puls-dev 0.1.0

package/dist/providers/do/firewall.js

@@ -0,0 +1,94 @@
+import { BaseBuilder } from '../../core/resource.js';
+import { getDoApi } from './api.js';
+export class FirewallBuilder extends BaseBuilder {
+    rules = [];
+    dropletNames = [];
+    constructor(name) {
+        super(name);
+        this.discoveryPromise = this.discoverFirewall(name);
+    }
+    async discoverFirewall(name) {
+        const api = getDoApi();
+        const data = await api.get('/firewalls?per_page=200');
+        return data.firewalls.find(f => f.name === name) ?? null;
+    }
+    ingress(protocol, port, sources) {
+        this.rules.push({ type: 'ingress', protocol, port, sources });
+        return this;
+    }
+    egress(protocol, port, destinations) {
+        this.rules.push({ type: 'egress', protocol, port, destinations });
+        return this;
+    }
+    attachTo(dropletName) {
+        this.dropletNames.push(dropletName);
+        return this;
+    }
+    async resolveDropletIds(api) {
+        const ids = [];
+        for (const name of this.dropletNames) {
+            const data = await api.get(`/droplets?name=${encodeURIComponent(name)}&per_page=200`);
+            const match = data.droplets.find(d => d.name === name);
+            if (match)
+                ids.push(match.id);
+        }
+        return ids;
+    }
+    buildApiRules() {
+        const inbound = this.rules
+            .filter(r => r.type === 'ingress')
+            .map(r => ({
+            protocol: r.protocol,
+            ports: String(r.port),
+            sources: { addresses: r.sources ?? [] },
+        }));
+        const outbound = this.rules
+            .filter(r => r.type === 'egress')
+            .map(r => ({
+            protocol: r.protocol,
+            ports: String(r.port),
+            destinations: { addresses: r.destinations ?? [] },
+        }));
+        return { inbound, outbound };
+    }
+    async deploy() {
+        const dryRun = this.isDryRunActive();
+        const existing = await this.discoveryPromise;
+        const api = getDoApi();
+        console.log(`\n🛡️  Finalizing firewall "${this.name}"...`);
+        if (dryRun) {
+            this.rules.forEach(r => {
+                const dir = r.type === 'ingress' ? 'from' : 'to';
+                const targets = r.type === 'ingress' ? r.sources : r.destinations;
+                console.log(`   📝 [PLAN] ${r.type.toUpperCase()}: ${r.protocol.toUpperCase()} ${r.port} ${dir} [${targets?.join(', ')}]`);
+            });
+            return { name: this.name, rules: this.rules };
+        }
+        const dropletIds = await this.resolveDropletIds(api);
+        const { inbound, outbound } = this.buildApiRules();
+        if (existing) {
+            await api.put(`/firewalls/${existing.id}`, {
+                name: this.name,
+                inbound_rules: inbound,
+                outbound_rules: outbound,
+                droplet_ids: dropletIds,
+            });
+            console.log(`✨ Updated firewall ${this.name} (id=${existing.id})`);
+        }
+        else {
+            const result = await api.post('/firewalls', {
+                name: this.name,
+                inbound_rules: inbound,
+                outbound_rules: outbound,
+                droplet_ids: dropletIds,
+            });
+            console.log(`🚀 Created firewall ${this.name} (id=${result.firewall.id})`);
+        }
+        this.rules.forEach(r => {
+            const dir = r.type === 'ingress' ? 'from' : 'to';
+            const targets = r.type === 'ingress' ? r.sources : r.destinations;
+            console.log(`   ✅ ${r.type.toUpperCase()}: ${r.protocol.toUpperCase()} ${r.port} ${dir} [${targets?.join(', ')}]`);
+        });
+        return { name: this.name, rules: this.rules };
+    }
+}

