@reyemtech/nimbus 0.1.0

package/dist/esm/network/cidr.js

@@ -0,0 +1,189 @@
+"use strict";
+/**
+ * CIDR utilities for multi-cloud network planning.
+ *
+ * Provides overlap detection, auto-offset for non-conflicting CIDRs,
+ * and validation for multi-cloud VPC peering/mesh scenarios.
+ *
+ * @module network/cidr
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseCidr = parseCidr;
+exports.formatIp = formatIp;
+exports.cidrsOverlap = cidrsOverlap;
+exports.detectOverlaps = detectOverlaps;
+exports.validateNoOverlaps = validateNoOverlaps;
+exports.autoOffsetCidrs = autoOffsetCidrs;
+exports.buildCidrMap = buildCidrMap;
+const types_1 = require("../types");
+/**
+ * Parse a CIDR string into its numeric components.
+ *
+ * @param cidr - CIDR notation string (e.g., "10.0.0.0/16")
+ * @returns Parsed CIDR with start/end addresses
+ * @throws {CidrError} If the CIDR string is malformed
+ */
+function parseCidr(cidr) {
+    const match = /^(\d+)\.(\d+)\.(\d+)\.(\d+)\/(\d+)$/.exec(cidr);
+    if (!match) {
+        throw new types_1.CidrError(`Invalid CIDR notation: "${cidr}"`, "CIDR_INVALID", [cidr]);
+    }
+    const octets = [
+        parseInt(match[1] ?? "0", 10),
+        parseInt(match[2] ?? "0", 10),
+        parseInt(match[3] ?? "0", 10),
+        parseInt(match[4] ?? "0", 10),
+    ];
+    const prefix = parseInt(match[5] ?? "0", 10);
+    if (octets.some((o) => o < 0 || o > 255) || prefix < 0 || prefix > 32) {
+        throw new types_1.CidrError(`Invalid CIDR values: "${cidr}"`, "CIDR_INVALID", [cidr]);
+    }
+    const network = ((octets[0] ?? 0) << 24) |
+        ((octets[1] ?? 0) << 16) |
+        ((octets[2] ?? 0) << 8) |
+        (octets[3] ?? 0);
+    const size = 1 << (32 - prefix);
+    const mask = ~(size - 1);
+    const start = (network & mask) >>> 0;
+    const end = (start + size - 1) >>> 0;
+    return { network: start, prefix, size, start, end };
+}
+/**
+ * Format a numeric IP address back to dotted notation.
+ *
+ * @param ip - 32-bit unsigned integer IP address
+ * @returns Dotted decimal string
+ */
+function formatIp(ip) {
+    return `${(ip >>> 24) & 0xff}.${(ip >>> 16) & 0xff}.${(ip >>> 8) & 0xff}.${ip & 0xff}`;
+}
+/**
+ * Check if two CIDR ranges overlap.
+ *
+ * @param a - First CIDR string
+ * @param b - Second CIDR string
+ * @returns True if ranges overlap
+ */
+function cidrsOverlap(a, b) {
+    const pa = parseCidr(a);
+    const pb = parseCidr(b);
+    return pa.start <= pb.end && pb.start <= pa.end;
+}
+/**
+ * Detect overlaps in a set of CIDRs.
+ *
+ * @param cidrs - Array of CIDR strings to check
+ * @returns Array of overlapping pairs, empty if no conflicts
+ */
+function detectOverlaps(cidrs) {
+    const overlaps = [];
+    for (let i = 0; i < cidrs.length; i++) {
+        for (let j = i + 1; j < cidrs.length; j++) {
+            const a = cidrs[i];
+            const b = cidrs[j];
+            if (a && b && cidrsOverlap(a, b)) {
+                overlaps.push([a, b]);
+            }
+        }
+    }
+    return overlaps;
+}
+/**
+ * Validate that a set of CIDRs do not overlap.
+ *
+ * @param cidrs - Array of CIDR strings
+ * @throws {CidrError} If any CIDRs overlap
+ */
+function validateNoOverlaps(cidrs) {
+    const overlaps = detectOverlaps(cidrs);
