puls-dev 0.2.1 → 0.2.2

package/dist/core/config.d.ts

@@ -23,6 +23,11 @@ export interface GlobalConfig {
             projectId: string;
             serviceAccountPath: string;
         };
+        gcp?: {
+            projectId?: string;
+            serviceAccountPath?: string;
+            region?: string;
+        };
     };
 }
 declare class ConfigManager {

package/dist/providers/firebase/appcheck.d.ts

@@ -0,0 +1,15 @@
+import { BaseBuilder } from "../../core/resource.js";
+export declare class FirebaseAppCheckBuilder extends BaseBuilder {
+    private _configs;
+    constructor();
+    enforce(serviceName: string): this;
+    unenforced(serviceName: string): this;
+    off(serviceName: string): this;
+    mode(serviceName: string, mode: "ENFORCED" | "UNENFORCED" | "OFF"): this;
+    deploy(): Promise<{
+        project: string;
+    }>;
+    destroy(): Promise<{
+        destroyed: string;
+    }>;
+}

package/dist/providers/firebase/appcheck.js

@@ -0,0 +1,109 @@
+import { BaseBuilder } from "../../core/resource.js";
+import { cloudFetch, getProjectId } from "./api.js";
+const APP_CHECK_BASE = "https://firebaseappcheck.googleapis.com";
+const SERVICE_IDS = {
+    firestore: "firestore.googleapis.com",
+    storage: "firebasestorage.googleapis.com",
+    database: "firebasedatabase.googleapis.com",
+    auth: "identitytoolkit.googleapis.com",
+};
+function resolveServiceId(name) {
+    return SERVICE_IDS[name.toLowerCase()] ?? name;
+}
+export class FirebaseAppCheckBuilder extends BaseBuilder {
+    _configs = new Map();
+    constructor() {
+        super("appcheck");
+        this.discoveryPromise = Promise.resolve(null);
+    }
+    enforce(serviceName) {
+        this._configs.set(resolveServiceId(serviceName), "ENFORCED");
+        return this;
+    }
+    unenforced(serviceName) {
+        this._configs.set(resolveServiceId(serviceName), "UNENFORCED");
+        return this;
+    }
+    off(serviceName) {
+        this._configs.set(resolveServiceId(serviceName), "OFF");
+        return this;
+    }
+    mode(serviceName, mode) {
+        this._configs.set(resolveServiceId(serviceName), mode);
+        return this;
+    }
+    async deploy() {
+        const dryRun = this.isDryRunActive();
+        const project = getProjectId();
+        console.log(`\n🛡️  Finalizing Firebase App Check...`);
+        if (dryRun) {
+            console.log(`   📝 [PLAN] Configure App Check enforcement modes:`);
+            for (const [serviceId, mode] of this._configs.entries()) {
+                console.log(`      └─ ${serviceId}: ${mode}`);
+            }
+            return { project };
+        }
+        // 1. Fetch current status of each configured service
+        const existingConfigs = {};
+        for (const serviceId of this._configs.keys()) {
+            try {
+                const data = await cloudFetch(APP_CHECK_BASE, `/v1/projects/${project}/services/${serviceId}`);
+                existingConfigs[serviceId] = data.enforcementMode ?? "OFF";
+            }
+            catch (err) {
+                // If not found or not registered yet, default to OFF
+                existingConfigs[serviceId] = "OFF";
+            }
+        }
+        // 2. Patch services whose modes have changed
+        for (const [serviceId, mode] of this._configs.entries()) {
+            const existingMode = existingConfigs[serviceId] ?? "OFF";
+            if (existingMode !== mode) {
+                console.log(`   🔄 Updating App Check service "${serviceId}": ${existingMode} → ${mode}`);
+                await cloudFetch(APP_CHECK_BASE, `/v1/projects/${project}/services/${serviceId}?updateMask=enforcementMode`, {
+                    method: "PATCH",
+                    body: JSON.stringify({
+                        name: `projects/${project}/services/${serviceId}`,
+                        enforcementMode: mode,
+                    }),
+                });
+                console.log(`   ✅ App Check service "${serviceId}" updated to ${mode}`);
+            }
+            else {
+                console.log(`   ✅ App Check service "${serviceId}" already set to ${mode}`);
+            }
+        }
+        await this.deploySidecars();
+        return { project };
+    }
+    async destroy() {
+        const dryRun = this.isDryRunActive();
+        const project = getProjectId();
+        console.log(`\n🗑️  Destroying Firebase App Check...`);
+        console.log(`   ℹ️  Reverting all configured services to OFF enforcement mode`);
+        if (dryRun) {
+            for (const serviceId of this._configs.keys()) {
+                console.log(`   📝 [PLAN] Revert ${serviceId} App Check to OFF`);
+            }
+            return { destroyed: "appcheck" };
+        }
+        for (const serviceId of this._configs.keys()) {
+            try {
+                console.log(`   🔄 Reverting App Check service "${serviceId}" to OFF...`);
+                await cloudFetch(APP_CHECK_BASE, `/v1/projects/${project}/services/${serviceId}?updateMask=enforcementMode`, {
+                    method: "PATCH",
+                    body: JSON.stringify({
+                        name: `projects/${project}/services/${serviceId}`,
+                        enforcementMode: "OFF",
+                    }),
+                });
+                console.log(`   ✅ App Check service "${serviceId}" reverted to OFF`);
+            }
+            catch (err) {
+                // Log error and continue teardown silently
+            }
+        }
+        await this.destroySidecars();
+        return { destroyed: "appcheck" };
+    }
+}

