create-svc 0.1.16 → 0.1.18

package/README.md

@@ -41,7 +41,7 @@ service deploy
 To install from npm:
 
 ```bash
-npm install -g create-svc
+bun install -g create-svc
 ```
 
 For the strict one-command production path:
@@ -70,8 +70,7 @@ Without publishing to npm:
 
 ```bash
 bun install
-npm pack
-npm install -g ./create-svc-*.tgz
+bun link
 service create my-service
 ```
 
@@ -130,6 +129,21 @@ service destroy
 
 Language-specific tasks such as local running, linting, formatting, testing, and building stay in package scripts or Make targets. Service lifecycle operations are exposed through the generated `service` CLI.
 
+After `service create` has provisioned auth, the generated repo can mint a
+client-credentials bearer token for smoke checks:
+
+```bash
+TOKEN="$(service auth token)"
+curl --fail --show-error --silent -H "Authorization: Bearer $TOKEN" "https://api.<service_id>.anmho.com/v1/admin/waitlist?limit=1"
+```
+
+For Go ConnectRPC services, use the same token with `grpcurl`:
+
+```bash
+TOKEN="$(service auth token)"
+grpcurl -H "Authorization: Bearer $TOKEN" -d '{"limit":1}' -proto protos/waitlist/v1/waitlist.proto api.<service_id>.anmho.com:443 waitlist.v1.WaitlistService/ListWaitlistEntries
+```
+
 The generated service is intended to be consumed by a web app, mobile client, or another service over HTTPS. In v1, production is expected to live at `https://api.<service_id>.anmho.com`, while preview and personal environments keep using deterministic platform URLs where appropriate.
 
 The generated microservice domain is a small waitlist/launch service example with public submit/status APIs and target-specific scheduled work.
@@ -142,7 +156,8 @@ bun test src scripts
 bun run index.ts create my-service
 ```
 
-Validate the generated app matrix against local Docker Compose Postgres:
+Validate the generated service matrix against local Docker Compose Postgres and
+Workers package checks:
 
 ```bash
 bun run validate:generated
@@ -150,7 +165,7 @@ bun run validate:generated -- --variant bun-hono
 bun run validate:generated -- --variant go-connectrpc --keep
 ```
 
-The validation harness scaffolds generated services into ignored `bin/generated/run-*` workspaces, runs the generated public commands, starts the local server, and smoke-tests health or typed ConnectRPC clients where applicable.
+The validation harness scaffolds generated services into ignored `bin/generated/run-*` workspaces, runs the generated public commands, starts the local server for Cloud Run presets, smoke-tests health plus ConnectRPC clients where applicable, and verifies the Workers preset package compiles and tests.
 
 ## npm Trusted Publishing
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.16",
+  "version": "0.1.18",
   "description": "Local microservice bootstrap CLI for Cloud Run and Workers services with Neon-backed data.",
   "module": "index.ts",
   "type": "module",
@@ -21,7 +21,7 @@
     "dev": "bun run index.ts",
     "test": "bun test src scripts",
     "validate:generated": "bun run ./scripts/validate-generated.ts",
-    "typecheck": "bunx tsc --noEmit"
+    "typecheck": "tsc --noEmit"
   },
   "repository": {
     "type": "git",

package/src/post-scaffold.test.ts

@@ -4,16 +4,23 @@ import { buildDeploymentVerificationCommands, buildPostScaffoldCommands } from "
 describe("buildPostScaffoldCommands", () => {
   test("runs create and deploy for HTTP services", () => {
     expect(buildPostScaffoldCommands({ framework: "hono" })).toEqual([
-      { command: "bun", args: ["run", "service", "--", "create"] },
-      { command: "bun", args: ["run", "service", "--", "deploy"] },
+      { command: "bun", args: ["./scripts/cloudrun/cli.ts", "create"] },
+      { command: "bun", args: ["./scripts/cloudrun/cli.ts", "deploy"] },
     ]);
   });
 
   test("builds SDK artifacts before create and deploy for ConnectRPC services", () => {
     expect(buildPostScaffoldCommands({ framework: "connectrpc" })).toEqual([