package/dist/providers/do/index.d.ts

@@ -0,0 +1,15 @@
+import { DropletBuilder } from "./droplet.js";
+import { DomainBuilder } from "./domain.js";
+import { FirewallBuilder } from "./firewall.js";
+import { CertificateBuilder } from "./certificate.js";
+import { LoadBalancerBuilder } from "./load_balancer.js";
+export declare const DO: {
+    init: (opts: {
+        token: string;
+    }) => void;
+    Droplet: (name: string) => DropletBuilder;
+    Domain: (name: string) => DomainBuilder;
+    Firewall: (name: string) => FirewallBuilder;
+    Certificate: (name: string) => CertificateBuilder;
+    LoadBalancer: (name: string) => LoadBalancerBuilder;
+};

package/dist/providers/do/index.js

@@ -0,0 +1,21 @@
+import { Config } from "../../core/config.js";
+import { DropletBuilder } from "./droplet.js";
+import { DomainBuilder } from "./domain.js";
+import { FirewallBuilder } from "./firewall.js";
+import { CertificateBuilder } from "./certificate.js";
+import { LoadBalancerBuilder } from "./load_balancer.js";
+export const DO = {
+    init: (opts) => {
+        Config.set({
+            providers: {
+                ...Config.get().providers,
+                do: opts,
+            },
+        });
+    },
+    Droplet: (name) => new DropletBuilder(name),
+    Domain: (name) => new DomainBuilder(name),
+    Firewall: (name) => new FirewallBuilder(name),
+    Certificate: (name) => new CertificateBuilder(name),
+    LoadBalancer: (name) => new LoadBalancerBuilder(name),
+};

package/dist/providers/do/list.d.ts

@@ -0,0 +1,2 @@
+import type { DoInventory } from '../../types/inventory.js';
+export declare function listDoResources(): Promise<DoInventory>;

package/dist/providers/do/list.js

@@ -0,0 +1,59 @@
+import { getDoApi } from './api.js';
+const DO_PRICING = {
+    's-1vcpu-1gb': 6,
+    's-1vcpu-2gb': 12,
+    's-2vcpu-2gb': 18,
+    's-2vcpu-4gb': 24,
+    's-4vcpu-8gb': 48,
+    's-6vcpu-16gb': 96,
+    's-8vcpu-32gb': 192,
+    'c-2': 42,
+    'c-4': 84,
+    'c-8': 168,
+    'g-2vcpu-8gb': 60,
+    'g-4vcpu-16gb': 120,
+    'm-2vcpu-16gb': 90,
+    'm-4vcpu-32gb': 180,
+};
+function priceForSlug(slug) {
+    return DO_PRICING[slug] ?? 0;
+}
+export async function listDoResources() {
+    const api = getDoApi();
+    const [dropletsData, firewallsData, lbData, domainsData] = await Promise.all([
+        api.get('/droplets?per_page=200'),
+        api.get('/firewalls?per_page=200'),
+        api.get('/load_balancers?per_page=200'),
+        api.get('/domains?per_page=200'),
+    ]);
+    const droplets = dropletsData.droplets.map((d) => {
+        const pub = (d.networks?.v4 ?? []).find((n) => n.type === 'public');
+        return {
+            id: d.id,
+            name: d.name,
+            status: d.status,
+            region: d.region?.slug ?? d.region ?? '',
+            size: d.size_slug,
+            ip: pub?.ip_address,
+            monthlyCost: priceForSlug(d.size_slug),
+        };
+    });
+    const firewalls = firewallsData.firewalls.map((f) => ({
+        id: f.id,
+        name: f.name,
+        dropletCount: (f.droplet_ids ?? []).length,
+    }));
+    const loadBalancers = lbData.load_balancers.map((lb) => ({
+        id: lb.id,
+        name: lb.name,
+        ip: lb.ip ?? '',
+        region: lb.region?.slug ?? lb.region ?? '',
+        status: lb.status,
+    }));
+    const domains = domainsData.domains.map((d) => ({
+        name: d.name,
+        ttl: d.ttl,
+    }));
+    const totalMonthlyCost = droplets.reduce((sum, d) => sum + d.monthlyCost, 0);
+    return { droplets, firewalls, loadBalancers, domains, totalMonthlyCost };
+}

