@stacksolo/plugin-gcp-kernel 0.1.0 → 0.1.2

package/README.md

@@ -0,0 +1,508 @@
+# @stacksolo/plugin-gcp-kernel
+
+A GCP-native kernel plugin for StackSolo that provides authentication, file storage, and event publishing using fully serverless GCP services.
+
+## What is the GCP Kernel?
+
+The GCP kernel is a shared infrastructure service that handles common operations for your apps. Unlike the regular kernel (which uses NATS), the GCP kernel uses native GCP services:
+
+| Feature | GCP Kernel | Regular Kernel |
+|---------|-----------|----------------|
+| **Transport** | HTTP | HTTP + NATS |
+| **Events** | Cloud Pub/Sub | NATS JetStream |
+| **Deployment** | Cloud Run | Cloud Run + NATS |
+| **Scaling** | Auto-scales to 0 | Needs min 1 instance |
+| **Cost** | Pay-per-use | ~$44/mo always-on |
+
+**The GCP kernel provides:**
+
+1. **Auth** - Validates Firebase tokens (so you know who's logged in)
+2. **Files** - Generates secure upload/download URLs for Google Cloud Storage
+3. **Events** - Publishes events to Cloud Pub/Sub
+
+---
+
+## Quick Start
+
+### Step 1: Add GCP kernel to your config
+
+In your `stacksolo.config.json`:
+
+```json
+{
+  "project": {
+    "name": "my-app",
+    "gcpProjectId": "my-gcp-project",
+    "region": "us-central1",
+    "plugins": [
+      "@stacksolo/plugin-gcp-cdktf",
+      "@stacksolo/plugin-gcp-kernel"
+    ],
+
+    "buckets": [
+      { "name": "uploads" }
+    ],
+
+    "gcpKernel": {
+      "name": "kernel",
+      "firebaseProjectId": "my-gcp-project",
+      "storageBucket": "uploads"
+    },
+
+    "networks": [{
+      "name": "default",
+      "containers": [{
+        "name": "api",
+        "env": {
+          "KERNEL_URL": "@gcp-kernel/kernel.url",
+          "KERNEL_TYPE": "gcp"
+        }
+      }]
+    }]
+  }
+}
+```
+
+### Step 2: Deploy
+
+```bash
+stacksolo deploy
+```
+
+### Step 3: Use in your code
+
+```typescript
+// Validate a user's token
+const response = await fetch(`${process.env.KERNEL_URL}/auth/validate`, {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ token: userFirebaseToken }),
+});
+
+const { valid, uid, email } = await response.json();
+
+if (valid) {
+  console.log(`User ${uid} is logged in!`);
+}
+```
+
+---
+
+## Configuration Reference
+
+Add this to your `stacksolo.config.json` under `project`:
+
+```json
+{
+  "gcpKernel": {
+    "name": "kernel",
+    "firebaseProjectId": "your-firebase-project-id",
+    "storageBucket": "your-gcs-bucket-name"
+  }
+}
+```
+
+### Required Fields
+
+| Field | What it does | Example |
+|-------|--------------|---------|
+| `firebaseProjectId` | The Firebase project used for user authentication | `"my-app-prod"` |
+| `storageBucket` | The GCS bucket for file uploads/downloads | `"my-app-uploads"` |
+
+### Optional Fields
+
+| Field | Default | What it does |
+|-------|---------|--------------|
+| `name` | `"gcp-kernel"` | Name used in references like `@gcp-kernel/kernel` |
+| `minInstances` | `0` | Minimum instances (0 = scale to zero) |
+| `memory` | `"512Mi"` | Memory for the service |
+
+---
+
+## How to Reference the GCP Kernel
+
+In your container or function config, use these references:
+
+| Reference | What you get | Example value |
+|-----------|--------------|---------------|
+| `@gcp-kernel/kernel.url` | Base URL of the kernel | `https://kernel-abc123.run.app` |
+
+**Example:**
+
+```json
+{
+  "containers": [{
+    "name": "api",
+    "env": {
+      "KERNEL_URL": "@gcp-kernel/kernel.url",
+      "KERNEL_TYPE": "gcp"
+    }
+  }]
+}
+```
+
+---
+
+## Using the Auth Service
+
+The auth service validates Firebase ID tokens via HTTP.
+
+### Code Example: Express Middleware
+
+```typescript
+// middleware/auth.ts
+
+export async function requireAuth(req, res, next) {
+  const authHeader = req.headers.authorization;
+
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    return res.status(401).json({ error: 'No token provided' });
+  }
+
+  const token = authHeader.replace('Bearer ', '');
+
+  try {
+    const response = await fetch(`${process.env.KERNEL_URL}/auth/validate`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ token }),
+    });
+
+    const data = await response.json();
+
+    if (!data.valid) {
+      return res.status(401).json({ error: data.error });
+    }
+
+    req.user = {
+      uid: data.uid,
+      email: data.email,
+    };
+
+    next();
+  } catch (error) {
+    console.error('Auth validation failed:', error);
+    return res.status(500).json({ error: 'Auth service unavailable' });
+  }
+}
+```
+
+### Auth API Reference
+
+**Endpoint:** `POST /auth/validate`
+
+**Request:**
+```json
+{
+  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6..."
+}
+```
+
+**Success Response (200):**
+```json
+{
+  "valid": true,
+  "uid": "abc123",
+  "email": "user@example.com",
+  "claims": { ... }
+}
+```
+
+**Error Response (401):**
+```json
+{
+  "valid": false,
+  "error": "Token has expired",
+  "code": "TOKEN_EXPIRED"
+}
+```
+
+---
+
+## Using the Files Service
+
+The files service provides HTTP endpoints for file operations.
+
+### Code Example: File Upload
+
+**Backend:**
+
+```typescript
+app.post('/api/files/upload-url', requireAuth, async (req, res) => {
+  const { filename, contentType } = req.body;
+  const path = `users/${req.user.uid}/uploads/${Date.now()}-${filename}`;
+
+  const response = await fetch(`${process.env.KERNEL_URL}/files/upload-url`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ path, contentType }),
+  });
+
+  const result = await response.json();
+  res.json(result);
+});
+```
+
+**Frontend:**
+
+```typescript
+async function uploadFile(file: File, firebaseToken: string) {
+  // Get signed upload URL
+  const urlResponse = await fetch('/api/files/upload-url', {
+    method: 'POST',
+    headers: {
+      'Authorization': `Bearer ${firebaseToken}`,
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      filename: file.name,
+      contentType: file.type,
+    }),
+  });
+
+  const { uploadUrl, path } = await urlResponse.json();
+
+  // Upload directly to GCS
+  await fetch(uploadUrl, {
+    method: 'PUT',
+    headers: { 'Content-Type': file.type },
+    body: file,
+  });
+
+  return path;
+}
+```
+
+### Files API Reference (HTTP)
+
+**POST /files/upload-url**
+
+Request:
+```json
+{
+  "path": "users/123/uploads/photo.jpg",
+  "contentType": "image/jpeg"
+}
+```
+
+Response:
+```json
+{
+  "uploadUrl": "https://storage.googleapis.com/...",
+  "path": "users/123/uploads/photo.jpg",
+  "expiresAt": "2024-01-01T12:00:00.000Z"
+}
+```
+
+**POST /files/download-url**
+
+Request:
+```json
+{
+  "path": "users/123/uploads/photo.jpg"
+}
+```
+
+Response:
+```json
+{
+  "downloadUrl": "https://storage.googleapis.com/...",
+  "path": "users/123/uploads/photo.jpg",
+  "expiresAt": "2024-01-01T12:00:00.000Z"
+}
+```
+
+**POST /files/list**
+
+Request:
+```json
+{
+  "prefix": "users/123/",
+  "maxResults": 100
+}
+```
+
+Response:
+```json
+{
+  "files": [
+    {
+      "path": "users/123/photo.jpg",
+      "size": 12345,
+      "contentType": "image/jpeg",
+      "created": "2024-01-01T10:00:00.000Z",
+      "updated": "2024-01-01T10:00:00.000Z"
+    }
+  ],
+  "nextPageToken": null
+}
+```
+
+**POST /files/delete**
+
+Request:
+```json
+{
+  "path": "users/123/uploads/photo.jpg"
+}
+```
+
+**POST /files/move**
+
+Request:
+```json
+{
+  "sourcePath": "users/123/old-photo.jpg",
+  "destinationPath": "users/123/new-photo.jpg"
+}
+```
+
+**POST /files/metadata**
+
+Request:
+```json
+{
+  "path": "users/123/uploads/photo.jpg"
+}
+```
+
+---
+
+## Using the Events Service
+
+The events service publishes to Cloud Pub/Sub via HTTP.
+
+### Code Example: Publishing Events
+
+```typescript
+async function publishEvent(type: string, data: any) {
+  await fetch(`${process.env.KERNEL_URL}/events/publish`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({
+      type,
+      data,
+      metadata: {
+        source: 'api-service',
+        timestamp: new Date().toISOString(),
+      },
+    }),
+  });
+}
+
+// Usage
+await publishEvent('user.signed-up', { userId: '123', email: 'user@example.com' });
+```
+
+### Events API Reference
+
+**POST /events/publish**
+
+Request:
+```json
+{
+  "type": "user.signed-up",
+  "data": {
+    "userId": "123",
+    "email": "user@example.com"
+  },
+  "metadata": {
+    "source": "api-service"
+  }
+}
+```
+
+Response:
+```json
+{
+  "messageId": "1234567890",
+  "published": true
+}
+```
+
+---
+
+## GCP Kernel vs Regular Kernel
+
+Choose GCP Kernel when:
+- You want to scale to zero
+- You don't need real-time messaging
+- You want lower costs for light usage
+- You prefer fully managed services
+
+Choose Regular Kernel when:
+- You need real-time pub/sub (WebSocket-style)
+- You have consistent traffic
+- You need NATS features (request/reply, JetStream)
+
+---
+
+## Local Development
+
+### Running with stacksolo dev
+
+```bash
+stacksolo dev
+```
+
+The GCP kernel will be built and run automatically if `gcpKernel` is in your config.
+
+### Testing the endpoints
+
+```bash
+# Test health check
+curl http://localhost:8080/health
+
+# Test auth (requires Firebase token)
+curl -X POST http://localhost:8080/auth/validate \
+  -H "Content-Type: application/json" \
+  -d '{"token":"your-firebase-token"}'
+
+# Test file upload URL
+curl -X POST http://localhost:8080/files/upload-url \
+  -H "Content-Type: application/json" \
+  -d '{"path":"test.txt","contentType":"text/plain"}'
+```
+
+---
+
+## Troubleshooting
+
+### "Auth service unavailable"
+
+**Problem:** Your app can't reach the kernel.
+
+**Solution:**
+1. Make sure `KERNEL_URL` is set correctly
+2. Check if the kernel service is running: `curl $KERNEL_URL/health`
+
+### "TOKEN_EXPIRED"
+
+**Problem:** The Firebase token has expired.
+
+**Solution:** Refresh the token in your frontend:
+```typescript
+const token = await firebase.auth().currentUser.getIdToken(true);
+```
+
+### File upload fails
+
+**Common causes:**
+1. **Wrong content type:** The `contentType` in your request must match the file
+2. **URL expired:** Signed URLs expire after 1 hour
+3. **Invalid path:** Paths can't start with `/` or contain `..`
+
+---
+
+## Summary
+
+| What | How to use |
+|------|------------|
+| **Validate a user** | POST to `KERNEL_URL/auth/validate` |
+| **Get upload URL** | POST to `KERNEL_URL/files/upload-url` |
+| **Get download URL** | POST to `KERNEL_URL/files/download-url` |
+| **List files** | POST to `KERNEL_URL/files/list` |
+| **Delete file** | POST to `KERNEL_URL/files/delete` |
+| **Move file** | POST to `KERNEL_URL/files/move` |
+| **Get metadata** | POST to `KERNEL_URL/files/metadata` |
+| **Publish event** | POST to `KERNEL_URL/events/publish` |

