@percepta/create 3.6.2 → 3.6.3

package/templates/webapp/agent-skills/database.md

@@ -38,11 +38,9 @@ export * from "./documents";
 pnpm db:generate
 ```
 
-This creates a new SQL migration file and normalizes generated foreign key
-references so they stay schema-relative when `DATABASE_SCHEMA` is set in
-`percepta-test`. **Review the generated SQL** — Drizzle generates it
-automatically but you should verify it's correct, especially for new foreign
-keys and destructive changes.
+This creates a new SQL migration file and normalizes generated SQL. **Review
+the generated SQL** — Drizzle generates it automatically but you should verify
+it's correct, especially for new foreign keys and destructive changes.
 
 ### 4. Apply the migration
 
@@ -95,21 +93,25 @@ If `createTransaction` is called while already inside a transaction, it reuses t
 
 ## Running PostgreSQL Locally
 
-### Start with Docker Compose
+### Start with root setup
 
 ```bash
-pnpm docker:up
+pnpm run setup
 ```
 
-This starts PostgreSQL 16 on port **5434** (not the default 5432, to avoid conflicts).
+This delegates to the monorepo root. Root setup starts PostgreSQL 16 on port
+**5434** and SpiceDB on **50051**, creates the shared auth database plus each
+app database discovered from `packages/*/.env.local`, then runs migrations and
+seeds.
 
-### Create the database and run migrations
+### Run migrations
 
 ```bash
-pnpm db:setup-and-migrate
+pnpm db:migrate
 ```
 
-This creates the database if it doesn't exist and applies all pending migrations.
+This applies all pending migrations. Database creation is owned by the local
+infrastructure setup, not by the app migration command.
 
 ### Inspect the database
 
@@ -119,27 +121,25 @@ pnpm db:studio
 
 Opens Drizzle Studio in the browser — a visual database explorer.
 
-### Stop PostgreSQL
+### Stop local services
 
 ```bash
-pnpm docker:down
+pnpm --dir ../.. run docker:down
 ```
 
 ## Environment Variables
 
 | Variable | Default | Description |
 |----------|---------|-------------|
-| `DATABASE_HOST` | `localhost` | PostgreSQL host |
-| `DATABASE_PORT` | `5434` | PostgreSQL port |
-| `DATABASE_USERNAME` | `postgres` | Database user |
-| `DATABASE_PASSWORD` | `postgres` | Database password |
-| `DATABASE_NAME` | `__DB_NAME__` | Database name |
-| `DATABASE_SCHEMA` | - | Optional Postgres schema/search path |
-| `DATABASE_USE_SSL` | `false` | Enable SSL connections |
+| `DATABASE_URL` | `postgresql://postgres:postgres@localhost:5434/__DB_NAME__` | App PostgreSQL connection URL |
+
+Shared auth data belongs to the customer monorepo auth package. Deployed apps
+should receive `AUTH_DATABASE_URL` from the monorepo auth Secret; do not reuse
+`DATABASE_URL` for auth.
 
 ## Key Concepts
 
 - **Schemas are TypeScript, migrations are SQL.** You define tables in TS, then `pnpm db:generate` creates the SQL diff. Never hand-write migration SQL.
 - **DatabaseService is a singleton.** Call `DatabaseService.create()` anywhere — it always returns the same instance with the same connection pool.
 - **Transaction propagation is automatic.** Code inside `createTransaction` gets a transaction; code outside gets the raw connection. `getDatabase()` returns whichever is active.
-- **Port 5434.** The local Docker Compose uses port 5434 to avoid conflicting with any system PostgreSQL on 5432.
+- **Root-owned local infra.** The monorepo root Docker Compose uses port 5434 to avoid conflicting with any system PostgreSQL on 5432.

package/templates/webapp/agent-skills/langfuse.md

@@ -60,11 +60,11 @@ This is a singleton — `create()` returns the same instance every time. It grac
 
 ## Getting Langfuse Keys
 
-### Percepta's Internal Instance
+### Shared Instances
 
-Percepta runs a shared Langfuse instance. For `percepta-test` deploys, the generated Ryvn installation uses the shared demo project by inheriting `LANGFUSE_PUBLIC_KEY` and sensitive `LANGFUSE_SECRET_KEY` from the `demos-commons` variable group.
-
-For non-demo environments, verify the target Ryvn environment has a Langfuse installation or shared Langfuse project, then store the project keys in an environment-scoped variable group or installation secrets.
+If the target stack provides a shared Langfuse instance, store
+`LANGFUSE_PUBLIC_KEY` and sensitive `LANGFUSE_SECRET_KEY` through that
+platform's environment-scoped variable or secret mechanism.
 
 ### Self-Hosted / Langfuse Cloud
 
@@ -74,17 +74,17 @@ For external projects, you can:
 
 ## Running Locally
 
-### Option 1: Use Percepta's Langfuse (recommended)
+### Option 1: Use a Shared Langfuse Instance
 
 Set the keys in `.env.local` if you want local traces to go to the shared instance:
 
