create-svc 0.1.23 → 0.1.25

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.23",
+  "version": "0.1.25",
   "description": "Local microservice bootstrap CLI for Cloud Run and Workers services with Neon-backed data.",
   "module": "index.ts",
   "type": "module",
@@ -43,6 +43,7 @@
   ],
   "packageManager": "bun@1.3.2",
   "devDependencies": {
+    "@types/pg": "^8.16.0",
     "@types/bun": "latest"
   },
   "peerDependencies": {
@@ -51,6 +52,7 @@
   "dependencies": {
     "@clack/prompts": "^1.4.0",
     "@neondatabase/api-client": "^2.7.1",
+    "pg": "^8.16.3",
     "picocolors": "^1.1.1"
   }
 }

package/src/post-scaffold.test.ts

@@ -4,23 +4,23 @@ import { buildDeploymentVerificationCommands, buildPostScaffoldCommands } from "
 describe("buildPostScaffoldCommands", () => {
   test("runs create and deploy for HTTP services", () => {
     expect(buildPostScaffoldCommands({ framework: "hono" })).toEqual([
-      { command: "bun", args: ["./scripts/cloudrun/cli.ts", "create"] },
-      { command: "bun", args: ["./scripts/cloudrun/cli.ts", "deploy"] },
+      { command: "service", args: ["create"] },
+      { command: "service", args: ["deploy"] },
     ]);
   });
 
   test("builds SDK artifacts before create and deploy for ConnectRPC services", () => {
     expect(buildPostScaffoldCommands({ framework: "connectrpc" })).toEqual([
-      { command: "bun", args: ["./scripts/cloudrun/cli.ts", "sdk", "build"] },
-      { command: "bun", args: ["./scripts/cloudrun/cli.ts", "create"] },
-      { command: "bun", args: ["./scripts/cloudrun/cli.ts", "deploy"] },
+      { command: "service", args: ["sdk", "build"] },
+      { command: "service", args: ["create"] },
+      { command: "service", args: ["deploy"] },
     ]);
   });
 
   test("uses the workers service CLI for workers services", () => {
     expect(buildPostScaffoldCommands({ target: "workers", framework: "hono" })).toEqual([
-      { command: "bun", args: ["./scripts/workers/cli.ts", "create"] },
-      { command: "bun", args: ["./scripts/workers/cli.ts", "deploy"] },
+      { command: "service", args: ["create"] },
+      { command: "service", args: ["deploy"] },
     ]);
   });
 });
@@ -34,7 +34,7 @@ describe("buildDeploymentVerificationCommands", () => {
         command: "sh",
         args: [
           "-c",
-          'TOKEN="$(bun ./scripts/cloudrun/cli.ts auth token)" && curl --fail --show-error --silent -H "Authorization: Bearer $TOKEN" "https://api.launch.anmho.com/v1/admin/waitlist?limit=1"',
+          'TOKEN="$(service auth token)" && curl --fail --show-error --silent -H "Authorization: Bearer $TOKEN" "https://api.launch.anmho.com/v1/admin/waitlist?limit=1"',
         ],
       },
     ]);
@@ -64,7 +64,7 @@ describe("buildDeploymentVerificationCommands", () => {
       command: "sh",
       args: [
         "-c",
-        'TOKEN="$(bun ./scripts/cloudrun/cli.ts auth token)" && grpcurl -H "Authorization: Bearer $TOKEN" -d \'{"limit":1}\' -proto protos/waitlist/v1/waitlist.proto "api.launch.anmho.com:443" waitlist.v1.WaitlistService/ListWaitlistEntries',
+        'TOKEN="$(service auth token)" && grpcurl -H "Authorization: Bearer $TOKEN" -d \'{"limit":1}\' -proto protos/waitlist/v1/waitlist.proto "api.launch.anmho.com:443" waitlist.v1.WaitlistService/ListWaitlistEntries',
       ],
     });
   });
@@ -81,7 +81,7 @@ describe("buildDeploymentVerificationCommands", () => {
       command: "sh",
       args: [
         "-c",
-        'TOKEN="$(bun ./scripts/workers/cli.ts auth token)" && curl --fail --show-error --silent -H "Authorization: Bearer $TOKEN" "https://api.launch.anmho.com/v1/admin/waitlist?limit=1"',
+        'TOKEN="$(service auth token)" && curl --fail --show-error --silent -H "Authorization: Bearer $TOKEN" "https://api.launch.anmho.com/v1/admin/waitlist?limit=1"',
       ],
     });
   });