package/dist/index.js

@@ -93,6 +93,23 @@ var gcpKernelResource = defineResource({
 // GCP Kernel - Serverless kernel using Cloud Run + Pub/Sub
 // =============================================================================
 
+// Enable required APIs
+const ${varName}FirestoreApi = new ProjectService(this, '${name}-firestore-api', {
+  service: 'firestore.googleapis.com',
+  disableOnDestroy: false,
+});
+
+// Create Firestore database (required for access control)
+// Using FIRESTORE_NATIVE mode for document-based access control
+const ${varName}FirestoreDb = new FirestoreDatabase(this, '${name}-firestore-db', {
+  project: '${projectId}',
+  name: '(default)',
+  locationId: '${location}',
+  type: 'FIRESTORE_NATIVE',
+  deleteProtectionState: 'DELETE_PROTECTION_DISABLED',
+  dependsOn: [${varName}FirestoreApi],
+});
+
 // Service account for the GCP kernel
 const ${varName}Sa = new ServiceAccount(this, '${name}-sa', {
   accountId: '${name}-gcp-kernel',
@@ -113,6 +130,13 @@ new ProjectIamMember(this, '${name}-pubsub-iam', {
   member: \`serviceAccount:\${${varName}Sa.email}\`,
 });
 
+// Grant Firestore/Datastore access for access control
+new ProjectIamMember(this, '${name}-firestore-iam', {
+  project: '${projectId}',
+  role: 'roles/datastore.user',
+  member: \`serviceAccount:\${${varName}Sa.email}\`,
+});
+
 // =============================================================================
 // Pub/Sub Topics for Events
 // =============================================================================
@@ -137,6 +161,7 @@ const ${varName}Service = new CloudRunV2Service(this, '${name}', {
   name: '${name}-gcp-kernel',
   location: '${location}',
   ingress: 'INGRESS_TRAFFIC_ALL',
+  deletionProtection: false,
 
   template: {
     serviceAccount: ${varName}Sa.email,
@@ -150,7 +175,7 @@ const ${varName}Service = new CloudRunV2Service(this, '${name}', {
         },
       },
       env: [
-        { name: 'PORT', value: '8080' },
+        // Note: PORT is automatically set by Cloud Run, don't specify it
         { name: 'GCP_PROJECT_ID', value: '${projectId}' },
         { name: 'FIREBASE_PROJECT_ID', value: '${firebaseProjectId}' },
         { name: 'GCS_BUCKET', value: '${storageBucket}' },
@@ -175,6 +200,8 @@ new CloudRunV2ServiceIamMember(this, '${name}-public', {
 });`;
     return {
       imports: [
+        "import { ProjectService } from '@cdktf/provider-google/lib/project-service';",
+        "import { FirestoreDatabase } from '@cdktf/provider-google/lib/firestore-database';",
         "import { ServiceAccount } from '@cdktf/provider-google/lib/service-account';",
         "import { ProjectIamMember } from '@cdktf/provider-google/lib/project-iam-member';",
         "import { CloudRunV2Service } from '@cdktf/provider-google/lib/cloud-run-v2-service';",
@@ -218,7 +245,7 @@ new CloudRunV2ServiceIamMember(this, '${name}-public', {
 });
 
 // src/index.ts
-var VERSION = "0.1.0";
+var VERSION = "0.1.2";
 var plugin = {
   name: "@stacksolo/plugin-gcp-kernel",
   version: VERSION,
@@ -232,7 +259,7 @@ var plugin = {
         http: 8080
       },
       env: {
-        PORT: "8080",
+        // PORT is automatically set by Cloud Run - don't specify it
         GCP_PROJECT_ID: "",
         FIREBASE_PROJECT_ID: "",
         GCS_BUCKET: "",

