create-svc 0.1.17 → 0.1.19

package/README.md

@@ -41,7 +41,7 @@ service deploy
 To install from npm:
 
 ```bash
-npm install -g create-svc
+bun install -g create-svc
 ```
 
 For the strict one-command production path:
@@ -70,8 +70,7 @@ Without publishing to npm:
 
 ```bash
 bun install
-npm pack
-npm install -g ./create-svc-*.tgz
+bun link
 service create my-service
 ```
 
@@ -130,6 +129,21 @@ service destroy
 
 Language-specific tasks such as local running, linting, formatting, testing, and building stay in package scripts or Make targets. Service lifecycle operations are exposed through the generated `service` CLI.
 
+After `service create` has provisioned auth, the generated repo can mint a
+client-credentials bearer token for smoke checks:
+
+```bash
+TOKEN="$(service auth token)"
+curl --fail --show-error --silent -H "Authorization: Bearer $TOKEN" "https://api.<service_id>.anmho.com/v1/admin/waitlist?limit=1"
+```
+
+For Go ConnectRPC services, use the same token with `grpcurl`:
+
+```bash
+TOKEN="$(service auth token)"
+grpcurl -H "Authorization: Bearer $TOKEN" -d '{"limit":1}' -proto protos/waitlist/v1/waitlist.proto api.<service_id>.anmho.com:443 waitlist.v1.WaitlistService/ListWaitlistEntries
+```
+
 The generated service is intended to be consumed by a web app, mobile client, or another service over HTTPS. In v1, production is expected to live at `https://api.<service_id>.anmho.com`, while preview and personal environments keep using deterministic platform URLs where appropriate.
 
 The generated microservice domain is a small waitlist/launch service example with public submit/status APIs and target-specific scheduled work.
@@ -142,7 +156,8 @@ bun test src scripts
 bun run index.ts create my-service
 ```
 
-Validate the generated app matrix against local Docker Compose Postgres:
+Validate the generated service matrix against local Docker Compose Postgres and
+Workers package checks:
 
 ```bash
 bun run validate:generated
@@ -150,7 +165,7 @@ bun run validate:generated -- --variant bun-hono
 bun run validate:generated -- --variant go-connectrpc --keep
 ```
 
-The validation harness scaffolds generated services into ignored `bin/generated/run-*` workspaces, runs the generated public commands, starts the local server, and smoke-tests health or typed ConnectRPC clients where applicable.
+The validation harness scaffolds generated services into ignored `bin/generated/run-*` workspaces, runs the generated public commands, starts the local server for Cloud Run presets, smoke-tests health plus ConnectRPC clients where applicable, and verifies the Workers preset package compiles and tests.
 
 ## npm Trusted Publishing
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.17",
+  "version": "0.1.19",
   "description": "Local microservice bootstrap CLI for Cloud Run and Workers services with Neon-backed data.",
   "module": "index.ts",
   "type": "module",
@@ -21,7 +21,7 @@
     "dev": "bun run index.ts",
     "test": "bun test src scripts",
     "validate:generated": "bun run ./scripts/validate-generated.ts",
-    "typecheck": "bunx tsc --noEmit"
+    "typecheck": "tsc --noEmit"
   },
   "repository": {
     "type": "git",

package/src/post-scaffold.test.ts

@@ -16,6 +16,13 @@ describe("buildPostScaffoldCommands", () => {
       { command: "bun", args: ["./scripts/cloudrun/cli.ts", "deploy"] },
     ]);
   });
+
+  test("uses the workers service CLI for workers services", () => {
+    expect(buildPostScaffoldCommands({ target: "workers", framework: "hono" })).toEqual([
+      { command: "bun", args: ["./scripts/workers/cli.ts", "create"] },
+      { command: "bun", args: ["./scripts/workers/cli.ts", "deploy"] },
+    ]);
+  });
 });
 
 describe("buildDeploymentVerificationCommands", () => {
@@ -23,13 +30,40 @@ describe("buildDeploymentVerificationCommands", () => {
     expect(buildDeploymentVerificationCommands({ apiHostname: "api.launch.anmho.com", framework: "hono", runtime: "bun" })).toEqual([
       { command: "curl", args: ["--fail", "--show-error", "--silent", "https://api.launch.anmho.com/healthz"] },
       { command: "curl", args: ["--fail", "--show-error", "--silent", "https://api.launch.anmho.com/readyz"] },
+      {
+        command: "sh",
+        args: [
+          "-c",
+          'TOKEN="$(bun ./scripts/cloudrun/cli.ts auth token)" && curl --fail --show-error --silent -H "Authorization: Bearer $TOKEN" "https://api.launch.anmho.com/v1/admin/waitlist?limit=1"',
+        ],
+      },
     ]);
   });
 
-  test("uses grpcurl for Go ConnectRPC services", () => {
+  test("uses auth token and grpcurl for Go ConnectRPC services", () => {
     expect(buildDeploymentVerificationCommands({ apiHostname: "api.launch.anmho.com", framework: "connectrpc", runtime: "go" })).toContainEqual({
-      command: "grpcurl",
-      args: ["api.launch.anmho.com:443", "list"],
+      command: "sh",
+      args: [
+        "-c",
+        'TOKEN="$(bun ./scripts/cloudrun/cli.ts auth token)" && grpcurl -H "Authorization: Bearer $TOKEN" -d \'{"limit":1}\' -proto protos/waitlist/v1/waitlist.proto api.launch.anmho.com:443 waitlist.v1.WaitlistService/ListWaitlistEntries',
+      ],
+    });
+  });
+
+  test("uses the workers service CLI for protected workers verification", () => {
+    expect(
+      buildDeploymentVerificationCommands({
+        target: "workers",
+        apiHostname: "api.launch.anmho.com",
+        framework: "hono",
+        runtime: "bun",
+      })
+    ).toContainEqual({
+      command: "sh",
+      args: [
+        "-c",
+        'TOKEN="$(bun ./scripts/workers/cli.ts auth token)" && curl --fail --show-error --silent -H "Authorization: Bearer $TOKEN" "https://api.launch.anmho.com/v1/admin/waitlist?limit=1"',