package/src/post-scaffold.ts

@@ -59,7 +59,7 @@ export function buildDeploymentVerificationCommands(
     Partial<Pick<ScaffoldConfig, "target" | "serviceName" | "gcpProject" | "region">>
 ): PostScaffoldCommand[] {
   const origin = verificationOrigin(config);
-  const tokenCommand = `TOKEN="$(bun ${serviceCliPath(config)} auth token)"`;
+  const tokenCommand = 'TOKEN="$(service auth token)"';
   return [
     shellVerificationCommand(`curl --fail --show-error --silent "${origin}/"`),
     shellVerificationCommand(`curl --fail --show-error --silent "${origin}/readyz"`),
@@ -148,18 +148,13 @@ function verificationHost(
 export function buildPostScaffoldCommands(
   config: Pick<ScaffoldConfig, "framework"> & Partial<Pick<ScaffoldConfig, "target">>
 ): PostScaffoldCommand[] {
-  const serviceCli = serviceCliPath(config);
   return [
-    ...(config.target !== "workers" && config.framework === "connectrpc" ? [{ command: "bun", args: [serviceCli, "sdk", "build"] }] : []),
-    { command: "bun", args: [serviceCli, "create"] },
-    { command: "bun", args: [serviceCli, "deploy"] },
+    ...(config.target !== "workers" && config.framework === "connectrpc" ? [{ command: "service", args: ["sdk", "build"] }] : []),
+    { command: "service", args: ["create"] },
+    { command: "service", args: ["deploy"] },
   ];
 }
 
-function serviceCliPath(config: Partial<Pick<ScaffoldConfig, "target">>) {
-  return config.target === "workers" ? "./scripts/workers/cli.ts" : "./scripts/cloudrun/cli.ts";
-}
-
 function installProjectDependencies(cwd: string) {
   requireCommand("bun");
   run("bun", ["install"], { cwd });

package/src/scaffold.test.ts

@@ -54,63 +54,31 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       })
     );
 
