@highstate/common 0.14.2 → 0.16.0

package/dist/{chunk-WFWXDYUX.js → chunk-X5BK6JSN.js}

@@ -1,11 +1,11 @@
+import { z, check, getOrCreate, HighstateSignature, stripNullish } from '@highstate/contract';
+import { network, metadataSchema } from '@highstate/library';
 import { ComponentResource, Resource, toPromise, getImportBaseUrl, output, interpolate, normalizeInputsAndMap, normalizeInputs, asset, fileFromString, secret } from '@highstate/pulumi';
-import { uniqueBy, flat, groupBy } from 'remeda';
+import { pipe, filter, isNonNullish, map, uniqueBy, omit, flat } from 'remeda';
 import { homedir, tmpdir } from 'node:os';
 import { sha256 } from '@noble/hashes/sha2';
 import { local, remote } from '@pulumi/command';
 import { resolve } from 'import-meta-resolve';
-import { z, getOrCreate, HighstateSignature, stripNullish } from '@highstate/contract';
-import { network } from '@highstate/library';
 import { createHash } from 'node:crypto';
 import { createReadStream } from 'node:fs';
 import { mkdtemp, writeFile, cp, rm, stat, rename, mkdir } from 'node:fs/promises';
@@ -19,188 +19,629 @@ import { randomBytes, bytesToHex } from '@noble/hashes/utils.js';
 import { secureMask } from 'micro-key-producer/password.js';
 import getKeys, { PrivateExport } from 'micro-key-producer/ssh.js';
 import { randomBytes as randomBytes$1 } from 'micro-key-producer/utils.js';
+import { compile } from 'filter-expression';
 
-// src/shared/network.ts
+// src/shared/network/address.ts
+
+// src/shared/network/ip.ts
+function parseIp(value) {
+  if (value.includes(":")) {
+    return { type: "ipv6", value: parseIpv6(value) };
+  }
+  return { type: "ipv4", value: parseIpv4(value) };
+}
+function parseCidr(value) {
+  const [ipPart, prefixPart, ...rest] = value.split("/");
+  if (!ipPart || !prefixPart || rest.length > 0) {
+    throw new Error(`Invalid CIDR: "${value}"`);
+  }
+  const parsedIp = parseIp(ipPart.trim());
+  const prefix = parseInt(prefixPart.trim(), 10);
+  if (!Number.isFinite(prefix)) {
+    throw new Error(`Invalid CIDR prefix: "${value}"`);
+  }
+  const bits = parsedIp.type === "ipv4" ? 32 : 128;
+  if (prefix < 0 || prefix > bits) {
+    throw new Error(`Invalid CIDR prefix length: "${value}"`);
+  }
+  return { type: parsedIp.type, ip: parsedIp.value, prefixLength: prefix };
+}
+function subnetBaseFromCidr(parsed) {
+  const bits = parsed.type === "ipv4" ? 32 : 128;
+  if (parsed.prefixLength === 0) {
+    return 0n;
+  }
+  const mask = (1n << BigInt(parsed.prefixLength)) - 1n << BigInt(bits - parsed.prefixLength);
+  return parsed.ip & mask;
+}
+function cidrBlockSize(type, prefixLength) {
+  const bits = type === "ipv4" ? 32 : 128;
+  return 1n << BigInt(bits - prefixLength);
+}
+function ipToString(type, value) {
+  return type === "ipv4" ? ipv4ToString(value) : ipv6ToString(value);
+}
+function parseIpv4(value) {
+  const parts = value.trim().split(".");
+  if (parts.length !== 4) {
+    throw new Error(`Invalid IPv4 address: "${value}"`);
+  }
+  let result = 0n;
+  for (const part of parts) {
+    if (!part) {
+      throw new Error(`Invalid IPv4 address: "${value}"`);
+    }
+    const octet = parseInt(part, 10);
+    if (!Number.isInteger(octet) || octet < 0 || octet > 255) {
+      throw new Error(`Invalid IPv4 address: "${value}"`);
+    }
+    result = (result << 8n) + BigInt(octet);
+  }
+  return result;
+}
+function parseIpv6(value) {
+  const input = value.trim().toLowerCase();
+  if (!input) {
+    throw new Error(`Invalid IPv6 address: "${value}"`);
+  }
+  let leftParts = [];
+  let rightParts = [];
+  const doubleColonIndex = input.indexOf("::");
+  if (doubleColonIndex >= 0) {
+    const [left, right] = input.split("::");
+    leftParts = left ? left.split(":") : [];
+    rightParts = right ? right.split(":") : [];
+  } else {
+    leftParts = input.split(":");
+    rightParts = [];
+  }
+  const expandIpv4Tail = (parts2) => {
+    if (parts2.length === 0) return parts2;
+    const last = parts2.at(-1);
+    if (!last.includes(".")) {
+      return parts2;
+    }
+    const ipv4Value = parseIpv4(last);
+    const high = Number(ipv4Value >> 16n & 0xffffn);
+    const low = Number(ipv4Value & 0xffffn);
+    return [...parts2.slice(0, -1), high.toString(16), low.toString(16)];
+  };
+  leftParts = leftParts.filter((p) => p.length > 0);
+  rightParts = rightParts.filter((p) => p.length > 0);
+  leftParts = expandIpv4Tail(leftParts);
+  rightParts = expandIpv4Tail(rightParts);
+  const totalParts = leftParts.length + rightParts.length;
+  if (doubleColonIndex < 0 && totalParts !== 8) {
+    throw new Error(`Invalid IPv6 address: "${value}"`);
+  }
+  if (totalParts > 8) {
+    throw new Error(`Invalid IPv6 address: "${value}"`);
+  }
+  const missing = 8 - totalParts;
+  const parts = doubleColonIndex >= 0 ? [...leftParts, ...Array.from({ length: missing }, () => "0"), ...rightParts] : leftParts;
+  if (parts.length !== 8) {
+    throw new Error(`Invalid IPv6 address: "${value}"`);
+  }
+  let result = 0n;
+  for (const part of parts) {
+    if (!part) {
+      throw new Error(`Invalid IPv6 address: "${value}"`);
+    }
+    const hextet = parseInt(part, 16);
+    if (!Number.isInteger(hextet) || hextet < 0 || hextet > 65535) {
+      throw new Error(`Invalid IPv6 address: "${value}"`);
+    }
