@highstate/common 0.9.15 → 0.9.18

package/dist/chunk-YYNV3MVT.js

@@ -0,0 +1,1141 @@
+import { toPromise, output, ComponentResource, interpolate, normalize, secret, ensureSecretValue, asset } from '@highstate/pulumi';
+import { uniqueBy, flat, capitalize, groupBy } from 'remeda';
+import { homedir, tmpdir } from 'node:os';
+import { local, remote } from '@pulumi/command';
+import '@highstate/library';
+import { randomBytes, bytesToHex } from '@noble/hashes/utils';
+import { secureMask } from 'micro-key-producer/password.js';
+import getKeys, { PrivateExport } from 'micro-key-producer/ssh.js';
+import { randomBytes as randomBytes$1 } from 'micro-key-producer/utils.js';
+import { mkdtemp, writeFile, cp, rm, stat, rename, mkdir } from 'node:fs/promises';
+import { join, dirname, basename, extname } from 'node:path';
+import { createReadStream } from 'node:fs';
+import { pipeline } from 'node:stream/promises';
+import { Readable } from 'node:stream';
+import { createHash } from 'node:crypto';
+import { minimatch } from 'minimatch';
+import { HighstateSignature } from '@highstate/contract';
+import * as tar from 'tar';
+import unzipper from 'unzipper';
+
+// src/shared/network.ts
+function l3EndpointToString(l3Endpoint) {
+  switch (l3Endpoint.type) {
+    case "ipv4":
+      return l3Endpoint.address;
+    case "ipv6":
+      return l3Endpoint.address;
+    case "hostname":
+      return l3Endpoint.hostname;
+  }
+}
+function l4EndpointToString(l4Endpoint) {
+  if (l4Endpoint.type === "ipv6") {
+    return `[${l4Endpoint.address}]:${l4Endpoint.port}`;
+  }
+  return `${l3EndpointToString(l4Endpoint)}:${l4Endpoint.port}`;
+}
+function l4EndpointWithProtocolToString(l4Endpoint) {
+  const protocol = `${l4Endpoint.protocol}://`;
+  return `${protocol}${l4EndpointToString(l4Endpoint)}`;
+}
+function l7EndpointToString(l7Endpoint) {
+  const protocol = `${l7Endpoint.appProtocol}://`;
+  let endpoint = l4EndpointToString(l7Endpoint);
+  if (l7Endpoint.resource) {
+    endpoint += `/${l7Endpoint.resource}`;
+  }
+  return `${protocol}${endpoint}`;
+}
+function l34EndpointToString(l34Endpoint) {
+  if (l34Endpoint.port) {
+    return l4EndpointToString(l34Endpoint);
+  }
+  return l3EndpointToString(l34Endpoint);
+}
+var L34_ENDPOINT_RE = /^(?:(?<protocol>[a-z]+):\/\/)?(?:(?:\[?(?<ipv6>[0-9A-Fa-f:]+)\]?)|(?<ipv4>(?:\d{1,3}\.){3}\d{1,3})|(?<hostname>[a-zA-Z0-9-*]+(?:\.[a-zA-Z0-9-*]+)*))(?::(?<port>\d{1,5}))?$/;
+var L7_ENDPOINT_RE = /^(?<appProtocol>[a-z]+):\/\/(?:(?:\[?(?<ipv6>[0-9A-Fa-f:]+)\]?)|(?<ipv4>(?:\d{1,3}\.){3}\d{1,3})|(?<hostname>[a-zA-Z0-9-*]+(?:\.[a-zA-Z0-9-*]+)*))(?::(?<port>\d{1,5}))?(?:\/(?<resource>.*))?$/;
+function parseL34Endpoint(l34Endpoint) {
+  if (typeof l34Endpoint === "object") {
+    return l34Endpoint;
+  }
+  const match = l34Endpoint.match(L34_ENDPOINT_RE);
+  if (!match) {
+    throw new Error(`Invalid L3/L4 endpoint: "${l34Endpoint}"`);
+  }
+  const { protocol, ipv6, ipv4, hostname, port } = match.groups;
+  if (protocol && protocol !== "tcp" && protocol !== "udp") {
+    throw new Error(`Invalid L4 endpoint protocol: "${protocol}"`);
+  }
+  let visibility = "public";
+  if (ipv4 && IPV4_PRIVATE_REGEX.test(ipv4)) {
+    visibility = "external";
+  } else if (ipv6 && IPV6_PRIVATE_REGEX.test(ipv6)) {
+    visibility = "external";
+  }
+  const fallbackProtocol = port ? "tcp" : void 0;
+  return {
+    type: ipv6 ? "ipv6" : ipv4 ? "ipv4" : "hostname",
+    visibility,
+    address: ipv6 || ipv4,
+    hostname,
+    port: port ? parseInt(port, 10) : void 0,
+    protocol: protocol ? protocol : fallbackProtocol
+  };
+}
+function parseL3Endpoint(l3Endpoint) {
+  if (typeof l3Endpoint === "object") {
+    return l3Endpoint;
+  }
+  const parsed = parseL34Endpoint(l3Endpoint);
+  if (parsed.port) {
+    throw new Error(`Port cannot be specified in L3 endpoint: "${l3Endpoint}"`);
+  }
+  return parsed;
+}
+function parseL4Endpoint(l4Endpoint) {
+  if (typeof l4Endpoint === "object") {
+    return l4Endpoint;
+  }
+  const parsed = parseL34Endpoint(l4Endpoint);
+  if (!parsed.port) {
+    throw new Error(`No port found in L4 endpoint: "${l4Endpoint}"`);
+  }
+  return parsed;
+}
+var IPV4_PRIVATE_REGEX = /^(?:10|127)(?:\.\d{1,3}){3}$|^(?:172\.1[6-9]|172\.2[0-9]|172\.3[0-1])(?:\.\d{1,3}){2}$|^(?:192\.168)(?:\.\d{1,3}){2}$/;
