puls-dev 0.2.0 → 0.2.2

package/dist/providers/gcp/iam.test.js

@@ -0,0 +1,305 @@
+import { test, describe, beforeEach, afterEach, mock } from "node:test";
+import assert from "node:assert";
+import { GoogleAuth } from "google-auth-library";
+import { GCPServiceAccountBuilder, GCPIAMBindingBuilder } from "./iam.js";
+import { Config } from "../../core/config.js";
+import { Output } from "../../core/output.js";
+describe("GCP IAM Builders Unit Tests", () => {
+    let originalFetch;
+    let fetchCalls = [];
+    let mockResponses = {};
+    beforeEach(() => {
+        Config.set({
+            dryRun: false,
+            providers: {
+                gcp: {
+                    projectId: "my-gcp-project",
+                    serviceAccountPath: "/fake/sa.json",
+                    region: "us-central1",
+                },
+            },
+        });
+        originalFetch = globalThis.fetch;
+        fetchCalls = [];
+        mockResponses = {};
+        globalThis.fetch = async (input, init) => {
+            const url = String(input);
+            const method = init?.method ?? "GET";
+            let body;
+            if (init?.body) {
+                if (typeof init.body === "string") {
+                    try {
+                        body = JSON.parse(init.body);
+                    }
+                    catch {
+                        body = init.body;
+                    }
+                }
+                else {
+                    body = "[Binary/Buffer Body]";
+                }
+            }
+            const headers = init?.headers;
+            fetchCalls.push({ url, method, body, headers });
+            const matchKey = Object.keys(mockResponses)
+                .filter((key) => {
+                const [mMethod, mPath] = key.split(" ");
+                return method === mMethod && url.includes(mPath);
+            })
+                .sort((a, b) => b.split(" ")[1].length - a.split(" ")[1].length)[0];
+            if (matchKey) {
+                const resp = mockResponses[matchKey];
+                return {
+                    ok: resp.status >= 200 && resp.status < 300,
+                    status: resp.status,
+                    json: async () => resp.body,
+                    text: async () => JSON.stringify(resp.body),
+                };
+            }
+            return {
+                ok: false,
+                status: 404,
+                json: async () => ({ error: { message: `Endpoint not mocked: ${method} ${url}` } }),
+                text: async () => `Endpoint not mocked: ${method} ${url}`,
+            };
+        };
+        mock.method(GoogleAuth.prototype, "getClient", async () => {
+            return {
+                getAccessToken: async () => ({ token: "fake-gcp-token" }),
+            };
+        });
+    });
+    afterEach(() => {
+        globalThis.fetch = originalFetch;
+        mock.restoreAll();
+    });
+    describe("GCPServiceAccountBuilder Tests", () => {
+        test("generates email address correctly", () => {
+            const builder = new GCPServiceAccountBuilder("custom-sa");
+            assert.strictEqual(builder.email, "custom-sa@my-gcp-project.iam.gserviceaccount.com");
+        });
+        test("runs in dry-run mode safely without making API calls", async () => {
+            Config.set({
+                dryRun: true,
+                providers: {
+                    gcp: {
+                        projectId: "my-gcp-project",
+                        serviceAccountPath: "/fake/sa.json",
+                    },
+                },
+            });
+            mockResponses["GET /serviceAccounts/custom-sa@my-gcp-project.iam.gserviceaccount.com"] = {
+                status: 404,
+                body: {},
+            };
+            const builder = new GCPServiceAccountBuilder("custom-sa")
+                .displayName("Custom Display Name")
+                .description("Custom Description");
+            const result = await builder.deploy();
+            assert.strictEqual(result.email, "custom-sa@my-gcp-project.iam.gserviceaccount.com");
+            const writeCalls = fetchCalls.filter((c) => c.method !== "GET");
+            assert.strictEqual(writeCalls.length, 0);