+    result = (result << 16n) + BigInt(hextet);
+  }
+  return result;
+}
+function ipv4ToString(value) {
+  const parts = [
+    Number(value >> 24n & 0xffn),
+    Number(value >> 16n & 0xffn),
+    Number(value >> 8n & 0xffn),
+    Number(value & 0xffn)
+  ];
+  return parts.join(".");
+}
+function ipv6ToString(value) {
+  const hextets = [];
+  for (let i = 0; i < 8; i++) {
+    const shift = BigInt((7 - i) * 16);
+    hextets.push(Number(value >> shift & 0xffffn));
+  }
+  let bestStart = -1;
+  let bestLength = 0;
+  let currentStart = -1;
+  let currentLength = 0;
+  for (let i = 0; i < hextets.length; i++) {
+    if (hextets[i] === 0) {
+      if (currentStart === -1) {
+        currentStart = i;
+        currentLength = 1;
+      } else {
+        currentLength++;
+      }
+      if (currentLength > bestLength) {
+        bestStart = currentStart;
+        bestLength = currentLength;
+      }
+    } else {
+      currentStart = -1;
+      currentLength = 0;
+    }
+  }
+  if (bestLength < 2) {
+    bestStart = -1;
+    bestLength = 0;
+  }
+  const parts = [];
+  for (let i = 0; i < hextets.length; i++) {
+    if (bestStart >= 0 && i >= bestStart && i < bestStart + bestLength) {
+      if (i === bestStart) {
+        parts.push("");
+      }
+      continue;
+    }
+    parts.push(hextets[i].toString(16));
+  }
+  let result = parts.join(":");
+  if (bestStart === 0) {
+    result = `:${result}`;
+  }
+  if (bestStart >= 0 && bestStart + bestLength === 8) {
+    result = `${result}:`;
+  }
+  if (result === "") {
+    return "::";
+  }
+  return result.replace(/:{3,}/g, "::");
+}
+
+// src/shared/network/address.ts
+function parseAddress(address) {
+  if (check(network.addressEntity.schema, address)) {
+    return address;
+  }
+  const input = address.trim();
+  if (!input) {
+    throw new Error("Empty address string");
+  }
+  const parsed = input.includes("/") ? parseCidr(input) : parseCidrFromIp(input);
+  const canonicalAddress = ipToString(parsed.type, parsed.ip);
+  const subnetBase = subnetBaseFromCidr(parsed);
+  const subnetBaseAddress = ipToString(parsed.type, subnetBase);
+  const result = {
+    type: parsed.type,
+    value: canonicalAddress,
+    subnet: {
+      type: parsed.type,
+      baseAddress: subnetBaseAddress,
+      prefixLength: parsed.prefixLength
+    }
+  };
+  const validated = network.addressEntity.schema.safeParse(result);
+  if (!validated.success) {
+    throw new Error(`Invalid address "${input}": ${validated.error.message}`);
+  }
+  return validated.data;
+}
+function addressToCidr(address) {
+  return `${address.value}/${address.subnet.prefixLength}`;
+}
+function doesAddressBelongToSubnet(address, subnet) {
+  if (address.type !== subnet.type) {
+    return false;
+  }
+  const addressIp = parseIp(address.value);
+  const subnetBaseIp = parseIp(subnet.baseAddress);
+  if (addressIp.type !== subnet.type || subnetBaseIp.type !== subnet.type) {
+    return false;
+  }
+  const bits = subnet.type === "ipv4" ? 32 : 128;
+  if (subnet.prefixLength === 0) {
+    return true;
+  }
+  const mask = (1n << BigInt(subnet.prefixLength)) - 1n << BigInt(bits - subnet.prefixLength);
+  return (addressIp.value & mask) === (subnetBaseIp.value & mask);
+}
+function mergeAddresses(addresses) {
+  const mergedMap = /* @__PURE__ */ new Map();
+  for (const address of addresses) {
+    mergedMap.set(addressToCidr(address), address);
+  }
+  return Array.from(mergedMap.values());
+}
+function parseCidrFromIp(value) {
+  const parsed = parseIp(value);
+  const prefixLength = parsed.type === "ipv4" ? 32 : 128;
+  return {
+    type: parsed.type,
+    ip: parsed.value,
+    prefixLength
+  };
+}
+function parseSubnet(subnet) {
+  if (check(network.subnetEntity.schema, subnet)) {
+    return subnet;
+  }
+  if (check(network.addressEntity.schema, subnet)) {
+    const prefixLength = subnet.type === "ipv4" ? 32 : 128;
+    const result2 = {
+      type: subnet.type,
+      baseAddress: subnet.value,
+      prefixLength
+    };
+    const validated2 = network.subnetEntity.schema.safeParse(result2);
+    if (!validated2.success) {
+      throw new Error(
+        `Invalid subnet "${subnet.value}/${prefixLength}": ${validated2.error.message}`
+      );
+    }
+    return validated2.data;
+  }
+  const input = subnet.trim();
+  if (!input) {
+    throw new Error("Empty subnet string");
+  }
+  let parsed;
+  if (input.includes("/")) {
+    parsed = parseCidr(input);
+  } else {
+    const ip = parseIp(input);
+    const prefixLength = ip.type === "ipv4" ? 32 : 128;
+    parsed = { type: ip.type, ip: ip.value, prefixLength };
+  }
+  const subnetBase = subnetBaseFromCidr(parsed);
+  const baseAddress = ipToString(parsed.type, subnetBase);
+  const result = {
+    type: parsed.type,
+    baseAddress,
+    prefixLength: parsed.prefixLength
+  };
+  const validated = network.subnetEntity.schema.safeParse(result);
+  if (!validated.success) {
+    throw new Error(`Invalid subnet "${input}": ${validated.error.message}`);
+  }
+  return validated.data;
+}
+var privateIpV4Subnets = [
+  parseSubnet("10.0.0.0/8"),
+  parseSubnet("127.0.0.0/8"),
+  parseSubnet("172.16.0.0/12"),
+  parseSubnet("192.168.0.0/16")
+];
+var privateIpV6Subnets = [
+  parseSubnet("fc00::/7"),
+  // IPv4-mapped private ranges.
