create-svc 0.1.9 → 0.1.11

package/templates/shared/scripts/cloudrun/neon.ts

@@ -3,11 +3,31 @@ import { homedir } from "node:os";
 import { join } from "node:path";
 import { config } from "./config";
 
+type NeonProject = {
+  id: string;
+  name: string;
+};
+
 type NeonBranch = {
   id: string;
   name: string;
 };
 
+type NeonDatabase = {
+  name: string;
+  ownerName: string;
+};
+
+type ResolvedNeonConfig = {
+  projectId: string;
+  baseBranchId: string;
+  baseBranchName: string;
+  databaseName: string;
+  roleName: string;
+  previewBranchPrefix: string;
+  personalBranchPrefix: string;
+};
+
 async function resolveNeonApiKey() {
   const direct = process.env.NEON_API_KEY?.trim();
   if (direct) {
@@ -17,8 +37,8 @@ async function resolveNeonApiKey() {
   const addr = process.env.VAULT_ADDR?.trim() ?? "";
   const token = await resolveVaultToken();
   const mount = process.env.VAULT_SECRET_MOUNT?.trim() ?? "secret";
-  const path = process.env.VAULT_NEON_API_KEY_PATH?.trim() ?? "provider/neon-api-key";
-  const field = process.env.VAULT_NEON_API_KEY_FIELD?.trim() ?? "value";
+  const path = process.env.VAULT_NEON_API_KEY_PATH?.trim() ?? "prod/providers/neon";
+  const field = process.env.VAULT_NEON_API_KEY_FIELD?.trim() ?? "api_key";
 
   if (!addr || !token) {
     throw new Error("NEON_API_KEY is required for Neon provisioning, or set VAULT_ADDR with VAULT_TOKEN, VAULT_TOKEN_FILE, or ~/.vault-token");
@@ -57,7 +77,7 @@ async function resolveVaultToken() {
     return direct;
   }
 
-  const tokenFile = process.env.VAULT_TOKEN_FILE?.trim() || join(homedir(), ".vault-token");
+  const tokenFile = process.env.VAULT_TOKEN_FILE?.trim() || join(process.env.HOME?.trim() || homedir(), ".vault-token");
 
   try {
     return (await Bun.file(tokenFile).text()).trim();
@@ -71,15 +91,80 @@ async function neonClient() {
   return createApiClient({ apiKey });
 }
 
+export async function listProjects() {
+  const payload = await (await neonClient()).listProjects({ limit: 100 });
+  const projects = ((payload.data as { projects?: Array<{ id?: string; name?: string }> } | undefined)?.projects ?? []);
+  return projects
+    .map((project: { id?: string; name?: string }) => ({
+      id: project.id ?? "",
+      name: project.name ?? project.id ?? "",
+    }))
+    .filter((project: NeonProject): project is NeonProject => Boolean(project.id))
+    .sort((left: NeonProject, right: NeonProject) => left.name.localeCompare(right.name));
+}
+
 export async function listBranches(projectId: string) {
   const payload = await (await neonClient()).listProjectBranches({ projectId });
-  return (payload.branches ?? [])
-    .map((branch) => ({
+  const branches = ((payload.data as { branches?: Array<{ id?: string; name?: string }> } | undefined)?.branches ?? []);
+  return branches
+    .map((branch: { id?: string; name?: string }) => ({
       id: branch.id ?? "",
       name: branch.name ?? branch.id ?? "",
     }))
-    .filter((branch): branch is NeonBranch => Boolean(branch.id))
-    .sort((left, right) => left.name.localeCompare(right.name));
+    .filter((branch: NeonBranch): branch is NeonBranch => Boolean(branch.id))
+    .sort((left: NeonBranch, right: NeonBranch) => left.name.localeCompare(right.name));
+}
+
+export async function listDatabases(projectId: string, branchId: string) {
+  const payload = await (await neonClient()).listProjectBranchDatabases(projectId, branchId);
+  const databases = ((payload.data as { databases?: Array<{ name?: string; owner_name?: string }> } | undefined)?.databases ?? []);
+  return databases
+    .map((database: { name?: string; owner_name?: string }) => ({
+      name: database.name ?? "",
+      ownerName: database.owner_name ?? "",
+    }))
+    .filter((database: NeonDatabase): database is NeonDatabase => Boolean(database.name))
+    .sort((left: NeonDatabase, right: NeonDatabase) => left.name.localeCompare(right.name));
+}
+
+export async function resolveNeonConfig(): Promise<ResolvedNeonConfig> {
+  const configuredProjectId = config.neon.projectId.trim();
+  const configuredBaseBranchId = config.neon.baseBranchId.trim();
+  const configuredBaseBranchName = config.neon.baseBranchName.trim() || "main";
+
+  if (configuredProjectId && configuredBaseBranchId) {
+    return {
+      projectId: configuredProjectId,
+      baseBranchId: configuredBaseBranchId,
+      baseBranchName: configuredBaseBranchName,
+      databaseName: config.neon.databaseName,
+      roleName: config.neon.roleName,
+      previewBranchPrefix: config.neon.previewBranchPrefix,
+      personalBranchPrefix: config.neon.personalBranchPrefix,
+    };
+  }
+
+  const projects = await listProjects();
+  const project = projects[0];
+  if (!project) {
+    throw new Error(`No Neon projects are available for ${config.serviceName}`);
+  }
+
+  const branches = await listBranches(project.id);
+  const branch = branches.find((candidate) => candidate.name === configuredBaseBranchName) ?? branches[0];
+  if (!branch) {
+    throw new Error(`No Neon branches are available in project ${project.id}`);
+  }
+
+  return {
+    projectId: project.id,
+    baseBranchId: branch.id,
+    baseBranchName: branch.name,
+    databaseName: config.neon.databaseName,
+    roleName: config.neon.roleName,
+    previewBranchPrefix: config.neon.previewBranchPrefix,
+    personalBranchPrefix: config.neon.personalBranchPrefix,
+  };
 }
 
