create-svc 0.1.6 → 0.1.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.6",
+  "version": "0.1.8",
   "description": "Bun-authored CLI to scaffold Go Cloud Run services with Chi, ConnectRPC, Vault, and Cloudflare examples.",
   "module": "index.ts",
   "type": "module",

package/src/cli.test.ts

@@ -1,5 +1,6 @@
 import { expect, test } from "bun:test";
-import { normalizeValidationResult } from "./cli";
+import { mkdir } from "node:fs/promises";
+import { assertDiscoveryReady, normalizeValidationResult, validateServiceNameInput } from "./cli";
 
 test("normalizeValidationResult converts success to undefined", () => {
   expect(normalizeValidationResult(true)).toBeUndefined();
@@ -8,3 +9,31 @@ test("normalizeValidationResult converts success to undefined", () => {
 test("normalizeValidationResult preserves validation errors", () => {
   expect(normalizeValidationResult("Service name is required")).toBe("Service name is required");
 });
+
+test("assertDiscoveryReady requires Neon discovery to succeed", () => {
+  expect(() =>
+    assertDiscoveryReady({
+      projects: [],
+      billingAccounts: [],
+      warnings: [],
+      neonError: "Vault secret resolution requires VAULT_ADDR, VAULT_TOKEN, and a secret path",
+    })
+  ).toThrow(
+    "Neon discovery is required before scaffolding. Set NEON_API_KEY, or use Vault by providing VAULT_ADDR and VAULT_TOKEN. Optional overrides: VAULT_SECRET_MOUNT, VAULT_NEON_API_KEY_PATH, VAULT_NEON_API_KEY_FIELD."
+  );
+});
+
+test("validateServiceNameInput rejects a taken target directory", async () => {
+  const cwd = process.cwd();
+  const root = "/tmp/create-svc-cli-validation";
+  await mkdir(root, { recursive: true });
+  await mkdir(`${root}/taken-app`, { recursive: true });
+  await Bun.write(`${root}/taken-app/keep.txt`, "x");
+
+  process.chdir(root);
+  try {
+    expect(validateServiceNameInput("taken-app")).toBe("Directory already exists and is not empty");
+  } finally {
+    process.chdir(cwd);
+  }
+});

package/src/cli.ts

@@ -5,13 +5,13 @@ import {
   intro,
   isCancel,
   log,
-  note,
   outro,
   select,
   spinner,
   text,
 } from "@clack/prompts";
 import pc from "picocolors";
+import { readdirSync } from "node:fs";
 import { basename, dirname, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 import { runPostScaffoldFlow } from "./post-scaffold";
@@ -21,15 +21,18 @@ import {
   BILLING_ACCOUNT_DEFAULT,
   FRAMEWORKS_BY_RUNTIME,
   QUOTA_PROJECT_DEFAULT,
-  buildCreateProjectLabel,
-  buildGcpProjectOptions,
   deriveDefaults,
   slugify,
   type Framework,
   type GcpProjectMode,
   type Runtime,
 } from "./naming";
-import { scaffoldProject, type ScaffoldConfig } from "./scaffold";
+import {
+  DirectoryConflictError,
+  assertTargetDirectoryIsEmpty,
+  scaffoldProject,
+  type ScaffoldConfig,
+} from "./scaffold";
 
 type ParsedArgs = {
   directory?: string;
@@ -52,61 +55,66 @@ type DiscoveryState = {
   neonProjectId?: string;
   neonBaseBranchId?: string;
   neonBaseBranchName?: string;
+  neonError?: string;
   warnings: string[];
 };
 
 const DEFAULT_REGION = "us-west1";
 
 export async function run(argv: string[]) {
-  const args = parseArgs(argv);
-  if (args.help) {
-    printHelp();
-    return;
-  }
+  try {
+    const args = parseArgs(argv);
+    if (args.help) {
+      printHelp();
+      return;
+    }
+
+    intro(`${pc.bold("create-svc")} ${pc.dim("Cloud Run scaffold")}`);
 
