create-svc 0.1.18 → 0.1.19

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.18",
+  "version": "0.1.19",
   "description": "Local microservice bootstrap CLI for Cloud Run and Workers services with Neon-backed data.",
   "module": "index.ts",
   "type": "module",

package/src/post-scaffold.ts

@@ -20,6 +20,8 @@ type PostScaffoldCommand = {
 
 const decoder = new TextDecoder();
 const encoder = new TextEncoder();
+const DEPLOYMENT_VERIFY_ATTEMPTS = 36;
+const DEPLOYMENT_VERIFY_DELAY_MS = 10_000;
 
 export async function runPostScaffoldFlow(config: ScaffoldConfig, cwd: string) {
   if (config.autoDeploy) {
@@ -28,7 +30,7 @@ export async function runPostScaffoldFlow(config: ScaffoldConfig, cwd: string) {
       run(command.command, command.args, { cwd });
     }
     for (const command of buildDeploymentVerificationCommands(config)) {
-      run(command.command, command.args, { cwd, quiet: true });
+      runWithRetries(command, { cwd, quiet: true }, DEPLOYMENT_VERIFY_ATTEMPTS, DEPLOYMENT_VERIFY_DELAY_MS);
     }
     return { message: "Dependencies installed, service created, service deployed, and production health verified" };
   }
@@ -36,6 +38,22 @@ export async function runPostScaffoldFlow(config: ScaffoldConfig, cwd: string) {
   return { message: "Backend package generated" };
 }
 
+function runWithRetries(command: PostScaffoldCommand, options: CommandOptions, attempts: number, delayMs: number) {
+  let lastError: unknown;
+  for (let attempt = 1; attempt <= attempts; attempt += 1) {
+    try {
+      return run(command.command, command.args, options);
+    } catch (error) {
+      lastError = error;
+      if (attempt === attempts) {
+        break;
+      }
+      Bun.sleepSync(delayMs);
+    }
+  }
+  throw lastError;
+}
+
 export function buildDeploymentVerificationCommands(
   config: Pick<ScaffoldConfig, "apiHostname" | "framework" | "runtime"> & Partial<Pick<ScaffoldConfig, "target">>
 ): PostScaffoldCommand[] {

package/src/scaffold.test.ts

@@ -59,6 +59,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(serviceConfig).toContain('service_id: "dns-api"');
     expect(serviceConfig).toContain('target: "cloudrun"');
     expect(serviceConfig).toContain('module: "buf.build/anmho/dns-api"');
+    expect(serviceConfig).toContain('cloudflare_vault_path: "prod/providers/cloudflare"');
     expect(serviceConfig).toContain('issuer: "https://auth.anmho.com/api/auth"');
     expect(serviceConfig).toContain('audience: "api://dns-api"');
     expect(serviceConfig).toContain('vault_path_prefix: "prod/apps/dns-api/server/oauth-clients"');
@@ -79,6 +80,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(configScript).toContain('baseBranchName: "main"');
     expect(configScript).toContain('previewBranchPrefix: "dns-api-pr"');
     expect(configScript).toContain('hostname: "api.dns-api.anmho.com"');
+    expect(configScript).toContain('cloudflareVaultPath: "prod/providers/cloudflare"');
     expect(configScript).not.toContain("github:");
     expect(configScript).not.toContain("attachmentBucket");
 
@@ -87,6 +89,8 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(deployScript).toContain('projectMode === "use_existing"');
     expect(deployScript).toContain("serviceDomain");
     expect(deployScript).toContain("ensureProductionDomainMapping");
+    expect(deployScript).toContain("ensureCloudflareDnsRecord");
+    expect(deployScript).toContain("CLOUDFLARE_API_TOKEN");
     expect(deployScript).toContain('"domain-mappings",');
     expect(deployScript).toContain('"--region",');
     expect(deployScript).toContain("assertProductionDomainAvailable");
@@ -152,6 +156,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(localEnv).toContain(`DATABASE_URL=postgres://postgres:postgres@127.0.0.1:${localPort}/dns_api?sslmode=disable`);
     expect(localEnv).toContain("VAULT_AUTHCTL_ACCESS_PATH=prod/apps/auth/authctl/cloudflare-access");
     expect(localEnv).toContain("VAULT_NEON_API_KEY_PATH=prod/providers/neon");
+    expect(localEnv).toContain("VAULT_CLOUDFLARE_API_TOKEN_PATH=prod/providers/cloudflare");
     expect(localEnv).not.toContain("ATTACHMENT_PUBLIC_BASE_URL=");
 
     const ciWorkflow = await Bun.file(join(generatedRoot, ".github", "workflows", "ci.yml")).text();

package/src/scaffold.ts

@@ -293,6 +293,8 @@ async function writeLocalEnvFile(targetDir: string, replacements: Record<string,
       "VAULT_AUTHCTL_ACCESS_CLIENT_SECRET_FIELD=CLOUDFLARE_ACCESS_SERVICE_TOKEN_CLIENT_SECRET",
       "VAULT_NEON_API_KEY_PATH=prod/providers/neon",
       "VAULT_NEON_API_KEY_FIELD=api_key",
+      "VAULT_CLOUDFLARE_API_TOKEN_PATH=prod/providers/cloudflare",
+      "VAULT_CLOUDFLARE_API_TOKEN_FIELD=api_token",
       "",
     ].join("\n"),
     replacements

