@alienplatform/core 1.7.1 → 1.9.0

Files changed (88) hide show
  1. package/.turbo/turbo-build.log +12 -11
  2. package/dist/index.d.ts +783 -100
  3. package/dist/index.d.ts.map +1 -1
  4. package/dist/index.js +199 -33
  5. package/dist/index.js.map +1 -1
  6. package/dist/stack.js +579 -44
  7. package/dist/stack.js.map +1 -1
  8. package/dist/tests/index.js +1 -1
  9. package/package.json +1 -1
  10. package/src/__tests__/__snapshots__/stack.test.ts.snap +10 -4
  11. package/src/__tests__/error.test.ts +1 -1
  12. package/src/__tests__/stack.test.ts +184 -2
  13. package/src/compute-cluster.ts +211 -0
  14. package/src/container.ts +38 -26
  15. package/src/daemon.ts +79 -0
  16. package/src/generated/index.ts +42 -2
  17. package/src/generated/schemas/architecture.json +1 -0
  18. package/src/generated/schemas/capacityGroup.json +1 -0
  19. package/src/generated/schemas/capacityGroupScalePolicy.json +1 -0
  20. package/src/generated/schemas/computeChoiceRange.json +1 -0
  21. package/src/generated/schemas/computeCluster.json +1 -0
  22. package/src/generated/schemas/computePoolSelection.json +1 -0
  23. package/src/generated/schemas/computeSettings.json +1 -0
  24. package/src/generated/schemas/container.json +1 -1
  25. package/src/generated/schemas/containerOutputs.json +1 -1
  26. package/src/generated/schemas/containerPort.json +1 -1
  27. package/src/generated/schemas/daemon.json +1 -1
  28. package/src/generated/schemas/daemonOutputs.json +1 -1
  29. package/src/generated/schemas/daemonRuntime.json +1 -0
  30. package/src/generated/schemas/daemonRuntimeMount.json +1 -0
  31. package/src/generated/schemas/exposeProtocol.json +1 -1
  32. package/src/generated/schemas/gpuSpec.json +1 -0
  33. package/src/generated/schemas/machineProfile.json +1 -0
  34. package/src/generated/schemas/publicEndpoint.json +1 -0
  35. package/src/generated/schemas/publicEndpointOutput.json +1 -0
  36. package/src/generated/schemas/stack.json +1 -1
  37. package/src/generated/schemas/stackImportRequest.json +1 -1
  38. package/src/generated/schemas/stackImportResponse.json +1 -1
  39. package/src/generated/schemas/stackInputDefaultValue.json +1 -0
  40. package/src/generated/schemas/stackInputDefinition.json +1 -0
  41. package/src/generated/schemas/stackInputEnvironmentMapping.json +1 -0
  42. package/src/generated/schemas/stackInputEnvironmentVariableType.json +1 -0
  43. package/src/generated/schemas/stackInputKind.json +1 -0
  44. package/src/generated/schemas/stackInputProvider.json +1 -0
  45. package/src/generated/schemas/stackInputValidation.json +1 -0
  46. package/src/generated/schemas/stackSettings.json +1 -1
  47. package/src/generated/schemas/worker.json +1 -1
  48. package/src/generated/schemas/workerOutputs.json +1 -1
  49. package/src/generated/schemas/workerPublicEndpoint.json +1 -0
  50. package/src/generated/zod/architecture-schema.ts +13 -0
  51. package/src/generated/zod/capacity-group-scale-policy-schema.ts +27 -0
  52. package/src/generated/zod/capacity-group-schema.ts +27 -0
  53. package/src/generated/zod/compute-choice-range-schema.ts +17 -0
  54. package/src/generated/zod/compute-cluster-schema.ts +20 -0
  55. package/src/generated/zod/compute-pool-selection-schema.ts +22 -0
  56. package/src/generated/zod/compute-settings-schema.ts +18 -0
  57. package/src/generated/zod/container-outputs-schema.ts +5 -6
  58. package/src/generated/zod/container-port-schema.ts +1 -5
  59. package/src/generated/zod/container-schema.ts +7 -3
  60. package/src/generated/zod/daemon-outputs-schema.ts +4 -0
  61. package/src/generated/zod/daemon-runtime-mount-schema.ts +14 -0
  62. package/src/generated/zod/daemon-runtime-schema.ts +19 -0
  63. package/src/generated/zod/daemon-schema.ts +14 -2
  64. package/src/generated/zod/expose-protocol-schema.ts +2 -2
  65. package/src/generated/zod/gpu-spec-schema.ts +16 -0
  66. package/src/generated/zod/index.ts +42 -2
  67. package/src/generated/zod/machine-profile-schema.ts +25 -0
  68. package/src/generated/zod/public-endpoint-output-schema.ts +21 -0
  69. package/src/generated/zod/public-endpoint-schema.ts +22 -0
  70. package/src/generated/zod/stack-import-request-schema.ts +3 -0
  71. package/src/generated/zod/stack-input-default-value-schema.ts +25 -0
  72. package/src/generated/zod/stack-input-definition-schema.ts +43 -0
  73. package/src/generated/zod/stack-input-environment-mapping-schema.ts +20 -0
  74. package/src/generated/zod/stack-input-environment-variable-type-schema.ts +13 -0
  75. package/src/generated/zod/stack-input-kind-schema.ts +13 -0
  76. package/src/generated/zod/stack-input-provider-schema.ts +13 -0
  77. package/src/generated/zod/stack-input-validation-schema.ts +23 -0
  78. package/src/generated/zod/stack-schema.ts +4 -0
  79. package/src/generated/zod/stack-settings-schema.ts +5 -1
  80. package/src/generated/zod/worker-outputs-schema.ts +4 -5
  81. package/src/generated/zod/worker-public-endpoint-schema.ts +17 -0
  82. package/src/generated/zod/worker-schema.ts +4 -4
  83. package/src/index.ts +9 -0
  84. package/src/input.ts +380 -0
  85. package/src/stack.ts +19 -0
  86. package/src/worker.ts +24 -14
  87. package/src/generated/schemas/ingress.json +0 -1
  88. package/src/generated/zod/ingress-schema.ts +0 -13
@@ -1 +1 @@
1
- {"type":"object","description":"A bag of resources, unaware of any cloud.","required":["id","resources"],"properties":{"id":{"type":"string","description":"Unique identifier for the stack"},"permissions":{"description":"Combined permissions configuration containing both profiles and management","type":"object","required":["profiles"],"properties":{"management":{"description":"Management permissions configuration for stack management access","oneOf":[{"type":"string","description":"Auto-derived permissions only (default)\nUses resource lifecycles to determine management permissions:\n- Frozen resources: `<type>/management`\n- Live resources: `<type>/provision`","enum":["auto"]},{"type":"object","description":"Add permissions to auto-derived baseline","required":["extend"],"properties":{"extend":{"description":"Add permissions to auto-derived baseline","type":"object","additionalProperties":{"type":"array","items":{"oneOf":[{"type":"string","description":"Reference to a built-in permission set by name (e.g., \"storage/data-read\")"},{"description":"Inline permission set definition","type":"object","required":["id","description","platforms"],"properties":{"description":{"type":"string","description":"Human-readable description of what this permission set allows"},"id":{"type":"string","description":"Unique identifier for the permission set (e.g., \"storage/data-read\")"},"platforms":{"description":"Platform-specific permission configurations","type":"object","properties":{"aws":{"type":["array","null"],"items":{"type":"object","description":"AWS-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"AWS-specific binding specification","required":["resources"],"properties":{"condition":{"type":["object","null"],"description":"Optional condition for additional filtering 
(rare)","additionalProperties":{"type":"object","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"propertyNames":{"type":"string"}},"resources":{"type":"array","items":{"type":"string"},"description":"Resource ARNs to bind to"}},"additionalProperties":false},"stack":{"type":"object","description":"AWS-specific binding specification","required":["resources"],"properties":{"condition":{"type":["object","null"],"description":"Optional condition for additional filtering (rare)","additionalProperties":{"type":"object","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"propertyNames":{"type":"string"}},"resources":{"type":"array","items":{"type":"string"},"description":"Resource ARNs to bind to"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_AwsBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"effect":{"description":"IAM effect. 
Defaults to Allow.","type":"string","enum":["Allow","Deny"],"x-readme-ref-name":"AwsPermissionEffect"},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"AwsPlatformPermission"},"description":"AWS permission configurations"},"azure":{"type":["array","null"],"items":{"type":"object","description":"Azure-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"Azure-specific binding specification","required":["scope"],"properties":{"scope":{"type":"string","description":"Scope (subscription/resource group/resource level)"}},"additionalProperties":false},"stack":{"type":"object","description":"Azure-specific binding specification","required":["scope"],"properties":{"scope":{"type":"string","description":"Scope (subscription/resource group/resource 
level)"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_AzureBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"AzurePlatformPermission"},"description":"Azure permission configurations"},"gcp":{"type":["array","null"],"items":{"type":"object","description":"GCP-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"GCP-specific binding specification","required":["scope"],"properties":{"condition":{"oneOf":[{"type":"null"},{"description":"Optional condition for filtering resources","type":"object","required":["title","expression"],"properties":{"expression":{"type":"string"},"title":{"type":"string"}},"additionalProperties":false,"x-readme-ref-name":"GcpCondition"}]},"scope":{"type":"string","description":"Scope 
(project/resource level)"}},"additionalProperties":false},"stack":{"type":"object","description":"GCP-specific binding specification","required":["scope"],"properties":{"condition":{"oneOf":[{"type":"null"},{"description":"Optional condition for filtering resources","type":"object","required":["title","expression"],"properties":{"expression":{"type":"string"},"title":{"type":"string"}},"additionalProperties":false,"x-readme-ref-name":"GcpCondition"}]},"scope":{"type":"string","description":"Scope (project/resource level)"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_GcpBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"GcpPlatformPermission"},"description":"GCP permission configurations"}},"additionalProperties":false,"x-readme-ref-name":"PlatformPermissions"}},"additionalProperties":false,"x-readme-ref-name":"PermissionSet"}],"description":"Reference to a permission set - either by name or inline 
definition","x-readme-ref-name":"PermissionSetReference"}},"propertyNames":{"type":"string"},"x-readme-ref-name":"PermissionProfile"}}},{"type":"object","description":"Replace auto-derived permissions entirely","required":["override"],"properties":{"override":{"description":"Replace auto-derived permissions entirely","type":"object","additionalProperties":{"type":"array","items":{"oneOf":[{"type":"string","description":"Reference to a built-in permission set by name (e.g., \"storage/data-read\")"},{"description":"Inline permission set definition","type":"object","required":["id","description","platforms"],"properties":{"description":{"type":"string","description":"Human-readable description of what this permission set allows"},"id":{"type":"string","description":"Unique identifier for the permission set (e.g., \"storage/data-read\")"},"platforms":{"description":"Platform-specific permission configurations","type":"object","properties":{"aws":{"type":["array","null"],"items":{"type":"object","description":"AWS-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"AWS-specific binding specification","required":["resources"],"properties":{"condition":{"type":["object","null"],"description":"Optional condition for additional filtering (rare)","additionalProperties":{"type":"object","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"propertyNames":{"type":"string"}},"resources":{"type":"array","items":{"type":"string"},"description":"Resource ARNs to bind to"}},"additionalProperties":false},"stack":{"type":"object","description":"AWS-specific binding specification","required":["resources"],"properties":{"condition":{"type":["object","null"],"description":"Optional condition for additional filtering 
(rare)","additionalProperties":{"type":"object","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"propertyNames":{"type":"string"}},"resources":{"type":"array","items":{"type":"string"},"description":"Resource ARNs to bind to"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_AwsBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"effect":{"description":"IAM effect. Defaults to Allow.","type":"string","enum":["Allow","Deny"],"x-readme-ref-name":"AwsPermissionEffect"},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"AwsPlatformPermission"},"description":"AWS permission configurations"},"azure":{"type":["array","null"],"items":{"type":"object","description":"Azure-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"Azure-specific binding 
specification","required":["scope"],"properties":{"scope":{"type":"string","description":"Scope (subscription/resource group/resource level)"}},"additionalProperties":false},"stack":{"type":"object","description":"Azure-specific binding specification","required":["scope"],"properties":{"scope":{"type":"string","description":"Scope (subscription/resource group/resource level)"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_AzureBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"AzurePlatformPermission"},"description":"Azure permission configurations"},"gcp":{"type":["array","null"],"items":{"type":"object","description":"GCP-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"GCP-specific binding 
specification","required":["scope"],"properties":{"condition":{"oneOf":[{"type":"null"},{"description":"Optional condition for filtering resources","type":"object","required":["title","expression"],"properties":{"expression":{"type":"string"},"title":{"type":"string"}},"additionalProperties":false,"x-readme-ref-name":"GcpCondition"}]},"scope":{"type":"string","description":"Scope (project/resource level)"}},"additionalProperties":false},"stack":{"type":"object","description":"GCP-specific binding specification","required":["scope"],"properties":{"condition":{"oneOf":[{"type":"null"},{"description":"Optional condition for filtering resources","type":"object","required":["title","expression"],"properties":{"expression":{"type":"string"},"title":{"type":"string"}},"additionalProperties":false,"x-readme-ref-name":"GcpCondition"}]},"scope":{"type":"string","description":"Scope (project/resource level)"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_GcpBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable 
admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"GcpPlatformPermission"},"description":"GCP permission configurations"}},"additionalProperties":false,"x-readme-ref-name":"PlatformPermissions"}},"additionalProperties":false,"x-readme-ref-name":"PermissionSet"}],"description":"Reference to a permission set - either by name or inline definition","x-readme-ref-name":"PermissionSetReference"}},"propertyNames":{"type":"string"},"x-readme-ref-name":"PermissionProfile"}}}],"x-readme-ref-name":"ManagementPermissions"},"profiles":{"type":"object","description":"Permission profiles that define access control for compute services\nKey is the profile name, value is the permission configuration","additionalProperties":{"type":"object","description":"Permission profile that maps resources to permission sets\nKey can be \"*\" for all resources or resource name for specific resource","additionalProperties":{"type":"array","items":{"oneOf":[{"type":"string","description":"Reference to a built-in permission set by name (e.g., \"storage/data-read\")"},{"description":"Inline permission set definition","type":"object","required":["id","description","platforms"],"properties":{"description":{"type":"string","description":"Human-readable description of what this permission set allows"},"id":{"type":"string","description":"Unique identifier for the permission set (e.g., \"storage/data-read\")"},"platforms":{"description":"Platform-specific permission configurations","type":"object","properties":{"aws":{"type":["array","null"],"items":{"type":"object","description":"AWS-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"AWS-specific binding specification","required":["resources"],"properties":{"condition":{"type":["object","null"],"description":"Optional 
condition for additional filtering (rare)","additionalProperties":{"type":"object","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"propertyNames":{"type":"string"}},"resources":{"type":"array","items":{"type":"string"},"description":"Resource ARNs to bind to"}},"additionalProperties":false},"stack":{"type":"object","description":"AWS-specific binding specification","required":["resources"],"properties":{"condition":{"type":["object","null"],"description":"Optional condition for additional filtering (rare)","additionalProperties":{"type":"object","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"propertyNames":{"type":"string"}},"resources":{"type":"array","items":{"type":"string"},"description":"Resource ARNs to bind to"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_AwsBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"effect":{"description":"IAM effect. 
