies": {
     "@aws-sdk/client-s3": "^3.888.0",
-    "@aws-sdk/client-secrets-manager": "^3.914.0",
     "@aws-sdk/client-sts": "^3.913.0",
     "@aws-sdk/credential-providers": "^3.913.0",
     "@aws-sdk/s3-request-presigner": "^3.891.0",
@@ -55,6 +54,7 @@
     "@__REPO_NAME__/auth": "workspace:*",
     "@percepta/access-control": "0.7.0",
     "@percepta/ai": "0.1.0",
+    "@percepta/database": "0.1.0",
     "@percepta/design": "0.3.2",
     "@percepta/inngest": "0.1.0",
     "@percepta/logger": "0.1.0",

package/templates/webapp/src/drizzle/db.ts

@@ -1,8 +1,7 @@
+import { getPgSearchPathOption, getPgSslConfig } from "@percepta/database";
 import { type NodePgDatabase, drizzle } from "drizzle-orm/node-postgres";
 import { Pool } from "pg";
 import { getEnvConfig } from "../config/getEnvConfig";
-import { getPgSearchPathOption } from "./searchPath";
-import { getPgSslConfig } from "./ssl";
 
 export const { client, db } = createDb();
 

package/dist/init-CtCp7Tv2.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"init-CtCp7Tv2.js","names":[],"sources":["../src/commands/init.ts"],"sourcesContent":["import path from \"node:path\";\nimport chalk from \"chalk\";\nimport fs from \"fs-extra\";\nimport inquirer from \"inquirer\";\nimport {\n  writeManifest,\n  manifestExists,\n  derivePlaceholders,\n  type MosaicManifest,\n} from \"../utils/manifest.js\";\nimport { isValidProjectType, VALID_PROJECT_TYPES } from \"../utils/prompts.js\";\nimport { getTemplateVersion } from \"../utils/template-versions.js\";\n\nexport interface InitOptions {\n  type?: string;\n  templateVersion?: string;\n}\n\nexport async function initCommand(options: InitOptions): Promise<void> {\n  const cwd = process.cwd();\n\n  if (await manifestExists(cwd)) {\n    console.error(\n      chalk.red(\".mosaic-template.json already exists in this directory.\"),\n    );\n    process.exit(1);\n  }\n\n  // Auto-detect app name from package.json\n  const pkgPath = path.join(cwd, \"package.json\");\n  let appName = path.basename(cwd);\n  if (await fs.pathExists(pkgPath)) {\n    const pkg = JSON.parse(await fs.readFile(pkgPath, \"utf-8\"));\n    appName = pkg.name?.replace(/^@[^/]+\\//, \"\") || appName;\n  }\n\n  // Determine template type\n  let templateType = options.type;\n  if (templateType && !isValidProjectType(templateType)) {\n    console.error(\n      chalk.red(\n        `Invalid template type \"${templateType}\". Valid types: ${VALID_PROJECT_TYPES.join(\", \")}`,\n      ),\n    );\n    process.exit(1);\n  }\n  if (!templateType) {\n    const answer = await inquirer.prompt([\n      {\n        type: \"list\",\n        name: \"type\",\n        message: \"Template type:\",\n        choices: [\"webapp\", \"library\"],\n      },\n    ]);\n    templateType = answer.type;\n  }\n\n  const templateVersion =\n    options.templateVersion || getTemplateVersion(templateType!);\n\n  // Derive placeholders from app name\n  const appTitle = appName\n    .split(\"-\")\n    .map((w: string) => w.charAt(0).toUpperCase() + w.slice(1))\n    .join(\" \");\n\n  const manifest: MosaicManifest = {\n    templateType: templateType!,\n    templateVersion,\n    templateCommit: \"unknown\",\n    createdAt: new Date().toISOString(),\n    placeholders: derivePlaceholders(appName, appTitle),\n    source: {\n      templatePath: `packages/create-mosaic-module/templates/${templateType}`,\n    },\n  };\n\n  await writeManifest(cwd, manifest);\n\n  // Create mosaic-template-notes.md if it doesn't exist\n  const notesPath = path.join(cwd, \"mosaic-template-notes.md\");\n  if (!(await fs.pathExists(notesPath))) {\n    await fs.writeFile(\n      notesPath,\n      `# Mosaic Divergence Notes\\n\\nDocument intentional differences from the ${templateType} template here.\\nClaude reads this file during sync to preserve your customizations.\\n\\n## Intentional Divergences\\n\\n`,\n    );\n  }\n\n  console.log();\n  console.log(\n    chalk.green(\"\\u2714\"),\n    chalk.bold(\"Initialized .mosaic-template.json\"),\n  );\n  console.log();\n  console.log(chalk.dim(\"  Template:\"), templateType);\n  console.log(chalk.dim(\"  Version:\"), templateVersion);\n  console.log(chalk.dim(\"  App name:\"), appName);\n  console.log();\n  console.log(\n    chalk.dim(\n      \"Review .mosaic-template.json and mosaic-template-notes.md, then commit them.\",\n    ),\n  );\n  console.log();\n}\n"],"mappings":";;;;;;AAkBA,eAAsB,YAAY,SAAqC;CACrE,MAAM,MAAM,QAAQ,KAAK;AAEzB,KAAI,MAAM,eAAe,IAAI,EAAE;AAC7B,UAAQ,MACN,MAAM,IAAI,0DAA0D,CACrE;AACD,UAAQ,KAAK,EAAE;;CAIjB,MAAM,UAAU,KAAK,KAAK,KAAK,eAAe;CAC9C,IAAI,UAAU,KAAK,SAAS,IAAI;AAChC,KAAI,MAAM,GAAG,WAAW,QAAQ,CAE9B,WADY,KAAK,MAAM,MAAM,GAAG,SAAS,SAAS,QAAQ,CAC7C,CAAC,MAAM,QAAQ,aAAa,GAAG,IAAI;CAIlD,IAAI,eAAe,QAAQ;AAC3B,KAAI,gBAAgB,CAAC,mBAAmB,aAAa,EAAE;AACrD,UAAQ,MACN,MAAM,IACJ,0BAA0B,aAAa,kBAAkB,oBAAoB,KAAK,KAAK,GACxF,CACF;AACD,UAAQ,KAAK,EAAE;;AAEjB,KAAI,CAAC,aASH,iBAAe,MARM,SAAS,OAAO,CACnC;EACE,MAAM;EACN,MAAM;EACN,SAAS;EACT,SAAS,CAAC,UAAU,UAAU;EAC/B,CACF,CAAC,EACoB;CAGxB,MAAM,kBACJ,QAAQ,mBAAmB,mBAAmB,aAAc;CAG9D,MAAM,WAAW,QACd,MAAM,IAAI,CACV,KAAK,MAAc,EAAE,OAAO,EAAE,CAAC,aAAa,GAAG,EAAE,MAAM,EAAE,CAAC,CAC1D,KAAK,IAAI;AAaZ,OAAM,cAAc,KAAK;EAVT;EACd;EACA,gBAAgB;EAChB,4BAAW,IAAI,MAAM,EAAC,aAAa;EACnC,cAAc,mBAAmB,SAAS,SAAS;EACnD,QAAQ,EACN,cAAc,2CAA2C,gBAC1D;EAG8B,CAAC;CAGlC,MAAM,YAAY,KAAK,KAAK,KAAK,2BAA2B;AAC5D,KAAI,CAAE,MAAM,GAAG,WAAW,UAAU,CAClC,OAAM,GAAG,UACP,WACA,0EAA0E,aAAa,wHACxF;AAGH,SAAQ,KAAK;AACb,SAAQ,IACN,MAAM,MAAM,IAAS,EACrB,MAAM,KAAK,oCAAoC,CAChD;AACD,SAAQ,KAAK;AACb,SAAQ,IAAI,MAAM,IAAI,cAAc,EAAE,aAAa;AACnD,SAAQ,IAAI,MAAM,IAAI,aAAa,EAAE,gBAAgB;AACrD,SAAQ,IAAI,MAAM,IAAI,cAAc,EAAE,QAAQ;AAC9C,SAAQ,KAAK;AACb,SAAQ,IACN,MAAM,IACJ,+EACD,CACF;AACD,SAAQ,KAAK"}

