npm - create-svc - Versions diffs - 0.1.9 → 0.1.11 - Mend

create-svc 0.1.9 → 0.1.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (163) hide show

package/README.md +138 -16
package/bin/create-service.mjs +2 -0
package/package.json +19 -11
package/src/cli.test.ts +46 -7
package/src/cli.ts +282 -84
package/src/git-bootstrap.test.ts +40 -0
package/src/git-bootstrap.ts +110 -0
package/src/naming.test.ts +5 -2
package/src/naming.ts +32 -1
package/src/neon.ts +10 -8
package/src/post-scaffold.test.ts +19 -0
package/src/post-scaffold.ts +18 -26
package/src/profiles.ts +25 -0
package/src/scaffold.test.ts +320 -18
package/src/scaffold.ts +154 -28
package/src/vault.test.ts +94 -10
package/src/vault.ts +81 -18
package/templates/shared/.github/workflows/ci.yml +2 -1
package/templates/shared/.github/workflows/deploy.yml +2 -0
package/templates/shared/README.md +217 -29
package/templates/shared/docker-compose.yml +19 -0
package/templates/shared/grafana/alerts.yaml +54 -0
package/templates/shared/grafana/waitlist-dashboard.json +63 -0
package/templates/shared/scripts/authctl.ts +231 -0
package/templates/shared/scripts/cloudrun/bootstrap.ts +24 -42
package/templates/shared/scripts/cloudrun/cleanup.ts +81 -35
package/templates/shared/scripts/cloudrun/cli.ts +324 -7
package/templates/shared/scripts/cloudrun/config.ts +21 -19
package/templates/shared/scripts/cloudrun/deploy.ts +16 -11
package/templates/shared/scripts/cloudrun/lib.ts +232 -123
package/templates/shared/scripts/cloudrun/neon.ts +127 -13
package/templates/shared/scripts/dev.ts +22 -0
package/templates/shared/scripts/ensure-local-db.ts +3 -0
package/templates/shared/scripts/local-docker.ts +63 -0
package/templates/shared/scripts/local-env.ts +27 -0
package/templates/shared/scripts/seed.ts +73 -0
package/templates/shared/scripts/wait-for-db.ts +32 -0
package/templates/shared/service.config.ts +59 -0
package/templates/shared/service.yaml +24 -1
package/templates/targets/workers/.github/workflows/ci.yml +19 -0
package/templates/targets/workers/.github/workflows/deploy.yml +19 -0
package/templates/targets/workers/Makefile +33 -0
package/templates/targets/workers/README.md +75 -0
package/templates/targets/workers/package.json +35 -0
package/templates/targets/workers/scripts/workers/cli.ts +397 -0
package/templates/targets/workers/src/auth.ts +178 -0
package/templates/targets/workers/src/index.ts +198 -0
package/templates/targets/workers/src/storage.ts +370 -0
package/templates/targets/workers/test/app.test.ts +108 -0
package/templates/targets/workers/tsconfig.json +11 -0
package/templates/targets/workers/wrangler.toml +24 -0
package/templates/variants/bun-connectrpc/Dockerfile +1 -0
package/templates/variants/bun-connectrpc/Makefile +17 -8
package/templates/variants/bun-connectrpc/gen/protos/waitlist/v1/waitlist_pb.ts +424 -0
package/templates/variants/bun-connectrpc/migrations/0000_init.sql +20 -0
package/templates/variants/bun-connectrpc/package.json +25 -1
package/templates/variants/bun-connectrpc/protos/waitlist/v1/waitlist.proto +91 -0
package/templates/variants/bun-connectrpc/scripts/codegen.ts +31 -1
package/templates/variants/bun-connectrpc/scripts/migrate.ts +49 -0
package/templates/variants/bun-connectrpc/src/auth.ts +200 -0
package/templates/variants/bun-connectrpc/src/db/client.ts +15 -0
package/templates/variants/bun-connectrpc/src/db/repository.ts +126 -0
package/templates/variants/bun-connectrpc/src/db/schema.ts +26 -0
package/templates/variants/bun-connectrpc/src/index.ts +194 -22
package/templates/variants/bun-connectrpc/src/temporal/activities.ts +14 -0
package/templates/variants/bun-connectrpc/src/temporal/worker.ts +38 -0
package/templates/variants/bun-connectrpc/src/temporal/workflows.ts +10 -0
package/templates/variants/bun-connectrpc/src/waitlist/service.ts +172 -0
package/templates/variants/bun-connectrpc/src/waitlist/types.ts +45 -0
package/templates/variants/bun-connectrpc/test/app.test.ts +14 -13