Defaults to Allow.","type":"string","enum":["Allow","Deny"],"x-readme-ref-name":"AwsPermissionEffect"},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"AwsPlatformPermission"},"description":"AWS permission configurations"},"azure":{"type":["array","null"],"items":{"type":"object","description":"Azure-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"Azure-specific binding specification","required":["scope"],"properties":{"scope":{"type":"string","description":"Scope (subscription/resource group/resource level)"}},"additionalProperties":false},"stack":{"type":"object","description":"Azure-specific binding specification","required":["scope"],"properties":{"scope":{"type":"string","description":"Scope (subscription/resource group/resource 
level)"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_AzureBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"AzurePlatformPermission"},"description":"Azure permission configurations"},"gcp":{"type":["array","null"],"items":{"type":"object","description":"GCP-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"GCP-specific binding specification","required":["scope"],"properties":{"condition":{"oneOf":[{"type":"null"},{"description":"Optional condition for filtering resources","type":"object","required":["title","expression"],"properties":{"expression":{"type":"string"},"title":{"type":"string"}},"additionalProperties":false,"x-readme-ref-name":"GcpCondition"}]},"scope":{"type":"string","description":"Scope 
(project/resource level)"}},"additionalProperties":false},"stack":{"type":"object","description":"GCP-specific binding specification","required":["scope"],"properties":{"condition":{"oneOf":[{"type":"null"},{"description":"Optional condition for filtering resources","type":"object","required":["title","expression"],"properties":{"expression":{"type":"string"},"title":{"type":"string"}},"additionalProperties":false,"x-readme-ref-name":"GcpCondition"}]},"scope":{"type":"string","description":"Scope (project/resource level)"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_GcpBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"GcpPlatformPermission"},"description":"GCP permission configurations"}},"additionalProperties":false,"x-readme-ref-name":"PlatformPermissions"}},"additionalProperties":false,"x-readme-ref-name":"PermissionSet"}],"description":"Reference to a permission set - either by name or inline 
definition","x-readme-ref-name":"PermissionSetReference"}},"propertyNames":{"type":"string"},"x-readme-ref-name":"PermissionProfile"},"propertyNames":{"type":"string"}}},"additionalProperties":false,"x-readme-ref-name":"PermissionsConfig"},"resources":{"type":"object","description":"Map of resource IDs to their configurations and lifecycle settings","additionalProperties":{"type":"object","required":["config","lifecycle","dependencies"],"properties":{"config":{"description":"Resource configuration (can be any type of resource)","type":"object","required":["type","id"],"properties":{"id":{"type":"string","description":"The unique identifier for this specific resource instance. Must contain only alphanumeric characters, hyphens, and underscores ([A-Za-z0-9-_]). Maximum 64 characters."},"type":{"type":"string","description":"Resource type identifier that determines the specific kind of resource. This field is used for polymorphic deserialization and resource-specific behavior.","examples":["worker","storage","queue","redis","postgres"],"x-readme-ref-name":"ResourceType"}},"additionalProperties":true,"x-readme-ref-name":"BaseResource"},"dependencies":{"type":"array","items":{"type":"object","description":"New ResourceRef that works with any resource type.\nThis can eventually replace the enum-based ResourceRef for full extensibility.","required":["type","id"],"properties":{"id":{"type":"string"},"type":{"type":"string","description":"Resource type identifier that determines the specific kind of resource. 
This field is used for polymorphic deserialization and resource-specific behavior.","examples":["worker","storage","queue","redis","postgres"],"x-readme-ref-name":"ResourceType"}},"x-readme-ref-name":"ResourceRef"},"description":"Additional dependencies for this resource beyond those defined in the resource itself.\nThe total dependencies are: resource.get_dependencies() + this list"},"lifecycle":{"description":"Lifecycle management configuration for this resource","type":"string","enum":["frozen","live"],"x-readme-ref-name":"ResourceLifecycle"},"remoteAccess":{"type":"boolean","description":"Enable remote bindings for this resource (BYOB use case).\nWhen true, binding params are synced to StackState's `remote_binding_params`.\nDefault: false (prevents sensitive data in synced state)."}},"x-readme-ref-name":"ResourceEntry"},"propertyNames":{"type":"string"}},"supportedPlatforms":{"type":["array","null"],"items":{"type":"string","description":"Represents the target cloud platform.","enum":["aws","gcp","azure","kubernetes","local","test"],"x-readme-ref-name":"Platform"},"description":"Which platforms this stack supports. When None, all platforms are supported."}},"x-readme-ref-name":"Stack"}
1
+ {"type":"object","description":"A bag of resources, unaware of any cloud.","required":["id","resources"],"properties":{"id":{"type":"string","description":"Unique identifier for the stack"},"inputs":{"type":"array","items":{"type":"object","description":"Stack input definition serialized into a release stack.","required":["id","kind","providedBy","required","label","description"],"properties":{"default":{"oneOf":[{"type":"null"},{"description":"Default value for optional/plain inputs.","oneOf":[{"type":"object","description":"String default.","required":["value","type"],"properties":{"type":{"type":"string","enum":["string"]},"value":{"type":"string","description":"String default."}}},{"type":"object","description":"Number default.","required":["value","type"],"properties":{"type":{"type":"string","enum":["number"]},"value":{"type":"string","description":"Number default."}}},{"type":"object","description":"Boolean default.","required":["value","type"],"properties":{"type":{"type":"string","enum":["boolean"]},"value":{"type":"boolean","description":"Boolean default."}}},{"type":"object","description":"String list default.","required":["value","type"],"properties":{"type":{"type":"string","enum":["stringList"]},"value":{"type":"array","items":{"type":"string"},"description":"String list default."}}}],"x-readme-ref-name":"StackInputDefaultValue"}]},"description":{"type":"string","description":"Human-facing helper text."},"env":{"type":"array","items":{"type":"object","description":"How a resolved stack input is injected into runtime environment variables.","required":["name"],"properties":{"name":{"type":"string","description":"Environment variable name."},"targetResources":{"type":["array","null"],"items":{"type":"string"},"description":"Target resource IDs or patterns. None means every env-capable resource."},"type":{"oneOf":[{"type":"null"},{"description":"Whether this env var is plain or secret. 
Defaults from the input kind.","type":"string","enum":["plain","secret"],"x-readme-ref-name":"StackInputEnvironmentVariableType"}]}},"x-readme-ref-name":"StackInputEnvironmentMapping"},"description":"Runtime env-var mappings for v1 input resolution."},"id":{"type":"string","description":"Stable input ID used by CLI/API calls."},"kind":{"description":"Input primitive kind.","type":"string","enum":["string","secret","number","integer","boolean","enum","stringList"],"x-readme-ref-name":"StackInputKind"},"label":{"type":"string","description":"Human-facing field label."},"placeholder":{"type":["string","null"],"description":"Example placeholder shown in UI."},"platforms":{"type":["array","null"],"items":{"type":"string","description":"Represents the target cloud platform.","enum":["aws","gcp","azure","kubernetes","local","test"],"x-readme-ref-name":"Platform"},"description":"Platforms where this input applies."},"providedBy":{"type":"array","items":{"type":"string","description":"Who can provide a stack input value.","enum":["developer","deployer"],"x-readme-ref-name":"StackInputProvider"},"description":"Who can provide this value."},"required":{"type":"boolean","description":"Whether a resolved value is required before deployment can proceed."},"validation":{"oneOf":[{"type":"null"},{"description":"Portable validation constraints.","type":"object","properties":{"format":{"type":["string","null"],"description":"Semantic format hint such as url."},"max":{"type":["string","null"],"description":"Maximum number."},"maxItems":{"type":["integer","null"],"format":"int32","description":"Maximum string-list items.","minimum":0},"maxLength":{"type":["integer","null"],"format":"int32","description":"Maximum string length.","minimum":0},"min":{"type":["string","null"],"description":"Minimum number."},"minItems":{"type":["integer","null"],"format":"int32","description":"Minimum string-list 
items.","minimum":0},"minLength":{"type":["integer","null"],"format":"int32","description":"Minimum string length.","minimum":0},"pattern":{"type":["string","null"],"description":"Portable whole-value regex pattern."},"values":{"type":["array","null"],"items":{"type":"string"},"description":"Allowed string enum values."}},"x-readme-ref-name":"StackInputValidation"}]}},"x-readme-ref-name":"StackInputDefinition"},"description":"Input definitions required before setup or deployment can proceed."},"permissions":{"description":"Combined permissions configuration containing both profiles and management","type":"object","required":["profiles"],"properties":{"management":{"description":"Management permissions configuration for stack management access","oneOf":[{"type":"string","description":"Auto-derived permissions only (default)\nUses resource lifecycles to determine management permissions:\n- Frozen resources: `<type>/management`\n- Live resources: `<type>/provision`","enum":["auto"]},{"type":"object","description":"Add permissions to auto-derived baseline","required":["extend"],"properties":{"extend":{"description":"Add permissions to auto-derived baseline","type":"object","additionalProperties":{"type":"array","items":{"oneOf":[{"type":"string","description":"Reference to a built-in permission set by name (e.g., \"storage/data-read\")"},{"description":"Inline permission set definition","type":"object","required":["id","description","platforms"],"properties":{"description":{"type":"string","description":"Human-readable description of what this permission set allows"},"id":{"type":"string","description":"Unique identifier for the permission set (e.g., \"storage/data-read\")"},"platforms":{"description":"Platform-specific permission configurations","type":"object","properties":{"aws":{"type":["array","null"],"items":{"type":"object","description":"AWS-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to 
bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"AWS-specific binding specification","required":["resources"],"properties":{"condition":{"type":["object","null"],"description":"Optional condition for additional filtering (rare)","additionalProperties":{"type":"object","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"propertyNames":{"type":"string"}},"resources":{"type":"array","items":{"type":"string"},"description":"Resource ARNs to bind to"}},"additionalProperties":false},"stack":{"type":"object","description":"AWS-specific binding specification","required":["resources"],"properties":{"condition":{"type":["object","null"],"description":"Optional condition for additional filtering (rare)","additionalProperties":{"type":"object","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"propertyNames":{"type":"string"}},"resources":{"type":"array","items":{"type":"string"},"description":"Resource ARNs to bind to"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_AwsBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"effect":{"description":"IAM effect. 