+        });
+        test("creates service account when missing", async () => {
+            mockResponses["GET /serviceAccounts/custom-sa@my-gcp-project.iam.gserviceaccount.com"] = {
+                status: 404,
+                body: {},
+            };
+            mockResponses["POST /serviceAccounts"] = {
+                status: 200,
+                body: { name: "projects/my-gcp-project/serviceAccounts/custom-sa@my-gcp-project.iam.gserviceaccount.com" },
+            };
+            const builder = new GCPServiceAccountBuilder("custom-sa")
+                .displayName("My Custom Display")
+                .description("My Custom Description");
+            const result = await builder.deploy();
+            assert.strictEqual(result.email, "custom-sa@my-gcp-project.iam.gserviceaccount.com");
+            // Verify POST call
+            const createCall = fetchCalls.find((c) => c.method === "POST" && c.url.includes("/serviceAccounts"));
+            assert.ok(createCall);
+            assert.strictEqual(createCall.body.accountId, "custom-sa");
+            assert.strictEqual(createCall.body.serviceAccount.displayName, "My Custom Display");
+            assert.strictEqual(createCall.body.serviceAccount.description, "My Custom Description");
+        });
+        test("patches existing service account if metadata differs", async () => {
+            mockResponses["GET /serviceAccounts/custom-sa@my-gcp-project.iam.gserviceaccount.com"] = {
+                status: 200,
+                body: {
+                    displayName: "Old Display",
+                    description: "Old Desc",
+                },
+            };
+            mockResponses["PATCH /serviceAccounts/custom-sa@my-gcp-project.iam.gserviceaccount.com"] = {
+                status: 200,
+                body: {},
+            };
+            const builder = new GCPServiceAccountBuilder("custom-sa")
+                .displayName("New Display")
+                .description("New Desc");
+            await builder.deploy();
+            const patchCall = fetchCalls.find((c) => c.method === "PATCH");
+            assert.ok(patchCall);
+            assert.strictEqual(patchCall.body.displayName, "New Display");
+            assert.strictEqual(patchCall.body.description, "New Desc");
+        });
+        test("skips patch if existing service account metadata is identical", async () => {
+            mockResponses["GET /serviceAccounts/custom-sa@my-gcp-project.iam.gserviceaccount.com"] = {
+                status: 200,
+                body: {
+                    displayName: "Same Display",
+                    description: "Same Desc",
+                },
+            };
+            const builder = new GCPServiceAccountBuilder("custom-sa")
+                .displayName("Same Display")
+                .description("Same Desc");
+            await builder.deploy();
+            const writeCalls = fetchCalls.filter((c) => c.method !== "GET");
+            assert.strictEqual(writeCalls.length, 0);
+        });
+        test("destroys service account successfully", async () => {
+            mockResponses["GET /serviceAccounts/custom-sa@my-gcp-project.iam.gserviceaccount.com"] = {
+                status: 200,
+                body: {},
+            };
+            mockResponses["DELETE /serviceAccounts/custom-sa@my-gcp-project.iam.gserviceaccount.com"] = {
+                status: 200,
+                body: {},
+            };
+            const builder = new GCPServiceAccountBuilder("custom-sa");
+            const result = await builder.destroy();
+            assert.deepStrictEqual(result, { destroyed: "custom-sa" });
+            const deleteCall = fetchCalls.find((c) => c.method === "DELETE");
+            assert.ok(deleteCall);
+        });
+    });
+    describe("GCPIAMBindingBuilder Tests", () => {
+        test("resolves member strings, builders, outputs and custom types correctly", async () => {
+            const saBuilder = new GCPServiceAccountBuilder("builder-sa");
+            const plainString = "user:bob@gmail.com";
+            const plainSaEmail = "test-sa@my-gcp-project.iam.gserviceaccount.com";
+            const plainSaId = "other-sa"; // auto-resolves to serviceAccount:other-sa@proj...
