create-svc 0.1.69 → 0.1.71

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.69",
+  "version": "0.1.71",
   "description": "Local microservice bootstrap CLI for Cloud Run and Workers services with Neon-backed data.",
   "module": "index.ts",
   "type": "module",

package/src/service-runtime/cloudrun/bootstrap.ts

@@ -79,18 +79,31 @@ export async function prepareGcpProject() {
 
 function publishTemporalSecrets() {
   const temporal = resolveTemporalRuntimeConfig();
-  if (!temporal.apiKey || !temporal.apiKeySecretName) {
-    return "No Temporal API key configured";
+  const secrets = [
+    { name: temporal.apiKeySecretName, value: temporal.apiKey },
+    { name: temporal.tlsCaCertSecretName, value: temporal.tlsCaCert },
+    { name: temporal.tlsCertSecretName, value: temporal.tlsCert },
+    { name: temporal.tlsKeySecretName, value: temporal.tlsKey },
+  ].filter((secret) => secret.name && secret.value);
+
+  if (secrets.length === 0) {
+    return "No Temporal credentials configured";
   }
 
-  addSecretVersion(temporal.apiKeySecretName, temporal.apiKey);
-  ensureSecretAccessor(temporal.apiKeySecretName, `serviceAccount:${config.runtimeServiceAccount}`);
-  return temporal.apiKeySecretName;
+  for (const secret of secrets) {
+    addSecretVersion(secret.name, secret.value);
+    ensureSecretAccessor(secret.name, `serviceAccount:${config.runtimeServiceAccount}`);
+  }
+  return secrets.map((secret) => secret.name).join(", ");
 }
 
 function shouldPublishTemporalSecrets() {
   const temporal = resolveTemporalRuntimeConfig();
-  return Boolean(temporal.enabled && temporal.apiKey && temporal.apiKeySecretName);
+  return Boolean(
+    temporal.enabled &&
+      ((temporal.apiKey && temporal.apiKeySecretName) ||
+        (temporal.tlsCaCert && temporal.tlsCaCertSecretName && temporal.tlsCert && temporal.tlsCertSecretName && temporal.tlsKey && temporal.tlsKeySecretName))
+  );
 }
 
 if (import.meta.main) {

package/src/service-runtime/cloudrun/cleanup.ts

@@ -41,6 +41,9 @@ function matchesSecretResource(name: string) {
   return (
     name === `${config.serviceName}-database-url` ||
     name === config.temporal.apiKeySecretName ||
+    name === config.temporal.tlsCaCertSecretName ||
+    name === config.temporal.tlsCertSecretName ||
+    name === config.temporal.tlsKeySecretName ||
     name.startsWith(`${config.serviceName}-pr-`) ||
     name.startsWith(`${config.serviceName}-dev-`)
   );

package/src/service-runtime/cloudrun/cli.ts

@@ -8,6 +8,7 @@ import { cleanup } from "./cleanup";
 import { deploy } from "./deploy";
 import { observabilityBootstrap } from "./observability";
 import { config } from "./config";
+import { formatSdkModeDetail, type SdkState } from "./sdk-state";
 import {
   accessSecretVersion,
   assertProductionDomainAvailable,
@@ -295,11 +296,8 @@ async function runDoctor() {
     });
     await record(results, "SDK mode", "warn", async () => {
       const text = await Bun.file(".service/sdk.json").text();
-      const state = JSON.parse(text) as { mode?: string; module?: string };
-      if (state.mode !== "local" && state.mode !== "remote") {
-        throw new Error("SDK mode must be local or remote");
-      }
-      return `${state.mode}: ${state.module || bufModule()}`;
+      const state = JSON.parse(text) as SdkState;
+      return formatSdkModeDetail(state, bufModule());
     });
   }
 
@@ -350,8 +348,9 @@ async function runSdk(args: string[]) {
   if (subcommand === "publish") {
     requireCommand("buf");
     run("buf", ["push"]);
-    await writeSdkMode("remote");
-    return "Schema pushed to Buf Schema Registry and recorded for consumers";
+    const published = resolvePublishedSdk();
+    await writeSdkMode("remote", published);
+    return `Schema pushed to Buf Schema Registry and recorded for consumers: ${published.commit}`;
   }
 
   if (subcommand === "build") {
@@ -371,8 +370,10 @@ async function runSdk(args: string[]) {
   }
 
   if (subcommand === "use-remote") {
-    await writeSdkMode("remote");
-    return `Remote Buf SDK recorded for consumers: ${bufModule()}`;
+    requireCommand("buf");
+    const published = resolvePublishedSdk();
+    await writeSdkMode("remote", published);
+    return `Remote Buf SDK recorded for consumers: ${bufModule()}@${published.commit}`;
   }
 
   throw new Error("Usage: service sdk <build|publish|use-local|use-remote>");
@@ -385,7 +386,40 @@ async function assertLocalSdkArtifacts() {
   }
 }
 
