npm - create-svc - Versions diffs - 0.1.9 → 0.1.11 - Mend

create-svc 0.1.9 → 0.1.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (163) hide show

package/README.md +138 -16
package/bin/create-service.mjs +2 -0
package/package.json +19 -11
package/src/cli.test.ts +46 -7
package/src/cli.ts +282 -84
package/src/git-bootstrap.test.ts +40 -0
package/src/git-bootstrap.ts +110 -0
package/src/naming.test.ts +5 -2
package/src/naming.ts +32 -1
package/src/neon.ts +10 -8
package/src/post-scaffold.test.ts +19 -0
package/src/post-scaffold.ts +18 -26
package/src/profiles.ts +25 -0
package/src/scaffold.test.ts +320 -18
package/src/scaffold.ts +154 -28
package/src/vault.test.ts +94 -10
package/src/vault.ts +81 -18
package/templates/shared/.github/workflows/ci.yml +2 -1
package/templates/shared/.github/workflows/deploy.yml +2 -0
package/templates/shared/README.md +217 -29
package/templates/shared/docker-compose.yml +19 -0
package/templates/shared/grafana/alerts.yaml +54 -0
package/templates/shared/grafana/waitlist-dashboard.json +63 -0
package/templates/shared/scripts/authctl.ts +231 -0
package/templates/shared/scripts/cloudrun/bootstrap.ts +24 -42
package/templates/shared/scripts/cloudrun/cleanup.ts +81 -35
package/templates/shared/scripts/cloudrun/cli.ts +324 -7
package/templates/shared/scripts/cloudrun/config.ts +21 -19
package/templates/shared/scripts/cloudrun/deploy.ts +16 -11
package/templates/shared/scripts/cloudrun/lib.ts +232 -123
package/templates/shared/scripts/cloudrun/neon.ts +127 -13
package/templates/shared/scripts/dev.ts +22 -0
package/templates/shared/scripts/ensure-local-db.ts +3 -0
package/templates/shared/scripts/local-docker.ts +63 -0
package/templates/shared/scripts/local-env.ts +27 -0
package/templates/shared/scripts/seed.ts +73 -0
package/templates/shared/scripts/wait-for-db.ts +32 -0
package/templates/shared/service.config.ts +59 -0
package/templates/shared/service.yaml +24 -1
package/templates/targets/workers/.github/workflows/ci.yml +19 -0
package/templates/targets/workers/.github/workflows/deploy.yml +19 -0
package/templates/targets/workers/Makefile +33 -0
package/templates/targets/workers/README.md +75 -0
package/templates/targets/workers/package.json +35 -0
package/templates/targets/workers/scripts/workers/cli.ts +397 -0
package/templates/targets/workers/src/auth.ts +178 -0
package/templates/targets/workers/src/index.ts +198 -0
package/templates/targets/workers/src/storage.ts +370 -0
package/templates/targets/workers/test/app.test.ts +108 -0
package/templates/targets/workers/tsconfig.json +11 -0
package/templates/targets/workers/wrangler.toml +24 -0
package/templates/variants/bun-connectrpc/Dockerfile +1 -0
package/templates/variants/bun-connectrpc/Makefile +17 -8
package/templates/variants/bun-connectrpc/gen/protos/waitlist/v1/waitlist_pb.ts +424 -0
package/templates/variants/bun-connectrpc/migrations/0000_init.sql +20 -0
package/templates/variants/bun-connectrpc/package.json +25 -1
package/templates/variants/bun-connectrpc/protos/waitlist/v1/waitlist.proto +91 -0
package/templates/variants/bun-connectrpc/scripts/codegen.ts +31 -1
package/templates/variants/bun-connectrpc/scripts/migrate.ts +49 -0
package/templates/variants/bun-connectrpc/src/auth.ts +200 -0
package/templates/variants/bun-connectrpc/src/db/client.ts +15 -0
package/templates/variants/bun-connectrpc/src/db/repository.ts +126 -0
package/templates/variants/bun-connectrpc/src/db/schema.ts +26 -0
package/templates/variants/bun-connectrpc/src/index.ts +194 -22
package/templates/variants/bun-connectrpc/src/temporal/activities.ts +14 -0
package/templates/variants/bun-connectrpc/src/temporal/worker.ts +38 -0
package/templates/variants/bun-connectrpc/src/temporal/workflows.ts +10 -0
package/templates/variants/bun-connectrpc/src/waitlist/service.ts +172 -0
package/templates/variants/bun-connectrpc/src/waitlist/types.ts +45 -0
