firebase-tools 15.15.0 → 15.16.0

package/lib/agentSkills.js

@@ -6,10 +6,11 @@ const child_process_1 = require("child_process");
 const utils = require("./utils");
 const prompt = require("./prompt");
 const error_1 = require("./error");
-async function promptForAgentSkills() {
+async function promptForAgentSkills(options) {
     return prompt.confirm({
         message: "Would you like to install agent skills for Firebase?",
-        default: true,
+        default: !options?.nonInteractive,
+        nonInteractive: options?.nonInteractive,
     });
 }
 async function installAgentSkills(options) {

package/lib/apphosting/backend.js

@@ -66,7 +66,7 @@ async function awaitTlsReady(url) {
         }
     } while (!ready);
 }
-async function doSetup(projectId, nonInteractive, webAppName, backendId, serviceAccount, primaryRegion, rootDir, runtime, automaticBaseImageUpdatesDisabled) {
+async function doSetup(projectId, nonInteractive, webAppName, backendId, serviceAccount, primaryRegion, rootDir, runtime) {
     await ensureRequiredApisEnabled(projectId);
     await ensureAppHostingComputeServiceAccount(projectId, serviceAccount ? serviceAccount : null);
     let location = primaryRegion;
@@ -99,25 +99,13 @@ async function doSetup(projectId, nonInteractive, webAppName, backendId, service
     if (!location || !backendId) {
         throw new error_1.FirebaseError("Internal error: location or backendId is not defined.");
     }
-    if (runtime === undefined && (0, experiments_1.isEnabled)("abiu")) {
-        if (nonInteractive) {
-            runtime = prompts_1.DEFAULT_RUNTIME;
-        }
-        else {
-            runtime = await (0, prompts_1.promptRuntime)(projectId, location);
-        }
-    }
-    if (automaticBaseImageUpdatesDisabled === undefined && (0, experiments_1.isEnabled)("abiu")) {
-        if (!nonInteractive) {
-            automaticBaseImageUpdatesDisabled = !(await (0, prompts_1.promptAutomaticBaseImageUpdates)());
-        }
-    }
+    runtime = await (0, prompts_1.resolveRuntime)(projectId, location, nonInteractive, runtime);
     const webApp = await app_1.webApps.getOrCreateWebApp(projectId, webAppName ? webAppName : null, backendId);
     if (!webApp) {
         (0, utils_1.logWarning)(`Firebase web app not set`);
     }
     const createBackendSpinner = ora("Creating your new backend...").start();
-    const backend = await createBackend(projectId, location, backendId, serviceAccount ? serviceAccount : null, gitRepositoryLink, webApp?.id, rootDir, runtime, automaticBaseImageUpdatesDisabled);
+    const backend = await createBackend(projectId, location, backendId, serviceAccount ? serviceAccount : null, gitRepositoryLink, webApp?.id, rootDir, runtime);
     createBackendSpinner.succeed(`Successfully created backend!\n\t${backend.name}\n`);
     if (nonInteractive) {
         return;
@@ -158,7 +146,7 @@ async function doSetup(projectId, nonInteractive, webAppName, backendId, service
     }
     (0, utils_1.logSuccess)(`Your backend is now deployed at:\n\thttps://${backend.uri}`);
 }
-async function doSetupSourceDeploy(projectId, backendId) {
+async function doSetupSourceDeploy(projectId, backendId, nonInteractive, rootDir = "/") {
     const location = await promptLocation(projectId, "Select a primary region to host your backend:\n");
     const webAppSpinner = ora("Creating a new web app...\n").start();
     const webApp = await app_1.webApps.getOrCreateWebApp(projectId, null, backendId);
@@ -166,8 +154,9 @@ async function doSetupSourceDeploy(projectId, backendId) {
         (0, utils_1.logWarning)(`Firebase web app not set`);
     }
     webAppSpinner.stop();
+    const runtime = await (0, prompts_1.resolveRuntime)(projectId, location, nonInteractive);
     const createBackendSpinner = ora("Creating your new backend...").start();
-    const backend = await createBackend(projectId, location, backendId, null, undefined, webApp?.id);
+    const backend = await createBackend(projectId, location, backendId, null, undefined, webApp?.id, rootDir, runtime);
     createBackendSpinner.succeed(`Successfully created backend!\n\t${backend.name}\n`);
     return {
         backend,
@@ -242,7 +231,7 @@ async function promptNewBackendId(projectId, location) {
 function defaultComputeServiceAccountEmail(projectId) {
     return `${DEFAULT_COMPUTE_SERVICE_ACCOUNT_NAME}@${projectId}.iam.gserviceaccount.com`;
 }
-async function createBackend(projectId, location, backendId, serviceAccount, repository, webAppId, rootDir = "/", runtime, automaticBaseImageUpdatesDisabled) {
+async function createBackend(projectId, location, backendId, serviceAccount, repository, webAppId, rootDir = "/", runtime) {
     const defaultServiceAccount = defaultComputeServiceAccountEmail(projectId);
     const backendReqBody = {
         servingLocality: "GLOBAL_ACCESS",
@@ -258,7 +247,6 @@ async function createBackend(projectId, location, backendId, serviceAccount, rep
     };
     if ((0, experiments_1.isEnabled)("abiu")) {
         backendReqBody.runtime = { value: runtime ?? "" };
-        backendReqBody.automaticBaseImageUpdatesDisabled = automaticBaseImageUpdatesDisabled;
     }
     async function createBackendAndPoll() {
         const op = await apphosting.createBackend(projectId, location, backendReqBody, backendId);

