tslocal 0.1.0

package/ts/src/types.ts

@@ -0,0 +1,1009 @@
+// Code generated by cmd/typegen; DO NOT EDIT.
+
+import { z } from "zod";
+
+const goSlice = <T extends z.ZodTypeAny>(item: T) =>
+  z.array(item).nullish().transform(v => v ?? []);
+
+const goMap = <V extends z.ZodTypeAny>(val: V) =>
+  z.record(z.string(), val).nullish().transform(v => v ?? {});
+
+const int64 = z.union([z.number().int(), z.bigint()]).transform(v => BigInt(v));
+
+/**
+ * Location represents geographical location data about a
+ * Tailscale host. Location is optional and only set if
+ * explicitly declared by a node.
+ */
+export const LocationSchema = z.object({
+  /** User friendly country name, with proper capitalization ("Canada") */
+  Country: z.string().nullish(),
+  /** ISO 3166-1 alpha-2 in upper case ("CA") */
+  CountryCode: z.string().nullish(),
+  /** User friendly city name, with proper capitalization ("Squamish") */
+  City: z.string().nullish(),
+  /**
+   * CityCode is a short code representing the city in upper case.
+   * CityCode is used to disambiguate a city from another location
+   * with the same city name. It uniquely identifies a particular
+   * geographical location, within the tailnet.
+   * IATA, ICAO or ISO 3166-2 codes are recommended ("YSE")
+   */
+  CityCode: z.string().nullish(),
+  /**
+   * Latitude, Longitude are optional geographical coordinates of the node, in degrees.
+   * No particular accuracy level is promised; the coordinates may simply be the center of the city or country.
+   */
+  Latitude: z.number().nullish(),
+  Longitude: z.number().nullish(),
+  /**
+   * Priority determines the order of use of an exit node when a
+   * location based preference matches more than one exit node,
+   * the node with the highest priority wins. Nodes of equal
+   * probability may be selected arbitrarily.
+   * 
+   * A value of 0 means the exit node does not have a priority
+   * preference. A negative int is not allowed.
+   */
+  Priority: int64.nullish(),
+});
+export type Location = z.infer<typeof LocationSchema>;
+
+/**
+ * PeerStatus describes a peer node and its current state.
+ * WARNING: The fields in PeerStatus are merged by the AddPeer method in the StatusBuilder.
+ * When adding a new field to PeerStatus, you must update AddPeer to handle merging
+ * the new field. The AddPeer function is responsible for combining multiple updates
+ * to the same peer, and any new field that is not merged properly may lead to
+ * inconsistencies or lost data in the peer status.
+ */
+export const PeerStatusSchema = z.object({
+  ID: z.string().default(""),
+  PublicKey: z.string().default(""),
+  /** HostInfo's Hostname (not a DNS name or necessarily unique) */
+  HostName: z.string().default(""),
+  /**
+   * DNSName is the Peer's FQDN. It ends with a dot.
+   * It has the form "host.<MagicDNSSuffix>."
+   */
+  DNSName: z.string().default(""),
+  /** HostInfo.OS */
+  OS: z.string().default(""),
+  UserID: int64.default(0n),
+  /**
+   * AltSharerUserID is the user who shared this node
+   * if it's different than UserID. Otherwise it's zero.
+   */
+  AltSharerUserID: int64.nullish(),
+  /** TailscaleIPs are the IP addresses assigned to the node. */
+  TailscaleIPs: goSlice(z.string()),
+  /** AllowedIPs are IP addresses allowed to route to this node. */
+  AllowedIPs: goSlice(z.string()),
+  /**
+   * Tags are the list of ACL tags applied to this node.
+   * See tailscale.com/tailcfg#Node.Tags for more information.
+   */
+  Tags: goSlice(z.string()),
+  /**
+   * PrimaryRoutes are the routes this node is currently the primary
+   * subnet router for, as determined by the control plane. It does
+   * not include the IPs in TailscaleIPs.
+   */
+  PrimaryRoutes: goSlice(z.string()),
+  /** Endpoints: */
+  Addrs: goSlice(z.string()),
+  /** one of Addrs, or unique if roaming */
+  CurAddr: z.string().default(""),
+  /** DERP region */
+  Relay: z.string().default(""),
+  /** peer relay address (ip:port:vni) */
+  PeerRelay: z.string().default(""),
+  RxBytes: int64.default(0n),
+  TxBytes: int64.default(0n),
+  /** time registered with tailcontrol */
+  Created: z.string().default(""),
+  /** time last packet sent */
+  LastWrite: z.string().default(""),
+  /** last seen to tailcontrol; only present if offline */
+  LastSeen: z.string().default(""),
+  /** with local wireguard */
+  LastHandshake: z.string().default(""),
+  /** whether node is connected to the control plane */
+  Online: z.boolean().default(false),
+  /** true if this is the currently selected exit node. */
+  ExitNode: z.boolean().default(false),
+  /** true if this node can be an exit node (offered && approved) */
+  ExitNodeOption: z.boolean().default(false),
+  /**
+   * Active is whether the node was recently active. The
+   * definition is somewhat undefined but has historically and
+   * currently means that there was some packet sent to this
+   * peer in the past two minutes. That definition is subject to
+   * change.
+   */
+  Active: z.boolean().default(false),
+  /** PeerAPIURL are the URLs of the node's PeerAPI servers. */
+  PeerAPIURL: goSlice(z.string()),
+  /** TaildropTargetStatus represents the node's eligibility to have files shared to it. */
+  TaildropTarget: int64.default(0n),
+  /** Reason why this peer cannot receive files. Empty if CanReceiveFiles=true */
+  NoFileSharingReason: z.string().default(""),
+  /**
+   * Capabilities are capabilities that the node has.
