@highstate/common 0.9.18 → 0.9.20

package/dist/{chunk-YYNV3MVT.js → chunk-WDYIUWYZ.js}

@@ -1,22 +1,23 @@
-import { toPromise, output, ComponentResource, interpolate, normalize, secret, ensureSecretValue, asset } from '@highstate/pulumi';
-import { uniqueBy, flat, capitalize, groupBy } from 'remeda';
+import { ComponentResource, Resource, toPromise, output, interpolate, normalizeInputsAndMap, fileFromString, secret, asset, normalizeInputs } from '@highstate/pulumi';
+import { uniqueBy, flat, groupBy } from 'remeda';
 import { homedir, tmpdir } from 'node:os';
 import { local, remote } from '@pulumi/command';
-import '@highstate/library';
+import { sha256 } from '@noble/hashes/sha2';
+import { z, getOrCreate, stripNullish, HighstateSignature } from '@highstate/contract';
 import { randomBytes, bytesToHex } from '@noble/hashes/utils';
 import { secureMask } from 'micro-key-producer/password.js';
 import getKeys, { PrivateExport } from 'micro-key-producer/ssh.js';
 import { randomBytes as randomBytes$1 } from 'micro-key-producer/utils.js';
+import { createHash } from 'node:crypto';
+import { createReadStream } from 'node:fs';
 import { mkdtemp, writeFile, cp, rm, stat, rename, mkdir } from 'node:fs/promises';
 import { join, dirname, basename, extname } from 'node:path';
-import { createReadStream } from 'node:fs';
-import { pipeline } from 'node:stream/promises';
 import { Readable } from 'node:stream';
-import { createHash } from 'node:crypto';
+import { pipeline } from 'node:stream/promises';
 import { minimatch } from 'minimatch';
-import { HighstateSignature } from '@highstate/contract';
 import * as tar from 'tar';
 import unzipper from 'unzipper';
+import { network } from '@highstate/library';
 
 // src/shared/network.ts
 function l3EndpointToString(l3Endpoint) {
@@ -138,7 +139,7 @@ function filterEndpoints(endpoints, filter, types) {
   } else if (endpoints.some((endpoint) => endpoint.visibility === "external")) {
     endpoints = endpoints.filter((endpoint) => endpoint.visibility === "external");
   }
-  if (types && types.length) {
+  if (types?.length) {
     endpoints = endpoints.filter((endpoint) => types.includes(endpoint.type));
   }
   return endpoints;
@@ -184,30 +185,31 @@ function parseL7Endpoint(l7Endpoint) {
 }
 async function updateEndpoints(currentEndpoints, endpoints, inputEndpoints, mode = "prepend") {
   const resolvedCurrentEndpoints = await toPromise(currentEndpoints);
-  const resolvedInputEndpoints = await toPromise(inputEndpoints);
-  const newEndpoints = uniqueBy(
-    //
-    [...endpoints.map(parseL34Endpoint), ...resolvedInputEndpoints],
-    (endpoint) => l34EndpointToString(endpoint)
-  );
+  const newEndpoints = await parseEndpoints(endpoints, inputEndpoints);
   if (mode === "replace") {
     return newEndpoints;
   }
   return uniqueBy(
-    //
     [...newEndpoints, ...resolvedCurrentEndpoints],
-    (endpoint) => l34EndpointToString(endpoint)
+    l34EndpointToString
   );
 }
-function getServerConnection(ssh2) {
-  return output(ssh2).apply((ssh3) => ({
-    host: l3EndpointToString(ssh3.endpoints[0]),
-    port: ssh3.endpoints[0].port,
-    user: ssh3.user,
-    password: ssh3.password,
-    privateKey: ssh3.keyPair?.privateKey,
+async function parseEndpoints(endpoints, inputEndpoints) {
+  const resolvedInputEndpoints = await toPromise(inputEndpoints);
+  return uniqueBy(
+    [...endpoints?.map(parseL34Endpoint) ?? [], ...resolvedInputEndpoints ?? []],
+    l34EndpointToString
+  );
+}
+function getServerConnection(ssh) {
+  return output(ssh).apply((ssh2) => ({
+    host: l3EndpointToString(ssh2.endpoints[0]),
+    port: ssh2.endpoints[0].port,
+    user: ssh2.user,
+    password: ssh2.password,
+    privateKey: ssh2.keyPair?.privateKey,
     dialErrorLimit: 3,
-    hostKey: ssh3.hostKey
+    hostKey: ssh2.hostKey
