How do I add a domain service?

How do I add (or remove) a NATS domain service so that its database user, roles, grants, generated shell vars, and .env credentials are all created consistently?

1. Edit the registry — the one authored source, a literate org model:

   $EDITOR projects/modeling/service_registry.org
   

   Add (or remove) a service as a top-level heading (* <name>) with the per-service properties (psql_var, env_key, iam_role, description, email) and its DML prefixes (the ores_<name>_* tables it owns); Select prefixes for cross-service reads.

2. Regenerate the artefacts the registry drives via the service-registry codegen profile (see How do I run codegen? for the current invocation). This (re)writes projects/ores.sql/service_vars.sh (SERVICE_NAMES) and the SQL for service users, accounts, roles, and DB grants.

3. Regenerate credentials so the new service gets its .env entries (ORES_<NAME>_SERVICE_DB_USER / _PASSWORD / _DATABASE):

   ./projects/ores.compass/compass.sh env init --preset <preset> -y
   

4. Recreate the database to provision the new role and grants:

   ./projects/ores.compass/compass.sh db recreate -y
   

5. Commit the registry edit and all regenerated files together.

wt is intentionally not in the registry — it uses rw_role / ORES_WT_DB_* naming rather than the service-role naming.

Generation: ./compass.sh codegen generate --model projects/modeling/service_registry.org --profile service-registry. Credentials: compass env init. Provisioning: compass db recreate.

Manual: after step 2, git diff projects/ores.sql/service_vars.sh shows the new SERVICE_NAMES entry; after steps 3–4 the new ORES_<NAME>_SERVICE_DB_* vars exist and compass db recreate reports no missing-password errors. CI exercises the same path in the canary "Setup Database" step.

• ores.codegen — the generator and its profile catalogue.
• Model Assisted Software Development — the model→artefact transformation the registry is an instance of.