@vercel/sandbox 1.9.0 → 1.9.2

package/dist/utils/get-credentials.js

@@ -1,156 +1,122 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.schema = exports.VercelOidcContextError = exports.LocalOidcContextError = void 0;
-exports.getCredentials = getCredentials;
-const oidc_1 = require("@vercel/oidc");
-const decode_base64_url_1 = require("./decode-base64-url");
-const zod_1 = require("zod");
-const dev_credentials_1 = require("./dev-credentials");
+import { decodeBase64Url } from "./decode-base64-url.js";
+import { cachedGenerateCredentials, shouldPromptForCredentials } from "./dev-credentials.js";
+import { z } from "zod";
+import { getVercelOidcToken } from "@vercel/oidc";
+
+//#region src/utils/get-credentials.ts
 /**
- * Error thrown when OIDC context is not available in local development,
- * therefore we should guide how to ensure it is set up by linking a project
- */
-class LocalOidcContextError extends Error {
-    constructor(cause) {
-        const message = [
-            "Could not get credentials from OIDC context.",
-            "Please link your Vercel project using `npx vercel link`.",
-            "Then, pull an initial OIDC token with `npx vercel env pull`",
-            "and retry.",
-            "╰▶ Make sure you are loading `.env.local` correctly, or passing $VERCEL_OIDC_TOKEN directly.",
-        ].join("\n");
-        super(message, { cause });
-        this.name = "LocalOidcContextError";
-    }
-}
-exports.LocalOidcContextError = LocalOidcContextError;
+* Error thrown when OIDC context is not available in local development,
+* therefore we should guide how to ensure it is set up by linking a project
+*/
+var LocalOidcContextError = class extends Error {
+	constructor(cause) {
+		const message = [
+			"Could not get credentials from OIDC context.",
+			"Please link your Vercel project using `npx vercel link`.",
+			"Then, pull an initial OIDC token with `npx vercel env pull`",
+			"and retry.",
+			"╰▶ Make sure you are loading `.env.local` correctly, or passing $VERCEL_OIDC_TOKEN directly."
+		].join("\n");
+		super(message, { cause });
+		this.name = "LocalOidcContextError";
+	}
+};
 /**
- * Error thrown when OIDC context is not available in Vercel environment,
- * therefore we should guide how to set it up.
- */
-class VercelOidcContextError extends Error {
-    constructor(cause) {
-        const message = [
-            "Could not get credentials from OIDC context.",
-            "Please make sure OIDC is set up for your project",
-            "╰▶ Docs: https://vercel.com/docs/oidc",
-        ].join("\n");
-        super(message, { cause });
-        this.name = "VercelOidcContextError";
-    }
-}
-exports.VercelOidcContextError = VercelOidcContextError;
+* Error thrown when OIDC context is not available in Vercel environment,
+* therefore we should guide how to set it up.
+*/
+var VercelOidcContextError = class extends Error {
+	constructor(cause) {
+		const message = [
+			"Could not get credentials from OIDC context.",
+			"Please make sure OIDC is set up for your project",
+			"╰▶ Docs: https://vercel.com/docs/oidc"
+		].join("\n");
+		super(message, { cause });
+		this.name = "VercelOidcContextError";
+	}
+};
 async function getVercelToken(opts) {
-    try {
-        const token = await (0, oidc_1.getVercelOidcToken)({
-            team: opts.teamId,
-            project: opts.projectId,
-        });
-        return getCredentialsFromOIDCToken(token);
-    }
-    catch (error) {
-        if (!(0, dev_credentials_1.shouldPromptForCredentials)()) {
-            if (process.env.VERCEL_URL) {
-                throw new VercelOidcContextError(error);
-            }
-            else {
-                throw new LocalOidcContextError(error);
-            }
-        }
-        return await (0, dev_credentials_1.cachedGenerateCredentials)(opts);
-    }
+	try {
+		return getCredentialsFromOIDCToken(await getVercelOidcToken({
+			team: opts.teamId,
+			project: opts.projectId
+		}));
+	} catch (error) {
+		if (!shouldPromptForCredentials()) if (process.env.VERCEL_URL) throw new VercelOidcContextError(error);
+		else throw new LocalOidcContextError(error);
+		return await cachedGenerateCredentials(opts);
+	}
 }
 /**
- * Allow to get credentials to access the Vercel API. Credentials can be
- * provided in two different ways:
- *
- * 1. By passing an object with the `teamId`, `token`, and `projectId` properties.
- * 2. By using an environment variable VERCEL_OIDC_TOKEN.
- *
- * If both methods are used, the object properties take precedence over the
- * environment variable. If neither method is used, an error is thrown.
- */
+* Allow to get credentials to access the Vercel API. Credentials can be
+* provided in two different ways:
+*
+* 1. By passing an object with the `teamId`, `token`, and `projectId` properties.
+* 2. By using an environment variable VERCEL_OIDC_TOKEN.
+*
+* If both methods are used, the object properties take precedence over the
+* environment variable. If neither method is used, an error is thrown.
+*/
 async function getCredentials(params) {
-    const credentials = getCredentialsFromParams(params ?? {});
-    if (credentials) {
-        return credentials;
