create-svc 0.1.10 → 0.1.11

package/src/scaffold.test.ts

@@ -10,6 +10,7 @@ function baseConfig(overrides: Partial<ScaffoldConfig> = {}): ScaffoldConfig {
     directory: "svc",
     serviceName: "dns-api",
     modulePath: "example.com/dns-api",
+    target: "cloudrun",
     runtime: "bun",
     framework: "hono",
     region: "us-west1",
@@ -19,6 +20,11 @@ function baseConfig(overrides: Partial<ScaffoldConfig> = {}): ScaffoldConfig {
     billingAccount: "billingAccounts/01BD2E-3A6949-8F4C84",
     quotaProjectId: "anmho-infra-prod",
     profile: "microservice",
+    git: {
+      enabled: false,
+      owner: "anmho",
+      repository: "dns-api",
+    },
     neonDatabaseName: "dns_api",
     apiHostname: "api.dns-api.anmho.com",
     generatorRoot: join(import.meta.dir, ".."),
@@ -49,6 +55,14 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     );
 
     const configScript = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "config.ts")).text();
+    const serviceConfig = await Bun.file(join(generatedRoot, "service.config.ts")).text();
+    expect(serviceConfig).toContain('service_id: "dns-api"');
+    expect(serviceConfig).toContain('target: "cloudrun"');
+    expect(serviceConfig).toContain('module: "buf.build/anmho/dns-api"');
+    expect(serviceConfig).toContain('issuer: "https://auth.anmho.com/api/auth"');
+    expect(serviceConfig).toContain('audience: "api://dns-api"');
+    expect(serviceConfig).toContain('vault_path_prefix: "prod/apps/dns-api/server/oauth-clients"');
+    expect(serviceConfig).toContain('api_key_secret_name: "dns-api-temporal-api-key"');
     expect(configScript).toContain('profile: "microservice"');
     expect(configScript).toContain('domain: "waitlist"');
     expect(configScript).toContain('kind: "microservice"');
@@ -56,30 +70,57 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(configScript).toContain(`framework: "${variant.framework}"`);
     expect(configScript).toContain('mode: "create_new"');
     expect(configScript).toContain('quotaProjectId: "anmho-infra-prod"');
+    expect(configScript).toContain('issuer: "https://auth.anmho.com/api/auth"');
+    expect(configScript).toContain('audience: "api://dns-api"');
+    expect(configScript).toContain('jwksUrl: "https://auth.anmho.com/api/auth/jwks"');
+    expect(configScript).toContain('apiKeySecretName: "dns-api-temporal-api-key"');
     expect(configScript).toContain('projectId: ""');
     expect(configScript).toContain('baseBranchId: ""');
     expect(configScript).toContain('baseBranchName: "main"');
     expect(configScript).toContain('previewBranchPrefix: "dns-api-pr"');
     expect(configScript).toContain('hostname: "api.dns-api.anmho.com"');
-    expect(configScript).toContain('attachmentBucket: "anmho-dns-api-dns-api-attachments"');
-    expect(configScript).toContain('attachmentPublicBaseUrl: "https://storage.googleapis.com/anmho-dns-api-dns-api-attachments"');
     expect(configScript).not.toContain("github:");
+    expect(configScript).not.toContain("attachmentBucket");
 
     const deployScript = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "lib.ts")).text();
     expect(deployScript).toContain('--billing-project", config.project.quotaProjectId');
+    expect(deployScript).toContain('config.project.mode === "use_existing"');
     expect(deployScript).toContain("serviceDomain");
     expect(deployScript).toContain("ensureProductionDomainMapping");
-    expect(deployScript).toContain("ensureStorageBucket");
+    expect(deployScript).toContain('"domain-mappings",');
+    expect(deployScript).toContain('"--region",');
+    expect(deployScript).toContain("assertProductionDomainAvailable");
+    expect(deployScript).toContain("assertServiceNameAvailable");
+    expect(deployScript).not.toContain("ensureStorageBucket");
 
-    const bootstrapScript = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "bootstrap.ts")).text();
-    expect(bootstrapScript).toContain("publishProviderRuntimeSecrets");
+    expect(await Bun.file(join(generatedRoot, "scripts", "cloudrun", "integrations.ts")).exists()).toBeFalse();
+    const destroyScript = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "cleanup.ts")).text();
+    expect(destroyScript).toContain("assertOwnedResource");
+    expect(destroyScript).toContain("assertProductionDomainMappingOwned");
+    expect(destroyScript).toContain("deleteGrafanaResources");
+    expect(destroyScript).toContain('gcx", ["resources", "delete"');
+    expect(destroyScript).toContain("config.temporal.apiKeySecretName");
+    const neonScript = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "neon.ts")).text();
+    expect(neonScript).toContain("assertDatabaseOwned");
+    expect(neonScript).toContain("assertDisposableBranchName");
+    const seedScript = await Bun.file(join(generatedRoot, "scripts", "seed.ts")).text();
+    expect(seedScript).toContain("SEED_PROD=true");
+    expect(seedScript).toContain("waitlist_entries");
 
