npm - create-svc - Versions diffs - 0.1.10 → 0.1.12 - Mend

create-svc 0.1.10 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (171) hide show

package/README.md +51 -47
package/index.ts +2 -2
package/package.json +10 -9
package/src/cli.test.ts +28 -10
package/src/cli.ts +196 -33
package/src/git-bootstrap.test.ts +40 -0
package/src/git-bootstrap.ts +110 -0
package/src/naming.test.ts +1 -0
package/src/naming.ts +23 -0
package/src/post-scaffold.test.ts +19 -0
package/src/post-scaffold.ts +17 -4
package/src/profiles.ts +2 -5
package/src/scaffold.test.ts +232 -41
package/src/scaffold.ts +81 -36
package/src/service.test.ts +30 -0
package/src/service.ts +65 -0
package/src/vault.test.ts +61 -1
package/src/vault.ts +77 -15
package/templates/shared/.github/workflows/ci.yml +2 -1
package/templates/shared/.github/workflows/deploy.yml +2 -0
package/templates/shared/README.md +124 -47
package/templates/shared/grafana/alerts.yaml +54 -0
package/templates/shared/grafana/waitlist-dashboard.json +63 -0
package/templates/shared/scripts/authctl.ts +231 -0
package/templates/shared/scripts/cloudrun/bootstrap.ts +14 -5
package/templates/shared/scripts/cloudrun/cleanup.ts +64 -4
package/templates/shared/scripts/cloudrun/cli.ts +329 -7
package/templates/shared/scripts/cloudrun/config.ts +11 -4
package/templates/shared/scripts/cloudrun/deploy.ts +0 -4
package/templates/shared/scripts/cloudrun/lib.ts +174 -41
package/templates/shared/scripts/cloudrun/neon.ts +45 -0
package/templates/shared/scripts/dev.ts +22 -0
package/templates/shared/scripts/ensure-local-db.ts +3 -0
package/templates/shared/scripts/local-docker.ts +63 -0
package/templates/shared/scripts/local-env.ts +27 -0
package/templates/shared/scripts/seed.ts +73 -0
package/templates/shared/scripts/wait-for-db.ts +32 -0
package/templates/shared/service.config.ts +59 -0
package/templates/shared/service.yaml +24 -44
package/templates/targets/workers/.github/workflows/ci.yml +19 -0
package/templates/targets/workers/.github/workflows/deploy.yml +19 -0
package/templates/targets/workers/Makefile +33 -0
package/templates/targets/workers/README.md +75 -0
package/templates/targets/workers/package.json +35 -0
package/templates/targets/workers/scripts/workers/cli.ts +402 -0
package/templates/targets/workers/src/auth.ts +178 -0
package/templates/targets/workers/src/index.ts +198 -0
package/templates/targets/workers/src/storage.ts +370 -0
package/templates/targets/workers/test/app.test.ts +108 -0
package/templates/targets/workers/tsconfig.json +11 -0
package/templates/targets/workers/wrangler.toml +24 -0
package/templates/variants/bun-connectrpc/Makefile +14 -8
package/templates/variants/bun-connectrpc/gen/protos/waitlist/v1/waitlist_pb.ts +424 -0
package/templates/variants/bun-connectrpc/migrations/0000_init.sql +12 -55
package/templates/variants/bun-connectrpc/package.json +12 -5
package/templates/variants/bun-connectrpc/protos/waitlist/v1/waitlist.proto +91 -0
package/templates/variants/bun-connectrpc/scripts/codegen.ts +1 -1
package/templates/variants/bun-connectrpc/scripts/migrate.ts +4 -1
package/templates/variants/bun-connectrpc/src/auth.ts +200 -0
package/templates/variants/bun-connectrpc/src/db/repository.ts +67 -420
package/templates/variants/bun-connectrpc/src/db/schema.ts +15 -64
package/templates/variants/bun-connectrpc/src/index.ts +76 -176
package/templates/variants/bun-connectrpc/src/temporal/activities.ts +14 -0
package/templates/variants/bun-connectrpc/src/temporal/worker.ts +38 -0
package/templates/variants/bun-connectrpc/src/temporal/workflows.ts +10 -0
package/templates/variants/bun-connectrpc/src/waitlist/service.ts +172 -0
package/templates/variants/bun-connectrpc/src/waitlist/types.ts +45 -0
