create-svc 0.1.53 → 0.1.55

package/README.md

@@ -115,6 +115,7 @@ bun run lint
 bun run test
 service create
 service deploy
+service observability-bootstrap
 service dev down
 service destroy
 ```
@@ -129,6 +130,7 @@ make lint
 make test
 service create
 service deploy
+service observability-bootstrap
 service dev down
 service destroy
 ```
@@ -136,6 +138,10 @@ service destroy
 Language-specific tasks such as local running, linting, formatting, testing, and building stay in package scripts or Make targets. Service lifecycle operations are exposed through the generated `service` CLI.
 `service destroy --force` also stops local dev and runs Docker Compose cleanup for generated Cloud Run services.
 
+`service observability-bootstrap` enables the Google Cloud Logging, Monitoring,
+and Trace APIs for the generated GCP project. It does not create dashboards,
+alerts, log-based metrics, or SLOs; those stay explicit follow-up work.
+
 After `service create` has provisioned auth, the generated repo can mint a
 client-credentials bearer token for smoke checks:
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.53",
+  "version": "0.1.55",
   "description": "Local microservice bootstrap CLI for Cloud Run and Workers services with Neon-backed data.",
   "module": "index.ts",
   "type": "module",

package/src/git-bootstrap.test.ts

@@ -2,7 +2,13 @@ import { expect, test } from "bun:test";
 import { mkdir, mkdtemp, realpath, writeFile } from "node:fs/promises";
 import { join } from "node:path";
 import { tmpdir } from "node:os";
-import { buildGitBootstrapConfig, findExistingGitWorktree, manualGitHubDeleteCommand, markGitHubRepositoryDeleteOnDestroy } from "./git-bootstrap";
+import {
+  buildGitBootstrapConfig,
+  commitAndPushGeneratedArtifacts,
+  findExistingGitWorktree,
+  manualGitHubDeleteCommand,
+  markGitHubRepositoryDeleteOnDestroy,
+} from "./git-bootstrap";
 
 test("buildGitBootstrapConfig defaults to anmho private repo creation", () => {
   expect(buildGitBootstrapConfig("launch-api", undefined)).toEqual({
@@ -41,6 +47,36 @@ test("markGitHubRepositoryDeleteOnDestroy records generated repo ownership", asy
   expect(await Bun.file(join(root, "service.jsonc")).text()).toContain('"delete_on_destroy": true');
 });
 
+test("commitAndPushGeneratedArtifacts excludes local dependencies and dev runtime files", async () => {
+  const root = await mkdtemp(join(tmpdir(), "create-svc-git-"));
+  const remote = await mkdtemp(join(tmpdir(), "create-svc-remote-"));
+  run(["git", "init", "--bare"], remote);
+  run(["git", "init", "-b", "main"], root);
+  run(["git", "config", "user.name", "create-svc test"], root);
+  run(["git", "config", "user.email", "create-svc@example.invalid"], root);
+  run(["git", "remote", "add", "origin", remote], root);
+  await writeFile(join(root, "README.md"), "# generated\n");
+  run(["git", "add", "."], root);
+  run(["git", "commit", "-m", "Initial commit"], root);
+  run(["git", "push", "-u", "origin", "main"], root);
+
+  await mkdir(join(root, "node_modules", "large-package"), { recursive: true });
+  await mkdir(join(root, ".service"), { recursive: true });
+  await mkdir(join(root, ".wrangler", "tmp"), { recursive: true });
+  await writeFile(join(root, "node_modules", "large-package", "artifact.bin"), "large");
+  await writeFile(join(root, ".service", "local-dev.log"), "log");
+  await writeFile(join(root, ".service", "local-dev.pid"), "123");
+  await writeFile(join(root, ".wrangler", "tmp", "bundle.js"), "bundle");
+  await writeFile(join(root, "service.jsonc"), '{ "deployed": true }\n');
+
+  expect(commitAndPushGeneratedArtifacts(root, "Record generated deployment artifacts")).toEqual({ committed: true });
+
+  expect(git(["ls-files"], root)).toContain("service.jsonc");
+  expect(git(["ls-files"], root)).not.toContain("node_modules");
+  expect(git(["ls-files"], root)).not.toContain(".service/local-dev.log");
+  expect(git(["ls-files"], root)).not.toContain(".wrangler");
+});
+
 function run(command: string[], cwd: string) {
   const result = Bun.spawnSync(command, {
     cwd,
@@ -51,3 +87,15 @@ function run(command: string[], cwd: string) {
     throw new Error(result.stderr.toString());
   }
 }
+
+function git(command: string[], cwd: string) {
+  const result = Bun.spawnSync(["git", ...command], {
+    cwd,
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  if (result.exitCode !== 0) {
+    throw new Error(result.stderr.toString());
+  }
+  return result.stdout.toString();
+}

