@highstate/library 0.9.15 → 0.9.18

package/dist/index.js

@@ -1,23 +1,61 @@
+import { registerKnownAbbreviations, z, defineEntity, camelCaseToHumanReadable, defineUnit, fileContentSchema as fileContentSchema$1, fileMetaSchema, unitArtifactSchema, $args, $outputs, $inputs } from '@highstate/contract';
+import { omit } from 'remeda';
+
 var __defProp = Object.defineProperty;
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
 };
+registerKnownAbbreviations([
+  "ID",
+  "URL",
+  "IP",
+  "IPs",
+  "IPv4",
+  "IPv6",
+  "DNS",
+  "FQDN",
+  "SSH",
+  "WireGuard",
+  "API",
+  "k8s",
+  "TLS",
+  "HTTP",
+  "HTTPS",
+  "TCP",
+  "UDP",
+  "CIDR",
+  "CPU",
+  "RAM",
+  "GPU",
+  "SSD",
+  "HDD",
+  "VM",
+  "CNI",
+  "CSI",
+  "MariaDB",
+  "PostgreSQL",
+  "MongoDB"
+]);
 
 // src/common.ts
 var common_exports = {};
 __export(common_exports, {
+  checksumAlgorithmSchema: () => checksumAlgorithmSchema,
+  checksumSchema: () => checksumSchema,
   existingServer: () => existingServer,
-  fileContentEntity: () => fileContentEntity,
+  fileContentSchema: () => fileContentSchema,
   fileEntity: () => fileEntity,
-  fileMetaEntity: () => fileMetaEntity,
+  folderContentSchema: () => folderContentSchema,
+  folderEntity: () => folderEntity,
+  folderMetaSchema: () => folderMetaSchema,
+  remoteFile: () => remoteFile,
   script: () => script,
   serverDns: () => serverDns,
   serverEntity: () => serverEntity,
   serverOutputs: () => serverOutputs,
   serverPatch: () => serverPatch
 });
-import { defineEntity as defineEntity4, defineUnit as defineUnit3, Type as Type5 } from "@highstate/contract";
 
 // src/ssh.ts
 var ssh_exports = {};
@@ -27,7 +65,6 @@ __export(ssh_exports, {
   keyPairEntity: () => keyPairEntity,
   keyTypeSchema: () => keyTypeSchema
 });
-import { defineEntity as defineEntity2, defineUnit as defineUnit2, Type as Type2 } from "@highstate/contract";
 
 // src/network.ts
 var network_exports = {};
@@ -38,11 +75,12 @@ __export(network_exports, {
   l3EndpointEntity: () => l3EndpointEntity,
   l4Endpoint: () => l4Endpoint,
   l4EndpointEntity: () => l4EndpointEntity,
+  l4PortInfoSchema: () => l4PortInfoSchema,
   l4ProtocolSchema: () => l4ProtocolSchema,
-  portInfoSchema: () => portInfoSchema
+  l7AppInfoSchema: () => l7AppInfoSchema,
+  l7EndpointEntity: () => l7EndpointEntity
 });
-import { defineEntity, defineUnit, Type } from "@highstate/contract";
-var endpointVisibilitySchema = Type.StringEnum([
+var endpointVisibilitySchema = z.enum([
   "public",
   // Reachable from the public internet
   "external",
@@ -50,56 +88,80 @@ var endpointVisibilitySchema = Type.StringEnum([
   "internal"
   // Reachable only from within the system or cluster
 ]);
-var endpointFilterSchema = Type.Array(endpointVisibilitySchema);
+var endpointFilterSchema = endpointVisibilitySchema.array();
 var l3EndpointEntity = defineEntity({
   type: "network.l3-endpoint",
-  schema: Type.Intersect([
-    Type.Object({
+  schema: z.intersection(
+    z.object({
       visibility: endpointVisibilitySchema,
-      metadata: Type.Optional(Type.Record(Type.String(), Type.Unknown()))
+      metadata: z.record(z.string(), z.unknown()).optional()
     }),
-    Type.Union([
-      Type.Object({
-        type: Type.Literal("hostname"),
+    z.union([
+      z.object({
+        type: z.literal("hostname"),
         /**
          * The hostname of the endpoint in the format of a domain name.
          */
-        hostname: Type.String()
+        hostname: z.string().meta({ title: camelCaseToHumanReadable("hostname"), description: `The hostname of the endpoint in the format of a domain name.` })
       }),
-      Type.Object({
-        type: Type.Literal("ipv4"),
+      z.object({
+        type: z.literal("ipv4"),
         /**
          * The IPv4 address of the endpoint.
          */
-        address: Type.String()
+        address: z.string().meta({ title: camelCaseToHumanReadable("address"), description: `The IPv4 address of the endpoint.` })
       }),
-      Type.Object({
-        type: Type.Literal("ipv6"),
+      z.object({
+        type: z.literal("ipv6"),
         /**
          * The IPv6 address of the endpoint.
          */
-        address: Type.String()
+        address: z.string().meta({ title: camelCaseToHumanReadable("address"), description: `The IPv6 address of the endpoint.` })
       })
     ])
-  ]),
+  ),
   meta: {
     color: "#4CAF50",
     description: "The L3 endpoint for some service. May be a domain name or an IP address."
   }
 });
-var l4ProtocolSchema = Type.StringEnum(["tcp", "udp"]);
-var portInfoSchema = Type.Object({
-  port: Type.Number(),
+var l4ProtocolSchema = z.enum(["tcp", "udp"]);
+var l4PortInfoSchema = z.object({
+  port: z.number(),
   protocol: l4ProtocolSchema
 });
 var l4EndpointEntity = defineEntity({
   type: "network.l4-endpoint",
-  schema: Type.Intersect([l3EndpointEntity.schema, portInfoSchema]),
+  schema: z.intersection(l3EndpointEntity.schema, l4PortInfoSchema),
   meta: {
     color: "#2196F3",
     description: "The L4 endpoint for some service. Extends an L3 endpoint with a port."
   }
 });
+var l7AppInfoSchema = z.object({
+  /**
+   * The name of the application protocol used by the endpoint.
+   */
+  appProtocol: z.string().meta({ title: camelCaseToHumanReadable("appProtocol"), description: `The name of the application protocol used by the endpoint.` }),
+  /**
+   * The resource path of the application endpoint, including query parameters.
+   * Must not start with a slash (`/`).
+   *
+   * Example: `api/v1/resource?query=value`, `database?param=value`, `user/repo.git`.
+   */
+  resource: z.string().optional().meta({ title: camelCaseToHumanReadable("resource"), description: `The resource path of the application endpoint, including query parameters.
+ Must not start with a slash (\`/\`).
+
+ Example: \`api/v1/resource?query=value\`, \`database?param=value\`, \`user/repo.git\`.` })
+});
+var l7EndpointEntity = defineEntity({
+  type: "network.l7-endpoint",
+  schema: z.intersection(l4EndpointEntity.schema, l7AppInfoSchema),
+  meta: {
+    color: "#FF9800",
+    description: "The L7 endpoint for some service. Extends an L4 endpoint with application protocol information."
+  }
+});
 var l3Endpoint = defineUnit({
   type: "network.l3-endpoint",
   args: {
@@ -108,20 +170,32 @@ var l3Endpoint = defineUnit({
      *
      * May be a domain name or an IP address.
      */
-    endpoint: Type.String(),
+    endpoint: {
+      schema: z.string(),
+      meta: {
+        description: `The string representation of the endpoint.
+
+ May be a domain name or an IP address.`
+      }
+    },
     /**
      * The visibility of the endpoint.
      */
-    visibility: Type.Default(endpointVisibilitySchema, "public")
+    visibility: {
+      schema: endpointVisibilitySchema.default("public"),
+      meta: {
+        description: `The visibility of the endpoint.`
+      }
+    }
   },
   outputs: {
     endpoint: l3EndpointEntity
   },
   meta: {
-    displayName: "L3 Endpoint",
+    title: "L3 Endpoint",
     description: "An L3 endpoint for some service. May be a domain name or an IP address.",
-    primaryIcon: "mdi:network-outline",
-    primaryIconColor: "#4CAF50",
+    icon: "mdi:network-outline",
+    iconColor: "#4CAF50",
     defaultNamePrefix: "endpoint",
     category: "Network"
   },
@@ -144,20 +218,38 @@ var l4Endpoint = defineUnit({
      * - `tcp://endpoint:port`
      * - `udp://endpoint:port`
      */
-    endpoint: Type.String(),
+    endpoint: {
+      schema: z.string(),
+      meta: {
+        description: `The string representation of the endpoint.
+
+ May be a domain name or an IP address + port/protocol.
+
+ The possible formats are:
+
+ - \`endpoint:port\` (TCP by default)
+ - \`tcp://endpoint:port\`
+ - \`udp://endpoint:port\``
+      }
+    },
     /**
      * The visibility of the endpoint.
      */
-    visibility: Type.Default(endpointVisibilitySchema, "public")
+    visibility: {
+      schema: endpointVisibilitySchema.default("public"),
+      meta: {
+        description: `The visibility of the endpoint.`
+      }
+    }
   },
   outputs: {
     endpoint: l4EndpointEntity
   },
   meta: {
-    displayName: "L4 Endpoint",
+    title: "L4 Endpoint",
     description: "An L4 endpoint for some service. Extends an L3 endpoint with a port.",
-    primaryIcon: "mdi:network-outline",
-    primaryIconColor: "#2196F3",
+    icon: "mdi:network-outline",
+    iconColor: "#2196F3",
     defaultNamePrefix: "endpoint",
     category: "Network"
   },
@@ -166,42 +258,147 @@ var l4Endpoint = defineUnit({
     path: "units/network/l4-endpoint"
   }
 });
+var checksumAlgorithmSchema = z.enum(["md5", "sha1", "sha256", "sha384", "sha512"]);
+var checksumSchema = z.object({
+  algorithm: checksumAlgorithmSchema,
+  value: z.string()
+});
+var fileContentSchema = z.union([
+  fileContentSchema$1,
+  z.object({
+    type: z.literal("local"),
+    path: z.string()
+  }),
+  z.object({
+    type: z.literal("remote"),
+    endpoint: l7EndpointEntity.schema,
+    checksum: checksumSchema.optional()
+  })
+]);
+var fileEntity = defineEntity({
+  type: "common.file",
+  schema: z.object({
+    meta: fileMetaSchema,
+    content: fileContentSchema
+  }),
+  meta: {
+    color: "#FF5722"
+  }
+});
+var folderMetaSchema = z.object({
+  name: z.string(),
+  mode: z.number().optional()
+});
+var folderContentSchema = z.union([
+  z.object({
+    type: z.literal("embedded"),
+    files: fileEntity.schema.array(),
+    folders: z.object({
+      meta: folderMetaSchema,
+      get content() {
+        return folderContentSchema;
+      }
+    }).array()
+  }),
+  z.object({
+    type: z.literal("artifact"),
+    ...unitArtifactSchema.shape
+  }),
+  z.object({
+    type: z.literal("local"),
+    path: z.string()
+  }),
+  z.object({
+    type: z.literal("remote"),
+    endpoint: l7EndpointEntity.schema
+  })
+]);
+var folderEntity = defineEntity({
+  type: "common.folder",
+  schema: z.object({
+    meta: folderMetaSchema,
+    content: folderContentSchema
+  }),
+  meta: {
+    color: "#FF9800"
+  }
+});
+var remoteFile = defineUnit({
+  type: "common.remote-file",
+  args: {
+    /**
+     * The URL of the remote file.
+     */
+    url: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The URL of the remote file.`
+      }
+    }
+  },
+  inputs: {
+    /**
+     * The L7 endpoint of the remote file.
+     */
+    endpoint: {
+      entity: l7EndpointEntity,
+      required: false,
+      meta: {
+        description: `The L7 endpoint of the remote file.`
+      }
+    }
+  },
+  outputs: {
+    file: fileEntity
+  },
+  meta: {
+    title: "Remote File",
+    description: "References a file from a remote URL.",
+    icon: "mdi:file-download",
+    category: "Files"
+  },
+  source: {
+    package: "@highstate/common",
+    path: "units/remote-file"
+  }
+});
 
 // src/ssh.ts
-var keyTypeSchema = Type2.StringEnum(["ed25519"]);
-var keyPairEntity = defineEntity2({
+var keyTypeSchema = z.enum(["ed25519"]);
+var keyPairEntity = defineEntity({
   type: "ssh.key-pair",
-  schema: Type2.Object({
+  schema: z.object({
     type: keyTypeSchema,
-    fingerprint: Type2.String(),
-    publicKey: Type2.String(),
-    privateKey: Type2.String()
+    fingerprint: z.string(),
+    publicKey: z.string(),
+    privateKey: z.string()
   }),
   meta: {
     color: "#2b5797"
   }
 });
-var credentialsSchema = Type2.Object({
-  endpoints: Type2.Array(l4EndpointEntity.schema),
-  hostKey: Type2.String(),
-  user: Type2.String(),
-  password: Type2.Optional(Type2.String()),
-  keyPair: Type2.Optional(keyPairEntity.schema)
+var credentialsSchema = z.object({
+  endpoints: l4EndpointEntity.schema.array(),
+  hostKey: z.string(),
+  user: z.string(),
+  password: z.string().optional(),
+  keyPair: keyPairEntity.schema.optional()
 });
-var keyPair = defineUnit2({
+var keyPair = defineUnit({
   type: "ssh.key-pair",
   secrets: {
-    privateKey: Type2.Optional(Type2.String())
+    privateKey: z.string().optional()
   },
   outputs: {
-    keyPair: keyPairEntity
+    keyPair: keyPairEntity,
+    publicKeyFile: fileEntity
   },
   meta: {
-    displayName: "SSH Key Pair",
+    title: "SSH Key Pair",
     description: "Holds the ED25519 SSH key pair and generates the private key if not provided.",
     category: "ssh",
-    primaryIcon: "charm:key",
-    primaryIconColor: "#ffffff",
+    icon: "charm:key",
+    iconColor: "#ffffff",
     secondaryIcon: "mdi:lock",
     secondaryIconColor: "#ffffff"
   },
@@ -218,10 +415,6 @@ __export(dns_exports, {
   inputs: () => inputs,
   providerEntity: () => providerEntity
 });
-import { defineEntity as defineEntity3, Type as Type4 } from "@highstate/contract";
-
-// src/utils.ts
-import { Type as Type3 } from "@highstate/contract";
 function prefixWith(string, prefix) {
   return prefix ? `${prefix}${string.charAt(0).toUpperCase()}${string.slice(1)}` : string;
 }
@@ -230,16 +423,16 @@ function prefixKeysWith(prefix, obj) {
     Object.entries(obj).map(([key, value]) => [prefixWith(key, prefix), value])
   );
 }
-var arrayPatchModeSchema = Type3.StringEnum(["prepend", "replace"]);
+var arrayPatchModeSchema = z.enum(["prepend", "replace"]);
 
 // src/dns.ts
-var providerEntity = defineEntity3({
+var providerEntity = defineEntity({
   type: "dns.provider",
-  schema: Type4.Object({
-    name: Type4.String(),
-    type: Type4.String(),
-    data: Type4.Record(Type4.String(), Type4.Unknown()),
-    domain: Type4.String()
+  schema: z.object({
+    name: z.string(),
+    type: z.string(),
+    data: z.record(z.string(), z.unknown()),
+    domain: z.string()
   }),
   meta: {
     color: "#FF5722"
@@ -253,17 +446,8 @@ function createArgs(prefix) {
      * Will be inserted at the beginning of the resulting endpoint list.
      *
      * Will throw an error if no matching provider is found.
-     *
-     * @schema
      */
-    fqdn: {
-      ...Type4.Optional(Type4.String()),
-      description: `The FQDN to register the existing endpoints with.
-
- Will be inserted at the beginning of the resulting endpoint list.
-
- Will throw an error if no matching provider is found.`
-    },
+    fqdn: z.string().optional(),
     /**
      * The endpoint filter to filter the endpoints before creating the DNS records.
      *
@@ -280,27 +464,8 @@ function createArgs(prefix) {
      * - If any public endpoints exist, all public endpoints are selected;
      * - Otherwise, if any external endpoints exist, all external endpoints are selected;
      * - If neither exist, all internal endpoints are selected.
-     *
-     * @schema
      */
-    endpointFilter: {
-      ...Type4.Default(endpointFilterSchema, []),
-      description: `The endpoint filter to filter the endpoints before creating the DNS records.
-
- Possible values:
-
- - \`public\`: Only endpoints exposed to the public internet.
- - \`external\`: Reachable from outside the system but not public (e.g., LAN, VPC).
- - \`internal\`: Reachable only from within the system boundary (e.g., inside a cluster).
-
- You can select one or more values.
-
- If no value is provided, the endpoints will be filtered by the most accessible type:
-
- - If any public endpoints exist, all public endpoints are selected;
- - Otherwise, if any external endpoints exist, all external endpoints are selected;
- - If neither exist, all internal endpoints are selected.`
-    },
+    endpointFilter: endpointFilterSchema.default([]),
     /**
      * The mode to use for patching the existing endpoints.
      *
@@ -308,18 +473,8 @@ function createArgs(prefix) {
      * - `replace`: Replace the existing endpoints with the FQDN. It will ensure that the only the FQDN is used.
      *
      * The default is `prepend`.
-     *
-     * @schema
      */
-    patchMode: {
-      ...Type4.Default(arrayPatchModeSchema, "prepend"),
-      description: `The mode to use for patching the existing endpoints.
-
- - \`prepend\`: Prepend the FQDN to the existing endpoints. It will make them prioritized.
- - \`replace\`: Replace the existing endpoints with the FQDN. It will ensure that the only the FQDN is used.
-
- The default is \`prepend\`.`
-    }
+    patchMode: arrayPatchModeSchema.default("prepend")
   });
 }
 var inputs = {
@@ -327,27 +482,20 @@ var inputs = {
    * The DNS providers to use to create the DNS records.
    *
    * If multiple providers match the domain, all of them will be used and multiple DNS records will be created.
-   *
-   * @schema
    */
   dnsProviders: {
-    ...{
-      entity: providerEntity,
-      multiple: true
-    },
-    description: `The DNS providers to use to create the DNS records.
-
- If multiple providers match the domain, all of them will be used and multiple DNS records will be created.`
+    entity: providerEntity,
+    multiple: true
   }
 };
 
 // src/common.ts
-var serverEntity = defineEntity4({
+var serverEntity = defineEntity({
   type: "common.server",
-  schema: Type5.Object({
-    hostname: Type5.String(),
-    endpoints: Type5.Array(l3EndpointEntity.schema),
-    ssh: Type5.Optional(credentialsSchema)
+  schema: z.object({
+    hostname: z.string(),
+    endpoints: l3EndpointEntity.schema.array(),
+    ssh: credentialsSchema.optional()
   }),
   meta: {
     color: "#009688"
@@ -360,7 +508,7 @@ var serverOutputs = {
     multiple: true
   }
 };
-var existingServer = defineUnit3({
+var existingServer = defineUnit({
   type: "common.existing-server",
   args: {
     /**
@@ -368,19 +516,36 @@ var existingServer = defineUnit3({
      *
      * Takes precedence over the `endpoint` input.
      */
-    endpoint: Type5.Optional(Type5.String()),
+    endpoint: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The endpoint of the server.
+
+ Takes precedence over the \`endpoint\` input.`
+      }
+    },
     /**
      * The SSH user to use for connecting to the server.
      */
-    sshUser: Type5.Default(Type5.String(), "root"),
+    sshUser: {
+      schema: z.string().default("root"),
+      meta: {
+        description: `The SSH user to use for connecting to the server.`
+      }
+    },
     /**
      * The SSH port to use for connecting to the server.
      */
-    sshPort: Type5.Default(Type5.Number(), 22)
+    sshPort: {
+      schema: z.number().default(22),
+      meta: {
+        description: `The SSH port to use for connecting to the server.`
+      }
+    }
   },
   secrets: {
-    sshPassword: Type5.Optional(Type5.String()),
-    sshPrivateKey: Type5.Optional(Type5.String())
+    sshPassword: z.string().optional(),
+    sshPrivateKey: z.string().optional()
   },
   inputs: {
     sshKeyPair: {
@@ -394,9 +559,9 @@ var existingServer = defineUnit3({
   },
   outputs: serverOutputs,
   meta: {
-    displayName: "Existing Server",
+    title: "Existing Server",
     description: "An existing server that can be used in the configuration.",
-    primaryIcon: "mdi:server",
+    icon: "mdi:server",
     defaultNamePrefix: "server",
     category: "Infrastructure"
   },
@@ -405,7 +570,7 @@ var existingServer = defineUnit3({
     path: "units/existing-server"
   }
 });
-var serverPatch = defineUnit3({
+var serverPatch = defineUnit({
   type: "common.server-patch",
   args: {
     /**
@@ -414,16 +579,16 @@ var serverPatch = defineUnit3({
      * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
      *
      * The same server may also be represented by multiple entries (e.g. a node with private and public IP).
-     *
-     * @schema
      */
     endpoints: {
-      ...Type5.Default(Type5.Array(Type5.String()), []),
-      description: `The endpoints of the server.
+      schema: z.string().array().default([]),
+      meta: {
+        description: `The endpoints of the server.
 