package/templates/variants/bun-connectrpc/test/app.test.ts +4 -4
package/templates/variants/bun-connectrpc/test/waitlist.integration.test.ts +71 -0
package/templates/variants/bun-hono/Makefile +14 -8
package/templates/variants/bun-hono/migrations/0000_init.sql +12 -55
package/templates/variants/bun-hono/package.json +12 -5
package/templates/variants/bun-hono/scripts/migrate.ts +4 -1
package/templates/variants/bun-hono/src/auth.ts +181 -0
package/templates/variants/bun-hono/src/db/repository.ts +68 -421
package/templates/variants/bun-hono/src/db/schema.ts +15 -64
package/templates/variants/bun-hono/src/index.ts +65 -180
package/templates/variants/bun-hono/src/temporal/activities.ts +14 -0
package/templates/variants/bun-hono/src/temporal/worker.ts +38 -0
package/templates/variants/bun-hono/src/temporal/workflows.ts +10 -0
package/templates/variants/bun-hono/src/waitlist/service.ts +166 -0
package/templates/variants/bun-hono/src/waitlist/types.ts +50 -0
package/templates/variants/bun-hono/test/app.test.ts +72 -41
package/templates/variants/bun-hono/test/waitlist.integration.test.ts +102 -0
package/templates/variants/go-chi/Makefile +27 -11
package/templates/variants/go-chi/atlas.hcl +8 -0
package/templates/variants/go-chi/cmd/server/main.go +21 -10
package/templates/variants/go-chi/go.mod +1 -3
package/templates/variants/go-chi/internal/app/service.go +202 -685
package/templates/variants/go-chi/internal/auth/middleware.go +289 -0
package/templates/variants/go-chi/internal/auth/middleware_test.go +38 -0
package/templates/variants/go-chi/internal/config/config.go +27 -11
package/templates/variants/go-chi/internal/httpapi/routes.go +78 -157
package/templates/variants/go-chi/internal/httpapi/waitlist_integration_test.go +199 -0
package/templates/variants/go-chi/internal/temporal/activities.go +27 -0
package/templates/variants/go-chi/internal/temporal/worker.go +42 -0
package/templates/variants/go-chi/internal/temporal/workflows.go +18 -0
package/templates/variants/go-chi/migrations/0000_init.sql +12 -55
package/templates/variants/go-chi/migrations/atlas.sum +2 -0
package/templates/variants/go-chi/package.json +7 -1
package/templates/variants/go-connectrpc/Makefile +26 -9
package/templates/variants/go-connectrpc/atlas.hcl +8 -0
package/templates/variants/go-connectrpc/buf.gen.yaml +2 -2
package/templates/variants/go-connectrpc/cmd/server/main.go +23 -12
package/templates/variants/go-connectrpc/gen/waitlist/v1/waitlist.pb.go +960 -0
package/templates/variants/go-connectrpc/gen/waitlist/v1/waitlistv1connect/waitlist.connect.go +283 -0
package/templates/variants/go-connectrpc/go.mod +1 -1
package/templates/variants/go-connectrpc/internal/app/service.go +202 -685
package/templates/variants/go-connectrpc/internal/auth/middleware.go +289 -0
package/templates/variants/go-connectrpc/internal/auth/middleware_test.go +38 -0
package/templates/variants/go-connectrpc/internal/config/config.go +27 -11
package/templates/variants/go-connectrpc/internal/connectapi/handler.go +78 -201
package/templates/variants/go-connectrpc/internal/connectapi/waitlist_integration_test.go +122 -0
package/templates/variants/go-connectrpc/internal/httpapi/routes.go +147 -9
package/templates/variants/go-connectrpc/internal/temporal/activities.go +27 -0
package/templates/variants/go-connectrpc/internal/temporal/worker.go +42 -0
package/templates/variants/go-connectrpc/internal/temporal/workflows.go +18 -0
package/templates/variants/go-connectrpc/migrations/0000_init.sql +12 -55
package/templates/variants/go-connectrpc/migrations/atlas.sum +2 -0
package/templates/variants/go-connectrpc/package.json +7 -1
package/templates/variants/go-connectrpc/protos/waitlist/v1/waitlist.proto +93 -0