package/src/git-bootstrap.ts

@@ -58,7 +58,19 @@ export async function bootstrapGitHubRepository(targetDir: string, config: GitBo
 }
 
 export function commitAndPushGeneratedArtifacts(targetDir: string, message: string) {
-  run(["git", "add", "."], targetDir);
+  run(
+    [
+      "git",
+      "add",
+      "--all",
+      ".",
+      ":!node_modules",
+      ":!.service/*.log",
+      ":!.service/*.pid",
+      ":!.wrangler",
+    ],
+    targetDir
+  );
   if (!hasStagedChanges(targetDir)) {
     return { committed: false };
   }

package/src/scaffold.test.ts

@@ -105,6 +105,8 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
 
     const gitignore = await Bun.file(join(generatedRoot, ".gitignore")).text();
     expect(gitignore).toContain("node_modules");
+    expect(gitignore).toContain(".service/*.log");
+    expect(gitignore).toContain(".wrangler");
     expect(await Bun.file(join(generatedRoot, "website", "package.json")).exists()).toBeFalse();
 
     const dockerCompose = await Bun.file(join(generatedRoot, "docker-compose.yml")).text();
@@ -133,12 +135,25 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
     expect(localEnv).toContain("VAULT_CLOUDFLARE_API_TOKEN_PATH=prod/providers/cloudflare");
     expect(localEnv).not.toContain("ATTACHMENT_PUBLIC_BASE_URL=");
 
-    const ciWorkflow = await Bun.file(join(generatedRoot, ".github", "workflows", "ci.yml")).text();
-    expect(ciWorkflow).toContain("bun run dashboards");
-    expect(ciWorkflow).toContain("GCX_ENABLED");
     expect(await Bun.file(join(generatedRoot, "grafana", "waitlist-dashboard.json")).exists()).toBeTrue();
     expect(await Bun.file(join(generatedRoot, "grafana", "alerts.yaml")).exists()).toBeTrue();
 
+    const previewWorkflow = await Bun.file(join(generatedRoot, ".github", "workflows", "preview.yml")).text();
+    expect(previewWorkflow).toContain("push:");
+    expect(previewWorkflow).toContain("branches-ignore:");
+    expect(previewWorkflow).toContain("- main");
+    expect(previewWorkflow).toContain("github.ref_name");
+    expect(previewWorkflow).toContain("service deploy --ci --environment preview --name");
+    expect(previewWorkflow).toContain("NEON_API_KEY");
+
+    const deployWorkflow = await Bun.file(join(generatedRoot, ".github", "workflows", "deploy.yml")).text();
+    expect(deployWorkflow).toContain("branches:");
+    expect(deployWorkflow).toContain("- main");
+    expect(deployWorkflow).toContain("bun install -g create-svc@latest");
+    expect(deployWorkflow).toContain("service deploy --ci");
+    expect(deployWorkflow).toContain("bun run dashboards");
+    expect(deployWorkflow).toContain("GCX_ENABLED");
+
     if (variant.runtime === "go") {
       const goMod = await Bun.file(join(generatedRoot, "go.mod")).text();
       const goSumExists = await Bun.file(join(generatedRoot, "go.sum")).exists();
@@ -148,6 +163,11 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(goSumExists).toBeTrue();
       const dockerfile = await Bun.file(join(generatedRoot, "Dockerfile")).text();
       expect(dockerfile).toContain("COPY go.mod go.sum ./");
+      if (variant.framework === "chi") {
+        expect(dockerfile).not.toContain("COPY gen ./gen");
+      } else {
+        expect(dockerfile).toContain("COPY gen ./gen");
+      }
       expect(packageJson).toContain('"dev": "make dev"');
       expect(packageJson).toContain('"service": "service"');
       expect(packageJson).toContain('"migrate": "service migrate"');
@@ -198,6 +218,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(packageJson).toContain('"create": "service create"');
       expect(packageJson).toContain('"deploy": "service deploy"');
       expect(packageJson).toContain('"dashboards": "service dashboards"');
+      expect(packageJson).toContain('"observability-bootstrap": "service observability-bootstrap"');
       expect(packageJson).toContain('"auth": "service auth"');
       expect(packageJson).toContain('"destroy": "service destroy"');
       expect(await Bun.file(join(generatedRoot, "scripts", "cloudrun", "cli.ts")).exists()).toBeFalse();
@@ -206,12 +227,15 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(serviceConfig).toContain('"service_id": "dns-api"');
       expect(serviceConfig).toContain('"project_id": "anmho-dns-api"');
       expect(serviceConfig).toContain('"database_name": "dns_api"');
+      expect(serviceConfig).toContain('"observability"');
+      expect(serviceConfig).toContain("logging.googleapis.com");
       const authScript = await Bun.file(join(generatedRoot, "src", "auth.ts")).text();
       expect(authScript).toContain('"Ed25519"');
 
