npm - create-svc - Versions diffs - 0.1.18 → 0.1.20 - Mend

create-svc 0.1.18 → 0.1.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/package.json +1 -1
package/src/post-scaffold.ts +19 -1
package/src/scaffold.test.ts +6 -0
package/src/scaffold.ts +2 -0
package/templates/shared/scripts/cloudrun/config.ts +3 -0
package/templates/shared/scripts/cloudrun/deploy.ts +2 -1
package/templates/shared/scripts/cloudrun/lib.ts +220 -4
package/templates/shared/service.config.ts +4 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.18",
+  "version": "0.1.20",
   "description": "Local microservice bootstrap CLI for Cloud Run and Workers services with Neon-backed data.",
   "module": "index.ts",
   "type": "module",

package/src/post-scaffold.ts CHANGED Viewed

@@ -20,6 +20,8 @@ type PostScaffoldCommand = {
 const decoder = new TextDecoder();
 const encoder = new TextEncoder();
+const DEPLOYMENT_VERIFY_ATTEMPTS = 36;
+const DEPLOYMENT_VERIFY_DELAY_MS = 10_000;
 export async function runPostScaffoldFlow(config: ScaffoldConfig, cwd: string) {
   if (config.autoDeploy) {
@@ -28,7 +30,7 @@ export async function runPostScaffoldFlow(config: ScaffoldConfig, cwd: string) {
       run(command.command, command.args, { cwd });
     }
     for (const command of buildDeploymentVerificationCommands(config)) {
-      run(command.command, command.args, { cwd, quiet: true });
+      runWithRetries(command, { cwd, quiet: true }, DEPLOYMENT_VERIFY_ATTEMPTS, DEPLOYMENT_VERIFY_DELAY_MS);
     }
     return { message: "Dependencies installed, service created, service deployed, and production health verified" };
   }
@@ -36,6 +38,22 @@ export async function runPostScaffoldFlow(config: ScaffoldConfig, cwd: string) {
   return { message: "Backend package generated" };
 }
+function runWithRetries(command: PostScaffoldCommand, options: CommandOptions, attempts: number, delayMs: number) {
+  let lastError: unknown;
+  for (let attempt = 1; attempt <= attempts; attempt += 1) {
+    try {
+      return run(command.command, command.args, options);
+    } catch (error) {
+      lastError = error;
+      if (attempt === attempts) {
+        break;
+      }
+      Bun.sleepSync(delayMs);
+    }
+  }
+  throw lastError;
+}
 export function buildDeploymentVerificationCommands(
   config: Pick<ScaffoldConfig, "apiHostname" | "framework" | "runtime"> & Partial<Pick<ScaffoldConfig, "target">>
 ): PostScaffoldCommand[] {

