puls-dev 0.2.0 → 0.2.2

package/dist/providers/aws/index.d.ts

@@ -7,6 +7,9 @@ import { FargateBuilder } from "./fargate.js";
 import { RDSBuilder } from "./rds.js";
 import { SQSBuilder } from "./sqs.js";
 import { SecretsBuilder } from "./secrets.js";
+import { IAMRoleBuilder, IAMPolicyBuilder } from "./iam.js";
+import { SNSTopicBuilder } from "./sns.js";
+import { CloudWatchAlarmBuilder } from "./cloudwatch.js";
 export declare const AWS: {
     init: (opts: {
         region: string;
@@ -20,5 +23,9 @@ export declare const AWS: {
     RDS: (name: string) => RDSBuilder;
     SQS: (name: string) => SQSBuilder;
     Secret: (secretId: string) => SecretsBuilder;
+    IAMRole: (name: string) => IAMRoleBuilder;
+    IAMPolicy: (name: string) => IAMPolicyBuilder;
+    SNS: (name: string) => SNSTopicBuilder;
+    Alarm: (name: string) => CloudWatchAlarmBuilder;
 };
 export * from "../../types/aws.js";

package/dist/providers/aws/index.js

@@ -8,6 +8,9 @@ import { FargateBuilder } from "./fargate.js";
 import { RDSBuilder } from "./rds.js";
 import { SQSBuilder } from "./sqs.js";
 import { SecretsBuilder } from "./secrets.js";
+import { IAMRoleBuilder, IAMPolicyBuilder } from "./iam.js";
+import { SNSTopicBuilder } from "./sns.js";
+import { CloudWatchAlarmBuilder } from "./cloudwatch.js";
 export const AWS = {
     init: (opts) => {
         Config.set({
@@ -26,5 +29,9 @@ export const AWS = {
     RDS: (name) => new RDSBuilder(name),
     SQS: (name) => new SQSBuilder(name),
     Secret: (secretId) => new SecretsBuilder(secretId),
+    IAMRole: (name) => new IAMRoleBuilder(name),
+    IAMPolicy: (name) => new IAMPolicyBuilder(name),
+    SNS: (name) => new SNSTopicBuilder(name),
+    Alarm: (name) => new CloudWatchAlarmBuilder(name),
 };
 export * from "../../types/aws.js";

package/dist/providers/aws/lambda.d.ts

@@ -1,5 +1,6 @@
 import { BaseBuilder } from "../../core/resource.js";
 import { SecretsBuilder } from "./secrets.js";
+import { IAMRoleBuilder } from "./iam.js";
 export declare class LambdaBuilder extends BaseBuilder {
     private _runtime;
     private _handler;
@@ -8,6 +9,7 @@ export declare class LambdaBuilder extends BaseBuilder {
     private _codePath?;
     private _env;
     private _roleArn?;
+    private _roleBuilder?;
     resolvedArn: string | null;
     constructor(name: string);
     private discoverFunction;
@@ -16,7 +18,7 @@ export declare class LambdaBuilder extends BaseBuilder {
     handler(h: string): this;
     memory(mb: number): this;
     timeout(seconds: number): this;
-    role(arn: string): this;
+    role(arnOrBuilder: string | IAMRoleBuilder): this;
     env(vars: Record<string, string | SecretsBuilder>): this;
     private ensureRole;
     private buildZip;

package/dist/providers/aws/lambda.js

@@ -25,6 +25,7 @@ export class LambdaBuilder extends BaseBuilder {
     _codePath;
     _env = {};
     _roleArn;
+    _roleBuilder;
     resolvedArn = null;
     constructor(name) {
         super(name);
@@ -64,8 +65,13 @@ export class LambdaBuilder extends BaseBuilder {
         this._timeout = seconds;
         return this;
     }
-    role(arn) {
-        this._roleArn = arn;
+    role(arnOrBuilder) {
+        if (typeof arnOrBuilder === "string") {
+            this._roleArn = arnOrBuilder;
+        }
+        else {
+            this._roleBuilder = arnOrBuilder;
+        }
         return this;
     }
     env(vars) {
@@ -73,6 +79,9 @@ export class LambdaBuilder extends BaseBuilder {
         return this;
     }
     async ensureRole() {
+        if (this._roleBuilder) {
+            return await this._roleBuilder.out.arn.get();
+        }
         if (this._roleArn)
             return this._roleArn;
         const roleName = `puls-lambda-${this.name}-role`;