package/templates/variants/bun-connectrpc/test/app.test.ts +14 -13
package/templates/variants/bun-connectrpc/test/waitlist.integration.test.ts +71 -0
package/templates/variants/bun-connectrpc/tsconfig.json +2 -1
package/templates/variants/bun-hono/Makefile +17 -8
package/templates/variants/bun-hono/migrations/0000_init.sql +20 -0
package/templates/variants/bun-hono/package.json +21 -1
package/templates/variants/bun-hono/scripts/migrate.ts +49 -0
package/templates/variants/bun-hono/src/auth.ts +181 -0
package/templates/variants/bun-hono/src/db/client.ts +15 -0
package/templates/variants/bun-hono/src/db/repository.ts +126 -0
package/templates/variants/bun-hono/src/db/schema.ts +26 -0
package/templates/variants/bun-hono/src/index.ts +141 -10
package/templates/variants/bun-hono/src/temporal/activities.ts +14 -0
package/templates/variants/bun-hono/src/temporal/worker.ts +38 -0
package/templates/variants/bun-hono/src/temporal/workflows.ts +10 -0
package/templates/variants/bun-hono/src/waitlist/service.ts +166 -0
package/templates/variants/bun-hono/src/waitlist/types.ts +50 -0
package/templates/variants/bun-hono/test/app.test.ts +90 -5
package/templates/variants/bun-hono/test/waitlist.integration.test.ts +102 -0
package/templates/variants/bun-hono/tsconfig.json +1 -0
package/templates/variants/go-chi/Makefile +30 -10
package/templates/variants/go-chi/atlas.hcl +8 -0
package/templates/variants/go-chi/cmd/server/main.go +25 -13
package/templates/variants/go-chi/go.mod +3 -2
package/templates/variants/go-chi/internal/app/service.go +279 -70
package/templates/variants/go-chi/internal/auth/middleware.go +289 -0
package/templates/variants/go-chi/internal/auth/middleware_test.go +38 -0
package/templates/variants/go-chi/internal/config/config.go +38 -7
package/templates/variants/go-chi/internal/httpapi/routes.go +170 -47
package/templates/variants/go-chi/internal/httpapi/waitlist_integration_test.go +199 -0
package/templates/variants/go-chi/internal/temporal/activities.go +27 -0
package/templates/variants/go-chi/internal/temporal/worker.go +42 -0
package/templates/variants/go-chi/internal/temporal/workflows.go +18 -0
package/templates/variants/go-chi/migrations/0000_init.sql +20 -0
package/templates/variants/go-chi/migrations/atlas.sum +2 -0
package/templates/variants/go-chi/package.json +7 -1
package/templates/variants/go-chi/test/go.test.ts +4 -1
package/templates/variants/go-connectrpc/Makefile +29 -8
package/templates/variants/go-connectrpc/atlas.hcl +8 -0
package/templates/variants/go-connectrpc/buf.gen.yaml +2 -0
package/templates/variants/go-connectrpc/cmd/server/main.go +44 -9
package/templates/variants/go-connectrpc/gen/waitlist/v1/waitlist.pb.go +960 -0
package/templates/variants/go-connectrpc/gen/waitlist/v1/waitlistv1connect/waitlist.connect.go +283 -0
package/templates/variants/go-connectrpc/go.mod +4 -0
package/templates/variants/go-connectrpc/internal/app/service.go +279 -70
package/templates/variants/go-connectrpc/internal/auth/middleware.go +289 -0
package/templates/variants/go-connectrpc/internal/auth/middleware_test.go +38 -0
package/templates/variants/go-connectrpc/internal/config/config.go +38 -7
package/templates/variants/go-connectrpc/internal/connectapi/handler.go +129 -40
package/templates/variants/go-connectrpc/internal/connectapi/waitlist_integration_test.go +122 -0
package/templates/variants/go-connectrpc/internal/httpapi/routes.go +170 -47
package/templates/variants/go-connectrpc/internal/temporal/activities.go +27 -0
package/templates/variants/go-connectrpc/internal/temporal/worker.go +42 -0
package/templates/variants/go-connectrpc/internal/temporal/workflows.go +18 -0
package/templates/variants/go-connectrpc/migrations/0000_init.sql +20 -0
package/templates/variants/go-connectrpc/migrations/atlas.sum +2 -0
package/templates/variants/go-connectrpc/package.json +7 -1
package/templates/variants/go-connectrpc/protos/waitlist/v1/waitlist.proto +93 -0