 ```bash
-LANGFUSE_BASE_URL=https://langfuse.percepta-test.aitco.dev
+LANGFUSE_BASE_URL=https://langfuse.example.com
 LANGFUSE_PUBLIC_KEY=pk-lf-...
 LANGFUSE_SECRET_KEY=sk-lf-...
 ```
 
-Traces from local dev appear in the shared dashboard under your project.
+Traces from local dev appear in the configured shared dashboard under your project.
 
 ### Option 2: Run Langfuse locally
 

package/templates/webapp/agent-skills/llm.md

@@ -40,7 +40,9 @@ The shared `@percepta/ai` provider helper chooses a provider at call time:
 
 ## Deployment
 
-For `percepta-test`, `deploy:percepta-test` attaches the `demos-commons` Ryvn variable group. That group provides the shared `ANTHROPIC_API_KEY` and Langfuse project keys, so generated demo apps do not need per-app LLM secrets.
+Provider keys and Langfuse credentials should come from the target deployment
+platform. Do not commit shared provider keys or generated environment-specific
+secret files to the app repo.
 
 ## Local Development
 
@@ -54,6 +56,6 @@ ANTHROPIC_API_KEY=sk-ant-...
 
 ## Observability
 
-`LLMService` enables AI SDK telemetry by default and attaches provider/model metadata to each call. When `LANGFUSE_*` values are configured, the template's OpenTelemetry bootstrap sends LLM spans to Langfuse. In `percepta-test`, those values are inherited from the environment.
+`LLMService` enables AI SDK telemetry by default and attaches provider/model metadata to each call. When `LANGFUSE_*` values are configured, the template's OpenTelemetry bootstrap sends LLM spans to Langfuse.
 
 Use a stable `telemetryFunctionId` for every meaningful LLM operation, such as `extract-invoice-fields` or `draft-member-message`.

package/templates/webapp/agent-skills/oneshot.md

@@ -142,8 +142,7 @@ Once all chunks are implemented, verify the app runs end-to-end locally.
 ### Step 1: Start dependencies
 
 ```bash
-pnpm docker:up
-pnpm db:setup-and-migrate
+pnpm run setup
 ```
 
 If the app uses Inngest functions, start the local Inngest dev server in a separate terminal:
@@ -192,19 +191,21 @@ git init
 git add -A
 git commit -m "Initial implementation of <app-name>"
 
-# Create the repo under the Percepta-Core org
-gh repo create Percepta-Core/<app-name> --internal --source=. --push
+# Create and push the repo in the target GitHub org
+gh repo create <org>/<app-name> --internal --source=. --push
 ```
 
 If `gh` is not authenticated, tell the user to run `gh auth login` and then continue.
 
 ---
 
-## Phase 6: Deploy to Ryvn (When Requested)
+## Phase 6: Deploy (When Requested)
 
 Only do this when the user explicitly asks to deploy.
 
-Follow the step-by-step guide in [agent-skills/deploy.md](deploy.md). It contains the service definition, installation YAML, environment variables, and secrets needed for percepta-test.
+Deployment is stack-specific. Confirm the target environment and use the
+customer infra repo or deployment guide for that stack. Blueberry does not
+generate environment-specific installation YAML.
 