-    const configScript = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "config.ts")).text();
     const serviceConfig = await Bun.file(join(generatedRoot, "service.config.ts")).text();
     expect(serviceConfig).toContain('service_id: "dns-api"');
     expect(serviceConfig).toContain('target: "cloudrun"');
+    expect(serviceConfig).toContain('profile: "microservice"');
+    expect(serviceConfig).toContain('domain: "waitlist"');
+    expect(serviceConfig).toContain('kind: "microservice"');
+    expect(serviceConfig).toContain(`runtime: "${variant.runtime}"`);
+    expect(serviceConfig).toContain(`framework: "${variant.framework}"`);
     expect(serviceConfig).toContain('module: "buf.build/anmho/dns-api"');
     expect(serviceConfig).toContain('cloudflare_vault_path: "prod/providers/cloudflare"');
     expect(serviceConfig).toContain('issuer: "https://auth.anmho.com/api/auth"');
     expect(serviceConfig).toContain('audience: "api://dns-api"');
     expect(serviceConfig).toContain('vault_path_prefix: "prod/apps/dns-api/server/oauth-clients"');
     expect(serviceConfig).toContain('api_key_secret_name: "dns-api-temporal-api-key"');
-    expect(configScript).toContain('profile: "microservice"');
-    expect(configScript).toContain('domain: "waitlist"');
-    expect(configScript).toContain('kind: "microservice"');
-    expect(configScript).toContain(`runtime: "${variant.runtime}"`);
-    expect(configScript).toContain(`framework: "${variant.framework}"`);
-    expect(configScript).toContain('mode: "create_new"');
-    expect(configScript).toContain('quotaProjectId: "anmho-infra-prod"');
-    expect(configScript).toContain('issuer: "https://auth.anmho.com/api/auth"');
-    expect(configScript).toContain('audience: "api://dns-api"');
-    expect(configScript).toContain('jwksUrl: "https://auth.anmho.com/api/auth/jwks"');
-    expect(configScript).toContain('apiKeySecretName: "dns-api-temporal-api-key"');
-    expect(configScript).toContain('projectId: ""');
-    expect(configScript).toContain('baseBranchId: ""');
-    expect(configScript).toContain('baseBranchName: "main"');
-    expect(configScript).toContain('previewBranchPrefix: "dns-api-pr"');
-    expect(configScript).toContain('hostname: "api.dns-api.anmho.com"');
-    expect(configScript).toContain('cloudflareVaultPath: "prod/providers/cloudflare"');
-    expect(configScript).not.toContain("github:");
-    expect(configScript).not.toContain("attachmentBucket");
-
-    const deployScript = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "lib.ts")).text();
-    expect(deployScript).toContain('--billing-project", config.project.quotaProjectId');
-    expect(deployScript).toContain('projectMode === "use_existing"');
-    expect(deployScript).toContain("serviceDomain");
-    expect(deployScript).toContain("ensureProductionDomainMapping");
-    expect(deployScript).toContain("ensureCloudflareDnsRecord");
-    expect(deployScript).toContain("gcloudWithRetry");
-    expect(deployScript).toContain("CLOUDFLARE_API_TOKEN");
-    expect(deployScript).toContain('"domain-mappings",');
-    expect(deployScript).toContain('"--region",');
-    expect(deployScript).toContain("assertProductionDomainAvailable");
-    expect(deployScript).toContain("assertServiceNameAvailable");
-    expect(deployScript).not.toContain("ensureStorageBucket");
-
+    expect(serviceConfig).toContain('project_mode: "create_new"');
+    expect(serviceConfig).toContain('quota_project_id: "anmho-infra-prod"');
+    expect(serviceConfig).toContain('jwks_url: "https://auth.anmho.com/api/auth/jwks"');
+    expect(serviceConfig).toContain('project_id: ""');
+    expect(serviceConfig).toContain('base_branch_id: ""');
+    expect(serviceConfig).toContain('base_branch_name: "main"');
+    expect(serviceConfig).toContain('preview_branch_prefix: "dns-api-pr"');
+    expect(serviceConfig).toContain('hostname: "api.dns-api.anmho.com"');
+    expect(serviceConfig).not.toContain("github:");
+    expect(serviceConfig).not.toContain("attachmentBucket");
     expect(await Bun.file(join(generatedRoot, "scripts", "cloudrun", "integrations.ts")).exists()).toBeFalse();
-    const destroyScript = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "cleanup.ts")).text();
-    expect(destroyScript).toContain("assertOwnedResource");
-    expect(destroyScript).toContain("Planning resources to destroy");
-    expect(destroyScript).toContain("Resources selected for destroy");
-    expect(destroyScript).toContain("Destroy cannot continue until resource discovery succeeds");
-    expect(destroyScript).toContain("deleteAuthResourceServer");
-    expect(destroyScript).toContain("deleteGrafanaResources");
-    expect(destroyScript).toContain('gcx", ["resources", "delete"');
-    expect(destroyScript).toContain("config.temporal.apiKeySecretName");
-    const neonScript = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "neon.ts")).text();
-    expect(neonScript).toContain("assertDatabaseOwned");
-    expect(neonScript).toContain("assertDisposableBranchName");
     const seedScript = await Bun.file(join(generatedRoot, "scripts", "seed.ts")).text();
     expect(seedScript).toContain("SEED_PROD=true");
     expect(seedScript).toContain("waitlist_entries");
@@ -168,14 +136,19 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
 
     if (variant.runtime === "go") {
       const goMod = await Bun.file(join(generatedRoot, "go.mod")).text();
+      const goSumExists = await Bun.file(join(generatedRoot, "go.sum")).exists();
       const packageJson = await Bun.file(join(generatedRoot, "package.json")).text();
       expect(goMod).toContain("module github.com/anmho/dns-api");
       expect(goMod).not.toContain("module example.com/dns-api");
+      expect(goSumExists).toBeTrue();
+      const dockerfile = await Bun.file(join(generatedRoot, "Dockerfile")).text();
+      expect(dockerfile).toContain("COPY go.mod go.sum ./");
       expect(packageJson).toContain('"dev": "make dev"');
-      expect(packageJson).toContain('"migrate": "make migrate"');
-      expect(packageJson).toContain('"create": "bun run ./scripts/cloudrun/cli.ts create"');
-      expect(packageJson).toContain('"deploy": "bun run ./scripts/cloudrun/cli.ts deploy"');
-      expect(packageJson).toContain('"destroy": "bun run ./scripts/cloudrun/cli.ts destroy"');
+      expect(packageJson).toContain('"service": "service"');
+      expect(packageJson).toContain('"migrate": "service migrate"');
+      expect(packageJson).toContain('"create": "service create"');
+      expect(packageJson).toContain('"deploy": "service deploy"');
+      expect(packageJson).toContain('"destroy": "service destroy"');
 