package/dist/upstream-D-LH_1z4.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"upstream-D-LH_1z4.js","names":[],"sources":["../src/commands/upstream.ts"],"sourcesContent":["import path from \"node:path\";\nimport chalk from \"chalk\";\nimport fs from \"fs-extra\";\nimport { getFileAtTag } from \"../utils/git-ops.js\";\nimport {\n  readManifest,\n  resolveMosaicTemplatePath,\n  type MosaicManifest,\n} from \"../utils/manifest.js\";\n\nexport interface UpstreamOptions {\n  mosaicTemplatePath?: string;\n  files?: string[];\n}\n\nasync function generateUpstreamContext(\n  manifest: MosaicManifest,\n  mosaicTemplatePath: string,\n  tag: string,\n  appDir: string,\n  files: string[],\n): Promise<string> {\n  let content = `# Mosaic Upstream Context\n\n## App Info\n- **App name:** ${manifest.placeholders.__APP_NAME__ || \"unknown\"}\n- **Template:** ${manifest.templateType}\n- **Template version:** ${manifest.templateVersion}\n\n## Placeholder Mappings\n\nWhen generalizing app code back to template, replace these values with placeholder tokens:\n\n| Value | Placeholder |\n|-------|------------|\n${Object.entries(manifest.placeholders)\n  .sort((a, b) => b[1].length - a[1].length) // longest first to avoid partial matches\n  .map(([k, v]) => `| \\`${v}\\` | \\`${k}\\` |`)\n  .join(\"\\n\")}\n\n## Files to Review\n\n`;\n\n  for (const file of files) {\n    const appFilePath = path.resolve(appDir, file);\n    const templateRelPath = `${manifest.source.templatePath}/${file}`;\n\n    const appContent = (await fs.pathExists(appFilePath))\n      ? await fs.readFile(appFilePath, \"utf-8\")\n      : null;\n    const templateContent = getFileAtTag(\n      mosaicTemplatePath,\n      tag,\n      templateRelPath,\n    );\n\n    content += `### ${file}\\n\\n`;\n\n    if (!templateContent && appContent) {\n      content += `**New file** (not in template at ${manifest.templateVersion})\\n\\n`;\n      content += `\\`\\`\\`\\n${appContent}\\n\\`\\`\\`\\n\\n`;\n    } else if (templateContent && !appContent) {\n      content += `**Deleted** (exists in template but not in app)\\n\\n`;\n    } else if (appContent && templateContent) {\n      content += `**App version:**\\n\\`\\`\\`\\n${appContent}\\n\\`\\`\\`\\n\\n`;\n      content += `**Template version (at ${manifest.templateVersion}):**\\n\\`\\`\\`\\n${templateContent}\\n\\`\\`\\`\\n\\n`;\n    } else {\n      content += `**Not found** (file does not exist in app or template)\\n\\n`;\n    }\n  }\n\n  content += `## Instructions\n\n1. Review each file above\n2. Determine which changes are generalizable (useful for all apps) vs app-specific\n3. For generalizable changes: apply them to the template at \\`${manifest.source.templatePath}/\\`\n4. When applying, replace app-specific values with placeholders using the mapping table above (replace longest values first)\n5. After applying, bump the version in \\`packages/create-mosaic-module/template-versions.json\\`\n6. Run \\`pnpm template:tag\\` to create the new version tag\n7. Delete this file (\\`.mosaic-upstream-context.md\\`) when done\n`;\n\n  return content;\n}\n\nexport async function upstreamCommand(options: UpstreamOptions): Promise<void> {\n  const cwd = process.cwd();\n\n  try {\n    const manifest = await readManifest(cwd);\n    const mosaicTemplatePath = resolveMosaicTemplatePath(options);\n\n    if (!options.files || options.files.length === 0) {\n      console.error(\n        chalk.red(\"Specify files with --files <file1> <file2> ...