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/resources/gcp-kernel.ts","../src/index.ts"],"sourcesContent":["import { defineResource, type ResourceConfig } from '@stacksolo/core';\n\nfunction toVariableName(name: string): string {\n  return name.replace(/[^a-zA-Z0-9]/g, '_').replace(/^(\\d)/, '_$1');\n}\n\n/**\n * GCP Kernel Resource\n *\n * A fully GCP-native kernel implementation using:\n * - Cloud Run for HTTP endpoints (auth, files, events)\n * - Cloud Pub/Sub for event messaging (replaces NATS/JetStream)\n * - Cloud Storage for file operations\n * - Firebase Admin SDK for token validation\n *\n * This is the serverless alternative to the K8s kernel which uses embedded NATS.\n */\nexport const gcpKernelResource = defineResource({\n  id: 'gcp-kernel:gcp_kernel',\n  provider: 'gcp-kernel',\n  name: 'GCP Kernel',\n  description: 'Serverless kernel using Cloud Run + Pub/Sub (alternative to NATS-based K8s kernel)',\n  icon: 'cpu',\n\n  configSchema: {\n    type: 'object',\n    properties: {\n      name: {\n        type: 'string',\n        title: 'Name',\n        description: 'Resource name for references (@gcp-kernel/<name>)',\n        default: 'kernel',\n      },\n      location: {\n        type: 'string',\n        title: 'Region',\n        description: 'GCP region (defaults to project region)',\n      },\n      cpu: {\n        type: 'string',\n        title: 'CPU',\n        description: 'CPU allocation',\n        default: '1',\n        enum: ['1', '2', '4'],\n      },\n      memory: {\n        type: 'string',\n        title: 'Memory',\n        description: 'Memory allocation',\n        default: '512Mi',\n        enum: ['256Mi', '512Mi', '1Gi', '2Gi'],\n      },\n      minInstances: {\n        type: 'number',\n        title: 'Min Instances',\n        description: 'Minimum instances (0 for scale-to-zero)',\n        default: 0,\n      },\n      maxInstances: {\n        type: 'number',\n        title: 'Max Instances',\n        description: 'Maximum instances',\n        default: 10,\n      },\n      firebaseProjectId: {\n        type: 'string',\n        title: 'Firebase Project ID',\n        description: 'Firebase project for auth token validation',\n      },\n      storageBucket: {\n        type: 'string',\n        title: 'Storage Bucket',\n        description: 'GCS bucket for file uploads',\n      },\n      eventRetentionDays: {\n        type: 'number',\n        title: 'Event Retention Days',\n        description: 'How long to retain events in Pub/Sub',\n        default: 7,\n      },\n    },\n    required: ['firebaseProjectId', 'storageBucket'],\n  },\n\n  defaultConfig: {\n    name: 'kernel',\n    cpu: '1',\n    memory: '512Mi',\n    minInstances: 0,\n    maxInstances: 10,\n    eventRetentionDays: 7,\n  },\n\n  generate: (config: ResourceConfig) => {\n    const varName = toVariableName(config.name as string);\n    const name = (config.name as string) || 'kernel';\n    const location = (config.location as string) || '${var.region}';\n    const cpu = (config.cpu as string) || '1';\n    const memory = (config.memory as string) || '512Mi';\n    const minInstances = (config.minInstances as number) ?? 0;\n    const maxInstances = (config.maxInstances as number) ?? 10;\n    const firebaseProjectId = config.firebaseProjectId as string;\n    const storageBucket = config.storageBucket as string;\n    const eventRetentionDays = (config.eventRetentionDays as number) ?? 7;\n    const projectId = (config.projectId as string) || '${var.project_id}';\n\n    // Convert retention days to seconds\n    const messageRetentionSeconds = eventRetentionDays * 24 * 60 * 60;\n\n    const code = `// =============================================================================\n// GCP Kernel - Serverless kernel using Cloud Run + Pub/Sub\n// =============================================================================\n\n// Service account for the GCP kernel\nconst ${varName}Sa = new ServiceAccount(this, '${name}-sa', {\n  accountId: '${name}-gcp-kernel',\n  displayName: 'GCP Kernel Service Account',\n});\n\n// Grant storage access for files service\nnew ProjectIamMember(this, '${name}-storage-iam', {\n  project: '${projectId}',\n  role: 'roles/storage.objectAdmin',\n  member: \\`serviceAccount:\\${${varName}Sa.email}\\`,\n});\n\n// Grant Pub/Sub access for events service\nnew ProjectIamMember(this, '${name}-pubsub-iam', {\n  project: '${projectId}',\n  role: 'roles/pubsub.editor',\n  member: \\`serviceAccount:\\${${varName}Sa.email}\\`,\n});\n\n// =============================================================================\n// Pub/Sub Topics for Events\n// =============================================================================\n\n// Main events topic\nconst ${varName}EventsTopic = new PubsubTopic(this, '${name}-events-topic', {\n  name: 'stacksolo-${name}-events',\n  messageRetentionDuration: '${messageRetentionSeconds}s',\n});\n\n// Dead letter topic for failed message delivery\nconst ${varName}DlqTopic = new PubsubTopic(this, '${name}-dlq-topic', {\n  name: 'stacksolo-${name}-events-dlq',\n  messageRetentionDuration: '${messageRetentionSeconds * 2}s',\n});\n\n// =============================================================================\n// Cloud Run Service\n// =============================================================================\n\nconst ${varName}Service = new CloudRunV2Service(this, '${name}', {\n  name: '${name}-gcp-kernel',\n  location: '${location}',\n  ingress: 'INGRESS_TRAFFIC_ALL',\n\n  template: {\n    serviceAccount: ${varName}Sa.email,\n    containers: [{\n      image: 'gcr.io/${projectId}/stacksolo-gcp-kernel:latest',\n      ports: { containerPort: 8080 },\n      resources: {\n        limits: {\n          cpu: '${cpu}',\n          memory: '${memory}',\n        },\n      },\n      env: [\n        { name: 'PORT', value: '8080' },\n        { name: 'GCP_PROJECT_ID', value: '${projectId}' },\n        { name: 'FIREBASE_PROJECT_ID', value: '${firebaseProjectId}' },\n        { name: 'GCS_BUCKET', value: '${storageBucket}' },\n        { name: 'PUBSUB_EVENTS_TOPIC', value: \\`\\${${varName}EventsTopic.name}\\` },\n        { name: 'PUBSUB_DLQ_TOPIC', value: \\`\\${${varName}DlqTopic.name}\\` },\n        { name: 'KERNEL_TYPE', value: 'gcp' },\n      ],\n    }],\n    scaling: {\n      minInstanceCount: ${minInstances},\n      maxInstanceCount: ${maxInstances},\n    },\n  },\n});\n\n// Allow unauthenticated access (kernel validates tokens internally)\nnew CloudRunV2ServiceIamMember(this, '${name}-public', {\n  name: ${varName}Service.name,\n  location: ${varName}Service.location,\n  role: 'roles/run.invoker',\n  member: 'allUsers',\n});`;\n\n    return {\n      imports: [\n        \"import { ServiceAccount } from '@cdktf/provider-google/lib/service-account';\",\n        \"import { ProjectIamMember } from '@cdktf/provider-google/lib/project-iam-member';\",\n        \"import { CloudRunV2Service } from '@cdktf/provider-google/lib/cloud-run-v2-service';\",\n        \"import { CloudRunV2ServiceIamMember } from '@cdktf/provider-google/lib/cloud-run-v2-service-iam-member';\",\n        \"import { PubsubTopic } from '@cdktf/provider-google/lib/pubsub-topic';\",\n      ],\n      code,\n      outputs: [\n        `export const ${varName}Url = ${varName}Service.uri;`,\n        `export const ${varName}AuthUrl = \\`\\${${varName}Service.uri}/auth/validate\\`;`,\n        `export const ${varName}FilesUrl = \\`\\${${varName}Service.uri}/files\\`;`,\n        `export const ${varName}EventsUrl = \\`\\${${varName}Service.uri}/events\\`;`,\n        `export const ${varName}EventsTopic = ${varName}EventsTopic.name;`,\n      ],\n    };\n  },\n\n  estimateCost: (config: ResourceConfig) => {\n    const minInstances = (config.minInstances as number) ?? 