   }));
 }
 function createCommand(command) {
@@ -222,17 +224,46 @@ function wrapWithWorkDir(dir) {
   }
   return (command) => interpolate`cd "${dir}" && ${command}`;
 }
+function wrapWithEnvironment(environment) {
+  if (!environment) {
+    return (command) => output(command);
+  }
+  return (command) => output({ command, environment }).apply(({ command: command2, environment: environment2 }) => {
+    if (!environment2 || Object.keys(environment2).length === 0) {
+      return command2;
+    }
+    const envExport = Object.entries(environment2).map(([key, value]) => `export ${key}="${value}"`).join(" && ");
+    return `${envExport} && ${command2}`;
+  });
+}
 function wrapWithWaitFor(timeout = 300, interval = 5) {
   return (command) => (
     // TOD: escape the command
     interpolate`timeout ${timeout} bash -c 'while ! ${createCommand(command)}; do sleep ${interval}; done'`
   );
 }
+function applyUpdateTriggers(env, triggers) {
+  return output({ env, triggers }).apply(({ env: env2, triggers: triggers2 }) => {
+    if (!triggers2) {
+      return env2;
+    }
+    const hash = sha256(JSON.stringify(triggers2));
+    const hashHex = Buffer.from(hash).toString("hex");
+    return {
+      ...env2,
+      HIGHSTATE_UPDATE_TRIGGER_HASH: hashHex
+    };
+  });
+}
 var Command = class _Command extends ComponentResource {
   stdout;
   stderr;
   constructor(name, args, opts) {
     super("highstate:common:Command", name, args, opts);
+    const environment = applyUpdateTriggers(
+      args.environment,
+      args.updateTriggers
+    );
     const command = args.host === "local" ? new local.Command(
       name,
       {
@@ -242,7 +273,7 @@ var Command = class _Command extends ComponentResource {
         logging: args.logging,
         triggers: args.triggers ? output(args.triggers).apply(flat) : void 0,
         dir: args.cwd ?? homedir(),
-        environment: args.environment,
+        environment,
         stdin: args.stdin
       },
       { ...opts, parent: this }
@@ -250,26 +281,29 @@ var Command = class _Command extends ComponentResource {
       name,
       {
         connection: output(args.host).apply((server) => {
-          if ("host" in server) {
-            return output(server);
-          }
           if (!server.ssh) {
             throw new Error(`The server "${server.hostname}" has no SSH credentials`);
           }
           return getServerConnection(server.ssh);
         }),
-        create: output(args.create).apply(createCommand).apply(wrapWithWorkDir(args.cwd)),
-        update: args.update ? output(args.update).apply(createCommand).apply(wrapWithWorkDir(args.cwd)) : void 0,
-        delete: args.delete ? output(args.delete).apply(createCommand).apply(wrapWithWorkDir(args.cwd)) : void 0,
+        create: output(args.create).apply(createCommand).apply(wrapWithWorkDir(args.cwd)).apply(wrapWithEnvironment(environment)),
+        update: args.update ? output(args.update).apply(createCommand).apply(wrapWithWorkDir(args.cwd)).apply(wrapWithEnvironment(environment)) : void 0,
+        delete: args.delete ? output(args.delete).apply(createCommand).apply(wrapWithWorkDir(args.cwd)).apply(wrapWithEnvironment(environment)) : void 0,
         logging: args.logging,
         triggers: args.triggers ? output(args.triggers).apply(flat) : void 0,
         stdin: args.stdin,
-        environment: args.environment
+        addPreviousOutputInEnv: false
+        // TODO: does not work if server do not define AcceptEnv
+        // environment,
       },
       { ...opts, parent: this }
     );
     this.stdout = command.stdout;
     this.stderr = command.stderr;
+    this.registerOutputs({
+      stdout: this.stdout,
+      stderr: this.stderr
+    });
   }
   /**
    * Waits for the command to complete and returns its output.