+            const outputEmail = new Output();
+            outputEmail.resolve("output-sa"); // auto-resolves to serviceAccount:output-sa
+            const binding = new GCPIAMBindingBuilder("test-binding")
+                .role("roles/viewer")
+                .members(plainString, saBuilder, plainSaEmail, plainSaId, outputEmail);
+            const resolved = await binding.resolveMembers();
+            assert.deepStrictEqual(resolved, [
+                "user:bob@gmail.com",
+                "serviceAccount:builder-sa@my-gcp-project.iam.gserviceaccount.com",
+                "serviceAccount:test-sa@my-gcp-project.iam.gserviceaccount.com",
+                "serviceAccount:other-sa@my-gcp-project.iam.gserviceaccount.com",
+                "serviceAccount:output-sa",
+            ]);
+        });
+        test("appends bound members non-destructively to an existing role binding", async () => {
+            // 1. Mock getIamPolicy returns existing policy
+            mockResponses["POST /projects/my-gcp-project:getIamPolicy"] = {
+                status: 200,
+                body: {
+                    etag: "version1",
+                    bindings: [
+                        {
+                            role: "roles/storage.objectViewer",
+                            members: ["user:alice@example.com"],
+                        },
+                    ],
+                },
+            };
+            // 2. Mock setIamPolicy
+            mockResponses["POST /projects/my-gcp-project:setIamPolicy"] = {
+                status: 200,
+                body: {},
+            };
+            const binding = new GCPIAMBindingBuilder("viewer-binding")
+                .role("roles/storage.objectViewer")
+                .member("user:bob@example.com");
+            await binding.deploy();
+            const setCall = fetchCalls.find((c) => c.method === "POST" && c.url.includes(":setIamPolicy"));
+            assert.ok(setCall);
+            assert.strictEqual(setCall.body.policy.etag, "version1"); // Etag lock!
+            const targetBinding = setCall.body.policy.bindings.find((b) => b.role === "roles/storage.objectViewer");
+            assert.ok(targetBinding);
+            // Non-destructive: both Alice and Bob are bound!
+            assert.deepStrictEqual(targetBinding.members, ["user:alice@example.com", "user:bob@example.com"]);
+        });
+        test("skips deploy if all members are already bound", async () => {
+            mockResponses["POST /projects/my-gcp-project:getIamPolicy"] = {
+                status: 200,
+                body: {
+                    etag: "version1",
+                    bindings: [
+                        {
+                            role: "roles/storage.objectViewer",
+                            members: ["user:alice@example.com", "user:bob@example.com"],
+                        },
+                    ],
+                },
+            };
+            const binding = new GCPIAMBindingBuilder("viewer-binding")
+                .role("roles/storage.objectViewer")
+                .members("user:alice@example.com", "user:bob@example.com");
+            await binding.deploy();
+            // No setIamPolicy should be called
+            const setCall = fetchCalls.find((c) => c.method === "POST" && c.url.includes(":setIamPolicy"));
+            assert.strictEqual(setCall, undefined);
+        });
+        test("destroys binding cleanly by removing only our declared members", async () => {
+            mockResponses["POST /projects/my-gcp-project:getIamPolicy"] = {
+                status: 200,
+                body: {
+                    etag: "version2",
+                    bindings: [
+                        {
+                            role: "roles/storage.admin",
+                            members: ["user:admin@company.com", "serviceAccount:to-prune@my-gcp-project.iam.gserviceaccount.com"],
+                        },
+                    ],
+                },
+            };
+            mockResponses["POST /projects/my-gcp-project:setIamPolicy"] = {
+                status: 200,
+                body: {},
+            };
+            const binding = new GCPIAMBindingBuilder("admin-binding")
+                .role("roles/storage.admin")
+                .member("to-prune"); // maps to serviceAccount:to-prune@my-gcp-project...