-      { command: "bun", args: ["run", "service", "--", "sdk", "build"] },
-      { command: "bun", args: ["run", "service", "--", "create"] },
-      { command: "bun", args: ["run", "service", "--", "deploy"] },
+      { command: "bun", args: ["./scripts/cloudrun/cli.ts", "sdk", "build"] },
+      { command: "bun", args: ["./scripts/cloudrun/cli.ts", "create"] },
+      { command: "bun", args: ["./scripts/cloudrun/cli.ts", "deploy"] },
+    ]);
+  });
+
+  test("uses the workers service CLI for workers services", () => {
+    expect(buildPostScaffoldCommands({ target: "workers", framework: "hono" })).toEqual([
+      { command: "bun", args: ["./scripts/workers/cli.ts", "create"] },
+      { command: "bun", args: ["./scripts/workers/cli.ts", "deploy"] },
     ]);
   });
 });
@@ -23,13 +30,40 @@ describe("buildDeploymentVerificationCommands", () => {
     expect(buildDeploymentVerificationCommands({ apiHostname: "api.launch.anmho.com", framework: "hono", runtime: "bun" })).toEqual([
       { command: "curl", args: ["--fail", "--show-error", "--silent", "https://api.launch.anmho.com/healthz"] },
       { command: "curl", args: ["--fail", "--show-error", "--silent", "https://api.launch.anmho.com/readyz"] },
+      {
+        command: "sh",
+        args: [
+          "-c",
+          'TOKEN="$(bun ./scripts/cloudrun/cli.ts auth token)" && curl --fail --show-error --silent -H "Authorization: Bearer $TOKEN" "https://api.launch.anmho.com/v1/admin/waitlist?limit=1"',
+        ],
+      },
     ]);
   });
 
-  test("uses grpcurl for Go ConnectRPC services", () => {
+  test("uses auth token and grpcurl for Go ConnectRPC services", () => {
     expect(buildDeploymentVerificationCommands({ apiHostname: "api.launch.anmho.com", framework: "connectrpc", runtime: "go" })).toContainEqual({
-      command: "grpcurl",
-      args: ["api.launch.anmho.com:443", "list"],
+      command: "sh",
+      args: [
+        "-c",
+        'TOKEN="$(bun ./scripts/cloudrun/cli.ts auth token)" && grpcurl -H "Authorization: Bearer $TOKEN" -d \'{"limit":1}\' -proto protos/waitlist/v1/waitlist.proto api.launch.anmho.com:443 waitlist.v1.WaitlistService/ListWaitlistEntries',
+      ],
+    });
+  });
+
+  test("uses the workers service CLI for protected workers verification", () => {
+    expect(
+      buildDeploymentVerificationCommands({
+        target: "workers",
+        apiHostname: "api.launch.anmho.com",
+        framework: "hono",
+        runtime: "bun",
+      })
+    ).toContainEqual({
+      command: "sh",
+      args: [
+        "-c",
+        'TOKEN="$(bun ./scripts/workers/cli.ts auth token)" && curl --fail --show-error --silent -H "Authorization: Bearer $TOKEN" "https://api.launch.anmho.com/v1/admin/waitlist?limit=1"',
+      ],
     });
   });
 });

package/src/post-scaffold.ts

@@ -37,30 +37,86 @@ export async function runPostScaffoldFlow(config: ScaffoldConfig, cwd: string) {
 }
 
 export function buildDeploymentVerificationCommands(
-  config: Pick<ScaffoldConfig, "apiHostname" | "framework" | "runtime">
+  config: Pick<ScaffoldConfig, "apiHostname" | "framework" | "runtime"> & Partial<Pick<ScaffoldConfig, "target">>
 ): PostScaffoldCommand[] {
   const origin = `https://${config.apiHostname}`;
+  const tokenCommand = `TOKEN="$(bun ${serviceCliPath(config)} auth token)"`;
   return [
     { command: "curl", args: ["--fail", "--show-error", "--silent", `${origin}/healthz`] },
     { command: "curl", args: ["--fail", "--show-error", "--silent", `${origin}/readyz`] },
-    ...(config.framework === "connectrpc"
-      ? [
-          config.runtime === "go"
-            ? { command: "grpcurl", args: [`${config.apiHostname}:443`, "list"] }
-            : { command: "curl", args: ["--fail", "--show-error", "--silent", `${origin}/debug/connectrpc`] },
-        ]
-      : []),
+    protectedVerificationCommand(config, origin, tokenCommand),
   ];
 }
 