package/lib/apphosting/localbuilds.js

@@ -2,9 +2,24 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.localBuild = localBuild;
 const build_1 = require("@apphosting/build");
-async function localBuild(projectRoot, framework, env = {}) {
+const secrets_1 = require("./secrets");
+const prompt_1 = require("../prompt");
+const error_1 = require("../error");
+async function localBuild(projectId, projectRoot, framework, env = {}, options) {
+    const hasBuildAvailableSecrets = Object.values(env).some((v) => v.secret && (!v.availability || v.availability.includes("BUILD")));
+    if (hasBuildAvailableSecrets && !options?.allowLocalBuildSecrets) {
+        if (options?.nonInteractive) {
+            throw new error_1.FirebaseError("Using build-available secrets during a local build in non-interactive mode requires the --allow-local-build-secrets flag.");
+        }
+        if (!(await (0, prompt_1.confirm)({
+            message: "Your build includes secrets that are available to the build environment. Using secrets in local builds may leave sensitive values in local artifacts/temporary files. Do you want to continue?",
+            default: false,
+        }))) {
+            throw new error_1.FirebaseError("Cancelled local build due to BUILD-available secrets.");
+        }
+    }
     const originalEnv = { ...process.env };
-    const addedEnv = toProcessEnv(env);
+    const addedEnv = await toProcessEnv(projectId, env);
     for (const [key, value] of Object.entries(addedEnv)) {
         process.env[key] = value;
     }
@@ -37,6 +52,19 @@ async function localBuild(projectRoot, framework, env = {}) {
         },
     };
 }
-function toProcessEnv(env) {
-    return Object.fromEntries(Object.entries(env).map(([key, value]) => [key, value.value || ""]));
+async function toProcessEnv(projectId, env) {
+    const entries = await Promise.all(Object.entries(env).map(async ([key, value]) => {
+        if (value.availability && !value.availability.includes("BUILD")) {
+            return null;
+        }
+        if (value.secret) {
+            const resolvedValue = await (0, secrets_1.loadSecret)(projectId, value.secret);
+            return [key, resolvedValue];
+        }
+        else {
+            return [key, value.value || ""];
+        }
+    }));
+    const filteredEntries = entries.filter((entry) => entry !== null);
+    return Object.fromEntries(filteredEntries);
 }