     const manifest = await Bun.file(join(generatedRoot, "service.yaml")).text();
-    expect(manifest).toContain("CLERK_SECRET_KEY");
-    expect(manifest).toContain("STRIPE_SECRET_KEY");
-    expect(manifest).toContain("REVENUECAT_API_KEY");
-    expect(manifest).toContain("RESEND_API_KEY");
-    expect(manifest).toContain("POSTHOG_API_KEY");
+    expect(manifest).toContain("DATABASE_URL");
+    expect(manifest).toContain("TEMPORAL_ENABLED");
+    expect(manifest).toContain("TEMPORAL_TASK_QUEUE");
+    expect(manifest).toContain("TEMPORAL_API_KEY_ENV");
+    expect(manifest).toContain("AUTH_ENABLED");
+    expect(manifest).toContain("${AUTH_AUDIENCE}");
+    expect(manifest).toContain("managed_by: create-service");
+    expect(manifest).toContain("service_id: ${SERVICE_ID}");
+    expect(manifest).not.toContain("CLERK_SECRET_KEY");
+    expect(manifest).not.toContain("STRIPE_SECRET_KEY");
+    expect(manifest).not.toContain("REVENUECAT_API_KEY");
+    expect(manifest).not.toContain("RESEND_API_KEY");
+    expect(manifest).not.toContain("POSTHOG_API_KEY");
 
     const gitignore = await Bun.file(join(generatedRoot, ".gitignore")).text();
     expect(gitignore).toContain("node_modules");
@@ -90,59 +131,138 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(dockerCompose).toContain(`127.0.0.1:${localPort}:5432`);
 
     const envExample = await Bun.file(join(generatedRoot, ".env.example")).text();
-    expect(envExample).toContain(`DATABASE_URL=postgres://postgres:postgres@127.0.0.1:${localPort}/dns_api`);
-    expect(envExample).toContain("ATTACHMENT_BUCKET=dns-api-local-attachments");
-    expect(envExample).toContain("CLERK_SECRET_KEY=");
-    expect(envExample).toContain("STRIPE_SECRET_KEY=");
-    expect(envExample).toContain("REVENUECAT_API_KEY=");
-    expect(envExample).toContain("RESEND_API_KEY=");
-    expect(envExample).toContain("POSTHOG_API_KEY=");
+    expect(envExample).toContain(`DATABASE_URL=postgres://postgres:postgres@127.0.0.1:${localPort}/dns_api?sslmode=disable`);
+    expect(envExample).toContain("AUTH_ENABLED=false");
+    expect(envExample).toContain("AUTH_AUDIENCE=api://dns-api");
+    expect(envExample).toContain("CLOUDFLARE_ACCESS_SERVICE_TOKEN_CLIENT_ID=");
+    expect(envExample).toContain("TEMPORAL_API_KEY=");
+    expect(envExample).toContain("The base waitlist service does not require");
+    expect(envExample).not.toContain("ATTACHMENT_BUCKET=");
+    expect(envExample).not.toContain("CLERK_SECRET_KEY=");
+    expect(envExample).not.toContain("STRIPE_SECRET_KEY=");
+    expect(envExample).not.toContain("REVENUECAT_API_KEY=");
+    expect(envExample).not.toContain("RESEND_API_KEY=");
+    expect(envExample).not.toContain("POSTHOG_API_KEY=");
 
     const localEnv = await Bun.file(join(generatedRoot, ".env.local")).text();
-    expect(localEnv).toContain(`DATABASE_URL=postgres://postgres:postgres@127.0.0.1:${localPort}/dns_api`);
-    expect(localEnv).toContain("ATTACHMENT_PUBLIC_BASE_URL=https://storage.local.invalid/dns-api-local-attachments");
+    expect(localEnv).toContain(`DATABASE_URL=postgres://postgres:postgres@127.0.0.1:${localPort}/dns_api?sslmode=disable`);
+    expect(localEnv).not.toContain("ATTACHMENT_PUBLIC_BASE_URL=");
 