-export function buildPostScaffoldCommands(config: Pick<ScaffoldConfig, "framework">): PostScaffoldCommand[] {
+function protectedVerificationCommand(
+  config: Pick<ScaffoldConfig, "apiHostname" | "framework" | "runtime">,
+  origin: string,
+  tokenCommand: string
+): PostScaffoldCommand {
+  if (config.framework === "connectrpc" && config.runtime === "go") {
+    return {
+      command: "sh",
+      args: [
+        "-c",
+        [
+          `${tokenCommand} &&`,
+          "grpcurl",
+          '-H "Authorization: Bearer $TOKEN"',
+          "-d '{\"limit\":1}'",
+          "-proto protos/waitlist/v1/waitlist.proto",
+          `${config.apiHostname}:443`,
+          "waitlist.v1.WaitlistService/ListWaitlistEntries",
+        ].join(" "),
+      ],
+    };
+  }
+
+  if (config.framework === "connectrpc") {
+    return {
+      command: "sh",
+      args: [
+        "-c",
+        [
+          `${tokenCommand} &&`,
+          "curl --fail --show-error --silent",
+          '-H "Authorization: Bearer $TOKEN"',
+          '-H "Content-Type: application/json"',
+          "-d '{\"limit\":1}'",
+          `"${origin}/waitlist.v1.WaitlistService/ListWaitlistEntries"`,
+        ].join(" "),
+      ],
+    };
+  }
+
+  return {
+    command: "sh",
+    args: [
+      "-c",
+      [
+        `${tokenCommand} &&`,
+        "curl --fail --show-error --silent",
+        '-H "Authorization: Bearer $TOKEN"',
+        `"${origin}/v1/admin/waitlist?limit=1"`,
+      ].join(" "),
+    ],
+  };
+}
+
+export function buildPostScaffoldCommands(
+  config: Pick<ScaffoldConfig, "framework"> & Partial<Pick<ScaffoldConfig, "target">>
+): PostScaffoldCommand[] {
+  const serviceCli = serviceCliPath(config);
   return [
-    ...(config.framework === "connectrpc" ? [{ command: "bun", args: ["run", "service", "--", "sdk", "build"] }] : []),
-    { command: "bun", args: ["run", "service", "--", "create"] },
-    { command: "bun", args: ["run", "service", "--", "deploy"] },
+    ...(config.target !== "workers" && config.framework === "connectrpc" ? [{ command: "bun", args: [serviceCli, "sdk", "build"] }] : []),
+    { command: "bun", args: [serviceCli, "create"] },
+    { command: "bun", args: [serviceCli, "deploy"] },
   ];
 }
 
+function serviceCliPath(config: Partial<Pick<ScaffoldConfig, "target">>) {
+  return config.target === "workers" ? "./scripts/workers/cli.ts" : "./scripts/cloudrun/cli.ts";
+}
+
 function installProjectDependencies(cwd: string) {
   requireCommand("bun");
   run("bun", ["install"], { cwd });

package/src/scaffold.test.ts

@@ -218,6 +218,8 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(serviceCli).toContain("Provision auth, database, migrations, and first deploy");
       expect(serviceCli).toContain("assertServiceNameAvailable(config.serviceName)");
       expect(serviceCli).toContain("ensureAuthResourceServer");
+      expect(serviceCli).toContain("ensureAuthClient");
+      expect(serviceCli).toContain("auth token");
       expect(serviceCli).toContain('["resources", "push", "--path", "./grafana"]');
       const cloudrunLib = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "lib.ts")).text();
       expect(cloudrunLib).toContain("resolveTemporalRuntimeConfig");
@@ -229,6 +231,9 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(authctlScript).toContain("resource-servers");
       expect(authctlScript).toContain("clients");
       expect(authctlScript).toContain("defaultClientTargetArgs");
+      expect(authctlScript).toContain("ensureAuthClient");
+      expect(authctlScript).toContain("mintAuthToken");
+      expect(authctlScript).toContain("clientVaultPath");
       expect(authctlScript).toContain("deleteAuthResourceServer");
       expect(authctlScript).toContain("readAuthctlAccessVaultField");
       expect(authctlScript).toContain("prod/apps/auth/authctl/cloudflare-access");
@@ -363,6 +368,8 @@ test("scaffolds the workers target with wrangler lifecycle commands", async () =