package/lib/apphosting/prompts.js

@@ -2,34 +2,55 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.DEFAULT_RUNTIME = void 0;
 exports.promptRuntime = promptRuntime;
-exports.promptAutomaticBaseImageUpdates = promptAutomaticBaseImageUpdates;
+exports.resolveRuntime = resolveRuntime;
 const prompt_1 = require("../prompt");
 const utils_1 = require("../utils");
 const apphosting = require("../gcp/apphosting");
+const experiments_1 = require("../experiments");
 exports.DEFAULT_RUNTIME = "nodejs";
 async function promptRuntime(projectId, location) {
-    const choices = [{ name: "Node.js (default)", value: exports.DEFAULT_RUNTIME }];
+    const choices = [];
+    let nodejsChoice = { name: "Node.js (default)", value: exports.DEFAULT_RUNTIME };
     try {
         const supportedRuntimes = await apphosting.listSupportedRuntimes(projectId, location);
         for (const r of supportedRuntimes) {
-            if (r.runtimeId !== exports.DEFAULT_RUNTIME) {
-                choices.push({ name: r.runtimeId, value: r.runtimeId });
+            const abiuText = r.automaticBaseImageUpdatesSupported
+                ? "Enables Automatic Base Image Updates"
+                : "No Automatic Base Image Updates";
+            const choiceName = `${r.runtimeId} - ${abiuText}`;
+            if (r.runtimeId === exports.DEFAULT_RUNTIME) {
+                nodejsChoice = { name: choiceName, value: r.runtimeId };
+            }
+            else {
+                choices.push({ name: choiceName, value: r.runtimeId });
             }
         }
+        choices.unshift(nodejsChoice);
     }
     catch (err) {
         (0, utils_1.logWarning)("Failed to list supported runtimes. Falling back to hardcoded list.");
-        choices.push({ name: "nodejs22", value: "nodejs22" });
+        choices.push({ name: "nodejs - No Automatic Base Image Updates", value: "nodejs" });
+        choices.push({ name: "nodejs22 - Enables Automatic Base Image Updates", value: "nodejs22" });
     }
-    return await (0, prompt_1.select)({
+    const selectedRuntime = await (0, prompt_1.select)({
         message: "Which runtime do you want to use?",
         choices: choices,
         default: exports.DEFAULT_RUNTIME,
     });
+    if (selectedRuntime === exports.DEFAULT_RUNTIME) {
+        (0, utils_1.logBullet)("ABIU will not be enabled for the unversioned 'nodejs' runtime.");
+    }
+    return selectedRuntime;
 }
-async function promptAutomaticBaseImageUpdates() {
-    return await (0, prompt_1.confirm)({
-        message: "Would you like to enable Automatic Base Image Updates (ABIU)?",
-        default: true,
-    });
+async function resolveRuntime(projectId, location, nonInteractive, runtimeOption) {
+    if (runtimeOption !== undefined) {
+        return runtimeOption;
+    }
+    if (!(0, experiments_1.isEnabled)("abiu")) {
+        return undefined;
+    }
+    if (nonInteractive) {
+        return exports.DEFAULT_RUNTIME;
+    }
+    return promptRuntime(projectId, location);
 }

package/lib/apphosting/secrets/index.js

@@ -5,6 +5,7 @@ exports.serviceAccountsForBackend = serviceAccountsForBackend;
 exports.grantSecretAccess = grantSecretAccess;
 exports.grantEmailsSecretAccess = grantEmailsSecretAccess;
 exports.upsertSecret = upsertSecret;
+exports.loadSecret = loadSecret;
 exports.fetchSecrets = fetchSecrets;
 exports.getSecretNameParts = getSecretNameParts;
 exports.apphostingSecretsSetAction = apphostingSecretsSetAction;
@@ -149,6 +150,48 @@ async function upsertSecret(project, secret, location) {
     }
     return false;
 }
+const secretResourceRegex = /^projects\/([^/]+)\/secrets\/([^/]+)(?:\/versions\/((?:latest)|\d+))?$/;
+const secretShorthandRegex = /^([^/@]+)(?:@((?:latest)|\d+))?$/;
+async function loadSecret(project, name) {
+    let projectId;
+    let secretId;
+    let version;
+    const match = secretResourceRegex.exec(name);
+    if (match) {
+        projectId = match[1];
+        secretId = match[2];
+        version = match[3] || "latest";
+    }
+    else {
+        const match = secretShorthandRegex.exec(name);
+        if (!match) {
+            throw new error_1.FirebaseError(`Invalid secret name: ${name}`);
+        }
+        if (!project) {
+            throw new error_1.FirebaseError(`Cannot load secret ${match[1]} without a project. ` +
+                `Please use ${clc.bold("firebase use")} or pass the --project flag.`);
+        }
+        projectId = project;
+        secretId = match[1];
+        version = match[2] || "latest";
+    }
+    try {
+        return await gcsm.accessSecretVersion(projectId, secretId, version);
+    }
+    catch (err) {
+        if (err instanceof error_1.FirebaseError) {
+            const original = err.original;
+            if (typeof original === "object" && original !== null) {
+                if (original.code === 403 ||
+                    original.context?.response?.statusCode === 403) {
+                    utils.logLabeledError("apphosting", `Permission denied to access secret ${secretId}. Use ` +
+                        `${clc.bold("firebase apphosting:secrets:grantaccess")} to get permissions.`);
+                }
+            }
+        }
+        throw err;
+    }
+}
 async function fetchSecrets(projectId, secrets) {
     let secretsKeyValuePairs;
     try {

