create-svc 0.1.9 → 0.1.11

package/templates/shared/scripts/cloudrun/bootstrap.ts

@@ -1,5 +1,5 @@
-import { config, githubVariables } from "./config";
-import { ensureDatabase, getConnectionUri } from "./neon";
+import { config } from "./config";
+import { ensureDatabase, getConnectionUri, resolveNeonConfig } from "./neon";
 import {
   addSecretVersion,
   attachBilling,
@@ -8,79 +8,61 @@ import {
   ensureProjectRole,
   ensureSecretAccessor,
   ensureServiceAccount,
-  ensureServiceAccountRole,
-  ensureWorkloadIdentityPool,
-  ensureWorkloadIdentityProvider,
   gcloud,
   requireCommand,
+  requireGcloudAuth,
   resolveDeploymentTarget,
+  resolveTemporalRuntimeConfig,
   runMain,
   runStep,
-  setGithubVariable,
-  workloadIdentityPoolResource,
-  workloadIdentityProviderResource,
 } from "./lib";
 
 export async function bootstrap() {
   requireCommand("gcloud");
-  requireCommand("gh");
+  requireGcloudAuth();
 
   await runStep("Ensuring GCP project", () => ensureProject());
   await runStep("Attaching billing", () => attachBilling());
   await runStep("Enabling required GCP APIs", () => gcloud(["services", "enable", ...config.requiredApis, "--project", config.project.id]));
 
-  await runStep("Ensuring runtime and deployer service accounts", () => {
+  await runStep("Ensuring runtime service account", () => {
     ensureServiceAccount(config.runtimeServiceAccount);
-    ensureServiceAccount(config.deployerServiceAccount);
   });
 
   await runStep("Ensuring Artifact Registry repository", () => ensureArtifactRepository());
-
   await runStep("Granting project roles", () => {
-    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/run.admin");
-    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/cloudbuild.builds.editor");
-    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/artifactregistry.writer");
-    ensureProjectRole(`serviceAccount:${config.deployerServiceAccount}`, "roles/serviceusage.serviceUsageConsumer");
     ensureProjectRole(`serviceAccount:${config.runtimeServiceAccount}`, "roles/secretmanager.secretAccessor");
-    ensureServiceAccountRole(config.runtimeServiceAccount, `serviceAccount:${config.deployerServiceAccount}`, "roles/iam.serviceAccountUser");
   });
 
-  await runStep("Ensuring Workload Identity setup", () => {
-    ensureWorkloadIdentityPool();
-    ensureWorkloadIdentityProvider();
-    ensureServiceAccountRole(
-      config.deployerServiceAccount,
-      `principalSet://iam.googleapis.com/${workloadIdentityPoolResource()}/attribute.repository/${config.github.repo}`,
-      "roles/iam.workloadIdentityUser"
-    );
-  });
-
-  if (!config.neon.projectId || !config.neon.baseBranchId) {
-    throw new Error("Neon project and base branch must be configured before bootstrap");
-  }
+  const neon = await runStep("Resolving Neon defaults", () => resolveNeonConfig());
 
   const target = resolveDeploymentTarget("main");
-  await runStep("Ensuring Neon database", () => ensureDatabase(config.neon.projectId, config.neon.baseBranchId, config.neon.databaseName));
+  await runStep("Ensuring Neon database", () => ensureDatabase(neon.projectId, neon.baseBranchId, neon.databaseName));
 
   await runStep("Publishing database secret", async () => {
     const connectionUri = await getConnectionUri(
-      config.neon.projectId,
-      config.neon.baseBranchId,
-      config.neon.databaseName,
-      config.neon.roleName
+      neon.projectId,
+      neon.baseBranchId,
+      neon.databaseName,
+      neon.roleName
     );
     addSecretVersion(target.databaseSecretName, connectionUri);
     ensureSecretAccessor(target.databaseSecretName, `serviceAccount:${config.runtimeServiceAccount}`);
   });
 
-  await runStep("Configuring GitHub repository variables", () => {
-    for (const [name, value] of Object.entries(githubVariables)) {
-      setGithubVariable(name, value);
-    }
+  await runStep("Publishing Temporal secrets", () => publishTemporalSecrets());
+}
 