-    }
-    const oidcToken = await getVercelToken({
-        teamId: params &&
-            typeof params === "object" &&
-            "teamId" in params &&
-            typeof params.teamId === "string"
-            ? params.teamId
-            : undefined,
-        projectId: params &&
-            typeof params === "object" &&
-            "projectId" in params &&
-            typeof params.projectId === "string"
-            ? params.projectId
-            : undefined,
-    });
-    return oidcToken;
+	const credentials = getCredentialsFromParams(params ?? {});
+	if (credentials) return credentials;
+	return await getVercelToken({
+		teamId: params && typeof params === "object" && "teamId" in params && typeof params.teamId === "string" ? params.teamId : void 0,
+		projectId: params && typeof params === "object" && "projectId" in params && typeof params.projectId === "string" ? params.projectId : void 0
+	});
 }
 /**
- * Attempt to extract credentials from the provided parameters. Either all
- * required fields (`token`, `teamId`, and `projectId`) must be present
- * or none of them, otherwise an error is thrown.
- */
+* Attempt to extract credentials from the provided parameters. Either all
+* required fields (`token`, `teamId`, and `projectId`) must be present
+* or none of them, otherwise an error is thrown.
+*/
 function getCredentialsFromParams(params) {
-    // Type guard: params must be an object
-    if (!params || typeof params !== "object") {
-        return null;
-    }
-    const missing = [
-        "token" in params && typeof params.token === "string" ? null : "token",
-        "teamId" in params && typeof params.teamId === "string" ? null : "teamId",
-        "projectId" in params && typeof params.projectId === "string"
-            ? null
-            : "projectId",
-    ].filter((value) => value !== null);
-    if (missing.length === 0) {
-        return {
-            token: params.token,
-            projectId: params.projectId,
-            teamId: params.teamId,
-        };
-    }
-    if (missing.length < 3) {
-        throw new Error(`Missing credentials parameters to access the Vercel API: ${missing
-            .filter((value) => value !== null)
-            .join(", ")}`);
-    }
-    return null;
+	if (!params || typeof params !== "object") return null;
+	const missing = [
+		"token" in params && typeof params.token === "string" ? null : "token",
+		"teamId" in params && typeof params.teamId === "string" ? null : "teamId",
+		"projectId" in params && typeof params.projectId === "string" ? null : "projectId"
+	].filter((value) => value !== null);
+	if (missing.length === 0) return {
+		token: params.token,
+		projectId: params.projectId,
+		teamId: params.teamId
+	};
+	if (missing.length < 3) throw new Error(`Missing credentials parameters to access the Vercel API: ${missing.filter((value) => value !== null).join(", ")}`);
+	return null;
 }
 /**
- * Schema to validate the payload of the Vercel OIDC token where we expect
- * to find the `teamId` and `projectId`.
- */
-exports.schema = zod_1.z.object({
-    exp: zod_1.z.number().optional().describe("Expiry timestamp (seconds since epoch)"),
-    iat: zod_1.z.number().optional().describe("Issued at timestamp"),
-    owner_id: zod_1.z.string(),
-    project_id: zod_1.z.string(),
+* Schema to validate the payload of the Vercel OIDC token where we expect
+* to find the `teamId` and `projectId`.
+*/
+const schema = z.object({
+	exp: z.number().optional().describe("Expiry timestamp (seconds since epoch)"),
+	iat: z.number().optional().describe("Issued at timestamp"),
+	owner_id: z.string(),
+	project_id: z.string()
 });
 /**
- * Extracts credentials from a Vercel OIDC token. The token is expected to be
- * a JWT with a payload that contains `project_id` and `owner_id`.
- *
- * @param token - The Vercel OIDC token.
- * @returns An object containing the token, projectId, and teamId.
- * @throws If the token is invalid or does not contain the required fields.
- */
+* Extracts credentials from a Vercel OIDC token. The token is expected to be
+* a JWT with a payload that contains `project_id` and `owner_id`.
+*
+* @param token - The Vercel OIDC token.
+* @returns An object containing the token, projectId, and teamId.
+* @throws If the token is invalid or does not contain the required fields.
+*/
 function getCredentialsFromOIDCToken(token) {
-    try {
-        const payload = exports.schema.parse((0, decode_base64_url_1.decodeBase64Url)(token.split(".")[1]));
-        return {
-            token,
-            projectId: payload.project_id,
-            teamId: payload.owner_id,
-        };
-    }
-    catch (error) {
-        throw new Error(`Invalid Vercel OIDC token: ${error instanceof Error ? error.message : String(error)}`);
-    }
+	try {
+		const payload = schema.parse(decodeBase64Url(token.split(".")[1]));
+		return {
+			token,
+			projectId: payload.project_id,
+			teamId: payload.owner_id
+		};
+	} catch (error) {
+		throw new Error(`Invalid Vercel OIDC token: ${error instanceof Error ? error.message : String(error)}`);
+	}
 }
+
+//#endregion
+export { getCredentials };
 //# sourceMappingURL=get-credentials.js.map