+    if (overlaps.length > 0) {
+        const pairs = overlaps.map(([a, b]) => `${a} <-> ${b}`).join(", ");
+        throw new types_1.CidrError(`CIDR overlap detected: ${pairs}. Multi-cloud VPC peering requires non-overlapping ranges.`, "CIDR_OVERLAP", cidrs);
+    }
+}
+/**
+ * Auto-generate non-overlapping CIDRs for multiple clouds.
+ *
+ * Uses 10.{offset}.0.0/16 pattern with configurable base and step.
+ *
+ * @param count - Number of CIDRs to generate
+ * @param options - Base octet and step between CIDRs
+ * @returns Array of non-overlapping CIDR strings
+ *
+ * @example
+ * ```typescript
+ * autoOffsetCidrs(3); // ["10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"]
+ * autoOffsetCidrs(2, { base: 10, step: 10 }); // ["10.10.0.0/16", "10.20.0.0/16"]
+ * ```
+ */
+function autoOffsetCidrs(count, options) {
+    const base = options?.base ?? 0;
+    const step = options?.step ?? 1;
+    const prefix = options?.prefix ?? 16;
+    const cidrs = [];
+    for (let i = 0; i < count; i++) {
+        const secondOctet = base + i * step;
+        if (secondOctet > 255) {
+            throw new types_1.CidrError(`Cannot generate ${count} non-overlapping /16 CIDRs: second octet exceeds 255 at index ${i}`, "CIDR_INVALID");
+        }
+        cidrs.push(`10.${secondOctet}.0.0/${prefix}`);
+    }
+    return cidrs;
+}
+/**
+ * Build a CIDR map for named clouds from explicit values or auto-offset.
+ *
+ * If explicit CIDRs are provided for all clouds, validates no overlaps.
+ * For missing clouds, auto-generates non-overlapping CIDRs.
+ *
+ * @param clouds - Array of cloud names
+ * @param explicit - Explicit CIDR assignments (partial or full)
+ * @returns Complete CIDR map keyed by cloud name
+ *
+ * @example
+ * ```typescript
+ * buildCidrMap(["aws", "azure"], { aws: "10.0.0.0/16" });
+ * // { aws: "10.0.0.0/16", azure: "10.1.0.0/16" }
+ * ```
+ */
+function buildCidrMap(clouds, explicit) {
+    const result = {};
+    const usedCidrs = [];
+    // First, assign explicit CIDRs
+    for (const cloud of clouds) {
+        const cidr = explicit?.[cloud];
+        if (cidr) {
+            result[cloud] = cidr;
+            usedCidrs.push(cidr);
+        }
+    }
+    // Validate explicit CIDRs don't overlap
+    if (usedCidrs.length > 1) {
+        validateNoOverlaps(usedCidrs);
+    }
+    // Auto-assign remaining clouds with non-overlapping CIDRs
+    const remaining = clouds.filter((c) => !result[c]);
+    if (remaining.length > 0) {
+        // Find a base that doesn't overlap with existing CIDRs
+        let base = 0;
+        for (const existing of usedCidrs) {
+            const parsed = parseCidr(existing);
+            const secondOctet = (parsed.start >>> 16) & 0xff;
+            if (secondOctet >= base) {
+                base = secondOctet + 1;
+            }
+        }
+        const autoCidrs = autoOffsetCidrs(remaining.length, { base });
+        for (let i = 0; i < remaining.length; i++) {
+            const cloud = remaining[i];
+            const cidr = autoCidrs[i];
+            if (cloud && cidr) {
+                result[cloud] = cidr;
+            }
+        }
+        // Final validation
+        validateNoOverlaps(Object.values(result));
+    }
+    return result;
+}
+//# sourceMappingURL=cidr.js.map

