create-svc 0.1.9 → 0.1.11

package/templates/variants/bun-connectrpc/scripts/migrate.ts

@@ -0,0 +1,49 @@
+import { SQL } from "bun";
+import { ensureLocalPostgres } from "./local-docker";
+
+await ensureLocalPostgres();
+
+const databaseUrl = Bun.env.DATABASE_URL?.trim();
+if (!databaseUrl) {
+  throw new Error("DATABASE_URL is required");
+}
+
+const client = new SQL(databaseUrl);
+await waitForDatabase(client);
+const migrationId = "0000_init_waitlist";
+const migrationSql = await Bun.file(new URL("../migrations/0000_init.sql", import.meta.url)).text();
+
+await client.unsafe(`create table if not exists schema_migrations (
+  id text primary key,
+  applied_at timestamptz not null default now()
+)`);
+
+const existing = await client`select id from schema_migrations where id = ${migrationId} limit 1`;
+if (existing.length === 0) {
+  await client.unsafe(migrationSql);
+  await client`insert into schema_migrations (id) values (${migrationId})`;
+  console.log(`Applied migration ${migrationId}`);
+} else {
+  console.log(`Migration ${migrationId} already applied`);
+}
+
+async function waitForDatabase(client: SQL, timeoutMs = 30_000) {
+  const start = Date.now();
+  let lastError: unknown;
+
+  while (Date.now() - start < timeoutMs) {
+    try {
+      await client.unsafe("select 1");
+      return;
+    } catch (error) {
+      lastError = error;
+      await Bun.sleep(1_000);
+    }
+  }
+
+  throw new Error(`Timed out waiting for DATABASE_URL to accept connections: ${formatError(lastError)}`);
+}
+
+function formatError(error: unknown) {
+  return error instanceof Error ? error.message : String(error ?? "unknown error");
+}

