@cobaltcore-dev/aurora 0.4.0 → 0.6.0

package/dist/server/index.js

@@ -30779,11 +30779,11 @@ var flavorRouter = {
   })
 };
 
-// src/server/Compute/routers/permissionRouter.ts
+// src/server/policies/createPermissionRouter.ts
 var import_zod10 = require("zod");
 var import_server8 = require("@trpc/server");
 
-// src/server/policyEngineLoader.ts
+// src/server/policies/policyEngineLoader.ts
 var import_path = __toESM(require("path"));
 var import_fs = __toESM(require("fs"));
 var import_policy_engine = __toESM(require_esm());
@@ -30804,8 +30804,8 @@ Pass an absolute path via the policyDir option in createServer.`);
   return (0, import_policy_engine.createPolicyEngineFromFile)(file);
 }, "loadPolicyEngine");
 
-// src/server/Compute/routers/permissionRouter.ts
-var getPolicy = /* @__PURE__ */ __name((ctx, policyEngineName, engines) => {
+// src/server/policies/createPermissionRouter.ts
+var getPolicy = /* @__PURE__ */ __name((ctx, engine) => {
   const openstackSession = ctx.openstack;
   const token = openstackSession?.getToken();
   if (!token) {
@@ -30814,15 +30814,80 @@ var getPolicy = /* @__PURE__ */ __name((ctx, policyEngineName, engines) => {
       message: "No valid OpenStack token found"
     });
   }
-  const policyEngine = policyEngineName === "compute" ? engines.compute : engines.image;
-  return policyEngine.policy(token.tokenData, {
+  return engine.policy(token.tokenData, {
     debug: true,
     defaultParams: {
       project_id: token.tokenData.project?.id
     }
   });
 }, "getPolicy");
-var POLICY_MAPPINGS = {
+function createPermissionRouter(config) {
+  const loadedEngines = Object.fromEntries(Object.entries(config.engines).map(([name, { fileName }]) => [
+    name,
+    loadPolicyEngine(fileName, config.policyDir)
+  ]));
+  for (const [permissionKey, mapping] of Object.entries(config.mappings)) {
+    if (!Object.hasOwn(loadedEngines, mapping.engine)) {
+      throw new Error(`Configuration error: Permission '${permissionKey}' references engine '${mapping.engine}', but no such engine is configured. Available engines: ${Object.keys(loadedEngines).join(", ")}`);
+    }
+  }
+  const PERMISSION_KEY = import_zod10.z.string().superRefine((value, ctx) => {
+    if (!Object.hasOwn(config.mappings, value)) {
+      ctx.addIssue({
+        code: "custom",
+        message: `Unknown permission: ${value}`
+      });
+    }
+  }).transform((value) => value);
+  const checkSinglePermission = /* @__PURE__ */ __name((ctx, permission, engines) => {
+    const mapping = config.mappings[permission];
+    const engine = engines[mapping.engine];
+    if (!engine) {
+      throw new import_server8.TRPCError({
+        code: "INTERNAL_SERVER_ERROR",
+        message: `Policy engine '${mapping.engine}' not found for permission '${String(permission)}'`
+      });
+    }
+    const policy = getPolicy(ctx, engine);
+    return policy.check(mapping.rule);
+  }, "checkSinglePermission");
+  return {
+    /**
+    * Permission checking endpoint that determines whether a user has one or more specific permissions.
+    *
+    * Usage:
+    * - `canUser({ project_id: "abc", permission: "servers:list" })` → returns `[boolean]`
+    * - `canUser({ project_id: "abc", permission: ["servers:list", "flavors:create"] })` → returns `boolean[]`
+    *
+    * Input must be:
+    * - A project_id (required, validated by projectScopedInputSchema), and
+    * - A single valid permission key (string in mappings), or
+    * - An array of valid permission keys.
+    *
+    * Invalid keys are rejected with a `BAD_REQUEST` error before the handler runs.
+    * Empty array input returns an empty array (`[]`).
+    * Always returns `boolean[]` for consistent destructuring on the client.
+    */
+    canUser: projectScopedProcedure.input(projectScopedInputSchema.extend({
+      permission: import_zod10.z.union([
+        PERMISSION_KEY,
+        import_zod10.z.array(PERMISSION_KEY)
+      ])
+    })).query(async ({ ctx, input }) => {
+      const permissions = Array.isArray(input.permission) ? input.permission : [
+        input.permission
+      ];
+      if (permissions.length === 0) {
+        return [];
+      }
+      return permissions.map((permission) => checkSinglePermission(ctx, permission, loadedEngines));
+    })
+  };
+}
+__name(createPermissionRouter, "createPermissionRouter");
+
+// src/server/Compute/routers/permissionRouter.ts
+var COMPUTE_IMAGE_MAPPINGS = {
   // Servers
   "servers:list": {
     engine: "compute",
@@ -30912,41 +30977,18 @@ var POLICY_MAPPINGS = {
     rule: "modify_member"
   }
 };
-var checkSinglePermission = /* @__PURE__ */ __name((ctx, permission, engines) => {
-  const policyMapping = POLICY_MAPPINGS[permission];
-  const policy = getPolicy(ctx, policyMapping.engine, engines);
-  return policy.check(policyMapping.rule);
-}, "checkSinglePermission");
-var PERMISSION_KEY = import_zod10.z.string().superRefine((value, ctx) => {
-  if (!Object.hasOwn(POLICY_MAPPINGS, value)) {
-    ctx.addIssue({
-      code: "custom",
-      message: `Unknown permission: ${value}`
-    });
-  }
-}).transform((value) => value);
-var buildPermissionRouter = /* @__PURE__ */ __name((policyDir) => {
-  const engines = {
-    compute: loadPolicyEngine("compute.yaml", policyDir),
-    image: loadPolicyEngine("image.yaml", policyDir)
-  };
-  return {
-    canUser: projectScopedProcedure.input(projectScopedInputSchema.extend({
-      permission: import_zod10.z.union([
-        PERMISSION_KEY,
-        import_zod10.z.array(PERMISSION_KEY)
-      ])
-    })).query(async ({ ctx, input }) => {
-      const permissions = typeof input.permission === "string" ? [
-        input.permission
-      ] : input.permission;
-      if (permissions.length === 0) {
-        return [];
-      }
-      return permissions.map((permission) => checkSinglePermission(ctx, permission, engines));
-    })
-  };
-}, "buildPermissionRouter");
+var buildPermissionRouter = /* @__PURE__ */ __name((policyDir) => createPermissionRouter({
+  policyDir,
+  engines: {
+    compute: {
+      fileName: "compute.json"
+    },
+    image: {
+      fileName: "image.json"
+    }
+  },
+  mappings: COMPUTE_IMAGE_MAPPINGS
+}), "buildPermissionRouter");
 
 // src/server/Compute/routers/index.ts
 var buildComputeRouters = /* @__PURE__ */ __name((policyDir) => ({
@@ -33261,11 +33303,13 @@ var cephProtectedProcedure = cephCredentialMiddleware.use(/* @__PURE__ */ __name
 
 // src/server/Storage/helpers/s3ErrorMapper.ts
 var import_server12 = require("@trpc/server");
+var import_signal_openstack = __toESM(require_esm2());
 var S3_ERROR_MAP = {
   NoSuchBucket: "NOT_FOUND",
   NoSuchKey: "NOT_FOUND",
   NoSuchUpload: "NOT_FOUND",
   NoSuchVersion: "NOT_FOUND",
+  NoSuchBucketPolicy: "NOT_FOUND",
   BucketAlreadyExists: "CONFLICT",
   BucketAlreadyOwnedByYou: "CONFLICT",
   BucketNotEmpty: "PRECONDITION_FAILED",
@@ -33279,6 +33323,7 @@ var S3_ERROR_MAP = {
   RequestTimeTooSkewed: "UNAUTHORIZED",
   InvalidBucketName: "BAD_REQUEST",
   KeyTooLongError: "BAD_REQUEST",
+  MalformedPolicy: "BAD_REQUEST",
   EntityTooLarge: "PAYLOAD_TOO_LARGE",
   EntityTooSmall: "BAD_REQUEST"
 };
@@ -33290,7 +33335,10 @@ function mapS3ErrorToTRPCError(error, context) {
   const errorCode = s3Error.Code ?? s3Error.name ?? "";
   const trpcCode = S3_ERROR_MAP[errorCode] ?? "INTERNAL_SERVER_ERROR";
   if (!S3_ERROR_MAP[errorCode] && errorCode) {
-    console.warn(`[s3] Unmapped S3 error code: ${errorCode}`);
+    import_signal_openstack.logger.warn("Unmapped S3 error code", {
+      errorCode,
+      operation: context.operation
+    });
   }
   const parts = [
     `Failed to ${context.operation}`
@@ -33336,8 +33384,10 @@ var containerSchema = import_zod13.z.object({
 var listContainersInputSchema2 = projectScopedInputSchema.extend({
   includeMetadata: import_zod13.z.boolean().optional().default(false)
 });
+var bucketNameSchema = import_zod13.z.string().min(3, "Bucket name must be at least 3 characters").max(63, "Bucket name must be at most 63 characters").regex(/^[a-z0-9][a-z0-9.-]*[a-z0-9]$/, "Bucket name must contain only lowercase letters, numbers, hyphens, and periods").refine((name) => !name.includes(".."), "Bucket name cannot contain consecutive periods").refine((name) => !/^\d+\.\d+\.\d+\.\d+$/.test(name), "Bucket name cannot be formatted as an IP address");
+var existingBucketNameSchema = import_zod13.z.string().min(1, "Bucket name is required").max(255, "Bucket name exceeds maximum length");
 var createBucketInputSchema = projectScopedInputSchema.extend({
-  bucketName: import_zod13.z.string().min(3).max(63),
+  bucketName: bucketNameSchema,
   enableVersioning: import_zod13.z.boolean().optional().default(false)
 });
 var createBucketOutputSchema = import_zod13.z.object({
@@ -33459,6 +33509,83 @@ var s3ServiceInfoSchema = import_zod13.z.object({
   region: import_zod13.z.string().optional()
 });
 var getServiceInfoInputSchema = import_zod13.z.object({});
+var bucketPolicyStatementSchema = import_zod13.z.object({
+  Sid: import_zod13.z.string().optional(),
+  Effect: import_zod13.z.enum([
+    "Allow",
+    "Deny"
+  ]),
+  Principal: import_zod13.z.union([
+    import_zod13.z.string(),
+    import_zod13.z.object({
+      AWS: import_zod13.z.union([
+        import_zod13.z.string(),
+        import_zod13.z.array(import_zod13.z.string())
+      ]).optional(),
+      Service: import_zod13.z.union([
+        import_zod13.z.string(),
+        import_zod13.z.array(import_zod13.z.string())
+      ]).optional(),
+      Federated: import_zod13.z.union([
+        import_zod13.z.string(),
+        import_zod13.z.array(import_zod13.z.string())
+      ]).optional()
+    })
+  ]).superRefine((val, ctx) => {
+    if (typeof val === "object" && !val.AWS && !val.Service && !val.Federated) {
+      ctx.addIssue({
+        code: "custom",
+        message: "Principal object must contain at least one of: AWS, Service, or Federated"
+      });
+    }
+    if (typeof val === "object" && val.AWS) {
+      const arns = Array.isArray(val.AWS) ? val.AWS : [
+        val.AWS
+      ];
+      for (const arn of arns) {
+        if (arn !== "*" && !/^arn:aws:iam::\d{12}:(?:root|user\/.+|role\/.+)$/.test(arn)) {
+          ctx.addIssue({
+            code: "custom",
+            message: `Invalid AWS principal ARN format: ${arn}. Expected arn:aws:iam::ACCOUNT-ID:root or arn:aws:iam::ACCOUNT-ID:(user|role)/NAME`
+          });
+        }
+      }
+    }
+  }),
+  Action: import_zod13.z.union([
+    import_zod13.z.string(),
+    import_zod13.z.array(import_zod13.z.string())
+  ]),
+  Resource: import_zod13.z.union([
+    import_zod13.z.string(),
+    import_zod13.z.array(import_zod13.z.string())
+  ]),
+  Condition: import_zod13.z.record(import_zod13.z.string(), import_zod13.z.record(import_zod13.z.string(), import_zod13.z.union([
+    import_zod13.z.string(),
+    import_zod13.z.array(import_zod13.z.string()),
+    import_zod13.z.number(),
+    import_zod13.z.boolean()
+  ]))).optional()
+});
+var bucketPolicyDocumentSchema = import_zod13.z.object({
+  Version: import_zod13.z.string().default("2012-10-17"),
+  Id: import_zod13.z.string().optional(),
+  Statement: import_zod13.z.array(bucketPolicyStatementSchema).min(1, "Policy must contain at least one statement")
+});
+var getBucketPolicyInputSchema = projectScopedInputSchema.extend({
+  bucketName: existingBucketNameSchema
+});
+var getBucketPolicyOutputSchema = import_zod13.z.object({
+  policy: bucketPolicyDocumentSchema.nullable(),
+  policyText: import_zod13.z.string().nullable()
+});
+var setBucketPolicyInputSchema = projectScopedInputSchema.extend({
+  bucketName: existingBucketNameSchema,
+  policy: import_zod13.z.string().min(1).max(20480, "Policy document exceeds maximum size of 20KB")
+});
+var deleteBucketPolicyInputSchema = projectScopedInputSchema.extend({
+  bucketName: existingBucketNameSchema
+});
 