  The entry may represent real node endpoint or virtual endpoint (like a load balancer).
 
  The same server may also be represented by multiple entries (e.g. a node with private and public IP).`
+      }
     },
     /**
      * The mode to use for patching the endpoints.
@@ -431,7 +596,15 @@ var serverPatch = defineUnit3({
      * - `prepend`: prepend the new endpoints to the existing ones (default);
      * - `replace`: replace the existing endpoints with the new ones.
      */
-    endpointsPatchMode: Type5.Default(arrayPatchModeSchema, "prepend")
+    endpointsPatchMode: {
+      schema: arrayPatchModeSchema.default("prepend"),
+      meta: {
+        description: `The mode to use for patching the endpoints.
+
+ - \`prepend\`: prepend the new endpoints to the existing ones (default);
+ - \`replace\`: replace the existing endpoints with the new ones.`
+      }
+    }
   },
   inputs: {
     server: serverEntity,
@@ -449,9 +622,9 @@ var serverPatch = defineUnit3({
     }
   },
   meta: {
-    displayName: "Server Patch",
+    title: "Server Patch",
     description: "Patches some properties of the server.",
-    primaryIcon: "mdi:server",
+    icon: "mdi:server",
     secondaryIcon: "fluent:patch-20-filled",
     category: "Infrastructure"
   },
@@ -460,7 +633,7 @@ var serverPatch = defineUnit3({
     path: "units/server-patch"
   }
 });
-var serverDns = defineUnit3({
+var serverDns = defineUnit({
   type: "common.server-dns",
   args: createArgs(),
   inputs: {
@@ -475,9 +648,9 @@ var serverDns = defineUnit3({
     }
   },
   meta: {
-    displayName: "Server DNS",
+    title: "Server DNS",
     description: "Creates DNS records for the server and updates endpoints.",
-    primaryIcon: "mdi:server",
+    icon: "mdi:server",
     secondaryIcon: "mdi:dns",
     category: "Infrastructure"
   },
@@ -486,12 +659,12 @@ var serverDns = defineUnit3({
     path: "units/server-dns"
   }
 });
-var script = defineUnit3({
+var script = defineUnit({
   type: "common.script",
   args: {
-    script: Type5.String({ language: "shell" }),
-    updateScript: Type5.Optional(Type5.String({ language: "shell" })),
-    deleteScript: Type5.Optional(Type5.String({ language: "shell" }))
+    script: z.string().meta({ language: "shell" }),
+    updateScript: z.string().optional().meta({ language: "shell" }),
+    deleteScript: z.string().optional().meta({ language: "shell" })
   },
   inputs: {
     server: serverEntity
@@ -500,9 +673,9 @@ var script = defineUnit3({
     server: serverEntity
   },
   meta: {
-    displayName: "Shell Script",
+    title: "Shell Script",
     description: "Run a shell script on the server.",
-    primaryIcon: "mdi:bash",
+    icon: "mdi:bash",
     category: "Infrastructure"
   },
   source: {
@@ -510,46 +683,6 @@ var script = defineUnit3({
     path: "units/script"
   }
 });
-var fileMetaEntity = defineEntity4({
-  type: "common.file-meta",
-  schema: Type5.Object({
-    name: Type5.String(),
-    size: Type5.Number(),
-    mode: Type5.Number(),
-    isBinary: Type5.Optional(Type5.Boolean())
-  }),
-  meta: {
-    color: "#FF5722",
-    description: "Metadata for a file."
-  }
-});
-var fileContentEntity = defineEntity4({
-  type: "common.file-content",
-  schema: Type5.Union([
-    Type5.Object({
-      type: Type5.Literal("inline"),
-      content: Type5.String()
-    }),
-    Type5.Object({
-      type: Type5.Literal("remote"),
-      url: Type5.String()
-    })
-  ]),
-  meta: {
-    color: "#FF5722",
-    description: "The content of a file."
-  }
-});
-var fileEntity = defineEntity4({
-  type: "common.file",
-  schema: Type5.Object({
-    meta: fileMetaEntity.schema,
-    content: fileContentEntity.schema
-  }),
-  meta: {
-    color: "#FF5722"
-  }
-});
 
 // src/proxmox.ts
 var proxmox_exports = {};
@@ -561,86 +694,277 @@ __export(proxmox_exports, {
   imageEntity: () => imageEntity,
   virtualMachine: () => virtualMachine
 });
-import { defineEntity as defineEntity5, defineUnit as defineUnit4, Type as Type6 } from "@highstate/contract";
-var clusterEntity = defineEntity5({
+var clusterEntity = defineEntity({
   type: "proxmox.cluster",
-  schema: Type6.Object({
-    endpoint: Type6.String(),
-    insecure: Type6.Optional(Type6.Boolean()),
-    username: Type6.Optional(Type6.String()),
-    defaultNodeName: Type6.String(),
-    defaultDatastoreId: Type6.String(),
-    password: Type6.Optional(Type6.String()),
-    apiToken: Type6.Optional(Type6.String()),
-    sshKeyPair: Type6.Optional(keyPairEntity.schema)
+  schema: z.object({
+    endpoint: l7EndpointEntity.schema,
+    insecure: z.boolean().optional(),
+    username: z.string().optional(),
+    defaultNodeName: z.string(),
+    defaultDatastoreId: z.string(),
+    password: z.string().optional(),
+    apiToken: z.string().optional(),
+    ssh: credentialsSchema.optional()
   }),
   meta: {
     color: "#e56901"
   }
 });
-var imageEntity = defineEntity5({
+var imageEntity = defineEntity({
   type: "proxmox.image",
-  schema: Type6.Object({
-    id: Type6.String()
+  schema: z.object({
+    id: z.string()
   }),
   meta: {
     color: "#e56901"
   }
 });
-var connection = defineUnit4({
+var connection = defineUnit({
   type: "proxmox.connection",
   args: {
-    endpoint: Type6.String(),
-    insecure: Type6.Optional(Type6.Boolean()),
-    username: Type6.Optional(Type6.String()),
-    defaultNodeName: Type6.Optional(Type6.String()),
-    defaultDatastoreId: Type6.Optional(Type6.String())
+    /**
+     * The endpoint of the Proxmox API.
+     */
+    endpoint: {
+      schema: z.string(),
+      meta: {
+        description: `The endpoint of the Proxmox API.`
+      }
+    },
+    /**
+     * Whether to allow insecure connections to the Proxmox API.
+     */
+    insecure: {
+      schema: z.boolean().optional(),
+      meta: {
+        description: `Whether to allow insecure connections to the Proxmox API.`
+      }
+    },
+    /**
+     * The username to use for the Proxmox API.
+     *
+     * Only required for password token authentication.
+     */
+    username: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The username to use for the Proxmox API.
+
+ Only required for password token authentication.`
+      }
+    },
+    /**
+     * The name of the default Proxmox node to use for operations.
+     *
+     * If not specified, the first node in the cluster will be used.
+     */
+    defaultNodeName: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The name of the default Proxmox node to use for operations.
+
+ If not specified, the first node in the cluster will be used.`
+      }
+    },
+    /**
+     * The ID of the default Proxmox datastore to use for operations.
+     *
+     * If not specified, the first datastore in the cluster will be used.
+     */
+    defaultDatastoreId: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The ID of the default Proxmox datastore to use for operations.
+
+ If not specified, the first datastore in the cluster will be used.`
+      }
+    },
+    /**
+     * The username to use for SSH connections to the Proxmox nodes.
+     *
+     * By default, this is set to "root".
+     */
+    sshUser: {
+      schema: z.string().default("root"),
+      meta: {
+        description: `The username to use for SSH connections to the Proxmox nodes.
+
+ By default, this is set to "root".`
+      }
+    },
+    /**
+     * The port to use for SSH connections to the Proxmox nodes.
+     *
+     * By default, this is set to 22.
+     */
+    sshPort: {
+      schema: z.number().default(22),
+      meta: {
+        description: `The port to use for SSH connections to the Proxmox nodes.
+
+ By default, this is set to 22.`
+      }
+    }
   },
   secrets: {
-    password: Type6.Optional(Type6.String()),
-    apiToken: Type6.Optional(Type6.String())
+    /**
+     * The password to use for the Proxmox API.
+     *
+     * Requires `username` to be set.
+     */
+    password: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The password to use for the Proxmox API.
+
+ Requires \`username\` to be set.`,
+        title: "Proxmox Password"
+      }
+    },
+    /**
+     * The Proxmox API token to use for authentication.
+     */
+    apiToken: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The Proxmox API token to use for authentication.`,
+        title: "Proxmox API Token"
+      }
+    },
+    /**
+     * The SSH password to use for connecting to the Proxmox nodes.
+     */
+    sshPassword: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The SSH password to use for connecting to the Proxmox nodes.`
+      }
+    }
   },
   inputs: {
+    /**
+     * The key pair to use for SSH connections to the Proxmox nodes.
+     */
     sshKeyPair: {
       entity: keyPairEntity,
-      required: false
+      required: false,
+      meta: {
+        description: `The key pair to use for SSH connections to the Proxmox nodes.`
+      }
     }
   },
   outputs: {
     proxmoxCluster: clusterEntity
   },
   meta: {
-    displayName: "Proxmox Connection",
+    title: "Proxmox Connection",
     description: "The connection to an existing Proxmox cluster.",
     category: "Proxmox",
-    primaryIcon: "simple-icons:proxmox",
-    primaryIconColor: "#e56901"
+    icon: "simple-icons:proxmox",
+    iconColor: "#e56901"
   },
   source: {
     package: "@highstate/proxmox",
     path: "connection"
   }
 });
-var image = defineUnit4({
+var image = defineUnit({
   type: "proxmox.image",
   args: {
-    url: Type6.String(),
-    nodeName: Type6.Optional(Type6.String()),
-    sha256: Type6.Optional(Type6.String()),
-    datastoreId: Type6.Optional(Type6.String())
+    /**
+     * The name of the image to upload.
+     *
+     * If not specified, the default name is `<unitName>-<sha256>.<extension>`
+     * or `<unitName>.<extension>` if `sha256` is not provided.
+     */
+    fileName: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The name of the image to upload.
+
+ If not specified, the default name is \`<unitName>-<sha256>.<extension>\`
+ or \`<unitName>.<extension>\` if \`sha256\` is not provided.`
+      }
+    },
+    /**
+     * The URL of the image to upload.
+     */
+    url: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The URL of the image to upload.`
+      }
+    },
+    /**
+     * The checksum of the image file to verify.
+     */
+    checksum: {
+      schema: checksumSchema.optional(),
+      meta: {
+        description: `The checksum of the image file to verify.`
+      }
+    },
+    /**
+     * The name of the Proxmox node to upload the image to.
+     *
+     * If not specified, the default node name from the cluster will be used.
+     */
+    nodeName: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The name of the Proxmox node to upload the image to.
+
+ If not specified, the default node name from the cluster will be used.`
+      }
+    },
+    /**
+     * The ID of the Proxmox datastore to upload the image to.
+     *
+     * If not specified, the default datastore ID from the cluster will be used.
+     */
+    datastoreId: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The ID of the Proxmox datastore to upload the image to.
+
+ If not specified, the default datastore ID from the cluster will be used.`
+      }
+    }
   },
   inputs: {
-    proxmoxCluster: clusterEntity
+    /**
+     * The Proxmox cluster to upload the image to.
+     */
+    proxmoxCluster: {
+      entity: clusterEntity,
+      meta: {
+        description: `The Proxmox cluster to upload the image to.`
+      }
+    },
+    /**
+     * The file to upload as an image.
+     *
+     * If `url` is not specified, this file will be used.
+     */
+    file: {
+      entity: fileEntity,
+      required: false,
+      meta: {
+        description: `The file to upload as an image.
+
+ If \`url\` is not specified, this file will be used.`
+      }
+    }
   },
   outputs: {
     image: imageEntity
   },
   meta: {
-    displayName: "Proxmox Image",
+    title: "Proxmox Image",
     description: "The image to upload to a Proxmox cluster.",
     category: "Proxmox",
-    primaryIcon: "simple-icons:proxmox",
-    primaryIconColor: "#e56901",
+    icon: "simple-icons:proxmox",
+    iconColor: "#e56901",
     secondaryIcon: "mage:compact-disk-fill"
   },
   source: {
@@ -648,10 +972,10 @@ var image = defineUnit4({
     path: "image"
   }
 });
-var existingImage = defineUnit4({
+var existingImage = defineUnit({
   type: "proxmox.existing-image",
   args: {
-    id: Type6.String()
+    id: z.string()
   },
   inputs: {
     proxmoxCluster: clusterEntity
@@ -660,11 +984,11 @@ var existingImage = defineUnit4({
     image: imageEntity
   },
   meta: {
-    displayName: "Proxmox Existing Image",
+    title: "Proxmox Existing Image",
     description: "The existing image on a Proxmox cluster.",
     category: "Proxmox",
-    primaryIcon: "simple-icons:proxmox",
-    primaryIconColor: "#e56901",
+    icon: "simple-icons:proxmox",
+    iconColor: "#e56901",
     secondaryIcon: "mage:compact-disk-fill"
   },
   source: {
@@ -672,27 +996,204 @@ var existingImage = defineUnit4({
     path: "existing-image"
   }
 });
-var virtualMachine = defineUnit4({
+var virtualMachine = defineUnit({
   type: "proxmox.virtual-machine",
   args: {
-    nodeName: Type6.Optional(Type6.String()),
-    cpuType: Type6.Default(Type6.String(), "host"),
-    cores: Type6.Default(Type6.Number(), 1),
-    sockets: Type6.Default(Type6.Number(), 1),
-    memory: Type6.Default(Type6.Number(), 512),
-    ipv4: Type6.Optional(Type6.String()),
-    ipv4Gateway: Type6.Optional(Type6.String()),
-    dns: Type6.Optional(Type6.Array(Type6.String())),
-    datastoreId: Type6.Optional(Type6.String()),
-    diskSize: Type6.Default(Type6.Number(), 8),
-    bridge: Type6.Default(Type6.String(), "vmbr0"),
-    sshPort: Type6.Default(Type6.Number(), 22),
-    sshUser: Type6.Default(Type6.String(), "root"),
-    waitForAgent: Type6.Default(Type6.Boolean(), true),
-    vendorData: Type6.Optional(Type6.String({ language: "yaml" }))
+    /**
+     * The name of the node to create the virtual machine on.
+     *
+     * If not specified, the default node name from the cluster will be used.
+     */
+    nodeName: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The name of the node to create the virtual machine on.
+
+ If not specified, the default node name from the cluster will be used.`
+      }
+    },
+    /**
+     * The ID of the Proxmox datastore to create the virtual machine on.
+     *
+     * If not specified, the default datastore ID from the cluster will be used.
+     */
+    datastoreId: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The ID of the Proxmox datastore to create the virtual machine on.
+
+ If not specified, the default datastore ID from the cluster will be used.`
+      }
+    },
+    /**
+     * The type of CPU to use for the virtual machine.
+     *
+     * By default, this is set to "host" which offers the best performance.
+     */
+    cpuType: {
+      schema: z.string().default("host"),
+      meta: {
+        description: `The type of CPU to use for the virtual machine.
+
+ By default, this is set to "host" which offers the best performance.`
+      }
+    },
+    /**
+     * The resources to allocate to the virtual machine.
+     */
+    resources: {
+      schema: z.object({
+        /**
+         * The number of CPU cores to allocate to the virtual machine.
+         *
+         * By default, this is set to 1.
+         */
+        cores: z.number().meta({ title: camelCaseToHumanReadable("cores"), description: `The number of CPU cores to allocate to the virtual machine.
+
+ By default, this is set to 1.` }),
+        /**
+         * The number of CPU sockets to allocate to the virtual machine.
+         *
+         * By default, this is set to 1.
+         */
+        sockets: z.number().meta({ title: camelCaseToHumanReadable("sockets"), description: `The number of CPU sockets to allocate to the virtual machine.
+
+ By default, this is set to 1.` }),
+        /**
+         * The amount of dedicated memory to allocate to the virtual machine, in MB.
+         *
+         * By default, this is set to 512 MB.
+         */
+        memory: z.number().meta({ title: camelCaseToHumanReadable("memory"), description: `The amount of dedicated memory to allocate to the virtual machine, in MB.
+
+ By default, this is set to 512 MB.` }),
+        /**
+         * The size of the disk to create for the virtual machine, in GB.
+         *
+         * By default, this is set to 8 GB.
+         */
+        diskSize: z.number().meta({ title: camelCaseToHumanReadable("diskSize"), description: `The size of the disk to create for the virtual machine, in GB.
+
+ By default, this is set to 8 GB.` })
+      }).default({
+        cores: 1,
+        sockets: 1,
+        memory: 512,
+        diskSize: 8
+      }),
+      meta: {
+        description: `The resources to allocate to the virtual machine.`
+      }
+    },
+    /**
+     * The IPv4 address configuration for the virtual machine.
+     */
+    ipv4: {
+      schema: z.discriminatedUnion("type", [
+        z.object({
+          type: z.literal("dhcp")
+        }),
+        z.object({
+          type: z.literal("static"),
+          /**
+           * The IPv4 address to assign to the virtual machine.
+           */
+          address: z.string().meta({ title: camelCaseToHumanReadable("address"), description: `The IPv4 address to assign to the virtual machine.` }),
+          /**
+           * The CIDR prefix for the IPv4 address.
+           *
+           * By default, this is set to 24.
+           */
+          prefix: z.number().default(24).meta({ title: camelCaseToHumanReadable("prefix"), description: `The CIDR prefix for the IPv4 address.
+
+ By default, this is set to 24.` }),
+          /**
+           * The IPv4 gateway for the virtual machine.
+           *
+           * If not specified, will be set to the first address in the subnet.
+           */
+          gateway: z.string().optional().meta({ title: camelCaseToHumanReadable("gateway"), description: `The IPv4 gateway for the virtual machine.
+
+ If not specified, will be set to the first address in the subnet.` })
+        })
+      ]).default({ type: "dhcp" }),
+      meta: {
+        description: `The IPv4 address configuration for the virtual machine.`
+      }
+    },
+    /**
+     * The network configuration for the virtual machine.
+     */
+    network: {
+      schema: z.object({
+        /**
+         * The list of DNS servers to use for the virtual machine.
+         */
+        dns: z.string().array().meta({ title: camelCaseToHumanReadable("dns"), description: `The list of DNS servers to use for the virtual machine.` }),
+        /**
+         * The name of the network bridge to connect the virtual machine to.
+         *
+         * By default, this is set to "vmbr0".
+         */
+        bridge: z.string().meta({ title: camelCaseToHumanReadable("bridge"), description: `The name of the network bridge to connect the virtual machine to.
+
+ By default, this is set to "vmbr0".` })
+      }).default({ dns: [], bridge: "vmbr0" }),
+      meta: {
+        description: `The network configuration for the virtual machine.`
+      }
+    },
+    /**
+     * The SSH configuration for the virtual machine.
+     */
+    ssh: {
+      schema: z.object({
+        /**
+         * The port to use for SSH connections to the virtual machine.
+         *
+         * By default, this is set to 22.
+         */
+        port: z.number().meta({ title: camelCaseToHumanReadable("port"), description: `The port to use for SSH connections to the virtual machine.
+
+ By default, this is set to 22.` }),
+        /**
+         * The user to use for SSH connections to the virtual machine.
+         *
+         * By default, this is set to "root".
+         */
+        user: z.string().meta({ title: camelCaseToHumanReadable("user"), description: `The user to use for SSH connections to the virtual machine.
+
+ By default, this is set to "root".` })
+      }).default({ port: 22, user: "root" }),
+      meta: {
+        description: `The SSH configuration for the virtual machine.`
+      }
+    },
+    /**
+     * Whether to wait for the Proxmox agent to be ready before returning.
+     */
+    waitForAgent: {
+      schema: z.boolean().default(true),
+      meta: {
+        description: `Whether to wait for the Proxmox agent to be ready before returning.`
+      }
+    },
+    /**
+     * The cloud-init vendor data to use for the virtual machine.
+     *
+     * Will take precedence over the `vendorData` input.
+     */
+    vendorData: {
+      schema: z.string().optional().meta({ multiline: true }),
+      meta: {
+        description: `The cloud-init vendor data to use for the virtual machine.
+
+ Will take precedence over the \`vendorData\` input.`
+      }
+    }
   },
   secrets: {
-    sshPassword: Type6.Optional(Type6.String())
+    sshPassword: z.string().optional()
   },
   inputs: {
     proxmoxCluster: clusterEntity,
@@ -700,15 +1201,29 @@ var virtualMachine = defineUnit4({
     sshKeyPair: {
       entity: keyPairEntity,
       required: false
+    },
+    /**
+     * The cloud-init vendor data to use for the virtual machine.
+     *
+     * You can provide a cloud-config from the distribution component.
+     */
+    vendorData: {
+      entity: fileEntity,
+      required: false,
+      meta: {
+        description: `The cloud-init vendor data to use for the virtual machine.
+
+ You can provide a cloud-config from the distribution component.`
+      }
     }
   },
   outputs: serverOutputs,
   meta: {
-    displayName: "Proxmox Virtual Machine",
+    title: "Proxmox Virtual Machine",
     description: "The virtual machine on a Proxmox cluster.",
     category: "Proxmox",
-    primaryIcon: "simple-icons:proxmox",
-    primaryIconColor: "#e56901",
+    icon: "simple-icons:proxmox",
+    iconColor: "#e56901",
     secondaryIcon: "codicon:vm"
   },
   source: {
@@ -743,6 +1258,8 @@ __export(k8s_exports, {
   interfaceEntity: () => interfaceEntity,
   internalIpsPolicySchema: () => internalIpsPolicySchema,
   metadataSchema: () => metadataSchema,
+  monitorWorkerParamsSchema: () => monitorWorkerParamsSchema,
+  monitorWorkerResourceGroupSchema: () => monitorWorkerResourceGroupSchema,
   persistentVolumeClaimEntity: () => persistentVolumeClaimEntity,
   resourceSchema: () => resourceSchema,
   scheduleOnMastersPolicyArgs: () => scheduleOnMastersPolicyArgs,
@@ -753,127 +1270,80 @@ __export(k8s_exports, {
   tlsIssuerEntity: () => tlsIssuerEntity,
   tunDevicePolicySchema: () => tunDevicePolicySchema
 });
-import { defineEntity as defineEntity6, defineUnit as defineUnit5, Type as Type7 } from "@highstate/contract";
-import { Literal } from "@sinclair/typebox";
-var fallbackKubeApiAccessSchema = Type7.Object({
-  serverIp: Type7.String(),
-  serverPort: Type7.Number()
+var fallbackKubeApiAccessSchema = z.object({
+  serverIp: z.string(),
+  serverPort: z.number()
 });
-var tunDevicePolicySchema = Type7.Union([
-  Type7.Object({
-    type: Literal("host")
+var tunDevicePolicySchema = z.union([
+  z.object({
+    type: z.literal("host")
   }),
-  Type7.Object({
-    type: Literal("plugin"),
-    resourceName: Type7.String(),
-    resourceValue: Type7.String()
+  z.object({
+    type: z.literal("plugin"),
+    resourceName: z.string(),
+    resourceValue: z.string()
   })
 ]);
-var externalServiceTypeSchema = Type7.StringEnum(["NodePort", "LoadBalancer"]);
-var scheduleOnMastersPolicySchema = Type7.StringEnum(["always", "when-no-workers", "never"]);
-var cniSchema = Type7.StringEnum(["cilium", "other"]);
-var clusterQuirksSchema = Type7.Object({
+var externalServiceTypeSchema = z.enum(["NodePort", "LoadBalancer"]);
+var scheduleOnMastersPolicySchema = z.enum(["always", "when-no-workers", "never"]);
+var cniSchema = z.enum(["cilium", "other"]);
+var clusterQuirksSchema = z.object({
   /**
    * The IP and port of the kube-apiserver available from the cluster.
    *
    * Will be used to create fallback network policy in CNIs which does not support allowing access to the kube-apiserver.
-   *
-   * @schema
    */
-  fallbackKubeApiAccess: {
-    ...Type7.Optional(fallbackKubeApiAccessSchema),
-    description: `The IP and port of the kube-apiserver available from the cluster.
+  fallbackKubeApiAccess: fallbackKubeApiAccessSchema.optional().meta({ title: camelCaseToHumanReadable("fallbackKubeApiAccess"), description: `The IP and port of the kube-apiserver available from the cluster.
 
