@highstate/common 0.9.14 → 0.9.16

package/dist/chunk-HZBJ6LLS.js

@@ -0,0 +1,1057 @@
+import { toPromise, output, ComponentResource, interpolate, normalize, secret, getOrCreateSecret, asset } from '@highstate/pulumi';
+import { uniqueBy, capitalize, groupBy } from 'remeda';
+import { local, remote } from '@pulumi/command';
+import '@highstate/library';
+import { randomBytes } from '@noble/hashes/utils';
+import { secureMask } from 'micro-key-producer/password.js';
+import getKeys, { PrivateExport } from 'micro-key-producer/ssh.js';
+import { randomBytes as randomBytes$1 } from 'micro-key-producer/utils.js';
+import { tmpdir } from 'node:os';
+import { mkdtemp, writeFile, cp, rm, stat, rename, mkdir } from 'node:fs/promises';
+import { join, dirname, basename, extname } from 'node:path';
+import { createReadStream } from 'node:fs';
+import { pipeline } from 'node:stream/promises';
+import { Readable } from 'node:stream';
+import { createHash } from 'node:crypto';
+import { minimatch } from 'minimatch';
+import { HighstateSignature } from '@highstate/contract';
+import * as tar from 'tar';
+import unzipper from 'unzipper';
+
+// src/shared/network.ts
+function l3EndpointToString(l3Endpoint) {
+  switch (l3Endpoint.type) {
+    case "ipv4":
+      return l3Endpoint.address;
+    case "ipv6":
+      return l3Endpoint.address;
+    case "hostname":
+      return l3Endpoint.hostname;
+  }
+}
+function l4EndpointToString(l4Endpoint) {
+  if (l4Endpoint.type === "ipv6") {
+    return `[${l4Endpoint.address}]:${l4Endpoint.port}`;
+  }
+  return `${l3EndpointToString(l4Endpoint)}:${l4Endpoint.port}`;
+}
+function l4EndpointWithProtocolToString(l4Endpoint) {
+  const protocol = `${l4Endpoint.protocol}://`;
+  return `${protocol}${l4EndpointToString(l4Endpoint)}`;
+}
+function l7EndpointToString(l7Endpoint) {
+  const protocol = `${l7Endpoint.appProtocol}://`;
+  let endpoint = l4EndpointToString(l7Endpoint);
+  if (l7Endpoint.resource) {
+    endpoint += `/${l7Endpoint.resource}`;
+  }
+  return `${protocol}${endpoint}`;
+}
+function l34EndpointToString(l34Endpoint) {
+  if (l34Endpoint.port) {
+    return l4EndpointToString(l34Endpoint);
+  }
+  return l3EndpointToString(l34Endpoint);
+}
+var L34_ENDPOINT_RE = /^(?:(?<protocol>[a-z]+):\/\/)?(?:(?:\[?(?<ipv6>[0-9A-Fa-f:]+)\]?)|(?<ipv4>(?:\d{1,3}\.){3}\d{1,3})|(?<hostname>[a-zA-Z0-9-*]+(?:\.[a-zA-Z0-9-*]+)*))(?::(?<port>\d{1,5}))?$/;
+var L7_ENDPOINT_RE = /^(?<appProtocol>[a-z]+):\/\/(?:(?:\[?(?<ipv6>[0-9A-Fa-f:]+)\]?)|(?<ipv4>(?:\d{1,3}\.){3}\d{1,3})|(?<hostname>[a-zA-Z0-9-*]+(?:\.[a-zA-Z0-9-*]+)*))(?::(?<port>\d{1,5}))?(?:\/(?<resource>.*))?$/;
+function parseL34Endpoint(l34Endpoint) {
+  if (typeof l34Endpoint === "object") {
+    return l34Endpoint;
+  }
+  const match = l34Endpoint.match(L34_ENDPOINT_RE);
+  if (!match) {
+    throw new Error(`Invalid L3/L4 endpoint: "${l34Endpoint}"`);
+  }
+  const { protocol, ipv6, ipv4, hostname, port } = match.groups;
+  if (protocol && protocol !== "tcp" && protocol !== "udp") {
+    throw new Error(`Invalid L4 endpoint protocol: "${protocol}"`);
+  }
+  let visibility = "public";
+  if (ipv4 && IPV4_PRIVATE_REGEX.test(ipv4)) {
+    visibility = "external";
+  } else if (ipv6 && IPV6_PRIVATE_REGEX.test(ipv6)) {
+    visibility = "external";
+  }
+  const fallbackProtocol = port ? "tcp" : void 0;
+  return {
+    type: ipv6 ? "ipv6" : ipv4 ? "ipv4" : "hostname",
+    visibility,
+    address: ipv6 || ipv4,
+    hostname,
+    port: port ? parseInt(port, 10) : void 0,
+    protocol: protocol ? protocol : fallbackProtocol
+  };
+}
+function parseL3Endpoint(l3Endpoint) {
+  if (typeof l3Endpoint === "object") {
+    return l3Endpoint;
+  }
+  const parsed = parseL34Endpoint(l3Endpoint);
+  if (parsed.port) {
+    throw new Error(`Port cannot be specified in L3 endpoint: "${l3Endpoint}"`);
+  }
+  return parsed;
+}
+function parseL4Endpoint(l4Endpoint) {
+  if (typeof l4Endpoint === "object") {
+    return l4Endpoint;
+  }
+  const parsed = parseL34Endpoint(l4Endpoint);
+  if (!parsed.port) {
+    throw new Error(`No port found in L4 endpoint: "${l4Endpoint}"`);
+  }
+  return parsed;
+}