 // src/server/Storage/constants.ts
 var S3_MAX_KEYS_PER_REQUEST = 1e3;
@@ -33495,7 +33622,7 @@ var containerRouter = {
         }));
       }
       const CONCURRENCY_LIMIT = 5;
-      const containersWithMetadata = [];
+      const bucketsWithMetadata = [];
       for (let i = 0; i < buckets.length; i += CONCURRENCY_LIMIT) {
         const batch = buckets.slice(i, i + CONCURRENCY_LIMIT);
         const batchResults = await Promise.all(batch.map(async (bucket) => {
@@ -33531,9 +33658,9 @@ var containerRouter = {
             });
           }
         }));
-        containersWithMetadata.push(...batchResults);
+        bucketsWithMetadata.push(...batchResults);
       }
-      return containersWithMetadata;
+      return bucketsWithMetadata;
     } catch (error) {
       throw mapS3ErrorToTRPCError(error, {
         operation: "list containers"
@@ -34413,8 +34540,307 @@ var versioningRouter = {
   })
 };
 
+// src/server/Storage/routers/ceph/bucketPolicyRouter.ts
+var import_client_s35 = require("@aws-sdk/client-s3");
+var import_server15 = require("@trpc/server");
+var import_zod17 = require("zod");
+var policySetRateLimits = /* @__PURE__ */ new Map();
+function checkPolicySetRateLimit(bucketName, projectId) {
+  const key = `${projectId}:${bucketName}`;
+  const now = Date.now();
+  const windowMs = 5 * 60 * 1e3;
+  for (const [k, v] of policySetRateLimits.entries()) {
+    if (now > v.resetAt) {
+      policySetRateLimits.delete(k);
+    }
+  }
+  const limit = policySetRateLimits.get(key);
+  if (!limit || now > limit.resetAt) {
+    policySetRateLimits.set(key, {
+      count: 1,
+      resetAt: now + windowMs
+    });
+    return;
+  }
+  if (limit.count >= 10) {
+    throw new import_server15.TRPCError({
+      code: "TOO_MANY_REQUESTS",
+      message: "Policy modification rate limit exceeded. Maximum 10 policy changes per 5 minutes per bucket."
+    });
+  }
+  limit.count++;
+}
+__name(checkPolicySetRateLimit, "checkPolicySetRateLimit");
+function validateResourceARNsMatchBucket(policy, bucketName) {
+  for (const statement of policy.Statement) {
+    const resources = Array.isArray(statement.Resource) ? statement.Resource : [
+      statement.Resource
+    ];
+    for (const resource of resources) {
+      const arnRegex = /^arn:aws:s3:::([^/]+)/;
+      const match = resource.match(arnRegex);
+      if (!match) {
+        throw new import_server15.TRPCError({
+          code: "BAD_REQUEST",
+          message: `Policy Resource '${resource}' is not a valid S3 bucket ARN for bucket '${bucketName}'. Expected: arn:aws:s3:::${bucketName} or arn:aws:s3:::${bucketName}/*`
+        });
+      }
+      if (match[1] !== bucketName) {
+        throw new import_server15.TRPCError({
+          code: "BAD_REQUEST",
+          message: `Policy Resource ARN '${resource}' does not match bucket '${bucketName}'`
+        });
+      }
+    }
+  }
+}
+__name(validateResourceARNsMatchBucket, "validateResourceARNsMatchBucket");
+function validatePolicySemantics(policy) {
+  if (policy.Statement.length > 100) {
+    throw new import_server15.TRPCError({
+      code: "BAD_REQUEST",
+      message: "Policy exceeds maximum of 100 statements"
+    });
+  }
+  const denyAllStatement = policy.Statement.find((s) => {
+    if (s.Effect !== "Deny") return false;
+    const actions = Array.isArray(s.Action) ? s.Action : [
+      s.Action
+    ];
+    return actions.some((a) => a === "*" || a === "s3:*");
+  });
+  if (denyAllStatement) {
+    throw new import_server15.TRPCError({
+      code: "BAD_REQUEST",
+      message: "Policy contains 'Deny *' or 'Deny s3:*' which may lock out all access including the bucket owner. Please use more specific deny rules."
+    });
+  }
+}
+__name(validatePolicySemantics, "validatePolicySemantics");
+var bucketPolicyRouter = {
+  /**
+  * Get the current bucket policy.
+  *
+  * Returns the policy as both a parsed object and raw JSON string.
+  * Returns null if no policy is set (not an error).
+  *
+  * @throws TRPCError NOT_FOUND - bucket does not exist
+  * @throws TRPCError FORBIDDEN - no credentials or access denied
+  */
+  get: cephProtectedProcedure.input(getBucketPolicyInputSchema).query(async ({ ctx, input }) => {
+    const s3 = ctx.getCephClient();
+    const { bucketName } = input;
+    try {
+      const response = await s3.send(new import_client_s35.GetBucketPolicyCommand({
+        Bucket: bucketName
+      }));
+      const policyText = response.Policy ?? null;
+      if (!policyText) {
+        return {
+          policy: null,
+          policyText: null
+        };
+      }
+      const policyObj = JSON.parse(policyText);
+      const policy = bucketPolicyDocumentSchema.parse(policyObj);
+      return {
+        policy,
+        policyText
+      };
+    } catch (error) {
+      const s3Error = error;
+      if (s3Error.name === "NoSuchBucketPolicy" || s3Error.Code === "NoSuchBucketPolicy") {
+        return {
+          policy: null,
+          policyText: null
+        };
+      }
+      throw mapS3ErrorToTRPCError(error, {
+        operation: "get bucket policy",
+        bucket: bucketName
+      });
+    }
+  }),
+  /**
+  * Set (create or replace) a bucket policy.
+  *
+  * Accepts a policy document as a JSON string. Validates structure before
+  * sending to S3. Replaces any existing policy completely.
+  *
+  * @throws TRPCError BAD_REQUEST - invalid policy JSON or structure
+  * @throws TRPCError NOT_FOUND - bucket does not exist
+  * @throws TRPCError FORBIDDEN - no credentials or access denied
+  */
+  set: cephProtectedProcedure.input(setBucketPolicyInputSchema).mutation(async ({ ctx, input }) => {
+    const s3 = ctx.getCephClient();
+    const { bucketName, policy } = input;
+    checkPolicySetRateLimit(bucketName, input.project_id);
+    if (policy.length > 20480) {
+      throw new import_server15.TRPCError({
+        code: "PAYLOAD_TOO_LARGE",
+        message: "Policy document exceeds maximum size of 20KB"
+      });
+    }
+    const openBrackets = (policy.match(/[{[]/g) || []).length;
+    if (openBrackets > 50) {
+      throw new import_server15.TRPCError({
+        code: "BAD_REQUEST",
+        message: "Policy JSON is too deeply nested (maximum 50 levels)"
+      });
+    }
+    try {
+      const policyObj = JSON.parse(policy);
+      const validatedPolicy = bucketPolicyDocumentSchema.parse(policyObj);
+      validateResourceARNsMatchBucket(validatedPolicy, bucketName);
+      validatePolicySemantics(validatedPolicy);
+      const policyText = JSON.stringify(validatedPolicy);
+      await s3.send(new import_client_s35.PutBucketPolicyCommand({
+        Bucket: bucketName,
+        Policy: policyText
+      }));
+      return true;
+    } catch (error) {
+      if (error instanceof SyntaxError || error instanceof import_zod17.z.ZodError) {
+        const errorDetails = error instanceof import_zod17.z.ZodError ? error.message : "Invalid JSON format";
+        throw new import_server15.TRPCError({
+          code: "BAD_REQUEST",
+          message: `Invalid policy JSON structure: ${errorDetails}`
+        });
+      }
+      throw mapS3ErrorToTRPCError(error, {
+        operation: "set bucket policy",
+        bucket: bucketName
+      });
+    }
+  }),
+  /**
+  * Delete (remove) a bucket policy.
+  *
+  * Removes the policy from the bucket. The bucket reverts to having no policy.
+  * Not an error if no policy was set.
+  *
+  * @throws TRPCError NOT_FOUND - bucket does not exist
+  * @throws TRPCError FORBIDDEN - no credentials or access denied
+  */
+  delete: cephProtectedProcedure.input(deleteBucketPolicyInputSchema).mutation(async ({ ctx, input }) => {
+    const s3 = ctx.getCephClient();
+    const { bucketName } = input;
+    try {
+      await s3.send(new import_client_s35.DeleteBucketPolicyCommand({
+        Bucket: bucketName
+      }));
+      return true;
+    } catch (error) {
+      const s3Error = error;
+      if (s3Error.name === "NoSuchBucketPolicy" || s3Error.Code === "NoSuchBucketPolicy") {
+        return true;
+      }
+      throw mapS3ErrorToTRPCError(error, {
+        operation: "delete bucket policy",
+        bucket: bucketName
+      });
+    }
+  })
+};
+
+// src/server/Storage/routers/permissionRouter.ts
+var STORAGE_MAPPINGS = {
+  // Container Operations (works for both Swift containers and Ceph buckets)
+  "storage:containers:read": {
+    engine: "storage",
+    rule: "storage:container_get"
+  },
+  "storage:containers:list": {
+    engine: "storage",
+    rule: "storage:container_list"
+  },
+  "storage:containers:create": {
+    engine: "storage",
+    rule: "storage:container_create"
+  },
+  "storage:containers:update": {
+    engine: "storage",
+    rule: "storage:container_update"
+  },
+  "storage:containers:delete": {
+    engine: "storage",
+    rule: "storage:container_delete"
+  },
+  "storage:containers:empty": {
+    engine: "storage",
+    rule: "storage:container_empty"
+  },
+  "storage:containers:manage_acls": {
+    engine: "storage",
+    rule: "storage:container_check_acls"
+  },
+  "storage:containers:read_acls": {
+    engine: "storage",
+    rule: "storage:container_show_access_control"
+  },
+  "storage:containers:update_acls": {
+    engine: "storage",
+    rule: "storage:container_update_access_control"
+  },
+  // Object Operations
+  "storage:objects:read": {
+    engine: "storage",
+    rule: "storage:object_get"
+  },
+  "storage:objects:list": {
+    engine: "storage",
+    rule: "storage:object_list"
+  },
+  "storage:objects:download": {
+    engine: "storage",
+    rule: "storage:object_download"
+  },
+  "storage:objects:create": {
+    engine: "storage",
+    rule: "storage:object_update"
+  },
+  "storage:objects:update": {
+    engine: "storage",
+    rule: "storage:object_update"
+  },
+  "storage:objects:delete": {
+    engine: "storage",
+    rule: "storage:object_delete"
+  },
+  "storage:objects:copy": {
+    engine: "storage",
+    rule: "storage:object_create_copy"
+  },
+  "storage:objects:move": {
+    engine: "storage",
+    rule: "storage:object_move"
+  },
+  // Folder Operations
+  "storage:folders:create_object": {
+    engine: "storage",
+    rule: "storage:folder_create_object"
+  },
+  "storage:folders:create": {
+    engine: "storage",
+    rule: "storage:folder_create_folder"
+  },
+  "storage:folders:delete": {
+    engine: "storage",
+    rule: "storage:folder_delete"
+  }
+};
+var buildStoragePermissionRouter = /* @__PURE__ */ __name((policyDir) => createPermissionRouter({
+  policyDir,
+  engines: {
+    storage: {
+      fileName: "storage.json"
+    }
+  },
+  mappings: STORAGE_MAPPINGS
+}), "buildStoragePermissionRouter");
+
 // src/server/Storage/routers/index.ts
-var objectStorageRouters = {
+var buildObjectStorageRouters = /* @__PURE__ */ __name((policyDir) => ({
   storage: {
     swift: auroraRouter({
       ...swiftRouter
@@ -34431,53 +34857,57 @@ var objectStorageRouters = {
       }),
       versioning: auroraRouter({
         ...versioningRouter
+      }),
+      bucketPolicy: auroraRouter({
+        ...bucketPolicyRouter
       })
-    })
+    }),
+    ...buildStoragePermissionRouter(policyDir)
   }
-};
+}), "buildObjectStorageRouters");
 
