puls-dev 0.2.0 → 0.2.2

package/dist/providers/firebase/appcheck.test.js

@@ -0,0 +1,141 @@
+import { test, describe, beforeEach, afterEach, mock } from "node:test";
+import assert from "node:assert";
+import { GoogleAuth } from "google-auth-library";
+import { FirebaseAppCheckBuilder } from "./appcheck.js";
+import { Config } from "../../core/config.js";
+describe("FirebaseAppCheckBuilder Unit Tests", () => {
+    let originalFetch;
+    let fetchCalls = [];
+    let mockResponses = {};
+    beforeEach(() => {
+        Config.set({
+            dryRun: false,
+            providers: {
+                firebase: {
+                    projectId: "my-project",
+                    serviceAccountPath: "/fake/sa.json",
+                },
+            },
+        });
+        originalFetch = globalThis.fetch;
+        fetchCalls = [];
+        mockResponses = {};
+        globalThis.fetch = async (input, init) => {
+            const url = String(input);
+            const method = init?.method ?? "GET";
+            let body;
+            if (init?.body) {
+                if (typeof init.body === "string") {
+                    try {
+                        body = JSON.parse(init.body);
+                    }
+                    catch {
+                        body = init.body;
+                    }
+                }
+                else {
+                    body = "[Binary/Buffer Body]";
+                }
+            }
+            const headers = init?.headers;
+            fetchCalls.push({ url, method, body, headers });
+            const matchKey = Object.keys(mockResponses)
+                .filter((key) => {
+                const [mMethod, mPath] = key.split(" ");
+                return method === mMethod && url.includes(mPath);
+            })
+                .sort((a, b) => b.split(" ")[1].length - a.split(" ")[1].length)[0];
+            if (matchKey) {
+                const resp = mockResponses[matchKey];
+                return {
+                    ok: resp.status >= 200 && resp.status < 300,
+                    status: resp.status,
+                    json: async () => resp.body,
+                    text: async () => JSON.stringify(resp.body),
+                };
+            }
+            return {
+                ok: false,
+                status: 404,
+                json: async () => ({ message: `Endpoint not mocked: ${method} ${url}` }),
+                text: async () => `Endpoint not mocked: ${method} ${url}`,
+            };
+        };
+        mock.method(GoogleAuth.prototype, "getClient", async () => {
+            return {
+                getAccessToken: async () => ({ token: "fake-access-token" }),
+            };
+        });
+    });
+    afterEach(() => {
+        globalThis.fetch = originalFetch;
+        mock.restoreAll();
+    });
+    test("runs in dry-run mode safely and logs plans", async () => {
+        Config.set({
+            dryRun: true,
+            providers: {
+                firebase: {
+                    projectId: "my-project",
+                    serviceAccountPath: "/fake/sa.json",
+                },
+            },
+        });
+        const builder = new FirebaseAppCheckBuilder()
+            .enforce("firestore")
+            .unenforced("storage")
+            .off("auth");
+        const deployResult = await builder.deploy();
+        assert.strictEqual(deployResult.project, "my-project");
+        assert.strictEqual(fetchCalls.length, 0); // zero write calls
+    });
+    test("syncs App Check services idempotently - updates changed and skips identical", async () => {
+        // 1. Mock GET calls returning existing statuses:
+        // firestore is currently OFF (needs to be ENFORCED)
+        // storage is currently UNENFORCED (needs to be UNENFORCED - should skip)
+        mockResponses["GET /services/firestore.googleapis.com"] = {
+            status: 200,
+            body: { name: "projects/my-project/services/firestore.googleapis.com", enforcementMode: "OFF" },
+        };
+        mockResponses["GET /services/firebasestorage.googleapis.com"] = {
+            status: 200,
+            body: { name: "projects/my-project/services/firebasestorage.googleapis.com", enforcementMode: "UNENFORCED" },
+        };
+        // 2. Mock PATCH calls
+        mockResponses["PATCH /services/firestore.googleapis.com"] = {
+            status: 200,
+            body: { name: "projects/my-project/services/firestore.googleapis.com", enforcementMode: "ENFORCED" },
+        };
+        const builder = new FirebaseAppCheckBuilder()
+            .enforce("firestore")
+            .unenforced("storage");
+        const deployResult = await builder.deploy();
+        assert.strictEqual(deployResult.project, "my-project");
+        // We should have exactly 2 GET calls and 1 PATCH call
+        const patchCalls = fetchCalls.filter((c) => c.method === "PATCH");
+        assert.strictEqual(patchCalls.length, 1);
+        assert.strictEqual(patchCalls[0].url.includes("/services/firestore.googleapis.com"), true);
+        assert.strictEqual(patchCalls[0].body.enforcementMode, "ENFORCED");
+    });
+    test("destroys App Check configuration by reverting all configured services to OFF", async () => {
+        // Mock PATCH calls returning OFF
+        mockResponses["PATCH /services/firestore.googleapis.com"] = {
+            status: 200,
+            body: { name: "projects/my-project/services/firestore.googleapis.com", enforcementMode: "OFF" },
+        };
+        mockResponses["PATCH /services/firebasestorage.googleapis.com"] = {
+            status: 200,
+            body: { name: "projects/my-project/services/firebasestorage.googleapis.com", enforcementMode: "OFF" },
+        };
+        const builder = new FirebaseAppCheckBuilder()
+            .enforce("firestore")
+            .unenforced("storage");
+        const destroyResult = await builder.destroy();
+        assert.deepStrictEqual(destroyResult, { destroyed: "appcheck" });
+        // Verify both services were patched to OFF
+        const patchCalls = fetchCalls.filter((c) => c.method === "PATCH");
+        assert.strictEqual(patchCalls.length, 2);
+        assert.strictEqual(patchCalls.some((c) => c.url.includes("/services/firestore.googleapis.com") && c.body.enforcementMode === "OFF"), true);
+        assert.strictEqual(patchCalls.some((c) => c.url.includes("/services/firebasestorage.googleapis.com") && c.body.enforcementMode === "OFF"), true);
+    });
+});