+var IPV4_PRIVATE_REGEX = /^(?:10|127)(?:\.\d{1,3}){3}$|^(?:172\.1[6-9]|172\.2[0-9]|172\.3[0-1])(?:\.\d{1,3}){2}$|^(?:192\.168)(?:\.\d{1,3}){2}$/;
+var IPV6_PRIVATE_REGEX = /^(?:fc|fd)(?:[0-9a-f]{2}){0,2}::(?:[0-9a-f]{1,4}:){7}[0-9a-f]{1,4}$|^::(?:ffff:(?:10|127)(?:\.\d{1,3}){3}|(?:172\.1[6-9]|172\.2[0-9]|172\.3[0-1])(?:\.\d{1,3}){2}|(?:192\.168)(?:\.\d{1,3}){2})$/;
+async function requireInputL3Endpoint(rawEndpoint, inputEndpoint) {
+  if (rawEndpoint) {
+    return parseL3Endpoint(rawEndpoint);
+  }
+  if (inputEndpoint) {
+    return toPromise(inputEndpoint);
+  }
+  throw new Error("No endpoint provided");
+}
+async function requireInputL4Endpoint(rawEndpoint, inputEndpoint) {
+  if (rawEndpoint) {
+    return parseL4Endpoint(rawEndpoint);
+  }
+  if (inputEndpoint) {
+    return toPromise(inputEndpoint);
+  }
+  throw new Error("No endpoint provided");
+}
+function l3ToL4Endpoint(l3Endpoint, port, protocol = "tcp") {
+  return {
+    ...parseL3Endpoint(l3Endpoint),
+    port,
+    protocol
+  };
+}
+function filterEndpoints(endpoints, filter, types) {
+  if (filter?.length) {
+    endpoints = endpoints.filter((endpoint) => filter.includes(endpoint.visibility));
+  } else if (endpoints.some((endpoint) => endpoint.visibility === "public")) {
+    endpoints = endpoints.filter((endpoint) => endpoint.visibility === "public");
+  } else if (endpoints.some((endpoint) => endpoint.visibility === "external")) {
+    endpoints = endpoints.filter((endpoint) => endpoint.visibility === "external");
+  }
+  if (types && types.length) {
+    endpoints = endpoints.filter((endpoint) => types.includes(endpoint.type));
+  }
+  return endpoints;
+}
+function l3EndpointToCidr(l3Endpoint) {
+  switch (l3Endpoint.type) {
+    case "ipv4":
+      return `${l3Endpoint.address}/32`;
+    case "ipv6":
+      return `${l3Endpoint.address}/128`;
+    case "hostname":
+      throw new Error("Cannot convert hostname to CIDR");
+  }
+}
+var udpAppProtocols = ["dns", "dhcp"];
+function parseL7Endpoint(l7Endpoint) {
+  if (typeof l7Endpoint === "object") {
+    return l7Endpoint;
+  }
+  const match = l7Endpoint.match(L7_ENDPOINT_RE);
+  if (!match) {
+    throw new Error(`Invalid L7 endpoint: "${l7Endpoint}"`);
+  }
+  const { appProtocol, ipv6, ipv4, hostname, port, resource } = match.groups;
+  let visibility = "public";
+  if (ipv4 && IPV4_PRIVATE_REGEX.test(ipv4)) {
+    visibility = "external";
+  } else if (ipv6 && IPV6_PRIVATE_REGEX.test(ipv6)) {
+    visibility = "external";
+  }
+  return {
+    type: ipv6 ? "ipv6" : ipv4 ? "ipv4" : "hostname",
+    visibility,
+    address: ipv6 || ipv4,
+    hostname,
+    // Default port for L7 endpoints (TODO: add more specific defaults for common protocols)
+    port: port ? parseInt(port, 10) : 443,
+    // L7 endpoints typically use TCP, but can also use UDP for specific protocols
+    protocol: udpAppProtocols.includes(appProtocol) ? "udp" : "tcp",
+    appProtocol,
+    resource: resource || ""
+  };
+}
+async function updateEndpoints(currentEndpoints, endpoints, inputEndpoints, mode = "prepend") {
+  const resolvedCurrentEndpoints = await toPromise(currentEndpoints);
+  const resolvedInputEndpoints = await toPromise(inputEndpoints);
+  const newEndpoints = uniqueBy(
+    //
+    [...endpoints.map(parseL34Endpoint), ...resolvedInputEndpoints],
+    (endpoint) => l34EndpointToString(endpoint)
+  );
+  if (mode === "replace") {
+    return newEndpoints;
+  }
+  return uniqueBy(
+    //
+    [...newEndpoints, ...resolvedCurrentEndpoints],
+    (endpoint) => l34EndpointToString(endpoint)
+  );
+}
+function getServerConnection(ssh2) {
+  return output(ssh2).apply((ssh3) => ({
+    host: l3EndpointToString(ssh3.endpoints[0]),
+    port: ssh3.endpoints[0].port,
+    user: ssh3.user,
+    password: ssh3.password,
+    privateKey: ssh3.keyPair?.privateKey,
+    dialErrorLimit: 3,
+    hostKey: ssh3.hostKey
+  }));
+}
+function createCommand(command) {
+  if (Array.isArray(command)) {
+    return command.join(" ");
+  }
+  return command;
+}
+var Command = class _Command extends ComponentResource {
+  command;
+  stdout;
+  stderr;
+  constructor(name, args, opts) {
+    super("highstate:common:Command", name, args, opts);
+    this.command = output(args).apply((args2) => {
+      if (args2.host === "local") {