package/templates/root/.github/workflows/buf-publish.yml +0 -19
package/templates/root/.github/workflows/ci.yml +0 -26
package/templates/root/.github/workflows/deploy.yml +0 -22
package/templates/root/Dockerfile +0 -23
package/templates/root/README.md +0 -69
package/templates/root/buf.gen.yaml +0 -10
package/templates/root/buf.yaml +0 -9
package/templates/root/cmd/server/main.go +0 -44
package/templates/root/gen/dns/v1/dns.pb.go +0 -623
package/templates/root/gen/dns/v1/dnsv1connect/dns.connect.go +0 -192
package/templates/root/go.mod +0 -10
package/templates/root/internal/app/service.go +0 -152
package/templates/root/internal/app/token_source.go +0 -50
package/templates/root/internal/cloudflare/client.go +0 -160
package/templates/root/internal/config/config.go +0 -55
package/templates/root/internal/connectapi/handler.go +0 -79
package/templates/root/internal/httpapi/routes.go +0 -93
package/templates/root/internal/vault/client.go +0 -148
package/templates/root/package.json +0 -12
package/templates/root/protos/dns/v1/dns.proto +0 -58
package/templates/root/scripts/cloudrun/bootstrap.ts +0 -65
package/templates/root/scripts/cloudrun/config.ts +0 -50
package/templates/root/scripts/cloudrun/deploy.ts +0 -41
package/templates/root/scripts/cloudrun/lib.ts +0 -244
package/templates/root/service.yaml +0 -50
package/templates/root/test/go.test.ts +0 -19
package/templates/shared/.env.example +0 -10
package/templates/variants/go-chi/buf.gen.yaml +0 -10
package/templates/variants/go-chi/buf.yaml +0 -9
package/templates/variants/go-chi/gen/dns/v1/dns.pb.go +0 -623
package/templates/variants/go-chi/gen/dns/v1/dnsv1connect/dns.connect.go +0 -192
package/templates/variants/go-chi/internal/connectapi/handler.go +0 -79
package/templates/variants/go-chi/protos/dns/v1/dns.proto +0 -58
package/templates/variants/go-connectrpc/gen/dns/v1/dns.pb.go +0 -623
package/templates/variants/go-connectrpc/gen/dns/v1/dnsv1connect/dns.connect.go +0 -192
package/templates/variants/go-connectrpc/protos/dns/v1/dns.proto +0 -58

package/src/scaffold.ts CHANGED Viewed

@@ -2,30 +2,34 @@ import { mkdir, readdir } from "node:fs/promises";
 import { dirname, join, resolve } from "node:path";
 import {
   compactIdentifier,
+  compactDatabaseName,
+  deriveLocalPostgresPort,
+  type DeployTarget,
   type Framework,
   type GcpProjectMode,
   type Runtime,
 } from "./naming";
+import { exampleForProfile, type Profile } from "./profiles";
+import type { GitBootstrapConfig } from "./git-bootstrap";
 export type ScaffoldConfig = {
   directory: string;
   serviceName: string;
+  modulePath: string;
+  target: DeployTarget;
   runtime: Runtime;
   framework: Framework;
+  profile: Profile;
   region: string;
   gcpProjectMode: GcpProjectMode;
   gcpProject: string;
   gcpProjectName: string;
   billingAccount: string;
   quotaProjectId: string;
-  githubRepo: string;
-  githubVisibility: "public" | "private";
-  createGithubRepo: boolean;
   autoDeploy: boolean;
-  neonProjectId: string;
-  neonBaseBranchId: string;
-  neonBaseBranchName: string;
+  git: GitBootstrapConfig;
   neonDatabaseName: string;
+  apiHostname: string;
   generatorRoot: string;
 };
@@ -46,14 +50,20 @@ export async function scaffoldProject(config: ScaffoldConfig) {
   await ensureTargetDirectory(targetDir);
   const replacements = buildReplacements(config);
-  const sharedTemplateRoot = resolve(config.generatorRoot, "templates", "shared");
-  const variantTemplateRoot = resolve(config.generatorRoot, "templates", "variants", `${config.runtime}-${config.framework}`);
+  const templateRoots = [
+    { kind: "shared" as const, root: resolve(config.generatorRoot, "templates", "shared") },
+    { kind: "variant" as const, root: resolve(config.generatorRoot, "templates", "variants", `${config.runtime}-${config.framework}`) },
