npm - create-svc - Versions diffs - 0.1.10 → 0.1.11 - Mend

create-svc 0.1.10 → 0.1.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (168) hide show

package/README.md +46 -43
package/bin/create-service.mjs +2 -0
package/package.json +12 -9
package/src/cli.test.ts +28 -10
package/src/cli.ts +195 -30
package/src/git-bootstrap.test.ts +40 -0
package/src/git-bootstrap.ts +110 -0
package/src/naming.test.ts +1 -0
package/src/naming.ts +23 -0
package/src/post-scaffold.test.ts +19 -0
package/src/post-scaffold.ts +17 -4
package/src/profiles.ts +2 -5
package/src/scaffold.test.ts +231 -40
package/src/scaffold.ts +84 -29
package/src/vault.test.ts +61 -1
package/src/vault.ts +77 -15
package/templates/shared/.github/workflows/ci.yml +2 -1
package/templates/shared/.github/workflows/deploy.yml +2 -0
package/templates/shared/README.md +124 -47
package/templates/shared/grafana/alerts.yaml +54 -0
package/templates/shared/grafana/waitlist-dashboard.json +63 -0
package/templates/shared/scripts/authctl.ts +231 -0
package/templates/shared/scripts/cloudrun/bootstrap.ts +14 -5
package/templates/shared/scripts/cloudrun/cleanup.ts +64 -4
package/templates/shared/scripts/cloudrun/cli.ts +324 -7
package/templates/shared/scripts/cloudrun/config.ts +11 -4
package/templates/shared/scripts/cloudrun/deploy.ts +0 -4
package/templates/shared/scripts/cloudrun/lib.ts +174 -41
package/templates/shared/scripts/cloudrun/neon.ts +45 -0
package/templates/shared/scripts/dev.ts +22 -0
package/templates/shared/scripts/ensure-local-db.ts +3 -0
package/templates/shared/scripts/local-docker.ts +63 -0
package/templates/shared/scripts/local-env.ts +27 -0
package/templates/shared/scripts/seed.ts +73 -0
package/templates/shared/scripts/wait-for-db.ts +32 -0
package/templates/shared/service.config.ts +59 -0
package/templates/shared/service.yaml +24 -44
package/templates/targets/workers/.github/workflows/ci.yml +19 -0
package/templates/targets/workers/.github/workflows/deploy.yml +19 -0
package/templates/targets/workers/Makefile +33 -0
package/templates/targets/workers/README.md +75 -0
package/templates/targets/workers/package.json +35 -0
package/templates/targets/workers/scripts/workers/cli.ts +397 -0
package/templates/targets/workers/src/auth.ts +178 -0
package/templates/targets/workers/src/index.ts +198 -0
package/templates/targets/workers/src/storage.ts +370 -0
package/templates/targets/workers/test/app.test.ts +108 -0
package/templates/targets/workers/tsconfig.json +11 -0
package/templates/targets/workers/wrangler.toml +24 -0
package/templates/variants/bun-connectrpc/Makefile +14 -8
package/templates/variants/bun-connectrpc/gen/protos/waitlist/v1/waitlist_pb.ts +424 -0
package/templates/variants/bun-connectrpc/migrations/0000_init.sql +12 -55
package/templates/variants/bun-connectrpc/package.json +12 -5
package/templates/variants/bun-connectrpc/protos/waitlist/v1/waitlist.proto +91 -0
package/templates/variants/bun-connectrpc/scripts/codegen.ts +1 -1
package/templates/variants/bun-connectrpc/scripts/migrate.ts +4 -1
package/templates/variants/bun-connectrpc/src/auth.ts +200 -0
package/templates/variants/bun-connectrpc/src/db/repository.ts +67 -420
package/templates/variants/bun-connectrpc/src/db/schema.ts +15 -64
package/templates/variants/bun-connectrpc/src/index.ts +76 -176
package/templates/variants/bun-connectrpc/src/temporal/activities.ts +14 -0
package/templates/variants/bun-connectrpc/src/temporal/worker.ts +38 -0
package/templates/variants/bun-connectrpc/src/temporal/workflows.ts +10 -0
package/templates/variants/bun-connectrpc/src/waitlist/service.ts +172 -0
package/templates/variants/bun-connectrpc/src/waitlist/types.ts +45 -0
package/templates/variants/bun-connectrpc/test/app.test.ts +4 -4
package/templates/variants/bun-connectrpc/test/waitlist.integration.test.ts +71 -0
package/templates/variants/bun-hono/Makefile +14 -8
package/templates/variants/bun-hono/migrations/0000_init.sql +12 -55
package/templates/variants/bun-hono/package.json +12 -5
package/templates/variants/bun-hono/scripts/migrate.ts +4 -1
package/templates/variants/bun-hono/src/auth.ts +181 -0
package/templates/variants/bun-hono/src/db/repository.ts +68 -421