package/src/scaffold.test.ts CHANGED Viewed

@@ -59,6 +59,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(serviceConfig).toContain('service_id: "dns-api"');
     expect(serviceConfig).toContain('target: "cloudrun"');
     expect(serviceConfig).toContain('module: "buf.build/anmho/dns-api"');
+    expect(serviceConfig).toContain('cloudflare_vault_path: "prod/providers/cloudflare"');
     expect(serviceConfig).toContain('issuer: "https://auth.anmho.com/api/auth"');
     expect(serviceConfig).toContain('audience: "api://dns-api"');
     expect(serviceConfig).toContain('vault_path_prefix: "prod/apps/dns-api/server/oauth-clients"');
@@ -79,6 +80,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(configScript).toContain('baseBranchName: "main"');
     expect(configScript).toContain('previewBranchPrefix: "dns-api-pr"');
     expect(configScript).toContain('hostname: "api.dns-api.anmho.com"');
+    expect(configScript).toContain('cloudflareVaultPath: "prod/providers/cloudflare"');
     expect(configScript).not.toContain("github:");
     expect(configScript).not.toContain("attachmentBucket");
@@ -87,6 +89,9 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(deployScript).toContain('projectMode === "use_existing"');
     expect(deployScript).toContain("serviceDomain");
     expect(deployScript).toContain("ensureProductionDomainMapping");
+    expect(deployScript).toContain("ensureCloudflareDnsRecord");
+    expect(deployScript).toContain("gcloudWithRetry");
+    expect(deployScript).toContain("CLOUDFLARE_API_TOKEN");
     expect(deployScript).toContain('"domain-mappings",');
     expect(deployScript).toContain('"--region",');
     expect(deployScript).toContain("assertProductionDomainAvailable");
@@ -152,6 +157,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(localEnv).toContain(`DATABASE_URL=postgres://postgres:postgres@127.0.0.1:${localPort}/dns_api?sslmode=disable`);
     expect(localEnv).toContain("VAULT_AUTHCTL_ACCESS_PATH=prod/apps/auth/authctl/cloudflare-access");
     expect(localEnv).toContain("VAULT_NEON_API_KEY_PATH=prod/providers/neon");
+    expect(localEnv).toContain("VAULT_CLOUDFLARE_API_TOKEN_PATH=prod/providers/cloudflare");
     expect(localEnv).not.toContain("ATTACHMENT_PUBLIC_BASE_URL=");
     const ciWorkflow = await Bun.file(join(generatedRoot, ".github", "workflows", "ci.yml")).text();

package/src/scaffold.ts CHANGED Viewed

@@ -293,6 +293,8 @@ async function writeLocalEnvFile(targetDir: string, replacements: Record<string,
       "VAULT_AUTHCTL_ACCESS_CLIENT_SECRET_FIELD=CLOUDFLARE_ACCESS_SERVICE_TOKEN_CLIENT_SECRET",
       "VAULT_NEON_API_KEY_PATH=prod/providers/neon",
       "VAULT_NEON_API_KEY_FIELD=api_key",
+      "VAULT_CLOUDFLARE_API_TOKEN_PATH=prod/providers/cloudflare",
+      "VAULT_CLOUDFLARE_API_TOKEN_FIELD=api_token",
       "",
     ].join("\n"),
     replacements

package/templates/shared/scripts/cloudrun/config.ts CHANGED Viewed

@@ -22,6 +22,9 @@ export const config = {
   domain: {
     hostname: "{{API_HOSTNAME}}",
     baseDomain: "{{API_BASE_DOMAIN}}",
+    cloudflareApiBaseUrl: "https://api.cloudflare.com/client/v4",
+    cloudflareVaultPath: "prod/providers/cloudflare",
+    cloudflareVaultField: "api_token",
   },
   auth: {
     issuer: "https://auth.anmho.com/api/auth",

package/templates/shared/scripts/cloudrun/deploy.ts CHANGED Viewed

@@ -8,6 +8,7 @@ import {
   ensureProductionDomainMapping,
   ensureSecretAccessor,
   gcloud,
+  gcloudWithRetry,
   imageUrl,
   parseDeployArgs,
   requireCommand,
@@ -74,7 +75,7 @@ export async function deploy(args = Bun.argv.slice(2)) {
   );
   await runStep("Granting public invoker access", () =>
-    gcloud([
+    gcloudWithRetry([
       "run",
       "services",
       "add-iam-policy-binding",