0;\n    const cpu = parseFloat((config.cpu as string) || '1');\n    const memory = parseFloat(((config.memory as string) || '512Mi').replace('Mi', '')) / 1024 || 0.5;\n\n    // Cloud Run pricing\n    let cloudRunCost = 0;\n    if (minInstances > 0) {\n      // Always-on instances\n      const hoursPerMonth = 730;\n      const cpuCost = minInstances * cpu * hoursPerMonth * 0.00002400 * 3600;\n      const memoryCost = minInstances * memory * hoursPerMonth * 0.00000250 * 3600;\n      cloudRunCost = cpuCost + memoryCost;\n    } else {\n      // Pay-per-use estimate (assuming 100k requests/month @ 200ms avg)\n      const estimatedSeconds = 100000 * 0.2;\n      cloudRunCost = estimatedSeconds * cpu * 0.00002400 + estimatedSeconds * memory * 0.00000250;\n    }\n\n    // Pub/Sub pricing (~$0.40/million messages, assume 100k messages/month)\n    const pubsubCost = 0.04;\n\n    return {\n      monthly: Math.round(cloudRunCost + pubsubCost),\n      currency: 'USD',\n      breakdown: [\n        { item: `Cloud Run (${minInstances > 0 ? 'always-on' : 'scale-to-zero'})`, amount: Math.round(cloudRunCost) },\n        { item: 'Pub/Sub (~100k messages)', amount: Math.round(pubsubCost * 100) / 100 },\n      ],\n    };\n  },\n});\n","/**\n * StackSolo GCP Kernel Plugin\n *\n * GCP-native kernel implementation using Cloud Run + Pub/Sub.\n * This is the serverless alternative to the NATS-based kernel plugin.\n *\n * Endpoints:\n * - GET  /health          - Health check\n * - POST /auth/validate   - Validate Firebase token\n * - POST /files/*         - File operations (upload-url, download-url, list, delete, move, metadata)\n * - POST /events/publish  - Publish event to Pub/Sub\n * - POST /events/subscribe - Register HTTP push subscription\n */\n\nimport type { Plugin } from '@stacksolo/core';\nimport { gcpKernelResource } from './resources/index';\n\n/** Plugin version - must match package.json */\nconst VERSION = '0.1.0';\n\nexport const plugin: Plugin = {\n  name: '@stacksolo/plugin-gcp-kernel',\n  version: VERSION,\n  resources: [gcpKernelResource],\n  services: [\n    {\n      name: 'gcp-kernel',\n      image: `ghcr.io/monkeybarrels/stacksolo-gcp-kernel:${VERSION}`,\n      sourcePath: './service',\n      ports: {\n        http: 8080,\n      },\n      env: {\n        PORT: '8080',\n        GCP_PROJECT_ID: '',\n        FIREBASE_PROJECT_ID: '',\n        GCS_BUCKET: '',\n        PUBSUB_EVENTS_TOPIC: '',\n      },\n      resources: {\n        cpu: '1',\n        memory: '512Mi',\n      },\n    },\n  ],\n};\n\nexport default plugin;\n\n// Re-export types\nexport type { GcpKernelConfig, GcpKernelOutputs } from './types';\n"],"mappings":";AAAA,SAAS,sBAA2C;AAEpD,SAAS,eAAe,MAAsB;AAC5C,SAAO,KAAK,QAAQ,iBAAiB,GAAG,EAAE,QAAQ,SAAS,KAAK;AAClE;AAaO,IAAM,oBAAoB,eAAe;AAAA,EAC9C,IAAI;AAAA,EACJ,UAAU;AAAA,EACV,MAAM;AAAA,EACN,aAAa;AAAA,EACb,MAAM;AAAA,EAEN,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,YAAY;AAAA,MACV,MAAM;AAAA,QACJ,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,QACb,SAAS;AAAA,MACX;AAAA,MACA,UAAU;AAAA,QACR,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,MACf;AAAA,MACA,KAAK;AAAA,QACH,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,QACb,SAAS;AAAA,QACT,MAAM,CAAC,KAAK,KAAK,GAAG;AAAA,MACtB;AAAA,MACA,QAAQ;AAAA,QACN,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,QACb,SAAS;AAAA,QACT,MAAM,CAAC,SAAS,SAAS,OAAO,KAAK;AAAA,MACvC;AAAA,MACA,cAAc;AAAA,QACZ,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,QACb,SAAS;AAAA,MACX;AAAA,MACA,cAAc;AAAA,QACZ,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,QACb,SAAS;AAAA,MACX;AAAA,MACA,mBAAmB;AAAA,QACjB,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,MACf;AAAA,MACA,eAAe;AAAA,QACb,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,MACf;AAAA,MACA,oBAAoB;AAAA,QAClB,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,QACb,SAAS;AAAA,MACX;AAAA,IACF;AAAA,IACA,UAAU,CAAC,qBAAqB,eAAe;AAAA,EACjD;AAAA,EAEA,eAAe;AAAA,IACb,MAAM;AAAA,IACN,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,cAAc;AAAA,IACd,cAAc;AAAA,IACd,oBAAoB;AAAA,EACtB;AAAA,EAEA,UAAU,CAAC,WAA2B;AACpC,UAAM,UAAU,eAAe,OAAO,IAAc;AACpD,UAAM,OAAQ,OAAO,QAAmB;AACxC,UAAM,WAAY,OAAO,YAAuB;AAChD,UAAM,MAAO,OAAO,OAAkB;AACtC,UAAM,SAAU,OAAO,UAAqB;AAC5C,UAAM,eAAgB,OAAO,gBAA2B;AACxD,UAAM,eAAgB,OAAO,gBAA2B;AACxD,UAAM,oBAAoB,OAAO;AACjC,UAAM,gBAAgB,OAAO;AAC7B,UAAM,qBAAsB,OAAO,sBAAiC;AACpE,UAAM,YAAa,OAAO,aAAwB;AAGlD,UAAM,0BAA0B,qBAAqB,KAAK,KAAK;AAE/D,UAAM,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA,QAKT,OAAO,kCAAkC,IAAI;AAAA,gBACrC,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA,8BAKU,IAAI;AAAA,cACpB,SAAS;AAAA;AAAA,gCAES,OAAO;AAAA;AAAA;AAAA;AAAA,8BAIT,IAAI;AAAA,cACpB,SAAS;AAAA;AAAA,gCAES,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAQ/B,OAAO,wCAAwC,IAAI;AAAA,qBACtC,IAAI;AAAA,+BACM,uBAAuB;AAAA;AAAA;AAAA;AAAA,QAI9C,OAAO,qCAAqC,IAAI;AAAA,qBACnC,IAAI;AAAA,+BACM,0BAA0B,CAAC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAOlD,OAAO,0CAA0C,IAAI;AAAA,WAClD,IAAI;AAAA,eACA,QAAQ;AAAA;AAAA;AAAA;AAAA,sBAID,OAAO;AAAA;AAAA,uBAEN,SAAS;AAAA;AAAA;AAAA;AAAA,kBAId,GAAG;AAAA,qBACA,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA,4CAKiB,SAAS;AAAA,iDACJ,iBAAiB;AAAA,wCAC1B,aAAa;AAAA,qDACA,OAAO;AAAA,kDACV,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA,0BAK/B,YAAY;AAAA,0BACZ,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wCAME,IAAI;AAAA,UAClC,OAAO;AAAA,cACH,OAAO;AAAA;AAAA;AAAA;AAKjB,WAAO;AAAA,MACL,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,MACA;AAAA,MACA,SAAS;AAAA,QACP,gBAAgB,OAAO,SAAS,OAAO;AAAA,QACvC,gBAAgB,OAAO,kBAAkB,OAAO;AAAA,QAChD,gBAAgB,OAAO,mBAAmB,OAAO;AAAA,QACjD,gBAAgB,OAAO,oBAAoB,OAAO;AAAA,QAClD,gBAAgB,OAAO,iBAAiB,OAAO;AAAA,MACjD;AAAA,IACF;AAAA,EACF;AAAA,EAEA,cAAc,CAAC,WAA2B;AACxC,UAAM,eAAgB,OAAO,gBAA2B;AACxD,UAAM,MAAM,WAAY,OAAO,OAAkB,GAAG;AACpD,UAAM,SAAS,YAAa,OAAO,UAAqB,SAAS,QAAQ,MAAM,EAAE,CAAC,IAAI,QAAQ;AAG9F,QAAI,eAAe;AACnB,QAAI,eAAe,GAAG;AAEpB,YAAM,gBAAgB;AACtB,YAAM,UAAU,eAAe,MAAM,gBAAgB,QAAa;AAClE,YAAM,aAAa,eAAe,SAAS,gBAAgB,QAAa;AACxE,qBAAe,UAAU;AAAA,IAC3B,OAAO;AAEL,YAAM,mBAAmB,MAAS;AAClC,qBAAe,mBAAmB,MAAM,QAAa,mBAAmB,SAAS;AAAA,IACnF;AAGA,UAAM,aAAa;AAEnB,WAAO;AAAA,MACL,SAAS,KAAK,MAAM,eAAe,UAAU;AAAA,MAC7C,UAAU;AAAA,MACV,WAAW;AAAA,QACT,EAAE,MAAM,cAAc,eAAe,IAAI,cAAc,eAAe,KAAK,QAAQ,KAAK,MAAM,YAAY,EAAE;AAAA,QAC5G,EAAE,MAAM,4BAA4B,QAAQ,KAAK,MAAM,aAAa,GAAG,IAAI,IAAI;AAAA,MACjF;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AClOD,IAAM,UAAU;AAET,IAAM,SAAiB;AAAA,EAC5B,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW,CAAC,iBAAiB;AAAA,EAC7B,UAAU;AAAA,IACR;AAAA,MACE,MAAM;AAAA,MACN,OAAO,8CAA8C,OAAO;AAAA,MAC5D,YAAY;AAAA,MACZ,OAAO;AAAA,QACL,MAAM;AAAA,MACR;AAAA,MACA,KAAK;AAAA,QACH,MAAM;AAAA,QACN,gBAAgB;AAAA,QAChB,qBAAqB;AAAA,QACrB,YAAY;AAAA,QACZ,qBAAqB;AAAA,MACvB;AAAA,MACA,WAAW;AAAA,QACT,KAAK;AAAA,QACL,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AACF;AAEA,IAAO,gBAAQ;","names":[]}