+            const result = await binding.destroy();
+            assert.deepStrictEqual(result, { destroyed: "admin-binding" });
+            const setCall = fetchCalls.find((c) => c.method === "POST" && c.url.includes(":setIamPolicy"));
+            assert.ok(setCall);
+            const targetBinding = setCall.body.policy.bindings.find((b) => b.role === "roles/storage.admin");
+            assert.ok(targetBinding);
+            // Pruned our member, left the other admin!
+            assert.deepStrictEqual(targetBinding.members, ["user:admin@company.com"]);
+        });
+        test("removes the entire role binding block if no members remain", async () => {
+            mockResponses["POST /projects/my-gcp-project:getIamPolicy"] = {
+                status: 200,
+                body: {
+                    etag: "version3",
+                    bindings: [
+                        {
+                            role: "roles/pubsub.publisher",
+                            members: ["serviceAccount:to-prune@my-gcp-project.iam.gserviceaccount.com"],
+                        },
+                    ],
+                },
+            };
+            mockResponses["POST /projects/my-gcp-project:setIamPolicy"] = {
+                status: 200,
+                body: {},
+            };
+            const binding = new GCPIAMBindingBuilder("pub-binding")
+                .role("roles/pubsub.publisher")
+                .member("to-prune");
+            await binding.destroy();
+            const setCall = fetchCalls.find((c) => c.method === "POST" && c.url.includes(":setIamPolicy"));
+            assert.ok(setCall);
+            // Entire block is deleted since no members remain
+            const targetBinding = setCall.body.policy.bindings.find((b) => b.role === "roles/pubsub.publisher");
+            assert.strictEqual(targetBinding, undefined);
+        });
+    });
+});

package/dist/providers/gcp/index.d.ts

@@ -0,0 +1,19 @@
+import { GCPCloudRunBuilder } from './cloudrun.js';
+import { GCPCloudSQLBuilder } from './cloudsql.js';
+import { GCPSecretBuilder, resolveGCPEnvVars } from './secrets.js';
+import { GCPPubSubTopicBuilder, GCPPubSubSubscriptionBuilder } from './pubsub.js';
+import { GCPCloudDNSZoneBuilder } from './clouddns.js';
+import { GCPServiceAccountBuilder, GCPIAMBindingBuilder } from './iam.js';
+export { GCPSecretBuilder, resolveGCPEnvVars, GCPPubSubTopicBuilder, GCPPubSubSubscriptionBuilder, GCPCloudDNSZoneBuilder, GCPServiceAccountBuilder, GCPIAMBindingBuilder };
+export declare const GCP: {
+    CloudRun: (serviceId: string) => GCPCloudRunBuilder;
+    CloudSQL: (instanceId: string) => GCPCloudSQLBuilder;
+    Secret: (secretId: string) => GCPSecretBuilder;
+    CloudDNS: (zoneName: string) => GCPCloudDNSZoneBuilder;
+    ServiceAccount: (saId: string) => GCPServiceAccountBuilder;
+    IAMBinding: (name: string) => GCPIAMBindingBuilder;
+    PubSub: {
+        Topic: (topicId: string) => GCPPubSubTopicBuilder;
+        Subscription: (subscriptionId: string) => GCPPubSubSubscriptionBuilder;
+    };
+};

package/dist/providers/gcp/index.js

@@ -0,0 +1,19 @@
+import { GCPCloudRunBuilder } from './cloudrun.js';
+import { GCPCloudSQLBuilder } from './cloudsql.js';
+import { GCPSecretBuilder, resolveGCPEnvVars } from './secrets.js';
+import { GCPPubSubTopicBuilder, GCPPubSubSubscriptionBuilder } from './pubsub.js';
+import { GCPCloudDNSZoneBuilder } from './clouddns.js';
+import { GCPServiceAccountBuilder, GCPIAMBindingBuilder } from './iam.js';
+export { GCPSecretBuilder, resolveGCPEnvVars, GCPPubSubTopicBuilder, GCPPubSubSubscriptionBuilder, GCPCloudDNSZoneBuilder, GCPServiceAccountBuilder, GCPIAMBindingBuilder };
+export const GCP = {