@@ -336,6 +370,82 @@ var Command = class _Command extends ComponentResource {
     );
   }
 };
+var ImplementationMediator = class {
+  constructor(path, inputSchema, outputSchema) {
+    this.path = path;
+    this.inputSchema = inputSchema;
+    this.outputSchema = outputSchema;
+  }
+  implement(dataSchema, func) {
+    return async (input, data) => {
+      const parsedInput = this.inputSchema.safeParse(input);
+      if (!parsedInput.success) {
+        throw new Error(
+          `Invalid input for implementation "${this.path}": ${parsedInput.error.message}`
+        );
+      }
+      const parsedData = dataSchema.safeParse(data);
+      if (!parsedData.success) {
+        throw new Error(
+          `Invalid data for implementation "${this.path}": ${parsedData.error.message}`
+        );
+      }
+      const result = await func(parsedInput.data, parsedData.data);
+      const parsedResult = this.outputSchema.safeParse(result);
+      if (!parsedResult.success) {
+        throw new Error(
+          `Invalid output from implementation "${this.path}": ${parsedResult.error.message}`
+        );
+      }
+      return parsedResult.data;
+    };
+  }
+  async call(implRef, input) {
+    const resolvedImplRef = await toPromise(implRef);
+    const resolvedInput = await toPromise(input);
+    const importPath = `${resolvedImplRef.package}/impl/${this.path}`;
+    let impl;
+    try {
+      impl = await import(importPath);
+    } catch (error) {
+      throw new Error(`Failed to import module "${importPath}" required by implementation.`, {
+        cause: error
+      });
+    }
+    const funcs = Object.entries(impl).filter((value) => typeof value[1] === "function");
+    if (funcs.length === 0) {
+      throw new Error(`No implementation functions found in module "${importPath}".`);
+    }
+    if (funcs.length > 1) {
+      throw new Error(
+        `Multiple implementation functions found in module "${importPath}": ${funcs.map((func) => func[0]).join(", ")}. Ensure only one function is exported.`
+      );
+    }
+    const [funcName, implFunc] = funcs[0];
+    let result;
+    try {
+      result = await implFunc(resolvedInput, resolvedImplRef.data);
+    } catch (error) {
+      console.error(`Error in implementation function "${funcName}":`, error);
+      throw new Error(`Implementation function "${funcName}" failed`);
+    }
+    const parsedResult = this.outputSchema.safeParse(result);
+    if (!parsedResult.success) {
+      throw new Error(
+        `Implementation function "${funcName}" returned invalid result: ${parsedResult.error.message}`
+      );
+    }
+    return parsedResult.data;
+  }
+  callOutput(implRef, input) {
+    return output(this.call(implRef, input));
+  }
+};
+var dnsRecordMediator = new ImplementationMediator(
+  "dns-record",
+  z.object({ name: z.string(), args: z.custom() }),
+  z.instanceof(ComponentResource)
+);
 function getTypeByEndpoint(endpoint) {
   switch (endpoint.type) {
     case "ipv4":
@@ -352,53 +462,73 @@ var DnsRecord = class extends ComponentResource {
    */
   dnsRecord;
   /**
-   * The wait commands to be executed after the DNS record is created/updated.
+   * The commands to be executed after the DNS record is created/updated.
    *
-   * Use this field as a dependency for other resources.
+   * These commands will wait for the DNS record to be resolved to the specified value.
    */
   waitCommands;
   constructor(name, args, opts) {
     super("highstate:common:DnsRecord", name, args, opts);
-    this.dnsRecord = output(args).apply((args2) => {
-      const l3Endpoint = parseL3Endpoint(args2.value);
-      const type = args2.type ?? getTypeByEndpoint(l3Endpoint);
-      return output(
-        this.create(
-          name,
-          {
-            ...args2,
-            type,
-            value: l3EndpointToString(l3Endpoint)
-          },
-          { ...opts, parent: this }
-        )
-      );
+    const l3Endpoint = output(args.value).apply((value) => parseL3Endpoint(value));
+    const resolvedValue = l3Endpoint.apply(l3EndpointToString);
+    const resolvedType = args.type ? output(args.type) : l3Endpoint.apply(getTypeByEndpoint);
+    this.dnsRecord = output(args.provider).apply((provider) => {
+      return dnsRecordMediator.call(provider.implRef, {
+        name,
+        args: {
+          name: args.name,
+          priority: args.priority,
+          ttl: args.ttl,
+          value: resolvedValue,
+          type: resolvedType
+        }
+      });
     });
-    this.waitCommands = output(args).apply((args2) => {
-      const waitAt = args2.waitAt ? Array.isArray(args2.waitAt) ? args2.waitAt : [args2.waitAt] : [];
-      return waitAt.map((host) => {
+    this.waitCommands = output({
+      waitAt: args.waitAt,
+      resolvedType,
+      proxied: args.proxied
+    }).apply(({ waitAt, resolvedType: resolvedType2, proxied }) => {
+      if (resolvedType2 === "CNAME") {
+        return [];
+      }
+      const resolvedHosts = waitAt ? [waitAt].flat() : [];
