create-svc 0.1.10 → 0.1.12

package/src/service.ts

@@ -0,0 +1,65 @@
+import { existsSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { run as runScaffoldCli } from "./cli";
+
+const SCAFFOLD_COMMANDS = new Set(["create", "new", "init"]);
+
+export async function runServiceCommand(argv: string[], cwd = process.cwd()) {
+  const serviceRoot = findGeneratedServiceRoot(cwd);
+  if (serviceRoot) {
+    delegateToGeneratedService(serviceRoot, argv);
+    return;
+  }
+
+  await runScaffoldCli(normalizeScaffoldArgs(argv));
+}
+
+export function normalizeScaffoldArgs(argv: string[]) {
+  const [command, ...rest] = argv;
+  if (command && SCAFFOLD_COMMANDS.has(command)) {
+    return rest;
+  }
+  if (command === "help") {
+    return ["--help", ...rest];
+  }
+  return argv;
+}
+
+export function findGeneratedServiceRoot(start: string): string | undefined {
+  let current = start;
+  while (true) {
+    if (isGeneratedServiceRoot(current)) {
+      return current;
+    }
+
+    const parent = dirname(current);
+    if (parent === current) {
+      return undefined;
+    }
+    current = parent;
+  }
+}
+
+function isGeneratedServiceRoot(path: string) {
+  return (
+    existsSync(join(path, "service.config.ts")) &&
+    (existsSync(join(path, "scripts", "cloudrun", "cli.ts")) || existsSync(join(path, "scripts", "workers", "cli.ts")))
+  );
+}
+
+function delegateToGeneratedService(serviceRoot: string, argv: string[]) {
+  const cliPath = existsSync(join(serviceRoot, "scripts", "cloudrun", "cli.ts"))
+    ? "./scripts/cloudrun/cli.ts"
+    : "./scripts/workers/cli.ts";
+  const result = Bun.spawnSync(["bun", "run", cliPath, ...argv], {
+    cwd: serviceRoot,
+    env: process.env,
+    stdin: "inherit",
+    stdout: "inherit",
+    stderr: "inherit",
+  });
+
+  if (!result.success) {
+    process.exit(result.exitCode || 1);
+  }
+}

package/src/vault.test.ts

@@ -1,6 +1,6 @@
 import { afterEach, expect, mock, test } from "bun:test";
 import { mkdir } from "node:fs/promises";
-import { readVaultSecret, resolveNeonApiKey } from "./vault";
+import { readVaultSecret, resolveNeonApiKey, upsertVaultSecretFields } from "./vault";
 
 const originalEnv = { ...process.env };
 
@@ -97,3 +97,63 @@ test("readVaultSecret falls back to ~/.vault-token", async () => {
     })
   ).resolves.toBe("vault-token");
 });
+
+test("upsertVaultSecretFields writes merged KV v2 data", async () => {
+  process.env.VAULT_ADDR = "https://vault.example.com";
+  process.env.VAULT_TOKEN = "token-123";
+
+  const requests: Array<{ method: string; url: string; body?: unknown }> = [];
+  const fetchMock = mock(async (input: string | URL | Request, init?: RequestInit) => {
+    const url = String(input);
+    requests.push({
+      method: init?.method ?? "GET",
+      url,
+      body: init?.body ? JSON.parse(String(init.body)) : undefined,
+    });
+
+    if ((init?.method ?? "GET") === "GET") {
+      return new Response(
+        JSON.stringify({
+          data: {
+            data: {
+              existing_field: "keep-me",
+            },
+          },
+        }),
+        { status: 200 }
+      );
+    }
+
+    return new Response(JSON.stringify({}), { status: 200 });
+  });
+
+  globalThis.fetch = fetchMock as unknown as typeof fetch;
+
+  await upsertVaultSecretFields({
+    path: "prod/providers/clerk",
+    fields: {
+      publishable_key: "pk_live_example",
+      secret_key: "sk_live_example",
+      webhook_secret: "whsec_example",
+    },
+  });
+
+  expect(requests).toEqual([
+    {
+      method: "GET",
+      url: "https://vault.example.com/v1/secret/data/prod/providers/clerk",
+    },
+    {
+      method: "POST",
+      url: "https://vault.example.com/v1/secret/data/prod/providers/clerk",
+      body: {
+        data: {
+          existing_field: "keep-me",
+          publishable_key: "pk_live_example",
+          secret_key: "sk_live_example",
+          webhook_secret: "whsec_example",
+        },
+      },
+    },
+  ]);
+});

package/src/vault.ts

@@ -13,6 +13,14 @@ type VaultSecretOptions = {
   field?: string;
 };
 
