create-svc 0.1.8 → 0.1.10

package/templates/shared/README.md

@@ -2,62 +2,179 @@
 
 Generated by `create-svc`.
 
-This scaffold targets `{{RUNTIME}} + {{FRAMEWORK}}` on Cloud Run with:
+This `{{PROFILE}}` profile targets `{{RUNTIME}} + {{FRAMEWORK}}` on Cloud Run with:
 
 - one generated `service.yaml` manifest
-- Bun-based `bootstrap` and `deploy` helpers
-- GitHub Actions for CI, `main` deploys, PR previews, and personal environments
+- a lightweight `{{EXAMPLE_LABEL}}` example surface
+- local Docker Compose Postgres for first-run development
+- a local `svc-cloudrun` CLI for bootstrap, deploy, and cleanup
 - GCP project bootstrap with billing and quota-project-aware `gcloud` calls
-- Neon main, preview, and personal branch provisioning
+- Neon-backed remote database provisioning during bootstrap and deploy
+- GCS-backed image attachments
+- typed HTTP webhook ingestion
+- a production API origin at `https://{{API_HOSTNAME}}`
+
+The default happy path is standalone. Terraform is optional: advanced users can
+precreate shared foundations and point this package at them, but a generated app
+does not need Terraform state, Terraform plans, a control plane, or a platform
+console to bootstrap and deploy.
 
 ## Commands
 
 ```bash
-bun dev
-bun gen
-bun lint
-bun test
-bun run bootstrap
-bun run deploy
-bun run deploy -- --environment personal --name <slug>
-bun run deploy -- --destroy --environment personal --name <slug>
+{{COMMAND_DEV}}
+{{COMMAND_MIGRATE}}
+{{COMMAND_GEN}}
+{{COMMAND_LINT}}
+{{COMMAND_TEST}}
+{{COMMAND_BOOTSTRAP}}
+{{COMMAND_DEPLOY}}
+{{COMMAND_DEPLOY_PERSONAL}}
+{{COMMAND_DEPLOY_DESTROY}}
+{{COMMAND_CLEANUP}}
+{{COMMAND_CLEANUP_PROJECT}}
+```
+
+## Local development
+
+The scaffold writes a ready-to-use `.env.local` and includes a local Postgres service in `docker-compose.yml`.
+
+First local run:
+
+```bash
+docker compose up -d
+{{COMMAND_MIGRATE}}
+{{COMMAND_DEV}}
 ```
 
-## Configuration
+Local runtime uses:
+
+- `DATABASE_URL` from `.env.local`, pointed at Docker Compose Postgres
+- `ATTACHMENT_BUCKET`
+- `ATTACHMENT_PUBLIC_BASE_URL`
+
+The local attachment settings are generated so startup works out of the box. Attachment upload endpoints still rely on GCS credentials when you exercise signed-upload flows locally.
+
+## Remote provisioning
 
 The generated Cloud Run config lives in [scripts/cloudrun/config.ts](scripts/cloudrun/config.ts).
 
-Bootstrap and deploy use:
+Bootstrap, deploy, and cleanup use:
 
+- known-good CLIs first, especially `gcloud`
 - `gcloud`
-- `gh`
-- `NEON_API_KEY`, or a working Vault login via `VAULT_ADDR` + `VAULT_TOKEN`
+- `NEON_API_KEY`, or a working Vault login via `VAULT_ADDR` plus `VAULT_TOKEN`, `VAULT_TOKEN_FILE`, or `~/.vault-token`
+- the package-local CLI via `npx --no-install svc-cloudrun ...`
 
-## Environment setup
+Local provisioning intentionally prefers known-good CLIs over SDKs for Google Cloud operations.
 