package/templates/root/.github/workflows/buf-publish.yml +0 -19
package/templates/root/.github/workflows/ci.yml +0 -26
package/templates/root/.github/workflows/deploy.yml +0 -22
package/templates/root/Dockerfile +0 -23
package/templates/root/README.md +0 -69
package/templates/root/buf.gen.yaml +0 -10
package/templates/root/buf.yaml +0 -9
package/templates/root/cmd/server/main.go +0 -44
package/templates/root/gen/dns/v1/dns.pb.go +0 -623
package/templates/root/gen/dns/v1/dnsv1connect/dns.connect.go +0 -192
package/templates/root/go.mod +0 -10
package/templates/root/internal/app/service.go +0 -152
package/templates/root/internal/app/token_source.go +0 -50
package/templates/root/internal/cloudflare/client.go +0 -160
package/templates/root/internal/config/config.go +0 -55
package/templates/root/internal/connectapi/handler.go +0 -79
package/templates/root/internal/httpapi/routes.go +0 -93
package/templates/root/internal/vault/client.go +0 -148
package/templates/root/package.json +0 -12
package/templates/root/protos/dns/v1/dns.proto +0 -58
package/templates/root/scripts/cloudrun/bootstrap.ts +0 -65
package/templates/root/scripts/cloudrun/config.ts +0 -50
package/templates/root/scripts/cloudrun/deploy.ts +0 -41
package/templates/root/scripts/cloudrun/lib.ts +0 -244
package/templates/root/service.yaml +0 -50
package/templates/root/test/go.test.ts +0 -19
package/templates/shared/scripts/cloudrun/integrations.ts +0 -111
package/templates/variants/bun-connectrpc/gen/protos/chat/v1/chat_pb.ts +0 -1078
package/templates/variants/bun-connectrpc/protos/chat/v1/chat.proto +0 -228
package/templates/variants/bun-connectrpc/src/chat/service.ts +0 -384
package/templates/variants/bun-connectrpc/src/chat/types.ts +0 -142
package/templates/variants/bun-connectrpc/src/storage.ts +0 -72
package/templates/variants/bun-connectrpc/src/webhooks.ts +0 -35
package/templates/variants/bun-connectrpc/test/list-messages.integration.test.ts +0 -182
package/templates/variants/bun-hono/src/chat/service.ts +0 -384
package/templates/variants/bun-hono/src/chat/types.ts +0 -142
package/templates/variants/bun-hono/src/storage.ts +0 -72
package/templates/variants/bun-hono/src/webhooks.ts +0 -35
package/templates/variants/bun-hono/test/list-messages.integration.test.ts +0 -256
package/templates/variants/go-chi/buf.gen.yaml +0 -12
package/templates/variants/go-chi/buf.yaml +0 -9
package/templates/variants/go-chi/cmd/migrate/main.go +0 -101
package/templates/variants/go-chi/internal/httpapi/list_messages_integration_test.go +0 -298
package/templates/variants/go-chi/protos/chat/v1/chat.proto +0 -219
package/templates/variants/go-connectrpc/cmd/migrate/main.go +0 -101
package/templates/variants/go-connectrpc/gen/chat/v1/chat.pb.go +0 -2512
package/templates/variants/go-connectrpc/gen/chat/v1/chatv1connect/chat.connect.go +0 -571
package/templates/variants/go-connectrpc/internal/connectapi/list_messages_integration_test.go +0 -216
package/templates/variants/go-connectrpc/protos/chat/v1/chat.proto +0 -232
/package/bin/{create-svc.mjs → service.mjs} +0 -0

package/templates/targets/workers/scripts/workers/cli.ts ADDED Viewed

@@ -0,0 +1,402 @@
+#!/usr/bin/env bun
+import { confirm, intro, isCancel, log, outro } from "@clack/prompts";
+import { createApiClient } from "@neondatabase/api-client";
+import { Client } from "pg";
+import { ensureAuthResourceServer, runAuthCommand, runAuthDoctor } from "../authctl";
+const config = {
+  serviceName: "{{SERVICE_NAME}}",
+  hostname: "{{API_HOSTNAME}}",
+  neonDatabaseName: "{{NEON_DATABASE_NAME}}",
+  neonRoleName: "neondb_owner",
+};
+type DoctorStatus = "pass" | "warn" | "fail";
+async function main(argv = Bun.argv.slice(2)) {
+  const [command, ...rest] = argv;