-    setGithubVariable("GCP_WIF_PROVIDER", workloadIdentityProviderResource());
-    setGithubVariable("GCP_DEPLOYER_SERVICE_ACCOUNT", config.deployerServiceAccount);
-  });
+function publishTemporalSecrets() {
+  const temporal = resolveTemporalRuntimeConfig();
+  const apiKey = process.env.TEMPORAL_API_KEY?.trim();
+  if (!apiKey || !temporal.apiKeySecretName) {
+    return "No Temporal API key configured";
+  }
+
+  addSecretVersion(temporal.apiKeySecretName, apiKey);
+  ensureSecretAccessor(temporal.apiKeySecretName, `serviceAccount:${config.runtimeServiceAccount}`);
+  return temporal.apiKeySecretName;
 }
 
 if (import.meta.main) {

package/templates/shared/scripts/cloudrun/cleanup.ts

@@ -1,18 +1,22 @@
-import { log } from "@clack/prompts";
-import { config, githubVariables } from "./config";
-import { deleteBranch, deleteDatabase, listBranches } from "./neon";
+import { confirm, isCancel, log } from "@clack/prompts";
+import { config } from "./config";
+import { deleteBranch, deleteDatabase, listBranches, resolveNeonConfig } from "./neon";
 import {
-  deleteGithubRepository,
-  deleteGithubVariable,
+  assertOwnedResource,
   deleteProject,
+  deleteProductionDomainMapping,
   deleteSecret,
   deleteService,
   deleteServiceAccount,
-  deleteWorkloadIdentityProvider,
+  describeCloudRunService,
+  describeProductionDomainMapping,
+  describeSecret,
   listCloudRunServices,
   listSecrets,
   parseCleanupArgs,
   requireCommand,
+  requireGcloudAuth,
+  run,
   runMain,
   runStep,
 } from "./lib";
@@ -22,18 +26,29 @@ function matchesServiceResource(name: string) {
 }
 
 function matchesSecretResource(name: string) {
-  return name === `${config.serviceName}-database-url` || name.startsWith(`${config.serviceName}-pr-`) || name.startsWith(`${config.serviceName}-dev-`);
+  return (
+    name === `${config.serviceName}-database-url` ||
+    name === config.temporal.apiKeySecretName ||
+    name.startsWith(`${config.serviceName}-pr-`) ||
+    name.startsWith(`${config.serviceName}-dev-`)
+  );
 }
 
 export async function cleanup(args = Bun.argv.slice(2)) {
   requireCommand("gcloud");
+  requireGcloudAuth();
 
   const options = parseCleanupArgs(args);
+  await requireDestroyConfirmation(options.force);
+
+  await runStep(`Verifying production domain mapping ${config.domain.hostname}`, () => assertProductionDomainMappingOwned());
+  await runStep(`Deleting production domain mapping ${config.domain.hostname}`, () => deleteProductionDomainMapping());
 
   const services = await runStep("Finding Cloud Run services", () => listCloudRunServices());
   const serviceNames = services.filter(matchesServiceResource);
   await runStep("Deleting Cloud Run services", () => {
     for (const serviceName of serviceNames) {
+      assertOwnedResource(`Cloud Run service ${serviceName}`, describeCloudRunService(serviceName));
       deleteService(serviceName);
     }
   });
@@ -42,59 +57,90 @@ export async function cleanup(args = Bun.argv.slice(2)) {
   const secretNames = secrets.filter(matchesSecretResource);
   await runStep("Deleting service secrets", () => {
     for (const secretName of secretNames) {
+      assertOwnedResource(`Secret ${secretName}`, describeSecret(secretName));
       deleteSecret(secretName);
     }
   });
 
-  if (config.neon.projectId && config.neon.baseBranchId) {
-    const branches = await runStep("Finding Neon branches", () => listBranches(config.neon.projectId));
+  try {
+    const neon = await runStep("Resolving Neon defaults", () => resolveNeonConfig());
+    const branches = await runStep("Finding Neon branches", () => listBranches(neon.projectId));
     const disposableBranches = branches.filter(
-      (branch) => branch.name.startsWith(`${config.neon.previewBranchPrefix}-`) || branch.name.startsWith(`${config.neon.personalBranchPrefix}-`)
+      (branch: { name: string }) =>
+        branch.name.startsWith(`${neon.previewBranchPrefix}-`) || branch.name.startsWith(`${neon.personalBranchPrefix}-`)
     );
 
     await runStep("Deleting Neon preview and personal branches", async () => {
       for (const branch of disposableBranches) {
-        await deleteBranch(config.neon.projectId, branch.id);
+        await deleteBranch(neon.projectId, branch.id);
       }
     });
 