+        return new local.Command(
+          name,
+          {
+            create: createCommand(args2.create),
+            update: args2.update ? createCommand(args2.update) : void 0,
+            delete: args2.delete ? createCommand(args2.delete) : void 0,
+            logging: args2.logging,
+            triggers: args2.triggers,
+            dir: args2.cwd
+          },
+          { ...opts, parent: this }
+        );
+      }
+      if (!args2.host.ssh) {
+        throw new Error(`The host "${args2.host.hostname}" has no SSH credentials`);
+      }
+      return new remote.Command(
+        name,
+        {
+          connection: getServerConnection(args2.host.ssh),
+          create: createCommand(args2.create),
+          update: args2.update ? createCommand(args2.update) : void 0,
+          delete: args2.delete ? createCommand(args2.delete) : void 0,
+          logging: args2.logging,
+          triggers: args2.triggers
+        },
+        { ...opts, parent: this }
+      );
+    });
+    this.stdout = this.command.stdout;
+    this.stderr = this.command.stderr;
+  }
+  static createTextFile(name, options, opts) {
+    return output(options).apply((options2) => {
+      const escapedContent = options2.content.replace(/"/g, '\\"');
+      const command = new _Command(
+        name,
+        {
+          host: options2.host,
+          create: interpolate`mkdir -p $(dirname ${options2.path}) && echo "${escapedContent}" > ${options2.path}`,
+          delete: interpolate`rm -rf ${options2.path}`
+        },
+        opts
+      );
+      return command;
+    });
+  }
+  static receiveTextFile(name, options, opts) {
+    return output(options).apply((options2) => {
+      const command = new _Command(
+        name,
+        {
+          host: options2.host,
+          create: interpolate`while ! test -f ${options2.path}; do sleep 1; done; cat ${options2.path}`,
+          logging: "stderr"
+        },
+        opts
+      );
+      return command;
+    });
+  }
+};
+function getTypeByEndpoint(endpoint) {
+  switch (endpoint.type) {
+    case "ipv4":
+      return "A";
+    case "ipv6":
+      return "AAAA";
+    case "hostname":
+      return "CNAME";
+  }
+}
+var DnsRecord = class extends ComponentResource {
+  /**
+   * The underlying dns record resource.
+   */
+  dnsRecord;
+  /**
+   * The wait commands to be executed after the DNS record is created/updated.
+   *
+   * Use this field as a dependency for other resources.
+   */
+  waitCommands;
+  constructor(name, args, opts) {
+    super("highstate:common:DnsRecord", name, args, opts);
+    this.dnsRecord = output(args).apply((args2) => {
+      const l3Endpoint = parseL3Endpoint(args2.value);
+      const type = args2.type ?? getTypeByEndpoint(l3Endpoint);
+      return output(
+        this.create(
+          name,
+          {
+            ...args2,
+            type,
+            value: l3EndpointToString(l3Endpoint)
+          },
+          { ...opts, parent: this }
+        )
+      );
+    });
+    this.waitCommands = output(args).apply((args2) => {
+      const waitAt = args2.waitAt ? Array.isArray(args2.waitAt) ? args2.waitAt : [args2.waitAt] : [];
+      return waitAt.map((host) => {
+        const hostname = host === "local" ? "local" : host.hostname;
+        return new Command(
+          `${name}-wait-${hostname}`,
+          {
+            host,
+            create: `while ! getent hosts ${args2.name} >/dev/null; do echo "Waiting for DNS record ${args2.name} to be created"; sleep 5; done`,
+            triggers: [args2.type, args2.ttl, args2.priority, args2.proxied]
+          },
+          { parent: this }
+        );
+      });
+    });
+  }
+  static create(name, args, opts) {
+    return output(args).apply(async (args2) => {
+      const providerType = args2.provider.type;
+      const implName = `${capitalize(providerType)}DnsRecord`;
+      const implModule = await import(`@highstate/${providerType}`);
+      const implClass = implModule[implName];
+      return new implClass(name, args2, opts);
+    });
+  }
+};
+var DnsRecordSet = class _DnsRecordSet extends ComponentResource {
+  /**
+   * The underlying dns record resources.