+  if (!command || command === "--help" || command === "-h" || command === "help") {
+    console.log("Usage: service <create|deploy|migrate|seed|dashboards|dns|doctor|destroy|auth|sdk> [args]");
+    return;
+  }
+  if (command === "create") {
+    return runMain("Create", async () => {
+      ensureAuthResourceServer();
+      const databaseUrl = await resolveDatabaseUrl();
+      await applySchema(databaseUrl);
+      await ensureHyperdrive(databaseUrl);
+      run("wrangler", ["deploy"]);
+      return `Created https://${config.hostname}`;
+    });
+  }
+  if (command === "deploy") {
+    return runMain("Deploy", () => {
+      run("wrangler", ["deploy", ...rest]);
+      return `Deployed https://${config.hostname}`;
+    });
+  }
+  if (command === "migrate") {
+    return runMain("Migrate", async () => {
+      await applySchema(await resolveDatabaseUrl());
+      return "Workers database schema applied";
+    });
+  }
+  if (command === "seed") {
+    return runMain("Seed", () => "Seed data is not configured");
+  }
+  if (command === "dashboards") {
+    return runMain("Dashboards", () => {
+      run("gcx", ["dev", "lint", "run", "./grafana", "-o", "compact"]);
+      run("gcx", ["resources", "push", "--path", "./grafana"]);
+      return "Dashboards pushed";
+    });
+  }
+  if (command === "dns") {
+    return runMain("DNS", () => `Workers custom domain is configured in wrangler.toml for ${config.hostname}`);
+  }
+  if (command === "doctor") {
+    return runMain("Doctor", () => runDoctor());
+  }
+  if (command === "auth") {
+    return runMain("Auth", () => runAuthCommand(rest));
+  }
+  if (command === "destroy") {
+    return runMain("Destroy", async () => {
+      await requireDestroyConfirmation(rest.includes("--force"));
+      const wranglerArgs = rest.filter((arg) => arg !== "--force");
+      await deleteHyperdrive();
+      run("wrangler", ["delete", "--name", config.serviceName, "--force", ...wranglerArgs]);
+      await deleteNeonDatabase();
+      await deleteGrafanaResources();
+      return `Destroyed ${config.serviceName}`;
+    });
+  }
+  if (command === "sdk") {
+    throw new Error("SDK commands are only available for ConnectRPC services");
+  }
+  throw new Error("Usage: service <create|deploy|migrate|seed|dashboards|dns|doctor|destroy|auth|sdk> [args]");
+}
+function run(command: string, args: string[], options: { allowFailure?: boolean; capture?: boolean } = {}) {
+  if (!Bun.which(command)) {
+    throw new Error(`missing required command: ${command}`);
+  }
+  const result = Bun.spawnSync([command, ...args], {
+    cwd: process.cwd(),
+    env: process.env,
+    stdin: "inherit",
+    stdout: options.capture ? "pipe" : "inherit",
+    stderr: options.capture ? "pipe" : "inherit",
+  });
+  if (!result.success && !options.allowFailure) {
+    throw new Error(`${command} ${args.join(" ")} failed with exit code ${result.exitCode}`);
+  }
+  return result;
+}
+async function ensureHyperdrive(databaseUrl?: string) {
+  const configPath = "./wrangler.toml";
+  const text = await Bun.file(configPath).text();
+  if (!text.includes('binding = "HYPERDRIVE"')) {
+    return;
+  }
+  if (!text.includes('id = ""')) {
+    return;
+  }
+  const resolvedDatabaseUrl = databaseUrl ?? (await resolveDatabaseUrl());
+  const result = run("wrangler", ["hyperdrive", "create", `${config.serviceName}-hyperdrive`, "--connection-string", resolvedDatabaseUrl], {
+    capture: true,
+  });
+  const output = `${result.stdout ? new TextDecoder().decode(result.stdout) : ""}\n${result.stderr ? new TextDecoder().decode(result.stderr) : ""}`;
+  const hyperdriveId = extractHyperdriveId(output);
+  if (!hyperdriveId) {