- Will be used to create fallback network policy in CNIs which does not support allowing access to the kube-apiserver.`
-  },
+ Will be used to create fallback network policy in CNIs which does not support allowing access to the kube-apiserver.` }),
   /**
    * Specifies the policy for using the tun device inside containers.
    *
    * If not provided, the default policy is `host` which assumes just mounting /dev/net/tun from the host.
    *
    * For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.
-   *
-   * @schema
    */
-  tunDevicePolicy: {
-    ...Type7.Optional(tunDevicePolicySchema),
-    description: `Specifies the policy for using the tun device inside containers.
+  tunDevicePolicy: tunDevicePolicySchema.optional().meta({ title: camelCaseToHumanReadable("tunDevicePolicy"), description: `Specifies the policy for using the tun device inside containers.
 
  If not provided, the default policy is \`host\` which assumes just mounting /dev/net/tun from the host.
 
- For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.`
-  },
+ For some runtimes, like Talos's one, the /dev/net/tun device is not available in the host, so the plugin policy should be used.` }),
   /**
    * The service type to use for external services.
    *
    * If not provided, the default service type is `NodePort` since `LoadBalancer` may not be available.
-   *
-   * @schema
    */
-  externalServiceType: {
-    ...Type7.Optional(externalServiceTypeSchema),
-    description: `The service type to use for external services.
+  externalServiceType: externalServiceTypeSchema.optional().meta({ title: camelCaseToHumanReadable("externalServiceType"), description: `The service type to use for external services.
 
- If not provided, the default service type is \`NodePort\` since \`LoadBalancer\` may not be available.`
-  }
+ If not provided, the default service type is \`NodePort\` since \`LoadBalancer\` may not be available.` })
 });
 var clusterInfoProperties = {
   /**
    * The unique identifier of the cluster.
    *
    * Should be defined as a UUID of the `kube-system` namespace which is always present in the cluster.
-   *
-   * @schema
    */
-  id: {
-    ...Type7.String(),
-    description: `The unique identifier of the cluster.
-
- Should be defined as a UUID of the \`kube-system\` namespace which is always present in the cluster.`
-  },
+  id: z.string(),
   /**
    * The name of the cluster.
-   *
-   * @schema
    */
-  name: {
-    ...Type7.String(),
-    description: `The name of the cluster.`
-  },
+  name: z.string(),
   /**
    * The name of the CNI plugin used by the cluster.
    *
    * Supported values are:
    * - `cilium`
    * - `other`
-   *
-   * @schema
    */
-  cni: {
-    ...cniSchema,
-    description: `The name of the CNI plugin used by the cluster.
-
- Supported values are:
- - \`cilium\`
- - \`other\``
-  },
+  cni: cniSchema,
   /**
    * The endpoints of the cluster nodes.
    *
    * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
    *
    * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
-   *
-   * @schema
    */
-  endpoints: {
-    ...Type7.Array(l3EndpointEntity.schema),
-    description: `The endpoints of the cluster nodes.
-
- The entry may represent real node endpoint or virtual endpoint (like a load balancer).
-
- The same node may also be represented by multiple entries (e.g. a node with private and public IP).`
-  },
+  endpoints: l3EndpointEntity.schema.array(),
   /**
    * The endpoints of the API server.
    *
@@ -881,87 +1351,72 @@ var clusterInfoProperties = {
    *
    * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
    */
-  apiEndpoints: Type7.Array(l4EndpointEntity.schema),
+  apiEndpoints: l4EndpointEntity.schema.array(),
   /**
    * The external IPs of the cluster nodes allowed to be used for external access.
-   *
-   * @schema
    */
-  externalIps: {
-    ...Type7.Array(Type7.String()),
-    description: `The external IPs of the cluster nodes allowed to be used for external access.`
-  },
+  externalIps: z.string().array(),
   /**
    * The extra quirks of the cluster to improve compatibility.
-   *
-   * @schema
    */
-  quirks: {
-    ...Type7.Optional(clusterQuirksSchema),
-    description: `The extra quirks of the cluster to improve compatibility.`
-  },
+  quirks: clusterQuirksSchema.optional(),
   /**
    * The extra metadata to attach to the cluster.
-   *
-   * @schema
    */
-  metadata: {
-    ...Type7.Optional(Type7.Record(Type7.String(), Type7.Unknown())),
-    description: `The extra metadata to attach to the cluster.`
-  }
+  metadata: z.record(z.string(), z.unknown()).optional()
 };
-var serviceTypeSchema = Type7.StringEnum(["NodePort", "LoadBalancer", "ClusterIP"]);
-var metadataSchema = Type7.Object({
-  name: Type7.String(),
-  namespace: Type7.String(),
-  labels: Type7.Optional(Type7.Record(Type7.String(), Type7.String())),
-  annotations: Type7.Optional(Type7.Record(Type7.String(), Type7.String()))
-});
-var resourceSchema = Type7.Object({
-  clusterId: Type7.String(),
+var serviceTypeSchema = z.enum(["NodePort", "LoadBalancer", "ClusterIP"]);
+var metadataSchema = z.object({
+  name: z.string(),
+  namespace: z.string(),
+  labels: z.record(z.string(), z.string()).optional(),
+  annotations: z.record(z.string(), z.string()).optional()
+});
+var resourceSchema = z.object({
+  clusterId: z.string(),
   metadata: metadataSchema
 });
-var serviceEntity = defineEntity6({
+var serviceEntity = defineEntity({
   type: "k8s.service",
-  schema: Type7.Object({
-    type: Type7.Literal("k8s.service"),
-    ...resourceSchema.properties,
-    endpoints: Type7.Array(l4EndpointEntity.schema)
+  schema: z.object({
+    type: z.literal("k8s.service"),
+    ...resourceSchema.shape,
+    endpoints: l4EndpointEntity.schema.array()
   }),
   meta: {
     color: "#2196F3"
   }
 });
-var clusterEntity2 = defineEntity6({
+var clusterEntity2 = defineEntity({
   type: "k8s.cluster",
-  schema: Type7.Object({
+  schema: z.object({
     ...clusterInfoProperties,
-    kubeconfig: Type7.String()
+    kubeconfig: z.string()
   }),
   meta: {
     color: "#2196F3"
   }
 });
-var internalIpsPolicySchema = Type7.StringEnum(["always", "public", "never"]);
-var scheduleOnMastersPolicyArgs = {
+var internalIpsPolicySchema = z.enum(["always", "public", "never"]);
+var scheduleOnMastersPolicyArgs = $args({
   /**
    * The policy for scheduling workloads on master nodes.
    *
    * - `always`: always schedule workloads on master nodes regardless of the number of workers;
    * - `when-no-workers`: schedule workloads on master nodes only if there are no workers (default);
    * - `never`: never schedule workloads on master nodes.
-   *
-   * @schema
    */
   scheduleOnMastersPolicy: {
-    ...Type7.Default(scheduleOnMastersPolicySchema, "when-no-workers"),
-    description: `The policy for scheduling workloads on master nodes.
+    schema: scheduleOnMastersPolicySchema.default("when-no-workers"),
+    meta: {
+      description: `The policy for scheduling workloads on master nodes.
 
  - \`always\`: always schedule workloads on master nodes regardless of the number of workers;
  - \`when-no-workers\`: schedule workloads on master nodes only if there are no workers (default);
  - \`never\`: never schedule workloads on master nodes.`
+    }
   }
-};
+});
 var clusterInputs = {
   masters: {
     entity: serverEntity,
@@ -984,21 +1439,21 @@ var clusterOutputs = {
     multiple: true
   }
 };
-var existingCluster = defineUnit5({
+var existingCluster = defineUnit({
   type: "k8s.existing-cluster",
   args: {
     /**
      * The list of external IPs of the cluster nodes allowed to be used for external access.
      *
      * If not provided, will be automatically detected by querying the cluster nodes.
-     *
-     * @schema
      */
     externalIps: {
-      ...Type7.Optional(Type7.Array(Type7.String())),
-      description: `The list of external IPs of the cluster nodes allowed to be used for external access.
+      schema: z.string().array().optional(),
+      meta: {
+        description: `The list of external IPs of the cluster nodes allowed to be used for external access.
 
  If not provided, will be automatically detected by querying the cluster nodes.`
+      }
     },
     /**
      * The policy for using internal IPs of the nodes as external IPs.
@@ -1006,25 +1461,25 @@ var existingCluster = defineUnit5({
      * - `always`: always use internal IPs as external IPs;
      * - `public`: use internal IPs as external IPs only if they are (theoretically) routable from the public internet **(default)**;
      * - `never`: never use internal IPs as external IPs.
-     *
-     * @schema
      */
     internalIpsPolicy: {
-      ...Type7.Default(internalIpsPolicySchema, "public"),
-      description: `The policy for using internal IPs of the nodes as external IPs.
+      schema: internalIpsPolicySchema.default("public"),
+      meta: {
+        description: `The policy for using internal IPs of the nodes as external IPs.
 
  - \`always\`: always use internal IPs as external IPs;
  - \`public\`: use internal IPs as external IPs only if they are (theoretically) routable from the public internet **(default)**;
  - \`never\`: never use internal IPs as external IPs.`
+      }
     },
     /**
      * The extra quirks of the cluster to improve compatibility.
-     *
-     * @schema
      */
     quirks: {
-      ...Type7.Optional(clusterQuirksSchema),
-      description: `The extra quirks of the cluster to improve compatibility.`
+      schema: clusterQuirksSchema.optional(),
+      meta: {
+        description: `The extra quirks of the cluster to improve compatibility.`
+      }
     }
   },
   secrets: {
@@ -1032,21 +1487,21 @@ var existingCluster = defineUnit5({
      * The kubeconfig of the cluster to use for connecting to the cluster.
      *
      * Will be available for all components using `cluster` output of this unit.
-     *
-     * @schema
      */
     kubeconfig: {
-      ...Type7.Record(Type7.String(), Type7.Any()),
-      description: `The kubeconfig of the cluster to use for connecting to the cluster.
+      schema: z.record(z.string(), z.unknown()),
+      meta: {
+        description: `The kubeconfig of the cluster to use for connecting to the cluster.
 
  Will be available for all components using \`cluster\` output of this unit.`
+      }
     }
   },
   outputs: clusterOutputs,
   meta: {
-    displayName: "Existing Cluster",
+    title: "Existing Cluster",
     description: "An existing Kubernetes cluster.",
-    primaryIcon: "devicon:kubernetes",
+    icon: "devicon:kubernetes",
     category: "Kubernetes"
   },
   source: {
@@ -1054,7 +1509,7 @@ var existingCluster = defineUnit5({
     path: "units/existing-cluster"
   }
 });
-var clusterPatch = defineUnit5({
+var clusterPatch = defineUnit({
   type: "k8s.cluster-patch",
   args: {
     /**
@@ -1063,16 +1518,16 @@ var clusterPatch = defineUnit5({
      * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
      *
      * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
-     *
-     * @schema
      */
     apiEndpoints: {
-      ...Type7.Default(Type7.Array(Type7.String()), []),
-      description: `The endpoints of the API server.
+      schema: z.string().array().default([]),
+      meta: {
+        description: `The endpoints of the API server.
 
  The entry may represent real node endpoint or virtual endpoint (like a load balancer).
 
  The same node may also be represented by multiple entries (e.g. a node with private and public IP).`
+      }
     },
     /**
      * The mode to use for patching the API endpoints.
@@ -1080,23 +1535,31 @@ var clusterPatch = defineUnit5({
      * - `prepend`: prepend the new endpoints to the existing ones (default);
      * - `replace`: replace the existing endpoints with the new ones.
      */
-    apiEndpointsPatchMode: Type7.Default(arrayPatchModeSchema, "prepend"),
+    apiEndpointsPatchMode: {
+      schema: arrayPatchModeSchema.default("prepend"),
+      meta: {
+        description: `The mode to use for patching the API endpoints.
+
+ - \`prepend\`: prepend the new endpoints to the existing ones (default);
+ - \`replace\`: replace the existing endpoints with the new ones.`
+      }
+    },
     /**
      * The endpoints of the cluster nodes.
      *
      * The entry may represent real node endpoint or virtual endpoint (like a load balancer).
      *
      * The same node may also be represented by multiple entries (e.g. a node with private and public IP).
-     *
-     * @schema
      */
     endpoints: {
-      ...Type7.Default(Type7.Array(Type7.String()), []),
-      description: `The endpoints of the cluster nodes.
+      schema: z.string().array().default([]),
+      meta: {
+        description: `The endpoints of the cluster nodes.
 
  The entry may represent real node endpoint or virtual endpoint (like a load balancer).
 
