feat: add preview deployment infrastructure for demo app (#563)

# Enhanced Preview Deployment Pipeline for Demo App

This PR implements a comprehensive preview deployment system for the demo app, enabling isolated preview environments for testing. The changes include:

1. **Structured Preview Deployment Process**
   - Split the deployment into three distinct phases: database, edge functions, and web app
   - Added validation script to ensure all required environment variables are present
   - Created specialized build command for preview environments

2. **Database Management**
   - Added script to reset preview databases with proper handling of pgmq queues
   - Ensured Supabase-managed extensions are properly handled during resets
   - Fixed extension initialization issues with pg_cron and pg_net

3. **Edge Functions Deployment**
   - Added dedicated script for deploying edge functions to preview environments
   - Implemented proper authentication using Supabase access tokens
   - Added support for tracking worker functions

4. **PGFlow Migrations and Improvements**
   - Added migrations for PGFlow auto-compilation and worker management
   - Implemented flow shape comparison and validation
   - Added support for graceful worker shutdown and monitoring

5. **Sample Flow Implementation**
   - Added a simple "GreetUser" flow as an example
   - Created corresponding edge function worker

The PR ensures a complete, isolated preview environment can be deployed with a single command while maintaining proper dependency ordering between components.

Author: jumski

apps/demo/project.json

@@ -77,16 +77,59 @@
 				"command": "wrangler deploy --env production"
 			}
 		},
-		"deploy:preview": {
+		"validate:preview": {
+			"executor": "nx:run-commands",
+			"options": {
+				"cwd": "apps/demo",
+				"command": "./scripts/validate-preview-env.sh"
+			}
+		},
+		"build:preview": {
+			"executor": "nx:run-commands",
+			"dependsOn": ["validate:preview", "^build"],
+			"inputs": ["{projectRoot}/.env.preview", "{projectRoot}/wrangler.toml"],
+			"outputs": ["{projectRoot}/.svelte-kit"],
+			"options": {
+				"cwd": "apps/demo",
+				"command": "vite build --mode preview"
+			}
+		},
+		"deploy:preview:webapp": {
 			"executor": "nx:run-commands",
 			"cache": false,
 			"local": true,
-			"dependsOn": ["build"],
+			"dependsOn": ["sync-edge-deps", "build:preview"],
 			"inputs": ["{projectRoot}/wrangler.toml"],
 			"options": {
 				"cwd": "apps/demo",
 				"command": "./scripts/deploy-preview.sh ${PREVIEW_NAME:-pr-${PR_NUMBER:-preview}}"
 			}
+		},
+		"deploy:preview:db": {
+			"executor": "nx:run-commands",
+			"cache": false,
+			"dependsOn": ["validate:preview"],
+			"options": {
+				"cwd": "apps/demo",
+				"command": "./scripts/db-reset-preview.sh"
+			}
+		},
+		"deploy:preview:functions": {
+			"executor": "nx:run-commands",
+			"cache": false,
+			"dependsOn": ["deploy:preview:db", "sync-edge-deps"],
+			"options": {
+				"cwd": "apps/demo",
+				"command": "./scripts/functions-deploy-preview.sh"
+			}
+		},
+		"deploy:preview": {
+			"executor": "nx:run-commands",
+			"cache": false,
+			"dependsOn": ["deploy:preview:functions", "deploy:preview:webapp"],
+			"options": {
+				"command": "echo '✅ Full preview deployment complete!'"
+			}
 		}
 	}
 }