package/templates/shared/scripts/cloudrun/config.ts

@@ -22,6 +22,9 @@ export const config = {
   domain: {
     hostname: "{{API_HOSTNAME}}",
     baseDomain: "{{API_BASE_DOMAIN}}",
+    cloudflareApiBaseUrl: "https://api.cloudflare.com/client/v4",
+    cloudflareVaultPath: "prod/providers/cloudflare",
+    cloudflareVaultField: "api_token",
   },
   auth: {
     issuer: "https://auth.anmho.com/api/auth",

package/templates/shared/scripts/cloudrun/lib.ts

@@ -42,6 +42,7 @@ type CommandResult = {
 
 const decoder = new TextDecoder();
 const encoder = new TextEncoder();
+const CLOUDFLARE_DNS_TTL_AUTO = 1;
 
 export class CommandError extends Error {
   command: string;
@@ -485,12 +486,13 @@ export function ensureProductionDomainMapping(serviceName: string) {
   if (existing) {
     const mappedService = existing.spec?.routeName ?? existing.status?.resourceRecords?.[0]?.rrdata;
     if (!mappedService || mappedService === serviceName) {
+      ensureCloudflareDnsRecord(existing);
       return;
     }
     throw new Error(`${config.domain.hostname} is already mapped to ${mappedService}; refusing to take it over`);
   }
 
-  gcloud([
+  const result = gcloud([
     "beta",
     "run",
     "domain-mappings",
@@ -504,6 +506,8 @@ export function ensureProductionDomainMapping(serviceName: string) {
     "--region",
     config.region,
   ]);
+  const created = parseDomainMappingOutput(result.stdout) ?? describeProductionDomainMapping();
+  ensureCloudflareDnsRecord(created);
 }
 
 export function describeProductionDomainMapping():
@@ -561,6 +565,7 @@ export function assertServiceNameAvailable(serviceName: string) {
 }
 
 export function deleteProductionDomainMapping() {
+  deleteCloudflareDnsRecord();
   gcloud(["beta", "run", "domain-mappings", "delete", "--domain", config.domain.hostname, "--project", config.project.id, "--quiet"], {
     allowFailure: true,
   });
@@ -573,6 +578,165 @@ export function listCloudRunServices() {
     .filter(Boolean);
 }
 