 // src/server/Project/routers/projectRouter.ts
-var import_zod18 = require("zod");
-var import_server15 = require("@trpc/server");
+var import_zod19 = require("zod");
+var import_server16 = require("@trpc/server");
 
 // src/server/Project/types/models.ts
-var import_zod17 = require("zod");
-var baseProjectSchema = import_zod17.z.object({
-  id: import_zod17.z.string(),
-  name: import_zod17.z.string(),
-  enabled: import_zod17.z.boolean(),
-  domain_id: import_zod17.z.string().nullable().optional(),
-  parent_id: import_zod17.z.string().nullable().optional(),
-  is_domain: import_zod17.z.boolean().nullable().optional(),
-  tags: import_zod17.z.array(import_zod17.z.string()).nullable().optional(),
-  options: import_zod17.z.record(import_zod17.z.string(), import_zod17.z.string().or(import_zod17.z.boolean())).nullable().optional(),
-  description: import_zod17.z.string().nullable().optional(),
-  links: import_zod17.z.object({
-    self: import_zod17.z.string().url().nullable().optional()
+var import_zod18 = require("zod");
+var baseProjectSchema = import_zod18.z.object({
+  id: import_zod18.z.string(),
+  name: import_zod18.z.string(),
+  enabled: import_zod18.z.boolean(),
+  domain_id: import_zod18.z.string().nullable().optional(),
+  parent_id: import_zod18.z.string().nullable().optional(),
+  is_domain: import_zod18.z.boolean().nullable().optional(),
+  tags: import_zod18.z.array(import_zod18.z.string()).nullable().optional(),
+  options: import_zod18.z.record(import_zod18.z.string(), import_zod18.z.string().or(import_zod18.z.boolean())).nullable().optional(),
+  description: import_zod18.z.string().nullable().optional(),
+  links: import_zod18.z.object({
+    self: import_zod18.z.string().url().nullable().optional()
   }).optional()
 });
 var projectSchema = baseProjectSchema.extend({
-  domain_name: import_zod17.z.string().optional(),
-  parents: import_zod17.z.array(import_zod17.z.object({
+  domain_name: import_zod18.z.string().optional(),
+  parents: import_zod18.z.array(import_zod18.z.object({
     project: baseProjectSchema
   })).optional()
 });
-var projectResponseSchema = import_zod17.z.object({
+var projectResponseSchema = import_zod18.z.object({
   project: projectSchema
 });
-var projectsResponseSchema = import_zod17.z.object({
-  projects: import_zod17.z.array(projectSchema),
-  links: import_zod17.z.object({
-    self: import_zod17.z.string().url().optional(),
-    previous: import_zod17.z.string().url().nullable().optional(),
-    next: import_zod17.z.string().url().nullable().optional()
+var projectsResponseSchema = import_zod18.z.object({
+  projects: import_zod18.z.array(projectSchema),
+  links: import_zod18.z.object({
+    self: import_zod18.z.string().url().optional(),
+    previous: import_zod18.z.string().url().nullable().optional(),
+    next: import_zod18.z.string().url().nullable().optional()
   }).optional()
 });
 
 // src/server/Project/routers/projectRouter.ts
 async function callIdentityAPI(identityEndpoint, authToken, path3) {
   if (!identityEndpoint) {
-    throw new import_server15.TRPCError({
+    throw new import_server16.TRPCError({
       code: "INTERNAL_SERVER_ERROR",
       message: "Identity endpoint not configured"
     });
@@ -34493,7 +34923,7 @@ async function callIdentityAPI(identityEndpoint, authToken, path3) {
     }
   });
   if (!response.ok) {
-    throw new import_server15.TRPCError({
+    throw new import_server16.TRPCError({
       code: "INTERNAL_SERVER_ERROR",
       message: `Identity API call failed: ${response.status} ${response.statusText}`
     });
@@ -34533,14 +34963,14 @@ var projectRouter = {
   */
   getAuthProjects: protectedProcedure.query(async ({ ctx }) => {
     if (!ctx.openstack) {
-      throw new import_server15.TRPCError({
+      throw new import_server16.TRPCError({
         code: "UNAUTHORIZED",
         message: "No authenticated session"
       });
     }
     const token = ctx.openstack.getToken();
     if (!token?.authToken) {
-      throw new import_server15.TRPCError({
+      throw new import_server16.TRPCError({
         code: "UNAUTHORIZED",
         message: "No auth token available"
       });
@@ -34556,10 +34986,10 @@ var projectRouter = {
       return void 0;
     }
     const domainsData = domainsResponse ? await domainsResponse.json().catch(() => null) : null;
-    const domainsResponseSchema = import_zod18.z.object({
-      domains: import_zod18.z.array(import_zod18.z.object({
-        id: import_zod18.z.string(),
-        name: import_zod18.z.string()
+    const domainsResponseSchema = import_zod19.z.object({
+      domains: import_zod19.z.array(import_zod19.z.object({
+        id: import_zod19.z.string(),
+        name: import_zod19.z.string()
       }))
     });
     const parsedDomains = domainsResponseSchema.safeParse(domainsData);
@@ -34579,18 +35009,18 @@ var projectRouter = {
   * filtered by the optional search term. Uses the OpenStack /v3/auth/projects
   * endpoint which works with any valid token.
   */
-  searchProjects: protectedProcedure.input(import_zod18.z.object({
-    search: import_zod18.z.string().optional()
+  searchProjects: protectedProcedure.input(import_zod19.z.object({
+    search: import_zod19.z.string().optional()
   }).optional()).query(async ({ ctx, input }) => {
     if (!ctx.openstack) {
-      throw new import_server15.TRPCError({
+      throw new import_server16.TRPCError({
         code: "UNAUTHORIZED",
         message: "No authenticated session"
       });
     }
     const token = ctx.openstack.getToken();
     if (!token?.authToken) {
-      throw new import_server15.TRPCError({
+      throw new import_server16.TRPCError({
         code: "UNAUTHORIZED",
         message: "No auth token available"
       });
@@ -34633,12 +35063,12 @@ var projectRouter = {
   * If in the future we need to access project-specific resources (compute, network, etc.),
   * we should create a separate procedure using projectScopedProcedure.
   */
-  getProjectById: protectedProcedure.input(import_zod18.z.object({
-    id: import_zod18.z.string()
+  getProjectById: protectedProcedure.input(import_zod19.z.object({
+    id: import_zod19.z.string()
   })).query(async ({ input, ctx }) => {
     const identityService = ctx.openstack?.service("identity");
     if (!ctx.openstack || !identityService) {
-      throw new import_server15.TRPCError({
+      throw new import_server16.TRPCError({
         code: "INTERNAL_SERVER_ERROR",
         message: "Identity service unavailable"
       });
@@ -34660,13 +35090,13 @@ var projectRouters = {
 };
 
 // src/server/helpers/errorHandling.ts
-var import_server16 = require("@trpc/server");
+var import_server17 = require("@trpc/server");
 function wrapError3(error, operation) {
-  if (error instanceof import_server16.TRPCError) {
+  if (error instanceof import_server17.TRPCError) {
     return error;
   }
   const baseErrorMessage = `Error during ${operation}`;
-  return new import_server16.TRPCError({
+  return new import_server17.TRPCError({
     code: "INTERNAL_SERVER_ERROR",
     message: typeof error !== "string" && error.message ? `${baseErrorMessage}: ${error.message}` : baseErrorMessage,
     cause: error
@@ -34706,11 +35136,11 @@ function appendQueryParamsFromObject(source, options) {
 __name(appendQueryParamsFromObject, "appendQueryParamsFromObject");
 
 // src/server/helpers/validateOpenstackService.ts
-var import_server17 = require("@trpc/server");
+var import_server18 = require("@trpc/server");
 var capitalize = /* @__PURE__ */ __name((str) => str.charAt(0).toUpperCase() + str.slice(1), "capitalize");
 function validateOpenstackService(service, serviceName) {
   if (!service) {
-    throw new import_server17.TRPCError({
+    throw new import_server18.TRPCError({
       code: "INTERNAL_SERVER_ERROR",
       message: `${capitalize(serviceName)} service is not available`
     });
@@ -34719,16 +35149,16 @@ function validateOpenstackService(service, serviceName) {
 __name(validateOpenstackService, "validateOpenstackService");
 
 // src/server/Network/types/floatingIp.ts
-var import_zod20 = require("zod");
+var import_zod21 = require("zod");
 
 // src/server/Network/types/index.ts
-var import_zod19 = require("zod");
-var ISO8601TimestampSchema = import_zod19.z.string().brand("ISO8601Timestamp");
-var SortDirSchema = import_zod19.z.enum([
+var import_zod20 = require("zod");
+var ISO8601TimestampSchema = import_zod20.z.string().brand("ISO8601Timestamp");
+var SortDirSchema = import_zod20.z.enum([
   "asc",
   "desc"
 ]);
-var NetworkPortStatusSchema = import_zod19.z.enum([
+var NetworkPortStatusSchema = import_zod20.z.enum([
   "ACTIVE",
   "DOWN",
   "BUILD",
@@ -34736,154 +35166,154 @@ var NetworkPortStatusSchema = import_zod19.z.enum([
 ]);
 