package/templates/variants/bun-hono/src/db/schema.ts +15 -64
package/templates/variants/bun-hono/src/index.ts +65 -180
package/templates/variants/bun-hono/src/temporal/activities.ts +14 -0
package/templates/variants/bun-hono/src/temporal/worker.ts +38 -0
package/templates/variants/bun-hono/src/temporal/workflows.ts +10 -0
package/templates/variants/bun-hono/src/waitlist/service.ts +166 -0
package/templates/variants/bun-hono/src/waitlist/types.ts +50 -0
package/templates/variants/bun-hono/test/app.test.ts +72 -41
package/templates/variants/bun-hono/test/waitlist.integration.test.ts +102 -0
package/templates/variants/go-chi/Makefile +27 -11
package/templates/variants/go-chi/atlas.hcl +8 -0
package/templates/variants/go-chi/cmd/server/main.go +21 -10
package/templates/variants/go-chi/go.mod +1 -3
package/templates/variants/go-chi/internal/app/service.go +202 -685
package/templates/variants/go-chi/internal/auth/middleware.go +289 -0
package/templates/variants/go-chi/internal/auth/middleware_test.go +38 -0
package/templates/variants/go-chi/internal/config/config.go +27 -11
package/templates/variants/go-chi/internal/httpapi/routes.go +78 -157
package/templates/variants/go-chi/internal/httpapi/waitlist_integration_test.go +199 -0
package/templates/variants/go-chi/internal/temporal/activities.go +27 -0
package/templates/variants/go-chi/internal/temporal/worker.go +42 -0
package/templates/variants/go-chi/internal/temporal/workflows.go +18 -0
package/templates/variants/go-chi/migrations/0000_init.sql +12 -55
package/templates/variants/go-chi/migrations/atlas.sum +2 -0
package/templates/variants/go-chi/package.json +7 -1
package/templates/variants/go-connectrpc/Makefile +26 -9
package/templates/variants/go-connectrpc/atlas.hcl +8 -0
package/templates/variants/go-connectrpc/buf.gen.yaml +2 -2
package/templates/variants/go-connectrpc/cmd/server/main.go +23 -12
package/templates/variants/go-connectrpc/gen/waitlist/v1/waitlist.pb.go +960 -0
package/templates/variants/go-connectrpc/gen/waitlist/v1/waitlistv1connect/waitlist.connect.go +283 -0
package/templates/variants/go-connectrpc/go.mod +1 -1
package/templates/variants/go-connectrpc/internal/app/service.go +202 -685
package/templates/variants/go-connectrpc/internal/auth/middleware.go +289 -0
package/templates/variants/go-connectrpc/internal/auth/middleware_test.go +38 -0
package/templates/variants/go-connectrpc/internal/config/config.go +27 -11
package/templates/variants/go-connectrpc/internal/connectapi/handler.go +78 -201
package/templates/variants/go-connectrpc/internal/connectapi/waitlist_integration_test.go +122 -0
package/templates/variants/go-connectrpc/internal/httpapi/routes.go +147 -9
package/templates/variants/go-connectrpc/internal/temporal/activities.go +27 -0
package/templates/variants/go-connectrpc/internal/temporal/worker.go +42 -0
package/templates/variants/go-connectrpc/internal/temporal/workflows.go +18 -0
package/templates/variants/go-connectrpc/migrations/0000_init.sql +12 -55
package/templates/variants/go-connectrpc/migrations/atlas.sum +2 -0
package/templates/variants/go-connectrpc/package.json +7 -1
package/templates/variants/go-connectrpc/protos/waitlist/v1/waitlist.proto +93 -0
package/templates/root/.github/workflows/buf-publish.yml +0 -19
package/templates/root/.github/workflows/ci.yml +0 -26
package/templates/root/.github/workflows/deploy.yml +0 -22
package/templates/root/Dockerfile +0 -23
package/templates/root/README.md +0 -69
package/templates/root/buf.gen.yaml +0 -10
package/templates/root/buf.yaml +0 -9
package/templates/root/cmd/server/main.go +0 -44
package/templates/root/gen/dns/v1/dns.pb.go +0 -623
package/templates/root/gen/dns/v1/dnsv1connect/dns.connect.go +0 -192
package/templates/root/go.mod +0 -10
package/templates/root/internal/app/service.go +0 -152
package/templates/root/internal/app/token_source.go +0 -50
package/templates/root/internal/cloudflare/client.go +0 -160
package/templates/root/internal/config/config.go +0 -55
package/templates/root/internal/connectapi/handler.go +0 -79
package/templates/root/internal/httpapi/routes.go +0 -93