apps/demo/scripts/db-reset-preview.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Reset the preview Supabase database using linked mode
+# (--linked mode knows about Supabase-managed extensions like pg_cron)
+
+cd "$(dirname "$0")/.."
+
+# Source env
+set -a; source .env.preview; set +a
+
+echo "🗑️  Resetting preview database..."
+echo "   Project: $SUPABASE_PROJECT_REF"
+
+# Clean up pgmq queues while extension is still intact
+# This prevents orphaned tables after db reset drops the extension
+echo "🧹 Cleaning up pgmq queues..."
+if ! psql "$SUPABASE_DB_URL" -q -c "SELECT pgmq.drop_queue(queue_name) FROM pgmq.list_queues();" 2>/dev/null; then
+  echo "   (no queues to clean up or pgmq not available - continuing)"
+fi
+
+# Link to the project (uses SUPABASE_ACCESS_TOKEN for auth)
+echo "🔗 Linking to project..."
+SUPABASE_ACCESS_TOKEN="$SUPABASE_ACCESS_TOKEN" pnpm supabase link --project-ref "$SUPABASE_PROJECT_REF"
+
+# Reset using linked mode (respects Supabase-managed extensions)
+pnpm supabase db reset --linked --yes
+
+# Set up vault secrets and register worker function
+# - Secrets needed for ensure_workers cron to make HTTP calls to edge functions
+# - Worker registration so cron knows to keep article_flow_worker alive
+echo "🔐 Setting up vault secrets and registering worker..."
+
+# Use psql's -v for safe variable passing (prevents SQL injection)
+# ON_ERROR_STOP ensures heredoc errors propagate correctly with set -e
+if ! psql "$SUPABASE_DB_URL" -q \
+  -v ON_ERROR_STOP=1 \
+  -v service_role_key="$SUPABASE_SERVICE_ROLE_KEY" \
+  -v project_ref="$SUPABASE_PROJECT_REF" \
+  <<'EOSQL'
+DELETE FROM vault.secrets WHERE name IN ('supabase_service_role_key', 'supabase_project_id');
+SELECT vault.create_secret(:'service_role_key', 'supabase_service_role_key');
+SELECT vault.create_secret(:'project_ref', 'supabase_project_id');
+SELECT pgflow.track_worker_function('article_flow_worker');
+EOSQL
+then
+  echo "❌ Failed to set up vault secrets and register worker"
+  exit 1
+fi
+
+echo ""
+echo "✅ Preview database reset complete!"

apps/demo/scripts/deploy-preview.sh

@@ -1,26 +1,17 @@
 #!/usr/bin/env bash
-set -e
+set -euo pipefail
 
-# Script to deploy a preview version of the demo app
-# Uses preview alias for deterministic URLs
+# Deploy preview to Cloudflare Workers
 # Assumes build is already done (via Nx dependsOn)
-# Usage: pnpm nx run demo:deploy:preview -- [preview-name]
+# Usage: ./deploy-preview.sh [preview-name]
 
 PREVIEW_NAME="${1:-preview}"
 
-echo "🚀 Deploying preview: $PREVIEW_NAME"
-
-# Navigate to demo directory if not already there
 cd "$(dirname "$0")/.."
 
-echo "🌐 Deploying to Cloudflare Workers..."
+echo "🚀 Deploying preview: $PREVIEW_NAME"
 wrangler versions upload --preview-alias "${PREVIEW_NAME}"
 
 echo ""
-echo "✅ Preview deployed successfully!"
-echo "🔗 Preview alias URL should be available at:"
-echo "   https://${PREVIEW_NAME}-pgflow-demo.jumski.workers.dev"
-echo ""
-echo "💡 If the URL doesn't work, check:"
-echo "   - Preview URLs are enabled in dashboard (Settings > Domains & Routes)"
-echo "   - Worker name in wrangler.toml matches 'pgflow-demo'"
+echo "✅ Preview deployed!"
+echo "🔗 https://${PREVIEW_NAME}-pgflow-demo.jumski.workers.dev"

apps/demo/scripts/functions-deploy-preview.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Deploy edge functions to the preview Supabase project
+
+cd "$(dirname "$0")/.."
+
+# Source env
+set -a; source .env.preview; set +a
+
+echo "🚀 Deploying edge functions to preview..."
+echo "   Project: $SUPABASE_PROJECT_REF"
+
+SUPABASE_ACCESS_TOKEN="$SUPABASE_ACCESS_TOKEN" pnpm supabase functions deploy article_flow_worker --project-ref "$SUPABASE_PROJECT_REF"
+
+echo ""
+echo "✅ Edge functions deployed to preview!"