       const makefile = await Bun.file(join(generatedRoot, "Makefile")).text();
       expect(makefile).toContain("SERVICE := service");
       expect(makefile).toContain("dashboards:");
+      expect(makefile).toContain("observability-bootstrap:");
       expect(makefile).toContain("auth:");
       expect(makefile).toContain("bun run dev");
       const devScript = await Bun.file(join(generatedRoot, "scripts", "dev.ts")).text();
@@ -249,8 +273,6 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(readme).toContain("service auth resource-server");
     }
 
-    const deployWorkflow = await Bun.file(join(generatedRoot, ".github", "workflows", "deploy.yml")).text();
-    expect(deployWorkflow).toContain("bun run dashboards");
   }
 }, 30000);
 
@@ -275,14 +297,20 @@ test("scaffolds a backend package cleanly into a nested monorepo-style directory
   expect(readme).toContain("known-good CLIs");
   expect(readme).toContain("service create");
   expect(readme).toContain("service deploy");
+  expect(readme).toContain("Google observability bootstrap");
+  expect(readme).toContain("Google Cloud Logging, Monitoring, and Trace APIs");
   expect(readme).toContain("one-command production create");
   expect(readme).toContain("waitlist/launch service");
   expect(readme).toContain("Terraform is optional");
   expect(readme).toContain("waitlist/launch service");
   expect(readme).not.toContain("Neon main, preview, and personal branch provisioning");
-  const ciWorkflow = await Bun.file(join(generatedRoot, ".github", "workflows", "ci.yml")).text();
-  expect(ciWorkflow).toContain("bun run dashboards");
-  expect(readme).not.toContain("repository");
+  expect(readme).toContain("GitHub Actions deployment");
+  expect(readme).toContain(".github/workflows/preview.yml");
+  expect(readme).toContain(".github/workflows/deploy.yml");
+  expect(readme).toContain("pushes to non-main branches");
+  expect(readme).toContain("GCP_WIF_PROVIDER");
+  expect(readme).toContain("GCP_DEPLOYER_SERVICE_ACCOUNT");
+  expect(readme).toContain("NEON_API_KEY");
 
   const packageJson = await Bun.file(join(generatedRoot, "package.json")).text();
   expect(packageJson).toContain('"hono"');
@@ -290,6 +318,8 @@ test("scaffolds a backend package cleanly into a nested monorepo-style directory
   const entrypoint = await Bun.file(join(generatedRoot, "src", "index.ts")).text();
   expect(entrypoint).toContain("/v1/waitlist");
   expect(entrypoint).toContain("/v1/admin/waitlist");
+  expect(await Bun.file(join(generatedRoot, ".github", "workflows", "preview.yml")).exists()).toBeTrue();
+  expect(await Bun.file(join(generatedRoot, ".github", "workflows", "deploy.yml")).exists()).toBeTrue();
 }, 15000);
 
 test("scaffolds the workers target with wrangler lifecycle commands", async () => {

package/src/scaffold.ts

@@ -12,6 +12,11 @@ import {
 import { exampleForProfile, type Profile } from "./profiles";
 import type { GitBootstrapConfig } from "./git-bootstrap";
 