-    expect(await Bun.file(join(generatedRoot, ".github", "workflows", "personal.yml")).exists()).toBeFalse();
+    const ciWorkflow = await Bun.file(join(generatedRoot, ".github", "workflows", "ci.yml")).text();
+    expect(ciWorkflow).toContain("bun run dashboards");
+    expect(ciWorkflow).toContain("GCX_ENABLED");
+    expect(await Bun.file(join(generatedRoot, "grafana", "waitlist-dashboard.json")).exists()).toBeTrue();
+    expect(await Bun.file(join(generatedRoot, "grafana", "alerts.yaml")).exists()).toBeTrue();
 
     if (variant.runtime === "go") {
       const goMod = await Bun.file(join(generatedRoot, "go.mod")).text();
-      expect(goMod).toContain("connectrpc.com/connect");
       expect(goMod).toContain("module example.com/dns-api");
       expect(goMod).not.toContain("module github.com/anmho/dns-api");
 
       const mainGo = await Bun.file(join(generatedRoot, "cmd", "server", "main.go")).text();
-      expect(mainGo).toContain("NewChatService");
       expect(mainGo).toContain("example.com/dns-api");
+      if (variant.framework === "connectrpc") {
+        expect(goMod).toContain("connectrpc.com/connect");
+        expect(mainGo).toContain("NewWaitlistService");
+        expect(mainGo).toContain("WaitlistServiceName");
+      } else {
+        expect(goMod).not.toContain("connectrpc.com/connect");
+        expect(mainGo).toContain("NewWaitlistService");
+        const routes = await Bun.file(join(generatedRoot, "internal", "httpapi", "routes.go")).text();
+        expect(routes).toContain("/v1/waitlist");
+        expect(routes).toContain("/v1/admin/waitlist");
+        expect(routes).toContain("/v1/triggers/waitlist");
+        expect(await Bun.file(join(generatedRoot, "buf.yaml")).exists()).toBeFalse();
+      }
+      expect(mainGo).toContain("internal/auth");
+      expect(mainGo).toContain("cfg.AuthAudience");
+      expect(mainGo).toContain("cfg.TemporalAPIKey");
+      expect(await Bun.file(join(generatedRoot, "internal", "auth", "middleware.go")).exists()).toBeTrue();
+      const makefile = await Bun.file(join(generatedRoot, "Makefile")).text();
+      expect(makefile).toContain("$(ATLAS) migrate apply --env local");
+      expect(makefile).toContain("$(ATLAS) migrate lint --env local --latest 1");
+      expect(makefile).toContain("bun run ./scripts/ensure-local-db.ts");
+      expect(makefile).toContain("bun run ./scripts/wait-for-db.ts");
+      expect(makefile).toContain("bun run ./scripts/dev.ts go run ./cmd/server");
+      expect(await Bun.file(join(generatedRoot, "atlas.hcl")).exists()).toBeTrue();
+      expect(await Bun.file(join(generatedRoot, "migrations", "atlas.sum")).exists()).toBeTrue();
+      expect(await Bun.file(join(generatedRoot, "cmd", "migrate", "main.go")).exists()).toBeFalse();
+      expect(await Bun.file(join(generatedRoot, "internal", "temporal", "worker.go")).exists()).toBeTrue();
+      expect(goMod).toContain("go.temporal.io/sdk");
     } else {
       const packageJson = await Bun.file(join(generatedRoot, "package.json")).text();
-      expect(packageJson).toContain('"svc-cloudrun": "./scripts/cloudrun/cli.ts"');
-      expect(packageJson).toContain('"dev": "bun run ./src/index.ts"');
+      expect(packageJson).toContain('"@anmho/authctl": "0.1.1"');
+      expect(packageJson).toContain("@temporalio/worker");
+      expect(packageJson).toContain('"service": "./scripts/cloudrun/cli.ts"');
+      expect(packageJson).toContain('"dev": "bun run ./scripts/dev.ts bun run ./src/index.ts"');
       expect(packageJson).toContain('"gen": "bun run ./scripts/codegen.ts"');
-      expect(packageJson).toContain('"bootstrap": "bun run ./scripts/cloudrun/cli.ts bootstrap"');
+      expect(packageJson).toContain('"create": "bun run ./scripts/cloudrun/cli.ts create"');
       expect(packageJson).toContain('"deploy": "bun run ./scripts/cloudrun/cli.ts deploy"');
-      expect(packageJson).toContain('"cleanup": "bun run ./scripts/cloudrun/cli.ts cleanup"');
+      expect(packageJson).toContain('"dashboards": "bun run ./scripts/cloudrun/cli.ts dashboards"');
+      expect(packageJson).toContain('"auth": "bun run ./scripts/cloudrun/cli.ts auth"');
+      expect(packageJson).toContain('"destroy": "bun run ./scripts/cloudrun/cli.ts destroy"');
+      const serviceCli = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "cli.ts")).text();
+      expect(serviceCli).toContain("service <create|deploy|migrate|seed|dashboards|dns|doctor|destroy|auth|sdk>");
+      expect(serviceCli).toContain("assertServiceNameAvailable(config.serviceName)");
+      expect(serviceCli).toContain("ensureAuthResourceServer");
+      expect(serviceCli).toContain('["resources", "push", "--path", "./grafana"]');
+      const cloudrunLib = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "lib.ts")).text();
+      expect(cloudrunLib).toContain("resolveTemporalRuntimeConfig");
+      expect(cloudrunLib).toContain("TEMPORAL_API_KEY_ENV");
+      expect(cloudrunLib).toContain("value === undefined");
+
+      const authctlScript = await Bun.file(join(generatedRoot, "scripts", "authctl.ts")).text();
+      expect(authctlScript).toContain("authctl");
+      expect(authctlScript).toContain("resource-servers");
+      expect(authctlScript).toContain("clients");
+      expect(authctlScript).toContain("defaultClientTargetArgs");
+      expect(authctlScript).toContain('existsSync("./node_modules/.bin/authctl") ? "./node_modules/.bin/authctl" : Bun.which("authctl")');
+      expect(authctlScript).not.toContain('defaultAuthResourceServerArgs(), "--yes", "--json"');
+      const authScript = await Bun.file(join(generatedRoot, "src", "auth.ts")).text();
+      expect(authScript).toContain('"Ed25519"');
 