+   * They're free-form strings, but should be in the form of URLs/URIs
+   * such as:
+   *    "https://tailscale.com/cap/is-admin"
+   *    "https://tailscale.com/cap/file-sharing"
+   *    "funnel"
+   * 
+   * Deprecated: use CapMap instead. See https://github.com/tailscale/tailscale/issues/11508
+   * Every value is Capabilities is also a key in CapMap, even if it
+   * has no values in that map.
+   */
+  Capabilities: goSlice(z.string()),
+  /** CapMap is a map of capabilities to their values. */
+  CapMap: goMap(goSlice(z.unknown())),
+  /** SSH_HostKeys are the node's SSH host keys, if known. */
+  sshHostKeys: goSlice(z.string()),
+  /**
+   * ShareeNode indicates this node exists in the netmap because
+   * it's owned by a shared-to user and that node might connect
+   * to us. These nodes should be hidden by "tailscale status"
+   * etc by default.
+   */
+  ShareeNode: z.boolean().nullish(),
+  /**
+   * InNetworkMap means that this peer was seen in our latest network map.
+   * In theory, all of InNetworkMap and InMagicSock and InEngine should all be true.
+   */
+  InNetworkMap: z.boolean().default(false),
+  /**
+   * InMagicSock means that this peer is being tracked by magicsock.
+   * In theory, all of InNetworkMap and InMagicSock and InEngine should all be true.
+   */
+  InMagicSock: z.boolean().default(false),
+  /**
+   * InEngine means that this peer is tracked by the wireguard engine.
+   * In theory, all of InNetworkMap and InMagicSock and InEngine should all be true.
+   */
+  InEngine: z.boolean().default(false),
+  /**
+   * Expired means that this peer's node key has expired, based on either
+   * information from control or optimisically set on the client if the
+   * expiration time has passed.
+   */
+  Expired: z.boolean().nullish(),
+  /**
+   * KeyExpiry, if present, is the time at which the node key expired or
+   * will expire.
+   */
+  KeyExpiry: z.string().nullish(),
+  Location: LocationSchema.nullish(),
+});
+export type PeerStatus = z.infer<typeof PeerStatusSchema>;
+
+/** ExitNodeStatus describes the current exit node. */
+export const ExitNodeStatusSchema = z.object({
+  /** ID is the exit node's ID. */
+  ID: z.string().default(""),
+  /** Online is whether the exit node is alive. */
+  Online: z.boolean().default(false),
+  /** TailscaleIPs are the exit node's IP addresses assigned to the node. */
+  TailscaleIPs: goSlice(z.string()),
+});
+export type ExitNodeStatus = z.infer<typeof ExitNodeStatusSchema>;
+
+/** TailnetStatus is information about a Tailscale network ("tailnet"). */
+export const TailnetStatusSchema = z.object({
+  /** Name is the name of the network that's currently in use. */
+  Name: z.string().default(""),
+  /**
+   * MagicDNSSuffix is the network's MagicDNS suffix for nodes
+   * in the network such as "userfoo.tailscale.net".
+   * There are no surrounding dots.
+   * MagicDNSSuffix should be populated regardless of whether a domain
+   * has MagicDNS enabled.
+   */
+  MagicDNSSuffix: z.string().default(""),
+  /**
+   * MagicDNSEnabled is whether or not the network has MagicDNS enabled.
+   * Note that the current device may still not support MagicDNS if
+   * `--accept-dns=false` was used.
+   */
+  MagicDNSEnabled: z.boolean().default(false),
+});
+export type TailnetStatus = z.infer<typeof TailnetStatusSchema>;
+
+/**
+ * A UserProfile is display-friendly data for a [User].
+ * It includes the LoginName for display purposes but *not* the Provider.
+ * It also includes derived data from one of the user's logins.
+ */
+export const UserProfileSchema = z.object({
+  ID: int64.default(0n),
+  /** "alice@smith.com"; for display purposes only (provider is not listed) */
+  LoginName: z.string().default(""),
+  /** "Alice Smith" */
+  DisplayName: z.string().default(""),
+  ProfilePicURL: z.string().nullish(),
+});
+export type UserProfile = z.infer<typeof UserProfileSchema>;
+
+/**
+ * ClientVersion is information about the latest client version that's available
+ * for the client (and whether they're already running it).
+ * 
+ * It does not include a URL to download the client, as that varies by platform.
+ */
+export const ClientVersionSchema = z.object({
+  /** RunningLatest is true if the client is running the latest build. */
+  RunningLatest: z.boolean().nullish(),
+  /**
+   * LatestVersion is the latest version.Short ("1.34.2") version available
+   * for download for the client's platform and packaging type.
+   * It won't be populated if RunningLatest is true.
+   */
+  LatestVersion: z.string().nullish(),
+  /**
+   * UrgentSecurityUpdate is set when the client is missing an important
+   * security update. That update may be in LatestVersion or earlier.
+   * UrgentSecurityUpdate should not be set if RunningLatest is false.
+   */
+  UrgentSecurityUpdate: z.boolean().nullish(),
+  /**
+   * Notify is whether the client should do an OS-specific notification about
+   * a new version being available. This should not be populated if
+   * RunningLatest is true. The client should not notify multiple times for
+   * the same LatestVersion value.