package/templates/variants/bun-connectrpc/src/auth.ts

@@ -0,0 +1,200 @@
+type AuthConfig = {
+  enabled: boolean;
+  issuer: string;
+  audience: string;
+  jwksUrl: string;
+};
+
+type JwtHeader = {
+  alg?: string;
+  kid?: string;
+};
+
+type JwtClaims = {
+  iss?: string;
+  aud?: string | string[];
+  exp?: number;
+  nbf?: number;
+};
+
+type Jwk = JsonWebKey & {
+  kid?: string;
+};
+
+type Jwks = {
+  keys: Jwk[];
+};
+
+type NodeHandler = (request: any, response: any) => void;
+
+const encoder = new TextEncoder();
+const jwksCache = new Map<string, { expiresAt: number; jwks: Jwks }>();
+
+export function withServiceAuth(handler: NodeHandler): NodeHandler {
+  return (request, response) => {
+    void authorizeRequest(request)
+      .then((authorized) => {
+        if (!authorized) {
+          respondUnauthorized(response);
+          return;
+        }
+        handler(request, response);
+      })
+      .catch(() => respondUnauthorized(response));
+  };
+}
+
+async function authorizeRequest(request: any) {
+  const config = authConfigFromEnv();
+  if (!config.enabled || isPublicPath(request)) {
+    return true;
+  }
+
+  const authorization = Array.isArray(request.headers.authorization)
+    ? request.headers.authorization[0]
+    : request.headers.authorization ?? "";
+  const token = bearerToken(authorization);
+  if (!token) {
+    return false;
+  }
+
+  await verifyAccessToken(token, config);
+  return true;
+}
+
+function authConfigFromEnv(): AuthConfig {
+  return {
+    enabled: truthy(Bun.env.AUTH_ENABLED),
+    issuer: Bun.env.AUTH_ISSUER ?? "",
+    audience: Bun.env.AUTH_AUDIENCE ?? "",
+    jwksUrl: Bun.env.AUTH_JWKS_URL ?? "",
+  };
+}
+
+function isPublicPath(request: any) {
+  const path = new URL(request.url ?? "/", "http://localhost").pathname;
+  return path === "/" || path === "/healthz" || path === "/readyz" || path.startsWith("/webhooks/");
+}
+
+async function verifyAccessToken(token: string, config: AuthConfig): Promise<JwtClaims> {
+  const parts = token.split(".");
+  if (parts.length !== 3 || !config.issuer || !config.audience || !config.jwksUrl) {
+    throw new Error("invalid auth config or token");
+  }
+
+  const [encodedHeader, encodedPayload, encodedSignature] = parts;
+  const header = decodeJSON<JwtHeader>(encodedHeader);
+  const claims = decodeJSON<JwtClaims>(encodedPayload);
+  const jwks = await fetchJwks(config.jwksUrl);
+  const key = selectKey(jwks, header);
+  if (!key || !header.alg) {
+    throw new Error("matching jwk not found");
+  }
+
+  const algorithm = importAlgorithm(header.alg, key);
+  const cryptoKey = await crypto.subtle.importKey("jwk", key, algorithm.import, false, ["verify"]);
+  const verified = await crypto.subtle.verify(
+    algorithm.verify,
+    cryptoKey,
+    toArrayBuffer(decodeBase64Url(encodedSignature)),
+    encoder.encode(`${encodedHeader}.${encodedPayload}`)
+  );
+  if (!verified) {
+    throw new Error("bad signature");
+  }
+
+  validateClaims(claims, config);
+  return claims;
+}
+
+async function fetchJwks(jwksUrl: string): Promise<Jwks> {
+  const cached = jwksCache.get(jwksUrl);
+  if (cached && cached.expiresAt > Date.now()) {
+    return cached.jwks;
+  }
+
+  const response = await fetch(jwksUrl);
+  if (!response.ok) {
+    throw new Error(`jwks fetch failed: ${response.status}`);
+  }
+  const jwks = (await response.json()) as Jwks;
+  jwksCache.set(jwksUrl, { jwks, expiresAt: Date.now() + 5 * 60 * 1000 });
+  return jwks;
+}
+
+function selectKey(jwks: Jwks, header: JwtHeader): Jwk | undefined {
+  if (header.kid) {
+    return jwks.keys.find((key) => key.kid === header.kid);
+  }
+  return jwks.keys.length === 1 ? jwks.keys[0] : undefined;
+}
+
+function importAlgorithm(alg: string, key: JsonWebKey) {
+  if (alg === "RS256") {
+    return {
+      import: { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+      verify: { name: "RSASSA-PKCS1-v1_5" },
+    } as const;
+  }
+  if (alg === "ES256" && key.crv === "P-256") {
+    return {
+      import: { name: "ECDSA", namedCurve: "P-256" },
+      verify: { name: "ECDSA", hash: "SHA-256" },
+    } as const;
+  }
+  if (alg === "EdDSA" && key.crv === "Ed25519") {
+    return {
+      import: { name: "Ed25519" },
+      verify: { name: "Ed25519" },
+    } as const;
+  }
+  throw new Error(`unsupported jwt alg: ${alg}`);
+}
+
+function validateClaims(claims: JwtClaims, config: AuthConfig) {
+  const now = Math.floor(Date.now() / 1000);
+  if (claims.iss !== config.issuer) {
+    throw new Error("issuer mismatch");
+  }
+  if (!audienceMatches(claims.aud, config.audience)) {
+    throw new Error("audience mismatch");
+  }
+  if (typeof claims.exp !== "number" || claims.exp <= now - 30) {
+    throw new Error("token expired");
+  }
+  if (typeof claims.nbf === "number" && claims.nbf > now + 30) {
+    throw new Error("token not active");
+  }
+}
+
+function audienceMatches(audience: JwtClaims["aud"], expected: string) {
+  return Array.isArray(audience) ? audience.includes(expected) : audience === expected;
+}
+
+function decodeJSON<T>(value: string): T {
+  return JSON.parse(new TextDecoder().decode(decodeBase64Url(value))) as T;
+}
+
+function decodeBase64Url(value: string): Uint8Array {
+  const base64 = value.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(value.length / 4) * 4, "=");
+  return Uint8Array.from(atob(base64), (char) => char.charCodeAt(0));
+}
+
+function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
+  return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength) as ArrayBuffer;
+}
+
+function bearerToken(value: string) {
+  const [scheme, token] = value.trim().split(/\s+/, 2);
+  return /^Bearer$/i.test(scheme) ? token : "";
+}
+
+function respondUnauthorized(response: any) {
+  response.statusCode = 401;
+  response.setHeader("Content-Type", "application/json");
+  response.end(JSON.stringify({ error: "invalid bearer token", code: "unauthorized" }));
+}
+
+function truthy(value: string | undefined) {
+  return ["1", "true", "yes", "on"].includes((value ?? "").trim().toLowerCase());
+}