package/dist/utils/get-credentials.js.map

@@ -1 +1 @@
-{"version":3,"file":"get-credentials.js","sourceRoot":"","sources":["../../src/utils/get-credentials.ts"],"names":[],"mappings":";;;AA0FA,wCAwBC;AAlHD,uCAAkD;AAClD,2DAAsD;AACtD,6BAAwB;AACxB,uDAG2B;AAkB3B;;;GAGG;AACH,MAAa,qBAAsB,SAAQ,KAAK;IAE9C,YAAY,KAAc;QACxB,MAAM,OAAO,GAAG;YACd,8CAA8C;YAC9C,0DAA0D;YAC1D,6DAA6D;YAC7D,YAAY;YACZ,8FAA8F;SAC/F,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACb,KAAK,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAT5B,SAAI,GAAG,uBAAuB,CAAC;IAU/B,CAAC;CACF;AAZD,sDAYC;AAED;;;GAGG;AACH,MAAa,sBAAuB,SAAQ,KAAK;IAE/C,YAAY,KAAc;QACxB,MAAM,OAAO,GAAG;YACd,8CAA8C;YAC9C,kDAAkD;YAClD,uCAAuC;SACxC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACb,KAAK,CAAC,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAP5B,SAAI,GAAG,wBAAwB,CAAC;IAQhC,CAAC;CACF;AAVD,wDAUC;AAED,KAAK,UAAU,cAAc,CAAC,IAG7B;IACC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,IAAA,yBAAkB,EAAC;YACrC,IAAI,EAAE,IAAI,CAAC,MAAM;YACjB,OAAO,EAAE,IAAI,CAAC,SAAS;SACxB,CAAC,CAAC;QACH,OAAO,2BAA2B,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,IAAA,4CAA0B,GAAE,EAAE,CAAC;YAClC,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC;gBAC3B,MAAM,IAAI,sBAAsB,CAAC,KAAK,CAAC,CAAC;YAC1C,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,qBAAqB,CAAC,KAAK,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;QACD,OAAO,MAAM,IAAA,2CAAyB,EAAC,IAAI,CAAC,CAAC;IAC/C,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACI,KAAK,UAAU,cAAc,CAAC,MAAgB;IACnD,MAAM,WAAW,GAAG,wBAAwB,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IAC3D,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,cAAc,CAAC;QACrC,MAAM,EACJ,MAAM;YACN,OAAO,MAAM,KAAK,QAAQ;YAC1B,QAAQ,IAAI,MAAM;YAClB,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ;YAC/B,CAAC,CAAC,MAAM,CAAC,MAAM;YACf,CAAC,CAAC,SAAS;QACf,SAAS,EACP,MAAM;YACN,OAAO,MAAM,KAAK,QAAQ;YAC1B,WAAW,IAAI,MAAM;YACrB,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;YAClC,CAAC,CAAC,MAAM,CAAC,SAAS;YAClB,CAAC,CAAC,SAAS;KAChB,CAAC,CAAC;IAEH,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,SAAS,wBAAwB,CAAC,MAAe;IAC/C,uCAAuC;IACvC,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,OAAO,GAAG;QACd,OAAO,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO;QACtE,QAAQ,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ;QACzE,WAAW,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;YAC3D,CAAC,CAAC,IAAI;YACN,CAAC,CAAC,WAAW;KAChB,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,IAAI,CAAC,CAAC;IAEpC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO;YACL,KAAK,EAAG,MAAc,CAAC,KAAK;YAC5B,SAAS,EAAG,MAAc,CAAC,SAAS;YACpC,MAAM,EAAG,MAAc,CAAC,MAAM;SAC/B,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CACb,4DAA4D,OAAO;aAChE,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,IAAI,CAAC;aACjC,IAAI,CAAC,IAAI,CAAC,EAAE,CAChB,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACU,QAAA,MAAM,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,wCAAwC,CAAC;IAC7E,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,qBAAqB,CAAC;IAC1D,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IACpB,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE;CACvB,CAAC,CAAC;AAEH;;;;;;;GAOG;AACH,SAAS,2BAA2B,CAAC,KAAa;IAChD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,cAAM,CAAC,KAAK,CAAC,IAAA,mCAAe,EAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACnE,OAAO;YACL,KAAK;YACL,SAAS,EAAE,OAAO,CAAC,UAAU;YAC7B,MAAM,EAAE,OAAO,CAAC,QAAQ;SACzB,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,8BAA8B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CACvF,CAAC;IACJ,CAAC;AACH,CAAC"}
+{"version":3,"file":"get-credentials.js","names":[],"sources":["../../src/utils/get-credentials.ts"],"sourcesContent":["import { getVercelOidcToken } from \"@vercel/oidc\";\nimport { decodeBase64Url } from \"./decode-base64-url.js\";\nimport { z } from \"zod\";\nimport {\n  cachedGenerateCredentials,\n  shouldPromptForCredentials,\n} from \"./dev-credentials.js\";\n\nexport interface Credentials {\n  /**\n   * Authentication token for the Vercel API. It could be an OIDC token\n   * or a personal access token.\n   */\n  token: string;\n  /**\n   * The ID of the project to associate Sandbox operations.\n   */\n  projectId: string;\n  /**\n   * The ID of the team to associate Sandbox operations.\n   */\n  teamId: string;\n}\n\n/**\n * Error thrown when OIDC context is not available in local development,\n * therefore we should guide how to ensure it is set up by linking a project\n */\nexport class LocalOidcContextError extends Error {\n  name = \"LocalOidcContextError\";\n  constructor(cause: unknown) {\n    const message = [\n      \"Could not get credentials from OIDC context.\",\n      \"Please link your Vercel project using `npx vercel link`.\",\n      \"Then, pull an initial OIDC token with `npx vercel env pull`\",\n      \"and retry.\",\n      \"╰▶ Make sure you are loading `.env.local` correctly, or passing $VERCEL_OIDC_TOKEN directly.\",\n    ].join(\"\\n\");\n    super(message, { cause });\n  }\n}\n\n/**\n * Error thrown when OIDC context is not available in Vercel environment,\n * therefore we should guide how to set it up.\n */\nexport class VercelOidcContextError extends Error {\n  name = \"VercelOidcContextError\";\n  constructor(cause: unknown) {\n    const message = [\n      \"Could not get credentials from OIDC context.