+{"version":3,"sources":["../src/resources/gcp-kernel.ts","../src/index.ts"],"sourcesContent":["import { defineResource, type ResourceConfig } from '@stacksolo/core';\n\nfunction toVariableName(name: string): string {\n  return name.replace(/[^a-zA-Z0-9]/g, '_').replace(/^(\\d)/, '_$1');\n}\n\n/**\n * GCP Kernel Resource\n *\n * A fully GCP-native kernel implementation using:\n * - Cloud Run for HTTP endpoints (auth, files, events)\n * - Cloud Pub/Sub for event messaging (replaces NATS/JetStream)\n * - Cloud Storage for file operations\n * - Firebase Admin SDK for token validation\n *\n * This is the serverless alternative to the K8s kernel which uses embedded NATS.\n */\nexport const gcpKernelResource = defineResource({\n  id: 'gcp-kernel:gcp_kernel',\n  provider: 'gcp-kernel',\n  name: 'GCP Kernel',\n  description: 'Serverless kernel using Cloud Run + Pub/Sub (alternative to NATS-based K8s kernel)',\n  icon: 'cpu',\n\n  configSchema: {\n    type: 'object',\n    properties: {\n      name: {\n        type: 'string',\n        title: 'Name',\n        description: 'Resource name for references (@gcp-kernel/<name>)',\n        default: 'kernel',\n      },\n      location: {\n        type: 'string',\n        title: 'Region',\n        description: 'GCP region (defaults to project region)',\n      },\n      cpu: {\n        type: 'string',\n        title: 'CPU',\n        description: 'CPU allocation',\n        default: '1',\n        enum: ['1', '2', '4'],\n      },\n      memory: {\n        type: 'string',\n        title: 'Memory',\n        description: 'Memory allocation',\n        default: '512Mi',\n        enum: ['256Mi', '512Mi', '1Gi', '2Gi'],\n      },\n      minInstances: {\n        type: 'number',\n        title: 'Min Instances',\n        description: 'Minimum instances (0 for scale-to-zero)',\n        default: 0,\n      },\n      maxInstances: {\n        type: 'number',\n        title: 'Max Instances',\n        description: 'Maximum instances',\n        default: 10,\n      },\n      firebaseProjectId: {\n        type: 'string',\n        title: 'Firebase Project ID',\n        description: 'Firebase project for auth token validation',\n      },\n      storageBucket: {\n        type: 'string',\n        title: 'Storage Bucket',\n        description: 'GCS bucket for file uploads',\n      },\n      eventRetentionDays: {\n        type: 'number',\n        title: 'Event Retention Days',\n        description: 'How long to retain events in Pub/Sub',\n        default: 7,\n      },\n    },\n    required: ['firebaseProjectId', 'storageBucket'],\n  },\n\n  defaultConfig: {\n    name: 'kernel',\n    cpu: '1',\n    memory: '512Mi',\n    minInstances: 0,\n    maxInstances: 10,\n    eventRetentionDays: 7,\n  },\n\n  generate: (config: ResourceConfig) => {\n    const varName = toVariableName(config.name as string);\n    const name = (config.name as string) || 'kernel';\n    const location = (config.location as string) || '${var.region}';\n    const cpu = (config.cpu as string) || '1';\n    const memory = (config.memory as string) || '512Mi';\n    const minInstances = (config.minInstances as number) ?? 0;\n    const maxInstances = (config.maxInstances as number) ?? 10;\n    const firebaseProjectId = config.firebaseProjectId as string;\n    const storageBucket = config.storageBucket as string;\n    const eventRetentionDays = (config.eventRetentionDays as number) ?? 7;\n    const projectId = (config.projectId as string) || '${var.project_id}';\n\n    // Convert retention days to seconds\n    const messageRetentionSeconds = eventRetentionDays * 24 * 60 * 60;\n\n    const code = `// =============================================================================\n// GCP Kernel - Serverless kernel using Cloud Run + Pub/Sub\n// =============================================================================\n\n// Enable required APIs\nconst ${varName}FirestoreApi = new ProjectService(this, '${name}-firestore-api', {\n  service: 'firestore.googleapis.com',\n  disableOnDestroy: false,\n});\n\n// Create Firestore database (required for access control)\n// Using FIRESTORE_NATIVE mode for document-based access control\nconst ${varName}FirestoreDb = new FirestoreDatabase(this, '${name}-firestore-db', {\n  project: '${projectId}',\n  name: '(default)',\n  locationId: '${location}',\n  type: 'FIRESTORE_NATIVE',\n  deleteProtectionState: 'DELETE_PROTECTION_DISABLED',\n  dependsOn: [${varName}FirestoreApi],\n});\n\n// Service account for the GCP kernel\nconst ${varName}Sa = new ServiceAccount(this, '${name}-sa', {\n  accountId: '${name}-gcp-kernel',\n  displayName: 'GCP Kernel Service Account',\n});\n\n// Grant storage access for files service\nnew ProjectIamMember(this, '${name}-storage-iam', {\n  project: '${projectId}',\n  role: 'roles/storage.objectAdmin',\n  member: \\`serviceAccount:\\${${varName}Sa.email}\\`,\n});\n\n// Grant Pub/Sub access for events service\nnew ProjectIamMember(this, '${name}-pubsub-iam', {\n  project: '${projectId}',\n  role: 'roles/pubsub.editor',\n  member: \\`serviceAccount:\\${${varName}Sa.email}\\`,\n});\n\n// Grant Firestore/Datastore access for access control\nnew ProjectIamMember(this, '${name}-firestore-iam', {\n  project: '${projectId}',\n  role: 'roles/datastore.user',\n  member: \\`serviceAccount:\\${${varName}Sa.email}\\`,\n});\n\n// =============================================================================\n// Pub/Sub Topics for Events\n// =============================================================================\n\n// Main events topic\nconst ${varName}EventsTopic = new PubsubTopic(this, '${name}-events-topic', {\n  name: 'stacksolo-${name}-events',\n  messageRetentionDuration: '${messageRetentionSeconds}s',\n});\n\n// Dead letter topic for failed message delivery\nconst ${varName}DlqTopic = new PubsubTopic(this, '${name}-dlq-topic', {\n  name: 'stacksolo-${name}-events-dlq',\n  messageRetentionDuration: '${messageRetentionSeconds * 2}s',\n});\n\n// =============================================================================\n// Cloud Run Service\n// =============================================================================\n\nconst ${varName}Service = new CloudRunV2Service(this, '${name}', {\n  name: '${name}-gcp-kernel',\n  location: '${location}',\n  ingress: 'INGRESS_TRAFFIC_ALL',\n  deletionProtection: false,\n\n  template: {\n    serviceAccount: ${varName}Sa.email,\n    containers: [{\n      image: 'gcr.io/${projectId}/stacksolo-gcp-kernel:latest',\n      ports: { containerPort: 8080 },\n      resources: {\n        limits: {\n          cpu: '${cpu}',\n          memory: '${memory}',\n        },\n      },\n      env: [\n        // Note: PORT is automatically set by Cloud Run, don't specify it\n        { name: 'GCP_PROJECT_ID', value: '${projectId}' },\n        { name: 'FIREBASE_PROJECT_ID', value: '${firebaseProjectId}' },\n        { name: 'GCS_BUCKET', value: '${storageBucket}' },\n        { name: 'PUBSUB_EVENTS_TOPIC', value: \\`\\${${varName}EventsTopic.name}\\` },\n        { name: 'PUBSUB_DLQ_TOPIC', value: \\`\\${${varName}DlqTopic.name}\\` },\n        { name: 'KERNEL_TYPE', value: 'gcp' },\n      ],\n    }],\n    scaling: {\n      minInstanceCount: ${minInstances},\n      maxInstanceCount: ${maxInstances},\n    },\n  },\n});\n\n// Allow unauthenticated access (kernel validates tokens internally)\nnew CloudRunV2ServiceIamMember(this, '${name}-public', {\n  name: ${varName}Service.name,\n  location: ${varName}Service.location,\n  role: 'roles/run.invoker',\n  member: 'allUsers',\n});`;\n\n    return {\n      imports: [\n        \"import { ProjectService } from '@cdktf/provider-google/lib/project-service';\",\n        \"import { FirestoreDatabase } from '@cdktf/provider-google/lib/firestore-database';\",\n        \"import { ServiceAccount } from '@cdktf/provider-google/lib/service-account';\",\n        \"import { ProjectIamMember } from '@cdktf/provider-google/lib/project-iam-member';\",\n        \"import { CloudRunV2Service } from '@cdktf/provider-google/lib/cloud-run-v2-service';\",\n        \"import { CloudRunV2ServiceIamMember } from '@cdktf/provider-google/lib/cloud-run-v2-service-iam-member';\",\n        \"import { PubsubTopic } from '@cdktf/provider-google/lib/pubsub-topic';\",\n      ],\n      code,\n      outputs: [\n        `export const ${varName}Url = ${varName}Service.uri;`,\n        `export const ${varName}AuthUrl = \\`\\${${varName}Service.uri}/auth/validate\\`;`,\n        `export const ${varName}FilesUrl = \\`\\${${varName}Service.uri}/files\\`;`,\n        `export const ${varName}EventsUrl = \\`\\${${varName}Service.uri}/events\\`;`,\n        `export const ${varName}EventsTopic = ${varName}EventsTopic.name;`,\n      ],\n    };\n  },\n\n  estimateCost: (config: ResourceConfig) => {\n    const minInstances = (config.minInstances as number) ?? 