package/dist/providers/do/load_balancer.d.ts

@@ -0,0 +1,12 @@
+import { DropletBuilder } from './droplet.js';
+export declare class LoadBalancerBuilder {
+    private name;
+    private config;
+    private targetNames;
+    private discoveryPromise;
+    constructor(name: string);
+    private discoverLb;
+    private resolveDropletIds;
+    targets(droplets: (DropletBuilder | string)[]): this;
+    deploy(): Promise<any>;
+}

package/dist/providers/do/load_balancer.js

@@ -0,0 +1,62 @@
+import { Config } from '../../core/config.js';
+import { getDoApi } from './api.js';
+export class LoadBalancerBuilder {
+    name;
+    config = {
+        region: Config.get().providers.do?.defaultRegion ?? 'fra1',
+    };
+    targetNames = [];
+    discoveryPromise;
+    constructor(name) {
+        this.name = name;
+        this.discoveryPromise = this.discoverLb(name);
+    }
+    async discoverLb(name) {
+        const api = getDoApi();
+        const data = await api.get('/load_balancers?per_page=200');
+        return data.load_balancers.find(lb => lb.name === name) ?? null;
+    }
+    async resolveDropletIds() {
+        const api = getDoApi();
+        const ids = [];
+        for (const name of this.targetNames) {
+            const data = await api.get(`/droplets?name=${encodeURIComponent(name)}&per_page=200`);
+            const match = data.droplets.find(d => d.name === name);
+            if (match)
+                ids.push(match.id);
+        }
+        return ids;
+    }
+    targets(droplets) {
+        this.targetNames = droplets.map(d => (typeof d === 'string' ? d : d.name));
+        return this;
+    }
+    async deploy() {
+        const dryRun = Config.isGlobalDryRun();
+        const existing = await this.discoveryPromise;
+        console.log(`\n⚖️  Finalizing load balancer "${this.name}"...`);
+        if (existing) {
+            console.log(`✅ Load balancer ${this.name} already exists (ip=${existing.ip}).`);
+            return existing;
+        }
+        if (dryRun) {
+            console.log(`   📝 [PLAN] Create load balancer ${this.name} targeting [${this.targetNames.join(', ')}]`);
+            return this.config;
+        }
+        const dropletIds = await this.resolveDropletIds();
+        const api = getDoApi();
+        const result = await api.post('/load_balancers', {
+            name: this.name,
+            region: this.config.region,
+            forwarding_rules: [
+                { entry_protocol: 'http', entry_port: 80, target_protocol: 'http', target_port: 80 },
+                { entry_protocol: 'https', entry_port: 443, target_protocol: 'http', target_port: 80 },
+            ],
+            droplet_ids: dropletIds,
+        });
+        console.log(`🚀 Created load balancer ${this.name} (id=${result.load_balancer.id})`);
+        if (this.targetNames.length)
+            console.log(`   Targets: [${this.targetNames.join(', ')}]`);
+        return result.load_balancer;
+    }
+}

package/dist/providers/firebase/api.d.ts

@@ -0,0 +1,4 @@
+export declare function getProjectId(): string;
+export declare function getFirebaseToken(scopes: string[]): Promise<string>;
+export declare function hostingFetch(path: string, opts?: RequestInit): Promise<any>;
+export declare function cloudFetch(base: string, path: string, opts?: RequestInit): Promise<any>;