+      if (proxied) {
+        return resolvedHosts.map((host) => {
+          const hostname = host === "local" ? "local" : host.hostname;
+          return new Command(
+            `${name}.wait-for-dns.${hostname}`,
+            {
+              host,
+              create: [
+                interpolate`while ! getent hosts "${args.name}";`,
+                interpolate`do echo "Waiting for DNS record \"${args.name}\" to be available...";`,
+                `sleep 5;`,
+                `done`
+              ]
+            },
+            { parent: this }
+          );
+        });
+      }
+      return resolvedHosts.map((host) => {
         const hostname = host === "local" ? "local" : host.hostname;
         return new Command(
-          `${name}-wait-${hostname}`,
+          `${name}.wait-for-dns.${hostname}`,
           {
             host,
-            create: `while ! getent hosts ${args2.name} >/dev/null; do echo "Waiting for DNS record ${args2.name} to be created"; sleep 5; done`,
-            triggers: [args2.type, args2.ttl, args2.priority, args2.proxied]
+            create: [
+              interpolate`while ! getent hosts "${args.name}" | grep "${resolvedValue}";`,
+              interpolate`do echo "Waiting for DNS record \"${args.name}" to resolve to "${resolvedValue}"...";`,
+              `sleep 5;`,
+              `done`
+            ]
           },
           { parent: this }
         );
       });
     });
   }
-  static create(name, args, opts) {
-    return output(args).apply(async (args2) => {
-      const providerType = args2.provider.type;
-      const implName = `${capitalize(providerType)}DnsRecord`;
-      const implModule = await import(`@highstate/${providerType}`);
-      const implClass = implModule[implName];
-      return new implClass(name, args2, opts);
-    });
-  }
 };
 var DnsRecordSet = class _DnsRecordSet extends ComponentResource {
   /**
@@ -406,34 +536,63 @@ var DnsRecordSet = class _DnsRecordSet extends ComponentResource {
    */
   dnsRecords;
   /**
-   * The wait commands to be executed after the DNS records are created/updated.
+   * The flat list of all wait commands for the DNS records.
    */
   waitCommands;
-  constructor(name, records, opts) {
-    super("highstate:common:DnsRecordSet", name, records, opts);
-    this.dnsRecords = records;
-    this.waitCommands = records.apply(
-      (records2) => records2.flatMap((record) => record.waitCommands)
-    );
-  }
-  static create(name, args, opts) {
-    const records = output(args).apply((args2) => {
-      const recordName = args2.name ?? name;
-      const values = normalize(args2.value, args2.values);
-      return output(
-        args2.providers.filter((provider) => recordName.endsWith(provider.domain)).flatMap((provider) => {
-          return values.map((value) => {
-            const l3Endpoint = parseL3Endpoint(value);
-            return DnsRecord.create(
-              `${provider.type}-from-${recordName}-to-${l3EndpointToString(l3Endpoint)}`,
-              { name: recordName, ...args2, value: l3Endpoint, provider },
-              opts
-            );
-          });
-        })
-      );
+  constructor(name, args, opts) {
+    super("highstate:common:DnsRecordSet", name, args, opts);
+    const matchedProviders = output({
+      providers: args.providers,
+      name: args.name ?? name
+    }).apply(({ providers }) => {
+      const matchedProviders2 = providers.filter((provider) => name.endsWith(provider.domain));
+      if (matchedProviders2.length === 0) {
+        throw new Error(`No DNS provider matched the domain "${name}"`);
+      }
+      return matchedProviders2;
     });
-    return new _DnsRecordSet(name, records, opts);
+    this.dnsRecords = normalizeInputsAndMap(args.value, args.values, (value) => {
+      return output({
+        name: args.name ?? name,
+        providers: matchedProviders
+      }).apply(({ name: name2, providers }) => {
+        return providers.flatMap((provider) => {
+          const l3Endpoint = parseL3Endpoint(value);
+          return new DnsRecord(
+            `${name2}.${provider.id}.${l3EndpointToString(l3Endpoint)}`,
+            {
+              name: name2,
+              provider,
+              value: l3Endpoint,
+              type: args.type ?? getTypeByEndpoint(l3Endpoint),
+              proxied: args.proxied,
+              ttl: args.ttl,
+              priority: args.priority,
+              waitAt: args.waitAt
+            },
+            { parent: this }
+          );
+        });
+      });
+    }).apply(flat);
+    this.waitCommands = this.dnsRecords.apply((records) => records.flatMap((record) => record.waitCommands)).apply(flat);
+  }
+  static dnsRecordSetCache = /* @__PURE__ */ new Map();
+  /**
+   * Creates a DNS record set for the specified endpoints and waits for it to be resolved.
+   *
+   * If a DNS record set with the same name already exists, it will be reused.
+   *
+   * @param name The name of the DNS record set.
