create-svc 0.1.8 → 0.1.9

package/README.md

@@ -1,12 +1,14 @@
 # create-svc
 
-`create-svc` is a Bun-authored scaffold CLI for generating a Go Cloud Run service with:
+`create-svc` is a Bun-authored scaffold CLI for generating Cloud Run services with:
 
-- Chi HTTP routes
-- ConnectRPC handlers
-- a real Cloud Run service manifest
-- Bun-based deployment helpers
-- Vault-backed Cloudflare DNS CRUD as the default example
+- `go + chi`
+- `go + connectrpc`
+- `bun + hono`
+- `bun + connectrpc`
+- a real `service.yaml` manifest
+- shared Cloud Run bootstrap, deploy, and cleanup automation
+- Neon-backed main, preview, and personal environments
 
 ## Usage
 
@@ -15,14 +17,22 @@ bun install
 bun run index.ts my-service
 ```
 
-The generated service supports:
+The generator discovers:
+
+- accessible GCP projects
+- open billing accounts
+- Neon defaults from `NEON_API_KEY`, or Vault via `VAULT_ADDR` plus `VAULT_TOKEN`, `VAULT_TOKEN_FILE`, or `~/.vault-token`
+
+Generated repos are `Makefile`-first. The shared Cloud Run control plane is exposed as a local CLI bin and invoked by `make`.
 
