@highstate/common 0.9.16 → 0.9.19

package/dist/{chunk-HZBJ6LLS.js → chunk-WDYIUWYZ.js}

@@ -1,22 +1,23 @@
-import { toPromise, output, ComponentResource, interpolate, normalize, secret, getOrCreateSecret, asset } from '@highstate/pulumi';
-import { uniqueBy, capitalize, groupBy } from 'remeda';
+import { ComponentResource, Resource, toPromise, output, interpolate, normalizeInputsAndMap, fileFromString, secret, asset, normalizeInputs } from '@highstate/pulumi';
+import { uniqueBy, flat, groupBy } from 'remeda';
+import { homedir, tmpdir } from 'node:os';
 import { local, remote } from '@pulumi/command';
-import '@highstate/library';
-import { randomBytes } from '@noble/hashes/utils';
+import { sha256 } from '@noble/hashes/sha2';
+import { z, getOrCreate, stripNullish, HighstateSignature } from '@highstate/contract';
+import { randomBytes, bytesToHex } from '@noble/hashes/utils';
 import { secureMask } from 'micro-key-producer/password.js';
 import getKeys, { PrivateExport } from 'micro-key-producer/ssh.js';
 import { randomBytes as randomBytes$1 } from 'micro-key-producer/utils.js';
-import { tmpdir } from 'node:os';
+import { createHash } from 'node:crypto';
+import { createReadStream } from 'node:fs';
 import { mkdtemp, writeFile, cp, rm, stat, rename, mkdir } from 'node:fs/promises';
 import { join, dirname, basename, extname } from 'node:path';
-import { createReadStream } from 'node:fs';
-import { pipeline } from 'node:stream/promises';
 import { Readable } from 'node:stream';
-import { createHash } from 'node:crypto';
+import { pipeline } from 'node:stream/promises';
 import { minimatch } from 'minimatch';
-import { HighstateSignature } from '@highstate/contract';
 import * as tar from 'tar';
 import unzipper from 'unzipper';
+import { network } from '@highstate/library';
 
 // src/shared/network.ts
 function l3EndpointToString(l3Endpoint) {
@@ -123,7 +124,7 @@ async function requireInputL4Endpoint(rawEndpoint, inputEndpoint) {
   }
   throw new Error("No endpoint provided");
 }
-function l3ToL4Endpoint(l3Endpoint, port, protocol = "tcp") {
+function l3EndpointToL4(l3Endpoint, port, protocol = "tcp") {
   return {
     ...parseL3Endpoint(l3Endpoint),
     port,
@@ -138,7 +139,7 @@ function filterEndpoints(endpoints, filter, types) {
   } else if (endpoints.some((endpoint) => endpoint.visibility === "external")) {
     endpoints = endpoints.filter((endpoint) => endpoint.visibility === "external");
   }
-  if (types && types.length) {
+  if (types?.length) {
     endpoints = endpoints.filter((endpoint) => types.includes(endpoint.type));
   }
   return endpoints;
@@ -184,30 +185,31 @@ function parseL7Endpoint(l7Endpoint) {
 }
 async function updateEndpoints(currentEndpoints, endpoints, inputEndpoints, mode = "prepend") {
   const resolvedCurrentEndpoints = await toPromise(currentEndpoints);
-  const resolvedInputEndpoints = await toPromise(inputEndpoints);
-  const newEndpoints = uniqueBy(
-    //
-    [...endpoints.map(parseL34Endpoint), ...resolvedInputEndpoints],
-    (endpoint) => l34EndpointToString(endpoint)
-  );
+  const newEndpoints = await parseEndpoints(endpoints, inputEndpoints);
   if (mode === "replace") {
     return newEndpoints;
   }
   return uniqueBy(
-    //
     [...newEndpoints, ...resolvedCurrentEndpoints],
-    (endpoint) => l34EndpointToString(endpoint)
+    l34EndpointToString
   );
 }
-function getServerConnection(ssh2) {
-  return output(ssh2).apply((ssh3) => ({
-    host: l3EndpointToString(ssh3.endpoints[0]),
-    port: ssh3.endpoints[0].port,
-    user: ssh3.user,
-    password: ssh3.password,
-    privateKey: ssh3.keyPair?.privateKey,
+async function parseEndpoints(endpoints, inputEndpoints) {
+  const resolvedInputEndpoints = await toPromise(inputEndpoints);
+  return uniqueBy(
+    [...endpoints?.map(parseL34Endpoint) ?? [], ...resolvedInputEndpoints ?? []],
+    l34EndpointToString
+  );
+}
+function getServerConnection(ssh) {
+  return output(ssh).apply((ssh2) => ({
+    host: l3EndpointToString(ssh2.endpoints[0]),
+    port: ssh2.endpoints[0].port,
+    user: ssh2.user,
+    password: ssh2.password,
+    privateKey: ssh2.keyPair?.privateKey,
     dialErrorLimit: 3,
-    hostKey: ssh3.hostKey
+    hostKey: ssh2.hostKey
   }));
 }
 function createCommand(command) {
@@ -216,76 +218,234 @@ function createCommand(command) {
   }
   return command;
 }
+function wrapWithWorkDir(dir) {
+  if (!dir) {
+    return (command) => output(command);
+  }
+  return (command) => interpolate`cd "${dir}" && ${command}`;
+}
+function wrapWithEnvironment(environment) {
+  if (!environment) {
+    return (command) => output(command);
+  }
+  return (command) => output({ command, environment }).apply(({ command: command2, environment: environment2 }) => {
+    if (!environment2 || Object.keys(environment2).length === 0) {
+      return command2;
+    }
+    const envExport = Object.entries(environment2).map(([key, value]) => `export ${key}="${value}"`).join(" && ");
+    return `${envExport} && ${command2}`;
+  });
+}
+function wrapWithWaitFor(timeout = 300, interval = 5) {
+  return (command) => (
+    // TOD: escape the command
+    interpolate`timeout ${timeout} bash -c 'while ! ${createCommand(command)}; do sleep ${interval}; done'`
+  );
+}
+function applyUpdateTriggers(env, triggers) {
+  return output({ env, triggers }).apply(({ env: env2, triggers: triggers2 }) => {
+    if (!triggers2) {
+      return env2;
+    }
+    const hash = sha256(JSON.stringify(triggers2));