   expect(workerCli).toContain("hyperdrive");
   expect(workerCli).toContain('["resources", "push", "--path", "./grafana"]');
   expect(workerCli).toContain("ensureAuthResourceServer");
+  expect(workerCli).toContain("ensureAuthClient");
+  expect(workerCli).toContain("auth token");
   expect(workerCli).toContain("Workers database schema applied");
   expect(workerCli).toContain("create table if not exists waitlist_entries");
   expect(workerCli).toContain("DATABASE_URL or NEON_API_KEY is required to provision the Hyperdrive binding");

package/src/scaffold.ts

@@ -218,6 +218,7 @@ function buildReplacements(config: ScaffoldConfig) {
     COMMAND_DEPLOY: "service deploy",
     COMMAND_AUTH_RESOURCE: "service auth resource-server",
     COMMAND_AUTH_CLIENT: "service auth client create",
+    COMMAND_AUTH_TOKEN: "service auth token",
     COMMAND_DEPLOY_PERSONAL: "service deploy --environment personal --name <name>",
     COMMAND_DEPLOY_DESTROY: "service destroy --environment personal --name <name>",
     COMMAND_CLEANUP: "service destroy",
@@ -236,9 +237,42 @@ function buildReplacements(config: ScaffoldConfig) {
             "- override with `ENABLE_RPC_INTROSPECTION=true|false`",
           ].join("\n")
         : "",
+    PRODUCTION_PROTECTED_CHECKS: buildProtectedChecks(config),
   };
 }
 
+function buildProtectedChecks(config: ScaffoldConfig) {
+  const tokenCommand = 'TOKEN="$(service auth token)"';
+  if (config.framework === "connectrpc" && config.runtime === "go") {
+    return [
+      "After deploy, verify protected reads with:",
+      "",
+      "```bash",
+      tokenCommand,
+      `grpcurl -H "Authorization: Bearer $TOKEN" -d '{"limit":1}' -proto protos/waitlist/v1/waitlist.proto ${config.apiHostname}:443 waitlist.v1.WaitlistService/ListWaitlistEntries`,
+      "```",
+    ].join("\n");
+  }
+  if (config.framework === "connectrpc") {
+    return [
+      "After deploy, verify protected reads with:",
+      "",
+      "```bash",
+      tokenCommand,
+      `curl --fail --show-error --silent -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"limit":1}' "https://${config.apiHostname}/waitlist.v1.WaitlistService/ListWaitlistEntries"`,
+      "```",
+    ].join("\n");
+  }
+  return [
+    "After deploy, verify protected reads with:",
+    "",
+    "```bash",
+    tokenCommand,
+    `curl --fail --show-error --silent -H "Authorization: Bearer $TOKEN" "https://${config.apiHostname}/v1/admin/waitlist?limit=1"`,
+    "```",
+  ].join("\n");
+}
+
 async function writeLocalEnvFile(targetDir: string, replacements: Record<string, string>) {
   const envPath = join(targetDir, ".env.local");
   if (await Bun.file(envPath).exists()) {

package/templates/shared/README.md

@@ -179,6 +179,7 @@ Use `service auth` for follow-up auth operations:
 {{COMMAND_BOOTSTRAP}} # includes resource-server registration
 {{COMMAND_AUTH_RESOURCE}}
 {{COMMAND_AUTH_CLIENT}} --resource-server <target-service> --scope <scope>
+{{COMMAND_AUTH_TOKEN}}
 ```
 
 `authctl clients create` prints a one-time client secret plus the recommended
@@ -194,6 +195,10 @@ target resource server as `resource=api://<resource_server_id>`. The generated
 runtime expects a JWT with that audience; omitting `resource` can return an
 opaque access token that the service will reject.
 
+`{{COMMAND_AUTH_TOKEN}}` reads the generated service-client credentials from
+Vault, creates and stores them if missing, and prints a bearer token suitable
+for local smoke checks.
+
 Webhook signature hooks are provider-specific and optional in v1. Add provider
 secrets only when you add a provider adapter. A generic adapter can honor:
 
@@ -231,6 +236,8 @@ The main environment is intended to be public at:
 https://{{API_HOSTNAME}}
 ```
 
+{{PRODUCTION_PROTECTED_CHECKS}}
+
 Preview and personal environments keep using deterministic Cloud Run hostnames in v1 so the generated backend stays easy to use inside standalone repos or monorepos.