package/templates/root/internal/vault/client.go +0 -148
package/templates/root/package.json +0 -12
package/templates/root/protos/dns/v1/dns.proto +0 -58
package/templates/root/scripts/cloudrun/bootstrap.ts +0 -65
package/templates/root/scripts/cloudrun/config.ts +0 -50
package/templates/root/scripts/cloudrun/deploy.ts +0 -41
package/templates/root/scripts/cloudrun/lib.ts +0 -244
package/templates/root/service.yaml +0 -50
package/templates/root/test/go.test.ts +0 -19
package/templates/shared/scripts/cloudrun/integrations.ts +0 -111
package/templates/variants/bun-connectrpc/gen/protos/chat/v1/chat_pb.ts +0 -1078
package/templates/variants/bun-connectrpc/protos/chat/v1/chat.proto +0 -228
package/templates/variants/bun-connectrpc/src/chat/service.ts +0 -384
package/templates/variants/bun-connectrpc/src/chat/types.ts +0 -142
package/templates/variants/bun-connectrpc/src/storage.ts +0 -72
package/templates/variants/bun-connectrpc/src/webhooks.ts +0 -35
package/templates/variants/bun-connectrpc/test/list-messages.integration.test.ts +0 -182
package/templates/variants/bun-hono/src/chat/service.ts +0 -384
package/templates/variants/bun-hono/src/chat/types.ts +0 -142
package/templates/variants/bun-hono/src/storage.ts +0 -72
package/templates/variants/bun-hono/src/webhooks.ts +0 -35
package/templates/variants/bun-hono/test/list-messages.integration.test.ts +0 -256
package/templates/variants/go-chi/buf.gen.yaml +0 -12
package/templates/variants/go-chi/buf.yaml +0 -9
package/templates/variants/go-chi/cmd/migrate/main.go +0 -101
package/templates/variants/go-chi/internal/httpapi/list_messages_integration_test.go +0 -298
package/templates/variants/go-chi/protos/chat/v1/chat.proto +0 -219
package/templates/variants/go-connectrpc/cmd/migrate/main.go +0 -101
package/templates/variants/go-connectrpc/gen/chat/v1/chat.pb.go +0 -2512
package/templates/variants/go-connectrpc/gen/chat/v1/chatv1connect/chat.connect.go +0 -571
package/templates/variants/go-connectrpc/internal/connectapi/list_messages_integration_test.go +0 -216
package/templates/variants/go-connectrpc/protos/chat/v1/chat.proto +0 -232

package/templates/shared/scripts/cloudrun/lib.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import { config } from "./config";
 type CommandOptions = {
   allowFailure?: boolean;
   input?: string;
+  env?: Record<string, string | undefined>;
 };
 type DeployArgs = {
@@ -15,6 +16,7 @@ type DeployArgs = {
 type CleanupArgs = {
   destroyProject: boolean;
+  force: boolean;
 };
 export type DeploymentTarget = {
@@ -24,6 +26,13 @@ export type DeploymentTarget = {
   databaseSecretName: string;
 };
+type GcpResourceWithLabels = {
+  metadata?: {
+    labels?: Record<string, string>;
+  };
+  labels?: Record<string, string>;
+};
 type CommandResult = {
   success: boolean;
   stdout: string;
@@ -67,7 +76,7 @@ export function requireGcloudAuth() {
     throw new Error(
       [
         "gcloud is installed but no active Google Cloud account is available.",
-        "Run `gcloud auth login` on this machine before using bootstrap, deploy, or cleanup.",
+        "Run `gcloud auth login` on this machine before using service create, deploy, doctor, dns, or destroy.",
         "If you also rely on Application Default Credentials for other tooling, run `gcloud auth application-default login` as well.",
       ].join(" ")
     );
@@ -77,7 +86,7 @@ export function requireGcloudAuth() {
 export function run(command: string, args: string[], options: CommandOptions = {}): CommandResult {
   const result = Bun.spawnSync([command, ...args], {
     cwd: process.cwd(),
-    env: process.env,
+    env: { ...process.env, ...options.env },
     stdin: options.input === undefined ? undefined : encoder.encode(options.input),
     stdout: "pipe",
     stderr: "pipe",
@@ -119,7 +128,7 @@ export async function runStep<T>(label: string, task: () => Promise<T> | T) {
   }
 }
-export async function runMain(name: string, task: () => Promise<string | void>) {
+export async function runMain(name: string, task: () => Promise<string | void> | string | void) {
   intro(name);
   try {
@@ -152,6 +161,9 @@ export function ensureProject() {
