create-svc 0.1.63 → 0.1.64

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.63",
+  "version": "0.1.64",
   "description": "Local microservice bootstrap CLI for Cloud Run and Workers services with Neon-backed data.",
   "module": "index.ts",
   "type": "module",

package/src/service-runtime/cloudrun/bootstrap.ts

@@ -79,19 +79,18 @@ export async function prepareGcpProject() {
 
 function publishTemporalSecrets() {
   const temporal = resolveTemporalRuntimeConfig();
-  const apiKey = process.env.TEMPORAL_API_KEY?.trim();
-  if (!apiKey || !temporal.apiKeySecretName) {
+  if (!temporal.apiKey || !temporal.apiKeySecretName) {
     return "No Temporal API key configured";
   }
 
-  addSecretVersion(temporal.apiKeySecretName, apiKey);
+  addSecretVersion(temporal.apiKeySecretName, temporal.apiKey);
   ensureSecretAccessor(temporal.apiKeySecretName, `serviceAccount:${config.runtimeServiceAccount}`);
   return temporal.apiKeySecretName;
 }
 
 function shouldPublishTemporalSecrets() {
   const temporal = resolveTemporalRuntimeConfig();
-  return Boolean(process.env.TEMPORAL_API_KEY?.trim() && temporal.apiKeySecretName);
+  return Boolean(temporal.enabled && temporal.apiKey && temporal.apiKeySecretName);
 }
 
 if (import.meta.main) {

package/src/service-runtime/cloudrun/config.ts

@@ -3,6 +3,7 @@ import { serviceConfig } from "../runtime";
 const cloudrun = serviceConfig.cloudrun;
 const dns = serviceConfig.dns;
 const neon = serviceConfig.neon;
+const vault = serviceConfig.providers?.vault ?? {};
 
 export const config = {
   serviceName: serviceConfig.service_id,
@@ -39,6 +40,8 @@ export const config = {
     namespace: serviceConfig.temporal.namespace,
     taskQueue: serviceConfig.temporal.task_queue,
     apiKeySecretName: serviceConfig.temporal.api_key_secret_name,
+    vaultMount: vault.mount || "secret",
+    vaultPath: vault.temporal_path || "prod/providers/temporal",
   },
   neon: {
     projectId: neon.project_id,

package/src/service-runtime/cloudrun/lib.ts

@@ -3,6 +3,7 @@ import { join } from "node:path";
 import { config } from "./config";
 import { serviceRoot } from "../runtime";
 import { localDockerBuildArgs, parseDeployArgs, type DeployArgs } from "./deploy-args";
+import { resolveTemporalRuntimeConfigValues } from "./temporal-config";
 
 type CommandOptions = {
   allowFailure?: boolean;
@@ -551,24 +552,40 @@ export async function renderManifest(image: string, target: DeploymentTarget, pr
 }
 
 export function resolveTemporalRuntimeConfig() {
-  const enabledOverride = process.env.TEMPORAL_ENABLED?.trim();
-  const address = process.env.TEMPORAL_ADDRESS?.trim() || config.temporal.address;
-  const namespace = process.env.TEMPORAL_NAMESPACE?.trim() || config.temporal.namespace;
-  const taskQueue = process.env.TEMPORAL_TASK_QUEUE?.trim() || config.temporal.taskQueue;
-  const apiKeySecretName = process.env.TEMPORAL_API_KEY_SECRET?.trim() || (process.env.TEMPORAL_API_KEY?.trim() ? config.temporal.apiKeySecretName : "");
-  const enabled = enabledOverride
-    ? ["1", "true", "yes", "on"].includes(enabledOverride.toLowerCase())
-    : config.temporal.enabled;
+  return resolveTemporalRuntimeConfigValues(config.temporal, process.env, readTemporalProviderFields);
+}
 
+function readTemporalProviderFields(mount: string, path: string) {
   return {
-    enabled,
-    address,
-    namespace,
-    taskQueue,
-    apiKeySecretName,
+    address: readVaultField(mount, path, ["TEMPORAL_ADDRESS", "address"]),
+    namespace: readVaultField(mount, path, ["TEMPORAL_NAMESPACE", "namespace"]),
+    apiKey: readVaultField(mount, path, ["TEMPORAL_API_KEY", "api_key"]),
   };
 }
 
+function readVaultField(mount: string, path: string, fields: string[]) {
+  const vault = Bun.which("vault");
+  if (!vault || !path) {
+    return "";
+  }
+
+  for (const field of fields) {
+    const result = Bun.spawnSync([vault, "kv", "get", `-mount=${mount}`, `-field=${field}`, path], {
+      cwd: process.cwd(),
+      env: process.env,
+      stdout: "pipe",
+      stderr: "pipe",
+    });
+    if (result.success && result.stdout) {
+      const value = decoder.decode(result.stdout).trim();
+      if (value) {
+        return value;
+      }
+    }
+  }
+  return "";
+}
+
 export async function writeRenderedManifest(image: string, target: DeploymentTarget) {
   const rendered = await renderManifest(image, target);
   const path = new URL("../../.cloudrun.rendered.yaml", import.meta.url);