+type VaultWriteOptions = {
+  addr?: string;
+  token?: string;
+  mount?: string;
+  path: string;
+  fields: Record<string, string>;
+};
+
 export async function resolveNeonApiKey() {
   const direct = process.env.NEON_API_KEY?.trim();
   if (direct) {
@@ -26,24 +34,59 @@ export async function resolveNeonApiKey() {
 }
 
 export async function readVaultSecret(options: VaultSecretOptions = {}) {
-  const addr = options.addr ?? process.env.VAULT_ADDR?.trim() ?? "";
-  const token = options.token ?? (await resolveVaultToken());
+  const field = options.field?.trim() ?? "value";
+  const payload = await readVaultSecretData(options);
   const mount = options.mount ?? process.env.VAULT_SECRET_MOUNT?.trim() ?? DEFAULT_VAULT_SECRET_MOUNT;
   const path = options.path?.trim() ?? "";
-  const field = options.field?.trim() ?? "value";
-
-  if (!addr || !token || !path) {
-    throw new Error("Vault secret resolution requires VAULT_ADDR, a Vault token, and a secret path");
-  }
-
-  const normalizedAddr = addr.replace(/\/+$/g, "");
   const normalizedMount = mount.replace(/^\/+|\/+$/g, "");
   const normalizedPath = path.replace(/^\/+/g, "");
-  const url = `${normalizedAddr}/v1/${normalizedMount}/data/${normalizedPath}`;
+  const value = payload[field]?.trim();
+  if (!value) {
+    throw new Error(`Vault secret field ${field} is empty at ${normalizedMount}/${normalizedPath}`);
+  }
+
+  return value;
+}
+
+export async function readVaultSecretFields(options: VaultSecretOptions = {}) {
+  return readVaultSecretData(options);
+}
+
+export async function upsertVaultSecretFields(options: VaultWriteOptions) {
+  const connection = await resolveVaultConnection(options);
+  const url = vaultKv2Url(connection);
+
+  const existing = await readVaultSecretData({ ...options, path: connection.normalizedPath }).catch((error) => {
+    if (error instanceof Error && error.message.startsWith("Vault read failed: 404")) {
+      return {};
+    }
+    throw error;
+  });
 
   const response = await fetch(url, {
+    method: "POST",
     headers: {
-      "X-Vault-Token": token,
+      "Content-Type": "application/json",
+      "X-Vault-Token": connection.token,
+    },
+    body: JSON.stringify({
+      data: {
+        ...existing,
+        ...trimFields(options.fields),
+      },
+    }),
+  });
+
+  if (!response.ok) {
+    throw new Error(`Vault write failed: ${response.status} ${response.statusText}`);
+  }
+}
+
+async function readVaultSecretData(options: VaultSecretOptions = {}) {
+  const connection = await resolveVaultConnection(options);
+  const response = await fetch(vaultKv2Url(connection), {
+    headers: {
+      "X-Vault-Token": connection.token,
     },
   });
 
@@ -57,12 +100,31 @@ export async function readVaultSecret(options: VaultSecretOptions = {}) {
     };
   };
 
-  const value = payload.data?.data?.[field]?.trim();
-  if (!value) {
-    throw new Error(`Vault secret field ${field} is empty at ${normalizedMount}/${normalizedPath}`);
+  return payload.data?.data ?? {};
+}
+
+async function resolveVaultConnection(options: Omit<VaultWriteOptions, "fields"> | VaultSecretOptions) {
+  const addr = options.addr ?? process.env.VAULT_ADDR?.trim() ?? "";
+  const token = options.token ?? (await resolveVaultToken());
+  const mount = options.mount ?? process.env.VAULT_SECRET_MOUNT?.trim() ?? DEFAULT_VAULT_SECRET_MOUNT;
+  const path = options.path?.trim() ?? "";
+
+  if (!addr || !token || !path) {
+    throw new Error("Vault secret resolution requires VAULT_ADDR, a Vault token, and a secret path");
   }
 