package/templates/variants/bun-connectrpc/test/waitlist.integration.test.ts +71 -0
package/templates/variants/bun-connectrpc/tsconfig.json +2 -1
package/templates/variants/bun-hono/Makefile +17 -8
package/templates/variants/bun-hono/migrations/0000_init.sql +20 -0
package/templates/variants/bun-hono/package.json +21 -1
package/templates/variants/bun-hono/scripts/migrate.ts +49 -0
package/templates/variants/bun-hono/src/auth.ts +181 -0
package/templates/variants/bun-hono/src/db/client.ts +15 -0
package/templates/variants/bun-hono/src/db/repository.ts +126 -0
package/templates/variants/bun-hono/src/db/schema.ts +26 -0
package/templates/variants/bun-hono/src/index.ts +141 -10
package/templates/variants/bun-hono/src/temporal/activities.ts +14 -0
package/templates/variants/bun-hono/src/temporal/worker.ts +38 -0
package/templates/variants/bun-hono/src/temporal/workflows.ts +10 -0
package/templates/variants/bun-hono/src/waitlist/service.ts +166 -0
package/templates/variants/bun-hono/src/waitlist/types.ts +50 -0
package/templates/variants/bun-hono/test/app.test.ts +90 -5
package/templates/variants/bun-hono/test/waitlist.integration.test.ts +102 -0
package/templates/variants/bun-hono/tsconfig.json +1 -0
package/templates/variants/go-chi/Makefile +30 -10
package/templates/variants/go-chi/atlas.hcl +8 -0
package/templates/variants/go-chi/cmd/server/main.go +25 -13
package/templates/variants/go-chi/go.mod +3 -2
package/templates/variants/go-chi/internal/app/service.go +279 -70
package/templates/variants/go-chi/internal/auth/middleware.go +289 -0
package/templates/variants/go-chi/internal/auth/middleware_test.go +38 -0
package/templates/variants/go-chi/internal/config/config.go +38 -7
package/templates/variants/go-chi/internal/httpapi/routes.go +170 -47
package/templates/variants/go-chi/internal/httpapi/waitlist_integration_test.go +199 -0
package/templates/variants/go-chi/internal/temporal/activities.go +27 -0
package/templates/variants/go-chi/internal/temporal/worker.go +42 -0
package/templates/variants/go-chi/internal/temporal/workflows.go +18 -0
package/templates/variants/go-chi/migrations/0000_init.sql +20 -0
package/templates/variants/go-chi/migrations/atlas.sum +2 -0
package/templates/variants/go-chi/package.json +7 -1
package/templates/variants/go-chi/test/go.test.ts +4 -1
package/templates/variants/go-connectrpc/Makefile +29 -8
package/templates/variants/go-connectrpc/atlas.hcl +8 -0
package/templates/variants/go-connectrpc/buf.gen.yaml +2 -0
package/templates/variants/go-connectrpc/cmd/server/main.go +44 -9
package/templates/variants/go-connectrpc/gen/waitlist/v1/waitlist.pb.go +960 -0
package/templates/variants/go-connectrpc/gen/waitlist/v1/waitlistv1connect/waitlist.connect.go +283 -0
package/templates/variants/go-connectrpc/go.mod +4 -0
package/templates/variants/go-connectrpc/internal/app/service.go +279 -70
package/templates/variants/go-connectrpc/internal/auth/middleware.go +289 -0
package/templates/variants/go-connectrpc/internal/auth/middleware_test.go +38 -0
package/templates/variants/go-connectrpc/internal/config/config.go +38 -7
package/templates/variants/go-connectrpc/internal/connectapi/handler.go +129 -40
package/templates/variants/go-connectrpc/internal/connectapi/waitlist_integration_test.go +122 -0
package/templates/variants/go-connectrpc/internal/httpapi/routes.go +170 -47
package/templates/variants/go-connectrpc/internal/temporal/activities.go +27 -0
package/templates/variants/go-connectrpc/internal/temporal/worker.go +42 -0
package/templates/variants/go-connectrpc/internal/temporal/workflows.go +18 -0
package/templates/variants/go-connectrpc/migrations/0000_init.sql +20 -0
package/templates/variants/go-connectrpc/migrations/atlas.sum +2 -0
package/templates/variants/go-connectrpc/package.json +7 -1
package/templates/variants/go-connectrpc/protos/waitlist/v1/waitlist.proto +93 -0
package/templates/root/.github/workflows/buf-publish.yml +0 -19