+    CloudRun: (serviceId) => new GCPCloudRunBuilder(serviceId),
+    CloudSQL: (instanceId) => new GCPCloudSQLBuilder(instanceId),
+    Secret: (secretId) => new GCPSecretBuilder(secretId),
+    CloudDNS: (zoneName) => new GCPCloudDNSZoneBuilder(zoneName),
+    ServiceAccount: (saId) => new GCPServiceAccountBuilder(saId),
+    IAMBinding: (name) => new GCPIAMBindingBuilder(name),
+    PubSub: {
+        Topic: (topicId) => new GCPPubSubTopicBuilder(topicId),
+        Subscription: (subscriptionId) => new GCPPubSubSubscriptionBuilder(subscriptionId),
+    },
+};

package/dist/providers/gcp/pubsub.d.ts

@@ -0,0 +1,31 @@
+import { BaseBuilder } from "../../core/resource.js";
+export declare class GCPPubSubTopicBuilder extends BaseBuilder {
+    resolvedTopicName: string | null;
+    constructor(topicId: string);
+    private discoverTopic;
+    deploy(): Promise<{
+        name: string;
+        topicName: string | null;
+    }>;
+    destroy(): Promise<{
+        destroyed: string;
+    }>;
+}
+export declare class GCPPubSubSubscriptionBuilder extends BaseBuilder {
+    private _topic?;
+    private _pushEndpoint?;
+    private _ackDeadlineSeconds;
+    resolvedSubscriptionName: string | null;
+    constructor(subscriptionId: string);
+    topic(t: string | GCPPubSubTopicBuilder): this;
+    pushEndpoint(url: string): this;
+    ackDeadline(seconds: number): this;
+    private discoverSubscription;
+    deploy(): Promise<{
+        name: string;
+        subscriptionName: string | null;
+    }>;
+    destroy(): Promise<{
+        destroyed: string;
+    }>;
+}

package/dist/providers/gcp/pubsub.js

@@ -0,0 +1,227 @@
+import { BaseBuilder } from "../../core/resource.js";
+import { gcpFetch, getProjectId } from "./api.js";
+const PUBSUB_BASE = "https://pubsub.googleapis.com";
+export class GCPPubSubTopicBuilder extends BaseBuilder {
+    resolvedTopicName = null;
+    constructor(topicId) {
+        super(topicId);
+        this.discoveryPromise = this.discoverTopic();
+    }
+    async discoverTopic() {
+        try {
+            const project = getProjectId();
+            const res = await gcpFetch(PUBSUB_BASE, `/v1/projects/${project}/topics/${this.name}`);
+            this.resolvedTopicName = res.name ?? null;
+            return res;
+        }
+        catch (e) {
+            if (e.message?.includes("404") ||
+                e.message?.includes("403") ||
+                e.message?.includes("credentials not configured")) {
+                return null;
+            }
+            throw e;
+        }
+    }
+    async deploy() {
+        const dryRun = this.isDryRunActive();
+        const project = getProjectId();
+        const topicId = this.name;
+        const existing = await this.discoveryPromise;
+        console.log(`\n📢 Finalizing GCP Pub/Sub Topic "${topicId}"...`);
+        if (dryRun) {
+            console.log(`   📝 [PLAN] ${existing ? "Update" : "Create"} Pub/Sub topic "${topicId}"`);
+            this.resolvedTopicName = `projects/${project}/topics/${topicId}`;
+            return {
+                name: topicId,
+                topicName: this.resolvedTopicName,
+            };
+        }
+        if (!existing) {
+            console.log(`🚀 Creating GCP Pub/Sub topic "${topicId}"...`);
+            const topic = await gcpFetch(PUBSUB_BASE, `/v1/projects/${project}/topics/${topicId}`, {
+                method: "PUT",
+                body: JSON.stringify({}),
+            });
+            this.resolvedTopicName = topic.name ?? null;
+            console.log(`🚀 Created Pub/Sub topic "${topicId}"`);
+        }
+        else {
+            this.resolvedTopicName = existing.name ?? null;
+            console.log(`   ✅ GCP Pub/Sub topic "${topicId}" already exists.`);