package/dist/esm/network/cidr.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cidr.js","sourceRoot":"","sources":["../../../src/network/cidr.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;AAoBH,8BA6BC;AAQD,4BAEC;AASD,oCAIC;AAQD,wCAcC;AAQD,gDAUC;AAiBD,0CAqBC;AAkBD,oCAgDC;AAtND,oCAAqC;AAWrC;;;;;;GAMG;AACH,SAAgB,SAAS,CAAC,IAAY;IACpC,MAAM,KAAK,GAAG,qCAAqC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,iBAAS,CAAC,2BAA2B,IAAI,GAAG,EAAE,cAAc,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,MAAM,GAAG;QACb,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC;QAC7B,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC;QAC7B,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC;QAC7B,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC;KAC9B,CAAC;IACF,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;IAE7C,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,IAAI,MAAM,GAAG,CAAC,IAAI,MAAM,GAAG,EAAE,EAAE,CAAC;QACtE,MAAM,IAAI,iBAAS,CAAC,yBAAyB,IAAI,GAAG,EAAE,cAAc,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;IAChF,CAAC;IAED,MAAM,OAAO,GACX,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QACxB,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QACxB,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACnB,MAAM,IAAI,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,MAAM,CAAC,CAAC;IAChC,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;IACzB,MAAM,KAAK,GAAG,CAAC,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,CAAC,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAErC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AACtD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,QAAQ,CAAC,EAAU;IACjC,OAAO,GAAG,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,IAAI,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,IAAI,IAAI,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,IAAI,IAAI,EAAE,GAAG,IAAI,EAAE,CAAC;AACzF,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,YAAY,CAAC,CAAS,EAAE,CAAS;IAC/C,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IACxB,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IACxB,OAAO,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,GAAG,CAAC;AAClD,CAAC;AAED;;;;;GAKG;AACH,SAAgB,cAAc,CAAC,KAA4B;IACzD,MAAM,QAAQ,GAAuB,EAAE,CAAC;IAExC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1C,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACnB,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACnB,IAAI,CAAC,IAAI,CAAC,IAAI,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;gBACjC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;;GAKG;AACH,SAAgB,kBAAkB,CAAC,KAA4B;IAC7D,MAAM,QAAQ,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,MAAM,IAAI,iBAAS,CACjB,0BAA0B,KAAK,4DAA4D,EAC3F,cAAc,EACd,KAAK,CACN,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAgB,eAAe,CAC7B,KAAa,EACb,OAA2D;IAE3D,MAAM,IAAI,GAAG,OAAO,EAAE,IAAI,IAAI,CAAC,CAAC;IAChC,MAAM,IAAI,GAAG,OAAO,EAAE,IAAI,IAAI,CAAC,CAAC;IAChC,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM,IAAI,EAAE,CAAC;IAErC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC;QAC/B,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC;QACpC,IAAI,WAAW,GAAG,GAAG,EAAE,CAAC;YACtB,MAAM,IAAI,iBAAS,CACjB,mBAAmB,KAAK,iEAAiE,CAAC,EAAE,EAC5F,cAAc,CACf,CAAC;QACJ,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,MAAM,WAAW,QAAQ,MAAM,EAAE,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,YAAY,CAC1B,MAA6B,EAC7B,QAA2C;IAE3C,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,+BAA+B;IAC/B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,QAAQ,EAAE,CAAC,KAAK,CAAC,CAAC;QAC/B,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;YACrB,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC;IAED,0DAA0D;IAC1D,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IACnD,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,uDAAuD;QACvD,IAAI,IAAI,GAAG,CAAC,CAAC;QACb,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;YACnC,MAAM,WAAW,GAAG,CAAC,MAAM,CAAC,KAAK,KAAK,EAAE,CAAC,GAAG,IAAI,CAAC;YACjD,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;gBACxB,IAAI,GAAG,WAAW,GAAG,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAED,MAAM,SAAS,GAAG,eAAe,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1C,MAAM,KAAK,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;YAC3B,MAAM,IAAI,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;YAC1B,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;gBAClB,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC;YACvB,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,kBAAkB,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/esm/network/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Network module — VPC/VNet provisioning abstraction.
+ *
+ * @module network
+ */
+export type { NatStrategy, ISubnetConfig, INetworkConfig, INetwork } from "./interfaces";
+export { parseCidr, formatIp, cidrsOverlap, detectOverlaps, validateNoOverlaps, autoOffsetCidrs, buildCidrMap, } from "./cidr";
+//# sourceMappingURL=index.d.ts.map