-  return value;
+  const normalizedAddr = addr.replace(/\/+$/g, "");
+  const normalizedMount = mount.replace(/^\/+|\/+$/g, "");
+  const normalizedPath = path.replace(/^\/+/g, "");
+  return { normalizedAddr, normalizedMount, normalizedPath, token };
+}
+
+function vaultKv2Url(connection: Awaited<ReturnType<typeof resolveVaultConnection>>) {
+  return `${connection.normalizedAddr}/v1/${connection.normalizedMount}/data/${connection.normalizedPath}`;
+}
+
+function trimFields(fields: Record<string, string>) {
+  return Object.fromEntries(Object.entries(fields).map(([key, value]) => [key, value.trim()]));
 }
 
 async function resolveVaultToken() {

package/templates/shared/.github/workflows/ci.yml

@@ -19,4 +19,5 @@ jobs:
       - run: bun install
       - run: bun lint
       - run: bun test
-
+      - if: ${{ vars.GCX_ENABLED == 'true' && github.ref == 'refs/heads/main' }}
+        run: bun run dashboards

package/templates/shared/.github/workflows/deploy.yml

@@ -28,3 +28,5 @@ jobs:
       - run: bun run deploy -- --ci
         env:
           NEON_API_KEY: ${{ secrets.NEON_API_KEY }}
+      - if: ${{ vars.GCX_ENABLED == 'true' }}
+        run: bun run dashboards

package/templates/shared/README.md

@@ -1,23 +1,24 @@
 # {{SERVICE_NAME}}
 
-Generated by `create-svc`.
+Generated by `service create`.
 
 This `{{PROFILE}}` profile targets `{{RUNTIME}} + {{FRAMEWORK}}` on Cloud Run with:
 
 - one generated `service.yaml` manifest
 - a lightweight `{{EXAMPLE_LABEL}}` example surface
 - local Docker Compose Postgres for first-run development
-- a local `svc-cloudrun` CLI for bootstrap, deploy, and cleanup
-- GCP project bootstrap with billing and quota-project-aware `gcloud` calls
-- Neon-backed remote database provisioning during bootstrap and deploy
-- GCS-backed image attachments
-- typed HTTP webhook ingestion
+- the `service` CLI for create, deploy, doctor, dashboards, and destroy
+- GCP project create with billing and quota-project-aware `gcloud` calls
+- Neon-backed remote database provisioning during create and deploy
+- Better Auth client-credentials resource-server registration through `authctl`
+- stage-aware waitlist data and trigger ingestion
+- typed HTTP webhook ingestion where the selected template supports it
 - a production API origin at `https://{{API_HOSTNAME}}`
 
 The default happy path is standalone. Terraform is optional: advanced users can
 precreate shared foundations and point this package at them, but a generated app
 does not need Terraform state, Terraform plans, a control plane, or a platform
-console to bootstrap and deploy.
+console to create and deploy.
 
 ## Commands
 
@@ -29,6 +30,8 @@ console to bootstrap and deploy.
 {{COMMAND_TEST}}
 {{COMMAND_BOOTSTRAP}}
 {{COMMAND_DEPLOY}}
+{{COMMAND_AUTH_RESOURCE}}
+{{COMMAND_AUTH_CLIENT}}
 {{COMMAND_DEPLOY_PERSONAL}}
 {{COMMAND_DEPLOY_DESTROY}}
 {{COMMAND_CLEANUP}}
@@ -42,7 +45,6 @@ The scaffold writes a ready-to-use `.env.local` and includes a local Postgres se
 First local run:
 
 ```bash
-docker compose up -d
 {{COMMAND_MIGRATE}}
 {{COMMAND_DEV}}
 ```
@@ -50,21 +52,21 @@ docker compose up -d
 Local runtime uses:
 
 - `DATABASE_URL` from `.env.local`, pointed at Docker Compose Postgres
-- `ATTACHMENT_BUCKET`
-- `ATTACHMENT_PUBLIC_BASE_URL`
+- `{{COMMAND_MIGRATE}}` and `{{COMMAND_DEV}}`, which open Docker Desktop if needed, wait for Docker readiness, and start Docker Compose Postgres
+- `TEMPORAL_ENABLED=false` by default; set Temporal env vars locally only when you want to run against a real Temporal server
 
-The local attachment settings are generated so startup works out of the box. Attachment upload endpoints still rely on GCS credentials when you exercise signed-upload flows locally.
+No cloud credentials are required for local HTTP development after Docker and Postgres are running.
 