+   * @param args The arguments for the DNS record set.
+   * @param opts The options for the resource.
+   */
+  static createOnce(name, args, opts) {
+    return getOrCreate(
+      _DnsRecordSet.dnsRecordSetCache,
+      name,
+      () => new _DnsRecordSet(name, args, opts)
+    );
   }
 };
 async function updateEndpointsWithFqdn(endpoints, fqdn, fqdnEndpointFilter, patchMode, dnsProviders) {
@@ -445,7 +604,7 @@ async function updateEndpointsWithFqdn(endpoints, fqdn, fqdnEndpointFilter, patc
     };
   }
   const filteredEndpoints = filterEndpoints(resolvedEndpoints, fqdnEndpointFilter);
-  const dnsRecordSet = DnsRecordSet.create(fqdn, {
+  const dnsRecordSet = new DnsRecordSet(fqdn, {
     providers: dnsProviders,
     values: filteredEndpoints,
     waitAt: "local"
@@ -502,61 +661,46 @@ var terminal_ssh = {
 };
 
 // src/shared/ssh.ts
-function createSshTerminal(credentials) {
-  return output(credentials).apply((credentials2) => {
-    if (!credentials2) {
-      return void 0;
-    }
-    const command = ["ssh", "-tt", "-o", "UserKnownHostsFile=/known_hosts"];
-    const endpoint = credentials2.endpoints[0];
-    command.push("-p", endpoint.port.toString());
-    if (credentials2.keyPair) {
-      command.push("-i", "/private_key");
-    }
-    command.push(`${credentials2.user}@${l3EndpointToString(endpoint)}`);
-    if (credentials2.password) {
-      command.unshift("sshpass", "-f", "/password");
+async function createSshTerminal(credentials) {
+  const resolvedCredentials = await toPromise(credentials);
+  const command = ["ssh", "-tt", "-o", "UserKnownHostsFile=/known_hosts"];
+  const endpoint = resolvedCredentials.endpoints[0];
+  command.push("-p", endpoint.port.toString());
+  if (resolvedCredentials.keyPair) {
+    command.push("-i", "/private_key");
+  }
+  command.push(`${resolvedCredentials.user}@${l3EndpointToString(endpoint)}`);
+  if (resolvedCredentials.password) {
+    command.unshift("sshpass", "-f", "/password");
+  }
+  return output({
+    name: "ssh",
+    meta: {
+      title: "Shell",
+      description: "Connect to the server via SSH.",
+      icon: "gg:remote"
+    },
+    spec: {
+      image: terminal_ssh.image,
+      command,
+      files: stripNullish({
+        "/password": resolvedCredentials.password ? fileFromString("password", resolvedCredentials.password, { isSecret: true }) : void 0,
+        "/private_key": resolvedCredentials.keyPair?.privateKey ? fileFromString("private_key", resolvedCredentials.keyPair.privateKey, {
+          isSecret: true,
+          mode: 384
+        }) : void 0,
+        "/known_hosts": fileFromString(
+          "known_hosts",
+          `${l3EndpointToString(endpoint)} ${resolvedCredentials.hostKey}`,
+          { mode: 420 }
+        )
+      })
     }
-    return {
-      name: "ssh",
-      meta: {
-        title: "Shell",
-        description: "Connect to the server via SSH",
-        icon: "gg:remote"
-      },
-      spec: {
-        image: terminal_ssh.image,
-        command,
-        files: {
-          "/password": credentials2.password,
-          "/private_key": credentials2.keyPair?.privateKey && {
-            content: {
-              type: "embedded",
-              value: credentials2.keyPair?.privateKey
-            },
-            meta: {
-              name: "private_key",
-              mode: 384
-            }
-          },
-          "/known_hosts": {
-            content: {
-              type: "embedded",
-              value: `${l3EndpointToString(endpoint)} ${credentials2.hostKey}`
-            },
-            meta: {
-              name: "known_hosts",
-              mode: 420
-            }
-          }
-        }
-      }
-    };
   });
 }