package/lib/apphosting/yaml.js

@@ -58,10 +58,8 @@ class AppHostingYamlConfig {
 exports.AppHostingYamlConfig = AppHostingYamlConfig;
 function toEnvMap(envs) {
     return Object.fromEntries(envs.map((env) => {
-        const variable = env.variable;
-        const tmp = { ...env };
-        delete env.variable;
-        return [variable, tmp];
+        const { variable, ...rest } = env;
+        return [variable, rest];
     }));
 }
 function toEnvList(envs) {

package/lib/bin/firebase.js

@@ -3,6 +3,16 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const semver = require("semver");
 const pkg = require("../../package.json");
+const IGNORED_WARNINGS = [
+    "DEP0040",
+];
+process.on("warning", (warning) => {
+    const nodeWarning = warning;
+    if (nodeWarning.code && IGNORED_WARNINGS.includes(nodeWarning.code)) {
+        return;
+    }
+    console.warn(nodeWarning.stack || nodeWarning.message);
+});
 const nodeVersion = process.version;
 if (!semver.satisfies(nodeVersion, pkg.engines.node)) {
     console.error(`Firebase CLI v${pkg.version} is incompatible with Node.js ${nodeVersion} Please upgrade Node.js to version ${pkg.engines.node}`);

package/lib/bin/mcp.js

@@ -49,6 +49,8 @@ Options:
                             If specified, auto-detection is disabled for other features.
   --tools <tools>           Comma-separated list of specific tools to enable. Disables
                             auto-detection entirely.
+  --mode <mode>             Server mode: stdio, sse (defaults to stdio).
+  --port <port>             The port to listen on when running in SSE mode (defaults to 3000).
   -h, --help                Show this help message.
 `;
 async function mcp() {
@@ -57,6 +59,8 @@ async function mcp() {
             only: { type: "string", default: "" },
             tools: { type: "string", default: "" },
             dir: { type: "string" },
+            mode: { type: "string", default: "stdio" },
+            port: { type: "string", default: "3000" },
             "generate-tool-list": { type: "boolean", default: false },
             "generate-prompt-list": { type: "boolean", default: false },
             "generate-resource-list": { type: "boolean", default: false },
@@ -83,6 +87,10 @@ async function mcp() {
     }
     if (earlyExit)
         return;
+    if (values.mode !== "stdio" && values.mode !== "sse") {
+        console.error("Error: --mode must be either 'stdio' or 'sse'");
+        process.exit(1);
+    }
     (0, env_1.setFirebaseMcp)(true);
     const mcpLogDir = (0, path_1.join)((0, os_1.homedir)(), ".cache", "firebase");
     await (0, promises_1.mkdir)(mcpLogDir, { recursive: true });
@@ -100,7 +108,10 @@ async function mcp() {
         enabledTools,
         projectRoot: values.dir ? (0, path_1.resolve)(values.dir) : undefined,
     });
-    await server.start();
+    await server.start({
+        useSSE: values.mode === "sse",
+        port: values.port ? parseInt(values.port, 10) : undefined,
+    });
     if (process.stdin.isTTY)
         process.stderr.write(STARTUP_MESSAGE);
 }