 For Ryvn CLI operations (checking status, logs, troubleshooting), use the `/use-ryvn` skill.
 

package/templates/webapp/agent-skills/ryvn.md

@@ -1,25 +1,21 @@
-# Ryvn — Deployment Platform
+# Ryvn
 
-Ryvn is the deployment platform used by Percepta to manage cloud infrastructure. It provisions environments, deploys services, and handles CI/CD — abstracting away Kubernetes, Terraform, and cloud provider details.
+Ryvn can be used to register and release this app as a service. Blueberry does
+not generate a target environment installation because those details are
+customer and stack specific.
 
-## Percepta Environments
+## Generated Files
 
-| Environment | Purpose | Domain pattern |
-|-------------|---------|---------------|
-| `percepta-test` | Internal dev/test | `<app>.percepta-test.aitco.dev` |
+- `deploy/ryvn/__APP_NAME__.service.yaml` declares the app service and Docker build context.
+- `.github/workflows/__APP_NAME__-ryvn-release.yaml` builds the image and creates a Ryvn release.
 
-New apps are deployed to **percepta-test** using the existing-environment deploy motion. This environment must already have shared PostgreSQL, Inngest, OTEL collector, LGTM stack, and Langfuse installations before app deploys run. The service installation points at the shared Langfuse URL and attaches the `demos-commons` variable group for shared demo Langfuse project keys.
+## Environment Installations
 
-## Deploying This App
-
-For the full step-by-step deployment guide to percepta-test, see [deploy.md](deploy.md).
+Environment installations belong in the infra repo. A customer blueprint should
+compose the required base infrastructure, monorepo infrastructure, app database
+registration, runtime services, ingress, secrets, and the app service
+installation for the target stack.
 
 ## Ryvn CLI
 
 For all Ryvn CLI operations (checking status, viewing logs, troubleshooting, managing installations), use the **`/use-ryvn`** skill. It has comprehensive CLI reference docs and handles authentication, deployment, configuration, and operations.
-
-```bash
-# Quick status check
-ryvn get installation __APP_NAME__ -e percepta-test
-ryvn logs __APP_NAME__ -e percepta-test
-```

package/templates/webapp/deploy/README.md

@@ -1,66 +1,25 @@
 # Deploy
 
-This directory holds Ryvn infrastructure-as-code for deploying __APP_TITLE__ to Percepta environments.
+This directory contains environment-neutral deployment metadata for __APP_TITLE__.
+It intentionally does not include customer or environment installation files.
 
 ```
 deploy/
 └── ryvn/
-    ├── __APP_NAME__.service.yaml
-    ├── __APP_NAME__-terraform.service.yaml
-    └── environments/
-        └── percepta-test/
-            └── installations/
-                ├── __APP_NAME__.env.percepta-test.serviceinstallation.yaml
-                └── __APP_NAME__-terraform.env.percepta-test.serviceinstallation.yaml
+    └── __APP_NAME__.service.yaml
 ```
 
-These files deploy to `https://__APP_NAME__.percepta-test.aitco.dev`.
-
-The default deploy helper performs the existing-environment deploy motion: it assumes the target Ryvn environment already has the shared platform services installed, then wires this app into them. For `percepta-test`, that means shared Postgres, Inngest, the OTEL collector, the LGTM stack, and Langfuse must already exist before app deploy starts. Fresh-environment platform bootstrap is a separate motion and should be handled by a Ryvn blueprint or environment-specific platform rollout.
-
-The `pnpm deploy:percepta-test` script delegates to the versioned `@percepta/deploy` CLI. The app owns only the Ryvn service/installation YAML and secrets env file. The helper talks directly to Ryvn: it preflights the existing platform services, creates/updates the services, runs the GitHub Actions release workflows, creates the schema installation, approves the schema Terraform plan, creates or updates app-scoped Ryvn secrets, creates the web installation, waits for health, and verifies the health and app routes.
-
-## Deploying
-
-Tell Claude "deploy this app to percepta-test" or run:
-
-```bash
-pnpm deploy:percepta-test -- --yes
-```
-
-The helper expects a clean, committed git worktree because GitHub Actions builds from the pushed repo. It can create `Percepta-Core/__REPO_NAME__` if it does not exist yet, and it pushes the current branch to `main` before triggering releases.
+The generated app owns its buildable service identity. The infra repo owns
+customer blueprints, environment installations, app database registration,
+runtime dependencies, ingress, secrets, and rollout policy.
 