       const mainGo = await Bun.file(join(generatedRoot, "cmd", "server", "main.go")).text();
       expect(mainGo).toContain("github.com/anmho/dns-api");
@@ -211,45 +184,26 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       const packageJson = await Bun.file(join(generatedRoot, "package.json")).text();
       expect(packageJson).toContain('"@anmho/authctl": "0.1.1"');
       expect(packageJson).toContain("@temporalio/worker");
-      expect(packageJson).toContain('"service": "./scripts/cloudrun/cli.ts"');
       expect(packageJson).toContain('"dev": "bun run ./scripts/dev.ts bun run ./src/index.ts"');
       expect(packageJson).toContain('"gen": "bun run ./scripts/codegen.ts"');
-      expect(packageJson).toContain('"create": "bun run ./scripts/cloudrun/cli.ts create"');
-      expect(packageJson).toContain('"deploy": "bun run ./scripts/cloudrun/cli.ts deploy"');
-      expect(packageJson).toContain('"dashboards": "bun run ./scripts/cloudrun/cli.ts dashboards"');
-      expect(packageJson).toContain('"auth": "bun run ./scripts/cloudrun/cli.ts auth"');
-      expect(packageJson).toContain('"destroy": "bun run ./scripts/cloudrun/cli.ts destroy"');
-      const serviceCli = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "cli.ts")).text();
-      expect(serviceCli).toContain("service <command> [args]");
-      expect(serviceCli).toContain("Provision auth, database, migrations, and first deploy");
-      expect(serviceCli).toContain("assertServiceNameAvailable(config.serviceName)");
-      expect(serviceCli).toContain("ensureAuthResourceServer");
-      expect(serviceCli).toContain("ensureAuthClient");
-      expect(serviceCli).toContain("auth token");
-      expect(serviceCli).toContain('["resources", "push", "--path", "./grafana"]');
-      const cloudrunLib = await Bun.file(join(generatedRoot, "scripts", "cloudrun", "lib.ts")).text();
-      expect(cloudrunLib).toContain("resolveTemporalRuntimeConfig");
-      expect(cloudrunLib).toContain("TEMPORAL_API_KEY_ENV");
-      expect(cloudrunLib).toContain("value === undefined");
-
-      const authctlScript = await Bun.file(join(generatedRoot, "scripts", "authctl.ts")).text();
-      expect(authctlScript).toContain("authctl");
-      expect(authctlScript).toContain("resource-servers");
-      expect(authctlScript).toContain("clients");
-      expect(authctlScript).toContain("defaultClientTargetArgs");
-      expect(authctlScript).toContain("ensureAuthClient");
-      expect(authctlScript).toContain("mintAuthToken");
-      expect(authctlScript).toContain("clientVaultPath");
-      expect(authctlScript).toContain("deleteAuthResourceServer");
-      expect(authctlScript).toContain("readAuthctlAccessVaultField");
-      expect(authctlScript).toContain("prod/apps/auth/authctl/cloudflare-access");
-      expect(authctlScript).toContain('existsSync("./node_modules/.bin/authctl") ? "./node_modules/.bin/authctl" : Bun.which("authctl")');
-      expect(authctlScript).not.toContain('defaultAuthResourceServerArgs(), "--yes", "--json"');
+      expect(packageJson).toContain('"service": "service"');
+      expect(packageJson).toContain('"migrate": "service migrate"');
+      expect(packageJson).toContain('"create": "service create"');
+      expect(packageJson).toContain('"deploy": "service deploy"');
+      expect(packageJson).toContain('"dashboards": "service dashboards"');
+      expect(packageJson).toContain('"auth": "service auth"');
+      expect(packageJson).toContain('"destroy": "service destroy"');
+      expect(await Bun.file(join(generatedRoot, "scripts", "cloudrun", "cli.ts")).exists()).toBeFalse();
+      expect(await Bun.file(join(generatedRoot, "scripts", "authctl.ts")).exists()).toBeFalse();
+      const serviceConfig = await Bun.file(join(generatedRoot, "service.config.ts")).text();
+      expect(serviceConfig).toContain('service_id: "dns-api"');
+      expect(serviceConfig).toContain('project_id: "anmho-dns-api"');
+      expect(serviceConfig).toContain('database_name: "dns_api"');
       const authScript = await Bun.file(join(generatedRoot, "src", "auth.ts")).text();
       expect(authScript).toContain('"Ed25519"');
 