package/dist/providers/firebase/index.d.ts

@@ -4,6 +4,7 @@ import { FirebaseFirestoreBuilder } from './firestore.js';
 import { FirebaseStorageBuilder } from './storage.js';
 import { FirebaseAuthBuilder } from './auth.js';
 import { FirebaseRemoteConfigBuilder } from './remoteconfig.js';
+import { FirebaseAppCheckBuilder } from './appcheck.js';
 export { FUNCTIONS_RUNTIME };
 export declare const Firebase: {
     Hosting: (siteId: string) => FirebaseHostingBuilder;
@@ -12,4 +13,5 @@ export declare const Firebase: {
     Storage: (bucket?: string) => FirebaseStorageBuilder;
     Auth: () => FirebaseAuthBuilder;
     RemoteConfig: () => FirebaseRemoteConfigBuilder;
+    AppCheck: () => FirebaseAppCheckBuilder;
 };

package/dist/providers/firebase/index.js

@@ -4,6 +4,7 @@ import { FirebaseFirestoreBuilder } from './firestore.js';
 import { FirebaseStorageBuilder } from './storage.js';
 import { FirebaseAuthBuilder } from './auth.js';
 import { FirebaseRemoteConfigBuilder } from './remoteconfig.js';
+import { FirebaseAppCheckBuilder } from './appcheck.js';
 export { FUNCTIONS_RUNTIME };
 export const Firebase = {
     Hosting: (siteId) => new FirebaseHostingBuilder(siteId),
@@ -12,4 +13,5 @@ export const Firebase = {
     Storage: (bucket) => new FirebaseStorageBuilder(bucket),
     Auth: () => new FirebaseAuthBuilder(),
     RemoteConfig: () => new FirebaseRemoteConfigBuilder(),
+    AppCheck: () => new FirebaseAppCheckBuilder(),
 };

package/dist/providers/gcp/api.d.ts

@@ -0,0 +1,10 @@
+export interface GCPConfig {
+    projectId: string;
+    serviceAccountPath: string;
+    region?: string;
+}
+export declare function resolveGCPConfig(): GCPConfig;
+export declare function getProjectId(): string;
+export declare function getRegion(): string;
+export declare function getGCPToken(scopes: string[]): Promise<string>;
+export declare function gcpFetch(base: string, path: string, opts?: RequestInit): Promise<any>;