package/templates/variants/bun-connectrpc/src/db/client.ts

@@ -0,0 +1,15 @@
+import { SQL } from "bun";
+import { drizzle } from "drizzle-orm/bun-sql";
+
+export function requireDatabaseUrl() {
+  const databaseUrl = Bun.env.DATABASE_URL?.trim();
+  if (!databaseUrl) {
+    throw new Error("DATABASE_URL is required");
+  }
+  return databaseUrl;
+}
+
+export function createDb(databaseUrl = requireDatabaseUrl()) {
+  const client = new SQL(databaseUrl);
+  return drizzle({ client });
+}

package/templates/variants/bun-connectrpc/src/db/repository.ts

@@ -0,0 +1,126 @@
+import { desc, eq } from "drizzle-orm";
+import type { createDb } from "./client";
+import { waitlistEntries, waitlistTriggers } from "./schema";
+import type { WaitlistEntry, WaitlistTrigger } from "../waitlist/types";
+
+type Database = ReturnType<typeof createDb>;
+type WaitlistEntryRow = typeof waitlistEntries.$inferSelect;
+
+type CreateEntryRecord = {
+  id: string;
+  email: string;
+  name: string | null;
+  company: string | null;
+  source: string | null;
+};
+
+type CreateTriggerRecord = {
+  id: string;
+  type: string;
+  entryId: string | null;
+  payloadJson: string;
+};
+
+export class WaitlistRepository {
+  constructor(private readonly db: Database) {}
+
+  async createEntry(input: CreateEntryRecord): Promise<WaitlistEntry> {
+    const now = new Date();
+    const [row] = await this.db
+      .insert(waitlistEntries)
+      .values({
+        id: input.id,
+        email: input.email,
+        name: input.name,
+        company: input.company,
+        source: input.source,
+        status: "joined",
+        createdAt: now,
+        updatedAt: now,
+      })
+      .returning();
+    return toWaitlistEntry(row);
+  }
+
+  async getEntryById(entryId: string): Promise<WaitlistEntry | null> {
+    const [row] = await this.db.select().from(waitlistEntries).where(eq(waitlistEntries.id, entryId)).limit(1);
+    return row ? toWaitlistEntry(row) : null;
+  }
+
+  async getEntryByEmail(email: string): Promise<WaitlistEntry | null> {
+    const [row] = await this.db.select().from(waitlistEntries).where(eq(waitlistEntries.email, email)).limit(1);
+    return row ? toWaitlistEntry(row) : null;
+  }
+
+  async listEntries(input: { status?: string | null; limit?: number | null } = {}): Promise<WaitlistEntry[]> {
+    const limit = clampLimit(input.limit);
+    const rows = input.status
+      ? await this.db
+          .select()
+          .from(waitlistEntries)
+          .where(eq(waitlistEntries.status, input.status as WaitlistEntryRow["status"]))
+          .orderBy(desc(waitlistEntries.createdAt))
+          .limit(limit)
+      : await this.db.select().from(waitlistEntries).orderBy(desc(waitlistEntries.createdAt)).limit(limit);
+    return rows.map(toWaitlistEntry);
+  }
+
+  async updateEntryStatus(entryId: string, status: WaitlistEntryRow["status"]): Promise<WaitlistEntry | null> {
+    const [row] = await this.db
+      .update(waitlistEntries)
+      .set({
+        status,
+        updatedAt: new Date(),
+      })
+      .where(eq(waitlistEntries.id, entryId))
+      .returning();
+    return row ? toWaitlistEntry(row) : null;
+  }
+
+  async createTrigger(input: CreateTriggerRecord): Promise<WaitlistTrigger> {
+    const [row] = await this.db
+      .insert(waitlistTriggers)
+      .values({
+        id: input.id,
+        type: input.type,
+        entryId: input.entryId,
+        status: "queued",
+        payloadJson: input.payloadJson,
+        createdAt: new Date(),
+      })
+      .returning();
+    return toWaitlistTrigger(row);
+  }
+}
+
+function clampLimit(value: number | null | undefined) {
+  if (!value || !Number.isFinite(value)) {
+    return 100;
+  }
+  return Math.min(Math.max(Math.trunc(value), 1), 500);
+}
+
+function toWaitlistEntry(row: WaitlistEntryRow): WaitlistEntry {
+  return {
+    id: row.id,
+    email: row.email,
+    name: row.name,
+    company: row.company,
+    source: row.source,
+    status: row.status,
+    createdAt: row.createdAt.toISOString(),
+    updatedAt: row.updatedAt.toISOString(),
+  };
+}
+
+function toWaitlistTrigger(row: typeof waitlistTriggers.$inferSelect): WaitlistTrigger {
+  return {
+    id: row.id,
+    type: row.type,
+    entryId: row.entryId,
+    status: row.status,
+    payloadJson: row.payloadJson,
+    createdAt: row.createdAt.toISOString(),
+    processedAt: row.processedAt?.toISOString() ?? null,
+  };
+}