-For project-specific Vault settings, prefer repo-local config over shell startup files:
+Authenticate `gcloud` on the machine before running provisioning commands:
 
 ```bash
-cp .env.example .env.local
+gcloud auth login
 ```
 
-Then edit `.env.local` with your Vault address and secret path overrides.
+If you also want local Application Default Credentials available for other tools, run:
 
-For the token itself, prefer a live shell session:
+```bash
+gcloud auth application-default login
+```
+
+The generated backend scripts still use `gcloud` as the primary control plane even when ADC is present.
+
+For the Neon admin credential, prefer a normal Vault login flow:
 
 ```bash
 vault login
-export VAULT_TOKEN="$(vault print token)"
 ```
 
-or however your existing Vault login flow exposes `VAULT_TOKEN`.
+The scaffold will use, in order:
+
+1. `VAULT_TOKEN`
+2. `VAULT_TOKEN_FILE`
+3. `~/.vault-token`
 
 That keeps stable settings in the repo and keeps the token out of `~/.zshrc`.
 
-Optional Vault overrides for Neon admin key lookup:
+Optional remote-only Vault overrides for Neon admin key lookup:
 
 - `VAULT_SECRET_MOUNT` default `secret`
-- `VAULT_NEON_API_KEY_PATH` default `provider/neon-api-key`
-- `VAULT_NEON_API_KEY_FIELD` default `value`
+- `VAULT_NEON_API_KEY_PATH` default `prod/providers/neon`
+- `VAULT_NEON_API_KEY_FIELD` default `api_key`
 
 The generator only stores application-facing connection material in Secret Manager. Neon admin credentials stay local to bootstrap and deploy.
+
+For attachments, the generated Cloud Run manifest injects:
+
+- `ATTACHMENT_BUCKET`
+- `ATTACHMENT_PUBLIC_BASE_URL`
+
+Webhook signature hooks are provider-specific and optional in v1. The generic adapter will honor:
+
+- `WEBHOOK_<PROVIDER>_SECRET`
+
+## One-command production bootstrap
+
+The one-command production bootstrap path is designed for a fresh standalone service.
+
+When generated through `create-svc` with `--bootstrap`, the intended flow is:
+
+```bash
+bun create svc {{SERVICE_NAME}} --bootstrap --yes
+```
+
+That command scaffolds this package, runs bootstrap, deploys the production
+Cloud Run service, and fails loudly with resumable instructions if a required
+cloud or provider credential is missing. The generated package can also be run
+manually:
+
+```bash
+{{COMMAND_BOOTSTRAP}}
+{{COMMAND_DEPLOY}}
+```
+
+Bootstrap reads provider credentials from environment variables or from Vault
+when `VAULT_ADDR` and a Vault token are available. Runtime secrets are delivered
+to Cloud Run through app-project Secret Manager.
+
+## Production API
+
+The main environment is intended to be public at:
+
+```bash
+https://{{API_HOSTNAME}}
+```
+
+Preview and personal environments keep using deterministic Cloud Run hostnames in v1 so the generated backend stays easy to use inside standalone repos or monorepos.
+
+## Generated backend domain
+
+The generated microservice profile is a waitlist/launch service example. It is
+kept deliberately small so the integration plumbing is easy to remove or adapt:
+
+- public launch/waitlist submission
+- protected admin APIs
+- logo or social-image upload plumbing
+- provider webhook ingestion
+- Pro entitlement checks for paid capabilities
+
+The current backend plumbing includes:
+
+- `users`
+- `conversations`
+- `conversation_participants`
+- `messages`
+- `attachments`
+- `webhook_events`
+
+HTTP variants expose REST endpoints for chat CRUD, attachment upload/finalize, and `/webhooks/:provider`.
+
+ConnectRPC variants expose typed unary chat and attachment RPCs, while keeping webhook ingress on plain HTTP.
+
+Transcript reads are newest-first and cursor-paginated:
+
+- REST: `GET /v1/conversations/{conversationId}/messages?cursor=...&limit=...`
+- ConnectRPC: `ListMessages(conversation_id, cursor, limit)`
+- default page size `50`, max page size `100`
+- message payloads include lightweight attachment metadata only
+{{LOCAL_INTROSPECTION_NOTE}}