-    await runStep("Deleting Neon service database", () =>
-      deleteDatabase(config.neon.projectId, config.neon.baseBranchId, config.neon.databaseName)
-    );
-  } else {
+    await runStep("Deleting Neon service database", () => deleteDatabase(neon.projectId, neon.baseBranchId, neon.databaseName));
+  } catch (error) {
     log.step("Skipping Neon cleanup because Neon is not configured");
+    log.step(error instanceof Error ? error.message : String(error));
   }
 
+  await runStep("Deleting Grafana resources", async () => deleteGrafanaResources());
+
   await runStep("Deleting service-specific identity resources", () => {
-    deleteWorkloadIdentityProvider();
     deleteServiceAccount(config.runtimeServiceAccount);
-    deleteServiceAccount(config.deployerServiceAccount);
   });
 
-  if (Bun.which("gh")) {
-    await runStep("Deleting GitHub repository variables", () => {
-      for (const name of [...Object.keys(githubVariables), "GCP_WIF_PROVIDER", "GCP_DEPLOYER_SERVICE_ACCOUNT"]) {
-        deleteGithubVariable(name);
-      }
-    });
-
-    if (options.destroyRepo) {
-      await runStep(`Deleting GitHub repository ${config.github.repo}`, () => deleteGithubRepository());
-    }
-  } else if (options.destroyRepo) {
-    throw new Error("gh is required to delete the GitHub repository");
-  } else {
-    log.step("Skipping GitHub cleanup because gh is not installed");
-  }
-
   if (options.destroyProject) {
     await runStep(`Deleting GCP project ${config.project.id}`, () => deleteProject());
     return `Deleted project ${config.project.id}`;
   }
 
-  return `Cleanup finished for ${config.serviceName}`;
+  log.step(`Production API hostname released: ${config.domain.hostname}`);
+  return `Destroy finished for ${config.serviceName}`;
+}
+
+async function deleteGrafanaResources() {
+  if (!(await Bun.file("./grafana").exists())) {
+    return "No grafana directory configured";
+  }
+  if (!Bun.which("gcx")) {
+    return "gcx is not installed; Grafana resources were not deleted";
+  }
+
+  run("gcx", ["resources", "delete", "--path", "./grafana", "--yes", "--on-error", "ignore"]);
+  return "Grafana resources deleted from local manifests";
+}
+
+function assertProductionDomainMappingOwned() {
+  const mapping = describeProductionDomainMapping();
+  if (!mapping) {
+    return;
+  }
+
+  const routeName = mapping.spec?.routeName;
+  if (routeName !== config.serviceName) {
+    throw new Error(`${config.domain.hostname} maps to ${routeName || "an unknown service"}; refusing to delete ambiguous DNS mapping`);
+  }
+
+  assertOwnedResource(`Cloud Run service ${routeName}`, describeCloudRunService(routeName));
+}
+
+async function requireDestroyConfirmation(force: boolean) {
+  if (force) {
+    return;
+  }
+
+  if (!process.stdin.isTTY) {
+    throw new Error("service destroy requires --force when running non-interactively");
+  }
+
+  const answer = await confirm({
+    message: `Destroy resources owned by ${config.serviceName}?`,
+    initialValue: false,
+  });
+  if (isCancel(answer) || !answer) {
+    throw new Error("Destroy cancelled");
+  }
 }
 
 if (import.meta.main) {
-  await runMain("Cleanup", () => cleanup(Bun.argv.slice(2)));
+  await runMain("Destroy", () => cleanup(Bun.argv.slice(2)));
 }

package/templates/shared/scripts/cloudrun/cli.ts

@@ -1,17 +1,43 @@
 #!/usr/bin/env bun
 
+import { mkdir } from "node:fs/promises";
+import { ensureAuthResourceServer, runAuthCommand, runAuthDoctor } from "../authctl";
 import { bootstrap } from "./bootstrap";
 import { cleanup } from "./cleanup";
 import { deploy } from "./deploy";
-import { runMain } from "./lib";
+import { config } from "./config";
+import {
+  accessSecretVersion,
+  assertProductionDomainAvailable,
+  assertServiceNameAvailable,
+  describeProductionDomainMapping,
+  formatError,
+  gcloud,
+  ensureProductionDomainMapping,
+  requireCommand,
+  requireGcloudAuth,
+  resolveDeploymentTarget,
+  run,
+  runMain,
+  runStep,
+  serviceOrigin,
+} from "./lib";
 
 async function main(argv = Bun.argv.slice(2)) {
   const [command, ...rest] = argv;
 