\"),\n      );\n      console.log(\n        chalk.dim(\n          \"  Example: create upstream --files src/config/getEnvConfig.ts\",\n        ),\n      );\n      process.exit(1);\n    }\n\n    const tag = `template/${manifest.templateType}/${manifest.templateVersion}`;\n\n    const context = await generateUpstreamContext(\n      manifest,\n      mosaicTemplatePath,\n      tag,\n      cwd,\n      options.files,\n    );\n    const contextPath = path.join(cwd, \".mosaic-upstream-context.md\");\n    await fs.writeFile(contextPath, context);\n\n    console.log();\n    console.log(chalk.bold(\"Upstream Context Generated\"));\n    console.log();\n    console.log(chalk.dim(\"  Files:\"), options.files.join(\", \"));\n    console.log(chalk.dim(\"  Context file:\"), \".mosaic-upstream-context.md\");\n    console.log();\n    console.log(\"Next steps:\");\n    console.log(chalk.dim(\"  1.\"), \"Open Claude Code in the mosaic repo\");\n    console.log(\n      chalk.dim(\"  2.\"),\n      `Tell Claude: \"Read ${path.resolve(cwd, \".mosaic-upstream-context.md\")} and apply generalizable changes to the template\"`,\n    );\n    console.log(chalk.dim(\"  3.\"), \"Review Claude's changes to the template\");\n    console.log();\n  } catch (error) {\n    console.error(chalk.red((error as Error).message));\n    process.exit(1);\n  }\n}\n"],"mappings":";;;;;;AAeA,eAAe,wBACb,UACA,oBACA,KACA,QACA,OACiB;CACjB,IAAI,UAAU;;;kBAGE,SAAS,aAAa,gBAAgB,UAAU;kBAChD,SAAS,aAAa;0BACd,SAAS,gBAAgB;;;;;;;;EAQjD,OAAO,QAAQ,SAAS,aAAa,CACpC,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,EAAE,GAAG,OAAO,CACzC,KAAK,CAAC,GAAG,OAAO,OAAO,EAAE,SAAS,EAAE,MAAM,CAC1C,KAAK,KAAK,CAAC;;;;;AAMZ,MAAK,MAAM,QAAQ,OAAO;EACxB,MAAM,cAAc,KAAK,QAAQ,QAAQ,KAAK;EAC9C,MAAM,kBAAkB,GAAG,SAAS,OAAO,aAAa,GAAG;EAE3D,MAAM,aAAc,MAAM,GAAG,WAAW,YAAY,GAChD,MAAM,GAAG,SAAS,aAAa,QAAQ,GACvC;EACJ,MAAM,kBAAkB,aACtB,oBACA,KACA,gBACD;AAED,aAAW,OAAO,KAAK;AAEvB,MAAI,CAAC,mBAAmB,YAAY;AAClC,cAAW,oCAAoC,SAAS,gBAAgB;AACxE,cAAW,WAAW,WAAW;aACxB,mBAAmB,CAAC,WAC7B,YAAW;WACF,cAAc,iBAAiB;AACxC,cAAW,6BAA6B,WAAW;AACnD,cAAW,0BAA0B,SAAS,gBAAgB,gBAAgB,gBAAgB;QAE9F,YAAW;;AAIf,YAAW;;;;gEAImD,SAAS,OAAO,aAAa;;;;;;AAO3F,QAAO;;AAGT,eAAsB,gBAAgB,SAAyC;CAC7E,MAAM,MAAM,QAAQ,KAAK;AAEzB,KAAI;EACF,MAAM,WAAW,MAAM,aAAa,IAAI;EACxC,MAAM,qBAAqB,0BAA0B,QAAQ;AAE7D,MAAI,CAAC,QAAQ,SAAS,QAAQ,MAAM,WAAW,GAAG;AAChD,WAAQ,MACN,MAAM,IAAI,iDAAiD,CAC5D;AACD,WAAQ,IACN,MAAM,IACJ,gEACD,CACF;AACD,WAAQ,KAAK,EAAE;;EAKjB,MAAM,UAAU,MAAM,wBACpB,UACA,oBACA,YALsB,SAAS,aAAa,GAAG,SAAS,mBAMxD,KACA,QAAQ,MACT;EACD,MAAM,cAAc,KAAK,KAAK,KAAK,8BAA8B;AACjE,QAAM,GAAG,UAAU,aAAa,QAAQ;AAExC,UAAQ,KAAK;AACb,UAAQ,IAAI,MAAM,KAAK,6BAA6B,CAAC;AACrD,UAAQ,KAAK;AACb,UAAQ,IAAI,MAAM,IAAI,WAAW,EAAE,QAAQ,MAAM,KAAK,KAAK,CAAC;AAC5D,UAAQ,IAAI,MAAM,IAAI,kBAAkB,EAAE,8BAA8B;AACxE,UAAQ,KAAK;AACb,UAAQ,IAAI,cAAc;AAC1B,UAAQ,IAAI,MAAM,IAAI,OAAO,EAAE,sCAAsC;AACrE,UAAQ,IACN,MAAM,IAAI,OAAO,EACjB,sBAAsB,KAAK,QAAQ,KAAK,8BAA8B,CAAC,mDACxE;AACD,UAAQ,IAAI,MAAM,IAAI,OAAO,EAAE,0CAA0C;AACzE,UAAQ,KAAK;UACN,OAAO;AACd,UAAQ,MAAM,MAAM,IAAK,MAAgB,QAAQ,CAAC;AAClD,UAAQ,KAAK,EAAE"}