Defaults to Allow.","type":"string","enum":["Allow","Deny"],"x-readme-ref-name":"AwsPermissionEffect"},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"AwsPlatformPermission"},"description":"AWS permission configurations"},"azure":{"type":["array","null"],"items":{"type":"object","description":"Azure-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"Azure-specific binding specification","required":["scope"],"properties":{"scope":{"type":"string","description":"Scope (subscription/resource group/resource level)"}},"additionalProperties":false},"stack":{"type":"object","description":"Azure-specific binding specification","required":["scope"],"properties":{"scope":{"type":"string","description":"Scope (subscription/resource group/resource 
level)"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_AzureBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"AzurePlatformPermission"},"description":"Azure permission configurations"},"gcp":{"type":["array","null"],"items":{"type":"object","description":"GCP-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"GCP-specific binding specification","required":["scope"],"properties":{"condition":{"oneOf":[{"type":"null"},{"description":"Optional condition for filtering resources","type":"object","required":["title","expression"],"properties":{"expression":{"type":"string"},"title":{"type":"string"}},"additionalProperties":false,"x-readme-ref-name":"GcpCondition"}]},"scope":{"type":"string","description":"Scope 
(project/resource level)"}},"additionalProperties":false},"stack":{"type":"object","description":"GCP-specific binding specification","required":["scope"],"properties":{"condition":{"oneOf":[{"type":"null"},{"description":"Optional condition for filtering resources","type":"object","required":["title","expression"],"properties":{"expression":{"type":"string"},"title":{"type":"string"}},"additionalProperties":false,"x-readme-ref-name":"GcpCondition"}]},"scope":{"type":"string","description":"Scope (project/resource level)"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_GcpBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"GcpPlatformPermission"},"description":"GCP permission configurations"}},"additionalProperties":false,"x-readme-ref-name":"PlatformPermissions"}},"additionalProperties":false,"x-readme-ref-name":"PermissionSet"}],"description":"Reference to a permission set - either by name or inline 
definition","x-readme-ref-name":"PermissionSetReference"}},"propertyNames":{"type":"string"},"x-readme-ref-name":"PermissionProfile"}}},{"type":"object","description":"Replace auto-derived permissions entirely","required":["override"],"properties":{"override":{"description":"Replace auto-derived permissions entirely","type":"object","additionalProperties":{"type":"array","items":{"oneOf":[{"type":"string","description":"Reference to a built-in permission set by name (e.g., \"storage/data-read\")"},{"description":"Inline permission set definition","type":"object","required":["id","description","platforms"],"properties":{"description":{"type":"string","description":"Human-readable description of what this permission set allows"},"id":{"type":"string","description":"Unique identifier for the permission set (e.g., \"storage/data-read\")"},"platforms":{"description":"Platform-specific permission configurations","type":"object","properties":{"aws":{"type":["array","null"],"items":{"type":"object","description":"AWS-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"AWS-specific binding specification","required":["resources"],"properties":{"condition":{"type":["object","null"],"description":"Optional condition for additional filtering (rare)","additionalProperties":{"type":"object","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"propertyNames":{"type":"string"}},"resources":{"type":"array","items":{"type":"string"},"description":"Resource ARNs to bind to"}},"additionalProperties":false},"stack":{"type":"object","description":"AWS-specific binding specification","required":["resources"],"properties":{"condition":{"type":["object","null"],"description":"Optional condition for additional filtering 
(rare)","additionalProperties":{"type":"object","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"propertyNames":{"type":"string"}},"resources":{"type":"array","items":{"type":"string"},"description":"Resource ARNs to bind to"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_AwsBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"effect":{"description":"IAM effect. Defaults to Allow.","type":"string","enum":["Allow","Deny"],"x-readme-ref-name":"AwsPermissionEffect"},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"AwsPlatformPermission"},"description":"AWS permission configurations"},"azure":{"type":["array","null"],"items":{"type":"object","description":"Azure-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"Azure-specific binding 
specification","required":["scope"],"properties":{"scope":{"type":"string","description":"Scope (subscription/resource group/resource level)"}},"additionalProperties":false},"stack":{"type":"object","description":"Azure-specific binding specification","required":["scope"],"properties":{"scope":{"type":"string","description":"Scope (subscription/resource group/resource level)"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_AzureBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"AzurePlatformPermission"},"description":"Azure permission configurations"},"gcp":{"type":["array","null"],"items":{"type":"object","description":"GCP-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"GCP-specific binding 
specification","required":["scope"],"properties":{"condition":{"oneOf":[{"type":"null"},{"description":"Optional condition for filtering resources","type":"object","required":["title","expression"],"properties":{"expression":{"type":"string"},"title":{"type":"string"}},"additionalProperties":false,"x-readme-ref-name":"GcpCondition"}]},"scope":{"type":"string","description":"Scope (project/resource level)"}},"additionalProperties":false},"stack":{"type":"object","description":"GCP-specific binding specification","required":["scope"],"properties":{"condition":{"oneOf":[{"type":"null"},{"description":"Optional condition for filtering resources","type":"object","required":["title","expression"],"properties":{"expression":{"type":"string"},"title":{"type":"string"}},"additionalProperties":false,"x-readme-ref-name":"GcpCondition"}]},"scope":{"type":"string","description":"Scope (project/resource level)"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_GcpBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable 
admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"GcpPlatformPermission"},"description":"GCP permission configurations"}},"additionalProperties":false,"x-readme-ref-name":"PlatformPermissions"}},"additionalProperties":false,"x-readme-ref-name":"PermissionSet"}],"description":"Reference to a permission set - either by name or inline definition","x-readme-ref-name":"PermissionSetReference"}},"propertyNames":{"type":"string"},"x-readme-ref-name":"PermissionProfile"}}}],"x-readme-ref-name":"ManagementPermissions"},"profiles":{"type":"object","description":"Permission profiles that define access control for compute services\nKey is the profile name, value is the permission configuration","additionalProperties":{"type":"object","description":"Permission profile that maps resources to permission sets\nKey can be \"*\" for all resources or resource name for specific resource","additionalProperties":{"type":"array","items":{"oneOf":[{"type":"string","description":"Reference to a built-in permission set by name (e.g., \"storage/data-read\")"},{"description":"Inline permission set definition","type":"object","required":["id","description","platforms"],"properties":{"description":{"type":"string","description":"Human-readable description of what this permission set allows"},"id":{"type":"string","description":"Unique identifier for the permission set (e.g., \"storage/data-read\")"},"platforms":{"description":"Platform-specific permission configurations","type":"object","properties":{"aws":{"type":["array","null"],"items":{"type":"object","description":"AWS-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"AWS-specific binding specification","required":["resources"],"properties":{"condition":{"type":["object","null"],"description":"Optional 
condition for additional filtering (rare)","additionalProperties":{"type":"object","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"propertyNames":{"type":"string"}},"resources":{"type":"array","items":{"type":"string"},"description":"Resource ARNs to bind to"}},"additionalProperties":false},"stack":{"type":"object","description":"AWS-specific binding specification","required":["resources"],"properties":{"condition":{"type":["object","null"],"description":"Optional condition for additional filtering (rare)","additionalProperties":{"type":"object","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"propertyNames":{"type":"string"}},"resources":{"type":"array","items":{"type":"string"},"description":"Resource ARNs to bind to"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_AwsBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"effect":{"description":"IAM effect. 
Defaults to Allow.","type":"string","enum":["Allow","Deny"],"x-readme-ref-name":"AwsPermissionEffect"},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"AwsPlatformPermission"},"description":"AWS permission configurations"},"azure":{"type":["array","null"],"items":{"type":"object","description":"Azure-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"Azure-specific binding specification","required":["scope"],"properties":{"scope":{"type":"string","description":"Scope (subscription/resource group/resource level)"}},"additionalProperties":false},"stack":{"type":"object","description":"Azure-specific binding specification","required":["scope"],"properties":{"scope":{"type":"string","description":"Scope (subscription/resource group/resource 
level)"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_AzureBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"AzurePlatformPermission"},"description":"Azure permission configurations"},"gcp":{"type":["array","null"],"items":{"type":"object","description":"GCP-specific platform permission configuration","required":["grant","binding"],"properties":{"binding":{"description":"How to bind the permissions (stack vs resource scope)","type":"object","properties":{"resource":{"type":"object","description":"GCP-specific binding specification","required":["scope"],"properties":{"condition":{"oneOf":[{"type":"null"},{"description":"Optional condition for filtering resources","type":"object","required":["title","expression"],"properties":{"expression":{"type":"string"},"title":{"type":"string"}},"additionalProperties":false,"x-readme-ref-name":"GcpCondition"}]},"scope":{"type":"string","description":"Scope 
(project/resource level)"}},"additionalProperties":false},"stack":{"type":"object","description":"GCP-specific binding specification","required":["scope"],"properties":{"condition":{"oneOf":[{"type":"null"},{"description":"Optional condition for filtering resources","type":"object","required":["title","expression"],"properties":{"expression":{"type":"string"},"title":{"type":"string"}},"additionalProperties":false,"x-readme-ref-name":"GcpCondition"}]},"scope":{"type":"string","description":"Scope (project/resource level)"}},"additionalProperties":false}},"additionalProperties":false,"x-readme-ref-name":"BindingConfiguration_GcpBindingSpec"},"description":{"type":["string","null"],"description":"Short admin-facing description of why this entry exists."},"grant":{"description":"What permissions to grant","type":"object","properties":{"actions":{"type":["array","null"],"items":{"type":"string"},"description":"AWS IAM actions (only for AWS)"},"dataActions":{"type":["array","null"],"items":{"type":"string"},"description":"Azure actions (only for Azure)"},"permissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP permissions that require an exact residual custom role."},"predefinedRoles":{"type":["array","null"],"items":{"type":"string"},"description":"Provider predefined roles to bind directly."},"residualPermissions":{"type":["array","null"],"items":{"type":"string"},"description":"GCP residual custom permissions to pair with predefined roles."}},"additionalProperties":false,"x-readme-ref-name":"PermissionGrant"},"label":{"type":["string","null"],"description":"Stable admin-facing label for this permission entry."}},"additionalProperties":false,"x-readme-ref-name":"GcpPlatformPermission"},"description":"GCP permission configurations"}},"additionalProperties":false,"x-readme-ref-name":"PlatformPermissions"}},"additionalProperties":false,"x-readme-ref-name":"PermissionSet"}],"description":"Reference to a permission set - either by name or inline 
definition","x-readme-ref-name":"PermissionSetReference"}},"propertyNames":{"type":"string"},"x-readme-ref-name":"PermissionProfile"},"propertyNames":{"type":"string"}}},"additionalProperties":false,"x-readme-ref-name":"PermissionsConfig"},"resources":{"type":"object","description":"Map of resource IDs to their configurations and lifecycle settings","additionalProperties":{"type":"object","required":["config","lifecycle","dependencies"],"properties":{"config":{"description":"Resource configuration (can be any type of resource)","type":"object","required":["type","id"],"properties":{"id":{"type":"string","description":"The unique identifier for this specific resource instance. Must contain only alphanumeric characters, hyphens, and underscores ([A-Za-z0-9-_]). Maximum 64 characters."},"type":{"type":"string","description":"Resource type identifier that determines the specific kind of resource. This field is used for polymorphic deserialization and resource-specific behavior.","examples":["worker","storage","queue","redis","postgres"],"x-readme-ref-name":"ResourceType"}},"additionalProperties":true,"x-readme-ref-name":"BaseResource"},"dependencies":{"type":"array","items":{"type":"object","description":"New ResourceRef that works with any resource type.\nThis can eventually replace the enum-based ResourceRef for full extensibility.","required":["type","id"],"properties":{"id":{"type":"string"},"type":{"type":"string","description":"Resource type identifier that determines the specific kind of resource. 