       const makefile = await Bun.file(join(generatedRoot, "Makefile")).text();
-      expect(makefile).toContain("npx --no-install service");
+      expect(makefile).toContain("SERVICE := service");
       expect(makefile).toContain("dashboards:");
       expect(makefile).toContain("auth:");
       expect(makefile).toContain("bun run dev");
@@ -346,9 +300,9 @@ test("scaffolds the workers target with wrangler lifecycle commands", async () =
 
   const packageJson = await Bun.file(join(generatedRoot, "package.json")).text();
   expect(packageJson).toContain('"@anmho/authctl": "0.1.1"');
-  expect(packageJson).toContain('"service": "./scripts/workers/cli.ts"');
   expect(packageJson).toContain('"dev": "wrangler dev"');
-  expect(packageJson).toContain('"auth": "bun run ./scripts/workers/cli.ts auth"');
+  expect(packageJson).toContain('"service": "service"');
+  expect(packageJson).toContain('"auth": "service auth"');
   expect(packageJson).toContain('"wrangler"');
   expect(packageJson).toContain('"pg"');
 
@@ -370,28 +324,19 @@ test("scaffolds the workers target with wrangler lifecycle commands", async () =
   expect(readme).toContain("Cloudflare Workers");
   expect(readme).toContain("Hyperdrive binding for Neon-backed Postgres persistence");
   expect(readme).not.toContain("Cloud Run");
-  const workerCli = await Bun.file(join(generatedRoot, "scripts", "workers", "cli.ts")).text();
-  expect(workerCli).toContain("hyperdrive");
-  expect(workerCli).toContain('["resources", "push", "--path", "./grafana"]');
-  expect(workerCli).toContain("ensureAuthResourceServer");
-  expect(workerCli).toContain("ensureAuthClient");
-  expect(workerCli).toContain("auth token");
-  expect(workerCli).toContain("Workers database schema applied");
-  expect(workerCli).toContain("create table if not exists waitlist_entries");
-  expect(workerCli).toContain("DATABASE_URL or NEON_API_KEY is required to provision the Hyperdrive binding");
-  expect(workerCli).toContain("createProjectBranchDatabase");
-  expect(workerCli).toContain("deleteNeonDatabase");
-  expect(workerCli).toContain("deleteGrafanaResources");
-  expect(workerCli).toContain("hyperdrive\", \"delete");
+  const serviceConfig = await Bun.file(join(generatedRoot, "service.config.ts")).text();
+  expect(serviceConfig).toContain('target: "workers"');
+  expect(serviceConfig).toContain('hostname: "api.dns-api.anmho.com"');
+  expect(serviceConfig).toContain('database_name: "dns_api"');
   const makefile = await Bun.file(join(generatedRoot, "Makefile")).text();
   expect(makefile).toContain('no generated code for workers');
   expect(makefile).toContain("auth:");
   expect(makefile).not.toContain("scripts/codegen.ts");
 
-  expect(await Bun.file(join(generatedRoot, "scripts", "authctl.ts")).exists()).toBeTrue();
+  expect(await Bun.file(join(generatedRoot, "scripts", "authctl.ts")).exists()).toBeFalse();
   expect(await Bun.file(join(generatedRoot, "src", "auth.ts")).exists()).toBeTrue();
   expect(await Bun.file(join(generatedRoot, "src", "storage.ts")).exists()).toBeTrue();
-  expect(await Bun.file(join(generatedRoot, "scripts", "workers", "cli.ts")).exists()).toBeTrue();
+  expect(await Bun.file(join(generatedRoot, "scripts", "workers", "cli.ts")).exists()).toBeFalse();
   expect(await Bun.file(join(generatedRoot, "scripts", "cloudrun", "cli.ts")).exists()).toBeFalse();
   expect(await Bun.file(join(generatedRoot, "scripts", "dev.ts")).exists()).toBeFalse();
   expect(await Bun.file(join(generatedRoot, "scripts", "ensure-local-db.ts")).exists()).toBeFalse();

package/src/scaffold.ts

@@ -77,6 +77,14 @@ export async function scaffoldProject(config: ScaffoldConfig) {
 }
 
 function shouldSkipForTarget(target: DeployTarget, templateKind: "shared" | "variant" | "target", relativePath: string) {
+  if (
+    relativePath === "scripts/authctl.ts" ||
+    relativePath.startsWith("scripts/cloudrun/") ||
+    relativePath.startsWith("scripts/workers/")
+  ) {
+    return true;
+  }
+
   if (target === "workers") {
     if (templateKind === "target") {
       return false;
@@ -94,8 +102,7 @@ function shouldSkipForTarget(target: DeployTarget, templateKind: "shared" | "var
         relativePath === "scripts/local-docker.ts" ||
         relativePath === "scripts/local-env.ts" ||
         relativePath === "scripts/seed.ts" ||
-        relativePath === "scripts/wait-for-db.ts" ||
-        relativePath.startsWith("scripts/cloudrun/")
+        relativePath === "scripts/wait-for-db.ts"
       );
     }
 