-async function writeSdkMode(mode: "local" | "remote") {
+type PublishedSdk = {
+  commit: string;
+  digest?: string;
+  createTime?: string;
+};
+
+function resolvePublishedSdk(): PublishedSdk {
+  const module = bufModule();
+  const result = run("buf", ["registry", "module", "commit", "list", module, "--format", "json", "--page-size", "1"]);
+  const parsed = JSON.parse(result.stdout) as {
+    commits?: Array<Record<string, unknown>>;
+    commit?: Record<string, unknown>;
+  };
+  const commit = parsed.commits?.[0] ?? parsed.commit;
+  if (!commit) {
+    throw new Error(`Could not resolve the published Buf commit for ${module}`);
+  }
+  const name = stringField(commit, "name") ?? stringField(commit, "commit") ?? stringField(commit, "id");
+  if (!name) {
+    throw new Error(`Buf commit response for ${module} did not include a commit identifier`);
+  }
+  return {
+    commit: name.includes(":") ? name.slice(name.lastIndexOf(":") + 1) : name,
+    digest: stringField(commit, "digest"),
+    createTime: stringField(commit, "create_time") ?? stringField(commit, "createTime"),
+  };
+}
+
+function stringField(source: Record<string, unknown>, key: string) {
+  const value = source[key];
+  return typeof value === "string" && value.length > 0 ? value : undefined;
+}
+
+async function writeSdkMode(mode: "local" | "remote", published?: PublishedSdk) {
   await mkdir(".service", { recursive: true });
   const localPath = await resolveLocalSdkPath();
   await Bun.write(
@@ -395,6 +429,15 @@ async function writeSdkMode(mode: "local" | "remote") {
         mode,
         module: bufModule(),
         localPath,
+        ...(published
+          ? {
+              remote: {
+                commit: published.commit,
+                digest: published.digest,
+                createTime: published.createTime,
+              },
+            }
+          : {}),
         updatedAt: new Date().toISOString(),
       },
       null,

package/src/service-runtime/cloudrun/config.ts

@@ -40,6 +40,9 @@ export const config = {
     namespace: serviceConfig.temporal.namespace,
     taskQueue: serviceConfig.temporal.task_queue,
     apiKeySecretName: serviceConfig.temporal.api_key_secret_name,
+    tlsCaCertSecretName: serviceConfig.temporal.tls_ca_cert_secret_name,
+    tlsCertSecretName: serviceConfig.temporal.tls_cert_secret_name,
+    tlsKeySecretName: serviceConfig.temporal.tls_key_secret_name,
     vaultMount: vault.mount || "secret",
     vaultPath: vault.temporal_path || "prod/providers/temporal",
   },

package/src/service-runtime/cloudrun/lib.ts

@@ -537,6 +537,7 @@ export async function renderManifest(image: string, target: DeploymentTarget, pr
           "                  key: latest",
         ].join("\n")
       : "",
+    TEMPORAL_MTLS_ENV: renderTemporalMtlsEnv(temporal),
     AUTH_ISSUER: config.auth.issuer,
     AUTH_AUDIENCE: config.auth.audience,
     AUTH_JWKS_URL: config.auth.jwksUrl,
@@ -560,9 +561,34 @@ function readTemporalProviderFields(mount: string, path: string) {
     address: readVaultField(mount, path, ["TEMPORAL_ADDRESS", "address"]),
     namespace: readVaultField(mount, path, ["TEMPORAL_NAMESPACE", "namespace"]),
     apiKey: readVaultField(mount, path, ["TEMPORAL_API_KEY", "api_key"]),
+    tlsCaCert: readVaultField(mount, path, ["TEMPORAL_TLS_CA_CERT", "tls_ca_cert", "ca_cert"]),
+    tlsCert: readVaultField(mount, path, ["TEMPORAL_TLS_CERT", "tls_cert", "client_cert"]),
+    tlsKey: readVaultField(mount, path, ["TEMPORAL_TLS_KEY", "tls_key", "client_key"]),
   };
 }
 
+function renderTemporalMtlsEnv(temporal: ReturnType<typeof resolveTemporalRuntimeConfig>) {
+  const entries = [
+    ["TEMPORAL_TLS_CA_CERT", temporal.tlsCaCertSecretName],
+    ["TEMPORAL_TLS_CERT", temporal.tlsCertSecretName],
+    ["TEMPORAL_TLS_KEY", temporal.tlsKeySecretName],
+  ].filter((entry): entry is [string, string] => Boolean(entry[1]));
+
+  if (entries.length === 0) {
+    return "";
+  }
+
+  return entries
+    .flatMap(([envName, secretName]) => [
+      `            - name: ${envName}`,
+      "              valueFrom:",
+      "                secretKeyRef:",
+      `                  name: ${secretName}`,
+      "                  key: latest",
+    ])
+    .join("\n");
+}
+
 function readVaultField(mount: string, path: string, fields: string[]) {
   const vault = Bun.which("vault");
   if (!vault || !path) {