This field is used for polymorphic deserialization and resource-specific behavior.","examples":["worker","storage","queue","redis","postgres"],"x-readme-ref-name":"ResourceType"}},"x-readme-ref-name":"ResourceRef"},"description":"Additional dependencies for this resource beyond those defined in the resource itself.\nThe total dependencies are: resource.get_dependencies() + this list"},"lifecycle":{"description":"Lifecycle management configuration for this resource","type":"string","enum":["frozen","live"],"x-readme-ref-name":"ResourceLifecycle"},"remoteAccess":{"type":"boolean","description":"Enable remote bindings for this resource (BYOB use case).\nWhen true, binding params are synced to StackState's `remote_binding_params`.\nDefault: false (prevents sensitive data in synced state)."}},"x-readme-ref-name":"ResourceEntry"},"propertyNames":{"type":"string"}},"supportedPlatforms":{"type":["array","null"],"items":{"type":"string","description":"Represents the target cloud platform.","enum":["aws","gcp","azure","kubernetes","local","test"],"x-readme-ref-name":"Platform"},"description":"Which platforms this stack supports. When None, all platforms are supported."}},"x-readme-ref-name":"Stack"}
@@ -1 +1 @@
1
- {"type":"object","description":"Request body for manager-side stack import.","required":["setupImportFormatVersion","deploymentGroupToken","deploymentName","resourcePrefix","platform","region","setupTarget","setupFingerprint","setupFingerprintVersion","stackSettings","resources"],"properties":{"basePlatform":{"oneOf":[{"type":"null"},{"type":"string","description":"Optional base cloud platform for Kubernetes setup targets such as\nEKS/GKE/AKS. The runtime platform remains Kubernetes.","enum":["aws","gcp","azure","kubernetes","local","test"],"x-readme-ref-name":"Platform"}]},"deploymentGroupToken":{"type":"string","description":"Deployment-group token authorizing the import."},"deploymentName":{"type":"string","description":"User-chosen deployment name. Must be unique within the deployment\ngroup; the manager returns 409 on collision rather than silently\nresolving to an existing deployment. Each setup adapter picks\nthe natural source: CloudFormation defaults to the CFN stack name,\nHelm to `{namespace}/{release}`, Terraform requires an explicit\n`name` attribute on the `alien_deployment` resource."},"managementConfig":{"oneOf":[{"type":"null"},{"description":"Platform-derived management configuration, when this setup creates a\ncross-account/cross-tenant management identity.","oneOf":[{"allOf":[{"description":"AWS management configuration","type":"object","required":["managingRoleArn"],"properties":{"managingRoleArn":{"type":"string","description":"The managing AWS IAM role ARN that can assume cross-account roles"}},"x-readme-ref-name":"AwsManagementConfig"},{"type":"object","required":["platform"],"properties":{"platform":{"type":"string","enum":["aws"]}}}],"description":"AWS management configuration"},{"allOf":[{"description":"GCP management configuration","type":"object","required":["serviceAccountEmail"],"properties":{"serviceAccountEmail":{"type":"string","description":"Service account email for management 
roles"}},"x-readme-ref-name":"GcpManagementConfig"},{"type":"object","required":["platform"],"properties":{"platform":{"type":"string","enum":["gcp"]}}}],"description":"GCP management configuration"},{"allOf":[{"description":"Azure management configuration","type":"object","required":["managingTenantId","oidcIssuer","oidcSubject"],"properties":{"managingTenantId":{"type":"string","description":"The managing Azure Tenant ID for cross-tenant access"},"oidcIssuer":{"type":"string","description":"OIDC issuer URL trusted by the target-side managed identity."},"oidcSubject":{"type":"string","description":"OIDC subject claim trusted by the target-side managed identity."}},"x-readme-ref-name":"AzureManagementConfig"},{"type":"object","required":["platform"],"properties":{"platform":{"type":"string","enum":["azure"]}}}],"description":"Azure management configuration"},{"type":"object","description":"Kubernetes management configuration (minimal for now)","required":["platform"],"properties":{"platform":{"type":"string","enum":["kubernetes"]}}}],"x-readme-ref-name":"ManagementConfig"}]},"platform":{"type":"string","description":"Platform being imported.","enum":["aws","gcp","azure","kubernetes","local","test"],"x-readme-ref-name":"Platform"},"region":{"type":"string","description":"Region or location reported by the setup artifact."},"releaseId":{"type":["string","null"],"description":"Optional release id that produced the setup package. When\nomitted, the manager imports against the latest release."},"resourcePrefix":{"type":"string","description":"Stable physical-name prefix used by the setup package for generated\nresources. 
Runtime controllers use it when addressing imported\nresources."},"resources":{"type":"array","items":{"type":"object","description":"One resolved resource import payload.","required":["id","type","importData"],"properties":{"id":{"type":"string","description":"Resource id from the active stack."},"importData":{"type":"object","description":"Resolved typed payload for this resource."},"type":{"type":"string","description":"Resource type from the active stack.","examples":["worker","storage","queue","redis","postgres"],"x-readme-ref-name":"ResourceType"}},"x-readme-ref-name":"ImportedResource"},"description":"Imported resources with typed per-resource payloads."},"setupFingerprint":{"type":"string","description":"Setup compatibility fingerprint embedded in the package."},"setupFingerprintVersion":{"type":"integer","format":"int32","description":"Setup fingerprint algorithm version embedded in the package.","minimum":0},"setupImportFormatVersion":{"type":"integer","format":"int32","description":"Wire-format version for the setup import payload.","minimum":0},"setupMetadata":{"description":"Setup source metadata needed by the control plane to guide privileged\nteardown. The manager treats this as opaque JSON."},"setupTarget":{"type":"string","description":"Setup target this package was generated for."},"sourceKind":{"oneOf":[{"type":"null"},{"description":"Optional source label for observability. Does not affect import\nbehavior — the manager dispatches the same `ImporterRegistry`\nregardless of which setup package emitted the payload.","type":"string","enum":["cloudformation","terraform","helm"],"x-readme-ref-name":"ImportSourceKind"}]},"stackSettings":{"description":"Resolved stack settings supplied by the setup artifact.","type":"object","properties":{"deploymentModel":{"description":"Deployment model: push (Manager) or pull (Agent).\nDefault: Push.\n- Push: Manager drives updates. 
For cloud platforms, requires cross-account\n credentials established during initial setup. For push-mode local\n deployments (currently `alien dev`), the manager has direct access —\n no bootstrap needed.\n- Pull: Agent in the target environment drives updates via polling.\n Required for Kubernetes and remote local deployments.","type":"string","enum":["push","pull"],"x-readme-ref-name":"DeploymentModel"},"domains":{"oneOf":[{"type":"null"},{"description":"Domain configuration (future).","type":"object","properties":{"customDomains":{"type":["object","null"],"description":"Custom domain configuration per resource ID.","additionalProperties":{"type":"object","description":"Custom domain configuration for a single resource.","required":["domain","certificate"],"properties":{"certificate":{"description":"Customer-provided certificate reference.","type":"object","properties":{"aws":{"oneOf":[{"type":"null"},{"description":"AWS ACM certificate ARN","type":"object","required":["certificateArn"],"properties":{"certificateArn":{"type":"string"}},"x-readme-ref-name":"AwsCustomCertificateConfig"}]},"azure":{"oneOf":[{"type":"null"},{"description":"Azure Key Vault certificate ID","type":"object","required":["keyVaultCertificateId"],"properties":{"keyVaultCertificateId":{"type":"string"},"keyVaultResourceId":{"type":["string","null"]}},"x-readme-ref-name":"AzureCustomCertificateConfig"}]},"gcp":{"oneOf":[{"type":"null"},{"description":"GCP Certificate Manager certificate name","type":"object","required":["certificateName"],"properties":{"certificateName":{"type":"string"}},"x-readme-ref-name":"GcpCustomCertificateConfig"}]},"kubernetes":{"oneOf":[{"type":"null"},{"description":"Kubernetes TLS Secret reference for Secret-backed route profiles.","type":"object","required":["tlsSecretRef"],"properties":{"tlsSecretRef":{"description":"Existing TLS Secret containing `tls.crt` and 
`tls.key`.","type":"object","required":["secretName"],"properties":{"namespace":{"type":["string","null"],"description":"Secret namespace. Defaults to the release namespace when omitted."},"secretName":{"type":"string","description":"Secret name."}},"x-readme-ref-name":"KubernetesTlsSecretRef"}},"x-readme-ref-name":"KubernetesCustomCertificateConfig"}]}},"x-readme-ref-name":"CustomCertificateConfig"},"domain":{"type":"string","description":"Fully qualified domain name to use."}},"x-readme-ref-name":"CustomDomainConfig"},"propertyNames":{"type":"string"}}},"x-readme-ref-name":"DomainSettings"}]},"externalBindings":{"type":["object","null"],"description":"External bindings for pre-existing infrastructure.\nAllows using existing resources (MinIO, Redis, shared Container Apps\nEnvironment, etc.) instead of having Alien provision them.\nRequired for Kubernetes platform, optional for cloud platforms."},"heartbeats":{"description":"How heartbeat health checks are handled.\n- off: No heartbeat permissions\n- on: Heartbeat enabled (default)","type":"string","enum":["off","on"],"x-readme-ref-name":"HeartbeatsMode"},"kubernetes":{"oneOf":[{"type":"null"},{"description":"Kubernetes runtime substrate configuration.","type":"object","properties":{"cluster":{"oneOf":[{"type":"null"},{"description":"Cluster selection or creation settings.","type":"object","required":["ownership"],"properties":{"cloud":{"oneOf":[{"type":"null"},{"description":"Optional provider-specific cloud identity for existing clusters.","type":"object","properties":{"accountId":{"type":["string","null"]},"clusterId":{"type":["string","null"]},"clusterName":{"type":["string","null"]},"projectId":{"type":["string","null"]},"region":{"type":["string","null"]},"resourceGroup":{"type":["string","null"]},"subscriptionId":{"type":["string","null"]}},"additionalProperties":false,"x-readme-ref-name":"KubernetesCloudReference"}]},"namespace":{"type":["string","null"],"description":"Namespace where the Alien chart and 
application resources run."},"ownership":{"description":"Whether Alien should create the cluster, use a setup-owned existing\ncluster, or bind to an external/on-prem cluster.","type":"string","enum":["managed","existing","external"],"x-readme-ref-name":"KubernetesClusterOwnership"}},"x-readme-ref-name":"KubernetesClusterSettings"}]},"exposure":{"oneOf":[{"type":"null"},{"description":"Public HTTPS exposure contract shared by setup, Helm, and runtime.","oneOf":[{"type":"object","description":"Do not create Alien-managed external routing.","required":["mode"],"properties":{"mode":{"type":"string","enum":["disabled"]}}},{"type":"object","description":"Use Alien-generated DNS and Platform-managed certificate material.","required":["route","certificate","mode"],"properties":{"certificate":{"description":"How managed certificate material reaches the route profile.","oneOf":[{"type":"object","description":"Platform-managed cert imported into AWS ACM by the runtime.","required":["mode"],"properties":{"mode":{"type":"string","enum":["managedAcmImport"]},"region":{"type":["string","null"],"description":"ACM region. Defaults to the deployment region when omitted."},"tags":{"type":"object","description":"Tags applied to runtime-imported ACM certificates.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}}}},{"type":"object","description":"Customer-provided AWS ACM certificate ARN.","required":["certificateArn","mode"],"properties":{"certificateArn":{"type":"string","description":"Existing ACM certificate ARN."},"mode":{"type":"string","enum":["awsAcmArn"]}}},{"type":"object","description":"Platform-managed cert written to a Kubernetes TLS Secret.","required":["secretNameTemplate","mode"],"properties":{"mode":{"type":"string","enum":["managedTlsSecret"]},"secretNameTemplate":{"type":"string","description":"Secret name template. 