+  parseSubnet("::ffff:10.0.0.0/104"),
+  parseSubnet("::ffff:127.0.0.0/104"),
+  parseSubnet("::ffff:172.16.0.0/108"),
+  parseSubnet("::ffff:192.168.0.0/112")
+];
+var privateSubnets = [...privateIpV4Subnets, ...privateIpV6Subnets];
+function isPrivateAddress(address) {
+  for (const subnet of privateSubnets) {
+    if (doesAddressBelongToSubnet(address, subnet)) {
+      return true;
+    }
+  }
+  return false;
+}
+async function parseSubnets(subnets, inputSubnets) {
+  const resolvedInputSubnets = await toPromise(inputSubnets ?? []);
+  return pipe(
+    [...subnets ?? [], ...resolvedInputSubnets],
+    filter(isNonNullish),
+    map((subnet) => parseSubnet(subnet)),
+    uniqueBy((subnet) => subnetToString(subnet))
+  );
+}
+function subnetToString(subnet) {
+  return `${subnet.baseAddress}/${subnet.prefixLength}`;
+}
 function l3EndpointToString(l3Endpoint) {
   switch (l3Endpoint.type) {
     case "ipv4":
-      return l3Endpoint.address;
+      return l3Endpoint.address.value;
     case "ipv6":
-      return l3Endpoint.address;
+      return l3Endpoint.address.value;
     case "hostname":
       return l3Endpoint.hostname;
   }
 }
 function l4EndpointToString(l4Endpoint) {
-  if (l4Endpoint.type === "ipv6") {
-    return `[${l4Endpoint.address}]:${l4Endpoint.port}`;
-  }
-  return `${l3EndpointToString(l4Endpoint)}:${l4Endpoint.port}`;
+  const host = l3EndpointToString(l4Endpoint);
+  const wrappedHost = l4Endpoint.type === "ipv6" ? `[${host}]` : host;
+  return `${wrappedHost}:${l4Endpoint.port}`;
 }
-function l4EndpointWithProtocolToString(l4Endpoint) {
+function l4EndpointToFullString(l4Endpoint) {
   const protocol = `${l4Endpoint.protocol}://`;
   return `${protocol}${l4EndpointToString(l4Endpoint)}`;
 }
 function l7EndpointToString(l7Endpoint) {
   const protocol = `${l7Endpoint.appProtocol}://`;
   let endpoint = l4EndpointToString(l7Endpoint);
-  if (l7Endpoint.resource) {
-    endpoint += `/${l7Endpoint.resource}`;
+  if (l7Endpoint.path) {
+    endpoint += `/${l7Endpoint.path}`;
   }
   return `${protocol}${endpoint}`;
 }
-function l34EndpointToString(l34Endpoint) {
-  if (l34Endpoint.port) {
-    return l4EndpointToString(l34Endpoint);
+function endpointToString(endpoint) {
+  switch (endpoint.level) {
+    case 3:
+      return l3EndpointToString(endpoint);
+    case 4:
+      return l4EndpointToString(endpoint);
+    case 7:
+      return l7EndpointToString(endpoint);
   }
-  return l3EndpointToString(l34Endpoint);
 }
-var L34_ENDPOINT_RE = /^(?:(?<protocol>[a-z]+):\/\/)?(?:(?:\[?(?<ipv6>[0-9A-Fa-f:]+)\]?)|(?<ipv4>(?:\d{1,3}\.){3}\d{1,3})|(?<hostname>[a-zA-Z0-9-*]+(?:\.[a-zA-Z0-9-*]+)*))(?::(?<port>\d{1,5}))?$/;
-var L7_ENDPOINT_RE = /^(?<appProtocol>[a-z]+):\/\/(?:(?:\[?(?<ipv6>[0-9A-Fa-f:]+)\]?)|(?<ipv4>(?:\d{1,3}\.){3}\d{1,3})|(?<hostname>[a-zA-Z0-9-*]+(?:\.[a-zA-Z0-9-*]+)*))(?::(?<port>\d{1,5}))?(?:\/(?<resource>.*))?$/;
-function parseL34Endpoint(l34Endpoint) {
-  if (typeof l34Endpoint === "object") {
-    return l34Endpoint;
-  }
-  const match = l34Endpoint.match(L34_ENDPOINT_RE);
-  if (!match) {
-    throw new Error(`Invalid L3/L4 endpoint: "${l34Endpoint}"`);
-  }
-  const { protocol, ipv6, ipv4, hostname, port } = match.groups;
-  if (protocol && protocol !== "tcp" && protocol !== "udp") {
-    throw new Error(`Invalid L4 endpoint protocol: "${protocol}"`);
-  }
-  let visibility = "public";
-  if (ipv4 && IPV4_PRIVATE_REGEX.test(ipv4)) {
-    visibility = "external";
-  } else if (ipv6 && IPV6_PRIVATE_REGEX.test(ipv6)) {
-    visibility = "external";
-  }
-  const fallbackProtocol = port ? "tcp" : void 0;
-  return {
-    type: ipv6 ? "ipv6" : ipv4 ? "ipv4" : "hostname",
-    visibility,
-    address: ipv6 || ipv4,
-    hostname,
-    port: port ? parseInt(port, 10) : void 0,
-    protocol: protocol ? protocol : fallbackProtocol
-  };
+function checkEndpointLevel(endpoint, minLevel) {
+  return endpoint.level >= minLevel;
 }
-function parseL3Endpoint(l3Endpoint) {
-  if (typeof l3Endpoint === "object") {
-    return l3Endpoint;
-  }
-  const parsed = parseL34Endpoint(l3Endpoint);
-  if (parsed.port) {
-    throw new Error(`Port cannot be specified in L3 endpoint: "${l3Endpoint}"`);
+function assertEndpointLevel(endpoint, minLevel) {
+  if (!checkEndpointLevel(endpoint, minLevel)) {
+    throw new Error(
+      `The endpoint "${endpointToString(endpoint)}" is L${endpoint.level}, but L${minLevel} is required`
+    );
   }
-  return parsed;
 }
-function parseL4Endpoint(l4Endpoint) {
-  if (typeof l4Endpoint === "object") {
-    return l4Endpoint;
-  }
-  const parsed = parseL34Endpoint(l4Endpoint);
-  if (!parsed.port) {
-    throw new Error(`No port found in L4 endpoint: "${l4Endpoint}"`);
+function parseEndpoint(endpoint, minLevel = 3) {
+  function validateEndpoint(value) {
+    const schema = value.level === 7 ? network.l7EndpointEntity.schema : value.level === 4 ? network.l4EndpointEntity.schema : network.l3EndpointEntity.schema;
+    const result = schema.safeParse(value);
+    if (!result.success) {
+      throw new Error(`Invalid endpoint "${endpointToString(value)}": ${result.error.message}`);
+    }
+    return value;
   }
-  return parsed;
-}
-var IPV4_PRIVATE_REGEX = /^(?:10|127)(?:\.\d{1,3}){3}$|^(?:172\.1[6-9]|172\.2[0-9]|172\.3[0-1])(?:\.\d{1,3}){2}$|^(?:192\.168)(?:\.\d{1,3}){2}$/;