package/src/service-runtime/cloudrun/sdk-state.ts

@@ -0,0 +1,21 @@
+export type SdkState = {
+  mode?: string;
+  module?: string;
+  remote?: {
+    commit?: string;
+    digest?: string;
+  };
+};
+
+export function formatSdkModeDetail(state: SdkState, fallbackModule: string) {
+  if (state.mode !== "local" && state.mode !== "remote") {
+    throw new Error("SDK mode must be local or remote");
+  }
+  const module = state.module || fallbackModule;
+  if (state.mode === "remote") {
+    const version = state.remote?.commit ? `@${state.remote.commit}` : "without recorded commit";
+    const digest = state.remote?.digest ? ` (${state.remote.digest})` : "";
+    return `${state.mode}: ${module}${version}${digest}`;
+  }
+  return `${state.mode}: ${module}`;
+}

package/src/service-runtime/cloudrun/sdk.test.ts

@@ -3,6 +3,7 @@ import { chmod, mkdir, mkdtemp, readFile, writeFile } from "node:fs/promises";
 import { tmpdir } from "node:os";
 import { join } from "node:path";
 import { scaffoldProject, type ScaffoldConfig } from "../../scaffold";
+import { formatSdkModeDetail } from "./sdk-state";
 
 function baseConfig(directory: string): ScaffoldConfig {
   return {
@@ -42,7 +43,15 @@ test("service sdk publish pushes the named Buf module and selects remote SDK mod
   await mkdir(fakeBin);
   await writeFile(
     join(fakeBin, "buf"),
-    ["#!/bin/sh", `echo "$@" > "${bufLog}"`, "exit 0", ""].join("\n")
+    [
+      "#!/bin/sh",
+      `echo "$@" >> "${bufLog}"`,
+      'if [ "$1 $2 $3 $4" = "registry module commit list" ]; then',
+      '  printf \'{"commits":[{"name":"buf.build/anmho/sdk-proof:commit-123","digest":"b5:abc123","create_time":"2026-05-25T12:00:00Z"}]}\'',
+      "fi",
+      "exit 0",
+      "",
+    ].join("\n")
   );
   await chmod(join(fakeBin, "buf"), 0o755);
 
@@ -55,17 +64,79 @@ test("service sdk publish pushes the named Buf module and selects remote SDK mod
 
   expect(result.success, [result.stdout.toString(), result.stderr.toString()].join("\n")).toBeTrue();
   expect(result.stdout.toString()).toContain("recorded for consumers");
-  expect((await readFile(bufLog, "utf8")).trim()).toBe("push");
+  expect((await readFile(bufLog, "utf8")).trim()).toBe(
+    ["push", "registry module commit list buf.build/anmho/sdk-proof --format json --page-size 1"].join("\n")
+  );
   const sdkState = JSON.parse(await Bun.file(join(generatedRoot, ".service", "sdk.json")).text());
   expect(sdkState).toMatchObject({
     mode: "remote",
     module: "buf.build/anmho/sdk-proof",
     localPath: "./gen/waitlist/v1",
+    remote: {
+      commit: "commit-123",
+      digest: "b5:abc123",
+      createTime: "2026-05-25T12:00:00Z",
+    },
   });
   const bufConfig = await Bun.file(join(generatedRoot, "buf.yaml")).text();
   expect(bufConfig).toContain("name: buf.build/anmho/sdk-proof");
 });
 
+test("formatSdkModeDetail reports the recorded remote SDK commit", () => {
+  expect(
+    formatSdkModeDetail(
+      {
+        mode: "remote",
+        module: "buf.build/anmho/sdk-proof",
+        remote: {
+          commit: "commit-123",
+          digest: "b5:abc123",
+        },
+      },
+      "buf.build/anmho/fallback"
+    )
+  ).toBe("remote: buf.build/anmho/sdk-proof@commit-123 (b5:abc123)");
+});
+
+test("service sdk use-remote records the current Buf commit", async () => {
+  const root = await mkdtemp(join(tmpdir(), "create-svc-sdk-"));
+  const generatedRoot = join(root, "sdk-proof");
+  const fakeBin = join(root, "bin");
+
+  await scaffoldProject(baseConfig(generatedRoot));
+  await mkdir(join(generatedRoot, "node_modules"));
+  await mkdir(fakeBin);
+  await writeFile(
+    join(fakeBin, "buf"),
+    [
+      "#!/bin/sh",
+      'if [ "$1 $2 $3 $4" = "registry module commit list" ]; then',
+      '  printf \'{"commits":[{"name":"buf.build/anmho/sdk-proof:commit-456","digest":"b5:def456"}]}\'',
+      "fi",
+      "exit 0",
+      "",
+    ].join("\n")
+  );
+  await chmod(join(fakeBin, "buf"), 0o755);
+
+  const result = Bun.spawnSync(["bun", join(import.meta.dir, "..", "..", "..", "index.ts"), "sdk", "use-remote"], {
+    cwd: generatedRoot,
+    env: { ...process.env, PATH: `${fakeBin}:${process.env.PATH ?? ""}` },
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+
+  expect(result.success, [result.stdout.toString(), result.stderr.toString()].join("\n")).toBeTrue();
+  const sdkState = JSON.parse(await Bun.file(join(generatedRoot, ".service", "sdk.json")).text());
+  expect(sdkState).toMatchObject({
+    mode: "remote",
+    remote: {
+      commit: "commit-456",
+      digest: "b5:def456",
+    },
+  });
+});
+
 test("service sdk publish leaves local SDK mode when Buf push fails", async () => {
   const root = await mkdtemp(join(tmpdir(), "create-svc-sdk-"));
   const generatedRoot = join(root, "sdk-proof");