Runtime may substitute resource/deployment tokens."}}},{"allOf":[{"description":"Customer-provided Kubernetes TLS Secret.","type":"object","required":["secretName"],"properties":{"namespace":{"type":["string","null"],"description":"Secret namespace. Defaults to the release namespace when omitted."},"secretName":{"type":"string","description":"Secret name."}},"x-readme-ref-name":"KubernetesTlsSecretRef"},{"type":"object","required":["mode"],"properties":{"mode":{"type":"string","enum":["tlsSecretRef"]}}}],"description":"Customer-provided Kubernetes TLS Secret."},{"type":"object","description":"No TLS certificate should be configured by Alien.","required":["mode"],"properties":{"mode":{"type":"string","enum":["none"]}}}],"x-readme-ref-name":"KubernetesCertificateMode"},"mode":{"type":"string","enum":["generated"]},"route":{"description":"Runtime route profile to materialize.","oneOf":[{"allOf":[{"description":"`networking.k8s.io/v1` Ingress route profile.","type":"object","required":["ingressClassName"],"properties":{"annotations":{"type":"object","description":"Annotations applied to route objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"controller":{"type":["string","null"],"description":"Route controller identifier, for example `eks.amazonaws.com/alb`."},"ingressClassName":{"type":"string","description":"`spec.ingressClassName` for generated Ingresses."},"labels":{"type":"object","description":"Labels applied to route objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"provider":{"oneOf":[{"type":"null"},{"description":"Provider-specific route options that are required by the selected class.","oneOf":[{"type":"object","description":"AWS ALB route options for EKS.","required":["scheme","targetType","provider"],"properties":{"ipAddressType":{"type":["string","null"],"description":"Optional ALB IP address type, such as 
`dualstack`."},"provider":{"type":"string","enum":["awsAlb"]},"scheme":{"type":"string","description":"Internet-facing or internal ALB scheme."},"subnetIds":{"type":"array","items":{"type":"string"},"description":"Explicit subnet IDs when the profile cannot rely on controller discovery."},"targetType":{"type":"string","description":"ALB target type, usually `ip`."}}},{"type":"object","description":"GKE Gateway route options.","required":["provider"],"properties":{"provider":{"type":"string","enum":["gkeGateway"]},"staticAddressName":{"type":["string","null"],"description":"Optional static address name for the Gateway frontend."}}},{"type":"object","description":"Azure Application Gateway for Containers route options.","required":["frontend","provider"],"properties":{"albName":{"type":["string","null"],"description":"Optional ALB name when using BYO Application Gateway resources."},"albNamespace":{"type":["string","null"],"description":"Optional ALB namespace when using BYO Application Gateway resources."},"frontend":{"type":"string","description":"Public or internal frontend exposure."},"provider":{"type":"string","enum":["azureApplicationGatewayForContainers"]}}}],"x-readme-ref-name":"KubernetesRouteProviderOptions"}]}},"x-readme-ref-name":"KubernetesIngressRouteProfile"},{"type":"object","required":["routeApi"],"properties":{"routeApi":{"type":"string","enum":["ingress"]}}}],"description":"`networking.k8s.io/v1` Ingress route profile."},{"allOf":[{"description":"Gateway API `Gateway` + `HTTPRoute` route profile.","type":"object","required":["gatewayClassName","listenerPort"],"properties":{"annotations":{"type":"object","description":"Annotations applied to route objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"controller":{"type":["string","null"],"description":"Route controller identifier, for example a cloud Gateway controller."},"gatewayClassName":{"type":"string","description":"GatewayClass selected for generated 
Gateways."},"labels":{"type":"object","description":"Labels applied to route objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"listenerPort":{"type":"integer","format":"int32","description":"Listener port, usually 443.","minimum":0},"provider":{"oneOf":[{"type":"null"},{"description":"Provider-specific route options that are required by the selected class.","oneOf":[{"type":"object","description":"AWS ALB route options for EKS.","required":["scheme","targetType","provider"],"properties":{"ipAddressType":{"type":["string","null"],"description":"Optional ALB IP address type, such as `dualstack`."},"provider":{"type":"string","enum":["awsAlb"]},"scheme":{"type":"string","description":"Internet-facing or internal ALB scheme."},"subnetIds":{"type":"array","items":{"type":"string"},"description":"Explicit subnet IDs when the profile cannot rely on controller discovery."},"targetType":{"type":"string","description":"ALB target type, usually `ip`."}}},{"type":"object","description":"GKE Gateway route options.","required":["provider"],"properties":{"provider":{"type":"string","enum":["gkeGateway"]},"staticAddressName":{"type":["string","null"],"description":"Optional static address name for the Gateway frontend."}}},{"type":"object","description":"Azure Application Gateway for Containers route options.","required":["frontend","provider"],"properties":{"albName":{"type":["string","null"],"description":"Optional ALB name when using BYO Application Gateway resources."},"albNamespace":{"type":["string","null"],"description":"Optional ALB namespace when using BYO Application Gateway resources."},"frontend":{"type":"string","description":"Public or internal frontend 
exposure."},"provider":{"type":"string","enum":["azureApplicationGatewayForContainers"]}}}],"x-readme-ref-name":"KubernetesRouteProviderOptions"}]}},"x-readme-ref-name":"KubernetesGatewayRouteProfile"},{"type":"object","required":["routeApi"],"properties":{"routeApi":{"type":"string","enum":["gateway"]}}}],"description":"Gateway API `Gateway` + `HTTPRoute` route profile."}],"x-readme-ref-name":"KubernetesRouteProfile"}}},{"type":"object","description":"Use a customer hostname and customer-owned certificate reference.","required":["domain","route","certificate","mode"],"properties":{"certificate":{"description":"Customer-owned certificate reference consumed by the route profile.","oneOf":[{"type":"object","description":"Platform-managed cert imported into AWS ACM by the runtime.","required":["mode"],"properties":{"mode":{"type":"string","enum":["managedAcmImport"]},"region":{"type":["string","null"],"description":"ACM region. Defaults to the deployment region when omitted."},"tags":{"type":"object","description":"Tags applied to runtime-imported ACM certificates.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}}}},{"type":"object","description":"Customer-provided AWS ACM certificate ARN.","required":["certificateArn","mode"],"properties":{"certificateArn":{"type":"string","description":"Existing ACM certificate ARN."},"mode":{"type":"string","enum":["awsAcmArn"]}}},{"type":"object","description":"Platform-managed cert written to a Kubernetes TLS Secret.","required":["secretNameTemplate","mode"],"properties":{"mode":{"type":"string","enum":["managedTlsSecret"]},"secretNameTemplate":{"type":"string","description":"Secret name template. Runtime may substitute resource/deployment tokens."}}},{"allOf":[{"description":"Customer-provided Kubernetes TLS Secret.","type":"object","required":["secretName"],"properties":{"namespace":{"type":["string","null"],"description":"Secret namespace. 