package/dist/providers/gcp/api.js

@@ -0,0 +1,111 @@
+import fs from 'node:fs';
+import { GoogleAuth } from 'google-auth-library';
+import { Config } from '../../core/config.js';
+export function resolveGCPConfig() {
+    // 1. Check Config.providers.gcp
+    const gcpCfg = Config.get().providers.gcp;
+    if (gcpCfg?.serviceAccountPath) {
+        if (gcpCfg.projectId) {
+            return {
+                projectId: gcpCfg.projectId,
+                serviceAccountPath: gcpCfg.serviceAccountPath,
+                region: gcpCfg.region,
+            };
+        }
+        try {
+            const sa = JSON.parse(fs.readFileSync(gcpCfg.serviceAccountPath, 'utf8'));
+            return {
+                projectId: sa.project_id,
+                serviceAccountPath: gcpCfg.serviceAccountPath,
+                region: gcpCfg.region,
+            };
+        }
+        catch (e) {
+            // Continue to next fallback
+        }
+    }
+    // 2. Fallback to Config.providers.firebase
+    const fbCfg = Config.get().providers.firebase;
+    if (fbCfg?.serviceAccountPath) {
+        if (fbCfg.projectId) {
+            return {
+                projectId: fbCfg.projectId,
+                serviceAccountPath: fbCfg.serviceAccountPath,
+            };
+        }
+        try {
+            const sa = JSON.parse(fs.readFileSync(fbCfg.serviceAccountPath, 'utf8'));
+            return {
+                projectId: sa.project_id,
+                serviceAccountPath: fbCfg.serviceAccountPath,
+            };
+        }
+        catch (e) {
+            // Continue to next fallback
+        }
+    }
+    // 3. Fallback to process.env.GCP_SA
+    const gcpSa = process.env.GCP_SA;
+    if (gcpSa && fs.existsSync(gcpSa)) {
+        try {
+            const sa = JSON.parse(fs.readFileSync(gcpSa, 'utf8'));
+            return {
+                projectId: sa.project_id,
+                serviceAccountPath: gcpSa,
+            };
+        }
+        catch (e) {
+            // Continue to next fallback
+        }
+    }
+    // 4. Fallback to process.env.FIREBASE_SA
+    const fbSa = process.env.FIREBASE_SA;
+    if (fbSa && fs.existsSync(fbSa)) {
+        try {
+            const sa = JSON.parse(fs.readFileSync(fbSa, 'utf8'));
+            return {
+                projectId: sa.project_id,
+                serviceAccountPath: fbSa,
+            };
+        }
+        catch (e) {
+            // Continue to next fallback
+        }
+    }
+    throw new Error('GCP credentials not configured. Please set GCP_SA or FIREBASE_SA env var, or configure providers.gcp or providers.firebase in Config.');
+}
+export function getProjectId() {
+    return resolveGCPConfig().projectId;
+}
+export function getRegion() {
+    const gcpCfg = Config.get().providers.gcp;
+    return gcpCfg?.region ?? 'us-central1';
+}
+export async function getGCPToken(scopes) {
+    const { serviceAccountPath } = resolveGCPConfig();
+    const auth = new GoogleAuth({ keyFile: serviceAccountPath, scopes });
+    const client = await auth.getClient();
+    const token = await client.getAccessToken();
+    if (!token.token) {
+        throw new Error('Failed to retrieve GCP access token');
+    }
+    return token.token;
+}
+const CLOUD_SCOPE = 'https://www.googleapis.com/auth/cloud-platform';
+export async function gcpFetch(base, path, opts = {}) {
+    const token = await getGCPToken([CLOUD_SCOPE]);
+    const res = await fetch(`${base}${path}`, {
+        ...opts,
+        headers: {
+            'Authorization': `Bearer ${token}`,
+            'Content-Type': 'application/json',
+            ...(opts.headers ?? {}),
+        },
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`GCP API ${opts.method ?? 'GET'} ${path} → ${res.status}: ${body}`);
+    }
+    const text = await res.text();
+    return text ? JSON.parse(text) : null;
+}