package/dist/providers/aws/rds.d.ts

@@ -14,6 +14,7 @@ export declare class RDSBuilder extends BaseBuilder {
     resolvedPort: number | null;
     resolvedArn: string | null;
     constructor(name: string);
+    get dbInstanceIdentifier(): string;
     engine(e: {
         engine: string;
         version: string;

package/dist/providers/aws/rds.js

@@ -26,6 +26,9 @@ export class RDSBuilder extends BaseBuilder {
         super(name);
         this.discoveryPromise = this.discoverInstance(name);
     }
+    get dbInstanceIdentifier() {
+        return this.name;
+    }
     engine(e) {
         this._engine = e.engine;
         this._engineVersion = e.version;
@@ -74,7 +77,7 @@ export class RDSBuilder extends BaseBuilder {
             return instance;
         }
         catch (e) {
-            if (e.name === "DBInstanceNotFound")
+            if (e.name === "DBInstanceNotFound" || e.name === "DBInstanceNotFoundFault")
                 return null;
             if (e.name === "CredentialsProviderError")
                 return null;

package/dist/providers/aws/sns.d.ts

@@ -0,0 +1,22 @@
+import { BaseBuilder } from "../../core/resource.js";
+import { Output } from "../../core/output.js";
+export declare class SNSTopicBuilder extends BaseBuilder {
+    readonly out: {
+        arn: Output<string>;
+    };
+    private _displayName?;
+    private _subscriptions;
+    resolvedArn: string | null;
+    resolvedDisplayName: string | null;
+    constructor(name: string);
+    displayName(name: string): this;
+    subscribe(protocol: "email" | "sms" | "lambda" | "sqs" | "https", endpoint: string): this;
+    private discoverTopic;
+    deploy(): Promise<{
+        name: string;
+        arn: string | null;
+    }>;
+    destroy(): Promise<{
+        destroyed: string;
+    }>;
+}