package/dist/providers/firebase/api.js

@@ -0,0 +1,62 @@
+import { readFileSync } from 'node:fs';
+import { GoogleAuth } from 'google-auth-library';
+import { Config } from '../../core/config.js';
+function resolveFirebaseConfig() {
+    const cfg = Config.get().providers.firebase;
+    if (cfg?.serviceAccountPath)
+        return cfg;
+    // Fallback: auto-configure from FIREBASE_SA env var so the decorator option is optional
+    const saPath = process.env.FIREBASE_SA;
+    if (saPath) {
+        const sa = JSON.parse(readFileSync(saPath, 'utf8'));
+        return { projectId: sa.project_id, serviceAccountPath: saPath };
+    }
+    throw new Error('Firebase not configured. Set FIREBASE_SA=/path/to/sa.json or use @Deploy({ firebase: "..." })');
+}
+export function getProjectId() {
+    return resolveFirebaseConfig().projectId;
+}
+export async function getFirebaseToken(scopes) {
+    const { serviceAccountPath } = resolveFirebaseConfig();
+    const auth = new GoogleAuth({ keyFile: serviceAccountPath, scopes });
+    const client = await auth.getClient();
+    const token = await client.getAccessToken();
+    return token.token;
+}
+const HOSTING_SCOPE = 'https://www.googleapis.com/auth/firebase.hosting';
+const CLOUD_SCOPE = 'https://www.googleapis.com/auth/cloud-platform';
+export async function hostingFetch(path, opts = {}) {
+    const token = await getFirebaseToken([HOSTING_SCOPE]);
+    const base = 'https://firebasehosting.googleapis.com/v1beta1';
+    const res = await fetch(`${base}${path}`, {
+        ...opts,
+        headers: {
+            'Authorization': `Bearer ${token}`,
+            'Content-Type': 'application/json',
+            ...(opts.headers ?? {}),
+        },
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`Firebase Hosting API ${opts.method ?? 'GET'} ${path} → ${res.status}: ${body}`);
+    }
+    const text = await res.text();
+    return text ? JSON.parse(text) : null;
+}
+export async function cloudFetch(base, path, opts = {}) {
+    const token = await getFirebaseToken([CLOUD_SCOPE]);
+    const res = await fetch(`${base}${path}`, {
+        ...opts,
+        headers: {
+            'Authorization': `Bearer ${token}`,
+            'Content-Type': 'application/json',
+            ...(opts.headers ?? {}),
+        },
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`GCP API ${opts.method ?? 'GET'} ${path} → ${res.status}: ${body}`);
+    }
+    const text = await res.text();
+    return text ? JSON.parse(text) : null;
+}

package/dist/providers/firebase/auth.d.ts

@@ -0,0 +1,35 @@
+import { BaseBuilder } from '../../core/resource.js';
+interface OAuthCredentials {
+    clientId: string;
+    clientSecret: string;
+}
+export declare class FirebaseAuthBuilder extends BaseBuilder {
+    private _providers;
+    private _allowedDomains?;
+    private _authorizedDomains?;
+    constructor();
+    emailPassword(opts?: {
+        passwordRequired?: boolean;
+    }): this;
+    anonymous(): this;
+    phone(): this;
+    google(creds: OAuthCredentials): this;
+    github(creds: OAuthCredentials): this;
+    facebook(creds: OAuthCredentials): this;
+    twitter(creds: OAuthCredentials): this;
+    apple(creds: OAuthCredentials): this;
+    microsoft(creds: OAuthCredentials): this;
+    authorizedDomains(domains: string[]): this;
+    private projectPath;
+    private getConfig;
+    private patchConfig;
+    private getIdp;
+    private upsertIdp;
+    deploy(): Promise<{
+        project: string;
+    }>;
+    destroy(): Promise<{
+        destroyed: string;
+    }>;
+}
+export {};

