create-svc 0.1.76 → 0.1.79

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.76",
+  "version": "0.1.79",
   "description": "Local microservice bootstrap CLI for Cloud Run and Workers services with Neon-backed data.",
   "module": "index.ts",
   "type": "module",

package/src/git-bootstrap.ts

@@ -1,6 +1,7 @@
 import { existsSync } from "node:fs";
 import { readFile, writeFile } from "node:fs/promises";
 import { dirname } from "node:path";
+import { protectMainBranch } from "./github-protection";
 
 export type GitBootstrapConfig = {
   enabled: boolean;
@@ -50,6 +51,7 @@ export async function bootstrapGitHubRepository(targetDir: string, config: GitBo
   run(["gh", "repo", "create", repository, "--private", "--source", ".", "--remote", "origin", "--push"], targetDir, undefined, {
     quiet: true,
   });
+  protectMainBranch({ repo: repository, cwd: targetDir });
 
   return {
     status: "created",

package/src/github-protection.ts

@@ -0,0 +1,196 @@
+type CommandOptions = {
+  cwd?: string;
+  input?: string;
+};
+
+type CommandResult = {
+  success: boolean;
+  stdout: string;
+  stderr: string;
+  exitCode: number;
+};
+
+export type CommandRunner = (command: string, args: string[], options?: CommandOptions) => CommandResult;
+
+export type ProtectionOptions = {
+  repo?: string;
+  branch?: string;
+  requiredChecks?: string[];
+  cwd?: string;
+  runner?: CommandRunner;
+};
+
+export type BranchProtectionRequest = {
+  required_status_checks: {
+    strict: boolean;
+    contexts: string[];
+  };
+  enforce_admins: boolean;
+  required_pull_request_reviews: {
+    dismiss_stale_reviews: boolean;
+    required_approving_review_count: number;
+  };
+  restrictions: null;
+  required_linear_history: boolean;
+  allow_force_pushes: boolean;
+  allow_deletions: boolean;
+  block_creations: boolean;
+  required_conversation_resolution: boolean;
+  lock_branch: boolean;
+  allow_fork_syncing: boolean;
+};
+
+const DEFAULT_BRANCH = "main";
+const DEFAULT_REQUIRED_CHECKS = ["test", "deploy"];
+const decoder = new TextDecoder();
+const encoder = new TextEncoder();
+
+export function parseProtectMainArgs(argv: string[]) {
+  const parsed: Pick<ProtectionOptions, "repo" | "branch"> = {};
+
+  for (let index = 0; index < argv.length; index += 1) {
+    const token = argv[index];
+    if (!token) {
+      continue;
+    }
+
+    const next = argv[index + 1];
+    const readValue = () => {
+      if (!next || next.startsWith("-")) {
+        throw new Error(`Missing value for ${token}`);
+      }
+      index += 1;
+      return next;
+    };
+
+    if (token === "--repo") {
+      parsed.repo = readValue();
+      continue;
+    }
+
+    if (token.startsWith("--repo=")) {
+      parsed.repo = token.slice("--repo=".length);
+      continue;
+    }
+
+    if (token === "--branch") {
+      parsed.branch = readValue();
+      continue;
+    }
+
+    if (token.startsWith("--branch=")) {
+      parsed.branch = token.slice("--branch=".length);
+      continue;
+    }
+
+    throw new Error(`Unknown argument for protect-main: ${token}`);
+  }
+
+  return parsed;
+}
+
+export function protectMainBranch(options: ProtectionOptions = {}) {
+  const runner = options.runner ?? run;
+  const repo = normalizeRepo(options.repo ?? process.env.GITHUB_REPOSITORY ?? discoverRepo(runner, options.cwd));
+  const branch = options.branch ?? DEFAULT_BRANCH;