\",\n      \"Please make sure OIDC is set up for your project\",\n      \"╰▶ Docs: https://vercel.com/docs/oidc\",\n    ].join(\"\\n\");\n    super(message, { cause });\n  }\n}\n\nasync function getVercelToken(opts: {\n  teamId?: string;\n  projectId?: string;\n}): Promise<Credentials> {\n  try {\n    const token = await getVercelOidcToken({\n      team: opts.teamId,\n      project: opts.projectId,\n    });\n    return getCredentialsFromOIDCToken(token);\n  } catch (error) {\n    if (!shouldPromptForCredentials()) {\n      if (process.env.VERCEL_URL) {\n        throw new VercelOidcContextError(error);\n      } else {\n        throw new LocalOidcContextError(error);\n      }\n    }\n    return await cachedGenerateCredentials(opts);\n  }\n}\n\n/**\n * Allow to get credentials to access the Vercel API. Credentials can be\n * provided in two different ways:\n *\n * 1. By passing an object with the `teamId`, `token`, and `projectId` properties.\n * 2. By using an environment variable VERCEL_OIDC_TOKEN.\n *\n * If both methods are used, the object properties take precedence over the\n * environment variable. If neither method is used, an error is thrown.\n */\nexport async function getCredentials(params?: unknown): Promise<Credentials> {\n  const credentials = getCredentialsFromParams(params ?? {});\n  if (credentials) {\n    return credentials;\n  }\n\n  const oidcToken = await getVercelToken({\n    teamId:\n      params &&\n      typeof params === \"object\" &&\n      \"teamId\" in params &&\n      typeof params.teamId === \"string\"\n        ? params.teamId\n        : undefined,\n    projectId:\n      params &&\n      typeof params === \"object\" &&\n      \"projectId\" in params &&\n      typeof params.projectId === \"string\"\n        ? params.projectId\n        : undefined,\n  });\n\n  return oidcToken;\n}\n\n/**\n * Attempt to extract credentials from the provided parameters. Either all\n * required fields (`token`, `teamId`, and `projectId`) must be present\n * or none of them, otherwise an error is thrown.\n */\nfunction getCredentialsFromParams(params: unknown): Credentials | null {\n  // Type guard: params must be an object\n  if (!params || typeof params !== \"object\") {\n    return null;\n  }\n\n  const missing = [\n    \"token\" in params && typeof params.token === \"string\" ? null : \"token\",\n    \"teamId\" in params && typeof params.teamId === \"string\" ? null : \"teamId\",\n    \"projectId\" in params && typeof params.projectId === \"string\"\n      ? null\n      : \"projectId\",\n  ].filter((value) => value !== null);\n\n  if (missing.length === 0) {\n    return {\n      token: (params as any).token,\n      projectId: (params as any).projectId,\n      teamId: (params as any).teamId,\n    };\n  }\n\n  if (missing.length < 3) {\n    throw new Error(\n      `Missing credentials parameters to access the Vercel API: ${missing\n        .filter((value) => value !== null)\n        .join(\", \")}`,\n    );\n  }\n\n  return null;\n}\n\n/**\n * Schema to validate the payload of the Vercel OIDC token where we expect\n * to find the `teamId` and `projectId`.\n */\nexport const schema = z.object({\n  exp: z.number().optional().describe(\"Expiry timestamp (seconds since epoch)\"),\n  iat: z.number().optional().describe(\"Issued at timestamp\"),\n  owner_id: z.string(),\n  project_id: z.string(),\n});\n\n/**\n * Extracts credentials from a Vercel OIDC token. The token is expected to be\n * a JWT with a payload that contains `project_id` and `owner_id`.\n *\n * @param token - The Vercel OIDC token.\n * @returns An object containing the token, projectId, and teamId.\n * @throws If the token is invalid or does not contain the required fields.\n */\nfunction getCredentialsFromOIDCToken(token: string): Credentials {\n  try {\n    const payload = schema.parse(decodeBase64Url(token.split(\".\")[1]));\n    return {\n      token,\n      projectId: payload.project_id,\n      teamId: payload.owner_id,\n    };\n  } catch (error) {\n    throw new Error(\n      `Invalid Vercel OIDC token: ${error instanceof Error ? error.message : String(error)}`,\n    );\n  }\n}\n"],"mappings":";;;;;;;;;;AA4BA,IAAa,wBAAb,cAA2C,MAAM;CAE/C,YAAY,OAAgB;EAC1B,MAAM,UAAU;GACd;GACA;GACA;GACA;GACA;GACD,CAAC,KAAK,KAAK;AACZ,QAAM,SAAS,EAAE,OAAO,CAAC;OAT3B,OAAO;;;;;;;AAiBT,IAAa,yBAAb,cAA4C,MAAM;CAEhD,YAAY,OAAgB;EAC1B,MAAM,UAAU;GACd;GACA;GACA;GACD,CAAC,KAAK,KAAK;AACZ,QAAM,SAAS,EAAE,OAAO,CAAC;OAP3B,OAAO;;;AAWT,eAAe,eAAe,MAGL;AACvB,KAAI;AAKF,SAAO,4BAJO,MAAM,mBAAmB;GACrC,MAAM,KAAK;GACX,SAAS,KAAK;GACf,CAAC,CACuC;UAClC,OAAO;AACd,MAAI,CAAC,4BAA4B,CAC/B,KAAI,QAAQ,IAAI,WACd,OAAM,IAAI,uBAAuB,MAAM;MAEvC,OAAM,IAAI,sBAAsB,MAAM;AAG1C,SAAO,MAAM,0BAA0B,KAAK;;;;;;;;;;;;;AAchD,eAAsB,eAAe,QAAwC;CAC3E,MAAM,cAAc,yBAAyB,UAAU,EAAE,CAAC;AAC1D,KAAI,YACF,QAAO;AAoBT,QAjBkB,MAAM,eAAe;EACrC,QACE,UACA,OAAO,WAAW,YAClB,YAAY,UACZ,OAAO,OAAO,WAAW,WACrB,OAAO,SACP;EACN,WACE,UACA,OAAO,WAAW,YAClB,eAAe,UACf,OAAO,OAAO,cAAc,WACxB,OAAO,YACP;EACP,CAAC;;;;;;;AAUJ,SAAS,yBAAyB,QAAqC;AAErE,KAAI,CAAC,UAAU,OAAO,WAAW,SAC/B,QAAO;CAGT,MAAM,UAAU;EACd,WAAW,UAAU,OAAO,OAAO,UAAU,WAAW,OAAO;EAC/D,YAAY,UAAU,OAAO,OAAO,WAAW,WAAW,OAAO;EACjE,eAAe,UAAU,OAAO,OAAO,cAAc,WACjD,OACA;EACL,CAAC,QAAQ,UAAU,UAAU,KAAK;AAEnC,KAAI,QAAQ,WAAW,EACrB,QAAO;EACL,OAAQ,OAAe;EACvB,WAAY,OAAe;EAC3B,QAAS,OAAe;EACzB;AAGH,KAAI,QAAQ,SAAS,EACnB,OAAM,IAAI,MACR,4DAA4D,QACzD,QAAQ,UAAU,UAAU,KAAK,CACjC,KAAK,KAAK,GACd;AAGH,QAAO;;;;;;AAOT,MAAa,SAAS,EAAE,OAAO;CAC7B,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC,SAAS,yCAAyC;CAC7E,KAAK,EAAE,QAAQ,CAAC,UAAU,CAAC,SAAS,sBAAsB;CAC1D,UAAU,EAAE,QAAQ;CACpB,YAAY,EAAE,QAAQ;CACvB,CAAC;;;;;;;;;AAUF,SAAS,4BAA4B,OAA4B;AAC/D,KAAI;EACF,MAAM,UAAU,OAAO,MAAM,gBAAgB,MAAM,MAAM,IAAI,CAAC,GAAG,CAAC;AAClE,SAAO;GACL;GACA,WAAW,QAAQ;GACnB,QAAQ,QAAQ;GACjB;UACM,OAAO;AACd,QAAM,IAAI,MACR,8BAA8B,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACrF"}

