create-svc 0.1.70 → 0.1.72

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.70",
+  "version": "0.1.72",
   "description": "Local microservice bootstrap CLI for Cloud Run and Workers services with Neon-backed data.",
   "module": "index.ts",
   "type": "module",

package/src/service-runtime/cloudrun/cli.ts

@@ -17,6 +17,7 @@ import {
   formatError,
   gcloud,
   ensureProductionDomainMapping,
+  readVaultField,
   requireCommand,
   requireGcloudAuth,
   resolveDeploymentTarget,
@@ -347,6 +348,7 @@ async function runSdk(args: string[]) {
   const [subcommand] = args;
   if (subcommand === "publish") {
     requireCommand("buf");
+    ensureBufAuth();
     run("buf", ["push"]);
     const published = resolvePublishedSdk();
     await writeSdkMode("remote", published);
@@ -371,6 +373,7 @@ async function runSdk(args: string[]) {
 
   if (subcommand === "use-remote") {
     requireCommand("buf");
+    ensureBufAuth();
     const published = resolvePublishedSdk();
     await writeSdkMode("remote", published);
     return `Remote Buf SDK recorded for consumers: ${bufModule()}@${published.commit}`;
@@ -447,7 +450,17 @@ async function writeSdkMode(mode: "local" | "remote", published?: PublishedSdk)
 }
 
 function bufModule() {
-  return `buf.build/anmho/${config.serviceName}`;
+  return config.buf.module || `buf.build/anmho/${config.serviceName}`;
+}
+
+function ensureBufAuth() {
+  const token =
+    process.env.BUF_TOKEN?.trim() ||
+    readVaultField(config.buf.vaultMount, config.buf.vaultPath, ["BUF_TOKEN", "buf.api_token", "buf_token", "api_token", "token"]);
+  if (!token) {
+    return;
+  }
+  run("buf", ["registry", "login", "buf.build", "--token-stdin"], { input: `${token}\n` });
 }
 
 async function resolveLocalSdkPath() {

package/src/service-runtime/cloudrun/config.ts

@@ -46,6 +46,11 @@ export const config = {
     vaultMount: vault.mount || "secret",
     vaultPath: vault.temporal_path || "prod/providers/temporal",
   },
+  buf: {
+    module: serviceConfig.buf?.module || `buf.build/anmho/${serviceConfig.service_id}`,
+    vaultMount: vault.mount || "secret",
+    vaultPath: vault.buf_path || "prod/providers/buf",
+  },
   neon: {
     projectId: neon.project_id,
     baseBranchId: neon.base_branch_id,

package/src/service-runtime/cloudrun/lib.ts

@@ -589,7 +589,7 @@ function renderTemporalMtlsEnv(temporal: ReturnType<typeof resolveTemporalRuntim
     .join("\n");
 }
 
-function readVaultField(mount: string, path: string, fields: string[]) {
+export function readVaultField(mount: string, path: string, fields: string[]) {
   const vault = Bun.which("vault");
   if (!vault || !path) {
     return "";

package/src/service-runtime/cloudrun/sdk.test.ts

@@ -37,6 +37,7 @@ test("service sdk publish pushes the named Buf module and selects remote SDK mod
   const generatedRoot = join(root, "sdk-proof");
   const fakeBin = join(root, "bin");
   const bufLog = join(root, "buf.log");
+  const tokenLog = join(root, "buf-token.log");
 
   await scaffoldProject(baseConfig(generatedRoot));
   await mkdir(join(generatedRoot, "node_modules"));
@@ -46,10 +47,19 @@ test("service sdk publish pushes the named Buf module and selects remote SDK mod
     [
       "#!/bin/sh",
       `echo "$@" >> "${bufLog}"`,
+      'if [ "$1 $2 $3 $4" = "registry login buf.build --token-stdin" ]; then',
+      `  cat > "${tokenLog}"`,
+      "  exit 0",
+      "fi",
       'if [ "$1 $2 $3 $4" = "registry module commit list" ]; then',
       '  printf \'{"commits":[{"name":"buf.build/anmho/sdk-proof:commit-123","digest":"b5:abc123","create_time":"2026-05-25T12:00:00Z"}]}\'',
+      "  exit 0",
       "fi",
-      "exit 0",
+      'if [ "$1" = "push" ]; then',
+      "  exit 0",
+      "fi",
+      "echo unexpected buf command: $@ >&2",
+      "exit 1",
       "",
     ].join("\n")
   );
@@ -57,16 +67,19 @@ test("service sdk publish pushes the named Buf module and selects remote SDK mod
 
   const result = Bun.spawnSync(["bun", join(import.meta.dir, "..", "..", "..", "index.ts"), "sdk", "publish"], {
     cwd: generatedRoot,
-    env: { ...process.env, PATH: `${fakeBin}:${process.env.PATH ?? ""}` },
+    env: { ...process.env, BUF_TOKEN: "test-token", PATH: `${fakeBin}:${process.env.PATH ?? ""}` },
     stdout: "pipe",
     stderr: "pipe",
   });
 