package/templates/root/.github/workflows/ci.yml +0 -26
package/templates/root/.github/workflows/deploy.yml +0 -22
package/templates/root/Dockerfile +0 -23
package/templates/root/README.md +0 -69
package/templates/root/buf.gen.yaml +0 -10
package/templates/root/buf.yaml +0 -9
package/templates/root/cmd/server/main.go +0 -44
package/templates/root/gen/dns/v1/dns.pb.go +0 -623
package/templates/root/gen/dns/v1/dnsv1connect/dns.connect.go +0 -192
package/templates/root/go.mod +0 -10
package/templates/root/internal/app/service.go +0 -152
package/templates/root/internal/app/token_source.go +0 -50
package/templates/root/internal/cloudflare/client.go +0 -160
package/templates/root/internal/config/config.go +0 -55
package/templates/root/internal/connectapi/handler.go +0 -79
package/templates/root/internal/httpapi/routes.go +0 -93
package/templates/root/internal/vault/client.go +0 -148
package/templates/root/package.json +0 -12
package/templates/root/protos/dns/v1/dns.proto +0 -58
package/templates/root/scripts/cloudrun/bootstrap.ts +0 -65
package/templates/root/scripts/cloudrun/config.ts +0 -50
package/templates/root/scripts/cloudrun/deploy.ts +0 -41
package/templates/root/scripts/cloudrun/lib.ts +0 -244
package/templates/root/service.yaml +0 -50
package/templates/root/test/go.test.ts +0 -19
package/templates/shared/.env.example +0 -10
package/templates/variants/go-chi/buf.gen.yaml +0 -10
package/templates/variants/go-chi/buf.yaml +0 -9
package/templates/variants/go-chi/gen/dns/v1/dns.pb.go +0 -623
package/templates/variants/go-chi/gen/dns/v1/dnsv1connect/dns.connect.go +0 -192
package/templates/variants/go-chi/internal/connectapi/handler.go +0 -79
package/templates/variants/go-chi/protos/dns/v1/dns.proto +0 -58
package/templates/variants/go-connectrpc/gen/dns/v1/dns.pb.go +0 -623
package/templates/variants/go-connectrpc/gen/dns/v1/dnsv1connect/dns.connect.go +0 -192
package/templates/variants/go-connectrpc/protos/dns/v1/dns.proto +0 -58

package/templates/shared/scripts/cloudrun/config.ts CHANGED Viewed

@@ -1,13 +1,16 @@
 export const config = {
   serviceName: "{{SERVICE_NAME}}",
+  profile: "{{PROFILE}}",
+  example: {
+    kind: "{{EXAMPLE_KIND}}",
+    domain: "{{EXAMPLE_DOMAIN}}",
+    label: "{{EXAMPLE_LABEL}}",
+  },
   runtime: "{{RUNTIME}}",
   framework: "{{FRAMEWORK}}",
   region: "{{REGION}}",
   artifactRepository: "cloud-run",
   runtimeServiceAccount: "{{RUNTIME_SERVICE_ACCOUNT}}",
-  deployerServiceAccount: "{{DEPLOYER_SERVICE_ACCOUNT}}",
-  workloadIdentityPoolId: "{{WIF_POOL_ID}}",
-  workloadIdentityProviderId: "{{WIF_PROVIDER_ID}}",
   project: {
     mode: "{{GCP_PROJECT_MODE}}",
     id: "{{PROJECT_ID}}",
@@ -16,10 +19,21 @@ export const config = {
     billingAccount: "{{BILLING_ACCOUNT}}",
     quotaProjectId: "{{QUOTA_PROJECT_ID}}",
   },
-  github: {
-    repo: "{{GITHUB_REPO}}",
-    visibility: "{{GITHUB_VISIBILITY}}",
-    createIfMissing: {{GITHUB_CREATE_IF_MISSING}},
+  domain: {
+    hostname: "{{API_HOSTNAME}}",
+    baseDomain: "{{API_BASE_DOMAIN}}",
+  },
+  auth: {
+    issuer: "https://auth.anmho.com/api/auth",
+    audience: "api://{{SERVICE_ID}}",
+    jwksUrl: "https://auth.anmho.com/api/auth/jwks",
+  },
+  temporal: {
+    enabled: false,
+    address: "localhost:7233",
+    namespace: "default",
+    taskQueue: "{{SERVICE_ID}}",
+    apiKeySecretName: "{{SERVICE_ID}}-temporal-api-key",
   },
   neon: {
     projectId: "{{NEON_PROJECT_ID}}",
@@ -42,16 +56,4 @@ export const config = {
   ],
 } as const;
-export const githubVariables = {
-  GCP_PROJECT_ID: "{{PROJECT_ID}}",
-  GCP_REGION: "{{REGION}}",
-  CLOUD_RUN_SERVICE: "{{SERVICE_NAME}}",
-  CREATE_SVC_RUNTIME: "{{RUNTIME}}",
-  CREATE_SVC_FRAMEWORK: "{{FRAMEWORK}}",
-  NEON_PROJECT_ID: "{{NEON_PROJECT_ID}}",
-  NEON_BASE_BRANCH_ID: "{{NEON_BASE_BRANCH_ID}}",
-  NEON_DATABASE_NAME: "{{NEON_DATABASE_NAME}}",
-} as const;
 export type DeployEnvironment = "main" | "preview" | "personal";