+function parseDomainMappingOutput(stdout: string) {
+  if (!stdout.trim().startsWith("{")) {
+    return undefined;
+  }
+  try {
+    return JSON.parse(stdout) as ReturnType<typeof describeProductionDomainMapping>;
+  } catch {
+    return undefined;
+  }
+}
+
+function ensureCloudflareDnsRecord(
+  mapping:
+    | { status?: { resourceRecords?: Array<{ name?: string; rrdata?: string; type?: string }> } }
+    | undefined
+) {
+  const desired = desiredCloudflareRecord(mapping);
+  const zoneId = cloudflareZoneId();
+  const records = listCloudflareDnsRecords(zoneId, config.domain.hostname);
+  const conflicting = records.find((record) => record.type !== desired.type);
+  if (conflicting) {
+    throw new Error(
+      `Cloudflare DNS record ${config.domain.hostname} already exists as ${conflicting.type}; remove or update it before provisioning`
+    );
+  }
+  const existing = records.find((record) => record.type === desired.type);
+  if (!existing) {
+    cloudflareFetch("POST", `/zones/${zoneId}/dns_records`, desired);
+    return;
+  }
+  if (existing.content === desired.content && existing.proxied === desired.proxied) {
+    return;
+  }
+  cloudflareFetch("PUT", `/zones/${zoneId}/dns_records/${existing.id}`, desired);
+}
+
+function deleteCloudflareDnsRecord() {
+  const token = resolveCloudflareApiToken({ required: false });
+  if (!token) {
+    return;
+  }
+  const zoneId = cloudflareZoneId(token);
+  const records = listCloudflareDnsRecords(zoneId, config.domain.hostname, token);
+  for (const record of records) {
+    cloudflareFetch("DELETE", `/zones/${zoneId}/dns_records/${record.id}`, undefined, token);
+  }
+}
+
+function desiredCloudflareRecord(
+  mapping:
+    | { status?: { resourceRecords?: Array<{ name?: string; rrdata?: string; type?: string }> } }
+    | undefined
+) {
+  const cname = mapping?.status?.resourceRecords?.find((record) => record.type === "CNAME" && record.rrdata);
+  const content = (cname?.rrdata ?? "ghs.googlehosted.com.").replace(/\.$/, "");
+  return {
+    type: "CNAME",
+    name: config.domain.hostname,
+    content,
+    ttl: CLOUDFLARE_DNS_TTL_AUTO,
+    proxied: false,
+  };
+}
+
+function cloudflareZoneId(token = resolveCloudflareApiToken({ required: true })) {
+  const response = cloudflareFetch("GET", `/zones?name=${encodeURIComponent(config.domain.baseDomain)}`, undefined, token);
+  const zone = response.result?.[0] as { id?: string } | undefined;
+  if (!zone?.id) {
+    throw new Error(`Cloudflare zone not found for ${config.domain.baseDomain}`);
+  }
+  return zone.id;
+}
+
+function listCloudflareDnsRecords(zoneId: string, name: string, token = resolveCloudflareApiToken({ required: true })) {
+  const response = cloudflareFetch(
+    "GET",
+    `/zones/${zoneId}/dns_records?name=${encodeURIComponent(name)}&per_page=100`,
+    undefined,
+    token
+  );
+  return (response.result ?? []) as Array<{ id: string; type: string; content: string; proxied: boolean }>;
+}
+
+function cloudflareFetch(method: string, path: string, body?: unknown, token = resolveCloudflareApiToken({ required: true })) {
+  const response = fetchJsonSync(`${config.domain.cloudflareApiBaseUrl}${path}`, {
+    method,
+    headers: {
+      authorization: `Bearer ${token}`,
+      "content-type": "application/json",
+      accept: "application/json",
+    },
+    body: body === undefined ? undefined : JSON.stringify(body),
+  });
+  if (response.status < 200 || response.status >= 300) {
+    throw new Error(`Cloudflare ${method} ${path} failed: ${response.status} ${response.body}`);
+  }
+  const parsed = response.body ? JSON.parse(response.body) : {};
+  if (parsed.success === false) {
+    throw new Error(`Cloudflare ${method} ${path} failed: ${response.body}`);
+  }
+  return parsed;
+}
+
+function resolveCloudflareApiToken(options: { required: boolean }) {
+  const direct = process.env.CLOUDFLARE_API_TOKEN?.trim();
+  if (direct) {
+    return direct;
+  }
+
+  const vault = Bun.which("vault");
+  if (vault) {
+    const path = process.env.VAULT_CLOUDFLARE_API_TOKEN_PATH?.trim() || config.domain.cloudflareVaultPath;
+    const field = process.env.VAULT_CLOUDFLARE_API_TOKEN_FIELD?.trim() || config.domain.cloudflareVaultField;
+    const result = Bun.spawnSync(
+      [vault, "kv", "get", `-mount=${process.env.VAULT_SECRET_MOUNT || "secret"}`, `-field=${field}`, path],
+      {
+        cwd: process.cwd(),
+        env: process.env,
+        stdout: "pipe",
+        stderr: "pipe",
+      }
+    );
+    if (result.success && result.stdout) {
+      return decoder.decode(result.stdout).trim();
+    }
+  }
+
+  if (!options.required) {
+    return "";
+  }
+  throw new Error(
+    [
+      "CLOUDFLARE_API_TOKEN is required to create DNS records for the production Cloud Run domain.",
+      `Set CLOUDFLARE_API_TOKEN or store it at secret/${config.domain.cloudflareVaultPath} field ${config.domain.cloudflareVaultField}.`,
+    ].join(" ")
+  );
+}
+
+function fetchJsonSync(url: string, init: { method: string; headers: Record<string, string>; body?: string }) {
+  const script = [
+    "const url = process.argv[1];",
+    "const init = JSON.parse(process.argv[2]);",
+    "const response = await fetch(url, init);",
+    "const body = await response.text();",
+    "console.log(JSON.stringify({ status: response.status, body }));",
+  ].join("\n");
+  const result = Bun.spawnSync([process.execPath, "--eval", script, url, JSON.stringify(init)], {
+    cwd: process.cwd(),
+    env: process.env,
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  if (!result.success) {
+    const stderr = result.stderr ? decoder.decode(result.stderr).trim() : "";
+    throw new Error(`Cloudflare request process failed\n${stderr}`);
+  }
+  return JSON.parse(decoder.decode(result.stdout).trim()) as { status: number; body: string };
+}
+
 export function describeCloudRunService(serviceName: string): GcpResourceWithLabels | undefined {
   const result = gcloud(
     ["run", "services", "describe", serviceName, "--project", config.project.id, "--region", config.region, "--format=json"],

package/templates/shared/service.config.ts

@@ -7,6 +7,9 @@ export default {
   dns: {
     hostname: "{{API_HOSTNAME}}",
     base_domain: "{{API_BASE_DOMAIN}}",
+    cloudflare_api_base_url: "https://api.cloudflare.com/client/v4",
+    cloudflare_vault_path: "prod/providers/cloudflare",
+    cloudflare_vault_field: "api_token",
   },
   ownership: {
     managed_by: "create-service",
@@ -38,6 +41,7 @@ export default {
     vault: {
       mount: "secret",
       neon_path: "prod/providers/neon",
+      cloudflare_path: "prod/providers/cloudflare",
       grafana_path: "prod/providers/grafana",
       clerk_m2m_path: "prod/providers/clerk-m2m",
       temporal_path: "prod/providers/temporal",