+    throw new Error(`Could not find Hyperdrive id in wrangler output:\n${output.trim()}`);
+  }
+  await Bun.write(configPath, text.replace('id = ""', `id = "${hyperdriveId}"`));
+}
+function extractHyperdriveId(output: string) {
+  const jsonMatch = output.match(/"id"\s*:\s*"([^"]+)"/);
+  if (jsonMatch?.[1]) {
+    return jsonMatch[1];
+  }
+  const tomlMatch = output.match(/id\s*=\s*"([^"]+)"/);
+  return tomlMatch?.[1];
+}
+async function deleteHyperdrive() {
+  const text = await Bun.file("./wrangler.toml").text();
+  const id = text.match(/binding\s*=\s*"HYPERDRIVE"[\s\S]*?id\s*=\s*"([^"]+)"/)?.[1];
+  if (!id) {
+    return;
+  }
+  run("wrangler", ["hyperdrive", "delete", id, "--force"], { allowFailure: true });
+}
+async function resolveDatabaseUrl() {
+  const direct = Bun.env.DATABASE_URL?.trim();
+  if (direct) {
+    return direct;
+  }
+  const apiKey = Bun.env.NEON_API_KEY?.trim();
+  if (!apiKey) {
+    throw new Error("DATABASE_URL or NEON_API_KEY is required to provision the Hyperdrive binding");
+  }
+  const { neon, projectId, branchId } = await resolveNeonTarget(apiKey);
+  try {
+    await neon.getProjectBranchDatabase(projectId, branchId, config.neonDatabaseName);
+  } catch (error) {
+    const status = (error as { response?: { status?: number } })?.response?.status;
+    if (status !== 404) {
+      throw error;
+    }
+    await neon.createProjectBranchDatabase(projectId, branchId, {
+      database: {
+        name: config.neonDatabaseName,
+        owner_name: config.neonRoleName,
+      },
+    });
+  }
+  const uriPayload = await neon.getConnectionUri({
+    projectId,
+    branch_id: branchId,
+    database_name: config.neonDatabaseName,
+    role_name: config.neonRoleName,
+  });
+  const uri = (uriPayload.data as { uri?: string } | undefined)?.uri;
+  if (!uri) {
+    throw new Error(`Neon did not return a connection URI for ${config.neonDatabaseName}`);
+  }
+  return uri;
+}
+async function resolveNeonTarget(apiKey: string) {
+  const neon = createApiClient({ apiKey });
+  const projectsPayload = await neon.listProjects({ limit: 100 });
+  const projects = ((projectsPayload.data as { projects?: Array<{ id?: string }> } | undefined)?.projects ?? []).filter((project) => project.id);
+  const project = projects[0];
+  if (!project?.id) {
+    throw new Error("No Neon projects are available for Workers provisioning");
+  }
+  const branchesPayload = await neon.listProjectBranches({ projectId: project.id });
+  const branches = ((branchesPayload.data as { branches?: Array<{ id?: string; name?: string }> } | undefined)?.branches ?? []).filter(
+    (branch) => branch.id
+  );
+  const branch = branches.find((candidate) => candidate.name === "main") ?? branches[0];
+  if (!branch?.id) {
+    throw new Error(`No Neon branches are available in project ${project.id}`);
+  }
+  return { neon, projectId: project.id, branchId: branch.id };
+}
+async function deleteNeonDatabase() {
+  const apiKey = Bun.env.NEON_API_KEY?.trim();
+  if (!apiKey) {
+    log.step("Skipping Neon database deletion because NEON_API_KEY is not set");
+    return;
+  }
+  const { neon, projectId, branchId } = await resolveNeonTarget(apiKey);
+  try {
+    await neon.getProjectBranchDatabase(projectId, branchId, config.neonDatabaseName);
+  } catch (error) {
+    const status = (error as { response?: { status?: number } })?.response?.status;
+    if (status === 404) {
+      return;
+    }
+    throw error;
+  }
+  const payload = await neon.getProjectBranchDatabase(projectId, branchId, config.neonDatabaseName);
+  const database = (payload.data as { database?: { name?: string; owner_name?: string } } | undefined)?.database;