0;\n    const cpu = parseFloat((config.cpu as string) || '1');\n    const memory = parseFloat(((config.memory as string) || '512Mi').replace('Mi', '')) / 1024 || 0.5;\n\n    // Cloud Run pricing\n    let cloudRunCost = 0;\n    if (minInstances > 0) {\n      // Always-on instances\n      const hoursPerMonth = 730;\n      const cpuCost = minInstances * cpu * hoursPerMonth * 0.00002400 * 3600;\n      const memoryCost = minInstances * memory * hoursPerMonth * 0.00000250 * 3600;\n      cloudRunCost = cpuCost + memoryCost;\n    } else {\n      // Pay-per-use estimate (assuming 100k requests/month @ 200ms avg)\n      const estimatedSeconds = 100000 * 0.2;\n      cloudRunCost = estimatedSeconds * cpu * 0.00002400 + estimatedSeconds * memory * 0.00000250;\n    }\n\n    // Pub/Sub pricing (~$0.40/million messages, assume 100k messages/month)\n    const pubsubCost = 0.04;\n\n    return {\n      monthly: Math.round(cloudRunCost + pubsubCost),\n      currency: 'USD',\n      breakdown: [\n        { item: `Cloud Run (${minInstances > 0 ? 'always-on' : 'scale-to-zero'})`, amount: Math.round(cloudRunCost) },\n        { item: 'Pub/Sub (~100k messages)', amount: Math.round(pubsubCost * 100) / 100 },\n      ],\n    };\n  },\n});\n","/**\n * StackSolo GCP Kernel Plugin\n *\n * GCP-native kernel implementation using Cloud Run + Pub/Sub.\n * This is the serverless alternative to the NATS-based kernel plugin.\n *\n * Endpoints:\n * - GET  /health          - Health check\n * - POST /auth/validate   - Validate Firebase token\n * - POST /files/*         - File operations (upload-url, download-url, list, delete, move, metadata)\n * - POST /events/publish  - Publish event to Pub/Sub\n * - POST /events/subscribe - Register HTTP push subscription\n */\n\nimport type { Plugin } from '@stacksolo/core';\nimport { gcpKernelResource } from './resources/index';\n\n/** Plugin version - must match package.json */\nconst VERSION = '0.1.2';\n\nexport const plugin: Plugin = {\n  name: '@stacksolo/plugin-gcp-kernel',\n  version: VERSION,\n  resources: [gcpKernelResource],\n  services: [\n    {\n      name: 'gcp-kernel',\n      image: `ghcr.io/monkeybarrels/stacksolo-gcp-kernel:${VERSION}`,\n      sourcePath: './service',\n      ports: {\n        http: 8080,\n      },\n      env: {\n        // PORT is automatically set by Cloud Run - don't specify it\n        GCP_PROJECT_ID: '',\n        FIREBASE_PROJECT_ID: '',\n        GCS_BUCKET: '',\n        PUBSUB_EVENTS_TOPIC: '',\n      },\n      resources: {\n        cpu: '1',\n        memory: '512Mi',\n      },\n    },\n  ],\n};\n\nexport default plugin;\n\n// Re-export types\nexport type { GcpKernelConfig, GcpKernelOutputs } from './types';\n"],"mappings":";AAAA,SAAS,sBAA2C;AAEpD,SAAS,eAAe,MAAsB;AAC5C,SAAO,KAAK,QAAQ,iBAAiB,GAAG,EAAE,QAAQ,SAAS,KAAK;AAClE;AAaO,IAAM,oBAAoB,eAAe;AAAA,EAC9C,IAAI;AAAA,EACJ,UAAU;AAAA,EACV,MAAM;AAAA,EACN,aAAa;AAAA,EACb,MAAM;AAAA,EAEN,cAAc;AAAA,IACZ,MAAM;AAAA,IACN,YAAY;AAAA,MACV,MAAM;AAAA,QACJ,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,QACb,SAAS;AAAA,MACX;AAAA,MACA,UAAU;AAAA,QACR,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,MACf;AAAA,MACA,KAAK;AAAA,QACH,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,QACb,SAAS;AAAA,QACT,MAAM,CAAC,KAAK,KAAK,GAAG;AAAA,MACtB;AAAA,MACA,QAAQ;AAAA,QACN,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,QACb,SAAS;AAAA,QACT,MAAM,CAAC,SAAS,SAAS,OAAO,KAAK;AAAA,MACvC;AAAA,MACA,cAAc;AAAA,QACZ,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,QACb,SAAS;AAAA,MACX;AAAA,MACA,cAAc;AAAA,QACZ,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,QACb,SAAS;AAAA,MACX;AAAA,MACA,mBAAmB;AAAA,QACjB,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,MACf;AAAA,MACA,eAAe;AAAA,QACb,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,MACf;AAAA,MACA,oBAAoB;AAAA,QAClB,MAAM;AAAA,QACN,OAAO;AAAA,QACP,aAAa;AAAA,QACb,SAAS;AAAA,MACX;AAAA,IACF;AAAA,IACA,UAAU,CAAC,qBAAqB,eAAe;AAAA,EACjD;AAAA,EAEA,eAAe;AAAA,IACb,MAAM;AAAA,IACN,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,cAAc;AAAA,IACd,cAAc;AAAA,IACd,oBAAoB;AAAA,EACtB;AAAA,EAEA,UAAU,CAAC,WAA2B;AACpC,UAAM,UAAU,eAAe,OAAO,IAAc;AACpD,UAAM,OAAQ,OAAO,QAAmB;AACxC,UAAM,WAAY,OAAO,YAAuB;AAChD,UAAM,MAAO,OAAO,OAAkB;AACtC,UAAM,SAAU,OAAO,UAAqB;AAC5C,UAAM,eAAgB,OAAO,gBAA2B;AACxD,UAAM,eAAgB,OAAO,gBAA2B;AACxD,UAAM,oBAAoB,OAAO;AACjC,UAAM,gBAAgB,OAAO;AAC7B,UAAM,qBAAsB,OAAO,sBAAiC;AACpE,UAAM,YAAa,OAAO,aAAwB;AAGlD,UAAM,0BAA0B,qBAAqB,KAAK,KAAK;AAE/D,UAAM,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA,QAKT,OAAO,4CAA4C,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAOvD,OAAO,8CAA8C,IAAI;AAAA,cACnD,SAAS;AAAA;AAAA,iBAEN,QAAQ;AAAA;AAAA;AAAA,gBAGT,OAAO;AAAA;AAAA;AAAA;AAAA,QAIf,OAAO,kCAAkC,IAAI;AAAA,gBACrC,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA,8BAKU,IAAI;AAAA,cACpB,SAAS;AAAA;AAAA,gCAES,OAAO;AAAA;AAAA;AAAA;AAAA,8BAIT,IAAI;AAAA,cACpB,SAAS;AAAA;AAAA,gCAES,OAAO;AAAA;AAAA;AAAA;AAAA,8BAIT,IAAI;AAAA,cACpB,SAAS;AAAA;AAAA,gCAES,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAQ/B,OAAO,wCAAwC,IAAI;AAAA,qBACtC,IAAI;AAAA,+BACM,uBAAuB;AAAA;AAAA;AAAA;AAAA,QAI9C,OAAO,qCAAqC,IAAI;AAAA,qBACnC,IAAI;AAAA,+BACM,0BAA0B,CAAC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAOlD,OAAO,0CAA0C,IAAI;AAAA,WAClD,IAAI;AAAA,eACA,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA,sBAKD,OAAO;AAAA;AAAA,uBAEN,SAAS;AAAA;AAAA;AAAA;AAAA,kBAId,GAAG;AAAA,qBACA,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA,4CAKiB,SAAS;AAAA,iDACJ,iBAAiB;AAAA,wCAC1B,aAAa;AAAA,qDACA,OAAO;AAAA,kDACV,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA,0BAK/B,YAAY;AAAA,0BACZ,YAAY;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,wCAME,IAAI;AAAA,UAClC,OAAO;AAAA,cACH,OAAO;AAAA;AAAA;AAAA;AAKjB,WAAO;AAAA,MACL,SAAS;AAAA,QACP;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,MACA;AAAA,MACA,SAAS;AAAA,QACP,gBAAgB,OAAO,SAAS,OAAO;AAAA,QACvC,gBAAgB,OAAO,kBAAkB,OAAO;AAAA,QAChD,gBAAgB,OAAO,mBAAmB,OAAO;AAAA,QACjD,gBAAgB,OAAO,oBAAoB,OAAO;AAAA,QAClD,gBAAgB,OAAO,iBAAiB,OAAO;AAAA,MACjD;AAAA,IACF;AAAA,EACF;AAAA,EAEA,cAAc,CAAC,WAA2B;AACxC,UAAM,eAAgB,OAAO,gBAA2B;AACxD,UAAM,MAAM,WAAY,OAAO,OAAkB,GAAG;AACpD,UAAM,SAAS,YAAa,OAAO,UAAqB,SAAS,QAAQ,MAAM,EAAE,CAAC,IAAI,QAAQ;AAG9F,QAAI,eAAe;AACnB,QAAI,eAAe,GAAG;AAEpB,YAAM,gBAAgB;AACtB,YAAM,UAAU,eAAe,MAAM,gBAAgB,QAAa;AAClE,YAAM,aAAa,eAAe,SAAS,gBAAgB,QAAa;AACxE,qBAAe,UAAU;AAAA,IAC3B,OAAO;AAEL,YAAM,mBAAmB,MAAS;AAClC,qBAAe,mBAAmB,MAAM,QAAa,mBAAmB,SAAS;AAAA,IACnF;AAGA,UAAM,aAAa;AAEnB,WAAO;AAAA,MACL,SAAS,KAAK,MAAM,eAAe,UAAU;AAAA,MAC7C,UAAU;AAAA,MACV,WAAW;AAAA,QACT,EAAE,MAAM,cAAc,eAAe,IAAI,cAAc,eAAe,KAAK,QAAQ,KAAK,MAAM,YAAY,EAAE;AAAA,QAC5G,EAAE,MAAM,4BAA4B,QAAQ,KAAK,MAAM,aAAa,GAAG,IAAI,IAAI;AAAA,MACjF;AAAA,IACF;AAAA,EACF;AACF,CAAC;;;AC7PD,IAAM,UAAU;AAET,IAAM,SAAiB;AAAA,EAC5B,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW,CAAC,iBAAiB;AAAA,EAC7B,UAAU;AAAA,IACR;AAAA,MACE,MAAM;AAAA,MACN,OAAO,8CAA8C,OAAO;AAAA,MAC5D,YAAY;AAAA,MACZ,OAAO;AAAA,QACL,MAAM;AAAA,MACR;AAAA,MACA,KAAK;AAAA;AAAA,QAEH,gBAAgB;AAAA,QAChB,qBAAqB;AAAA,QACrB,YAAY;AAAA,QACZ,qBAAqB;AAAA,MACvB;AAAA,MACA,WAAW;AAAA,QACT,KAAK;AAAA,QACL,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AACF;AAEA,IAAO,gBAAQ;","names":[]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stacksolo/plugin-gcp-kernel",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "GCP-native kernel plugin for StackSolo (Cloud Run + Pub/Sub)",
   "type": "module",
   "main": "./dist/index.js",