Defaults to the release namespace when omitted."},"secretName":{"type":"string","description":"Secret name."}},"x-readme-ref-name":"KubernetesTlsSecretRef"},{"type":"object","required":["mode"],"properties":{"mode":{"type":"string","enum":["tlsSecretRef"]}}}],"description":"Customer-provided Kubernetes TLS Secret."},{"type":"object","description":"No TLS certificate should be configured by Alien.","required":["mode"],"properties":{"mode":{"type":"string","enum":["none"]}}}],"x-readme-ref-name":"KubernetesCertificateMode"},"domain":{"type":"string","description":"Hostname routed by the Kubernetes public endpoint."},"mode":{"type":"string","enum":["custom"]},"route":{"description":"Runtime route profile to materialize.","oneOf":[{"allOf":[{"description":"`networking.k8s.io/v1` Ingress route profile.","type":"object","required":["ingressClassName"],"properties":{"annotations":{"type":"object","description":"Annotations applied to route objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"controller":{"type":["string","null"],"description":"Route controller identifier, for example `eks.amazonaws.com/alb`."},"ingressClassName":{"type":"string","description":"`spec.ingressClassName` for generated Ingresses."},"labels":{"type":"object","description":"Labels applied to route objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"provider":{"oneOf":[{"type":"null"},{"description":"Provider-specific route options that are required by the selected class.","oneOf":[{"type":"object","description":"AWS ALB route options for EKS.","required":["scheme","targetType","provider"],"properties":{"ipAddressType":{"type":["string","null"],"description":"Optional ALB IP address type, such as `dualstack`."},"provider":{"type":"string","enum":["awsAlb"]},"scheme":{"type":"string","description":"Internet-facing or internal ALB scheme."},"subnetIds":{"type":"array","items":{"type":"string"},"description":"Explicit subnet IDs 
when the profile cannot rely on controller discovery."},"targetType":{"type":"string","description":"ALB target type, usually `ip`."}}},{"type":"object","description":"GKE Gateway route options.","required":["provider"],"properties":{"provider":{"type":"string","enum":["gkeGateway"]},"staticAddressName":{"type":["string","null"],"description":"Optional static address name for the Gateway frontend."}}},{"type":"object","description":"Azure Application Gateway for Containers route options.","required":["frontend","provider"],"properties":{"albName":{"type":["string","null"],"description":"Optional ALB name when using BYO Application Gateway resources."},"albNamespace":{"type":["string","null"],"description":"Optional ALB namespace when using BYO Application Gateway resources."},"frontend":{"type":"string","description":"Public or internal frontend exposure."},"provider":{"type":"string","enum":["azureApplicationGatewayForContainers"]}}}],"x-readme-ref-name":"KubernetesRouteProviderOptions"}]}},"x-readme-ref-name":"KubernetesIngressRouteProfile"},{"type":"object","required":["routeApi"],"properties":{"routeApi":{"type":"string","enum":["ingress"]}}}],"description":"`networking.k8s.io/v1` Ingress route profile."},{"allOf":[{"description":"Gateway API `Gateway` + `HTTPRoute` route profile.","type":"object","required":["gatewayClassName","listenerPort"],"properties":{"annotations":{"type":"object","description":"Annotations applied to route objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"controller":{"type":["string","null"],"description":"Route controller identifier, for example a cloud Gateway controller."},"gatewayClassName":{"type":"string","description":"GatewayClass selected for generated Gateways."},"labels":{"type":"object","description":"Labels applied to route objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"listenerPort":{"type":"integer","format":"int32","description":"Listener port, 
usually 443.","minimum":0},"provider":{"oneOf":[{"type":"null"},{"description":"Provider-specific route options that are required by the selected class.","oneOf":[{"type":"object","description":"AWS ALB route options for EKS.","required":["scheme","targetType","provider"],"properties":{"ipAddressType":{"type":["string","null"],"description":"Optional ALB IP address type, such as `dualstack`."},"provider":{"type":"string","enum":["awsAlb"]},"scheme":{"type":"string","description":"Internet-facing or internal ALB scheme."},"subnetIds":{"type":"array","items":{"type":"string"},"description":"Explicit subnet IDs when the profile cannot rely on controller discovery."},"targetType":{"type":"string","description":"ALB target type, usually `ip`."}}},{"type":"object","description":"GKE Gateway route options.","required":["provider"],"properties":{"provider":{"type":"string","enum":["gkeGateway"]},"staticAddressName":{"type":["string","null"],"description":"Optional static address name for the Gateway frontend."}}},{"type":"object","description":"Azure Application Gateway for Containers route options.","required":["frontend","provider"],"properties":{"albName":{"type":["string","null"],"description":"Optional ALB name when using BYO Application Gateway resources."},"albNamespace":{"type":["string","null"],"description":"Optional ALB namespace when using BYO Application Gateway resources."},"frontend":{"type":"string","description":"Public or internal frontend exposure."},"provider":{"type":"string","enum":["azureApplicationGatewayForContainers"]}}}],"x-readme-ref-name":"KubernetesRouteProviderOptions"}]}},"x-readme-ref-name":"KubernetesGatewayRouteProfile"},{"type":"object","required":["routeApi"],"properties":{"routeApi":{"type":"string","enum":["gateway"]}}}],"description":"Gateway API `Gateway` + `HTTPRoute` route 
profile."}],"x-readme-ref-name":"KubernetesRouteProfile"}}}],"x-readme-ref-name":"KubernetesExposureSettings"}]}},"x-readme-ref-name":"KubernetesSettings"}]},"network":{"oneOf":[{"type":"null"},{"description":"Network configuration for the stack (VPC/VNet settings).\nIf `None`, an isolated VPC with NAT is auto-created when the stack has resources\nthat require networking (e.g., containers). Set explicitly to customize:\n`UseDefault` for the provider's default network (fast, dev/test only),\n`Create` for an isolated VPC with managed NAT (production), or `ByoVpc*`\nto reference an existing customer-managed VPC.","oneOf":[{"type":"object","description":"Use the cloud provider's default VPC/network.\n\nDesigned for fast dev/test provisioning. No isolated VPC is created, so there\nis nothing to wait for or clean up. VMs receive ephemeral public IPs for internet\naccess — no NAT gateway is provisioned.\n\n- **AWS**: Discovers the account's default VPC. Subnets are public with auto-assigned IPs.\n- **GCP**: Discovers the project's `default` network and regional subnet. Instance\n templates include an `AccessConfig` to assign an ephemeral external IP.\n- **Azure**: Azure has no default VNet, so one is created along with a NAT Gateway.\n VMs stay private and use NAT for egress.\n\nNot recommended for production. Use `Create` instead.","required":["type"],"properties":{"type":{"type":"string","enum":["use-default"]}}},{"type":"object","description":"Create a new isolated VPC/VNet with a managed NAT gateway.\n\nAll networking infrastructure is provisioned by Alien and cleaned up on delete.\nVMs use private IPs only; all outbound traffic routes through the NAT gateway.\n\nRecommended for production deployments.","required":["type"],"properties":{"availability_zones":{"type":"integer","format":"int32","description":"Number of availability zones (default: 2).","minimum":0},"cidr":{"type":["string","null"],"description":"VPC/VNet CIDR block. 
If not specified, auto-generated from stack ID\nto reduce conflicts (e.g., \"10.{hash}.0.0/16\")."},"type":{"type":"string","enum":["create"]}}},{"type":"object","description":"Use an existing VPC (AWS).\n\nAlien validates the references but creates no networking infrastructure.\nThe customer is responsible for routing and egress (NAT, proxy, VPN, etc.).","required":["vpc_id","public_subnet_ids","private_subnet_ids","type"],"properties":{"private_subnet_ids":{"type":"array","items":{"type":"string"},"description":"IDs of private subnets"},"public_subnet_ids":{"type":"array","items":{"type":"string"},"description":"IDs of public subnets (required for public ingress)"},"security_group_ids":{"type":"array","items":{"type":"string"},"description":"Optional security group IDs to use"},"type":{"type":"string","enum":["byo-vpc-aws"]},"vpc_id":{"type":"string","description":"The ID of the existing VPC"}}},{"type":"object","description":"Use an existing VPC (GCP).\n\nAlien validates the references but creates no networking infrastructure.\nThe customer is responsible for routing and egress (Cloud NAT, proxy, VPN, etc.).","required":["network_name","subnet_name","region","type"],"properties":{"network_name":{"type":"string","description":"The name of the existing VPC network"},"region":{"type":"string","description":"The region of the subnet"},"subnet_name":{"type":"string","description":"The name of the subnet to use"},"type":{"type":"string","enum":["byo-vpc-gcp"]}}},{"type":"object","description":"Use an existing VNet (Azure).\n\nAlien validates the references but creates no networking infrastructure.\nThe customer is responsible for routing and egress (NAT Gateway, proxy, VPN, etc.).","required":["vnet_resource_id","public_subnet_name","private_subnet_name","type"],"properties":{"application_gateway_subnet_name":{"type":["string","null"],"description":"Name of the dedicated classic Application Gateway subnet within the 
VNet."},"private_subnet_name":{"type":"string","description":"Name of the private subnet within the VNet"},"public_subnet_name":{"type":"string","description":"Name of the public subnet within the VNet"},"type":{"type":"string","enum":["byo-vnet-azure"]},"vnet_resource_id":{"type":"string","description":"The full resource ID of the existing VNet"}}}],"x-readme-ref-name":"NetworkSettings"}]},"telemetry":{"description":"How telemetry (logs, metrics, traces) is handled.\n- off: No telemetry permissions\n- auto: Telemetry flows automatically (default)\n- approval-required: Telemetry waits for explicit approval","type":"string","enum":["off","auto","approval-required"],"x-readme-ref-name":"TelemetryMode"},"updates":{"description":"How updates are delivered.\n- auto: Updates deploy automatically (default)\n- approval-required: Updates wait for explicit approval","type":"string","enum":["auto","approval-required"],"x-readme-ref-name":"UpdatesMode"}},"x-readme-ref-name":"StackSettings"}},"x-readme-ref-name":"StackImportRequest"}
1
+ {"type":"object","description":"Request body for manager-side stack import.","required":["setupImportFormatVersion","deploymentGroupToken","deploymentName","resourcePrefix","platform","region","setupTarget","setupFingerprint","setupFingerprintVersion","stackSettings","resources"],"properties":{"basePlatform":{"oneOf":[{"type":"null"},{"type":"string","description":"Optional base cloud platform for Kubernetes setup targets such as\nEKS/GKE/AKS. The runtime platform remains Kubernetes.","enum":["aws","gcp","azure","kubernetes","local","test"],"x-readme-ref-name":"Platform"}]},"deploymentGroupToken":{"type":"string","description":"Deployment-group token authorizing the import."},"deploymentName":{"type":"string","description":"User-chosen deployment name. Must be unique within the deployment\ngroup; the manager returns 409 on collision rather than silently\nresolving to an existing deployment. Each setup adapter picks\nthe natural source: CloudFormation defaults to the CFN stack name,\nHelm to `{namespace}/{release}`, Terraform requires an explicit\n`name` attribute on the `alien_deployment` resource."},"inputValues":{"type":"object","description":"Deployer-provided stack input values collected by generated setup\nsurfaces. 
Platform-backed managers resolve these into runtime\nenvironment variables before deployment creation; standalone managers\naccept the field for setup package compatibility.","additionalProperties":{},"propertyNames":{"type":"string"}},"managementConfig":{"oneOf":[{"type":"null"},{"description":"Platform-derived management configuration, when this setup creates a\ncross-account/cross-tenant management identity.","oneOf":[{"allOf":[{"description":"AWS management configuration","type":"object","required":["managingRoleArn"],"properties":{"managingRoleArn":{"type":"string","description":"The managing AWS IAM role ARN that can assume cross-account roles"}},"x-readme-ref-name":"AwsManagementConfig"},{"type":"object","required":["platform"],"properties":{"platform":{"type":"string","enum":["aws"]}}}],"description":"AWS management configuration"},{"allOf":[{"description":"GCP management configuration","type":"object","required":["serviceAccountEmail"],"properties":{"serviceAccountEmail":{"type":"string","description":"Service account email for management roles"}},"x-readme-ref-name":"GcpManagementConfig"},{"type":"object","required":["platform"],"properties":{"platform":{"type":"string","enum":["gcp"]}}}],"description":"GCP management configuration"},{"allOf":[{"description":"Azure management configuration","type":"object","required":["managingTenantId","oidcIssuer","oidcSubject"],"properties":{"managingTenantId":{"type":"string","description":"The managing Azure Tenant ID for cross-tenant access"},"oidcIssuer":{"type":"string","description":"OIDC issuer URL trusted by the target-side managed identity."},"oidcSubject":{"type":"string","description":"OIDC subject claim trusted by the target-side managed identity."}},"x-readme-ref-name":"AzureManagementConfig"},{"type":"object","required":["platform"],"properties":{"platform":{"type":"string","enum":["azure"]}}}],"description":"Azure management configuration"},{"type":"object","description":"Kubernetes management 
configuration (minimal for now)","required":["platform"],"properties":{"platform":{"type":"string","enum":["kubernetes"]}}}],"x-readme-ref-name":"ManagementConfig"}]},"platform":{"type":"string","description":"Platform being imported.","enum":["aws","gcp","azure","kubernetes","local","test"],"x-readme-ref-name":"Platform"},"region":{"type":"string","description":"Region or location reported by the setup artifact."},"releaseId":{"type":["string","null"],"description":"Optional release id that produced the setup package. When\nomitted, the manager imports against the latest release."},"resourcePrefix":{"type":"string","description":"Stable physical-name prefix used by the setup package for generated\nresources. Runtime controllers use it when addressing imported\nresources."},"resources":{"type":"array","items":{"type":"object","description":"One resolved resource import payload.","required":["id","type","importData"],"properties":{"id":{"type":"string","description":"Resource id from the active stack."},"importData":{"type":"object","description":"Resolved typed payload for this resource."},"type":{"type":"string","description":"Resource type from the active stack.","examples":["worker","storage","queue","redis","postgres"],"x-readme-ref-name":"ResourceType"}},"x-readme-ref-name":"ImportedResource"},"description":"Imported resources with typed per-resource payloads."},"setupFingerprint":{"type":"string","description":"Setup compatibility fingerprint embedded in the package."},"setupFingerprintVersion":{"type":"integer","format":"int32","description":"Setup fingerprint algorithm version embedded in the package.","minimum":0},"setupImportFormatVersion":{"type":"integer","format":"int32","description":"Wire-format version for the setup import payload.","minimum":0},"setupMetadata":{"description":"Setup source metadata needed by the control plane to guide privileged\nteardown. 