+    const hashHex = Buffer.from(hash).toString("hex");
+    return {
+      ...env2,
+      HIGHSTATE_UPDATE_TRIGGER_HASH: hashHex
+    };
+  });
+}
 var Command = class _Command extends ComponentResource {
-  command;
   stdout;
   stderr;
   constructor(name, args, opts) {
     super("highstate:common:Command", name, args, opts);
-    this.command = output(args).apply((args2) => {
-      if (args2.host === "local") {
-        return new local.Command(
-          name,
-          {
-            create: createCommand(args2.create),
-            update: args2.update ? createCommand(args2.update) : void 0,
-            delete: args2.delete ? createCommand(args2.delete) : void 0,
-            logging: args2.logging,
-            triggers: args2.triggers,
-            dir: args2.cwd
-          },
-          { ...opts, parent: this }
-        );
-      }
-      if (!args2.host.ssh) {
-        throw new Error(`The host "${args2.host.hostname}" has no SSH credentials`);
-      }
-      return new remote.Command(
-        name,
-        {
-          connection: getServerConnection(args2.host.ssh),
-          create: createCommand(args2.create),
-          update: args2.update ? createCommand(args2.update) : void 0,
-          delete: args2.delete ? createCommand(args2.delete) : void 0,
-          logging: args2.logging,
-          triggers: args2.triggers
-        },
-        { ...opts, parent: this }
-      );
+    const environment = applyUpdateTriggers(
+      args.environment,
+      args.updateTriggers
+    );
+    const command = args.host === "local" ? new local.Command(
+      name,
+      {
+        create: output(args.create).apply(createCommand),
+        update: args.update ? output(args.update).apply(createCommand) : void 0,
+        delete: args.delete ? output(args.delete).apply(createCommand) : void 0,
+        logging: args.logging,
+        triggers: args.triggers ? output(args.triggers).apply(flat) : void 0,
+        dir: args.cwd ?? homedir(),
+        environment,
+        stdin: args.stdin
+      },
+      { ...opts, parent: this }
+    ) : new remote.Command(
+      name,
+      {
+        connection: output(args.host).apply((server) => {
+          if (!server.ssh) {
+            throw new Error(`The server "${server.hostname}" has no SSH credentials`);
+          }
+          return getServerConnection(server.ssh);
+        }),
+        create: output(args.create).apply(createCommand).apply(wrapWithWorkDir(args.cwd)).apply(wrapWithEnvironment(environment)),
+        update: args.update ? output(args.update).apply(createCommand).apply(wrapWithWorkDir(args.cwd)).apply(wrapWithEnvironment(environment)) : void 0,
+        delete: args.delete ? output(args.delete).apply(createCommand).apply(wrapWithWorkDir(args.cwd)).apply(wrapWithEnvironment(environment)) : void 0,
+        logging: args.logging,
+        triggers: args.triggers ? output(args.triggers).apply(flat) : void 0,
+        stdin: args.stdin,
+        addPreviousOutputInEnv: false
+        // TODO: does not work if server do not define AcceptEnv
+        // environment,
+      },
+      { ...opts, parent: this }
+    );
+    this.stdout = command.stdout;
+    this.stderr = command.stderr;
+    this.registerOutputs({
+      stdout: this.stdout,
+      stderr: this.stderr
     });
-    this.stdout = this.command.stdout;
-    this.stderr = this.command.stderr;
   }
+  /**
+   * Waits for the command to complete and returns its output.
+   * The standard output will be returned.
+   */
+  async wait() {
+    return await toPromise(this.stdout);
+  }
+  /**
+   * Creates a command that writes the given content to a file on the host.
+   * The file will be created if it does not exist, and overwritten if it does.
+   *
+   * Use for small text files like configuration files.
+   */
   static createTextFile(name, options, opts) {
-    return output(options).apply((options2) => {
-      const escapedContent = options2.content.replace(/"/g, '\\"');
-      const command = new _Command(
-        name,
-        {
-          host: options2.host,
-          create: interpolate`mkdir -p $(dirname ${options2.path}) && echo "${escapedContent}" > ${options2.path}`,
-          delete: interpolate`rm -rf ${options2.path}`
-        },
-        opts
-      );
-      return command;
-    });
+    return new _Command(
+      name,
+      {
+        host: options.host,
+        create: interpolate`mkdir -p $(dirname "${options.path}") && cat > ${options.path}`,
+        delete: interpolate`rm -rf ${options.path}`,
+        stdin: options.content
+      },
+      opts
+    );
   }
+  /**
+   * Creates a command that waits for a file to be created and then reads its content.
+   * This is useful for waiting for a file to be generated by another process.
+   *
+   * Use for small text files like configuration files.
+   */
   static receiveTextFile(name, options, opts) {
-    return output(options).apply((options2) => {
-      const command = new _Command(
-        name,
-        {
-          host: options2.host,
-          create: interpolate`while ! test -f ${options2.path}; do sleep 1; done; cat ${options2.path}`,
-          logging: "stderr"
-        },
-        opts
+    return new _Command(
+      name,
+      {
+        host: options.host,
+        create: interpolate`while ! test -f "${options.path}"; do sleep 1; done; cat "${options.path}"`,
+        logging: "stderr"
+      },
+      opts
+    );
+  }
+  /**
+   * Creates a command that waits for a condition to be met.