+  const requiredChecks = options.requiredChecks ?? DEFAULT_REQUIRED_CHECKS;
+  const request = buildBranchProtectionRequest(requiredChecks);
+  const endpoint = `/repos/${repo}/branches/${branch}/protection`;
+  const result = runner("gh", ["api", "--method", "PUT", endpoint, "--input", "-"], {
+    cwd: options.cwd,
+    input: `${JSON.stringify(request)}\n`,
+  });
+
+  if (!result.success) {
+    throw new Error(formatProtectionFailure(repo, branch, result));
+  }
+
+  return {
+    repo,
+    branch,
+    requiredChecks,
+  };
+}
+
+export function buildBranchProtectionRequest(requiredChecks = DEFAULT_REQUIRED_CHECKS): BranchProtectionRequest {
+  return {
+    required_status_checks: {
+      strict: true,
+      contexts: requiredChecks,
+    },
+    enforce_admins: true,
+    required_pull_request_reviews: {
+      dismiss_stale_reviews: true,
+      required_approving_review_count: 1,
+    },
+    restrictions: null,
+    required_linear_history: false,
+    allow_force_pushes: false,
+    allow_deletions: false,
+    block_creations: false,
+    required_conversation_resolution: true,
+    lock_branch: false,
+    allow_fork_syncing: true,
+  };
+}
+
+export function formatProtectionFailure(repo: string, branch: string, result: CommandResult) {
+  const details = [result.stderr, result.stdout].filter(Boolean).join("\n");
+  const permissionHint = isPermissionFailure(details)
+    ? [
+        "",
+        "The authenticated GitHub token must have repository administration permission for this generated service repo.",
+        "Grant repo admin access or a fine-grained token with Administration: write, then rerun `service protect-main`.",
+      ].join("\n")
+    : "";
+
+  return [`Failed to reconcile ${branch} branch protection for ${repo}.`, details, permissionHint].filter(Boolean).join("\n");
+}
+
+function discoverRepo(runner: CommandRunner, cwd?: string) {
+  const result = runner("git", ["config", "--get", "remote.origin.url"], { cwd });
+  if (!result.success || !result.stdout) {
+    throw new Error("Unable to determine GitHub repo. Pass --repo owner/name or set GITHUB_REPOSITORY.");
+  }
+  return result.stdout;
+}
+
+function normalizeRepo(value: string) {
+  const trimmed = value.trim();
+  const sshMatch = trimmed.match(/^git@github\.com:([^/]+\/[^/]+?)(?:\.git)?$/);
+  if (sshMatch?.[1]) {
+    return sshMatch[1];
+  }
+
+  const urlMatch = trimmed.match(/^https:\/\/github\.com\/([^/]+\/[^/]+?)(?:\.git)?$/);
+  if (urlMatch?.[1]) {
+    return urlMatch[1];
+  }
+
+  if (/^[^/\s]+\/[^/\s]+$/.test(trimmed)) {
+    return trimmed.replace(/\.git$/, "");
+  }
+
+  throw new Error(`Invalid GitHub repo: ${value}. Expected owner/name.`);
+}
+
+function isPermissionFailure(details: string) {
+  return /403|404|admin|administration|resource not accessible|not found|forbidden/i.test(details);
+}
+
+function run(command: string, args: string[], options: CommandOptions = {}): CommandResult {
+  const result = Bun.spawnSync([command, ...args], {
+    cwd: options.cwd ?? process.cwd(),
+    env: process.env,
+    stdin: options.input === undefined ? undefined : encoder.encode(options.input),
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+
+  return {
+    success: result.success,
+    stdout: result.stdout ? decoder.decode(result.stdout).trim() : "",
+    stderr: result.stderr ? decoder.decode(result.stderr).trim() : "",
+    exitCode: result.exitCode,
+  };
+}