package/templates/webapp/scripts/generate-migrations.ts

@@ -1,28 +0,0 @@
-#!/usr/bin/env tsx
-
-import { execFileSync } from "node:child_process";
-import { readFileSync, readdirSync, writeFileSync } from "node:fs";
-import path from "node:path";
-import { normalizeSchemaRelativeReferences } from "../src/drizzle/migrationSql";
-
-const migrationsDir = path.resolve("src", "drizzle", "migrations");
-
-function main(): void {
-  execFileSync("drizzle-kit", ["generate"], {
-    cwd: process.cwd(),
-    stdio: "inherit",
-  });
-
-  for (const fileName of readdirSync(migrationsDir)) {
-    if (!fileName.endsWith(".sql")) continue;
-
-    const filePath = path.join(migrationsDir, fileName);
-    const original = readFileSync(filePath, "utf8");
-    const normalized = normalizeSchemaRelativeReferences(original);
-    if (normalized !== original) {
-      writeFileSync(filePath, normalized);
-    }
-  }
-}
-
-main();

package/templates/webapp/scripts/migrate.ts

@@ -1,21 +0,0 @@
-import { loadEnvConfig } from "@next/env";
-import { drizzle } from "drizzle-orm/node-postgres";
-import { migrate } from "drizzle-orm/node-postgres/migrator";
-
-async function main(): Promise<void> {
-  loadEnvConfig(process.cwd());
-
-  // Dynamically load because we need to load the environment variables before importing modules that depend on them.
-  const { getEnvConfig } = await import("../src/config/getEnvConfig");
-  const { client } = await import("../src/drizzle/db");
-  const { DATABASE_SCHEMA: databaseSchema } = getEnvConfig();
-
-  await migrate(drizzle(client), {
-    migrationsFolder: "./src/drizzle/migrations",
-    ...(databaseSchema ? { migrationsSchema: databaseSchema } : {}),
-  });
-
-  await client.end();
-}
-
-void main();