+      ],
     });
   });
 });

package/src/post-scaffold.ts

@@ -20,6 +20,8 @@ type PostScaffoldCommand = {
 
 const decoder = new TextDecoder();
 const encoder = new TextEncoder();
+const DEPLOYMENT_VERIFY_ATTEMPTS = 36;
+const DEPLOYMENT_VERIFY_DELAY_MS = 10_000;
 
 export async function runPostScaffoldFlow(config: ScaffoldConfig, cwd: string) {
   if (config.autoDeploy) {
@@ -28,7 +30,7 @@ export async function runPostScaffoldFlow(config: ScaffoldConfig, cwd: string) {
       run(command.command, command.args, { cwd });
     }
     for (const command of buildDeploymentVerificationCommands(config)) {
-      run(command.command, command.args, { cwd, quiet: true });
+      runWithRetries(command, { cwd, quiet: true }, DEPLOYMENT_VERIFY_ATTEMPTS, DEPLOYMENT_VERIFY_DELAY_MS);
     }
     return { message: "Dependencies installed, service created, service deployed, and production health verified" };
   }
@@ -36,31 +38,103 @@ export async function runPostScaffoldFlow(config: ScaffoldConfig, cwd: string) {
   return { message: "Backend package generated" };
 }
 
+function runWithRetries(command: PostScaffoldCommand, options: CommandOptions, attempts: number, delayMs: number) {
+  let lastError: unknown;
+  for (let attempt = 1; attempt <= attempts; attempt += 1) {
+    try {
+      return run(command.command, command.args, options);
+    } catch (error) {
+      lastError = error;
+      if (attempt === attempts) {
+        break;
+      }
+      Bun.sleepSync(delayMs);
+    }
+  }
+  throw lastError;
+}
+
 export function buildDeploymentVerificationCommands(
-  config: Pick<ScaffoldConfig, "apiHostname" | "framework" | "runtime">
+  config: Pick<ScaffoldConfig, "apiHostname" | "framework" | "runtime"> & Partial<Pick<ScaffoldConfig, "target">>
 ): PostScaffoldCommand[] {
   const origin = `https://${config.apiHostname}`;
+  const tokenCommand = `TOKEN="$(bun ${serviceCliPath(config)} auth token)"`;
   return [
     { command: "curl", args: ["--fail", "--show-error", "--silent", `${origin}/healthz`] },
     { command: "curl", args: ["--fail", "--show-error", "--silent", `${origin}/readyz`] },
-    ...(config.framework === "connectrpc"
-      ? [
-          config.runtime === "go"
-            ? { command: "grpcurl", args: [`${config.apiHostname}:443`, "list"] }
-            : { command: "curl", args: ["--fail", "--show-error", "--silent", `${origin}/debug/connectrpc`] },
-        ]
-      : []),
+    protectedVerificationCommand(config, origin, tokenCommand),
   ];
 }
 
-export function buildPostScaffoldCommands(config: Pick<ScaffoldConfig, "framework">): PostScaffoldCommand[] {
+function protectedVerificationCommand(
+  config: Pick<ScaffoldConfig, "apiHostname" | "framework" | "runtime">,
+  origin: string,
+  tokenCommand: string
+): PostScaffoldCommand {
+  if (config.framework === "connectrpc" && config.runtime === "go") {
+    return {
+      command: "sh",
+      args: [
+        "-c",
+        [
+          `${tokenCommand} &&`,
+          "grpcurl",
+          '-H "Authorization: Bearer $TOKEN"',
+          "-d '{\"limit\":1}'",
+          "-proto protos/waitlist/v1/waitlist.proto",
+          `${config.apiHostname}:443`,
+          "waitlist.v1.WaitlistService/ListWaitlistEntries",
+        ].join(" "),
+      ],
+    };
+  }
+
+  if (config.framework === "connectrpc") {
+    return {
+      command: "sh",
+      args: [
+        "-c",
+        [
+          `${tokenCommand} &&`,
+          "curl --fail --show-error --silent",
+          '-H "Authorization: Bearer $TOKEN"',
+          '-H "Content-Type: application/json"',
+          "-d '{\"limit\":1}'",
+          `"${origin}/waitlist.v1.WaitlistService/ListWaitlistEntries"`,
+        ].join(" "),
+      ],
+    };
+  }
+
+  return {
+    command: "sh",
+    args: [
+      "-c",
+      [
+        `${tokenCommand} &&`,
+        "curl --fail --show-error --silent",
+        '-H "Authorization: Bearer $TOKEN"',
+        `"${origin}/v1/admin/waitlist?limit=1"`,
+      ].join(" "),
+    ],
+  };
+}
+
+export function buildPostScaffoldCommands(
+  config: Pick<ScaffoldConfig, "framework"> & Partial<Pick<ScaffoldConfig, "target">>
+): PostScaffoldCommand[] {
+  const serviceCli = serviceCliPath(config);
   return [
-    ...(config.framework === "connectrpc" ? [{ command: "bun", args: ["./scripts/cloudrun/cli.ts", "sdk", "build"] }] : []),
-    { command: "bun", args: ["./scripts/cloudrun/cli.ts", "create"] },
-    { command: "bun", args: ["./scripts/cloudrun/cli.ts", "deploy"] },
+    ...(config.target !== "workers" && config.framework === "connectrpc" ? [{ command: "bun", args: [serviceCli, "sdk", "build"] }] : []),
+    { command: "bun", args: [serviceCli, "create"] },
+    { command: "bun", args: [serviceCli, "deploy"] },
   ];
 }
 
+function serviceCliPath(config: Partial<Pick<ScaffoldConfig, "target">>) {
+  return config.target === "workers" ? "./scripts/workers/cli.ts" : "./scripts/cloudrun/cli.ts";
+}
+
 function installProjectDependencies(cwd: string) {
   requireCommand("bun");
   run("bun", ["install"], { cwd });

package/src/scaffold.test.ts

@@ -59,6 +59,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(serviceConfig).toContain('service_id: "dns-api"');
     expect(serviceConfig).toContain('target: "cloudrun"');
     expect(serviceConfig).toContain('module: "buf.build/anmho/dns-api"');
+    expect(serviceConfig).toContain('cloudflare_vault_path: "prod/providers/cloudflare"');
     expect(serviceConfig).toContain('issuer: "https://auth.anmho.com/api/auth"');
     expect(serviceConfig).toContain('audience: "api://dns-api"');
     expect(serviceConfig).toContain('vault_path_prefix: "prod/apps/dns-api/server/oauth-clients"');