package/src/service-runtime/cloudrun/temporal-config.test.ts

@@ -7,6 +7,9 @@ const baseConfig = {
   namespace: "default",
   taskQueue: "orders",
   apiKeySecretName: "orders-temporal-api-key",
+  tlsCaCertSecretName: "orders-temporal-ca-cert",
+  tlsCertSecretName: "orders-temporal-client-cert",
+  tlsKeySecretName: "orders-temporal-client-key",
   vaultMount: "secret",
   vaultPath: "prod/providers/temporal",
 };
@@ -25,6 +28,59 @@ test("resolveTemporalRuntimeConfigValues reads production Temporal config from V
     taskQueue: "orders",
     apiKeySecretName: "orders-temporal-api-key",
     apiKey: "secret-key",
+    tlsCaCertSecretName: "",
+    tlsCertSecretName: "",
+    tlsKeySecretName: "",
+    tlsCaCert: "",
+    tlsCert: "",
+    tlsKey: "",
+  });
+});
+
+test("resolveTemporalRuntimeConfigValues reads self-hosted mTLS config from Vault fields", () => {
+  const resolved = resolveTemporalRuntimeConfigValues(baseConfig, {}, () => ({
+    address: "temporal-grpc.anmho.com:7233",
+    namespace: "default",
+    tlsCaCert: "ca-pem",
+    tlsCert: "cert-pem",
+    tlsKey: "key-pem",
+  }));
+
+  expect(resolved).toMatchObject({
+    enabled: true,
+    address: "temporal-grpc.anmho.com:7233",
+    namespace: "default",
+    taskQueue: "orders",
+    apiKey: "",
+    apiKeySecretName: "",
+    tlsCaCertSecretName: "orders-temporal-ca-cert",
+    tlsCertSecretName: "orders-temporal-client-cert",
+    tlsKeySecretName: "orders-temporal-client-key",
+    tlsCaCert: "ca-pem",
+    tlsCert: "cert-pem",
+    tlsKey: "key-pem",
+  });
+});
+
+test("resolveTemporalRuntimeConfigValues renders configured mTLS secret names without raw credentials", () => {
+  const resolved = resolveTemporalRuntimeConfigValues(
+    { ...baseConfig, address: "temporal-grpc.anmho.com:7233" },
+    {},
+    () => ({
+      namespace: "default",
+    })
+  );
+
+  expect(resolved).toMatchObject({
+    enabled: true,
+    address: "temporal-grpc.anmho.com:7233",
+    namespace: "default",
+    tlsCaCertSecretName: "orders-temporal-ca-cert",
+    tlsCertSecretName: "orders-temporal-client-cert",
+    tlsKeySecretName: "orders-temporal-client-key",
+    tlsCaCert: "",
+    tlsCert: "",
+    tlsKey: "",
   });
 });
 
@@ -52,6 +108,15 @@ test("resolveTemporalRuntimeConfigValues prefers explicit environment overrides"
   expect(resolved.apiKeySecretName).toBe("env-secret-name");
 });
 
+test("resolveTemporalRuntimeConfigValues rejects partial mTLS config", () => {
+  expect(() =>
+    resolveTemporalRuntimeConfigValues({ ...baseConfig, address: "temporal-grpc.anmho.com:7233" }, {}, () => ({
+      namespace: "default",
+      tlsCaCert: "ca-pem",
+    }))
+  ).toThrow("Temporal mTLS is partially configured");
+});
+
 test("resolveTemporalRuntimeConfigValues fails clearly when enabled Temporal resolves to localhost", () => {
   expect(() => resolveTemporalRuntimeConfigValues(baseConfig, {}, () => ({}))).toThrow(
     "Temporal is enabled for this Cloud Run service, but the resolved Temporal address is local"
@@ -63,4 +128,5 @@ test("resolveTemporalRuntimeConfigValues allows explicit Temporal disable", () =
 
   expect(resolved.enabled).toBeFalse();
   expect(resolved.apiKeySecretName).toBe("");
+  expect(resolved.tlsCaCertSecretName).toBe("");
 });