+var IPV6_PRIVATE_REGEX = /^(?:fc|fd)(?:[0-9a-f]{2}){0,2}::(?:[0-9a-f]{1,4}:){7}[0-9a-f]{1,4}$|^::(?:ffff:(?:10|127)(?:\.\d{1,3}){3}|(?:172\.1[6-9]|172\.2[0-9]|172\.3[0-1])(?:\.\d{1,3}){2}|(?:192\.168)(?:\.\d{1,3}){2})$/;
+async function requireInputL3Endpoint(rawEndpoint, inputEndpoint) {
+  if (rawEndpoint) {
+    return parseL3Endpoint(rawEndpoint);
+  }
+  if (inputEndpoint) {
+    return toPromise(inputEndpoint);
+  }
+  throw new Error("No endpoint provided");
+}
+async function requireInputL4Endpoint(rawEndpoint, inputEndpoint) {
+  if (rawEndpoint) {
+    return parseL4Endpoint(rawEndpoint);
+  }
+  if (inputEndpoint) {
+    return toPromise(inputEndpoint);
+  }
+  throw new Error("No endpoint provided");
+}
+function l3EndpointToL4(l3Endpoint, port, protocol = "tcp") {
+  return {
+    ...parseL3Endpoint(l3Endpoint),
+    port,
+    protocol
+  };
+}
+function filterEndpoints(endpoints, filter, types) {
+  if (filter?.length) {
+    endpoints = endpoints.filter((endpoint) => filter.includes(endpoint.visibility));
+  } else if (endpoints.some((endpoint) => endpoint.visibility === "public")) {
+    endpoints = endpoints.filter((endpoint) => endpoint.visibility === "public");
+  } else if (endpoints.some((endpoint) => endpoint.visibility === "external")) {
+    endpoints = endpoints.filter((endpoint) => endpoint.visibility === "external");
+  }
+  if (types && types.length) {
+    endpoints = endpoints.filter((endpoint) => types.includes(endpoint.type));
+  }
+  return endpoints;
+}
+function l3EndpointToCidr(l3Endpoint) {
+  switch (l3Endpoint.type) {
+    case "ipv4":
+      return `${l3Endpoint.address}/32`;
+    case "ipv6":
+      return `${l3Endpoint.address}/128`;
+    case "hostname":
+      throw new Error("Cannot convert hostname to CIDR");
+  }
+}
+var udpAppProtocols = ["dns", "dhcp"];
+function parseL7Endpoint(l7Endpoint) {
+  if (typeof l7Endpoint === "object") {
+    return l7Endpoint;
+  }
+  const match = l7Endpoint.match(L7_ENDPOINT_RE);
+  if (!match) {
+    throw new Error(`Invalid L7 endpoint: "${l7Endpoint}"`);
+  }
+  const { appProtocol, ipv6, ipv4, hostname, port, resource } = match.groups;
+  let visibility = "public";
+  if (ipv4 && IPV4_PRIVATE_REGEX.test(ipv4)) {
+    visibility = "external";
+  } else if (ipv6 && IPV6_PRIVATE_REGEX.test(ipv6)) {
+    visibility = "external";
+  }
+  return {
+    type: ipv6 ? "ipv6" : ipv4 ? "ipv4" : "hostname",
+    visibility,
+    address: ipv6 || ipv4,
+    hostname,
+    // Default port for L7 endpoints (TODO: add more specific defaults for common protocols)
+    port: port ? parseInt(port, 10) : 443,
+    // L7 endpoints typically use TCP, but can also use UDP for specific protocols
+    protocol: udpAppProtocols.includes(appProtocol) ? "udp" : "tcp",
+    appProtocol,
+    resource: resource || ""
+  };
+}
+async function updateEndpoints(currentEndpoints, endpoints, inputEndpoints, mode = "prepend") {
+  const resolvedCurrentEndpoints = await toPromise(currentEndpoints);
+  const resolvedInputEndpoints = await toPromise(inputEndpoints);
+  const newEndpoints = uniqueBy(
+    //
+    [...endpoints.map(parseL34Endpoint), ...resolvedInputEndpoints],
+    (endpoint) => l34EndpointToString(endpoint)
+  );
+  if (mode === "replace") {
+    return newEndpoints;
+  }
+  return uniqueBy(
+    //
+    [...newEndpoints, ...resolvedCurrentEndpoints],
+    (endpoint) => l34EndpointToString(endpoint)
+  );
+}
+function getServerConnection(ssh2) {
+  return output(ssh2).apply((ssh3) => ({
+    host: l3EndpointToString(ssh3.endpoints[0]),
+    port: ssh3.endpoints[0].port,
+    user: ssh3.user,
+    password: ssh3.password,
+    privateKey: ssh3.keyPair?.privateKey,
+    dialErrorLimit: 3,
+    hostKey: ssh3.hostKey
+  }));
+}
+function createCommand(command) {
+  if (Array.isArray(command)) {
+    return command.join(" ");
+  }
+  return command;
+}
+function wrapWithWorkDir(dir) {
+  if (!dir) {
+    return (command) => output(command);
+  }
+  return (command) => interpolate`cd "${dir}" && ${command}`;
+}
+function wrapWithWaitFor(timeout = 300, interval = 5) {
+  return (command) => (
+    // TOD: escape the command
+    interpolate`timeout ${timeout} bash -c 'while ! ${createCommand(command)}; do sleep ${interval}; done'`
+  );
+}
+var Command = class _Command extends ComponentResource {
+  stdout;
+  stderr;