apps/demo/scripts/validate-preview-env.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Validate .env.preview has all required variables
+
+cd "$(dirname "$0")/.."
+
+if [[ ! -f .env.preview ]]; then
+  echo "❌ .env.preview not found"
+  exit 1
+fi
+
+# Source the env file
+set -a; source .env.preview; set +a
+
+ERRORS=()
+
+# Website build vars
+if [[ -z "${VITE_SUPABASE_URL:-}" ]]; then
+  ERRORS+=("VITE_SUPABASE_URL is missing")
+elif [[ ! "$VITE_SUPABASE_URL" =~ ^https:// ]]; then
+  ERRORS+=("VITE_SUPABASE_URL must use https://")
+fi
+
+if [[ -z "${VITE_SUPABASE_ANON_KEY:-}" ]]; then
+  ERRORS+=("VITE_SUPABASE_ANON_KEY is missing")
+fi
+
+# Supabase CLI vars
+if [[ -z "${SUPABASE_PROJECT_REF:-}" ]]; then
+  ERRORS+=("SUPABASE_PROJECT_REF is missing")
+fi
+
+if [[ -z "${SUPABASE_DB_URL:-}" ]]; then
+  ERRORS+=("SUPABASE_DB_URL is missing")
+elif [[ ! "$SUPABASE_DB_URL" =~ ^postgresql:// ]]; then
+  ERRORS+=("SUPABASE_DB_URL must start with postgresql://")
+fi
+
+if [[ -z "${SUPABASE_ACCESS_TOKEN:-}" ]]; then
+  ERRORS+=("SUPABASE_ACCESS_TOKEN is missing")
+fi
+
+if [[ -z "${SUPABASE_SERVICE_ROLE_KEY:-}" ]]; then
+  ERRORS+=("SUPABASE_SERVICE_ROLE_KEY is missing")
+fi
+
+if [[ ${#ERRORS[@]} -gt 0 ]]; then
+  echo "❌ .env.preview validation failed:"
+  for err in "${ERRORS[@]}"; do
+    echo "   - $err"
+  done
+  exit 1
+fi
+
+echo "✅ .env.preview validated"

apps/demo/supabase/flows/index.ts

@@ -0,0 +1,2 @@
+// Re-export all flows from this directory
+// Example: export { MyFlow } from './my-flow.ts';

apps/demo/supabase/functions/article_flow_worker/deno.json

@@ -1,5 +1,6 @@
 {
 	"imports": {
+		"@std/crypto/timing-safe-equal": "jsr:@std/crypto@1/timing-safe-equal",
 		"@pgflow/core": "../_vendor/@pgflow/core/index.ts",
 		"@pgflow/core/": "../_vendor/@pgflow/core/",
 		"@pgflow/dsl": "../_vendor/@pgflow/dsl/index.ts",

apps/demo/supabase/functions/pgflow/deno.json

@@ -0,0 +1,12 @@
+{
+	"imports": {
+		"@pgflow/core": "npm:@pgflow/core@0.11.0",
+		"@pgflow/core/": "npm:@pgflow/core@0.11.0/",
+		"@pgflow/dsl": "npm:@pgflow/dsl@0.11.0",
+		"@pgflow/dsl/": "npm:@pgflow/dsl@0.11.0/",
+		"@pgflow/dsl/supabase": "npm:@pgflow/dsl@0.11.0/supabase",
+		"@pgflow/edge-worker": "jsr:@pgflow/edge-worker@0.11.0",
+		"@pgflow/edge-worker/": "jsr:@pgflow/edge-worker@0.11.0/",
+		"@pgflow/edge-worker/_internal": "jsr:@pgflow/edge-worker@0.11.0/_internal"
+	}
+}

apps/demo/supabase/functions/pgflow/index.ts

@@ -0,0 +1,4 @@
+import { ControlPlane } from '@pgflow/edge-worker';
+import * as flows from '../../flows/index.ts';
+
+ControlPlane.serve(flows);

apps/demo/supabase/migrations/20251031200000_cleanup_orphaned_pgmq_queues.sql

@@ -1,32 +1,18 @@
 -- Cleanup any orphaned pgmq queues from incomplete resets
 -- This ensures a clean slate before flow migrations run
+-- Note: The primary cleanup now happens in db-reset-preview.sh BEFORE reset,
+-- while pgmq.list_queues() still works. This migration is a fallback.
 
 DO $$
 DECLARE
   queue_record RECORD;
 BEGIN
   -- Drop any existing queues that might be orphaned
-  -- This handles the case where DROP EXTENSION pgmq didn't cascade properly
   FOR queue_record IN
     SELECT queue_name
     FROM pgmq.list_queues()
   LOOP
-    -- Use pgmq's built-in drop function to safely remove the queue
     PERFORM pgmq.drop_queue(queue_record.queue_name);
-
     RAISE NOTICE 'Dropped orphaned queue: %', queue_record.queue_name;
   END LOOP;
-
-  -- Also drop any orphaned sequences that might exist without tables
-  FOR queue_record IN
-    SELECT sequence_name
-    FROM information_schema.sequences
-    WHERE sequence_schema = 'pgmq'
-      AND sequence_name LIKE 'q_%_msg_id_seq'
-  LOOP
-    EXECUTE format('DROP SEQUENCE IF EXISTS pgmq.%I CASCADE', queue_record.sequence_name);
-
-    RAISE NOTICE 'Dropped orphaned sequence: %', queue_record.sequence_name;
-  END LOOP;
-
 END $$;