 
 ## Generated backend domain
@@ -253,6 +260,7 @@ Hono variants expose:
 - `POST /v1/waitlist`
 - `GET /v1/waitlist?email=...`
 - `GET /v1/waitlist/{entryId}`
+- `GET /v1/admin/waitlist`
 - `POST /v1/triggers/waitlist`
 - `POST /webhooks/:provider`
 

package/templates/shared/scripts/authctl.ts

@@ -27,6 +27,17 @@ type ResourceServerMutationCommand = ResourceServerCommand & {
   mutationAction: "upsert" | "create";
 };
 
+type ClientCredentials = {
+  client_id: string;
+  client_secret: string;
+};
+
+type TokenResponse = {
+  access_token?: string;
+  token_type?: string;
+  expires_in?: number;
+};
+
 export function defaultAuthResourceServerArgs() {
   const auth = serviceConfig.auth;
   return [
@@ -92,31 +103,66 @@ export function runAuthCommand(args: string[]) {
     return runClientCommand(action, rest);
   }
 
-  throw new Error("Usage: service auth <doctor|resource-server|client> [args]");
+  if (subject === "token") {
+    return mintAuthToken(parseTokenOptions([action, ...rest].filter(Boolean) as string[]));
+  }
+
+  throw new Error("Usage: service auth <doctor|resource-server|client|token> [args]");
 }
 
 export function ensureAuthResourceServer() {
   const command = ensureResourceServerCommandAvailable();
-  authctl([command.subject, command.mutationAction, ...defaultAuthResourceServerArgs(), "--json"]);
+  authctl([command.subject, command.mutationAction, ...defaultAuthResourceServerArgs(), "--json"], { quiet: true });
   return `Auth resource server ready: ${serviceConfig.auth.resource_server.audience}`;
 }
 
+export function ensureAuthClient() {
+  const existing = readStoredClientCredentials();
+  if (existing) {
+    return `Auth client ready: ${existing.client_id}`;
+  }
+
+  const result = authctl(
+    [
+      "clients",
+      "create",
+      "--client-app",
+      serviceConfig.auth.client.app_id,
+      "--client-identity",
+      serviceConfig.auth.client.identity,
+      ...defaultClientTargetArgs([]),
+      "--stage",
+      serviceConfig.stage_default,
+      "--yes",
+      "--json",
+    ],
+    { quiet: true }
+  );
+
+  const created = parseClientSecretResponse(result.stdout);
+  storeClientCredentials(created);
+  return `Auth client ready: ${created.client_id}`;
+}
+
 export function deleteAuthResourceServer() {
   const command = resolveResourceServerCommand();
   if (!command?.actions.includes("delete")) {
     return "authctl does not expose resource-server delete; auth resource server was not deleted";
   }
 
-  authctl([
-    command.subject,
-    "delete",
-    "--resource-server",
-    serviceConfig.auth.resource_server.id,
-    "--stage",
-    serviceConfig.stage_default,
-    "--force",
-    "--json",
-  ]);
+  authctl(
+    [
+      command.subject,
+      "delete",
+      "--resource-server",
+      serviceConfig.auth.resource_server.id,
+      "--stage",
+      serviceConfig.stage_default,
+      "--force",
+      "--json",
+    ],
+    { quiet: true }
+  );
   return `Auth resource server deleted: ${serviceConfig.auth.resource_server.id}`;
 }
 
@@ -161,8 +207,12 @@ export function runAuthDoctor(): AuthDoctorResult {
 }
 
 function runClientCommand(action = "", rest: string[]) {
+  if (!action || action === "ensure") {
+    return ensureAuthClient();
+  }
+
   if (action === "create") {
-    authctl([
+    const result = authctl([
       "clients",
       "create",
       "--client-app",
@@ -176,6 +226,8 @@ function runClientCommand(action = "", rest: string[]) {
       "--json",
       ...rest,
     ]);
+    const created = parseClientSecretResponse(result.stdout);
+    storeClientCredentials(created);
     return "Auth client created";
   }
 
@@ -196,6 +248,112 @@ function defaultClientTargetArgs(rest: string[]) {
   ];
 }
 
+function parseTokenOptions(args: string[]) {
+  const options: { json: boolean; scope?: string[]; resource?: string; audience?: string } = { json: false };
+  for (let index = 0; index < args.length; index += 1) {
+    const token = args[index];
+    if (!token) continue;
+    const next = args[index + 1];
+    const readValue = () => {
+      if (!next || next.startsWith("-")) {
+        throw new Error(`Missing value for ${token}`);
+      }
+      index += 1;
+      return next;
+    };
+    if (token === "--json") {
+      options.json = true;
+      continue;
+    }
+    if (token === "--scope") {
+      options.scope = [...(options.scope ?? []), readValue()];
+      continue;
+    }
+    if (token.startsWith("--scope=")) {
+      options.scope = [...(options.scope ?? []), token.slice("--scope=".length)];
+      continue;
+    }
+    if (token === "--resource") {
+      options.resource = readValue();
+      continue;
+    }
+    if (token.startsWith("--resource=")) {
+      options.resource = token.slice("--resource=".length);
+      continue;
+    }
+    if (token === "--audience") {
+      options.audience = readValue();