package/dist/esm/network/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/network/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAEzF,OAAO,EACL,SAAS,EACT,QAAQ,EACR,YAAY,EACZ,cAAc,EACd,kBAAkB,EAClB,eAAe,EACf,YAAY,GACb,MAAM,QAAQ,CAAC"}

package/dist/esm/network/index.js

@@ -0,0 +1,17 @@
+"use strict";
+/**
+ * Network module — VPC/VNet provisioning abstraction.
+ *
+ * @module network
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildCidrMap = exports.autoOffsetCidrs = exports.validateNoOverlaps = exports.detectOverlaps = exports.cidrsOverlap = exports.formatIp = exports.parseCidr = void 0;
+var cidr_1 = require("./cidr");
+Object.defineProperty(exports, "parseCidr", { enumerable: true, get: function () { return cidr_1.parseCidr; } });
+Object.defineProperty(exports, "formatIp", { enumerable: true, get: function () { return cidr_1.formatIp; } });
+Object.defineProperty(exports, "cidrsOverlap", { enumerable: true, get: function () { return cidr_1.cidrsOverlap; } });
+Object.defineProperty(exports, "detectOverlaps", { enumerable: true, get: function () { return cidr_1.detectOverlaps; } });
+Object.defineProperty(exports, "validateNoOverlaps", { enumerable: true, get: function () { return cidr_1.validateNoOverlaps; } });
+Object.defineProperty(exports, "autoOffsetCidrs", { enumerable: true, get: function () { return cidr_1.autoOffsetCidrs; } });
+Object.defineProperty(exports, "buildCidrMap", { enumerable: true, get: function () { return cidr_1.buildCidrMap; } });
+//# sourceMappingURL=index.js.map

package/dist/esm/network/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/network/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAIH,+BAQgB;AAPd,iGAAA,SAAS,OAAA;AACT,gGAAA,QAAQ,OAAA;AACR,oGAAA,YAAY,OAAA;AACZ,sGAAA,cAAc,OAAA;AACd,0GAAA,kBAAkB,OAAA;AAClB,uGAAA,eAAe,OAAA;AACf,oGAAA,YAAY,OAAA"}

package/dist/esm/network/interfaces.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Network interfaces for @reyemtech/nimbus.
+ *
+ * Abstracts VPC (AWS), VNet (Azure), and VPC (GCP) provisioning.
+ * Includes NAT strategy options (managed, fck-nat, none) and
+ * CIDR overlap detection for multi-cloud deployments.
+ *
+ * @module network/interfaces
+ */
+import type * as pulumi from "@pulumi/pulumi";
+import type { CloudArg, ResolvedCloudTarget } from "../types";
+/** NAT gateway strategy. */
+export type NatStrategy = "managed" | "fck-nat" | "none";
+/** Subnet configuration. */
+export interface ISubnetConfig {
+    readonly cidr: string;
+    readonly availabilityZone?: string;
+    readonly public?: boolean;
+}
+/**
+ * Network configuration input.
+ *
+ * @example
+ * ```typescript
+ * const config: INetworkConfig = {
+ *   cloud: "aws",
+ *   cidr: "10.0.0.0/16",
+ *   natStrategy: "fck-nat", // ~$97/mo savings vs managed NAT
+ * };
+ * ```
+ */
+export interface INetworkConfig {
+    readonly cloud: CloudArg;
+    /** CIDR block for the VPC/VNet. Optional for hosted K8s without custom networking (e.g. Rackspace Spot). */
+    readonly cidr?: string;
+    readonly publicSubnets?: ReadonlyArray<ISubnetConfig>;
+    readonly privateSubnets?: ReadonlyArray<ISubnetConfig>;
+    readonly natStrategy?: NatStrategy;
+    readonly enableDnsHostnames?: boolean;
+    readonly enableDnsSupport?: boolean;
+    readonly tags?: Readonly<Record<string, string>>;
+}
+/**
+ * Network output — the created VPC/VNet resource.
+ *
+ * Use `nativeResource` for cloud-specific network operations.
+ */
+export interface INetwork {
+    readonly name: string;
+    readonly cloud: ResolvedCloudTarget;
+    /** VPC ID (AWS), VNet ID (Azure), or Network self-link (GCP). */
+    readonly vpcId: pulumi.Output<string>;
+    readonly cidr?: string;
+    readonly publicSubnetIds: pulumi.Output<ReadonlyArray<string>>;
+    readonly privateSubnetIds: pulumi.Output<ReadonlyArray<string>>;
+    readonly natGatewayId?: pulumi.Output<string>;
+    /** Escape hatch: cloud-native network resource. */
+    readonly nativeResource: pulumi.Resource;
+}
+//# sourceMappingURL=interfaces.d.ts.map