+   */
+  dnsRecords;
+  /**
+   * The wait commands to be executed after the DNS records are created/updated.
+   */
+  waitCommands;
+  constructor(name, records, opts) {
+    super("highstate:common:DnsRecordSet", name, records, opts);
+    this.dnsRecords = records;
+    this.waitCommands = records.apply(
+      (records2) => records2.flatMap((record) => record.waitCommands)
+    );
+  }
+  static create(name, args, opts) {
+    const records = output(args).apply((args2) => {
+      const recordName = args2.name ?? name;
+      const values = normalize(args2.value, args2.values);
+      return output(
+        args2.providers.filter((provider) => recordName.endsWith(provider.domain)).flatMap((provider) => {
+          return values.map((value) => {
+            const l3Endpoint = parseL3Endpoint(value);
+            return DnsRecord.create(
+              `${provider.type}-from-${recordName}-to-${l3EndpointToString(l3Endpoint)}`,
+              { name: recordName, ...args2, value: l3Endpoint, provider },
+              opts
+            );
+          });
+        })
+      );
+    });
+    return new _DnsRecordSet(name, records, opts);
+  }
+};
+async function updateEndpointsWithFqdn(endpoints, fqdn, fqdnEndpointFilter, patchMode, dnsProviders) {
+  const resolvedEndpoints = await toPromise(endpoints);
+  if (!fqdn) {
+    return {
+      endpoints: resolvedEndpoints,
+      dnsRecordSet: void 0
+    };
+  }
+  const filteredEndpoints = filterEndpoints(resolvedEndpoints, fqdnEndpointFilter);
+  const dnsRecordSet = DnsRecordSet.create(fqdn, {
+    providers: dnsProviders,
+    values: filteredEndpoints,
+    waitAt: "local"
+  });
+  const portProtocolGroups = groupBy(
+    filteredEndpoints,
+    (endpoint) => endpoint.port ? `${endpoint.port}-${endpoint.protocol}` : ""
+  );
+  const newEndpoints = [];
+  for (const group of Object.values(portProtocolGroups)) {
+    newEndpoints.unshift({
+      type: "hostname",
+      hostname: fqdn,
+      visibility: group[0].visibility,
+      port: group[0].port,
+      protocol: group[0].protocol
+    });
+  }
+  await toPromise(
+    dnsRecordSet.waitCommands.apply((waitCommands) => waitCommands.map((command) => command.stdout))
+  );
+  if (patchMode === "prepend") {
+    return {
+      endpoints: uniqueBy(
+        //
+        [...newEndpoints, ...resolvedEndpoints],
+        (endpoint) => l34EndpointToString(endpoint)
+      ),
+      dnsRecordSet
+    };
+  }
+  return {
+    endpoints: newEndpoints,
+    dnsRecordSet
+  };
+}
+function generatePassword() {
+  return secureMask.apply(randomBytes(32)).password;
+}
+
+// assets/images.json
+var terminal_ssh = {
+  image: "ghcr.io/exeteres/highstate/terminal-ssh:latest@sha256:99380e0405522afa0058eedce124c1970a87408663365b2dbce737801a7cd5d1"
+};
+
+// src/shared/ssh.ts
+function createSshTerminal(credentials) {
+  return output(credentials).apply((credentials2) => {
+    if (!credentials2) {
+      return void 0;
+    }
+    const command = ["ssh", "-tt", "-o", "UserKnownHostsFile=/known_hosts"];
+    const endpoint = credentials2.endpoints[0];
+    command.push("-p", endpoint.port.toString());
+    if (credentials2.keyPair) {
+      command.push("-i", "/private_key");
+    }
+    command.push(`${credentials2.user}@${l3EndpointToString(endpoint)}`);
+    if (credentials2.password) {
+      command.unshift("sshpass", "-f", "/password");
+    }
+    return {
+      name: "ssh",
+      meta: {
+        title: "Shell",
+        description: "Connect to the server via SSH",
+        icon: "gg:remote"
+      },
+      spec: {
+        image: terminal_ssh.image,
+        command,
+        files: {
+          "/password": credentials2.password,
+          "/private_key": credentials2.keyPair?.privateKey && {
+            content: {
+              type: "embedded",
+              value: credentials2.keyPair?.privateKey
+            },
+            meta: {