package/dist/providers/aws/sns.js

@@ -0,0 +1,146 @@
+import { CreateTopicCommand, DeleteTopicCommand, GetTopicAttributesCommand, ListTopicsCommand, SetTopicAttributesCommand, SubscribeCommand, UnsubscribeCommand, ListSubscriptionsByTopicCommand, } from "@aws-sdk/client-sns";
+import { BaseBuilder } from "../../core/resource.js";
+import { Output } from "../../core/output.js";
+import { getSNSClient } from "./api.js";
+export class SNSTopicBuilder extends BaseBuilder {
+    out = {
+        arn: new Output(),
+    };
+    _displayName;
+    _subscriptions = [];
+    resolvedArn = null;
+    resolvedDisplayName = null;
+    constructor(name) {
+        super(name);
+        this.discoveryPromise = this.discoverTopic(name);
+    }
+    displayName(name) {
+        this._displayName = name;
+        return this;
+    }
+    subscribe(protocol, endpoint) {
+        this._subscriptions.push({ protocol, endpoint });
+        return this;
+    }
+    async discoverTopic(name) {
+        const sns = getSNSClient();
+        try {
+            let nextToken;
+            do {
+                const result = await sns.send(new ListTopicsCommand({ NextToken: nextToken }));
+                const match = (result.Topics ?? []).find((t) => t.TopicArn?.split(":").pop() === name);
+                if (match) {
+                    this.resolvedArn = match.TopicArn ?? null;
+                    if (this.resolvedArn) {
+                        this.out.arn.resolve(this.resolvedArn);
+                        try {
+                            const attrsResult = await sns.send(new GetTopicAttributesCommand({ TopicArn: this.resolvedArn }));
+                            this.resolvedDisplayName = attrsResult.Attributes?.DisplayName ?? null;
+                        }
+                        catch (err) {
+                            // Ignore attribute fetch errors (e.g. permission or not found)
+                        }
+                    }
+                    return match;
+                }
+                nextToken = result.NextToken;
+            } while (nextToken);
+            return null;
+        }
+        catch (e) {
+            if (e.name === "CredentialsProviderError")
+                return null;
+            throw e;
+        }
+    }
+    async deploy() {
+        const dryRun = this.isDryRunActive();
+        const existing = await this.discoveryPromise;
+        const sns = getSNSClient();
+        console.log(`\n📢 Finalizing SNS Topic "${this.name}"...`);
+        if (dryRun) {
+            console.log(`   📝 [PLAN] ${existing ? "Update" : "Create"} SNS topic "${this.name}"`);
+            if (this._displayName) {
+                console.log(`      └─ Display Name: ${this._displayName}`);
+            }
+            for (const sub of this._subscriptions) {
+                console.log(`      └─ Subscribe: ${sub.protocol} to ${sub.endpoint}`);
+            }
+            this.resolvedArn = existing?.TopicArn ?? `arn:aws:sns:us-east-1:000000000000:DRYRUN-${this.name}`;
+            this.out.arn.resolve(this.resolvedArn);
+            return { name: this.name, arn: this.resolvedArn };
+        }
+        const topicAttrs = {};
+        if (this._displayName) {
+            topicAttrs.DisplayName = this._displayName;
+        }
+        if (!existing) {
+            const result = await sns.send(new CreateTopicCommand({
+                Name: this.name,
+                Attributes: topicAttrs,
+            }));
+            this.resolvedArn = result.TopicArn;
+            this.out.arn.resolve(this.resolvedArn);
+            console.log(`🚀 Created SNS Topic "${this.name}" (arn=${this.resolvedArn})`);
+        }
+        else {
+            this.resolvedArn = existing.TopicArn;
+            this.out.arn.resolve(this.resolvedArn);
+            if (this._displayName && this._displayName !== this.resolvedDisplayName) {
+                await sns.send(new SetTopicAttributesCommand({
+                    TopicArn: this.resolvedArn,
+                    AttributeName: "DisplayName",
+                    AttributeValue: this._displayName,
+                }));
+                console.log(`   ✅ Updated SNS topic display name to "${this._displayName}"`);
+            }
+            else {
+                console.log(`   ✅ SNS topic "${this.name}" already exists`);
+            }
+        }
+        // Sync subscriptions
+        const activeSubsResult = await sns.send(new ListSubscriptionsByTopicCommand({ TopicArn: this.resolvedArn }));
+        const activeSubs = activeSubsResult.Subscriptions ?? [];
+        // 1. Unsubscribe stale subscriptions
+        for (const sub of activeSubs) {
+            if (!sub.SubscriptionArn || sub.SubscriptionArn === "PendingConfirmation")
+                continue;
+            const isStillWanted = this._subscriptions.some((s) => s.protocol === sub.Protocol && s.endpoint === sub.Endpoint);
+            if (!isStillWanted) {
+                await sns.send(new UnsubscribeCommand({ SubscriptionArn: sub.SubscriptionArn }));
+                console.log(`   🧹 Unsubscribed stale subscription: ${sub.Protocol} to ${sub.Endpoint}`);
+            }
+        }
+        // 2. Subscribe new subscriptions
+        for (const target of this._subscriptions) {
+            const alreadyExists = activeSubs.some((sub) => sub.Protocol === target.protocol && sub.Endpoint === target.endpoint);
+            if (!alreadyExists) {
+                await sns.send(new SubscribeCommand({
+                    TopicArn: this.resolvedArn,
+                    Protocol: target.protocol,
+                    Endpoint: target.endpoint,
+                }));
+                console.log(`   ➕ Subscribed: ${target.protocol} to ${target.endpoint}`);
+            }
+        }
+        await this.deploySidecars();
+        return { name: this.name, arn: this.resolvedArn };
+    }
+    async destroy() {
+        const dryRun = this.isDryRunActive();
+        const existing = await this.discoveryPromise;
+        console.log(`\n🗑️  Destroying SNS Topic "${this.name}"...`);
+        if (!existing) {
+            console.log(`   ✅ Topic "${this.name}" does not exist - nothing to do`);
+            return { destroyed: this.name };
+        }
+        if (dryRun) {
+            console.log(`   📝 [PLAN] Delete SNS Topic "${this.name}"`);
+            return { destroyed: this.name };
+        }
+        const sns = getSNSClient();
+        await sns.send(new DeleteTopicCommand({ TopicArn: this.resolvedArn }));
+        console.log(`   ✅ Deleted SNS Topic "${this.name}"`);
+        return { destroyed: this.name };
+    }
+}

package/dist/providers/aws/sns.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/providers/aws/sns.test.js