package/templates/shared/scripts/cloudrun/deploy.ts CHANGED Viewed

@@ -1,10 +1,11 @@
 import { config } from "./config";
 import { bootstrap } from "./bootstrap";
-import { deleteBranch, ensureBranch, ensureDatabase, getConnectionUri, listBranches } from "./neon";
+import { deleteBranch, ensureBranch, ensureDatabase, getConnectionUri, listBranches, resolveNeonConfig } from "./neon";
 import {
   addSecretVersion,
   deleteService,
   ensureArtifactRepository,
+  ensureProductionDomainMapping,
   ensureSecretAccessor,
   gcloud,
   imageUrl,
@@ -13,7 +14,7 @@ import {
   resolveDeploymentTarget,
   runMain,
   runStep,
-  serviceUrl,
+  serviceOrigin,
   writeRenderedManifest,
 } from "./lib";
@@ -27,6 +28,7 @@ export async function deploy(args = Bun.argv.slice(2)) {
   }
   const target = resolveDeploymentTarget(options.environment, options.name);
+  const neon = await runStep("Resolving Neon defaults", () => resolveNeonConfig());
   if (options.destroy) {
     if (options.environment === "main") {
@@ -35,10 +37,10 @@ export async function deploy(args = Bun.argv.slice(2)) {
     await runStep(`Deleting Cloud Run service ${target.serviceName}`, () => deleteService(target.serviceName));
     await runStep(`Deleting Neon branch ${target.branchName}`, async () => {
-      const branches = await listBranches(config.neon.projectId);
-      const branch = branches.find((candidate) => candidate.name === target.branchName);
+      const branches = await listBranches(neon.projectId);
+      const branch = branches.find((candidate: { name: string }) => candidate.name === target.branchName);
       if (branch) {
-        await deleteBranch(config.neon.projectId, branch.id);
+        await deleteBranch(neon.projectId, branch.id);
       }
     });
     return `Destroyed ${target.serviceName}`;
@@ -46,21 +48,20 @@ export async function deploy(args = Bun.argv.slice(2)) {
   await runStep("Ensuring Artifact Registry repository", () => ensureArtifactRepository());
-  let branchId = config.neon.baseBranchId;
+  let branchId: string = neon.baseBranchId;
   if (options.environment !== "main") {
     const branch = await runStep(`Ensuring Neon branch ${target.branchName}`, () =>
-      ensureBranch(config.neon.projectId, target.branchName, config.neon.baseBranchId)
+      ensureBranch(neon.projectId, target.branchName, neon.baseBranchId)
     );
     branchId = branch.id;
   }
   await runStep("Publishing environment database secret", async () => {
-    await ensureDatabase(config.neon.projectId, branchId, config.neon.databaseName);
-    const connectionUri = await getConnectionUri(config.neon.projectId, branchId, config.neon.databaseName, config.neon.roleName);
+    await ensureDatabase(neon.projectId, branchId, neon.databaseName);
+    const connectionUri = await getConnectionUri(neon.projectId, branchId, neon.databaseName, neon.roleName);
     addSecretVersion(target.databaseSecretName, connectionUri);
     ensureSecretAccessor(target.databaseSecretName, `serviceAccount:${config.runtimeServiceAccount}`);
   });
   const image = imageUrl();
   await runStep("Building container image", () =>
     gcloud(["builds", "submit", "--project", config.project.id, "--region", config.region, "--tag", image])
@@ -89,7 +90,11 @@ export async function deploy(args = Bun.argv.slice(2)) {
     ])
   );
-  return serviceUrl(target.serviceName);
+  if (target.environment === "main") {
+    await runStep(`Ensuring production domain mapping for ${config.domain.hostname}`, () => ensureProductionDomainMapping(target.serviceName));
+  }
+  return serviceOrigin(target);
 }
 if (import.meta.main) {

package/templates/shared/scripts/cloudrun/lib.ts CHANGED Viewed

@@ -4,6 +4,7 @@ import { config } from "./config";
 type CommandOptions = {
   allowFailure?: boolean;
   input?: string;
+  env?: Record<string, string | undefined>;
 };
 type DeployArgs = {
@@ -15,16 +16,23 @@ type DeployArgs = {
 type CleanupArgs = {