 ## What's in these files
 
 **`__APP_NAME__.service.yaml`** — Ryvn server service for the web app. It points at `Percepta-Core/__REPO_NAME__` and builds from `packages/__APP_NAME__/`.
 
-**`__APP_NAME__-terraform.service.yaml`** — Ryvn Terraform service that owns the per-app Postgres schema in the shared `demos` database.
-
-**`__APP_NAME__.env.percepta-test.serviceinstallation.yaml`** — web app installation for `percepta-test`. It wires the shared platform services, ingress, health probes, database connection, Inngest, OTEL/LGTM telemetry, the Langfuse base URL, and the shared demo variable group.
-
-**`__APP_NAME__-terraform.env.percepta-test.serviceinstallation.yaml`** — schema installation for `percepta-test`.
-
-**`percepta-test.secrets.env`** — generated locally and ignored by git. The deploy helper injects app-specific auth/encryption secrets into the Ryvn installation create manifest so the first pod starts with auth configured; shared Langfuse and LLM demo keys are inherited from a Ryvn variable group.
-
-## Platform Wiring
-
-`pnpm deploy:percepta-test` checks these existing `percepta-test` installations before it mutates GitHub or Ryvn app resources:
-
-- `percepta-internal-terraform` for the shared Postgres instance.
-- `inngest-test` for background jobs and function callbacks.
-- `otel-collector` for trace, metric, and log collection.
-- `lgtm-stack-helm` for Loki, Grafana, Tempo, and Mimir.
-- `langfuse` for LLM tracing and eval observability.
-- `demos-commons` variable group for shared demo configuration, including the Anthropic API key and Langfuse demo project keys.
-
-The service installation sets `LANGFUSE_BASE_URL` to the shared `percepta-test` Langfuse URL, sets `LLM_PROVIDER=anthropic`, and attaches `demos-commons` for `ANTHROPIC_API_KEY`, `LANGFUSE_PUBLIC_KEY`, and sensitive `LANGFUSE_SECRET_KEY`. Individual demo apps do not need LLM or Langfuse keys in `percepta-test.secrets.env`.
-
 ## Notes
 
-The release workflows live at the repo root under `.github/workflows/`. The web workflow uses the org-level `NPM_TOKEN` secret for private `@percepta/*` packages; do not add a repo-level token unless the org secret is unavailable.
-
-For the old GitOps PR path, use `pnpm deploy:percepta-test:pr -- --phase service --yes` and then `pnpm deploy:percepta-test:pr -- --phase installation --yes`.
-
-## Adding More Environments
-
-Copy the two `percepta-test` installation manifests to `environments/<env>/installations/`, then change the `environment:`, host, and environment-specific config.
+The release workflow lives at the repo root under `.github/workflows/` after
+scaffolding. It creates a Ryvn service release from the current app image.
+Installing that release into any environment is a customer/stack-specific
+infra concern and should be modeled in the infra repo.

package/templates/webapp/drizzle.config.ts

@@ -1,5 +1,4 @@
 import * as nextEnvModule from "@next/env";
-import { getPgSearchPathOption } from "@percepta/database";
 import type { Config } from "drizzle-kit";
 import { getEnvConfig } from "./src/config/getEnvConfig";
 
@@ -9,34 +8,14 @@ const nextEnv =
 
 nextEnv.loadEnvConfig(process.cwd());
 