package/templates/shared/docker-compose.yml

@@ -0,0 +1,19 @@
+services:
+  postgres:
+    image: postgres:16-alpine
+    environment:
+      POSTGRES_DB: {{LOCAL_DATABASE_NAME}}
+      POSTGRES_USER: {{LOCAL_DATABASE_USER}}
+      POSTGRES_PASSWORD: {{LOCAL_DATABASE_PASSWORD}}
+    ports:
+      - "127.0.0.1:{{LOCAL_DATABASE_PORT}}:5432"
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U {{LOCAL_DATABASE_USER}} -d {{LOCAL_DATABASE_NAME}}"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+
+volumes:
+  postgres-data:

package/templates/shared/scripts/cloudrun/bootstrap.ts

@@ -1,5 +1,6 @@
-import { config, githubVariables } from "./config";
-import { ensureDatabase, getConnectionUri } from "./neon";
+import { config } from "./config";
+import { publishProviderRuntimeSecrets } from "./integrations";
+import { ensureDatabase, getConnectionUri, resolveNeonConfig } from "./neon";
 import {
   addSecretVersion,
   attachBilling,
@@ -8,79 +9,51 @@ import {
   ensureProjectRole,
   ensureSecretAccessor,
   ensureServiceAccount,
-  ensureServiceAccountRole,
-  ensureWorkloadIdentityPool,
-  ensureWorkloadIdentityProvider,
+  ensureStorageBucket,
   gcloud,
   requireCommand,
+  requireGcloudAuth,
   resolveDeploymentTarget,
   runMain,
   runStep,
-  setGithubVariable,
-  workloadIdentityPoolResource,
-  workloadIdentityProviderResource,
 } from "./lib";
 
 export async function bootstrap() {
   requireCommand("gcloud");
-  requireCommand("gh");
+  requireGcloudAuth();
 
   await runStep("Ensuring GCP project", () => ensureProject());
   await runStep("Attaching billing", () => attachBilling());
   await runStep("Enabling required GCP APIs", () => gcloud(["services", "enable", ...config.requiredApis, "--project", config.project.id]));
 
-  await runStep("Ensuring runtime and deployer service accounts", () => {
+  await runStep("Ensuring runtime service account", () => {
     ensureServiceAccount(config.runtimeServiceAccount);
-    ensureServiceAccount(config.deployerServiceAccount);
   });
 
   await runStep("Ensuring Artifact Registry repository", () => ensureArtifactRepository());
+  await runStep("Ensuring attachment storage bucket", () => ensureStorageBucket());
 
   await runStep("Granting project roles", () => {
-    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/run.admin");
-    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/cloudbuild.builds.editor");
-    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/artifactregistry.writer");
-    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/serviceusage.serviceUsageConsumer");
     ensureProjectRole(`serviceAccount:${config.runtimeServiceAccount}`, "roles/secretmanager.secretAccessor");
-    ensureServiceAccountRole(config.runtimeServiceAccount, `serviceAccount:${config.deployerServiceAccount}`, "roles/iam.serviceAccountUser");
   });
 
-  await runStep("Ensuring Workload Identity setup", () => {
-    ensureWorkloadIdentityPool();
-    ensureWorkloadIdentityProvider();
-    ensureServiceAccountRole(
-      config.deployerServiceAccount,
-      `principalSet://iam.googleapis.com/${workloadIdentityPoolResource()}/attribute.repository/${config.github.repo}`,
-      "roles/iam.workloadIdentityUser"
-    );
-  });
-
-  if (!config.neon.projectId || !config.neon.baseBranchId) {
-    throw new Error("Neon project and base branch must be configured before bootstrap");
-  }
+  const neon = await runStep("Resolving Neon defaults", () => resolveNeonConfig());
 
   const target = resolveDeploymentTarget("main");
-  await runStep("Ensuring Neon database", () => ensureDatabase(config.neon.projectId, config.neon.baseBranchId, config.neon.databaseName));
+  await runStep("Ensuring Neon database", () => ensureDatabase(neon.projectId, neon.baseBranchId, neon.databaseName));
 
   await runStep("Publishing database secret", async () => {
     const connectionUri = await getConnectionUri(
-      config.neon.projectId,
-      config.neon.baseBranchId,
-      config.neon.databaseName,
-      config.neon.roleName
+      neon.projectId,
+      neon.baseBranchId,
+      neon.databaseName,
+      neon.roleName
     );
     addSecretVersion(target.databaseSecretName, connectionUri);
     ensureSecretAccessor(target.databaseSecretName, `serviceAccount:${config.runtimeServiceAccount}`);
   });
 