 }
 export function attachBilling() {
+  if (config.project.mode === "use_existing") {
+    return "Using existing project billing";
+  }
   gcloud(["beta", "billing", "projects", "link", config.project.id, "--billing-account", config.project.billingAccount]);
 }
@@ -192,7 +204,17 @@ export function ensureSecret(secretName: string) {
     return;
   }
-  gcloud(["secrets", "create", secretName, "--project", config.project.id, "--replication-policy", "automatic"]);
+  gcloud([
+    "secrets",
+    "create",
+    secretName,
+    "--project",
+    config.project.id,
+    "--replication-policy",
+    "automatic",
+    "--labels",
+    ownershipLabelsArg(),
+  ]);
 }
 export function addSecretVersion(secretName: string, value: string) {
@@ -200,6 +222,10 @@ export function addSecretVersion(secretName: string, value: string) {
   gcloud(["secrets", "versions", "add", secretName, "--project", config.project.id, "--data-file=-"], { input: value });
 }
+export function accessSecretVersion(secretName: string) {
+  return gcloud(["secrets", "versions", "access", "latest", "--secret", secretName, "--project", config.project.id]).stdout;
+}
 export function ensureSecretAccessor(secretName: string, member: string) {
   gcloud(["secrets", "add-iam-policy-binding", secretName, "--project", config.project.id, "--member", member, "--role", "roles/secretmanager.secretAccessor"]);
 }
@@ -216,6 +242,11 @@ export function deleteSecret(secretName: string) {
   gcloud(["secrets", "delete", secretName, "--project", config.project.id, "--quiet"], { allowFailure: true });
 }
+export function describeSecret(secretName: string): GcpResourceWithLabels | undefined {
+  const result = gcloud(["secrets", "describe", secretName, "--project", config.project.id, "--format=json"], { allowFailure: true });
+  return parseOptionalJson(result.stdout, result.success);
+}
 export function ensureArtifactRepository() {
   if (
     gcloud(
@@ -240,24 +271,6 @@ export function ensureArtifactRepository() {
   ]);
 }
-export function ensureStorageBucket() {
-  if (gcloud(["storage", "buckets", "describe", `gs://${config.storage.attachmentBucket}`, "--project", config.project.id], { allowFailure: true }).success) {
-    return;
-  }
-  gcloud([
-    "storage",
-    "buckets",
-    "create",
-    `gs://${config.storage.attachmentBucket}`,
-    "--project",
-    config.project.id,
-    "--location",
-    config.region,
-    "--uniform-bucket-level-access",
-  ]);
-}
 export function projectNumber() {
   return gcloud(["projects", "describe", config.project.id, "--format=value(projectNumber)"]).stdout;
 }
@@ -330,6 +343,7 @@ export function parseDeployArgs(argv: string[]): DeployArgs {
 export function parseCleanupArgs(argv: string[]): CleanupArgs {
   const parsed: CleanupArgs = {
     destroyProject: false,
+    force: false,
   };
   for (const token of argv) {
@@ -337,6 +351,10 @@ export function parseCleanupArgs(argv: string[]): CleanupArgs {
       parsed.destroyProject = true;
       continue;
     }
+    if (token === "--force") {
+      parsed.force = true;
+      continue;
+    }
   }
   return parsed;
@@ -374,42 +392,63 @@ export function resolveDeploymentTarget(environment: DeployArgs["environment"],
   };
 }
-export function runtimeSecretNames(target: DeploymentTarget) {
-  return {
-    CLERK_SECRET_KEY: `${target.serviceName}-clerk-secret-key`,
-    CLERK_WEBHOOK_SECRET: `${target.serviceName}-clerk-webhook-secret`,
-    STRIPE_SECRET_KEY: `${target.serviceName}-stripe-secret-key`,
-    STRIPE_WEBHOOK_SECRET: `${target.serviceName}-stripe-webhook-secret`,
-    REVENUECAT_API_KEY: `${target.serviceName}-revenuecat-api-key`,
-    REVENUECAT_WEBHOOK_SECRET: `${target.serviceName}-revenuecat-webhook-secret`,
-    RESEND_API_KEY: `${target.serviceName}-resend-api-key`,
-    POSTHOG_API_KEY: `${target.serviceName}-posthog-api-key`,
-  } as const;
-}
 export async function renderManifest(image: string, target: DeploymentTarget) {
   const template = await Bun.file(new URL("../../service.yaml", import.meta.url)).text();
+  const temporal = resolveTemporalRuntimeConfig();
   const values = {