 // src/server/Network/types/floatingIp.ts
-var FloatingIpStatusSchema = import_zod20.z.enum([
+var FloatingIpStatusSchema = import_zod21.z.enum([
   "ACTIVE",
   "DOWN",
   "ERROR"
 ]);
-var PortDetailsSchema = import_zod20.z.object({
+var PortDetailsSchema = import_zod21.z.object({
   /** The status of the port */
   status: FloatingIpStatusSchema,
   /** The name of the port */
-  name: import_zod20.z.string(),
+  name: import_zod21.z.string(),
   /** Administrative state of the port (true = UP, false = DOWN) */
-  admin_state_up: import_zod20.z.boolean(),
+  admin_state_up: import_zod21.z.boolean(),
   /** The ID of the network the port is attached to */
-  network_id: import_zod20.z.string(),
+  network_id: import_zod21.z.string(),
   /** The owner of the port device */
-  device_owner: import_zod20.z.string(),
+  device_owner: import_zod21.z.string(),
   /** The MAC address of the port */
-  mac_address: import_zod20.z.string(),
+  mac_address: import_zod21.z.string(),
   /** The ID of the device the port is attached to */
-  device_id: import_zod20.z.string()
+  device_id: import_zod21.z.string()
 });
-var PortForwardingSchema = import_zod20.z.object({
+var PortForwardingSchema = import_zod21.z.object({
   /** Port forwarding protocol  */
-  protocol: import_zod20.z.enum([
+  protocol: import_zod21.z.enum([
     "tcp",
     "udp"
   ]),
   /** The internal fixed IP address associated with the port forwarding */
-  internal_ip_address: import_zod20.z.string(),
+  internal_ip_address: import_zod21.z.string(),
   /** The internal port number or starting port of the range */
-  internal_port: import_zod20.z.number().optional(),
+  internal_port: import_zod21.z.number().optional(),
   /** The internal port range (e.g., "1024:2048") */
-  internal_port_range: import_zod20.z.string().optional(),
+  internal_port_range: import_zod21.z.string().optional(),
   /** The internal port ID for the port forwarding (requires floating-ip-port-forwarding-detail extension) */
-  internal_port_id: import_zod20.z.string().optional(),
+  internal_port_id: import_zod21.z.string().optional(),
   /** The external port number or starting port of the range */
-  external_port: import_zod20.z.number().optional(),
+  external_port: import_zod21.z.number().optional(),
   /** The external port range (e.g., "8000:9000") */
-  external_port_range: import_zod20.z.string().optional(),
+  external_port_range: import_zod21.z.string().optional(),
   /** The ID of the port forwarding resource */
-  id: import_zod20.z.string(),
+  id: import_zod21.z.string(),
   /** Description of the port forwarding rule (requires floating-ip-port-forwarding-description extension) */
-  description: import_zod20.z.string().nullable().optional()
+  description: import_zod21.z.string().nullable().optional()
 });
-var FloatingIpSchema = import_zod20.z.object({
+var FloatingIpSchema = import_zod21.z.object({
   /** The ID of the router for the floating IP (null if not associated) */
-  router_id: import_zod20.z.string().nullable(),
+  router_id: import_zod21.z.string().nullable(),
   /** A human-readable description for the resource */
-  description: import_zod20.z.string().nullable().optional(),
+  description: import_zod21.z.string().nullable().optional(),
   /** Whether this is a distributed floating IP (requires floating-ip-distributed extension) */
-  distributed: import_zod20.z.boolean().optional(),
+  distributed: import_zod21.z.boolean().optional(),
   /** A valid DNS domain (requires dns-integration extension) */
-  dns_domain: import_zod20.z.string().optional(),
+  dns_domain: import_zod21.z.string().optional(),
   /** A valid DNS name (requires dns-integration extension) */
-  dns_name: import_zod20.z.string().optional(),
+  dns_name: import_zod21.z.string().optional(),
   /** Time at which the resource was created (UTC ISO8601 format, requires standard-attr-timestamp extension) */
   created_at: ISO8601TimestampSchema.optional(),
   /** Time at which the resource was last updated (UTC ISO8601 format, requires standard-attr-timestamp extension) */
   updated_at: ISO8601TimestampSchema.optional(),
   /** The revision number of the resource (set by server, for concurrency control) */
-  revision_number: import_zod20.z.number(),
+  revision_number: import_zod21.z.number(),
   /** The ID of the project that owns the floating IP */
-  project_id: import_zod20.z.string(),
+  project_id: import_zod21.z.string(),
   /** The ID of the tenant (deprecated, use project_id) */
-  tenant_id: import_zod20.z.string(),
+  tenant_id: import_zod21.z.string(),
   /** The ID of the network associated with the floating IP */
-  floating_network_id: import_zod20.z.string(),
+  floating_network_id: import_zod21.z.string(),
   /** The fixed IP address associated with the floating IP (null if not associated) */
-  fixed_ip_address: import_zod20.z.string().nullable(),
+  fixed_ip_address: import_zod21.z.string().nullable(),
   /** The floating IP address */
-  floating_ip_address: import_zod20.z.string(),
+  floating_ip_address: import_zod21.z.string(),
   /** The ID of the port associated with the floating IP (null if not associated) */
-  port_id: import_zod20.z.string().nullable(),
+  port_id: import_zod21.z.string().nullable(),
   /** The ID of the floating IP address */
-  id: import_zod20.z.string(),
+  id: import_zod21.z.string(),
   /** The status of the floating IP */
   status: FloatingIpStatusSchema,
   /** The information of the associated port (null if not associated, requires fip-port-details extension) */
   port_details: PortDetailsSchema.nullable().optional(),
   /** The list of tags on the resource (requires standard-attr-tag extension) */
-  tags: import_zod20.z.array(import_zod20.z.string()).optional(),
+  tags: import_zod21.z.array(import_zod21.z.string()).optional(),
   /** The associated port forwarding resources for the floating IP (requires expose-port-forwarding-in-fip extension) */
-  port_forwardings: import_zod20.z.array(PortForwardingSchema).nullish(),
+  port_forwardings: import_zod21.z.array(PortForwardingSchema).nullish(),
   /** The ID of the QoS policy of the network where this floating IP is plugged (requires qos-fip extension) */
-  qos_network_policy_id: import_zod20.z.string().optional(),
+  qos_network_policy_id: import_zod21.z.string().optional(),
   /** The ID of the QoS policy associated with the floating IP (requires qos extension) */
-  qos_policy_id: import_zod20.z.string().optional()
-});
-var FloatingIpIdInputSchema = import_zod20.z.object({
-  project_id: import_zod20.z.string(),
-  floatingip_id: import_zod20.z.string()
-});
-var FloatingIpCreateRequestSchema = import_zod20.z.object({
-  tenant_id: import_zod20.z.string(),
-  project_id: import_zod20.z.string(),
-  floating_network_id: import_zod20.z.string(),
-  fixed_ip_address: import_zod20.z.string().optional(),
-  floating_ip_address: import_zod20.z.string().optional(),
-  port_id: import_zod20.z.string().optional(),
-  subnet_id: import_zod20.z.string().optional(),
-  distributed: import_zod20.z.boolean().optional(),
-  description: import_zod20.z.string().optional(),
-  dns_domain: import_zod20.z.string().optional(),
-  dns_name: import_zod20.z.string().optional(),
-  qos_policy_id: import_zod20.z.string().optional()
-});
-var FloatingIpUpdateRequestSchema = import_zod20.z.object({
-  project_id: import_zod20.z.string(),
-  floatingip_id: import_zod20.z.string(),
-  port_id: import_zod20.z.string().nullable(),
-  fixed_ip_address: import_zod20.z.string().optional(),
-  description: import_zod20.z.string().optional(),
-  distributed: import_zod20.z.boolean().optional()
-});
-var FloatingIpResponseSchema = import_zod20.z.object({
+  qos_policy_id: import_zod21.z.string().optional()
+});
+var FloatingIpIdInputSchema = import_zod21.z.object({
+  project_id: import_zod21.z.string(),
+  floatingip_id: import_zod21.z.string()
+});
+var FloatingIpCreateRequestSchema = import_zod21.z.object({
+  tenant_id: import_zod21.z.string(),
+  project_id: import_zod21.z.string(),
+  floating_network_id: import_zod21.z.string(),
+  fixed_ip_address: import_zod21.z.string().optional(),
+  floating_ip_address: import_zod21.z.string().optional(),
+  port_id: import_zod21.z.string().optional(),
+  subnet_id: import_zod21.z.string().optional(),
+  distributed: import_zod21.z.boolean().optional(),
+  description: import_zod21.z.string().optional(),
+  dns_domain: import_zod21.z.string().optional(),
+  dns_name: import_zod21.z.string().optional(),
+  qos_policy_id: import_zod21.z.string().optional()
+});
+var FloatingIpUpdateRequestSchema = import_zod21.z.object({
+  project_id: import_zod21.z.string(),
+  floatingip_id: import_zod21.z.string(),
+  port_id: import_zod21.z.string().nullable(),
+  fixed_ip_address: import_zod21.z.string().optional(),
+  description: import_zod21.z.string().optional(),
+  distributed: import_zod21.z.boolean().optional()
+});
+var FloatingIpResponseSchema = import_zod21.z.object({
   floatingip: FloatingIpSchema
 });
-var FloatingIpListResponseSchema = import_zod20.z.object({
+var FloatingIpListResponseSchema = import_zod21.z.object({
   /** A list of floating IP objects */
-  floatingips: import_zod20.z.array(FloatingIpSchema)
+  floatingips: import_zod21.z.array(FloatingIpSchema)
 });
-var FloatingIpQueryParametersSchema = import_zod20.z.object({
+var FloatingIpQueryParametersSchema = import_zod21.z.object({
   /** Project ID for rescoping (required for projectScopedProcedure) */
-  project_id: import_zod20.z.string(),
+  project_id: import_zod21.z.string(),
   /** Filter by the ID of the floating IP */
-  id: import_zod20.z.string().optional(),
+  id: import_zod21.z.string().optional(),
   /** Filter by the ID of the router for the floating IP */
-  router_id: import_zod20.z.string().nullable().optional(),
+  router_id: import_zod21.z.string().nullable().optional(),
   /** Filter by the status of the floating IP */
   status: FloatingIpStatusSchema.optional(),
   /** Filter by the ID of the project that owns the resource */
-  tenant_id: import_zod20.z.string().optional(),
+  tenant_id: import_zod21.z.string().optional(),
   /** Filter by the revision number of the resource */
-  revision_number: import_zod20.z.number().optional(),
+  revision_number: import_zod21.z.number().optional(),
   /** Filter by the human-readable description of the resource */
-  description: import_zod20.z.string().nullable().optional(),
+  description: import_zod21.z.string().nullable().optional(),
   /** Filter by the ID of the network associated with the floating IP */
-  floating_network_id: import_zod20.z.string().optional(),
+  floating_network_id: import_zod21.z.string().optional(),
   /** Filter by the fixed IP address associated with the floating IP */
-  fixed_ip_address: import_zod20.z.string().optional(),
+  fixed_ip_address: import_zod21.z.string().optional(),
   /** Filter by the floating IP address */
-  floating_ip_address: import_zod20.z.string().optional(),
+  floating_ip_address: import_zod21.z.string().optional(),
   /** Filter by the ID of a port associated with the floating IP */
-  port_id: import_zod20.z.string().nullable().optional(),
+  port_id: import_zod21.z.string().nullable().optional(),
   /** Sort direction (asc or desc) */
   sort_dir: SortDirSchema.optional(),
   /** Sort key - valid keys: fixed_ip_address, floating_ip_address, floating_network_id, id, router_id, status, tenant_id, project_id */
-  sort_key: import_zod20.z.enum([
+  sort_key: import_zod21.z.enum([
     "fixed_ip_address",
     "floating_ip_address",
     "floating_network_id",
@@ -34894,80 +35324,80 @@ var FloatingIpQueryParametersSchema = import_zod20.z.object({
     "project_id"
   ]).optional(),
   /** Filter by tags (comma-separated, resources must match all tags) -  requires standard-attr-tag extension */
-  tags: import_zod20.z.array(import_zod20.z.string()).optional(),
+  tags: import_zod21.z.array(import_zod21.z.string()).optional(),
   /** Filter by tags with OR logic (comma-separated, resources match any tag) */
-  "tags-any": import_zod20.z.string().optional(),
+  "tags-any": import_zod21.z.string().optional(),
   /** Exclude resources with these tags (comma-separated, resources must match all excluded tags) */
-  "not-tags": import_zod20.z.string().optional(),
+  "not-tags": import_zod21.z.string().optional(),
   /** Exclude resources with these tags using OR logic (comma-separated, resources match any excluded tag) */
-  "not-tags-any": import_zod20.z.string().optional(),
+  "not-tags-any": import_zod21.z.string().optional(),
   /** Specific fields to return (can be repeated) */
-  fields: import_zod20.z.union([
-    import_zod20.z.string(),
-    import_zod20.z.array(import_zod20.z.string())
+  fields: import_zod21.z.union([
+    import_zod21.z.string(),
+    import_zod21.z.array(import_zod21.z.string())
   ]).optional(),
   /** Pagination limit */
-  limit: import_zod20.z.number().optional(),
+  limit: import_zod21.z.number().optional(),
   /** Pagination marker (ID of the last item in the previous list) */
-  marker: import_zod20.z.string().optional(),
+  marker: import_zod21.z.string().optional(),
   /** Pagination direction (false = ascending, true = descending) */
-  page_reverse: import_zod20.z.boolean().optional(),
+  page_reverse: import_zod21.z.boolean().optional(),
   // BFF-side search (filtered in BFF layer, not sent to OpenStack)
-  searchTerm: import_zod20.z.string().optional()
-});
-var ExternalNetworksQuerySchema = import_zod20.z.object({
-  project_id: import_zod20.z.string(),
-  "router:external": import_zod20.z.literal(true).default(true)
-});
-var ExternalNetworkSchema = import_zod20.z.object({
-  id: import_zod20.z.string(),
-  name: import_zod20.z.string(),
-  project_id: import_zod20.z.string(),
-  "router:external": import_zod20.z.boolean().optional(),
-  shared: import_zod20.z.boolean(),
+  searchTerm: import_zod21.z.string().optional()
+});
+var ExternalNetworksQuerySchema = import_zod21.z.object({
+  project_id: import_zod21.z.string(),
+  "router:external": import_zod21.z.literal(true).default(true)
+});
+var ExternalNetworkSchema = import_zod21.z.object({
+  id: import_zod21.z.string(),
+  name: import_zod21.z.string(),
+  project_id: import_zod21.z.string(),
+  "router:external": import_zod21.z.boolean().optional(),
+  shared: import_zod21.z.boolean(),
   status: NetworkPortStatusSchema,
   updated_at: ISO8601TimestampSchema.optional(),
-  is_default: import_zod20.z.boolean().optional()
+  is_default: import_zod21.z.boolean().optional()
 });
-var ExternalNetworksResponseSchema = import_zod20.z.object({
-  networks: import_zod20.z.array(ExternalNetworkSchema)
+var ExternalNetworksResponseSchema = import_zod21.z.object({
+  networks: import_zod21.z.array(ExternalNetworkSchema)
 });
-var DnsDomainSchema = import_zod20.z.object({
-  id: import_zod20.z.string(),
-  name: import_zod20.z.string()
+var DnsDomainSchema = import_zod21.z.object({
+  id: import_zod21.z.string(),
+  name: import_zod21.z.string()
 });
-var DnsDomainResponseSchema = import_zod20.z.object({
-  zones: import_zod20.z.array(DnsDomainSchema)
+var DnsDomainResponseSchema = import_zod21.z.object({
+  zones: import_zod21.z.array(DnsDomainSchema)
 });
-var AvailablePortsQuerySchema = import_zod20.z.object({
-  project_id: import_zod20.z.string(),
+var AvailablePortsQuerySchema = import_zod21.z.object({
+  project_id: import_zod21.z.string(),
   /** Only ACTIVE ports are eligible for floating IP association */
-  status: import_zod20.z.literal("ACTIVE").default("ACTIVE"),
+  status: import_zod21.z.literal("ACTIVE").default("ACTIVE"),
   /** Only administratively UP ports are eligible for floating IP association */
-  admin_state_up: import_zod20.z.literal(true).default(true)
+  admin_state_up: import_zod21.z.literal(true).default(true)
 });
-var AvailablePortSchema = import_zod20.z.object({
+var AvailablePortSchema = import_zod21.z.object({
   /** The ID of the port */
-  id: import_zod20.z.string(),
+  id: import_zod21.z.string(),
   /** Human-readable name of the port */
-  name: import_zod20.z.string().nullable().optional(),
+  name: import_zod21.z.string().nullable().optional(),
   /** List of fixed IPs assigned to the port, each entry pairs an IP address with its subnet. */
-  fixed_ips: import_zod20.z.array(import_zod20.z.object({
+  fixed_ips: import_zod21.z.array(import_zod21.z.object({
     /** The fixed IP address assigned to the port */
-    ip_address: import_zod20.z.string(),
+    ip_address: import_zod21.z.string(),
     /** The ID of the subnet the IP belongs to */
-    subnet_id: import_zod20.z.string().optional()
+    subnet_id: import_zod21.z.string().optional()
   })).optional()
 });
-var AvailablePortsResponseSchema = import_zod20.z.object({
-  ports: import_zod20.z.array(AvailablePortSchema)
+var AvailablePortsResponseSchema = import_zod21.z.object({
+  ports: import_zod21.z.array(AvailablePortSchema)
 });
 