  The same node may also be represented by multiple entries (e.g. a node with private and public IP).`
+      }
     },
     /**
      * The mode to use for patching the endpoints.
@@ -1104,7 +1567,15 @@ var clusterPatch = defineUnit5({
      * - `prepend`: prepend the new endpoints to the existing ones (default);
      * - `replace`: replace the existing endpoints with the new ones.
      */
-    endpointsPatchMode: Type7.Default(arrayPatchModeSchema, "prepend")
+    endpointsPatchMode: {
+      schema: arrayPatchModeSchema.default("prepend"),
+      meta: {
+        description: `The mode to use for patching the endpoints.
+
+ - \`prepend\`: prepend the new endpoints to the existing ones (default);
+ - \`replace\`: replace the existing endpoints with the new ones.`
+      }
+    }
   },
   inputs: {
     k8sCluster: clusterEntity2,
@@ -1121,9 +1592,9 @@ var clusterPatch = defineUnit5({
   },
   outputs: clusterOutputs,
   meta: {
-    displayName: "Cluster Patch",
+    title: "Cluster Patch",
     description: "Patches some properties of the cluster.",
-    primaryIcon: "devicon:kubernetes",
+    icon: "devicon:kubernetes",
     secondaryIcon: "fluent:patch-20-filled",
     category: "Kubernetes"
   },
@@ -1132,7 +1603,7 @@ var clusterPatch = defineUnit5({
     path: "units/cluster-patch"
   }
 });
-var clusterDns = defineUnit5({
+var clusterDns = defineUnit({
   type: "k8s.cluster-dns",
   args: {
     ...createArgs(),
@@ -1144,9 +1615,9 @@ var clusterDns = defineUnit5({
   },
   outputs: clusterOutputs,
   meta: {
-    displayName: "Cluster DNS",
+    title: "Cluster DNS",
     description: "Creates DNS records for the cluster and updates endpoints.",
-    primaryIcon: "devicon:kubernetes",
+    icon: "devicon:kubernetes",
     secondaryIcon: "mdi:dns",
     category: "Kubernetes"
   },
@@ -1155,42 +1626,42 @@ var clusterDns = defineUnit5({
     path: "units/cluster-dns"
   }
 });
-var gatewayEntity = defineEntity6({
+var gatewayEntity = defineEntity({
   type: "k8s.gateway",
-  schema: Type7.Object({
-    clusterId: Type7.String(),
-    gatewayClassName: Type7.String(),
-    httpListenerPort: Type7.Number(),
-    httpsListenerPort: Type7.Number(),
-    endpoints: Type7.Array(l3EndpointEntity.schema)
+  schema: z.object({
+    clusterId: z.string(),
+    gatewayClassName: z.string(),
+    httpListenerPort: z.number(),
+    httpsListenerPort: z.number(),
+    endpoints: l3EndpointEntity.schema.array()
   }),
   meta: {
     color: "#4CAF50"
   }
 });
-var tlsIssuerEntity = defineEntity6({
+var tlsIssuerEntity = defineEntity({
   type: "k8s.tls-issuer",
-  schema: Type7.Object({
-    clusterId: Type7.String(),
-    clusterIssuerName: Type7.String()
+  schema: z.object({
+    clusterId: z.string(),
+    clusterIssuerName: z.string()
   }),
   meta: {
     color: "#f06292"
   }
 });
-var accessPointEntity = defineEntity6({
+var accessPointEntity = defineEntity({
   type: "k8s.access-point",
-  schema: Type7.Object({
-    clusterId: Type7.String(),
+  schema: z.object({
+    clusterId: z.string(),
     gateway: gatewayEntity.schema,
     tlsIssuer: tlsIssuerEntity.schema,
-    dnsProviders: Type7.Array(providerEntity.schema)
+    dnsProviders: providerEntity.schema.array()
   }),
   meta: {
     color: "#F57F17"
   }
 });
-var accessPoint = defineUnit5({
+var accessPoint = defineUnit({
   type: "k8s.access-point",
   inputs: {
     gateway: gatewayEntity,
@@ -1204,9 +1675,9 @@ var accessPoint = defineUnit5({
     accessPoint: accessPointEntity
   },
   meta: {
-    displayName: "Access Point",
+    title: "Access Point",
     description: "An access point which can be used to connect to services.",
-    primaryIcon: "mdi:access-point",
+    icon: "mdi:access-point",
     category: "Kubernetes"
   },
   source: {
@@ -1214,7 +1685,7 @@ var accessPoint = defineUnit5({
     path: "units/access-point"
   }
 });
-var certManager = defineUnit5({
+var certManager = defineUnit({
   type: "k8s.cert-manager",
   inputs: {
     k8sCluster: clusterEntity2
@@ -1223,9 +1694,9 @@ var certManager = defineUnit5({
     k8sCluster: clusterEntity2
   },
   meta: {
-    displayName: "Cert Manager",
+    title: "Cert Manager",
     description: "A certificate manager for managing TLS certificates.",
-    primaryIcon: "simple-icons:letsencrypt",
+    icon: "simple-icons:letsencrypt",
     category: "Kubernetes"
   },
   source: {
@@ -1233,21 +1704,21 @@ var certManager = defineUnit5({
     path: "units/cert-manager"
   }
 });
-var dns01TlsIssuer = defineUnit5({
+var dns01TlsIssuer = defineUnit({
   type: "k8s.dns01-issuer",
   args: {
     /**
      * The top-level domains to filter the DNS01 challenge for.
      *
      * If not provided, will use all domains passed to the DNS providers.
-     *
-     * @schema
      */
     domains: {
-      ...Type7.Optional(Type7.Array(Type7.String())),
-      description: `The top-level domains to filter the DNS01 challenge for.
+      schema: z.string().array().optional(),
+      meta: {
+        description: `The top-level domains to filter the DNS01 challenge for.
 
  If not provided, will use all domains passed to the DNS providers.`
+      }
     }
   },
   inputs: {
@@ -1261,9 +1732,9 @@ var dns01TlsIssuer = defineUnit5({
     tlsIssuer: tlsIssuerEntity
   },
   meta: {
-    displayName: "DNS01 Issuer",
+    title: "DNS01 Issuer",
     description: "A TLS issuer for issuing certificate using DNS01 challenge.",
-    primaryIcon: "mdi:certificate",
+    icon: "mdi:certificate",
     category: "Kubernetes"
   },
   source: {
@@ -1271,49 +1742,49 @@ var dns01TlsIssuer = defineUnit5({
     path: "units/dns01-issuer"
   }
 });
-var deploymentEntity = defineEntity6({
+var deploymentEntity = defineEntity({
   type: "k8s.deployment",
-  schema: Type7.Object({
-    type: Type7.Literal("k8s.deployment"),
-    ...resourceSchema.properties,
-    service: Type7.Optional(serviceEntity.schema)
+  schema: z.object({
+    type: z.literal("k8s.deployment"),
+    ...resourceSchema.shape,
+    service: serviceEntity.schema.optional()
   }),
   meta: {
     color: "#4CAF50"
   }
 });
-var statefulSetEntity = defineEntity6({
+var statefulSetEntity = defineEntity({
   type: "k8s.stateful-set",
-  schema: Type7.Object({
-    type: Type7.Literal("k8s.stateful-set"),
-    ...resourceSchema.properties,
+  schema: z.object({
+    type: z.literal("k8s.stateful-set"),
+    ...resourceSchema.shape,
     service: serviceEntity.schema
   }),
   meta: {
     color: "#FFC107"
   }
 });
-var exposableWorkloadEntity = defineEntity6({
+var exposableWorkloadEntity = defineEntity({
   type: "k8s.exposable-workload",
-  schema: Type7.Union([deploymentEntity.schema, statefulSetEntity.schema]),
+  schema: z.union([deploymentEntity.schema, statefulSetEntity.schema]),
   meta: {
     color: "#4CAF50"
   }
 });
-var persistentVolumeClaimEntity = defineEntity6({
+var persistentVolumeClaimEntity = defineEntity({
   type: "k8s.persistent-volume-claim",
-  schema: Type7.Object({
-    type: Type7.Literal("k8s.persistent-volume-claim"),
-    ...resourceSchema.properties
+  schema: z.object({
+    type: z.literal("k8s.persistent-volume-claim"),
+    ...resourceSchema.shape
   }),
   meta: {
     color: "#FFC107"
   }
 });
-var interfaceEntity = defineEntity6({
+var interfaceEntity = defineEntity({
   type: "k8s.interface",
-  schema: Type7.Object({
-    name: Type7.String(),
+  schema: z.object({
+    name: z.string(),
     workload: exposableWorkloadEntity.schema
   }),
   meta: {
@@ -1321,7 +1792,7 @@ var interfaceEntity = defineEntity6({
     description: "The interface in a network space of pod kernel which can accept or transmit packets."
   }
 });
-var gatewayApi = defineUnit5({
+var gatewayApi = defineUnit({
   type: "k8s.gateway-api",
   inputs: {
     k8sCluster: clusterEntity2
@@ -1330,9 +1801,9 @@ var gatewayApi = defineUnit5({
     k8sCluster: clusterEntity2
   },
   meta: {
-    displayName: "Gateway API",
+    title: "Gateway API",
     description: "Installs the Gateway API CRDs to the cluster.",
-    primaryIcon: "devicon:kubernetes",
+    icon: "devicon:kubernetes",
     secondaryIcon: "mdi:api",
     secondaryIconColor: "#4CAF50",
     category: "Kubernetes"
@@ -1342,7 +1813,7 @@ var gatewayApi = defineUnit5({
     path: "units/gateway-api"
   }
 });
-var cilium = defineUnit5({
+var cilium = defineUnit({
   type: "k8s.cilium",
   args: {
     /**
@@ -1352,7 +1823,16 @@ var cilium = defineUnit5({
      *
      * By default, is `false`.
      */
-    allowForbiddenFqdnResolution: Type7.Default(Type7.Boolean(), false)
+    allowForbiddenFqdnResolution: {
+      schema: z.boolean().default(false),
+      meta: {
+        description: `If set to \`true\`, the generated network policy will allow
+ all DNS queries to be resolved, even if they are
+ for forbidden (non-allowed) FQDNs.
+
+ By default, is \`false\`.`
+      }
+    }
   },
   inputs: {
     k8sCluster: clusterEntity2
@@ -1361,9 +1841,9 @@ var cilium = defineUnit5({
     k8sCluster: clusterEntity2
   },
   meta: {
-    displayName: "Cilium",
+    title: "Cilium",
     description: "The Cilium CNI deployed on Kubernetes.",
-    primaryIcon: "simple-icons:cilium",
+    icon: "simple-icons:cilium",
     secondaryIcon: "devicon:kubernetes",
     category: "Kubernetes"
   },
@@ -1372,6 +1852,21 @@ var cilium = defineUnit5({
     path: "unit"
   }
 });
+var monitorWorkerResourceGroupSchema = z.object({
+  type: z.enum(["deployment", "statefulset", "pod", "service"]),
+  namespace: z.string(),
+  names: z.string().array().optional()
+});
+var monitorWorkerParamsSchema = z.object({
+  /**
+   * The ID of the secret containing the kubeconfig of the cluster.
+   */
+  kubeconfigSecretId: z.string().meta({ title: camelCaseToHumanReadable("kubeconfigSecretId"), description: `The ID of the secret containing the kubeconfig of the cluster.` }),
+  /**
+   * The resources to monitor in the cluster.
+   */
+  resourceGroups: monitorWorkerResourceGroupSchema.array().meta({ title: camelCaseToHumanReadable("resourceGroups"), description: `The resources to monitor in the cluster.` })
+});
 
 // src/talos.ts
 var talos_exports = {};
@@ -1381,20 +1876,19 @@ __export(talos_exports, {
   cniSchema: () => cniSchema2,
   csiSchema: () => csiSchema
 });
-import { defineEntity as defineEntity7, defineUnit as defineUnit6, Type as Type8 } from "@highstate/contract";
-var clusterEntity3 = defineEntity7({
+var clusterEntity3 = defineEntity({
   type: "talos.cluster",
-  schema: Type8.Object({
-    clientConfiguration: Type8.String(),
-    machineSecrets: Type8.String()
+  schema: z.object({
+    clientConfiguration: z.string(),
+    machineSecrets: z.string()
   }),
   meta: {
     color: "#2d2d2d"
   }
 });
-var cniSchema2 = Type8.StringEnum(["none", "cilium", "flannel"]);
-var csiSchema = Type8.StringEnum(["none", "local-path-provisioner"]);
-var cluster = defineUnit6({
+var cniSchema2 = z.enum(["none", "cilium", "flannel"]);
+var csiSchema = z.enum(["none", "local-path-provisioner"]);
+var cluster = defineUnit({
   type: "talos.cluster",
   args: {
     ...scheduleOnMastersPolicyArgs,
@@ -1402,14 +1896,14 @@ var cluster = defineUnit6({
      * The name of the cluster.
      *
      * By default, the name of the instance is used.
-     *
-     * @schema
      */
     clusterName: {
-      ...Type8.Optional(Type8.String()),
-      description: `The name of the cluster.
+      schema: z.string().optional(),
+      meta: {
+        description: `The name of the cluster.
 
  By default, the name of the instance is used.`
+      }
     },
     /**
      * The CNI plugin to use.
@@ -1420,12 +1914,11 @@ var cluster = defineUnit6({
      * - "none" (disable CNI, must be installed manually)
      *
      * The "cilium" CNI plugin is recommended to cover advanced network policies like FQDNs.
-     *
-     * @schema
      */
     cni: {
-      ...Type8.Default(cniSchema2, "cilium"),
-      description: `The CNI plugin to use.
+      schema: cniSchema2.default("cilium"),
+      meta: {
+        description: `The CNI plugin to use.
 
  The following options are available:
  - "cilium" (default)
@@ -1433,6 +1926,7 @@ var cluster = defineUnit6({
  - "none" (disable CNI, must be installed manually)
 
  The "cilium" CNI plugin is recommended to cover advanced network policies like FQDNs.`
+      }
     },
     /**
      * The CSI plugin to use.
@@ -1440,49 +1934,49 @@ var cluster = defineUnit6({
      * The following options are available:
      * - "local-path-provisioner" (default)
      * - "none" (disable CSI, must be installed manually if needed)
-     *
-     * @schema
      */
     csi: {
-      ...Type8.Default(csiSchema, "local-path-provisioner"),
-      description: `The CSI plugin to use.
+      schema: csiSchema.default("local-path-provisioner"),
+      meta: {
+        description: `The CSI plugin to use.
 
  The following options are available:
  - "local-path-provisioner" (default)
  - "none" (disable CSI, must be installed manually if needed)`
+      }
     },
     /**
      * The shared configuration patch.
      * It will be applied to all nodes.
-     *
-     * @schema
      */
     sharedConfigPatch: {
-      ...Type8.Optional(Type8.Record(Type8.String(), Type8.Any())),
-      description: `The shared configuration patch.
+      schema: z.record(z.string(), z.any()).optional(),
+      meta: {
+        description: `The shared configuration patch.
  It will be applied to all nodes.`
+      }
     },
     /**
      * The master configuration patch.
      * It will be applied to all master nodes.
-     *
-     * @schema
      */
     masterConfigPatch: {
-      ...Type8.Optional(Type8.Record(Type8.String(), Type8.Any())),
-      description: `The master configuration patch.
+      schema: z.record(z.string(), z.any()).optional(),
+      meta: {
+        description: `The master configuration patch.
  It will be applied to all master nodes.`
+      }
     },
     /**
      * The worker configuration patch.
      * It will be applied to all worker nodes.
-     *
-     * @schema
      */
     workerConfigPatch: {
-      ...Type8.Optional(Type8.Record(Type8.String(), Type8.Any())),
-      description: `The worker configuration patch.
+      schema: z.record(z.string(), z.any()).optional(),
+      meta: {
+        description: `The worker configuration patch.
  It will be applied to all worker nodes.`
+      }
     },
     /**
      * Whether to enable the Tun device plugin.
@@ -1491,7 +1985,16 @@ var cluster = defineUnit6({
      *
      * By default, this option is set to true.
      */
-    enableTunDevicePlugin: Type8.Default(Type8.Boolean(), true)
+    enableTunDevicePlugin: {
+      schema: z.boolean().default(true),
+      meta: {
+        description: `Whether to enable the Tun device plugin.
+
+ There is the only option for Talos to get tun device in containers.
+
+ By default, this option is set to true.`
+      }
+    }
   },
   inputs: clusterInputs,
   outputs: {
@@ -1499,11 +2002,11 @@ var cluster = defineUnit6({
     talosCluster: clusterEntity3
   },
   meta: {
-    displayName: "Talos Cluster",
+    title: "Talos Cluster",
     description: "A Kubernetes cluster managed by Talos.",
     category: "Talos",
     color: "#2d2d2d",
-    primaryIcon: "simple-icons:talos",
+    icon: "simple-icons:talos",
     secondaryIcon: "devicon:kubernetes"
   },
   source: {
@@ -1528,27 +2031,25 @@ __export(wireguard_exports, {
   peerEntity: () => peerEntity,
   peerPatch: () => peerPatch
 });
-import { defineEntity as defineEntity8, defineUnit as defineUnit7, Type as Type9 } from "@highstate/contract";
-import { omit } from "remeda";
-var backendSchema = Type9.StringEnum(["wireguard", "amneziawg"]);
-var networkEntity = defineEntity8({
+var backendSchema = z.enum(["wireguard", "amneziawg"]);
+var networkEntity = defineEntity({
   type: "wireguard.network",
-  schema: Type9.Object({
+  schema: z.object({
     backend: backendSchema,
-    ipv6: Type9.Boolean()
+    ipv6: z.boolean()
   })
 });
-var nodeExposePolicySchema = Type9.StringEnum(["always", "when-has-endpoint", "never"]);
-var peerEntity = defineEntity8({
+var nodeExposePolicySchema = z.enum(["always", "when-has-endpoint", "never"]);
+var peerEntity = defineEntity({
   type: "wireguard.peer",
-  schema: Type9.Object({
-    name: Type9.String(),
-    network: Type9.Optional(networkEntity.schema),
-    publicKey: Type9.String(),
-    address: Type9.Optional(Type9.String()),
-    allowedIps: Type9.Array(Type9.String()),
-    endpoints: Type9.Array(l4EndpointEntity.schema),
-    allowedEndpoints: Type9.Array(Type9.Union([l3EndpointEntity.schema, l4EndpointEntity.schema])),
+  schema: z.object({
+    name: z.string(),
+    network: networkEntity.schema.optional(),
+    publicKey: z.string(),
+    address: z.string().optional(),
+    allowedIps: z.string().array(),
+    endpoints: l4EndpointEntity.schema.array(),
+    allowedEndpoints: z.union([l3EndpointEntity.schema, l4EndpointEntity.schema]).array(),
     /**
      * The pre-shared key of the WireGuard peer.
      *
@@ -1556,32 +2057,38 @@ var peerEntity = defineEntity8({
      *
      * Will be ignored if both peers have `presharedKeyPart` set.
      */
-    presharedKey: Type9.Optional(Type9.String()),
+    presharedKey: z.string().optional().meta({ title: camelCaseToHumanReadable("presharedKey"), description: `The pre-shared key of the WireGuard peer.
+
+ If one of two peers has \`presharedKey\` set, the other peer must have \`presharedKey\` set too and they must be equal.
+
+ Will be ignored if both peers have \`presharedKeyPart\` set.` }),
     /**
      * The pre-shared key part of the WireGuard peer.
      *
      * If both peers have `presharedKeyPart` set, their `presharedKey` will be calculated as XOR of the two parts.
      */
-    presharedKeyPart: Type9.Optional(Type9.String()),
-    excludedIps: Type9.Array(Type9.String()),
-    dns: Type9.Array(Type9.String()),
-    listenPort: Type9.Optional(Type9.Number())
+    presharedKeyPart: z.string().optional().meta({ title: camelCaseToHumanReadable("presharedKeyPart"), description: `The pre-shared key part of the WireGuard peer.
+
+ If both peers have \`presharedKeyPart\` set, their \`presharedKey\` will be calculated as XOR of the two parts.` }),
+    excludedIps: z.string().array(),
+    dns: z.string().array(),
+    listenPort: z.number().optional()
   }),
   meta: {
     color: "#673AB7"
   }
 });
-var identityEntity = defineEntity8({
+var identityEntity = defineEntity({
   type: "wireguard.identity",
-  schema: Type9.Object({
+  schema: z.object({
     peer: peerEntity.schema,
-    privateKey: Type9.String()
+    privateKey: z.string()
   }),
   meta: {
     color: "#F44336"
   }
 });
-var network = defineUnit7({
+var network = defineUnit({
   type: "wireguard.network",
   args: {
     /**
@@ -1592,31 +2099,31 @@ var network = defineUnit7({
      * 2. `amneziawg` - The censorship-resistant fork of WireGuard.
      *
      * By default, the `wireguard` backend is used.
-     *
-     * @schema
      */
     backend: {
-      ...Type9.Default(backendSchema, "wireguard"),
-      description: `The backend to use for the WireGuard network.
+      schema: backendSchema.default("wireguard"),
+      meta: {
+        description: `The backend to use for the WireGuard network.
 