package/templates/shared/scripts/cloudrun/lib.ts CHANGED Viewed

@@ -42,6 +42,7 @@ type CommandResult = {
 const decoder = new TextDecoder();
 const encoder = new TextEncoder();
+const CLOUDFLARE_DNS_TTL_AUTO = 1;
 export class CommandError extends Error {
   command: string;
@@ -114,6 +115,22 @@ export function gcloud(args: string[], options: CommandOptions = {}) {
   return run("gcloud", normalized, options);
 }
+export function gcloudWithRetry(args: string[], options: CommandOptions = {}) {
+  let lastError: unknown;
+  for (let attempt = 1; attempt <= 12; attempt += 1) {
+    try {
+      return gcloud(args, options);
+    } catch (error) {
+      lastError = error;
+      if (attempt === 12 || !isRetryableGcloudError(error)) {
+        break;
+      }
+      Bun.sleepSync(5_000);
+    }
+  }
+  throw lastError;
+}
 export async function runStep<T>(label: string, task: () => Promise<T> | T) {
   const indicator = spinner();
   indicator.start(label);
@@ -175,6 +192,7 @@ export function ensureServiceAccount(email: string) {
   const accountId = email.split("@")[0] ?? email;
   gcloud(["iam", "service-accounts", "create", accountId, "--project", config.project.id, "--display-name", accountId]);
+  waitForServiceAccount(email);
 }
 export function deleteServiceAccount(email: string) {
@@ -182,11 +200,11 @@ export function deleteServiceAccount(email: string) {
 }
 export function ensureProjectRole(member: string, role: string) {
-  gcloud(["projects", "add-iam-policy-binding", config.project.id, "--member", member, "--role", role]);
+  gcloudWithRetry(["projects", "add-iam-policy-binding", config.project.id, "--member", member, "--role", role]);
 }
 export function ensureServiceAccountRole(serviceAccount: string, member: string, role: string) {
-  gcloud([
+  gcloudWithRetry([
     "iam",
     "service-accounts",
     "add-iam-policy-binding",
@@ -228,7 +246,17 @@ export function accessSecretVersion(secretName: string) {
 }
 export function ensureSecretAccessor(secretName: string, member: string) {
-  gcloud(["secrets", "add-iam-policy-binding", secretName, "--project", config.project.id, "--member", member, "--role", "roles/secretmanager.secretAccessor"]);
+  gcloudWithRetry([
+    "secrets",
+    "add-iam-policy-binding",
+    secretName,
+    "--project",
+    config.project.id,
+    "--member",
+    member,
+    "--role",
+    "roles/secretmanager.secretAccessor",
+  ]);
 }
 export function listSecrets() {
@@ -485,12 +513,13 @@ export function ensureProductionDomainMapping(serviceName: string) {
   if (existing) {
     const mappedService = existing.spec?.routeName ?? existing.status?.resourceRecords?.[0]?.rrdata;
     if (!mappedService || mappedService === serviceName) {
+      ensureCloudflareDnsRecord(existing);
       return;
     }
     throw new Error(`${config.domain.hostname} is already mapped to ${mappedService}; refusing to take it over`);
   }
-  gcloud([
+  const result = gcloud([
     "beta",
     "run",
     "domain-mappings",
@@ -504,6 +533,8 @@ export function ensureProductionDomainMapping(serviceName: string) {
     "--region",
     config.region,
   ]);
+  const created = parseDomainMappingOutput(result.stdout) ?? describeProductionDomainMapping();
+  ensureCloudflareDnsRecord(created);
 }
 export function describeProductionDomainMapping():
@@ -561,6 +592,7 @@ export function assertServiceNameAvailable(serviceName: string) {
 }
 export function deleteProductionDomainMapping() {
+  deleteCloudflareDnsRecord();
   gcloud(["beta", "run", "domain-mappings", "delete", "--domain", config.domain.hostname, "--project", config.project.id, "--quiet"], {
     allowFailure: true,
   });
@@ -573,6 +605,190 @@ export function listCloudRunServices() {
     .filter(Boolean);
 }
+function parseDomainMappingOutput(stdout: string) {