package/lib/commands/apphosting-backends-create.js

@@ -19,10 +19,7 @@ exports.command = new command_1.Command("apphosting:backends:create")
     .option("--root-dir <rootDir>", "specify the root directory for the backend.");
 const abiuEnabled = experiments.isEnabled("abiu");
 if (abiuEnabled) {
-    exports.command
-        .option("--runtime [runtime]", "specify the runtime for the backend (e.g., nodejs, nodejs22)")
-        .option("--automatic-base-image-updates", "enable automatic base image updates")
-        .option("--no-automatic-base-image-updates", "disable automatic base image updates");
+    exports.command.option("--runtime [runtime]", "specify the runtime for the backend (e.g., nodejs, nodejs22)");
 }
 exports.command
     .before(requireAuth_1.requireAuth)
@@ -34,12 +31,9 @@ exports.command
         throw new error_1.FirebaseError(`--non-interactive option requires --backend and --primary-region`);
     }
     const abiuAllowed = experiments.isEnabled("abiu");
-    if (!abiuAllowed && (options.runtime || options.automaticBaseImageUpdates !== undefined)) {
-        throw new error_1.FirebaseError("The --runtime and --automatic-base-image-updates flags are only available when the 'abiu' experiment is enabled. To enable it, run 'firebase experiments:enable abiu'.");
+    if (!abiuAllowed && options.runtime) {
+        throw new error_1.FirebaseError("The --runtime flag is only available when the 'abiu' experiment is enabled. To enable it, run 'firebase experiments:enable abiu'.");
     }
     const runtime = abiuAllowed && typeof options.runtime === "string" ? options.runtime : undefined;
-    const automaticBaseImageUpdatesDisabled = abiuAllowed
-        ? options.automaticBaseImageUpdates === false
-        : undefined;
-    return (0, backend_1.doSetup)(projectId, options.nonInteractive, options.app, options.backend, options.serviceAccount, options.primaryRegion, options.rootDir, runtime, automaticBaseImageUpdatesDisabled);
+    return (0, backend_1.doSetup)(projectId, options.nonInteractive, options.app, options.backend, options.serviceAccount, options.primaryRegion, options.rootDir, runtime);
 });

package/lib/commands/dataconnect-sdk-generate.js

@@ -42,7 +42,7 @@ exports.command = new command_1.Command("dataconnect:sdk:generate")
             },
             instructions: [],
         };
-        await dataconnectInit.askQuestions(setup);
+        await dataconnectInit.askQuestions(setup, config, options);
         await dataconnectInit.actuate(setup, config, options);
         await (0, init_1.postInitSaves)(setup, config);
         justRanInit = true;
@@ -64,7 +64,7 @@ exports.command = new command_1.Command("dataconnect:sdk:generate")
             },
             instructions: [],
         };
-        await dataconnectSdkInit.askQuestions(setup);
+        await dataconnectSdkInit.askQuestions(setup, config, options);
         await dataconnectSdkInit.actuate(setup, config);
         justRanInit = true;
         serviceInfosWithSDKs = await loadAllWithSDKs(projectId, config, options);

package/lib/commands/deploy.js

@@ -16,6 +16,7 @@ const colorette_1 = require("colorette");
 const interactive_1 = require("../hosting/interactive");
 const utils_1 = require("../utils");
 const api_1 = require("../hosting/api");
+const experiments = require("../experiments");
 exports.VALID_DEPLOY_TARGETS = [
     "database",
     "storage",
@@ -92,7 +93,11 @@ exports.command = new command_1.Command("deploy")
     '(e.g. "--only dataconnect:serviceId,dataconnect:serviceId:connectorId,dataconnect:serviceId:schema")')
     .option("--except <targets>", 'deploy to all targets except specified (e.g. "database")')
     .option("--dry-run", "perform a dry run of your deployment. Validates your changes and builds your code without deploying any changes to your project. " +
-    "In order to provide better validation, this may still enable APIs on the target project")
+    "In order to provide better validation, this may still enable APIs on the target project");
+if (experiments.isEnabled("apphostinglocalbuilds")) {
+    exports.command.option("--allow-local-build-secrets", "allow the use of build-available secrets in local builds for App Hosting without interactive confirmation");
+}
+exports.command
     .before(requireConfig_1.requireConfig)
     .before((options) => {
     options.filteredTargets = (0, filterTargets_1.filterTargets)(options, exports.VALID_DEPLOY_TARGETS);