 function generateSshPrivateKey() {
   const seed = randomBytes$1(32);
-  return getKeys(seed).privateKey;
+  return secret(getKeys(seed).privateKey);
 }
 function sshPrivateKeyToKeyPair(privateKeyString) {
   return output(privateKeyString).apply((privateKeyString2) => {
@@ -571,22 +715,22 @@ function sshPrivateKeyToKeyPair(privateKeyString) {
     });
   });
 }
-function ensureSshKeyPair(privateKey, existingKeyPair) {
-  if (existingKeyPair) {
-    return output(existingKeyPair);
-  }
-  return ensureSecretValue(privateKey, generateSshPrivateKey).value.apply(sshPrivateKeyToKeyPair);
+async function createServerBundle(options) {
+  const server = await createServerEntity(options);
+  const ssh = await toPromise(server.ssh);
+  return {
+    server,
+    terminal: ssh ? await createSshTerminal(ssh) : void 0
+  };
 }
 async function createServerEntity({
   name,
   fallbackHostname,
   endpoints,
-  sshEndpoint,
-  sshPort = 22,
-  sshUser = "root",
+  sshArgs = { enabled: true, port: 22, user: "root" },
   sshPassword,
   sshPrivateKey,
-  hasSsh = true,
+  sshKeyPair,
   pingInterval,
   pingTimeout,
   waitForPing,
@@ -598,7 +742,7 @@ async function createServerEntity({
     throw new Error("At least one L3 endpoint is required to create a server entity");
   }
   fallbackHostname ??= name;
-  waitForSsh ??= hasSsh;
+  waitForSsh ??= sshArgs.enabled;
   waitForPing ??= !waitForSsh;
   if (waitForPing) {
     await Command.waitFor(`${name}.ping`, {
@@ -609,28 +753,28 @@ async function createServerEntity({
       triggers: [Date.now()]
     }).wait();
   }
-  if (!hasSsh) {
-    return {
+  if (!sshArgs.enabled) {
+    return output({
       hostname: name,
       endpoints
-    };
+    });
   }
-  sshEndpoint ??= l3EndpointToL4(endpoints[0], sshPort);
+  const sshHost = sshArgs?.host ?? l3EndpointToString(endpoints[0]);
   if (waitForSsh) {
     await Command.waitFor(`${name}.ssh`, {
       host: "local",
-      create: `nc -zv ${l3EndpointToString(sshEndpoint)} ${sshPort}`,
+      create: `nc -zv ${sshHost} ${sshArgs.port}`,
       timeout: sshCheckTimeout ?? 300,
       interval: sshCheckInterval ?? 5,
       triggers: [Date.now()]
     }).wait();
   }
   const connection = output({
-    host: l3EndpointToString(sshEndpoint),
-    port: sshEndpoint.port,
-    user: sshUser,
+    host: sshHost,
+    port: sshArgs.port,
+    user: sshArgs.user,
     password: sshPassword,
-    privateKey: sshPrivateKey,
+    privateKey: sshKeyPair ? output(sshKeyPair).privateKey : sshPrivateKey,
     dialErrorLimit: 3
   });
   const hostnameResult = new remote.Command("hostname", {
@@ -643,15 +787,15 @@ async function createServerEntity({
     create: "cat /etc/ssh/ssh_host_ed25519_key.pub",
     triggers: [Date.now()]
   });
-  return await toPromise({
+  return output({
     endpoints,
     hostname: hostnameResult.stdout.apply((x) => x.trim()),
     ssh: {
-      endpoints: [sshEndpoint],
-      user: sshUser,
+      endpoints: [l3EndpointToL4(sshHost, sshArgs.port ?? 22)],
+      user: sshArgs.user ?? "root",
       hostKey: hostKeyResult.stdout.apply((x) => x.trim()),
-      password: sshPassword,
-      keyPair: sshPrivateKey ? sshPrivateKeyToKeyPair(sshPrivateKey) : void 0
+      password: connection.password,
+      keyPair: sshKeyPair ? sshKeyPair : sshPrivateKey ? sshPrivateKeyToKeyPair(sshPrivateKey) : void 0
     }
   });
 }
@@ -667,7 +811,7 @@ function assetFromFile(file) {
       "Artifact-based files cannot be converted to Pulumi assets directly. Use MaterializedFile instead."
     );
   }
-  if (file.meta.isBinary) {
+  if (file.content.isBinary) {
     throw new Error(
       "Cannot create asset from inline binary file content. Please open an issue if you need this feature."