package/dist/providers/firebase/appcheck.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/providers/firebase/appcheck.test.js

@@ -0,0 +1,141 @@
+import { test, describe, beforeEach, afterEach, mock } from "node:test";
+import assert from "node:assert";
+import { GoogleAuth } from "google-auth-library";
+import { FirebaseAppCheckBuilder } from "./appcheck.js";
+import { Config } from "../../core/config.js";
+describe("FirebaseAppCheckBuilder Unit Tests", () => {
+    let originalFetch;
+    let fetchCalls = [];
+    let mockResponses = {};
+    beforeEach(() => {
+        Config.set({
+            dryRun: false,
+            providers: {
+                firebase: {
+                    projectId: "my-project",
+                    serviceAccountPath: "/fake/sa.json",
+                },
+            },
+        });
+        originalFetch = globalThis.fetch;
+        fetchCalls = [];
+        mockResponses = {};
+        globalThis.fetch = async (input, init) => {
+            const url = String(input);
+            const method = init?.method ?? "GET";
+            let body;
+            if (init?.body) {
+                if (typeof init.body === "string") {
+                    try {
+                        body = JSON.parse(init.body);
+                    }
+                    catch {
+                        body = init.body;
+                    }
+                }
+                else {
+                    body = "[Binary/Buffer Body]";
+                }
+            }
+            const headers = init?.headers;
+            fetchCalls.push({ url, method, body, headers });
+            const matchKey = Object.keys(mockResponses)
+                .filter((key) => {
+                const [mMethod, mPath] = key.split(" ");
+                return method === mMethod && url.includes(mPath);
+            })
+                .sort((a, b) => b.split(" ")[1].length - a.split(" ")[1].length)[0];
+            if (matchKey) {
+                const resp = mockResponses[matchKey];
+                return {
+                    ok: resp.status >= 200 && resp.status < 300,
+                    status: resp.status,
+                    json: async () => resp.body,
+                    text: async () => JSON.stringify(resp.body),
+                };
+            }
+            return {
+                ok: false,
+                status: 404,
+                json: async () => ({ message: `Endpoint not mocked: ${method} ${url}` }),
+                text: async () => `Endpoint not mocked: ${method} ${url}`,
+            };
+        };
+        mock.method(GoogleAuth.prototype, "getClient", async () => {
+            return {
+                getAccessToken: async () => ({ token: "fake-access-token" }),
+            };
+        });
+    });
+    afterEach(() => {
+        globalThis.fetch = originalFetch;
+        mock.restoreAll();
+    });
+    test("runs in dry-run mode safely and logs plans", async () => {
+        Config.set({
+            dryRun: true,
+            providers: {
+                firebase: {
+                    projectId: "my-project",
+                    serviceAccountPath: "/fake/sa.json",
+                },
+            },
+        });
+        const builder = new FirebaseAppCheckBuilder()