       const makefile = await Bun.file(join(generatedRoot, "Makefile")).text();
-      expect(makefile).toContain("npx --no-install svc-cloudrun");
+      expect(makefile).toContain("npx --no-install service");
+      expect(makefile).toContain("dashboards:");
+      expect(makefile).toContain("auth:");
+      expect(makefile).toContain("bun run dev");
+      const devScript = await Bun.file(join(generatedRoot, "scripts", "dev.ts")).text();
+      expect(devScript).toContain("ensureLocalPostgres");
+      const localDocker = await Bun.file(join(generatedRoot, "scripts", "local-docker.ts")).text();
+      expect(localDocker).toContain('["docker", "info"]');
+      expect(localDocker).toContain('["open", "-a", "Docker"]');
+      expect(localDocker).toContain('["docker", "compose", "up", "-d"]');
 
       const entrypoint = await Bun.file(join(generatedRoot, "src", "index.ts")).text();
+      expect(await Bun.file(join(generatedRoot, "src", "auth.ts")).exists()).toBeTrue();
+      expect(entrypoint).toContain(variant.framework === "hono" ? 'app.use("/v1/*", authMiddleware())' : "withServiceAuth");
+      expect(await Bun.file(join(generatedRoot, "src", "temporal", "worker.ts")).exists()).toBeTrue();
       const readme = await Bun.file(join(generatedRoot, "README.md")).text();
       if (variant.framework === "connectrpc") {
-        expect(entrypoint).toContain("ChatService");
-        expect(gitignore).toContain("gen/");
+        expect(entrypoint).toContain("WaitlistService");
+        expect(gitignore).not.toContain("gen/");
         expect(readme).toContain("Local introspection");
       } else {
-        expect(entrypoint).toContain("/v1/conversations");
+        expect(entrypoint).toContain("/v1/waitlist");
+        expect(entrypoint).toContain("/v1/admin/waitlist");
+        expect(entrypoint).toContain("/v1/triggers/waitlist");
         expect(gitignore).not.toContain("gen/");
         expect(readme).not.toContain("Local introspection");
       }
       expect(entrypoint).toContain(variant.framework === "hono" ? "Hono" : "connectNodeAdapter");
-      expect(readme).toContain("ATTACHMENT_BUCKET");
       expect(readme).toContain("/webhooks/:provider");
       expect(readme).toContain("microservice profile");
       expect(readme).toContain("waitlist/launch service");
+      expect(readme).toContain("resource=api://<resource_server_id>");
       expect(readme).toContain("Terraform is optional");
+      expect(readme).toContain("AUTH_ENABLED=true");
+      expect(readme).toContain("verifies JWT bearer tokens");
+      expect(readme).toContain("prod/apps/auth/authctl/cloudflare-access");
+      expect(readme).toContain(variant.runtime === "bun" ? "bun run auth -- resource-server" : 'make auth ARGS="resource-server"');
     }
+
+    const deployWorkflow = await Bun.file(join(generatedRoot, ".github", "workflows", "deploy.yml")).text();
+    expect(deployWorkflow).toContain("bun run dashboards");
   }
 }, 30000);
 