package/src/scaffold.test.ts

@@ -195,6 +195,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(packageJson).toContain('"migrate": "service migrate"');
       expect(packageJson).toContain('"create": "service create"');
       expect(packageJson).toContain('"deploy": "service deploy"');
+      expect(packageJson).toContain('"protect-main": "service protect-main"');
       expect(packageJson).toContain('"destroy": "service destroy"');
 
       const mainGo = await Bun.file(join(generatedRoot, "cmd", "server", "main.go")).text();
@@ -224,6 +225,8 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(makefile).toContain("bun run ./scripts/ensure-local-db.ts");
       expect(makefile).toContain("bun run ./scripts/wait-for-db.ts");
       expect(makefile).toContain("bun run ./scripts/dev.ts go run ./cmd/server --worker go run ./cmd/worker");
+      expect(makefile).toContain("protect-main:");
+      expect(makefile).toContain("$(SERVICE) protect-main");
       expect(await Bun.file(join(generatedRoot, "atlas.hcl")).exists()).toBeTrue();
       const atlasConfig = await Bun.file(join(generatedRoot, "atlas.hcl")).text();
       expect(atlasConfig).toContain('revisions_schema = "public"');
@@ -241,6 +244,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(packageJson).toContain('"migrate": "service migrate"');
       expect(packageJson).toContain('"create": "service create"');
       expect(packageJson).toContain('"deploy": "service deploy"');
+      expect(packageJson).toContain('"protect-main": "service protect-main"');
       expect(packageJson).toContain('"dashboards": "service dashboards"');
       expect(packageJson).toContain('"observability-bootstrap": "service observability-bootstrap"');
       expect(packageJson).toContain('"auth": "service auth"');
@@ -260,6 +264,7 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(makefile).toContain("SERVICE := service");
       expect(makefile).toContain("dashboards:");
       expect(makefile).toContain("observability-bootstrap:");
+      expect(makefile).toContain("protect-main:");
       expect(makefile).toContain("auth:");
       expect(makefile).toContain("bun run dev");
       const devScript = await Bun.file(join(generatedRoot, "scripts", "dev.ts")).text();
@@ -295,6 +300,9 @@ test("scaffolds all runtime/framework variants with shared cloudrun config", asy
       expect(readme).toContain("verifies JWT bearer tokens");
       expect(readme).toContain("prod/apps/auth/authctl/cloudflare-access");
       expect(readme).toContain("service auth resource-server");
+      expect(readme).toContain("GitHub main branch protection");
+      expect(readme).toContain("service create");
+      expect(readme).toContain("service protect-main");
     }
 
   }
@@ -329,6 +337,8 @@ test("scaffolds a backend package cleanly into a nested monorepo-style directory
   expect(readme).toContain("waitlist/launch service");
   expect(readme).not.toContain("Neon main, preview, and personal branch provisioning");
   expect(readme).toContain("GitHub Actions deployment");
+  expect(readme).toContain("GitHub main branch protection");
+  expect(readme).toContain("service protect-main");
   expect(readme).toContain(".github/workflows/preview.yml");
   expect(readme).toContain(".github/workflows/deploy.yml");
   expect(readme).toContain("/deploy preview");
@@ -367,6 +377,7 @@ test("scaffolds the workers target with wrangler lifecycle commands", async () =
   expect(packageJson).toContain('"@anmho/authctl": "0.1.1"');
   expect(packageJson).toContain('"dev": "bun run ./scripts/dev.ts wrangler dev --ip 127.0.0.1 --port 8787 --show-interactive-dev-session=false"');
   expect(packageJson).toContain('"service": "service"');
+  expect(packageJson).toContain('"protect-main": "service protect-main"');
   expect(packageJson).toContain('"auth": "service auth"');
   expect(packageJson).toContain('"wrangler"');
   expect(packageJson).toContain('"pg"');
@@ -413,6 +424,7 @@ test("scaffolds the workers target with wrangler lifecycle commands", async () =
   const makefile = await Bun.file(join(generatedRoot, "Makefile")).text();
   expect(makefile).toContain('no generated code for workers');
   expect(makefile).toContain("auth:");
+  expect(makefile).toContain("protect-main:");
   expect(makefile).not.toContain("scripts/codegen.ts");
 
   expect(await Bun.file(join(generatedRoot, "scripts", "authctl.ts")).exists()).toBeFalse();

package/src/scaffold.ts

@@ -247,6 +247,7 @@ function buildReplacements(config: ScaffoldConfig) {
     COMMAND_DEV_DOWN: "service dev down",
     COMMAND_BOOTSTRAP: "service create",
     COMMAND_DEPLOY: "service deploy",
+    COMMAND_PROTECT_MAIN: "service protect-main",
     COMMAND_OBSERVABILITY_BOOTSTRAP:
       config.runtime === "bun" ? "bun run observability-bootstrap" : "make observability-bootstrap",
     WORKFLOW_DEPLOY_MAIN_COMMAND: "service deploy --ci",

package/src/service-runtime/local-dev.test.ts

@@ -30,6 +30,43 @@ describe("local dev cleanup", () => {
     expect(await Bun.file(join(root, ".service", "local-dev.pid")).exists()).toBe(false);
   });
 