@@ -110,7 +117,7 @@ function shouldSkipForTarget(target: DeployTarget, templateKind: "shared" | "var
     );
   }
 
-  return relativePath.startsWith("scripts/workers/") || relativePath === "wrangler.toml";
+  return relativePath === "wrangler.toml";
 }
 
 async function ensureTargetDirectory(targetDir: string) {

package/{templates/shared/scripts → src/service-runtime}/authctl.ts

@@ -1,5 +1,5 @@
-import serviceConfig from "../service.config";
 import { existsSync } from "node:fs";
+import { serviceConfig } from "./runtime";
 
 type CommandResult = {
   success: boolean;
@@ -47,7 +47,7 @@ export function defaultAuthResourceServerArgs() {
     auth.resource_server.audience,
     "--stage",
     serviceConfig.stage_default,
-    ...auth.resource_server.default_scopes.flatMap((scope) => ["--scope", scope]),
+    ...(auth.resource_server.default_scopes as string[]).flatMap((scope: string) => ["--scope", scope]),
   ];
 }
 
@@ -244,7 +244,7 @@ function defaultClientTargetArgs(rest: string[]) {
   const hasScope = hasFlag(rest, "--scope");
   return [
     ...(hasResourceServer ? [] : ["--resource-server", serviceConfig.auth.resource_server.id]),
-    ...(hasScope ? [] : serviceConfig.auth.resource_server.default_scopes.flatMap((scope) => ["--scope", scope])),
+    ...(hasScope ? [] : (serviceConfig.auth.resource_server.default_scopes as string[]).flatMap((scope: string) => ["--scope", scope])),
   ];
 }
 

package/{templates/shared/scripts → src/service-runtime}/cloudrun/cleanup.ts

@@ -151,7 +151,7 @@ function planProductionDomainMapping(plan: DestroyPlan) {
       return;
     }
 
-    const routeName = mapping.spec?.routeName;
+    const routeName = mapping.spec?.routeName ?? "";
     if (routeName !== config.serviceName) {
       plan.blockers.push(`${config.domain.hostname} maps to ${routeName || "an unknown service"}; refusing to delete ambiguous DNS mapping`);
       return;

package/{templates/shared/scripts → src/service-runtime}/cloudrun/cli.ts

@@ -23,7 +23,7 @@ import {
   serviceOrigin,
 } from "./lib";
 
-async function main(argv = Bun.argv.slice(2)) {
+export async function main(argv = Bun.argv.slice(2)) {
   const [command, ...rest] = argv;
 
   if (!command || command === "--help" || command === "-h" || command === "help") {

package/src/service-runtime/cloudrun/config.ts

@@ -0,0 +1,55 @@
+import { serviceConfig } from "../runtime";
+
+const cloudrun = serviceConfig.cloudrun;
+const dns = serviceConfig.dns;
+const neon = serviceConfig.neon;
+
+export const config = {
+  serviceName: serviceConfig.service_id,
+  profile: serviceConfig.profile,
+  example: serviceConfig.example,
+  runtime: serviceConfig.runtime,
+  framework: serviceConfig.framework,
+  region: cloudrun.region,
+  artifactRepository: cloudrun.artifact_repository,
+  runtimeServiceAccount: cloudrun.service_account,
+  project: {
+    mode: cloudrun.project_mode,
+    id: cloudrun.project_id,
+    name: cloudrun.project_name,
+    createIfMissing: cloudrun.create_if_missing,
+    billingAccount: cloudrun.billing_account,
+    quotaProjectId: cloudrun.quota_project_id,
+  },
+  domain: {
+    hostname: dns.hostname,
+    baseDomain: dns.base_domain,
+    cloudflareApiBaseUrl: dns.cloudflare_api_base_url,
+    cloudflareVaultPath: dns.cloudflare_vault_path,
+    cloudflareVaultField: dns.cloudflare_vault_field,
+  },
+  auth: {
+    issuer: serviceConfig.auth.issuer,
+    audience: serviceConfig.auth.resource_server.audience,
+    jwksUrl: serviceConfig.auth.jwks_url,
+  },
+  temporal: {
+    enabled: serviceConfig.temporal.enabled,
+    address: serviceConfig.temporal.address,
+    namespace: serviceConfig.temporal.namespace,
+    taskQueue: serviceConfig.temporal.task_queue,
+    apiKeySecretName: serviceConfig.temporal.api_key_secret_name,
+  },
+  neon: {
+    projectId: neon.project_id,
+    baseBranchId: neon.base_branch_id,
+    baseBranchName: neon.base_branch_name,
+    databaseName: neon.database_name,
+    roleName: neon.role_name,
+    previewBranchPrefix: neon.preview_branch_prefix,
+    personalBranchPrefix: neon.personal_branch_prefix,
+  },
+  requiredApis: cloudrun.required_apis,
+} as const;
+
+export type DeployEnvironment = "main" | "preview" | "personal";

