Add GCP data platform + Kafka producer demo catalog additions

.gitignore

@@ -29,5 +29,7 @@ schema-ui.json
 # Build artifacts
 _dist/
 .claude/settings.local.json
+.claude/massdriver.local.md
 node_modules/
 *.zip
+TODO.md

artifact-definitions/gcp-bigquery-dataset/massdriver.yaml

@@ -0,0 +1,78 @@
+name: gcp-bigquery-dataset
+label: GCP BigQuery Dataset
+icon: https://raw.githubusercontent.com/massdriver-cloud/massdriver-catalog/refs/heads/main/platforms/gcp/icon.png
+
+# IAM Role Binding Pattern (examples — adapt to your actual consumer):
+# Downstream bundles that need read-only access bind roles/bigquery.dataViewer.
+# Downstream bundles that need read+write access bind roles/bigquery.dataEditor.
+# Downstream bundles that need full control bind roles/bigquery.dataOwner.
+#
+# Terraform example — grant data viewer access to a workload service account:
+#   resource "google_bigquery_dataset_iam_member" "reader" {
+#     dataset_id = var.bigquery_dataset.dataset_id
+#     role       = "roles/bigquery.dataViewer"
+#     member     = "serviceAccount:${var.bigquery_dataset.workload_sa_email}"
+#   }
+#
+# Note: BigQuery IAM operates at dataset level by default. For table-level access,
+# use google_bigquery_table_iam_member instead. Dataset-level bindings propagate to
+# all tables within the dataset; table-level bindings do not propagate up.
+#
+# Policy examples below (reader / writer / admin) follow this same pattern. They are
+# illustrative — the actual IAM member string comes from the consumer bundle's
+# service account, not from this artifact.
+exports: []
+
+schema:
+  title: GCP BigQuery Dataset
+  description: A Google Cloud BigQuery dataset. Carries the project ID, dataset ID,
+    fully-qualified name (<project>.<dataset>), and location so downstream bundles
+    can reference the dataset for querying, loading, and exporting without hard-coding
+    project or dataset identifiers.
+  type: object
+  required:
+    - project_id
+    - dataset_id
+    - dataset_full_name
+    - location
+  properties:
+    project_id:
+      title: Project ID
+      description: GCP project identifier that owns this BigQuery dataset
+      type: string
+      examples:
+        - my-gcp-project-123
+
+    dataset_id:
+      title: Dataset ID
+      description: BigQuery dataset identifier (letters, digits, underscores — no hyphens)
+      type: string
+      examples:
+        - my_analytics_dataset
+
+    dataset_full_name:
+      title: Dataset Full Name
+      description: Fully-qualified BigQuery dataset name in <project>.<dataset> form.
+        Use this in SQL FROM clauses and bq CLI commands.
+      type: string
+      examples:
+        - my-gcp-project-123.my_analytics_dataset
+
+    location:
+      title: Location
+      description: BigQuery location where the dataset is stored (region or multi-region).
+        Location is immutable after creation.
+      type: string
+      examples:
+        - US
+        - us-central1
+        - EU
+
+    friendly_name:
+      title: Friendly Name
+      description: Human-readable display name for the dataset (optional)
+      type:
+        - string
+        - "null"
+      examples:
+        - My Analytics Dataset

artifact-definitions/gcp-bigquery-table/massdriver.yaml

@@ -0,0 +1,67 @@
+name: gcp-bigquery-table
+label: GCP BigQuery Table
+icon: https://raw.githubusercontent.com/massdriver-cloud/massdriver-catalog/refs/heads/main/platforms/gcp/icon.png
+
+# IAM Role Binding Pattern (examples — adapt to your actual consumer):
+# Downstream bundles that need read-only access bind roles/bigquery.dataViewer at the table level.
+# Downstream bundles that need read+write access bind roles/bigquery.dataEditor at the table level.
+#
+# Terraform example — grant data viewer access to a workload service account:
+#   resource "google_bigquery_table_iam_member" "reader" {
+#     project    = var.bigquery_table.project_id
+#     dataset_id = var.bigquery_table.dataset_id
+#     table_id   = var.bigquery_table.table_id
+#     role       = "roles/bigquery.dataViewer"
+#     member     = "serviceAccount:<consumer-sa-email>"
+#   }
+#
+# Note: Table-level IAM bindings do not propagate up to the parent dataset.
+# Dataset-level bindings DO propagate down to all tables. Prefer dataset-level
+# bindings for broad access and table-level bindings for scoped isolation.
+#
+# Policy examples below (reader / writer) follow this same pattern. They are
+# illustrative — the actual IAM member string comes from the consumer bundle's
+# service account, not from this artifact.
+exports: []
+
+schema:
+  title: GCP BigQuery Table
+  description: A Google Cloud BigQuery table. Carries the project ID, dataset ID,
+    table ID, and fully-qualified table name (<project>.<dataset>.<table>) so
+    downstream bundles can reference the table for querying, loading, and Pub/Sub
+    subscription delivery without hard-coding identifiers.
+  type: object
+  required:
+    - project_id
+    - dataset_id
+    - table_id
+    - table_full_name
+  properties:
+    project_id:
+      title: Project ID
+      description: GCP project identifier that owns this BigQuery table
+      type: string
+      examples:
+        - my-gcp-project-123
+
+    dataset_id:
+      title: Dataset ID
+      description: BigQuery dataset identifier that contains this table (letters, digits, underscores — no hyphens)
+      type: string
+      examples:
+        - my_analytics_dataset
+
+    table_id:
+      title: Table ID
+      description: BigQuery table identifier within the dataset (letters, digits, underscores — no hyphens)
+      type: string
+      examples:
+        - messages
+
+    table_full_name:
+      title: Table Full Name
+      description: Fully-qualified BigQuery table name in <project>.<dataset>.<table> form.
+        Use this in SQL FROM clauses and bq CLI commands.
+      type: string
+      examples:
+        - my-gcp-project-123.my_analytics_dataset.messages