-  intro(`${pc.bold("create-svc")} ${pc.dim("Cloud Run scaffold")}`);
-
-  const config = await resolveConfig(args);
-  const targetDir = resolve(process.cwd(), config.directory);
-
-  note(
-    [
-      `${pc.bold("Output")}: ${targetDir}`,
-      `${pc.bold("Runtime")}: ${config.runtime} + ${config.framework}`,
-      `${pc.bold("Project")}: ${config.gcpProjectMode === "create_new" ? "create" : "use"} ${config.gcpProjectName} (${config.gcpProject})`,
-      `${pc.bold("GitHub")}: ${config.githubRepo}`,
-      `${pc.bold("Neon")}: ${config.neonProjectId || "(set later)"} / ${config.neonBaseBranchName || "(set later)"}`,
-    ].join("\n"),
-    "Scaffold"
-  );
-
-  const buildSpinner = spinner();
-  buildSpinner.start("Generating project files");
-  await scaffoldProject(config);
-  buildSpinner.stop("Project files generated");
-
-  const shouldRunPostScaffoldFlow = Boolean(process.stdout.isTTY && process.stdin.isTTY && (config.createGithubRepo || config.autoDeploy));
-  if (shouldRunPostScaffoldFlow) {
-    const automationSpinner = spinner();
-    automationSpinner.start("Running post-scaffold automation");
-    try {
-      const result = await runPostScaffoldFlow(config, targetDir);
-      automationSpinner.stop(result.message);
-    } catch (error) {
-      automationSpinner.stop("Post-scaffold automation skipped");
-      log.warn(error instanceof Error ? error.message : String(error));
+    const config = await resolveConfig(args);
+    const targetDir = resolve(process.cwd(), config.directory);
+
+    note(
+      [
+        `${pc.bold("Output")}: ${targetDir}`,
+        `${pc.bold("Runtime")}: ${config.runtime} + ${config.framework}`,
+        `${pc.bold("Project")}: ${config.gcpProjectMode === "create_new" ? "create" : "use"} ${config.gcpProjectName} (${config.gcpProject})`,
+        `${pc.bold("GitHub")}: ${config.githubRepo}`,
+        `${pc.bold("Neon")}: ${config.neonProjectId || "(set later)"} / ${config.neonBaseBranchName || "(set later)"}`,
+      ].join("\n"),
+      "Scaffold"
+    );
+
+    const buildSpinner = spinner();
+    buildSpinner.start("Generating project files");
+    await scaffoldProject(config);
+    buildSpinner.stop("Project files generated");
+
+    const shouldRunPostScaffoldFlow = Boolean(process.stdout.isTTY && process.stdin.isTTY && (config.createGithubRepo || config.autoDeploy));
+    if (shouldRunPostScaffoldFlow) {
+      const automationSpinner = spinner();
+      automationSpinner.start("Running post-scaffold automation");
+      try {
+        const result = await runPostScaffoldFlow(config, targetDir);
+        automationSpinner.stop(result.message);
+      } catch (error) {
+        automationSpinner.stop("Post-scaffold automation skipped");
+        log.warn(error instanceof Error ? error.message : String(error));
+      }
     }
-  }
 
-  outro(
-    [
-      `Next: ${pc.cyan(`cd ${config.directory}`)}`,
-      `Local dev: ${pc.cyan("bun dev")}`,
-      `Bootstrap: ${pc.cyan("bun run bootstrap")}`,
-      `Deploy: ${pc.cyan("bun run deploy")}`,
-      `Personal env: ${pc.cyan(`bun run deploy -- --environment personal --name ${config.serviceName}`)}`,
-    ].join("\n")
-  );
+    outro(
+      [
+        `Next: ${pc.cyan(`cd ${config.directory}`)}`,
+        `Local dev: ${pc.cyan("bun dev")}`,
+        `Bootstrap: ${pc.cyan("bun run bootstrap")}`,
+        `Deploy: ${pc.cyan("bun run deploy")}`,
+        `Personal env: ${pc.cyan(`bun run deploy -- --environment personal --name ${config.serviceName}`)}`,
+      ].join("\n")
+    );
+  } catch (error) {
+    handleCliError(error);
+  }
 }
 