@@ -161,30 +281,101 @@ test("scaffolds a backend package cleanly into a nested monorepo-style directory
   const readme = await Bun.file(join(generatedRoot, "README.md")).text();
   expect(readme).toContain("`microservice` profile");
   expect(readme).toContain("api.dns-api.anmho.com");
-  expect(readme).toContain("docker compose up -d");
+  expect(readme).toContain("open Docker Desktop if needed");
   expect(readme).toContain("local Postgres service in `docker-compose.yml`");
   expect(readme).toContain("gcloud auth login");
   expect(readme).toContain("known-good CLIs");
-  expect(readme).toContain("bun run bootstrap");
+  expect(readme).toContain("bun run create");
   expect(readme).toContain("bun run deploy");
-  expect(readme).toContain("ATTACHMENT_BUCKET");
-  expect(readme).toContain("one-command production bootstrap");
+  expect(readme).toContain("one-command production create");
   expect(readme).toContain("waitlist/launch service");
   expect(readme).toContain("Terraform is optional");
-  expect(readme).toContain("webhook_events");
+  expect(readme).toContain("waitlist/launch service");
   expect(readme).not.toContain("Neon main, preview, and personal branch provisioning");
-  expect(readme).not.toContain("GitHub Actions");
+  const ciWorkflow = await Bun.file(join(generatedRoot, ".github", "workflows", "ci.yml")).text();
+  expect(ciWorkflow).toContain("bun run dashboards");
   expect(readme).not.toContain("repository");
 
   const packageJson = await Bun.file(join(generatedRoot, "package.json")).text();
   expect(packageJson).toContain('"hono"');
 
   const entrypoint = await Bun.file(join(generatedRoot, "src", "index.ts")).text();
-  expect(entrypoint).toContain("/v1/attachments/uploads");
-
-  expect(await Bun.file(join(generatedRoot, ".github", "workflows", "ci.yml")).exists()).toBeFalse();
+  expect(entrypoint).toContain("/v1/waitlist");
+  expect(entrypoint).toContain("/v1/admin/waitlist");
 }, 15000);
 
+test("scaffolds the workers target with wrangler lifecycle commands", async () => {
+  const root = await mkdtemp(join(tmpdir(), "create-svc-workers-"));
+  const generatedRoot = join(root, "edge-api");
+
+  await scaffoldProject(
+    baseConfig({
+      directory: generatedRoot,
+      target: "workers",
+      runtime: "bun",
+      framework: "hono",
+    })
+  );
+
+  const packageJson = await Bun.file(join(generatedRoot, "package.json")).text();
+  expect(packageJson).toContain('"@anmho/authctl": "0.1.1"');
+  expect(packageJson).toContain('"service": "./scripts/workers/cli.ts"');
+  expect(packageJson).toContain('"dev": "wrangler dev"');
+  expect(packageJson).toContain('"auth": "bun run ./scripts/workers/cli.ts auth"');
+  expect(packageJson).toContain('"wrangler"');
+  expect(packageJson).toContain('"pg"');
+
+  const wranglerConfig = await Bun.file(join(generatedRoot, "wrangler.toml")).text();
+  expect(wranglerConfig).toContain('name = "dns-api"');
+  expect(wranglerConfig).toContain('compatibility_flags = ["nodejs_compat"]');
+  expect(wranglerConfig).toContain('pattern = "api.dns-api.anmho.com/*"');
+  expect(wranglerConfig).toContain('binding = "HYPERDRIVE"');
+  expect(wranglerConfig).toContain('AUTH_ENABLED = "true"');
+  expect(wranglerConfig).toContain('AUTH_AUDIENCE = "api://dns-api"');
+
+  const entrypoint = await Bun.file(join(generatedRoot, "src", "index.ts")).text();
+  expect(entrypoint).toContain("/v1/waitlist");
+  expect(entrypoint).toContain("/v1/admin/waitlist");
+  expect(entrypoint).toContain('app.use("/v1/*", authMiddleware())');
+  expect(entrypoint).toContain("createStorage(context.env)");
+  expect(entrypoint).toContain("scheduled");
+  const readme = await Bun.file(join(generatedRoot, "README.md")).text();
+  expect(readme).toContain("Cloudflare Workers");
+  expect(readme).toContain("Hyperdrive binding for Neon-backed Postgres persistence");
+  expect(readme).not.toContain("Cloud Run");
+  const workerCli = await Bun.file(join(generatedRoot, "scripts", "workers", "cli.ts")).text();
+  expect(workerCli).toContain("hyperdrive");
+  expect(workerCli).toContain('["resources", "push", "--path", "./grafana"]');
+  expect(workerCli).toContain("ensureAuthResourceServer");
+  expect(workerCli).toContain("Workers database schema applied");
+  expect(workerCli).toContain("create table if not exists waitlist_entries");
+  expect(workerCli).toContain("DATABASE_URL or NEON_API_KEY is required to provision the Hyperdrive binding");
+  expect(workerCli).toContain("createProjectBranchDatabase");
+  expect(workerCli).toContain("deleteNeonDatabase");
+  expect(workerCli).toContain("deleteGrafanaResources");
+  expect(workerCli).toContain("hyperdrive\", \"delete");
+  const makefile = await Bun.file(join(generatedRoot, "Makefile")).text();
+  expect(makefile).toContain('no generated code for workers');
+  expect(makefile).toContain("auth:");
+  expect(makefile).not.toContain("scripts/codegen.ts");
+
+  expect(await Bun.file(join(generatedRoot, "scripts", "authctl.ts")).exists()).toBeTrue();
+  expect(await Bun.file(join(generatedRoot, "src", "auth.ts")).exists()).toBeTrue();
+  expect(await Bun.file(join(generatedRoot, "src", "storage.ts")).exists()).toBeTrue();
+  expect(await Bun.file(join(generatedRoot, "scripts", "workers", "cli.ts")).exists()).toBeTrue();
+  expect(await Bun.file(join(generatedRoot, "scripts", "cloudrun", "cli.ts")).exists()).toBeFalse();
+  expect(await Bun.file(join(generatedRoot, "scripts", "dev.ts")).exists()).toBeFalse();
+  expect(await Bun.file(join(generatedRoot, "scripts", "ensure-local-db.ts")).exists()).toBeFalse();
+  expect(await Bun.file(join(generatedRoot, "scripts", "local-docker.ts")).exists()).toBeFalse();
+  expect(await Bun.file(join(generatedRoot, "scripts", "wait-for-db.ts")).exists()).toBeFalse();
+  expect(await Bun.file(join(generatedRoot, "service.yaml")).exists()).toBeFalse();
+  expect(await Bun.file(join(generatedRoot, "Dockerfile")).exists()).toBeFalse();
+  expect(await Bun.file(join(generatedRoot, "docker-compose.yml")).exists()).toBeFalse();
+  expect(await Bun.file(join(generatedRoot, "src", "db", "repository.ts")).exists()).toBeFalse();
+  expect(await Bun.file(join(generatedRoot, "src", "temporal", "worker.ts")).exists()).toBeFalse();
+  expect(await Bun.file(join(generatedRoot, "scripts", "codegen.ts")).exists()).toBeFalse();
+});
+
 test("microservice profile does not generate a website package", async () => {
   const root = await mkdtemp(join(tmpdir(), "create-svc-microservice-profile-"));
   const generatedRoot = join(root, "service");