package/dist/providers/firebase/auth.js

@@ -0,0 +1,147 @@
+import { BaseBuilder } from '../../core/resource.js';
+import { cloudFetch, getProjectId } from './api.js';
+const AUTH_BASE = 'https://identitytoolkit.googleapis.com/admin/v2';
+const IDP_ID = {
+    google: 'google.com',
+    github: 'github.com',
+    facebook: 'facebook.com',
+    twitter: 'twitter.com',
+    apple: 'apple.com',
+    microsoft: 'microsoft.com',
+};
+export class FirebaseAuthBuilder extends BaseBuilder {
+    _providers = {};
+    _allowedDomains;
+    _authorizedDomains;
+    constructor() {
+        super('auth');
+        this.discoveryPromise = Promise.resolve(null);
+    }
+    emailPassword(opts = {}) {
+        this._providers.emailPassword = { enabled: true, ...opts };
+        return this;
+    }
+    anonymous() { this._providers.anonymous = { enabled: true }; return this; }
+    phone() { this._providers.phone = { enabled: true }; return this; }
+    google(creds) { this._providers.google = { enabled: true, ...creds }; return this; }
+    github(creds) { this._providers.github = { enabled: true, ...creds }; return this; }
+    facebook(creds) { this._providers.facebook = { enabled: true, ...creds }; return this; }
+    twitter(creds) { this._providers.twitter = { enabled: true, ...creds }; return this; }
+    apple(creds) { this._providers.apple = { enabled: true, ...creds }; return this; }
+    microsoft(creds) { this._providers.microsoft = { enabled: true, ...creds }; return this; }
+    // Domains allowed to use Firebase Auth (e.g. your app domain + localhost)
+    authorizedDomains(domains) { this._authorizedDomains = domains; return this; }
+    // ── Helpers ───────────────────────────────────────────────────────────────
+    projectPath() { return `/projects/${getProjectId()}`; }
+    async getConfig() {
+        try {
+            return await cloudFetch(AUTH_BASE, `${this.projectPath()}/config`);
+        }
+        catch {
+            return null;
+        }
+    }
+    async patchConfig(body, updateMask) {
+        await cloudFetch(AUTH_BASE, `${this.projectPath()}/config?updateMask=${updateMask}`, { method: 'PATCH', body: JSON.stringify(body) });
+    }
+    async getIdp(provider) {
+        try {
+            return await cloudFetch(AUTH_BASE, `${this.projectPath()}/defaultSupportedIdpConfigs/${IDP_ID[provider]}`);
+        }
+        catch {
+            return null;
+        }
+    }
+    async upsertIdp(provider, creds) {
+        const idpId = IDP_ID[provider];
+        const existing = await this.getIdp(provider);
+        const body = {
+            name: `${this.projectPath().slice(1)}/defaultSupportedIdpConfigs/${idpId}`,
+            clientId: creds.clientId,
+            clientSecret: creds.clientSecret,
+            enabled: creds.enabled ?? true,
+        };
+        if (existing) {
+            await cloudFetch(AUTH_BASE, `${this.projectPath()}/defaultSupportedIdpConfigs/${idpId}?updateMask=clientId,clientSecret,enabled`, { method: 'PATCH', body: JSON.stringify(body) });
+        }
+        else {
+            await cloudFetch(AUTH_BASE, `${this.projectPath()}/defaultSupportedIdpConfigs?idpId=${idpId}`, { method: 'POST', body: JSON.stringify(body) });
+        }
+    }
+    // ── Deploy ────────────────────────────────────────────────────────────────