+  constructor(name, args, opts) {
+    super("highstate:common:Command", name, args, opts);
+    const command = args.host === "local" ? new local.Command(
+      name,
+      {
+        create: output(args.create).apply(createCommand),
+        update: args.update ? output(args.update).apply(createCommand) : void 0,
+        delete: args.delete ? output(args.delete).apply(createCommand) : void 0,
+        logging: args.logging,
+        triggers: args.triggers ? output(args.triggers).apply(flat) : void 0,
+        dir: args.cwd ?? homedir(),
+        environment: args.environment,
+        stdin: args.stdin
+      },
+      { ...opts, parent: this }
+    ) : new remote.Command(
+      name,
+      {
+        connection: output(args.host).apply((server) => {
+          if ("host" in server) {
+            return output(server);
+          }
+          if (!server.ssh) {
+            throw new Error(`The server "${server.hostname}" has no SSH credentials`);
+          }
+          return getServerConnection(server.ssh);
+        }),
+        create: output(args.create).apply(createCommand).apply(wrapWithWorkDir(args.cwd)),
+        update: args.update ? output(args.update).apply(createCommand).apply(wrapWithWorkDir(args.cwd)) : void 0,
+        delete: args.delete ? output(args.delete).apply(createCommand).apply(wrapWithWorkDir(args.cwd)) : void 0,
+        logging: args.logging,
+        triggers: args.triggers ? output(args.triggers).apply(flat) : void 0,
+        stdin: args.stdin,
+        environment: args.environment
+      },
+      { ...opts, parent: this }
+    );
+    this.stdout = command.stdout;
+    this.stderr = command.stderr;
+  }
+  /**
+   * Waits for the command to complete and returns its output.
+   * The standard output will be returned.
+   */
+  async wait() {
+    return await toPromise(this.stdout);
+  }
+  /**
+   * Creates a command that writes the given content to a file on the host.
+   * The file will be created if it does not exist, and overwritten if it does.
+   *
+   * Use for small text files like configuration files.
+   */
+  static createTextFile(name, options, opts) {
+    return new _Command(
+      name,
+      {
+        host: options.host,
+        create: interpolate`mkdir -p $(dirname "${options.path}") && cat > ${options.path}`,
+        delete: interpolate`rm -rf ${options.path}`,
+        stdin: options.content
+      },
+      opts
+    );
+  }
+  /**
+   * Creates a command that waits for a file to be created and then reads its content.
+   * This is useful for waiting for a file to be generated by another process.
+   *
+   * Use for small text files like configuration files.
+   */
+  static receiveTextFile(name, options, opts) {
+    return new _Command(
+      name,
+      {
+        host: options.host,
+        create: interpolate`while ! test -f "${options.path}"; do sleep 1; done; cat "${options.path}"`,
+        logging: "stderr"
+      },
+      opts
+    );
+  }
+  /**
+   * Creates a command that waits for a condition to be met.
+   * The command will run until the condition is met or the timeout is reached.
+   *
+   * The condition is considered met if the command returns a zero exit code.
+   *
+   * @param name The name of the command resource.
+   * @param args The arguments for the command, including the condition to check.
+   * @param opts Optional resource options.
+   */
+  static waitFor(name, args, opts) {
+    return new _Command(
+      name,
+      {
+        ...args,
+        create: output(args.create).apply(wrapWithWaitFor(args.timeout, args.interval)),
+        update: args.update ? output(args.update).apply(wrapWithWaitFor(args.timeout, args.interval)) : void 0,
+        delete: args.delete ? output(args.delete).apply(wrapWithWaitFor(args.timeout, args.interval)) : void 0
+      },
+      opts
+    );
+  }
+};
+function getTypeByEndpoint(endpoint) {
+  switch (endpoint.type) {
+    case "ipv4":
+      return "A";
+    case "ipv6":
+      return "AAAA";
+    case "hostname":
+      return "CNAME";
+  }
+}
+var DnsRecord = class extends ComponentResource {
+  /**
+   * The underlying dns record resource.
+   */
+  dnsRecord;
+  /**
+   * The wait commands to be executed after the DNS record is created/updated.
+   *
+   * Use this field as a dependency for other resources.