+      continue;
+    }
+    if (token.startsWith("--audience=")) {
+      options.audience = token.slice("--audience=".length);
+      continue;
+    }
+    throw new Error(`Unknown service auth token argument: ${token}`);
+  }
+  return options;
+}
+
+function mintAuthToken(options: { json: boolean; scope?: string[]; resource?: string; audience?: string }) {
+  const credentials = readStoredClientCredentials() ?? createAndStoreClientCredentials();
+  const scopes = options.scope?.length ? options.scope : serviceConfig.auth.resource_server.default_scopes;
+  const resource = options.resource ?? serviceConfig.auth.resource_server.audience;
+  const token = requestClientCredentialsToken(credentials, {
+    scope: scopes.join(" "),
+    resource,
+    audience: options.audience,
+  });
+
+  if (options.json) {
+    return JSON.stringify(token, null, 2);
+  }
+
+  if (!token.access_token) {
+    throw new Error("token response did not include access_token");
+  }
+  return token.access_token;
+}
+
+function createAndStoreClientCredentials() {
+  ensureAuthClient();
+  const stored = readStoredClientCredentials();
+  if (!stored) {
+    throw new Error(`Auth client credentials were not written to Vault path ${clientVaultPath()}`);
+  }
+  return stored;
+}
+
+function requestClientCredentialsToken(credentials: ClientCredentials, options: { scope: string; resource: string; audience?: string }) {
+  const body = new URLSearchParams({
+    grant_type: "client_credentials",
+    scope: options.scope,
+    resource: options.resource,
+  });
+  if (options.audience) {
+    body.set("audience", options.audience);
+  }
+
+  const response = fetchSync(serviceConfig.auth.token_endpoint, {
+    method: "POST",
+    headers: {
+      authorization: `Basic ${basicAuth(credentials.client_id, credentials.client_secret)}`,
+      "content-type": "application/x-www-form-urlencoded",
+      accept: "application/json",
+    },
+    body: body.toString(),
+  });
+
+  if (response.status < 200 || response.status >= 300) {
+    throw new Error(`token request failed: ${response.status} ${response.body}`);
+  }
+
+  const token = JSON.parse(response.body) as TokenResponse;
+  if (token.token_type?.toLowerCase() !== "bearer" || !token.access_token) {
+    throw new Error("token response did not include a bearer access_token");
+  }
+  return token;
+}
+
 function hasFlag(args: string[], name: string) {
   return args.some((arg) => arg === name || arg.startsWith(`${name}=`));
 }
@@ -332,3 +490,112 @@ function readAuthctlAccessVaultField(env: Record<string, string | undefined>, fi
 
   return decoder.decode(result.stdout).trim();
 }
+
+function parseClientSecretResponse(stdout: string): ClientCredentials {
+  if (!stdout) {
+    throw new Error("authctl did not return client credentials");
+  }
+  const parsed = JSON.parse(stdout) as { client_id?: string; client_secret?: string };
+  if (!parsed.client_id || !parsed.client_secret) {
+    throw new Error("authctl client create did not return one-time client credentials");
+  }
+  return {
+    client_id: parsed.client_id,
+    client_secret: parsed.client_secret,
+  };
+}
+
+function readStoredClientCredentials(): ClientCredentials | undefined {
+  const clientId = readVaultField(clientVaultPath(), "client_id");
+  const clientSecret = readVaultField(clientVaultPath(), "client_secret");
+  if (!clientId || !clientSecret) {
+    return undefined;
+  }
+  return {
+    client_id: clientId,
+    client_secret: clientSecret,
+  };
+}
+
+function storeClientCredentials(credentials: ClientCredentials) {
+  const vault = requireVaultCommand();
+  const result = Bun.spawnSync(
+    [
+      vault,
+      "kv",
+      "put",
+      `-mount=${vaultMount()}`,
+      clientVaultPath(),
+      `client_id=${credentials.client_id}`,
+      `client_secret=${credentials.client_secret}`,
+    ],
+    {
+      cwd: process.cwd(),
+      env: process.env,
+      stdout: "pipe",
+      stderr: "pipe",
+    }
+  );
+  if (!result.success) {
+    const stderr = result.stderr ? decoder.decode(result.stderr).trim() : "";
+    throw new Error(`failed to store auth client credentials in Vault at ${clientVaultPath()}\n${stderr}`);
+  }
+}
+
+function readVaultField(path: string, field: string) {
+  const vault = Bun.which("vault");
+  if (!vault) {
+    return "";
+  }
+  const result = Bun.spawnSync([vault, "kv", "get", `-mount=${vaultMount()}`, `-field=${field}`, path], {
+    cwd: process.cwd(),
+    env: process.env,
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  if (!result.success || !result.stdout) {
+    return "";
+  }
+  return decoder.decode(result.stdout).trim();
+}
+
+function requireVaultCommand() {
+  const vault = Bun.which("vault");
+  if (!vault) {
+    throw new Error("vault is required to store generated auth client credentials");
+  }
+  return vault;
+}
+
+function vaultMount() {