 // src/server/Network/helpers/errorHandling.ts
-var import_server19 = require("@trpc/server");
+var import_server20 = require("@trpc/server");
 
 // src/server/Network/helpers/index.ts
-var import_server18 = require("@trpc/server");
+var import_server19 = require("@trpc/server");
 var HTTP_STATUS_ERROR_MAP = {
   400: "BAD_REQUEST",
   401: "UNAUTHORIZED",
@@ -34987,7 +35417,7 @@ var parseOrThrow = /* @__PURE__ */ __name((schema, data, context) => {
   const parsed = schema.safeParse(data);
   if (!parsed.success) {
     console.error(`Zod Parsing Error in ${context}:`, parsed.error.issues);
-    throw new import_server18.TRPCError({
+    throw new import_server19.TRPCError({
       code: "PARSE_ERROR",
       message: `Failed to parse response in ${context}`
     });
@@ -34997,27 +35427,27 @@ var parseOrThrow = /* @__PURE__ */ __name((schema, data, context) => {
 
 // src/server/Network/helpers/errorHandling.ts
 var DEFAULT_HANDLERS = {
-  400: (response, resourceLabel) => new import_server19.TRPCError({
+  400: (response, resourceLabel) => new import_server20.TRPCError({
     code: HTTP_STATUS_ERROR_MAP[400],
     message: `Invalid request data for ${resourceLabel}: ${response.statusText || "Unknown error"}`
   }),
-  401: (response, resourceLabel) => new import_server19.TRPCError({
+  401: (response, resourceLabel) => new import_server20.TRPCError({
     code: HTTP_STATUS_ERROR_MAP[401],
     message: `Unauthorized access to ${resourceLabel}: ${response.statusText || "Unknown error"}`
   }),
-  403: (response, resourceLabel) => new import_server19.TRPCError({
+  403: (response, resourceLabel) => new import_server20.TRPCError({
     code: HTTP_STATUS_ERROR_MAP[403],
     message: `Access forbidden to ${resourceLabel}: ${response.statusText || "Unknown error"}`
   }),
-  404: (response, resourceLabel) => new import_server19.TRPCError({
+  404: (response, resourceLabel) => new import_server20.TRPCError({
     code: HTTP_STATUS_ERROR_MAP[404],
     message: `${resourceLabel} not found: ${response.statusText || "Unknown error"}`
   }),
-  409: (response, resourceLabel) => new import_server19.TRPCError({
+  409: (response, resourceLabel) => new import_server20.TRPCError({
     code: HTTP_STATUS_ERROR_MAP[409],
     message: `Conflict - ${resourceLabel} is in use: ${response.statusText || "Unknown error"}`
   }),
-  412: (response, resourceLabel) => new import_server19.TRPCError({
+  412: (response, resourceLabel) => new import_server20.TRPCError({
     code: HTTP_STATUS_ERROR_MAP[412],
     message: `Precondition failed - revision number mismatch in ${resourceLabel}: ${response.statusText || "Unknown error"}`
   })
@@ -35032,7 +35462,7 @@ var ErrorHandler = /* @__PURE__ */ __name((resourceName, customHandlers) => {
     if (response.status && handlers[response.status]) {
       return handlers[response.status](response, resourceLabel);
     }
-    return new import_server19.TRPCError({
+    return new import_server20.TRPCError({
       code: DEFAULT_ERROR_NAME,
       message: `Failed to process ${resourceLabel}: ${response.statusText || "Unknown error"}`
     });
@@ -35207,114 +35637,114 @@ var floatingIpRouter = {
 };
 
 // src/server/Network/types/securityGroup.ts
-var import_zod21 = require("zod");
-var securityGroupRuleSchema = import_zod21.z.object({
-  id: import_zod21.z.string(),
-  direction: import_zod21.z.enum([
+var import_zod22 = require("zod");
+var securityGroupRuleSchema = import_zod22.z.object({
+  id: import_zod22.z.string(),
+  direction: import_zod22.z.enum([
     "ingress",
     "egress"
   ]).optional(),
-  ethertype: import_zod21.z.enum([
+  ethertype: import_zod22.z.enum([
     "IPv4",
     "IPv6"
   ]).optional(),
-  description: import_zod21.z.string().nullable().optional(),
-  security_group_id: import_zod21.z.string().optional(),
-  protocol: import_zod21.z.string().nullable().optional(),
-  port_range_min: import_zod21.z.number().nullable().optional(),
-  port_range_max: import_zod21.z.number().nullable().optional(),
-  remote_ip_prefix: import_zod21.z.string().nullable().optional(),
-  remote_group_id: import_zod21.z.string().nullable().optional(),
-  remote_address_group_id: import_zod21.z.string().nullable().optional(),
-  tenant_id: import_zod21.z.string().nullable().optional(),
-  project_id: import_zod21.z.string().nullable().optional(),
-  revision_number: import_zod21.z.number().optional(),
-  tags: import_zod21.z.array(import_zod21.z.string()).optional(),
-  created_at: import_zod21.z.string().optional(),
-  updated_at: import_zod21.z.string().nullable().optional()
-});
-var securityGroupSchema = import_zod21.z.object({
-  id: import_zod21.z.string(),
-  name: import_zod21.z.string().nullable().optional(),
-  description: import_zod21.z.string().nullable().optional(),
-  tenant_id: import_zod21.z.string().nullable().optional(),
-  project_id: import_zod21.z.string().nullable().optional(),
-  stateful: import_zod21.z.boolean().optional(),
-  shared: import_zod21.z.boolean().optional(),
-  tags: import_zod21.z.array(import_zod21.z.string()).optional(),
-  security_group_rules: import_zod21.z.array(securityGroupRuleSchema).optional(),
-  revision_number: import_zod21.z.number().optional(),
-  created_at: import_zod21.z.string().optional(),
-  updated_at: import_zod21.z.string().nullable().optional()
-});
-var securityGroupsResponseSchema = import_zod21.z.object({
-  security_groups: import_zod21.z.array(securityGroupSchema)
+  description: import_zod22.z.string().nullable().optional(),
+  security_group_id: import_zod22.z.string().optional(),
+  protocol: import_zod22.z.string().nullable().optional(),
+  port_range_min: import_zod22.z.number().nullable().optional(),
+  port_range_max: import_zod22.z.number().nullable().optional(),
+  remote_ip_prefix: import_zod22.z.string().nullable().optional(),
+  remote_group_id: import_zod22.z.string().nullable().optional(),
+  remote_address_group_id: import_zod22.z.string().nullable().optional(),
+  tenant_id: import_zod22.z.string().nullable().optional(),
+  project_id: import_zod22.z.string().nullable().optional(),
+  revision_number: import_zod22.z.number().optional(),
+  tags: import_zod22.z.array(import_zod22.z.string()).optional(),
+  created_at: import_zod22.z.string().optional(),
+  updated_at: import_zod22.z.string().nullable().optional()
 });
-var securityGroupResponseSchema = import_zod21.z.object({
+var securityGroupSchema = import_zod22.z.object({
+  id: import_zod22.z.string(),
+  name: import_zod22.z.string().nullable().optional(),
+  description: import_zod22.z.string().nullable().optional(),
+  tenant_id: import_zod22.z.string().nullable().optional(),
+  project_id: import_zod22.z.string().nullable().optional(),
+  stateful: import_zod22.z.boolean().optional(),
+  shared: import_zod22.z.boolean().optional(),
+  tags: import_zod22.z.array(import_zod22.z.string()).optional(),
+  security_group_rules: import_zod22.z.array(securityGroupRuleSchema).optional(),
+  revision_number: import_zod22.z.number().optional(),
+  created_at: import_zod22.z.string().optional(),
+  updated_at: import_zod22.z.string().nullable().optional()
+});
+var securityGroupsResponseSchema = import_zod22.z.object({
+  security_groups: import_zod22.z.array(securityGroupSchema)
+});
+var securityGroupResponseSchema = import_zod22.z.object({
   security_group: securityGroupSchema
 });
-var securityGroupRuleResponseSchema = import_zod21.z.object({
+var securityGroupRuleResponseSchema = import_zod22.z.object({
   security_group_rule: securityGroupRuleSchema
 });
 var listSecurityGroupsInputSchema = projectScopedInputSchema.extend({
   // Sorting
-  sort_key: import_zod21.z.string().optional(),
+  sort_key: import_zod22.z.string().optional(),
   sort_dir: SortDirSchema.optional(),
   // Basic filtering
-  name: import_zod21.z.string().optional(),
-  description: import_zod21.z.string().optional(),
-  tenant_id: import_zod21.z.string().optional(),
-  shared: import_zod21.z.boolean().optional(),
+  name: import_zod22.z.string().optional(),
+  description: import_zod22.z.string().optional(),
+  tenant_id: import_zod22.z.string().optional(),
+  shared: import_zod22.z.boolean().optional(),
   // Tag-based filtering (string values follow Neutron semantics)
-  tags: import_zod21.z.string().optional(),
-  tags_any: import_zod21.z.string().optional(),
-  not_tags: import_zod21.z.string().optional(),
-  not_tags_any: import_zod21.z.string().optional(),
+  tags: import_zod22.z.string().optional(),
+  tags_any: import_zod22.z.string().optional(),
+  not_tags: import_zod22.z.string().optional(),
+  not_tags_any: import_zod22.z.string().optional(),
   // BFF-side search (filtered in BFF layer, not sent to OpenStack)
-  searchTerm: import_zod21.z.string().optional()
+  searchTerm: import_zod22.z.string().optional()
 });
 var getSecurityGroupByIdInputSchema = projectScopedInputSchema.extend({
-  securityGroupId: import_zod21.z.string()
+  securityGroupId: import_zod22.z.string()
 });
 var createSecurityGroupInputSchema = projectScopedInputSchema.extend({
-  name: import_zod21.z.string().min(1, "Name is required"),
-  description: import_zod21.z.string().optional(),
-  stateful: import_zod21.z.boolean().optional()
+  name: import_zod22.z.string().min(1, "Name is required"),
+  description: import_zod22.z.string().optional(),
+  stateful: import_zod22.z.boolean().optional()
 });
 var deleteSecurityGroupInputSchema = projectScopedInputSchema.extend({
-  securityGroupId: import_zod21.z.string()
+  securityGroupId: import_zod22.z.string()
 });
 var updateSecurityGroupInputSchema = projectScopedInputSchema.extend({
-  securityGroupId: import_zod21.z.string(),
-  name: import_zod21.z.string().min(1, "Name is required").optional(),
-  description: import_zod21.z.string().optional(),
-  stateful: import_zod21.z.boolean().optional()
+  securityGroupId: import_zod22.z.string(),
+  name: import_zod22.z.string().min(1, "Name is required").optional(),
+  description: import_zod22.z.string().optional(),
+  stateful: import_zod22.z.boolean().optional()
 });
 var deleteSecurityGroupRuleInputSchema = projectScopedInputSchema.extend({
-  ruleId: import_zod21.z.string()
+  ruleId: import_zod22.z.string()
 });
 var createSecurityGroupRuleInputSchema = projectScopedInputSchema.extend({
-  security_group_id: import_zod21.z.string(),
-  direction: import_zod21.z.enum([
+  security_group_id: import_zod22.z.string(),
+  direction: import_zod22.z.enum([
     "ingress",
     "egress"
   ]),
-  ethertype: import_zod21.z.enum([
+  ethertype: import_zod22.z.enum([
     "IPv4",
     "IPv6"
   ]).default("IPv4"),
-  description: import_zod21.z.string().optional(),
-  protocol: import_zod21.z.string().nullable().optional(),
-  port_range_min: import_zod21.z.number().int().max(65535).nullable().optional(),
-  port_range_max: import_zod21.z.number().int().max(65535).nullable().optional(),
+  description: import_zod22.z.string().optional(),
+  protocol: import_zod22.z.string().nullable().optional(),
+  port_range_min: import_zod22.z.number().int().max(65535).nullable().optional(),
+  port_range_max: import_zod22.z.number().int().max(65535).nullable().optional(),
   // Transform empty strings to undefined for proper validation
-  remote_ip_prefix: import_zod21.z.string().nullable().optional().transform((val) => val === "" ? void 0 : val),
-  remote_group_id: import_zod21.z.string().nullable().optional().transform((val) => val === "" ? void 0 : val),
-  remote_address_group_id: import_zod21.z.string().nullable().optional().transform((val) => val === "" ? void 0 : val)
+  remote_ip_prefix: import_zod22.z.string().nullable().optional().transform((val) => val === "" ? void 0 : val),
+  remote_group_id: import_zod22.z.string().nullable().optional().transform((val) => val === "" ? void 0 : val),
+  remote_address_group_id: import_zod22.z.string().nullable().optional().transform((val) => val === "" ? void 0 : val)
 });
 