package/lib/config.js

@@ -197,6 +197,7 @@ class Config {
         const shouldWrite = await (0, prompt_1.confirm)({
             message: "File " + clc.underline(path) + " already exists. Overwrite?",
             default: !!confirmByDefault,
+            nonInteractive: this.options.nonInteractive,
         });
         if (!shouldWrite) {
             utils.logBullet("Skipping write of " + clc.bold(path));

package/lib/dataconnect/build.js

@@ -34,6 +34,12 @@ async function build(options, configDir, deployStats) {
     return buildResult?.metadata ?? {};
 }
 async function handleBuildErrors(errors, nonInteractive, force, dryRun) {
+    const fatalDeploys = errors.filter((w) => w.extensions?.warningLevel === "ALWAYS_REQUIRED");
+    if (fatalDeploys.length) {
+        utils.logLabeledError("dataconnect", `There are deployment requirements that are always required and cannot be bypassed:\n` +
+            (0, graphqlError_1.prettifyTable)(fatalDeploys));
+        throw new error_1.FirebaseError("Deployment failed due to unbypassable requirements.");
+    }
     if (errors.filter((w) => !w.extensions?.warningLevel).length) {
         throw new error_1.FirebaseError(`There are errors in your schema and connector files:\n${errors.map(graphqlError_1.prettify).join("\n")}`);
     }

package/lib/dataconnect/names.js

@@ -55,7 +55,7 @@ function parseCloudSQLInstanceName(cloudSQLInstanceName) {
         throw new error_1.FirebaseError(`${cloudSQLInstanceName} is not a valid cloudSQL instance name`);
     }
     const toString = () => {
-        return `projects/${projectId}/locations/${location}/services/${instanceId}`;
+        return `projects/${projectId}/locations/${location}/instances/${instanceId}`;
     };
     return {
         projectId,

package/lib/deploy/apphosting/prepare.js

@@ -110,7 +110,7 @@ async function default_1(context, options) {
             const selectedBackends = selected.map((id) => notFoundBackends.find((backend) => backend.backendId === id));
             for (const cfg of selectedBackends) {
                 (0, utils_1.logLabeledBullet)("apphosting", `Creating a new backend ${cfg.backendId}...`);
-                const { location } = await (0, backend_1.doSetupSourceDeploy)(projectId, cfg.backendId);
+                const { location } = await (0, backend_1.doSetupSourceDeploy)(projectId, cfg.backendId, options.nonInteractive, cfg.rootDir);
                 context.backendConfigs[cfg.backendId] = cfg;
                 context.backendLocations[cfg.backendId] = location;
             }
@@ -133,7 +133,10 @@ async function default_1(context, options) {
         await injectEnvVarsFromApphostingConfig(configs.filter((c) => c.backendId === cfg.backendId), options, buildEnv, runtimeEnv);
         await injectAutoInitEnvVars(cfg, backends, buildEnv, runtimeEnv);
         try {
-            const { outputFiles, annotations, buildConfig } = await (0, localbuilds_1.localBuild)(options.projectRoot || "./", "nextjs", buildEnv[cfg.backendId] || {});
+            const { outputFiles, annotations, buildConfig } = await (0, localbuilds_1.localBuild)(projectId, options.projectRoot || "./", "nextjs", buildEnv[cfg.backendId] || {}, {
+                nonInteractive: options.nonInteractive,
+                allowLocalBuildSecrets: !!options.allowLocalBuildSecrets,
+            });
             if (outputFiles.length !== 1) {
                 throw new error_1.FirebaseError(`Local build for backend ${cfg.backendId} failed: No output files found.`);
             }

package/lib/deploy/firestore/prepare.js

@@ -13,7 +13,7 @@ const error_1 = require("../../error");
 const types = require("../../firestore/api-types");
 const api_2 = require("../../firestore/api");
 function prepareRules(context, rulesDeploy, databaseId, rulesFile) {
-    rulesDeploy.addFile(rulesFile);
+    rulesDeploy.addFile(rulesFile, databaseId);
     context.firestore.rules.push({
         databaseId,
         rulesFile,