   destroyProject: boolean;
-  destroyRepo: boolean;
+  force: boolean;
 };
-type DeploymentTarget = {
+export type DeploymentTarget = {
   environment: "main" | "preview" | "personal";
   serviceName: string;
   branchName: string;
   databaseSecretName: string;
 };
+type GcpResourceWithLabels = {
+  metadata?: {
+    labels?: Record<string, string>;
+  };
+  labels?: Record<string, string>;
+};
 type CommandResult = {
   success: boolean;
   stdout: string;
@@ -33,6 +41,7 @@ type CommandResult = {
 };
 const decoder = new TextDecoder();
+const encoder = new TextEncoder();
 export class CommandError extends Error {
   command: string;
@@ -58,11 +67,27 @@ export function requireCommand(name: string) {
   }
 }
+export function requireGcloudAuth() {
+  const activeAccount = gcloud(["auth", "list", "--filter=status:ACTIVE", "--format=value(account)"], {
+    allowFailure: true,
+  }).stdout.trim();
+  if (!activeAccount) {
+    throw new Error(
+      [
+        "gcloud is installed but no active Google Cloud account is available.",
+        "Run `gcloud auth login` on this machine before using service create, deploy, doctor, dns, or destroy.",
+        "If you also rely on Application Default Credentials for other tooling, run `gcloud auth application-default login` as well.",
+      ].join(" ")
+    );
+  }
+}
 export function run(command: string, args: string[], options: CommandOptions = {}): CommandResult {
   const result = Bun.spawnSync([command, ...args], {
     cwd: process.cwd(),
-    env: process.env,
-    stdin: options.input,
+    env: { ...process.env, ...options.env },
+    stdin: options.input === undefined ? undefined : encoder.encode(options.input),
     stdout: "pipe",
     stderr: "pipe",
   });
@@ -89,10 +114,6 @@ export function gcloud(args: string[], options: CommandOptions = {}) {
   return run("gcloud", normalized, options);
 }
-export function gh(args: string[], options: CommandOptions = {}) {
-  return run("gh", args, options);
-}
 export async function runStep<T>(label: string, task: () => Promise<T> | T) {
   const indicator = spinner();
   indicator.start(label);
@@ -107,7 +128,7 @@ export async function runStep<T>(label: string, task: () => Promise<T> | T) {
   }
 }
-export async function runMain(name: string, task: () => Promise<string | void>) {
+export async function runMain(name: string, task: () => Promise<string | void> | string | void) {
   intro(name);
   try {
@@ -140,6 +161,9 @@ export function ensureProject() {
 }
 export function attachBilling() {
+  if (config.project.mode === "use_existing") {
+    return "Using existing project billing";
+  }
   gcloud(["beta", "billing", "projects", "link", config.project.id, "--billing-account", config.project.billingAccount]);
 }
@@ -180,7 +204,17 @@ export function ensureSecret(secretName: string) {
     return;
   }
-  gcloud(["secrets", "create", secretName, "--project", config.project.id, "--replication-policy", "automatic"]);
+  gcloud([
+    "secrets",
+    "create",
+    secretName,
+    "--project",
+    config.project.id,
+    "--replication-policy",
+    "automatic",
+    "--labels",
+    ownershipLabelsArg(),
+  ]);
 }
 export function addSecretVersion(secretName: string, value: string) {
@@ -188,6 +222,10 @@ export function addSecretVersion(secretName: string, value: string) {
   gcloud(["secrets", "versions", "add", secretName, "--project", config.project.id, "--data-file=-"], { input: value });
 }
+export function accessSecretVersion(secretName: string) {
+  return gcloud(["secrets", "versions", "access", "latest", "--secret", secretName, "--project", config.project.id]).stdout;
+}
 export function ensureSecretAccessor(secretName: string, member: string) {
   gcloud(["secrets", "add-iam-policy-binding", secretName, "--project", config.project.id, "--member", member, "--role", "roles/secretmanager.secretAccessor"]);
 }
@@ -204,6 +242,11 @@ export function deleteSecret(secretName: string) {