  Possible values are:
  1. \`wireguard\` - The default backend.
  2. \`amneziawg\` - The censorship-resistant fork of WireGuard.
 
  By default, the \`wireguard\` backend is used.`
+      }
     },
     /**
      * The option to enable IPv6 support in the network.
      *
      * By default, IPv6 support is disabled.
-     *
-     * @schema
      */
     ipv6: {
-      ...Type9.Default(Type9.Boolean(), false),
-      description: `The option to enable IPv6 support in the network.
+      schema: z.boolean().default(false),
+      meta: {
+        description: `The option to enable IPv6 support in the network.
 
  By default, IPv6 support is disabled.`
+      }
     }
   },
   outputs: {
@@ -1624,8 +2131,8 @@ var network = defineUnit7({
   },
   meta: {
     description: "The WireGuard network with some shared configuration.",
-    primaryIcon: "simple-icons:wireguard",
-    primaryIconColor: "#88171a",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
     secondaryIcon: "mdi:local-area-network-connect",
     category: "VPN"
   },
@@ -1639,41 +2146,20 @@ var sharedPeerArgs = {
    * The name of the WireGuard peer.
    *
    * If not provided, the peer will be named after the unit.
-   *
-   * @schema
    */
-  peerName: {
-    ...Type9.Optional(Type9.String()),
-    description: `The name of the WireGuard peer.
-
- If not provided, the peer will be named after the unit.`
-  },
+  peerName: z.string().optional(),
   /**
    * The address of the WireGuard interface.
    *
    * The address may be any IPv4 or IPv6 address. CIDR notation is also supported.
-   *
-   * @schema
    */
-  address: {
-    ...Type9.Optional(Type9.String()),
-    description: `The address of the WireGuard interface.
-
- The address may be any IPv4 or IPv6 address. CIDR notation is also supported.`
-  },
+  address: z.string().optional(),
   /**
    * The convenience option to set `allowedIps` to `0.0.0.0/0, ::/0`.
    *
    * Will be merged with the `allowedIps` if provided.
-   *
-   * @schema
    */
-  exitNode: {
-    ...Type9.Default(Type9.Boolean(), false),
-    description: `The convenience option to set \`allowedIps\` to \`0.0.0.0/0, ::/0\`.
-
- Will be merged with the \`allowedIps\` if provided.`
-  },
+  exitNode: z.boolean().default(false),
   /**
    * The list of IP ranges to exclude from the tunnel.
    *
@@ -1682,19 +2168,8 @@ var sharedPeerArgs = {
    * - This list will not be used to generate the allowed IPs for the peer.
    * - Instead, the node will setup extra direct routes to these IPs via default gateway.
    * - This allows to use `0.0.0.0/0, ::/0` in the `allowedIps` (and corresponding fwmark magic) and still have some IPs excluded from the tunnel.
-   *
-   * @schema
    */
-  excludedIps: {
-    ...Type9.Default(Type9.Array(Type9.String()), []),
-    description: `The list of IP ranges to exclude from the tunnel.
-
- Implementation notes:
-
- - This list will not be used to generate the allowed IPs for the peer.
- - Instead, the node will setup extra direct routes to these IPs via default gateway.
- - This allows to use \`0.0.0.0/0, ::/0\` in the \`allowedIps\` (and corresponding fwmark magic) and still have some IPs excluded from the tunnel.`
-  },
+  excludedIps: z.string().array().default([]),
   /**
    * The convenience option to exclude private IPs from the tunnel.
    *
@@ -1710,134 +2185,64 @@ var sharedPeerArgs = {
    * - `fe80::/10`
    *
    * Will be merged with `excludedIps` if provided.
-   *
-   * @schema
    */
-  excludePrivateIps: {
-    ...Type9.Default(Type9.Boolean(), false),
-    description: `The convenience option to exclude private IPs from the tunnel.
-
- For IPv4, the private IPs are:
-
- - \`10.0.0.0/8\`
- - \`172.16.0.0/12\`
- - \`192.168.0.0/16\`
-
- For IPv6, the private IPs are:
-
- - \`fc00::/7\`
- - \`fe80::/10\`
-
- Will be merged with \`excludedIps\` if provided.`
-  },
+  excludePrivateIps: z.boolean().default(false),
   /**
    * The endpoints of the WireGuard peer.
-   *
-   * @schema
    */
-  endpoints: {
-    ...Type9.Default(Type9.Array(Type9.String()), []),
-    description: `The endpoints of the WireGuard peer.`
-  },
+  endpoints: z.string().array().default([]),
   /**
    * The allowed endpoints of the WireGuard peer.
    *
    * The non `hostname` endpoints will be added to the `allowedIps` of the peer.
-   *
-   * @schema
    */
-  allowedEndpoints: {
-    ...Type9.Default(Type9.Array(Type9.String()), []),
-    description: `The allowed endpoints of the WireGuard peer.
-
- The non \`hostname\` endpoints will be added to the \`allowedIps\` of the peer.`
-  },
+  allowedEndpoints: z.string().array().default([]),
   /**
    * The DNS servers that should be used by the interface connected to the WireGuard peer.
    *
    * If multiple peers define DNS servers, the node will merge them into a single list (but this is discouraged).
-   *
-   * @schema
    */
-  dns: {
-    ...Type9.Default(Type9.Array(Type9.String()), []),
-    description: `The DNS servers that should be used by the interface connected to the WireGuard peer.
-
- If multiple peers define DNS servers, the node will merge them into a single list (but this is discouraged).`
-  },
+  dns: z.string().array().default([]),
   /**
    * The convenience option to include the DNS servers to the allowed IPs.
    *
    * By default, is `true`.
-   *
-   * @schema
    */
-  includeDns: {
-    ...Type9.Default(Type9.Boolean(), true),
-    description: `The convenience option to include the DNS servers to the allowed IPs.
-
- By default, is \`true\`.`
-  },
+  includeDns: z.boolean().default(true),
   /**
    * The port to listen on.
-   *
-   * @schema
    */
-  listenPort: {
-    ...Type9.Optional(Type9.Number()),
-    description: `The port to listen on.`
-  }
+  listenPort: z.number().optional()
 };
 var sharedPeerInputs = {
   /**
    * The network to use for the WireGuard identity.
    *
    * If not provided, the identity will use default network configuration.
-   *
-   * @schema
    */
   network: {
-    ...{
-      entity: networkEntity,
-      required: false
-    },
-    description: `The network to use for the WireGuard identity.
-
- If not provided, the identity will use default network configuration.`
+    entity: networkEntity,
+    required: false
   },
   /**
    * The L3 endpoints of the identity.
    *
    * Will produce L4 endpoints for each of the provided L3 endpoints.
-   *
-   * @schema
    */
   l3Endpoints: {
-    ...{
-      entity: l3EndpointEntity,
-      multiple: true,
-      required: false
-    },
-    description: `The L3 endpoints of the identity.
-
- Will produce L4 endpoints for each of the provided L3 endpoints.`
+    entity: l3EndpointEntity,
+    multiple: true,
+    required: false
   },
   /**
    * The L4 endpoints of the identity.
    *
    * Will take priority over all calculated endpoints if provided.
-   *
-   * @schema
    */
   l4Endpoints: {
-    ...{
-      entity: l4EndpointEntity,
-      required: false,
-      multiple: true
-    },
-    description: `The L4 endpoints of the identity.
-
- Will take priority over all calculated endpoints if provided.`
+    entity: l4EndpointEntity,
+    required: false,
+    multiple: true
   },
   /**
    * The L3 endpoints to add to the allowed IPs of the identity.
@@ -1846,40 +2251,22 @@ var sharedPeerInputs = {
    *
    * If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
    * the corresponding network policy will be created.
-   *
-   * @schema
    */
   allowedL3Endpoints: {
-    ...{
-      entity: l3EndpointEntity,
-      multiple: true,
-      required: false
-    },
-    description: `The L3 endpoints to add to the allowed IPs of the identity.
-
- \`hostname\` endpoints will be ignored.
-
- If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
- the corresponding network policy will be created.`
+    entity: l3EndpointEntity,
+    multiple: true,
+    required: false
   },
   /**
    * The L4 endpoints to add to the allowed IPs of the identity.
    *
    * If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
    * the corresponding network policy will be created.
-   *
-   * @schema
    */
   allowedL4Endpoints: {
-    ...{
-      entity: l4EndpointEntity,
-      multiple: true,
-      required: false
-    },
-    description: `The L4 endpoints to add to the allowed IPs of the identity.
-
- If the endpoint contains k8s service metadata of the cluster where the identity node is deployed,
- the corresponding network policy will be created.`
+    entity: l4EndpointEntity,
+    multiple: true,
+    required: false
   }
 };
 var sharedPeerOutputs = {
@@ -1890,37 +2277,37 @@ var sharedPeerOutputs = {
     multiple: true
   }
 };
-var peer = defineUnit7({
+var peer = defineUnit({
   type: "wireguard.peer",
   args: {
     ...sharedPeerArgs,
     /**
      * The public key of the WireGuard peer.
-     *
-     * @schema
      */
     publicKey: {
-      ...Type9.String(),
-      description: `The public key of the WireGuard peer.`
+      schema: z.string(),
+      meta: {
+        description: `The public key of the WireGuard peer.`
+      }
     }
   },
   secrets: {
     /**
      * The pre-shared key which should be used for the peer.
-     *
-     * @schema
      */
     presharedKey: {
-      ...Type9.Optional(Type9.String()),
-      description: `The pre-shared key which should be used for the peer.`
+      schema: z.string().optional(),
+      meta: {
+        description: `The pre-shared key which should be used for the peer.`
+      }
     }
   },
   inputs: sharedPeerInputs,
   outputs: sharedPeerOutputs,
   meta: {
     description: "The WireGuard peer with the public key.",
-    primaryIcon: "simple-icons:wireguard",
-    primaryIconColor: "#88171a",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
     secondaryIcon: "mdi:badge-account-horizontal",
     category: "VPN"
   },
@@ -1929,17 +2316,17 @@ var peer = defineUnit7({
     path: "peer"
   }
 });
-var peerPatch = defineUnit7({
+var peerPatch = defineUnit({
   type: "wireguard.peer-patch",
   args: {
     /**
      * The endpoints of the WireGuard peer.
-     *
-     * @schema
      */
     endpoints: {
-      ...Type9.Default(Type9.Array(Type9.String()), []),
-      description: `The endpoints of the WireGuard peer.`
+      schema: z.string().array().default([]),
+      meta: {
+        description: `The endpoints of the WireGuard peer.`
+      }
     },
     /**
      * The mode to use for patching the endpoints.
@@ -1947,19 +2334,27 @@ var peerPatch = defineUnit7({
      * - `prepend`: prepend the new endpoints to the existing ones (default);
      * - `replace`: replace the existing endpoints with the new ones.
      */
-    endpointsPatchMode: Type9.Default(arrayPatchModeSchema, "prepend"),
+    endpointsPatchMode: {
+      schema: arrayPatchModeSchema.default("prepend"),
+      meta: {
+        description: `The mode to use for patching the endpoints.
+
+ - \`prepend\`: prepend the new endpoints to the existing ones (default);
+ - \`replace\`: replace the existing endpoints with the new ones.`
+      }
+    },
     /**
      * The allowed endpoints of the WireGuard peer.
      *
      * The non `hostname` endpoints will be added to the `allowedIps` of the peer.
-     *
-     * @schema
      */
     allowedEndpoints: {
-      ...Type9.Default(Type9.Array(Type9.String()), []),
-      description: `The allowed endpoints of the WireGuard peer.
+      schema: z.string().array().default([]),
+      meta: {
+        description: `The allowed endpoints of the WireGuard peer.
 
  The non \`hostname\` endpoints will be added to the \`allowedIps\` of the peer.`
+      }
     },
     /**
      * The mode to use for patching the allowed endpoints.
@@ -1967,7 +2362,15 @@ var peerPatch = defineUnit7({
      * - `prepend`: prepend the new endpoints to the existing ones (default);
      * - `replace`: replace the existing endpoints with the new ones.
      */
-    allowedEndpointsPatchMode: Type9.Default(arrayPatchModeSchema, "prepend"),
+    allowedEndpointsPatchMode: {
+      schema: arrayPatchModeSchema.default("prepend"),
+      meta: {
+        description: `The mode to use for patching the allowed endpoints.
+
+ - \`prepend\`: prepend the new endpoints to the existing ones (default);
+ - \`replace\`: replace the existing endpoints with the new ones.`
+      }
+    },
     ...omit(sharedPeerArgs, ["endpoints", "allowedEndpoints"])
   },
   inputs: {
@@ -1983,10 +2386,10 @@ var peerPatch = defineUnit7({
     }
   },
   meta: {
-    displayName: "WireGuard Peer Patch",
+    title: "WireGuard Peer Patch",
     description: "Patches some properties of the WireGuard peer.",
-    primaryIcon: "simple-icons:wireguard",
-    primaryIconColor: "#88171a",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
     secondaryIcon: "mdi:badge-account-horizontal",
     category: "VPN"
   },
@@ -1995,7 +2398,7 @@ var peerPatch = defineUnit7({
     path: "peer-patch"
   }
 });
-var identity = defineUnit7({
+var identity = defineUnit({
   type: "wireguard.identity",
   args: {
     ...sharedPeerArgs,
@@ -2003,14 +2406,14 @@ var identity = defineUnit7({
      * The port to listen on.
      *
      * Used by the implementation of the identity and to calculate the endpoint of the peer.
-     *
-     * @schema
      */
     listenPort: {
-      ...Type9.Optional(Type9.Number()),
-      description: `The port to listen on.
+      schema: z.number().optional(),
+      meta: {
+        description: `The port to listen on.
 
  Used by the implementation of the identity and to calculate the endpoint of the peer.`
+      }
     },
     /**
      * The endpoint of the WireGuard peer.
@@ -2018,16 +2421,16 @@ var identity = defineUnit7({
      * If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
      *
      * Will take priority over all calculated endpoints and `l4Endpoint` input.
-     *
-     * @schema
      */
     endpoints: {
-      ...Type9.Default(Type9.Array(Type9.String()), []),
-      description: `The endpoint of the WireGuard peer.
+      schema: z.string().array().default([]),
+      meta: {
+        description: `The endpoint of the WireGuard peer.
 
  If overridden, does not affect node which implements the identity, but is used in the peer configuration of other nodes.
 
  Will take priority over all calculated endpoints and \`l4Endpoint\` input.`
+      }
     }
   },
   secrets: {
@@ -2035,27 +2438,27 @@ var identity = defineUnit7({
      * The private key of the WireGuard identity.
      *
      * If not provided, the key will be generated automatically.
-     *
-     * @schema
      */
     privateKey: {
-      ...Type9.Optional(Type9.String()),
-      description: `The private key of the WireGuard identity.
+      schema: z.string().optional(),
+      meta: {
+        description: `The private key of the WireGuard identity.
 
  If not provided, the key will be generated automatically.`
+      }
     },
     /**
      * The part of the pre-shared of the WireGuard identity.
      *
      * Will be generated automatically if not provided.
-     *
-     * @schema
      */
     presharedKeyPart: {
-      ...Type9.Optional(Type9.String()),
-      description: `The part of the pre-shared of the WireGuard identity.
+      schema: z.string().optional(),
+      meta: {
+        description: `The part of the pre-shared of the WireGuard identity.
 
  Will be generated automatically if not provided.`
+      }
     }
   },
   inputs: sharedPeerInputs,
@@ -2065,8 +2468,8 @@ var identity = defineUnit7({
   },
   meta: {
     description: "The WireGuard identity with the public key.",
-    primaryIcon: "simple-icons:wireguard",
-    primaryIconColor: "#88171a",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
     secondaryIcon: "mdi:account",
     category: "VPN"
   },
@@ -2075,30 +2478,30 @@ var identity = defineUnit7({
     path: "identity"
   }
 });
-var node = defineUnit7({
+var node = defineUnit({
   type: "wireguard.node",
   args: {
     /**
      * The name of the namespace/deployment/statefulset where the WireGuard node will be deployed.
      *
      * By default, the name is `wg-${identity.name}`.
-     *
-     * @schema
      */
     appName: {
-      ...Type9.Optional(Type9.String()),
-      description: `The name of the namespace/deployment/statefulset where the WireGuard node will be deployed.
+      schema: z.string().optional(),
+      meta: {
+        description: `The name of the namespace/deployment/statefulset where the WireGuard node will be deployed.
 
  By default, the name is \`wg-\${identity.name}\`.`
+      }
     },
     /**
      * Whether to expose the WireGuard node to the outside world.
-     *
-     * @schema
      */
     external: {
-      ...Type9.Default(Type9.Boolean(), false),
-      description: `Whether to expose the WireGuard node to the outside world.`
+      schema: z.boolean().default(false),
+      meta: {
+        description: `Whether to expose the WireGuard node to the outside world.`
+      }
     },
     /**
      * The policy to use for exposing the WireGuard node.
@@ -2109,19 +2512,49 @@ var node = defineUnit7({
      *
      * * By default, the `when-has-endpoint` policy is used.
      */
-    exposePolicy: Type9.Default(nodeExposePolicySchema, "when-has-endpoint"),
+    exposePolicy: {
+      schema: nodeExposePolicySchema.default("when-has-endpoint"),
+      meta: {
+        description: `The policy to use for exposing the WireGuard node.
+
+ - \`always\` - The node will be exposed and the service will be created.
+ - \`when-has-endpoint\` - The node will be exposed only if the provided idenity has at least one endpoint.
+ - \`never\` - The node will not be exposed and the service will not be created.
+
+ * By default, the \`when-has-endpoint\` policy is used.`
+      }
+    },
     /**
      * The extra specification of the container which runs the WireGuard node.
      *
      * Will override any overlapping fields.
-     *
-     * @schema
      */
     containerSpec: {
-      ...Type9.Optional(Type9.Record(Type9.String(), Type9.Any())),
-      description: `The extra specification of the container which runs the WireGuard node.
+      schema: z.record(z.string(), z.unknown()).optional(),
+      meta: {
+        description: `The extra specification of the container which runs the WireGuard node.
 