     SERVICE_NAME: target.serviceName,
+    SERVICE_ID: config.serviceName,
     RUNTIME_SERVICE_ACCOUNT: config.runtimeServiceAccount,
     IMAGE_URL: image,
     DATABASE_URL_SECRET: target.databaseSecretName,
-    ...runtimeSecretNames(target),
     SERVICE_RUNTIME: config.runtime,
     SERVICE_FRAMEWORK: config.framework,
-    ATTACHMENT_BUCKET: config.storage.attachmentBucket,
-    ATTACHMENT_PUBLIC_BASE_URL: config.storage.attachmentPublicBaseUrl,
+    TEMPORAL_ENABLED: String(temporal.enabled),
+    TEMPORAL_ADDRESS: temporal.address,
+    TEMPORAL_NAMESPACE: temporal.namespace,
+    TEMPORAL_TASK_QUEUE: temporal.taskQueue,
+    TEMPORAL_API_KEY_ENV: temporal.apiKeySecretName
+      ? [
+          "            - name: TEMPORAL_API_KEY",
+          "              valueFrom:",
+          "                secretKeyRef:",
+          `                  name: ${temporal.apiKeySecretName}`,
+          "                  key: latest",
+        ].join("\n")
+      : "",
+    AUTH_ISSUER: config.auth.issuer,
+    AUTH_AUDIENCE: config.auth.audience,
+    AUTH_JWKS_URL: config.auth.jwksUrl,
   };
   return template.replace(/\$\{([A-Z0-9_]+)\}/g, (_, key: string) => {
     const value = values[key as keyof typeof values];
-    if (!value) {
+    if (value === undefined) {
       throw new Error(`missing manifest value for ${key}`);
     }
     return value;
   });
 }
+export function resolveTemporalRuntimeConfig() {
+  const enabledOverride = process.env.TEMPORAL_ENABLED?.trim();
+  const address = process.env.TEMPORAL_ADDRESS?.trim() || config.temporal.address;
+  const namespace = process.env.TEMPORAL_NAMESPACE?.trim() || config.temporal.namespace;
+  const taskQueue = process.env.TEMPORAL_TASK_QUEUE?.trim() || config.temporal.taskQueue;
+  const apiKeySecretName = process.env.TEMPORAL_API_KEY_SECRET?.trim() || (process.env.TEMPORAL_API_KEY?.trim() ? config.temporal.apiKeySecretName : "");
+  const enabled = enabledOverride
+    ? ["1", "true", "yes", "on"].includes(enabledOverride.toLowerCase())
+    : Boolean(process.env.TEMPORAL_ADDRESS?.trim() || process.env.TEMPORAL_API_KEY?.trim() || process.env.TEMPORAL_API_KEY_SECRET?.trim());
+  return {
+    enabled,
+    address,
+    namespace,
+    taskQueue,
+    apiKeySecretName,
+  };
+}
 export async function writeRenderedManifest(image: string, target: DeploymentTarget) {
   const rendered = await renderManifest(image, target);
   const path = new URL("../../.cloudrun.rendered.yaml", import.meta.url);
@@ -441,8 +480,13 @@ export function serviceOrigin(target: DeploymentTarget) {
 }
 export function ensureProductionDomainMapping(serviceName: string) {
-  if (gcloud(["beta", "run", "domain-mappings", "describe", "--domain", config.domain.hostname, "--project", config.project.id], { allowFailure: true }).success) {
-    return;
+  const existing = describeProductionDomainMapping();
+  if (existing) {
+    const mappedService = existing.spec?.routeName ?? existing.status?.resourceRecords?.[0]?.rrdata;
+    if (!mappedService || mappedService === serviceName) {
+      return;
+    }
+    throw new Error(`${config.domain.hostname} is already mapped to ${mappedService}; refusing to take it over`);
   }
   gcloud([
@@ -461,6 +505,60 @@ export function ensureProductionDomainMapping(serviceName: string) {
   ]);
 }
+export function describeProductionDomainMapping():
+  | { spec?: { routeName?: string }; status?: { resourceRecords?: Array<{ rrdata?: string }> } }
+  | undefined {
+  const result = gcloud(
+    [
+      "beta",
+      "run",
+      "domain-mappings",
+      "describe",
+      "--domain",
+      config.domain.hostname,
+      "--project",
+      config.project.id,
+      "--region",
+      config.region,
+      "--format=json",
+    ],
+    { allowFailure: true }
+  );
+  if (!result.success || !result.stdout) {
+    return undefined;
+  }
+  try {
+    return JSON.parse(result.stdout);
+  } catch {
+    throw new Error(`Unable to parse Cloud Run domain mapping for ${config.domain.hostname}`);
+  }
+}
+export function assertProductionDomainAvailable(serviceName: string) {
+  const existing = describeProductionDomainMapping();