@@ -79,6 +80,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(configScript).toContain('baseBranchName: "main"');
     expect(configScript).toContain('previewBranchPrefix: "dns-api-pr"');
     expect(configScript).toContain('hostname: "api.dns-api.anmho.com"');
+    expect(configScript).toContain('cloudflareVaultPath: "prod/providers/cloudflare"');
     expect(configScript).not.toContain("github:");
     expect(configScript).not.toContain("attachmentBucket");
 
@@ -87,6 +89,8 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(deployScript).toContain('projectMode === "use_existing"');
     expect(deployScript).toContain("serviceDomain");
     expect(deployScript).toContain("ensureProductionDomainMapping");
+    expect(deployScript).toContain("ensureCloudflareDnsRecord");
+    expect(deployScript).toContain("CLOUDFLARE_API_TOKEN");
     expect(deployScript).toContain('"domain-mappings",');
     expect(deployScript).toContain('"--region",');
     expect(deployScript).toContain("assertProductionDomainAvailable");
@@ -152,6 +156,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(localEnv).toContain(`DATABASE_URL=postgres://postgres:postgres@127.0.0.1:${localPort}/dns_api?sslmode=disable`);
     expect(localEnv).toContain("VAULT_AUTHCTL_ACCESS_PATH=prod/apps/auth/authctl/cloudflare-access");
     expect(localEnv).toContain("VAULT_NEON_API_KEY_PATH=prod/providers/neon");
+    expect(localEnv).toContain("VAULT_CLOUDFLARE_API_TOKEN_PATH=prod/providers/cloudflare");
     expect(localEnv).not.toContain("ATTACHMENT_PUBLIC_BASE_URL=");
 
     const ciWorkflow = await Bun.file(join(generatedRoot, ".github", "workflows", "ci.yml")).text();
@@ -218,6 +223,8 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(serviceCli).toContain("Provision auth, database, migrations, and first deploy");
       expect(serviceCli).toContain("assertServiceNameAvailable(config.serviceName)");
       expect(serviceCli).toContain("ensureAuthResourceServer");
+      expect(serviceCli).toContain("ensureAuthClient");
+      expect(serviceCli).toContain("auth token");
       expect(serviceCli).toContain('["resources", "push", "--path", "./grafana"]');
       const cloudrunLib = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "lib.ts")).text();
       expect(cloudrunLib).toContain("resolveTemporalRuntimeConfig");
@@ -229,6 +236,9 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(authctlScript).toContain("resource-servers");
       expect(authctlScript).toContain("clients");
       expect(authctlScript).toContain("defaultClientTargetArgs");
+      expect(authctlScript).toContain("ensureAuthClient");
+      expect(authctlScript).toContain("mintAuthToken");
+      expect(authctlScript).toContain("clientVaultPath");
       expect(authctlScript).toContain("deleteAuthResourceServer");
       expect(authctlScript).toContain("readAuthctlAccessVaultField");
       expect(authctlScript).toContain("prod/apps/auth/authctl/cloudflare-access");
@@ -363,6 +373,8 @@ test("scaffolds the workers target with wrangler lifecycle commands", async () =
   expect(workerCli).toContain("hyperdrive");
   expect(workerCli).toContain('["resources", "push", "--path", "./grafana"]');
   expect(workerCli).toContain("ensureAuthResourceServer");
+  expect(workerCli).toContain("ensureAuthClient");
+  expect(workerCli).toContain("auth token");
   expect(workerCli).toContain("Workers database schema applied");
   expect(workerCli).toContain("create table if not exists waitlist_entries");
   expect(workerCli).toContain("DATABASE_URL or NEON_API_KEY is required to provision the Hyperdrive binding");

package/src/scaffold.ts

@@ -218,6 +218,7 @@ function buildReplacements(config: ScaffoldConfig) {
     COMMAND_DEPLOY: "service deploy",
     COMMAND_AUTH_RESOURCE: "service auth resource-server",
     COMMAND_AUTH_CLIENT: "service auth client create",
+    COMMAND_AUTH_TOKEN: "service auth token",
     COMMAND_DEPLOY_PERSONAL: "service deploy --environment personal --name <name>",
     COMMAND_DEPLOY_DESTROY: "service destroy --environment personal --name <name>",
     COMMAND_CLEANUP: "service destroy",
@@ -236,9 +237,42 @@ function buildReplacements(config: ScaffoldConfig) {
             "- override with `ENABLE_RPC_INTROSPECTION=true|false`",
           ].join("\n")
         : "",
+    PRODUCTION_PROTECTED_CHECKS: buildProtectedChecks(config),
   };
 }
 
+function buildProtectedChecks(config: ScaffoldConfig) {
+  const tokenCommand = 'TOKEN="$(service auth token)"';
+  if (config.framework === "connectrpc" && config.runtime === "go") {
+    return [
+      "After deploy, verify protected reads with:",
+      "",
+      "```bash",
+      tokenCommand,
+      `grpcurl -H "Authorization: Bearer $TOKEN" -d '{"limit":1}' -proto protos/waitlist/v1/waitlist.proto ${config.apiHostname}:443 waitlist.v1.WaitlistService/ListWaitlistEntries`,
+      "```",
+    ].join("\n");
+  }
+  if (config.framework === "connectrpc") {
+    return [
+      "After deploy, verify protected reads with:",
+      "",
+      "```bash",
+      tokenCommand,
+      `curl --fail --show-error --silent -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"limit":1}' "https://${config.apiHostname}/waitlist.v1.WaitlistService/ListWaitlistEntries"`,
+      "```",
+    ].join("\n");
+  }
+  return [
+    "After deploy, verify protected reads with:",
+    "",
+    "```bash",
+    tokenCommand,
+    `curl --fail --show-error --silent -H "Authorization: Bearer $TOKEN" "https://${config.apiHostname}/v1/admin/waitlist?limit=1"`,
+    "```",
+  ].join("\n");
+}
+
 async function writeLocalEnvFile(targetDir: string, replacements: Record<string, string>) {