  Will override any overlapping fields.`
+      }
+    },
+    /**
+     * List of CIDR blocks that should be blocked from forwarding through this WireGuard node.
+     *
+     * This prevents other peers from reaching these destination CIDRs while still allowing
+     * the peers in those CIDRs to access the internet and other allowed endpoints.
+     *
+     * Useful for peer isolation where you want to prevent cross-peer communication.
+     */
+    forwardRestrictedIps: {
+      schema: z.string().array().default([]),
+      meta: {
+        description: `List of CIDR blocks that should be blocked from forwarding through this WireGuard node.
+
+ This prevents other peers from reaching these destination CIDRs while still allowing
+ the peers in those CIDRs to access the internet and other allowed endpoints.
+
+ Useful for peer isolation where you want to prevent cross-peer communication.`
+      }
     }
   },
   inputs: {
@@ -2158,8 +2591,8 @@ var node = defineUnit7({
   },
   meta: {
     description: "The WireGuard node running on the Kubernetes.",
-    primaryIcon: "simple-icons:wireguard",
-    primaryIconColor: "#88171a",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
     secondaryIcon: "mdi:server",
     category: "VPN"
   },
@@ -2168,21 +2601,21 @@ var node = defineUnit7({
     path: "node"
   }
 });
-var config = defineUnit7({
+var config = defineUnit({
   type: "wireguard.config",
   args: {
     /**
      * The name of the "default" interface where non-tunneled traffic should go.
      *
      * If not provided, the config will not respect `excludedIps`.
-     *
-     * @schema
      */
     defaultInterface: {
-      ...Type9.Optional(Type9.String()),
-      description: `The name of the "default" interface where non-tunneled traffic should go.
+      schema: z.string().optional(),
+      meta: {
+        description: `The name of the "default" interface where non-tunneled traffic should go.
 
  If not provided, the config will not respect \`excludedIps\`.`
+      }
     }
   },
   inputs: {
@@ -2194,10 +2627,10 @@ var config = defineUnit7({
     }
   },
   meta: {
-    displayName: "WireGuard Config",
+    title: "WireGuard Config",
     description: "Just the WireGuard configuration for the identity and peers.",
-    primaryIcon: "simple-icons:wireguard",
-    primaryIconColor: "#88171a",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
     secondaryIcon: "mdi:settings",
     category: "VPN"
   },
@@ -2206,7 +2639,7 @@ var config = defineUnit7({
     path: "config"
   }
 });
-var configBundle = defineUnit7({
+var configBundle = defineUnit({
   type: "wireguard.config-bundle",
   inputs: {
     identity: identityEntity,
@@ -2221,10 +2654,10 @@ var configBundle = defineUnit7({
     }
   },
   meta: {
-    displayName: "WireGuard Config Bundle",
+    title: "WireGuard Config Bundle",
     description: "The WireGuard configuration bundle for the identity and peers.",
-    primaryIcon: "simple-icons:wireguard",
-    primaryIconColor: "#88171a",
+    icon: "simple-icons:wireguard",
+    iconColor: "#88171a",
     secondaryIcon: "mdi:folder-settings-variant",
     category: "VPN"
   },
@@ -2264,36 +2697,29 @@ __export(apps_exports, {
   vaultwarden: () => vaultwarden
 });
 
-// src/apps/mariadb.ts
-import { defineEntity as defineEntity10, defineUnit as defineUnit9, Type as Type12 } from "@highstate/contract";
-
-// src/apps/shared.ts
-import { Type as Type11 } from "@highstate/contract";
-
 // src/restic.ts
 var restic_exports = {};
 __export(restic_exports, {
   repo: () => repo,
-  repoEntity: () => repoEntity
+  repositoryEntity: () => repositoryEntity
 });
-import { defineEntity as defineEntity9, defineUnit as defineUnit8, Type as Type10 } from "@highstate/contract";
-var repoEntity = defineEntity9({
-  type: "restic.repo",
-  schema: Type10.Object({
-    remoteEndpoints: Type10.Array(Type10.Union([l3EndpointEntity.schema, l4EndpointEntity.schema])),
-    type: Type10.Literal("rclone"),
-    rcloneConfig: Type10.String(),
-    remoteName: Type10.String(),
-    pathPattern: Type10.String()
+var repositoryEntity = defineEntity({
+  type: "restic.repository",
+  schema: z.object({
+    remoteEndpoints: z.union([l3EndpointEntity.schema, l4EndpointEntity.schema]).array(),
+    type: z.literal("rclone"),
+    rcloneConfig: z.string(),
+    remoteName: z.string(),
+    pathPattern: z.string()
   }),
   meta: {
     color: "#e56901"
   }
 });
-var repo = defineUnit8({
+var repo = defineUnit({
   type: "restic.repo",
   args: {
-    remoteEndpoints: Type10.Default(Type10.Array(Type10.String()), []),
+    remoteEndpoints: z.string().array().default([]),
     /**
      * The pattern for the path where backups will be stored for the specific application.
      *
@@ -2304,12 +2730,11 @@ var repo = defineUnit8({
      * - `$unitName`: The name of the unit, which deploys the application, provided by the user.
      *
      * By default, the path pattern is `backups/$clusterName/$appName`.
-     *
-     * @schema
      */
     pathPattern: {
-      ...Type10.Default(Type10.String(), "backups/$clusterName/$appName"),
-      description: `The pattern for the path where backups will be stored for the specific application.
+      schema: z.string().default("backups/$clusterName/$appName"),
+      meta: {
+        description: `The pattern for the path where backups will be stored for the specific application.
 
  Available variables:
 
@@ -2318,10 +2743,11 @@ var repo = defineUnit8({
  - \`$unitName\`: The name of the unit, which deploys the application, provided by the user.
 
  By default, the path pattern is \`backups/$clusterName/$appName\`.`
+      }
     }
   },
   secrets: {
-    rcloneConfig: Type10.String({ language: "ini" })
+    rcloneConfig: z.string()
   },
   inputs: {
     remoteL3Endpoints: {
@@ -2336,13 +2762,13 @@ var repo = defineUnit8({
     }
   },
   outputs: {
-    repo: repoEntity
+    repo: repositoryEntity
   },
   meta: {
-    displayName: "Restic Repo",
+    title: "Restic Repo",
     description: "Holds the configuration for a Restic repository and its remote storage.",
-    primaryIconColor: "#e56901",
-    primaryIcon: "material-symbols:backup",
+    iconColor: "#e56901",
+    icon: "material-symbols:backup",
     category: "Infrastructure"
   },
   source: {
@@ -2354,24 +2780,24 @@ var repo = defineUnit8({
 // src/apps/shared.ts
 var extraArgsDefinitions = {
   fqdn: {
-    schema: Type11.String()
+    schema: z.string()
   },
   endpoints: {
-    schema: Type11.Array(Type11.String()),
+    schema: z.string().array(),
     required: false
   },
   external: {
-    schema: Type11.Boolean(),
+    schema: z.boolean(),
     required: false
   }
 };
 var extraSecretsDefinitions = {
   rootPassword: {
-    schema: Type11.String(),
+    schema: z.string(),
     required: false
   },
   backupPassword: {
-    schema: Type11.String(),
+    schema: z.string(),
     required: false
   }
 };
@@ -2380,7 +2806,7 @@ var eagerExtraInputDefinitions = {
     entity: accessPointEntity
   },
   resticRepo: {
-    entity: repoEntity,
+    entity: repositoryEntity,
     required: false
   },
   dnsProviders: {
@@ -2398,7 +2824,7 @@ var extraInputDefinitions = {
 };
 function createArgs2(defaultAppName, extraArgs) {
   const base = {
-    appName: Type11.Default(Type11.String(), defaultAppName)
+    appName: z.string().default(defaultAppName)
   };
   const dynamicArgs = {};
   if (Array.isArray(extraArgs)) {
@@ -2483,21 +2909,21 @@ function createSource(path) {
     path
   };
 }
-var databaseSchema = Type11.Object({
-  endpoints: Type11.Array(l4EndpointEntity.schema),
-  service: Type11.Optional(serviceEntity.schema),
-  rootPassword: Type11.String()
+var databaseSchema = z.object({
+  endpoints: l4EndpointEntity.schema.array(),
+  service: serviceEntity.schema.optional(),
+  rootPassword: z.string()
 });
 