package/service/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:20-alpine
+FROM --platform=linux/amd64 node:20-alpine
 
 # Create app directory
 WORKDIR /app

package/service/src/index.ts

@@ -6,6 +6,7 @@
  * - Cloud Pub/Sub for event messaging (replaces NATS/JetStream)
  * - Cloud Storage for file operations
  * - Firebase Admin SDK for token validation
+ * - Firestore for access control
  *
  * Endpoints:
  * - GET  /health          - Health check
@@ -20,6 +21,11 @@
  * - POST /events/subscribe    - Register HTTP push subscription
  * - POST /events/unsubscribe  - Remove subscription
  * - GET  /events/subscriptions - List subscriptions
+ * - POST /access/grant        - Grant access to a resource
+ * - POST /access/revoke       - Revoke access from a resource
+ * - POST /access/check        - Check if member has access
+ * - GET  /access/list         - List members with access
+ * - GET  /access/resources    - List all protected resources
  */
 
 import express from 'express';
@@ -30,6 +36,7 @@ import { healthRouter } from './routes/health.js';
 import { authRouter } from './routes/auth.js';
 import { filesRouter } from './routes/files.js';
 import { eventsRouter } from './routes/events.js';
+import { accessRouter } from './routes/access.js';
 
 const app = express();
 const PORT = parseInt(process.env.PORT || '8080', 10);
@@ -51,6 +58,7 @@ app.use('/health', healthRouter);
 app.use('/auth', authRouter);
 app.use('/files', filesRouter);
 app.use('/events', eventsRouter);
+app.use('/access', accessRouter);
 
 // Root endpoint
 app.get('/', (_req, res) => {
@@ -63,6 +71,7 @@ app.get('/', (_req, res) => {
       auth: '/auth/validate',
       files: '/files/*',
       events: '/events/*',
+      access: '/access/*',
     },
   });
 });

package/service/src/routes/access.ts

@@ -0,0 +1,143 @@
+/**
+ * Access Control Routes
+ *
+ * Endpoints for managing dynamic access control via Firestore.
+ *
+ * POST /access/grant   - Grant access to a resource
+ * POST /access/revoke  - Revoke access from a resource
+ * POST /access/check   - Check if member has access
+ * GET  /access/list    - List members with access to a resource
+ * GET  /access/resources - List all protected resources
+ */
+
+import { Router } from 'express';
+import {
+  grantAccess,
+  revokeAccess,
+  checkAccess,
+  listAccess,
+  listResources,
+} from '../services/access.js';
+
+export const accessRouter = Router();
+
+/**
+ * Grant access to a resource
+ *
+ * POST /access/grant
+ * Body: { resource, member, permissions, grantedBy }
+ */
+accessRouter.post('/grant', async (req, res) => {
+  const { resource, member, permissions, grantedBy } = req.body;
+
+  if (!resource || !member || !permissions || !grantedBy) {
+    return res.status(400).json({
+      error: 'Missing required fields: resource, member, permissions, grantedBy',
+    });
+  }
+
+  if (!Array.isArray(permissions)) {
+    return res.status(400).json({
+      error: 'permissions must be an array',
+    });
+  }
+
+  const result = await grantAccess({ resource, member, permissions, grantedBy });
+
+  if (result.success) {
+    return res.json({ granted: true, resource, member, permissions });
+  }
+
+  return res.status(500).json({ error: result.error });
+});
+
+/**
+ * Revoke access from a resource
+ *
+ * POST /access/revoke
+ * Body: { resource, member, revokedBy }
+ */
+accessRouter.post('/revoke', async (req, res) => {
+  const { resource, member, revokedBy } = req.body;
+
+  if (!resource || !member || !revokedBy) {
+    return res.status(400).json({
+      error: 'Missing required fields: resource, member, revokedBy',
+    });
+  }
+
+  const result = await revokeAccess({ resource, member, revokedBy });
+
+  if (result.success) {
+    return res.json({ revoked: true, resource, member });
+  }
+
+  if (result.error === 'Access grant not found') {
+    return res.status(404).json({ error: result.error });
+  }
+
+  return res.status(500).json({ error: result.error });
+});
+
+/**
+ * Check if member has access to a resource
+ *
+ * POST /access/check
+ * Body: { resource, member, permission? }
+ */
+accessRouter.post('/check', async (req, res) => {
+  const { resource, member, permission } = req.body;
+
+  if (!resource || !member) {
+    return res.status(400).json({
+      error: 'Missing required fields: resource, member',
+    });
+  }
+
+  const result = await checkAccess({ resource, member, permission });
+
+  // Transform response to match runtime expectation (hasAccess instead of allowed)
+  return res.json({
+    hasAccess: result.allowed,
+    permissions: result.permissions || [],
+    reason: result.reason,
+  });
+});
+
+/**
+ * List members with access to a resource
+ *
+ * GET /access/list?resource=xxx
+ */
+accessRouter.get('/list', async (req, res) => {
+  const { resource } = req.query;
+
+  if (!resource || typeof resource !== 'string') {
+    return res.status(400).json({
+      error: 'Missing required query param: resource',
+    });
+  }
+
+  const result = await listAccess({ resource });
+
+  if (result.error) {
+    return res.status(500).json({ error: result.error });
+  }
+
+  return res.json({ resource, members: result.members });
+});
+
+/**
+ * List all protected resources
+ *
+ * GET /access/resources
+ */
+accessRouter.get('/resources', async (_req, res) => {
+  const result = await listResources();
+
+  if (result.error) {
+    return res.status(500).json({ error: result.error });
+  }
+
+  return res.json({ resources: result.resources });
+});