package/dist/esm/network/interfaces.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interfaces.d.ts","sourceRoot":"","sources":["../../../src/network/interfaces.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,KAAK,MAAM,MAAM,gBAAgB,CAAC;AAC9C,OAAO,KAAK,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAC;AAE9D,4BAA4B;AAC5B,MAAM,MAAM,WAAW,GACnB,SAAS,GACT,SAAS,GACT,MAAM,CAAC;AAEX,4BAA4B;AAC5B,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC;IACzB,4GAA4G;IAC5G,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;IACtD,QAAQ,CAAC,cAAc,CAAC,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;IACvD,QAAQ,CAAC,WAAW,CAAC,EAAE,WAAW,CAAC;IACnC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IACtC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAClD;AAED;;;;GAIG;AACH,MAAM,WAAW,QAAQ;IACvB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,EAAE,mBAAmB,CAAC;IACpC,iEAAiE;IACjE,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACtC,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;IAC/D,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;IAChE,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAE9C,mDAAmD;IACnD,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC,QAAQ,CAAC;CAC1C"}

package/dist/esm/network/interfaces.js

@@ -0,0 +1,12 @@
+"use strict";
+/**
+ * Network interfaces for @reyemtech/nimbus.
+ *
+ * Abstracts VPC (AWS), VNet (Azure), and VPC (GCP) provisioning.
+ * Includes NAT strategy options (managed, fck-nat, none) and
+ * CIDR overlap detection for multi-cloud deployments.
+ *
+ * @module network/interfaces
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=interfaces.js.map

package/dist/esm/network/interfaces.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interfaces.js","sourceRoot":"","sources":["../../../src/network/interfaces.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG"}

package/dist/esm/platform/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Platform module — cloud-agnostic platform stack abstraction.
+ *
+ * @module platform
+ */
+export type { DnsProvider, IPlatformComponentConfig, IExternalDnsConfig, IVaultConfig, IPlatformStackConfig, IPlatformStack, } from "./interfaces";
+export { createPlatformStack } from "./stack";
+//# sourceMappingURL=index.d.ts.map

package/dist/esm/platform/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/platform/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,YAAY,EACV,WAAW,EACX,wBAAwB,EACxB,kBAAkB,EAClB,YAAY,EACZ,oBAAoB,EACpB,cAAc,GACf,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC"}

package/dist/esm/platform/index.js

@@ -0,0 +1,11 @@
+"use strict";
+/**
+ * Platform module — cloud-agnostic platform stack abstraction.
+ *
+ * @module platform
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createPlatformStack = void 0;
+var stack_1 = require("./stack");
+Object.defineProperty(exports, "createPlatformStack", { enumerable: true, get: function () { return stack_1.createPlatformStack; } });
+//# sourceMappingURL=index.js.map

package/dist/esm/platform/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/platform/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAWH,iCAA8C;AAArC,4GAAA,mBAAmB,OAAA"}