   expect(result.success, [result.stdout.toString(), result.stderr.toString()].join("\n")).toBeTrue();
   expect(result.stdout.toString()).toContain("recorded for consumers");
+  expect(result.stdout.toString()).not.toContain("test-token");
+  expect(result.stderr.toString()).not.toContain("test-token");
   expect((await readFile(bufLog, "utf8")).trim()).toBe(
-    ["push", "registry module commit list buf.build/anmho/sdk-proof --format json --page-size 1"].join("\n")
+    ["registry login buf.build --token-stdin", "push", "registry module commit list buf.build/anmho/sdk-proof --format json --page-size 1"].join("\n")
   );
+  expect((await readFile(tokenLog, "utf8")).trim()).toBe("test-token");
   const sdkState = JSON.parse(await Bun.file(join(generatedRoot, ".service", "sdk.json")).text());
   expect(sdkState).toMatchObject({
     mode: "remote",

package/src/service-runtime/cloudrun/temporal-config.test.ts

@@ -62,6 +62,28 @@ test("resolveTemporalRuntimeConfigValues reads self-hosted mTLS config from Vaul
   });
 });
 
+test("resolveTemporalRuntimeConfigValues renders configured mTLS secret names without raw credentials", () => {
+  const resolved = resolveTemporalRuntimeConfigValues(
+    { ...baseConfig, address: "temporal-grpc.anmho.com:7233" },
+    {},
+    () => ({
+      namespace: "default",
+    })
+  );
+
+  expect(resolved).toMatchObject({
+    enabled: true,
+    address: "temporal-grpc.anmho.com:7233",
+    namespace: "default",
+    tlsCaCertSecretName: "orders-temporal-ca-cert",
+    tlsCertSecretName: "orders-temporal-client-cert",
+    tlsKeySecretName: "orders-temporal-client-key",
+    tlsCaCert: "",
+    tlsCert: "",
+    tlsKey: "",
+  });
+});
+
 test("resolveTemporalRuntimeConfigValues prefers explicit environment overrides", () => {
   const resolved = resolveTemporalRuntimeConfigValues(
     baseConfig,

package/src/service-runtime/cloudrun/temporal-config.ts

@@ -75,6 +75,13 @@ export function resolveTemporalRuntimeConfigValues(
     env.TEMPORAL_TLS_CERT_SECRET?.trim() || (tlsCert ? config.tlsCertSecretName || `${config.taskQueue}-temporal-client-cert` : "");
   const tlsKeySecretName =
     env.TEMPORAL_TLS_KEY_SECRET?.trim() || (tlsKey ? config.tlsKeySecretName || `${config.taskQueue}-temporal-client-key` : "");
+  const configuredTLSSecretNames = Boolean(config.tlsCaCertSecretName && config.tlsCertSecretName && config.tlsKeySecretName);
+  const shouldRenderTLSSecretNames = Boolean(tlsCaCert || (!apiKey && configuredTLSSecretNames));
+  const resolvedTLSSecretNames = {
+    ca: shouldRenderTLSSecretNames ? tlsCaCertSecretName || config.tlsCaCertSecretName || "" : "",
+    cert: shouldRenderTLSSecretNames ? tlsCertSecretName || config.tlsCertSecretName || "" : "",
+    key: shouldRenderTLSSecretNames ? tlsKeySecretName || config.tlsKeySecretName || "" : "",
+  };
 
   if (isLocalTemporalAddress(address)) {
     throw new Error(
@@ -95,7 +102,7 @@ export function resolveTemporalRuntimeConfigValues(
       `Temporal mTLS is partially configured; set TEMPORAL_TLS_CA_CERT, TEMPORAL_TLS_CERT, and TEMPORAL_TLS_KEY together in env or Vault at ${config.vaultMount}/${config.vaultPath}`
     );
   }
-  if (!apiKey && !tlsCaCert) {
+  if (!apiKey && !apiKeySecretName && !tlsCaCert && !configuredTLSSecretNames) {
     throw new Error(
       `Temporal is enabled but no credentials were found; set TEMPORAL_API_KEY or TEMPORAL_TLS_CA_CERT/TEMPORAL_TLS_CERT/TEMPORAL_TLS_KEY in env or Vault at ${config.vaultMount}/${config.vaultPath}`
     );
@@ -108,9 +115,9 @@ export function resolveTemporalRuntimeConfigValues(
     taskQueue,
     apiKeySecretName,
     apiKey,
-    tlsCaCertSecretName,
-    tlsCertSecretName,
-    tlsKeySecretName,
+    tlsCaCertSecretName: resolvedTLSSecretNames.ca,
+    tlsCertSecretName: resolvedTLSSecretNames.cert,
+    tlsKeySecretName: resolvedTLSSecretNames.key,
     tlsCaCert,
     tlsCert,
     tlsKey,

package/templates/shared/service.jsonc

@@ -70,7 +70,8 @@
       "cloudflare_path": "prod/providers/cloudflare",
       "grafana_path": "prod/providers/grafana",
       "clerk_m2m_path": "prod/providers/clerk-m2m",
-      "temporal_path": "prod/providers/temporal"
+      "temporal_path": "prod/providers/temporal",
+      "buf_path": "prod/providers/buf"
     }
   },