package/dist/utils/log.cjs

@@ -0,0 +1,25 @@
+const require_rolldown_runtime = require('../_virtual/rolldown_runtime.cjs');
+let picocolors = require("picocolors");
+picocolors = require_rolldown_runtime.__toESM(picocolors);
+
+//#region src/utils/log.ts
+const colors = {
+	warn: picocolors.default.yellow,
+	error: picocolors.default.red,
+	success: picocolors.default.green,
+	info: picocolors.default.blue
+};
+const logPrefix = picocolors.default.dim("[vercel/sandbox]");
+function write(level, text) {
+	text = Array.isArray(text) ? text.join("\n") : text;
+	const prefixed = text.replace(/^/gm, `${logPrefix} `);
+	console.error(colors[level](prefixed));
+}
+function code(text) {
+	return picocolors.default.italic(picocolors.default.dim("`") + text + picocolors.default.dim("`"));
+}
+
+//#endregion
+exports.code = code;
+exports.write = write;
+//# sourceMappingURL=log.cjs.map

package/dist/utils/log.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"log.cjs","names":["pico"],"sources":["../../src/utils/log.ts"],"sourcesContent":["import pico from \"picocolors\";\nconst colors = {\n  warn: pico.yellow,\n  error: pico.red,\n  success: pico.green,\n  info: pico.blue,\n};\nconst logPrefix = pico.dim(\"[vercel/sandbox]\");\nexport function write(\n  level: \"warn\" | \"error\" | \"info\" | \"success\",\n  text: string | string[],\n) {\n  text = Array.isArray(text) ? text.join(\"\\n\") : text;\n  const prefixed = text.replace(/^/gm, `${logPrefix} `);\n  console.error(colors[level](prefixed));\n}\n\nexport function code(text: string) {\n  return pico.italic(pico.dim(\"`\") + text + pico.dim(\"`\"));\n}\n"],"mappings":";;;;;AACA,MAAM,SAAS;CACb,MAAMA,mBAAK;CACX,OAAOA,mBAAK;CACZ,SAASA,mBAAK;CACd,MAAMA,mBAAK;CACZ;AACD,MAAM,YAAYA,mBAAK,IAAI,mBAAmB;AAC9C,SAAgB,MACd,OACA,MACA;AACA,QAAO,MAAM,QAAQ,KAAK,GAAG,KAAK,KAAK,KAAK,GAAG;CAC/C,MAAM,WAAW,KAAK,QAAQ,OAAO,GAAG,UAAU,GAAG;AACrD,SAAQ,MAAM,OAAO,OAAO,SAAS,CAAC;;AAGxC,SAAgB,KAAK,MAAc;AACjC,QAAOA,mBAAK,OAAOA,mBAAK,IAAI,IAAI,GAAG,OAAOA,mBAAK,IAAI,IAAI,CAAC"}

package/dist/utils/log.js

@@ -1,24 +1,22 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.write = write;
-exports.code = code;
-const picocolors_1 = __importDefault(require("picocolors"));
+import pico from "picocolors";
+
+//#region src/utils/log.ts
 const colors = {
-    warn: picocolors_1.default.yellow,
-    error: picocolors_1.default.red,
-    success: picocolors_1.default.green,
-    info: picocolors_1.default.blue,
+	warn: pico.yellow,
+	error: pico.red,
+	success: pico.green,
+	info: pico.blue
 };
-const logPrefix = picocolors_1.default.dim("[vercel/sandbox]");
+const logPrefix = pico.dim("[vercel/sandbox]");
 function write(level, text) {
-    text = Array.isArray(text) ? text.join("\n") : text;
-    const prefixed = text.replace(/^/gm, `${logPrefix} `);
-    console.error(colors[level](prefixed));
+	text = Array.isArray(text) ? text.join("\n") : text;
+	const prefixed = text.replace(/^/gm, `${logPrefix} `);
+	console.error(colors[level](prefixed));
 }
 function code(text) {
-    return picocolors_1.default.italic(picocolors_1.default.dim("`") + text + picocolors_1.default.dim("`"));
+	return pico.italic(pico.dim("`") + text + pico.dim("`"));
 }
+
+//#endregion
+export { code, write };
 //# sourceMappingURL=log.js.map

package/dist/utils/log.js.map

@@ -1 +1 @@
-{"version":3,"file":"log.js","sourceRoot":"","sources":["../../src/utils/log.ts"],"names":[],"mappings":";;;;;AAQA,sBAOC;AAED,oBAEC;AAnBD,4DAA8B;AAC9B,MAAM,MAAM,GAAG;IACb,IAAI,EAAE,oBAAI,CAAC,MAAM;IACjB,KAAK,EAAE,oBAAI,CAAC,GAAG;IACf,OAAO,EAAE,oBAAI,CAAC,KAAK;IACnB,IAAI,EAAE,oBAAI,CAAC,IAAI;CAChB,CAAC;AACF,MAAM,SAAS,GAAG,oBAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;AAC/C,SAAgB,KAAK,CACnB,KAA4C,EAC5C,IAAuB;IAEvB,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,SAAS,GAAG,CAAC,CAAC;IACtD,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;AACzC,CAAC;AAED,SAAgB,IAAI,CAAC,IAAY;IAC/B,OAAO,oBAAI,CAAC,MAAM,CAAC,oBAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,oBAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;AAC3D,CAAC"}
+{"version":3,"file":"log.js","names":[],"sources":["../../src/utils/log.ts"],"sourcesContent":["import pico from \"picocolors\";\nconst colors = {\n  warn: pico.yellow,\n  error: pico.red,\n  success: pico.green,\n  info: pico.blue,\n};\nconst logPrefix = pico.dim(\"[vercel/sandbox]\");\nexport function write(\n  level: \"warn\" | \"error\" | \"info\" | \"success\",\n  text: string | string[],\n) {\n  text = Array.isArray(text) ? text.join(\"\\n\") : text;\n  const prefixed = text.replace(/^/gm, `${logPrefix} `);\n  console.error(colors[level](prefixed));\n}\n\nexport function code(text: string) {\n  return pico.italic(pico.dim(\"`\") + text + pico.dim(\"`\"));\n}\n"],"mappings":";;;AACA,MAAM,SAAS;CACb,MAAM,KAAK;CACX,OAAO,KAAK;CACZ,SAAS,KAAK;CACd,MAAM,KAAK;CACZ;AACD,MAAM,YAAY,KAAK,IAAI,mBAAmB;AAC9C,SAAgB,MACd,OACA,MACA;AACA,QAAO,MAAM,QAAQ,KAAK,GAAG,KAAK,KAAK,KAAK,GAAG;CAC/C,MAAM,WAAW,KAAK,QAAQ,OAAO,GAAG,UAAU,GAAG;AACrD,SAAQ,MAAM,OAAO,OAAO,SAAS,CAAC;;AAGxC,SAAgB,KAAK,MAAc;AACjC,QAAO,KAAK,OAAO,KAAK,IAAI,IAAI,GAAG,OAAO,KAAK,IAAI,IAAI,CAAC"}