 function parseArgs(argv: string[]): ParsedArgs {
@@ -250,18 +258,22 @@ export async function resolveConfig(args: ParsedArgs): Promise<ScaffoldConfig> {
   const inferredName = slugify(basename(args.directory ?? "my-service"));
   const serviceName = args.yes
     ? inferredName
-    : await promptText("Service name", inferredName, (value) => slugify(value).length > 0 || "Service name is required");
+    : await promptText("Service name", inferredName, (value) => validateServiceNameInput(value, args.directory));
+  const directory = args.directory ?? serviceName;
+  const targetDir = resolve(process.cwd(), directory);
+  await assertTargetDirectoryIsEmpty(targetDir);
 
+  const discoveryPromise = discoverCloudInputs();
   const defaults = deriveDefaults(serviceName);
-  const discovery = await discoverCloudInputs(serviceName);
   const runtime = await resolveRuntime(args);
   const framework = await resolveFramework(args, runtime);
+  const discovery = await discoveryPromise;
+  assertDiscoveryReady(discovery);
   const gcpSelection = await resolveGcpSelection(args, defaults, discovery);
   const githubRepo = args.githubRepo ?? defaults.githubRepo;
   const region = args.region ?? DEFAULT_REGION;
   const billingAccount = chooseBillingAccount(args.billingAccount, discovery.billingAccounts);
   const autoDeploy = resolveAutoDeploy(args.autoDeploy);
-  const directory = args.directory ?? serviceName;
 
   if (!args.yes) {
     const okay = await confirm({
@@ -409,7 +421,8 @@ async function resolveGcpSelection(
       {
         value: "use_existing",
         label: "Use existing project...",
-        hint: `${discovery.projects.length} available`,
+        hint: discovery.projects.length > 0 ? `${discovery.projects.length} available` : "Unavailable",
+        disabled: discovery.projects.length === 0,
       },
     ],
   });
@@ -451,7 +464,7 @@ async function resolveGcpSelection(
   };
 }
 
-async function discoverCloudInputs(serviceName: string): Promise<DiscoveryState> {
+async function discoverCloudInputs(): Promise<DiscoveryState> {
   const result: DiscoveryState = {
     projects: [],
     billingAccounts: [],
@@ -471,17 +484,25 @@ async function discoverCloudInputs(serviceName: string): Promise<DiscoveryState>
   }
 
   try {
-    const neonDefaults = await discoverNeonDefaults(serviceName);
+    const neonDefaults = await discoverNeonDefaults();
     result.neonProjectId = neonDefaults.projectId;
     result.neonBaseBranchId = neonDefaults.baseBranchId;
     result.neonBaseBranchName = neonDefaults.baseBranchName;
   } catch (error) {
-    result.warnings.push(`Skipping Neon discovery: ${formatError(error)}`);
+    result.neonError = formatError(error);
   }
 
   return result;
 }
 
+export function assertDiscoveryReady(discovery: DiscoveryState) {
+  if (!discovery.neonError) {
+    return;
+  }
+
+  throw new Error(formatNeonDiscoveryRequirement(discovery.neonError));
+}
+
 function chooseBillingAccount(input: string | undefined, accounts: BillingAccount[]) {
   if (input) {
     return input;
@@ -525,6 +546,28 @@ function formatError(error: unknown) {
   return error instanceof Error ? error.message : String(error);
 }
 
+function formatNeonDiscoveryRequirement(reason: string) {
+  if (reason.includes("Vault secret resolution requires")) {
+    return [
+      "Neon discovery is required before scaffolding.",
+      "Set NEON_API_KEY, or use Vault by providing VAULT_ADDR and VAULT_TOKEN.",
+      "Optional overrides: VAULT_SECRET_MOUNT, VAULT_NEON_API_KEY_PATH, VAULT_NEON_API_KEY_FIELD.",
+    ].join(" ");
+  }
+
+  return `Neon discovery is required before scaffolding: ${reason}`;
+}
+
+function handleCliError(error: unknown) {
+  if (error instanceof DirectoryConflictError) {
+    log.error(`Target directory already exists and is not empty: ${error.targetDir}`);
+    process.exit(1);
+  }
+
+  log.error(formatError(error));
+  process.exit(1);
+}
+
 async function promptForExistingProject(projects: GcpProject[]) {
   const value = await autocomplete({
     message: "Existing GCP project",
@@ -569,6 +612,29 @@ export function normalizeValidationResult(result: true | string): string | undef
   return result === true ? undefined : result;
 }
 