package/lib/deploy/functions/backend.js

@@ -210,20 +210,8 @@ async function loadExistingBackend(ctx) {
         existingBackend.endpoints[endpoint.region][endpoint.id] = endpoint;
     }
     unreachableRegions.gcfV1 = gcfV1Results.unreachable;
-    if (experiments.isEnabled("functionsrunapionly") || experiments.isEnabled("dartfunctions")) {
-        try {
-            const runServices = await run.listServices(ctx.projectId);
-            for (const service of runServices) {
-                const endpoint = run.endpointFromService(service);
-                existingBackend.endpoints[endpoint.region] =
-                    existingBackend.endpoints[endpoint.region] || {};
-                existingBackend.endpoints[endpoint.region][endpoint.id] = endpoint;
-            }
-        }
-        catch (err) {
-            logger_1.logger.debug(err.message);
-            unreachableRegions.run = ["unknown"];
-        }
+    if (experiments.isEnabled("functionsrunapionly")) {
+        await loadCloudRunServices(ctx, existingBackend, unreachableRegions, false);
     }
     else {
         const gcfV2Results = await gcfV2.listAllFunctions(ctx.projectId);
@@ -233,11 +221,31 @@ async function loadExistingBackend(ctx) {
             existingBackend.endpoints[endpoint.region][endpoint.id] = endpoint;
         }
         unreachableRegions.gcfV2 = gcfV2Results.unreachable;
+        if (experiments.isEnabled("dartfunctions")) {
+            await loadCloudRunServices(ctx, existingBackend, unreachableRegions, true);
+        }
     }
     ctx.existingBackend = existingBackend;
     ctx.unreachableRegions = unreachableRegions;
     return ctx.existingBackend;
 }
+async function loadCloudRunServices(ctx, existingBackend, unreachableRegions, onlyMissing) {
+    try {
+        const runServices = await run.listServices(ctx.projectId);
+        for (const service of runServices) {
+            const endpoint = run.endpointFromService(service);
+            if (!onlyMissing || !existingBackend.endpoints[endpoint.region]?.[endpoint.id]) {
+                existingBackend.endpoints[endpoint.region] =
+                    existingBackend.endpoints[endpoint.region] || {};
+                existingBackend.endpoints[endpoint.region][endpoint.id] = endpoint;
+            }
+        }
+    }
+    catch (err) {
+        logger_1.logger.debug(`Error loading Cloud Run services: ${err.message}`);
+        unreachableRegions.run = ["unknown"];
+    }
+}
 async function checkAvailability(context, want) {
     await existingBackend(context);
     const gcfV1Regions = new Set();

package/lib/deploy/functions/prepare.js

@@ -187,13 +187,19 @@ async function prepare(context, options, payload) {
         context.sources[codebase] = source;
     }
     payload.functions = {};
-    const haveBackends = (0, functionsDeployHelper_1.groupEndpointsByCodebase)(wantBackends, backend.allEndpoints(await backend.existingBackend(context)));
+    const existingBackend = await backend.existingBackend(context);
+    for (const [codebase, wantBackend] of Object.entries(wantBackends)) {
+        const relevantEndpoints = backend
+            .allEndpoints(existingBackend)
+            .filter((e) => e.codebase === codebase || e.codebase === undefined);
+        await resolveDefaultRegions(wantBackend, backend.of(...relevantEndpoints));
+    }
+    const haveBackends = (0, functionsDeployHelper_1.groupEndpointsByCodebase)(wantBackends, backend.allEndpoints(existingBackend));
     for (const [codebase, wantBackend] of Object.entries(wantBackends)) {
         const haveBackend = haveBackends[codebase] || backend.empty();
         payload.functions[codebase] = { wantBackend, haveBackend };
     }
     for (const [codebase, { wantBackend, haveBackend }] of Object.entries(payload.functions)) {
-        await resolveDefaultRegions(wantBackend, haveBackend);
         inferDetailsFromExisting(wantBackend, haveBackend, codebaseUsesEnvs.includes(codebase));
         await (0, triggerRegionHelper_1.ensureTriggerRegions)(wantBackend);
         resolveCpuAndConcurrency(wantBackend);