package/src/scaffold.ts

@@ -4,16 +4,19 @@ import {
   compactIdentifier,
   compactDatabaseName,
   deriveLocalPostgresPort,
+  type DeployTarget,
   type Framework,
   type GcpProjectMode,
   type Runtime,
 } from "./naming";
 import { exampleForProfile, type Profile } from "./profiles";
+import type { GitBootstrapConfig } from "./git-bootstrap";
 
 export type ScaffoldConfig = {
   directory: string;
   serviceName: string;
   modulePath: string;
+  target: DeployTarget;
   runtime: Runtime;
   framework: Framework;
   profile: Profile;
@@ -24,6 +27,7 @@ export type ScaffoldConfig = {
   billingAccount: string;
   quotaProjectId: string;
   autoDeploy: boolean;
+  git: GitBootstrapConfig;
   neonDatabaseName: string;
   apiHostname: string;
   generatorRoot: string;
@@ -46,15 +50,20 @@ export async function scaffoldProject(config: ScaffoldConfig) {
   await ensureTargetDirectory(targetDir);
 
   const replacements = buildReplacements(config);
-  const sharedTemplateRoot = resolve(config.generatorRoot, "templates", "shared");
-  const variantTemplateRoot = resolve(config.generatorRoot, "templates", "variants", `${config.runtime}-${config.framework}`);
-  const templateRoots = [sharedTemplateRoot, variantTemplateRoot];
+  const templateRoots = [
+    { kind: "shared" as const, root: resolve(config.generatorRoot, "templates", "shared") },
+    { kind: "variant" as const, root: resolve(config.generatorRoot, "templates", "variants", `${config.runtime}-${config.framework}`) },
+    { kind: "target" as const, root: resolve(config.generatorRoot, "templates", "targets", config.target) },
+  ];
 