+  return serviceConfig.providers.vault.mount || "secret";
+}
+
+function clientVaultPath() {
+  return `${serviceConfig.auth.client.vault_path_prefix}/${serviceConfig.auth.resource_server.id}`;
+}
+
+function basicAuth(clientId: string, clientSecret: string) {
+  return Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
+}
+
+function fetchSync(url: string, init: { method: string; headers: Record<string, string>; body: string }) {
+  const script = [
+    "const url = process.argv[1];",
+    "const init = JSON.parse(process.argv[2]);",
+    "const response = await fetch(url, init);",
+    "const body = await response.text();",
+    "console.log(JSON.stringify({ status: response.status, body }));",
+  ].join("\n");
+  const result = Bun.spawnSync([process.execPath, "--eval", script, url, JSON.stringify(init)], {
+    cwd: process.cwd(),
+    env: process.env,
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  if (!result.success) {
+    const stderr = result.stderr ? decoder.decode(result.stderr).trim() : "";
+    throw new Error(`token request process failed\n${stderr}`);
+  }
+  return JSON.parse(decoder.decode(result.stdout).trim()) as { status: number; body: string };
+}

package/templates/shared/scripts/cloudrun/bootstrap.ts

@@ -17,13 +17,13 @@ import {
   runStep,
 } from "./lib";
 
-export async function bootstrap() {
+export async function bootstrap(options: { skipProjectSetup?: boolean } = {}) {
   requireCommand("gcloud");
   requireGcloudAuth();
 
-  await runStep("Ensuring GCP project", () => ensureProject());
-  await runStep("Attaching billing", () => attachBilling());
-  await runStep("Enabling required GCP APIs", () => gcloud(["services", "enable", ...config.requiredApis, "--project", config.project.id]));
+  if (!options.skipProjectSetup) {
+    await prepareGcpProject();
+  }
 
   await runStep("Ensuring runtime service account", () => {
     ensureServiceAccount(config.runtimeServiceAccount);
@@ -53,6 +53,12 @@ export async function bootstrap() {
   await runStep("Publishing Temporal secrets", () => publishTemporalSecrets());
 }
 
+export async function prepareGcpProject() {
+  await runStep("Ensuring GCP project", () => ensureProject());
+  await runStep("Attaching billing", () => attachBilling());
+  await runStep("Enabling required GCP APIs", () => gcloud(["services", "enable", ...config.requiredApis, "--project", config.project.id]));
+}
+
 function publishTemporalSecrets() {
   const temporal = resolveTemporalRuntimeConfig();
   const apiKey = process.env.TEMPORAL_API_KEY?.trim();

package/templates/shared/scripts/cloudrun/cli.ts

@@ -1,8 +1,8 @@
 #!/usr/bin/env bun
 
 import { mkdir } from "node:fs/promises";
-import { ensureAuthResourceServer, runAuthCommand, runAuthDoctor } from "../authctl";
-import { bootstrap } from "./bootstrap";
+import { ensureAuthClient, ensureAuthResourceServer, runAuthCommand, runAuthDoctor } from "../authctl";
+import { bootstrap, prepareGcpProject } from "./bootstrap";
 import { cleanup } from "./cleanup";
 import { deploy } from "./deploy";
 import { config } from "./config";
@@ -35,8 +35,10 @@ async function main(argv = Bun.argv.slice(2)) {
     await runMain("Create", async () => {
       assertServiceNameAvailable(config.serviceName);
       assertProductionDomainAvailable(config.serviceName);
+      await prepareGcpProject();
       await runStep("Registering auth resource server", () => ensureAuthResourceServer());
-      await bootstrap();
+      await runStep("Provisioning auth client", () => ensureAuthClient());
+      await bootstrap({ skipProjectSetup: true });
       const target = resolveDeploymentTarget("main");
       const databaseUrl = await runStep("Reading production database URL", () => accessSecretVersion(target.databaseSecretName));
       await runStep("Applying production migrations", () => runLanguageTask("migrate", { DATABASE_URL: databaseUrl }));
@@ -78,6 +80,10 @@ async function main(argv = Bun.argv.slice(2)) {
   }
 
   if (command === "auth") {
+    if (rest[0] === "token") {
+      console.log(runAuthCommand(rest));
+      return;
+    }
     await runMain("Auth", () => runAuthCommand(rest));
     return;
   }
@@ -107,6 +113,7 @@ function formatHelp() {
     "  seed        Run the seed script when configured",
     "  doctor      Check local tools and cloud access",
     "  auth        Manage auth resource server and clients",
+    "  auth token  Mint a bearer token for protected API checks",
     "  sdk         Build or publish generated SDK artifacts",
     "  dns         Repair or inspect DNS mappings",
     "  dashboards  Publish Grafana resources",

package/templates/targets/workers/Makefile

@@ -12,7 +12,7 @@ gen:
 	@echo "no generated code for workers"
 
 lint:
-	bunx tsc --noEmit
+	bun run lint
 
 test:
 	bun test

package/templates/targets/workers/README.md

@@ -43,6 +43,7 @@ small waitlist/trigger schema on first use.