   const envPath = join(targetDir, ".env.local");
   if (await Bun.file(envPath).exists()) {
@@ -259,6 +293,8 @@ async function writeLocalEnvFile(targetDir: string, replacements: Record<string,
       "VAULT_AUTHCTL_ACCESS_CLIENT_SECRET_FIELD=CLOUDFLARE_ACCESS_SERVICE_TOKEN_CLIENT_SECRET",
       "VAULT_NEON_API_KEY_PATH=prod/providers/neon",
       "VAULT_NEON_API_KEY_FIELD=api_key",
+      "VAULT_CLOUDFLARE_API_TOKEN_PATH=prod/providers/cloudflare",
+      "VAULT_CLOUDFLARE_API_TOKEN_FIELD=api_token",
       "",
     ].join("\n"),
     replacements

package/templates/shared/README.md

@@ -179,6 +179,7 @@ Use `service auth` for follow-up auth operations:
 {{COMMAND_BOOTSTRAP}} # includes resource-server registration
 {{COMMAND_AUTH_RESOURCE}}
 {{COMMAND_AUTH_CLIENT}} --resource-server <target-service> --scope <scope>
+{{COMMAND_AUTH_TOKEN}}
 ```
 
 `authctl clients create` prints a one-time client secret plus the recommended
@@ -194,6 +195,10 @@ target resource server as `resource=api://<resource_server_id>`. The generated
 runtime expects a JWT with that audience; omitting `resource` can return an
 opaque access token that the service will reject.
 
+`{{COMMAND_AUTH_TOKEN}}` reads the generated service-client credentials from
+Vault, creates and stores them if missing, and prints a bearer token suitable
+for local smoke checks.
+
 Webhook signature hooks are provider-specific and optional in v1. Add provider
 secrets only when you add a provider adapter. A generic adapter can honor:
 
@@ -231,6 +236,8 @@ The main environment is intended to be public at:
 https://{{API_HOSTNAME}}
 ```
 
+{{PRODUCTION_PROTECTED_CHECKS}}
+
 Preview and personal environments keep using deterministic Cloud Run hostnames in v1 so the generated backend stays easy to use inside standalone repos or monorepos.
 
 ## Generated backend domain
@@ -253,6 +260,7 @@ Hono variants expose:
 - `POST /v1/waitlist`
 - `GET /v1/waitlist?email=...`
 - `GET /v1/waitlist/{entryId}`
+- `GET /v1/admin/waitlist`
 - `POST /v1/triggers/waitlist`
 - `POST /webhooks/:provider`
 

package/templates/shared/scripts/authctl.ts

@@ -27,6 +27,17 @@ type ResourceServerMutationCommand = ResourceServerCommand & {
   mutationAction: "upsert" | "create";
 };
 
+type ClientCredentials = {
+  client_id: string;
+  client_secret: string;
+};
+
+type TokenResponse = {
+  access_token?: string;
+  token_type?: string;
+  expires_in?: number;
+};
+
 export function defaultAuthResourceServerArgs() {
   const auth = serviceConfig.auth;
   return [
@@ -92,7 +103,11 @@ export function runAuthCommand(args: string[]) {
     return runClientCommand(action, rest);
   }
 
-  throw new Error("Usage: service auth <doctor|resource-server|client> [args]");
+  if (subject === "token") {
+    return mintAuthToken(parseTokenOptions([action, ...rest].filter(Boolean) as string[]));
+  }
+
+  throw new Error("Usage: service auth <doctor|resource-server|client|token> [args]");
 }
 
 export function ensureAuthResourceServer() {
@@ -101,6 +116,34 @@ export function ensureAuthResourceServer() {
   return `Auth resource server ready: ${serviceConfig.auth.resource_server.audience}`;
 }
 
+export function ensureAuthClient() {
+  const existing = readStoredClientCredentials();
+  if (existing) {
+    return `Auth client ready: ${existing.client_id}`;
+  }
+
+  const result = authctl(
+    [
+      "clients",
+      "create",
+      "--client-app",
+      serviceConfig.auth.client.app_id,
+      "--client-identity",
+      serviceConfig.auth.client.identity,
+      ...defaultClientTargetArgs([]),
+      "--stage",
+      serviceConfig.stage_default,
+      "--yes",
+      "--json",
+    ],
+    { quiet: true }
+  );
+
+  const created = parseClientSecretResponse(result.stdout);
+  storeClientCredentials(created);
+  return `Auth client ready: ${created.client_id}`;
+}
+
 export function deleteAuthResourceServer() {
   const command = resolveResourceServerCommand();
   if (!command?.actions.includes("delete")) {
@@ -164,8 +207,12 @@ export function runAuthDoctor(): AuthDoctorResult {
 }
 
 function runClientCommand(action = "", rest: string[]) {
+  if (!action || action === "ensure") {
+    return ensureAuthClient();
+  }
+
   if (action === "create") {
-    authctl([
+    const result = authctl([
       "clients",
       "create",
       "--client-app",
@@ -179,6 +226,8 @@ function runClientCommand(action = "", rest: string[]) {
       "--json",
       ...rest,
     ]);
+    const created = parseClientSecretResponse(result.stdout);
+    storeClientCredentials(created);
     return "Auth client created";
   }
 
@@ -199,6 +248,112 @@ function defaultClientTargetArgs(rest: string[]) {
   ];
 }
 
+function parseTokenOptions(args: string[]) {
+  const options: { json: boolean; scope?: string[]; resource?: string; audience?: string } = { json: false };
+  for (let index = 0; index < args.length; index += 1) {
+    const token = args[index];
+    if (!token) continue;
+    const next = args[index + 1];
+    const readValue = () => {
+      if (!next || next.startsWith("-")) {
+        throw new Error(`Missing value for ${token}`);
+      }
+      index += 1;
+      return next;
+    };
+    if (token === "--json") {
+      options.json = true;
+      continue;
+    }
+    if (token === "--scope") {
+      options.scope = [...(options.scope ?? []), readValue()];
+      continue;
+    }
+    if (token.startsWith("--scope=")) {
+      options.scope = [...(options.scope ?? []), token.slice("--scope=".length)];
+      continue;
+    }
+    if (token === "--resource") {
+      options.resource = readValue();
+      continue;
+    }
+    if (token.startsWith("--resource=")) {