package/dist/providers/gcp/clouddns.d.ts

@@ -0,0 +1,37 @@
+import { BaseBuilder } from "../../core/resource.js";
+import { Output } from "../../core/output.js";
+export interface GCPDNSRecord {
+    name: string;
+    type: string;
+    value: any;
+    ttl: number;
+}
+export declare class GCPCloudDNSZoneBuilder extends BaseBuilder {
+    zoneName: string;
+    readonly out: {
+        zone: Output<{
+            name: string;
+            id: string;
+        }>;
+    };
+    cleanZoneName: string;
+    zoneId: string;
+    private records;
+    constructor(zoneName: string);
+    private discoverZone;
+    record(name: string, type: "A" | "AAAA" | "CNAME" | "MX" | "TXT" | "NS" | "PTR" | "SRV" | "CAA" | "SPF", value: string, ttl?: number): this;
+    pointer(name: string, target: BaseBuilder | Output<string> | string): this;
+    deploy(): Promise<{
+        zone: string;
+        id: string;
+        records: {
+            name: string;
+            type: string;
+            ttl: number;
+            rrdatas: string[];
+        }[];
+    }>;
+    destroy(): Promise<{
+        destroyed: string;
+    }>;
+}

package/dist/providers/gcp/clouddns.js

@@ -0,0 +1,284 @@
+import { BaseBuilder } from "../../core/resource.js";
+import { Output } from "../../core/output.js";
+import { gcpFetch, getProjectId } from "./api.js";
+const DNS_BASE = "https://dns.googleapis.com";
+function cleanZoneId(domain) {
+    return domain
+        .toLowerCase()
+        .replace(/[^a-z0-9]/g, "-")
+        .replace(/-+/g, "-")
+        .replace(/^-|-$/g, "");
+}
+function formatRecordName(name, zoneDnsName) {
+    const cleanZone = zoneDnsName.endsWith(".") ? zoneDnsName : `${zoneDnsName}.`;
+    if (!name || name === "@") {
+        return cleanZone;
+    }
+    if (name.endsWith(cleanZone)) {
+        return name;
+    }
+    if (name.endsWith(cleanZone.slice(0, -1))) {
+        return `${name}.`;
+    }
+    const cleanName = name.endsWith(".") ? name.slice(0, -1) : name;
+    return `${cleanName}.${cleanZone}`;
+}
+export class GCPCloudDNSZoneBuilder extends BaseBuilder {
+    zoneName;
+    out = {
+        zone: new Output(),
+    };
+    cleanZoneName;
+    zoneId;
+    records = [];
+    constructor(zoneName) {
+        super(zoneName);
+        this.zoneName = zoneName;
+        const clean = zoneName.toLowerCase();
+        this.cleanZoneName = clean.endsWith(".") ? clean : `${clean}.`;
+        this.zoneId = cleanZoneId(zoneName);
+        this.discoveryPromise = this.discoverZone();
+    }
+    async discoverZone() {
+        try {
+            const project = getProjectId();
+            const zone = await gcpFetch(DNS_BASE, `/dns/v1/projects/${project}/managedZones/${this.zoneId}`);
+            if (zone) {
+                this.out.zone.resolve({ name: this.zoneName, id: this.zoneId });
+            }
+            return zone;
+        }
+        catch (e) {
+            if (e.message?.includes("404") ||
+                e.message?.includes("403") ||
+                e.message?.includes("credentials not configured")) {
+                return null;
+            }
+            throw e;
+        }
+    }
+    record(name, type, value, ttl = 300) {
+        this.records.push({ name, type, value, ttl });
+        return this;
+    }
+    pointer(name, target) {
+        this.records.push({ name, type: "A", value: target, ttl: 300 });
+        return this;
+    }
+    async deploy() {
+        const dryRun = this.isDryRunActive();
+        const project = getProjectId();
+        const existing = await this.discoveryPromise;
+        console.log(`\n🗺️  Finalizing GCP Cloud DNS Zone "${this.zoneId}"...`);
+        if (!existing) {
+            if (dryRun) {
+                console.log(`   📝 [PLAN] Create managed zone "${this.zoneId}" (dnsName: ${this.cleanZoneName})`);
+            }
+            else {
+                await gcpFetch(DNS_BASE, `/dns/v1/projects/${project}/managedZones`, {
+                    method: "POST",
+                    body: JSON.stringify({
+                        name: this.zoneId,
+                        dnsName: this.cleanZoneName,
+                        description: "Managed by Puls",
+                        visibility: "public",
+                    }),
+                });
+                console.log(`🚀 Created managed zone "${this.zoneId}" (dnsName: ${this.cleanZoneName})`);