+    async deploy() {
+        const dryRun = this.isDryRunActive();
+        console.log(`\n🔑 Finalizing Firebase Auth...`);
+        const { emailPassword, anonymous, phone, ...oauthProviders } = this._providers;
+        const hasBuiltIn = emailPassword || anonymous || phone;
+        const oauthEntries = Object.entries(oauthProviders);
+        if (dryRun) {
+            if (hasBuiltIn) {
+                console.log(`   📝 [PLAN] Configure sign-in methods:`);
+                if (emailPassword)
+                    console.log(`      └─ Email/Password (passwordRequired: ${emailPassword.passwordRequired ?? true})`);
+                if (anonymous)
+                    console.log(`      └─ Anonymous`);
+                if (phone)
+                    console.log(`      └─ Phone`);
+            }
+            for (const [name] of oauthEntries) {
+                console.log(`   📝 [PLAN] Enable OAuth provider: ${IDP_ID[name]}`);
+            }
+            if (this._authorizedDomains) {
+                console.log(`   📝 [PLAN] Set authorized domains: [${this._authorizedDomains.join(', ')}]`);
+            }
+            return { project: getProjectId() };
+        }
+        // Built-in providers via project config
+        if (hasBuiltIn || this._authorizedDomains) {
+            const signIn = {};
+            const masks = [];
+            if (emailPassword) {
+                signIn.email = { enabled: true, passwordRequired: emailPassword.passwordRequired ?? true };
+                masks.push('signIn.email');
+            }
+            if (anonymous) {
+                signIn.anonymous = { enabled: true };
+                masks.push('signIn.anonymous');
+            }
+            if (phone) {
+                signIn.phoneNumber = { enabled: true };
+                masks.push('signIn.phoneNumber');
+            }
+            const body = {};
+            if (masks.length)
+                body.signIn = signIn;
+            if (this._authorizedDomains) {
+                body.authorizedDomains = this._authorizedDomains;
+                masks.push('authorizedDomains');
+            }
+            await this.patchConfig(body, masks.join(','));
+            if (emailPassword)
+                console.log(`   ✅ Email/Password enabled`);
+            if (anonymous)
+                console.log(`   ✅ Anonymous sign-in enabled`);
+            if (phone)
+                console.log(`   ✅ Phone sign-in enabled`);
+            if (this._authorizedDomains)
+                console.log(`   ✅ Authorized domains set: [${this._authorizedDomains.join(', ')}]`);
+        }
+        // OAuth providers
+        for (const [name, creds] of oauthEntries) {
+            await this.upsertIdp(name, creds);
+            console.log(`   ✅ ${IDP_ID[name]} provider configured`);
+        }
+        return { project: getProjectId() };
+    }
+    async destroy() {
+        const dryRun = this.isDryRunActive();
+        console.log(`\n🗑️  Destroying Firebase Auth config...`);
+        if (dryRun) {
+            console.log(`   ℹ️  Auth providers can be disabled individually — destroying the Auth config is not supported via API`);
+        }
+        else {
+            console.log(`   ℹ️  Disable providers individually in the Firebase console`);
+        }
+        return { destroyed: 'auth' };
+    }
+}