package/service/src/routes/auth.ts

@@ -1,6 +1,7 @@
 /**
  * Auth Routes
  *
+ * GET  /auth/whoami   - Get current user from IAP headers
  * POST /auth/validate - Validate Firebase ID token
  */
 
@@ -9,6 +10,44 @@ import { validateToken } from '../services/firebase.js';
 
 export const authRouter = Router();
 
+/**
+ * Get current user identity from IAP headers
+ *
+ * GET /auth/whoami
+ *
+ * Returns the authenticated user's email and ID from IAP headers.
+ * This endpoint is useful for SPAs that need to know who is logged in.
+ */
+authRouter.get('/whoami', (req: Request, res: Response) => {
+  // IAP sets these headers after authentication
+  const iapEmail = req.headers['x-goog-authenticated-user-email'] as string | undefined;
+  const iapId = req.headers['x-goog-authenticated-user-id'] as string | undefined;
+
+  if (!iapEmail) {
+    res.status(401).json({
+      authenticated: false,
+      error: 'No IAP authentication detected',
+      hint: 'This endpoint requires requests to pass through Identity-Aware Proxy',
+    });
+    return;
+  }
+
+  // IAP email format: "accounts.google.com:user@example.com"
+  const email = iapEmail.replace('accounts.google.com:', '');
+  const id = iapId?.replace('accounts.google.com:', '');
+
+  res.json({
+    authenticated: true,
+    email,
+    id,
+    // Include raw headers for debugging
+    raw: {
+      email: iapEmail,
+      id: iapId,
+    },
+  });
+});
+
 interface ValidateRequest {
   token: string;
 }

package/service/src/services/access.ts

@@ -0,0 +1,235 @@
+/**
+ * Access Control Service
+ *
+ * Manages dynamic access control via Firestore.
+ * Uses the kernel_access collection to store access rules.
+ *
+ * Collection structure:
+ * kernel_access/{resource}/members/{email} => { granted, grantedBy, permissions }
+ */
+
+import admin from 'firebase-admin';
+
+const DEFAULT_COLLECTION = 'kernel_access';
+
+interface AccessGrant {
+  granted: admin.firestore.Timestamp;
+  grantedBy: string;
+  permissions: string[];
+}
+
+interface AccessEntry {
+  member: string;
+  granted: Date;
+  grantedBy: string;
+  permissions: string[];
+}
+
+interface AuditEntry {
+  action: 'grant' | 'revoke';
+  resource: string;
+  member: string;
+  permissions?: string[];
+  performedBy: string;
+  timestamp: admin.firestore.Timestamp;
+}
+
+function getFirestore(): admin.firestore.Firestore {
+  return admin.firestore();
+}
+
+function getCollection(): string {
+  return process.env.ACCESS_COLLECTION || DEFAULT_COLLECTION;
+}
+
+/**
+ * Grant access to a resource for a member
+ */
+export async function grantAccess(params: {
+  resource: string;
+  member: string;
+  permissions: string[];
+  grantedBy: string;
+}): Promise<{ success: boolean; error?: string }> {
+  const { resource, member, permissions, grantedBy } = params;
+  const db = getFirestore();
+  const collection = getCollection();
+
+  try {
+    const docRef = db
+      .collection(collection)
+      .doc(resource)
+      .collection('members')
+      .doc(member);
+
+    const grant: AccessGrant = {
+      granted: admin.firestore.Timestamp.now(),
+      grantedBy,
+      permissions,
+    };
+
+    await docRef.set(grant);
+
+    // Audit log
+    await db.collection(`${collection}_audit`).add({
+      action: 'grant',
+      resource,
+      member,
+      permissions,
+      performedBy: grantedBy,
+      timestamp: admin.firestore.Timestamp.now(),
+    } as AuditEntry);
+
+    return { success: true };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Failed to grant access';
+    return { success: false, error: message };
+  }
+}
+
+/**
+ * Revoke access from a member for a resource
+ */
+export async function revokeAccess(params: {
+  resource: string;
+  member: string;
+  revokedBy: string;
+}): Promise<{ success: boolean; error?: string }> {
+  const { resource, member, revokedBy } = params;
+  const db = getFirestore();
+  const collection = getCollection();
+
+  try {
+    const docRef = db
+      .collection(collection)
+      .doc(resource)
+      .collection('members')
+      .doc(member);
+
+    const doc = await docRef.get();
+    if (!doc.exists) {
+      return { success: false, error: 'Access grant not found' };
+    }
+
+    await docRef.delete();
+
+    // Audit log
+    await db.collection(`${collection}_audit`).add({
+      action: 'revoke',
+      resource,
+      member,
+      performedBy: revokedBy,
+      timestamp: admin.firestore.Timestamp.now(),
+    } as AuditEntry);
+
+    return { success: true };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Failed to revoke access';
+    return { success: false, error: message };
+  }
+}
+
+/**
+ * Check if a member has access to a resource
+ */
+export async function checkAccess(params: {
+  resource: string;
+  member: string;
+  permission?: string;
+}): Promise<{ allowed: boolean; reason?: string; permissions?: string[] }> {
+  const { resource, member, permission } = params;
+  const db = getFirestore();
+  const collection = getCollection();
+
+  try {
+    const docRef = db
+      .collection(collection)
+      .doc(resource)
+      .collection('members')
+      .doc(member);
+
+    const doc = await docRef.get();
+
+    if (!doc.exists) {
+      return { allowed: false, reason: 'no_grant' };
+    }
+
+    const data = doc.data() as AccessGrant;
+
+    // If specific permission requested, check it
+    if (permission && !data.permissions.includes(permission)) {
+      return {
+        allowed: false,
+        reason: 'permission_denied',
+        permissions: data.permissions,
+      };
+    }
+
+    return {
+      allowed: true,
+      reason: 'explicit_grant',
+      permissions: data.permissions,
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Failed to check access';
+    return { allowed: false, reason: message };
+  }
+}
+
+/**
+ * List all members with access to a resource
+ */
+export async function listAccess(params: {
+  resource: string;
+}): Promise<{ members: AccessEntry[]; error?: string }> {
+  const { resource } = params;
+  const db = getFirestore();
+  const collection = getCollection();
+
+  try {
+    const snapshot = await db
+      .collection(collection)
+      .doc(resource)
+      .collection('members')
+      .get();
+
+    const members: AccessEntry[] = [];
+
+    snapshot.forEach((doc) => {
+      const data = doc.data() as AccessGrant;
+      members.push({
+        member: doc.id,
+        granted: data.granted.toDate(),
+        grantedBy: data.grantedBy,
+        permissions: data.permissions,
+      });
+    });
+
+    return { members };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Failed to list access';
+    return { members: [], error: message };
+  }
+}
+
+/**
+ * List all protected resources
+ */
+export async function listResources(): Promise<{ resources: string[]; error?: string }> {
+  const db = getFirestore();
+  const collection = getCollection();
+
+  try {
+    const snapshot = await db.collection(collection).get();
+
+    const resources: string[] = [];
+    snapshot.forEach((doc) => {
+      resources.push(doc.id);
+    });
+
+    return { resources };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Failed to list resources';
+    return { resources: [], error: message };
+  }
+}