   gcloud(["secrets", "delete", secretName, "--project", config.project.id, "--quiet"], { allowFailure: true });
 }
+export function describeSecret(secretName: string): GcpResourceWithLabels | undefined {
+  const result = gcloud(["secrets", "describe", secretName, "--project", config.project.id, "--format=json"], { allowFailure: true });
+  return parseOptionalJson(result.stdout, result.success);
+}
 export function ensureArtifactRepository() {
   if (
     gcloud(
@@ -232,114 +275,6 @@ export function projectNumber() {
   return gcloud(["projects", "describe", config.project.id, "--format=value(projectNumber)"]).stdout;
 }
-export function workloadIdentityPoolResource() {
-  return `projects/${projectNumber()}/locations/global/workloadIdentityPools/${config.workloadIdentityPoolId}`;
-}
-export function workloadIdentityProviderResource() {
-  return `${workloadIdentityPoolResource()}/providers/${config.workloadIdentityProviderId}`;
-}
-export function ensureWorkloadIdentityPool() {
-  if (
-    gcloud(["iam", "workload-identity-pools", "describe", config.workloadIdentityPoolId, "--project", config.project.id, "--location", "global"], {
-      allowFailure: true,
-    }).success
-  ) {
-    return;
-  }
-  gcloud([
-    "iam",
-    "workload-identity-pools",
-    "create",
-    config.workloadIdentityPoolId,
-    "--project",
-    config.project.id,
-    "--location",
-    "global",
-    "--display-name",
-    "GitHub Actions",
-  ]);
-}
-export function ensureWorkloadIdentityProvider() {
-  if (
-    gcloud(
-      [
-        "iam",
-        "workload-identity-pools",
-        "providers",
-        "describe",
-        config.workloadIdentityProviderId,
-        "--project",
-        config.project.id,
-        "--location",
-        "global",
-        "--workload-identity-pool",
-        config.workloadIdentityPoolId,
-      ],
-      { allowFailure: true }
-    ).success
-  ) {
-    return;
-  }
-  gcloud([
-    "iam",
-    "workload-identity-pools",
-    "providers",
-    "create-oidc",
-    config.workloadIdentityProviderId,
-    "--project",
-    config.project.id,
-    "--location",
-    "global",
-    "--workload-identity-pool",
-    config.workloadIdentityPoolId,
-    "--display-name",
-    `${config.serviceName} GitHub`,
-    "--issuer-uri",
-    "https://token.actions.githubusercontent.com",
-    "--attribute-mapping",
-    "google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner",
-    "--attribute-condition",
-    `assertion.repository=='${config.github.repo}'`,
-  ]);
-}
-export function deleteWorkloadIdentityProvider() {
-  gcloud(
-    [
-      "iam",
-      "workload-identity-pools",
-      "providers",
-      "delete",
-      config.workloadIdentityProviderId,
-      "--project",
-      config.project.id,
-      "--location",
-      "global",
-      "--workload-identity-pool",
-      config.workloadIdentityPoolId,
-      "--quiet",
-    ],
-    { allowFailure: true }
-  );
-}
-export function setGithubVariable(name: string, value: string) {
-  gh(["variable", "set", name, "--repo", config.github.repo, "--body", value]);
-}
-export function deleteGithubVariable(name: string) {
-  gh(["variable", "delete", name, "--repo", config.github.repo], { allowFailure: true });
-}
-export function deleteGithubRepository() {
-  gh(["repo", "delete", config.github.repo, "--yes"]);
-}
 export function imageTag() {
   const gitSha = run("git", ["rev-parse", "--short", "HEAD"], { allowFailure: true }).stdout;
   return gitSha || `${Date.now()}`;
@@ -408,7 +343,7 @@ export function parseDeployArgs(argv: string[]): DeployArgs {
 export function parseCleanupArgs(argv: string[]): CleanupArgs {
   const parsed: CleanupArgs = {
     destroyProject: false,
-    destroyRepo: false,
+    force: false,
   };
   for (const token of argv) {
@@ -416,9 +351,8 @@ export function parseCleanupArgs(argv: string[]): CleanupArgs {
       parsed.destroyProject = true;