+  if (!existing) {
+    return;
+  }
+  const mappedService = existing.spec?.routeName;
+  if (mappedService && mappedService !== serviceName) {
+    throw new Error(`${config.domain.hostname} is already mapped to ${mappedService}; choose a different service_id before provisioning resources`);
+  }
+  throw new Error(`${config.domain.hostname} already has a domain mapping; use service deploy to redeploy or service dns to repair it`);
+}
+export function assertServiceNameAvailable(serviceName: string) {
+  const result = gcloud(
+    ["run", "services", "describe", serviceName, "--project", config.project.id, "--region", config.region, "--format=value(metadata.name)"],
+    { allowFailure: true }
+  );
+  if (result.success) {
+    throw new Error(`${serviceName} already exists in Cloud Run; use service deploy to redeploy or service destroy to remove owned resources`);
+  }
+}
 export function deleteProductionDomainMapping() {
   gcloud(["beta", "run", "domain-mappings", "delete", "--domain", config.domain.hostname, "--project", config.project.id, "--quiet"], {
     allowFailure: true,
@@ -474,6 +572,14 @@ export function listCloudRunServices() {
     .filter(Boolean);
 }
+export function describeCloudRunService(serviceName: string): GcpResourceWithLabels | undefined {
+  const result = gcloud(
+    ["run", "services", "describe", serviceName, "--project", config.project.id, "--region", config.region, "--format=json"],
+    { allowFailure: true }
+  );
+  return parseOptionalJson(result.stdout, result.success);
+}
 export function deleteService(serviceName: string) {
   gcloud(["run", "services", "delete", serviceName, "--project", config.project.id, "--region", config.region, "--quiet"], {
     allowFailure: true,
@@ -491,3 +597,30 @@ function slugify(value: string) {
     .replace(/[^a-z0-9]+/g, "-")
     .replace(/^-+|-+$/g, "");
 }
+export function assertOwnedResource(name: string, resource: GcpResourceWithLabels | undefined) {
+  if (!resource) {
+    throw new Error(`${name} does not exist`);
+  }
+  const labels = resource.metadata?.labels ?? resource.labels ?? {};
+  if (labels.managed_by !== "create-service" || labels.service_id !== config.serviceName) {
+    throw new Error(`${name} is missing ownership labels for service_id=${config.serviceName}`);
+  }
+}
+function ownershipLabelsArg() {
+  return `managed_by=create-service,service_id=${config.serviceName}`;
+}
+function parseOptionalJson<T>(stdout: string, success: boolean): T | undefined {
+  if (!success || !stdout) {
+    return undefined;
+  }
+  try {
+    return JSON.parse(stdout) as T;
+  } catch {
+    throw new Error("Unable to parse gcloud JSON response");
+  }
+}

package/templates/shared/scripts/cloudrun/neon.ts CHANGED Viewed

@@ -13,6 +13,11 @@ type NeonBranch = {
   name: string;
 };
+type NeonDatabase = {
+  name: string;
+  ownerName: string;
+};
 type ResolvedNeonConfig = {
   projectId: string;
   baseBranchId: string;
@@ -110,6 +115,18 @@ export async function listBranches(projectId: string) {
     .sort((left: NeonBranch, right: NeonBranch) => left.name.localeCompare(right.name));
 }
+export async function listDatabases(projectId: string, branchId: string) {
+  const payload = await (await neonClient()).listProjectBranchDatabases(projectId, branchId);
+  const databases = ((payload.data as { databases?: Array<{ name?: string; owner_name?: string }> } | undefined)?.databases ?? []);
+  return databases
+    .map((database: { name?: string; owner_name?: string }) => ({
+      name: database.name ?? "",
+      ownerName: database.owner_name ?? "",
+    }))
+    .filter((database: NeonDatabase): database is NeonDatabase => Boolean(database.name))
+    .sort((left: NeonDatabase, right: NeonDatabase) => left.name.localeCompare(right.name));
+}
 export async function resolveNeonConfig(): Promise<ResolvedNeonConfig> {
   const configuredProjectId = config.neon.projectId.trim();
   const configuredBaseBranchId = config.neon.baseBranchId.trim();
@@ -172,6 +189,7 @@ export async function ensureDatabase(projectId: string, branchId: string, databa
 }