 // src/server/Network/helpers/securityGroupHelpers.ts
-var import_server20 = require("@trpc/server");
+var import_server21 = require("@trpc/server");
 var SecurityGroupErrorHandlers = {
   /**
   * Handles errors specific to security group list operations
@@ -35324,17 +35754,17 @@ var SecurityGroupErrorHandlers = {
   list: /* @__PURE__ */ __name((response) => {
     switch (response.status) {
       case 401:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[401],
           message: "Unauthorized access"
         });
       case 403:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[403],
           message: `Access forbidden: ${response.statusText || "Unknown error"}`
         });
       default:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: DEFAULT_ERROR_NAME,
           message: `Failed to list security groups: ${response.statusText || "Unknown error"}`
         });
@@ -35349,22 +35779,22 @@ var SecurityGroupErrorHandlers = {
   getById: /* @__PURE__ */ __name((response, securityGroupId) => {
     switch (response.status) {
       case 401:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[401],
           message: "Unauthorized access"
         });
       case 403:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[403],
           message: `Access forbidden: ${response.statusText || "Unknown error"}`
         });
       case 404:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[404],
           message: `Security group not found: ${securityGroupId}`
         });
       default:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: DEFAULT_ERROR_NAME,
           message: `Failed to fetch security group: ${response.statusText || "Unknown error"}`
         });
@@ -35378,32 +35808,32 @@ var SecurityGroupErrorHandlers = {
   create: /* @__PURE__ */ __name((response) => {
     switch (response.status) {
       case 401:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[401],
           message: "Unauthorized access"
         });
       case 403:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[403],
           message: `Access forbidden: ${response.statusText || "Unknown error"}`
         });
       case 409:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[409],
           message: `Conflict: ${response.statusText || "Security group already exists"}`
         });
       case 413:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: "BAD_REQUEST",
           message: `Quota exceeded for security groups. Please delete an existing security group or contact your administrator to increase your quota.`
         });
       case 400:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: "BAD_REQUEST",
           message: `Invalid request: ${response.statusText || "Unknown error"}`
         });
       default:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: "INTERNAL_SERVER_ERROR",
           message: `Failed to create security group: ${response.statusText || "Unknown error"}`
         });
@@ -35418,22 +35848,22 @@ var SecurityGroupErrorHandlers = {
   delete: /* @__PURE__ */ __name((response, securityGroupId) => {
     switch (response.status) {
       case 401:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[401],
           message: "Unauthorized access"
         });
       case 404:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[404],
           message: `Security group not found: ${securityGroupId}`
         });
       case 409:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[409],
           message: "Cannot delete security group because it is in use by one or more ports. Please remove all associations before deleting."
         });
       default:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: DEFAULT_ERROR_NAME,
           message: `Failed to delete security group: ${response.statusText || "Unknown error"}`
         });
@@ -35448,39 +35878,39 @@ var SecurityGroupErrorHandlers = {
   update: /* @__PURE__ */ __name((response, securityGroupId) => {
     const errorMessage = response.statusText || "";
     if (errorMessage.toLowerCase().includes("stateful") && errorMessage.toLowerCase().includes("in use")) {
-      return new import_server20.TRPCError({
+      return new import_server21.TRPCError({
         code: "CONFLICT",
         message: "Cannot update the 'stateful' attribute because this security group is in use by one or more ports."
       });
     }
     switch (response.status) {
       case 401:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[401],
           message: "Unauthorized access"
         });
       case 403:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[403],
           message: `Access forbidden: ${errorMessage || "Unknown error"}`
         });
       case 404:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[404],
           message: `Security group not found: ${securityGroupId}`
         });
       case 409:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[409],
           message: `Conflict: ${errorMessage || "Security group conflict"}`
         });
       case 400:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[400],
           message: `Invalid request: ${errorMessage || "Unknown error"}`
         });
       default:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: DEFAULT_ERROR_NAME,
           message: `Failed to update security group: ${errorMessage || "Unknown error"}`
         });
@@ -35498,48 +35928,48 @@ var SecurityGroupRuleErrorHandlers = {
     switch (response.status) {
       case 400:
         if (statusText.toLowerCase().includes("cidr")) {
-          return new import_server20.TRPCError({
+          return new import_server21.TRPCError({
             code: "BAD_REQUEST",
             message: "Invalid CIDR format. Please provide a valid IP address block (e.g., 0.0.0.0/0)"
           });
         }
         if (statusText.toLowerCase().includes("port")) {
-          return new import_server20.TRPCError({
+          return new import_server21.TRPCError({
             code: "BAD_REQUEST",
             message: "Invalid port range. Ports must be between 1 and 65535, and min must be <= max"
           });
         }
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: "BAD_REQUEST",
           message: `Invalid request: ${statusText}`
         });
       case 401:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: "UNAUTHORIZED",
           message: "Unauthorized access"
         });
       case 403:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: "FORBIDDEN",
           message: `Access forbidden: ${statusText}`
         });
       case 404:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: "NOT_FOUND",
           message: "Security group not found"
         });
       case 409:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: "CONFLICT",
           message: "A rule with these parameters already exists in this security group"
         });
       case 413:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: "BAD_REQUEST",
           message: "Quota exceeded for security group rules. Please delete existing rules or contact your administrator."
         });
       default:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: "INTERNAL_SERVER_ERROR",
           message: `Failed to create security group rule: ${statusText}`
         });
@@ -35558,22 +35988,22 @@ var SecurityGroupRuleErrorHandlers = {
   delete: /* @__PURE__ */ __name((response, ruleId) => {
     switch (response.status) {
       case 401:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: "UNAUTHORIZED",
           message: "Unauthorized access"
         });
       case 404:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: "NOT_FOUND",
           message: `Security group rule not found: ${ruleId}`
         });
       case 412:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: "PRECONDITION_FAILED",
           message: `Cannot delete security group rule: precondition failed`
         });
       default:
-        return new import_server20.TRPCError({
+        return new import_server21.TRPCError({
           code: "INTERNAL_SERVER_ERROR",
           message: `Failed to delete security group rule: ${response.statusText || "Unknown error"}`
         });
@@ -35584,7 +36014,7 @@ var parseOpenStackResponse = /* @__PURE__ */ __name((data, schema, operation, er
   const parsed = schema.safeParse(data);
   if (!parsed.success) {
     console.error(`Zod Parsing Error in ${operation}:`, parsed.error.format());
-    throw new import_server20.TRPCError({
+    throw new import_server21.TRPCError({
       code: "INTERNAL_SERVER_ERROR",
       message: errorMessage
     });
@@ -35828,46 +36258,46 @@ var securityGroupRuleRouter = {
 };
 
 // src/server/Network/types/rbacPolicy.ts
-var import_zod22 = require("zod");
-var rbacPolicySchema = import_zod22.z.object({
-  id: import_zod22.z.string(),
-  object_type: import_zod22.z.enum([
+var import_zod23 = require("zod");
+var rbacPolicySchema = import_zod23.z.object({
+  id: import_zod23.z.string(),
+  object_type: import_zod23.z.enum([
     "qos_policy",
     "network",
     "security_group"
   ]),
-  object_id: import_zod22.z.string(),
-  action: import_zod22.z.enum([
+  object_id: import_zod23.z.string(),
+  action: import_zod23.z.enum([
     "access_as_shared",
     "access_as_external"
   ]),
-  target_tenant: import_zod22.z.string(),
-  tenant_id: import_zod22.z.string().nullable().optional(),
-  project_id: import_zod22.z.string().nullable().optional()
+  target_tenant: import_zod23.z.string(),
+  tenant_id: import_zod23.z.string().nullable().optional(),
+  project_id: import_zod23.z.string().nullable().optional()
 });
-var rbacPoliciesResponseSchema = import_zod22.z.object({
-  rbac_policies: import_zod22.z.array(rbacPolicySchema)
+var rbacPoliciesResponseSchema = import_zod23.z.object({
+  rbac_policies: import_zod23.z.array(rbacPolicySchema)
 });
-var rbacPolicyResponseSchema = import_zod22.z.object({
+var rbacPolicyResponseSchema = import_zod23.z.object({
   rbac_policy: rbacPolicySchema
 });
 var listRBACPoliciesForSecurityGroupInputSchema = projectScopedInputSchema.extend({
-  securityGroupId: import_zod22.z.string()
+  securityGroupId: import_zod23.z.string()
 });
 var createRBACPolicyInputSchema = projectScopedInputSchema.extend({
-  securityGroupId: import_zod22.z.string(),
-  targetTenant: import_zod22.z.string().trim().min(1, "Target project ID is required")
+  securityGroupId: import_zod23.z.string(),
+  targetTenant: import_zod23.z.string().trim().min(1, "Target project ID is required")
 });
 var updateRBACPolicyInputSchema = projectScopedInputSchema.extend({
-  policyId: import_zod22.z.string(),
-  targetTenant: import_zod22.z.string().trim().min(1, "Target project ID is required")
+  policyId: import_zod23.z.string(),
+  targetTenant: import_zod23.z.string().trim().min(1, "Target project ID is required")
 });
 var deleteRBACPolicyInputSchema = projectScopedInputSchema.extend({
-  policyId: import_zod22.z.string()
+  policyId: import_zod23.z.string()
 });
 
 // src/server/Network/helpers/rbacPolicyHelpers.ts
-var import_server21 = require("@trpc/server");
+var import_server22 = require("@trpc/server");
 var RBACPolicyErrorHandlers = {
   /**
   * Handles errors specific to RBAC policy list operations
@@ -35877,17 +36307,17 @@ var RBACPolicyErrorHandlers = {
   list: /* @__PURE__ */ __name((response) => {
     switch (response.status) {
       case 401:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[401],
           message: "Unauthorized access"
         });
       case 403:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[403],
           message: `Access forbidden: ${response.statusText || "Unknown error"}`
         });
       default:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: DEFAULT_ERROR_NAME,
           message: `Failed to list RBAC policies: ${response.statusText || "Unknown error"}`
         });
@@ -35901,32 +36331,32 @@ var RBACPolicyErrorHandlers = {
   create: /* @__PURE__ */ __name((response) => {
     switch (response.status) {
       case 400:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[400],
           message: `Invalid request: ${response.statusText || "Unknown error"}`
         });
       case 401:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[401],
           message: "Unauthorized access"
         });
       case 403:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[403],
           message: "You don't have permission to share this security group"
         });
       case 404:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[404],
           message: "Security group not found or target project does not exist"
         });
       case 409:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[409],
           message: "This security group is already shared with the specified project"
         });
       default:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: "INTERNAL_SERVER_ERROR",
           message: `Failed to create RBAC policy: ${response.statusText || "Unknown error"}`
         });
@@ -35941,27 +36371,27 @@ var RBACPolicyErrorHandlers = {
   update: /* @__PURE__ */ __name((response, policyId) => {
     switch (response.status) {
       case 400:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[400],
           message: `Invalid request: ${response.statusText || "Unknown error"}`
         });
       case 401:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[401],
           message: "Unauthorized access"
         });
       case 403:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[403],
           message: `Access forbidden: ${response.statusText || "Unknown error"}`
         });
       case 404:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[404],
           message: `RBAC policy not found: ${policyId}`
         });
       default:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: "INTERNAL_SERVER_ERROR",
           message: `Failed to update RBAC policy: ${response.statusText || "Unknown error"}`
         });
@@ -35976,22 +36406,22 @@ var RBACPolicyErrorHandlers = {
   delete: /* @__PURE__ */ __name((response, policyId) => {
     switch (response.status) {
       case 401:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[401],
           message: "Unauthorized access"
         });
       case 404:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[404],
           message: `RBAC policy not found: ${policyId}`
         });
       case 409:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: HTTP_STATUS_ERROR_MAP[409],
           message: "Cannot delete RBAC policy because it is in use"
         });
       default:
-        return new import_server21.TRPCError({
+        return new import_server22.TRPCError({
           code: DEFAULT_ERROR_NAME,
           message: `Failed to delete RBAC policy: ${response.statusText || "Unknown error"}`
         });
@@ -36002,7 +36432,7 @@ var parseOpenStackResponse2 = /* @__PURE__ */ __name((data, schema, operation, e
   const parsed = schema.safeParse(data);
   if (!parsed.success) {
     console.error(`Zod Parsing Error in ${operation}:`, parsed.error.format());
-    throw new import_server21.TRPCError({
+    throw new import_server22.TRPCError({
       code: "INTERNAL_SERVER_ERROR",
       message: errorMessage
     });
@@ -36089,125 +36519,344 @@ var rbacPolicyRouter = {
   })
 };
 