+   * The command will run until the condition is met or the timeout is reached.
+   *
+   * The condition is considered met if the command returns a zero exit code.
+   *
+   * @param name The name of the command resource.
+   * @param args The arguments for the command, including the condition to check.
+   * @param opts Optional resource options.
+   */
+  static waitFor(name, args, opts) {
+    return new _Command(
+      name,
+      {
+        ...args,
+        create: output(args.create).apply(wrapWithWaitFor(args.timeout, args.interval)),
+        update: args.update ? output(args.update).apply(wrapWithWaitFor(args.timeout, args.interval)) : void 0,
+        delete: args.delete ? output(args.delete).apply(wrapWithWaitFor(args.timeout, args.interval)) : void 0
+      },
+      opts
+    );
+  }
+};
+var ImplementationMediator = class {
+  constructor(path, inputSchema, outputSchema) {
+    this.path = path;
+    this.inputSchema = inputSchema;
+    this.outputSchema = outputSchema;
+  }
+  implement(dataSchema, func) {
+    return async (input, data) => {
+      const parsedInput = this.inputSchema.safeParse(input);
+      if (!parsedInput.success) {
+        throw new Error(
+          `Invalid input for implementation "${this.path}": ${parsedInput.error.message}`
+        );
+      }
+      const parsedData = dataSchema.safeParse(data);
+      if (!parsedData.success) {
+        throw new Error(
+          `Invalid data for implementation "${this.path}": ${parsedData.error.message}`
+        );
+      }
+      const result = await func(parsedInput.data, parsedData.data);
+      const parsedResult = this.outputSchema.safeParse(result);
+      if (!parsedResult.success) {
+        throw new Error(
+          `Invalid output from implementation "${this.path}": ${parsedResult.error.message}`
+        );
+      }
+      return parsedResult.data;
+    };
+  }
+  async call(implRef, input) {
+    const resolvedImplRef = await toPromise(implRef);
+    const resolvedInput = await toPromise(input);
+    const importPath = `${resolvedImplRef.package}/impl/${this.path}`;
+    let impl;
+    try {
+      impl = await import(importPath);
+    } catch (error) {
+      throw new Error(`Failed to import module "${importPath}" required by implementation.`, {
+        cause: error
+      });
+    }
+    const funcs = Object.entries(impl).filter((value) => typeof value[1] === "function");
+    if (funcs.length === 0) {
+      throw new Error(`No implementation functions found in module "${importPath}".`);
+    }
+    if (funcs.length > 1) {
+      throw new Error(
+        `Multiple implementation functions found in module "${importPath}": ${funcs.map((func) => func[0]).join(", ")}. Ensure only one function is exported.`
       );
-      return command;
-    });
+    }
+    const [funcName, implFunc] = funcs[0];
+    let result;
+    try {
+      result = await implFunc(resolvedInput, resolvedImplRef.data);
+    } catch (error) {
+      console.error(`Error in implementation function "${funcName}":`, error);
+      throw new Error(`Implementation function "${funcName}" failed`);
+    }
+    const parsedResult = this.outputSchema.safeParse(result);
+    if (!parsedResult.success) {
+      throw new Error(
+        `Implementation function "${funcName}" returned invalid result: ${parsedResult.error.message}`
+      );
+    }
+    return parsedResult.data;
+  }
+  callOutput(implRef, input) {
+    return output(this.call(implRef, input));
   }
 };
+var dnsRecordMediator = new ImplementationMediator(
+  "dns-record",
+  z.object({ name: z.string(), args: z.custom() }),
+  z.instanceof(ComponentResource)
+);
 function getTypeByEndpoint(endpoint) {
   switch (endpoint.type) {
     case "ipv4":
@@ -302,53 +462,73 @@ var DnsRecord = class extends ComponentResource {
    */
   dnsRecord;
   /**
-   * The wait commands to be executed after the DNS record is created/updated.
+   * The commands to be executed after the DNS record is created/updated.
    *
-   * Use this field as a dependency for other resources.
+   * These commands will wait for the DNS record to be resolved to the specified value.