+export function validateServiceNameInput(rawValue: string, directoryOverride?: string) {
+  const serviceName = slugify(rawValue);
+  if (!serviceName) {
+    return "Service name is required";
+  }
+
+  const directory = directoryOverride ?? serviceName;
+  const targetDir = resolve(process.cwd(), directory);
+
+  try {
+    const entries = readdirSync(targetDir);
+    if (entries.length > 0) {
+      return "Directory already exists and is not empty";
+    }
+  } catch (error) {
+    if ((error as NodeJS.ErrnoException).code !== "ENOENT") {
+      return "Unable to check target directory";
+    }
+  }
+
+  return true;
+}
+
 function printHelp() {
   log.message(`
 Usage:

package/src/neon.ts

@@ -52,11 +52,11 @@ export async function listBranches(projectId: string, api = createNeonApi()): Pr
   return api.listBranches(projectId);
 }
 
-export async function discoverNeonDefaults(serviceName: string, api = createNeonApi()) {
+export async function discoverNeonDefaults(serviceLabel = "this service", api = createNeonApi()) {
   const projects = await listProjects(api);
   const project = projects[0];
   if (!project) {
-    throw new Error(`No Neon projects are available for ${serviceName}`);
+    throw new Error(`No Neon projects are available for ${serviceLabel}`);
   }
 
   const branches = await listBranches(project.id, api);

package/src/scaffold.test.ts

@@ -1,8 +1,8 @@
 import { expect, test } from "bun:test";
-import { mkdtemp } from "node:fs/promises";
+import { mkdtemp, mkdir, writeFile } from "node:fs/promises";
 import { join } from "node:path";
 import { tmpdir } from "node:os";
-import { scaffoldProject, type ScaffoldConfig } from "./scaffold";
+import { DirectoryConflictError, assertTargetDirectoryIsEmpty, scaffoldProject, type ScaffoldConfig } from "./scaffold";
 
 function baseConfig(overrides: Partial<ScaffoldConfig> = {}): ScaffoldConfig {
   return {
@@ -72,10 +72,22 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(mainGo).toContain("NewDNSService");
     } else {
       const packageJson = await Bun.file(join(generatedRoot, "package.json")).text();
-      expect(packageJson).toContain('"bootstrap": "bun run ./scripts/cloudrun/bootstrap.ts"');
+      expect(packageJson).toContain('"svc-cloudrun": "./scripts/cloudrun/cli.ts"');
+
+      const makefile = await Bun.file(join(generatedRoot, "Makefile")).text();
+      expect(makefile).toContain("npx --no-install svc-cloudrun");
 
       const entrypoint = await Bun.file(join(generatedRoot, "src", "index.ts")).text();
       expect(entrypoint).toContain(variant.framework === "hono" ? "Hono" : "rpc.example.v1.Service/Ping");
     }
   }
 });
+
+test("detects conflicting files before scaffold generation", async () => {
+  const root = await mkdtemp(join(tmpdir(), "create-svc-conflict-"));
+  const generatedRoot = join(root, "existing");
+  await mkdir(generatedRoot, { recursive: true });
+  await writeFile(join(generatedRoot, "README.md"), "hello");
+
+  await expect(assertTargetDirectoryIsEmpty(generatedRoot)).rejects.toBeInstanceOf(DirectoryConflictError);
+});

package/src/scaffold.ts

@@ -29,6 +29,18 @@ export type ScaffoldConfig = {
   generatorRoot: string;
 };
 