+// src/server/Network/routers/permissionRouter.ts
+var NETWORK_MAPPINGS = {
+  // Network Operations
+  "network:networks:read": {
+    engine: "network",
+    rule: "get_network"
+  },
+  "network:networks:list": {
+    engine: "network",
+    rule: "get_network"
+  },
+  "network:networks:create": {
+    engine: "network",
+    rule: "create_network"
+  },
+  "network:networks:update": {
+    engine: "network",
+    rule: "update_network"
+  },
+  "network:networks:delete": {
+    engine: "network",
+    rule: "delete_network"
+  },
+  // Subnet Operations
+  "network:subnets:read": {
+    engine: "network",
+    rule: "get_subnet"
+  },
+  "network:subnets:list": {
+    engine: "network",
+    rule: "get_subnet"
+  },
+  "network:subnets:create": {
+    engine: "network",
+    rule: "create_subnet"
+  },
+  "network:subnets:update": {
+    engine: "network",
+    rule: "update_subnet"
+  },
+  "network:subnets:delete": {
+    engine: "network",
+    rule: "delete_subnet"
+  },
+  // Subnet Pool Operations
+  "network:subnet_pools:read": {
+    engine: "network",
+    rule: "get_subnetpool"
+  },
+  "network:subnet_pools:list": {
+    engine: "network",
+    rule: "get_subnetpool"
+  },
+  "network:subnet_pools:create": {
+    engine: "network",
+    rule: "create_subnetpool"
+  },
+  "network:subnet_pools:update": {
+    engine: "network",
+    rule: "update_subnetpool"
+  },
+  "network:subnet_pools:delete": {
+    engine: "network",
+    rule: "delete_subnetpool"
+  },
+  // Router Operations
+  "network:routers:read": {
+    engine: "network",
+    rule: "get_router"
+  },
+  "network:routers:list": {
+    engine: "network",
+    rule: "get_router"
+  },
+  "network:routers:create": {
+    engine: "network",
+    rule: "create_router"
+  },
+  "network:routers:update": {
+    engine: "network",
+    rule: "update_router"
+  },
+  "network:routers:delete": {
+    engine: "network",
+    rule: "delete_router"
+  },
+  "network:routers:attach_interface": {
+    engine: "network",
+    rule: "add_router_interface"
+  },
+  "network:routers:detach_interface": {
+    engine: "network",
+    rule: "remove_router_interface"
+  },
+  // Floating IP Operations
+  "network:floatingips:read": {
+    engine: "network",
+    rule: "get_floatingip"
+  },
+  "network:floatingips:list": {
+    engine: "network",
+    rule: "get_floatingip"
+  },
+  "network:floatingips:create": {
+    engine: "network",
+    rule: "create_floatingip"
+  },
+  "network:floatingips:update": {
+    engine: "network",
+    rule: "update_floatingip"
+  },
+  "network:floatingips:delete": {
+    engine: "network",
+    rule: "delete_floatingip"
+  },
+  "network:floatingips:associate": {
+    engine: "network",
+    rule: "update_floatingip"
+  },
+  "network:floatingips:disassociate": {
+    engine: "network",
+    rule: "update_floatingip"
+  },
+  // Security Group Operations
+  "network:security_groups:read": {
+    engine: "network",
+    rule: "get_security_group"
+  },
+  "network:security_groups:list": {
+    engine: "network",
+    rule: "get_security_groups"
+  },
+  "network:security_groups:create": {
+    engine: "network",
+    rule: "create_security_group"
+  },
+  "network:security_groups:update": {
+    engine: "network",
+    rule: "update_security_group"
+  },
+  "network:security_groups:delete": {
+    engine: "network",
+    rule: "delete_security_group"
+  },
+  // Security Group Rule Operations
+  "network:security_group_rules:read": {
+    engine: "network",
+    rule: "get_security_group_rule"
+  },
+  "network:security_group_rules:list": {
+    engine: "network",
+    rule: "get_security_group_rules"
+  },
+  "network:security_group_rules:create": {
+    engine: "network",
+    rule: "create_security_group_rule"
+  },
+  "network:security_group_rules:update": {
+    engine: "network",
+    rule: "update_security_group_rule"
+  },
+  "network:security_group_rules:delete": {
+    engine: "network",
+    rule: "delete_security_group_rule"
+  },
+  // Port Operations
+  "network:ports:read": {
+    engine: "network",
+    rule: "get_port"
+  },
+  "network:ports:list": {
+    engine: "network",
+    rule: "get_port"
+  },
+  "network:ports:create": {
+    engine: "network",
+    rule: "create_port"
+  },
+  "network:ports:update": {
+    engine: "network",
+    rule: "update_port"
+  },
+  "network:ports:delete": {
+    engine: "network",
+    rule: "delete_port"
+  },
+  // RBAC Policy Operations
+  "network:rbac_policies:read": {
+    engine: "network",
+    rule: "get_rbac_policy"
+  },
+  "network:rbac_policies:list": {
+    engine: "network",
+    rule: "get_rbac_policy"
+  },
+  "network:rbac_policies:create": {
+    engine: "network",
+    rule: "create_rbac_policy"
+  },
+  "network:rbac_policies:update": {
+    engine: "network",
+    rule: "update_rbac_policy"
+  },
+  "network:rbac_policies:delete": {
+    engine: "network",
+    rule: "delete_rbac_policy"
+  }
+};
+var buildNetworkPermissionRouter = /* @__PURE__ */ __name((policyDir) => createPermissionRouter({
+  policyDir,
+  engines: {
+    network: {
+      fileName: "networking.json"
+    }
+  },
+  mappings: NETWORK_MAPPINGS
+}), "buildNetworkPermissionRouter");
+
 // src/server/Network/routers/index.ts
-var networkRouters = {
+var buildNetworkRouters = /* @__PURE__ */ __name((policyDir) => ({
   network: auroraRouter({
     floatingIp: floatingIpRouter,
     securityGroup: securityGroupRouter,
     securityGroupRule: securityGroupRuleRouter,
-    rbacPolicy: rbacPolicyRouter
+    rbacPolicy: rbacPolicyRouter,
+    ...buildNetworkPermissionRouter(policyDir)
   })
-};
+}), "buildNetworkRouters");
 
 // src/server/Services/types/pca.ts
-var import_zod23 = require("zod");
-var CertificateValiditySchema = import_zod23.z.object({
-  not_after: import_zod23.z.number().int(),
-  not_before: import_zod23.z.number().int().optional()
+var import_zod24 = require("zod");
+var CertificateValiditySchema = import_zod24.z.object({
+  not_after: import_zod24.z.number().int(),
+  not_before: import_zod24.z.number().int().optional()
 });
-var CertificateAuthorityCertificateSchema = import_zod23.z.object({
+var CertificateAuthorityCertificateSchema = import_zod24.z.object({
   /** PEM encoded certificate data. */
-  pem: import_zod23.z.string(),
+  pem: import_zod24.z.string(),
   validity: CertificateValiditySchema
 });
-var CertificateAuthorityCertificateChainSchema = import_zod23.z.object({
-  certificates: import_zod23.z.array(import_zod23.z.object({
-    pem: import_zod23.z.string()
+var CertificateAuthorityCertificateChainSchema = import_zod24.z.object({
+  certificates: import_zod24.z.array(import_zod24.z.object({
+    pem: import_zod24.z.string()
   })),
   /** Concatenated PEM certificates of the chain. */
-  pem: import_zod23.z.string()
+  pem: import_zod24.z.string()
 });
-var CertificateAuthorityAdditionalAttributeSchema = import_zod23.z.object({
+var CertificateAuthorityAdditionalAttributeSchema = import_zod24.z.object({
   /** ASN.1 Object Identifier of the attribute */
-  key: import_zod23.z.array(import_zod23.z.number().int()),
-  value: import_zod23.z.string()
+  key: import_zod24.z.array(import_zod24.z.number().int()),
+  value: import_zod24.z.string()
 });
-var CertificateAuthoritySubjectSchema = import_zod23.z.object({
-  additional_attribute: import_zod23.z.array(CertificateAuthorityAdditionalAttributeSchema).optional(),
+var CertificateAuthoritySubjectSchema = import_zod24.z.object({
+  additional_attribute: import_zod24.z.array(CertificateAuthorityAdditionalAttributeSchema).optional(),
   /** Typically domain name */
-  common_name: import_zod23.z.string(),
+  common_name: import_zod24.z.string(),
   /** Country codes (ISO 3166-1 alpha-2). */
-  country: import_zod23.z.array(import_zod23.z.string()).optional(),
+  country: import_zod24.z.array(import_zod24.z.string()).optional(),
   /** Locality/city names. */
-  locality: import_zod23.z.array(import_zod23.z.string()).optional(),
+  locality: import_zod24.z.array(import_zod24.z.string()).optional(),
   /** Organization names. */
-  organization: import_zod23.z.array(import_zod23.z.string()).optional(),
+  organization: import_zod24.z.array(import_zod24.z.string()).optional(),
   /** Organizational unit names. */
-  organizational_unit: import_zod23.z.array(import_zod23.z.string()).optional(),
+  organizational_unit: import_zod24.z.array(import_zod24.z.string()).optional(),
   /** Postal/ZIP codes. */
-  postal_code: import_zod23.z.array(import_zod23.z.string()).optional(),
+  postal_code: import_zod24.z.array(import_zod24.z.string()).optional(),
   /** State or province names. */
-  province: import_zod23.z.array(import_zod23.z.string()).optional(),
-  serial_number: import_zod23.z.string().optional(),
-  street_address: import_zod23.z.array(import_zod23.z.string()).optional()
+  province: import_zod24.z.array(import_zod24.z.string()).optional(),
+  serial_number: import_zod24.z.string().optional(),
+  street_address: import_zod24.z.array(import_zod24.z.string()).optional()
 });
-var CertificateAuthorityStateSchema = import_zod23.z.enum([
+var CertificateAuthorityStateSchema = import_zod24.z.enum([
   "CREATING",
   "AWAITING_CERTIFICATE",
   "READY",
   "FAILED",
   "UNEXPECTED"
 ]);
-var CertificateAuthoritySchema = import_zod23.z.object({
+var CertificateAuthoritySchema = import_zod24.z.object({
   certificate: CertificateAuthorityCertificateSchema.optional(),
   /** Details of Certificate Authority certificate's issuers chain. */
   certificate_chain: CertificateAuthorityCertificateChainSchema.optional(),
-  configuration: import_zod23.z.object({
+  configuration: import_zod24.z.object({
     /** X.509 subject of Certificate Authority. Required on create operation. */
     subject: CertificateAuthoritySubjectSchema
   }).optional(),
-  csr: import_zod23.z.string().optional(),
-  id: import_zod23.z.string(),
+  csr: import_zod24.z.string().optional(),
+  id: import_zod24.z.string(),
   /**
   * Required on import certificate operation.
   * Certificate Authority certificate chain, in PEM format. Consists of concatenated string
   * of Certificate Authority certificate, followed by its intermediate issuing CAs certificates
   * and root issuing CA certificate last.
   */
-  imported_certificate_chain: import_zod23.z.string().optional(),
+  imported_certificate_chain: import_zod24.z.string().optional(),
   /** Identifier of OpenStack project that Certificate Authority belongs. */
-  project_id: import_zod23.z.string(),
+  project_id: import_zod24.z.string(),
   /** Current operational state of Certificate Authority. */
   state: CertificateAuthorityStateSchema
 });
-var CertificateAuthoritiesListSchema = import_zod23.z.object({
-  certificate_authorities: import_zod23.z.array(CertificateAuthoritySchema)
+var CertificateAuthoritiesListSchema = import_zod24.z.object({
+  certificate_authorities: import_zod24.z.array(CertificateAuthoritySchema)
 });
-var CertificateAuthorityCreateSchema = import_zod23.z.object({
-  configuration: import_zod23.z.object({
+var CertificateAuthorityCreateSchema = import_zod24.z.object({
+  configuration: import_zod24.z.object({
     subject: CertificateAuthoritySubjectSchema
   })
 });
-var CertificateAuthorityIdInputSchema = import_zod23.z.object({
-  project_id: import_zod23.z.string(),
-  certificate_authority_id: import_zod23.z.string().min(1)
+var CertificateAuthorityIdInputSchema = import_zod24.z.object({
+  project_id: import_zod24.z.string(),
+  certificate_authority_id: import_zod24.z.string().min(1)
 });
 var CertificateAuthorityImportInputSchema = CertificateAuthorityIdInputSchema.extend({
-  imported_certificate_chain: import_zod23.z.string().min(1)
+  imported_certificate_chain: import_zod24.z.string().min(1)
 });
 var CertificateIdInputSchema = CertificateAuthorityIdInputSchema.extend({
-  certificate_id: import_zod23.z.string().min(1)
+  certificate_id: import_zod24.z.string().min(1)
 });
-var CertificateConfigurationSchema = import_zod23.z.object({
+var CertificateConfigurationSchema = import_zod24.z.object({
   validity: CertificateValiditySchema
 });
-var CreateCertificateInputSchema = import_zod23.z.object({
-  project_id: import_zod23.z.string(),
-  certificate_authority_id: import_zod23.z.string().min(1),
-  csr: import_zod23.z.string().min(1),
+var CreateCertificateInputSchema = import_zod24.z.object({
+  project_id: import_zod24.z.string(),
+  certificate_authority_id: import_zod24.z.string().min(1),
+  csr: import_zod24.z.string().min(1),
   configuration: CertificateConfigurationSchema
 });
-var CertificateSchema = import_zod23.z.object({
+var CertificateSchema = import_zod24.z.object({
   certificate: CertificateAuthorityCertificateSchema.optional(),
-  certificate_authority_id: import_zod23.z.string(),
+  certificate_authority_id: import_zod24.z.string(),
   certificate_chain: CertificateAuthorityCertificateChainSchema.optional(),
   configuration: CertificateConfigurationSchema.optional(),
-  csr: import_zod23.z.string().optional(),
-  id: import_zod23.z.string(),
-  project_id: import_zod23.z.string()
+  csr: import_zod24.z.string().optional(),
+  id: import_zod24.z.string(),
+  project_id: import_zod24.z.string()
 });
-var CertificatesListSchema = import_zod23.z.object({
-  certificates: import_zod23.z.array(CertificateSchema)
+var CertificatesListSchema = import_zod24.z.object({
+  certificates: import_zod24.z.array(CertificateSchema)
 });
 