-  await runStep("Configuring GitHub repository variables", () => {
-    for (const [name, value] of Object.entries(githubVariables)) {
-      setGithubVariable(name, value);
-    }
-
-    setGithubVariable("GCP_WIF_PROVIDER", workloadIdentityProviderResource());
-    setGithubVariable("GCP_DEPLOYER_SERVICE_ACCOUNT", config.deployerServiceAccount);
-  });
+  await runStep("Publishing provider runtime secrets", () => publishProviderRuntimeSecrets(target));
 }
 
 if (import.meta.main) {

package/templates/shared/scripts/cloudrun/cleanup.ts

@@ -1,18 +1,17 @@
 import { log } from "@clack/prompts";
-import { config, githubVariables } from "./config";
-import { deleteBranch, deleteDatabase, listBranches } from "./neon";
+import { config } from "./config";
+import { deleteBranch, deleteDatabase, listBranches, resolveNeonConfig } from "./neon";
 import {
-  deleteGithubRepository,
-  deleteGithubVariable,
   deleteProject,
+  deleteProductionDomainMapping,
   deleteSecret,
   deleteService,
   deleteServiceAccount,
-  deleteWorkloadIdentityProvider,
   listCloudRunServices,
   listSecrets,
   parseCleanupArgs,
   requireCommand,
+  requireGcloudAuth,
   runMain,
   runStep,
 } from "./lib";
@@ -27,9 +26,12 @@ function matchesSecretResource(name: string) {
 
 export async function cleanup(args = Bun.argv.slice(2)) {
   requireCommand("gcloud");
+  requireGcloudAuth();
 
   const options = parseCleanupArgs(args);
 
+  await runStep(`Deleting production domain mapping ${config.domain.hostname}`, () => deleteProductionDomainMapping());
+
   const services = await runStep("Finding Cloud Run services", () => listCloudRunServices());
   const serviceNames = services.filter(matchesServiceResource);
   await runStep("Deleting Cloud Run services", () => {
@@ -46,52 +48,36 @@ export async function cleanup(args = Bun.argv.slice(2)) {
     }
   });
 
-  if (config.neon.projectId && config.neon.baseBranchId) {
-    const branches = await runStep("Finding Neon branches", () => listBranches(config.neon.projectId));
+  try {
+    const neon = await runStep("Resolving Neon defaults", () => resolveNeonConfig());
+    const branches = await runStep("Finding Neon branches", () => listBranches(neon.projectId));
     const disposableBranches = branches.filter(
-      (branch) => branch.name.startsWith(`${config.neon.previewBranchPrefix}-`) || branch.name.startsWith(`${config.neon.personalBranchPrefix}-`)
+      (branch: { name: string }) =>
+        branch.name.startsWith(`${neon.previewBranchPrefix}-`) || branch.name.startsWith(`${neon.personalBranchPrefix}-`)
     );
 
     await runStep("Deleting Neon preview and personal branches", async () => {
       for (const branch of disposableBranches) {
-        await deleteBranch(config.neon.projectId, branch.id);
+        await deleteBranch(neon.projectId, branch.id);
       }
     });
 
-    await runStep("Deleting Neon service database", () =>
-      deleteDatabase(config.neon.projectId, config.neon.baseBranchId, config.neon.databaseName)
-    );
-  } else {
+    await runStep("Deleting Neon service database", () => deleteDatabase(neon.projectId, neon.baseBranchId, neon.databaseName));
+  } catch (error) {
     log.step("Skipping Neon cleanup because Neon is not configured");
+    log.step(error instanceof Error ? error.message : String(error));
   }
 
   await runStep("Deleting service-specific identity resources", () => {
-    deleteWorkloadIdentityProvider();
     deleteServiceAccount(config.runtimeServiceAccount);
-    deleteServiceAccount(config.deployerServiceAccount);
   });
 