package/src/service-runtime/runtime.ts

@@ -0,0 +1,8 @@
+import { join } from "node:path";
+import { pathToFileURL } from "node:url";
+
+export const serviceRoot = process.env.CREATE_SVC_SERVICE_ROOT?.trim() || process.cwd();
+
+export const serviceConfig = (
+  await import(pathToFileURL(join(serviceRoot, "service.config.ts")).href)
+).default;

package/{templates/targets/workers/scripts → src/service-runtime}/workers/cli.ts

@@ -4,17 +4,18 @@ import { confirm, intro, isCancel, log, outro } from "@clack/prompts";
 import { createApiClient } from "@neondatabase/api-client";
 import { Client } from "pg";
 import { ensureAuthClient, ensureAuthResourceServer, runAuthCommand, runAuthDoctor } from "../authctl";
+import { serviceConfig } from "../runtime";
 
 const config = {
-  serviceName: "{{SERVICE_NAME}}",
-  hostname: "{{API_HOSTNAME}}",
-  neonDatabaseName: "{{NEON_DATABASE_NAME}}",
-  neonRoleName: "neondb_owner",
+  serviceName: serviceConfig.service_id,
+  hostname: serviceConfig.dns.hostname,
+  neonDatabaseName: serviceConfig.neon.database_name,
+  neonRoleName: serviceConfig.neon.role_name,
 };
 
 type DoctorStatus = "pass" | "warn" | "fail";
 
-async function main(argv = Bun.argv.slice(2)) {
+export async function main(argv = Bun.argv.slice(2)) {
   const [command, ...rest] = argv;
 
   if (!command || command === "--help" || command === "-h" || command === "help") {
@@ -255,7 +256,7 @@ async function deleteNeonDatabase() {
 
   const payload = await neon.getProjectBranchDatabase(projectId, branchId, config.neonDatabaseName);
   const database = (payload.data as { database?: { name?: string; owner_name?: string } } | undefined)?.database;
-  if (database?.name !== config.neonDatabaseName || (database.owner_name && database.owner_name !== config.neonRoleName)) {
+  if (!database || database.name !== config.neonDatabaseName || (database.owner_name && database.owner_name !== config.neonRoleName)) {
     throw new Error(`Refusing to delete Neon database ${database?.name ?? config.neonDatabaseName}; ownership metadata does not match`);
   }
 

package/src/service.test.ts

@@ -20,10 +20,8 @@ test("findGeneratedServiceRoot detects generated service context from nested dir
   const root = await mkdtemp(join(tmpdir(), "create-svc-service-root-"));
   const serviceRoot = join(root, "generated-api");
   const nested = join(serviceRoot, "src", "waitlist");
-  await mkdir(join(serviceRoot, "scripts", "cloudrun"), { recursive: true });
   await mkdir(nested, { recursive: true });
   await writeFile(join(serviceRoot, "service.config.ts"), "export default {}");
-  await writeFile(join(serviceRoot, "scripts", "cloudrun", "cli.ts"), "");
 
   expect(findGeneratedServiceRoot(nested)).toBe(serviceRoot);
   expect(findGeneratedServiceRoot(root)).toBeUndefined();

package/src/service.ts

@@ -7,7 +7,7 @@ const SCAFFOLD_COMMANDS = new Set(["create", "new", "init"]);
 export async function runServiceCommand(argv: string[], cwd = process.cwd()) {
   const serviceRoot = findGeneratedServiceRoot(cwd);
   if (serviceRoot) {
-    delegateToGeneratedService(serviceRoot, argv);
+    await delegateToGeneratedService(serviceRoot, argv);
     return;
   }
 