+  if (!stdout.trim().startsWith("{")) {
+    return undefined;
+  }
+  try {
+    return JSON.parse(stdout) as ReturnType<typeof describeProductionDomainMapping>;
+  } catch {
+    return undefined;
+  }
+}
+function ensureCloudflareDnsRecord(
+  mapping:
+    | { status?: { resourceRecords?: Array<{ name?: string; rrdata?: string; type?: string }> } }
+    | undefined
+) {
+  const desired = desiredCloudflareRecord(mapping);
+  const zoneId = cloudflareZoneId();
+  const records = listCloudflareDnsRecords(zoneId, config.domain.hostname);
+  const conflicting = records.find((record) => record.type !== desired.type);
+  if (conflicting) {
+    throw new Error(
+      `Cloudflare DNS record ${config.domain.hostname} already exists as ${conflicting.type}; remove or update it before provisioning`
+    );
+  }
+  const existing = records.find((record) => record.type === desired.type);
+  if (!existing) {
+    cloudflareFetch("POST", `/zones/${zoneId}/dns_records`, desired);
+    return;
+  }
+  if (existing.content === desired.content && existing.proxied === desired.proxied) {
+    return;
+  }
+  cloudflareFetch("PUT", `/zones/${zoneId}/dns_records/${existing.id}`, desired);
+}
+function deleteCloudflareDnsRecord() {
+  const token = resolveCloudflareApiToken({ required: false });
+  if (!token) {
+    return;
+  }
+  const zoneId = cloudflareZoneId(token);
+  const records = listCloudflareDnsRecords(zoneId, config.domain.hostname, token);
+  for (const record of records) {
+    cloudflareFetch("DELETE", `/zones/${zoneId}/dns_records/${record.id}`, undefined, token);
+  }
+}
+function desiredCloudflareRecord(
+  mapping:
+    | { status?: { resourceRecords?: Array<{ name?: string; rrdata?: string; type?: string }> } }
+    | undefined
+) {
+  const cname = mapping?.status?.resourceRecords?.find((record) => record.type === "CNAME" && record.rrdata);
+  const content = (cname?.rrdata ?? "ghs.googlehosted.com.").replace(/\.$/, "");
+  return {
+    type: "CNAME",
+    name: config.domain.hostname,
+    content,
+    ttl: CLOUDFLARE_DNS_TTL_AUTO,
+    proxied: false,
+  };
+}
+function cloudflareZoneId(token = resolveCloudflareApiToken({ required: true })) {
+  const response = cloudflareFetch("GET", `/zones?name=${encodeURIComponent(config.domain.baseDomain)}`, undefined, token);
+  const zone = response.result?.[0] as { id?: string } | undefined;
+  if (!zone?.id) {
+    throw new Error(`Cloudflare zone not found for ${config.domain.baseDomain}`);
+  }
+  return zone.id;
+}
+function listCloudflareDnsRecords(zoneId: string, name: string, token = resolveCloudflareApiToken({ required: true })) {
+  const response = cloudflareFetch(
+    "GET",
+    `/zones/${zoneId}/dns_records?name=${encodeURIComponent(name)}&per_page=100`,
+    undefined,
+    token
+  );
+  return (response.result ?? []) as Array<{ id: string; type: string; content: string; proxied: boolean }>;
+}
+function cloudflareFetch(method: string, path: string, body?: unknown, token = resolveCloudflareApiToken({ required: true })) {
+  const response = fetchJsonSync(`${config.domain.cloudflareApiBaseUrl}${path}`, {
+    method,
+    headers: {
+      authorization: `Bearer ${token}`,
+      "content-type": "application/json",
+      accept: "application/json",
+    },
+    body: body === undefined ? undefined : JSON.stringify(body),
+  });
+  if (response.status < 200 || response.status >= 300) {
+    throw new Error(`Cloudflare ${method} ${path} failed: ${response.status} ${response.body}`);
+  }
+  const parsed = response.body ? JSON.parse(response.body) : {};
+  if (parsed.success === false) {
+    throw new Error(`Cloudflare ${method} ${path} failed: ${response.body}`);
+  }
+  return parsed;
+}
+function resolveCloudflareApiToken(options: { required: boolean }) {