-  if (Bun.which("gh")) {
-    await runStep("Deleting GitHub repository variables", () => {
-      for (const name of [...Object.keys(githubVariables), "GCP_WIF_PROVIDER", "GCP_DEPLOYER_SERVICE_ACCOUNT"]) {
-        deleteGithubVariable(name);
-      }
-    });
-
-    if (options.destroyRepo) {
-      await runStep(`Deleting GitHub repository ${config.github.repo}`, () => deleteGithubRepository());
-    }
-  } else if (options.destroyRepo) {
-    throw new Error("gh is required to delete the GitHub repository");
-  } else {
-    log.step("Skipping GitHub cleanup because gh is not installed");
-  }
-
   if (options.destroyProject) {
     await runStep(`Deleting GCP project ${config.project.id}`, () => deleteProject());
     return `Deleted project ${config.project.id}`;
   }
 
+  log.step(`Production API hostname released: ${config.domain.hostname}`);
   return `Cleanup finished for ${config.serviceName}`;
 }
 

package/templates/shared/scripts/cloudrun/config.ts

@@ -1,13 +1,16 @@
 export const config = {
   serviceName: "{{SERVICE_NAME}}",
+  profile: "{{PROFILE}}",
+  example: {
+    kind: "{{EXAMPLE_KIND}}",
+    domain: "{{EXAMPLE_DOMAIN}}",
+    label: "{{EXAMPLE_LABEL}}",
+  },
   runtime: "{{RUNTIME}}",
   framework: "{{FRAMEWORK}}",
   region: "{{REGION}}",
   artifactRepository: "cloud-run",
   runtimeServiceAccount: "{{RUNTIME_SERVICE_ACCOUNT}}",
-  deployerServiceAccount: "{{DEPLOYER_SERVICE_ACCOUNT}}",
-  workloadIdentityPoolId: "{{WIF_POOL_ID}}",
-  workloadIdentityProviderId: "{{WIF_PROVIDER_ID}}",
   project: {
     mode: "{{GCP_PROJECT_MODE}}",
     id: "{{PROJECT_ID}}",
@@ -16,10 +19,13 @@ export const config = {
     billingAccount: "{{BILLING_ACCOUNT}}",
     quotaProjectId: "{{QUOTA_PROJECT_ID}}",
   },
-  github: {
-    repo: "{{GITHUB_REPO}}",
-    visibility: "{{GITHUB_VISIBILITY}}",
-    createIfMissing: {{GITHUB_CREATE_IF_MISSING}},
+  domain: {
+    hostname: "{{API_HOSTNAME}}",
+    baseDomain: "{{API_BASE_DOMAIN}}",
+  },
+  storage: {
+    attachmentBucket: "{{ATTACHMENT_BUCKET}}",
+    attachmentPublicBaseUrl: "{{ATTACHMENT_PUBLIC_BASE_URL}}",
   },
   neon: {
     projectId: "{{NEON_PROJECT_ID}}",
@@ -38,20 +44,9 @@ export const config = {
     "iamcredentials.googleapis.com",
     "secretmanager.googleapis.com",
     "serviceusage.googleapis.com",
+    "storage.googleapis.com",
     "sts.googleapis.com",
   ],
 } as const;
 
-export const githubVariables = {
-  GCP_PROJECT_ID: "{{PROJECT_ID}}",
-  GCP_REGION: "{{REGION}}",
-  CLOUD_RUN_SERVICE: "{{SERVICE_NAME}}",
-  CREATE_SVC_RUNTIME: "{{RUNTIME}}",
-  CREATE_SVC_FRAMEWORK: "{{FRAMEWORK}}",
-  NEON_PROJECT_ID: "{{NEON_PROJECT_ID}}",
-  NEON_BASE_BRANCH_ID: "{{NEON_BASE_BRANCH_ID}}",
-  NEON_DATABASE_NAME: "{{NEON_DATABASE_NAME}}",
-} as const;
-
 export type DeployEnvironment = "main" | "preview" | "personal";
-