+   */
+  waitCommands;
+  constructor(name, args, opts) {
+    super("highstate:common:DnsRecord", name, args, opts);
+    this.dnsRecord = output(args).apply((args2) => {
+      const l3Endpoint = parseL3Endpoint(args2.value);
+      const type = args2.type ?? getTypeByEndpoint(l3Endpoint);
+      return output(
+        this.create(
+          name,
+          {
+            ...args2,
+            type,
+            value: l3EndpointToString(l3Endpoint)
+          },
+          { ...opts, parent: this }
+        )
+      );
+    });
+    this.waitCommands = output(args).apply((args2) => {
+      const waitAt = args2.waitAt ? Array.isArray(args2.waitAt) ? args2.waitAt : [args2.waitAt] : [];
+      return waitAt.map((host) => {
+        const hostname = host === "local" ? "local" : host.hostname;
+        return new Command(
+          `${name}-wait-${hostname}`,
+          {
+            host,
+            create: `while ! getent hosts ${args2.name} >/dev/null; do echo "Waiting for DNS record ${args2.name} to be created"; sleep 5; done`,
+            triggers: [args2.type, args2.ttl, args2.priority, args2.proxied]
+          },
+          { parent: this }
+        );
+      });
+    });
+  }
+  static create(name, args, opts) {
+    return output(args).apply(async (args2) => {
+      const providerType = args2.provider.type;
+      const implName = `${capitalize(providerType)}DnsRecord`;
+      const implModule = await import(`@highstate/${providerType}`);
+      const implClass = implModule[implName];
+      return new implClass(name, args2, opts);
+    });
+  }
+};
+var DnsRecordSet = class _DnsRecordSet extends ComponentResource {
+  /**
+   * The underlying dns record resources.
+   */
+  dnsRecords;
+  /**
+   * The wait commands to be executed after the DNS records are created/updated.
+   */
+  waitCommands;
+  constructor(name, records, opts) {
+    super("highstate:common:DnsRecordSet", name, records, opts);
+    this.dnsRecords = records;
+    this.waitCommands = records.apply(
+      (records2) => records2.flatMap((record) => record.waitCommands)
+    );
+  }
+  static create(name, args, opts) {
+    const records = output(args).apply((args2) => {
+      const recordName = args2.name ?? name;
+      const values = normalize(args2.value, args2.values);
+      return output(
+        args2.providers.filter((provider) => recordName.endsWith(provider.domain)).flatMap((provider) => {
+          return values.map((value) => {
+            const l3Endpoint = parseL3Endpoint(value);
+            return DnsRecord.create(
+              `${provider.type}-from-${recordName}-to-${l3EndpointToString(l3Endpoint)}`,
+              { name: recordName, ...args2, value: l3Endpoint, provider },
+              opts
+            );
+          });
+        })
+      );
+    });
+    return new _DnsRecordSet(name, records, opts);
+  }
+};
+async function updateEndpointsWithFqdn(endpoints, fqdn, fqdnEndpointFilter, patchMode, dnsProviders) {
+  const resolvedEndpoints = await toPromise(endpoints);
+  if (!fqdn) {
+    return {
+      endpoints: resolvedEndpoints,
+      dnsRecordSet: void 0
+    };
+  }
+  const filteredEndpoints = filterEndpoints(resolvedEndpoints, fqdnEndpointFilter);
+  const dnsRecordSet = DnsRecordSet.create(fqdn, {
+    providers: dnsProviders,
+    values: filteredEndpoints,
+    waitAt: "local"
+  });
+  const portProtocolGroups = groupBy(
+    filteredEndpoints,
+    (endpoint) => endpoint.port ? `${endpoint.port}-${endpoint.protocol}` : ""
+  );
+  const newEndpoints = [];
+  for (const group of Object.values(portProtocolGroups)) {
+    newEndpoints.unshift({
+      type: "hostname",
+      hostname: fqdn,
+      visibility: group[0].visibility,
+      port: group[0].port,
+      protocol: group[0].protocol
+    });
+  }
+  await toPromise(
+    dnsRecordSet.waitCommands.apply((waitCommands) => waitCommands.map((command) => command.stdout))
+  );
+  if (patchMode === "prepend") {
+    return {
+      endpoints: uniqueBy(
+        //
+        [...newEndpoints, ...resolvedEndpoints],
+        (endpoint) => l34EndpointToString(endpoint)
+      ),
+      dnsRecordSet
+    };
+  }
+  return {
+    endpoints: newEndpoints,
+    dnsRecordSet
+  };
+}
+function generatePassword() {
+  return secureMask.apply(randomBytes(32)).password;
+}
+function generateKey(format = "hex") {
+  const bytes = randomBytes(32);
+  if (format === "raw") {
+    return bytes;
+  }
+  if (format === "base64") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  return bytesToHex(bytes);
+}
+
+// assets/images.json
+var terminal_ssh = {
+  image: "ghcr.io/exeteres/highstate/terminal-ssh:latest@sha256:99380e0405522afa0058eedce124c1970a87408663365b2dbce737801a7cd5d1"
+};
+
+// src/shared/ssh.ts
+function createSshTerminal(credentials) {
+  return output(credentials).apply((credentials2) => {
+    if (!credentials2) {
+      return void 0;
+    }
+    const command = ["ssh", "-tt", "-o", "UserKnownHostsFile=/known_hosts"];
+    const endpoint = credentials2.endpoints[0];
+    command.push("-p", endpoint.port.toString());
+    if (credentials2.keyPair) {