@@ -0,0 +1,162 @@
+import { test, describe, beforeEach, afterEach } from "node:test";
+import assert from "node:assert";
+import { SNSClient } from "@aws-sdk/client-sns";
+import { SNSTopicBuilder } from "./sns.js";
+import { Config } from "../../core/config.js";
+describe("SNSTopicBuilder Unit Tests", () => {
+    let originalSnsSend;
+    let snsCalls = [];
+    let mockSnsResponses = {};
+    beforeEach(() => {
+        Config.set({
+            dryRun: false,
+            providers: {
+                aws: { region: "us-east-1" },
+            },
+        });
+        snsCalls = [];
+        mockSnsResponses = {};
+        originalSnsSend = SNSClient.prototype.send;
+        SNSClient.prototype.send = async function (command) {
+            const commandName = command.constructor.name;
+            const input = command.input;
+            snsCalls.push({ commandName, input });
+            if (mockSnsResponses[commandName]) {
+                const handler = mockSnsResponses[commandName];
+                if (typeof handler === "function")
+                    return handler(input);
+                if (handler instanceof Error)
+                    throw handler;
+                return handler;
+            }
+            return {};
+        };
+    });
+    afterEach(() => {
+        SNSClient.prototype.send = originalSnsSend;
+    });
+    test("gracefully handles discovery when topic does not exist", async () => {
+        mockSnsResponses["ListTopicsCommand"] = { Topics: [] };
+        const builder = new SNSTopicBuilder("my-topic");
+        const discoveryResult = await builder.discoveryPromise;
+        assert.strictEqual(discoveryResult, null);
+        assert.ok(snsCalls.some((c) => c.commandName === "ListTopicsCommand"));
+    });
+    test("discovers existing topic by matching name", async () => {
+        mockSnsResponses["ListTopicsCommand"] = {
+            Topics: [{ TopicArn: "arn:aws:sns:us-east-1:123456789012:my-topic" }],
+        };
+        mockSnsResponses["GetTopicAttributesCommand"] = {
+            Attributes: { DisplayName: "My Friendly Topic" },
+        };
+        const builder = new SNSTopicBuilder("my-topic");
+        const discoveryResult = await builder.discoveryPromise;
+        assert.ok(discoveryResult);
+        assert.strictEqual(builder.resolvedArn, "arn:aws:sns:us-east-1:123456789012:my-topic");
+        assert.strictEqual(builder.resolvedDisplayName, "My Friendly Topic");
+        const resolvedArn = await builder.out.arn.get();
+        assert.strictEqual(resolvedArn, "arn:aws:sns:us-east-1:123456789012:my-topic");
+    });
+    test("creates a new topic with display name and subscriptions", async () => {
+        mockSnsResponses["ListTopicsCommand"] = { Topics: [] };
+        mockSnsResponses["CreateTopicCommand"] = {
+            TopicArn: "arn:aws:sns:us-east-1:123456789012:my-topic",
+        };
+        mockSnsResponses["ListSubscriptionsByTopicCommand"] = { Subscriptions: [] };
+        const builder = new SNSTopicBuilder("my-topic")
+            .displayName("Cool Alert")
+            .subscribe("email", "ops@company.com")
+            .subscribe("sms", "+15555555555");
+        const deployResult = await builder.deploy();
+        assert.strictEqual(deployResult.arn, "arn:aws:sns:us-east-1:123456789012:my-topic");
+        assert.strictEqual(builder.resolvedArn, "arn:aws:sns:us-east-1:123456789012:my-topic");
+        const createCall = snsCalls.find((c) => c.commandName === "CreateTopicCommand");
+        assert.ok(createCall);
+        assert.deepStrictEqual(createCall.input, {
+            Name: "my-topic",
+            Attributes: { DisplayName: "Cool Alert" },
+        });
+        const subscribeCalls = snsCalls.filter((c) => c.commandName === "SubscribeCommand");
+        assert.strictEqual(subscribeCalls.length, 2);
+        assert.deepStrictEqual(subscribeCalls[0].input, {