package/templates/shared/scripts/cloudrun/deploy.ts

@@ -1,10 +1,12 @@
 import { config } from "./config";
 import { bootstrap } from "./bootstrap";
-import { deleteBranch, ensureBranch, ensureDatabase, getConnectionUri, listBranches } from "./neon";
+import { publishProviderRuntimeSecrets } from "./integrations";
+import { deleteBranch, ensureBranch, ensureDatabase, getConnectionUri, listBranches, resolveNeonConfig } from "./neon";
 import {
   addSecretVersion,
   deleteService,
   ensureArtifactRepository,
+  ensureProductionDomainMapping,
   ensureSecretAccessor,
   gcloud,
   imageUrl,
@@ -13,7 +15,7 @@ import {
   resolveDeploymentTarget,
   runMain,
   runStep,
-  serviceUrl,
+  serviceOrigin,
   writeRenderedManifest,
 } from "./lib";
 
@@ -27,6 +29,7 @@ export async function deploy(args = Bun.argv.slice(2)) {
   }
 
   const target = resolveDeploymentTarget(options.environment, options.name);
+  const neon = await runStep("Resolving Neon defaults", () => resolveNeonConfig());
 
   if (options.destroy) {
     if (options.environment === "main") {
@@ -35,10 +38,10 @@ export async function deploy(args = Bun.argv.slice(2)) {
 
     await runStep(`Deleting Cloud Run service ${target.serviceName}`, () => deleteService(target.serviceName));
     await runStep(`Deleting Neon branch ${target.branchName}`, async () => {
-      const branches = await listBranches(config.neon.projectId);
-      const branch = branches.find((candidate) => candidate.name === target.branchName);
+      const branches = await listBranches(neon.projectId);
+      const branch = branches.find((candidate: { name: string }) => candidate.name === target.branchName);
       if (branch) {
-        await deleteBranch(config.neon.projectId, branch.id);
+        await deleteBranch(neon.projectId, branch.id);
       }
     });
     return `Destroyed ${target.serviceName}`;
@@ -46,21 +49,23 @@ export async function deploy(args = Bun.argv.slice(2)) {
 
   await runStep("Ensuring Artifact Registry repository", () => ensureArtifactRepository());
 
-  let branchId = config.neon.baseBranchId;
+  let branchId: string = neon.baseBranchId;
   if (options.environment !== "main") {
     const branch = await runStep(`Ensuring Neon branch ${target.branchName}`, () =>
-      ensureBranch(config.neon.projectId, target.branchName, config.neon.baseBranchId)
+      ensureBranch(neon.projectId, target.branchName, neon.baseBranchId)
     );
     branchId = branch.id;
   }
 
   await runStep("Publishing environment database secret", async () => {
-    await ensureDatabase(config.neon.projectId, branchId, config.neon.databaseName);
-    const connectionUri = await getConnectionUri(config.neon.projectId, branchId, config.neon.databaseName, config.neon.roleName);
+    await ensureDatabase(neon.projectId, branchId, neon.databaseName);
+    const connectionUri = await getConnectionUri(neon.projectId, branchId, neon.databaseName, neon.roleName);
     addSecretVersion(target.databaseSecretName, connectionUri);
     ensureSecretAccessor(target.databaseSecretName, `serviceAccount:${config.runtimeServiceAccount}`);
   });
 
+  await runStep("Publishing environment provider secrets", () => publishProviderRuntimeSecrets(target));
+
   const image = imageUrl();
   await runStep("Building container image", () =>
     gcloud(["builds", "submit", "--project", config.project.id, "--region", config.region, "--tag", image])
@@ -89,7 +94,11 @@ export async function deploy(args = Bun.argv.slice(2)) {
     ])
   );
 