       continue;
     }
-    if (token === "--repo") {
-      parsed.destroyRepo = true;
+    if (token === "--force") {
+      parsed.force = true;
       continue;
     }
   }
@@ -460,24 +394,61 @@ export function resolveDeploymentTarget(environment: DeployArgs["environment"],
 export async function renderManifest(image: string, target: DeploymentTarget) {
   const template = await Bun.file(new URL("../../service.yaml", import.meta.url)).text();
+  const temporal = resolveTemporalRuntimeConfig();
   const values = {
     SERVICE_NAME: target.serviceName,
+    SERVICE_ID: config.serviceName,
     RUNTIME_SERVICE_ACCOUNT: config.runtimeServiceAccount,
     IMAGE_URL: image,
     DATABASE_URL_SECRET: target.databaseSecretName,
     SERVICE_RUNTIME: config.runtime,
     SERVICE_FRAMEWORK: config.framework,
+    TEMPORAL_ENABLED: String(temporal.enabled),
+    TEMPORAL_ADDRESS: temporal.address,
+    TEMPORAL_NAMESPACE: temporal.namespace,
+    TEMPORAL_TASK_QUEUE: temporal.taskQueue,
+    TEMPORAL_API_KEY_ENV: temporal.apiKeySecretName
+      ? [
+          "            - name: TEMPORAL_API_KEY",
+          "              valueFrom:",
+          "                secretKeyRef:",
+          `                  name: ${temporal.apiKeySecretName}`,
+          "                  key: latest",
+        ].join("\n")
+      : "",
+    AUTH_ISSUER: config.auth.issuer,
+    AUTH_AUDIENCE: config.auth.audience,
+    AUTH_JWKS_URL: config.auth.jwksUrl,
   };
   return template.replace(/\$\{([A-Z0-9_]+)\}/g, (_, key: string) => {
     const value = values[key as keyof typeof values];
-    if (!value) {
+    if (value === undefined) {
       throw new Error(`missing manifest value for ${key}`);
     }
     return value;
   });
 }
+export function resolveTemporalRuntimeConfig() {
+  const enabledOverride = process.env.TEMPORAL_ENABLED?.trim();
+  const address = process.env.TEMPORAL_ADDRESS?.trim() || config.temporal.address;
+  const namespace = process.env.TEMPORAL_NAMESPACE?.trim() || config.temporal.namespace;
+  const taskQueue = process.env.TEMPORAL_TASK_QUEUE?.trim() || config.temporal.taskQueue;
+  const apiKeySecretName = process.env.TEMPORAL_API_KEY_SECRET?.trim() || (process.env.TEMPORAL_API_KEY?.trim() ? config.temporal.apiKeySecretName : "");
+  const enabled = enabledOverride
+    ? ["1", "true", "yes", "on"].includes(enabledOverride.toLowerCase())
+    : Boolean(process.env.TEMPORAL_ADDRESS?.trim() || process.env.TEMPORAL_API_KEY?.trim() || process.env.TEMPORAL_API_KEY_SECRET?.trim());
+  return {
+    enabled,
+    address,
+    namespace,
+    taskQueue,
+    apiKeySecretName,
+  };
+}
 export async function writeRenderedManifest(image: string, target: DeploymentTarget) {
   const rendered = await renderManifest(image, target);
   const path = new URL("../../.cloudrun.rendered.yaml", import.meta.url);
@@ -491,6 +462,109 @@ export function serviceUrl(serviceName: string) {
   ).stdout;
 }
+export function serviceDomain(target: DeploymentTarget) {
+  if (target.environment === "main") {
+    return config.domain.hostname;
+  }
+  return `${target.serviceName}-${config.project.id}-${config.region}.a.run.app`;
+}
+export function serviceOrigin(target: DeploymentTarget) {
+  if (target.environment === "main") {
+    return `https://${config.domain.hostname}`;
+  }
+  const url = serviceUrl(target.serviceName);
+  return url || `https://${serviceDomain(target)}`;
+}
+export function ensureProductionDomainMapping(serviceName: string) {
+  const existing = describeProductionDomainMapping();
+  if (existing) {
+    const mappedService = existing.spec?.routeName ?? existing.status?.resourceRecords?.[0]?.rrdata;
+    if (!mappedService || mappedService === serviceName) {
+      return;
+    }
+    throw new Error(`${config.domain.hostname} is already mapped to ${mappedService}; refusing to take it over`);
+  }
+  gcloud([
+    "beta",
+    "run",
+    "domain-mappings",