-const {
-  DATABASE_HOST: host,
-  DATABASE_PORT: port,
-  DATABASE_USERNAME: user,
-  DATABASE_PASSWORD: password,
-  DATABASE_NAME: database,
-  DATABASE_SCHEMA: databaseSchema,
-  DATABASE_USE_SSL: useSSL,
-} = getEnvConfig();
-
-const schemaFilter = databaseSchema?.trim() || undefined;
-const searchPathOption = getPgSearchPathOption(schemaFilter);
-const connectionParams = new URLSearchParams();
-if (useSSL) connectionParams.set("sslmode", "require");
-if (searchPathOption) connectionParams.set("options", searchPathOption);
-
-const connectionString =
-  `postgresql://${encodeURIComponent(user)}:${encodeURIComponent(password)}` +
-  `@${host}:${port}/${encodeURIComponent(database)}` +
-  (connectionParams.size > 0 ? `?${connectionParams.toString()}` : "");
+const { DATABASE_URL: databaseUrl } = getEnvConfig();
 
 const config: Config = {
   schema: "./src/drizzle/schema",
   out: "./src/drizzle/migrations",
   dialect: "postgresql",
-  ...(schemaFilter ? { schemaFilter: [schemaFilter] } : {}),
   dbCredentials: {
-    url: connectionString,
+    url: databaseUrl,
   },
 };
 

package/templates/webapp/env.example.template

@@ -2,21 +2,16 @@
 NODE_ENV=development
 APP_BASE_URL=http://localhost:3000
 
-# Database
-DATABASE_HOST=localhost
-DATABASE_PORT=5434
-DATABASE_USERNAME=postgres
-DATABASE_PASSWORD=postgres
-DATABASE_NAME=__DB_NAME__
-# DATABASE_SCHEMA=
-DATABASE_USE_SSL=false
+# App Database
+DATABASE_URL=postgresql://postgres:postgres@localhost:5434/__DB_NAME__
 
 # Authentication (Better Auth)
 BETTER_AUTH_SECRET=generate-with-openssl-rand-base64-32
 BETTER_AUTH_URL=http://localhost:3000
-# Optional override for the shared customer auth database. Defaults to the
-# customer monorepo database generated in ../../auth.
-# AUTH_DATABASE_NAME=
+
+# Shared Auth Database
+# Deployed apps should set this from the customer monorepo auth database Secret.
+# Local development can leave it empty and use the shared auth package defaults.
 # AUTH_DATABASE_URL=
 
 # Security
@@ -46,9 +41,8 @@ NEXT_PUBLIC_FARO_APP_ENVIRONMENT=development
 # LANGFUSE_SECRET_KEY=
 
 # LLM providers
-# Deployed percepta-test apps inherit ANTHROPIC_API_KEY from the demos-commons
-# Ryvn variable group. For local LLM testing, set ANTHROPIC_API_KEY once in your
-# shell profile or ~/.config/percepta/create.env.
+# For local LLM testing, set ANTHROPIC_API_KEY once in your shell profile or
+# ~/.config/percepta/create.env.
 # ANTHROPIC_API_KEY=
 # OPENAI_API_KEY=
 # LLM_PROVIDER=anthropic

package/templates/webapp/package.json.template

@@ -11,21 +11,15 @@
     "start": "next start",
     "lint": "eslint .",
     "setup": "pnpm --dir ../.. run setup",
-    "docker:up": "docker compose up -d --wait",
-    "docker:down": "docker compose down",
     "access:validate": "percepta-access-control validate",
     "access:apply-local": "pnpm --dir ../.. run access:apply-local",
-    "auth:db:setup-and-migrate": "pnpm --dir ../.. run auth:db:setup-and-migrate",
+    "auth:db:migrate": "pnpm --dir ../.. run auth:db:migrate",
     "inngest:dev": "pnpm dlx inngest-cli@latest dev -u http://localhost:3000/api/inngest",
     "db:generate": "percepta-db generate-migrations",
-    "db:migrate": "percepta-db migrate --database __DB_NAME__",
-    "db:setup": "percepta-db setup --database __DB_NAME__",
-    "db:setup-and-migrate": "pnpm db:setup && pnpm db:migrate",
-    "db:setup-readonly": "percepta-db setup-readonly --database __DB_NAME__",
-    "db:studio": "pnpm db:setup-and-migrate && drizzle-kit studio",
+    "db:migrate": "percepta-db migrate",
+    "db:setup-readonly": "percepta-db setup-readonly",
+    "db:studio": "pnpm db:migrate && drizzle-kit studio",
     "db:seed": "tsx ./scripts/seed.ts",
-    "deploy:percepta-test": "percepta-deploy percepta-test --app __APP_NAME__ --repo __REPO_NAME__",
-    "deploy:percepta-test:pr": "percepta-deploy percepta-test pr --app __APP_NAME__ --database-schema __APP_NAME_SNAKE__",
     "test": "vitest run",
     "test:e2e": "pnpm run setup && playwright test",
     "test:e2e:install": "playwright install chromium",
@@ -54,7 +48,7 @@
     "@__REPO_NAME__/auth": "workspace:*",
     "@percepta/access-control": "0.8.0",
     "@percepta/ai": "0.1.0",
-    "@percepta/database": "0.1.1",
+    "@percepta/database": "0.1.2",
     "@percepta/design": "0.4.0",
     "@percepta/inngest": "0.1.0",
     "@percepta/logger": "0.1.0",
@@ -102,7 +96,6 @@
     "@next/eslint-plugin-next": "^15.3.5",
     "@playwright/test": "^1.58.2",
     "@percepta/build": "0.4.0",
-    "@percepta/deploy": "0.1.0",
     "@tailwindcss/postcss": "^4.1.11",
     "@types/formidable": "^3.4.5",
     "@types/he": "^1.2.3",