package/templates/variants/bun-connectrpc/src/db/schema.ts

@@ -0,0 +1,26 @@
+import { pgTable, text, timestamp, uniqueIndex } from "drizzle-orm/pg-core";
+
+export const waitlistEntries = pgTable(
+  "waitlist_entries",
+  {
+    id: text("id").primaryKey(),
+    email: text("email").notNull(),
+    name: text("name"),
+    company: text("company"),
+    source: text("source"),
+    status: text("status").$type<"joined" | "invited" | "converted" | "archived">().notNull().default("joined"),
+    createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).notNull().defaultNow(),
+    updatedAt: timestamp("updated_at", { withTimezone: true, mode: "date" }).notNull().defaultNow(),
+  },
+  (table) => [uniqueIndex("waitlist_entries_email_key").on(table.email)]
+);
+
+export const waitlistTriggers = pgTable("waitlist_triggers", {
+  id: text("id").primaryKey(),
+  type: text("type").notNull(),
+  entryId: text("entry_id").references(() => waitlistEntries.id),
+  status: text("status").$type<"queued" | "processed" | "failed">().notNull().default("queued"),
+  payloadJson: text("payload_json").notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).notNull().defaultNow(),
+  processedAt: timestamp("processed_at", { withTimezone: true, mode: "date" }),
+});

package/templates/variants/bun-connectrpc/src/index.ts

@@ -1,32 +1,204 @@
-type ConnectResponse = {
-  message: string;
-};
+import { Code, ConnectError } from "@connectrpc/connect";
+import { connectNodeAdapter } from "@connectrpc/connect-node";
+import type { ServiceImpl } from "@connectrpc/connect";
+import { createServer } from "node:http";
+import { WaitlistService as WaitlistRpcService } from "../gen/protos/waitlist/v1/waitlist_pb.js";
+import { withServiceAuth } from "./auth";
+import { AppError, createDefaultWaitlistService, type WaitlistService } from "./waitlist/service";
+import { startTemporalWorker } from "./temporal/worker";
+import type { WaitlistEntry, WaitlistTrigger } from "./waitlist/types";
 