+    "create",
+    "--service",
+    serviceName,
+    "--domain",
+    config.domain.hostname,
+    "--project",
+    config.project.id,
+    "--region",
+    config.region,
+  ]);
+}
+export function describeProductionDomainMapping():
+  | { spec?: { routeName?: string }; status?: { resourceRecords?: Array<{ rrdata?: string }> } }
+  | undefined {
+  const result = gcloud(
+    [
+      "beta",
+      "run",
+      "domain-mappings",
+      "describe",
+      "--domain",
+      config.domain.hostname,
+      "--project",
+      config.project.id,
+      "--region",
+      config.region,
+      "--format=json",
+    ],
+    { allowFailure: true }
+  );
+  if (!result.success || !result.stdout) {
+    return undefined;
+  }
+  try {
+    return JSON.parse(result.stdout);
+  } catch {
+    throw new Error(`Unable to parse Cloud Run domain mapping for ${config.domain.hostname}`);
+  }
+}
+export function assertProductionDomainAvailable(serviceName: string) {
+  const existing = describeProductionDomainMapping();
+  if (!existing) {
+    return;
+  }
+  const mappedService = existing.spec?.routeName;
+  if (mappedService && mappedService !== serviceName) {
+    throw new Error(`${config.domain.hostname} is already mapped to ${mappedService}; choose a different service_id before provisioning resources`);
+  }
+  throw new Error(`${config.domain.hostname} already has a domain mapping; use service deploy to redeploy or service dns to repair it`);
+}
+export function assertServiceNameAvailable(serviceName: string) {
+  const result = gcloud(
+    ["run", "services", "describe", serviceName, "--project", config.project.id, "--region", config.region, "--format=value(metadata.name)"],
+    { allowFailure: true }
+  );
+  if (result.success) {
+    throw new Error(`${serviceName} already exists in Cloud Run; use service deploy to redeploy or service destroy to remove owned resources`);
+  }
+}
+export function deleteProductionDomainMapping() {
+  gcloud(["beta", "run", "domain-mappings", "delete", "--domain", config.domain.hostname, "--project", config.project.id, "--quiet"], {
+    allowFailure: true,
+  });
+}
 export function listCloudRunServices() {
   return gcloud(["run", "services", "list", "--project", config.project.id, "--region", config.region, "--format=value(metadata.name)"]).stdout
     .split("\n")
@@ -498,6 +572,14 @@ export function listCloudRunServices() {
     .filter(Boolean);
 }
+export function describeCloudRunService(serviceName: string): GcpResourceWithLabels | undefined {
+  const result = gcloud(
+    ["run", "services", "describe", serviceName, "--project", config.project.id, "--region", config.region, "--format=json"],
+    { allowFailure: true }
+  );
+  return parseOptionalJson(result.stdout, result.success);
+}
 export function deleteService(serviceName: string) {
   gcloud(["run", "services", "delete", serviceName, "--project", config.project.id, "--region", config.region, "--quiet"], {
     allowFailure: true,
@@ -515,3 +597,30 @@ function slugify(value: string) {
     .replace(/[^a-z0-9]+/g, "-")
     .replace(/^-+|-+$/g, "");
 }
+export function assertOwnedResource(name: string, resource: GcpResourceWithLabels | undefined) {
+  if (!resource) {
+    throw new Error(`${name} does not exist`);
+  }
+  const labels = resource.metadata?.labels ?? resource.labels ?? {};
+  if (labels.managed_by !== "create-service" || labels.service_id !== config.serviceName) {
+    throw new Error(`${name} is missing ownership labels for service_id=${config.serviceName}`);
+  }
+}
+function ownershipLabelsArg() {
+  return `managed_by=create-service,service_id=${config.serviceName}`;
+}
+function parseOptionalJson<T>(stdout: string, success: boolean): T | undefined {
+  if (!success || !stdout) {
+    return undefined;
+  }
+  try {
+    return JSON.parse(stdout) as T;
+  } catch {
+    throw new Error("Unable to parse gcloud JSON response");
+  }
+}