package/templates/webapp/scripts/setup-database.ts

@@ -1,78 +0,0 @@
-import { loadEnvConfig } from "@next/env";
-import { Pool } from "pg";
-import { getEnvConfig } from "../src/config/getEnvConfig";
-import { getPgSslConfig } from "../src/drizzle/ssl";
-
-const SHARED_DATABASES = new Set(["demos", "internal_apps"]);
-
-async function main(): Promise<void> {
-  loadEnvConfig(process.cwd());
-
-  const {
-    DATABASE_HOST: host,
-    DATABASE_PORT: port,
-    DATABASE_USERNAME: user,
-    DATABASE_PASSWORD: password,
-    DATABASE_NAME: database,
-    DATABASE_SCHEMA: databaseSchema,
-    DATABASE_USE_SSL: useSSL,
-  } = getEnvConfig();
-
-  console.log(`🔧 Setting up database: ${database}`);
-  console.log(`📍 Host: ${host}:${port}`);
-  console.log(`👤 User: ${user}`);
-
-  if (SHARED_DATABASES.has(database)) {
-    console.log(
-      `✅ ${database} is a shared database; skipping CREATE DATABASE. ` +
-        "The database is managed by infra.",
-    );
-    if (databaseSchema) {
-      console.log(`📦 Using schema: ${databaseSchema}`);
-    }
-    return;
-  }
-
-  // First, connect to the default 'postgres' database to create our target database
-  const adminClient = new Pool({
-    host,
-    port,
-    user,
-    password,
-    database: "postgres", // Connect to default postgres database
-    ssl: getPgSslConfig(useSSL),
-  });
-
-  try {
-    // Check if the target database exists
-    const result = await adminClient.query(
-      "SELECT 1 FROM pg_database WHERE datname = $1",
-      [database],
-    );
-
-    if (result.rows.length === 0) {
-      console.log(`📦 Creating database: ${database}`);
-      // Create the database (note: database names cannot be parameterized)
-      await adminClient.query(
-        `CREATE DATABASE ${escapePgIdentifier(database)}`,
-      );
-      console.log(`✅ Database ${database} created successfully`);
-    } else {
-      console.log(`✅ Database ${database} already exists`);
-    }
-  } catch (error) {
-    console.error("❌ Error creating database:", error);
-    throw error;
-  } finally {
-    await adminClient.end();
-  }
-}
-
-function escapePgIdentifier(identifier: string): string {
-  return `"${identifier.replaceAll('"', '""')}"`;
-}
-
-void main().catch((error) => {
-  console.error("💥 Database setup failed:", error);
-  process.exit(1);
-});