+  test("stops service-owned listeners when the pid file is missing", async () => {
+    if (!Bun.which("lsof") && !(process.platform === "linux" && Bun.which("fuser"))) {
+      return;
+    }
+
+    const root = await tempRoot();
+    const port = await reservePort();
+    const child = Bun.spawn(
+      [
+        "bun",
+        "-e",
+        "Bun.serve({ port: Number(Bun.env.PORT), fetch() { return new Response('ok'); } }); setInterval(() => {}, 1000);",
+      ],
+      {
+        cwd: root,
+        env: { ...process.env, PORT: String(port) },
+        stdout: "pipe",
+        stderr: "pipe",
+      },
+    );
+    if (!child.pid) {
+      throw new Error("spawned local dev process has no pid");
+    }
+
+    try {
+      await waitForServer(port);
+
+      const result = await stopLocalDev({ root, dockerCompose: false, ports: [port] });
+
+      expect(result).toContain(`Stopped local dev process ${child.pid} on port ${port}`);
+      await waitForListenerStop(port, child.pid);
+    } finally {
+      child.kill("SIGKILL");
+      await child.exited.catch(() => undefined);
+    }
+  }, 10_000);
+
   test("plans Docker Compose cleanup when compose exists", async () => {
     const root = await tempRoot();
     await Bun.write(join(root, "docker-compose.yml"), "services: {}\n");
@@ -45,3 +82,63 @@ async function tempRoot() {
   roots.push(root);
   return root;
 }
+
+async function reservePort() {
+  const server = Bun.serve({ port: 0, fetch: () => new Response("reserved") });
+  const port = server.port;
+  if (!port) {
+    throw new Error("failed to reserve a local port");
+  }
+  await server.stop();
+  return port;
+}
+
+async function waitForServer(port: number) {
+  const deadline = Date.now() + 5_000;
+  while (Date.now() < deadline) {
+    if (await isReachable(port)) {
+      return;
+    }
+    await Bun.sleep(50);
+  }
+  throw new Error(`server on port ${port} did not start`);
+}
+
+async function waitForListenerStop(port: number, pid: number) {
+  const deadline = Date.now() + 5_000;
+  while (Date.now() < deadline) {
+    if (!listenerHasPid(port, pid)) {
+      return;
+    }
+    await Bun.sleep(50);
+  }
+  throw new Error(`process ${pid} on port ${port} did not stop listening`);
+}
+
+async function isReachable(port: number) {
+  try {
+    const response = await fetch(`http://127.0.0.1:${port}`, { signal: AbortSignal.timeout(250) });
+    await response.text();
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function listenerHasPid(port: number, pid: number) {
+  if (!Bun.which("lsof")) {
+    return false;
+  }
+
+  const result = Bun.spawnSync(["lsof", "-nP", `-iTCP:${port}`, "-sTCP:LISTEN", "-Fp"], {
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  if (!result.success || !result.stdout) {
+    return false;
+  }
+  return new TextDecoder()
+    .decode(result.stdout)
+    .split("\n")
+    .includes(`p${pid}`);
+}

package/src/service-runtime/local-dev.ts

@@ -1,36 +1,49 @@
 import { rm } from "node:fs/promises";
+import { realpathSync } from "node:fs";
 import { join } from "node:path";
 
 type LocalDevOptions = {
   root?: string;
   dockerCompose?: boolean;
   removeVolumes?: boolean;
+  ports?: number[];
 };
 
 export type LocalDevCleanupPlan = {
   pidFile: string;
   hasPidFile: boolean;
   pid?: number;
+  portProcesses: PortProcess[];
   hasDockerCompose: boolean;
   resources: string[];
   skipped: string[];
 };
 
+type PortProcess = {
+  pid: number;
+  port: number;
+};
+
 const decoder = new TextDecoder();
+const defaultLocalDevPorts = [8080, 3000];
 
 export async function buildLocalDevCleanupPlan(options: LocalDevOptions = {}): Promise<LocalDevCleanupPlan> {
   const root = options.root ?? defaultServiceRoot();
   const pidFile = join(root, ".service", "local-dev.pid");
   const hasPidFile = await Bun.file(pidFile).exists();
   const pid = hasPidFile ? parsePid(await Bun.file(pidFile).text()) : undefined;
+  const ports = options.ports ?? defaultLocalDevPorts;
+  const portProcesses = findServicePortProcesses(root, ports, pid);
   const hasDockerCompose = Boolean(options.dockerCompose) && (await Bun.file(join(root, "docker-compose.yml")).exists());
   const resources: string[] = [];
   const skipped: string[] = [];
 
   if (hasPidFile) {
     resources.push(`Local dev process from ${pidFile}`);
+  } else if (portProcesses.length > 0) {
+    resources.push(formatPortProcesses(portProcesses));
   } else {
-    skipped.push("Local dev process: no .service/local-dev.pid");
+    skipped.push(`Local dev process: no .service/local-dev.pid or service-owned listener on ${ports.join(", ")}`);
   }
 