+const GENERATED_GITHUB_ACTION_WORKFLOWS = new Set([
+  ".github/workflows/preview.yml",
+  ".github/workflows/deploy.yml",
+]);
+
 export type ScaffoldConfig = {
   directory: string;
   serviceName: string;
@@ -64,7 +69,7 @@ export async function scaffoldProject(config: ScaffoldConfig) {
         continue;
       }
       const sourcePath = join(template.root, relativePath);
-      const destinationPath = join(targetDir, relativePath);
+      const destinationPath = join(targetDir, templateDestinationPath(relativePath));
       const raw = await Bun.file(sourcePath).text();
       const rendered = renderTemplate(raw, replacements);
 
@@ -76,6 +81,10 @@ export async function scaffoldProject(config: ScaffoldConfig) {
   await writeLocalEnvFile(targetDir, replacements);
 }
 
+function templateDestinationPath(relativePath: string) {
+  return relativePath === "_gitignore" ? ".gitignore" : relativePath;
+}
+
 function shouldSkipForTarget(target: DeployTarget, templateKind: "shared" | "variant" | "target", relativePath: string) {
   if (
     relativePath === "scripts/authctl.ts" ||
@@ -153,12 +162,23 @@ async function collectTemplateFiles(root: string, relative = ""): Promise<string
       files.push(...(await collectTemplateFiles(root, nextRelative)));
       continue;
     }
+    if (shouldSkipTemplateFile(nextRelative)) {
+      continue;
+    }
     files.push(nextRelative);
   }
 
   return files.sort();
 }
 
+function shouldSkipTemplateFile(relativePath: string) {
+  if (!relativePath.startsWith(".github/")) {
+    return false;
+  }
+
+  return !GENERATED_GITHUB_ACTION_WORKFLOWS.has(relativePath);
+}
+
 function buildReplacements(config: ScaffoldConfig) {
   const example = exampleForProfile(config.profile);
   const serviceAccountBase = compactIdentifier(config.serviceName, 21);
@@ -219,6 +239,13 @@ function buildReplacements(config: ScaffoldConfig) {
     COMMAND_DEV_DOWN: "service dev down",
     COMMAND_BOOTSTRAP: "service create",
     COMMAND_DEPLOY: "service deploy",
+    COMMAND_OBSERVABILITY_BOOTSTRAP:
+      config.runtime === "bun" ? "bun run observability-bootstrap" : "make observability-bootstrap",
+    WORKFLOW_DEPLOY_MAIN_COMMAND: "service deploy --ci",
+    WORKFLOW_DEPLOY_PREVIEW_COMMAND:
+      "service deploy --ci --environment preview --name ${{ github.ref_name }}",
+    WORKFLOW_DEPLOY_MAIN_DOC_COMMAND: "service deploy --ci",
+    WORKFLOW_DEPLOY_PREVIEW_DOC_COMMAND: "service deploy --ci --environment preview --name <branch-name>",
     COMMAND_AUTH_RESOURCE: "service auth resource-server",
     COMMAND_AUTH_CLIENT: "service auth client create",
     COMMAND_AUTH_TOKEN: "service auth token",

package/src/service-runtime/cloudrun/cli.ts

@@ -6,6 +6,7 @@ import { stopLocalDev } from "../local-dev";
 import { bootstrap, prepareGcpProject } from "./bootstrap";
 import { cleanup } from "./cleanup";
 import { deploy } from "./deploy";
+import { observabilityBootstrap } from "./observability";
 import { config } from "./config";
 import {
   accessSecretVersion,
@@ -69,6 +70,14 @@ export async function main(argv = Bun.argv.slice(2)) {
     return;
   }
 