package/dist/providers/firebase/firestore.d.ts

@@ -0,0 +1,28 @@
+import { BaseBuilder } from '../../core/resource.js';
+type FieldOrder = 'ASCENDING' | 'DESCENDING';
+interface IndexField {
+    field: string;
+    order: FieldOrder;
+}
+export declare class FirebaseFirestoreBuilder extends BaseBuilder {
+    private _rulesPath?;
+    private _indexes;
+    constructor(database?: string);
+    rules(filePath: string): this;
+    index(collection: string, fields: IndexField[]): this;
+    private rulesRelease;
+    private currentRulesReleaseRuleset;
+    private deployRules;
+    private dbPath;
+    private listExistingIndexes;
+    private indexKey;
+    private deployIndexes;
+    deploy(): Promise<{
+        database: string;
+        project: string;
+    }>;
+    destroy(): Promise<{
+        destroyed: string;
+    }>;
+}
+export {};

package/dist/providers/firebase/firestore.js

@@ -0,0 +1,120 @@
+import { readFileSync } from 'node:fs';
+import { BaseBuilder } from '../../core/resource.js';
+import { cloudFetch, getProjectId } from './api.js';
+const RULES_BASE = 'https://firebaserules.googleapis.com/v1';
+const FS_BASE = 'https://firestore.googleapis.com/v1';
+export class FirebaseFirestoreBuilder extends BaseBuilder {
+    _rulesPath;
+    _indexes = [];
+    constructor(database = '(default)') {
+        super(database);
+        this.discoveryPromise = Promise.resolve(null);
+    }
+    rules(filePath) { this._rulesPath = filePath; return this; }
+    index(collection, fields) { this._indexes.push({ collection, fields }); return this; }
+    // ── Rules ────────────────────────────────────────────────────────────────
+    rulesRelease() {
+        return `projects/${getProjectId()}/releases/cloud.firestore`;
+    }
+    async currentRulesReleaseRuleset() {
+        try {
+            const rel = await cloudFetch(RULES_BASE, `/${this.rulesRelease()}`);
+            return rel?.rulesetName ?? null;
+        }
+        catch {
+            return null;
+        }
+    }
+    async deployRules(dryRun) {
+        if (!this._rulesPath)
+            return;
+        const source = readFileSync(this._rulesPath, 'utf8');
+        const current = await this.currentRulesReleaseRuleset();
+        if (dryRun) {
+            console.log(`   📝 [PLAN] Deploy Firestore rules from "${this._rulesPath}"`);
+            if (current)
+                console.log(`      └─ replaces ruleset: ${current.split('/').pop()}`);
+            return;
+        }
+        const ruleset = await cloudFetch(RULES_BASE, `/projects/${getProjectId()}/rulesets`, {
+            method: 'POST',
+            body: JSON.stringify({ source: { files: [{ name: 'firestore.rules', content: source }] } }),
+        });
+        await cloudFetch(RULES_BASE, `/${this.rulesRelease()}`, {
+            method: 'PUT',
+            body: JSON.stringify({ name: this.rulesRelease(), rulesetName: ruleset.name }),
+        });
+        console.log(`   ✅ Rules deployed (ruleset: ${ruleset.name.split('/').pop()})`);
+    }
+    // ── Indexes ───────────────────────────────────────────────────────────────
+    dbPath() {
+        return `projects/${getProjectId()}/databases/${this.name}`;
+    }
+    async listExistingIndexes() {
+        try {
+            const res = await cloudFetch(FS_BASE, `/${this.dbPath()}/collectionGroups/-/indexes`);
+            return res?.indexes ?? [];
+        }
+        catch {
+            return [];
+        }
+    }
+    indexKey(collection, fields) {
+        return `${collection}:${fields.map(f => `${f.field}:${f.order}`).join(',')}`;
+    }
+    async deployIndexes(dryRun) {
+        if (this._indexes.length === 0)
+            return;
+        const existing = await this.listExistingIndexes();
+        const existingKeys = new Set(existing.map((idx) => {
+            const parts = idx.name.split('/collectionGroups/');
+            const collection = parts[1]?.split('/')[0] ?? '';
+            const fields = (idx.fields ?? [])
+                .filter((f) => f.fieldPath !== '__name__')
+                .map((f) => ({ field: f.fieldPath, order: f.order }));
+            return this.indexKey(collection, fields);
+        }));
+        const toCreate = this._indexes.filter(i => !existingKeys.has(this.indexKey(i.collection, i.fields)));
+        if (dryRun) {
+            console.log(`   📝 [PLAN] ${toCreate.length} index(es) to create, ${this._indexes.length - toCreate.length} already exist`);
+            for (const idx of toCreate) {
+                console.log(`      └─ ${idx.collection}: [${idx.fields.map(f => `${f.field} ${f.order}`).join(', ')}]`);
+            }
+            return;
+        }
+        for (const idx of toCreate) {
+            await cloudFetch(FS_BASE, `/${this.dbPath()}/collectionGroups/${idx.collection}/indexes`, {
+                method: 'POST',
+                body: JSON.stringify({
+                    queryScope: 'COLLECTION',
+                    fields: idx.fields.map(f => ({ fieldPath: f.field, order: f.order })),
+                }),
+            });
+            console.log(`   ✅ Index created: ${idx.collection} [${idx.fields.map(f => `${f.field} ${f.order}`).join(', ')}]`);
+        }
+        if (toCreate.length === 0)
+            console.log(`   ✅ All indexes already exist`);
+    }
+    // ── Lifecycle ─────────────────────────────────────────────────────────────
+    async deploy() {
+        console.log(`\n🔥 Finalizing Firestore "${this.name}"...`);
+        const dryRun = this.isDryRunActive();
+        await this.deployRules(dryRun);
+        await this.deployIndexes(dryRun);
+        return { database: this.name, project: getProjectId() };
+    }
+    async destroy() {
+        const dryRun = this.isDryRunActive();
+        console.log(`\n🗑️  Destroying Firestore config "${this.name}"...`);
+        // Firestore databases themselves cannot be deleted via API — only the config managed here
+        if (dryRun) {
+            if (this._rulesPath)
+                console.log(`   📝 [PLAN] Rules release cannot be rolled back via API — do this in the Firebase console`);
+            console.log(`   ℹ️  Firestore databases cannot be deleted via API`);
+        }
+        else {
+            console.log(`   ℹ️  Firestore databases cannot be deleted via API. Remove rules/indexes manually in the Firebase console.`);
+        }
+        return { destroyed: this.name };
+    }
+}