-export async function handleRequest(request: Request) {
-  const url = new URL(request.url);
+type RpcService = ServiceImpl<typeof WaitlistRpcService>;
+type FallbackHandler = NonNullable<Parameters<typeof connectNodeAdapter>[0]["fallback"]>;
 
-  if (url.pathname === "/healthz") {
-    return Response.json({ status: "ok", runtime: "bun", framework: "connectrpc" });
+export function createRpcService(service: WaitlistService): Partial<RpcService> {
+  return {
+    async joinWaitlist(request) {
+      const result = await service.joinWaitlist({
+        email: request.email,
+        name: request.name || null,
+        company: request.company || null,
+        source: request.source || null,
+      });
+      return { entry: toRpcEntry(result.entry), created: result.created };
+    },
+    async getWaitlistEntry(request) {
+      return { entry: toRpcEntry(await service.getWaitlistEntry(request.entryId)) };
+    },
+    async getWaitlistEntryByEmail(request) {
+      return { entry: toRpcEntry(await service.getWaitlistEntryByEmail(request.email)) };
+    },
+    async listWaitlistEntries(request) {
+      const entries = await service.listWaitlistEntries({
+        status: request.status || null,
+        limit: request.limit || null,
+      });
+      return { entries: entries.map(toRpcEntry) };
+    },
+    async updateWaitlistEntry(request) {
+      return {
+        entry: toRpcEntry(
+          await service.updateWaitlistEntry({
+            entryId: request.entryId,
+            status: request.status,
+          })
+        ),
+      };
+    },
+    async exportWaitlistEntries(request) {
+      return {
+        csv: await service.exportWaitlistEntries({
+          status: request.status || null,
+          limit: request.limit || null,
+        }),
+      };
+    },
+    async recordTrigger(request) {
+      const trigger = (await service.recordTrigger({
+        type: request.type,
+        entryId: request.entryId || null,
+        payloadJson: request.payloadJson || "{}",
+      })) as WaitlistTrigger;
+      return { trigger: toRpcTrigger(trigger) };
+    },
+  };
+}
+
+export function createHandler(service: WaitlistService) {
+  return connectNodeAdapter({
+    routes: (router) => {
+      router.service(WaitlistRpcService, createRpcService(service));
+    },
+    fallback: (async (request: Parameters<FallbackHandler>[0], response: Parameters<FallbackHandler>[1]) => {
+      const url = new URL(request.url ?? "/", "http://localhost");
+      const path = url.pathname;
+
+      if (path === "/healthz" || path === "/readyz") {
+        respondJson(response, 200, { status: "ok" });
+        return;
+      }
+
+      if (path === "/") {
+        respondJson(response, 200, {
+          service: "{{SERVICE_NAME}}",
+          domain: "waitlist",
+          apiOrigin: "https://api.{{SERVICE_NAME}}.anmho.com",
+        });
+        return;
+      }
+
+      if (path === "/debug/connectrpc" && isLocalRpcIntrospectionEnabled()) {
+        respondJson(response, 200, createIntrospectionDocument());
+        return;
+      }
+
+      if (request.method === "POST" && path.startsWith("/webhooks/")) {
+        try {
+          const provider = path.split("/").filter(Boolean)[1] ?? "generic";
+          const rawBody = await readRawBody(request);
+          const trigger = await service.recordTrigger({
+            type: `webhook.${provider}`,
+            payloadJson: JSON.stringify({ headers: request.headers, rawBody }),
+          });
+          respondJson(response, 202, { trigger });
+        } catch (error) {
+          respondAppError(response, error);
+        }
+        return;
+      }
+
+      if (request.method === "GET" && path.startsWith("/webhooks/") && path.endsWith("/health")) {
+        const provider = path.split("/").filter(Boolean)[1] ?? "generic";
+        respondJson(response, 200, { status: "ok", provider });
+        return;
+      }
+
+      respondJson(response, 404, { error: "not found" });
+    }) as FallbackHandler,
+  });
+}
+
+export function createIntrospectionDocument() {
+  return {
+    service: WaitlistRpcService.typeName,
+    file: WaitlistRpcService.file.proto.name,
+    methods: WaitlistRpcService.methods.map((method) => ({
+      name: method.name,
+      localName: method.localName,
+      kind: method.methodKind,
+      input: method.input.typeName,
+      output: method.output.typeName,
+    })),
+  };
+}
+
+export function isLocalRpcIntrospectionEnabled() {
+  const override = Bun.env.ENABLE_RPC_INTROSPECTION?.trim().toLowerCase();
+  if (override) {
+    return !["0", "false", "no", "off"].includes(override);
   }
+  return !Bun.env.K_SERVICE && Bun.env.NODE_ENV !== "production";
+}
+
+function toRpcEntry(entry: WaitlistEntry) {
+  return {
+    id: entry.id,
+    email: entry.email,
+    name: entry.name ?? "",
+    company: entry.company ?? "",
+    source: entry.source ?? "",
+    status: entry.status,
+    createdAt: entry.createdAt,
+    updatedAt: entry.updatedAt,
+  };
+}
+
+function toRpcTrigger(trigger: WaitlistTrigger) {
+  return {
+    id: trigger.id,
+    type: trigger.type,
+    entryId: trigger.entryId ?? "",
+    status: trigger.status,
+    payloadJson: trigger.payloadJson,
+    createdAt: trigger.createdAt,
+    processedAt: trigger.processedAt ?? "",
+  };
+}
+
+function respondJson(response: Parameters<FallbackHandler>[1], status: number, body: unknown) {
+  response.statusCode = status;
+  response.setHeader("Content-Type", "application/json");
+  response.end(JSON.stringify(body));
+}
 