+  if (command === "observability-bootstrap") {
+    await runMain("Google observability bootstrap", async () => {
+      await observabilityBootstrap();
+      return `Google observability bootstrap finished for ${config.serviceName}`;
+    });
+    return;
+  }
+
   if (command === "dev") {
     if (rest[0] !== "down") {
       throw new Error(`Unknown dev command: ${rest[0] || ""}\n\n${formatHelp()}`);
@@ -125,6 +134,7 @@ function formatHelp() {
     "  sdk         Build or publish generated SDK artifacts",
     "  dns         Repair or inspect DNS mappings",
     "  dev down    Stop local dev and Docker Compose containers",
+    "  observability-bootstrap  Enable Google observability APIs",
     "  dashboards  Publish Grafana resources",
     "  destroy     Remove service-managed cloud resources",
   ].join("\n");

package/src/service-runtime/cloudrun/config.ts

@@ -55,6 +55,9 @@ export const config = {
     repository: serviceConfig.git?.repository || serviceConfig.service_id,
     deleteOnDestroy: Boolean(serviceConfig.git?.delete_on_destroy),
   },
+  observability: {
+    requiredApis: serviceConfig.observability?.required_apis ?? ["logging.googleapis.com", "monitoring.googleapis.com", "cloudtrace.googleapis.com"],
+  },
   requiredApis: cloudrun.required_apis,
 } as const;
 

package/src/service-runtime/cloudrun/lib.ts

@@ -605,7 +605,6 @@ export function ensureProductionDomainMapping(serviceName: string) {
   }
 
   const result = gcloud([
-    "beta",
     "run",
     "domain-mappings",
     "create",
@@ -627,7 +626,6 @@ export function describeProductionDomainMapping():
   | undefined {
   const result = gcloud(
     [
-      "beta",
       "run",
       "domain-mappings",
       "describe",
@@ -680,7 +678,6 @@ export function deleteProductionDomainMapping() {
   deleteCloudflareDnsRecord();
   gcloud(
     [
-      "beta",
       "run",
       "domain-mappings",
       "delete",

package/src/service-runtime/cloudrun/observability.ts

@@ -0,0 +1,18 @@
+import { config } from "./config";
+import { gcloud, requireCommand, requireGcloudAuth, runMain, runStep } from "./lib";
+
+export async function observabilityBootstrap() {
+  requireCommand("gcloud");
+  requireGcloudAuth();
+
+  await runStep("Enabling Google observability APIs", () =>
+    gcloud(["services", "enable", ...config.observability.requiredApis, "--project", config.project.id])
+  );
+}
+
+if (import.meta.main) {
+  await runMain("Google observability bootstrap", async () => {
+    await observabilityBootstrap();
+    return `Google observability bootstrap finished for ${config.serviceName}`;
+  });
+}

package/templates/shared/.env.example

@@ -0,0 +1,40 @@
+# Local development defaults.
+# The scaffold also writes a ready-to-use .env.local for Docker Compose Postgres.
+
+DATABASE_URL=postgres://{{LOCAL_DATABASE_USER}}:{{LOCAL_DATABASE_PASSWORD}}@127.0.0.1:{{LOCAL_DATABASE_PORT}}/{{LOCAL_DATABASE_NAME}}?sslmode=disable
+
+TEMPORAL_ENABLED=false
+TEMPORAL_ADDRESS=localhost:7233
+TEMPORAL_NAMESPACE=default
+TEMPORAL_TASK_QUEUE={{SERVICE_ID}}
+# Optional for Temporal Cloud. `service create` writes this to Secret Manager.
+TEMPORAL_API_KEY=
+
+AUTH_ENABLED=false
+AUTH_ISSUER=https://auth.anmho.com
+AUTH_AUDIENCE=api://{{SERVICE_ID}}
+AUTH_JWKS_URL=https://auth.anmho.com/api/auth/jwks
+
+# Production authctl operations such as `service create` and
+# `service auth client create` load Cloudflare Access values from Vault by
+# default. Direct env values still override Vault when set.
+AUTH_INTERNAL_BASE_URL=https://auth.anmho.com/internal
+CLOUDFLARE_ACCESS_SERVICE_TOKEN_CLIENT_ID=
+CLOUDFLARE_ACCESS_SERVICE_TOKEN_CLIENT_SECRET=
+
+# Remote bootstrap and deploy can use Neon admin credentials directly or through Vault.
+# Do not commit VAULT_TOKEN. Prefer `vault login`; the CLI will also use
+# VAULT_TOKEN_FILE or ~/.vault-token when available.
+
+VAULT_ADDR=https://vault.example.com
+VAULT_SECRET_MOUNT=secret
+VAULT_AUTHCTL_ACCESS_PATH=prod/apps/auth/authctl/cloudflare-access
+VAULT_AUTHCTL_ACCESS_BASE_URL_FIELD=AUTH_INTERNAL_BASE_URL
+VAULT_AUTHCTL_ACCESS_CLIENT_ID_FIELD=CLOUDFLARE_ACCESS_SERVICE_TOKEN_CLIENT_ID
+VAULT_AUTHCTL_ACCESS_CLIENT_SECRET_FIELD=CLOUDFLARE_ACCESS_SERVICE_TOKEN_CLIENT_SECRET
+VAULT_NEON_API_KEY_PATH=prod/providers/neon
+VAULT_NEON_API_KEY_FIELD=api_key
+
+# Optional provider credentials can be read from Vault or environment by
+# generated adapters you add later. The base waitlist service does not require
+# provider secrets.