package/templates/webapp/scripts/setup-readonly-user.ts

@@ -1,193 +0,0 @@
-#!/usr/bin/env tsx
-
-import {
-  GetSecretValueCommand,
-  SecretsManagerClient,
-} from "@aws-sdk/client-secrets-manager";
-import { loadEnvConfig } from "@next/env";
-import { Pool } from "pg";
-import { getEnvConfig } from "../src/config/getEnvConfig";
-
-interface ReadonlyCredentials {
-  username: string;
-  password: string;
-  host: string;
-  port: number;
-  database: string;
-  engine: string;
-}
-
-async function getReadonlyCredentials(): Promise<ReadonlyCredentials> {
-  const client = new SecretsManagerClient({});
-
-  // Get the secret name from environment
-  // Example format: rds-{app}-readonly-{name}-{environment}-*
-  const { READONLY_SECRET_NAME: secretName } = getEnvConfig();
-  if (secretName == null) {
-    throw new Error("READONLY_SECRET_NAME environment variable not set");
-  }
-
-  const command = new GetSecretValueCommand({ SecretId: secretName });
-  const response = await client.send(command);
-
-  if (!response.SecretString) {
-    throw new Error("Secret value is empty");
-  }
-
-  return JSON.parse(response.SecretString) as ReadonlyCredentials;
-}
-
-async function setupReadonlyUser(): Promise<number> {
-  console.log("🔐 Fetching readonly user credentials from Secrets Manager...");
-
-  let credentials: ReadonlyCredentials;
-  try {
-    credentials = await getReadonlyCredentials();
-    console.log(`✅ Retrieved credentials for user: ${credentials.username}`);
-  } catch (error) {
-    console.error(
-      "❌ Failed to retrieve credentials from Secrets Manager:",
-      error,
-    );
-    return 1;
-  }
-
-  // Connect as master user
-  const {
-    DATABASE_HOST: host,
-    DATABASE_PORT: port,
-    DATABASE_USERNAME: user,
-    DATABASE_PASSWORD: password,
-    DATABASE_NAME: database,
-    DATABASE_USE_SSL: useSSL,
-  } = getEnvConfig();
-  const masterPool = new Pool({
-    host,
-    port,
-    user,
-    password,
-    database,
-    ssl: useSSL ? { rejectUnauthorized: false } : false,
-  });
-
-  let client;
-  try {
-    client = await masterPool.connect();
-    console.log("✅ Connected to database as master user");
-
-    // Check if readonly user already exists
-    const userExistsResult = await client.query(
-      "SELECT 1 FROM pg_roles WHERE rolname = $1",
-      [credentials.username],
-    );
-
-    let userCreated = false;
-    if (userExistsResult.rows.length === 0) {
-      // Create the readonly user
-      console.log(`📝 Creating user: ${credentials.username}`);
-      await client.query(
-        `
-        CREATE USER ${credentials.username} WITH LOGIN PASSWORD $1
-      `,
-        [credentials.password],
-      );
-      userCreated = true;
-      console.log(`✅ User ${credentials.username} created`);
-    } else {
-      // Update password to ensure it matches Secrets Manager
-      console.log(
-        `📝 Updating password for existing user: ${credentials.username}`,
-      );
-      await client.query(
-        `
-        ALTER USER ${credentials.username} WITH PASSWORD $1
-      `,
-        [credentials.password],
-      );
-      console.log(`✅ Password updated for ${credentials.username}`);
-    }
-
-    // Grant CONNECT privilege on database
-    await client.query(`
-      GRANT CONNECT ON DATABASE ${database} TO ${credentials.username}
-    `);
-    console.log("✅ Granted CONNECT on database");
-
-    // Get all schemas (excluding system schemas)
-    const schemasResult = await client.query<{ schema_name: string }>(`
-      SELECT schema_name 
-      FROM information_schema.schemata 
-      WHERE schema_name NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
-    `);
-
-    for (const row of schemasResult.rows) {
-      const schemaName = row.schema_name;
-      console.log(`📝 Configuring access for schema: ${schemaName}`);
-
-      // Grant USAGE on schema
-      await client.query(`
-        GRANT USAGE ON SCHEMA ${schemaName} TO ${credentials.username}
-      `);
-
-      // Grant SELECT on all existing tables in schema
-      await client.query(`
-        GRANT SELECT ON ALL TABLES IN SCHEMA ${schemaName} TO ${credentials.username}
-      `);
-
-      // Set default privileges for future tables in schema
-      // Grant on tables created by the master user
-      await client.query(`
-        ALTER DEFAULT PRIVILEGES IN SCHEMA ${schemaName}
-        GRANT SELECT ON TABLES TO ${credentials.username}
-      `);
-
-      console.log(`✅ Configured access for schema: ${schemaName}`);
-    }
-
-    // Test the readonly user connection
-    console.log("🧪 Testing readonly user connection...");
-    const readonlyPool = new Pool({
-      host,
-      port,
-      user: credentials.username,
-      password: credentials.password,
-      database,
-      ssl: useSSL ? { rejectUnauthorized: false } : false,
-    });
-
-    try {
-      const readonlyClient = await readonlyPool.connect();
-      await readonlyClient.query("SELECT 1");
-      readonlyClient.release();
-      console.log("✅ Readonly user connection test successful");
-    } catch (error) {
-      console.error("⚠️  Readonly user connection test failed:", error);
-      return 1;
-    } finally {
-      await readonlyPool.end();
-    }
-
-    console.log("✅ Readonly user setup completed successfully");
-
-    // Return exit code 2 if user already existed (idempotent case)
-    // Return exit code 0 if user was created
-    return userCreated ? 0 : 2;
-  } catch (error) {
-    console.error("❌ Error setting up readonly user:", error);
-    return 1;
-  } finally {
-    if (client) {
-      client.release();
-    }
-    await masterPool.end();
-  }
-}
-
-async function main(): Promise<void> {
-  loadEnvConfig(process.cwd());
-
-  const exitCode = await setupReadonlyUser();
-  process.exit(exitCode);
-}
-
-void main();