 export async function ensureDatabase(projectId: string, branchId: string, databaseName: string) {
@@ -98,11 +183,13 @@ export async function ensureDatabase(projectId: string, branchId: string, databa
   await client.createProjectBranchDatabase(projectId, branchId, {
     database: {
       name: databaseName,
+      owner_name: config.neon.roleName,
     },
   });
 }
 
 export async function deleteDatabase(projectId: string, branchId: string, databaseName: string) {
+  await assertDatabaseOwned(projectId, branchId, databaseName);
   try {
     await (await neonClient()).deleteProjectBranchDatabase(projectId, branchId, databaseName);
   } catch (error) {
@@ -127,12 +214,12 @@ export async function ensureBranch(projectId: string, branchName: string, parent
     },
     endpoints: [
       {
-        type: "read_write",
+        type: "read_write" as never,
       },
     ],
   });
 
-  const branch = payload.branch;
+  const branch = (payload.data as { branch?: { id?: string; name?: string } } | undefined)?.branch;
   if (!branch?.id) {
     throw new Error(`Neon did not return a branch for ${branchName}`);
   }
@@ -144,6 +231,11 @@ export async function ensureBranch(projectId: string, branchName: string, parent
 }
 
 export async function deleteBranch(projectId: string, branchId: string) {
+  const branch = (await listBranches(projectId)).find((candidate) => candidate.id === branchId);
+  if (!branch) {
+    return;
+  }
+  assertDisposableBranchName(branch.name);
   try {
     await (await neonClient()).deleteProjectBranch(projectId, branchId);
   } catch (error) {
@@ -155,15 +247,37 @@ export async function deleteBranch(projectId: string, branchId: string) {
   }
 }
 
+async function assertDatabaseOwned(projectId: string, branchId: string, databaseName: string) {
+  if (databaseName !== config.neon.databaseName) {
+    throw new Error(`Refusing to delete Neon database ${databaseName}; expected ${config.neon.databaseName}`);
+  }
+
+  const database = (await listDatabases(projectId, branchId)).find((candidate) => candidate.name === databaseName);
+  if (!database) {
+    return;
+  }
+
+  if (database.ownerName && database.ownerName !== config.neon.roleName) {
+    throw new Error(`Refusing to delete Neon database ${databaseName}; owner is ${database.ownerName}, expected ${config.neon.roleName}`);
+  }
+}
+
+function assertDisposableBranchName(branchName: string) {
+  if (branchName.startsWith(`${config.neon.previewBranchPrefix}-`) || branchName.startsWith(`${config.neon.personalBranchPrefix}-`)) {
+    return;
+  }
+  throw new Error(`Refusing to delete Neon branch ${branchName}; it is not owned by ${config.serviceName}`);
+}
+
 export async function getConnectionUri(projectId: string, branchId: string, databaseName: string, roleName: string) {
   const payload = await (await neonClient()).getConnectionUri({
     projectId,
-    branchId,
-    databaseName,
-    roleName,
+    branch_id: branchId,
+    database_name: databaseName,
+    role_name: roleName,
   });
 