   if (hasDockerCompose) {
@@ -43,6 +56,7 @@ export async function buildLocalDevCleanupPlan(options: LocalDevOptions = {}): P
     pidFile,
     hasPidFile,
     pid,
+    portProcesses,
     hasDockerCompose,
     resources,
     skipped,
@@ -62,7 +76,12 @@ export async function stopLocalDev(options: LocalDevOptions = {}) {
     }
     await rm(plan.pidFile, { force: true });
   } else {
-    messages.push("No local dev pid file found");
+    const stopped = stopPortProcesses(plan.portProcesses);
+    messages.push(
+      stopped.length > 0
+        ? `Stopped ${formatPortProcesses(stopped)}`
+        : "No local dev pid file found and no service-owned local dev process was listening",
+    );
   }
 
   if (plan.hasDockerCompose) {
@@ -84,12 +103,16 @@ function parsePid(raw: string) {
 
 function stopPid(pid: number) {
   const wasRunning = isRunning(pid);
+  if (!wasRunning) {
+    return false;
+  }
   tryKill(-pid, "SIGTERM") || tryKill(pid, "SIGTERM");
-  Bun.sleepSync(1_000);
+  waitForExit(pid, 1_000);
   if (isRunning(pid)) {
     tryKill(-pid, "SIGKILL") || tryKill(pid, "SIGKILL");
+    waitForExit(pid, 1_000);
   }
-  return wasRunning;
+  return !isRunning(pid);
 }
 
 function isRunning(pid: number) {
@@ -110,6 +133,136 @@ function tryKill(pid: number, signal: NodeJS.Signals) {
   }
 }
 
+function waitForExit(pid: number, timeoutMs: number) {
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    if (!isRunning(pid)) {
+      return;
+    }
+    Bun.sleepSync(50);
+  }
+}
+
+function findServicePortProcesses(root: string, ports: number[], pidFromFile?: number): PortProcess[] {
+  const resolvedRoot = realpath(root);
+  const rootWithSlash = resolvedRoot.endsWith("/") ? resolvedRoot : `${resolvedRoot}/`;
+  const seen = new Set<string>();
+  const processes: PortProcess[] = [];
+  for (const port of ports) {
+    for (const pid of listeningPids(port)) {
+      if (pid === pidFromFile) {
+        continue;
+      }
+      const key = `${pid}:${port}`;
+      if (seen.has(key)) {
+        continue;
+      }
+      const cwd = processCwd(pid);
+      if (cwd && (cwd === resolvedRoot || cwd.startsWith(rootWithSlash))) {
+        processes.push({ pid, port });
+        seen.add(key);
+      }
+    }
+  }
+  return processes;
+}
+
+function realpath(path: string) {
+  try {
+    return realpathSync(path);
+  } catch {
+    return path;
+  }
+}
+
+function listeningPids(port: number) {
+  const pids = new Set<number>();
+  for (const pid of listeningPidsFromLsof(port)) {
+    pids.add(pid);
+  }
+  for (const pid of listeningPidsFromFuser(port)) {
+    pids.add(pid);
+  }
+  return [...pids];
+}
+
+function listeningPidsFromLsof(port: number) {
+  if (!Bun.which("lsof")) {
+    return [];
+  }
+
+  const result = Bun.spawnSync(["lsof", "-nP", `-iTCP:${port}`, "-sTCP:LISTEN", "-Fp"], {
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  if (!result.success || !result.stdout) {
+    return [];
+  }
+  return decoder
+    .decode(result.stdout)
+    .split("\n")
+    .map((line) => (line.startsWith("p") ? Number.parseInt(line.slice(1), 10) : undefined))
+    .filter((pid): pid is number => Boolean(pid && Number.isFinite(pid)));
+}
+
+function listeningPidsFromFuser(port: number) {
+  if (process.platform !== "linux" || !Bun.which("fuser")) {
+    return [];
+  }
+
+  const result = Bun.spawnSync(["fuser", "-n", "tcp", String(port)], {
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  if (!result.success) {
+    return [];
+  }
+  return decoder
+    .decode(result.stdout)
+    .trim()
+    .split(/\s+/)
+    .map((value) => Number.parseInt(value, 10))
+    .filter((pid): pid is number => Boolean(pid && Number.isFinite(pid)));
+}
+
+function processCwd(pid: number) {
+  if (process.platform === "linux") {
+    const procCwd = realpath(`/proc/${pid}/cwd`);
+    if (procCwd !== `/proc/${pid}/cwd`) {
+      return procCwd;
+    }
+  }
+
+  const result = Bun.spawnSync(["lsof", "-a", "-p", String(pid), "-d", "cwd", "-Fn"], {
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  if (!result.success || !result.stdout) {
+    return undefined;
+  }
+  return decoder
+    .decode(result.stdout)
+    .split("\n")
+    .find((line) => line.startsWith("n"))
+    ?.slice(1);
+}
+
+function stopPortProcesses(processes: PortProcess[]) {
+  const stopped: PortProcess[] = [];
+  for (const portProcess of processes) {
+    if (stopPid(portProcess.pid) || !listeningPids(portProcess.port).includes(portProcess.pid)) {
+      stopped.push(portProcess);
+    }
+  }
+  return stopped;
+}
+
+function formatPortProcesses(processes: PortProcess[]) {
+  return processes
+    .map((portProcess) => `local dev process ${portProcess.pid} on port ${portProcess.port}`)
+    .join(", ");
+}
+
 function runDockerComposeDown(root: string, removeVolumes: boolean) {
   if (!Bun.which("docker")) {
     return "Docker is not installed; Docker Compose cleanup skipped";