+    { kind: "target" as const, root: resolve(config.generatorRoot, "templates", "targets", config.target) },
+  ];
-  for (const templateRoot of [sharedTemplateRoot, variantTemplateRoot]) {
-    const files = await collectTemplateFiles(templateRoot);
+  for (const template of templateRoots) {
+    const files = await collectTemplateFiles(template.root);
     for (const relativePath of files) {
-      const sourcePath = join(templateRoot, relativePath);
+      if (shouldSkipForTarget(config.target, template.kind, relativePath)) {
+        continue;
+      }
+      const sourcePath = join(template.root, relativePath);
       const destinationPath = join(targetDir, relativePath);
       const raw = await Bun.file(sourcePath).text();
       const rendered = renderTemplate(raw, replacements);
@@ -62,6 +72,45 @@ export async function scaffoldProject(config: ScaffoldConfig) {
       await Bun.write(destinationPath, rendered);
     }
   }
+  await writeLocalEnvFile(targetDir, replacements);
+}
+function shouldSkipForTarget(target: DeployTarget, templateKind: "shared" | "variant" | "target", relativePath: string) {
+  if (target === "workers") {
+    if (templateKind === "target") {
+      return false;
+    }
+    if (relativePath === "Dockerfile" || relativePath === "docker-compose.yml") {
+      return true;
+    }
+    if (templateKind === "shared") {
+      return (
+        relativePath === "service.yaml" ||
+        relativePath === "scripts/dev.ts" ||
+        relativePath === "scripts/ensure-local-db.ts" ||
+        relativePath === "scripts/local-docker.ts" ||
+        relativePath === "scripts/local-env.ts" ||
+        relativePath === "scripts/seed.ts" ||
+        relativePath === "scripts/wait-for-db.ts" ||
+        relativePath.startsWith("scripts/cloudrun/")
+      );
+    }
+    return (
+      relativePath.startsWith("src/db/") ||
+      relativePath.startsWith("src/temporal/") ||
+      relativePath.startsWith("src/waitlist/") ||
+      relativePath.startsWith("test/") ||
+      relativePath.startsWith("migrations/") ||
+      relativePath === "scripts/codegen.ts" ||
+      relativePath === "scripts/migrate.ts"
+    );
+  }
+  return relativePath.startsWith("scripts/workers/") || relativePath === "wrangler.toml";
 }
 async function ensureTargetDirectory(targetDir: string) {
@@ -85,12 +134,23 @@ export async function assertTargetDirectoryIsEmpty(targetDir: string) {
 async function collectTemplateFiles(root: string, relative = ""): Promise<string[]> {
   const cwd = join(root, relative);
-  const entries = await readdir(cwd, { withFileTypes: true });
+  let entries;
+  try {
+    entries = await readdir(cwd, { withFileTypes: true });
+  } catch (error) {
+    if ((error as NodeJS.ErrnoException).code === "ENOENT") {
+      return [];
+    }
+    throw error;
+  }
   const files: string[] = [];
   for (const entry of entries) {
     const nextRelative = relative ? join(relative, entry.name) : entry.name;
     if (entry.isDirectory()) {
+      if (entry.name === "node_modules" || entry.name === ".git") {
+        continue;
+      }
       files.push(...(await collectTemplateFiles(root, nextRelative)));
       continue;
     }
@@ -101,19 +161,22 @@ async function collectTemplateFiles(root: string, relative = ""): Promise<string
 }
 function buildReplacements(config: ScaffoldConfig) {
-  const [githubOwner = "anmho"] = config.githubRepo.split("/");
-  const modulePath = `github.com/${config.githubRepo}`;
+  const example = exampleForProfile(config.profile);
   const serviceAccountBase = compactIdentifier(config.serviceName, 21);
   const runtimeServiceAccount = `${serviceAccountBase}-runtime@${config.gcpProject}.iam.gserviceaccount.com`;
-  const deployerServiceAccount = `${serviceAccountBase}-deployer@${config.gcpProject}.iam.gserviceaccount.com`;
-  const wifPoolId = "github";
-  const wifProviderId = compactIdentifier(config.serviceName, 32);