+   */
+  Notify: z.boolean().nullish(),
+  /**
+   * NotifyURL is a URL to open in the browser when the user clicks on the
+   * notification, when Notify is true.
+   */
+  NotifyURL: z.string().nullish(),
+  /** NotifyText is the text to show in the notification, when Notify is true. */
+  NotifyText: z.string().nullish(),
+});
+export type ClientVersion = z.infer<typeof ClientVersionSchema>;
+
+/** Status represents the entire state of the IPN network. */
+export const StatusSchema = z.object({
+  /** Version is the daemon's long version (see version.Long). */
+  Version: z.string().default(""),
+  /**
+   * TUN is whether /dev/net/tun (or equivalent kernel interface) is being
+   * used. If false, it's running in userspace mode.
+   */
+  TUN: z.boolean().default(false),
+  /**
+   * BackendState is an ipn.State string value:
+   *  "NoState", "NeedsLogin", "NeedsMachineAuth", "Stopped",
+   *  "Starting", "Running".
+   */
+  BackendState: z.string().default(""),
+  /** HaveNodeKey is whether the current profile has a node key configured. */
+  HaveNodeKey: z.boolean().nullish(),
+  /** current URL provided by control to authorize client */
+  AuthURL: z.string().default(""),
+  /** Tailscale IP(s) assigned to this node */
+  TailscaleIPs: goSlice(z.string()),
+  Self: PeerStatusSchema.nullish(),
+  /**
+   * ExitNodeStatus describes the current exit node.
+   * If nil, an exit node is not in use.
+   */
+  ExitNodeStatus: ExitNodeStatusSchema.nullish(),
+  /**
+   * Health contains health check problems.
+   * Empty means everything is good. (or at least that no known
+   * problems are detected)
+   */
+  Health: goSlice(z.string()),
+  /**
+   * This field is the legacy name of CurrentTailnet.MagicDNSSuffix.
+   * 
+   * Deprecated: use CurrentTailnet.MagicDNSSuffix instead.
+   */
+  MagicDNSSuffix: z.string().default(""),
+  /**
+   * CurrentTailnet is information about the tailnet that the node
+   * is currently connected to. When not connected, this field is nil.
+   */
+  CurrentTailnet: TailnetStatusSchema.nullish(),
+  /**
+   * CertDomains are the set of DNS names for which the control
+   * plane server will assist with provisioning TLS
+   * certificates. See SetDNSRequest for dns-01 ACME challenges
+   * for e.g. LetsEncrypt. These names are FQDNs without
+   * trailing periods, and without any "_acme-challenge." prefix.
+   */
+  CertDomains: goSlice(z.string()),
+  /** Peer is the state of each peer, keyed by each peer's current public key. */
+  Peer: goMap(PeerStatusSchema),
+  /**
+   * User contains profile information about UserIDs referenced by
+   * PeerStatus.UserID, PeerStatus.AltSharerUserID, etc.
+   */
+  User: goMap(UserProfileSchema),
+  /**
+   * ClientVersion, when non-nil, contains information about the latest
+   * version of the Tailscale client that's available. Depending on
+   * the platform and client settings, it may not be available.
+   */
+  ClientVersion: ClientVersionSchema.nullish(),
+});
+export type Status = z.infer<typeof StatusSchema>;
+
+/** Service represents a service running on a node. */
+export const ServiceSchema = z.object({
+  /**
+   * Proto is the type of service. It's usually the constant TCP
+   * or UDP ("tcp" or "udp"), but it can also be one of the
+   * following meta service values:
+   * 
+   *     * "peerapi4": peerapi is available on IPv4; Port is the
+   *        port number that the peerapi is running on the
+   *        node's Tailscale IPv4 address.
+   *     * "peerapi6": peerapi is available on IPv6; Port is the
+   *        port number that the peerapi is running on the
+   *        node's Tailscale IPv6 address.
+   *     * "peerapi-dns-proxy": the local peerapi service supports
+   *        being a DNS proxy (when the node is an exit
+   *        node). For this service, the Port number must only be 1.
+   */
+  Proto: z.string().default(""),
+  /**
+   * Port is the port number.
+   * 
+   * For Proto "peerapi-dns", it must be 1.
+   */
+  Port: z.number().default(0),
+  /**
+   * Description is the textual description of the service,
+   * usually the process name that's running.
+   */
+  Description: z.string().nullish(),
+});
+export type Service = z.infer<typeof ServiceSchema>;
+
+/** NetInfo contains information about the host's network state. */
+export const NetInfoSchema = z.object({
+  /**
+   * MappingVariesByDestIP says whether the host's NAT mappings
+   * vary based on the destination IP.
+   */
+  MappingVariesByDestIP: z.boolean().nullish(),
+  /** WorkingIPv6 is whether the host has IPv6 internet connectivity. */
+  WorkingIPv6: z.boolean().nullish(),
+  /**
+   * OSHasIPv6 is whether the OS supports IPv6 at all, regardless of
+   * whether IPv6 internet connectivity is available.
+   */
+  OSHasIPv6: z.boolean().nullish(),
+  /** WorkingUDP is whether the host has UDP internet connectivity. */
+  WorkingUDP: z.boolean().nullish(),
+  /**
+   * WorkingICMPv4 is whether ICMPv4 works.
+   * Empty means not checked.
+   */
+  WorkingICMPv4: z.boolean().nullish(),
+  /**
+   * HavePortMap is whether we have an existing portmap open
+   * (UPnP, PMP, or PCP).
+   */
+  HavePortMap: z.boolean().nullish(),
+  /**
+   * UPnP is whether UPnP appears present on the LAN.