 // src/apps/mariadb.ts
-var mariadbEntity = defineEntity10({
+var mariadbEntity = defineEntity({
   type: "apps.mariadb",
   schema: databaseSchema,
   meta: {
     color: "#f06292"
   }
 });
-var mariadb = defineUnit9({
+var mariadb = defineUnit({
   type: "apps.mariadb",
   args: createArgs2("mariadb", ["external"]),
   secrets: createSecrets(["rootPassword", "backupPassword"]),
@@ -2511,9 +2937,9 @@ var mariadb = defineUnit9({
     }
   },
   meta: {
-    displayName: "MariaDB",
+    title: "MariaDB",
     description: "The MariaDB database deployed on Kubernetes.",
-    primaryIcon: "simple-icons:mariadb",
+    icon: "simple-icons:mariadb",
     secondaryIcon: "mdi:database",
     category: "Databases"
   },
@@ -2521,38 +2947,35 @@ var mariadb = defineUnit9({
 });
 extraInputDefinitions.mariadb = {
   entity: mariadbEntity,
-  displayName: "MariaDB"
+  title: "MariaDB"
 };
-var mariadbDatabase = defineUnit9({
+var mariadbDatabase = defineUnit({
   type: "apps.mariadb.database",
   args: {
-    database: Type12.Optional(Type12.String()),
-    username: Type12.Optional(Type12.String())
+    database: z.string().optional(),
+    username: z.string().optional()
   },
   inputs: createInputs(["mariadb"]),
   secrets: {
-    password: Type12.Optional(Type12.String())
+    password: z.string().optional()
   },
   meta: {
-    displayName: "MariaDB Database",
+    title: "MariaDB Database",
     description: "The virtual MariaDB database created on the MariaDB instance. Works only for MariaDB instances deployed on Kubernetes.",
-    primaryIcon: "simple-icons:mariadb",
+    icon: "simple-icons:mariadb",
     secondaryIcon: "mdi:database-plus",
     category: "Databases"
   },
   source: createSource("mariadb/database")
 });
-
-// src/apps/postgresql.ts
-import { defineEntity as defineEntity11, defineUnit as defineUnit10, Type as Type13 } from "@highstate/contract";
-var postgresqlEntity = defineEntity11({
+var postgresqlEntity = defineEntity({
   type: "apps.postgresql",
   schema: databaseSchema,
   meta: {
     color: "#336791"
   }
 });
-var postgresql = defineUnit10({
+var postgresql = defineUnit({
   type: "apps.postgresql",
   args: createArgs2("postgresql", ["external"]),
   secrets: createSecrets(["rootPassword", "backupPassword"]),
@@ -2566,9 +2989,9 @@ var postgresql = defineUnit10({
     }
   },
   meta: {
-    displayName: "PostgreSQL",
+    title: "PostgreSQL",
     description: "The PostgreSQL database deployed on Kubernetes.",
-    primaryIcon: "simple-icons:postgresql",
+    icon: "simple-icons:postgresql",
     secondaryIcon: "mdi:database",
     category: "Databases"
   },
@@ -2576,56 +2999,50 @@ var postgresql = defineUnit10({
 });
 extraInputDefinitions.postgresql = {
   entity: postgresqlEntity,
-  displayName: "PostgreSQL"
+  title: "PostgreSQL"
 };
-var postgresqlDatabase = defineUnit10({
+var postgresqlDatabase = defineUnit({
   type: "apps.postgresql.database",
   args: {
-    database: Type13.Optional(Type13.String()),
-    username: Type13.Optional(Type13.String())
+    database: z.string().optional(),
+    username: z.string().optional()
   },
   secrets: {
-    password: Type13.Optional(Type13.String())
+    password: z.string().optional()
   },
   inputs: createInputs(["postgresql"]),
   meta: {
-    displayName: "PostgreSQL Database",
+    title: "PostgreSQL Database",
     description: "The virtual PostgreSQL database created on the PostgreSQL instance. Works only for PostgreSQL instances deployed on Kubernetes.",
-    primaryIcon: "simple-icons:postgresql",
+    icon: "simple-icons:postgresql",
     secondaryIcon: "mdi:database-plus",
     category: "Databases"
   },
   source: createSource("postgresql/database")
 });
-
-// src/apps/vaultwarden.ts
-import { defineUnit as defineUnit11, Type as Type14 } from "@highstate/contract";
-var vaultwarden = defineUnit11({
+var vaultwarden = defineUnit({
   type: "apps.vaultwarden",
   args: createArgs2("vaultwarden", ["fqdn"]),
   secrets: {
-    mariadbPassword: Type14.Optional(Type14.String())
+    mariadbPassword: z.string().optional()
   },
   inputs: createInputs(["accessPoint", "mariadb"]),
   meta: {
-    displayName: "Vaultwarden",
+    title: "Vaultwarden",
     description: "The Vaultwarden password manager deployed on Kubernetes.",
-    primaryIcon: "simple-icons:vaultwarden",
+    icon: "simple-icons:vaultwarden",
     category: "Security"
   },
   source: createSource("vaultwarden")
 });
-
-// src/apps/mongodb.ts
-import { defineEntity as defineEntity12, defineUnit as defineUnit12, Type as Type15 } from "@highstate/contract";
-var mongodbEntity = defineEntity12({
+var mongodbEntity = defineEntity({
   type: "apps.mongodb",
   schema: databaseSchema,
   meta: {
     color: "#13aa52"
   }
 });
-var mongodb = defineUnit12({
+var mongodb = defineUnit({
   type: "apps.mongodb",
   args: createArgs2("mongodb", ["external"]),
   secrets: createSecrets(["rootPassword", "backupPassword"]),
@@ -2639,9 +3056,9 @@ var mongodb = defineUnit12({
     }
   },
   meta: {
-    displayName: "MongoDB",
+    title: "MongoDB",
     description: "The MongoDB instance deployed on Kubernetes.",
-    primaryIcon: "simple-icons:mongodb",
+    icon: "simple-icons:mongodb",
     secondaryIcon: "mdi:database",
     category: "Databases"
   },
@@ -2649,32 +3066,29 @@ var mongodb = defineUnit12({
 });
 extraInputDefinitions.mongodb = {
   entity: mongodbEntity,
-  displayName: "MongoDB"
+  title: "MongoDB"
 };
-var mongodbDatabase = defineUnit12({
+var mongodbDatabase = defineUnit({
   type: "apps.mongodb.database",
   args: {
-    database: Type15.Optional(Type15.String()),
-    username: Type15.Optional(Type15.String())
+    database: z.string().optional(),
+    username: z.string().optional()
   },
   secrets: {
-    password: Type15.Optional(Type15.String())
+    password: z.string().optional()
   },
   inputs: createInputs(["mongodb"]),
   meta: {
-    displayName: "MongoDB Database",
+    title: "MongoDB Database",
     description: "The virtual MongoDB database created on the MongoDB instance. Works only for MongoDB instances deployed on Kubernetes.",
-    primaryIcon: "simple-icons:mongodb",
+    icon: "simple-icons:mongodb",
     secondaryIcon: "mdi:database-plus",
     category: "Databases"
   },
   source: createSource("mongodb/database")
 });
-
-// src/apps/network.ts
-import { defineUnit as defineUnit13, Type as Type16 } from "@highstate/contract";
-var explicitEndpointFilterSchema = Type16.StringEnum(["public", "external", "internal"]);
-var endpointFilter = defineUnit13({
+var explicitEndpointFilterSchema = z.enum(["public", "external", "internal"]);
+var endpointFilter = defineUnit({
   type: "apps.endpoint-filter",
   args: {
     /**
@@ -2684,7 +3098,16 @@ var endpointFilter = defineUnit13({
      * - `external`: Only external endpoints (e.g. NodePort, LoadBalancer) accessible from outside the cluster, but not from the internet.
      * - `internal`: Only internal endpoints (e.g. ClusterIP) accessible from within the cluster.
      */
-    filter: Type16.Default(explicitEndpointFilterSchema, "public")
+    filter: {
+      schema: explicitEndpointFilterSchema.default("public"),
+      meta: {
+        description: `The filter to apply to the endpoints.
+
+ - \`public\`: Only public endpoints accessible from the internet.
+ - \`external\`: Only external endpoints (e.g. NodePort, LoadBalancer) accessible from outside the cluster, but not from the internet.
+ - \`internal\`: Only internal endpoints (e.g. ClusterIP) accessible from within the cluster.`
+      }
+    }
   },
   inputs: {
     l3Endpoints: {
@@ -2709,20 +3132,17 @@ var endpointFilter = defineUnit13({
     }
   },
   meta: {
-    displayName: "Endpoint Filter",
+    title: "Endpoint Filter",
     description: "Explicitly filter endpoints by their accessibility.",
-    primaryIcon: "mdi:network-outline",
-    primaryIconColor: "#FF9800",
+    icon: "mdi:network-outline",
+    iconColor: "#FF9800",
     secondaryIcon: "mdi:filter-outline",
     category: "Network"
   },
   source: createSource("endpoint-filter")
 });
-
-// src/apps/dns.ts
-import { defineUnit as defineUnit14, Type as Type17 } from "@highstate/contract";
-var endpointFilterSchema2 = Type17.StringEnum(["all", "public", "external", "internal"]);
-var recordSet = defineUnit14({
+var endpointFilterSchema2 = z.enum(["all", "public", "external", "internal"]);
+var recordSet = defineUnit({
   type: "apps.dns-record-set",
   args: {
     /**
@@ -2730,31 +3150,67 @@ var recordSet = defineUnit14({
      *
      * If not provided, will use the name of the unit.
      */
-    recordName: Type17.Optional(Type17.String()),
+    recordName: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The name of the DNS record.
+
+ If not provided, will use the name of the unit.`
+      }
+    },
     /**
      * The type of the DNS record.
      *
      * If not specified, will use the default type for the provider.
      */
-    type: Type17.Optional(Type17.String()),
+    type: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The type of the DNS record.
+
+ If not specified, will use the default type for the provider.`
+      }
+    },
     /**
      * The values of the DNS record.
      */
-    values: Type17.Array(Type17.String()),
+    values: {
+      schema: z.string().array(),
+      meta: {
+        description: `The values of the DNS record.`
+      }
+    },
     /**
      * The TTL of the DNS record.
      */
-    ttl: Type17.Optional(Type17.Number()),
+    ttl: {
+      schema: z.number().optional(),
+      meta: {
+        description: `The TTL of the DNS record.`
+      }
+    },
     /**
      * The priority of the DNS record.
      */
-    priority: Type17.Optional(Type17.Number()),
+    priority: {
+      schema: z.number().optional(),
+      meta: {
+        description: `The priority of the DNS record.`
+      }
+    },
     /**
      * Whether the DNS record is proxied.
      *
      * Available only for public IPs and some DNS providers like Cloudflare.
      */
-    proxied: Type17.Optional(Type17.Boolean()),
+    proxied: {
+      schema: z.boolean().optional(),
+      meta: {
+        description: `Whether the DNS record is proxied.
+
+ Available only for public IPs and some DNS providers like Cloudflare.`
+      }
+    },
     /**
      * The filter to apply to the endpoints.
      *
@@ -2763,7 +3219,17 @@ var recordSet = defineUnit14({
      * - `external`: Only external endpoints (e.g. NodePort, LoadBalancer) accessible from outside the cluster, but not from the internet.
      * - `internal`: Only internal endpoints (e.g. ClusterIP) accessible from within the cluster.
      */
-    endpointFilter: Type17.Default(endpointFilterSchema2, "public")
+    endpointFilter: {
+      schema: endpointFilterSchema2.default("public"),
+      meta: {
+        description: `The filter to apply to the endpoints.
+
+ - \`all\`: All endpoints.
+ - \`public\`: Only public endpoints accessible from the internet (default).
+ - \`external\`: Only external endpoints (e.g. NodePort, LoadBalancer) accessible from outside the cluster, but not from the internet.
+ - \`internal\`: Only internal endpoints (e.g. ClusterIP) accessible from within the cluster.`
+      }
+    }
   },
   inputs: {
     dnsProviders: {
@@ -2785,19 +3251,27 @@ var recordSet = defineUnit14({
     /**
      * The single L3 endpoint representing created DNS records.
      */
-    l3Endpoint: l3EndpointEntity,
+    l3Endpoint: {
+      entity: l3EndpointEntity,
+      meta: {
+        description: `The single L3 endpoint representing created DNS records.`
+      }
+    },
     /**
      * Multiple L4 endpoints representing created DNS records for each unique port/protocol combination from the input L4 endpoints.
      */
     l4Endpoints: {
       entity: l4EndpointEntity,
-      multiple: true
+      multiple: true,
+      meta: {
+        description: `Multiple L4 endpoints representing created DNS records for each unique port/protocol combination from the input L4 endpoints.`
+      }
     }
   },
   meta: {
-    displayName: "DNS Record Set",
+    title: "DNS Record Set",
     description: "A set of DNS records to be created.",
-    primaryIcon: "mdi:server",
+    icon: "mdi:server",
     defaultNamePrefix: "record",
     category: "Network"
   },
@@ -2806,22 +3280,14 @@ var recordSet = defineUnit14({
 var sharedArgs = {
   /**
    * The FQDN to register the cluster nodes with.
-   *
-   * @schema
    */
-  fqdn: {
-    ...Type17.Optional(Type17.String()),
-    description: `The FQDN to register the cluster nodes with.`
-  }
+  fqdn: z.string().optional()
 };
-
-// src/apps/traefik.ts
-import { defineUnit as defineUnit15, Type as Type18 } from "@highstate/contract";
-var traefikGateway = defineUnit15({
+var traefikGateway = defineUnit({
   type: "apps.traefik-gateway",
   args: {
     ...createArgs2("traefik", ["external"]),
-    className: Type18.Optional(Type18.String())
+    className: z.string().optional()
   },
   inputs: createInputs(),
   outputs: {
@@ -2833,9 +3299,9 @@ var traefikGateway = defineUnit15({
     }
   },
   meta: {
-    displayName: "Traefik Gateway",
+    title: "Traefik Gateway",
     description: "A Traefik gateway for routing traffic to services.",
-    primaryIcon: "simple-icons:traefikproxy",
+    icon: "simple-icons:traefikproxy",
     category: "Network"
   },
   source: {
@@ -2843,83 +3309,71 @@ var traefikGateway = defineUnit15({
     path: "traefik"
   }
 });
-
-// src/apps/kubernetes-dashboard.ts
-import { defineUnit as defineUnit16 } from "@highstate/contract";
-var kubernetesDashboard = defineUnit16({
+var kubernetesDashboard = defineUnit({
   type: "apps.kubernetes-dashboard",
   args: createArgs2("kubernetes-dashboard", ["fqdn"]),
   inputs: createInputs(["accessPoint"]),
   meta: {
-    displayName: "Kubernetes Dashboard",
+    title: "Kubernetes Dashboard",
     description: "The Kubernetes Dashboard deployed on Kubernetes.",
-    primaryIcon: "devicon:kubernetes",
+    icon: "devicon:kubernetes",
     secondaryIcon: "material-symbols:dashboard",
     category: "Kubernetes"
   },
   source: createSource("kubernetes-dashboard")
 });
-
-// src/apps/grocy.ts
-import { defineUnit as defineUnit17 } from "@highstate/contract";
-var grocy = defineUnit17({
+var grocy = defineUnit({
   type: "apps.grocy",
   args: createArgs2("grocy", ["fqdn"]),
   secrets: createSecrets(["backupPassword"]),
   inputs: createInputs(["accessPoint", "resticRepo"]),
   meta: {
-    displayName: "Grocy",
+    title: "Grocy",
     description: "Grocy is a web-based self-hosted groceries & household management solution for your home.",
-    primaryIcon: "simple-icons:grocy",
+    icon: "simple-icons:grocy",
     category: "Productivity"
   },
   source: createSource("grocy")
 });
-
-// src/apps/maybe.ts
-import { defineUnit as defineUnit18, Type as Type19 } from "@highstate/contract";
-var maybe = defineUnit18({
+var maybe = defineUnit({
   type: "apps.maybe",
   args: createArgs2("maybe", ["fqdn"]),
   secrets: {
     ...createSecrets(["backupPassword"]),
-    postgresqlPassword: Type19.Optional(Type19.String()),
-    secretKey: Type19.Optional(Type19.String())
+    postgresqlPassword: z.string().optional(),
+    secretKey: z.string().optional()
   },
   inputs: createInputs(["accessPoint", "resticRepo", "postgresql"]),
   meta: {
-    displayName: "Maybe",
+    title: "Maybe",
     description: "The OS for your personal finances.",
-    primaryIcon: "arcticons:finance-manager",
+    icon: "arcticons:finance-manager",
     category: "Finance"
   },
   source: createSource("maybe")
 });
-
-// src/apps/deployment.ts
-import { defineUnit as defineUnit19, Type as Type20 } from "@highstate/contract";
-var deployment = defineUnit19({
+var deployment = defineUnit({
   type: "apps.deployment",
   args: {
-    appName: Type20.Optional(Type20.String()),
-    fqdn: Type20.Optional(Type20.String()),
-    serviceType: Type20.Optional(serviceTypeSchema),
-    image: Type20.Optional(Type20.String()),
-    port: Type20.Optional(Type20.Number()),
-    replicas: Type20.Optional(Type20.Number()),
-    dataPath: Type20.Optional(Type20.String()),
-    env: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
-    mariadbEnvMapping: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
-    postgresqlEnvMapping: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
-    mongodbEnvMapping: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
-    manifest: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
-    serviceManifest: Type20.Optional(Type20.Record(Type20.String(), Type20.Any())),
-    httpRouteManifest: Type20.Optional(Type20.Record(Type20.String(), Type20.Any()))
+    appName: z.string().optional(),
+    fqdn: z.string().optional(),
+    serviceType: serviceTypeSchema.optional(),
+    image: z.string().optional(),
+    port: z.number().optional(),
+    replicas: z.number().optional(),
+    dataPath: z.string().optional(),
+    env: z.record(z.string(), z.any()).optional(),
+    mariadbEnvMapping: z.record(z.string(), z.any()).optional(),
+    postgresqlEnvMapping: z.record(z.string(), z.any()).optional(),
+    mongodbEnvMapping: z.record(z.string(), z.any()).optional(),
+    manifest: z.record(z.string(), z.any()).optional(),
+    serviceManifest: z.record(z.string(), z.any()).optional(),
+    httpRouteManifest: z.record(z.string(), z.any()).optional()
   },
   secrets: {
-    mariadbPassword: Type20.Optional(Type20.String()),
-    postgresqlPassword: Type20.Optional(Type20.String()),
-    mongodbPassword: Type20.Optional(Type20.String())
+    mariadbPassword: z.string().optional(),
+    postgresqlPassword: z.string().optional(),
+    mongodbPassword: z.string().optional()
   },
   inputs: createInputs([
     "accessPoint",
@@ -2934,19 +3388,16 @@ var deployment = defineUnit19({
     service: serviceEntity
   },
   meta: {
-    displayName: "Kubernetes Deployment",
+    title: "Kubernetes Deployment",
     description: "A generic Kubernetes deployment with optional service and gateway routes.",
-    primaryIcon: "devicon:kubernetes",
+    icon: "devicon:kubernetes",
     secondaryIcon: "mdi:cube-outline",
     category: "Kubernetes"
   },
   source: createSource("deployment")
 });
-
-// src/apps/syncthing.ts
-import { defineUnit as defineUnit20, Type as Type21 } from "@highstate/contract";
-var backupModeSchema = Type21.StringEnum(["state", "full"]);
-var syncthing = defineUnit20({
+var backupModeSchema = z.enum(["state", "full"]);
+var syncthing = defineUnit({
   type: "apps.syncthing",
   args: {
     ...createArgs2("syncthing", ["fqdn", "external"]),
@@ -2956,7 +3407,15 @@ var syncthing = defineUnit20({
      * The `fqdn` argument unlike this one points to the gateway and used to
      * access the Syncthing Web UI.
      */
-    deviceFqdn: Type21.Optional(Type21.String()),
+    deviceFqdn: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The FQDN of the Syncthing instance used to sync with other devices.
+
+ The \`fqdn\` argument unlike this one points to the gateway and used to
+ access the Syncthing Web UI.`
+      }
+    },
     /**
      * The backup mode to use for the Syncthing instance.
      *
@@ -2966,7 +3425,18 @@ var syncthing = defineUnit20({
      *
      * The default is `state`.
      */
-    backupMode: Type21.Default(backupModeSchema, "state")
+    backupMode: {
+      schema: backupModeSchema.default("state"),
+      meta: {
+        description: `The backup mode to use for the Syncthing instance.
+
+ - \`state\`: Only the state is backed up. When the instance is restored, it will
+ sync files from the other devices automatically.
+ - \`full\`: A full backup is created including all files.
+
+ The default is \`state\`.`
+      }
+    }
   },
   secrets: createSecrets(["backupPassword"]),
   inputs: createInputs(["accessPoint", "resticRepo", "volume"]),
@@ -2979,23 +3449,20 @@ var syncthing = defineUnit20({
     }
   },
   meta: {
-    displayName: "Syncthing",
+    title: "Syncthing",
     description: "The Syncthing instance deployed on Kubernetes.",
-    primaryIcon: "simple-icons:syncthing",
+    icon: "simple-icons:syncthing",
     category: "File Sync"
   },
   source: createSource("syncthing")
 });
-
-// src/apps/code-server.ts
-import { defineUnit as defineUnit21, Type as Type22 } from "@highstate/contract";
-var codeServer = defineUnit21({
+var codeServer = defineUnit({
   type: "apps.code-server",
   args: createArgs2("code-server", ["fqdn"]),
   secrets: {
     ...createSecrets(["backupPassword"]),
-    password: Type22.Optional(Type22.String()),
-    sudoPassword: Type22.Optional(Type22.String())
+    password: z.string().optional(),
+    sudoPassword: z.string().optional()
   },
   inputs: createInputs(["accessPoint", "resticRepo", "dnsProviders", "volume"]),
   outputs: {
@@ -3003,9 +3470,9 @@ var codeServer = defineUnit21({
     volume: persistentVolumeClaimEntity
   },
   meta: {
-    displayName: "Code Server",
+    title: "Code Server",
     description: "The Code Server instance deployed on Kubernetes.",
-    primaryIcon: "material-icon-theme:vscode",
+    icon: "material-icon-theme:vscode",
     category: "Development"
   },
   source: {
@@ -3013,17 +3480,14 @@ var codeServer = defineUnit21({
     path: "code-server"
   }
 });
-
-// src/apps/hubble.ts
-import { defineUnit as defineUnit22 } from "@highstate/contract";
-var hubble = defineUnit22({
+var hubble = defineUnit({
   type: "apps.hubble",
   args: createArgs2("hubble", ["fqdn"]),
   inputs: createInputs(["accessPoint"]),
   meta: {
-    displayName: "Hubble",
+    title: "Hubble",
     description: "Exposes Hubble UI to the user. It must be already installed in the cluster as part of the Cilium.",
-    primaryIcon: "mdi:eye",
+    icon: "mdi:eye",
     secondaryIcon: "simple-icons:cilium",
     category: "Observability"
   },
@@ -3035,19 +3499,18 @@ var cloudflare_exports = {};
 __export(cloudflare_exports, {
   connection: () => connection2
 });
-import { defineUnit as defineUnit23, Type as Type23 } from "@highstate/contract";
-var connection2 = defineUnit23({
+var connection2 = defineUnit({
   type: "cloudflare.connection",
   secrets: {
-    apiToken: Type23.String()
+    apiToken: z.string()
   },
   outputs: {
     dnsProvider: providerEntity
   },
   meta: {
-    displayName: "Cloudflare Connection",
+    title: "Cloudflare Connection",
     description: "Creates a new Cloudflare connection for one zone.",
-    primaryIcon: "simple-icons:cloudflare",
+    icon: "simple-icons:cloudflare",
     category: "Cloudflare"
   },
   source: {
@@ -3065,7 +3528,6 @@ __export(k3s_exports, {
   internalComponents: () => internalComponents,
   packagedComponents: () => packagedComponents
 });
-import { defineUnit as defineUnit24, Type as Type24 } from "@highstate/contract";
 var packagedComponents = [
   "coredns",
   "servicelb",
@@ -3081,69 +3543,69 @@ var internalComponents = [
   "network-policy",
   "helm-controller"
 ];
-var componentSchema = Type24.StringEnum([...packagedComponents, ...internalComponents]);
-var cniSchema3 = Type24.StringEnum(["none", "flannel"]);
-var cluster2 = defineUnit24({
+var componentSchema = z.enum([...packagedComponents, ...internalComponents]);
+var cniSchema3 = z.enum(["none", "flannel"]);
+var cluster2 = defineUnit({
   type: "k3s.cluster",
   args: {
     /**
      * The components to disable in the K3S cluster.
-     *
-     * @schema
      */
     disabledComponents: {
-      ...Type24.Default(Type24.Array(componentSchema), []),
-      description: `The components to disable in the K3S cluster.`
+      schema: componentSchema.array().default([]),
+      meta: {
+        description: `The components to disable in the K3S cluster.`
+      }
     },
     /**
      * The CNI to use in the K3S cluster.
      *
      * Setting this to "none" will disable default Flannel CNI, but will not disable network policy controller and kube-proxy.
      * If needed, you can disable them using `disabledComponents` argument.
-     *
-     * @schema
      */
     cni: {
-      ...Type24.Default(cniSchema3, "flannel"),
-      description: `The CNI to use in the K3S cluster.
+      schema: cniSchema3.default("flannel"),
+      meta: {
+        description: `The CNI to use in the K3S cluster.
 
  Setting this to "none" will disable default Flannel CNI, but will not disable network policy controller and kube-proxy.
  If needed, you can disable them using \`disabledComponents\` argument.`
+      }
     },
     /**
      * The K3S configuration to pass to each server or agent in the cluster.
      *
      * See: https://docs.k3s.io/installation/configuration
-     *
-     * @schema
      */
     config: {
-      ...Type24.Optional(Type24.Record(Type24.String(), Type24.Any())),
-      description: `The K3S configuration to pass to each server or agent in the cluster.
+      schema: z.record(z.string(), z.any()).optional(),
+      meta: {
+        description: `The K3S configuration to pass to each server or agent in the cluster.
 
  See: https://docs.k3s.io/installation/configuration`
+      }
     },
     /**
      * The configuration of the registries to use for the K3S cluster.
      *
      * See: https://docs.k3s.io/installation/private-registry
-     *
-     * @schema
      */
     registries: {
-      ...Type24.Optional(Type24.Record(Type24.String(), Type24.Any())),
-      description: `The configuration of the registries to use for the K3S cluster.
+      schema: z.record(z.string(), z.any()).optional(),
+      meta: {
+        description: `The configuration of the registries to use for the K3S cluster.
 
  See: https://docs.k3s.io/installation/private-registry`
+      }
     }
   },
   inputs: clusterInputs,
   outputs: clusterOutputs,
   meta: {
-    displayName: "K3s Cluster",
+    title: "K3s Cluster",
     description: "The K3s cluster created on top of the server.",
     category: "k3s",
-    primaryIcon: "devicon:k3s",
+    icon: "devicon:k3s",
     secondaryIcon: "devicon:kubernetes"
   },
   source: {
@@ -3157,19 +3619,18 @@ var mullvad_exports = {};
 __export(mullvad_exports, {
   peer: () => peer2
 });
-import { defineUnit as defineUnit25, Type as Type25 } from "@highstate/contract";
-var peer2 = defineUnit25({
+var peer2 = defineUnit({
   type: "mullvad.peer",
   args: {
-    hostname: Type25.Optional(Type25.String()),
+    hostname: z.string().optional(),
     /**
      * Whether to include Mullvad DNS servers in the peer configuration.
-     *
-     * @schema
      */
     includeDns: {
-      ...Type25.Default(Type25.Boolean(), true),
-      description: `Whether to include Mullvad DNS servers in the peer configuration.`
+      schema: z.boolean().default(true),
+      meta: {
+        description: `Whether to include Mullvad DNS servers in the peer configuration.`
+      }
     }
   },
   inputs: {
@@ -3177,17 +3638,15 @@ var peer2 = defineUnit25({
      * The network to use for the WireGuard peer.
      *
      * If not provided, the peer will use default network configuration.
-     *
-     * @schema
      */
     network: {
-      ...{
-        entity: networkEntity,
-        required: false
-      },
-      description: `The network to use for the WireGuard peer.
+      entity: networkEntity,
+      required: false,
+      meta: {
+        description: `The network to use for the WireGuard peer.
 