package/src/service-runtime/cloudrun/temporal-config.ts

@@ -4,6 +4,9 @@ type TemporalConfigInput = {
   namespace: string;
   taskQueue: string;
   apiKeySecretName: string;
+  tlsCaCertSecretName?: string;
+  tlsCertSecretName?: string;
+  tlsKeySecretName?: string;
   vaultMount: string;
   vaultPath: string;
 };
@@ -12,6 +15,9 @@ type TemporalProviderFields = {
   address?: string;
   namespace?: string;
   apiKey?: string;
+  tlsCaCert?: string;
+  tlsCert?: string;
+  tlsKey?: string;
 };
 
 export type TemporalRuntimeConfig = {
@@ -21,6 +27,12 @@ export type TemporalRuntimeConfig = {
   taskQueue: string;
   apiKeySecretName: string;
   apiKey: string;
+  tlsCaCertSecretName: string;
+  tlsCertSecretName: string;
+  tlsKeySecretName: string;
+  tlsCaCert: string;
+  tlsCert: string;
+  tlsKey: string;
 };
 
 export function resolveTemporalRuntimeConfigValues(
@@ -40,6 +52,12 @@ export function resolveTemporalRuntimeConfigValues(
       taskQueue,
       apiKeySecretName: "",
       apiKey: "",
+      tlsCaCertSecretName: "",
+      tlsCertSecretName: "",
+      tlsKeySecretName: "",
+      tlsCaCert: "",
+      tlsCert: "",
+      tlsKey: "",
     };
   }
 
@@ -48,13 +66,29 @@ export function resolveTemporalRuntimeConfigValues(
   const namespace = env.TEMPORAL_NAMESPACE?.trim() || provider.namespace || config.namespace;
   const apiKey = env.TEMPORAL_API_KEY?.trim() || provider.apiKey || "";
   const apiKeySecretName = env.TEMPORAL_API_KEY_SECRET?.trim() || (apiKey ? config.apiKeySecretName : "");
+  const tlsCaCert = env.TEMPORAL_TLS_CA_CERT?.trim() || provider.tlsCaCert || "";
+  const tlsCert = env.TEMPORAL_TLS_CERT?.trim() || provider.tlsCert || "";
+  const tlsKey = env.TEMPORAL_TLS_KEY?.trim() || provider.tlsKey || "";
+  const tlsCaCertSecretName =
+    env.TEMPORAL_TLS_CA_CERT_SECRET?.trim() || (tlsCaCert ? config.tlsCaCertSecretName || `${config.taskQueue}-temporal-ca-cert` : "");
+  const tlsCertSecretName =
+    env.TEMPORAL_TLS_CERT_SECRET?.trim() || (tlsCert ? config.tlsCertSecretName || `${config.taskQueue}-temporal-client-cert` : "");
+  const tlsKeySecretName =
+    env.TEMPORAL_TLS_KEY_SECRET?.trim() || (tlsKey ? config.tlsKeySecretName || `${config.taskQueue}-temporal-client-key` : "");
+  const configuredTLSSecretNames = Boolean(config.tlsCaCertSecretName && config.tlsCertSecretName && config.tlsKeySecretName);
+  const shouldRenderTLSSecretNames = Boolean(tlsCaCert || (!apiKey && configuredTLSSecretNames));
+  const resolvedTLSSecretNames = {
+    ca: shouldRenderTLSSecretNames ? tlsCaCertSecretName || config.tlsCaCertSecretName || "" : "",
+    cert: shouldRenderTLSSecretNames ? tlsCertSecretName || config.tlsCertSecretName || "" : "",
+    key: shouldRenderTLSSecretNames ? tlsKeySecretName || config.tlsKeySecretName || "" : "",
+  };
 
   if (isLocalTemporalAddress(address)) {
     throw new Error(
       [
         "Temporal is enabled for this Cloud Run service, but the resolved Temporal address is local.",
-        `Set TEMPORAL_ADDRESS, TEMPORAL_NAMESPACE, and TEMPORAL_API_KEY, or populate Vault at ${config.vaultMount}/${config.vaultPath}`,
-        "with TEMPORAL_ADDRESS, TEMPORAL_NAMESPACE, and TEMPORAL_API_KEY before running service create or service deploy.",
+        `Set TEMPORAL_ADDRESS, TEMPORAL_NAMESPACE, and TEMPORAL_API_KEY or TEMPORAL_TLS_* credentials, or populate Vault at ${config.vaultMount}/${config.vaultPath}`,
+        "with TEMPORAL_ADDRESS, TEMPORAL_NAMESPACE, and either TEMPORAL_API_KEY or TEMPORAL_TLS_CA_CERT/TEMPORAL_TLS_CERT/TEMPORAL_TLS_KEY before running service create or service deploy.",
         "Set TEMPORAL_ENABLED=false only for services that should deploy without Temporal.",
       ].join(" ")
     );
@@ -63,6 +97,16 @@ export function resolveTemporalRuntimeConfigValues(
   if (!namespace) {
     throw new Error(`Temporal is enabled but TEMPORAL_NAMESPACE is missing; set it in env or Vault at ${config.vaultMount}/${config.vaultPath}`);
   }
+  if (!apiKey && (Boolean(tlsCaCert) || Boolean(tlsCert) || Boolean(tlsKey)) && (!tlsCaCert || !tlsCert || !tlsKey)) {
+    throw new Error(
+      `Temporal mTLS is partially configured; set TEMPORAL_TLS_CA_CERT, TEMPORAL_TLS_CERT, and TEMPORAL_TLS_KEY together in env or Vault at ${config.vaultMount}/${config.vaultPath}`
+    );
+  }
+  if (!apiKey && !apiKeySecretName && !tlsCaCert && !configuredTLSSecretNames) {
+    throw new Error(
+      `Temporal is enabled but no credentials were found; set TEMPORAL_API_KEY or TEMPORAL_TLS_CA_CERT/TEMPORAL_TLS_CERT/TEMPORAL_TLS_KEY in env or Vault at ${config.vaultMount}/${config.vaultPath}`
+    );
+  }
 