+            .enforce("firestore")
+            .unenforced("storage")
+            .off("auth");
+        const deployResult = await builder.deploy();
+        assert.strictEqual(deployResult.project, "my-project");
+        assert.strictEqual(fetchCalls.length, 0); // zero write calls
+    });
+    test("syncs App Check services idempotently - updates changed and skips identical", async () => {
+        // 1. Mock GET calls returning existing statuses:
+        // firestore is currently OFF (needs to be ENFORCED)
+        // storage is currently UNENFORCED (needs to be UNENFORCED - should skip)
+        mockResponses["GET /services/firestore.googleapis.com"] = {
+            status: 200,
+            body: { name: "projects/my-project/services/firestore.googleapis.com", enforcementMode: "OFF" },
+        };
+        mockResponses["GET /services/firebasestorage.googleapis.com"] = {
+            status: 200,
+            body: { name: "projects/my-project/services/firebasestorage.googleapis.com", enforcementMode: "UNENFORCED" },
+        };
+        // 2. Mock PATCH calls
+        mockResponses["PATCH /services/firestore.googleapis.com"] = {
+            status: 200,
+            body: { name: "projects/my-project/services/firestore.googleapis.com", enforcementMode: "ENFORCED" },
+        };
+        const builder = new FirebaseAppCheckBuilder()
+            .enforce("firestore")
+            .unenforced("storage");
+        const deployResult = await builder.deploy();
+        assert.strictEqual(deployResult.project, "my-project");
+        // We should have exactly 2 GET calls and 1 PATCH call
+        const patchCalls = fetchCalls.filter((c) => c.method === "PATCH");
+        assert.strictEqual(patchCalls.length, 1);
+        assert.strictEqual(patchCalls[0].url.includes("/services/firestore.googleapis.com"), true);
+        assert.strictEqual(patchCalls[0].body.enforcementMode, "ENFORCED");
+    });
+    test("destroys App Check configuration by reverting all configured services to OFF", async () => {
+        // Mock PATCH calls returning OFF
+        mockResponses["PATCH /services/firestore.googleapis.com"] = {
+            status: 200,
+            body: { name: "projects/my-project/services/firestore.googleapis.com", enforcementMode: "OFF" },
+        };
+        mockResponses["PATCH /services/firebasestorage.googleapis.com"] = {
+            status: 200,
+            body: { name: "projects/my-project/services/firebasestorage.googleapis.com", enforcementMode: "OFF" },
+        };
+        const builder = new FirebaseAppCheckBuilder()
+            .enforce("firestore")
+            .unenforced("storage");
+        const destroyResult = await builder.destroy();
+        assert.deepStrictEqual(destroyResult, { destroyed: "appcheck" });
+        // Verify both services were patched to OFF
+        const patchCalls = fetchCalls.filter((c) => c.method === "PATCH");
+        assert.strictEqual(patchCalls.length, 2);
+        assert.strictEqual(patchCalls.some((c) => c.url.includes("/services/firestore.googleapis.com") && c.body.enforcementMode === "OFF"), true);
+        assert.strictEqual(patchCalls.some((c) => c.url.includes("/services/firebasestorage.googleapis.com") && c.body.enforcementMode === "OFF"), true);
+    });
+});

