feat: add user prompts for declarative security changes (PR 4)

[inlined]

Description

This is PR 4 in the requiresRole PR chain.
It implements prompts asking the operator for confirmation when:

1. Enabling declarative security (enrolling).
2. Modifying roles on the managed service account.
3. Opting out of declarative security (unenrolling and deleting the SA).
   Includes options.nonInteractive checks to safely throw errors in headless environments.

Scenarios Tested

• Run unit tests: npx mocha src/deploy/functions/prompts.spec.ts
• Run npm run build & npm run lint

Sample Commands

N/A

[gemini-code-assist]

Code Review

This pull request introduces the promptForSecurityChanges function in src/deploy/functions/prompts.ts along with comprehensive unit tests in src/deploy/functions/prompts.spec.ts to prompt operators for codebase-wide declarative security changes. The review feedback points out a TypeScript compilation error caused by typing the plan parameter with DeploymentPlan, which lacks the required security properties; defining a custom CodebasePlan interface is recommended to resolve this. Additionally, the feedback suggests conditionally formatting the prompt message when rolesToAdd is empty to prevent displaying an empty list of roles.

[gemini-code-assist]

The DeploymentPlan type imported from ./release/planner is defined as Record<string, Changeset>, where Changeset does not contain the security-related properties (like serviceAccountToCreate, rolesToAdd, etc.) accessed in promptForSecurityChanges. This causes a TypeScript compilation error.

We should remove DeploymentPlan from this import and define a specific CodebasePlan interface to type the plan parameter correctly.

Suggested change

	import { EndpointUpdate, DeploymentPlan } from "./release/planner";
	import { EndpointUpdate } from "./release/planner";

[gemini-code-assist]

Define a proper CodebasePlan interface and use it to type the plan parameter. This resolves the TypeScript compilation error caused by the mismatch with DeploymentPlan (which is Record<string, Changeset>).

export interface CodebasePlan {
  serviceAccountToDelete?: string;
  serviceAccountToCreate?: string;
  managedServiceAccount?: string;
  rolesToAdd?: string[];
  rolesToRemove?: string[];
}

/**
 * Prompts operators for codebase-wide declarative security changes.
 */
export async function promptForSecurityChanges(
  plan: Record<string, CodebasePlan>,
  options: Options,
): Promise<void> {

[gemini-code-assist]

If rolesToAdd is empty or undefined, the prompt will print an empty list of roles, which looks awkward (e.g., It will use the following role(s):\n\nContinue?). We should conditionally format the message to only list roles if there are any.

Suggested change

	const msg = `This codebase uses declarative security. It will use the following role(s):\n${roleNames
	.map((r) => `* ${r}`)
	.join("\n")}\nContinue?`;
	let msg = `This codebase uses declarative security.`;
	if (roleNames.length > 0) {
	msg += ` It will use the following role(s):\n${roleNames.map((r) => `* ${r}`).join("\n")}\n`;
	} else {
	msg += "\n";
	}
	msg += "Continue?";