+   * Empty means not checked.
+   */
+  UPnP: z.boolean().nullish(),
+  /**
+   * PMP is whether NAT-PMP appears present on the LAN.
+   * Empty means not checked.
+   */
+  PMP: z.boolean().nullish(),
+  /**
+   * PCP is whether PCP appears present on the LAN.
+   * Empty means not checked.
+   */
+  PCP: z.boolean().nullish(),
+  /**
+   * PreferredDERP is this node's preferred (home) DERP region ID.
+   * This is where the node expects to be contacted to begin a
+   * peer-to-peer connection. The node might be be temporarily
+   * connected to multiple DERP servers (to speak to other nodes
+   * that are located elsewhere) but PreferredDERP is the region ID
+   * that the node subscribes to traffic at.
+   * Zero means disconnected or unknown.
+   */
+  PreferredDERP: int64.nullish(),
+  /** LinkType is the current link type, if known. */
+  LinkType: z.string().nullish(),
+  /**
+   * DERPLatency is the fastest recent time to reach various
+   * DERP STUN servers, in seconds. The map key is the
+   * "regionID-v4" or "-v6"; it was previously the DERP server's
+   * STUN host:port.
+   * 
+   * This should only be updated rarely, or when there's a
+   * material change, as any change here also gets uploaded to
+   * the control plane.
+   */
+  DERPLatency: goMap(z.number()),
+  /**
+   * FirewallMode encodes both which firewall mode was selected and why.
+   * It is Linux-specific (at least as of 2023-08-19) and is meant to help
+   * debug iptables-vs-nftables issues. The string is of the form
+   * "{nft,ift}-REASON", like "nft-forced" or "ipt-default". Empty means
+   * either not Linux or a configuration in which the host firewall rules
+   * are not managed by tailscaled.
+   */
+  FirewallMode: z.string().nullish(),
+});
+export type NetInfo = z.infer<typeof NetInfoSchema>;
+
+/**
+ * TPMInfo contains information about a TPM 2.0 device present on a node.
+ * All fields are read from TPM_CAP_TPM_PROPERTIES, see Part 2, section 6.13 of
+ * https://trustedcomputinggroup.org/resource/tpm-library-specification/.
+ */
+export const TPMInfoSchema = z.object({
+  /**
+   * Manufacturer is a 4-letter code from section 4.1 of
+   * https://trustedcomputinggroup.org/resource/vendor-id-registry/,
+   * for example "MSFT" for Microsoft.
+   * Read from TPM_PT_MANUFACTURER.
+   */
+  Manufacturer: z.string().nullish(),
+  /**
+   * Vendor is a vendor ID string, up to 16 characters.
+   * Read from TPM_PT_VENDOR_STRING_*.
+   */
+  Vendor: z.string().nullish(),
+  /**
+   * Model is a vendor-defined TPM model.
+   * Read from TPM_PT_VENDOR_TPM_TYPE.
+   */
+  Model: int64.nullish(),
+  /**
+   * FirmwareVersion is the version number of the firmware.
+   * Read from TPM_PT_FIRMWARE_VERSION_*.
+   */
+  FirmwareVersion: int64.nullish(),
+  /**
+   * SpecRevision is the TPM 2.0 spec revision encoded as a single number. All
+   * revisions can be found at
+   * https://trustedcomputinggroup.org/resource/tpm-library-specification/.
+   * Before revision 184, TCG used the "01.83" format for revision 183.
+   */
+  SpecRevision: int64.nullish(),
+  /**
+   * FamilyIndicator is the TPM spec family, like "2.0".
+   * Read from TPM_PT_FAMILY_INDICATOR.
+   */
+  FamilyIndicator: z.string().nullish(),
+});
+export type TPMInfo = z.infer<typeof TPMInfoSchema>;
+
+/**
+ * Hostinfo contains a summary of a Tailscale host.
+ * 
+ * Because it contains pointers (slices), this type should not be used
+ * as a value type.
+ */
+export const HostinfoSchema = z.object({
+  /** version of this code (in version.Long format) */
+  IPNVersion: z.string().nullish(),
+  /** logtail ID of frontend instance */
+  FrontendLogID: z.string().nullish(),
+  /** logtail ID of backend instance */
+  BackendLogID: z.string().nullish(),
+  /** operating system the client runs on (a version.OS value) */
+  OS: z.string().nullish(),
+  /**
+   * OSVersion is the version of the OS, if available.
+   * 
+   * For Android, it's like "10", "11", "12", etc. For iOS and macOS it's like
+   * "15.6.1" or "12.4.0". For Windows it's like "10.0.19044.1889". For
+   * FreeBSD it's like "12.3-STABLE".
+   * 
+   * For Linux, prior to Tailscale 1.32, we jammed a bunch of fields into this
+   * string on Linux, like "Debian 10.4; kernel=xxx; container; env=kn" and so
+   * on. As of Tailscale 1.32, this is simply the kernel version on Linux, like
+   * "5.10.0-17-amd64".