package/dist/providers/firebase/index.d.ts

@@ -4,6 +4,7 @@ import { FirebaseFirestoreBuilder } from './firestore.js';
 import { FirebaseStorageBuilder } from './storage.js';
 import { FirebaseAuthBuilder } from './auth.js';
 import { FirebaseRemoteConfigBuilder } from './remoteconfig.js';
+import { FirebaseAppCheckBuilder } from './appcheck.js';
 export { FUNCTIONS_RUNTIME };
 export declare const Firebase: {
     Hosting: (siteId: string) => FirebaseHostingBuilder;
@@ -12,4 +13,5 @@ export declare const Firebase: {
     Storage: (bucket?: string) => FirebaseStorageBuilder;
     Auth: () => FirebaseAuthBuilder;
     RemoteConfig: () => FirebaseRemoteConfigBuilder;
+    AppCheck: () => FirebaseAppCheckBuilder;
 };

package/dist/providers/firebase/index.js

@@ -4,6 +4,7 @@ import { FirebaseFirestoreBuilder } from './firestore.js';
 import { FirebaseStorageBuilder } from './storage.js';
 import { FirebaseAuthBuilder } from './auth.js';
 import { FirebaseRemoteConfigBuilder } from './remoteconfig.js';
+import { FirebaseAppCheckBuilder } from './appcheck.js';
 export { FUNCTIONS_RUNTIME };
 export const Firebase = {
     Hosting: (siteId) => new FirebaseHostingBuilder(siteId),
@@ -12,4 +13,5 @@ export const Firebase = {
     Storage: (bucket) => new FirebaseStorageBuilder(bucket),
     Auth: () => new FirebaseAuthBuilder(),
     RemoteConfig: () => new FirebaseRemoteConfigBuilder(),
+    AppCheck: () => new FirebaseAppCheckBuilder(),
 };

package/dist/providers/gcp/api.d.ts

@@ -0,0 +1,10 @@
+export interface GCPConfig {
+    projectId: string;
+    serviceAccountPath: string;
+    region?: string;
+}
+export declare function resolveGCPConfig(): GCPConfig;
+export declare function getProjectId(): string;
+export declare function getRegion(): string;
+export declare function getGCPToken(scopes: string[]): Promise<string>;
+export declare function gcpFetch(base: string, path: string, opts?: RequestInit): Promise<any>;