+              name: "private_key",
+              mode: 384
+            }
+          },
+          "/known_hosts": {
+            content: {
+              type: "embedded",
+              value: `${l3EndpointToString(endpoint)} ${credentials2.hostKey}`
+            },
+            meta: {
+              name: "known_hosts",
+              mode: 420
+            }
+          }
+        }
+      }
+    };
+  });
+}
+function generatePrivateKey() {
+  const seed = randomBytes$1(32);
+  return getKeys(seed).privateKey;
+}
+function privateKeyToKeyPair(privateKeyString) {
+  return output(privateKeyString).apply((privateKeyString2) => {
+    const privateKeyStruct = PrivateExport.decode(privateKeyString2);
+    const privKey = privateKeyStruct.keys[0].privKey.privKey;
+    const { fingerprint, publicKey } = getKeys(privKey.slice(0, 32));
+    return output({
+      type: "ed25519",
+      fingerprint,
+      publicKey,
+      privateKey: secret(privateKeyString2)
+    });
+  });
+}
+function getOrCreateSshKeyPair(inputs, secrets) {
+  if (inputs.sshKeyPair) {
+    return output(inputs.sshKeyPair);
+  }
+  const privateKey = getOrCreateSecret(secrets, "sshPrivateKey", generatePrivateKey);
+  return privateKey.apply(privateKeyToKeyPair);
+}
+function createServerEntity(fallbackHostname, endpoint, sshPort = 22, sshUser = "root", sshPassword, sshPrivateKey, hasSsh = true) {
+  const connection = output({
+    host: l3EndpointToString(endpoint),
+    port: sshPort,
+    user: sshUser,
+    password: sshPassword,
+    privateKey: sshPrivateKey,
+    dialErrorLimit: 3
+  });
+  if (!hasSsh) {
+    return output({
+      hostname: fallbackHostname,
+      endpoints: [endpoint]
+    });
+  }
+  const command = new local.Command("check-ssh", {
+    create: `nc -zv ${l3EndpointToString(endpoint)} ${sshPort} && echo "up" || echo "down"`,
+    triggers: [Date.now()]
+  });
+  return command.stdout.apply((result) => {
+    if (result === "down") {
+      return output({
+        hostname: fallbackHostname,
+        endpoints: [endpoint]
+      });
+    }
+    const hostnameResult = new remote.Command("hostname", {
+      connection,
+      create: "hostname",
+      triggers: [Date.now()]
+    });
+    const hostKeyResult = new remote.Command("host-key", {
+      connection,
+      create: "cat /etc/ssh/ssh_host_ed25519_key.pub",
+      triggers: [Date.now()]
+    });
+    return output({
+      endpoints: [endpoint],
+      hostname: hostnameResult.stdout.apply((x) => x.trim()),
+      ssh: {
+        endpoints: [l3ToL4Endpoint(endpoint, sshPort)],
+        user: sshUser,
+        hostKey: hostKeyResult.stdout.apply((x) => x.trim()),
+        password: sshPassword,
+        keyPair: sshPrivateKey ? privateKeyToKeyPair(sshPrivateKey) : void 0
+      }
+    });
+  });
+}
+function assetFromFile(file) {
+  if (file.content.type === "remote") {
+    return new asset.RemoteAsset(l7EndpointToString(file.content.endpoint));
+  }
+  if (file.content.type === "local") {
+    return new asset.FileAsset(file.content.path);
+  }
+  if (file.content.type === "artifact") {
+    throw new Error(
+      "Artifact-based files cannot be converted to Pulumi assets directly. Use MaterializedFile instead."
+    );
+  }
+  if (file.meta.isBinary) {
+    throw new Error(
+      "Cannot create asset from inline binary file content. Please open an issue if you need this feature."
+    );
+  }
+  return new asset.StringAsset(file.content.value);
+}
+function archiveFromFolder(folder) {
+  if (folder.content.type === "remote") {
+    return new asset.RemoteArchive(l7EndpointToString(folder.content.endpoint));
+  }
+  if (folder.content.type === "local") {
+    return new asset.FileArchive(folder.content.path);
+  }
+  if (folder.content.type === "artifact") {
+    throw new Error(
+      "Artifact-based folders cannot be converted to Pulumi assets directly. Use MaterializedFolder instead."