+            }
+        }
+        else {
+            console.log(`   ✅ Managed zone "${this.zoneId}" exists`);
+        }
+        this.out.zone.resolve({ name: this.zoneName, id: this.zoneId });
+        // 1. Resolve values of all records
+        const resolvedRecords = [];
+        for (const r of this.records) {
+            let data;
+            let type = r.type;
+            if (r.value instanceof Output) {
+                data = await r.value.get();
+            }
+            else if (typeof r.value === "object" && r.value !== null) {
+                const targetObj = r.value;
+                let targetVal = null;
+                if ("url" in targetObj && typeof targetObj.url === "string") {
+                    targetVal = targetObj.url;
+                }
+                else if ("resolvedUrl" in targetObj && typeof targetObj.resolvedUrl === "string") {
+                    targetVal = targetObj.resolvedUrl;
+                }
+                else if (typeof targetObj.getPublicIp === "function") {
+                    targetVal = await targetObj.getPublicIp();
+                }
+                else if ("resolvedIp" in targetObj && typeof targetObj.resolvedIp === "string") {
+                    targetVal = targetObj.resolvedIp;
+                }
+                else if ("ip" in targetObj && typeof targetObj.ip === "string") {
+                    targetVal = targetObj.ip;
+                }
+                else if (typeof targetObj.deploy === "function") {
+                    const deployRes = await targetObj.deploy();
+                    if (deployRes && typeof deployRes === "object") {
+                        targetVal = deployRes.url ?? deployRes.ip ?? deployRes.publicIp ?? null;
+                    }
+                }
+                data = targetVal ?? `[alias: ${targetObj.name ?? "unknown"}]`;
+            }
+            else {
+                data = r.value;
+            }
+            // Convert HTTP/HTTPS target urls for CNAME conversion
+            if (data.startsWith("http://") || data.startsWith("https://")) {
+                data = data.replace(/^https?:\/\//, "").split("/")[0].split(":")[0];
+                if (type === "A") {
+                    type = "CNAME";
+                }
+            }
+            // Automatically append trailing dot to CNAME, MX, NS targets if they don't have one and are not IPs
+            const isIp = /^[0-9.]+$/.test(data) || data.includes(":");
+            if ((type === "CNAME" || type === "MX" || type === "NS") && !isIp && !data.endsWith(".")) {
+                data = `${data}.`;
+            }
+            // Auto-quote TXT/SPF values
+            if ((type === "TXT" || type === "SPF") && !data.startsWith('"')) {
+                data = `"${data}"`;
+            }
+            resolvedRecords.push({
+                name: formatRecordName(r.name, this.cleanZoneName),
+                type,
+                value: data,
+                ttl: r.ttl ?? 300,
+            });
+        }
+        // 2. Group resolved records by name:type to form ResourceRecordSets
+        const declaredRrsetsMap = new Map();
+        for (const r of resolvedRecords) {
+            const key = `${r.name}:${r.type}`;
+            const existingRrset = declaredRrsetsMap.get(key);
+            if (existingRrset) {
+                if (!existingRrset.rrdatas.includes(r.value)) {
+                    existingRrset.rrdatas.push(r.value);
+                }
+                // Keep the minimum TTL or default
+                existingRrset.ttl = Math.min(existingRrset.ttl, r.ttl);
+            }
+            else {
+                declaredRrsetsMap.set(key, {
+                    name: r.name,
+                    type: r.type,
+                    ttl: r.ttl,
+                    rrdatas: [r.value],
+                });
+            }
+        }
+        // Sort rrdatas of declared sets to enable stable comparison
+        for (const rrset of declaredRrsetsMap.values()) {
+            rrset.rrdatas.sort();
+        }
+        // 3. Fetch existing rrsets from the zone
+        let existingRrsets = [];
+        if (existing) {
+            try {
+                const res = await gcpFetch(DNS_BASE, `/dns/v1/projects/${project}/managedZones/${this.zoneId}/rrsets`);
+                existingRrsets = res.rrsets ?? [];
+            }
+            catch (err) {