package/templates/webapp/src/drizzle/__tests__/migrationSql.test.ts

@@ -1,24 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { normalizeSchemaRelativeReferences } from "../migrationSql";
-
-describe("normalizeSchemaRelativeReferences", () => {
-  it("keeps generated foreign keys schema-relative for DATABASE_SCHEMA deploys", () => {
-    expect(
-      normalizeSchemaRelativeReferences(
-        'ALTER TABLE "child" ADD CONSTRAINT "child_parent_fk" FOREIGN KEY ("parent_id") REFERENCES "public"."parent"("id") ON DELETE cascade;',
-      ),
-    ).toBe(
-      'ALTER TABLE "child" ADD CONSTRAINT "child_parent_fk" FOREIGN KEY ("parent_id") REFERENCES "parent"("id") ON DELETE cascade;',
-    );
-  });
-
-  it("leaves already schema-relative references unchanged", () => {
-    expect(
-      normalizeSchemaRelativeReferences(
-        'ALTER TABLE "child" ADD CONSTRAINT "child_parent_fk" FOREIGN KEY ("parent_id") REFERENCES "parent"("id");',
-      ),
-    ).toBe(
-      'ALTER TABLE "child" ADD CONSTRAINT "child_parent_fk" FOREIGN KEY ("parent_id") REFERENCES "parent"("id");',
-    );
-  });
-});

package/templates/webapp/src/drizzle/migrationSql.ts

@@ -1,8 +0,0 @@
-const PUBLIC_SCHEMA_REFERENCE_PATTERN = /REFERENCES\s+"public"\."([^"]+)"/g;
-
-export function normalizeSchemaRelativeReferences(sql: string): string {
-  return sql.replace(
-    PUBLIC_SCHEMA_REFERENCE_PATTERN,
-    (_match, tableName: string) => `REFERENCES "${tableName}"`,
-  );
-}

package/templates/webapp/src/drizzle/searchPath.test.ts

@@ -1,21 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { getPgSearchPathOption } from "./searchPath";
-
-describe("getPgSearchPathOption", () => {
-  it("includes public so extension functions remain resolvable", () => {
-    expect(getPgSearchPathOption("my_app")).toBe(
-      "-c search_path=my_app,public",
-    );
-  });
-
-  it("returns undefined for blank schema names", () => {
-    expect(getPgSearchPathOption(undefined)).toBeUndefined();
-    expect(getPgSearchPathOption("   ")).toBeUndefined();
-  });
-
-  it("rejects unsafe unquoted identifiers", () => {
-    expect(() => getPgSearchPathOption("my-app")).toThrow(
-      "DATABASE_SCHEMA must be a valid unquoted Postgres identifier",
-    );
-  });
-});

package/templates/webapp/src/drizzle/searchPath.ts

@@ -1,16 +0,0 @@
-const POSTGRES_IDENTIFIER_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/;
-
-export function getPgSearchPathOption(
-  schemaName: string | undefined,
-): string | undefined {
-  const searchPath = schemaName?.trim();
-  if (!searchPath) return undefined;
-
-  if (!POSTGRES_IDENTIFIER_PATTERN.test(searchPath)) {
-    throw new Error(
-      `DATABASE_SCHEMA must be a valid unquoted Postgres identifier. Received: ${searchPath}`,
-    );
-  }
-
-  return `-c search_path=${searchPath},public`;
-}

package/templates/webapp/src/drizzle/ssl.ts

@@ -1,5 +0,0 @@
-export function getPgSslConfig(
-  useSSL: boolean,
-): false | { rejectUnauthorized: false } {
-  return useSSL ? { rejectUnauthorized: false } : false;
-}