+      command.push("-i", "/private_key");
+    }
+    command.push(`${credentials2.user}@${l3EndpointToString(endpoint)}`);
+    if (credentials2.password) {
+      command.unshift("sshpass", "-f", "/password");
+    }
+    return {
+      name: "ssh",
+      meta: {
+        title: "Shell",
+        description: "Connect to the server via SSH",
+        icon: "gg:remote"
+      },
+      spec: {
+        image: terminal_ssh.image,
+        command,
+        files: {
+          "/password": credentials2.password,
+          "/private_key": credentials2.keyPair?.privateKey && {
+            content: {
+              type: "embedded",
+              value: credentials2.keyPair?.privateKey
+            },
+            meta: {
+              name: "private_key",
+              mode: 384
+            }
+          },
+          "/known_hosts": {
+            content: {
+              type: "embedded",
+              value: `${l3EndpointToString(endpoint)} ${credentials2.hostKey}`
+            },
+            meta: {
+              name: "known_hosts",
+              mode: 420
+            }
+          }
+        }
+      }
+    };
+  });
+}
+function generateSshPrivateKey() {
+  const seed = randomBytes$1(32);
+  return getKeys(seed).privateKey;
+}
+function sshPrivateKeyToKeyPair(privateKeyString) {
+  return output(privateKeyString).apply((privateKeyString2) => {
+    const privateKeyStruct = PrivateExport.decode(privateKeyString2);
+    const privKey = privateKeyStruct.keys[0].privKey.privKey;
+    const { fingerprint, publicKey } = getKeys(privKey.slice(0, 32));
+    return output({
+      type: "ed25519",
+      fingerprint,
+      publicKey,
+      privateKey: secret(privateKeyString2)
+    });
+  });
+}
+function ensureSshKeyPair(privateKey, existingKeyPair) {
+  if (existingKeyPair) {
+    return output(existingKeyPair);
+  }
+  return ensureSecretValue(privateKey, generateSshPrivateKey).value.apply(sshPrivateKeyToKeyPair);
+}
+async function createServerEntity({
+  name,
+  fallbackHostname,
+  endpoints,
+  sshEndpoint,
+  sshPort = 22,
+  sshUser = "root",
+  sshPassword,
+  sshPrivateKey,
+  hasSsh = true,
+  pingInterval,
+  pingTimeout,
+  waitForPing,
+  waitForSsh,
+  sshCheckInterval,
+  sshCheckTimeout
+}) {
+  if (endpoints.length === 0) {
+    throw new Error("At least one L3 endpoint is required to create a server entity");
+  }
+  fallbackHostname ??= name;
+  waitForSsh ??= hasSsh;
+  waitForPing ??= !waitForSsh;
+  if (waitForPing) {
+    await Command.waitFor(`${name}.ping`, {
+      host: "local",
+      create: `ping -c 1 ${l3EndpointToString(endpoints[0])}`,
+      timeout: pingTimeout ?? 300,
+      interval: pingInterval ?? 5,
+      triggers: [Date.now()]
+    }).wait();
+  }
+  if (!hasSsh) {
+    return {
+      hostname: name,
+      endpoints
+    };
+  }
+  sshEndpoint ??= l3EndpointToL4(endpoints[0], sshPort);
+  if (waitForSsh) {
+    await Command.waitFor(`${name}.ssh`, {
+      host: "local",
+      create: `nc -zv ${l3EndpointToString(sshEndpoint)} ${sshPort}`,
+      timeout: sshCheckTimeout ?? 300,
+      interval: sshCheckInterval ?? 5,
+      triggers: [Date.now()]
+    }).wait();
+  }
+  const connection = output({
+    host: l3EndpointToString(sshEndpoint),
+    port: sshEndpoint.port,
+    user: sshUser,
+    password: sshPassword,
+    privateKey: sshPrivateKey,
+    dialErrorLimit: 3
+  });
+  const hostnameResult = new remote.Command("hostname", {
+    connection,
+    create: "hostname",
+    triggers: [Date.now()]
+  });
+  const hostKeyResult = new remote.Command("host-key", {
+    connection,
+    create: "cat /etc/ssh/ssh_host_ed25519_key.pub",
+    triggers: [Date.now()]
+  });
+  return await toPromise({
+    endpoints,
+    hostname: hostnameResult.stdout.apply((x) => x.trim()),
+    ssh: {
+      endpoints: [sshEndpoint],
+      user: sshUser,
+      hostKey: hostKeyResult.stdout.apply((x) => x.trim()),
+      password: sshPassword,
+      keyPair: sshPrivateKey ? sshPrivateKeyToKeyPair(sshPrivateKey) : void 0
+    }
+  });
+}
+function assetFromFile(file) {
+  if (file.content.type === "remote") {
+    return new asset.RemoteAsset(l7EndpointToString(file.content.endpoint));
+  }
+  if (file.content.type === "local") {
+    return new asset.FileAsset(file.content.path);
+  }
+  if (file.content.type === "artifact") {
+    throw new Error(
+      "Artifact-based files cannot be converted to Pulumi assets directly. Use MaterializedFile instead."
+    );
+  }
+  if (file.meta.isBinary) {
+    throw new Error(
+      "Cannot create asset from inline binary file content. Please open an issue if you need this feature."
+    );
+  }
+  return new asset.StringAsset(file.content.value);
+}
+function archiveFromFolder(folder) {
+  if (folder.content.type === "remote") {
+    return new asset.RemoteArchive(l7EndpointToString(folder.content.endpoint));
+  }
+  if (folder.content.type === "local") {
+    return new asset.FileArchive(folder.content.path);
+  }
+  if (folder.content.type === "artifact") {
+    throw new Error(
+      "Artifact-based folders cannot be converted to Pulumi assets directly. Use MaterializedFolder instead."