+export class DirectoryConflictError extends Error {
+  targetDir: string;
+  entries: string[];
+
+  constructor(targetDir: string, entries: string[]) {
+    super(`Target directory already exists and is not empty: ${targetDir}`);
+    this.name = "DirectoryConflictError";
+    this.targetDir = targetDir;
+    this.entries = entries;
+  }
+}
+
 export async function scaffoldProject(config: ScaffoldConfig) {
   const targetDir = resolve(process.cwd(), config.directory);
   await ensureTargetDirectory(targetDir);
@@ -53,14 +65,18 @@ export async function scaffoldProject(config: ScaffoldConfig) {
 }
 
 async function ensureTargetDirectory(targetDir: string) {
+  await assertTargetDirectoryIsEmpty(targetDir);
+  await mkdir(targetDir, { recursive: true });
+}
+
+export async function assertTargetDirectoryIsEmpty(targetDir: string) {
   try {
     const entries = await readdir(targetDir);
     if (entries.length > 0) {
-      throw new Error(`Target directory already exists and is not empty: ${targetDir}`);
+      throw new DirectoryConflictError(targetDir, entries.sort());
     }
   } catch (error) {
     if ((error as NodeJS.ErrnoException).code === "ENOENT") {
-      await mkdir(targetDir, { recursive: true });
       return;
     }
     throw error;

package/templates/shared/.env.example

@@ -0,0 +1,10 @@
+# Stable repo-local settings for Neon admin key lookup via Vault.
+# Copy to .env.local and adjust as needed.
+
+VAULT_ADDR=https://vault.example.com
+VAULT_SECRET_MOUNT=secret
+VAULT_NEON_API_KEY_PATH=provider/neon-api-key
+VAULT_NEON_API_KEY_FIELD=value
+
+# Do not commit VAULT_TOKEN. Prefer `vault login` in your shell session.
+

package/templates/shared/README.md

@@ -33,6 +33,27 @@ Bootstrap and deploy use:
 - `gh`
 - `NEON_API_KEY`, or a working Vault login via `VAULT_ADDR` + `VAULT_TOKEN`
 
+## Environment setup
+
+For project-specific Vault settings, prefer repo-local config over shell startup files:
+
+```bash
+cp .env.example .env.local
+```
+
+Then edit `.env.local` with your Vault address and secret path overrides.
+
+For the token itself, prefer a live shell session:
+
+```bash
+vault login
+export VAULT_TOKEN="$(vault print token)"
+```
+
+or however your existing Vault login flow exposes `VAULT_TOKEN`.
+
+That keeps stable settings in the repo and keeps the token out of `~/.zshrc`.
+
 Optional Vault overrides for Neon admin key lookup:
 
 - `VAULT_SECRET_MOUNT` default `secret`

package/templates/shared/scripts/cloudrun/bootstrap.ts

@@ -14,6 +14,8 @@ import {
   gcloud,
   requireCommand,
   resolveDeploymentTarget,
+  runMain,
+  runStep,
   setGithubVariable,
   workloadIdentityPoolResource,
   workloadIdentityProviderResource,
@@ -23,54 +25,67 @@ export async function bootstrap() {
   requireCommand("gcloud");
   requireCommand("gh");
 
-  ensureProject();
-  attachBilling();
-  gcloud(["services", "enable", ...config.requiredApis, "--project", config.project.id]);
+  await runStep("Ensuring GCP project", () => ensureProject());
+  await runStep("Attaching billing", () => attachBilling());
+  await runStep("Enabling required GCP APIs", () => gcloud(["services", "enable", ...config.requiredApis, "--project", config.project.id]));
 
-  ensureServiceAccount(config.runtimeServiceAccount);
-  ensureServiceAccount(config.deployerServiceAccount);
-  ensureArtifactRepository();
+  await runStep("Ensuring runtime and deployer service accounts", () => {
+    ensureServiceAccount(config.runtimeServiceAccount);
+    ensureServiceAccount(config.deployerServiceAccount);
+  });
 