+  if (database?.name !== config.neonDatabaseName || (database.owner_name && database.owner_name !== config.neonRoleName)) {
+    throw new Error(`Refusing to delete Neon database ${database?.name ?? config.neonDatabaseName}; ownership metadata does not match`);
+  }
+  await neon.deleteProjectBranchDatabase(projectId, branchId, config.neonDatabaseName);
+}
+async function deleteGrafanaResources() {
+  if (!(await Bun.file("./grafana").exists())) {
+    return;
+  }
+  if (!Bun.which("gcx")) {
+    log.step("Skipping Grafana deletion because gcx is not installed");
+    return;
+  }
+  run("gcx", ["resources", "delete", "--path", "./grafana", "--yes", "--on-error", "ignore"], { allowFailure: true });
+}
+async function applySchema(databaseUrl: string) {
+  const client = new Client({ connectionString: databaseUrl });
+  await client.connect();
+  try {
+    await client.query(`
+create table if not exists waitlist_entries (
+  id text primary key,
+  email text not null unique,
+  name text,
+  company text,
+  source text,
+  status text not null default 'joined',
+  created_at timestamptz not null default now(),
+  updated_at timestamptz not null default now()
+);
+create table if not exists waitlist_triggers (
+  id text primary key,
+  type text not null,
+  entry_id text references waitlist_entries(id) on delete set null,
+  status text not null default 'queued',
+  payload_json text not null default '{}',
+  created_at timestamptz not null default now(),
+  processed_at timestamptz
+);
+create index if not exists waitlist_triggers_status_created_idx
+  on waitlist_triggers (status, created_at);
+`);
+  } finally {
+    await client.end();
+  }
+}
+async function runDoctor() {
+  const results: Array<{ name: string; status: DoctorStatus; detail: string }> = [];
+  await record(results, "bun CLI", "fail", () => checkCommand("bun"));
+  await record(results, "wrangler CLI", "fail", () => checkCommand("wrangler"));
+  await record(results, "wrangler auth", "fail", () => {
+    run("wrangler", ["whoami"]);
+    return "authenticated";
+  });
+  await record(results, "wrangler.toml", "fail", async () => {
+    const text = await Bun.file("./wrangler.toml").text();
+    if (!text.includes(`name = "${config.serviceName}"`)) {
+      throw new Error(`wrangler.toml does not name ${config.serviceName}`);
+    }
+    if (!text.includes(`pattern = "${config.hostname}/*"`)) {
+      throw new Error(`wrangler.toml does not route ${config.hostname}`);
+    }
+    return "name and custom domain route configured";
+  });
+  await record(results, "Cron Trigger", "fail", async () => {
+    const text = await Bun.file("./wrangler.toml").text();
+    if (!text.includes("[triggers]") || !text.includes("crons")) {
+      throw new Error("wrangler.toml is missing a cron trigger");
+    }
+    return "cron trigger configured";
+  });
+  await record(results, "Hyperdrive binding", "warn", async () => {
+    const text = await Bun.file("./wrangler.toml").text();
+    if (!text.includes('binding = "HYPERDRIVE"')) {
+      throw new Error("HYPERDRIVE binding is missing");
+    }
+    if (text.includes('id = ""')) {
+      throw new Error("HYPERDRIVE id is not provisioned yet");
+    }
+    return "Hyperdrive binding has an id";
+  });
+  await record(results, "dashboard tooling", "warn", () => checkCommand("gcx"));
+  await record(results, "dashboard artifacts", "warn", async () => {
+    if (!(await Bun.file("./grafana").exists()) && !(await Bun.file("./dashboards").exists())) {
+      throw new Error("no grafana/ or dashboards/ directory found");
+    }
+    return "dashboard directory found";
+  });
+  await record(results, "authctl", "warn", () => runAuthDoctor().detail);