 ## Remote provisioning
 
 The generated Cloud Run config lives in [scripts/cloudrun/config.ts](scripts/cloudrun/config.ts).
 
-Bootstrap, deploy, and cleanup use:
+Create, deploy, and destroy use:
 
 - known-good CLIs first, especially `gcloud`
 - `gcloud`
 - `NEON_API_KEY`, or a working Vault login via `VAULT_ADDR` plus `VAULT_TOKEN`, `VAULT_TOKEN_FILE`, or `~/.vault-token`
-- the package-local CLI via `npx --no-install svc-cloudrun ...`
+- the repo-aware `service` CLI from this package
 
 Local provisioning intentionally prefers known-good CLIs over SDKs for Google Cloud operations.
 
@@ -82,6 +84,12 @@ gcloud auth application-default login
 
 The generated backend scripts still use `gcloud` as the primary control plane even when ADC is present.
 
+Go variants use Atlas for migrations:
+
+```bash
+atlas version
+```
+
 For the Neon admin credential, prefer a normal Vault login flow:
 
 ```bash
@@ -96,36 +104,110 @@ The scaffold will use, in order:
 
 That keeps stable settings in the repo and keeps the token out of `~/.zshrc`.
 
+For production auth registration, `authctl` also needs the auth service's
+Cloudflare Access service token:
+
+```bash
+export AUTH_INTERNAL_BASE_URL="$(vault kv get -mount=secret -field=AUTH_INTERNAL_BASE_URL prod/apps/auth/authctl/cloudflare-access)"
+export CLOUDFLARE_ACCESS_SERVICE_TOKEN_CLIENT_ID="$(vault kv get -mount=secret -field=CLOUDFLARE_ACCESS_SERVICE_TOKEN_CLIENT_ID prod/apps/auth/authctl/cloudflare-access)"
+export CLOUDFLARE_ACCESS_SERVICE_TOKEN_CLIENT_SECRET="$(vault kv get -mount=secret -field=CLOUDFLARE_ACCESS_SERVICE_TOKEN_CLIENT_SECRET prod/apps/auth/authctl/cloudflare-access)"
+```
+
+Before first production create, verify the installed `authctl` exposes the
+resource-server control-plane command:
+
+```bash
+{{COMMAND_AUTH_RESOURCE}} --help
+```
+
+If this fails with `authctl is installed but does not expose resource-server
+commands`, make sure the generated package installed `@anmho/authctl@0.1.1` or
+newer before running `{{COMMAND_BOOTSTRAP}}`.
+
 Optional remote-only Vault overrides for Neon admin key lookup:
 
 - `VAULT_SECRET_MOUNT` default `secret`
 - `VAULT_NEON_API_KEY_PATH` default `prod/providers/neon`
 - `VAULT_NEON_API_KEY_FIELD` default `api_key`
 
-The generator only stores application-facing connection material in Secret Manager. Neon admin credentials stay local to bootstrap and deploy.
+The generator only stores application-facing connection material in Secret Manager. Neon admin credentials stay local to create and deploy.
+
+## Temporal
+
+Cloud Run variants include an in-process Temporal worker in the service process.
+Production Temporal is enabled when you set `TEMPORAL_ENABLED=true`, or when
+`TEMPORAL_ADDRESS`, `TEMPORAL_API_KEY`, or `TEMPORAL_API_KEY_SECRET` is present
+during deploy rendering.
+
+For Temporal Cloud, provide:
 
-For attachments, the generated Cloud Run manifest injects:
+```bash
+TEMPORAL_ENABLED=true
+TEMPORAL_ADDRESS=<namespace>.<account>.tmprl.cloud:7233
+TEMPORAL_NAMESPACE=<namespace>.<account>
+TEMPORAL_API_KEY=<one-time local value for service create>
+```
+
+`service create` writes `TEMPORAL_API_KEY` to Secret Manager as
+`{{SERVICE_ID}}-temporal-api-key` and grants the runtime service account access.
+Later deploys can set `TEMPORAL_API_KEY_SECRET={{SERVICE_ID}}-temporal-api-key`
+without exposing the key locally.
+
+## Service auth
+
+Generated services are resource servers for the Better Auth client-credentials
+server at `https://auth.anmho.com`.
+
+`service create` registers this service as an auth resource server through
+`authctl` before the first production deploy. The generated resource server is:
+
+- id: `{{SERVICE_ID}}`
+- audience: `api://{{SERVICE_ID}}`
+- default scopes: `{{SERVICE_ID}}:read`, `{{SERVICE_ID}}:write`
+
+Production runtime has `AUTH_ENABLED=true` and verifies JWT bearer tokens from
+the Better Auth JWKS endpoint on `/v1/*` and ConnectRPC service paths. Local
+development defaults to `AUTH_ENABLED=false` in `.env.local`.
 
-- `ATTACHMENT_BUCKET`
-- `ATTACHMENT_PUBLIC_BASE_URL`
+Use `service auth` for follow-up auth operations:
 
-Webhook signature hooks are provider-specific and optional in v1. The generic adapter will honor:
+```bash
+{{COMMAND_BOOTSTRAP}} # includes resource-server registration
+{{COMMAND_AUTH_RESOURCE}}
+{{COMMAND_AUTH_CLIENT}} --resource-server <target-service> --scope <scope>
+```
+
+`authctl clients create` prints a one-time client secret plus the recommended
+Vault command. By convention, generated services store outgoing service-client
+credentials under:
+
+```text
+prod/apps/{{SERVICE_ID}}/server/oauth-clients/<resource_server_id>
+```
+
+When requesting a client-credentials token for a generated service, include the
+target resource server as `resource=api://<resource_server_id>`. The generated
+runtime expects a JWT with that audience; omitting `resource` can return an
+opaque access token that the service will reject.
+
+Webhook signature hooks are provider-specific and optional in v1. Add provider
+secrets only when you add a provider adapter. A generic adapter can honor:
 
 - `WEBHOOK_<PROVIDER>_SECRET`
 
-## One-command production bootstrap
+## One-command production create
 
-The one-command production bootstrap path is designed for a fresh standalone service.
+The one-command production create path is designed for a fresh standalone service.
 
-When generated through `create-svc` with `--bootstrap`, the intended flow is:
+The intended one-command flow is:
 