-var IPV6_PRIVATE_REGEX = /^(?:fc|fd)(?:[0-9a-f]{2}){0,2}::(?:[0-9a-f]{1,4}:){7}[0-9a-f]{1,4}$|^::(?:ffff:(?:10|127)(?:\.\d{1,3}){3}|(?:172\.1[6-9]|172\.2[0-9]|172\.3[0-1])(?:\.\d{1,3}){2}|(?:192\.168)(?:\.\d{1,3}){2})$/;
-async function requireInputL3Endpoint(rawEndpoint, inputEndpoint) {
-  if (rawEndpoint) {
-    return parseL3Endpoint(rawEndpoint);
+  function parseHostToL3(host) {
+    const trimmed = host.trim();
+    if (!trimmed) {
+      throw new Error("Empty endpoint host");
+    }
+    try {
+      const address = parseAddress(trimmed);
+      return {
+        type: address.type,
+        level: 3,
+        metadata: extractMetadata(address),
+        address,
+        subnet: address.subnet
+      };
+    } catch {
+      return {
+        type: "hostname",
+        level: 3,
+        hostname: trimmed,
+        metadata: {}
+      };
+    }
   }
-  if (inputEndpoint) {
-    return toPromise(inputEndpoint);
+  function splitHostPort(input) {
+    const trimmed = input.trim();
+    if (!trimmed) {
+      throw new Error("Empty endpoint");
+    }
+    if (trimmed.startsWith("[")) {
+      const closingIndex = trimmed.indexOf("]");
+      if (closingIndex === -1) {
+        throw new Error(`Invalid endpoint: "${input}"`);
+      }
+      const host2 = trimmed.slice(1, closingIndex);
+      const remainder = trimmed.slice(closingIndex + 1);
+      if (!remainder) {
+        return { host: host2 };
+      }
+      if (!remainder.startsWith(":")) {
+        throw new Error(`Invalid endpoint: "${input}"`);
+      }
+      const portString2 = remainder.slice(1);
+      if (!/^\d{1,5}$/.test(portString2)) {
+        throw new Error(`Invalid endpoint port: "${portString2}"`);
+      }
+      return { host: host2, port: parseInt(portString2, 10) };
+    }
+    const lastColonIndex = trimmed.lastIndexOf(":");
+    if (lastColonIndex === -1) {
+      return { host: trimmed };
+    }
+    if (trimmed.includes(":")) {
+      const firstColonIndex = trimmed.indexOf(":");
+      if (firstColonIndex !== lastColonIndex) {
+        return { host: trimmed };
+      }
+    }
+    const host = trimmed.slice(0, lastColonIndex);
+    const portString = trimmed.slice(lastColonIndex + 1);
+    if (!/^\d{1,5}$/.test(portString)) {
+      return { host: trimmed };
+    }
+    return { host, port: parseInt(portString, 10) };
+  }
+  if (check(network.l3EndpointEntity.schema, endpoint)) {
+    assertEndpointLevel(endpoint, minLevel);
+    return endpoint;
+  }
+  if (check(network.addressEntity.schema, endpoint)) {
+    const address = endpoint;
+    const built = {
+      type: address.type,
+      level: 3,
+      metadata: extractMetadata(address),
+      address,
+      subnet: address.subnet
+    };
+    const withDynamic2 = syncDynamic(built);
+    const validated2 = validateEndpoint(withDynamic2);
+    assertEndpointLevel(validated2, minLevel);
+    return validated2;
+  }
+  if (typeof endpoint !== "string") {
+    throw new Error("Invalid endpoint");
+  }
+  const endpointString = endpoint;
+  let builtEndpoint;
+  const schemeMatch = /^([a-z]+):\/\/(.*)$/.exec(endpointString);
+  if (schemeMatch) {
+    const appProtocol = schemeMatch[1];
+    const rest = schemeMatch[2];
+    const pathIndex = rest.indexOf("/");
+    const hostPortPart = pathIndex === -1 ? rest : rest.slice(0, pathIndex);
+    const path = pathIndex === -1 ? void 0 : rest.slice(pathIndex + 1);
+    const udpAppProtocols = ["dns", "dhcp"];
+    const { host, port } = splitHostPort(hostPortPart);
+    const l3Base = parseHostToL3(host);
+    const portNumber = port ?? 443;
+    const protocol = udpAppProtocols.includes(appProtocol) ? "udp" : "tcp";
+    builtEndpoint = l3Base.type === "hostname" ? {
+      ...l3Base,
+      level: 7,
+      port: portNumber,
+      protocol,
+      appProtocol,
+      path: path || void 0
+    } : {
+      ...l3Base,
+      level: 7,
+      port: portNumber,
+      protocol,
+      appProtocol,
+      path: path || void 0
+    };
+  } else {
+    const { host, port } = splitHostPort(endpointString);
+    const l3Base = parseHostToL3(host);
+    if (port !== void 0) {
+      builtEndpoint = l3Base.type === "hostname" ? {
+        ...l3Base,
+        level: 4,
+        port,
+        protocol: "tcp"
+      } : {
+        ...l3Base,
+        level: 4,
+        port,
+        protocol: "tcp"
+      };
+    } else {
+      builtEndpoint = l3Base;
+    }
   }
-  throw new Error("No endpoint provided");
+  const withDynamic = syncDynamic(builtEndpoint);
+  const validated = validateEndpoint(withDynamic);
+  assertEndpointLevel(validated, minLevel);
+  return validated;
 }
-async function requireInputL4Endpoint(rawEndpoint, inputEndpoint) {
-  if (rawEndpoint) {
-    return parseL4Endpoint(rawEndpoint);
-  }
-  if (inputEndpoint) {
-    return toPromise(inputEndpoint);
+function parseL4Protocol(input) {
+  input = input.trim().toLowerCase();
+  if (input === "tcp" || input === "udp") {
+    return input;
   }
-  throw new Error("No endpoint provided");
+  throw new Error(`Invalid L4 protocol: "${input}"`);
 }
 function l3EndpointToL4(l3Endpoint, port, protocol = "tcp") {
+  const parsed = parseEndpoint(l3Endpoint);
   return {
-    ...parseL3Endpoint(l3Endpoint),
+    ...parsed,