+    );
+  }
+  const files = {};
+  for (const file of folder.content.files) {
+    files[file.meta.name] = assetFromFile(file);
+  }
+  for (const subfolder of folder.content.folders) {
+    files[subfolder.meta.name] = archiveFromFolder(subfolder);
+  }
+  return new asset.AssetArchive(files);
+}
+async function unarchiveFromStream(stream, destinationPath, archiveType) {
+  await mkdir(destinationPath, { recursive: true });
+  switch (archiveType) {
+    case "tar": {
+      const extractStream = tar.extract({
+        cwd: destinationPath,
+        strict: true
+      });
+      await pipeline(stream, extractStream);
+      return;
+    }
+    case "zip": {
+      await pipeline(stream, unzipper.Extract({ path: destinationPath }));
+      return;
+    }
+  }
+}
+function detectArchiveType(fileName, contentType) {
+  const ext = extname(fileName).toLowerCase();
+  if (ext === ".tar" || ext === ".tgz" || ext === ".tar.gz") {
+    return "tar";
+  }
+  if (ext === ".zip") {
+    return "zip";
+  }
+  if (contentType) {
+    if (contentType.includes("tar") || contentType.includes("gzip")) {
+      return "tar";
+    }
+    if (contentType.includes("zip")) {
+      return "zip";
+    }
+  }
+  return null;
+}
+var MaterializedFile = class _MaterializedFile {
+  constructor(entity, parent) {
+    this.entity = entity;
+    this.parent = parent;
+  }
+  _tmpPath;
+  _path;
+  _disposed = false;
+  artifactMeta = {};
+  get path() {
+    return this._path;
+  }
+  async _open() {
+    if (this.parent) {
+      this._path = join(this.parent.path, this.entity.meta.name);
+    } else {
+      const tempBase = process.env.HIGHSTATE_TEMP_PATH || tmpdir();
+      this._tmpPath = await mkdtemp(join(tempBase, "highstate-file-"));
+      this._path = join(this._tmpPath, this.entity.meta.name);
+    }
+    switch (this.entity.content.type) {
+      case "embedded": {
+        const content = this.entity.meta.isBinary ? Buffer.from(this.entity.content.value, "base64") : this.entity.content.value;
+        await writeFile(this._path, content, { mode: this.entity.meta.mode });
+        break;
+      }
+      case "local": {
+        await cp(this.entity.content.path, this._path, { mode: this.entity.meta.mode });
+        break;
+      }
+      case "remote": {
+        const response = await fetch(l7EndpointToString(this.entity.content.endpoint));
+        if (!response.ok) throw new Error(`Failed to fetch: ${response.statusText}`);
+        const arrayBuffer = await response.arrayBuffer();
+        await writeFile(this._path, Buffer.from(arrayBuffer), { mode: this.entity.meta.mode });
+        break;
+      }
+      case "artifact": {
+        const artifactPath = process.env.HIGHSTATE_ARTIFACT_READ_PATH;
+        if (!artifactPath) {
+          throw new Error(
+            "HIGHSTATE_ARTIFACT_READ_PATH environment variable is not set but required for artifact content"
+          );
+        }
+        const tgzPath = join(artifactPath, `${this.entity.content.hash}.tgz`);
+        const readStream = createReadStream(tgzPath);
+        await unarchiveFromStream(readStream, dirname(this._path), "tar");
+        break;
+      }
+    }
+  }
+  async [Symbol.asyncDispose]() {
+    if (this._disposed) return;
+    this._disposed = true;
+    try {
+      if (this._tmpPath) {
+        await rm(this._tmpPath, { recursive: true, force: true });
+      } else {
+        await rm(this._path, { force: true });
+      }
+    } catch (error) {
+      console.warn("failed to clean up materialized file:", error);
+    }
+  }
+  /**
+   * Packs the materialized file into an artifact and returns the file entity with artifact content.
+   *
+   * Creates a tgz archive of the file and stores it in HIGHSTATE_ARTIFACT_WRITE_PATH where it will be collected by Highstate.
+   */
+  async pack() {
+    const writeDir = process.env.HIGHSTATE_ARTIFACT_WRITE_PATH;
+    if (!writeDir) {
+      throw new Error("HIGHSTATE_ARTIFACT_WRITE_PATH environment variable is not set");
+    }
+    const fileStats = await stat(this._path);
+    const tempBase = process.env.HIGHSTATE_TEMP_PATH || tmpdir();
+    const tempArchivePath = join(tempBase, `highstate-pack-${Date.now()}.tgz`);
+    try {
+      await tar.create(
+        {
+          gzip: true,
+          file: tempArchivePath,
+          cwd: dirname(this._path),
+          noMtime: true
+          // to reproduce the same archive every time
+        },
+        [basename(this._path)]
+      );
+      const fileContent = createReadStream(tempArchivePath);
+      const hash = createHash("sha256");
+      for await (const chunk of fileContent) {
+        hash.update(chunk);
+      }
+      const hashValue = hash.digest("hex");
+      const finalArchivePath = join(writeDir, `${hashValue}.tgz`);
+      await rename(tempArchivePath, finalArchivePath);
+      const newMeta = {
+        name: this.entity.meta.name,
+        mode: fileStats.mode & 511,
+        // extract only permission bits
+        size: fileStats.size,
+        isBinary: this.entity.meta.isBinary
+        // keep original binary flag as we can't reliably detect this from filesystem
+      };
+      return {
+        meta: newMeta,
+        content: {
+          type: "artifact",
+          [HighstateSignature.Artifact]: true,
+          hash: hashValue,
+          meta: await toPromise(this.artifactMeta)
+        }
+      };
+    } finally {
+      try {
+        await rm(tempArchivePath, { force: true });
+      } catch {
+      }
+    }
+  }
+  /**
+   * Creates an empty materialized file with the given name.