+      options.resource = token.slice("--resource=".length);
+      continue;
+    }
+    if (token === "--audience") {
+      options.audience = readValue();
+      continue;
+    }
+    if (token.startsWith("--audience=")) {
+      options.audience = token.slice("--audience=".length);
+      continue;
+    }
+    throw new Error(`Unknown service auth token argument: ${token}`);
+  }
+  return options;
+}
+
+function mintAuthToken(options: { json: boolean; scope?: string[]; resource?: string; audience?: string }) {
+  const credentials = readStoredClientCredentials() ?? createAndStoreClientCredentials();
+  const scopes = options.scope?.length ? options.scope : serviceConfig.auth.resource_server.default_scopes;
+  const resource = options.resource ?? serviceConfig.auth.resource_server.audience;
+  const token = requestClientCredentialsToken(credentials, {
+    scope: scopes.join(" "),
+    resource,
+    audience: options.audience,
+  });
+
+  if (options.json) {
+    return JSON.stringify(token, null, 2);
+  }
+
+  if (!token.access_token) {
+    throw new Error("token response did not include access_token");
+  }
+  return token.access_token;
+}
+
+function createAndStoreClientCredentials() {
+  ensureAuthClient();
+  const stored = readStoredClientCredentials();
+  if (!stored) {
+    throw new Error(`Auth client credentials were not written to Vault path ${clientVaultPath()}`);
+  }
+  return stored;
+}
+
+function requestClientCredentialsToken(credentials: ClientCredentials, options: { scope: string; resource: string; audience?: string }) {
+  const body = new URLSearchParams({
+    grant_type: "client_credentials",
+    scope: options.scope,
+    resource: options.resource,
+  });
+  if (options.audience) {
+    body.set("audience", options.audience);
+  }
+
+  const response = fetchSync(serviceConfig.auth.token_endpoint, {
+    method: "POST",
+    headers: {
+      authorization: `Basic ${basicAuth(credentials.client_id, credentials.client_secret)}`,
+      "content-type": "application/x-www-form-urlencoded",
+      accept: "application/json",
+    },
+    body: body.toString(),
+  });
+
+  if (response.status < 200 || response.status >= 300) {
+    throw new Error(`token request failed: ${response.status} ${response.body}`);
+  }
+
+  const token = JSON.parse(response.body) as TokenResponse;
+  if (token.token_type?.toLowerCase() !== "bearer" || !token.access_token) {
+    throw new Error("token response did not include a bearer access_token");
+  }
+  return token;
+}
+
 function hasFlag(args: string[], name: string) {
   return args.some((arg) => arg === name || arg.startsWith(`${name}=`));
 }
@@ -335,3 +490,112 @@ function readAuthctlAccessVaultField(env: Record<string, string | undefined>, fi
 
   return decoder.decode(result.stdout).trim();
 }
+
+function parseClientSecretResponse(stdout: string): ClientCredentials {
+  if (!stdout) {
+    throw new Error("authctl did not return client credentials");
+  }
+  const parsed = JSON.parse(stdout) as { client_id?: string; client_secret?: string };
+  if (!parsed.client_id || !parsed.client_secret) {
+    throw new Error("authctl client create did not return one-time client credentials");
+  }
+  return {
+    client_id: parsed.client_id,
+    client_secret: parsed.client_secret,
+  };
+}
+
+function readStoredClientCredentials(): ClientCredentials | undefined {
+  const clientId = readVaultField(clientVaultPath(), "client_id");
+  const clientSecret = readVaultField(clientVaultPath(), "client_secret");
+  if (!clientId || !clientSecret) {
+    return undefined;
+  }
+  return {
+    client_id: clientId,
+    client_secret: clientSecret,
+  };
+}
+
+function storeClientCredentials(credentials: ClientCredentials) {
+  const vault = requireVaultCommand();
+  const result = Bun.spawnSync(
+    [
+      vault,
+      "kv",
+      "put",
+      `-mount=${vaultMount()}`,
+      clientVaultPath(),
+      `client_id=${credentials.client_id}`,
+      `client_secret=${credentials.client_secret}`,
+    ],
+    {
+      cwd: process.cwd(),
+      env: process.env,
+      stdout: "pipe",
+      stderr: "pipe",
+    }
+  );
+  if (!result.success) {
+    const stderr = result.stderr ? decoder.decode(result.stderr).trim() : "";
+    throw new Error(`failed to store auth client credentials in Vault at ${clientVaultPath()}\n${stderr}`);
+  }
+}
+
+function readVaultField(path: string, field: string) {
+  const vault = Bun.which("vault");
+  if (!vault) {
+    return "";
+  }
+  const result = Bun.spawnSync([vault, "kv", "get", `-mount=${vaultMount()}`, `-field=${field}`, path], {
+    cwd: process.cwd(),
+    env: process.env,
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  if (!result.success || !result.stdout) {
+    return "";
+  }
+  return decoder.decode(result.stdout).trim();
+}
+
+function requireVaultCommand() {
+  const vault = Bun.which("vault");
+  if (!vault) {
+    throw new Error("vault is required to store generated auth client credentials");
+  }
+  return vault;
+}
+
+function vaultMount() {
+  return serviceConfig.providers.vault.mount || "secret";
+}
+
+function clientVaultPath() {
+  return `${serviceConfig.auth.client.vault_path_prefix}/${serviceConfig.auth.resource_server.id}`;
+}
+
+function basicAuth(clientId: string, clientSecret: string) {
+  return Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
+}
+
+function fetchSync(url: string, init: { method: string; headers: Record<string, string>; body: string }) {
+  const script = [
+    "const url = process.argv[1];",
+    "const init = JSON.parse(process.argv[2]);",
+    "const response = await fetch(url, init);",
+    "const body = await response.text();",