-  ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/run.admin");
-  ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/cloudbuild.builds.editor");
-  ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/artifactregistry.writer");
-  ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/serviceusage.serviceUsageConsumer");
-  ensureProjectRole(`serviceAccount:${config.runtimeServiceAccount}`, "roles/secretmanager.secretAccessor");
+  await runStep("Ensuring Artifact Registry repository", () => ensureArtifactRepository());
 
-  ensureServiceAccountRole(config.runtimeServiceAccount, `serviceAccount:${config.deployerServiceAccount}`, "roles/iam.serviceAccountUser");
+  await runStep("Granting project roles", () => {
+    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/run.admin");
+    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/cloudbuild.builds.editor");
+    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/artifactregistry.writer");
+    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/serviceusage.serviceUsageConsumer");
+    ensureProjectRole(`serviceAccount:${config.runtimeServiceAccount}`, "roles/secretmanager.secretAccessor");
+    ensureServiceAccountRole(config.runtimeServiceAccount, `serviceAccount:${config.deployerServiceAccount}`, "roles/iam.serviceAccountUser");
+  });
 
-  ensureWorkloadIdentityPool();
-  ensureWorkloadIdentityProvider();
-  ensureServiceAccountRole(
-    config.deployerServiceAccount,
-    `principalSet://iam.googleapis.com/${workloadIdentityPoolResource()}/attribute.repository/${config.github.repo}`,
-    "roles/iam.workloadIdentityUser"
-  );
+  await runStep("Ensuring Workload Identity setup", () => {
+    ensureWorkloadIdentityPool();
+    ensureWorkloadIdentityProvider();
+    ensureServiceAccountRole(
+      config.deployerServiceAccount,
+      `principalSet://iam.googleapis.com/${workloadIdentityPoolResource()}/attribute.repository/${config.github.repo}`,
+      "roles/iam.workloadIdentityUser"
+    );
+  });
 
   if (!config.neon.projectId || !config.neon.baseBranchId) {
     throw new Error("Neon project and base branch must be configured before bootstrap");
   }
 
   const target = resolveDeploymentTarget("main");
-  await ensureDatabase(config.neon.projectId, config.neon.baseBranchId, config.neon.databaseName);
-  const connectionUri = await getConnectionUri(
-    config.neon.projectId,
-    config.neon.baseBranchId,
-    config.neon.databaseName,
-    config.neon.roleName
-  );
-  addSecretVersion(target.databaseSecretName, connectionUri);
-  ensureSecretAccessor(target.databaseSecretName, `serviceAccount:${config.runtimeServiceAccount}`);
+  await runStep("Ensuring Neon database", () => ensureDatabase(config.neon.projectId, config.neon.baseBranchId, config.neon.databaseName));
 
-  for (const [name, value] of Object.entries(githubVariables)) {
-    setGithubVariable(name, value);
-  }
+  await runStep("Publishing database secret", async () => {
+    const connectionUri = await getConnectionUri(
+      config.neon.projectId,
+      config.neon.baseBranchId,
+      config.neon.databaseName,
+      config.neon.roleName
+    );
+    addSecretVersion(target.databaseSecretName, connectionUri);
+    ensureSecretAccessor(target.databaseSecretName, `serviceAccount:${config.runtimeServiceAccount}`);
+  });
+
+  await runStep("Configuring GitHub repository variables", () => {
+    for (const [name, value] of Object.entries(githubVariables)) {
+      setGithubVariable(name, value);
+    }
 
-  setGithubVariable("GCP_WIF_PROVIDER", workloadIdentityProviderResource());
-  setGithubVariable("GCP_DEPLOYER_SERVICE_ACCOUNT", config.deployerServiceAccount);
+    setGithubVariable("GCP_WIF_PROVIDER", workloadIdentityProviderResource());
+    setGithubVariable("GCP_DEPLOYER_SERVICE_ACCOUNT", config.deployerServiceAccount);
+  });
 }
 
 if (import.meta.main) {
-  await bootstrap();
+  await runMain("Bootstrap", async () => {
+    await bootstrap();
+    return `Bootstrap finished for ${config.serviceName}`;
+  });
 }
-