 - `POST /v1/waitlist`
 - `GET /v1/waitlist?email=<email>`
 - `GET /v1/waitlist/:entryId`
+- `GET /v1/admin/waitlist`
 - `POST /v1/triggers/waitlist`
 - `POST /webhooks/:provider`
 - `GET /webhooks/:provider/health`
@@ -63,6 +64,8 @@ https://{{API_HOSTNAME}}
 Use `service doctor` after create to verify Wrangler auth, route config, Cron,
 Hyperdrive, dashboard tooling, auth tooling, and deployed health.
 
+{{PRODUCTION_PROTECTED_CHECKS}}
+
 If the Hyperdrive binding id is empty, `service create` uses `DATABASE_URL`, or
 `NEON_API_KEY` to create/resolve the generated Neon database and connection URI,
 applies the waitlist schema, then runs `wrangler hyperdrive create` and writes

package/templates/targets/workers/package.json

@@ -10,7 +10,7 @@
     "service": "bun run ./scripts/workers/cli.ts",
     "migrate": "bun run ./scripts/workers/cli.ts migrate",
     "seed": "bun run ./scripts/workers/cli.ts seed",
-    "lint": "bunx tsc --noEmit",
+    "lint": "tsc --noEmit",
     "test": "bun test",
     "create": "bun run ./scripts/workers/cli.ts create",
     "deploy": "bun run ./scripts/workers/cli.ts deploy",

package/templates/targets/workers/scripts/workers/cli.ts

@@ -3,7 +3,7 @@
 import { confirm, intro, isCancel, log, outro } from "@clack/prompts";
 import { createApiClient } from "@neondatabase/api-client";
 import { Client } from "pg";
-import { ensureAuthResourceServer, runAuthCommand, runAuthDoctor } from "../authctl";
+import { ensureAuthClient, ensureAuthResourceServer, runAuthCommand, runAuthDoctor } from "../authctl";
 
 const config = {
   serviceName: "{{SERVICE_NAME}}",
@@ -25,6 +25,7 @@ async function main(argv = Bun.argv.slice(2)) {
   if (command === "create") {
     return runMain("Create", async () => {
       ensureAuthResourceServer();
+      ensureAuthClient();
       const databaseUrl = await resolveDatabaseUrl();
       await applySchema(databaseUrl);
       await ensureHyperdrive(databaseUrl);
@@ -68,6 +69,10 @@ async function main(argv = Bun.argv.slice(2)) {
   }
 
   if (command === "auth") {
+    if (rest[0] === "token") {
+      console.log(runAuthCommand(rest));
+      return;
+    }
     return runMain("Auth", () => runAuthCommand(rest));
   }
 
@@ -102,6 +107,7 @@ function formatHelp() {
     "  seed        Report seed status",
     "  doctor      Check local tools and cloud access",
     "  auth        Manage auth resource server and clients",
+    "  auth token  Mint a bearer token for protected API checks",
     "  dns         Show Workers custom-domain configuration",
     "  dashboards  Publish Grafana resources",
     "  destroy     Remove service-managed Worker resources",

package/templates/variants/bun-connectrpc/Makefile

@@ -12,7 +12,7 @@ gen:
 	bun run ./scripts/codegen.ts
 
 lint:
-	bunx tsc --noEmit
+	bun run lint
 
 test:
 	bun test

package/templates/variants/bun-connectrpc/package.json

@@ -10,7 +10,7 @@
     "service": "bun run ./scripts/cloudrun/cli.ts",
     "migrate": "bun run ./scripts/migrate.ts",
     "gen": "bun run ./scripts/codegen.ts",
-    "lint": "bunx tsc --noEmit",
+    "lint": "tsc --noEmit",
     "test": "bun test",
     "create": "bun run ./scripts/cloudrun/cli.ts create",
     "deploy": "bun run ./scripts/cloudrun/cli.ts deploy",

package/templates/variants/bun-hono/Makefile

@@ -12,7 +12,7 @@ gen:
 	bun run ./scripts/codegen.ts
 
 lint:
-	bunx tsc --noEmit
+	bun run lint
 
 test:
 	bun test

package/templates/variants/bun-hono/package.json

@@ -10,7 +10,7 @@
     "service": "bun run ./scripts/cloudrun/cli.ts",
     "migrate": "bun run ./scripts/migrate.ts",
     "gen": "bun run ./scripts/codegen.ts",
-    "lint": "bunx tsc --noEmit",
+    "lint": "tsc --noEmit",
     "test": "bun test",
     "create": "bun run ./scripts/cloudrun/cli.ts create",
     "deploy": "bun run ./scripts/cloudrun/cli.ts deploy",