+  await record(results, "deployed health", "warn", async () => {
+    const response = await fetch(`https://${config.hostname}/healthz`, { signal: AbortSignal.timeout(5_000) });
+    if (!response.ok) {
+      throw new Error(`GET /healthz returned ${response.status}`);
+    }
+    return "GET /healthz ok";
+  });
+  const output = results.map(formatDoctorResult).join("\n");
+  const failures = results.filter((result) => result.status === "fail");
+  if (failures.length > 0) {
+    throw new Error(`Doctor found ${failures.length} failing check(s)\n${output}`);
+  }
+  return output;
+}
+async function record(
+  results: Array<{ name: string; status: DoctorStatus; detail: string }>,
+  name: string,
+  failureStatus: "warn" | "fail",
+  check: () => string | Promise<string>
+) {
+  try {
+    results.push({ name, status: "pass", detail: await check() });
+  } catch (error) {
+    results.push({ name, status: failureStatus, detail: error instanceof Error ? error.message : String(error) });
+  }
+}
+function checkCommand(name: string) {
+  const path = Bun.which(name);
+  if (!path) {
+    throw new Error(`${name} is not installed`);
+  }
+  return path;
+}
+function formatDoctorResult(result: { name: string; status: DoctorStatus; detail: string }) {
+  const marker = result.status === "pass" ? "PASS" : result.status === "warn" ? "WARN" : "FAIL";
+  return `[${marker}] ${result.name}: ${result.detail}`;
+}
+async function requireDestroyConfirmation(force: boolean) {
+  if (force) {
+    return;
+  }
+  if (!process.stdin.isTTY) {
+    throw new Error("service destroy requires --force when running non-interactively");
+  }
+  const answer = await confirm({
+    message: `Destroy resources owned by ${config.serviceName}?`,
+    initialValue: false,
+  });
+  if (isCancel(answer) || !answer) {
+    throw new Error("Destroy cancelled");
+  }
+}
+async function runMain(name: string, task: () => string | Promise<string>) {
+  intro(name);
+  try {
+    outro(await task());
+  } catch (error) {
+    log.error(error instanceof Error ? error.message : String(error));
+    process.exit(1);
+  }
+}
+if (import.meta.main) {
+  await main();
+}

package/templates/targets/workers/src/auth.ts ADDED Viewed

@@ -0,0 +1,178 @@
+type AuthConfig = {
+  enabled: boolean;
+  issuer: string;
+  audience: string;
+  jwksUrl: string;
+};
+type AuthEnv = {
+  AUTH_ENABLED?: string;
+  AUTH_ISSUER?: string;
+  AUTH_AUDIENCE?: string;
+  AUTH_JWKS_URL?: string;
+};
+type JwtHeader = {
+  alg?: string;
+  kid?: string;
+};
+type JwtClaims = {
+  iss?: string;
+  aud?: string | string[];
+  exp?: number;
+  nbf?: number;
+};
+type Jwk = JsonWebKey & {
+  kid?: string;
+};
+type Jwks = {
+  keys: Jwk[];
+};
+const encoder = new TextEncoder();
+const jwksCache = new Map<string, { expiresAt: number; jwks: Jwks }>();
+export function authMiddleware() {
+  return async (context: any, next: () => Promise<void>) => {
+    const config = authConfigFromEnv(context.env ?? {});
+    if (!config.enabled) {
+      await next();
+      return;
+    }
+    const token = bearerToken(context.req.header("authorization") ?? "");
+    if (!token) {
+      return context.json({ error: "missing bearer token", code: "unauthorized" }, 401);
+    }
+    try {
+      await verifyAccessToken(token, config);
+      await next();
+    } catch {
+      return context.json({ error: "invalid bearer token", code: "unauthorized" }, 401);
+    }
+  };
+}
+function authConfigFromEnv(env: AuthEnv): AuthConfig {
+  return {
+    enabled: truthy(env.AUTH_ENABLED),
+    issuer: env.AUTH_ISSUER ?? "",
+    audience: env.AUTH_AUDIENCE ?? "",
+    jwksUrl: env.AUTH_JWKS_URL ?? "",
+  };
+}