+   */
+  OSVersion: z.string().nullish(),
+  /** best-effort whether the client is running in a container */
+  Container: z.boolean().nullish(),
+  /** a hostinfo.EnvType in string form */
+  Env: z.string().nullish(),
+  /** "debian", "ubuntu", "nixos", ... */
+  Distro: z.string().nullish(),
+  /** "20.04", ... */
+  DistroVersion: z.string().nullish(),
+  /** "jammy", "bullseye", ... */
+  DistroCodeName: z.string().nullish(),
+  /** App is used to disambiguate Tailscale clients that run using tsnet. */
+  App: z.string().nullish(),
+  /** if a desktop was detected on Linux */
+  Desktop: z.boolean().nullish(),
+  /** Tailscale package to disambiguate ("choco", "appstore", etc; "" for unknown) */
+  Package: z.string().nullish(),
+  /** mobile phone model ("Pixel 3a", "iPhone12,3") */
+  DeviceModel: z.string().nullish(),
+  /** macOS/iOS APNs device token for notifications (and Android in the future) */
+  PushDeviceToken: z.string().nullish(),
+  /** name of the host the client runs on */
+  Hostname: z.string().nullish(),
+  /** indicates whether the host is blocking incoming connections */
+  ShieldsUp: z.boolean().nullish(),
+  /** indicates this node exists in netmap because it's owned by a shared-to user */
+  ShareeNode: z.boolean().nullish(),
+  /** indicates that the user has opted out of sending logs and support */
+  NoLogsNoSupport: z.boolean().nullish(),
+  /**
+   * WireIngress indicates that the node would like to be wired up server-side
+   * (DNS, etc) to be able to use Tailscale Funnel, even if it's not currently
+   * enabled. For example, the user might only use it for intermittent
+   * foreground CLI serve sessions, for which they'd like it to work right
+   * away, even if it's disabled most of the time. As an optimization, this is
+   * only sent if IngressEnabled is false, as IngressEnabled implies that this
+   * option is true.
+   */
+  WireIngress: z.boolean().nullish(),
+  /** if the node has any funnel endpoint enabled */
+  IngressEnabled: z.boolean().nullish(),
+  /** indicates that the node has opted-in to admin-console-drive remote updates */
+  AllowsUpdate: z.boolean().nullish(),
+  /** the current host's machine type (uname -m) */
+  Machine: z.string().nullish(),
+  /** GOARCH value (of the built binary) */
+  GoArch: z.string().nullish(),
+  /** GOARM, GOAMD64, etc (of the built binary) */
+  GoArchVar: z.string().nullish(),
+  /** Go version binary was built with */
+  GoVersion: z.string().nullish(),
+  /** set of IP ranges this client can route */
+  RoutableIPs: goSlice(z.string()),
+  /** set of ACL tags this node wants to claim */
+  RequestTags: goSlice(z.string()),
+  /** MAC address(es) to send Wake-on-LAN packets to wake this node (lowercase hex w/ colons) */
+  WoLMACs: goSlice(z.string()),
+  /** services advertised by this machine */
+  Services: goSlice(ServiceSchema),
+  NetInfo: NetInfoSchema.nullish(),
+  /** if advertised */
+  sshHostKeys: goSlice(z.string()),
+  Cloud: z.string().nullish(),
+  /** if the client is running in userspace (netstack) mode */
+  Userspace: z.boolean().nullish(),
+  /** if the client's subnet router is running in userspace (netstack) mode */
+  UserspaceRouter: z.boolean().nullish(),
+  /** if the client is running the app-connector service */
+  AppConnector: z.boolean().nullish(),
+  /** opaque hash of the most recent list of tailnet services, change in hash indicates config should be fetched via c2n */
+  ServicesHash: z.string().nullish(),
+  /** the client’s selected exit node, empty when unselected. */
+  ExitNodeID: z.string().nullish(),
+  /**
+   * Location represents geographical location data about a
+   * Tailscale host. Location is optional and only set if
+   * explicitly declared by a node.
+   */
+  Location: LocationSchema.nullish(),
+  /** TPM device metadata, if available */
+  TPM: TPMInfoSchema.nullish(),
+  /**
+   * StateEncrypted reports whether the node state is stored encrypted on
+   * disk. The actual mechanism is platform-specific:
+   *   * Apple nodes use the Keychain
+   *   * Linux and Windows nodes use the TPM
+   *   * Android apps use EncryptedSharedPreferences
+   */
+  StateEncrypted: z.boolean().nullish(),
+});
+export type Hostinfo = z.infer<typeof HostinfoSchema>;
+
+/** Resolver is the configuration for one DNS resolver. */
+export const ResolverSchema = z.object({
+  /**
+   * Addr is the address of the DNS resolver, one of:
+   *  - A plain IP address for a "classic" UDP+TCP DNS resolver.
+   *    This is the common format as sent by the control plane.
+   *  - An IP:port, for tests.
+   *  - "https://resolver.com/path" for DNS over HTTPS; currently
+   *    as of 2022-09-08 only used for certain well-known resolvers
+   *    (see the publicdns package) for which the IP addresses to dial DoH are
+   *    known ahead of time, so bootstrap DNS resolution is not required.
+   *  - "http://node-address:port/path" for DNS over HTTP over WireGuard. This
+   *    is implemented in the PeerAPI for exit nodes and app connectors.
+   *  - [TODO] "tls://resolver.com" for DNS over TCP+TLS
+   */
+  Addr: z.string().nullish(),
+  /**
+   * BootstrapResolution is an optional suggested resolution for the
+   * DoT/DoH resolver, if the resolver URL does not reference an IP
+   * address directly.
+   * BootstrapResolution may be empty, in which case clients should
+   * look up the DoT/DoH server using their local "classic" DNS
+   * resolver.
+   * 
+   * As of 2022-09-08, BootstrapResolution is not yet used.
+   */
+  BootstrapResolution: goSlice(z.string()),
+  /**
+   * UseWithExitNode designates that this resolver should continue to be used when an
+   * exit node is in use. Normally, DNS resolution is delegated to the exit node but
+   * there are situations where it is preferable to still use a Split DNS server and/or
+   * global DNS server instead of the exit node.