package/templates/webapp/scripts/start.sh

@@ -1,24 +1,20 @@
-# Check if database connection variables are set
-if [ -z "$DATABASE_HOST" ] || [ -z "$DATABASE_USERNAME" ] || [ -z "$DATABASE_NAME" ]; then
-    echo "⚠️  Database connection not configured. Skipping migration."
-    echo "Required environment variables: DATABASE_HOST, DATABASE_USERNAME, DATABASE_NAME"
-    echo "❌ Error: Missing required database environment variables."
+# Check if app database connection variables are set
+if [ -z "$DATABASE_URL" ]; then
+    echo "⚠️  App database connection not configured. Skipping migration."
+    echo "Required environment variable: DATABASE_URL"
+    echo "❌ Error: Missing required app database environment variables."
     exit 1
 else
-    echo "Database configuration found:"
-    echo "  HOST: $DATABASE_HOST"
-    echo "  USER: $DATABASE_USERNAME"
-    echo "  DATABASE: $DATABASE_NAME"
-    echo "  SSL: ${DATABASE_USE_SSL:-false}"
+    echo "App database configuration found."
 fi
 
-# Run database migrations only if database is configured
-echo "Running database migrations..."
-if pnpm db:setup-and-migrate; then
-    echo "✅ Database migrations completed successfully"
+# Run app database migrations only if database is configured
+echo "Running app database migrations..."
+if pnpm db:migrate; then
+    echo "✅ App database migrations completed successfully"
 else
-    echo "❌ Database migration failed. App will not start."
-    echo "Check your database configuration and connectivity."
+    echo "❌ App database migration failed. App will not start."
+    echo "Check your app database configuration and connectivity."
     exit 1
 fi
 

package/templates/webapp/src/config/getEnvConfig.ts

@@ -10,17 +10,10 @@ export const { getEnvConfig, schema: ENV_CONFIG_SCHEMA } = createEnvConfig(
     // Application:
     APP_BASE_URL: z.string().optional(),
 
-    // Database:
-    DATABASE_HOST: z.string().default("localhost"),
-    DATABASE_PORT: z.coerce.number().int().default(5434),
-    DATABASE_USERNAME: z.string().default("postgres"),
-    DATABASE_PASSWORD: z.string().default("postgres"),
-    DATABASE_NAME: z.string().default("__DB_NAME__"),
-    DATABASE_SCHEMA: z.string().optional(),
-    DATABASE_USE_SSL: z
+    // App database:
+    DATABASE_URL: z
       .string()
-      .transform((value: string): boolean => value === "true")
-      .default(false),
+      .default("postgresql://postgres:postgres@localhost:5434/__DB_NAME__"),
 
     // AWS:
     AWS_REGION: z.string().default("us-east-1"),
@@ -28,6 +21,7 @@ export const { getEnvConfig, schema: ENV_CONFIG_SCHEMA } = createEnvConfig(
     // Authentication (Better Auth):
     BETTER_AUTH_SECRET: z.string().optional(),
     BETTER_AUTH_URL: z.string().default("http://localhost:3000"),
+    AUTH_DATABASE_URL: z.string().optional(),
 