+    );
+  }
+  const files = {};
+  for (const file of folder.content.files) {
+    files[file.meta.name] = assetFromFile(file);
+  }
+  for (const subfolder of folder.content.folders) {
+    files[subfolder.meta.name] = archiveFromFolder(subfolder);
+  }
+  return new asset.AssetArchive(files);
+}
+async function unarchiveFromStream(stream, destinationPath, archiveType) {
+  await mkdir(destinationPath, { recursive: true });
+  switch (archiveType) {
+    case "tar": {
+      const extractStream = tar.extract({
+        cwd: destinationPath,
+        strict: true
+      });
+      await pipeline(stream, extractStream);
+      return;
+    }
+    case "zip": {
+      await pipeline(stream, unzipper.Extract({ path: destinationPath }));
+      return;
+    }
+  }
+}
+function detectArchiveType(fileName, contentType) {
+  const ext = extname(fileName).toLowerCase();
+  if (ext === ".tar" || ext === ".tgz" || ext === ".tar.gz") {
+    return "tar";
+  }
+  if (ext === ".zip") {
+    return "zip";
+  }
+  if (contentType) {
+    if (contentType.includes("tar") || contentType.includes("gzip")) {
+      return "tar";
+    }
+    if (contentType.includes("zip")) {
+      return "zip";
+    }
+  }
+  return null;
+}
+var MaterializedFile = class _MaterializedFile {
+  constructor(entity, parent) {
+    this.entity = entity;
+    this.parent = parent;
+  }
+  _tmpPath;
+  _path;
+  _disposed = false;
+  artifactMeta = {};
+  get path() {
+    return this._path;
+  }
+  async _open() {
+    if (this.parent) {
+      this._path = join(this.parent.path, this.entity.meta.name);
+    } else {
+      const tempBase = process.env.HIGHSTATE_TEMP_PATH || tmpdir();
+      this._tmpPath = await mkdtemp(join(tempBase, "highstate-file-"));
+      this._path = join(this._tmpPath, this.entity.meta.name);
+    }
+    switch (this.entity.content.type) {
+      case "embedded": {
+        const content = this.entity.meta.isBinary ? Buffer.from(this.entity.content.value, "base64") : this.entity.content.value;
+        await writeFile(this._path, content, { mode: this.entity.meta.mode });
+        break;
+      }
+      case "local": {
+        await cp(this.entity.content.path, this._path, { mode: this.entity.meta.mode });
+        break;
+      }
+      case "remote": {
+        const response = await load(l7EndpointToString(this.entity.content.endpoint));
+        if (!response.ok) throw new Error(`Failed to fetch: ${response.statusText}`);
+        const arrayBuffer = await response.arrayBuffer();
+        await writeFile(this._path, Buffer.from(arrayBuffer), { mode: this.entity.meta.mode });
+        break;
+      }
+      case "artifact": {
+        const artifactData = this.entity.content[HighstateSignature.Artifact];
+        const artifactPath = process.env.HIGHSTATE_ARTIFACT_READ_PATH;
+        if (!artifactPath) {
+          throw new Error(
+            "HIGHSTATE_ARTIFACT_READ_PATH environment variable is not set but required for artifact content"
+          );
+        }
+        const tgzPath = join(artifactPath, `${artifactData.hash}.tgz`);
+        const readStream = createReadStream(tgzPath);
+        await unarchiveFromStream(readStream, dirname(this._path), "tar");
+        break;
+      }
+    }
+  }
+  async [Symbol.asyncDispose]() {
+    if (this._disposed) return;
+    this._disposed = true;
+    try {
+      if (this._tmpPath) {
+        await rm(this._tmpPath, { recursive: true, force: true });
+      } else {
+        await rm(this._path, { force: true });
+      }
+    } catch (error) {
+      console.warn("failed to clean up materialized file:", error);
+    }
+  }
+  /**
+   * Packs the materialized file into an artifact and returns the file entity with artifact content.
+   *
+   * Creates a tgz archive of the file and stores it in HIGHSTATE_ARTIFACT_WRITE_PATH where it will be collected by Highstate.
+   */
+  async pack() {
+    const writeDir = process.env.HIGHSTATE_ARTIFACT_WRITE_PATH;
+    if (!writeDir) {
+      throw new Error("HIGHSTATE_ARTIFACT_WRITE_PATH environment variable is not set");
+    }
+    const fileStats = await stat(this._path);
+    const tempBase = process.env.HIGHSTATE_TEMP_PATH || tmpdir();
+    const tempArchivePath = join(tempBase, `highstate-pack-${Date.now()}.tgz`);
+    try {
+      await tar.create(
+        {
+          gzip: true,
+          file: tempArchivePath,
+          cwd: dirname(this._path),
+          noMtime: true
+          // to reproduce the same archive every time
+        },
+        [basename(this._path)]
+      );
+      const fileContent = createReadStream(tempArchivePath);
+      const hash = createHash("sha256");
+      for await (const chunk of fileContent) {
+        hash.update(chunk);
+      }
+      const hashValue = hash.digest("hex");
+      const finalArchivePath = join(writeDir, `${hashValue}.tgz`);
+      await rename(tempArchivePath, finalArchivePath);
+      const newMeta = {
+        name: this.entity.meta.name,
+        mode: fileStats.mode & 511,
+        // extract only permission bits
+        size: fileStats.size,
+        isBinary: this.entity.meta.isBinary
+        // keep original binary flag as we can't reliably detect this from filesystem
+      };
+      return {
+        meta: newMeta,
+        content: {
+          type: "artifact",
+          [HighstateSignature.Artifact]: {
+            hash: hashValue,
+            meta: await toPromise(this.artifactMeta)
+          }
+        }
+      };
+    } finally {
+      try {
+        await rm(tempArchivePath, { force: true });
+      } catch {
+      }
+    }
+  }
+  /**
+   * Creates an empty materialized file with the given name.