package/lib/deploy/functions/release/fabricator.js

@@ -69,9 +69,9 @@ class Fabricator {
             results: [],
         };
         const changesets = Object.values(plan);
-        const scraperV1 = new sourceTokenScraper_1.SourceTokenScraper();
-        const scraperV2 = new sourceTokenScraper_1.SourceTokenScraper();
         const createAndUpdatePromises = changesets.map((changes) => {
+            const scraperV1 = new sourceTokenScraper_1.SourceTokenScraper();
+            const scraperV2 = new sourceTokenScraper_1.SourceTokenScraper();
             return this.applyUpserts(changes, scraperV1, scraperV2);
         });
         const createAndUpdateResultsArray = await Promise.allSettled(createAndUpdatePromises);
@@ -542,7 +542,20 @@ class Fabricator {
             endpoint.runServiceId = endpoint.id;
         })
             .catch(rethrowAs(endpoint, "create"));
-        await this.setInvoker(endpoint);
+        const serviceName = `projects/${endpoint.project}/locations/${endpoint.region}/services/${endpoint.runServiceId}`;
+        if (backend.isHttpsTriggered(endpoint)) {
+            const invoker = endpoint.httpsTrigger.invoker || ["public"];
+            if (!invoker.includes("private")) {
+                await this.executor
+                    .run(() => run.setInvokerCreate(endpoint.project, serviceName, invoker))
+                    .catch(rethrowAs(endpoint, "set invoker"));
+            }
+        }
+        else if (backend.isCallableTriggered(endpoint)) {
+            await this.executor
+                .run(() => run.setInvokerCreate(endpoint.project, serviceName, ["public"]))
+                .catch(rethrowAs(endpoint, "set invoker"));
+        }
     }
     async updateRunFunction(update) {
         const endpoint = update.endpoint;
@@ -567,7 +580,16 @@ class Fabricator {
             endpoint.runServiceId = endpoint.id;
         })
             .catch(rethrowAs(endpoint, "update"));
-        await this.setInvoker(endpoint);
+        const serviceName = `projects/${endpoint.project}/locations/${endpoint.region}/services/${endpoint.runServiceId}`;
+        let invoker;
+        if (backend.isHttpsTriggered(endpoint)) {
+            invoker = endpoint.httpsTrigger.invoker === null ? ["public"] : endpoint.httpsTrigger.invoker;
+        }
+        if (invoker) {
+            await this.executor
+                .run(() => run.setInvokerUpdate(endpoint.project, serviceName, invoker))
+                .catch(rethrowAs(endpoint, "set invoker"));
+        }
     }
     async deleteRunFunction(endpoint) {
         await this.runFunctionExecutor
@@ -584,16 +606,6 @@ class Fabricator {
         })
             .catch(rethrowAs(endpoint, "delete"));
     }
-    async setInvoker(endpoint) {
-        if (backend.isHttpsTriggered(endpoint)) {
-            const invoker = endpoint.httpsTrigger.invoker || ["public"];
-            if (!invoker.includes("private")) {
-                await this.executor
-                    .run(() => run.setInvokerUpdate(endpoint.project, `projects/${endpoint.project}/locations/${endpoint.region}/services/${endpoint.runServiceId}`, invoker))
-                    .catch(rethrowAs(endpoint, "set invoker"));
-            }
-        }
-    }
     async setRunTraits(serviceName, endpoint) {
         await this.functionExecutor
             .run(async () => {

package/lib/deploy/functions/runtimes/python/index.js

@@ -45,6 +45,9 @@ function getPythonBinary(runtime) {
     else if (runtime === "python313") {
         return "python3.13";
     }
+    else if (runtime === "python314") {
+        return "python3.14";
+    }
     (0, functional_1.assertExhaustive)(runtime, `Unhandled python runtime ${runtime}`);
 }
 class Delegate {

package/lib/deploy/functions/runtimes/supported/types.js

@@ -89,6 +89,12 @@ exports.RUNTIMES = runtimes({
         deprecationDate: "2029-10-10",
         decommissionDate: "2030-04-10",
     },
+    python314: {
+        friendly: "Python 3.14",
+        status: "GA",
+        deprecationDate: "2030-10-10",
+        decommissionDate: "2031-04-10",
+    },
     dart3: {
         friendly: "Dart 3",
         status: "experimental",