+    level: 4,
     port,
     protocol
   };
 }
-function filterEndpoints(endpoints, filter, types) {
-  if (filter?.length) {
-    endpoints = endpoints.filter((endpoint) => filter.includes(endpoint.visibility));
-  } else if (endpoints.some((endpoint) => endpoint.visibility === "public")) {
-    endpoints = endpoints.filter((endpoint) => endpoint.visibility === "public");
-  } else if (endpoints.some((endpoint) => endpoint.visibility === "external")) {
-    endpoints = endpoints.filter((endpoint) => endpoint.visibility === "external");
-  }
-  if (types?.length) {
-    endpoints = endpoints.filter((endpoint) => types.includes(endpoint.type));
-  }
-  return endpoints;
+function l4EndpointToL7(l4Endpoint, appProtocol, path = "") {
+  const parsed = parseEndpoint(l4Endpoint, 4);
+  return {
+    ...parsed,
+    level: 7,
+    appProtocol,
+    path
+  };
 }
-function l3EndpointToCidr(l3Endpoint) {
-  switch (l3Endpoint.type) {
+function l3EndpointToCidr(endpoint) {
+  switch (endpoint.type) {
     case "ipv4":
-      return `${l3Endpoint.address}/32`;
+      return `${endpoint.address.value}/32`;
     case "ipv6":
-      return `${l3Endpoint.address}/128`;
+      return `${endpoint.address.value}/128`;
     case "hostname":
       throw new Error("Cannot convert hostname to CIDR");
   }
 }
-var udpAppProtocols = ["dns", "dhcp"];
-function parseL7Endpoint(l7Endpoint) {
-  if (typeof l7Endpoint === "object") {
-    return l7Endpoint;
+function extractMetadata(address) {
+  if (!address) {
+    return {};
   }
-  const match = l7Endpoint.match(L7_ENDPOINT_RE);
-  if (!match) {
-    throw new Error(`Invalid L7 endpoint: "${l7Endpoint}"`);
+  const metadata = {};
+  if (privateSubnets.some((subnet) => doesAddressBelongToSubnet(address, subnet))) {
+    metadata["iana.scope"] = "private";
+  } else {
+    metadata["iana.scope"] = "global";
   }
-  const { appProtocol, ipv6, ipv4, hostname, port, resource } = match.groups;
-  let visibility = "public";
-  if (ipv4 && IPV4_PRIVATE_REGEX.test(ipv4)) {
-    visibility = "external";
-  } else if (ipv6 && IPV6_PRIVATE_REGEX.test(ipv6)) {
-    visibility = "external";
+  return metadata;
+}
+async function parseEndpoints(endpoints, inputEndpoints, minLevel = 3) {
+  const resolvedInputEndpoints = await toPromise(inputEndpoints ?? []);
+  return pipe(
+    [...endpoints ?? [], ...resolvedInputEndpoints],
+    filter(isNonNullish),
+    map((endpoint) => parseEndpoint(endpoint, minLevel)),
+    uniqueBy(endpointToString)
+  );
+}
+function addEndpointMetadata(endpoint, newMetadata) {
+  const parsedMetadata = metadataSchema.safeParse(newMetadata);
+  if (!parsedMetadata.success) {
+    throw new Error(
+      `Invalid new metadata for endpoint "${endpointToString(endpoint)}": ${parsedMetadata.error.message}`
+    );
   }
+  return syncDynamic({
+    ...endpoint,
+    metadata: {
+      ...endpoint.metadata,
+      ...newMetadata
+    }
+  });
+}
+function mergeEndpoints(endpoints) {
+  const mergedMap = /* @__PURE__ */ new Map();
+  for (const endpoint of endpoints) {
+    const key = endpointToString(endpoint);
+    const existing = mergedMap.get(key);
+    if (existing) {
+      mergedMap.set(key, addEndpointMetadata(existing, endpoint.metadata ?? {}));
+    } else {
+      mergedMap.set(key, endpoint);
+    }
+  }
+  return Array.from(mergedMap.values());
+}
+function syncDynamic(endpoint) {
   return {
-    type: ipv6 ? "ipv6" : ipv4 ? "ipv4" : "hostname",
-    visibility,
-    address: ipv6 || ipv4,
-    hostname,
-    // Default port for L7 endpoints (TODO: add more specific defaults for common protocols)
-    port: port ? parseInt(port, 10) : 443,
-    // L7 endpoints typically use TCP, but can also use UDP for specific protocols
-    protocol: udpAppProtocols.includes(appProtocol) ? "udp" : "tcp",
-    appProtocol,
-    resource: resource || ""
+    ...endpoint,
+    dynamic: {
+      type: "static",
+      endpoint: omit(endpoint, ["dynamic"])
+    }
   };
 }
-async function updateEndpoints(currentEndpoints, endpoints, inputEndpoints, mode = "prepend") {
-  const resolvedCurrentEndpoints = await toPromise(currentEndpoints);
-  const newEndpoints = await parseEndpoints(endpoints, inputEndpoints);
-  if (mode === "replace") {
-    return newEndpoints;
+function replaceEndpointBase(endpoint, base) {
+  if (base.type === "hostname") {
+    return syncDynamic({
+      ...omit(endpoint, ["type", "address", "subnet"]),
+      type: "hostname",
+      hostname: base.hostname
+    });
   }
-  return uniqueBy(
-    [...newEndpoints, ...resolvedCurrentEndpoints],
-    l34EndpointToString
-  );
-}
-async function parseEndpoints(endpoints, inputEndpoints) {
-  const resolvedInputEndpoints = await toPromise(inputEndpoints);
-  return uniqueBy(
-    [...endpoints?.map(parseL34Endpoint) ?? [], ...resolvedInputEndpoints ?? []],
-    l34EndpointToString
-  );
+  return syncDynamic({
+    ...omit(endpoint, ["type", "hostname", "metadata"]),
+    type: base.type,
+    address: base.address,
+    subnet: base.subnet,
+    metadata: base.metadata ?? extractMetadata(base.address)
+  });
 }
 function getServerConnection(ssh) {
   return output(ssh).apply((ssh2) => ({
@@ -443,6 +884,9 @@ var ImplementationMediator = class {
     return output(this.call(implRef, input));
   }
 };