    */
   waitCommands;
   constructor(name, args, opts) {
     super("highstate:common:DnsRecord", name, args, opts);
-    this.dnsRecord = output(args).apply((args2) => {
-      const l3Endpoint = parseL3Endpoint(args2.value);
-      const type = args2.type ?? getTypeByEndpoint(l3Endpoint);
-      return output(
-        this.create(
-          name,
-          {
-            ...args2,
-            type,
-            value: l3EndpointToString(l3Endpoint)
-          },
-          { ...opts, parent: this }
-        )
-      );
+    const l3Endpoint = output(args.value).apply((value) => parseL3Endpoint(value));
+    const resolvedValue = l3Endpoint.apply(l3EndpointToString);
+    const resolvedType = args.type ? output(args.type) : l3Endpoint.apply(getTypeByEndpoint);
+    this.dnsRecord = output(args.provider).apply((provider) => {
+      return dnsRecordMediator.call(provider.implRef, {
+        name,
+        args: {
+          name: args.name,
+          priority: args.priority,
+          ttl: args.ttl,
+          value: resolvedValue,
+          type: resolvedType
+        }
+      });
     });
-    this.waitCommands = output(args).apply((args2) => {
-      const waitAt = args2.waitAt ? Array.isArray(args2.waitAt) ? args2.waitAt : [args2.waitAt] : [];
-      return waitAt.map((host) => {
+    this.waitCommands = output({
+      waitAt: args.waitAt,
+      resolvedType,
+      proxied: args.proxied
+    }).apply(({ waitAt, resolvedType: resolvedType2, proxied }) => {
+      if (resolvedType2 === "CNAME") {
+        return [];
+      }
+      const resolvedHosts = waitAt ? [waitAt].flat() : [];
+      if (proxied) {
+        return resolvedHosts.map((host) => {
+          const hostname = host === "local" ? "local" : host.hostname;
+          return new Command(
+            `${name}.wait-for-dns.${hostname}`,
+            {
+              host,
+              create: [
+                interpolate`while ! getent hosts "${args.name}";`,
+                interpolate`do echo "Waiting for DNS record \"${args.name}\" to be available...";`,
+                `sleep 5;`,
+                `done`
+              ]
+            },
+            { parent: this }
+          );
+        });
+      }
+      return resolvedHosts.map((host) => {
         const hostname = host === "local" ? "local" : host.hostname;
         return new Command(
-          `${name}-wait-${hostname}`,
+          `${name}.wait-for-dns.${hostname}`,
           {
             host,
-            create: `while ! getent hosts ${args2.name} >/dev/null; do echo "Waiting for DNS record ${args2.name} to be created"; sleep 5; done`,
-            triggers: [args2.type, args2.ttl, args2.priority, args2.proxied]
+            create: [
+              interpolate`while ! getent hosts "${args.name}" | grep "${resolvedValue}";`,
+              interpolate`do echo "Waiting for DNS record \"${args.name}" to resolve to "${resolvedValue}"...";`,
+              `sleep 5;`,
+              `done`
+            ]
           },
           { parent: this }
         );
       });
     });
   }
-  static create(name, args, opts) {
-    return output(args).apply(async (args2) => {
-      const providerType = args2.provider.type;
-      const implName = `${capitalize(providerType)}DnsRecord`;
-      const implModule = await import(`@highstate/${providerType}`);
-      const implClass = implModule[implName];
-      return new implClass(name, args2, opts);
-    });
-  }
 };
 var DnsRecordSet = class _DnsRecordSet extends ComponentResource {
   /**
@@ -356,34 +536,63 @@ var DnsRecordSet = class _DnsRecordSet extends ComponentResource {
    */
   dnsRecords;
   /**
-   * The wait commands to be executed after the DNS records are created/updated.
+   * The flat list of all wait commands for the DNS records.
    */
   waitCommands;
-  constructor(name, records, opts) {
-    super("highstate:common:DnsRecordSet", name, records, opts);
-    this.dnsRecords = records;
-    this.waitCommands = records.apply(
-      (records2) => records2.flatMap((record) => record.waitCommands)
-    );
-  }
-  static create(name, args, opts) {
-    const records = output(args).apply((args2) => {
-      const recordName = args2.name ?? name;
-      const values = normalize(args2.value, args2.values);
-      return output(
-        args2.providers.filter((provider) => recordName.endsWith(provider.domain)).flatMap((provider) => {
-          return values.map((value) => {
-            const l3Endpoint = parseL3Endpoint(value);
-            return DnsRecord.create(
-              `${provider.type}-from-${recordName}-to-${l3EndpointToString(l3Endpoint)}`,
-              { name: recordName, ...args2, value: l3Endpoint, provider },
-              opts
-            );
-          });
-        })
-      );
+  constructor(name, args, opts) {
+    super("highstate:common:DnsRecordSet", name, args, opts);
+    const matchedProviders = output({
+      providers: args.providers,
+      name: args.name ?? name
+    }).apply(({ providers }) => {
+      const matchedProviders2 = providers.filter((provider) => name.endsWith(provider.domain));
+      if (matchedProviders2.length === 0) {
+        throw new Error(`No DNS provider matched the domain "${name}"`);
+      }
+      return matchedProviders2;
     });
-    return new _DnsRecordSet(name, records, opts);
+    this.dnsRecords = normalizeInputsAndMap(args.value, args.values, (value) => {
+      return output({
+        name: args.name ?? name,
+        providers: matchedProviders
+      }).apply(({ name: name2, providers }) => {
+        return providers.flatMap((provider) => {
+          const l3Endpoint = parseL3Endpoint(value);
+          return new DnsRecord(
+            `${name2}.${provider.id}.${l3EndpointToString(l3Endpoint)}`,
+            {
+              name: name2,
+              provider,
+              value: l3Endpoint,
+              type: args.type ?? getTypeByEndpoint(l3Endpoint),
+              proxied: args.proxied,
+              ttl: args.ttl,
+              priority: args.priority,
+              waitAt: args.waitAt
+            },
+            { parent: this }
+          );
+        });
+      });
+    }).apply(flat);
+    this.waitCommands = this.dnsRecords.apply((records) => records.flatMap((record) => record.waitCommands)).apply(flat);
+  }
+  static dnsRecordSetCache = /* @__PURE__ */ new Map();
+  /**
+   * Creates a DNS record set for the specified endpoints and waits for it to be resolved.
+   *
+   * If a DNS record set with the same name already exists, it will be reused.
+   *
+   * @param name The name of the DNS record set.
+   * @param args The arguments for the DNS record set.
+   * @param opts The options for the resource.