+   */
+  UseWithExitNode: z.boolean().nullish(),
+});
+export type Resolver = z.infer<typeof ResolverSchema>;
+
+/** Node is a Tailscale device in a tailnet. */
+export const NodeSchema = z.object({
+  ID: int64.default(0n),
+  StableID: z.string().default(""),
+  /**
+   * Name is the FQDN of the node.
+   * It is also the MagicDNS name for the node.
+   * It has a trailing dot.
+   * e.g. "host.tail-scale.ts.net."
+   */
+  Name: z.string().default(""),
+  /**
+   * User is the user who created the node. If ACL tags are in use for the
+   * node then it doesn't reflect the ACL identity that the node is running
+   * as.
+   */
+  User: int64.default(0n),
+  /** Sharer, if non-zero, is the user who shared this node, if different than User. */
+  Sharer: int64.nullish(),
+  Key: z.string().default(""),
+  /** the zero value if this node does not expire */
+  KeyExpiry: z.string().nullish(),
+  KeySignature: z.string().nullish(),
+  Machine: z.string().nullish(),
+  DiscoKey: z.string().nullish(),
+  /** Addresses are the IP addresses of this Node directly. */
+  Addresses: goSlice(z.string()),
+  /**
+   * AllowedIPs are the IP ranges to route to this node.
+   * 
+   * As of CapabilityVersion 112, this may be nil (null or undefined) on the wire
+   * to mean the same as Addresses. Internally, it is always filled in with
+   * its possibly-implicit value.
+   */
+  AllowedIPs: goSlice(z.string()),
+  /** IP+port (public via STUN, and local LANs) */
+  Endpoints: goSlice(z.string()),
+  /**
+   * LegacyDERPString is this node's home LegacyDERPString region ID integer, but shoved into an
+   * IP:port string for legacy reasons. The IP address is always "127.3.3.40"
+   * (a loopback address (127) followed by the digits over the letters DERP on
+   * a QWERTY keyboard (3.3.40)). The "port number" is the home LegacyDERPString region ID
+   * integer.
+   * 
+   * Deprecated: HomeDERP has replaced this, but old servers might still send
+   * this field. See tailscale/tailscale#14636. Do not use this field in code
+   * other than in the upgradeNode func, which canonicalizes it to HomeDERP
+   * if it arrives as a LegacyDERPString string on the wire.
+   */
+  DERP: z.string().nullish(),
+  /**
+   * HomeDERP is the modern version of the DERP string field, with just an
+   * integer. The client advertises support for this as of capver 111.
+   * 
+   * HomeDERP may be zero if not (yet) known, but ideally always be non-zero
+   * for magicsock connectivity to function normally.
+   */
+  HomeDERP: int64.nullish(),
+  Hostinfo: HostinfoSchema.nullish(),
+  Created: z.string().nullish(),
+  /** if non-zero, the node's capability version; old servers might not send */
+  Cap: int64.nullish(),
+  /**
+   * Tags are the list of ACL tags applied to this node.
+   * Tags take the form of `tag:<value>` where value starts
+   * with a letter and only contains alphanumerics and dashes `-`.
+   * Some valid tag examples:
+   *   `tag:prod`
+   *   `tag:database`
+   *   `tag:lab-1`
+   */
+  Tags: goSlice(z.string()),
+  /**
+   * PrimaryRoutes are the routes from AllowedIPs that this node
+   * is currently the primary subnet router for, as determined
+   * by the control plane. It does not include the self address
+   * values from Addresses that are in AllowedIPs.
+   */
+  PrimaryRoutes: goSlice(z.string()),
+  /**
+   * LastSeen is when the node was last online. It is not
+   * updated when Online is true. It is nil if the current
+   * node doesn't have permission to know, or the node
+   * has never been online.
+   */
+  LastSeen: z.string().nullish(),
+  /**
+   * Online is whether the node is currently connected to the
+   * coordination server.  A value of nil means unknown, or the
+   * current node doesn't have permission to know.
+   */
+  Online: z.boolean().nullish(),
+  /** TODO(crawshaw): replace with MachineStatus */
+  MachineAuthorized: z.boolean().nullish(),
+  /**
+   * Capabilities are capabilities that the node has.
+   * They're free-form strings, but should be in the form of URLs/URIs
+   * such as:
+   *    "https://tailscale.com/cap/is-admin"
+   *    "https://tailscale.com/cap/file-sharing"
+   * 
+   * Deprecated: use CapMap instead. See https://github.com/tailscale/tailscale/issues/11508
+   */
+  Capabilities: goSlice(z.string()),
+  /**
+   * CapMap is a map of capabilities to their optional argument/data values.
+   * 
+   * It is valid for a capability to not have any argument/data values; such
+   * capabilities can be tested for using the HasCap method. These type of
+   * capabilities are used to indicate that a node has a capability, but there
+   * is no additional data associated with it. These were previously
+   * represented by the Capabilities field, but can now be represented by
+   * CapMap with an empty value.
+   * 
+   * See NodeCapability for more information on keys.
+   * 
+   * Metadata about nodes can be transmitted in 3 ways:
+   * 1. MapResponse.Node.CapMap describes attributes that affect behavior for
+   *    this node, such as which features have been enabled through the admin
+   *    panel and any associated configuration details.
+   * 2. MapResponse.PacketFilter(s) describes access (both IP and application
+   *    based) that should be granted to peers.
