create-svc 0.1.4 → 0.1.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "Bun-authored CLI to scaffold Go Cloud Run services with Chi, ConnectRPC, Vault, and Cloudflare examples.",
   "module": "index.ts",
   "type": "module",

package/src/cli.ts

@@ -1,4 +1,5 @@
 import {
+  autocomplete,
   cancel,
   confirm,
   intro,
@@ -362,13 +363,12 @@ async function resolveGcpSelection(
   defaults: ReturnType<typeof deriveDefaults>,
   discovery: DiscoveryState
 ) {
-  const options = buildGcpProjectOptions(defaults.serviceName, defaults.projectId, defaults.projectName, discovery.projects);
-
   if (args.gcpProjectMode && args.gcpProject) {
+    const existing = discovery.projects.find((project) => matchesProject(project, args.gcpProject ?? ""));
     return {
       mode: args.gcpProjectMode,
       projectId: args.gcpProject,
-      projectName: args.gcpProjectMode === "create_new" ? defaults.projectName : args.gcpProject,
+      projectName: args.gcpProjectMode === "create_new" ? defaults.projectName : existing?.name ?? args.gcpProject,
     };
   }
 
@@ -397,24 +397,51 @@ async function resolveGcpSelection(
     };
   }
 
-  const value = await select({
+  const mode = await select({
     message: "GCP project",
-    initialValue: buildCreateProjectLabel(defaults.serviceName, defaults.projectId),
-    options: options.map((option) => ({
-      value: option.label,
-      label: option.label,
-      hint: option.mode === "create_new" ? "Default" : undefined,
-    })),
+    initialValue: "create_new",
+    options: [
+      {
+        value: "create_new",
+        label: `Create new project: ${defaults.projectName} (${defaults.projectId})`,
+        hint: "Default",
+      },
+      {
+        value: "use_existing",
+        label: "Use existing project...",
+        hint: `${discovery.projects.length} available`,
+      },
+    ],
   });
 
-  if (isCancel(value)) {
+  if (isCancel(mode)) {
     cancel("Aborted");
     process.exit(1);
   }
 
-  const selected = options.find((option) => option.label === value);
+  if (mode === "create_new") {
+    return {
+      mode: "create_new" as const,
+      projectId: defaults.projectId,
+      projectName: defaults.projectName,
+    };
+  }
+
+  if (discovery.projects.length === 0) {
+    throw new Error("No existing GCP projects were discovered");
+  }
+
+  const selected = await promptForExistingProject(discovery.projects);
   if (!selected) {
-    throw new Error(`Unknown GCP project selection: ${value}`);
+    return resolveGcpSelection(
+      {
+        ...args,
+        gcpProjectMode: undefined,
+        gcpProject: undefined,
+      },
+      defaults,
+      discovery
+    );
   }
 
   return {
@@ -498,6 +525,46 @@ function formatError(error: unknown) {
   return error instanceof Error ? error.message : String(error);
 }
 
+async function promptForExistingProject(projects: GcpProject[]) {
+  const value = await autocomplete({
+    message: "Existing GCP project",
+    placeholder: "Search by project name or id",
+    maxItems: 10,
+    options: [
+      {
+        value: "__back__",
+        label: "Back",
+        hint: "Return to project mode",
+      },
+      ...projects.map((project) => ({
+        value: project.projectId,
+        label: project.name,
+        hint: project.projectId,
+      })),
+    ],
+  });
+
+  if (isCancel(value)) {
+    cancel("Aborted");
+    process.exit(1);
+  }
+
+  if (value === "__back__") {
+    return undefined;
+  }
+
+  const project = projects.find((candidate) => candidate.projectId === value);
+  if (project) {
+    return {
+      mode: "use_existing" as const,
+      projectId: project.projectId,
+      projectName: project.name,
+    };
+  }
+
+  return undefined;
+}
+
 export function normalizeValidationResult(result: true | string): string | undefined {
   return result === true ? undefined : result;
 }

package/src/neon.ts

@@ -1,4 +1,5 @@
 import { createApiClient } from "@neondatabase/api-client";
+import { resolveNeonApiKey } from "./vault";
 
 export type NeonProject = {
   id: string;
@@ -16,14 +17,9 @@ export type NeonApi = {
 };
 
 export function createNeonApi(apiKey = process.env.NEON_API_KEY): NeonApi {
-  if (!apiKey?.trim()) {
-    throw new Error("NEON_API_KEY is not set");
-  }
-
-  const client = createApiClient({ apiKey });
-
   return {
     async listProjects() {
+      const client = createApiClient({ apiKey: (apiKey?.trim() || (await resolveNeonApiKey())) });
       const payload = await client.listProjects({ limit: 100 });
       return (payload.projects ?? [])
         .map((project) => ({
@@ -35,6 +31,7 @@ export function createNeonApi(apiKey = process.env.NEON_API_KEY): NeonApi {
     },
 