   return {
     enabled,
@@ -71,6 +115,12 @@ export function resolveTemporalRuntimeConfigValues(
     taskQueue,
     apiKeySecretName,
     apiKey,
+    tlsCaCertSecretName: resolvedTLSSecretNames.ca,
+    tlsCertSecretName: resolvedTLSSecretNames.cert,
+    tlsKeySecretName: resolvedTLSSecretNames.key,
+    tlsCaCert,
+    tlsCert,
+    tlsKey,
   };
 }
 

package/templates/shared/service.jsonc

@@ -57,7 +57,10 @@
     "address": "localhost:7233",
     "namespace": "default",
     "task_queue": "{{SERVICE_ID}}",
-    "api_key_secret_name": "{{SERVICE_ID}}-temporal-api-key"
+    "api_key_secret_name": "{{SERVICE_ID}}-temporal-api-key",
+    "tls_ca_cert_secret_name": "{{SERVICE_ID}}-temporal-ca-cert",
+    "tls_cert_secret_name": "{{SERVICE_ID}}-temporal-client-cert",
+    "tls_key_secret_name": "{{SERVICE_ID}}-temporal-client-key"
   },
 
   "providers": {

package/templates/shared/service.yaml

@@ -36,6 +36,7 @@ ${CONTAINER_COMMAND}
             - name: TEMPORAL_TASK_QUEUE
               value: "${TEMPORAL_TASK_QUEUE}"
 ${TEMPORAL_API_KEY_ENV}
+${TEMPORAL_MTLS_ENV}
             - name: DATABASE_URL
               valueFrom:
                 secretKeyRef:

package/templates/variants/go-chi/cmd/server/main.go

@@ -36,6 +36,9 @@ func main() {
 			Namespace: cfg.TemporalNamespace,
 			TaskQueue: cfg.TemporalTaskQueue,
 			APIKey:    cfg.TemporalAPIKey,
+			TLSCACert: cfg.TemporalTLSCACert,
+			TLSCert:   cfg.TemporalTLSCert,
+			TLSKey:    cfg.TemporalTLSKey,
 		}
 		dispatcher, err := temporalapp.NewTriggerDispatcher(temporalConfig)
 		if err != nil {

package/templates/variants/go-chi/cmd/worker/main.go

@@ -23,6 +23,9 @@ func main() {
 		Namespace: cfg.TemporalNamespace,
 		TaskQueue: cfg.TemporalTaskQueue,
 		APIKey:    cfg.TemporalAPIKey,
+		TLSCACert: cfg.TemporalTLSCACert,
+		TLSCert:   cfg.TemporalTLSCert,
+		TLSKey:    cfg.TemporalTLSKey,
 	})
 	if err != nil {
 		log.Fatal(err)

package/templates/variants/go-chi/internal/config/config.go

@@ -14,6 +14,9 @@ type Config struct {
 	TemporalNamespace string
 	TemporalTaskQueue string
 	TemporalAPIKey    string
+	TemporalTLSCACert string
+	TemporalTLSCert   string
+	TemporalTLSKey    string
 	AuthEnabled       bool
 	AuthIssuer        string
 	AuthAudience      string
@@ -29,6 +32,9 @@ func Load() (Config, error) {
 		TemporalNamespace: envOrRuntime("TEMPORAL_NAMESPACE", "default"),
 		TemporalTaskQueue: envOr("TEMPORAL_TASK_QUEUE", "{{SERVICE_NAME}}"),
 		TemporalAPIKey:    strings.TrimSpace(os.Getenv("TEMPORAL_API_KEY")),
+		TemporalTLSCACert: strings.TrimSpace(os.Getenv("TEMPORAL_TLS_CA_CERT")),
+		TemporalTLSCert:   strings.TrimSpace(os.Getenv("TEMPORAL_TLS_CERT")),
+		TemporalTLSKey:    strings.TrimSpace(os.Getenv("TEMPORAL_TLS_KEY")),
 		AuthEnabled:       envBool("AUTH_ENABLED"),
 		AuthIssuer:        envOr("AUTH_ISSUER", "{{AUTH_ISSUER}}"),
 		AuthAudience:      envOr("AUTH_AUDIENCE", "{{AUTH_AUDIENCE}}"),