 // src/server/Services/routers/pcaRouter.ts
@@ -36312,10 +36961,10 @@ var serviceRouters = {
 };
 
 // src/server/routers.ts
-var buildAppRouter = /* @__PURE__ */ __name((policyDir) => mergeRouters(auroraRouter(authRouters), auroraRouter(buildComputeRouters(policyDir)), auroraRouter(objectStorageRouters), auroraRouter(projectRouters), auroraRouter(networkRouters), auroraRouter(serviceRouters)), "buildAppRouter");
+var buildAppRouter = /* @__PURE__ */ __name((policyDir) => mergeRouters(auroraRouter(authRouters), auroraRouter(buildComputeRouters(policyDir)), auroraRouter(buildObjectStorageRouters(policyDir)), auroraRouter(projectRouters), auroraRouter(buildNetworkRouters(policyDir)), auroraRouter(serviceRouters)), "buildAppRouter");
 
 // src/server/context.ts
-var import_signal_openstack = __toESM(require_esm2());
+var import_signal_openstack2 = __toESM(require_esm2());
 
 // src/server/sessionCookie.ts
 var import_cookie = require("@fastify/cookie");
@@ -36416,7 +37065,7 @@ async function createContext(opts, config) {
     writable: false
   });
   if (currentAuthToken) {
-    openstackSession = await (0, import_signal_openstack.SignalOpenstackSession)(normalizedEndpoint, {
+    openstackSession = await (0, import_signal_openstack2.SignalOpenstackSession)(normalizedEndpoint, {
       auth: {
         identity: {
           methods: [
@@ -36479,7 +37128,7 @@ async function createContext(opts, config) {
     }
   }, "getUserInfo");
   const createSession = /* @__PURE__ */ __name(async (params) => {
-    openstackSession = await (0, import_signal_openstack.SignalOpenstackSession)(normalizedEndpoint, {
+    openstackSession = await (0, import_signal_openstack2.SignalOpenstackSession)(normalizedEndpoint, {
       auth: {
         identity: {
           methods: [
@@ -36624,7 +37273,7 @@ __name(createContext, "createContext");
 // src/server/server.ts
 var import_path2 = __toESM(require("path"));
 var import_node_stream3 = require("stream");
-var import_zod24 = require("zod");
+var import_zod25 = require("zod");
 
 // src/server/aurora-fastify-plugins/csrfProtection.ts
 var import_csrf_protection = __toESM(require("@fastify/csrf-protection"));
@@ -36693,7 +37342,195 @@ var csrfProtection_default = (0, import_fastify_plugin.default)(csrfPlugin, {
   fastify: "5.x"
 });
 
+// src/server/aurora-fastify-plugins/httpMetricsCollector.ts
+var import_fastify_plugin2 = __toESM(require("fastify-plugin"));
+var import_prom_client = require("prom-client");
+var LABEL_NAMES = [
+  "status_code",
+  "method",
+  "route",
+  "endpoint_type",
+  "project_id"
+];
+var EXCLUDE_PATHS = [
+  "/metrics"
+];
+async function httpMetricsCollectorPlugin(fastify, options) {
+  const prefix = options.prefix || "aurora";
+  const excludePaths = options.excludePaths || EXCLUDE_PATHS;
+  const registry = options.registry || new import_prom_client.Registry();
+  const bffEndpoint = options.bffEndpoint || "/polaris-bff";
+  const requestsTotal = new import_prom_client.Counter({
+    name: `${prefix}_requests_total`,
+    help: "The total number of HTTP requests handled by the application",
+    labelNames: LABEL_NAMES,
+    registers: [
+      registry
+    ]
+  });
+  const requestDurationSeconds = new import_prom_client.Histogram({
+    name: `${prefix}_request_duration_seconds`,
+    help: "The HTTP response duration of the application",
+    labelNames: LABEL_NAMES,
+    registers: [
+      registry
+    ]
+  });
+  const exceptionsTotal = new import_prom_client.Counter({
+    name: `${prefix}_exceptions_total`,
+    help: "The total number of exceptions raised by the application",
+    labelNames: [
+      "exception"
+    ],
+    registers: [
+      registry
+    ]
+  });
+  fastify.addHook("onRequest", async (request) => {
+    request.metricsStartTime = process.hrtime.bigint();
+  });
+  fastify.addHook("onResponse", async (request, reply) => {
+    const path3 = request.url.split("?")[0];
+    if (excludePaths.some((excludePath) => path3.startsWith(excludePath))) {
+      return;
+    }
+    if (!request.metricsStartTime) {
+      fastify.log.debug({
+        url: request.url
+      }, "Metrics start time missing, skipping metric collection");
+      return;
+    }
+    const endTime = process.hrtime.bigint();
+    const duration = Number(endTime - request.metricsStartTime) / 1e9;
+    const labels = extractLabels(request, reply, bffEndpoint);
+    try {
+      requestsTotal.inc(labels);
+      requestDurationSeconds.observe(labels, duration);
+    } catch (error) {
+      fastify.log.error({
+        err: error
+      }, "Failed to record HTTP metrics");
+    }
+  });
+  fastify.addHook("onError", async (_request, _reply, error) => {
+    try {
+      exceptionsTotal.inc({
+        exception: error.constructor.name
+      });
+    } catch (err) {
+      fastify.log.error({
+        err
+      }, "Failed to record exception metric");
+    }
+  });
+  fastify.decorate("metricsRegistry", registry);
+}
+__name(httpMetricsCollectorPlugin, "httpMetricsCollectorPlugin");
+function extractLabels(request, reply, bffEndpoint) {
+  const urlPath = request.url.split("?")[0];
+  let endpointType;
+  let route = urlPath;
+  let projectId = "";
+  if (urlPath.includes(bffEndpoint)) {
+    endpointType = "trpc";
+    const procedurePath = urlPath.split(bffEndpoint + "/")[1];
+    if (procedurePath) {
+      const cleanPath = procedurePath.split("?")[0];
+      const parts = cleanPath.split(".");
+      if (parts.length >= 2) {
+        const service = parts[0];
+        const action = parts.slice(1).join(".");
+        route = `${service}/${action}`;
+      } else {
+        route = cleanPath;
+      }
+    }
+    const url = new URL(request.url, "http://localhost");
+    const inputParam = url.searchParams.get("input");
+    if (inputParam) {
+      try {
+        const input = JSON.parse(inputParam);
+        if (input.project_id) {
+          projectId = input.project_id;
+        } else if (typeof input === "object") {
+          const firstKey = Object.keys(input)[0];
+          if (firstKey && input[firstKey]?.project_id) {
+            projectId = input[firstKey].project_id;
+          }
+        }
+      } catch {
+      }
+    }
+  } else if (urlPath.startsWith("/api/")) {
+    endpointType = "api";
+    route = normalizeApiPath(urlPath);
+  } else if (urlPath.startsWith("/@")) {
+    endpointType = "vite-dev";
+    route = "vite-dev";
+  } else if (urlPath.match(/\.(js|jsx|ts|tsx|mjs|css|json|map)$/)) {
+    endpointType = "module";
+    const ext = urlPath.split(".").pop() || "unknown";
+    route = `*.${ext}`;
+  } else if (urlPath.match(/\.(png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot|ico|webp)$/)) {
+    endpointType = "asset";
+    const ext = urlPath.split(".").pop() || "unknown";
+    route = `*.${ext}`;
+  } else if (urlPath === "/" || urlPath === "/index.html") {
+    endpointType = "spa";
+    route = "/";
+  } else {
+    endpointType = "spa";
+    route = normalizeSpaRoute(urlPath);
+    const projectMatch = urlPath.match(/^\/projects\/([^/?]+)/);
+    if (projectMatch) {
+      projectId = projectMatch[1];
+    }
+  }
+  return {
+    status_code: reply.statusCode.toString(),
+    method: request.method.toLowerCase(),
+    route,
+    endpoint_type: endpointType,
+    project_id: projectId
+  };
+}
+__name(extractLabels, "extractLabels");
+function normalizeSpaRoute(path3) {
+  const segments = path3.split("/").filter(Boolean);
+  if (segments[0] === "projects" && segments.length >= 3) {
+    const service = segments[2];
+    return `/projects/:id/${service}`;
+  }
+  if (segments[0] === "accounts" && segments.length >= 2) {
+    return "/accounts/:id";
+  }
+  return "/" + segments.map((segment) => {
+    if (segment.match(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i)) {
+      return ":id";
+    }
+    if (segment.match(/^[a-zA-Z0-9_-]{20,}$/)) {
+      return ":id";
+    }
+    return segment;
+  }).join("/");
+}
+__name(normalizeSpaRoute, "normalizeSpaRoute");
+function normalizeApiPath(path3) {
+  return path3.split("/").map((segment) => {
+    if (segment.match(/^\d+$/) || segment.match(/^[0-9a-f-]{36}$/i)) {
+      return ":id";
+    }
+    return segment;
+  }).join("/");
+}
+__name(normalizeApiPath, "normalizeApiPath");
+var AuroraHttpMetricsCollector = (0, import_fastify_plugin2.default)(httpMetricsCollectorPlugin, {
+  name: "aurora-http-metrics-collector",
+  fastify: "5.x"
+});
+
 // src/server/server.ts
+var import_prom_client2 = require("prom-client");
 async function createServer(config) {
   const isProduction = process.env.NODE_ENV === "production";
   const rawBffEndpoint = config.bffEndpoint ?? "/polaris-bff";
@@ -36722,6 +37559,19 @@ async function createServer(config) {
   server.register(import_cookie2.default, {
     secret: void 0
   });
+  const metricsRegistry = new import_prom_client2.Registry();
+  await server.register(AuroraHttpMetricsCollector, {
+    prefix: "aurora",
+    excludePaths: [
+      "/metrics"
+    ],
+    registry: metricsRegistry,
+    bffEndpoint
+  });
+  server.get("/metrics", async (_request, reply) => {
+    reply.header("Content-Type", metricsRegistry.contentType);
+    return reply.send(await metricsRegistry.metrics());
+  });
   await server.register(import_rate_limit.default, {
     max: 200,
     timeWindow: "1 minute"
@@ -36832,7 +37682,7 @@ async function createServer(config) {
       router: appRouter,
       createContext: /* @__PURE__ */ __name((opts) => createContext(opts, contextConfig), "createContext"),
       onError: /* @__PURE__ */ __name((err) => {
-        if (err.error.cause instanceof import_zod24.ZodError) err.error.message = err.error.cause.issues.map((e) => e.message).join(",");
+        if (err.error.cause instanceof import_zod25.ZodError) err.error.message = err.error.cause.issues.map((e) => e.message).join(",");
       }, "onError")
     }
   });