 ```bash
-bun create svc {{SERVICE_NAME}} --bootstrap --yes
+service create {{SERVICE_NAME}} --yes
 ```
 
-That command scaffolds this package, runs bootstrap, deploys the production
-Cloud Run service, and fails loudly with resumable instructions if a required
-cloud or provider credential is missing. The generated package can also be run
+That command scaffolds this package, runs `service create`, deploys the production
+Cloud Run service through `service deploy`, and fails loudly with resumable
+instructions if a required cloud credential is missing. The generated package can also be run
 manually:
 
 ```bash
@@ -133,9 +215,9 @@ manually:
 {{COMMAND_DEPLOY}}
 ```
 
-Bootstrap reads provider credentials from environment variables or from Vault
-when `VAULT_ADDR` and a Vault token are available. Runtime secrets are delivered
-to Cloud Run through app-project Secret Manager.
+Create reads Neon credentials from environment variables or from Vault when
+`VAULT_ADDR` and a Vault token are available. Runtime database credentials are
+delivered to Cloud Run through app-project Secret Manager.
 
 ## Production API
 
@@ -153,28 +235,23 @@ The generated microservice profile is a waitlist/launch service example. It is
 kept deliberately small so the integration plumbing is easy to remove or adapt:
 
 - public launch/waitlist submission
-- protected admin APIs
-- logo or social-image upload plumbing
-- provider webhook ingestion
-- Pro entitlement checks for paid capabilities
-
-The current backend plumbing includes:
+- status lookup
+- trigger ingestion for scheduled, webhook, and manual follow-up work
+- provider webhook ingress where the selected template supports it
 
-- `users`
-- `conversations`
-- `conversation_participants`
-- `messages`
-- `attachments`
-- `webhook_events`
+The current Hono backend plumbing includes:
 
-HTTP variants expose REST endpoints for chat CRUD, attachment upload/finalize, and `/webhooks/:provider`.
+- `waitlist_entries`
+- `waitlist_triggers`
 
-ConnectRPC variants expose typed unary chat and attachment RPCs, while keeping webhook ingress on plain HTTP.
+Hono variants expose:
 
-Transcript reads are newest-first and cursor-paginated:
+- `POST /v1/waitlist`
+- `GET /v1/waitlist?email=...`
+- `GET /v1/waitlist/{entryId}`
+- `POST /v1/triggers/waitlist`
+- `POST /webhooks/:provider`
 
-- REST: `GET /v1/conversations/{conversationId}/messages?cursor=...&limit=...`
-- ConnectRPC: `ListMessages(conversation_id, cursor, limit)`
-- default page size `50`, max page size `100`
-- message payloads include lightweight attachment metadata only
+ConnectRPC variants expose typed unary waitlist RPCs and will usually be the
+first place to adapt domain-specific contracts after scaffold.
 {{LOCAL_INTROSPECTION_NOTE}}

package/templates/shared/grafana/alerts.yaml

@@ -0,0 +1,54 @@
+apiVersion: 1
+groups:
+  - orgId: 1
+    name: "{{SERVICE_NAME}} baseline"
+    folder: "create-service"
+    interval: 1m
+    rules:
+      - uid: "{{SERVICE_ID}}-high-error-rate"
+        title: "{{SERVICE_NAME}} high error rate"
+        condition: C
+        data:
+          - refId: A
+            relativeTimeRange:
+              from: 600