  If not provided, the peer will use default network configuration.`
+      }
     }
   },
   outputs: {
@@ -3198,9 +3657,9 @@ var peer2 = defineUnit25({
     }
   },
   meta: {
-    displayName: "Mullvad Peer",
+    title: "Mullvad Peer",
     description: "The Mullvad WireGuard peer fetched from the Mullvad API.",
-    primaryIcon: "simple-icons:mullvad",
+    icon: "simple-icons:mullvad",
     secondaryIcon: "cib:wireguard",
     secondaryIconColor: "#88171a",
     category: "VPN"
@@ -3218,26 +3677,25 @@ __export(timeweb_exports, {
   connectionEntity: () => connectionEntity,
   virtualMachine: () => virtualMachine2
 });
-import { defineEntity as defineEntity13, defineUnit as defineUnit26, Type as Type26 } from "@highstate/contract";
-var connectionEntity = defineEntity13({
+var connectionEntity = defineEntity({
   type: "timeweb.connection",
-  schema: Type26.Object({
-    name: Type26.String(),
-    apiToken: Type26.String()
+  schema: z.object({
+    name: z.string(),
+    apiToken: z.string()
   })
 });
-var connection3 = defineUnit26({
+var connection3 = defineUnit({
   type: "timeweb.connection",
   secrets: {
-    apiToken: Type26.String()
+    apiToken: z.string()
   },
   outputs: {
     connection: connectionEntity
   },
   meta: {
-    displayName: "Timeweb Connection",
+    title: "Timeweb Connection",
     description: "Creates a new Timeweb connection.",
-    primaryIcon: "material-symbols:cloud",
+    icon: "material-symbols:cloud",
     category: "Timeweb"
   },
   source: {
@@ -3245,12 +3703,12 @@ var connection3 = defineUnit26({
     path: "connection"
   }
 });
-var virtualMachine2 = defineUnit26({
+var virtualMachine2 = defineUnit({
   type: "timeweb.virtual-machine",
   args: {
-    presetId: Type26.Optional(Type26.Number()),
-    osId: Type26.Optional(Type26.Number()),
-    availabilityZone: Type26.String()
+    presetId: z.number().optional(),
+    osId: z.number().optional(),
+    availabilityZone: z.string()
   },
   inputs: {
     connection: connectionEntity,
@@ -3260,15 +3718,15 @@ var virtualMachine2 = defineUnit26({
     }
   },
   secrets: {
-    sshPrivateKey: Type26.Optional(Type26.String())
+    sshPrivateKey: z.string().optional()
   },
   outputs: {
     server: serverEntity
   },
   meta: {
-    displayName: "Timeweb Virtual Machine",
+    title: "Timeweb Virtual Machine",
     description: "Creates a new Timeweb virtual machine.",
-    primaryIcon: "material-symbols:cloud",
+    icon: "material-symbols:cloud",
     secondaryIcon: "codicon:vm",
     category: "Timeweb"
   },
@@ -3281,45 +3739,60 @@ var virtualMachine2 = defineUnit26({
 // src/nixos.ts
 var nixos_exports = {};
 __export(nixos_exports, {
-  flakeEntity: () => flakeEntity,
   inlineFlake: () => inlineFlake,
   inlineModule: () => inlineModule,
-  inlineModuleEntity: () => inlineModuleEntity,
-  remoteFlake: () => remoteFlake,
   system: () => system
 });
-import { defineEntity as defineEntity14, defineUnit as defineUnit27, Type as Type27 } from "@highstate/contract";
-var inlineModuleEntity = defineEntity14({
-  type: "nixos.inline-module",
-  schema: Type27.Object({
-    code: Type27.String()
-  }),
-  meta: {
-    displayName: "NixOS Inline Module",
-    description: "The NixOS module reference.",
-    color: "#5277c3"
-  }
-});
-var inlineModule = defineUnit27({
+var inlineModule = defineUnit({
   type: "nixos.inline-module",
   args: {
-    code: Type27.String({ language: "nix" })
+    /**
+     * The name of the module file.
+     *
+     * If not provided, the name will be the name of the unit.
+     */
+    moduleName: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The name of the module file.
+
+ If not provided, the name will be the name of the unit.`
+      }
+    },
+    /**
+     * The code of the NixOS module.
+     *
+     * In this code you can reference other modules and files by their names.
+     */
+    code: {
+      schema: z.string().meta({ language: "nix" }),
+      meta: {
+        description: `The code of the NixOS module.
+
+ In this code you can reference other modules and files by their names.`
+      }
+    }
   },
   inputs: {
     files: {
       entity: fileEntity,
       required: false,
       multiple: true
+    },
+    folders: {
+      entity: folderEntity,
+      required: false,
+      multiple: true
     }
   },
   outputs: {
-    module: inlineModuleEntity
+    folder: folderEntity
   },
   meta: {
-    displayName: "NixOS Inline Module",
+    title: "NixOS Inline Module",
     description: "Creates a NixOS module from inline code.",
-    primaryIcon: "simple-icons:nixos",
-    primaryIconColor: "#7ebae4",
+    icon: "simple-icons:nixos",
+    iconColor: "#7ebae4",
     secondaryIcon: "mdi:file-code",
     category: "NixOS"
   },
@@ -3328,69 +3801,56 @@ var inlineModule = defineUnit27({
     path: "inline-module"
   }
 });
-var flakeEntity = defineEntity14({
-  type: "nixos.flake",
-  schema: Type27.Object({
-    url: Type27.String()
-  }),
-  meta: {
-    displayName: "NixOS Flake",
-    description: "The NixOS flake reference.",
-    color: "#5277c3"
-  }
-});
-var remoteFlake = defineUnit27({
-  type: "nixos.remote-flake",
-  args: {
-    url: Type27.String()
-  },
-  outputs: {
-    flake: flakeEntity
-  },
-  meta: {
-    displayName: "NixOS Remote Flake",
-    description: "References a remote NixOS flake.",
-    primaryIcon: "simple-icons:nixos",
-    primaryIconColor: "#7ebae4",
-    secondaryIcon: "simple-icons:git",
-    secondaryIconColor: "#f1502f",
-    category: "NixOS"
-  },
-  source: {
-    package: "@highstate/nixos",
-    path: "flake"
-  }
-});
-var inlineFlake = defineUnit27({
+var inlineFlake = defineUnit({
   type: "nixos.inline-flake",
   args: {
-    code: Type27.String({ language: "nix" })
+    /**
+     * The name of the flake folder.
+     *
+     * If not provided, the name will be the name of the unit.
+     */
+    flakeName: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The name of the flake folder.
+
+ If not provided, the name will be the name of the unit.`
+      }
+    },
+    /**
+     * The code of the `flake.nix` file.
+     *
+     * In this code you can reference other flakes, modules, files, and folders by their names.
+     */
+    code: {
+      schema: z.string().meta({ language: "nix" }),
+      meta: {
+        description: `The code of the \`flake.nix\` file.
+
+ In this code you can reference other flakes, modules, files, and folders by their names.`
+      }
+    }
   },
   inputs: {
-    flakes: {
-      entity: flakeEntity,
-      required: false,
-      multiple: true
-    },
-    modules: {
-      entity: inlineModuleEntity,
+    files: {
+      entity: fileEntity,
       required: false,
       multiple: true
     },
-    files: {
-      entity: fileEntity,
+    folders: {
+      entity: folderEntity,
       required: false,
       multiple: true
     }
   },
   outputs: {
-    flake: flakeEntity
+    folder: folderEntity
   },
   meta: {
-    displayName: "NixOS Inline Flake",
+    title: "NixOS Inline Flake",
     description: "Creates a NixOS flake from inline code.",
-    primaryIcon: "simple-icons:nixos",
-    primaryIconColor: "#7ebae4",
+    icon: "simple-icons:nixos",
+    iconColor: "#7ebae4",
     secondaryIcon: "mdi:file-code",
     category: "NixOS"
   },
@@ -3399,28 +3859,23 @@ var inlineFlake = defineUnit27({
     path: "inline-flake"
   }
 });
-var system = defineUnit27({
+var system = defineUnit({
   type: "nixos.system",
   args: {
-    system: Type27.Optional(Type27.String())
+    system: z.string().optional()
   },
   inputs: {
-    flake: flakeEntity,
     server: serverEntity,
-    modules: {
-      entity: inlineModuleEntity,
-      required: false,
-      multiple: true
-    }
+    flake: folderEntity
   },
   outputs: {
     server: serverEntity
   },
   meta: {
-    displayName: "NixOS System",
+    title: "NixOS System",
     description: "Creates a NixOS system on top of any server.",
-    primaryIcon: "simple-icons:nixos",
-    primaryIconColor: "#7ebae4",
+    icon: "simple-icons:nixos",
+    iconColor: "#7ebae4",
     secondaryIcon: "codicon:vm",
     category: "NixOS"
   },
@@ -3435,11 +3890,10 @@ var sops_exports = {};
 __export(sops_exports, {
   secrets: () => secrets
 });
-import { defineUnit as defineUnit28, Type as Type28 } from "@highstate/contract";
-var secrets = defineUnit28({
+var secrets = defineUnit({
   type: "sops.secrets",
-  args: {
-    secrets: Type28.Record(Type28.String(), Type28.Any())
+  secrets: {
+    data: z.record(z.string(), z.any())
   },
   inputs: {
     servers: {
@@ -3452,9 +3906,9 @@ var secrets = defineUnit28({
     file: fileEntity
   },
   meta: {
-    displayName: "SOPS Secrets",
+    title: "SOPS Secrets",
     description: "Encrypts secrets using SOPS for the specified servers.",
-    primaryIcon: "mdi:file-lock",
+    icon: "mdi:file-lock",
     category: "Secrets"
   },
   source: {
@@ -3470,165 +3924,168 @@ __export(obfuscators_exports, {
   obfuscatorSpec: () => obfuscatorSpec,
   phantun: () => phantun_exports
 });
-
-// src/obfuscators/shared.ts
-import { Type as Type29 } from "@highstate/contract";
 var deobfuscatorSpec = {
-  args: {
+  args: $args({
     /**
      * The name of the namespace and deployment to deploy the deobfuscator on.
      *
      * By default, calculated as `deobfs-{type}-{name}`.
      */
-    appName: Type29.Optional(Type29.String()),
+    appName: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The name of the namespace and deployment to deploy the deobfuscator on.
+
+ By default, calculated as \`deobfs-{type}-{name}\`.`
+      }
+    },
     /**
      * The L4 endpoint to forward deobfuscated traffic to.
      *
      * Will take precedence over the `targetEndpoint` input.
-     *
-     * @schema
      */
     targetEndpoints: {
-      ...Type29.Default(Type29.Array(Type29.String()), []),
-      description: `The L4 endpoint to forward deobfuscated traffic to.
+      schema: z.string().array().default([]),
+      meta: {
+        description: `The L4 endpoint to forward deobfuscated traffic to.
 
  Will take precedence over the \`targetEndpoint\` input.`
+      }
     },
     /**
      * Whether to expose the deobfuscator service by "NodePort" or "LoadBalancer".
      *
      * By default, the service is not exposed and only accessible from within the cluster.
-     *
-     * @schema
      */
     external: {
-      ...Type29.Default(Type29.Boolean(), false),
-      description: `Whether to expose the deobfuscator service by "NodePort" or "LoadBalancer".
+      schema: z.boolean().default(false),
+      meta: {
+        description: `Whether to expose the deobfuscator service by "NodePort" or "LoadBalancer".
 
  By default, the service is not exposed and only accessible from within the cluster.`
+      }
     }
-  },
-  inputs: {
+  }),
+  inputs: $inputs({
     /**
      * The Kubernetes cluster to deploy the deobfuscator on.
-     *
-     * @schema
      */
     k8sCluster: {
-      ...clusterEntity2,
-      description: `The Kubernetes cluster to deploy the deobfuscator on.`
+      entity: clusterEntity2,
+      meta: {
+        description: `The Kubernetes cluster to deploy the deobfuscator on.`
+      }
     },
     /**
      * The L4 endpoints to forward deobfuscated traffic to.
      *
      * Will select the most appropriate endpoint based on the environment.
-     *
-     * @schema
      */
     targetEndpoints: {
-      ...{
-        entity: l4EndpointEntity,
-        required: false,
-        multiple: true
-      },
-      description: `The L4 endpoints to forward deobfuscated traffic to.
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true,
+      meta: {
+        description: `The L4 endpoints to forward deobfuscated traffic to.
 
  Will select the most appropriate endpoint based on the environment.`
+      }
     }
-  },
-  outputs: {
+  }),
+  outputs: $outputs({
     /**
      * The L4 endpoints of the deobfuscator accepting obfuscated traffic.
-     *
-     * @schema
      */
     endpoints: {
-      ...{
-        entity: l4EndpointEntity,
-        required: false,
-        multiple: true
-      },
-      description: `The L4 endpoints of the deobfuscator accepting obfuscated traffic.`
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true,
+      meta: {
+        description: `The L4 endpoints of the deobfuscator accepting obfuscated traffic.`
+      }
     }
-  }
+  })
 };
 var obfuscatorSpec = {
-  args: {
+  args: $args({
     /**
      * The name of the namespace and deployment to deploy the obfuscator on.
      *
      * By default, calculated as `obfs-{type}-{name}`.
      */
-    appName: Type29.Optional(Type29.String()),
+    appName: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The name of the namespace and deployment to deploy the obfuscator on.
+
+ By default, calculated as \`obfs-{type}-{name}\`.`
+      }
+    },
     /**
      * The endpoint of the deobfuscator to pass obfuscated traffic to.
      *
      * Will take precedence over the `endpoint` input.
-     *
-     * @schema
      */
     endpoints: {
-      ...Type29.Default(Type29.Array(Type29.String()), []),
-      description: `The endpoint of the deobfuscator to pass obfuscated traffic to.
+      schema: z.string().array().default([]),
+      meta: {
+        description: `The endpoint of the deobfuscator to pass obfuscated traffic to.
 
  Will take precedence over the \`endpoint\` input.`
+      }
     },
     /**
      * Whether to expose the obfuscator service by "NodePort" or "LoadBalancer".
      *
      * By default, the service is not exposed and only accessible from within the cluster.
-     *
-     * @schema
      */
     external: {
-      ...Type29.Default(Type29.Boolean(), false),
-      description: `Whether to expose the obfuscator service by "NodePort" or "LoadBalancer".
+      schema: z.boolean().default(false),
+      meta: {
+        description: `Whether to expose the obfuscator service by "NodePort" or "LoadBalancer".
 
  By default, the service is not exposed and only accessible from within the cluster.`
+      }
     }
-  },
-  inputs: {
+  }),
+  inputs: $inputs({
     /**
      * The Kubernetes cluster to deploy the obfuscator on.
-     *
-     * @schema
      */
     k8sCluster: {
-      ...clusterEntity2,
-      description: `The Kubernetes cluster to deploy the obfuscator on.`
+      entity: clusterEntity2,
+      meta: {
+        description: `The Kubernetes cluster to deploy the obfuscator on.`
+      }
     },
     /**
      * The L4 endpoints of the deobfuscator to pass obfuscated traffic to.
      *
      * Will select the most appropriate endpoint based on the environment.
-     *
-     * @schema
      */
     endpoints: {
-      ...{
-        entity: l4EndpointEntity,
-        required: false,
-        multiple: true
-      },
-      description: `The L4 endpoints of the deobfuscator to pass obfuscated traffic to.
+      entity: l4EndpointEntity,
+      required: false,
+      multiple: true,
+      meta: {
+        description: `The L4 endpoints of the deobfuscator to pass obfuscated traffic to.
 
  Will select the most appropriate endpoint based on the environment.`
+      }
     }
-  },
-  outputs: {
+  }),
+  outputs: $outputs({
     /**
      * The L4 endpoints accepting unobfuscated traffic.
-     *
-     * @schema
      */
     entryEndpoints: {
-      ...{
-        entity: l4EndpointEntity,
-        multiple: true
-      },
-      description: `The L4 endpoints accepting unobfuscated traffic.`
+      entity: l4EndpointEntity,
+      multiple: true,
+      meta: {
+        description: `The L4 endpoints accepting unobfuscated traffic.`
+      }
     }
-  }
+  })
 };
 
 // src/obfuscators/phantun.ts
@@ -3637,14 +4094,13 @@ __export(phantun_exports, {
   deobfuscator: () => deobfuscator,
   obfuscator: () => obfuscator
 });
-import { defineUnit as defineUnit29 } from "@highstate/contract";
-var deobfuscator = defineUnit29({
+var deobfuscator = defineUnit({
   type: "obfuscators.phantun.deobfuscator",
   ...deobfuscatorSpec,
   meta: {
-    displayName: "Phantun Deobfuscator",
+    title: "Phantun Deobfuscator",
     description: "The Phantun Deobfuscator deployed on Kubernetes.",
-    primaryIcon: "mdi:network-outline",
+    icon: "mdi:network-outline",
     secondaryIcon: "mdi:hide",
     category: "Obfuscators"
   },
@@ -3653,13 +4109,13 @@ var deobfuscator = defineUnit29({
     path: "phantun/deobfuscator"
   }
 });
-var obfuscator = defineUnit29({
+var obfuscator = defineUnit({
   type: "obfuscators.phantun.obfuscator",
   ...obfuscatorSpec,
   meta: {
-    displayName: "Phantun Obfuscator",
+    title: "Phantun Obfuscator",
     description: "The Phantun Obfuscator deployed on Kubernetes.",
-    primaryIcon: "mdi:network-outline",
+    icon: "mdi:network-outline",
     secondaryIcon: "mdi:hide",
     category: "Obfuscators"
   },
@@ -3668,25 +4124,119 @@ var obfuscator = defineUnit29({
     path: "phantun/obfuscator"
   }
 });
-export {
-  apps_exports as apps,
-  arrayPatchModeSchema,
-  cloudflare_exports as cloudflare,
-  common_exports as common,
-  dns_exports as dns,
-  k3s_exports as k3s,
-  k8s_exports as k8s,
-  mullvad_exports as mullvad,
-  network_exports as network,
-  nixos_exports as nixos,
-  obfuscators_exports as obfuscators,
-  prefixKeysWith,
-  proxmox_exports as proxmox,
-  restic_exports as restic,
-  sops_exports as sops,
-  ssh_exports as ssh,
-  talos_exports as talos,
-  timeweb_exports as timeweb,
-  wireguard_exports as wireguard
-};
+
+// src/distributions/index.ts
+var distributions_exports = {};
+__export(distributions_exports, {
+  ubuntu: () => ubuntu,
+  ubuntuArchitectureSchema: () => ubuntuArchitectureSchema,
+  ubuntuVersionSchema: () => ubuntuVersionSchema
+});
+var ubuntuVersionSchema = z.enum(["22.04", "24.04", "24.10", "25.04", "25.10"]);
+var ubuntuArchitectureSchema = z.enum(["amd64", "arm64"]);
+var ubuntu = defineUnit({
+  type: "distributions.ubuntu",
+  args: {
+    version: ubuntuVersionSchema.default("24.04"),
+    architecture: ubuntuArchitectureSchema.default("amd64")
+  },
+  outputs: {
+    image: fileEntity,
+    cloudConfig: fileEntity
+  },
+  meta: {
+    title: "Ubuntu",
+    description: "Ubuntu distribution with image and cloud-config.",
+    icon: "mdi:ubuntu",
+    iconColor: "#E95420",
+    category: "Distributions"
+  },
+  source: {
+    package: "@highstate/distributions",
+    path: "ubuntu"
+  }
+});
+
+// src/git.ts
+var git_exports = {};
+__export(git_exports, {
+  remoteRepository: () => remoteRepository
+});
+var remoteRepository = defineUnit({
+  type: "git.remote-repository",
+  args: {
+    /**
+     * The URL of the remote repository.
+     */
+    url: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The URL of the remote repository.`
+      }
+    },
+    /**
+     * The ref of the remote repository to checkout.
+     *
+     * If not specified, the default branch will be used.
+     */
+    ref: {
+      schema: z.string().optional(),
+      meta: {
+        description: `The ref of the remote repository to checkout.
+
+ If not specified, the default branch will be used.`
+      }
+    },
+    /**
+     * Whether to include the .git directory in the packed artifact.
+     *
+     * Do not enable this unless you need the full git history.
+     */
+    includeGit: {
+      schema: z.boolean().default(false),
+      meta: {
+        description: `Whether to include the .git directory in the packed artifact.
+
+ Do not enable this unless you need the full git history.`
+      }
+    }
+  },
+  inputs: {
+    /**
+     * The L7 endpoint of the remote repository.
+     */
+    endpoint: {
+      entity: l7EndpointEntity,
+      required: false,
+      meta: {
+        description: `The L7 endpoint of the remote repository.`
+      }
+    }
+  },
+  outputs: {
+    /**
+     * The folder containing the repository content.
+     */
+    folder: {
+      entity: folderEntity,
+      meta: {
+        description: `The folder containing the repository content.`
+      }
+    }
+  },
+  meta: {
+    title: "Git Remote Repository",
+    description: "References a remote Git repository.",
+    icon: "simple-icons:git",
+    iconColor: "#f1502f",
+    category: "Git"
+  },
+  source: {
+    package: "@highstate/git",
+    path: "remote-repository"
+  }
+});
+
+export { apps_exports as apps, arrayPatchModeSchema, cloudflare_exports as cloudflare, common_exports as common, distributions_exports as distributions, dns_exports as dns, git_exports as git, k3s_exports as k3s, k8s_exports as k8s, mullvad_exports as mullvad, network_exports as network, nixos_exports as nixos, obfuscators_exports as obfuscators, prefixKeysWith, proxmox_exports as proxmox, restic_exports as restic, sops_exports as sops, ssh_exports as ssh, talos_exports as talos, timeweb_exports as timeweb, wireguard_exports as wireguard };
+//# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map