     );
@@ -734,11 +878,14 @@ var MaterializedFile = class _MaterializedFile {
   constructor(entity, parent) {
     this.entity = entity;
     this.parent = parent;
+    this.artifactMeta = {
+      title: `Materialized file "${entity.meta.name}"`
+    };
   }
   _tmpPath;
   _path;
   _disposed = false;
-  artifactMeta = {};
+  artifactMeta;
   get path() {
     return this._path;
   }
@@ -752,7 +899,7 @@ var MaterializedFile = class _MaterializedFile {
     }
     switch (this.entity.content.type) {
       case "embedded": {
-        const content = this.entity.meta.isBinary ? Buffer.from(this.entity.content.value, "base64") : this.entity.content.value;
+        const content = this.entity.content.isBinary ? Buffer.from(this.entity.content.value, "base64") : this.entity.content.value;
         await writeFile(this._path, content, { mode: this.entity.meta.mode });
         break;
       }
@@ -830,9 +977,7 @@ var MaterializedFile = class _MaterializedFile {
         name: this.entity.meta.name,
         mode: fileStats.mode & 511,
         // extract only permission bits
-        size: fileStats.size,
-        isBinary: this.entity.meta.isBinary
-        // keep original binary flag as we can't reliably detect this from filesystem
+        size: fileStats.size
       };
       return {
         meta: newMeta,
@@ -863,8 +1008,7 @@ var MaterializedFile = class _MaterializedFile {
       meta: {
         name,
         mode,
-        size: 0,
-        isBinary: false
+        size: 0
       },
       content: {
         type: "embedded",
@@ -895,12 +1039,15 @@ var MaterializedFolder = class _MaterializedFolder {
   constructor(entity, parent) {
     this.entity = entity;
     this.parent = parent;
+    this.artifactMeta = {
+      title: `Materialized folder "${entity.meta.name}"`
+    };
   }
   _tmpPath;
   _path;
   _disposed = false;
   _disposables = [];
-  artifactMeta = {};
+  artifactMeta;
   get path() {
     return this._path;
   }
@@ -1126,7 +1273,7 @@ async function fetchFileSize(endpoint) {
     throw new Error("Content-Length header is missing in the response");
   }
   const size = parseInt(contentLength, 10);
-  if (isNaN(size)) {
+  if (Number.isNaN(size)) {
     throw new Error(`Invalid Content-Length value: ${contentLength}`);
   }
   return size;
@@ -1135,7 +1282,168 @@ function getNameByEndpoint(endpoint) {
   const parsedEndpoint = parseL7Endpoint(endpoint);
   return parsedEndpoint.resource ? basename(parsedEndpoint.resource) : "";
 }
+var gatewayRouteMediator = new ImplementationMediator(
+  "gateway-route",
+  z.object({
+    name: z.string(),
+    spec: z.custom(),
+    opts: z.custom().optional()
+  }),
+  z.object({
+    resource: z.instanceof(Resource),
+    endpoints: network.l3EndpointEntity.schema.array()
+  })
+);
+var GatewayRoute = class extends ComponentResource {
+  /**
+   * The underlying resource created by the implementation.
+   */
+  resource;
+  /**
+   * The endpoints of the gateway which serve this route.
+   *
+   * In most cases, this will be a single endpoint of the gateway shared for all routes.
+   */
+  endpoints;
+  constructor(name, args, opts) {
+    super("highstate:common:GatewayRoute", name, args, opts);
+    const { resource, endpoints } = gatewayRouteMediator.callOutput(output(args.gateway).implRef, {
+      name,
+      spec: args,
+      opts: { ...opts, parent: this }
+    });
+    this.resource = resource;
+    this.endpoints = endpoints;
+  }
+};
+var tlsCertificateMediator = new ImplementationMediator(
+  "tls-certificate",
+  z.object({
+    name: z.string(),
+    spec: z.custom(),
+    opts: z.custom().optional()
+  }),
+  z.instanceof(Resource)
+);
+var TlsCertificate = class _TlsCertificate extends ComponentResource {
+  /**
+   * The underlying resource created by the implementation.
+   */
+  resource;
+  constructor(name, args, opts) {
+    super("highstate:common:TlsCertificate", name, args, opts);
+    const issuers = normalizeInputs(args.issuer, args.issuers);
+    this.resource = output({
+      issuers,
+      commonName: args.commonName,
+      dnsNames: args.dnsNames
+    }).apply(async ({ issuers: issuers2, commonName, dnsNames }) => {
+      const matchedIssuer = issuers2.find((issuer) => {
+        if (commonName && !commonName.endsWith(issuer.domain)) {
+          return false;
+        }
+        if (dnsNames && !dnsNames.every((name2) => name2.endsWith(issuer.domain))) {
+          return false;
+        }
+        return true;
+      });
+      if (!matchedIssuer) {
+        throw new Error(
+          `No TLS issuer matched the common name "${commonName}" and DNS names "${dnsNames?.join(", ") ?? ""}"`
+        );
+      }
+      return await tlsCertificateMediator.call(matchedIssuer.implRef, {
+        name,
+        spec: args
+      });
+    });
+  }
+  static tlsCertificateCache = /* @__PURE__ */ new Map();
+  /**
+   * Creates a TLS certificate for the specified common name and DNS names.