-  const uri = payload.uri;
+  const uri = (payload.data as { uri?: string } | undefined)?.uri;
   if (!uri) {
     throw new Error(`Neon did not return a connection URI for ${databaseName} in ${config.serviceName}`);
   }

package/templates/shared/scripts/dev.ts

@@ -0,0 +1,22 @@
+import { readLocalEnv } from "./local-env";
+import { ensureLocalPostgres } from "./local-docker";
+
+const command = Bun.argv.slice(2);
+
+if (command.length === 0) {
+  throw new Error("Usage: bun run ./scripts/dev.ts <command...>");
+}
+
+await ensureLocalPostgres();
+
+const child = Bun.spawn(command, {
+  stdin: "inherit",
+  stdout: "inherit",
+  stderr: "inherit",
+  env: {
+    ...Bun.env,
+    ...(await readLocalEnv()),
+  },
+});
+
+process.exit(await child.exited);

package/templates/shared/scripts/ensure-local-db.ts

@@ -0,0 +1,3 @@
+import { ensureLocalPostgres } from "./local-docker";
+
+await ensureLocalPostgres();

package/templates/shared/scripts/local-docker.ts

@@ -0,0 +1,63 @@
+export async function ensureLocalPostgres() {
+  await ensureDockerRunning();
+  await run(["docker", "compose", "up", "-d"], { label: "start local postgres" });
+}
+
+async function ensureDockerRunning() {
+  if (await dockerInfo()) {
+    return;
+  }
+
+  await openDocker();
+  const deadline = Date.now() + 120_000;
+
+  while (Date.now() < deadline) {
+    if (await dockerInfo()) {
+      return;
+    }
+    await Bun.sleep(2_000);
+  }
+
+  throw new Error("Docker did not become ready within 120 seconds. Open Docker Desktop and retry.");
+}
+
+async function dockerInfo() {
+  const result = await Bun.spawn(["docker", "info"], {
+    stdout: "ignore",
+    stderr: "ignore",
+  }).exited;
+  return result === 0;
+}
+
+async function openDocker() {
+  if (process.platform === "darwin") {
+    await run(["open", "-a", "Docker"], { label: "open Docker Desktop" });
+    return;
+  }
+
+  if (process.platform === "win32") {
+    await run(["powershell.exe", "-NoProfile", "-Command", "Start-Process 'Docker Desktop'"], {
+      label: "open Docker Desktop",
+      optional: true,
+    });
+    return;
+  }
+
+  await run(["systemctl", "--user", "start", "docker-desktop"], {
+    label: "open Docker Desktop",
+    optional: true,
+  });
+}
+
+async function run(command: string[], options: { label: string; optional?: boolean }) {
+  const result = await Bun.spawn(command, {
+    stdin: "ignore",
+    stdout: "inherit",
+    stderr: "inherit",
+    env: Bun.env,
+  }).exited;
+
+  if (result !== 0 && !options.optional) {
+    throw new Error(`${options.label} failed with exit code ${result}`);
+  }
+}

package/templates/shared/scripts/local-env.ts

@@ -0,0 +1,27 @@
+import { existsSync } from "node:fs";
+import { readFile } from "node:fs/promises";
+
+export async function readLocalEnv() {
+  if (!existsSync(".env.local")) {
+    return {};
+  }
+
+  const values: Record<string, string> = {};
+  const text = await readFile(".env.local", "utf8");
+  for (const line of text.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) {
+      continue;
+    }
+
+    const separator = trimmed.indexOf("=");
+    if (separator === -1) {
+      continue;
+    }
+
+    const key = trimmed.slice(0, separator).trim();
+    const rawValue = trimmed.slice(separator + 1).trim();
+    values[key] = rawValue.replace(/^['"]|['"]$/g, "");
+  }
+  return values;
+}