+   */
+  static createOnce(name, args, opts) {
+    return getOrCreate(
+      _DnsRecordSet.dnsRecordSetCache,
+      name,
+      () => new _DnsRecordSet(name, args, opts)
+    );
   }
 };
 async function updateEndpointsWithFqdn(endpoints, fqdn, fqdnEndpointFilter, patchMode, dnsProviders) {
@@ -395,7 +604,7 @@ async function updateEndpointsWithFqdn(endpoints, fqdn, fqdnEndpointFilter, patc
     };
   }
   const filteredEndpoints = filterEndpoints(resolvedEndpoints, fqdnEndpointFilter);
-  const dnsRecordSet = DnsRecordSet.create(fqdn, {
+  const dnsRecordSet = new DnsRecordSet(fqdn, {
     providers: dnsProviders,
     values: filteredEndpoints,
     waitAt: "local"
@@ -435,6 +644,16 @@ async function updateEndpointsWithFqdn(endpoints, fqdn, fqdnEndpointFilter, patc
 function generatePassword() {
   return secureMask.apply(randomBytes(32)).password;
 }
+function generateKey(format = "hex") {
+  const bytes = randomBytes(32);
+  if (format === "raw") {
+    return bytes;
+  }
+  if (format === "base64") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  return bytesToHex(bytes);
+}
 
 // assets/images.json
 var terminal_ssh = {
@@ -442,63 +661,48 @@ var terminal_ssh = {
 };
 
 // src/shared/ssh.ts
-function createSshTerminal(credentials) {
-  return output(credentials).apply((credentials2) => {
-    if (!credentials2) {
-      return void 0;
-    }
-    const command = ["ssh", "-tt", "-o", "UserKnownHostsFile=/known_hosts"];
-    const endpoint = credentials2.endpoints[0];
-    command.push("-p", endpoint.port.toString());
-    if (credentials2.keyPair) {
-      command.push("-i", "/private_key");
-    }
-    command.push(`${credentials2.user}@${l3EndpointToString(endpoint)}`);
-    if (credentials2.password) {
-      command.unshift("sshpass", "-f", "/password");
+async function createSshTerminal(credentials) {
+  const resolvedCredentials = await toPromise(credentials);
+  const command = ["ssh", "-tt", "-o", "UserKnownHostsFile=/known_hosts"];
+  const endpoint = resolvedCredentials.endpoints[0];
+  command.push("-p", endpoint.port.toString());
+  if (resolvedCredentials.keyPair) {
+    command.push("-i", "/private_key");
+  }
+  command.push(`${resolvedCredentials.user}@${l3EndpointToString(endpoint)}`);
+  if (resolvedCredentials.password) {
+    command.unshift("sshpass", "-f", "/password");
+  }
+  return output({
+    name: "ssh",
+    meta: {
+      title: "Shell",
+      description: "Connect to the server via SSH.",
+      icon: "gg:remote"
+    },
+    spec: {
+      image: terminal_ssh.image,
+      command,
+      files: stripNullish({
+        "/password": resolvedCredentials.password ? fileFromString("password", resolvedCredentials.password, { isSecret: true }) : void 0,
+        "/private_key": resolvedCredentials.keyPair?.privateKey ? fileFromString("private_key", resolvedCredentials.keyPair.privateKey, {
+          isSecret: true,
+          mode: 384
+        }) : void 0,
+        "/known_hosts": fileFromString(
+          "known_hosts",
+          `${l3EndpointToString(endpoint)} ${resolvedCredentials.hostKey}`,
+          { mode: 420 }
+        )
+      })
     }
-    return {
-      name: "ssh",
-      meta: {
-        title: "Shell",
-        description: "Connect to the server via SSH",
-        icon: "gg:remote"
-      },
-      spec: {
-        image: terminal_ssh.image,
-        command,
-        files: {
-          "/password": credentials2.password,
-          "/private_key": credentials2.keyPair?.privateKey && {
-            content: {
-              type: "embedded",
-              value: credentials2.keyPair?.privateKey
-            },
-            meta: {
-              name: "private_key",
-              mode: 384
-            }
-          },
-          "/known_hosts": {
-            content: {
-              type: "embedded",
-              value: `${l3EndpointToString(endpoint)} ${credentials2.hostKey}`
-            },
-            meta: {
-              name: "known_hosts",
-              mode: 420
-            }
-          }
-        }
-      }
-    };
   });
 }
-function generatePrivateKey() {
+function generateSshPrivateKey() {
   const seed = randomBytes$1(32);
-  return getKeys(seed).privateKey;
+  return secret(getKeys(seed).privateKey);
 }
-function privateKeyToKeyPair(privateKeyString) {
+function sshPrivateKeyToKeyPair(privateKeyString) {
   return output(privateKeyString).apply((privateKeyString2) => {
     const privateKeyStruct = PrivateExport.decode(privateKeyString2);
     const privKey = privateKeyStruct.keys[0].privKey.privKey;
@@ -511,60 +715,88 @@ function privateKeyToKeyPair(privateKeyString) {
     });
   });
 }
-function getOrCreateSshKeyPair(inputs, secrets) {
-  if (inputs.sshKeyPair) {
-    return output(inputs.sshKeyPair);
-  }
-  const privateKey = getOrCreateSecret(secrets, "sshPrivateKey", generatePrivateKey);
-  return privateKey.apply(privateKeyToKeyPair);
+async function createServerBundle(options) {
+  const server = await createServerEntity(options);
+  const ssh = await toPromise(server.ssh);
+  return {
+    server,
+    terminal: ssh ? await createSshTerminal(ssh) : void 0
+  };
 }
-function createServerEntity(fallbackHostname, endpoint, sshPort = 22, sshUser = "root", sshPassword, sshPrivateKey, hasSsh = true) {
+async function createServerEntity({
+  name,
+  fallbackHostname,
+  endpoints,
+  sshArgs = { enabled: true, port: 22, user: "root" },
+  sshPassword,
+  sshPrivateKey,
+  sshKeyPair,
+  pingInterval,
+  pingTimeout,
+  waitForPing,
+  waitForSsh,
+  sshCheckInterval,