package/src/service.test.ts

@@ -30,6 +30,7 @@ test("createSvcVersion reports the package version", async () => {
 test("formatOutsideServiceCommandError rejects repo-local commands outside generated services", () => {
   expect(formatOutsideServiceCommandError("destroy")).toContain("service destroy must be run inside a generated service repo");
   expect(formatOutsideServiceCommandError("deploy")).toContain("No service.jsonc was found");
+  expect(formatOutsideServiceCommandError("protect-main")).toContain("service protect-main must be run inside a generated service repo");
 });
 
 test("formatOutsideServiceCommandError does not treat positional names as scaffold commands", () => {
@@ -66,3 +67,9 @@ test("generatedServiceCommandHelp intercepts deploy help before side effects", (
   expect(generatedServiceCommandHelp(["deploy"])).toBeUndefined();
   expect(generatedServiceCommandHelp(["destroy", "--help"])).toBeUndefined();
 });
+
+test("generatedServiceCommandHelp intercepts protect-main help before side effects", () => {
+  expect(generatedServiceCommandHelp(["protect-main", "--help"])).toContain("service protect-main");
+  expect(generatedServiceCommandHelp(["protect-main", "-h"])).toContain("--repo owner/name");
+  expect(generatedServiceCommandHelp(["protect-main"])).toBeUndefined();
+});

package/src/service.ts

@@ -1,6 +1,7 @@
 import { existsSync, readFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { formatScaffoldHelp, run as runScaffoldCli } from "./cli";
+import { parseProtectMainArgs, protectMainBranch } from "./github-protection";
 import { parseJsonc } from "./jsonc";
 
 const SCAFFOLD_COMMANDS = new Set(["create", "new", "init"]);
@@ -14,6 +15,7 @@ const GENERATED_SERVICE_COMMANDS = new Set([
   "dns",
   "doctor",
   "migrate",
+  "protect-main",
   "sdk",
   "seed",
 ]);
@@ -109,7 +111,25 @@ async function delegateToGeneratedService(serviceRoot: string, argv: string[]) {
   process.chdir(serviceRoot);
   process.env.CREATE_SVC_SERVICE_ROOT = serviceRoot;
 
-  const serviceConfig = parseJsonc(await Bun.file(join(serviceRoot, "service.jsonc")).text()) as { target?: string };
+  const serviceConfig = parseJsonc(await Bun.file(join(serviceRoot, "service.jsonc")).text()) as {
+    service_id?: string;
+    target?: string;
+    git?: {
+      owner?: string;
+      repository?: string;
+    };
+  };
+  if (argv[0] === "protect-main") {
+    const protectionArgs = parseProtectMainArgs(argv.slice(1));
+    const result = protectMainBranch({
+      repo: protectionArgs.repo ?? repoFromServiceConfig(serviceConfig),
+      branch: protectionArgs.branch,
+      cwd: serviceRoot,
+    });
+    console.log(`Protected ${result.repo} ${result.branch} with required checks: ${result.requiredChecks.join(", ")}`);
+    return;
+  }
+
   if (serviceConfig.target === "workers") {
     const { main } = await import("./service-runtime/workers/cli");
     await main(argv);
@@ -120,6 +140,15 @@ async function delegateToGeneratedService(serviceRoot: string, argv: string[]) {
   await main(argv);
 }
 