+function areImplRefsEqual(a, b) {
+  return a.package === b.package && JSON.stringify(a.data) === JSON.stringify(b.data);
+}
 var dnsRecordMediator = new ImplementationMediator(
   "dns-record",
   z.object({ name: z.string(), args: z.custom() }),
@@ -471,7 +915,7 @@ var DnsRecord = class extends ComponentResource {
   waitCommands;
   constructor(name, args, opts) {
     super("highstate:common:DnsRecord", name, args, opts);
-    const l3Endpoint = output(args.value).apply((value) => parseL3Endpoint(value));
+    const l3Endpoint = output(args.value).apply((value) => parseEndpoint(value));
     const resolvedValue = l3Endpoint.apply(l3EndpointToString);
     const resolvedType = args.type ? output(args.type) : l3Endpoint.apply(getTypeByEndpoint);
     this.dnsRecord = output(args.provider).apply((provider) => {
@@ -547,7 +991,9 @@ var DnsRecordSet = class _DnsRecordSet extends ComponentResource {
       providers: args.providers,
       name: args.name ?? name
     }).apply(({ providers, name: name2 }) => {
-      const matchedProviders2 = providers.filter((provider) => name2.endsWith(provider.domain));
+      const matchedProviders2 = providers.filter(
+        (provider) => provider.zones.some((zone) => name2.endsWith(zone))
+      );
       if (matchedProviders2.length === 0) {
         throw new Error(`No DNS provider matched the domain "${name2}"`);
       }
@@ -559,7 +1005,7 @@ var DnsRecordSet = class _DnsRecordSet extends ComponentResource {
         providers: matchedProviders
       }).apply(({ name: name2, providers }) => {
         return providers.flatMap((provider) => {
-          const l3Endpoint = parseL3Endpoint(value);
+          const l3Endpoint = parseEndpoint(value);
           return new DnsRecord(
             `${name2}.${provider.id}.${l3EndpointToString(l3Endpoint)}`,
             {
@@ -597,53 +1043,6 @@ var DnsRecordSet = class _DnsRecordSet extends ComponentResource {
     );
   }
 };
-async function updateEndpointsWithFqdn(endpoints, fqdn, fqdnEndpointFilter, patchMode, dnsProviders, dnsSetName) {
-  const resolvedEndpoints = await toPromise(endpoints);
-  if (!fqdn) {
-    return {
-      endpoints: resolvedEndpoints,
-      dnsRecordSet: void 0
-    };
-  }
-  const filteredEndpoints = filterEndpoints(resolvedEndpoints, fqdnEndpointFilter);
-  const dnsRecordSet = new DnsRecordSet(dnsSetName ?? fqdn, {
-    name: fqdn,
-    providers: dnsProviders,
-    values: filteredEndpoints,
-    waitAt: "local"
-  });
-  const portProtocolGroups = groupBy(
-    filteredEndpoints,
-    (endpoint) => endpoint.port ? `${endpoint.port}-${endpoint.protocol}` : ""
-  );
-  const newEndpoints = [];
-  for (const group of Object.values(portProtocolGroups)) {
-    newEndpoints.unshift({
-      type: "hostname",
-      hostname: fqdn,
-      visibility: group[0].visibility,
-      port: group[0].port,
-      protocol: group[0].protocol
-    });
-  }
-  await toPromise(
-    dnsRecordSet.waitCommands.apply((waitCommands) => waitCommands.map((command) => command.stdout))
-  );
-  if (patchMode === "prepend") {
-    return {
-      endpoints: uniqueBy(
-        //
-        [...newEndpoints, ...resolvedEndpoints],
-        (endpoint) => l34EndpointToString(endpoint)
-      ),
-      dnsRecordSet
-    };
-  }
-  return {
-    endpoints: newEndpoints,
-    dnsRecordSet
-  };
-}
 var gatewayRouteMediator = new ImplementationMediator(
   "gateway-route",
   z.object({
@@ -701,18 +1100,29 @@ var TlsCertificate = class _TlsCertificate extends ComponentResource {
       dnsNames: args.dnsNames
     }).apply(async ({ issuers: issuers2, commonName, dnsNames }) => {
       const matchedIssuer = issuers2.find((issuer) => {
-        if (commonName && !commonName.endsWith(issuer.domain)) {
+        if (commonName && !issuer.zones.some((zone) => commonName.endsWith(zone))) {
           return false;
         }
-        if (dnsNames && !dnsNames.every((name2) => name2.endsWith(issuer.domain))) {
+        if (dnsNames && !dnsNames.every((name2) => issuer.zones.some((zone) => name2.endsWith(zone)))) {
           return false;
         }
         return true;
       });
       if (!matchedIssuer) {
-        throw new Error(
-          `No TLS issuer matched the common name "${commonName}" and DNS names "${dnsNames?.join(", ") ?? ""}"`
-        );
+        if (commonName && dnsNames && dnsNames.length > 0) {
+          const dnsNameList = dnsNames.join(", ");
+          throw new Error(
+            `No TLS issuer matched the common name "${commonName}" and DNS names "${dnsNameList}"`
+          );
+        }
+        if (commonName) {
+          throw new Error(`No TLS issuer matched the common name "${commonName}"`);
+        }
+        if (dnsNames && dnsNames.length > 0) {
+          const dnsNameList = dnsNames.join(", ");
+          throw new Error(`No TLS issuer matched the DNS names "${dnsNameList}"`);
+        }
+        throw new Error("No TLS issuer provided");
       }
       return await tlsCertificateMediator.call(matchedIssuer.implRef, {
         name,
@@ -1287,8 +1697,251 @@ async function fetchFileSize(endpoint) {
   return size;
 }
 function getNameByEndpoint(endpoint) {
-  const parsedEndpoint = parseL7Endpoint(endpoint);
-  return parsedEndpoint.resource ? basename(parsedEndpoint.resource) : "";