-  return serviceUrl(target.serviceName);
+  if (target.environment === "main") {
+    await runStep(`Ensuring production domain mapping for ${config.domain.hostname}`, () => ensureProductionDomainMapping(target.serviceName));
+  }
+
+  return serviceOrigin(target);
 }
 
 if (import.meta.main) {

package/templates/shared/scripts/cloudrun/integrations.ts

@@ -0,0 +1,111 @@
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { config } from "./config";
+import {
+  addSecretVersion,
+  ensureSecretAccessor,
+  runtimeSecretNames,
+  type DeploymentTarget,
+} from "./lib";
+
+type ProviderSecret = {
+  envName: keyof ReturnType<typeof runtimeSecretNames>;
+  provider: string;
+  field: string;
+};
+
+const PROVIDER_SECRETS: ProviderSecret[] = [
+  { envName: "CLERK_SECRET_KEY", provider: "clerk", field: "secret_key" },
+  { envName: "CLERK_WEBHOOK_SECRET", provider: "clerk", field: "webhook_secret" },
+  { envName: "STRIPE_SECRET_KEY", provider: "stripe", field: "secret_key" },
+  { envName: "STRIPE_WEBHOOK_SECRET", provider: "stripe", field: "webhook_secret" },
+  { envName: "REVENUECAT_API_KEY", provider: "revenuecat", field: "api_key" },
+  { envName: "REVENUECAT_WEBHOOK_SECRET", provider: "revenuecat", field: "webhook_secret" },
+  { envName: "RESEND_API_KEY", provider: "resend", field: "api_key" },
+  { envName: "POSTHOG_API_KEY", provider: "posthog", field: "api_key" },
+];
+
+export async function publishProviderRuntimeSecrets(target: DeploymentTarget) {
+  const secretNames = runtimeSecretNames(target);
+  const missing: string[] = [];
+
+  for (const secret of PROVIDER_SECRETS) {
+    const value = await resolveProviderSecret(secret);
+    if (!value) {
+      missing.push(formatMissingSecret(secret));
+      continue;
+    }
+
+    addSecretVersion(secretNames[secret.envName], value);
+    ensureSecretAccessor(secretNames[secret.envName], `serviceAccount:${config.runtimeServiceAccount}`);
+  }
+
+  if (missing.length > 0) {
+    throw new Error(
+      [
+        "Provider bootstrap credentials are required for the strict production bootstrap path.",
+        "Set the missing environment variables or write the matching Vault fields, then rerun the same bootstrap/deploy command.",
+        ...missing.map((item) => `- ${item}`),
+      ].join("\n")
+    );
+  }
+}
+
+async function resolveProviderSecret(secret: ProviderSecret) {
+  const direct = process.env[secret.envName]?.trim();
+  if (direct) {
+    return direct;
+  }
+
+  const addr = process.env.VAULT_ADDR?.trim() ?? "";
+  const token = await resolveVaultToken();
+  if (!addr || !token) {
+    return "";
+  }
+
+  const mount = process.env.VAULT_SECRET_MOUNT?.trim() ?? "secret";
+  const path = providerVaultPath(secret.provider);
+  const normalizedAddr = addr.replace(/\/+$/g, "");
+  const normalizedMount = mount.replace(/^\/+|\/+$/g, "");
+  const response = await fetch(`${normalizedAddr}/v1/${normalizedMount}/data/${path}`, {
+    headers: {
+      "X-Vault-Token": token,
+    },
+  });
+
+  if (!response.ok) {
+    return "";
+  }
+
+  const payload = (await response.json()) as {
+    data?: {
+      data?: Record<string, string | undefined>;
+    };
+  };
+
+  return payload.data?.data?.[secret.field]?.trim() ?? "";
+}
+
+async function resolveVaultToken() {
+  const direct = process.env.VAULT_TOKEN?.trim();
+  if (direct) {
+    return direct;
+  }
+
+  const tokenFile = process.env.VAULT_TOKEN_FILE?.trim() || join(process.env.HOME?.trim() || homedir(), ".vault-token");
+
+  try {
+    return (await Bun.file(tokenFile).text()).trim();
+  } catch {
+    return "";
+  }
+}
+
+function providerVaultPath(provider: string) {
+  const override = process.env[`VAULT_${provider.toUpperCase()}_PATH`]?.trim();
+  return (override || `prod/providers/${provider}`).replace(/^\/+/g, "");
+}
+
+function formatMissingSecret(secret: ProviderSecret) {
+  return `${secret.envName} or Vault secret/${providerVaultPath(secret.provider)} field ${secret.field}`;
+}