-  if (url.pathname === "/rpc.example.v1.Service/Ping" && request.method === "POST") {
-    const payload = (await request.json().catch(() => ({}))) as { name?: string };
-    const body: ConnectResponse = {
-      message: `hello ${payload.name?.trim() || "{{SERVICE_NAME}}"}`,
-    };
-    return Response.json(body, {
-      headers: {
-        "Content-Type": "application/json",
-      },
-    });
+function respondAppError(response: Parameters<FallbackHandler>[1], error: unknown) {
+  if (error instanceof AppError) {
+    respondJson(response, error.status, { error: error.message, code: error.code });
+    return;
   }
+  if (error instanceof ConnectError) {
+    respondJson(response, 500, { error: error.message, code: error.code });
+    return;
+  }
+  respondJson(response, 500, { error: error instanceof Error ? error.message : String(error), code: Code[Code.Internal] });
+}
 
-  return Response.json({ error: "not found" }, { status: 404 });
+function readRawBody(request: Parameters<FallbackHandler>[0]) {
+  return new Promise<string>((resolve, reject) => {
+    const chunks: Buffer[] = [];
+    request.on("data", (chunk) => chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk)));
+    request.on("end", () => resolve(Buffer.concat(chunks).toString("utf8")));
+    request.on("error", reject);
+  });
 }
 
 if (import.meta.main) {
-  Bun.serve({
-    port: Number(Bun.env.PORT ?? 8080),
-    fetch: handleRequest,
-  });
+  const temporalWorker = await startTemporalWorker();
+  if (temporalWorker) {
+    console.log(`Temporal worker polling ${temporalWorker.taskQueue}`);
+  }
+
+  const port = Number(Bun.env.PORT ?? 8080);
+  const server = createServer(withServiceAuth(createHandler(createDefaultWaitlistService())));
+  server.listen(port);
 }

package/templates/variants/bun-connectrpc/src/temporal/activities.ts

@@ -0,0 +1,14 @@
+export type WaitlistFollowUpInput = {
+  triggerId?: string;
+  email?: string;
+  type: string;
+};
+
+export async function recordWaitlistFollowUp(input: WaitlistFollowUpInput) {
+  return {
+    status: "queued",
+    triggerId: input.triggerId ?? null,
+    email: input.email ?? null,
+    type: input.type,
+  };
+}