 export async function deleteDatabase(projectId: string, branchId: string, databaseName: string) {
+  await assertDatabaseOwned(projectId, branchId, databaseName);
   try {
     await (await neonClient()).deleteProjectBranchDatabase(projectId, branchId, databaseName);
   } catch (error) {
@@ -213,6 +231,11 @@ export async function ensureBranch(projectId: string, branchName: string, parent
 }
 export async function deleteBranch(projectId: string, branchId: string) {
+  const branch = (await listBranches(projectId)).find((candidate) => candidate.id === branchId);
+  if (!branch) {
+    return;
+  }
+  assertDisposableBranchName(branch.name);
   try {
     await (await neonClient()).deleteProjectBranch(projectId, branchId);
   } catch (error) {
@@ -224,6 +247,28 @@ export async function deleteBranch(projectId: string, branchId: string) {
   }
 }
+async function assertDatabaseOwned(projectId: string, branchId: string, databaseName: string) {
+  if (databaseName !== config.neon.databaseName) {
+    throw new Error(`Refusing to delete Neon database ${databaseName}; expected ${config.neon.databaseName}`);
+  }
+  const database = (await listDatabases(projectId, branchId)).find((candidate) => candidate.name === databaseName);
+  if (!database) {
+    return;
+  }
+  if (database.ownerName && database.ownerName !== config.neon.roleName) {
+    throw new Error(`Refusing to delete Neon database ${databaseName}; owner is ${database.ownerName}, expected ${config.neon.roleName}`);
+  }
+}
+function assertDisposableBranchName(branchName: string) {
+  if (branchName.startsWith(`${config.neon.previewBranchPrefix}-`) || branchName.startsWith(`${config.neon.personalBranchPrefix}-`)) {
+    return;
+  }
+  throw new Error(`Refusing to delete Neon branch ${branchName}; it is not owned by ${config.serviceName}`);
+}
 export async function getConnectionUri(projectId: string, branchId: string, databaseName: string, roleName: string) {
   const payload = await (await neonClient()).getConnectionUri({
     projectId,

package/templates/shared/scripts/dev.ts ADDED Viewed

@@ -0,0 +1,22 @@
+import { readLocalEnv } from "./local-env";
+import { ensureLocalPostgres } from "./local-docker";
+const command = Bun.argv.slice(2);
+if (command.length === 0) {
+  throw new Error("Usage: bun run ./scripts/dev.ts <command...>");
+}
+await ensureLocalPostgres();
+const child = Bun.spawn(command, {
+  stdin: "inherit",
+  stdout: "inherit",
+  stderr: "inherit",
+  env: {
+    ...Bun.env,
+    ...(await readLocalEnv()),
+  },
+});
+process.exit(await child.exited);

package/templates/shared/scripts/ensure-local-db.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import { ensureLocalPostgres } from "./local-docker";
+await ensureLocalPostgres();

package/templates/shared/scripts/local-docker.ts ADDED Viewed

@@ -0,0 +1,63 @@
+export async function ensureLocalPostgres() {
+  await ensureDockerRunning();
+  await run(["docker", "compose", "up", "-d"], { label: "start local postgres" });
+}
+async function ensureDockerRunning() {
+  if (await dockerInfo()) {
+    return;
+  }
+  await openDocker();
+  const deadline = Date.now() + 120_000;
+  while (Date.now() < deadline) {
+    if (await dockerInfo()) {
+      return;
+    }
+    await Bun.sleep(2_000);
+  }
+  throw new Error("Docker did not become ready within 120 seconds. Open Docker Desktop and retry.");
+}
+async function dockerInfo() {
+  const result = await Bun.spawn(["docker", "info"], {
+    stdout: "ignore",
+    stderr: "ignore",
+  }).exited;
+  return result === 0;
+}
+async function openDocker() {
+  if (process.platform === "darwin") {
+    await run(["open", "-a", "Docker"], { label: "open Docker Desktop" });
+    return;
+  }
+  if (process.platform === "win32") {
+    await run(["powershell.exe", "-NoProfile", "-Command", "Start-Process 'Docker Desktop'"], {
+      label: "open Docker Desktop",
+      optional: true,
+    });
+    return;
+  }
+  await run(["systemctl", "--user", "start", "docker-desktop"], {
+    label: "open Docker Desktop",
+    optional: true,
+  });
+}
+async function run(command: string[], options: { label: string; optional?: boolean }) {