package/templates/shared/.github/workflows/deploy.yml

@@ -25,7 +25,8 @@ jobs:
           service_account: ${{ vars.GCP_DEPLOYER_SERVICE_ACCOUNT }}
       - uses: google-github-actions/setup-gcloud@v2
       - run: bun install
-      - run: bun run deploy -- --ci
+      - run: bun install -g create-svc@latest
+      - run: {{WORKFLOW_DEPLOY_MAIN_COMMAND}}
         env:
           NEON_API_KEY: ${{ secrets.NEON_API_KEY }}
       - if: ${{ vars.GCX_ENABLED == 'true' }}

package/templates/shared/.github/workflows/preview.yml

@@ -1,8 +1,9 @@
 name: Preview
 
 on:
-  pull_request:
-    types: [opened, synchronize, reopened]
+  push:
+    branches-ignore:
+      - main
 
 permissions:
   contents: read
@@ -24,6 +25,7 @@ jobs:
           service_account: ${{ vars.GCP_DEPLOYER_SERVICE_ACCOUNT }}
       - uses: google-github-actions/setup-gcloud@v2
       - run: bun install
-      - run: bun run deploy -- --ci --environment preview --name ${{ github.event.pull_request.number }}
+      - run: bun install -g create-svc@latest
+      - run: {{WORKFLOW_DEPLOY_PREVIEW_COMMAND}}
         env:
           NEON_API_KEY: ${{ secrets.NEON_API_KEY }}

package/templates/shared/README.md

@@ -9,6 +9,7 @@ This `{{PROFILE}}` profile targets `{{RUNTIME}} + {{FRAMEWORK}}` on Cloud Run wi
 - local Docker Compose Postgres for first-run development
 - the `service` CLI for create, deploy, doctor, dashboards, and destroy
 - shared GCP project deployment with quota-project-aware `gcloud` calls
+- Google Cloud Observability API bootstrap through `service observability-bootstrap`
 - Neon-backed remote database provisioning during create and deploy
 - Better Auth client-credentials resource-server registration through `authctl`
 - stage-aware waitlist data and trigger ingestion
@@ -77,6 +78,20 @@ Build to build the image remotely.
 Local Docker builds target `linux/amd64` so images built on Apple Silicon run on
 Cloud Run.
 