+   *
+   * @param name The name of the file to create
+   * @param content Optional initial content of the file (default is empty string)
+   * @param mode Optional file mode (permissions)
+   * @returns A new MaterializedFile instance representing an empty file
+   */
+  static async create(name, content = "", mode) {
+    const entity = {
+      meta: {
+        name,
+        mode,
+        size: 0,
+        isBinary: false
+      },
+      content: {
+        type: "embedded",
+        value: content
+      }
+    };
+    const materializedFile = new _MaterializedFile(entity);
+    try {
+      await materializedFile._open();
+    } catch (error) {
+      await materializedFile[Symbol.asyncDispose]();
+      throw error;
+    }
+    return materializedFile;
+  }
+  static async open(file, parent) {
+    const materializedFile = new _MaterializedFile(file, parent);
+    try {
+      await materializedFile._open();
+    } catch (error) {
+      await materializedFile[Symbol.asyncDispose]();
+      throw error;
+    }
+    return materializedFile;
+  }
+};
+var MaterializedFolder = class _MaterializedFolder {
+  constructor(entity, parent) {
+    this.entity = entity;
+    this.parent = parent;
+  }
+  _tmpPath;
+  _path;
+  _disposed = false;
+  _disposables = [];
+  artifactMeta = {};
+  get path() {
+    return this._path;
+  }
+  async _open() {
+    if (this.parent) {
+      this._path = join(this.parent.path, this.entity.meta.name);
+    } else {
+      const tempBase = process.env.HIGHSTATE_TEMP_PATH || tmpdir();
+      this._tmpPath = await mkdtemp(join(tempBase, "highstate-folder-"));
+      this._path = join(this._tmpPath, this.entity.meta.name);
+    }
+    switch (this.entity.content.type) {
+      case "embedded": {
+        await mkdir(this._path, { mode: this.entity.meta.mode });
+        for (const file of this.entity.content.files) {
+          const materializedFile = await MaterializedFile.open(file, this);
+          this._disposables.push(materializedFile);
+        }
+        for (const subfolder of this.entity.content.folders) {
+          const materializedFolder = await _MaterializedFolder.open(subfolder, this);
+          this._disposables.push(materializedFolder);
+        }
+        break;
+      }
+      case "local": {
+        const archiveType = detectArchiveType(this.entity.content.path);
+        if (archiveType) {
+          const readStream = createReadStream(this.entity.content.path);
+          await unarchiveFromStream(readStream, this._path, archiveType);
+        } else {
+          await cp(this.entity.content.path, this._path, {
+            recursive: true,
+            mode: this.entity.meta.mode
+          });
+        }
+        break;
+      }
+      case "remote": {
+        const response = await load(l7EndpointToString(this.entity.content.endpoint));
+        if (!response.ok) throw new Error(`Failed to fetch: ${response.statusText}`);
+        if (!response.body) throw new Error("Response body is empty");
+        const url = new URL(l7EndpointToString(this.entity.content.endpoint));
+        const archiveType = detectArchiveType(
+          url.pathname,
+          response.headers.get("content-type") || void 0
+        );
+        if (!archiveType) {
+          throw new Error("Remote folder content must be an archive (tar, tar.gz, tgz, or zip)");
+        }
+        if (!response.body) {
+          throw new Error("Response body is empty");
+        }
+        const reader = response.body.getReader();
+        const stream = new Readable({
+          async read() {
+            try {
+              const { done, value } = await reader.read();
+              if (done) {
+                this.push(null);
+              } else {
+                this.push(Buffer.from(value));
+              }
+            } catch (error) {
+              this.destroy(error instanceof Error ? error : new Error(String(error)));
+            }
+          }
+        });
+        await unarchiveFromStream(stream, this._path, archiveType);
+        break;
+      }
+      case "artifact": {
+        const artifactData = this.entity.content[HighstateSignature.Artifact];
+        const artifactPath = process.env.HIGHSTATE_ARTIFACT_READ_PATH;
+        if (!artifactPath) {
+          throw new Error(
+            "HIGHSTATE_ARTIFACT_READ_PATH environment variable is not set but required for artifact content"
+          );
+        }
+        const tgzPath = join(artifactPath, `${artifactData.hash}.tgz`);
+        const readStream = createReadStream(tgzPath);
+        await unarchiveFromStream(readStream, dirname(this._path), "tar");
+        break;
+      }
+    }
+  }
+  async [Symbol.asyncDispose]() {
+    if (this._disposed) return;
+    this._disposed = true;
+    try {
+      if (this._tmpPath) {
+        await rm(this._tmpPath, { recursive: true, force: true });
+      } else {
+        await rm(this._path, { recursive: true, force: true });
+      }
+    } catch (error) {
+      console.warn("failed to clean up materialized folder:", error);
+    }
+    for (const disposable of this._disposables) {
+      await disposable[Symbol.asyncDispose]();
+    }
+  }
+  /**
+   * Packs the materialized folder into an artifact and returns the folder entity with artifact content.
+   *
+   * Creates a tgz archive of the entire folder and stores it in HIGHSTATE_ARTIFACT_WRITE_PATH where it will be collected by Highstate.