package/src/service-runtime/cloudrun/temporal-config.test.ts

@@ -0,0 +1,66 @@
+import { expect, test } from "bun:test";
+import { resolveTemporalRuntimeConfigValues } from "./temporal-config";
+
+const baseConfig = {
+  enabled: true,
+  address: "localhost:7233",
+  namespace: "default",
+  taskQueue: "orders",
+  apiKeySecretName: "orders-temporal-api-key",
+  vaultMount: "secret",
+  vaultPath: "prod/providers/temporal",
+};
+
+test("resolveTemporalRuntimeConfigValues reads production Temporal config from Vault fields", () => {
+  const resolved = resolveTemporalRuntimeConfigValues(baseConfig, {}, () => ({
+    address: "temporal.example.tmprl.cloud:7233",
+    namespace: "anmho.prod",
+    apiKey: "secret-key",
+  }));
+
+  expect(resolved).toEqual({
+    enabled: true,
+    address: "temporal.example.tmprl.cloud:7233",
+    namespace: "anmho.prod",
+    taskQueue: "orders",
+    apiKeySecretName: "orders-temporal-api-key",
+    apiKey: "secret-key",
+  });
+});
+
+test("resolveTemporalRuntimeConfigValues prefers explicit environment overrides", () => {
+  const resolved = resolveTemporalRuntimeConfigValues(
+    baseConfig,
+    {
+      TEMPORAL_ADDRESS: "env.temporal:7233",
+      TEMPORAL_NAMESPACE: "env.namespace",
+      TEMPORAL_TASK_QUEUE: "env-task-queue",
+      TEMPORAL_API_KEY: "env-key",
+      TEMPORAL_API_KEY_SECRET: "env-secret-name",
+    },
+    () => ({
+      address: "vault.temporal:7233",
+      namespace: "vault.namespace",
+      apiKey: "vault-key",
+    })
+  );
+
+  expect(resolved.address).toBe("env.temporal:7233");
+  expect(resolved.namespace).toBe("env.namespace");
+  expect(resolved.taskQueue).toBe("env-task-queue");
+  expect(resolved.apiKey).toBe("env-key");
+  expect(resolved.apiKeySecretName).toBe("env-secret-name");
+});
+
+test("resolveTemporalRuntimeConfigValues fails clearly when enabled Temporal resolves to localhost", () => {
+  expect(() => resolveTemporalRuntimeConfigValues(baseConfig, {}, () => ({}))).toThrow(
+    "Temporal is enabled for this Cloud Run service, but the resolved Temporal address is local"
+  );
+});
+
+test("resolveTemporalRuntimeConfigValues allows explicit Temporal disable", () => {
+  const resolved = resolveTemporalRuntimeConfigValues(baseConfig, { TEMPORAL_ENABLED: "false" }, () => ({}));
+
+  expect(resolved.enabled).toBeFalse();
+  expect(resolved.apiKeySecretName).toBe("");
+});

package/src/service-runtime/cloudrun/temporal-config.ts

@@ -0,0 +1,84 @@
+type TemporalConfigInput = {
+  enabled: boolean;
+  address: string;
+  namespace: string;
+  taskQueue: string;
+  apiKeySecretName: string;
+  vaultMount: string;
+  vaultPath: string;
+};
+
+type TemporalProviderFields = {
+  address?: string;
+  namespace?: string;
+  apiKey?: string;
+};
+
+export type TemporalRuntimeConfig = {
+  enabled: boolean;
+  address: string;
+  namespace: string;
+  taskQueue: string;
+  apiKeySecretName: string;
+  apiKey: string;
+};
+
+export function resolveTemporalRuntimeConfigValues(
+  config: TemporalConfigInput,
+  env: Record<string, string | undefined>,
+  readProviderFields: (mount: string, path: string) => TemporalProviderFields
+): TemporalRuntimeConfig {
+  const enabledOverride = env.TEMPORAL_ENABLED?.trim();
+  const enabled = enabledOverride ? isTruthy(enabledOverride) : config.enabled;
+  const taskQueue = env.TEMPORAL_TASK_QUEUE?.trim() || config.taskQueue;
+
+  if (!enabled) {
+    return {
+      enabled: false,
+      address: env.TEMPORAL_ADDRESS?.trim() || config.address,
+      namespace: env.TEMPORAL_NAMESPACE?.trim() || config.namespace,
+      taskQueue,
+      apiKeySecretName: "",
+      apiKey: "",
+    };
+  }
+
+  const provider = readProviderFields(config.vaultMount, config.vaultPath);
+  const address = env.TEMPORAL_ADDRESS?.trim() || provider.address || config.address;
+  const namespace = env.TEMPORAL_NAMESPACE?.trim() || provider.namespace || config.namespace;
+  const apiKey = env.TEMPORAL_API_KEY?.trim() || provider.apiKey || "";
+  const apiKeySecretName = env.TEMPORAL_API_KEY_SECRET?.trim() || (apiKey ? config.apiKeySecretName : "");
+
+  if (isLocalTemporalAddress(address)) {
+    throw new Error(
+      [
+        "Temporal is enabled for this Cloud Run service, but the resolved Temporal address is local.",
+        `Set TEMPORAL_ADDRESS, TEMPORAL_NAMESPACE, and TEMPORAL_API_KEY, or populate Vault at ${config.vaultMount}/${config.vaultPath}`,
+        "with TEMPORAL_ADDRESS, TEMPORAL_NAMESPACE, and TEMPORAL_API_KEY before running service create or service deploy.",
+        "Set TEMPORAL_ENABLED=false only for services that should deploy without Temporal.",
+      ].join(" ")
+    );
+  }
+
+  if (!namespace) {
+    throw new Error(`Temporal is enabled but TEMPORAL_NAMESPACE is missing; set it in env or Vault at ${config.vaultMount}/${config.vaultPath}`);
+  }
+
+  return {
+    enabled,
+    address,
+    namespace,
+    taskQueue,
+    apiKeySecretName,
+    apiKey,
+  };
+}
+
+function isTruthy(value: string) {
+  return ["1", "true", "yes", "on"].includes(value.trim().toLowerCase());
+}
+
+function isLocalTemporalAddress(address: string) {
+  const value = address.trim().toLowerCase();
+  return value === "" || value.startsWith("localhost:") || value.startsWith("127.0.0.1:") || value.startsWith("[::1]:");
+}