+function repoFromServiceConfig(serviceConfig: { service_id?: string; git?: { owner?: string; repository?: string } }) {
+  const owner = serviceConfig.git?.owner || "anmho";
+  const repository = serviceConfig.git?.repository || serviceConfig.service_id;
+  if (!repository) {
+    throw new Error("service.jsonc is missing git.repository and service_id; pass --repo owner/name.");
+  }
+  return `${owner}/${repository}`;
+}
+
 export function generatedDependenciesInstalled(serviceRoot: string) {
   return !existsSync(join(serviceRoot, "package.json")) || existsSync(join(serviceRoot, "node_modules"));
 }
@@ -146,6 +175,15 @@ function ensureGeneratedDependencies(serviceRoot: string) {
 
 export function generatedServiceCommandHelp(argv: string[]) {
   const [command, ...rest] = argv;
+  if (command === "protect-main" && hasHelpFlag(rest)) {
+    return [
+      "Usage:",
+      "  service protect-main [--repo owner/name] [--branch main]",
+      "",
+      "Reconciles generated service branch protection with required test and deploy checks.",
+    ].join("\n");
+  }
+
   if (command !== "deploy" || !hasHelpFlag(rest)) {
     return undefined;
   }

package/templates/shared/README.md

@@ -31,6 +31,7 @@ console to create and deploy.
 {{COMMAND_TEST}}
 {{COMMAND_BOOTSTRAP}}
 {{COMMAND_DEPLOY}}
+{{COMMAND_PROTECT_MAIN}}
 {{COMMAND_DEV_DOWN}}
 {{COMMAND_AUTH_RESOURCE}}
 {{COMMAND_AUTH_CLIENT}}
@@ -145,6 +146,16 @@ gcloud auth application-default login
 
 The generated backend scripts still use `gcloud` as the primary control plane even when ADC is present.
 