The manager treats this as opaque JSON."},"setupTarget":{"type":"string","description":"Setup target this package was generated for."},"sourceKind":{"oneOf":[{"type":"null"},{"description":"Optional source label for observability. Does not affect import\nbehavior — the manager dispatches the same `ImporterRegistry`\nregardless of which setup package emitted the payload.","type":"string","enum":["cloudformation","terraform","helm"],"x-readme-ref-name":"ImportSourceKind"}]},"stackSettings":{"description":"Resolved stack settings supplied by the setup artifact.","type":"object","properties":{"compute":{"oneOf":[{"type":"null"},{"description":"Deployment-time compute selections for Alien-managed compute pools.\n\nThis is where provider machine names such as EC2 instance types, GCE\nmachine types, or Azure VM SKUs belong. Application source should\ndeclare portable requirements instead.","type":"object","properties":{"pools":{"type":"object","description":"Selected compute choices keyed by pool ID.","additionalProperties":{"oneOf":[{"type":"object","description":"Fixed number of machines.","required":["machines","mode"],"properties":{"machine":{"type":["string","null"],"description":"Provider machine type selected for this deployment."},"machines":{"type":"integer","format":"int32","description":"Number of machines to run.","minimum":0},"mode":{"type":"string","enum":["fixed"]}}},{"type":"object","description":"Autoscaling machine pool.","required":["min","max","mode"],"properties":{"machine":{"type":["string","null"],"description":"Provider machine type selected for this deployment."},"max":{"type":"integer","format":"int32","description":"Maximum machine count.","minimum":0},"min":{"type":"integer","format":"int32","description":"Minimum machine count.","minimum":0},"mode":{"type":"string","enum":["autoscale"]}}}],"description":"User-selected deployment settings for one compute 
pool.","x-readme-ref-name":"ComputePoolSelection"},"propertyNames":{"type":"string"}}},"x-readme-ref-name":"ComputeSettings"}]},"deploymentModel":{"description":"Deployment model: push (Manager) or pull (Agent).\nDefault: Push.\n- Push: Manager drives updates. For cloud platforms, requires cross-account\n credentials established during initial setup. For push-mode local\n deployments (currently `alien dev`), the manager has direct access —\n no bootstrap needed.\n- Pull: Agent in the target environment drives updates via polling.\n Required for Kubernetes and remote local deployments.","type":"string","enum":["push","pull"],"x-readme-ref-name":"DeploymentModel"},"domains":{"oneOf":[{"type":"null"},{"description":"Domain configuration (future).","type":"object","properties":{"customDomains":{"type":["object","null"],"description":"Custom domain configuration per resource ID.","additionalProperties":{"type":"object","description":"Custom domain configuration for a single resource.","required":["domain","certificate"],"properties":{"certificate":{"description":"Customer-provided certificate reference.","type":"object","properties":{"aws":{"oneOf":[{"type":"null"},{"description":"AWS ACM certificate ARN","type":"object","required":["certificateArn"],"properties":{"certificateArn":{"type":"string"}},"x-readme-ref-name":"AwsCustomCertificateConfig"}]},"azure":{"oneOf":[{"type":"null"},{"description":"Azure Key Vault certificate ID","type":"object","required":["keyVaultCertificateId"],"properties":{"keyVaultCertificateId":{"type":"string"},"keyVaultResourceId":{"type":["string","null"]}},"x-readme-ref-name":"AzureCustomCertificateConfig"}]},"gcp":{"oneOf":[{"type":"null"},{"description":"GCP Certificate Manager certificate name","type":"object","required":["certificateName"],"properties":{"certificateName":{"type":"string"}},"x-readme-ref-name":"GcpCustomCertificateConfig"}]},"kubernetes":{"oneOf":[{"type":"null"},{"description":"Kubernetes TLS Secret reference for 
Secret-backed route profiles.","type":"object","required":["tlsSecretRef"],"properties":{"tlsSecretRef":{"description":"Existing TLS Secret containing `tls.crt` and `tls.key`.","type":"object","required":["secretName"],"properties":{"namespace":{"type":["string","null"],"description":"Secret namespace. Defaults to the release namespace when omitted."},"secretName":{"type":"string","description":"Secret name."}},"x-readme-ref-name":"KubernetesTlsSecretRef"}},"x-readme-ref-name":"KubernetesCustomCertificateConfig"}]}},"x-readme-ref-name":"CustomCertificateConfig"},"domain":{"type":"string","description":"Fully qualified domain name to use."}},"x-readme-ref-name":"CustomDomainConfig"},"propertyNames":{"type":"string"}}},"x-readme-ref-name":"DomainSettings"}]},"externalBindings":{"type":["object","null"],"description":"External bindings for pre-existing infrastructure.\nAllows using existing resources (MinIO, Redis, shared Container Apps\nEnvironment, etc.) instead of having Alien provision them.\nRequired for Kubernetes platform, optional for cloud platforms."},"heartbeats":{"description":"How heartbeat health checks are handled.\n- off: No heartbeat permissions\n- on: Heartbeat enabled (default)","type":"string","enum":["off","on"],"x-readme-ref-name":"HeartbeatsMode"},"kubernetes":{"oneOf":[{"type":"null"},{"description":"Kubernetes runtime substrate configuration.","type":"object","properties":{"cluster":{"oneOf":[{"type":"null"},{"description":"Cluster selection or creation settings.","type":"object","required":["ownership"],"properties":{"cloud":{"oneOf":[{"type":"null"},{"description":"Optional provider-specific cloud identity for existing 
clusters.","type":"object","properties":{"accountId":{"type":["string","null"]},"clusterId":{"type":["string","null"]},"clusterName":{"type":["string","null"]},"projectId":{"type":["string","null"]},"region":{"type":["string","null"]},"resourceGroup":{"type":["string","null"]},"subscriptionId":{"type":["string","null"]}},"additionalProperties":false,"x-readme-ref-name":"KubernetesCloudReference"}]},"namespace":{"type":["string","null"],"description":"Namespace where the Alien chart and application resources run."},"ownership":{"description":"Whether Alien should create the cluster, use a setup-owned existing\ncluster, or bind to an external/on-prem cluster.","type":"string","enum":["managed","existing","external"],"x-readme-ref-name":"KubernetesClusterOwnership"}},"x-readme-ref-name":"KubernetesClusterSettings"}]},"exposure":{"oneOf":[{"type":"null"},{"description":"Public HTTPS exposure contract shared by setup, Helm, and runtime.","oneOf":[{"type":"object","description":"Do not create Alien-managed external routing.","required":["mode"],"properties":{"mode":{"type":"string","enum":["disabled"]}}},{"type":"object","description":"Use Alien-generated DNS and Platform-managed certificate material.","required":["route","certificate","mode"],"properties":{"certificate":{"description":"How managed certificate material reaches the route profile.","oneOf":[{"type":"object","description":"Platform-managed cert imported into AWS ACM by the runtime.","required":["mode"],"properties":{"mode":{"type":"string","enum":["managedAcmImport"]},"region":{"type":["string","null"],"description":"ACM region. 
Defaults to the deployment region when omitted."},"tags":{"type":"object","description":"Tags applied to runtime-imported ACM certificates.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}}}},{"type":"object","description":"Customer-provided AWS ACM certificate ARN.","required":["certificateArn","mode"],"properties":{"certificateArn":{"type":"string","description":"Existing ACM certificate ARN."},"mode":{"type":"string","enum":["awsAcmArn"]}}},{"type":"object","description":"Platform-managed cert written to a Kubernetes TLS Secret.","required":["secretNameTemplate","mode"],"properties":{"mode":{"type":"string","enum":["managedTlsSecret"]},"secretNameTemplate":{"type":"string","description":"Secret name template. Runtime may substitute resource/deployment tokens."}}},{"allOf":[{"description":"Customer-provided Kubernetes TLS Secret.","type":"object","required":["secretName"],"properties":{"namespace":{"type":["string","null"],"description":"Secret namespace. Defaults to the release namespace when omitted."},"secretName":{"type":"string","description":"Secret name."}},"x-readme-ref-name":"KubernetesTlsSecretRef"},{"type":"object","required":["mode"],"properties":{"mode":{"type":"string","enum":["tlsSecretRef"]}}}],"description":"Customer-provided Kubernetes TLS Secret."},{"type":"object","description":"No TLS certificate should be configured by Alien.","required":["mode"],"properties":{"mode":{"type":"string","enum":["none"]}}}],"x-readme-ref-name":"KubernetesCertificateMode"},"mode":{"type":"string","enum":["generated"]},"route":{"description":"Runtime route profile to materialize.","oneOf":[{"allOf":[{"description":"`networking.k8s.io/v1` Ingress route profile.","type":"object","required":["ingressClassName"],"properties":{"annotations":{"type":"object","description":"Annotations applied to route 
objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"controller":{"type":["string","null"],"description":"Route controller identifier, for example `eks.amazonaws.com/alb`."},"ingressClassName":{"type":"string","description":"`spec.ingressClassName` for generated Ingresses."},"labels":{"type":"object","description":"Labels applied to route objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"provider":{"oneOf":[{"type":"null"},{"description":"Provider-specific route options that are required by the selected class.","oneOf":[{"type":"object","description":"AWS ALB route options for EKS.","required":["scheme","targetType","provider"],"properties":{"ipAddressType":{"type":["string","null"],"description":"Optional ALB IP address type, such as `dualstack`."},"provider":{"type":"string","enum":["awsAlb"]},"scheme":{"type":"string","description":"Internet-facing or internal ALB scheme."},"subnetIds":{"type":"array","items":{"type":"string"},"description":"Explicit subnet IDs when the profile cannot rely on controller discovery."},"targetType":{"type":"string","description":"ALB target type, usually `ip`."}}},{"type":"object","description":"GKE Gateway route options.","required":["provider"],"properties":{"provider":{"type":"string","enum":["gkeGateway"]},"staticAddressName":{"type":["string","null"],"description":"Optional static address name for the Gateway frontend."}}},{"type":"object","description":"Azure Application Gateway for Containers route options.","required":["frontend","provider"],"properties":{"albName":{"type":["string","null"],"description":"Optional ALB name when using BYO Application Gateway resources."},"albNamespace":{"type":["string","null"],"description":"Optional ALB namespace when using BYO Application Gateway resources."},"frontend":{"type":"string","description":"Public or internal frontend 
exposure."},"provider":{"type":"string","enum":["azureApplicationGatewayForContainers"]}}}],"x-readme-ref-name":"KubernetesRouteProviderOptions"}]}},"x-readme-ref-name":"KubernetesIngressRouteProfile"},{"type":"object","required":["routeApi"],"properties":{"routeApi":{"type":"string","enum":["ingress"]}}}],"description":"`networking.k8s.io/v1` Ingress route profile."},{"allOf":[{"description":"Gateway API `Gateway` + `HTTPRoute` route profile.","type":"object","required":["gatewayClassName","listenerPort"],"properties":{"annotations":{"type":"object","description":"Annotations applied to route objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"controller":{"type":["string","null"],"description":"Route controller identifier, for example a cloud Gateway controller."},"gatewayClassName":{"type":"string","description":"GatewayClass selected for generated Gateways."},"labels":{"type":"object","description":"Labels applied to route objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"listenerPort":{"type":"integer","format":"int32","description":"Listener port, usually 443.","minimum":0},"provider":{"oneOf":[{"type":"null"},{"description":"Provider-specific route options that are required by the selected class.","oneOf":[{"type":"object","description":"AWS ALB route options for EKS.","required":["scheme","targetType","provider"],"properties":{"ipAddressType":{"type":["string","null"],"description":"Optional ALB IP address type, such as `dualstack`."},"provider":{"type":"string","enum":["awsAlb"]},"scheme":{"type":"string","description":"Internet-facing or internal ALB scheme."},"subnetIds":{"type":"array","items":{"type":"string"},"description":"Explicit subnet IDs when the profile cannot rely on controller discovery."},"targetType":{"type":"string","description":"ALB target type, usually `ip`."}}},{"type":"object","description":"GKE Gateway route 
options.","required":["provider"],"properties":{"provider":{"type":"string","enum":["gkeGateway"]},"staticAddressName":{"type":["string","null"],"description":"Optional static address name for the Gateway frontend."}}},{"type":"object","description":"Azure Application Gateway for Containers route options.","required":["frontend","provider"],"properties":{"albName":{"type":["string","null"],"description":"Optional ALB name when using BYO Application Gateway resources."},"albNamespace":{"type":["string","null"],"description":"Optional ALB namespace when using BYO Application Gateway resources."},"frontend":{"type":"string","description":"Public or internal frontend exposure."},"provider":{"type":"string","enum":["azureApplicationGatewayForContainers"]}}}],"x-readme-ref-name":"KubernetesRouteProviderOptions"}]}},"x-readme-ref-name":"KubernetesGatewayRouteProfile"},{"type":"object","required":["routeApi"],"properties":{"routeApi":{"type":"string","enum":["gateway"]}}}],"description":"Gateway API `Gateway` + `HTTPRoute` route profile."}],"x-readme-ref-name":"KubernetesRouteProfile"}}},{"type":"object","description":"Use a customer hostname and customer-owned certificate reference.","required":["domain","route","certificate","mode"],"properties":{"certificate":{"description":"Customer-owned certificate reference consumed by the route profile.","oneOf":[{"type":"object","description":"Platform-managed cert imported into AWS ACM by the runtime.","required":["mode"],"properties":{"mode":{"type":"string","enum":["managedAcmImport"]},"region":{"type":["string","null"],"description":"ACM region. 