package/templates/variants/go-chi/internal/temporal/client.go

@@ -14,12 +14,9 @@ type TriggerDispatcher struct {
 }
 
 func NewTriggerDispatcher(cfg WorkerConfig) (*TriggerDispatcher, error) {
-	options := client.Options{
-		HostPort:  cfg.Address,
-		Namespace: cfg.Namespace,
-	}
-	if cfg.APIKey != "" {
-		options.Credentials = client.NewAPIKeyStaticCredentials(cfg.APIKey)
+	options, err := temporalClientOptions(cfg)
+	if err != nil {
+		return nil, err
 	}
 
 	temporalClient, err := client.Dial(options)

package/templates/variants/go-chi/internal/temporal/worker.go

@@ -1,6 +1,10 @@
 package temporalapp
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net"
 	"go.temporal.io/sdk/client"
 	"go.temporal.io/sdk/worker"
 )
@@ -10,15 +14,15 @@ type WorkerConfig struct {
 	Namespace string
 	TaskQueue string
 	APIKey    string
+	TLSCACert string
+	TLSCert   string
+	TLSKey    string
 }
 
 func StartWorker(cfg WorkerConfig) (func(), error) {
-	options := client.Options{
-		HostPort:  cfg.Address,
-		Namespace: cfg.Namespace,
-	}
-	if cfg.APIKey != "" {
-		options.Credentials = client.NewAPIKeyStaticCredentials(cfg.APIKey)
+	options, err := temporalClientOptions(cfg)
+	if err != nil {
+		return nil, err
 	}
 
 	temporalClient, err := client.Dial(options)
@@ -40,3 +44,45 @@ func StartWorker(cfg WorkerConfig) (func(), error) {
 		temporalClient.Close()
 	}, nil
 }
+
+func temporalClientOptions(cfg WorkerConfig) (client.Options, error) {
+	options := client.Options{
+		HostPort:  cfg.Address,
+		Namespace: cfg.Namespace,
+	}
+	if cfg.APIKey != "" {
+		options.Credentials = client.NewAPIKeyStaticCredentials(cfg.APIKey)
+	}
+	if cfg.TLSCACert != "" || cfg.TLSCert != "" || cfg.TLSKey != "" {
+		tlsConfig, err := temporalTLSConfig(cfg)
+		if err != nil {
+			return client.Options{}, err
+		}
+		options.ConnectionOptions.TLS = tlsConfig
+	}
+	return options, nil
+}
+
+func temporalTLSConfig(cfg WorkerConfig) (*tls.Config, error) {
+	if cfg.TLSCACert == "" || cfg.TLSCert == "" || cfg.TLSKey == "" {
+		return nil, fmt.Errorf("TEMPORAL_TLS_CA_CERT, TEMPORAL_TLS_CERT, and TEMPORAL_TLS_KEY must be set together")
+	}
+	certificate, err := tls.X509KeyPair([]byte(cfg.TLSCert), []byte(cfg.TLSKey))
+	if err != nil {
+		return nil, fmt.Errorf("parse Temporal client certificate: %w", err)
+	}
+	roots := x509.NewCertPool()
+	if !roots.AppendCertsFromPEM([]byte(cfg.TLSCACert)) {
+		return nil, fmt.Errorf("parse Temporal CA certificate")
+	}
+	serverName, _, err := net.SplitHostPort(cfg.Address)
+	if err != nil {
+		serverName = cfg.Address
+	}
+	return &tls.Config{
+		Certificates: []tls.Certificate{certificate},
+		RootCAs:      roots,
+		ServerName:   serverName,
+		MinVersion:   tls.VersionTLS12,
+	}, nil
+}

package/templates/variants/go-connectrpc/cmd/server/main.go

@@ -40,6 +40,9 @@ func main() {
 			Namespace: cfg.TemporalNamespace,
 			TaskQueue: cfg.TemporalTaskQueue,
 			APIKey:    cfg.TemporalAPIKey,
+			TLSCACert: cfg.TemporalTLSCACert,
+			TLSCert:   cfg.TemporalTLSCert,
+			TLSKey:    cfg.TemporalTLSKey,
 		}
 		dispatcher, err := temporalapp.NewTriggerDispatcher(temporalConfig)
 		if err != nil {

package/templates/variants/go-connectrpc/cmd/worker/main.go

@@ -23,6 +23,9 @@ func main() {
 		Namespace: cfg.TemporalNamespace,
 		TaskQueue: cfg.TemporalTaskQueue,
 		APIKey:    cfg.TemporalAPIKey,
+		TLSCACert: cfg.TemporalTLSCACert,
+		TLSCert:   cfg.TemporalTLSCert,
+		TLSKey:    cfg.TemporalTLSKey,
 	})
 	if err != nil {
 		log.Fatal(err)