+    "console.log(JSON.stringify({ status: response.status, body }));",
+  ].join("\n");
+  const result = Bun.spawnSync([process.execPath, "--eval", script, url, JSON.stringify(init)], {
+    cwd: process.cwd(),
+    env: process.env,
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  if (!result.success) {
+    const stderr = result.stderr ? decoder.decode(result.stderr).trim() : "";
+    throw new Error(`token request process failed\n${stderr}`);
+  }
+  return JSON.parse(decoder.decode(result.stdout).trim()) as { status: number; body: string };
+}

package/templates/shared/scripts/cloudrun/cli.ts

@@ -1,7 +1,7 @@
 #!/usr/bin/env bun
 
 import { mkdir } from "node:fs/promises";
-import { ensureAuthResourceServer, runAuthCommand, runAuthDoctor } from "../authctl";
+import { ensureAuthClient, ensureAuthResourceServer, runAuthCommand, runAuthDoctor } from "../authctl";
 import { bootstrap, prepareGcpProject } from "./bootstrap";
 import { cleanup } from "./cleanup";
 import { deploy } from "./deploy";
@@ -37,6 +37,7 @@ async function main(argv = Bun.argv.slice(2)) {
       assertProductionDomainAvailable(config.serviceName);
       await prepareGcpProject();
       await runStep("Registering auth resource server", () => ensureAuthResourceServer());
+      await runStep("Provisioning auth client", () => ensureAuthClient());
       await bootstrap({ skipProjectSetup: true });
       const target = resolveDeploymentTarget("main");
       const databaseUrl = await runStep("Reading production database URL", () => accessSecretVersion(target.databaseSecretName));
@@ -79,6 +80,10 @@ async function main(argv = Bun.argv.slice(2)) {
   }
 
   if (command === "auth") {
+    if (rest[0] === "token") {
+      console.log(runAuthCommand(rest));
+      return;
+    }
     await runMain("Auth", () => runAuthCommand(rest));
     return;
   }
@@ -108,6 +113,7 @@ function formatHelp() {
     "  seed        Run the seed script when configured",
     "  doctor      Check local tools and cloud access",
     "  auth        Manage auth resource server and clients",
+    "  auth token  Mint a bearer token for protected API checks",
     "  sdk         Build or publish generated SDK artifacts",
     "  dns         Repair or inspect DNS mappings",
     "  dashboards  Publish Grafana resources",

package/templates/shared/scripts/cloudrun/config.ts

@@ -22,6 +22,9 @@ export const config = {
   domain: {
     hostname: "{{API_HOSTNAME}}",
     baseDomain: "{{API_BASE_DOMAIN}}",
+    cloudflareApiBaseUrl: "https://api.cloudflare.com/client/v4",
+    cloudflareVaultPath: "prod/providers/cloudflare",
+    cloudflareVaultField: "api_token",
   },
   auth: {
     issuer: "https://auth.anmho.com/api/auth",

package/templates/shared/scripts/cloudrun/lib.ts

@@ -42,6 +42,7 @@ type CommandResult = {
 
 const decoder = new TextDecoder();
 const encoder = new TextEncoder();
+const CLOUDFLARE_DNS_TTL_AUTO = 1;
 
 export class CommandError extends Error {
   command: string;
@@ -485,12 +486,13 @@ export function ensureProductionDomainMapping(serviceName: string) {
   if (existing) {
     const mappedService = existing.spec?.routeName ?? existing.status?.resourceRecords?.[0]?.rrdata;
     if (!mappedService || mappedService === serviceName) {
+      ensureCloudflareDnsRecord(existing);
       return;
     }
     throw new Error(`${config.domain.hostname} is already mapped to ${mappedService}; refusing to take it over`);
   }
 
-  gcloud([
+  const result = gcloud([
     "beta",
     "run",
     "domain-mappings",
@@ -504,6 +506,8 @@ export function ensureProductionDomainMapping(serviceName: string) {
     "--region",
     config.region,
   ]);
+  const created = parseDomainMappingOutput(result.stdout) ?? describeProductionDomainMapping();
+  ensureCloudflareDnsRecord(created);
 }
 
 export function describeProductionDomainMapping():
@@ -561,6 +565,7 @@ export function assertServiceNameAvailable(serviceName: string) {
 }
 
 export function deleteProductionDomainMapping() {
+  deleteCloudflareDnsRecord();
   gcloud(["beta", "run", "domain-mappings", "delete", "--domain", config.domain.hostname, "--project", config.project.id, "--quiet"], {
     allowFailure: true,
   });
@@ -573,6 +578,165 @@ export function listCloudRunServices() {
     .filter(Boolean);
 }
 
+function parseDomainMappingOutput(stdout: string) {
+  if (!stdout.trim().startsWith("{")) {
+    return undefined;
+  }
+  try {
+    return JSON.parse(stdout) as ReturnType<typeof describeProductionDomainMapping>;
+  } catch {
+    return undefined;
+  }
+}
+
+function ensureCloudflareDnsRecord(
+  mapping:
+    | { status?: { resourceRecords?: Array<{ name?: string; rrdata?: string; type?: string }> } }
+    | undefined
+) {
+  const desired = desiredCloudflareRecord(mapping);
+  const zoneId = cloudflareZoneId();
+  const records = listCloudflareDnsRecords(zoneId, config.domain.hostname);
+  const conflicting = records.find((record) => record.type !== desired.type);
+  if (conflicting) {
+    throw new Error(
+      `Cloudflare DNS record ${config.domain.hostname} already exists as ${conflicting.type}; remove or update it before provisioning`
+    );
+  }
+  const existing = records.find((record) => record.type === desired.type);
+  if (!existing) {
+    cloudflareFetch("POST", `/zones/${zoneId}/dns_records`, desired);
+    return;
+  }
+  if (existing.content === desired.content && existing.proxied === desired.proxied) {
+    return;
+  }
+  cloudflareFetch("PUT", `/zones/${zoneId}/dns_records/${existing.id}`, desired);
+}
+
+function deleteCloudflareDnsRecord() {
+  const token = resolveCloudflareApiToken({ required: false });
+  if (!token) {
+    return;
+  }