-  for (const templateRoot of templateRoots) {
-    const files = await collectTemplateFiles(templateRoot);
+  for (const template of templateRoots) {
+    const files = await collectTemplateFiles(template.root);
 
     for (const relativePath of files) {
-      const sourcePath = join(templateRoot, relativePath);
+      if (shouldSkipForTarget(config.target, template.kind, relativePath)) {
+        continue;
+      }
+      const sourcePath = join(template.root, relativePath);
       const destinationPath = join(targetDir, relativePath);
       const raw = await Bun.file(sourcePath).text();
       const rendered = renderTemplate(raw, replacements);
@@ -67,6 +76,43 @@ export async function scaffoldProject(config: ScaffoldConfig) {
   await writeLocalEnvFile(targetDir, replacements);
 }
 
+function shouldSkipForTarget(target: DeployTarget, templateKind: "shared" | "variant" | "target", relativePath: string) {
+  if (target === "workers") {
+    if (templateKind === "target") {
+      return false;
+    }
+
+    if (relativePath === "Dockerfile" || relativePath === "docker-compose.yml") {
+      return true;
+    }
+
+    if (templateKind === "shared") {
+      return (
+        relativePath === "service.yaml" ||
+        relativePath === "scripts/dev.ts" ||
+        relativePath === "scripts/ensure-local-db.ts" ||
+        relativePath === "scripts/local-docker.ts" ||
+        relativePath === "scripts/local-env.ts" ||
+        relativePath === "scripts/seed.ts" ||
+        relativePath === "scripts/wait-for-db.ts" ||
+        relativePath.startsWith("scripts/cloudrun/")
+      );
+    }
+
+    return (
+      relativePath.startsWith("src/db/") ||
+      relativePath.startsWith("src/temporal/") ||
+      relativePath.startsWith("src/waitlist/") ||
+      relativePath.startsWith("test/") ||
+      relativePath.startsWith("migrations/") ||
+      relativePath === "scripts/codegen.ts" ||
+      relativePath === "scripts/migrate.ts"
+    );
+  }
+
+  return relativePath.startsWith("scripts/workers/") || relativePath === "wrangler.toml";
+}
+
 async function ensureTargetDirectory(targetDir: string) {
   await assertTargetDirectoryIsEmpty(targetDir);
   await mkdir(targetDir, { recursive: true });
@@ -88,21 +134,26 @@ export async function assertTargetDirectoryIsEmpty(targetDir: string) {
 
 async function collectTemplateFiles(root: string, relative = ""): Promise<string[]> {
   const cwd = join(root, relative);
-  const entries = await readdir(cwd, { withFileTypes: true });
+  let entries;
+  try {
+    entries = await readdir(cwd, { withFileTypes: true });
+  } catch (error) {
+    if ((error as NodeJS.ErrnoException).code === "ENOENT") {
+      return [];
+    }
+    throw error;
+  }
   const files: string[] = [];
 
   for (const entry of entries) {
     const nextRelative = relative ? join(relative, entry.name) : entry.name;
     if (entry.isDirectory()) {
-      if (nextRelative === ".github" || nextRelative.startsWith(".github/")) {
+      if (entry.name === "node_modules" || entry.name === ".git") {
         continue;
       }
       files.push(...(await collectTemplateFiles(root, nextRelative)));
       continue;
     }
-    if (nextRelative === ".github" || nextRelative.startsWith(".github/")) {
-      continue;
-    }
     files.push(nextRelative);
   }
 
@@ -115,16 +166,17 @@ function buildReplacements(config: ScaffoldConfig) {
   const runtimeServiceAccount = `${serviceAccountBase}-runtime@${config.gcpProject}.iam.gserviceaccount.com`;
   const previewBranchPrefix = `${config.serviceName}-pr`;
   const personalBranchPrefix = `${config.serviceName}-dev`;
-  const remoteAttachmentBucket = `${config.gcpProject}-${config.serviceName}-attachments`;
-  const remoteAttachmentPublicBaseUrl = `https://storage.googleapis.com/${remoteAttachmentBucket}`;
   const localDatabaseName = compactDatabaseName(config.serviceName);
   const localDatabasePort = deriveLocalPostgresPort(config.serviceName);
-  const localAttachmentBucket = `${config.serviceName}-local-attachments`;
-  const localAttachmentPublicBaseUrl = `https://storage.local.invalid/${localAttachmentBucket}`;
+  const authIssuer = "https://auth.anmho.com/api/auth";
+  const authAudience = `api://${config.serviceName}`;
+  const authJwksUrl = `${authIssuer}/jwks`;
 