+## GitHub main branch protection
+
+Generated repositories include GitHub Actions workflows for CI and production deploys. `service create` reconciles `main` branch protection after creating and pushing the GitHub repository. To rerun reconciliation for an existing generated repo:
+
+```bash
+{{COMMAND_PROTECT_MAIN}}
+```
+
+The protection requires the generated `test` and `deploy` status checks, pull requests, stale-review dismissal, conversation resolution, and admin enforcement. If GitHub permissions are missing, rerun the command with a token that has repo admin access or fine-grained `Administration: write`.
+
 Go variants use Atlas for migrations:
 
 ```bash

package/templates/targets/workers/Makefile

@@ -1,4 +1,4 @@
-.PHONY: dev migrate gen lint test create deploy dashboards auth destroy
+.PHONY: dev migrate gen lint test create deploy protect-main dashboards auth destroy
 
 SERVICE := service
 
@@ -23,6 +23,9 @@ create:
 deploy:
 	$(SERVICE) deploy $(ARGS)
 
+protect-main:
+	$(SERVICE) protect-main $(ARGS)
+
 dashboards:
 	$(SERVICE) dashboards
 

package/templates/targets/workers/README.md

@@ -22,6 +22,7 @@ bun run trigger -- --help
 bun run trigger:dev
 service create
 service deploy
+{{COMMAND_PROTECT_MAIN}}
 bun run dashboards
 bun run doctor
 bun run destroy
@@ -70,6 +71,16 @@ Worker deploy and fail clearly if these values are missing.
 GitHub Actions deploys require matching repository secrets:
 `TRIGGER_PROJECT_REF`, `TRIGGER_ACCESS_TOKEN`, and `TRIGGER_SECRET_KEY`.
 
+## GitHub main branch protection
+
+Generated repositories include GitHub Actions workflows for CI and production deploys. `service create` reconciles `main` branch protection after creating and pushing the GitHub repository. To rerun reconciliation for an existing generated repo:
+
+```bash
+{{COMMAND_PROTECT_MAIN}}
+```
+
+The protection requires the generated `test` and `deploy` status checks, pull requests, stale-review dismissal, conversation resolution, and admin enforcement. If GitHub permissions are missing, rerun the command with a token that has repo admin access or fine-grained `Administration: write`.
+
 The Trigger.dev CLI is installed in this generated package as a dev dependency
 from the `trigger.dev` npm package.
 Use `bun run trigger -- <args>` for ad-hoc commands, `bun run trigger:dev` for

package/templates/targets/workers/package.json

@@ -11,6 +11,7 @@
     "test": "bun test",
     "create": "service create",
     "deploy": "service deploy",
+    "protect-main": "service protect-main",
     "dashboards": "service dashboards",
     "auth": "service auth",
     "destroy": "service destroy",

package/templates/variants/bun-connectrpc/Makefile

@@ -1,4 +1,4 @@
-.PHONY: dev migrate gen lint test create deploy dashboards observability-bootstrap auth destroy
+.PHONY: dev migrate gen lint test create deploy protect-main dashboards observability-bootstrap auth destroy
 
 SERVICE := service
 
@@ -23,6 +23,9 @@ create:
 deploy:
 	$(SERVICE) deploy $(ARGS)
 
+protect-main:
+	$(SERVICE) protect-main $(ARGS)
+
 dashboards:
 	$(SERVICE) dashboards
 

package/templates/variants/bun-connectrpc/package.json

@@ -11,6 +11,7 @@
     "test": "bun test",
     "create": "service create",
     "deploy": "service deploy",
+    "protect-main": "service protect-main",
     "dashboards": "service dashboards",
     "observability-bootstrap": "service observability-bootstrap",
     "auth": "service auth",

package/templates/variants/bun-hono/Makefile

@@ -1,4 +1,4 @@
-.PHONY: dev migrate gen lint test create deploy dashboards observability-bootstrap auth destroy
+.PHONY: dev migrate gen lint test create deploy protect-main dashboards observability-bootstrap auth destroy
 
 SERVICE := service
 
@@ -23,6 +23,9 @@ create:
 deploy:
 	$(SERVICE) deploy $(ARGS)
 
+protect-main:
+	$(SERVICE) protect-main $(ARGS)
+
 dashboards:
 	$(SERVICE) dashboards
 

package/templates/variants/bun-hono/package.json

@@ -11,6 +11,7 @@
     "test": "bun test",
     "create": "service create",
     "deploy": "service deploy",
+    "protect-main": "service protect-main",
     "dashboards": "service dashboards",
     "observability-bootstrap": "service observability-bootstrap",
     "auth": "service auth",

package/templates/variants/go-chi/Makefile

@@ -1,4 +1,4 @@
-.PHONY: dev migrate migrate-lint gen lint test create deploy dashboards observability-bootstrap auth destroy
+.PHONY: dev migrate migrate-lint gen lint test create deploy protect-main dashboards observability-bootstrap auth destroy
 
 SERVICE := service
 WITH_ENV := set -a; [ ! -f .env.local ] || . ./.env.local; set +a;
@@ -33,6 +33,9 @@ create:
 deploy:
 	$(SERVICE) deploy $(ARGS)
 
+protect-main:
+	$(SERVICE) protect-main $(ARGS)
+
 dashboards:
 	$(SERVICE) dashboards
 

package/templates/variants/go-chi/package.json

@@ -11,6 +11,7 @@
     "test": "make test",
     "create": "service create",
     "deploy": "service deploy",
+    "protect-main": "service protect-main",
     "auth": "service auth",
     "dashboards": "service dashboards",
     "destroy": "service destroy"

package/templates/variants/go-connectrpc/Makefile

@@ -1,4 +1,4 @@
-.PHONY: dev migrate migrate-lint gen lint test create deploy dashboards observability-bootstrap auth destroy
+.PHONY: dev migrate migrate-lint gen lint test create deploy protect-main dashboards observability-bootstrap auth destroy
 
 SERVICE := service
 WITH_ENV := set -a; [ ! -f .env.local ] || . ./.env.local; set +a;
@@ -34,6 +34,9 @@ create:
 deploy:
 	$(SERVICE) deploy $(ARGS)
 
+protect-main:
+	$(SERVICE) protect-main $(ARGS)
+
 dashboards:
 	$(SERVICE) dashboards
 

package/templates/variants/go-connectrpc/package.json

@@ -11,6 +11,7 @@
     "test": "make test",
     "create": "service create",
     "deploy": "service deploy",
+    "protect-main": "service protect-main",
     "auth": "service auth",
     "dashboards": "service dashboards",
     "destroy": "service destroy"