+  const zoneId = cloudflareZoneId(token);
+  const records = listCloudflareDnsRecords(zoneId, config.domain.hostname, token);
+  for (const record of records) {
+    cloudflareFetch("DELETE", `/zones/${zoneId}/dns_records/${record.id}`, undefined, token);
+  }
+}
+
+function desiredCloudflareRecord(
+  mapping:
+    | { status?: { resourceRecords?: Array<{ name?: string; rrdata?: string; type?: string }> } }
+    | undefined
+) {
+  const cname = mapping?.status?.resourceRecords?.find((record) => record.type === "CNAME" && record.rrdata);
+  const content = (cname?.rrdata ?? "ghs.googlehosted.com.").replace(/\.$/, "");
+  return {
+    type: "CNAME",
+    name: config.domain.hostname,
+    content,
+    ttl: CLOUDFLARE_DNS_TTL_AUTO,
+    proxied: false,
+  };
+}
+
+function cloudflareZoneId(token = resolveCloudflareApiToken({ required: true })) {
+  const response = cloudflareFetch("GET", `/zones?name=${encodeURIComponent(config.domain.baseDomain)}`, undefined, token);
+  const zone = response.result?.[0] as { id?: string } | undefined;
+  if (!zone?.id) {
+    throw new Error(`Cloudflare zone not found for ${config.domain.baseDomain}`);
+  }
+  return zone.id;
+}
+
+function listCloudflareDnsRecords(zoneId: string, name: string, token = resolveCloudflareApiToken({ required: true })) {
+  const response = cloudflareFetch(
+    "GET",
+    `/zones/${zoneId}/dns_records?name=${encodeURIComponent(name)}&per_page=100`,
+    undefined,
+    token
+  );
+  return (response.result ?? []) as Array<{ id: string; type: string; content: string; proxied: boolean }>;
+}
+
+function cloudflareFetch(method: string, path: string, body?: unknown, token = resolveCloudflareApiToken({ required: true })) {
+  const response = fetchJsonSync(`${config.domain.cloudflareApiBaseUrl}${path}`, {
+    method,
+    headers: {
+      authorization: `Bearer ${token}`,
+      "content-type": "application/json",
+      accept: "application/json",
+    },
+    body: body === undefined ? undefined : JSON.stringify(body),
+  });
+  if (response.status < 200 || response.status >= 300) {
+    throw new Error(`Cloudflare ${method} ${path} failed: ${response.status} ${response.body}`);
+  }
+  const parsed = response.body ? JSON.parse(response.body) : {};
+  if (parsed.success === false) {
+    throw new Error(`Cloudflare ${method} ${path} failed: ${response.body}`);
+  }
+  return parsed;
+}
+
+function resolveCloudflareApiToken(options: { required: boolean }) {
+  const direct = process.env.CLOUDFLARE_API_TOKEN?.trim();
+  if (direct) {
+    return direct;
+  }
+
+  const vault = Bun.which("vault");
+  if (vault) {
+    const path = process.env.VAULT_CLOUDFLARE_API_TOKEN_PATH?.trim() || config.domain.cloudflareVaultPath;
+    const field = process.env.VAULT_CLOUDFLARE_API_TOKEN_FIELD?.trim() || config.domain.cloudflareVaultField;
+    const result = Bun.spawnSync(
+      [vault, "kv", "get", `-mount=${process.env.VAULT_SECRET_MOUNT || "secret"}`, `-field=${field}`, path],
+      {
+        cwd: process.cwd(),
+        env: process.env,
+        stdout: "pipe",
+        stderr: "pipe",
+      }
+    );
+    if (result.success && result.stdout) {
+      return decoder.decode(result.stdout).trim();
+    }
+  }
+
+  if (!options.required) {
+    return "";
+  }
+  throw new Error(
+    [
+      "CLOUDFLARE_API_TOKEN is required to create DNS records for the production Cloud Run domain.",
+      `Set CLOUDFLARE_API_TOKEN or store it at secret/${config.domain.cloudflareVaultPath} field ${config.domain.cloudflareVaultField}.`,
+    ].join(" ")
+  );
+}
+
+function fetchJsonSync(url: string, init: { method: string; headers: Record<string, string>; body?: string }) {
+  const script = [
+    "const url = process.argv[1];",
+    "const init = JSON.parse(process.argv[2]);",
+    "const response = await fetch(url, init);",
+    "const body = await response.text();",
+    "console.log(JSON.stringify({ status: response.status, body }));",
+  ].join("\n");
+  const result = Bun.spawnSync([process.execPath, "--eval", script, url, JSON.stringify(init)], {
+    cwd: process.cwd(),
+    env: process.env,
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  if (!result.success) {
+    const stderr = result.stderr ? decoder.decode(result.stderr).trim() : "";
+    throw new Error(`Cloudflare request process failed\n${stderr}`);
+  }
+  return JSON.parse(decoder.decode(result.stdout).trim()) as { status: number; body: string };
+}
+
 export function describeCloudRunService(serviceName: string): GcpResourceWithLabels | undefined {
   const result = gcloud(
     ["run", "services", "describe", serviceName, "--project", config.project.id, "--region", config.region, "--format=json"],

package/templates/shared/service.config.ts

@@ -7,6 +7,9 @@ export default {
   dns: {
     hostname: "{{API_HOSTNAME}}",
     base_domain: "{{API_BASE_DOMAIN}}",
+    cloudflare_api_base_url: "https://api.cloudflare.com/client/v4",
+    cloudflare_vault_path: "prod/providers/cloudflare",
+    cloudflare_vault_field: "api_token",
   },
   ownership: {
     managed_by: "create-service",
@@ -38,6 +41,7 @@ export default {
     vault: {
       mount: "secret",
       neon_path: "prod/providers/neon",
+      cloudflare_path: "prod/providers/cloudflare",
       grafana_path: "prod/providers/grafana",
       clerk_m2m_path: "prod/providers/clerk-m2m",
       temporal_path: "prod/providers/temporal",

package/templates/targets/workers/Makefile

@@ -12,7 +12,7 @@ gen:
 	@echo "no generated code for workers"
 
 lint:
-	bunx tsc --noEmit
+	bun run lint
 
 test:
 	bun test

package/templates/targets/workers/README.md

@@ -43,6 +43,7 @@ small waitlist/trigger schema on first use.