package/dist/esm/platform/interfaces.d.ts

@@ -0,0 +1,86 @@
+/**
+ * Platform stack interfaces for @reyemtech/nimbus.
+ *
+ * Cloud-agnostic platform components deployed via Helm to any ICluster.
+ * These are the components used across all 3 client environments:
+ * Traefik, ArgoCD, cert-manager, External DNS, Vault, External Secrets.
+ *
+ * @module platform/interfaces
+ */
+import type * as pulumi from "@pulumi/pulumi";
+import type * as k8s from "@pulumi/kubernetes";
+import type { ICluster } from "../cluster";
+/** DNS provider for External DNS integration. */
+export type DnsProvider = "route53" | "azure-dns" | "cloud-dns" | "cloudflare";
+/** Individual platform component configuration. */
+export interface IPlatformComponentConfig {
+    /** Enable or disable this component. Default: true for core components. */
+    readonly enabled?: boolean;
+    /** Helm chart version override. */
+    readonly version?: string;
+    /** Additional Helm values to merge with defaults. */
+    readonly values?: Record<string, unknown>;
+}
+/** External DNS component configuration with provider-specific auth. */
+export interface IExternalDnsConfig extends IPlatformComponentConfig {
+    readonly dnsProvider: DnsProvider;
+    /** Provider-specific credentials (e.g., AWS IAM keys, Azure identity). */
+    readonly dnsCredentials?: Record<string, pulumi.Input<string>>;
+    /** DNS zone filter (e.g., ["reyem.tech"]). */
+    readonly domainFilters?: ReadonlyArray<string>;
+}
+/** Vault component configuration. */
+export interface IVaultConfig extends IPlatformComponentConfig {
+    /** Enable HA mode. Default: false (single node). */
+    readonly ha?: boolean;
+    /** Storage size for Vault data. Default: "5Gi". */
+    readonly storageSize?: string;
+    /** Domain for Vault ingress (e.g., "vault.reyem.tech"). */
+    readonly ingressHost?: string;
+}
+/**
+ * Platform stack configuration input.
+ *
+ * @example
+ * ```typescript
+ * const config: IPlatformStackConfig = {
+ *   cluster,
+ *   domain: "reyem.tech",
+ *   externalDns: {
+ *     dnsProvider: "route53",
+ *     domainFilters: ["reyem.tech"],
+ *   },
+ *   vault: { enabled: true, ingressHost: "vault.reyem.tech" },
+ * };
+ * ```
+ */
+export interface IPlatformStackConfig {
+    readonly cluster: ICluster | ReadonlyArray<ICluster>;
+    readonly domain: string;
+    /** Core components (enabled by default). */
+    readonly traefik?: IPlatformComponentConfig;
+    readonly certManager?: IPlatformComponentConfig;
+    readonly externalDns?: IExternalDnsConfig;
+    /** Optional components. */
+    readonly argocd?: IPlatformComponentConfig;
+    readonly vault?: IVaultConfig;
+    readonly externalSecrets?: IPlatformComponentConfig;
+    readonly oauth2Proxy?: IPlatformComponentConfig & {
+        readonly provider: "google" | "github" | "azure";
+        readonly clientId: pulumi.Input<string>;
+        readonly clientSecret: pulumi.Input<string>;
+    };
+    readonly tags?: Readonly<Record<string, string>>;
+}
+/**
+ * Platform stack output — the deployed platform components.
+ *
+ * Each component is accessible as a Helm release for further customization.
+ */
+export interface IPlatformStack {
+    readonly name: string;
+    readonly cluster: ICluster;
+    readonly components: Readonly<Record<string, k8s.helm.v3.Release>>;
+    readonly traefikEndpoint: pulumi.Output<string>;
+}
+//# sourceMappingURL=interfaces.d.ts.map