+            TopicArn: "arn:aws:sns:us-east-1:123456789012:my-topic",
+            Protocol: "email",
+            Endpoint: "ops@company.com",
+        });
+        assert.deepStrictEqual(subscribeCalls[1].input, {
+            TopicArn: "arn:aws:sns:us-east-1:123456789012:my-topic",
+            Protocol: "sms",
+            Endpoint: "+15555555555",
+        });
+    });
+    test("syncs subscriptions correctly - unsubscribes stale and skips active", async () => {
+        mockSnsResponses["ListTopicsCommand"] = {
+            Topics: [{ TopicArn: "arn:aws:sns:us-east-1:123456789012:my-topic" }],
+        };
+        mockSnsResponses["GetTopicAttributesCommand"] = {
+            Attributes: { DisplayName: "Cool Alert" },
+        };
+        mockSnsResponses["ListSubscriptionsByTopicCommand"] = {
+            Subscriptions: [
+                {
+                    SubscriptionArn: "arn:aws:sns:us-east-1:123456789012:my-topic:sub1",
+                    Protocol: "email",
+                    Endpoint: "keep-me@company.com",
+                    TopicArn: "arn:aws:sns:us-east-1:123456789012:my-topic",
+                },
+                {
+                    SubscriptionArn: "arn:aws:sns:us-east-1:123456789012:my-topic:sub2",
+                    Protocol: "email",
+                    Endpoint: "delete-me@company.com",
+                    TopicArn: "arn:aws:sns:us-east-1:123456789012:my-topic",
+                },
+            ],
+        };
+        const builder = new SNSTopicBuilder("my-topic")
+            .displayName("Cool Alert")
+            .subscribe("email", "keep-me@company.com")
+            .subscribe("sms", "+19999999999");
+        await builder.deploy();
+        // Verify unsubscribe was called for stale one
+        const unsubscribeCall = snsCalls.find((c) => c.commandName === "UnsubscribeCommand");
+        assert.ok(unsubscribeCall);
+        assert.strictEqual(unsubscribeCall.input.SubscriptionArn, "arn:aws:sns:us-east-1:123456789012:my-topic:sub2");
+        // Verify subscribe was called for the new sms one, but NOT for keep-me@company.com
+        const subscribeCalls = snsCalls.filter((c) => c.commandName === "SubscribeCommand");
+        assert.strictEqual(subscribeCalls.length, 1);
+        assert.deepStrictEqual(subscribeCalls[0].input, {
+            TopicArn: "arn:aws:sns:us-east-1:123456789012:my-topic",
+            Protocol: "sms",
+            Endpoint: "+19999999999",
+        });
+    });
+    test("destroys an existing topic successfully", async () => {
+        mockSnsResponses["ListTopicsCommand"] = {
+            Topics: [{ TopicArn: "arn:aws:sns:us-east-1:123456789012:my-topic" }],
+        };
+        const builder = new SNSTopicBuilder("my-topic");
+        await builder.discoveryPromise;
+        const destroyResult = await builder.destroy();
+        assert.deepStrictEqual(destroyResult, { destroyed: "my-topic" });
+        const deleteCall = snsCalls.find((c) => c.commandName === "DeleteTopicCommand");
+        assert.ok(deleteCall);
+        assert.strictEqual(deleteCall.input.TopicArn, "arn:aws:sns:us-east-1:123456789012:my-topic");
+    });
+    test("runs in dry run mode safely", async () => {
+        Config.set({
+            dryRun: true,
+            providers: {
+                aws: { region: "us-east-1" },
+            },
+        });
+        mockSnsResponses["ListTopicsCommand"] = { Topics: [] };
+        const builder = new SNSTopicBuilder("my-topic")
+            .displayName("Cool Alert")
+            .subscribe("email", "ops@company.com");
+        const deployResult = await builder.deploy();
+        assert.ok(deployResult.arn.includes("DRYRUN"));
+        // No create topic or subscribe commands should be called in real mode
+        assert.ok(!snsCalls.some((c) => c.commandName === "CreateTopicCommand"));
+        assert.ok(!snsCalls.some((c) => c.commandName === "SubscribeCommand"));
+    });
+});