package/dist/providers/gcp/api.js

@@ -0,0 +1,111 @@
+import fs from 'node:fs';
+import { GoogleAuth } from 'google-auth-library';
+import { Config } from '../../core/config.js';
+export function resolveGCPConfig() {
+    // 1. Check Config.providers.gcp
+    const gcpCfg = Config.get().providers.gcp;
+    if (gcpCfg?.serviceAccountPath) {
+        if (gcpCfg.projectId) {
+            return {
+                projectId: gcpCfg.projectId,
+                serviceAccountPath: gcpCfg.serviceAccountPath,
+                region: gcpCfg.region,
+            };
+        }
+        try {
+            const sa = JSON.parse(fs.readFileSync(gcpCfg.serviceAccountPath, 'utf8'));
+            return {
+                projectId: sa.project_id,
+                serviceAccountPath: gcpCfg.serviceAccountPath,
+                region: gcpCfg.region,
+            };
+        }
+        catch (e) {
+            // Continue to next fallback
+        }
+    }
+    // 2. Fallback to Config.providers.firebase
+    const fbCfg = Config.get().providers.firebase;
+    if (fbCfg?.serviceAccountPath) {
+        if (fbCfg.projectId) {
+            return {
+                projectId: fbCfg.projectId,
+                serviceAccountPath: fbCfg.serviceAccountPath,
+            };
+        }
+        try {
+            const sa = JSON.parse(fs.readFileSync(fbCfg.serviceAccountPath, 'utf8'));
+            return {
+                projectId: sa.project_id,
+                serviceAccountPath: fbCfg.serviceAccountPath,
+            };
+        }
+        catch (e) {
+            // Continue to next fallback
+        }
+    }
+    // 3. Fallback to process.env.GCP_SA
+    const gcpSa = process.env.GCP_SA;
+    if (gcpSa && fs.existsSync(gcpSa)) {
+        try {
+            const sa = JSON.parse(fs.readFileSync(gcpSa, 'utf8'));
+            return {
+                projectId: sa.project_id,
+                serviceAccountPath: gcpSa,
+            };
+        }
+        catch (e) {
+            // Continue to next fallback
+        }
+    }
+    // 4. Fallback to process.env.FIREBASE_SA
+    const fbSa = process.env.FIREBASE_SA;
+    if (fbSa && fs.existsSync(fbSa)) {
+        try {
+            const sa = JSON.parse(fs.readFileSync(fbSa, 'utf8'));
+            return {
+                projectId: sa.project_id,
+                serviceAccountPath: fbSa,
+            };
+        }
+        catch (e) {
+            // Continue to next fallback
+        }
+    }
+    throw new Error('GCP credentials not configured. Please set GCP_SA or FIREBASE_SA env var, or configure providers.gcp or providers.firebase in Config.');
+}
+export function getProjectId() {
+    return resolveGCPConfig().projectId;
+}
+export function getRegion() {
+    const gcpCfg = Config.get().providers.gcp;
+    return gcpCfg?.region ?? 'us-central1';
+}
+export async function getGCPToken(scopes) {
+    const { serviceAccountPath } = resolveGCPConfig();
+    const auth = new GoogleAuth({ keyFile: serviceAccountPath, scopes });
+    const client = await auth.getClient();
+    const token = await client.getAccessToken();
+    if (!token.token) {
+        throw new Error('Failed to retrieve GCP access token');
+    }
+    return token.token;
+}
+const CLOUD_SCOPE = 'https://www.googleapis.com/auth/cloud-platform';
+export async function gcpFetch(base, path, opts = {}) {
+    const token = await getGCPToken([CLOUD_SCOPE]);
+    const res = await fetch(`${base}${path}`, {
+        ...opts,
+        headers: {
+            'Authorization': `Bearer ${token}`,
+            'Content-Type': 'application/json',
+            ...(opts.headers ?? {}),
+        },
+    });
+    if (!res.ok) {
+        const body = await res.text();
+        throw new Error(`GCP API ${opts.method ?? 'GET'} ${path} → ${res.status}: ${body}`);
+    }
+    const text = await res.text();
+    return text ? JSON.parse(text) : null;
+}

package/dist/providers/gcp/clouddns.d.ts

@@ -0,0 +1,37 @@
+import { BaseBuilder } from "../../core/resource.js";
+import { Output } from "../../core/output.js";
+export interface GCPDNSRecord {
+    name: string;
+    type: string;
+    value: any;
+    ttl: number;
+}
+export declare class GCPCloudDNSZoneBuilder extends BaseBuilder {
+    zoneName: string;
+    readonly out: {
+        zone: Output<{
+            name: string;
+            id: string;
+        }>;
+    };
+    cleanZoneName: string;
+    zoneId: string;
+    private records;
+    constructor(zoneName: string);
+    private discoverZone;
+    record(name: string, type: "A" | "AAAA" | "CNAME" | "MX" | "TXT" | "NS" | "PTR" | "SRV" | "CAA" | "SPF", value: string, ttl?: number): this;
+    pointer(name: string, target: BaseBuilder | Output<string> | string): this;
+    deploy(): Promise<{
+        zone: string;
+        id: string;
+        records: {
+            name: string;
+            type: string;
+            ttl: number;
+            rrdatas: string[];
+        }[];
+    }>;
+    destroy(): Promise<{
+        destroyed: string;
+    }>;
+}