     // Inngest:
     INNGEST_BASE_URL: z.string().optional(),

package/templates/webapp/src/drizzle/db.ts

@@ -1,30 +1,15 @@
-import { getPgSearchPathOption, getPgSslConfig } from "@percepta/database";
+import { createPgPool, readDatabaseConfig } from "@percepta/database";
 import { type NodePgDatabase, drizzle } from "drizzle-orm/node-postgres";
-import { Pool } from "pg";
+import type { Pool } from "pg";
 import { getEnvConfig } from "../config/getEnvConfig";
 
 export const { client, db } = createDb();
 
 function createDb(): { client: Pool; db: NodePgDatabase } {
-  const {
-    DATABASE_HOST: host,
-    DATABASE_PORT: port,
-    DATABASE_USERNAME: user,
-    DATABASE_PASSWORD: password,
-    DATABASE_NAME: database,
-    DATABASE_SCHEMA: databaseSchema,
-    DATABASE_USE_SSL: useSSL,
-  } = getEnvConfig();
-
-  const pool = new Pool({
-    host,
-    port,
-    user,
-    password,
-    database,
-    ssl: getPgSslConfig(useSSL),
-    options: getPgSearchPathOption(databaseSchema),
-  });
+  const { DATABASE_URL: databaseUrl } = getEnvConfig();
+  const pool = createPgPool(
+    readDatabaseConfig({ env: { DATABASE_URL: databaseUrl } }),
+  );
 
   return { client: pool, db: drizzle(pool) };
 }

package/templates/webapp/src/startup-checks.ts

@@ -1,9 +1,14 @@
+import { client as authClient } from "@__REPO_NAME__/auth/db";
 import { getEnvConfig } from "./config/getEnvConfig";
 import { client } from "./drizzle/db";
 import { getLogger } from "./services/logger/AppLogger";
 
 export async function checkStartup(): Promise<boolean> {
-  return validateEnvironment() && (await validateDatabaseConnection());
+  return (
+    validateEnvironment() &&
+    (await validateDatabaseConnection()) &&
+    (await validateAuthDatabaseConnection())
+  );
 }
 
 function validateEnvironment(): boolean {
@@ -18,15 +23,31 @@ function validateEnvironment(): boolean {
 
 async function validateDatabaseConnection(): Promise<boolean> {
   try {
-    const dbCheckPromise = client.query("SELECT 1");
-
-    const timeoutPromise = new Promise((_, reject) =>
-      setTimeout(() => reject(new Error("Database check timeout")), 5000),
-    );
-    await Promise.race([dbCheckPromise, timeoutPromise]);
+    await checkDatabaseClient(client, "Database check timeout");
   } catch {
     getLogger().warn(undefined, "Database connection failed");
     return false;
   }
   return true;
 }
+
+async function validateAuthDatabaseConnection(): Promise<boolean> {
+  try {
+    await checkDatabaseClient(authClient, "Auth database check timeout");
+  } catch {
+    getLogger().warn(undefined, "Auth database connection failed");
+    return false;
+  }
+  return true;
+}
+
+async function checkDatabaseClient(
+  databaseClient: Pick<typeof client, "query">,
+  timeoutMessage: string,
+): Promise<void> {
+  const dbCheckPromise = databaseClient.query("SELECT 1");
+  const timeoutPromise = new Promise((_, reject) =>
+    setTimeout(() => reject(new Error(timeoutMessage)), 5000),
+  );
+  await Promise.race([dbCheckPromise, timeoutPromise]);
+}

package/templates/monorepo/auth/scripts/setup-database.ts

@@ -1,11 +0,0 @@
-import { setupAuthDatabase } from "@percepta/auth";
-import { getAuthDatabaseConfig } from "../src/config/database";
-
-async function main(): Promise<void> {
-  await setupAuthDatabase({ config: getAuthDatabaseConfig() });
-}
-
-void main().catch((error) => {
-  console.error("Shared auth database setup failed:", error);
-  process.exit(1);
-});