+   *
+   * @param name The name of the file to create
+   * @param content Optional initial content of the file (default is empty string)
+   * @param mode Optional file mode (permissions)
+   * @returns A new MaterializedFile instance representing an empty file
+   */
+  static async create(name, content = "", mode) {
+    const entity = {
+      meta: {
+        name,
+        mode,
+        size: 0,
+        isBinary: false
+      },
+      content: {
+        type: "embedded",
+        value: content
+      }
+    };
+    const materializedFile = new _MaterializedFile(entity);
+    try {
+      await materializedFile._open();
+    } catch (error) {
+      await materializedFile[Symbol.asyncDispose]();
+      throw error;
+    }
+    return materializedFile;
+  }
+  static async open(file, parent) {
+    const materializedFile = new _MaterializedFile(file, parent);
+    try {
+      await materializedFile._open();
+    } catch (error) {
+      await materializedFile[Symbol.asyncDispose]();
+      throw error;
+    }
+    return materializedFile;
+  }
+};
+var MaterializedFolder = class _MaterializedFolder {
+  constructor(entity, parent) {
+    this.entity = entity;
+    this.parent = parent;
+  }
+  _tmpPath;
+  _path;
+  _disposed = false;
+  _disposables = [];
+  artifactMeta = {};
+  get path() {
+    return this._path;
+  }
+  async _open() {
+    if (this.parent) {
+      this._path = join(this.parent.path, this.entity.meta.name);
+    } else {
+      const tempBase = process.env.HIGHSTATE_TEMP_PATH || tmpdir();
+      this._tmpPath = await mkdtemp(join(tempBase, "highstate-folder-"));
+      this._path = join(this._tmpPath, this.entity.meta.name);
+    }
+    switch (this.entity.content.type) {
+      case "embedded": {
+        await mkdir(this._path, { mode: this.entity.meta.mode });
+        for (const file of this.entity.content.files) {
+          const materializedFile = await MaterializedFile.open(file, this);
+          this._disposables.push(materializedFile);
+        }
+        for (const subfolder of this.entity.content.folders) {
+          const materializedFolder = await _MaterializedFolder.open(subfolder, this);
+          this._disposables.push(materializedFolder);
+        }
+        break;
+      }
+      case "local": {
+        const archiveType = detectArchiveType(this.entity.content.path);
+        if (archiveType) {
+          const readStream = createReadStream(this.entity.content.path);
+          await unarchiveFromStream(readStream, this._path, archiveType);
+        } else {
+          await cp(this.entity.content.path, this._path, {
+            recursive: true,
+            mode: this.entity.meta.mode
+          });
+        }
+        break;
+      }
+      case "remote": {
+        const response = await fetch(l7EndpointToString(this.entity.content.endpoint));
+        if (!response.ok) throw new Error(`Failed to fetch: ${response.statusText}`);
+        if (!response.body) throw new Error("Response body is empty");
+        const url = new URL(l7EndpointToString(this.entity.content.endpoint));
+        const archiveType = detectArchiveType(
+          url.pathname,
+          response.headers.get("content-type") || void 0
+        );
+        if (!archiveType) {
+          throw new Error("Remote folder content must be an archive (tar, tar.gz, tgz, or zip)");
+        }
+        if (!response.body) {
+          throw new Error("Response body is empty");
+        }
+        const reader = response.body.getReader();
+        const stream = new Readable({
+          async read() {
+            try {
+              const { done, value } = await reader.read();
+              if (done) {
+                this.push(null);
+              } else {
+                this.push(Buffer.from(value));
+              }
+            } catch (error) {
+              this.destroy(error instanceof Error ? error : new Error(String(error)));
+            }
+          }
+        });
+        await unarchiveFromStream(stream, this._path, archiveType);
+        break;
+      }
+      case "artifact": {
+        const artifactPath = process.env.HIGHSTATE_ARTIFACT_READ_PATH;
+        if (!artifactPath) {
+          throw new Error(
+            "HIGHSTATE_ARTIFACT_READ_PATH environment variable is not set but required for artifact content"
+          );
+        }
+        const tgzPath = join(artifactPath, `${this.entity.content.hash}.tgz`);
+        const readStream = createReadStream(tgzPath);
+        await unarchiveFromStream(readStream, dirname(this._path), "tar");
+        break;
+      }
+    }
+  }
+  async [Symbol.asyncDispose]() {
+    if (this._disposed) return;
+    this._disposed = true;
+    try {
+      if (this._tmpPath) {
+        await rm(this._tmpPath, { recursive: true, force: true });
+      } else {
+        await rm(this._path, { recursive: true, force: true });
+      }
+    } catch (error) {
+      console.warn("failed to clean up materialized folder:", error);
+    }
+    for (const disposable of this._disposables) {
+      await disposable[Symbol.asyncDispose]();
+    }
+  }
+  /**
+   * Packs the materialized folder into an artifact and returns the folder entity with artifact content.