@@ -41,29 +41,23 @@ export function findGeneratedServiceRoot(start: string): string | undefined {
 }
 
 function isGeneratedServiceRoot(path: string) {
-  return (
-    existsSync(join(path, "service.config.ts")) &&
-    (existsSync(join(path, "scripts", "cloudrun", "cli.ts")) || existsSync(join(path, "scripts", "workers", "cli.ts")))
-  );
+  return existsSync(join(path, "service.config.ts"));
 }
 
-function delegateToGeneratedService(serviceRoot: string, argv: string[]) {
+async function delegateToGeneratedService(serviceRoot: string, argv: string[]) {
   ensureGeneratedDependencies(serviceRoot);
+  process.chdir(serviceRoot);
+  process.env.CREATE_SVC_SERVICE_ROOT = serviceRoot;
 
-  const cliPath = existsSync(join(serviceRoot, "scripts", "cloudrun", "cli.ts"))
-    ? "./scripts/cloudrun/cli.ts"
-    : "./scripts/workers/cli.ts";
-  const result = Bun.spawnSync(["bun", "run", cliPath, ...argv], {
-    cwd: serviceRoot,
-    env: process.env,
-    stdin: "inherit",
-    stdout: "inherit",
-    stderr: "inherit",
-  });
-
-  if (!result.success) {
-    process.exit(result.exitCode || 1);
+  const serviceConfig = (await import(`${serviceRoot}/service.config.ts`)).default;
+  if (serviceConfig.target === "workers") {
+    const { main } = await import("./service-runtime/workers/cli");
+    await main(argv);
+    return;
   }
+
+  const { main } = await import("./service-runtime/cloudrun/cli");
+  await main(argv);
 }
 
 export function generatedDependenciesInstalled(serviceRoot: string) {

package/templates/shared/README.md

@@ -59,7 +59,7 @@ No cloud credentials are required for local HTTP development after Docker and Po
 
 ## Remote provisioning
 
-The generated Cloud Run config lives in [scripts/cloudrun/config.ts](scripts/cloudrun/config.ts).
+The generated service config lives in [service.config.ts](service.config.ts).
 
 Create, deploy, and destroy use:
 

package/templates/shared/service.config.ts

@@ -3,7 +3,13 @@ export default {
   target: "{{TARGET}}",
   runtime: "{{RUNTIME}}",
   framework: "{{FRAMEWORK}}",
+  profile: "{{PROFILE}}",
   stage_default: "prod",
+  example: {
+    kind: "{{EXAMPLE_KIND}}",
+    domain: "{{EXAMPLE_DOMAIN}}",
+    label: "{{EXAMPLE_LABEL}}",
+  },
   dns: {
     hostname: "{{API_HOSTNAME}}",
     base_domain: "{{API_BASE_DOMAIN}}",
@@ -47,13 +53,38 @@ export default {
       temporal_path: "prod/providers/temporal",
     },
   },
+  neon: {
+    project_id: "{{NEON_PROJECT_ID}}",
+    base_branch_id: "{{NEON_BASE_BRANCH_ID}}",
+    base_branch_name: "{{NEON_BASE_BRANCH_NAME}}",
+    database_name: "{{NEON_DATABASE_NAME}}",
+    role_name: "{{NEON_ROLE_NAME}}",
+    preview_branch_prefix: "{{NEON_PREVIEW_BRANCH_PREFIX}}",
+    personal_branch_prefix: "{{NEON_PERSONAL_BRANCH_PREFIX}}",
+  },
   buf: {
     module: "buf.build/anmho/{{SERVICE_ID}}",
   },
   cloudrun: {
     project_id: "{{PROJECT_ID}}",
+    project_name: "{{PROJECT_NAME}}",
+    project_mode: "{{GCP_PROJECT_MODE}}",
+    create_if_missing: {{PROJECT_CREATE_IF_MISSING}},
+    billing_account: "{{BILLING_ACCOUNT}}",
+    quota_project_id: "{{QUOTA_PROJECT_ID}}",
     region: "{{REGION}}",
+    artifact_repository: "cloud-run",
     service_account: "{{RUNTIME_SERVICE_ACCOUNT}}",
+    required_apis: [
+      "run.googleapis.com",
+      "cloudbuild.googleapis.com",
+      "artifactregistry.googleapis.com",
+      "iam.googleapis.com",
+      "iamcredentials.googleapis.com",
+      "secretmanager.googleapis.com",
+      "serviceusage.googleapis.com",
+      "sts.googleapis.com",
+    ],
   },
   workers: {
     script_name: "{{SERVICE_ID}}",