   const previewBranchPrefix = `${config.serviceName}-pr`;
   const personalBranchPrefix = `${config.serviceName}-dev`;
+  const localDatabaseName = compactDatabaseName(config.serviceName);
+  const localDatabasePort = deriveLocalPostgresPort(config.serviceName);
+  const authIssuer = "https://auth.anmho.com/api/auth";
+  const authAudience = `api://${config.serviceName}`;
+  const authJwksUrl = `${authIssuer}/jwks`;
   return {
     SERVICE_NAME: config.serviceName,
-    MODULE_PATH: modulePath,
+    SERVICE_ID: config.serviceName,
+    MODULE_PATH: config.modulePath,
+    TARGET: config.target,
     PROJECT_ID: config.gcpProject,
     PROJECT_NAME: config.gcpProjectName,
     REGION: config.region,
@@ -121,28 +184,91 @@ function buildReplacements(config: ScaffoldConfig) {
     PROJECT_CREATE_IF_MISSING: String(config.gcpProjectMode === "create_new"),
     BILLING_ACCOUNT: config.billingAccount,
     QUOTA_PROJECT_ID: config.quotaProjectId,
-    GITHUB_REPO: config.githubRepo,
-    GITHUB_OWNER: githubOwner,
-    GITHUB_VISIBILITY: config.githubVisibility,
-    GITHUB_CREATE_IF_MISSING: String(config.createGithubRepo),
     AUTO_DEPLOY: String(config.autoDeploy),
     RUNTIME: config.runtime,
     FRAMEWORK: config.framework,
+    PROFILE: config.profile,
+    EXAMPLE_KIND: example.kind,
+    EXAMPLE_DOMAIN: example.domain,
+    EXAMPLE_LABEL: example.label,
     CLOUD_RUN_SERVICE: config.serviceName,
-    NEON_PROJECT_ID: config.neonProjectId,
-    NEON_BASE_BRANCH_ID: config.neonBaseBranchId,
-    NEON_BASE_BRANCH_NAME: config.neonBaseBranchName,
+    NEON_PROJECT_ID: "",
+    NEON_BASE_BRANCH_ID: "",
+    NEON_BASE_BRANCH_NAME: "main",
     NEON_DATABASE_NAME: config.neonDatabaseName,
     NEON_ROLE_NAME: "neondb_owner",
     NEON_PREVIEW_BRANCH_PREFIX: previewBranchPrefix,
     NEON_PERSONAL_BRANCH_PREFIX: personalBranchPrefix,
     RUNTIME_SERVICE_ACCOUNT: runtimeServiceAccount,
-    DEPLOYER_SERVICE_ACCOUNT: deployerServiceAccount,
-    WIF_POOL_ID: wifPoolId,
-    WIF_PROVIDER_ID: wifProviderId,
+    API_HOSTNAME: config.apiHostname,
+    API_BASE_DOMAIN: "anmho.com",
+    AUTH_ISSUER: authIssuer,
+    AUTH_AUDIENCE: authAudience,
+    AUTH_JWKS_URL: authJwksUrl,
+    LOCAL_DATABASE_NAME: localDatabaseName,
+    LOCAL_DATABASE_PORT: localDatabasePort,
+    LOCAL_DATABASE_USER: "postgres",
+    LOCAL_DATABASE_PASSWORD: "postgres",
+    COMMAND_DEV: config.runtime === "bun" ? "bun run dev" : "make dev",
+    COMMAND_MIGRATE: config.runtime === "bun" ? "bun run migrate" : "make migrate",
+    COMMAND_GEN: config.runtime === "bun" ? "bun run gen" : "make gen",
+    COMMAND_LINT: config.runtime === "bun" ? "bun run lint" : "make lint",
+    COMMAND_TEST: config.runtime === "bun" ? "bun run test" : "make test",
+    COMMAND_BOOTSTRAP: config.runtime === "bun" ? "bun run create" : "make create",
+    COMMAND_DEPLOY: config.runtime === "bun" ? "bun run deploy" : "make deploy",
+    COMMAND_AUTH_RESOURCE:
+      config.runtime === "bun" ? "bun run auth -- resource-server" : 'make auth ARGS="resource-server"',
+    COMMAND_AUTH_CLIENT:
+      config.runtime === "bun"
+        ? "bun run auth -- client create"
+        : 'make auth ARGS="client create"',
+    COMMAND_DEPLOY_PERSONAL:
+      config.runtime === "bun"
+        ? 'bun run deploy -- --environment personal --name <slug>'
+        : 'make deploy ARGS="--environment personal --name <slug>"',
+    COMMAND_DEPLOY_DESTROY:
+      config.runtime === "bun"
+        ? 'bun run destroy -- --environment personal --name <slug>'
+        : 'make destroy ARGS="--environment personal --name <slug>"',
+    COMMAND_CLEANUP: config.runtime === "bun" ? "bun run destroy" : "make destroy",
+    COMMAND_CLEANUP_PROJECT: config.runtime === "bun" ? "bun run destroy -- --project" : 'make destroy ARGS="--project"',
+    GITIGNORE_EXTRA: "",
+    LOCAL_INTROSPECTION_NOTE:
+      config.framework === "connectrpc"
+        ? [
+            "",
+            "## Local introspection",
+            "",
+            "When running locally, ConnectRPC variants expose introspection by default.",
+            "",
+            "- `go + connectrpc`: standard gRPC reflection for tools like `grpcurl list localhost:<port>`",
+            "- `bun + connectrpc`: JSON introspection at `/debug/connectrpc`",
+            "- override with `ENABLE_RPC_INTROSPECTION=true|false`",
+          ].join("\n")
+        : "",
   };
 }
+async function writeLocalEnvFile(targetDir: string, replacements: Record<string, string>) {
+  const envPath = join(targetDir, ".env.local");
+  if (await Bun.file(envPath).exists()) {
+    return;
+  }
+  const rendered = renderTemplate(
+    [
+      "# Generated local development defaults for create-service.",
+      "# This file is user-owned after scaffold and is gitignored.",
+      "",
+      "DATABASE_URL=postgres://{{LOCAL_DATABASE_USER}}:{{LOCAL_DATABASE_PASSWORD}}@127.0.0.1:{{LOCAL_DATABASE_PORT}}/{{LOCAL_DATABASE_NAME}}?sslmode=disable",
+      "",
+    ].join("\n"),
+    replacements
+  );
+  await Bun.write(envPath, rendered);
+}
 function renderTemplate(input: string, replacements: Record<string, string>) {
   return input.replace(/\{\{([A-Z0-9_]+)\}\}/g, (_, key: string) => {
     const replacement = replacements[key];

package/src/vault.test.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { afterEach, expect, mock, test } from "bun:test";
 import { mkdir } from "node:fs/promises";
-import { readVaultSecret, resolveNeonApiKey } from "./vault";
+import { readVaultSecret, resolveNeonApiKey, upsertVaultSecretFields } from "./vault";
 const originalEnv = { ...process.env };
@@ -14,17 +14,41 @@ test("resolveNeonApiKey prefers NEON_API_KEY from env", async () => {
   await expect(resolveNeonApiKey()).resolves.toBe("direct-token");
 });
+test("resolveNeonApiKey reads the purpose-named Neon provider secret by default", async () => {
+  delete process.env.NEON_API_KEY;
+  process.env.VAULT_ADDR = "https://vault.example.com";
+  process.env.VAULT_TOKEN = "token-123";
+  const fetchMock = mock(async (input: string | URL | Request) => {
+    expect(String(input)).toBe("https://vault.example.com/v1/secret/data/prod/providers/neon");
+    return new Response(
+      JSON.stringify({
+        data: {
+          data: {
+            api_key: "vault-token",
+          },
+        },
+      }),
+      { status: 200 }
+    );
+  });
+  globalThis.fetch = fetchMock as unknown as typeof fetch;
+  await expect(resolveNeonApiKey()).resolves.toBe("vault-token");
+});
 test("readVaultSecret reads KV v2 secret data using existing vault login env", async () => {
   process.env.VAULT_ADDR = "https://vault.example.com";
   process.env.VAULT_TOKEN = "token-123";
   const fetchMock = mock(async (input: string | URL | Request) => {
-    expect(String(input)).toBe("https://vault.example.com/v1/secret/data/provider/neon-api-key");
+    expect(String(input)).toBe("https://vault.example.com/v1/secret/data/prod/providers/neon");
     return new Response(
       JSON.stringify({
         data: {
           data: {
-            value: "vault-token",
+            api_key: "vault-token",
           },
         },
       }),
@@ -32,12 +56,12 @@ test("readVaultSecret reads KV v2 secret data using existing vault login env", a
     );
   });
-  globalThis.fetch = fetchMock as typeof fetch;
+  globalThis.fetch = fetchMock as unknown as typeof fetch;
   await expect(
     readVaultSecret({
-      path: "provider/neon-api-key",
-      field: "value",
+      path: "prod/providers/neon",
+      field: "api_key",
     })
   ).resolves.toBe("vault-token");
 });
@@ -56,7 +80,7 @@ test("readVaultSecret falls back to ~/.vault-token", async () => {
       JSON.stringify({
         data: {
           data: {