package/dist/utils/network-policy.cjs

@@ -0,0 +1,65 @@
+
+//#region src/utils/network-policy.ts
+function toAPINetworkPolicy(policy) {
+	if (policy === "allow-all") return { mode: "allow-all" };
+	if (policy === "deny-all") return { mode: "deny-all" };
+	if (policy.allow && !Array.isArray(policy.allow)) {
+		const allowedDomains = Object.keys(policy.allow);
+		const injectionRules = [];
+		for (const [domain, rules] of Object.entries(policy.allow)) {
+			const merged = {};
+			for (const rule of rules) for (const t of rule.transform ?? []) Object.assign(merged, t.headers);
+			if (Object.keys(merged).length > 0) injectionRules.push({
+				domain,
+				headers: merged
+			});
+		}
+		return {
+			mode: "custom",
+			...allowedDomains.length > 0 && { allowedDomains },
+			...injectionRules.length > 0 && { injectionRules },
+			...policy.subnets?.allow && { allowedCIDRs: policy.subnets.allow },
+			...policy.subnets?.deny && { deniedCIDRs: policy.subnets.deny }
+		};
+	}
+	return {
+		mode: "custom",
+		...policy.allow && { allowedDomains: policy.allow },
+		...policy.subnets?.allow && { allowedCIDRs: policy.subnets.allow },
+		...policy.subnets?.deny && { deniedCIDRs: policy.subnets.deny }
+	};
+}
+function fromAPINetworkPolicy(api) {
+	if (api.mode === "allow-all") return "allow-all";
+	if (api.mode === "deny-all") return "deny-all";
+	const subnets = api.allowedCIDRs || api.deniedCIDRs ? { subnets: {
+		...api.allowedCIDRs && { allow: api.allowedCIDRs },
+		...api.deniedCIDRs && { deny: api.deniedCIDRs }
+	} } : void 0;
+	if (api.injectionRules && api.injectionRules.length > 0) {
+		const rulesByDomain = new Map(api.injectionRules.map((r) => [r.domain, r.headerNames ?? []]));
+		const allow = {};
+		for (const domain of api.allowedDomains ?? []) {
+			const headerNames = rulesByDomain.get(domain);
+			if (headerNames && headerNames.length > 0) allow[domain] = [{ transform: [{ headers: Object.fromEntries(headerNames.map((n) => [n, "<redacted>"])) }] }];
+			else allow[domain] = [];
+		}
+		for (const rule of api.injectionRules) if (!(rule.domain in allow)) {
+			const headers = Object.fromEntries((rule.headerNames ?? []).map((n) => [n, "<redacted>"]));
+			allow[rule.domain] = [{ transform: [{ headers }] }];
+		}
+		return {
+			allow,
+			...subnets
+		};
+	}
+	return {
+		...api.allowedDomains && { allow: api.allowedDomains },
+		...subnets
+	};
+}
+
+//#endregion
+exports.fromAPINetworkPolicy = fromAPINetworkPolicy;
+exports.toAPINetworkPolicy = toAPINetworkPolicy;
+//# sourceMappingURL=network-policy.cjs.map