Defaults to the deployment region when omitted."},"tags":{"type":"object","description":"Tags applied to runtime-imported ACM certificates.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}}}},{"type":"object","description":"Customer-provided AWS ACM certificate ARN.","required":["certificateArn","mode"],"properties":{"certificateArn":{"type":"string","description":"Existing ACM certificate ARN."},"mode":{"type":"string","enum":["awsAcmArn"]}}},{"type":"object","description":"Platform-managed cert written to a Kubernetes TLS Secret.","required":["secretNameTemplate","mode"],"properties":{"mode":{"type":"string","enum":["managedTlsSecret"]},"secretNameTemplate":{"type":"string","description":"Secret name template. Runtime may substitute resource/deployment tokens."}}},{"allOf":[{"description":"Customer-provided Kubernetes TLS Secret.","type":"object","required":["secretName"],"properties":{"namespace":{"type":["string","null"],"description":"Secret namespace. Defaults to the release namespace when omitted."},"secretName":{"type":"string","description":"Secret name."}},"x-readme-ref-name":"KubernetesTlsSecretRef"},{"type":"object","required":["mode"],"properties":{"mode":{"type":"string","enum":["tlsSecretRef"]}}}],"description":"Customer-provided Kubernetes TLS Secret."},{"type":"object","description":"No TLS certificate should be configured by Alien.","required":["mode"],"properties":{"mode":{"type":"string","enum":["none"]}}}],"x-readme-ref-name":"KubernetesCertificateMode"},"domain":{"type":"string","description":"Hostname routed by the Kubernetes public endpoint."},"mode":{"type":"string","enum":["custom"]},"route":{"description":"Runtime route profile to materialize.","oneOf":[{"allOf":[{"description":"`networking.k8s.io/v1` Ingress route profile.","type":"object","required":["ingressClassName"],"properties":{"annotations":{"type":"object","description":"Annotations applied to route 
objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"controller":{"type":["string","null"],"description":"Route controller identifier, for example `eks.amazonaws.com/alb`."},"ingressClassName":{"type":"string","description":"`spec.ingressClassName` for generated Ingresses."},"labels":{"type":"object","description":"Labels applied to route objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"provider":{"oneOf":[{"type":"null"},{"description":"Provider-specific route options that are required by the selected class.","oneOf":[{"type":"object","description":"AWS ALB route options for EKS.","required":["scheme","targetType","provider"],"properties":{"ipAddressType":{"type":["string","null"],"description":"Optional ALB IP address type, such as `dualstack`."},"provider":{"type":"string","enum":["awsAlb"]},"scheme":{"type":"string","description":"Internet-facing or internal ALB scheme."},"subnetIds":{"type":"array","items":{"type":"string"},"description":"Explicit subnet IDs when the profile cannot rely on controller discovery."},"targetType":{"type":"string","description":"ALB target type, usually `ip`."}}},{"type":"object","description":"GKE Gateway route options.","required":["provider"],"properties":{"provider":{"type":"string","enum":["gkeGateway"]},"staticAddressName":{"type":["string","null"],"description":"Optional static address name for the Gateway frontend."}}},{"type":"object","description":"Azure Application Gateway for Containers route options.","required":["frontend","provider"],"properties":{"albName":{"type":["string","null"],"description":"Optional ALB name when using BYO Application Gateway resources."},"albNamespace":{"type":["string","null"],"description":"Optional ALB namespace when using BYO Application Gateway resources."},"frontend":{"type":"string","description":"Public or internal frontend 
exposure."},"provider":{"type":"string","enum":["azureApplicationGatewayForContainers"]}}}],"x-readme-ref-name":"KubernetesRouteProviderOptions"}]}},"x-readme-ref-name":"KubernetesIngressRouteProfile"},{"type":"object","required":["routeApi"],"properties":{"routeApi":{"type":"string","enum":["ingress"]}}}],"description":"`networking.k8s.io/v1` Ingress route profile."},{"allOf":[{"description":"Gateway API `Gateway` + `HTTPRoute` route profile.","type":"object","required":["gatewayClassName","listenerPort"],"properties":{"annotations":{"type":"object","description":"Annotations applied to route objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"controller":{"type":["string","null"],"description":"Route controller identifier, for example a cloud Gateway controller."},"gatewayClassName":{"type":"string","description":"GatewayClass selected for generated Gateways."},"labels":{"type":"object","description":"Labels applied to route objects.","additionalProperties":{"type":"string"},"propertyNames":{"type":"string"}},"listenerPort":{"type":"integer","format":"int32","description":"Listener port, usually 443.","minimum":0},"provider":{"oneOf":[{"type":"null"},{"description":"Provider-specific route options that are required by the selected class.","oneOf":[{"type":"object","description":"AWS ALB route options for EKS.","required":["scheme","targetType","provider"],"properties":{"ipAddressType":{"type":["string","null"],"description":"Optional ALB IP address type, such as `dualstack`."},"provider":{"type":"string","enum":["awsAlb"]},"scheme":{"type":"string","description":"Internet-facing or internal ALB scheme."},"subnetIds":{"type":"array","items":{"type":"string"},"description":"Explicit subnet IDs when the profile cannot rely on controller discovery."},"targetType":{"type":"string","description":"ALB target type, usually `ip`."}}},{"type":"object","description":"GKE Gateway route 
options.","required":["provider"],"properties":{"provider":{"type":"string","enum":["gkeGateway"]},"staticAddressName":{"type":["string","null"],"description":"Optional static address name for the Gateway frontend."}}},{"type":"object","description":"Azure Application Gateway for Containers route options.","required":["frontend","provider"],"properties":{"albName":{"type":["string","null"],"description":"Optional ALB name when using BYO Application Gateway resources."},"albNamespace":{"type":["string","null"],"description":"Optional ALB namespace when using BYO Application Gateway resources."},"frontend":{"type":"string","description":"Public or internal frontend exposure."},"provider":{"type":"string","enum":["azureApplicationGatewayForContainers"]}}}],"x-readme-ref-name":"KubernetesRouteProviderOptions"}]}},"x-readme-ref-name":"KubernetesGatewayRouteProfile"},{"type":"object","required":["routeApi"],"properties":{"routeApi":{"type":"string","enum":["gateway"]}}}],"description":"Gateway API `Gateway` + `HTTPRoute` route profile."}],"x-readme-ref-name":"KubernetesRouteProfile"}}}],"x-readme-ref-name":"KubernetesExposureSettings"}]}},"x-readme-ref-name":"KubernetesSettings"}]},"network":{"oneOf":[{"type":"null"},{"description":"Network configuration for the stack (VPC/VNet settings).\nIf `None`, an isolated VPC with NAT is auto-created when the stack has resources\nthat require networking (e.g., containers). Set explicitly to customize:\n`UseDefault` for the provider's default network (fast, dev/test only),\n`Create` for an isolated VPC with managed NAT (production), or `ByoVpc*`\nto reference an existing customer-managed VPC.","oneOf":[{"type":"object","description":"Use the cloud provider's default VPC/network.\n\nDesigned for fast dev/test provisioning. No isolated VPC is created, so there\nis nothing to wait for or clean up. VMs receive ephemeral public IPs for internet\naccess — no NAT gateway is provisioned.\n\n- **AWS**: Discovers the account's default VPC. 
Subnets are public with auto-assigned IPs.\n- **GCP**: Discovers the project's `default` network and regional subnet. Instance\n templates include an `AccessConfig` to assign an ephemeral external IP.\n- **Azure**: Azure has no default VNet, so one is created along with a NAT Gateway.\n VMs stay private and use NAT for egress.\n\nNot recommended for production. Use `Create` instead.","required":["type"],"properties":{"type":{"type":"string","enum":["use-default"]}}},{"type":"object","description":"Create a new isolated VPC/VNet with a managed NAT gateway.\n\nAll networking infrastructure is provisioned by Alien and cleaned up on delete.\nVMs use private IPs only; all outbound traffic routes through the NAT gateway.\n\nRecommended for production deployments.","required":["type"],"properties":{"availability_zones":{"type":"integer","format":"int32","description":"Number of availability zones (default: 2).","minimum":0},"cidr":{"type":["string","null"],"description":"VPC/VNet CIDR block. If not specified, auto-generated from stack ID\nto reduce conflicts (e.g., \"10.{hash}.0.0/16\")."},"type":{"type":"string","enum":["create"]}}},{"type":"object","description":"Use an existing VPC (AWS).\n\nAlien validates the references but creates no networking infrastructure.\nThe customer is responsible for routing and egress (NAT, proxy, VPN, etc.).","required":["vpc_id","public_subnet_ids","private_subnet_ids","type"],"properties":{"private_subnet_ids":{"type":"array","items":{"type":"string"},"description":"IDs of private subnets"},"public_subnet_ids":{"type":"array","items":{"type":"string"},"description":"IDs of public subnets (required for public ingress)"},"security_group_ids":{"type":"array","items":{"type":"string"},"description":"Optional security group IDs to use"},"type":{"type":"string","enum":["byo-vpc-aws"]},"vpc_id":{"type":"string","description":"The ID of the existing VPC"}}},{"type":"object","description":"Use an existing VPC (GCP).\n\nAlien validates the 
references but creates no networking infrastructure.\nThe customer is responsible for routing and egress (Cloud NAT, proxy, VPN, etc.).","required":["network_name","subnet_name","region","type"],"properties":{"network_name":{"type":"string","description":"The name of the existing VPC network"},"region":{"type":"string","description":"The region of the subnet"},"subnet_name":{"type":"string","description":"The name of the subnet to use"},"type":{"type":"string","enum":["byo-vpc-gcp"]}}},{"type":"object","description":"Use an existing VNet (Azure).\n\nAlien validates the references but creates no networking infrastructure.\nThe customer is responsible for routing and egress (NAT Gateway, proxy, VPN, etc.).","required":["vnet_resource_id","public_subnet_name","private_subnet_name","type"],"properties":{"application_gateway_subnet_name":{"type":["string","null"],"description":"Name of the dedicated classic Application Gateway subnet within the VNet."},"private_subnet_name":{"type":"string","description":"Name of the private subnet within the VNet"},"public_subnet_name":{"type":"string","description":"Name of the public subnet within the VNet"},"type":{"type":"string","enum":["byo-vnet-azure"]},"vnet_resource_id":{"type":"string","description":"The full resource ID of the existing VNet"}}}],"x-readme-ref-name":"NetworkSettings"}]},"telemetry":{"description":"How telemetry (logs, metrics, traces) is handled.\n- off: No telemetry permissions\n- auto: Telemetry flows automatically (default)\n- approval-required: Telemetry waits for explicit approval","type":"string","enum":["off","auto","approval-required"],"x-readme-ref-name":"TelemetryMode"},"updates":{"description":"How updates are delivered.\n- auto: Updates deploy automatically (default)\n- approval-required: Updates wait for explicit approval","type":"string","enum":["auto","approval-required"],"x-readme-ref-name":"UpdatesMode"}},"x-readme-ref-name":"StackSettings"}},"x-readme-ref-name":"StackImportRequest"}