artifact-definitions/gcp-cloud-run-service/massdriver.yaml

@@ -0,0 +1,102 @@
+name: gcp-cloud-run-service
+label: GCP Cloud Run Service
+icon: https://raw.githubusercontent.com/massdriver-cloud/massdriver-catalog/refs/heads/main/platforms/gcp/icon.png
+
+# IAM Role Binding Pattern — downstream bundles that need to invoke this service:
+#
+# The `runtime_service_account_member` field carries the IAM principal string
+# ("serviceAccount:<email>") for the service's runtime SA. Use it to grant
+# downstream resources access to write to this service's upstream dependencies.
+#
+# To allow an external caller (e.g., Pub/Sub push subscription, Cloud Scheduler)
+# to invoke this Cloud Run service:
+#
+#   resource "google_cloud_run_v2_service_iam_member" "invoker" {
+#     project  = var.cloud_run_service.project_id
+#     location = var.cloud_run_service.location
+#     name     = var.cloud_run_service.service_name
+#     role     = "roles/run.invoker"
+#     member   = "<caller-identity>"  # e.g., serviceAccount:scheduler-sa@project.iam.gserviceaccount.com
+#   }
+#
+# Policy examples below are illustrative only — the actual IAM member comes from
+# the calling bundle's service account, not from this artifact.
+#
+# invoker policy:
+#   role:   roles/run.invoker
+#   member: <caller's service account or allUsers for public>
+#   resource: projects/<project>/locations/<location>/services/<name>
+exports: []
+
+schema:
+  title: GCP Cloud Run Service
+  description: A deployed Google Cloud Run v2 service. Carries the project ID,
+    service name, HTTPS URL, region, latest ready revision name, and the runtime
+    service account identity so downstream bundles can invoke the service or grant
+    it additional permissions without hard-coding project or service identifiers.
+  type: object
+  required:
+    - project_id
+    - service_name
+    - service_url
+    - location
+    - latest_ready_revision
+    - runtime_service_account_email
+    - runtime_service_account_member
+  properties:
+    project_id:
+      title: Project ID
+      description: GCP project identifier that owns this Cloud Run service
+      type: string
+      examples:
+        - my-gcp-project-123
+
+    service_name:
+      title: Service Name
+      description: Cloud Run service name (short name, not fully-qualified resource path)
+      type: string
+      examples:
+        - my-api-service
+
+    service_url:
+      title: Service URL
+      description: HTTPS URL where the service is reachable. For internal ingress
+        services, this URL is only reachable from within the VPC or via Cloud Load
+        Balancing. For all-ingress services, this is publicly reachable.
+      type: string
+      examples:
+        - https://my-api-service-abc123-uc.a.run.app
+
+    location:
+      title: Location
+      description: GCP region where the Cloud Run service is deployed
+      type: string
+      examples:
+        - us-central1
+
+    latest_ready_revision:
+      title: Latest Ready Revision
+      description: Name of the most recent revision that is currently serving traffic.
+        Use this to pin a specific revision when configuring traffic splits or
+        rolling back to a known-good state.
+      type: string
+      examples:
+        - my-api-service-00001-abc
+
+    runtime_service_account_email:
+      title: Runtime Service Account Email
+      description: "Email address of the GCP service account the Cloud Run service
+        runs as. Downstream bundles that need to grant this service access to other
+        resources bind IAM roles to this email using the serviceAccount: prefix."
+      type: string
+      examples:
+        - data-workload@my-gcp-project-123.iam.gserviceaccount.com
+
+    runtime_service_account_member:
+      title: Runtime Service Account IAM Member
+      description: "The full IAM principal string for the runtime service account,
+        in 'serviceAccount:<email>' form. Use this directly as the member argument
+        in google_*_iam_member resources so callers do not have to construct it manually."
+      type: string
+      examples:
+        - serviceAccount:data-workload@my-gcp-project-123.iam.gserviceaccount.com