-            value: "vault-token",
+            api_key: "vault-token",
           },
         },
       }),
@@ -64,12 +88,72 @@ test("readVaultSecret falls back to ~/.vault-token", async () => {
     );
   });
-  globalThis.fetch = fetchMock as typeof fetch;
+  globalThis.fetch = fetchMock as unknown as typeof fetch;
   await expect(
     readVaultSecret({
-      path: "provider/neon-api-key",
-      field: "value",
+      path: "prod/providers/neon",
+      field: "api_key",
     })
   ).resolves.toBe("vault-token");
 });
+test("upsertVaultSecretFields writes merged KV v2 data", async () => {
+  process.env.VAULT_ADDR = "https://vault.example.com";
+  process.env.VAULT_TOKEN = "token-123";
+  const requests: Array<{ method: string; url: string; body?: unknown }> = [];
+  const fetchMock = mock(async (input: string | URL | Request, init?: RequestInit) => {
+    const url = String(input);
+    requests.push({
+      method: init?.method ?? "GET",
+      url,
+      body: init?.body ? JSON.parse(String(init.body)) : undefined,
+    });
+    if ((init?.method ?? "GET") === "GET") {
+      return new Response(
+        JSON.stringify({
+          data: {
+            data: {
+              existing_field: "keep-me",
+            },
+          },
+        }),
+        { status: 200 }
+      );
+    }
+    return new Response(JSON.stringify({}), { status: 200 });
+  });
+  globalThis.fetch = fetchMock as unknown as typeof fetch;
+  await upsertVaultSecretFields({
+    path: "prod/providers/clerk",
+    fields: {
+      publishable_key: "pk_live_example",
+      secret_key: "sk_live_example",
+      webhook_secret: "whsec_example",
+    },
+  });
+  expect(requests).toEqual([
+    {
+      method: "GET",
+      url: "https://vault.example.com/v1/secret/data/prod/providers/clerk",
+    },
+    {
+      method: "POST",
+      url: "https://vault.example.com/v1/secret/data/prod/providers/clerk",
+      body: {
+        data: {
+          existing_field: "keep-me",
+          publishable_key: "pk_live_example",
+          secret_key: "sk_live_example",
+          webhook_secret: "whsec_example",
+        },
+      },
+    },
+  ]);
+});

package/src/vault.ts CHANGED Viewed

@@ -2,8 +2,8 @@ import { homedir } from "node:os";
 import { join } from "node:path";
 const DEFAULT_VAULT_SECRET_MOUNT = "secret";
-const DEFAULT_NEON_API_KEY_PATH = "provider/neon-api-key";
-const DEFAULT_NEON_API_KEY_FIELD = "value";
+const DEFAULT_NEON_API_KEY_PATH = "prod/providers/neon";
+const DEFAULT_NEON_API_KEY_FIELD = "api_key";
 type VaultSecretOptions = {
   addr?: string;
@@ -13,6 +13,14 @@ type VaultSecretOptions = {
   field?: string;
 };
+type VaultWriteOptions = {
+  addr?: string;
+  token?: string;
+  mount?: string;
+  path: string;
+  fields: Record<string, string>;
+};
 export async function resolveNeonApiKey() {
   const direct = process.env.NEON_API_KEY?.trim();
   if (direct) {
@@ -26,24 +34,59 @@ export async function resolveNeonApiKey() {
 }
 export async function readVaultSecret(options: VaultSecretOptions = {}) {
-  const addr = options.addr ?? process.env.VAULT_ADDR?.trim() ?? "";
-  const token = options.token ?? (await resolveVaultToken());
+  const field = options.field?.trim() ?? "value";
+  const payload = await readVaultSecretData(options);
   const mount = options.mount ?? process.env.VAULT_SECRET_MOUNT?.trim() ?? DEFAULT_VAULT_SECRET_MOUNT;
   const path = options.path?.trim() ?? "";
-  const field = options.field?.trim() ?? "value";
-  if (!addr || !token || !path) {
-    throw new Error("Vault secret resolution requires VAULT_ADDR, a Vault token, and a secret path");
-  }
-  const normalizedAddr = addr.replace(/\/+$/g, "");
   const normalizedMount = mount.replace(/^\/+|\/+$/g, "");
   const normalizedPath = path.replace(/^\/+/g, "");
-  const url = `${normalizedAddr}/v1/${normalizedMount}/data/${normalizedPath}`;