+  sshCheckTimeout
+}) {
+  if (endpoints.length === 0) {
+    throw new Error("At least one L3 endpoint is required to create a server entity");
+  }
+  fallbackHostname ??= name;
+  waitForSsh ??= sshArgs.enabled;
+  waitForPing ??= !waitForSsh;
+  if (waitForPing) {
+    await Command.waitFor(`${name}.ping`, {
+      host: "local",
+      create: `ping -c 1 ${l3EndpointToString(endpoints[0])}`,
+      timeout: pingTimeout ?? 300,
+      interval: pingInterval ?? 5,
+      triggers: [Date.now()]
+    }).wait();
+  }
+  if (!sshArgs.enabled) {
+    return output({
+      hostname: name,
+      endpoints
+    });
+  }
+  const sshHost = sshArgs?.host ?? l3EndpointToString(endpoints[0]);
+  if (waitForSsh) {
+    await Command.waitFor(`${name}.ssh`, {
+      host: "local",
+      create: `nc -zv ${sshHost} ${sshArgs.port}`,
+      timeout: sshCheckTimeout ?? 300,
+      interval: sshCheckInterval ?? 5,
+      triggers: [Date.now()]
+    }).wait();
+  }
   const connection = output({
-    host: l3EndpointToString(endpoint),
-    port: sshPort,
-    user: sshUser,
+    host: sshHost,
+    port: sshArgs.port,
+    user: sshArgs.user,
     password: sshPassword,
-    privateKey: sshPrivateKey,
+    privateKey: sshKeyPair ? output(sshKeyPair).privateKey : sshPrivateKey,
     dialErrorLimit: 3
   });
-  if (!hasSsh) {
-    return output({
-      hostname: fallbackHostname,
-      endpoints: [endpoint]
-    });
-  }
-  const command = new local.Command("check-ssh", {
-    create: `nc -zv ${l3EndpointToString(endpoint)} ${sshPort} && echo "up" || echo "down"`,
+  const hostnameResult = new remote.Command("hostname", {
+    connection,
+    create: "hostname",
     triggers: [Date.now()]
   });
-  return command.stdout.apply((result) => {
-    if (result === "down") {
-      return output({
-        hostname: fallbackHostname,
-        endpoints: [endpoint]
-      });
+  const hostKeyResult = new remote.Command("host-key", {
+    connection,
+    create: "cat /etc/ssh/ssh_host_ed25519_key.pub",
+    triggers: [Date.now()]
+  });
+  return output({
+    endpoints,
+    hostname: hostnameResult.stdout.apply((x) => x.trim()),
+    ssh: {
+      endpoints: [l3EndpointToL4(sshHost, sshArgs.port ?? 22)],
+      user: sshArgs.user ?? "root",
+      hostKey: hostKeyResult.stdout.apply((x) => x.trim()),
+      password: connection.password,
+      keyPair: sshKeyPair ? sshKeyPair : sshPrivateKey ? sshPrivateKeyToKeyPair(sshPrivateKey) : void 0
     }
-    const hostnameResult = new remote.Command("hostname", {
-      connection,
-      create: "hostname",
-      triggers: [Date.now()]
-    });
-    const hostKeyResult = new remote.Command("host-key", {
-      connection,
-      create: "cat /etc/ssh/ssh_host_ed25519_key.pub",
-      triggers: [Date.now()]
-    });
-    return output({
-      endpoints: [endpoint],
-      hostname: hostnameResult.stdout.apply((x) => x.trim()),
-      ssh: {
-        endpoints: [l3ToL4Endpoint(endpoint, sshPort)],
-        user: sshUser,
-        hostKey: hostKeyResult.stdout.apply((x) => x.trim()),
-        password: sshPassword,
-        keyPair: sshPrivateKey ? privateKeyToKeyPair(sshPrivateKey) : void 0
-      }
-    });
   });
 }
 function assetFromFile(file) {
@@ -579,7 +811,7 @@ function assetFromFile(file) {
       "Artifact-based files cannot be converted to Pulumi assets directly. Use MaterializedFile instead."
     );
   }
-  if (file.meta.isBinary) {
+  if (file.content.isBinary) {
     throw new Error(
       "Cannot create asset from inline binary file content. Please open an issue if you need this feature."
     );
@@ -646,11 +878,14 @@ var MaterializedFile = class _MaterializedFile {
   constructor(entity, parent) {
     this.entity = entity;
     this.parent = parent;
+    this.artifactMeta = {
+      title: `Materialized file "${entity.meta.name}"`
+    };
   }
   _tmpPath;
   _path;
   _disposed = false;
-  artifactMeta = {};
+  artifactMeta;
   get path() {
     return this._path;
   }
@@ -664,7 +899,7 @@ var MaterializedFile = class _MaterializedFile {
     }
     switch (this.entity.content.type) {
       case "embedded": {
-        const content = this.entity.meta.isBinary ? Buffer.from(this.entity.content.value, "base64") : this.entity.content.value;
+        const content = this.entity.content.isBinary ? Buffer.from(this.entity.content.value, "base64") : this.entity.content.value;
         await writeFile(this._path, content, { mode: this.entity.meta.mode });
         break;
       }
@@ -673,21 +908,20 @@ var MaterializedFile = class _MaterializedFile {
         break;
       }
       case "remote": {
-        const response = await load(l7EndpointToString(this.entity.content.endpoint));
+        const response = await fetch(l7EndpointToString(this.entity.content.endpoint));
         if (!response.ok) throw new Error(`Failed to fetch: ${response.statusText}`);
         const arrayBuffer = await response.arrayBuffer();
         await writeFile(this._path, Buffer.from(arrayBuffer), { mode: this.entity.meta.mode });
         break;
       }
       case "artifact": {
-        const artifactData = this.entity.content[HighstateSignature.Artifact];
         const artifactPath = process.env.HIGHSTATE_ARTIFACT_READ_PATH;
         if (!artifactPath) {
           throw new Error(
             "HIGHSTATE_ARTIFACT_READ_PATH environment variable is not set but required for artifact content"
           );
         }
-        const tgzPath = join(artifactPath, `${artifactData.hash}.tgz`);
+        const tgzPath = join(artifactPath, `${this.entity.content.hash}.tgz`);