package/templates/shared/scripts/seed.ts

@@ -0,0 +1,73 @@
+#!/usr/bin/env bun
+
+import { SQL } from "bun";
+
+const databaseUrl = Bun.env.DATABASE_URL?.trim();
+if (!databaseUrl) {
+  throw new Error("DATABASE_URL is required");
+}
+
+const stage = normalizeStage(Bun.env.SERVICE_STAGE || Bun.env.APP_ENV || Bun.env.NODE_ENV || "local");
+if (stage === "prod" && Bun.env.SEED_PROD !== "true") {
+  console.log("Skipping production seed data. Set SEED_PROD=true to apply production seeds.");
+  process.exit(0);
+}
+
+const sql = new SQL(databaseUrl);
+
+try {
+  const entries = seedEntries(stage);
+  for (const entry of entries) {
+    await sql`
+      insert into waitlist_entries (id, email, name, company, source, status)
+      values (${entry.id}, ${entry.email}, ${entry.name}, ${entry.company}, ${entry.source}, ${entry.status})
+      on conflict (email) do update set
+        name = excluded.name,
+        company = excluded.company,
+        source = excluded.source,
+        updated_at = now()
+    `;
+
+    await sql`
+      insert into waitlist_triggers (id, type, entry_id, status, payload_json)
+      values (${`${entry.id}-trigger`}, ${"seed"}, ${entry.id}, ${"queued"}, ${JSON.stringify({ stage, email: entry.email })})
+      on conflict (id) do nothing
+    `;
+  }
+
+  console.log(`Seeded ${entries.length} waitlist entr${entries.length === 1 ? "y" : "ies"} for ${stage}.`);
+} finally {
+  await sql.close();
+}
+
+function normalizeStage(value: string) {
+  const normalized = value.trim().toLowerCase();
+  if (normalized === "production" || normalized === "main") {
+    return "prod";
+  }
+  if (normalized === "development") {
+    return "local";
+  }
+  return normalized || "local";
+}
+
+function seedEntries(stage: string) {
+  return [
+    {
+      id: `seed-${stage}-founder`,
+      email: `founder+${stage}@example.com`,
+      name: "Founder Example",
+      company: "Example Co",
+      source: `seed:${stage}`,
+      status: "joined",
+    },
+    {
+      id: `seed-${stage}-operator`,
+      email: `operator+${stage}@example.com`,
+      name: "Operator Example",
+      company: "Example Co",
+      source: `seed:${stage}`,
+      status: "joined",
+    },
+  ];
+}

package/templates/shared/scripts/wait-for-db.ts

@@ -0,0 +1,32 @@
+import { SQL } from "bun";
+import { readLocalEnv } from "./local-env";
+
+const env = {
+  ...Bun.env,
+  ...(await readLocalEnv()),
+};
+const databaseUrl = env.DATABASE_URL?.trim();
+
+if (!databaseUrl) {
+  throw new Error("DATABASE_URL is required");
+}
+
+const client = new SQL(databaseUrl);
+const deadline = Date.now() + 45_000;
+let lastError: unknown;
+
+while (Date.now() < deadline) {
+  try {
+    await client.unsafe("select 1");
+    process.exit(0);
+  } catch (error) {
+    lastError = error;
+    await Bun.sleep(1_000);
+  }
+}
+
+throw new Error(`Timed out waiting for Postgres: ${formatError(lastError)}`);
+
+function formatError(error: unknown) {
+  return error instanceof Error ? error.message : String(error ?? "unknown error");
+}