package/dist/utils/network-policy.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"network-policy.cjs","names":["injectionRules: z.infer<typeof InjectionRuleValidator>[]","merged: Record<string, string>","allow: Record<string, NetworkPolicyRule[]>"],"sources":["../../src/utils/network-policy.ts"],"sourcesContent":["import { z } from \"zod\";\nimport { NetworkPolicy, NetworkPolicyRule } from \"../network-policy.js\";\nimport {\n  NetworkPolicyValidator,\n  InjectionRuleValidator,\n} from \"../api-client/validators.js\";\n\ntype APINetworkPolicy = z.infer<typeof NetworkPolicyValidator>;\n\nexport function toAPINetworkPolicy(policy: NetworkPolicy): APINetworkPolicy {\n  if (policy === \"allow-all\") return { mode: \"allow-all\" };\n  if (policy === \"deny-all\") return { mode: \"deny-all\" };\n\n  if (policy.allow && !Array.isArray(policy.allow)) {\n    const allowedDomains = Object.keys(policy.allow);\n    const injectionRules: z.infer<typeof InjectionRuleValidator>[] = [];\n\n    for (const [domain, rules] of Object.entries(policy.allow)) {\n      const merged: Record<string, string> = {};\n      for (const rule of rules) {\n        for (const t of rule.transform ?? []) {\n          Object.assign(merged, t.headers);\n        }\n      }\n      if (Object.keys(merged).length > 0) {\n        injectionRules.push({ domain, headers: merged });\n      }\n    }\n\n    return {\n      mode: \"custom\",\n      ...(allowedDomains.length > 0 && { allowedDomains }),\n      ...(injectionRules.length > 0 && { injectionRules }),\n      ...(policy.subnets?.allow && { allowedCIDRs: policy.subnets.allow }),\n      ...(policy.subnets?.deny && { deniedCIDRs: policy.subnets.deny }),\n    };\n  }\n\n  return {\n    mode: \"custom\",\n    ...(policy.allow && { allowedDomains: policy.allow }),\n    ...(policy.subnets?.allow && { allowedCIDRs: policy.subnets.allow }),\n    ...(policy.subnets?.deny && { deniedCIDRs: policy.subnets.deny }),\n  };\n}\n\nexport function fromAPINetworkPolicy(api: APINetworkPolicy): NetworkPolicy {\n  if (api.mode === \"allow-all\") return \"allow-all\";\n  if (api.mode === \"deny-all\") return \"deny-all\";\n\n  const subnets =\n    api.allowedCIDRs || api.deniedCIDRs\n      ? {\n          subnets: {\n            ...(api.allowedCIDRs && { allow: api.allowedCIDRs }),\n            ...(api.deniedCIDRs && { deny: api.deniedCIDRs }),\n          },\n        }\n      : undefined;\n\n  // If injectionRules are present, reconstruct the record form.\n  // The API returns headerNames (secret values are stripped), so we\n  // populate each header value with \"<redacted>\".\n  if (api.injectionRules && api.injectionRules.length > 0) {\n    const rulesByDomain = new Map(\n      api.injectionRules.map((r) => [r.domain, r.headerNames ?? []]),\n    );\n\n    const allow: Record<string, NetworkPolicyRule[]> = {};\n    for (const domain of api.allowedDomains ?? []) {\n      const headerNames = rulesByDomain.get(domain);\n      if (headerNames && headerNames.length > 0) {\n        const headers = Object.fromEntries(\n          headerNames.map((n) => [n, \"<redacted>\"]),\n        );\n        allow[domain] = [{ transform: [{ headers }] }];\n      } else {\n        allow[domain] = [];\n      }\n    }\n    // Include injection rules for domains not in allowedDomains\n    for (const rule of api.injectionRules) {\n      if (!(rule.domain in allow)) {\n        const headers = Object.fromEntries(\n          (rule.headerNames ?? []).map((n) => [n, \"<redacted>\"]),\n        );\n        allow[rule.domain] = [{ transform: [{ headers }] }];\n      }\n    }\n\n    return { allow, ...subnets };\n  }\n\n  return {\n    ...(api.allowedDomains && { allow: api.allowedDomains }),\n    ...subnets,\n  };\n}\n"],"mappings":";;AASA,SAAgB,mBAAmB,QAAyC;AAC1E,KAAI,WAAW,YAAa,QAAO,EAAE,MAAM,aAAa;AACxD,KAAI,WAAW,WAAY,QAAO,EAAE,MAAM,YAAY;AAEtD,KAAI,OAAO,SAAS,CAAC,MAAM,QAAQ,OAAO,MAAM,EAAE;EAChD,MAAM,iBAAiB,OAAO,KAAK,OAAO,MAAM;EAChD,MAAMA,iBAA2D,EAAE;AAEnE,OAAK,MAAM,CAAC,QAAQ,UAAU,OAAO,QAAQ,OAAO,MAAM,EAAE;GAC1D,MAAMC,SAAiC,EAAE;AACzC,QAAK,MAAM,QAAQ,MACjB,MAAK,MAAM,KAAK,KAAK,aAAa,EAAE,CAClC,QAAO,OAAO,QAAQ,EAAE,QAAQ;AAGpC,OAAI,OAAO,KAAK,OAAO,CAAC,SAAS,EAC/B,gBAAe,KAAK;IAAE;IAAQ,SAAS;IAAQ,CAAC;;AAIpD,SAAO;GACL,MAAM;GACN,GAAI,eAAe,SAAS,KAAK,EAAE,gBAAgB;GACnD,GAAI,eAAe,SAAS,KAAK,EAAE,gBAAgB;GACnD,GAAI,OAAO,SAAS,SAAS,EAAE,cAAc,OAAO,QAAQ,OAAO;GACnE,GAAI,OAAO,SAAS,QAAQ,EAAE,aAAa,OAAO,QAAQ,MAAM;GACjE;;AAGH,QAAO;EACL,MAAM;EACN,GAAI,OAAO,SAAS,EAAE,gBAAgB,OAAO,OAAO;EACpD,GAAI,OAAO,SAAS,SAAS,EAAE,cAAc,OAAO,QAAQ,OAAO;EACnE,GAAI,OAAO,SAAS,QAAQ,EAAE,aAAa,OAAO,QAAQ,MAAM;EACjE;;AAGH,SAAgB,qBAAqB,KAAsC;AACzE,KAAI,IAAI,SAAS,YAAa,QAAO;AACrC,KAAI,IAAI,SAAS,WAAY,QAAO;CAEpC,MAAM,UACJ,IAAI,gBAAgB,IAAI,cACpB,EACE,SAAS;EACP,GAAI,IAAI,gBAAgB,EAAE,OAAO,IAAI,cAAc;EACnD,GAAI,IAAI,eAAe,EAAE,MAAM,IAAI,aAAa;EACjD,EACF,GACD;AAKN,KAAI,IAAI,kBAAkB,IAAI,eAAe,SAAS,GAAG;EACvD,MAAM,gBAAgB,IAAI,IACxB,IAAI,eAAe,KAAK,MAAM,CAAC,EAAE,QAAQ,EAAE,eAAe,EAAE,CAAC,CAAC,CAC/D;EAED,MAAMC,QAA6C,EAAE;AACrD,OAAK,MAAM,UAAU,IAAI,kBAAkB,EAAE,EAAE;GAC7C,MAAM,cAAc,cAAc,IAAI,OAAO;AAC7C,OAAI,eAAe,YAAY,SAAS,EAItC,OAAM,UAAU,CAAC,EAAE,WAAW,CAAC,EAAE,SAHjB,OAAO,YACrB,YAAY,KAAK,MAAM,CAAC,GAAG,aAAa,CAAC,CAC1C,EACyC,CAAC,EAAE,CAAC;OAE9C,OAAM,UAAU,EAAE;;AAItB,OAAK,MAAM,QAAQ,IAAI,eACrB,KAAI,EAAE,KAAK,UAAU,QAAQ;GAC3B,MAAM,UAAU,OAAO,aACpB,KAAK,eAAe,EAAE,EAAE,KAAK,MAAM,CAAC,GAAG,aAAa,CAAC,CACvD;AACD,SAAM,KAAK,UAAU,CAAC,EAAE,WAAW,CAAC,EAAE,SAAS,CAAC,EAAE,CAAC;;AAIvD,SAAO;GAAE;GAAO,GAAG;GAAS;;AAG9B,QAAO;EACL,GAAI,IAAI,kBAAkB,EAAE,OAAO,IAAI,gBAAgB;EACvD,GAAG;EACJ"}