         const readStream = createReadStream(tgzPath);
         await unarchiveFromStream(readStream, dirname(this._path), "tar");
         break;
@@ -743,18 +977,15 @@ var MaterializedFile = class _MaterializedFile {
         name: this.entity.meta.name,
         mode: fileStats.mode & 511,
         // extract only permission bits
-        size: fileStats.size,
-        isBinary: this.entity.meta.isBinary
-        // keep original binary flag as we can't reliably detect this from filesystem
+        size: fileStats.size
       };
       return {
         meta: newMeta,
         content: {
           type: "artifact",
-          [HighstateSignature.Artifact]: {
-            hash: hashValue,
-            meta: await toPromise(this.artifactMeta)
-          }
+          [HighstateSignature.Artifact]: true,
+          hash: hashValue,
+          meta: await toPromise(this.artifactMeta)
         }
       };
     } finally {
@@ -777,8 +1008,7 @@ var MaterializedFile = class _MaterializedFile {
       meta: {
         name,
         mode,
-        size: 0,
-        isBinary: false
+        size: 0
       },
       content: {
         type: "embedded",
@@ -809,12 +1039,15 @@ var MaterializedFolder = class _MaterializedFolder {
   constructor(entity, parent) {
     this.entity = entity;
     this.parent = parent;
+    this.artifactMeta = {
+      title: `Materialized folder "${entity.meta.name}"`
+    };
   }
   _tmpPath;
   _path;
   _disposed = false;
   _disposables = [];
-  artifactMeta = {};
+  artifactMeta;
   get path() {
     return this._path;
   }
@@ -853,7 +1086,7 @@ var MaterializedFolder = class _MaterializedFolder {
         break;
       }
       case "remote": {
-        const response = await load(l7EndpointToString(this.entity.content.endpoint));
+        const response = await fetch(l7EndpointToString(this.entity.content.endpoint));
         if (!response.ok) throw new Error(`Failed to fetch: ${response.statusText}`);
         if (!response.body) throw new Error("Response body is empty");
         const url = new URL(l7EndpointToString(this.entity.content.endpoint));
@@ -886,14 +1119,13 @@ var MaterializedFolder = class _MaterializedFolder {
         break;
       }
       case "artifact": {
-        const artifactData = this.entity.content[HighstateSignature.Artifact];
         const artifactPath = process.env.HIGHSTATE_ARTIFACT_READ_PATH;
         if (!artifactPath) {
           throw new Error(
             "HIGHSTATE_ARTIFACT_READ_PATH environment variable is not set but required for artifact content"
           );
         }
-        const tgzPath = join(artifactPath, `${artifactData.hash}.tgz`);
+        const tgzPath = join(artifactPath, `${this.entity.content.hash}.tgz`);
         const readStream = createReadStream(tgzPath);
         await unarchiveFromStream(readStream, dirname(this._path), "tar");
         break;
@@ -972,11 +1204,10 @@ var MaterializedFolder = class _MaterializedFolder {
       return {
         meta: newMeta,
         content: {
+          [HighstateSignature.Artifact]: true,
           type: "artifact",
-          [HighstateSignature.Artifact]: {
-            hash: hashValue,
-            meta: await toPromise(this.artifactMeta)
-          }
+          hash: hashValue,
+          meta: await toPromise(this.artifactMeta)
         }
       };
     } finally {
@@ -1033,7 +1264,7 @@ async function fetchFileSize(endpoint) {
     );
   }
   const url = l7EndpointToString(endpoint);
-  const response = await load(url, { method: "HEAD" });
+  const response = await fetch(url, { method: "HEAD" });
   if (!response.ok) {
     throw new Error(`Failed to fetch file size: ${response.statusText}`);
   }
@@ -1042,7 +1273,7 @@ async function fetchFileSize(endpoint) {
     throw new Error("Content-Length header is missing in the response");
   }
   const size = parseInt(contentLength, 10);
-  if (isNaN(size)) {
+  if (Number.isNaN(size)) {
     throw new Error(`Invalid Content-Length value: ${contentLength}`);
   }
   return size;
@@ -1051,7 +1282,168 @@ function getNameByEndpoint(endpoint) {
   const parsedEndpoint = parseL7Endpoint(endpoint);
   return parsedEndpoint.resource ? basename(parsedEndpoint.resource) : "";
 }
+var gatewayRouteMediator = new ImplementationMediator(
+  "gateway-route",
+  z.object({
+    name: z.string(),
+    spec: z.custom(),
+    opts: z.custom().optional()
+  }),
+  z.object({
+    resource: z.instanceof(Resource),
+    endpoints: network.l3EndpointEntity.schema.array()
+  })
+);
+var GatewayRoute = class extends ComponentResource {
+  /**
+   * The underlying resource created by the implementation.
+   */
+  resource;
+  /**
+   * The endpoints of the gateway which serve this route.
+   *
+   * In most cases, this will be a single endpoint of the gateway shared for all routes.
+   */
+  endpoints;
+  constructor(name, args, opts) {
+    super("highstate:common:GatewayRoute", name, args, opts);
+    const { resource, endpoints } = gatewayRouteMediator.callOutput(output(args.gateway).implRef, {
+      name,
+      spec: args,
+      opts: { ...opts, parent: this }
+    });
+    this.resource = resource;
+    this.endpoints = endpoints;
+  }
+};
+var tlsCertificateMediator = new ImplementationMediator(
+  "tls-certificate",
+  z.object({
+    name: z.string(),
+    spec: z.custom(),
+    opts: z.custom().optional()
+  }),
+  z.instanceof(Resource)
+);
+var TlsCertificate = class _TlsCertificate extends ComponentResource {
+  /**
+   * The underlying resource created by the implementation.