package/dist/esm/platform/interfaces.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"interfaces.d.ts","sourceRoot":"","sources":["../../../src/platform/interfaces.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,KAAK,MAAM,MAAM,gBAAgB,CAAC;AAC9C,OAAO,KAAK,KAAK,GAAG,MAAM,oBAAoB,CAAC;AAC/C,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAE3C,iDAAiD;AACjD,MAAM,MAAM,WAAW,GACnB,SAAS,GACT,WAAW,GACX,WAAW,GACX,YAAY,CAAC;AAEjB,mDAAmD;AACnD,MAAM,WAAW,wBAAwB;IACvC,2EAA2E;IAC3E,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAC3B,mCAAmC;IACnC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,qDAAqD;IACrD,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC3C;AAED,wEAAwE;AACxE,MAAM,WAAW,kBAAmB,SAAQ,wBAAwB;IAClE,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,0EAA0E;IAC1E,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;IAC/D,8CAA8C;IAC9C,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAChD;AAED,qCAAqC;AACrC,MAAM,WAAW,YAAa,SAAQ,wBAAwB;IAC5D,oDAAoD;IACpD,QAAQ,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC;IACtB,mDAAmD;IACnD,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,2DAA2D;IAC3D,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,OAAO,EAAE,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IACrD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IAExB,4CAA4C;IAC5C,QAAQ,CAAC,OAAO,CAAC,EAAE,wBAAwB,CAAC;IAC5C,QAAQ,CAAC,WAAW,CAAC,EAAE,wBAAwB,CAAC;IAChD,QAAQ,CAAC,WAAW,CAAC,EAAE,kBAAkB,CAAC;IAE1C,2BAA2B;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,wBAAwB,CAAC;IAC3C,QAAQ,CAAC,KAAK,CAAC,EAAE,YAAY,CAAC;IAC9B,QAAQ,CAAC,eAAe,CAAC,EAAE,wBAAwB,CAAC;IACpD,QAAQ,CAAC,WAAW,CAAC,EAAE,wBAAwB,GAAG;QAChD,QAAQ,CAAC,QAAQ,EAAE,QAAQ,GAAG,QAAQ,GAAG,OAAO,CAAC;QACjD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACxC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;KAC7C,CAAC;IAEF,QAAQ,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAClD;AAED;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC;IAC3B,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACnE,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;CACjD"}

package/dist/esm/platform/interfaces.js

@@ -0,0 +1,12 @@
+"use strict";
+/**
+ * Platform stack interfaces for @reyemtech/nimbus.
+ *
+ * Cloud-agnostic platform components deployed via Helm to any ICluster.
+ * These are the components used across all 3 client environments:
+ * Traefik, ArgoCD, cert-manager, External DNS, Vault, External Secrets.
+ *
+ * @module platform/interfaces
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=interfaces.js.map

package/dist/esm/platform/interfaces.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"interfaces.js","sourceRoot":"","sources":["../../../src/platform/interfaces.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG"}

package/dist/esm/platform/stack.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Platform stack implementation — deploys Helm-based platform components
+ * to any ICluster.
+ *
+ * Components: Traefik, cert-manager, External DNS, ArgoCD, Vault,
+ * External Secrets Operator.
+ *
+ * @module platform/stack
+ */
+import type { IPlatformStack, IPlatformStackConfig } from "./interfaces";
+/**
+ * Deploy a platform stack to one or more clusters.
+ *
+ * Installs cloud-agnostic Helm releases for ingress, TLS, DNS, GitOps,
+ * secrets management, and more. Each component can be individually
+ * enabled/disabled and configured.
+ *
+ * @example
+ * ```typescript
+ * const platform = createPlatformStack("prod", {
+ *   cluster,
+ *   domain: "reyem.tech",
+ *   externalDns: {
+ *     dnsProvider: "route53",
+ *     domainFilters: ["reyem.tech"],
+ *   },
+ *   vault: { enabled: true, ingressHost: "vault.reyem.tech" },
+ * });
+ * ```
+ */
+export declare function createPlatformStack(name: string, config: IPlatformStackConfig): IPlatformStack | IPlatformStack[];
+//# sourceMappingURL=stack.d.ts.map

package/dist/esm/platform/stack.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stack.d.ts","sourceRoot":"","sources":["../../../src/platform/stack.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,OAAO,KAAK,EAGV,cAAc,EACd,oBAAoB,EAErB,MAAM,cAAc,CAAC;AAYtB;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,oBAAoB,GAC3B,cAAc,GAAG,cAAc,EAAE,CAUnC"}