package/dist/providers/firebase/appcheck.d.ts

@@ -0,0 +1,15 @@
+import { BaseBuilder } from "../../core/resource.js";
+export declare class FirebaseAppCheckBuilder extends BaseBuilder {
+    private _configs;
+    constructor();
+    enforce(serviceName: string): this;
+    unenforced(serviceName: string): this;
+    off(serviceName: string): this;
+    mode(serviceName: string, mode: "ENFORCED" | "UNENFORCED" | "OFF"): this;
+    deploy(): Promise<{
+        project: string;
+    }>;
+    destroy(): Promise<{
+        destroyed: string;
+    }>;
+}

package/dist/providers/firebase/appcheck.js

@@ -0,0 +1,109 @@
+import { BaseBuilder } from "../../core/resource.js";
+import { cloudFetch, getProjectId } from "./api.js";
+const APP_CHECK_BASE = "https://firebaseappcheck.googleapis.com";
+const SERVICE_IDS = {
+    firestore: "firestore.googleapis.com",
+    storage: "firebasestorage.googleapis.com",
+    database: "firebasedatabase.googleapis.com",
+    auth: "identitytoolkit.googleapis.com",
+};
+function resolveServiceId(name) {
+    return SERVICE_IDS[name.toLowerCase()] ?? name;
+}
+export class FirebaseAppCheckBuilder extends BaseBuilder {
+    _configs = new Map();
+    constructor() {
+        super("appcheck");
+        this.discoveryPromise = Promise.resolve(null);
+    }
+    enforce(serviceName) {
+        this._configs.set(resolveServiceId(serviceName), "ENFORCED");
+        return this;
+    }
+    unenforced(serviceName) {
+        this._configs.set(resolveServiceId(serviceName), "UNENFORCED");
+        return this;
+    }
+    off(serviceName) {
+        this._configs.set(resolveServiceId(serviceName), "OFF");
+        return this;
+    }
+    mode(serviceName, mode) {
+        this._configs.set(resolveServiceId(serviceName), mode);
+        return this;
+    }
+    async deploy() {
+        const dryRun = this.isDryRunActive();
+        const project = getProjectId();
+        console.log(`\n🛡️  Finalizing Firebase App Check...`);
+        if (dryRun) {
+            console.log(`   📝 [PLAN] Configure App Check enforcement modes:`);
+            for (const [serviceId, mode] of this._configs.entries()) {
+                console.log(`      └─ ${serviceId}: ${mode}`);
+            }
+            return { project };
+        }
+        // 1. Fetch current status of each configured service
+        const existingConfigs = {};
+        for (const serviceId of this._configs.keys()) {
+            try {
+                const data = await cloudFetch(APP_CHECK_BASE, `/v1/projects/${project}/services/${serviceId}`);
+                existingConfigs[serviceId] = data.enforcementMode ?? "OFF";
+            }
+            catch (err) {
+                // If not found or not registered yet, default to OFF
+                existingConfigs[serviceId] = "OFF";
+            }
+        }
+        // 2. Patch services whose modes have changed
+        for (const [serviceId, mode] of this._configs.entries()) {
+            const existingMode = existingConfigs[serviceId] ?? "OFF";
+            if (existingMode !== mode) {
+                console.log(`   🔄 Updating App Check service "${serviceId}": ${existingMode} → ${mode}`);
+                await cloudFetch(APP_CHECK_BASE, `/v1/projects/${project}/services/${serviceId}?updateMask=enforcementMode`, {
+                    method: "PATCH",
+                    body: JSON.stringify({
+                        name: `projects/${project}/services/${serviceId}`,
+                        enforcementMode: mode,
+                    }),
+                });
+                console.log(`   ✅ App Check service "${serviceId}" updated to ${mode}`);
+            }
+            else {
+                console.log(`   ✅ App Check service "${serviceId}" already set to ${mode}`);
+            }
+        }
+        await this.deploySidecars();
+        return { project };
+    }
+    async destroy() {
+        const dryRun = this.isDryRunActive();
+        const project = getProjectId();
+        console.log(`\n🗑️  Destroying Firebase App Check...`);
+        console.log(`   ℹ️  Reverting all configured services to OFF enforcement mode`);
+        if (dryRun) {
+            for (const serviceId of this._configs.keys()) {
+                console.log(`   📝 [PLAN] Revert ${serviceId} App Check to OFF`);
+            }
+            return { destroyed: "appcheck" };
+        }
+        for (const serviceId of this._configs.keys()) {
+            try {
+                console.log(`   🔄 Reverting App Check service "${serviceId}" to OFF...`);
+                await cloudFetch(APP_CHECK_BASE, `/v1/projects/${project}/services/${serviceId}?updateMask=enforcementMode`, {
+                    method: "PATCH",
+                    body: JSON.stringify({
+                        name: `projects/${project}/services/${serviceId}`,
+                        enforcementMode: "OFF",
+                    }),
+                });
+                console.log(`   ✅ App Check service "${serviceId}" reverted to OFF`);
+            }
+            catch (err) {
+                // Log error and continue teardown silently
+            }
+        }
+        await this.destroySidecars();
+        return { destroyed: "appcheck" };
+    }
+}

package/dist/providers/firebase/appcheck.test.d.ts

@@ -0,0 +1 @@
+export {};