 - `POST /v1/waitlist`
 - `GET /v1/waitlist?email=<email>`
 - `GET /v1/waitlist/:entryId`
+- `GET /v1/admin/waitlist`
 - `POST /v1/triggers/waitlist`
 - `POST /webhooks/:provider`
 - `GET /webhooks/:provider/health`
@@ -63,6 +64,8 @@ https://{{API_HOSTNAME}}
 Use `service doctor` after create to verify Wrangler auth, route config, Cron,
 Hyperdrive, dashboard tooling, auth tooling, and deployed health.
 
+{{PRODUCTION_PROTECTED_CHECKS}}
+
 If the Hyperdrive binding id is empty, `service create` uses `DATABASE_URL`, or
 `NEON_API_KEY` to create/resolve the generated Neon database and connection URI,
 applies the waitlist schema, then runs `wrangler hyperdrive create` and writes

package/templates/targets/workers/package.json

@@ -10,7 +10,7 @@
     "service": "bun run ./scripts/workers/cli.ts",
     "migrate": "bun run ./scripts/workers/cli.ts migrate",
     "seed": "bun run ./scripts/workers/cli.ts seed",
-    "lint": "bunx tsc --noEmit",
+    "lint": "tsc --noEmit",
     "test": "bun test",
     "create": "bun run ./scripts/workers/cli.ts create",
     "deploy": "bun run ./scripts/workers/cli.ts deploy",

package/templates/targets/workers/scripts/workers/cli.ts

@@ -3,7 +3,7 @@
 import { confirm, intro, isCancel, log, outro } from "@clack/prompts";
 import { createApiClient } from "@neondatabase/api-client";
 import { Client } from "pg";
-import { ensureAuthResourceServer, runAuthCommand, runAuthDoctor } from "../authctl";
+import { ensureAuthClient, ensureAuthResourceServer, runAuthCommand, runAuthDoctor } from "../authctl";
 
 const config = {
   serviceName: "{{SERVICE_NAME}}",
@@ -25,6 +25,7 @@ async function main(argv = Bun.argv.slice(2)) {
   if (command === "create") {
     return runMain("Create", async () => {
       ensureAuthResourceServer();
+      ensureAuthClient();
       const databaseUrl = await resolveDatabaseUrl();
       await applySchema(databaseUrl);
       await ensureHyperdrive(databaseUrl);
@@ -68,6 +69,10 @@ async function main(argv = Bun.argv.slice(2)) {
   }
 
   if (command === "auth") {
+    if (rest[0] === "token") {
+      console.log(runAuthCommand(rest));
+      return;
+    }
     return runMain("Auth", () => runAuthCommand(rest));
   }
 
@@ -102,6 +107,7 @@ function formatHelp() {
     "  seed        Report seed status",
     "  doctor      Check local tools and cloud access",
     "  auth        Manage auth resource server and clients",
+    "  auth token  Mint a bearer token for protected API checks",
     "  dns         Show Workers custom-domain configuration",
     "  dashboards  Publish Grafana resources",
     "  destroy     Remove service-managed Worker resources",

package/templates/variants/bun-connectrpc/Makefile

@@ -12,7 +12,7 @@ gen:
 	bun run ./scripts/codegen.ts
 
 lint:
-	bunx tsc --noEmit
+	bun run lint
 
 test:
 	bun test

package/templates/variants/bun-connectrpc/package.json

@@ -10,7 +10,7 @@
     "service": "bun run ./scripts/cloudrun/cli.ts",
     "migrate": "bun run ./scripts/migrate.ts",
     "gen": "bun run ./scripts/codegen.ts",
-    "lint": "bunx tsc --noEmit",
+    "lint": "tsc --noEmit",
     "test": "bun test",
     "create": "bun run ./scripts/cloudrun/cli.ts create",
     "deploy": "bun run ./scripts/cloudrun/cli.ts deploy",

package/templates/variants/bun-hono/Makefile

@@ -12,7 +12,7 @@ gen:
 	bun run ./scripts/codegen.ts
 
 lint:
-	bunx tsc --noEmit
+	bun run lint
 
 test:
 	bun test

package/templates/variants/bun-hono/package.json

@@ -10,7 +10,7 @@
     "service": "bun run ./scripts/cloudrun/cli.ts",
     "migrate": "bun run ./scripts/migrate.ts",
     "gen": "bun run ./scripts/codegen.ts",
-    "lint": "bunx tsc --noEmit",
+    "lint": "tsc --noEmit",
     "test": "bun test",
     "create": "bun run ./scripts/cloudrun/cli.ts create",
     "deploy": "bun run ./scripts/cloudrun/cli.ts deploy",