+  const direct = process.env.CLOUDFLARE_API_TOKEN?.trim();
+  if (direct) {
+    return direct;
+  }
+  const vault = Bun.which("vault");
+  if (vault) {
+    const path = process.env.VAULT_CLOUDFLARE_API_TOKEN_PATH?.trim() || config.domain.cloudflareVaultPath;
+    const field = process.env.VAULT_CLOUDFLARE_API_TOKEN_FIELD?.trim() || config.domain.cloudflareVaultField;
+    const result = Bun.spawnSync(
+      [vault, "kv", "get", `-mount=${process.env.VAULT_SECRET_MOUNT || "secret"}`, `-field=${field}`, path],
+      {
+        cwd: process.cwd(),
+        env: process.env,
+        stdout: "pipe",
+        stderr: "pipe",
+      }
+    );
+    if (result.success && result.stdout) {
+      return decoder.decode(result.stdout).trim();
+    }
+  }
+  if (!options.required) {
+    return "";
+  }
+  throw new Error(
+    [
+      "CLOUDFLARE_API_TOKEN is required to create DNS records for the production Cloud Run domain.",
+      `Set CLOUDFLARE_API_TOKEN or store it at secret/${config.domain.cloudflareVaultPath} field ${config.domain.cloudflareVaultField}.`,
+    ].join(" ")
+  );
+}
+function fetchJsonSync(url: string, init: { method: string; headers: Record<string, string>; body?: string }) {
+  const script = [
+    "const url = process.argv[1];",
+    "const init = JSON.parse(process.argv[2]);",
+    "const response = await fetch(url, init);",
+    "const body = await response.text();",
+    "console.log(JSON.stringify({ status: response.status, body }));",
+  ].join("\n");
+  const result = Bun.spawnSync([process.execPath, "--eval", script, url, JSON.stringify(init)], {
+    cwd: process.cwd(),
+    env: process.env,
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  if (!result.success) {
+    const stderr = result.stderr ? decoder.decode(result.stderr).trim() : "";
+    throw new Error(`Cloudflare request process failed\n${stderr}`);
+  }
+  return JSON.parse(decoder.decode(result.stdout).trim()) as { status: number; body: string };
+}
+function waitForServiceAccount(email: string) {
+  for (let attempt = 1; attempt <= 12; attempt += 1) {
+    if (gcloud(["iam", "service-accounts", "describe", email, "--project", config.project.id], { allowFailure: true }).success) {
+      return;
+    }
+    Bun.sleepSync(5_000);
+  }
+  throw new Error(`service account ${email} was created but is not yet readable`);
+}
+function isRetryableGcloudError(error: unknown) {
+  if (!(error instanceof CommandError)) {
+    return false;
+  }
+  const output = `${error.stdout}\n${error.stderr}`.toLowerCase();
+  return (
+    output.includes("does not exist") ||
+    output.includes("not found") ||
+    output.includes("permission denied") ||
+    output.includes("failed_precondition") ||
+    output.includes("try again") ||
+    output.includes("retry")
+  );
+}
 export function describeCloudRunService(serviceName: string): GcpResourceWithLabels | undefined {
   const result = gcloud(
     ["run", "services", "describe", serviceName, "--project", config.project.id, "--region", config.region, "--format=json"],

package/templates/shared/service.config.ts CHANGED Viewed

@@ -7,6 +7,9 @@ export default {
   dns: {
     hostname: "{{API_HOSTNAME}}",
     base_domain: "{{API_BASE_DOMAIN}}",
+    cloudflare_api_base_url: "https://api.cloudflare.com/client/v4",
+    cloudflare_vault_path: "prod/providers/cloudflare",
+    cloudflare_vault_field: "api_token",
   },
   ownership: {
     managed_by: "create-service",
@@ -38,6 +41,7 @@ export default {
     vault: {
       mount: "secret",
       neon_path: "prod/providers/neon",
+      cloudflare_path: "prod/providers/cloudflare",
       grafana_path: "prod/providers/grafana",
       clerk_m2m_path: "prod/providers/clerk-m2m",
       temporal_path: "prod/providers/temporal",