+        }
+        await this.deploySidecars();
+        return {
+            name: topicId,
+            topicName: this.resolvedTopicName,
+        };
+    }
+    async destroy() {
+        const dryRun = this.isDryRunActive();
+        const project = getProjectId();
+        const topicId = this.name;
+        console.log(`\n🗑️  Destroying GCP Pub/Sub Topic "${topicId}"...`);
+        const existing = await this.discoverTopic();
+        if (!existing) {
+            console.log(`   ✅ Topic "${topicId}" does not exist - nothing to do.`);
+            return { destroyed: topicId };
+        }
+        if (dryRun) {
+            console.log(`   📝 [PLAN] Delete Pub/Sub topic "${topicId}"`);
+            return { destroyed: topicId };
+        }
+        console.log(`   🔄 Deleting Pub/Sub topic "${topicId}"...`);
+        await gcpFetch(PUBSUB_BASE, `/v1/projects/${project}/topics/${topicId}`, {
+            method: "DELETE",
+        });
+        console.log(`   ✅ Pub/Sub topic "${topicId}" deleted.`);
+        await this.destroySidecars();
+        return { destroyed: topicId };
+    }
+}
+export class GCPPubSubSubscriptionBuilder extends BaseBuilder {
+    _topic;
+    _pushEndpoint;
+    _ackDeadlineSeconds = 10;
+    resolvedSubscriptionName = null;
+    constructor(subscriptionId) {
+        super(subscriptionId);
+        this.discoveryPromise = this.discoverSubscription();
+    }
+    topic(t) {
+        this._topic = t;
+        return this;
+    }
+    pushEndpoint(url) {
+        this._pushEndpoint = url;
+        return this;
+    }
+    ackDeadline(seconds) {
+        this._ackDeadlineSeconds = seconds;
+        return this;
+    }
+    async discoverSubscription() {
+        try {
+            const project = getProjectId();
+            const res = await gcpFetch(PUBSUB_BASE, `/v1/projects/${project}/subscriptions/${this.name}`);
+            this.resolvedSubscriptionName = res.name ?? null;
+            return res;
+        }
+        catch (e) {
+            if (e.message?.includes("404") ||
+                e.message?.includes("403") ||
+                e.message?.includes("credentials not configured")) {
+                return null;
+            }
+            throw e;
+        }
+    }
+    async deploy() {
+        const dryRun = this.isDryRunActive();
+        const project = getProjectId();
+        const subscriptionId = this.name;
+        console.log(`\n📥 Finalizing GCP Pub/Sub Subscription "${subscriptionId}"...`);
+        if (!this._topic) {
+            throw new Error(`[GCP.PubSub.Subscription:${subscriptionId}] .topic(...) is required`);
+        }
+        const existing = await this.discoveryPromise;
+        // Resolve full topic name
+        let targetTopicName;
+        if (this._topic instanceof GCPPubSubTopicBuilder) {
+            targetTopicName = this._topic.resolvedTopicName ?? `projects/${project}/topics/${this._topic.name}`;
+        }
+        else {
+            targetTopicName = this._topic.includes("/")
+                ? this._topic
+                : `projects/${project}/topics/${this._topic}`;
+        }
+        const pushConfig = this._pushEndpoint
+            ? { pushEndpoint: this._pushEndpoint }
+            : {};
+        if (dryRun) {
+            console.log(`   📝 [PLAN] ${existing ? "Update" : "Create"} Pub/Sub subscription "${subscriptionId}"`);
+            console.log(`      └─ Topic: ${targetTopicName}`);
+            if (this._pushEndpoint) {
+                console.log(`      └─ Push Endpoint: ${this._pushEndpoint}`);
+            }
+            else {
+                console.log(`      └─ Pull Subscription`);
+            }