 ```bash
-bun dev
-bun gen
-bun lint
-bun test
-bun run deploy
+make dev
+make gen
+make lint
+make test
+make bootstrap
+make deploy
+make cleanup
 ```
 
 ## Development

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-svc",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "description": "Bun-authored CLI to scaffold Go Cloud Run services with Chi, ConnectRPC, Vault, and Cloudflare examples.",
   "module": "index.ts",
   "type": "module",

package/src/cli.test.ts

@@ -19,7 +19,7 @@ test("assertDiscoveryReady requires Neon discovery to succeed", () => {
       neonError: "Vault secret resolution requires VAULT_ADDR, VAULT_TOKEN, and a secret path",
     })
   ).toThrow(
-    "Neon discovery is required before scaffolding. Set NEON_API_KEY, or use Vault by providing VAULT_ADDR and VAULT_TOKEN. Optional overrides: VAULT_SECRET_MOUNT, VAULT_NEON_API_KEY_PATH, VAULT_NEON_API_KEY_FIELD."
+    "Neon discovery is required before scaffolding. Set NEON_API_KEY, or use Vault by providing VAULT_ADDR and either VAULT_TOKEN, VAULT_TOKEN_FILE, or ~/.vault-token. Optional overrides: VAULT_SECRET_MOUNT, VAULT_NEON_API_KEY_PATH, VAULT_NEON_API_KEY_FIELD."
   );
 });
 

package/src/cli.ts

@@ -550,7 +550,7 @@ function formatNeonDiscoveryRequirement(reason: string) {
   if (reason.includes("Vault secret resolution requires")) {
     return [
       "Neon discovery is required before scaffolding.",
-      "Set NEON_API_KEY, or use Vault by providing VAULT_ADDR and VAULT_TOKEN.",
+      "Set NEON_API_KEY, or use Vault by providing VAULT_ADDR and either VAULT_TOKEN, VAULT_TOKEN_FILE, or ~/.vault-token.",
       "Optional overrides: VAULT_SECRET_MOUNT, VAULT_NEON_API_KEY_PATH, VAULT_NEON_API_KEY_FIELD.",
     ].join(" ");
   }

package/src/vault.test.ts

@@ -1,4 +1,5 @@
 import { afterEach, expect, mock, test } from "bun:test";
+import { mkdir } from "node:fs/promises";
 import { readVaultSecret, resolveNeonApiKey } from "./vault";
 
 const originalEnv = { ...process.env };
@@ -40,3 +41,35 @@ test("readVaultSecret reads KV v2 secret data using existing vault login env", a
     })
   ).resolves.toBe("vault-token");
 });
+
+test("readVaultSecret falls back to ~/.vault-token", async () => {
+  const home = "/tmp/create-svc-vault-home";
+  process.env.HOME = home;
+  process.env.VAULT_ADDR = "https://vault.example.com";
+  delete process.env.VAULT_TOKEN;
+
+  await mkdir(home, { recursive: true });
+  await Bun.write(`${home}/.vault-token`, "token-from-file\n");
+
+  const fetchMock = mock(async () => {
+    return new Response(
+      JSON.stringify({
+        data: {
+          data: {
+            value: "vault-token",
+          },
+        },
+      }),
+      { status: 200 }
+    );
+  });
+
+  globalThis.fetch = fetchMock as typeof fetch;
+
+  await expect(
+    readVaultSecret({
+      path: "provider/neon-api-key",
+      field: "value",
+    })
+  ).resolves.toBe("vault-token");
+});

package/src/vault.ts

@@ -1,3 +1,6 @@
+import { homedir } from "node:os";
+import { join } from "node:path";
+
 const DEFAULT_VAULT_SECRET_MOUNT = "secret";
 const DEFAULT_NEON_API_KEY_PATH = "provider/neon-api-key";
 const DEFAULT_NEON_API_KEY_FIELD = "value";
@@ -24,13 +27,13 @@ export async function resolveNeonApiKey() {
 
 export async function readVaultSecret(options: VaultSecretOptions = {}) {
   const addr = options.addr ?? process.env.VAULT_ADDR?.trim() ?? "";
-  const token = options.token ?? process.env.VAULT_TOKEN?.trim() ?? "";
+  const token = options.token ?? (await resolveVaultToken());
   const mount = options.mount ?? process.env.VAULT_SECRET_MOUNT?.trim() ?? DEFAULT_VAULT_SECRET_MOUNT;
   const path = options.path?.trim() ?? "";
   const field = options.field?.trim() ?? "value";
 
   if (!addr || !token || !path) {
-    throw new Error("Vault secret resolution requires VAULT_ADDR, VAULT_TOKEN, and a secret path");
+    throw new Error("Vault secret resolution requires VAULT_ADDR, a Vault token, and a secret path");
   }
 
   const normalizedAddr = addr.replace(/\/+$/g, "");
@@ -61,3 +64,19 @@ export async function readVaultSecret(options: VaultSecretOptions = {}) {
 
   return value;
 }
+
+async function resolveVaultToken() {
+  const direct = process.env.VAULT_TOKEN?.trim();
+  if (direct) {
+    return direct;
+  }
+
+  const tokenFile = process.env.VAULT_TOKEN_FILE?.trim() || join(homedir(), ".vault-token");
+
+  try {
+    const value = (await Bun.file(tokenFile).text()).trim();
+    return value;
+  } catch {
+    return "";
+  }
+}

package/templates/shared/.env.example

@@ -6,5 +6,5 @@ VAULT_SECRET_MOUNT=secret
 VAULT_NEON_API_KEY_PATH=provider/neon-api-key
 VAULT_NEON_API_KEY_FIELD=value
 
-# Do not commit VAULT_TOKEN. Prefer `vault login` in your shell session.
-
+# Do not commit VAULT_TOKEN. Prefer `vault login`; the CLI will also use
+# VAULT_TOKEN_FILE or ~/.vault-token when available.

package/templates/shared/README.md

@@ -5,7 +5,7 @@ Generated by `create-svc`.
 This scaffold targets `{{RUNTIME}} + {{FRAMEWORK}}` on Cloud Run with:
 
 - one generated `service.yaml` manifest
-- Bun-based `bootstrap` and `deploy` helpers
+- a local `svc-cloudrun` CLI for bootstrap, deploy, and cleanup
 - GitHub Actions for CI, `main` deploys, PR previews, and personal environments
 - GCP project bootstrap with billing and quota-project-aware `gcloud` calls
 - Neon main, preview, and personal branch provisioning
@@ -13,25 +13,28 @@ This scaffold targets `{{RUNTIME}} + {{FRAMEWORK}}` on Cloud Run with:
 ## Commands
 