+   *
+   * Creates a tgz archive of the entire folder and stores it in HIGHSTATE_ARTIFACT_WRITE_PATH where it will be collected by Highstate.
+   */
+  async pack({ include, exclude } = {}) {
+    const writeDir = process.env.HIGHSTATE_ARTIFACT_WRITE_PATH;
+    if (!writeDir) {
+      throw new Error("HIGHSTATE_ARTIFACT_WRITE_PATH environment variable is not set");
+    }
+    const folderStats = await stat(this._path);
+    const tempBase = process.env.HIGHSTATE_TEMP_PATH || tmpdir();
+    const tempArchivePath = join(tempBase, `highstate-pack-${Date.now()}.tgz`);
+    const entity = this.entity;
+    try {
+      await tar.create(
+        {
+          gzip: true,
+          file: tempArchivePath,
+          cwd: dirname(this._path),
+          filter(path) {
+            path = path.slice(entity.meta.name.length + 1);
+            for (const pattern of exclude ?? []) {
+              if (minimatch(path, pattern)) {
+                return false;
+              }
+            }
+            for (const pattern of include ?? []) {
+              if (minimatch(path, pattern)) {
+                return true;
+              }
+            }
+            return !include || include.length === 0;
+          },
+          // to reproduce the same archive every time
+          portable: true,
+          noMtime: true
+        },
+        [basename(this._path)]
+      );
+      const fileContent = createReadStream(tempArchivePath);
+      const hash = createHash("sha256");
+      for await (const chunk of fileContent) {
+        hash.update(chunk);
+      }
+      const hashValue = hash.digest("hex");
+      const finalArchivePath = join(writeDir, `${hashValue}.tgz`);
+      await rename(tempArchivePath, finalArchivePath);
+      const newMeta = {
+        name: this.entity.meta.name,
+        mode: folderStats.mode & 511
+        // extract only permission bits
+      };
+      return {
+        meta: newMeta,
+        content: {
+          [HighstateSignature.Artifact]: true,
+          type: "artifact",
+          hash: hashValue,
+          meta: await toPromise(this.artifactMeta)
+        }
+      };
+    } finally {
+      try {
+        await rm(tempArchivePath, { force: true });
+      } catch {
+      }
+    }
+  }
+  /**
+   * Creates an empty materialized folder with the given name.
+   *
+   * @param name The name of the folder to create
+   * @param mode Optional folder mode (permissions)
+   * @param parent Optional parent folder to create the folder in
+   * @returns A new MaterializedFolder instance representing an empty folder
+   */
+  static async create(name, mode, parent) {
+    const entity = {
+      meta: {
+        name,
+        mode
+      },
+      content: {
+        type: "embedded",
+        files: [],
+        folders: []
+      }
+    };
+    const materializedFolder = new _MaterializedFolder(entity, parent);
+    try {
+      await materializedFolder._open();
+    } catch (error) {
+      await materializedFolder[Symbol.asyncDispose]();
+      throw error;
+    }
+    return materializedFolder;
+  }
+  static async open(folder, parent) {
+    const materializedFolder = new _MaterializedFolder(folder, parent);
+    try {
+      await materializedFolder._open();
+    } catch (error) {
+      await materializedFolder[Symbol.asyncDispose]();
+      throw error;
+    }
+    return materializedFolder;
+  }
+};
+async function fetchFileSize(endpoint) {
+  if (endpoint.appProtocol !== "http" && endpoint.appProtocol !== "https") {
+    throw new Error(
+      `Unsupported protocol: ${endpoint.appProtocol}. Only HTTP and HTTPS are supported.`
+    );
+  }
+  const url = l7EndpointToString(endpoint);
+  const response = await fetch(url, { method: "HEAD" });
+  if (!response.ok) {
+    throw new Error(`Failed to fetch file size: ${response.statusText}`);
+  }
+  const contentLength = response.headers.get("content-length");
+  if (!contentLength) {
+    throw new Error("Content-Length header is missing in the response");
+  }
+  const size = parseInt(contentLength, 10);
+  if (isNaN(size)) {
+    throw new Error(`Invalid Content-Length value: ${contentLength}`);
+  }
+  return size;
+}
+function getNameByEndpoint(endpoint) {
+  const parsedEndpoint = parseL7Endpoint(endpoint);
+  return parsedEndpoint.resource ? basename(parsedEndpoint.resource) : "";
+}
+
+export { Command, DnsRecord, DnsRecordSet, MaterializedFile, MaterializedFolder, archiveFromFolder, assetFromFile, createServerEntity, createSshTerminal, ensureSshKeyPair, fetchFileSize, filterEndpoints, generateKey, generatePassword, generateSshPrivateKey, getNameByEndpoint, getServerConnection, l34EndpointToString, l3EndpointToCidr, l3EndpointToL4, l3EndpointToString, l4EndpointToString, l4EndpointWithProtocolToString, l7EndpointToString, parseL34Endpoint, parseL3Endpoint, parseL4Endpoint, parseL7Endpoint, requireInputL3Endpoint, requireInputL4Endpoint, sshPrivateKeyToKeyPair, updateEndpoints, updateEndpointsWithFqdn };
+//# sourceMappingURL=chunk-YYNV3MVT.js.map
+//# sourceMappingURL=chunk-YYNV3MVT.js.map