     async listBranches(projectId: string) {
+      const client = createApiClient({ apiKey: (apiKey?.trim() || (await resolveNeonApiKey())) });
       const payload = await client.listProjectBranches({ projectId });
       return (payload.branches ?? [])
         .map((branch) => ({

package/src/post-scaffold.ts

@@ -21,6 +21,7 @@ export async function runPostScaffoldFlow(config: ScaffoldConfig, cwd: string) {
   }
 
   if (config.autoDeploy) {
+    installProjectDependencies(cwd);
     run("bun", ["run", "bootstrap"], { cwd });
     run("bun", ["run", "deploy"], { cwd });
     return { message: "Repository initialized, pushed, and first deploy started" };
@@ -47,6 +48,11 @@ function createGitHubRepo(config: ScaffoldConfig, cwd: string) {
   run("git", ["push", "-u", "origin", "main"], { cwd, allowFailure: true });
 }
 
+function installProjectDependencies(cwd: string) {
+  requireCommand("bun");
+  run("bun", ["install"], { cwd });
+}
+
 function requireCommand(name: string) {
   if (!Bun.which(name)) {
     throw new Error(`missing required command for post-scaffold automation: ${name}`);

package/src/vault.test.ts

@@ -0,0 +1,42 @@
+import { afterEach, expect, mock, test } from "bun:test";
+import { readVaultSecret, resolveNeonApiKey } from "./vault";
+
+const originalEnv = { ...process.env };
+
+afterEach(() => {
+  process.env = { ...originalEnv };
+  mock.restore();
+});
+
+test("resolveNeonApiKey prefers NEON_API_KEY from env", async () => {
+  process.env.NEON_API_KEY = "direct-token";
+  await expect(resolveNeonApiKey()).resolves.toBe("direct-token");
+});
+
+test("readVaultSecret reads KV v2 secret data using existing vault login env", async () => {
+  process.env.VAULT_ADDR = "https://vault.example.com";
+  process.env.VAULT_TOKEN = "token-123";
+
+  const fetchMock = mock(async (input: string | URL | Request) => {
+    expect(String(input)).toBe("https://vault.example.com/v1/secret/data/provider/neon-api-key");
+    return new Response(
+      JSON.stringify({
+        data: {
+          data: {
+            value: "vault-token",
+          },
+        },
+      }),
+      { status: 200 }
+    );
+  });
+
+  globalThis.fetch = fetchMock as typeof fetch;
+
+  await expect(
+    readVaultSecret({
+      path: "provider/neon-api-key",
+      field: "value",
+    })
+  ).resolves.toBe("vault-token");
+});

package/src/vault.ts

@@ -0,0 +1,63 @@
+const DEFAULT_VAULT_SECRET_MOUNT = "secret";
+const DEFAULT_NEON_API_KEY_PATH = "provider/neon-api-key";
+const DEFAULT_NEON_API_KEY_FIELD = "value";
+
+type VaultSecretOptions = {
+  addr?: string;
+  token?: string;
+  mount?: string;
+  path?: string;
+  field?: string;
+};
+
+export async function resolveNeonApiKey() {
+  const direct = process.env.NEON_API_KEY?.trim();
+  if (direct) {
+    return direct;
+  }
+
+  return readVaultSecret({
+    path: process.env.VAULT_NEON_API_KEY_PATH ?? DEFAULT_NEON_API_KEY_PATH,
+    field: process.env.VAULT_NEON_API_KEY_FIELD ?? DEFAULT_NEON_API_KEY_FIELD,
+  });
+}
+
+export async function readVaultSecret(options: VaultSecretOptions = {}) {
+  const addr = options.addr ?? process.env.VAULT_ADDR?.trim() ?? "";
+  const token = options.token ?? process.env.VAULT_TOKEN?.trim() ?? "";
+  const mount = options.mount ?? process.env.VAULT_SECRET_MOUNT?.trim() ?? DEFAULT_VAULT_SECRET_MOUNT;
+  const path = options.path?.trim() ?? "";
+  const field = options.field?.trim() ?? "value";
+
+  if (!addr || !token || !path) {
+    throw new Error("Vault secret resolution requires VAULT_ADDR, VAULT_TOKEN, and a secret path");
+  }
+
+  const normalizedAddr = addr.replace(/\/+$/g, "");
+  const normalizedMount = mount.replace(/^\/+|\/+$/g, "");
+  const normalizedPath = path.replace(/^\/+/g, "");
+  const url = `${normalizedAddr}/v1/${normalizedMount}/data/${normalizedPath}`;
+
+  const response = await fetch(url, {
+    headers: {
+      "X-Vault-Token": token,
+    },
+  });
+
+  if (!response.ok) {
+    throw new Error(`Vault read failed: ${response.status} ${response.statusText}`);
+  }
+
+  const payload = (await response.json()) as {
+    data?: {
+      data?: Record<string, string | undefined>;
+    };
+  };
+
+  const value = payload.data?.data?.[field]?.trim();
+  if (!value) {
+    throw new Error(`Vault secret field ${field} is empty at ${normalizedMount}/${normalizedPath}`);
+  }
+
+  return value;
+}

package/templates/shared/README.md

@@ -31,7 +31,12 @@ Bootstrap and deploy use:
 