+  const parsedEndpoint = parseEndpoint(endpoint, 7);
+  return parsedEndpoint.path ? basename(parsedEndpoint.path) : "";
+}
+function createAddressSpace({
+  included,
+  excluded = []
+}) {
+  const includedRanges = included.flatMap(resolveInputToRanges);
+  const excludedRanges = excluded.flatMap(resolveInputToRanges);
+  const normalized = normalizeRanges(includedRanges, excludedRanges);
+  const subnets = rangesToCanonicalSubnets(normalized);
+  return { subnets };
+}
+function resolveInputToRanges(input) {
+  if (typeof input === "string") {
+    return [rangeFromString(input)];
+  }
+  if (check(network.addressSpaceEntity.schema, input)) {
+    return input.subnets.flatMap((subnet) => [rangeFromCidr(subnetToString(subnet))]);
+  }
+  if (check(network.subnetEntity.schema, input)) {
+    return [rangeFromCidr(subnetToString(input))];
+  }
+  if (check(network.addressEntity.schema, input)) {
+    return [rangeFromCidr(addressToCidr(input))];
+  }
+  if (check(network.l3EndpointEntity.schema, input)) {
+    if (input.type === "hostname") {
+      return [];
+    }
+    const cidr = input.cidr;
+    if (typeof cidr === "string") {
+      return [rangeFromCidr(cidr)];
+    }
+    const address = input.address;
+    if (typeof address === "string") {
+      const parsed = parseIp(address);
+      const prefixLength = parsed.type === "ipv4" ? 32 : 128;
+      return [
+        rangeFromParsedCidr({ family: parsed.type, base: parsed.value, prefix: prefixLength })
+      ];
+    }
+    if (check(network.addressEntity.schema, address)) {
+      return [rangeFromCidr(addressToCidr(address))];
+    }
+    throw new Error("Invalid L3 endpoint: missing address information");
+  }
+  throw new Error("Unsupported address space input");
+}
+function rangeFromString(value) {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    throw new Error("Empty address string");
+  }
+  if (trimmed.includes("-")) {
+    const [left, right, ...rest] = trimmed.split("-");
+    if (!left || !right || rest.length > 0) {
+      throw new Error(`Invalid range: "${value}"`);
+    }
+    const start = parseIp(left.trim());
+    const end = parseIp(right.trim());
+    if (start.type !== end.type) {
+      throw new Error(`Range must not mix IPv4 and IPv6: "${value}"`);
+    }
+    const min = start.value <= end.value ? start.value : end.value;
+    const max = start.value <= end.value ? end.value : start.value;
+    return {
+      family: start.type,
+      start: min,
+      endExclusive: max + 1n
+    };
+  }
+  if (trimmed.includes("/")) {
+    return rangeFromCidr(trimmed);
+  }
+  const parsed = parseIp(trimmed);
+  return {
+    family: parsed.type,
+    start: parsed.value,
+    endExclusive: parsed.value + 1n
+  };
+}
+function rangeFromCidr(cidr) {
+  const parsed = parseCidr(cidr);
+  return rangeFromParsedCidr({
+    family: parsed.type,
+    base: subnetBaseFromCidr(parsed),
+    prefix: parsed.prefixLength
+  });
+}
+function rangeFromParsedCidr(parsed) {
+  const size = cidrBlockSize(parsed.family, parsed.prefix);
+  return {
+    family: parsed.family,
+    start: parsed.base,
+    endExclusive: parsed.base + size
+  };
+}
+function normalizeRanges(included, excluded) {
+  const includedByFamily = splitByFamily(included);
+  const excludedByFamily = splitByFamily(excluded);
+  const normalizedV4 = subtractMergedRanges(
+    mergeRanges(includedByFamily.v4),
+    mergeRanges(excludedByFamily.v4)
+  );
+  const normalizedV6 = subtractMergedRanges(
+    mergeRanges(includedByFamily.v6),
+    mergeRanges(excludedByFamily.v6)
+  );
+  return [...normalizedV4, ...normalizedV6];
+}
+function splitByFamily(ranges) {
+  const v4 = [];
+  const v6 = [];
+  for (const range of ranges) {
+    if (range.start >= range.endExclusive) continue;
+    if (range.family === "ipv4") {
+      v4.push(range);
+    } else {
+      v6.push(range);
+    }
+  }
+  return { v4, v6 };
+}
+function mergeRanges(ranges) {
+  const sorted = [...ranges].sort((a, b) => {
+    if (a.start === b.start) {
+      return a.endExclusive < b.endExclusive ? -1 : a.endExclusive > b.endExclusive ? 1 : 0;
+    }
+    return a.start < b.start ? -1 : 1;
+  });
+  const merged = [];
+  for (const current of sorted) {
+    const last = merged.at(-1);
+    if (!last) {
+      merged.push({ ...current });
+      continue;
+    }
+    if (current.start <= last.endExclusive) {
+      if (current.endExclusive > last.endExclusive) {
+        last.endExclusive = current.endExclusive;
+      }
+      continue;
+    }
+    merged.push({ ...current });
+  }
+  return merged;
+}
+function subtractMergedRanges(included, excluded) {
+  if (included.length === 0) return [];
+  if (excluded.length === 0) return included;
+  const result = [];
+  let j = 0;
+  for (const incOriginal of included) {
+    const inc = { ...incOriginal };
+    while (j < excluded.length && excluded[j].endExclusive <= inc.start) {
+      j++;
+    }
+    while (j < excluded.length) {
+      const exc = excluded[j];
+      if (exc.start >= inc.endExclusive) {
+        break;
+      }
+      if (exc.start <= inc.start) {
+        inc.start = inc.start < exc.endExclusive ? exc.endExclusive : inc.start;
+        if (inc.start >= inc.endExclusive) {
+          break;
+        }
+        if (exc.endExclusive <= inc.start) {