   return {
     SERVICE_NAME: config.serviceName,
+    SERVICE_ID: config.serviceName,
     MODULE_PATH: config.modulePath,
+    TARGET: config.target,
     PROJECT_ID: config.gcpProject,
     PROJECT_NAME: config.gcpProjectName,
     REGION: config.region,
@@ -150,32 +202,37 @@ function buildReplacements(config: ScaffoldConfig) {
     RUNTIME_SERVICE_ACCOUNT: runtimeServiceAccount,
     API_HOSTNAME: config.apiHostname,
     API_BASE_DOMAIN: "anmho.com",
-    ATTACHMENT_BUCKET: remoteAttachmentBucket,
-    ATTACHMENT_PUBLIC_BASE_URL: remoteAttachmentPublicBaseUrl,
+    AUTH_ISSUER: authIssuer,
+    AUTH_AUDIENCE: authAudience,
+    AUTH_JWKS_URL: authJwksUrl,
     LOCAL_DATABASE_NAME: localDatabaseName,
     LOCAL_DATABASE_PORT: localDatabasePort,
     LOCAL_DATABASE_USER: "postgres",
     LOCAL_DATABASE_PASSWORD: "postgres",
-    LOCAL_ATTACHMENT_BUCKET: localAttachmentBucket,
-    LOCAL_ATTACHMENT_PUBLIC_BASE_URL: localAttachmentPublicBaseUrl,
     COMMAND_DEV: config.runtime === "bun" ? "bun run dev" : "make dev",
     COMMAND_MIGRATE: config.runtime === "bun" ? "bun run migrate" : "make migrate",
     COMMAND_GEN: config.runtime === "bun" ? "bun run gen" : "make gen",
     COMMAND_LINT: config.runtime === "bun" ? "bun run lint" : "make lint",
     COMMAND_TEST: config.runtime === "bun" ? "bun run test" : "make test",
-    COMMAND_BOOTSTRAP: config.runtime === "bun" ? "bun run bootstrap" : "make bootstrap",
+    COMMAND_BOOTSTRAP: config.runtime === "bun" ? "bun run create" : "make create",
     COMMAND_DEPLOY: config.runtime === "bun" ? "bun run deploy" : "make deploy",
+    COMMAND_AUTH_RESOURCE:
+      config.runtime === "bun" ? "bun run auth -- resource-server" : 'make auth ARGS="resource-server"',
+    COMMAND_AUTH_CLIENT:
+      config.runtime === "bun"
+        ? "bun run auth -- client create"
+        : 'make auth ARGS="client create"',
     COMMAND_DEPLOY_PERSONAL:
       config.runtime === "bun"
         ? 'bun run deploy -- --environment personal --name <slug>'
         : 'make deploy ARGS="--environment personal --name <slug>"',
     COMMAND_DEPLOY_DESTROY:
       config.runtime === "bun"
-        ? 'bun run deploy -- --destroy --environment personal --name <slug>'
-        : 'make deploy ARGS="--destroy --environment personal --name <slug>"',
-    COMMAND_CLEANUP: config.runtime === "bun" ? "bun run cleanup" : "make cleanup",
-    COMMAND_CLEANUP_PROJECT: config.runtime === "bun" ? "bun run cleanup -- --project" : 'make cleanup ARGS="--project"',
-    GITIGNORE_EXTRA: config.framework === "connectrpc" ? "gen/" : "",
+        ? 'bun run destroy -- --environment personal --name <slug>'
+        : 'make destroy ARGS="--environment personal --name <slug>"',
+    COMMAND_CLEANUP: config.runtime === "bun" ? "bun run destroy" : "make destroy",
+    COMMAND_CLEANUP_PROJECT: config.runtime === "bun" ? "bun run destroy -- --project" : 'make destroy ARGS="--project"',
+    GITIGNORE_EXTRA: "",
     LOCAL_INTROSPECTION_NOTE:
       config.framework === "connectrpc"
         ? [
@@ -200,12 +257,10 @@ async function writeLocalEnvFile(targetDir: string, replacements: Record<string,
 
   const rendered = renderTemplate(
     [
-      "# Generated local development defaults for create-svc.",
+      "# Generated local development defaults for create-service.",
       "# This file is user-owned after scaffold and is gitignored.",
       "",
-      "DATABASE_URL=postgres://{{LOCAL_DATABASE_USER}}:{{LOCAL_DATABASE_PASSWORD}}@127.0.0.1:{{LOCAL_DATABASE_PORT}}/{{LOCAL_DATABASE_NAME}}",
-      "ATTACHMENT_BUCKET={{LOCAL_ATTACHMENT_BUCKET}}",
-      "ATTACHMENT_PUBLIC_BASE_URL={{LOCAL_ATTACHMENT_PUBLIC_BASE_URL}}",
+      "DATABASE_URL=postgres://{{LOCAL_DATABASE_USER}}:{{LOCAL_DATABASE_PASSWORD}}@127.0.0.1:{{LOCAL_DATABASE_PORT}}/{{LOCAL_DATABASE_NAME}}?sslmode=disable",
       "",
     ].join("\n"),
     replacements