+  const result = await Bun.spawn(command, {
+    stdin: "ignore",
+    stdout: "inherit",
+    stderr: "inherit",
+    env: Bun.env,
+  }).exited;
+  if (result !== 0 && !options.optional) {
+    throw new Error(`${options.label} failed with exit code ${result}`);
+  }
+}

package/templates/shared/scripts/local-env.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import { existsSync } from "node:fs";
+import { readFile } from "node:fs/promises";
+export async function readLocalEnv() {
+  if (!existsSync(".env.local")) {
+    return {};
+  }
+  const values: Record<string, string> = {};
+  const text = await readFile(".env.local", "utf8");
+  for (const line of text.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) {
+      continue;
+    }
+    const separator = trimmed.indexOf("=");
+    if (separator === -1) {
+      continue;
+    }
+    const key = trimmed.slice(0, separator).trim();
+    const rawValue = trimmed.slice(separator + 1).trim();
+    values[key] = rawValue.replace(/^['"]|['"]$/g, "");
+  }
+  return values;
+}

package/templates/shared/scripts/seed.ts ADDED Viewed

@@ -0,0 +1,73 @@
+#!/usr/bin/env bun
+import { SQL } from "bun";
+const databaseUrl = Bun.env.DATABASE_URL?.trim();
+if (!databaseUrl) {
+  throw new Error("DATABASE_URL is required");
+}
+const stage = normalizeStage(Bun.env.SERVICE_STAGE || Bun.env.APP_ENV || Bun.env.NODE_ENV || "local");
+if (stage === "prod" && Bun.env.SEED_PROD !== "true") {
+  console.log("Skipping production seed data. Set SEED_PROD=true to apply production seeds.");
+  process.exit(0);
+}
+const sql = new SQL(databaseUrl);
+try {
+  const entries = seedEntries(stage);
+  for (const entry of entries) {
+    await sql`
+      insert into waitlist_entries (id, email, name, company, source, status)
+      values (${entry.id}, ${entry.email}, ${entry.name}, ${entry.company}, ${entry.source}, ${entry.status})
+      on conflict (email) do update set
+        name = excluded.name,
+        company = excluded.company,
+        source = excluded.source,
+        updated_at = now()
+    `;
+    await sql`
+      insert into waitlist_triggers (id, type, entry_id, status, payload_json)
+      values (${`${entry.id}-trigger`}, ${"seed"}, ${entry.id}, ${"queued"}, ${JSON.stringify({ stage, email: entry.email })})
+      on conflict (id) do nothing
+    `;
+  }
+  console.log(`Seeded ${entries.length} waitlist entr${entries.length === 1 ? "y" : "ies"} for ${stage}.`);
+} finally {
+  await sql.close();
+}
+function normalizeStage(value: string) {
+  const normalized = value.trim().toLowerCase();
+  if (normalized === "production" || normalized === "main") {
+    return "prod";
+  }
+  if (normalized === "development") {
+    return "local";
+  }
+  return normalized || "local";
+}
+function seedEntries(stage: string) {
+  return [
+    {
+      id: `seed-${stage}-founder`,
+      email: `founder+${stage}@example.com`,
+      name: "Founder Example",
+      company: "Example Co",
+      source: `seed:${stage}`,
+      status: "joined",
+    },
+    {
+      id: `seed-${stage}-operator`,
+      email: `operator+${stage}@example.com`,
+      name: "Operator Example",
+      company: "Example Co",
+      source: `seed:${stage}`,
+      status: "joined",
+    },
+  ];
+}

package/templates/shared/scripts/wait-for-db.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import { SQL } from "bun";
+import { readLocalEnv } from "./local-env";
+const env = {
+  ...Bun.env,
+  ...(await readLocalEnv()),
+};
+const databaseUrl = env.DATABASE_URL?.trim();
+if (!databaseUrl) {
+  throw new Error("DATABASE_URL is required");
+}
+const client = new SQL(databaseUrl);
+const deadline = Date.now() + 45_000;
+let lastError: unknown;
+while (Date.now() < deadline) {
+  try {
+    await client.unsafe("select 1");
+    process.exit(0);
+  } catch (error) {
+    lastError = error;
+    await Bun.sleep(1_000);
+  }
+}
+throw new Error(`Timed out waiting for Postgres: ${formatError(lastError)}`);
+function formatError(error: unknown) {
+  return error instanceof Error ? error.message : String(error ?? "unknown error");
+}