-  if (command === "bootstrap") {
-    await runMain("Bootstrap", async () => {
+  if (command === "create") {
+    await runMain("Create", async () => {
+      assertServiceNameAvailable(config.serviceName);
+      assertProductionDomainAvailable(config.serviceName);
+      await runStep("Registering auth resource server", () => ensureAuthResourceServer());
       await bootstrap();
-      return "Bootstrap finished";
+      const target = resolveDeploymentTarget("main");
+      const databaseUrl = await runStep("Reading production database URL", () => accessSecretVersion(target.databaseSecretName));
+      await runStep("Applying production migrations", () => runLanguageTask("migrate", { DATABASE_URL: databaseUrl }));
+      const origin = await deploy(["--ci"]);
+      await runOptionalBunScript("seed", { DATABASE_URL: databaseUrl });
+      return `Created ${origin}`;
     });
     return;
   }
@@ -21,12 +47,303 @@ async function main(argv = Bun.argv.slice(2)) {
     return;
   }
 
-  if (command === "cleanup") {
-    await runMain("Cleanup", () => cleanup(rest));
+  if (command === "migrate") {
+    await runMain("Migrate", () => runLanguageTask("migrate"));
     return;
   }
 
-  throw new Error("Usage: svc-cloudrun <bootstrap|deploy|cleanup> [args]");
+  if (command === "seed") {
+    await runMain("Seed", () => runOptionalBunScript("seed"));
+    return;
+  }
+
+  if (command === "dashboards") {
+    await runMain("Dashboards", () => runDashboards());
+    return;
+  }
+
+  if (command === "dns") {
+    await runMain("DNS", () => repairDns());
+    return;
+  }
+
+  if (command === "doctor") {
+    await runMain("Doctor", () => runDoctor());
+    return;
+  }
+
+  if (command === "auth") {
+    await runMain("Auth", () => runAuthCommand(rest));
+    return;
+  }
+
+  if (command === "destroy") {
+    await runMain("Destroy", () => cleanup(rest));
+    return;
+  }
+
+  if (command === "sdk") {
+    await runMain("SDK", () => runSdk(rest));
+    return;
+  }
+
+  throw new Error("Usage: service <create|deploy|migrate|seed|dashboards|dns|doctor|destroy|auth|sdk> [args]");
+}
+
+function runLanguageTask(task: "migrate", env?: Record<string, string | undefined>) {
+  if (config.runtime === "bun") {
+    run("bun", ["run", `./scripts/${task}.ts`], { env });
+    return `${task} finished`;
+  }
+
+  if (task === "migrate") {
+    run("make", ["migrate"], { env });
+    return `${task} finished`;
+  }
+
+  throw new Error(`${task} is not available for ${config.runtime}`);
+}
+
+async function runOptionalBunScript(name: string, env?: Record<string, string | undefined>) {
+  const scriptPath = `./scripts/${name}.ts`;
+  if (!(await Bun.file(scriptPath).exists())) {
+    return `${name} script is not configured`;
+  }
+
+  run("bun", ["run", scriptPath], { env });
+  return `${name} finished`;
+}
+
+function runDashboards() {
+  requireCommand("gcx");
+  run("gcx", ["dev", "lint", "run", "./grafana", "-o", "compact"]);
+  run("gcx", ["resources", "push", "--path", "./grafana"]);
+  return "Dashboards pushed";
+}
+
+function repairDns() {
+  ensureProductionDomainMapping(config.serviceName);
+  return `DNS mapping ready for https://${config.domain.hostname}`;
+}
+
+async function runDoctor() {
+  const results: Array<{ name: string; status: "pass" | "warn" | "fail"; detail: string }> = [];
+  const target = resolveDeploymentTarget("main");
+
+  await record(results, "bun CLI", "fail", () => checkCommand("bun"));
+  await record(results, "gcloud CLI", "fail", () => checkCommand("gcloud"));
+  await record(results, "gcloud auth", "fail", () => {
+    requireGcloudAuth();
+    return "active account available";
+  });
+  await record(results, "GCP project", "fail", () => {
+    gcloud(["projects", "describe", config.project.id, "--format=value(projectId)"]);