package/templates/shared/scripts/cloudrun/cleanup.ts

@@ -0,0 +1,100 @@
+import { log } from "@clack/prompts";
+import { config, githubVariables } from "./config";
+import { deleteBranch, deleteDatabase, listBranches } from "./neon";
+import {
+  deleteGithubRepository,
+  deleteGithubVariable,
+  deleteProject,
+  deleteSecret,
+  deleteService,
+  deleteServiceAccount,
+  deleteWorkloadIdentityProvider,
+  listCloudRunServices,
+  listSecrets,
+  parseCleanupArgs,
+  requireCommand,
+  runMain,
+  runStep,
+} from "./lib";
+
+function matchesServiceResource(name: string) {
+  return name === config.serviceName || name.startsWith(`${config.serviceName}-pr-`) || name.startsWith(`${config.serviceName}-dev-`);
+}
+
+function matchesSecretResource(name: string) {
+  return name === `${config.serviceName}-database-url` || name.startsWith(`${config.serviceName}-pr-`) || name.startsWith(`${config.serviceName}-dev-`);
+}
+
+export async function cleanup(args = Bun.argv.slice(2)) {
+  requireCommand("gcloud");
+
+  const options = parseCleanupArgs(args);
+
+  const services = await runStep("Finding Cloud Run services", () => listCloudRunServices());
+  const serviceNames = services.filter(matchesServiceResource);
+  await runStep("Deleting Cloud Run services", () => {
+    for (const serviceName of serviceNames) {
+      deleteService(serviceName);
+    }
+  });
+
+  const secrets = await runStep("Finding service secrets", () => listSecrets());
+  const secretNames = secrets.filter(matchesSecretResource);
+  await runStep("Deleting service secrets", () => {
+    for (const secretName of secretNames) {
+      deleteSecret(secretName);
+    }
+  });
+
+  if (config.neon.projectId && config.neon.baseBranchId) {
+    const branches = await runStep("Finding Neon branches", () => listBranches(config.neon.projectId));
+    const disposableBranches = branches.filter(
+      (branch) => branch.name.startsWith(`${config.neon.previewBranchPrefix}-`) || branch.name.startsWith(`${config.neon.personalBranchPrefix}-`)
+    );
+
+    await runStep("Deleting Neon preview and personal branches", async () => {
+      for (const branch of disposableBranches) {
+        await deleteBranch(config.neon.projectId, branch.id);
+      }
+    });
+
+    await runStep("Deleting Neon service database", () =>
+      deleteDatabase(config.neon.projectId, config.neon.baseBranchId, config.neon.databaseName)
+    );
+  } else {
+    log.step("Skipping Neon cleanup because Neon is not configured");
+  }
+
+  await runStep("Deleting service-specific identity resources", () => {
+    deleteWorkloadIdentityProvider();
+    deleteServiceAccount(config.runtimeServiceAccount);
+    deleteServiceAccount(config.deployerServiceAccount);
+  });
+
+  if (Bun.which("gh")) {
+    await runStep("Deleting GitHub repository variables", () => {
+      for (const name of [...Object.keys(githubVariables), "GCP_WIF_PROVIDER", "GCP_DEPLOYER_SERVICE_ACCOUNT"]) {
+        deleteGithubVariable(name);
+      }
+    });
+
+    if (options.destroyRepo) {
+      await runStep(`Deleting GitHub repository ${config.github.repo}`, () => deleteGithubRepository());
+    }
+  } else if (options.destroyRepo) {
+    throw new Error("gh is required to delete the GitHub repository");
+  } else {
+    log.step("Skipping GitHub cleanup because gh is not installed");
+  }
+
+  if (options.destroyProject) {
+    await runStep(`Deleting GCP project ${config.project.id}`, () => deleteProject());
+    return `Deleted project ${config.project.id}`;
+  }
+
+  return `Cleanup finished for ${config.serviceName}`;
+}
+
+if (import.meta.main) {
+  await runMain("Cleanup", () => cleanup(Bun.argv.slice(2)));
+}