+async function verifyAccessToken(token: string, config: AuthConfig): Promise<JwtClaims> {
+  const parts = token.split(".");
+  if (parts.length !== 3 || !config.issuer || !config.audience || !config.jwksUrl) {
+    throw new Error("invalid auth config or token");
+  }
+  const [encodedHeader, encodedPayload, encodedSignature] = parts;
+  const header = decodeJSON<JwtHeader>(encodedHeader);
+  const claims = decodeJSON<JwtClaims>(encodedPayload);
+  const jwks = await fetchJwks(config.jwksUrl);
+  const key = selectKey(jwks, header);
+  if (!key || !header.alg) {
+    throw new Error("matching jwk not found");
+  }
+  const algorithm = importAlgorithm(header.alg, key);
+  const cryptoKey = await crypto.subtle.importKey("jwk", key, algorithm.import, false, ["verify"]);
+  const verified = await crypto.subtle.verify(
+    algorithm.verify,
+    cryptoKey,
+    toArrayBuffer(decodeBase64Url(encodedSignature)),
+    encoder.encode(`${encodedHeader}.${encodedPayload}`)
+  );
+  if (!verified) {
+    throw new Error("bad signature");
+  }
+  validateClaims(claims, config);
+  return claims;
+}
+async function fetchJwks(jwksUrl: string): Promise<Jwks> {
+  const cached = jwksCache.get(jwksUrl);
+  if (cached && cached.expiresAt > Date.now()) {
+    return cached.jwks;
+  }
+  const response = await fetch(jwksUrl);
+  if (!response.ok) {
+    throw new Error(`jwks fetch failed: ${response.status}`);
+  }
+  const jwks = (await response.json()) as Jwks;
+  jwksCache.set(jwksUrl, { jwks, expiresAt: Date.now() + 5 * 60 * 1000 });
+  return jwks;
+}
+function selectKey(jwks: Jwks, header: JwtHeader): Jwk | undefined {
+  if (header.kid) {
+    return jwks.keys.find((key) => key.kid === header.kid);
+  }
+  return jwks.keys.length === 1 ? jwks.keys[0] : undefined;
+}
+function importAlgorithm(alg: string, key: JsonWebKey) {
+  if (alg === "RS256") {
+    return {
+      import: { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+      verify: { name: "RSASSA-PKCS1-v1_5" },
+    } as const;
+  }
+  if (alg === "ES256" && key.crv === "P-256") {
+    return {
+      import: { name: "ECDSA", namedCurve: "P-256" },
+      verify: { name: "ECDSA", hash: "SHA-256" },
+    } as const;
+  }
+  throw new Error(`unsupported jwt alg: ${alg}`);
+}
+function validateClaims(claims: JwtClaims, config: AuthConfig) {
+  const now = Math.floor(Date.now() / 1000);
+  if (claims.iss !== config.issuer) {
+    throw new Error("issuer mismatch");
+  }
+  if (!audienceMatches(claims.aud, config.audience)) {
+    throw new Error("audience mismatch");
+  }
+  if (typeof claims.exp !== "number" || claims.exp <= now - 30) {
+    throw new Error("token expired");
+  }
+  if (typeof claims.nbf === "number" && claims.nbf > now + 30) {
+    throw new Error("token not active");
+  }
+}
+function audienceMatches(audience: JwtClaims["aud"], expected: string) {
+  return Array.isArray(audience) ? audience.includes(expected) : audience === expected;
+}
+function decodeJSON<T>(value: string): T {
+  return JSON.parse(new TextDecoder().decode(decodeBase64Url(value))) as T;
+}
+function decodeBase64Url(value: string): Uint8Array {
+  const base64 = value.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(value.length / 4) * 4, "=");
+  return Uint8Array.from(atob(base64), (char) => char.charCodeAt(0));
+}
+function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
+  return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength) as ArrayBuffer;
+}
+function bearerToken(value: string) {
+  const [scheme, token] = value.trim().split(/\s+/, 2);
+  return /^Bearer$/i.test(scheme) ? token : "";
+}
+function truthy(value: string | undefined) {
+  return ["1", "true", "yes", "on"].includes((value ?? "").trim().toLowerCase());
+}