package/dist/utils/network-policy.js

@@ -1,82 +1,63 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.toAPINetworkPolicy = toAPINetworkPolicy;
-exports.fromAPINetworkPolicy = fromAPINetworkPolicy;
+//#region src/utils/network-policy.ts
 function toAPINetworkPolicy(policy) {
-    if (policy === "allow-all")
-        return { mode: "allow-all" };
-    if (policy === "deny-all")
-        return { mode: "deny-all" };
-    if (policy.allow && !Array.isArray(policy.allow)) {
-        const allowedDomains = Object.keys(policy.allow);
-        const injectionRules = [];
-        for (const [domain, rules] of Object.entries(policy.allow)) {
-            const merged = {};
-            for (const rule of rules) {
-                for (const t of rule.transform ?? []) {
-                    Object.assign(merged, t.headers);
-                }
-            }
-            if (Object.keys(merged).length > 0) {
-                injectionRules.push({ domain, headers: merged });
-            }
-        }
-        return {
-            mode: "custom",
-            ...(allowedDomains.length > 0 && { allowedDomains }),
-            ...(injectionRules.length > 0 && { injectionRules }),
-            ...(policy.subnets?.allow && { allowedCIDRs: policy.subnets.allow }),
-            ...(policy.subnets?.deny && { deniedCIDRs: policy.subnets.deny }),
-        };
-    }
-    return {
-        mode: "custom",
-        ...(policy.allow && { allowedDomains: policy.allow }),
-        ...(policy.subnets?.allow && { allowedCIDRs: policy.subnets.allow }),
-        ...(policy.subnets?.deny && { deniedCIDRs: policy.subnets.deny }),
-    };
+	if (policy === "allow-all") return { mode: "allow-all" };
+	if (policy === "deny-all") return { mode: "deny-all" };
+	if (policy.allow && !Array.isArray(policy.allow)) {
+		const allowedDomains = Object.keys(policy.allow);
+		const injectionRules = [];
+		for (const [domain, rules] of Object.entries(policy.allow)) {
+			const merged = {};
+			for (const rule of rules) for (const t of rule.transform ?? []) Object.assign(merged, t.headers);
+			if (Object.keys(merged).length > 0) injectionRules.push({
+				domain,
+				headers: merged
+			});
+		}
+		return {
+			mode: "custom",
+			...allowedDomains.length > 0 && { allowedDomains },
+			...injectionRules.length > 0 && { injectionRules },
+			...policy.subnets?.allow && { allowedCIDRs: policy.subnets.allow },
+			...policy.subnets?.deny && { deniedCIDRs: policy.subnets.deny }
+		};
+	}
+	return {
+		mode: "custom",
+		...policy.allow && { allowedDomains: policy.allow },
+		...policy.subnets?.allow && { allowedCIDRs: policy.subnets.allow },
+		...policy.subnets?.deny && { deniedCIDRs: policy.subnets.deny }
+	};
 }
 function fromAPINetworkPolicy(api) {
-    if (api.mode === "allow-all")
-        return "allow-all";
-    if (api.mode === "deny-all")
-        return "deny-all";
-    const subnets = (api.allowedCIDRs || api.deniedCIDRs)
-        ? {
-            subnets: {
-                ...(api.allowedCIDRs && { allow: api.allowedCIDRs }),
-                ...(api.deniedCIDRs && { deny: api.deniedCIDRs }),
-            },
-        }
-        : undefined;
-    // If injectionRules are present, reconstruct the record form.
-    // The API returns headerNames (secret values are stripped), so we
-    // populate each header value with "<redacted>".
-    if (api.injectionRules && api.injectionRules.length > 0) {
-        const rulesByDomain = new Map(api.injectionRules.map((r) => [r.domain, r.headerNames ?? []]));
-        const allow = {};
-        for (const domain of api.allowedDomains ?? []) {
-            const headerNames = rulesByDomain.get(domain);
-            if (headerNames && headerNames.length > 0) {
-                const headers = Object.fromEntries(headerNames.map((n) => [n, "<redacted>"]));
-                allow[domain] = [{ transform: [{ headers }] }];
-            }
-            else {
-                allow[domain] = [];
-            }
-        }
-        // Include injection rules for domains not in allowedDomains
-        for (const rule of api.injectionRules) {
-            if (!(rule.domain in allow)) {
-                const headers = Object.fromEntries((rule.headerNames ?? []).map((n) => [n, "<redacted>"]));
-                allow[rule.domain] = [{ transform: [{ headers }] }];
-            }
-        }
-        return { allow, ...subnets };
-    }
-    return {
-        ...(api.allowedDomains && { allow: api.allowedDomains }),
-        ...subnets,
-    };
+	if (api.mode === "allow-all") return "allow-all";
+	if (api.mode === "deny-all") return "deny-all";
+	const subnets = api.allowedCIDRs || api.deniedCIDRs ? { subnets: {
+		...api.allowedCIDRs && { allow: api.allowedCIDRs },
+		...api.deniedCIDRs && { deny: api.deniedCIDRs }
+	} } : void 0;
+	if (api.injectionRules && api.injectionRules.length > 0) {
+		const rulesByDomain = new Map(api.injectionRules.map((r) => [r.domain, r.headerNames ?? []]));
+		const allow = {};
+		for (const domain of api.allowedDomains ?? []) {
+			const headerNames = rulesByDomain.get(domain);
+			if (headerNames && headerNames.length > 0) allow[domain] = [{ transform: [{ headers: Object.fromEntries(headerNames.map((n) => [n, "<redacted>"])) }] }];
+			else allow[domain] = [];
+		}
+		for (const rule of api.injectionRules) if (!(rule.domain in allow)) {
+			const headers = Object.fromEntries((rule.headerNames ?? []).map((n) => [n, "<redacted>"]));
+			allow[rule.domain] = [{ transform: [{ headers }] }];
+		}
+		return {
+			allow,
+			...subnets
+		};
+	}
+	return {
+		...api.allowedDomains && { allow: api.allowedDomains },
+		...subnets
+	};
 }
+
+//#endregion
+export { fromAPINetworkPolicy, toAPINetworkPolicy };
 //# sourceMappingURL=network-policy.js.map