+    return config.project.id;
+  });
+  await record(results, "Cloud Run service", "fail", () => {
+    const serviceName = gcloud([
+      "run",
+      "services",
+      "describe",
+      target.serviceName,
+      "--project",
+      config.project.id,
+      "--region",
+      config.region,
+      "--format=value(metadata.name)",
+    ]).stdout;
+    return serviceName || target.serviceName;
+  });
+  await record(results, "runtime database secret", "fail", () => {
+    const value = accessSecretVersion(target.databaseSecretName);
+    if (!value.startsWith("postgres://") && !value.startsWith("postgresql://")) {
+      throw new Error(`${target.databaseSecretName} does not look like a Postgres URL`);
+    }
+    return target.databaseSecretName;
+  });
+  await record(results, "DNS mapping", "fail", () => {
+    const mapping = describeProductionDomainMapping();
+    const mappedService = mapping?.spec?.routeName;
+    if (mappedService !== target.serviceName) {
+      throw new Error(`${config.domain.hostname} maps to ${mappedService || "nothing"}, expected ${target.serviceName}`);
+    }
+    return `${config.domain.hostname} -> ${target.serviceName}`;
+  });
+  await record(results, "deployment health", "fail", async () => {
+    const response = await fetchWithTimeout(`${serviceOrigin(target)}/healthz`, 5_000);
+    if (!response.ok) {
+      throw new Error(`GET /healthz returned ${response.status}`);
+    }
+    return "GET /healthz ok";
+  });
+  await record(results, "migration assets", "fail", async () => {
+    if (!(await Bun.file("./migrations/0000_init.sql").exists())) {
+      throw new Error("missing migrations/0000_init.sql");
+    }
+    return "migrations/0000_init.sql";
+  });
+  if ((config.runtime as string) === "go") {
+    await record(results, "Atlas CLI", "fail", () => checkCommand("atlas"));
+    await record(results, "Atlas config", "fail", async () => {
+      if (!(await Bun.file("./atlas.hcl").exists())) {
+        throw new Error("missing atlas.hcl");
+      }
+      return "atlas.hcl";
+    });
+  }
+  await record(results, "dashboard tooling", "warn", () => {
+    if (!Bun.which("gcx")) {
+      throw new Error("gcx is not installed");
+    }
+    return "gcx available";
+  });
+  await record(results, "dashboard artifacts", "warn", async () => {
+    if (!(await Bun.file("./grafana").exists()) && !(await Bun.file("./dashboards").exists())) {
+      throw new Error("no grafana/ or dashboards/ directory found");
+    }
+    return "dashboard directory found";
+  });
+  await record(results, "authctl", "warn", () => runAuthDoctor().detail);
+  await record(results, "Temporal/Cron", "warn", async () => {
+    const hasBunTemporal = await Bun.file("./src/temporal/worker.ts").exists();
+    const hasGoTemporal = await Bun.file("./internal/temporal/worker.go").exists();
+    if (!hasBunTemporal && !hasGoTemporal) {
+      throw new Error("Temporal worker config is not present in this scaffold yet");
+    }
+    return "Temporal worker config present";
+  });
+
+  if ((config.framework as string) === "connectrpc") {
+    await record(results, "ConnectRPC proto", "fail", async () => {
+      if (!(await Bun.file("./buf.yaml").exists())) {
+        throw new Error("missing buf.yaml");
+      }
+      if (!(await Bun.file("./protos/waitlist/v1/waitlist.proto").exists())) {
+        throw new Error("missing waitlist proto");
+      }
+      return "waitlist proto present";
+    });
+    await record(results, "Buf CLI", "warn", () => checkCommand("buf"));
+    await record(results, "generated SDK artifacts", "warn", async () => {
+      const bunGen = await Bun.file("./gen/protos/waitlist/v1/waitlist_pb.ts").exists();
+      const goGen = await Bun.file("./gen/waitlist/v1/waitlist.pb.go").exists();