+                existingRrsets = [];
+            }
+        }
+        const existingRrsetsMap = new Map();
+        for (const r of existingRrsets) {
+            existingRrsetsMap.set(`${r.name}:${r.type}`, r);
+        }
+        const additions = [];
+        const deletions = [];
+        // 4. Compute additions and deletions transactionally
+        for (const [key, dec] of declaredRrsetsMap.entries()) {
+            const ext = existingRrsetsMap.get(key);
+            if (!ext) {
+                // Brand new record set
+                additions.push(dec);
+                console.log(`   📝 [PLAN] Create ${dec.type} record: ${dec.name} → ${JSON.stringify(dec.rrdatas)} (TTL: ${dec.ttl})`);
+            }
+            else {
+                const sortedExtRrdatas = [...(ext.rrdatas ?? [])].sort();
+                const rrdatasMatch = JSON.stringify(sortedExtRrdatas) === JSON.stringify(dec.rrdatas);
+                const ttlMatch = ext.ttl === dec.ttl;
+                if (rrdatasMatch && ttlMatch) {
+                    console.log(`   ✅ ${dec.type} record ${dec.name} is up to date`);
+                }
+                else {
+                    // Transactional modification: delete old and add new
+                    deletions.push(ext);
+                    additions.push(dec);
+                    console.log(`   📝 [PLAN] Update ${dec.type} record: ${dec.name} → ${JSON.stringify(dec.rrdatas)} (was ${JSON.stringify(ext.rrdatas)})`);
+                }
+            }
+        }
+        // 5. Submit transactional change if any additions or deletions
+        if ((additions.length > 0 || deletions.length > 0) && !dryRun) {
+            await gcpFetch(DNS_BASE, `/dns/v1/projects/${project}/managedZones/${this.zoneId}/changes`, {
+                method: "POST",
+                body: JSON.stringify({
+                    additions,
+                    deletions,
+                }),
+            });
+            console.log(`   🔄 Submitted transactional record updates to zone "${this.zoneId}"`);
+        }
+        await this.deploySidecars();
+        return {
+            zone: this.zoneName,
+            id: this.zoneId,
+            records: Array.from(declaredRrsetsMap.values()),
+        };
+    }
+    async destroy() {
+        const dryRun = this.isDryRunActive();
+        const project = getProjectId();
+        const zoneId = this.zoneId;
+        console.log(`\n🗑️  Destroying GCP Cloud DNS Zone "${zoneId}"...`);
+        const existing = await this.discoverZone();
+        if (!existing) {
+            console.log(`   ✅ Zone "${zoneId}" does not exist - nothing to do.`);
+            return { destroyed: zoneId };
+        }
+        if (dryRun) {
+            console.log(`   📝 [PLAN] Delete managed zone "${zoneId}"`);
+            return { destroyed: zoneId };
+        }
+        // 1. Fetch existing rrsets to clear non-default records
+        let existingRrsets = [];
+        try {
+            const res = await gcpFetch(DNS_BASE, `/dns/v1/projects/${project}/managedZones/${zoneId}/rrsets`);
+            existingRrsets = res.rrsets ?? [];
+        }
+        catch {
+            // If fetching fails, we'll try to delete anyway
+        }
+        // 2. Filter out default apex NS and SOA records
+        const deletableRrsets = existingRrsets.filter((r) => {
+            const isApex = r.name === this.cleanZoneName;
+            const isDefaultType = r.type === "NS" || r.type === "SOA";
+            return !(isApex && isDefaultType);
+        });
+        // 3. Delete non-default records transactionally
+        if (deletableRrsets.length > 0) {
+            console.log(`   🔄 Deleting ${deletableRrsets.length} non-default records...`);
+            await gcpFetch(DNS_BASE, `/dns/v1/projects/${project}/managedZones/${zoneId}/changes`, {
+                method: "POST",
+                body: JSON.stringify({
+                    deletions: deletableRrsets,
+                }),
+            });
+        }
+        // 4. Delete the managed zone
+        await gcpFetch(DNS_BASE, `/dns/v1/projects/${project}/managedZones/${zoneId}`, {
+            method: "DELETE",
+        });
+        console.log(`   ✅ Managed zone "${zoneId}" deleted.`);
+        await this.destroySidecars();
+        return { destroyed: zoneId };
+    }
+}

package/dist/providers/gcp/clouddns.test.d.ts

@@ -0,0 +1 @@
+export {};