 ```bash
-bun dev
-bun gen
-bun lint
-bun test
-bun run bootstrap
-bun run deploy
-bun run deploy -- --environment personal --name <slug>
-bun run deploy -- --destroy --environment personal --name <slug>
+make dev
+make gen
+make lint
+make test
+make bootstrap
+make deploy
+make deploy ARGS="--environment personal --name <slug>"
+make deploy ARGS="--destroy --environment personal --name <slug>"
+make cleanup
+make cleanup ARGS="--repo --project"
 ```
 
 ## Configuration
 
 The generated Cloud Run config lives in [scripts/cloudrun/config.ts](scripts/cloudrun/config.ts).
 
-Bootstrap and deploy use:
+Bootstrap, deploy, and cleanup use:
 
 - `gcloud`
 - `gh`
-- `NEON_API_KEY`, or a working Vault login via `VAULT_ADDR` + `VAULT_TOKEN`
+- `NEON_API_KEY`, or a working Vault login via `VAULT_ADDR` plus `VAULT_TOKEN`, `VAULT_TOKEN_FILE`, or `~/.vault-token`
+- the local repo CLI via `npx --no-install svc-cloudrun ...`
 
 ## Environment setup
 
@@ -43,14 +46,17 @@ cp .env.example .env.local
 
 Then edit `.env.local` with your Vault address and secret path overrides.
 
-For the token itself, prefer a live shell session:
+For the token itself, prefer a normal Vault login flow:
 
 ```bash
 vault login
-export VAULT_TOKEN="$(vault print token)"
 ```
 
-or however your existing Vault login flow exposes `VAULT_TOKEN`.
+The scaffold will use, in order:
+
+1. `VAULT_TOKEN`
+2. `VAULT_TOKEN_FILE`
+3. `~/.vault-token`
 
 That keeps stable settings in the repo and keeps the token out of `~/.zshrc`.
 

package/templates/shared/scripts/cloudrun/neon.ts

@@ -1,4 +1,6 @@
 import { createApiClient } from "@neondatabase/api-client";
+import { homedir } from "node:os";
+import { join } from "node:path";
 import { config } from "./config";
 
 type NeonBranch = {
@@ -13,13 +15,13 @@ async function resolveNeonApiKey() {
   }
 
   const addr = process.env.VAULT_ADDR?.trim() ?? "";
-  const token = process.env.VAULT_TOKEN?.trim() ?? "";
+  const token = await resolveVaultToken();
   const mount = process.env.VAULT_SECRET_MOUNT?.trim() ?? "secret";
   const path = process.env.VAULT_NEON_API_KEY_PATH?.trim() ?? "provider/neon-api-key";
   const field = process.env.VAULT_NEON_API_KEY_FIELD?.trim() ?? "value";
 
   if (!addr || !token) {
-    throw new Error("NEON_API_KEY is required for Neon provisioning, or set VAULT_ADDR and VAULT_TOKEN");
+    throw new Error("NEON_API_KEY is required for Neon provisioning, or set VAULT_ADDR with VAULT_TOKEN, VAULT_TOKEN_FILE, or ~/.vault-token");
   }
 
   const normalizedAddr = addr.replace(/\/+$/g, "");
@@ -49,6 +51,21 @@ async function resolveNeonApiKey() {
   return apiKey;
 }
 
+async function resolveVaultToken() {
+  const direct = process.env.VAULT_TOKEN?.trim();
+  if (direct) {
+    return direct;
+  }
+
+  const tokenFile = process.env.VAULT_TOKEN_FILE?.trim() || join(homedir(), ".vault-token");
+
+  try {
+    return (await Bun.file(tokenFile).text()).trim();
+  } catch {
+    return "";
+  }
+}
+
 async function neonClient() {
   const apiKey = await resolveNeonApiKey();
   return createApiClient({ apiKey });