package/templates/shared/service.config.ts

@@ -0,0 +1,59 @@
+export default {
+  service_id: "{{SERVICE_ID}}",
+  target: "{{TARGET}}",
+  runtime: "{{RUNTIME}}",
+  framework: "{{FRAMEWORK}}",
+  stage_default: "prod",
+  dns: {
+    hostname: "{{API_HOSTNAME}}",
+    base_domain: "{{API_BASE_DOMAIN}}",
+  },
+  ownership: {
+    managed_by: "create-service",
+    service_id: "{{SERVICE_ID}}",
+  },
+  auth: {
+    issuer: "{{AUTH_ISSUER}}",
+    token_endpoint: "https://auth.anmho.com/api/auth/oauth2/token",
+    jwks_url: "https://auth.anmho.com/api/auth/jwks",
+    resource_server: {
+      id: "{{SERVICE_ID}}",
+      audience: "api://{{SERVICE_ID}}",
+      default_scopes: ["{{SERVICE_ID}}:read", "{{SERVICE_ID}}:write"],
+    },
+    client: {
+      app_id: "{{SERVICE_ID}}",
+      identity: "server",
+      vault_path_prefix: "prod/apps/{{SERVICE_ID}}/server/oauth-clients",
+    },
+  },
+  temporal: {
+    enabled: false,
+    address: "localhost:7233",
+    namespace: "default",
+    task_queue: "{{SERVICE_ID}}",
+    api_key_secret_name: "{{SERVICE_ID}}-temporal-api-key",
+  },
+  providers: {
+    vault: {
+      mount: "secret",
+      neon_path: "prod/providers/neon",
+      grafana_path: "prod/providers/grafana",
+      clerk_m2m_path: "prod/providers/clerk-m2m",
+      temporal_path: "prod/providers/temporal",
+    },
+  },
+  buf: {
+    module: "buf.build/anmho/{{SERVICE_ID}}",
+  },
+  cloudrun: {
+    project_id: "{{PROJECT_ID}}",
+    region: "{{REGION}}",
+    service_account: "{{RUNTIME_SERVICE_ACCOUNT}}",
+  },
+  workers: {
+    script_name: "{{SERVICE_ID}}",
+    hyperdrive_binding: "HYPERDRIVE",
+    cron: "*/15 * * * *",
+  },
+} as const;

package/templates/shared/service.yaml

@@ -2,10 +2,17 @@ apiVersion: serving.knative.dev/v1
 kind: Service
 metadata:
   name: ${SERVICE_NAME}
+  labels:
+    managed_by: create-service
+    service_id: ${SERVICE_ID}
   annotations:
     run.googleapis.com/ingress: all
 spec:
   template:
+    metadata:
+      labels:
+        managed_by: create-service
+        service_id: ${SERVICE_ID}
     spec:
       serviceAccountName: ${RUNTIME_SERVICE_ACCOUNT}
       containers:
@@ -17,12 +24,28 @@ spec:
               value: ${SERVICE_RUNTIME}
             - name: APP_FRAMEWORK
               value: ${SERVICE_FRAMEWORK}
+            - name: TEMPORAL_ENABLED
+              value: "${TEMPORAL_ENABLED}"
+            - name: TEMPORAL_ADDRESS
+              value: "${TEMPORAL_ADDRESS}"
+            - name: TEMPORAL_NAMESPACE
+              value: "${TEMPORAL_NAMESPACE}"
+            - name: TEMPORAL_TASK_QUEUE
+              value: "${TEMPORAL_TASK_QUEUE}"
+${TEMPORAL_API_KEY_ENV}
             - name: DATABASE_URL
               valueFrom:
                 secretKeyRef:
                   name: ${DATABASE_URL_SECRET}
                   key: latest
+            - name: AUTH_ENABLED
+              value: "true"
+            - name: AUTH_ISSUER
+              value: ${AUTH_ISSUER}
+            - name: AUTH_AUDIENCE
+              value: ${AUTH_AUDIENCE}
+            - name: AUTH_JWKS_URL
+              value: ${AUTH_JWKS_URL}
   traffic:
     - latestRevision: true
       percent: 100
-

package/templates/targets/workers/.github/workflows/ci.yml

@@ -0,0 +1,19 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+      - run: bun install
+      - run: bun lint
+      - run: bun test
+      - if: ${{ vars.GCX_ENABLED == 'true' && github.ref == 'refs/heads/main' }}
+        run: bun run dashboards

package/templates/targets/workers/.github/workflows/deploy.yml

@@ -0,0 +1,19 @@
+name: Deploy
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+      - run: bun install
+      - run: bun run deploy
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+      - if: ${{ vars.GCX_ENABLED == 'true' }}
+        run: bun run dashboards

package/templates/targets/workers/Makefile

@@ -0,0 +1,33 @@
+.PHONY: dev migrate gen lint test create deploy dashboards auth destroy
+
+SERVICE := npx --no-install service
+
+dev:
+	bun run dev
+
+migrate:
+	$(SERVICE) migrate
+
+gen:
+	@echo "no generated code for workers"
+
+lint:
+	bunx tsc --noEmit
+
+test:
+	bun test
+
+create:
+	$(SERVICE) create
+
+deploy:
+	$(SERVICE) deploy $(ARGS)
+
+dashboards:
+	$(SERVICE) dashboards
+
+auth:
+	$(SERVICE) auth $(ARGS)
+
+destroy:
+	$(SERVICE) destroy $(ARGS)