+## Google observability bootstrap
+
+Run this after the first production create when you want the project ready for
+Google Cloud Observability follow-up work:
+
+```bash
+{{COMMAND_OBSERVABILITY_BOOTSTRAP}}
+```
+
+The command authenticates through `gcloud`, targets the generated GCP project,
+and enables the Google Cloud Logging, Monitoring, and Trace APIs. It does not
+create dashboards, alerts, log-based metrics, or SLOs; those remain explicit
+follow-up work.
+
 Authenticate `gcloud` on the machine before running provisioning commands:
 
 ```bash
@@ -211,6 +226,28 @@ secrets only when you add a provider adapter. A generic adapter can honor:
 
 - `WEBHOOK_<PROVIDER>_SECRET`
 
+## GitHub Actions deployment
+
+The scaffold emits a minimal deployment workflow slice for Cloud Run:
+
+- [.github/workflows/preview.yml](.github/workflows/preview.yml) deploys a preview environment on pushes to non-main branches. It runs `{{WORKFLOW_DEPLOY_PREVIEW_DOC_COMMAND}}`.
+- [.github/workflows/deploy.yml](.github/workflows/deploy.yml) deploys the main production environment on pushes to `main`. It runs `{{WORKFLOW_DEPLOY_MAIN_DOC_COMMAND}}`.
+
+These workflows intentionally assume only GitHub OIDC, Google Cloud Workload Identity Federation, the generated `service` CLI, and Neon.
+They do not use a long-lived Google service account key.
+
+Before enabling the workflows, set these GitHub repository variables:
+
+- `GCP_WIF_PROVIDER`: full Workload Identity Provider resource name that trusts this repository
+- `GCP_DEPLOYER_SERVICE_ACCOUNT`: deployer service account email
+
+Set this GitHub repository secret:
+
+- `NEON_API_KEY`: Neon admin API key used to create preview branches and resolve the main database
+
+The deployer service account needs enough access in the generated GCP project to run `service deploy`, including Cloud Run, Artifact Registry, Secret Manager, IAM service account usage, and storage operations for this service.
+Run `{{COMMAND_BOOTSTRAP}}` once before relying on the production workflow for a fresh project.
+
 ## One-command production create
 
 The one-command production create path is designed for a fresh standalone service.

package/templates/shared/_gitignore

@@ -0,0 +1,13 @@
+node_modules
+.env
+.env.local
+.env.*
+coverage
+dist
+out
+.cloudrun.rendered.yaml
+.service/*.log
+.service/*.pid
+.wrangler
+.DS_Store
+{{GITIGNORE_EXTRA}}

package/templates/shared/service.jsonc

@@ -85,6 +85,14 @@
     "module": "buf.build/anmho/{{SERVICE_ID}}"
   },
 
+  "observability": {
+    "required_apis": [
+      "logging.googleapis.com",
+      "monitoring.googleapis.com",
+      "cloudtrace.googleapis.com"
+    ]
+  },
+
   "cloudrun": {
     "project_id": "{{PROJECT_ID}}",
     "project_name": "{{PROJECT_NAME}}",

package/templates/targets/workers/.github/workflows/deploy.yml

@@ -12,6 +12,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: oven-sh/setup-bun@v2
       - run: bun install
+      - run: bun install -g create-svc@latest
       - run: bun run deploy
         env:
           CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}

package/templates/variants/bun-connectrpc/Makefile

@@ -1,4 +1,4 @@
-.PHONY: dev migrate gen lint test create deploy dashboards auth destroy
+.PHONY: dev migrate gen lint test create deploy dashboards observability-bootstrap auth destroy
 
 SERVICE := service
 
@@ -26,6 +26,9 @@ deploy:
 dashboards:
 	$(SERVICE) dashboards
 
+observability-bootstrap:
+	$(SERVICE) observability-bootstrap
+
 auth:
 	$(SERVICE) auth $(ARGS)
 

package/templates/variants/bun-connectrpc/migrations/0000_init.sql

@@ -18,3 +18,13 @@ create table if not exists waitlist_triggers (
   created_at timestamptz not null default now(),
   processed_at timestamptz
 );
+
+create table if not exists webhook_events (
+  id text primary key,
+  provider text not null,
+  external_event_id text not null,
+  payload_json text not null,
+  headers_json text not null,
+  received_at timestamptz not null default now(),
+  unique (provider, external_event_id)
+);

package/templates/variants/bun-connectrpc/package.json

@@ -12,6 +12,7 @@
     "create": "service create",
     "deploy": "service deploy",
     "dashboards": "service dashboards",
+    "observability-bootstrap": "service observability-bootstrap",
     "auth": "service auth",
     "destroy": "service destroy"
   },