 - `gcloud`
 - `gh`
-- `NEON_API_KEY`
+- `NEON_API_KEY`, or a working Vault login via `VAULT_ADDR` + `VAULT_TOKEN`
 
-The generator only stores application-facing connection material in Secret Manager. Neon admin credentials stay local to bootstrap and deploy.
+Optional Vault overrides for Neon admin key lookup:
+
+- `VAULT_SECRET_MOUNT` default `secret`
+- `VAULT_NEON_API_KEY_PATH` default `provider/neon-api-key`
+- `VAULT_NEON_API_KEY_FIELD` default `value`
 
+The generator only stores application-facing connection material in Secret Manager. Neon admin credentials stay local to bootstrap and deploy.

package/templates/shared/scripts/cloudrun/neon.ts

@@ -6,17 +6,56 @@ type NeonBranch = {
   name: string;
 };
 
-function neonClient() {
-  const apiKey = process.env.NEON_API_KEY?.trim();
+async function resolveNeonApiKey() {
+  const direct = process.env.NEON_API_KEY?.trim();
+  if (direct) {
+    return direct;
+  }
+
+  const addr = process.env.VAULT_ADDR?.trim() ?? "";
+  const token = process.env.VAULT_TOKEN?.trim() ?? "";
+  const mount = process.env.VAULT_SECRET_MOUNT?.trim() ?? "secret";
+  const path = process.env.VAULT_NEON_API_KEY_PATH?.trim() ?? "provider/neon-api-key";
+  const field = process.env.VAULT_NEON_API_KEY_FIELD?.trim() ?? "value";
+
+  if (!addr || !token) {
+    throw new Error("NEON_API_KEY is required for Neon provisioning, or set VAULT_ADDR and VAULT_TOKEN");
+  }
+
+  const normalizedAddr = addr.replace(/\/+$/g, "");
+  const normalizedMount = mount.replace(/^\/+|\/+$/g, "");
+  const normalizedPath = path.replace(/^\/+/g, "");
+  const response = await fetch(`${normalizedAddr}/v1/${normalizedMount}/data/${normalizedPath}`, {
+    headers: {
+      "X-Vault-Token": token,
+    },
+  });
+
+  if (!response.ok) {
+    throw new Error(`Vault read failed: ${response.status} ${response.statusText}`);
+  }
+
+  const payload = (await response.json()) as {
+    data?: {
+      data?: Record<string, string | undefined>;
+    };
+  };
+
+  const apiKey = payload.data?.data?.[field]?.trim();
   if (!apiKey) {
-    throw new Error("NEON_API_KEY is required for Neon provisioning");
+    throw new Error(`Vault secret field ${field} is empty at ${normalizedMount}/${normalizedPath}`);
   }
 
+  return apiKey;
+}
+
+async function neonClient() {
+  const apiKey = await resolveNeonApiKey();
   return createApiClient({ apiKey });
 }
 
 export async function listBranches(projectId: string) {
-  const payload = await neonClient().listProjectBranches({ projectId });
+  const payload = await (await neonClient()).listProjectBranches({ projectId });
   return (payload.branches ?? [])
     .map((branch) => ({
       id: branch.id ?? "",
@@ -27,7 +66,7 @@ export async function listBranches(projectId: string) {
 }
 
 export async function ensureDatabase(projectId: string, branchId: string, databaseName: string) {
-  const client = neonClient();
+  const client = await neonClient();
 
   try {
     await client.getProjectBranchDatabase(projectId, branchId, databaseName);
@@ -52,7 +91,7 @@ export async function ensureBranch(projectId: string, branchName: string, parent
     return existing;
   }
 
-  const payload = await neonClient().createProjectBranch(projectId, {
+  const payload = await (await neonClient()).createProjectBranch(projectId, {
     branch: {
       name: branchName,
       parent_id: parentId,
@@ -77,7 +116,7 @@ export async function ensureBranch(projectId: string, branchName: string, parent
 
 export async function deleteBranch(projectId: string, branchId: string) {
   try {
-    await neonClient().deleteProjectBranch(projectId, branchId);
+    await (await neonClient()).deleteProjectBranch(projectId, branchId);
   } catch (error) {
     const status = (error as { response?: { status?: number } })?.response?.status;
     if (status === 404) {
@@ -88,7 +127,7 @@ export async function deleteBranch(projectId: string, branchId: string) {
 }
 
 export async function getConnectionUri(projectId: string, branchId: string, databaseName: string, roleName: string) {
-  const payload = await neonClient().getConnectionUri({
+  const payload = await (await neonClient()).getConnectionUri({
     projectId,
     branchId,
     databaseName,