+      if (!bunGen && !goGen) {
+        throw new Error("generated SDK artifacts are missing; run service sdk build");
+      }
+      return "local generated artifacts present";
+    });
+    await record(results, "SDK mode", "warn", async () => {
+      const text = await Bun.file(".service/sdk.json").text();
+      const state = JSON.parse(text) as { mode?: string; module?: string };
+      if (state.mode !== "local" && state.mode !== "remote") {
+        throw new Error("SDK mode must be local or remote");
+      }
+      return `${state.mode}: ${state.module || bufModule()}`;
+    });
+  }
+
+  const output = results.map(formatDoctorResult).join("\n");
+  const failures = results.filter((result) => result.status === "fail");
+  if (failures.length > 0) {
+    throw new Error(`Doctor found ${failures.length} failing check(s)\n${output}`);
+  }
+  return output;
+}
+
+async function record(
+  results: Array<{ name: string; status: "pass" | "warn" | "fail"; detail: string }>,
+  name: string,
+  failureStatus: "warn" | "fail",
+  check: () => string | Promise<string>
+) {
+  try {
+    results.push({ name, status: "pass", detail: await check() });
+  } catch (error) {
+    results.push({ name, status: failureStatus, detail: formatError(error) });
+  }
+}
+
+function checkCommand(name: string) {
+  const path = Bun.which(name);
+  if (!path) {
+    throw new Error(`${name} is not installed`);
+  }
+  return path;
+}
+
+async function fetchWithTimeout(url: string, timeoutMs: number) {
+  return await fetch(url, { signal: AbortSignal.timeout(timeoutMs) });
+}
+
+function formatDoctorResult(result: { name: string; status: "pass" | "warn" | "fail"; detail: string }) {
+  const marker = result.status === "pass" ? "PASS" : result.status === "warn" ? "WARN" : "FAIL";
+  return `[${marker}] ${result.name}: ${result.detail}`;
+}
+
+async function runSdk(args: string[]) {
+  if ((config.framework as string) !== "connectrpc") {
+    throw new Error("SDK commands are only available for ConnectRPC services");
+  }
+
+  const [subcommand] = args;
+  if (subcommand === "publish") {
+    requireCommand("buf");
+    run("buf", ["push"]);
+    return "Schema pushed to Buf Schema Registry";
+  }
+
+  if (subcommand === "build") {
+    if (config.runtime === "bun") {
+      run("bun", ["run", "gen"]);
+    } else {
+      run("make", ["gen"]);
+    }
+    await writeSdkMode("local");
+    return "Local SDK artifacts generated and selected";
+  }
+
+  if (subcommand === "use-local") {
+    await assertLocalSdkArtifacts();
+    await writeSdkMode("local");
+    return "Local SDK artifacts selected";
+  }
+
+  if (subcommand === "use-remote") {
+    await writeSdkMode("remote");
+    return `Remote Buf SDK selected: ${bufModule()}`;
+  }
+
+  throw new Error("Usage: service sdk <build|publish|use-local|use-remote>");
+}
+
+async function assertLocalSdkArtifacts() {
+  const bunArtifacts = await Bun.file("./gen/protos/waitlist/v1/waitlist_pb.ts").exists();
+  const goArtifacts = await Bun.file("./gen/waitlist/v1/waitlist.pb.go").exists();
+  if (!bunArtifacts && !goArtifacts) {
+    throw new Error("Local SDK artifacts are missing. Run `service sdk build` first.");
+  }
+}
+
+async function writeSdkMode(mode: "local" | "remote") {
+  await mkdir(".service", { recursive: true });
+  const localPath = config.runtime === "bun" ? "./gen/protos/waitlist/v1" : "./gen/waitlist/v1";
+  await Bun.write(
+    ".service/sdk.json",
+    `${JSON.stringify(
+      {
+        mode,
+        module: bufModule(),
+        localPath,
+        updatedAt: new Date().toISOString(),
+      },
+      null,
+      2
+    )}\n`
+  );
+}
+
+function bufModule() {
+  return `buf.build/anmho/${config.serviceName}`;
 }
 
 if (import.meta.main) {