+   * 3. MapResponse.Peers[].CapMap describes attributes regarding a peer node,
+   *    such as which features the peer supports or if that peer is preferred
+   *    for a particular task vs other peers that could also be chosen.
+   */
+  CapMap: goMap(goSlice(z.unknown())),
+  /**
+   * UnsignedPeerAPIOnly means that this node is not signed nor subject to TKA
+   * restrictions. However, in exchange for that privilege, it does not get
+   * network access. It can only access this node's peerapi, which may not let
+   * it do anything. It is the tailscaled client's job to double-check the
+   * MapResponse's PacketFilter to verify that its AllowedIPs will not be
+   * accepted by the packet filter.
+   */
+  UnsignedPeerAPIOnly: z.boolean().nullish(),
+  /** MagicDNS base name (for normal non-shared-in nodes), FQDN (without trailing dot, for shared-in nodes), or Hostname (if no MagicDNS) */
+  ComputedName: z.string().nullish(),
+  /** either "ComputedName" or "ComputedName (computedHostIfDifferent)", if computedHostIfDifferent is set */
+  ComputedNameWithHost: z.string().nullish(),
+  /** DataPlaneAuditLogID is the per-node logtail ID used for data plane audit logging. */
+  DataPlaneAuditLogID: z.string().nullish(),
+  /**
+   * Expired is whether this node's key has expired. Control may send
+   * this; clients are only allowed to set this from false to true. On
+   * the client, this is calculated client-side based on a timestamp sent
+   * from control, to avoid clock skew issues.
+   */
+  Expired: z.boolean().nullish(),
+  /**
+   * SelfNodeV4MasqAddrForThisPeer is the IPv4 that this peer knows the current node as.
+   * It may be empty if the peer knows the current node by its native
+   * IPv4 address.
+   * This field is only populated in a MapResponse for peers and not
+   * for the current node.
+   * 
+   * If set, it should be used to masquerade traffic originating from the
+   * current node to this peer. The masquerade address is only relevant
+   * for this peer and not for other peers.
+   * 
+   * This only applies to traffic originating from the current node to the
+   * peer or any of its subnets. Traffic originating from subnet routes will
+   * not be masqueraded (e.g. in case of --snat-subnet-routes).
+   */
+  SelfNodeV4MasqAddrForThisPeer: z.string().nullish(),
+  /**
+   * SelfNodeV6MasqAddrForThisPeer is the IPv6 that this peer knows the current node as.
+   * It may be empty if the peer knows the current node by its native
+   * IPv6 address.
+   * This field is only populated in a MapResponse for peers and not
+   * for the current node.
+   * 
+   * If set, it should be used to masquerade traffic originating from the
+   * current node to this peer. The masquerade address is only relevant
+   * for this peer and not for other peers.
+   * 
+   * This only applies to traffic originating from the current node to the
+   * peer or any of its subnets. Traffic originating from subnet routes will
+   * not be masqueraded (e.g. in case of --snat-subnet-routes).
+   */
+  SelfNodeV6MasqAddrForThisPeer: z.string().nullish(),
+  /**
+   * IsWireGuardOnly indicates that this is a non-Tailscale WireGuard peer, it
+   * is not expected to speak Disco or DERP, and it must have Endpoints in
+   * order to be reachable.
+   */
+  IsWireGuardOnly: z.boolean().nullish(),
+  /**
+   * IsJailed indicates that this node is jailed and should not be allowed
+   * initiate connections, however outbound connections to it should still be
+   * allowed.
+   */
+  IsJailed: z.boolean().nullish(),
+  /**
+   * ExitNodeDNSResolvers is the list of DNS servers that should be used when this
+   * node is marked IsWireGuardOnly and being used as an exit node.
+   */
+  ExitNodeDNSResolvers: goSlice(ResolverSchema),
+});
+export type Node = z.infer<typeof NodeSchema>;
+
+/**
+ * TCPPortHandler describes what to do when handling a TCP
+ * connection.
+ */
+export const TCPPortHandlerSchema = z.object({
+  /**
+   * HTTPS, if true, means that tailscaled should handle this connection as an
+   * HTTPS request as configured by ServeConfig.Web.
+   * 
+   * It is mutually exclusive with TCPForward.
+   */
+  HTTPS: z.boolean().nullish(),
+  /**
+   * HTTP, if true, means that tailscaled should handle this connection as an
+   * HTTP request as configured by ServeConfig.Web.
+   * 
+   * It is mutually exclusive with TCPForward.
+   */
+  HTTP: z.boolean().nullish(),
+  /**
+   * TCPForward is the IP:port to forward TCP connections to.
+   * Whether or not TLS is terminated by tailscaled depends on
+   * TerminateTLS.
+   * 
+   * It is mutually exclusive with HTTPS.
+   */
+  TCPForward: z.string().nullish(),
+  /**
+   * TerminateTLS, if non-empty, means that tailscaled should terminate the
+   * TLS connections before forwarding them to TCPForward, permitting only the
+   * SNI name with this value. It is only used if TCPForward is non-empty.
+   * (the HTTPS mode uses ServeConfig.Web)
+   */
+  TerminateTLS: z.string().nullish(),
+  /**
+   * ProxyProtocol indicates whether to send a PROXY protocol header
+   * before forwarding the connection to TCPForward.
+   * 
+   * This is only valid if TCPForward is non-empty.