+   */
+  async pack({ include, exclude } = {}) {
+    const writeDir = process.env.HIGHSTATE_ARTIFACT_WRITE_PATH;
+    if (!writeDir) {
+      throw new Error("HIGHSTATE_ARTIFACT_WRITE_PATH environment variable is not set");
+    }
+    const folderStats = await stat(this._path);
+    const tempBase = process.env.HIGHSTATE_TEMP_PATH || tmpdir();
+    const tempArchivePath = join(tempBase, `highstate-pack-${Date.now()}.tgz`);
+    const entity = this.entity;
+    try {
+      await tar.create(
+        {
+          gzip: true,
+          file: tempArchivePath,
+          cwd: dirname(this._path),
+          filter(path) {
+            path = path.slice(entity.meta.name.length + 1);
+            for (const pattern of exclude ?? []) {
+              if (minimatch(path, pattern)) {
+                return false;
+              }
+            }
+            for (const pattern of include ?? []) {
+              if (minimatch(path, pattern)) {
+                return true;
+              }
+            }
+            return !include || include.length === 0;
+          },
+          // to reproduce the same archive every time
+          portable: true,
+          noMtime: true
+        },
+        [basename(this._path)]
+      );
+      const fileContent = createReadStream(tempArchivePath);
+      const hash = createHash("sha256");
+      for await (const chunk of fileContent) {
+        hash.update(chunk);
+      }
+      const hashValue = hash.digest("hex");
+      const finalArchivePath = join(writeDir, `${hashValue}.tgz`);
+      await rename(tempArchivePath, finalArchivePath);
+      const newMeta = {
+        name: this.entity.meta.name,
+        mode: folderStats.mode & 511
+        // extract only permission bits
+      };
+      return {
+        meta: newMeta,
+        content: {
+          type: "artifact",
+          [HighstateSignature.Artifact]: {
+            hash: hashValue,
+            meta: await toPromise(this.artifactMeta)
+          }
+        }
+      };
+    } finally {
+      try {
+        await rm(tempArchivePath, { force: true });
+      } catch {
+      }
+    }
+  }
+  /**
+   * Creates an empty materialized folder with the given name.
+   *
+   * @param name The name of the folder to create
+   * @param mode Optional folder mode (permissions)
+   * @param parent Optional parent folder to create the folder in
+   * @returns A new MaterializedFolder instance representing an empty folder
+   */
+  static async create(name, mode, parent) {
+    const entity = {
+      meta: {
+        name,
+        mode
+      },
+      content: {
+        type: "embedded",
+        files: [],
+        folders: []
+      }
+    };
+    const materializedFolder = new _MaterializedFolder(entity, parent);
+    try {
+      await materializedFolder._open();
+    } catch (error) {
+      await materializedFolder[Symbol.asyncDispose]();
+      throw error;
+    }
+    return materializedFolder;
+  }
+  static async open(folder, parent) {
+    const materializedFolder = new _MaterializedFolder(folder, parent);
+    try {
+      await materializedFolder._open();
+    } catch (error) {
+      await materializedFolder[Symbol.asyncDispose]();
+      throw error;
+    }
+    return materializedFolder;
+  }
+};
+async function fetchFileSize(endpoint) {
+  if (endpoint.appProtocol !== "http" && endpoint.appProtocol !== "https") {
+    throw new Error(
+      `Unsupported protocol: ${endpoint.appProtocol}. Only HTTP and HTTPS are supported.`
+    );
+  }
+  const url = l7EndpointToString(endpoint);
+  const response = await load(url, { method: "HEAD" });
+  if (!response.ok) {
+    throw new Error(`Failed to fetch file size: ${response.statusText}`);
+  }
+  const contentLength = response.headers.get("content-length");
+  if (!contentLength) {
+    throw new Error("Content-Length header is missing in the response");
+  }
+  const size = parseInt(contentLength, 10);
+  if (isNaN(size)) {
+    throw new Error(`Invalid Content-Length value: ${contentLength}`);
+  }
+  return size;
+}
+function getNameByEndpoint(endpoint) {
+  const parsedEndpoint = parseL7Endpoint(endpoint);
+  return parsedEndpoint.resource ? basename(parsedEndpoint.resource) : "";
+}
+
+export { Command, DnsRecord, DnsRecordSet, MaterializedFile, MaterializedFolder, archiveFromFolder, assetFromFile, createServerEntity, createSshTerminal, fetchFileSize, filterEndpoints, generatePassword, generatePrivateKey, getNameByEndpoint, getOrCreateSshKeyPair, getServerConnection, l34EndpointToString, l3EndpointToCidr, l3EndpointToString, l3ToL4Endpoint, l4EndpointToString, l4EndpointWithProtocolToString, l7EndpointToString, parseL34Endpoint, parseL3Endpoint, parseL4Endpoint, parseL7Endpoint, privateKeyToKeyPair, requireInputL3Endpoint, requireInputL4Endpoint, updateEndpoints, updateEndpointsWithFqdn };
+//# sourceMappingURL=chunk-HZBJ6LLS.js.map
+//# sourceMappingURL=chunk-HZBJ6LLS.js.map