+          j++;
+        }
+        continue;
+      }
+      result.push({
+        family: inc.family,
+        start: inc.start,
+        endExclusive: exc.start
+      });
+      inc.start = exc.endExclusive;
+      if (inc.start >= inc.endExclusive) {
+        break;
+      }
+    }
+    if (inc.start < inc.endExclusive) {
+      result.push(inc);
+    }
+  }
+  return result;
+}
+function rangesToCanonicalSubnets(ranges) {
+  const subnets = [];
+  for (const range of ranges) {
+    for (const cidr of rangeToCidrs(range)) {
+      const baseAddress = ipToString(cidr.family, cidr.base);
+      subnets.push({
+        type: cidr.family,
+        baseAddress,
+        prefixLength: cidr.prefix
+      });
+    }
+  }
+  return sortSubnetsCanonical(subnets);
+}
+function sortSubnetsCanonical(subnets) {
+  return [...subnets].sort((a, b) => {
+    const aFamily = a.type;
+    const bFamily = b.type;
+    if (aFamily !== bFamily) {
+      return aFamily === "ipv4" ? -1 : 1;
+    }
+    const aBase = parseIp(a.baseAddress).value;
+    const bBase = parseIp(b.baseAddress).value;
+    if (aBase !== bBase) {
+      return aBase < bBase ? -1 : 1;
+    }
+    return a.prefixLength - b.prefixLength;
+  });
+}
+function rangeToCidrs(range) {
+  const bits = range.family === "ipv4" ? 32 : 128;
+  const result = [];
+  let current = range.start;
+  while (current < range.endExclusive) {
+    const remaining = range.endExclusive - current;
+    const maxAligned = current === 0n ? 1n << BigInt(bits) : current & -current;
+    const maxByRemaining = highestPowerOfTwoAtMost(remaining);
+    const blockSize = maxAligned < maxByRemaining ? maxAligned : maxByRemaining;
+    const prefix = bits - bitLength(blockSize) + 1;
+    result.push({
+      family: range.family,
+      base: current,
+      prefix
+    });
+    current += blockSize;
+  }
+  return result;
+}
+function highestPowerOfTwoAtMost(value) {
+  if (value <= 0n) {
+    throw new Error("Value must be positive");
+  }
+  return 1n << BigInt(bitLength(value) - 1);
+}
+function bitLength(value) {
+  return value.toString(2).length;
 }
 function generatePassword() {
   return secureMask.apply(randomBytes(32)).password;
@@ -1460,7 +2113,37 @@ async function createServerEntity({
     }
   });
 }
+function filterByExpression(items, expression, getContext = (item) => item) {
+  const { evaluate } = compile(expression);
+  return items.filter((item) => evaluate(getContext(item)));
+}
+function filterWithMetadataByExpression(items, expression, getContext = (item) => item) {
+  return filterByExpression(
+    items,
+    expression,
+    (item) => getContext({ ...item, metadata: item.metadata ? flattenMetadata(item.metadata) : void 0 })
+  );
+}
+function flattenMetadata(metadata) {
+  const result = {};
+  for (const [key, value] of Object.entries(metadata)) {
+    const path = key.split(".");
+    let current = result;
+    for (let i = 0; i < path.length; i++) {
+      const segment = path[i];
+      if (i === path.length - 1) {
+        current[segment] = value;
+      } else {
+        if (!(segment in current)) {
+          current[segment] = {};
+        }
+        current = current[segment];
+      }
+    }
+  }
+  return result;
+}
 
-export { AccessPointRoute, Command, DnsRecord, DnsRecordSet, GatewayRoute, ImplementationMediator, MaterializedFile, MaterializedFolder, TlsCertificate, archiveFromFolder, assetFromFile, createServerBundle, createServerEntity, createSshHostKeyFile, createSshTerminal, dnsRecordMediator, fetchFileSize, filterEndpoints, gatewayRouteMediator, generateKey, generatePassword, generateSshPrivateKey, getNameByEndpoint, getServerConnection, l34EndpointToString, l3EndpointToCidr, l3EndpointToL4, l3EndpointToString, l4EndpointToString, l4EndpointWithProtocolToString, l7EndpointToString, parseEndpoints, parseL34Endpoint, parseL3Endpoint, parseL4Endpoint, parseL7Endpoint, requireInputL3Endpoint, requireInputL4Endpoint, sshPrivateKeyToKeyPair, tlsCertificateMediator, updateEndpoints, updateEndpointsWithFqdn };
-//# sourceMappingURL=chunk-WFWXDYUX.js.map
-//# sourceMappingURL=chunk-WFWXDYUX.js.map
+export { AccessPointRoute, Command, DnsRecord, DnsRecordSet, GatewayRoute, ImplementationMediator, MaterializedFile, MaterializedFolder, TlsCertificate, addEndpointMetadata, addressToCidr, archiveFromFolder, areImplRefsEqual, assertEndpointLevel, assetFromFile, checkEndpointLevel, createAddressSpace, createServerBundle, createServerEntity, createSshHostKeyFile, createSshTerminal, dnsRecordMediator, doesAddressBelongToSubnet, endpointToString, fetchFileSize, filterByExpression, filterWithMetadataByExpression, flattenMetadata, gatewayRouteMediator, generateKey, generatePassword, generateSshPrivateKey, getNameByEndpoint, getServerConnection, isPrivateAddress, l3EndpointToCidr, l3EndpointToL4, l3EndpointToString, l4EndpointToFullString, l4EndpointToL7, l4EndpointToString, l7EndpointToString, mergeAddresses, mergeEndpoints, parseAddress, parseEndpoint, parseEndpoints, parseL4Protocol, parseSubnet, parseSubnets, privateIpV4Subnets, privateIpV6Subnets, privateSubnets, replaceEndpointBase, sshPrivateKeyToKeyPair, subnetToString, tlsCertificateMediator };
+//# sourceMappingURL=chunk-X5BK6JSN.js.map
+//# sourceMappingURL=chunk-X5BK6JSN.js.map