+   *
+   * If a TLS certificate with the same name already exists, it will be reused.
+   *
+   * @param name The name of the TLS certificate.
+   * @param args The arguments for the TLS certificate.
+   * @param opts The options for the resource.
+   */
+  static createOnce(name, args, opts) {
+    return getOrCreate(
+      _TlsCertificate.tlsCertificateCache,
+      name,
+      () => new _TlsCertificate(name, args, opts)
+    );
+  }
+};
+var AccessPointRoute = class extends ComponentResource {
+  /**
+   * The created gateway route.
+   */
+  route;
+  /**
+   * The DNS record set created for the route.
+   *
+   * May be shared between multiple routes with the same FQDN.
+   */
+  dnsRecordSet;
+  /**
+   * The TLS certificate created for the route.
+   *
+   * May be shared between multiple routes with the same FQDN.
+   */
+  tlsCertificate;
+  constructor(name, args, opts) {
+    super("highstate:common:AccessPointRoute", name, args, opts);
+    if (args.fqdn && args.type === "http" && !args.insecure) {
+      this.tlsCertificate = output(args.accessPoint).apply((accessPoint) => {
+        if (accessPoint.tlsIssuers.length === 0) {
+          return void 0;
+        }
+        return TlsCertificate.createOnce(
+          name,
+          {
+            issuers: accessPoint.tlsIssuers,
+            dnsNames: args.fqdn ? [args.fqdn] : [],
+            nativeData: args.tlsCertificateNativeData
+          },
+          { ...opts, parent: this }
+        );
+      });
+    }
+    this.route = new GatewayRoute(
+      name,
+      {
+        ...args,
+        gateway: output(args.accessPoint).gateway,
+        tlsCertificate: this.tlsCertificate,
+        nativeData: args.gatewayNativeData
+      },
+      { ...opts, parent: this }
+    );
+    if (args.fqdn) {
+      this.dnsRecordSet = output(args.accessPoint).apply(async (accessPoint) => {
+        if (accessPoint.dnsProviders.length === 0) {
+          return void 0;
+        }
+        const fqdn = await toPromise(args.fqdn);
+        if (!fqdn) {
+          return void 0;
+        }
+        return DnsRecordSet.createOnce(
+          fqdn,
+          {
+            providers: output(args.accessPoint).dnsProviders,
+            values: this.route.endpoints,
+            waitAt: "local"
+          },
+          { ...opts, parent: this }
+        );
+      });
+    }
+  }
+};
 
-export { Command, DnsRecord, DnsRecordSet, MaterializedFile, MaterializedFolder, archiveFromFolder, assetFromFile, createServerEntity, createSshTerminal, ensureSshKeyPair, fetchFileSize, filterEndpoints, generateKey, generatePassword, generateSshPrivateKey, getNameByEndpoint, getServerConnection, l34EndpointToString, l3EndpointToCidr, l3EndpointToL4, l3EndpointToString, l4EndpointToString, l4EndpointWithProtocolToString, l7EndpointToString, parseL34Endpoint, parseL3Endpoint, parseL4Endpoint, parseL7Endpoint, requireInputL3Endpoint, requireInputL4Endpoint, sshPrivateKeyToKeyPair, updateEndpoints, updateEndpointsWithFqdn };
-//# sourceMappingURL=chunk-YYNV3MVT.js.map
-//# sourceMappingURL=chunk-YYNV3MVT.js.map
+export { AccessPointRoute, Command, DnsRecord, DnsRecordSet, GatewayRoute, ImplementationMediator, MaterializedFile, MaterializedFolder, TlsCertificate, archiveFromFolder, assetFromFile, createServerBundle, createServerEntity, createSshTerminal, dnsRecordMediator, fetchFileSize, filterEndpoints, gatewayRouteMediator, generateKey, generatePassword, generateSshPrivateKey, getNameByEndpoint, getServerConnection, l34EndpointToString, l3EndpointToCidr, l3EndpointToL4, l3EndpointToString, l4EndpointToString, l4EndpointWithProtocolToString, l7EndpointToString, parseEndpoints, parseL34Endpoint, parseL3Endpoint, parseL4Endpoint, parseL7Endpoint, requireInputL3Endpoint, requireInputL4Endpoint, sshPrivateKeyToKeyPair, tlsCertificateMediator, updateEndpoints, updateEndpointsWithFqdn };
+//# sourceMappingURL=chunk-WDYIUWYZ.js.map
+//# sourceMappingURL=chunk-WDYIUWYZ.js.map