+   */
+  ProxyProtocol: int64.nullish(),
+});
+export type TCPPortHandler = z.infer<typeof TCPPortHandlerSchema>;
+
+/** HTTPHandler is either a path or a proxy to serve. */
+export const HTTPHandlerSchema = z.object({
+  /** absolute path to directory or file to serve */
+  Path: z.string().nullish(),
+  /** http://localhost:3000/, localhost:3030, 3030 */
+  Proxy: z.string().nullish(),
+  /** plaintext to serve (primarily for testing) */
+  Text: z.string().nullish(),
+  /** peer capabilities to forward in grant header, e.g. example.com/cap/mon */
+  AcceptAppCaps: goSlice(z.string()),
+  /**
+   * Redirect, if not empty, is the target URL to redirect requests to.
+   * By default, we redirect with HTTP 302 (Found) status.
+   * If Redirect starts with '<httpcode>:', then we use that status instead.
+   * 
+   * The target URL supports the following expansion variables:
+   *   - ${HOST}: replaced with the request's Host header value
+   *   - ${REQUEST_URI}: replaced with the request's full URI (path and query string)
+   */
+  Redirect: z.string().nullish(),
+});
+export type HTTPHandler = z.infer<typeof HTTPHandlerSchema>;
+
+/** WebServerConfig describes a web server's configuration. */
+export const WebServerConfigSchema = z.object({
+  /** mountPoint => handler */
+  Handlers: goMap(HTTPHandlerSchema),
+});
+export type WebServerConfig = z.infer<typeof WebServerConfigSchema>;
+
+/**
+ * ServiceConfig contains the config information for a single service.
+ * it contains a bool to indicate if the service is in Tun mode (L3 forwarding).
+ * If the service is not in Tun mode, the service is configured by the L4 forwarding
+ * (TCP ports) and/or the L7 forwarding (http handlers) information.
+ */
+export const ServiceConfigSchema = z.object({
+  /**
+   * TCP are the list of TCP port numbers that tailscaled should handle for
+   * the Tailscale IP addresses. (not subnet routers, etc)
+   */
+  TCP: goMap(TCPPortHandlerSchema),
+  /**
+   * Web maps from "$SNI_NAME:$PORT" to a set of HTTP handlers
+   * keyed by mount point ("/", "/foo", etc)
+   */
+  Web: goMap(WebServerConfigSchema),
+  /** Tun determines if the service should be using L3 forwarding (Tun mode). */
+  Tun: z.boolean().nullish(),
+});
+export type ServiceConfig = z.infer<typeof ServiceConfigSchema>;
+
+const _ServeConfigRef: z.ZodTypeAny = z.lazy(() => ServeConfigSchema);
+/**
+ * ServeConfig is the JSON type stored in the StateStore for
+ * StateKey "_serve/$PROFILE_ID" as returned by ServeConfigKey.
+ */
+export const ServeConfigSchema = z.object({
+  /**
+   * TCP are the list of TCP port numbers that tailscaled should handle for
+   * the Tailscale IP addresses. (not subnet routers, etc)
+   */
+  TCP: goMap(TCPPortHandlerSchema),
+  /**
+   * Web maps from "$SNI_NAME:$PORT" to a set of HTTP handlers
+   * keyed by mount point ("/", "/foo", etc)
+   */
+  Web: goMap(WebServerConfigSchema),
+  /**
+   * Services maps from service name (in the form "svc:dns-label") to a ServiceConfig.
+   * Which describes the L3, L4, and L7 forwarding information for the service.
+   */
+  Services: goMap(ServiceConfigSchema),
+  /**
+   * AllowFunnel is the set of SNI:port values for which funnel
+   * traffic is allowed, from trusted ingress peers.
+   */
+  AllowFunnel: goMap(z.boolean()),
+  /**
+   * Foreground is a map of an IPN Bus session ID to an alternate foreground serve config that's valid for the
+   * life of that WatchIPNBus session ID. This allows the config to specify ephemeral configs that are used
+   * in the CLI's foreground mode to ensure ungraceful shutdowns of either the client or the LocalBackend does not
+   * expose ports that users are not aware of. In practice this contains any serve config set via 'tailscale
+   * serve' command run without the '--bg' flag. ServeConfig contained by Foreground is not expected itself to contain
+   * another Foreground block.
+   */
+  Foreground: goMap(_ServeConfigRef),
+});
+export type ServeConfig = z.infer<typeof ServeConfigSchema> & {
+  /**
+   * ETag is the checksum of the serve config that's populated
+   * by the LocalClient through the HTTP ETag header during a
+   * GetServeConfig request and is translated to an If-Match header
+   * during a SetServeConfig request.
+   */
+  ETag: string;
+};
+
+/**
+ * WhoIsResponse is the JSON type returned by tailscaled debug server's /whois?ip=$IP handler.
+ * In successful whois responses, Node and UserProfile are never nil.
+ */
+export const WhoIsResponseSchema = z.object({
+  Node: NodeSchema.nullish(),
+  UserProfile: UserProfileSchema.nullish(),
+  /**
+   * CapMap is a map of capabilities to their values.
+   * See tailcfg.PeerCapMap and tailcfg.PeerCapability for details.
+   */
+  CapMap: goMap(goSlice(z.unknown())),
+});
+export type WhoIsResponse = z.infer<typeof WhoIsResponseSchema>;
+
+/** Alias for TailnetStatus for backward compatibility. */
+export const CurrentTailnetSchema = z.object({
+  Name: z.string(),
+  MagicDNSSuffix: z.string(),
+  MagicDNSEnabled: z.boolean(),
+});
+export type CurrentTailnet = z.infer<typeof CurrentTailnetSchema>;