+  const value = payload[field]?.trim();
+  if (!value) {
+    throw new Error(`Vault secret field ${field} is empty at ${normalizedMount}/${normalizedPath}`);
+  }
+  return value;
+}
+export async function readVaultSecretFields(options: VaultSecretOptions = {}) {
+  return readVaultSecretData(options);
+}
+export async function upsertVaultSecretFields(options: VaultWriteOptions) {
+  const connection = await resolveVaultConnection(options);
+  const url = vaultKv2Url(connection);
+  const existing = await readVaultSecretData({ ...options, path: connection.normalizedPath }).catch((error) => {
+    if (error instanceof Error && error.message.startsWith("Vault read failed: 404")) {
+      return {};
+    }
+    throw error;
+  });
   const response = await fetch(url, {
+    method: "POST",
     headers: {
-      "X-Vault-Token": token,
+      "Content-Type": "application/json",
+      "X-Vault-Token": connection.token,
+    },
+    body: JSON.stringify({
+      data: {
+        ...existing,
+        ...trimFields(options.fields),
+      },
+    }),
+  });
+  if (!response.ok) {
+    throw new Error(`Vault write failed: ${response.status} ${response.statusText}`);
+  }
+}
+async function readVaultSecretData(options: VaultSecretOptions = {}) {
+  const connection = await resolveVaultConnection(options);
+  const response = await fetch(vaultKv2Url(connection), {
+    headers: {
+      "X-Vault-Token": connection.token,
     },
   });
@@ -57,12 +100,31 @@ export async function readVaultSecret(options: VaultSecretOptions = {}) {
     };
   };
-  const value = payload.data?.data?.[field]?.trim();
-  if (!value) {
-    throw new Error(`Vault secret field ${field} is empty at ${normalizedMount}/${normalizedPath}`);
+  return payload.data?.data ?? {};
+}
+async function resolveVaultConnection(options: Omit<VaultWriteOptions, "fields"> | VaultSecretOptions) {
+  const addr = options.addr ?? process.env.VAULT_ADDR?.trim() ?? "";
+  const token = options.token ?? (await resolveVaultToken());
+  const mount = options.mount ?? process.env.VAULT_SECRET_MOUNT?.trim() ?? DEFAULT_VAULT_SECRET_MOUNT;
+  const path = options.path?.trim() ?? "";
+  if (!addr || !token || !path) {
+    throw new Error("Vault secret resolution requires VAULT_ADDR, a Vault token, and a secret path");
   }
-  return value;
+  const normalizedAddr = addr.replace(/\/+$/g, "");
+  const normalizedMount = mount.replace(/^\/+|\/+$/g, "");
+  const normalizedPath = path.replace(/^\/+/g, "");
+  return { normalizedAddr, normalizedMount, normalizedPath, token };
+}
+function vaultKv2Url(connection: Awaited<ReturnType<typeof resolveVaultConnection>>) {
+  return `${connection.normalizedAddr}/v1/${connection.normalizedMount}/data/${connection.normalizedPath}`;
+}
+function trimFields(fields: Record<string, string>) {
+  return Object.fromEntries(Object.entries(fields).map(([key, value]) => [key, value.trim()]));
 }
 async function resolveVaultToken() {
@@ -71,7 +133,8 @@ async function resolveVaultToken() {
     return direct;
   }
-  const tokenFile = process.env.VAULT_TOKEN_FILE?.trim() || join(homedir(), ".vault-token");
+  const home = process.env.HOME?.trim() || homedir();
+  const tokenFile = process.env.VAULT_TOKEN_FILE?.trim() || join(home, ".vault-token");
   try {
     const value = (await Bun.file(tokenFile).text()).trim();

package/templates/shared/.github/workflows/ci.yml CHANGED Viewed

@@ -19,4 +19,5 @@ jobs:
       - run: bun install
       - run: bun lint
       - run: bun test
+      - if: ${{ vars.GCX_ENABLED == 'true' && github.ref == 'refs/heads/main' }}
+        run: bun run dashboards

package/templates/shared/.github/workflows/deploy.yml CHANGED Viewed

@@ -28,3 +28,5 @@ jobs:
       - run: bun run deploy -- --ci
         env:
           NEON_API_KEY: ${{ secrets.NEON_API_KEY }}
+      - if: ${{ vars.GCX_ENABLED == 'true' }}
+        run: bun run dashboards