package/templates/variants/go-connectrpc/internal/config/config.go

@@ -14,6 +14,9 @@ type Config struct {
 	TemporalNamespace string
 	TemporalTaskQueue string
 	TemporalAPIKey    string
+	TemporalTLSCACert string
+	TemporalTLSCert   string
+	TemporalTLSKey    string
 	AuthEnabled       bool
 	AuthIssuer        string
 	AuthAudience      string
@@ -29,6 +32,9 @@ func Load() (Config, error) {
 		TemporalNamespace: envOrRuntime("TEMPORAL_NAMESPACE", "default"),
 		TemporalTaskQueue: envOr("TEMPORAL_TASK_QUEUE", "{{SERVICE_NAME}}"),
 		TemporalAPIKey:    strings.TrimSpace(os.Getenv("TEMPORAL_API_KEY")),
+		TemporalTLSCACert: strings.TrimSpace(os.Getenv("TEMPORAL_TLS_CA_CERT")),
+		TemporalTLSCert:   strings.TrimSpace(os.Getenv("TEMPORAL_TLS_CERT")),
+		TemporalTLSKey:    strings.TrimSpace(os.Getenv("TEMPORAL_TLS_KEY")),
 		AuthEnabled:       envBool("AUTH_ENABLED"),
 		AuthIssuer:        envOr("AUTH_ISSUER", "{{AUTH_ISSUER}}"),
 		AuthAudience:      envOr("AUTH_AUDIENCE", "{{AUTH_AUDIENCE}}"),

package/templates/variants/go-connectrpc/internal/temporal/client.go

@@ -14,12 +14,9 @@ type TriggerDispatcher struct {
 }
 
 func NewTriggerDispatcher(cfg WorkerConfig) (*TriggerDispatcher, error) {
-	options := client.Options{
-		HostPort:  cfg.Address,
-		Namespace: cfg.Namespace,
-	}
-	if cfg.APIKey != "" {
-		options.Credentials = client.NewAPIKeyStaticCredentials(cfg.APIKey)
+	options, err := temporalClientOptions(cfg)
+	if err != nil {
+		return nil, err
 	}
 
 	temporalClient, err := client.Dial(options)

package/templates/variants/go-connectrpc/internal/temporal/worker.go

@@ -1,6 +1,10 @@
 package temporalapp
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net"
 	"go.temporal.io/sdk/client"
 	"go.temporal.io/sdk/worker"
 )
@@ -10,15 +14,15 @@ type WorkerConfig struct {
 	Namespace string
 	TaskQueue string
 	APIKey    string
+	TLSCACert string
+	TLSCert   string
+	TLSKey    string
 }
 
 func StartWorker(cfg WorkerConfig) (func(), error) {
-	options := client.Options{
-		HostPort:  cfg.Address,
-		Namespace: cfg.Namespace,
-	}
-	if cfg.APIKey != "" {
-		options.Credentials = client.NewAPIKeyStaticCredentials(cfg.APIKey)
+	options, err := temporalClientOptions(cfg)
+	if err != nil {
+		return nil, err
 	}
 
 	temporalClient, err := client.Dial(options)
@@ -40,3 +44,45 @@ func StartWorker(cfg WorkerConfig) (func(), error) {
 		temporalClient.Close()
 	}, nil
 }
+
+func temporalClientOptions(cfg WorkerConfig) (client.Options, error) {
+	options := client.Options{
+		HostPort:  cfg.Address,
+		Namespace: cfg.Namespace,
+	}
+	if cfg.APIKey != "" {
+		options.Credentials = client.NewAPIKeyStaticCredentials(cfg.APIKey)
+	}
+	if cfg.TLSCACert != "" || cfg.TLSCert != "" || cfg.TLSKey != "" {
+		tlsConfig, err := temporalTLSConfig(cfg)
+		if err != nil {
+			return client.Options{}, err
+		}
+		options.ConnectionOptions.TLS = tlsConfig
+	}
+	return options, nil
+}
+
+func temporalTLSConfig(cfg WorkerConfig) (*tls.Config, error) {
+	if cfg.TLSCACert == "" || cfg.TLSCert == "" || cfg.TLSKey == "" {
+		return nil, fmt.Errorf("TEMPORAL_TLS_CA_CERT, TEMPORAL_TLS_CERT, and TEMPORAL_TLS_KEY must be set together")
+	}
+	certificate, err := tls.X509KeyPair([]byte(cfg.TLSCert), []byte(cfg.TLSKey))
+	if err != nil {
+		return nil, fmt.Errorf("parse Temporal client certificate: %w", err)
+	}
+	roots := x509.NewCertPool()
+	if !roots.AppendCertsFromPEM([]byte(cfg.TLSCACert)) {
+		return nil, fmt.Errorf("parse Temporal CA certificate")
+	}
+	serverName, _, err := net.SplitHostPort(cfg.Address)
+	if err != nil {
+		serverName = cfg.Address
+	}
+	return &tls.Config{
+		Certificates: []tls.Certificate{certificate},
+		RootCAs:      roots,
+		ServerName:   serverName,
+		MinVersion:   tls.VersionTLS12,
+	}, nil
+}