+   */
+  resource;
+  constructor(name, args, opts) {
+    super("highstate:common:TlsCertificate", name, args, opts);
+    const issuers = normalizeInputs(args.issuer, args.issuers);
+    this.resource = output({
+      issuers,
+      commonName: args.commonName,
+      dnsNames: args.dnsNames
+    }).apply(async ({ issuers: issuers2, commonName, dnsNames }) => {
+      const matchedIssuer = issuers2.find((issuer) => {
+        if (commonName && !commonName.endsWith(issuer.domain)) {
+          return false;
+        }
+        if (dnsNames && !dnsNames.every((name2) => name2.endsWith(issuer.domain))) {
+          return false;
+        }
+        return true;
+      });
+      if (!matchedIssuer) {
+        throw new Error(
+          `No TLS issuer matched the common name "${commonName}" and DNS names "${dnsNames?.join(", ") ?? ""}"`
+        );
+      }
+      return await tlsCertificateMediator.call(matchedIssuer.implRef, {
+        name,
+        spec: args
+      });
+    });
+  }
+  static tlsCertificateCache = /* @__PURE__ */ new Map();
+  /**
+   * Creates a TLS certificate for the specified common name and DNS names.
+   *
+   * If a TLS certificate with the same name already exists, it will be reused.
+   *
+   * @param name The name of the TLS certificate.
+   * @param args The arguments for the TLS certificate.
+   * @param opts The options for the resource.
+   */
+  static createOnce(name, args, opts) {
+    return getOrCreate(
+      _TlsCertificate.tlsCertificateCache,
+      name,
+      () => new _TlsCertificate(name, args, opts)
+    );
+  }
+};
+var AccessPointRoute = class extends ComponentResource {
+  /**
+   * The created gateway route.
+   */
+  route;
+  /**
+   * The DNS record set created for the route.
+   *
+   * May be shared between multiple routes with the same FQDN.
+   */
+  dnsRecordSet;
+  /**
+   * The TLS certificate created for the route.
+   *
+   * May be shared between multiple routes with the same FQDN.
+   */
+  tlsCertificate;
+  constructor(name, args, opts) {
+    super("highstate:common:AccessPointRoute", name, args, opts);
+    if (args.fqdn && args.type === "http" && !args.insecure) {
+      this.tlsCertificate = output(args.accessPoint).apply((accessPoint) => {
+        if (accessPoint.tlsIssuers.length === 0) {
+          return void 0;
+        }
+        return TlsCertificate.createOnce(
+          name,
+          {
+            issuers: accessPoint.tlsIssuers,
+            dnsNames: args.fqdn ? [args.fqdn] : [],
+            nativeData: args.tlsCertificateNativeData
+          },
+          { ...opts, parent: this }
+        );
+      });
+    }
+    this.route = new GatewayRoute(
+      name,
+      {
+        ...args,
+        gateway: output(args.accessPoint).gateway,
+        tlsCertificate: this.tlsCertificate,
+        nativeData: args.gatewayNativeData
+      },
+      { ...opts, parent: this }
+    );
+    if (args.fqdn) {
+      this.dnsRecordSet = output(args.accessPoint).apply(async (accessPoint) => {
+        if (accessPoint.dnsProviders.length === 0) {
+          return void 0;
+        }
+        const fqdn = await toPromise(args.fqdn);
+        if (!fqdn) {
+          return void 0;
+        }
+        return DnsRecordSet.createOnce(
+          fqdn,
+          {
+            providers: output(args.accessPoint).dnsProviders,
+            values: this.route.endpoints,
+            waitAt: "local"
+          },
+          { ...opts, parent: this }
+        );
+      });
+    }
+  }
+};
 
-export { Command, DnsRecord, DnsRecordSet, MaterializedFile, MaterializedFolder, archiveFromFolder, assetFromFile, createServerEntity, createSshTerminal, fetchFileSize, filterEndpoints, generatePassword, generatePrivateKey, getNameByEndpoint, getOrCreateSshKeyPair, getServerConnection, l34EndpointToString, l3EndpointToCidr, l3EndpointToString, l3ToL4Endpoint, l4EndpointToString, l4EndpointWithProtocolToString, l7EndpointToString, parseL34Endpoint, parseL3Endpoint, parseL4Endpoint, parseL7Endpoint, privateKeyToKeyPair, requireInputL3Endpoint, requireInputL4Endpoint, updateEndpoints, updateEndpointsWithFqdn };
-//# sourceMappingURL=chunk-HZBJ6LLS.js.map
-//# sourceMappingURL=chunk-HZBJ6LLS.js.map
+export { AccessPointRoute, Command, DnsRecord, DnsRecordSet, GatewayRoute, ImplementationMediator, MaterializedFile, MaterializedFolder, TlsCertificate, archiveFromFolder, assetFromFile, createServerBundle, createServerEntity, createSshTerminal, dnsRecordMediator, fetchFileSize, filterEndpoints, gatewayRouteMediator, generateKey, generatePassword, generateSshPrivateKey, getNameByEndpoint, getServerConnection, l34EndpointToString, l3EndpointToCidr, l3EndpointToL4, l3EndpointToString, l4EndpointToString, l4EndpointWithProtocolToString, l7EndpointToString, parseEndpoints, parseL34Endpoint, parseL3Endpoint, parseL4Endpoint, parseL7Endpoint, requireInputL3Endpoint, requireInputL4Endpoint, sshPrivateKeyToKeyPair, tlsCertificateMediator, updateEndpoints, updateEndpointsWithFqdn };
+//# sourceMappingURL=chunk-WDYIUWYZ.js.map
+//# sourceMappingURL=chunk-WDYIUWYZ.js.map