+              to: 0
+            datasourceUid: "${datasource}"
+            model:
+              expr: "sum(rate(http_requests_total{service=\"{{SERVICE_NAME}}\",status=~\"5..\"}[5m]))"
+              intervalMs: 1000
+              maxDataPoints: 43200
+              refId: A
+          - refId: C
+            relativeTimeRange:
+              from: 600
+              to: 0
+            datasourceUid: __expr__
+            model:
+              conditions:
+                - evaluator:
+                    params: [0.05]
+                    type: gt
+                  operator:
+                    type: and
+                  query:
+                    params: [A]
+                  reducer:
+                    type: last
+                  type: query
+              datasource:
+                type: __expr__
+                uid: __expr__
+              expression: A
+              intervalMs: 1000
+              maxDataPoints: 43200
+              refId: C
+              type: threshold
+        noDataState: NoData
+        execErrState: Error
+        for: 5m
+        annotations:
+          summary: "{{SERVICE_NAME}} 5xx rate is elevated"
+        labels:
+          service_id: "{{SERVICE_ID}}"
+          target: "{{TARGET}}"

package/templates/shared/grafana/waitlist-dashboard.json

@@ -0,0 +1,63 @@
+{
+  "uid": "{{SERVICE_ID}}-waitlist",
+  "title": "{{SERVICE_NAME}} Waitlist Service",
+  "tags": ["create-service", "{{TARGET}}", "{{RUNTIME}}", "{{FRAMEWORK}}"],
+  "timezone": "browser",
+  "schemaVersion": 39,
+  "version": 1,
+  "refresh": "30s",
+  "panels": [
+    {
+      "id": 1,
+      "type": "timeseries",
+      "title": "Request rate",
+      "datasource": { "type": "prometheus", "uid": "${datasource}" },
+      "targets": [
+        {
+          "refId": "A",
+          "expr": "sum(rate(http_requests_total{service=\"{{SERVICE_NAME}}\"}[5m]))"
+        }
+      ],
+      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 0 }
+    },
+    {
+      "id": 2,
+      "type": "timeseries",
+      "title": "Error rate",
+      "datasource": { "type": "prometheus", "uid": "${datasource}" },
+      "targets": [
+        {
+          "refId": "A",
+          "expr": "sum(rate(http_requests_total{service=\"{{SERVICE_NAME}}\",status=~\"5..\"}[5m]))"
+        }
+      ],
+      "gridPos": { "h": 8, "w": 12, "x": 12, "y": 0 }
+    },
+    {
+      "id": 3,
+      "type": "timeseries",
+      "title": "p95 latency",
+      "datasource": { "type": "prometheus", "uid": "${datasource}" },
+      "targets": [
+        {
+          "refId": "A",
+          "expr": "histogram_quantile(0.95, sum(rate(http_request_duration_seconds_bucket{service=\"{{SERVICE_NAME}}\"}[5m])) by (le))"
+        }
+      ],
+      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 8 }
+    },
+    {
+      "id": 4,
+      "type": "stat",
+      "title": "Queued triggers",
+      "datasource": { "type": "prometheus", "uid": "${datasource}" },
+      "targets": [
+        {
+          "refId": "A",
+          "expr": "sum(waitlist_triggers_queued{service=\"{{SERVICE_NAME}}\"})"
+        }
+      ],
+      "gridPos": { "h": 8, "w": 12, "x": 12, "y": 8 }
+    }
+  ]
+}