+            this.resolvedSubscriptionName = `projects/${project}/subscriptions/${subscriptionId}`;
+            return {
+                name: subscriptionId,
+                subscriptionName: this.resolvedSubscriptionName,
+            };
+        }
+        // Determine if update is needed
+        let needsUpdate = !existing;
+        if (existing) {
+            const existingEndpoint = existing.pushConfig?.pushEndpoint ?? "";
+            const targetEndpoint = this._pushEndpoint ?? "";
+            const hasEndpointChange = existingEndpoint !== targetEndpoint;
+            const hasTopicChange = existing.topic !== targetTopicName;
+            const hasAckChange = (existing.ackDeadlineSeconds ?? 10) !== this._ackDeadlineSeconds;
+            needsUpdate = hasEndpointChange || hasTopicChange || hasAckChange;
+        }
+        const subscriptionBody = {
+            topic: targetTopicName,
+            pushConfig,
+            ackDeadlineSeconds: this._ackDeadlineSeconds,
+        };
+        if (!existing) {
+            console.log(`🚀 Creating GCP Pub/Sub subscription "${subscriptionId}"...`);
+            const sub = await gcpFetch(PUBSUB_BASE, `/v1/projects/${project}/subscriptions/${subscriptionId}`, {
+                method: "PUT",
+                body: JSON.stringify(subscriptionBody),
+            });
+            this.resolvedSubscriptionName = sub.name ?? null;
+            console.log(`🚀 Created Pub/Sub subscription "${subscriptionId}"`);
+        }
+        else if (needsUpdate) {
+            console.log(`🔄 Updating GCP Pub/Sub subscription "${subscriptionId}"...`);
+            const sub = await gcpFetch(PUBSUB_BASE, `/v1/projects/${project}/subscriptions/${subscriptionId}`, {
+                method: "PATCH",
+                body: JSON.stringify({
+                    subscription: {
+                        name: `projects/${project}/subscriptions/${subscriptionId}`,
+                        ...subscriptionBody,
+                    },
+                    updateMask: "topic,pushConfig,ackDeadlineSeconds",
+                }),
+            });
+            this.resolvedSubscriptionName = sub.name ?? null;
+            console.log(`🔄 Updated Pub/Sub subscription "${subscriptionId}"`);
+        }
+        else {
+            this.resolvedSubscriptionName = existing.name ?? null;
+            console.log(`   ✅ GCP Pub/Sub subscription "${subscriptionId}" is up to date.`);
+        }
+        await this.deploySidecars();
+        return {
+            name: subscriptionId,
+            subscriptionName: this.resolvedSubscriptionName,
+        };
+    }
+    async destroy() {
+        const dryRun = this.isDryRunActive();
+        const project = getProjectId();
+        const subscriptionId = this.name;
+        console.log(`\n🗑️  Destroying GCP Pub/Sub Subscription "${subscriptionId}"...`);
+        const existing = await this.discoverSubscription();
+        if (!existing) {
+            console.log(`   ✅ Subscription "${subscriptionId}" does not exist - nothing to do.`);
+            return { destroyed: subscriptionId };
+        }
+        if (dryRun) {
+            console.log(`   📝 [PLAN] Delete Pub/Sub subscription "${subscriptionId}"`);
+            return { destroyed: subscriptionId };
+        }
+        console.log(`   🔄 Deleting Pub/Sub subscription "${subscriptionId}"...`);
+        await gcpFetch(PUBSUB_BASE, `/v1/projects/${project}/subscriptions/${subscriptionId}`, {
+            method: "DELETE",
+        });
+        console.log(`   ✅ Pub/Sub subscription "${subscriptionId}" deleted.`);
+        await this.destroySidecars();
+        return { destroyed: subscriptionId };
+    }
+}

package/dist/providers/gcp/pubsub.test.d.ts

@@ -0,0 +1 @@
+export {};