feat: implement preferred port allocation and per-address enable/disable

- Add AvailablePorts::try_alloc() with SSL tracking (BTreeMap<u16, bool>)
- Add DerivedAddressInfo on BindInfo with private_disabled/public_enabled/possible sets
- Add Bindings wrapper with Map impl for patchdb indexed access
- Flatten HostAddress from single-variant enum to struct
- Replace set-gateway-enabled RPC with set-address-enabled
- Remove hostname_info from Host; computed addresses now in BindInfo.addresses.possible
- Compute possible addresses inline in NetServiceData::update()
- Update DB migration, SDK types, frontend, and container-runtime

sdk/base/lib/osBindings/BindInfo.ts

@@ -1,5 +1,11 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
 import type { BindOptions } from './BindOptions'
+import type { DerivedAddressInfo } from './DerivedAddressInfo'
 import type { NetInfo } from './NetInfo'
 
-export type BindInfo = { enabled: boolean; options: BindOptions; net: NetInfo }
+export type BindInfo = {
+  enabled: boolean
+  options: BindOptions
+  net: NetInfo
+  addresses: DerivedAddressInfo
+}

sdk/base/lib/osBindings/BindingSetAddressEnabledParams.ts

@@ -1,8 +1,7 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { GatewayId } from './GatewayId'
 
-export type BindingGatewaySetEnabledParams = {
+export type BindingSetAddressEnabledParams = {
   internalPort: number
-  gateway: GatewayId
+  address: string
   enabled: boolean | null
 }

sdk/base/lib/osBindings/Bindings.ts

@@ -0,0 +1,4 @@
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { BindInfo } from './BindInfo'
+
+export type Bindings = { [key: number]: BindInfo }

sdk/base/lib/osBindings/DerivedAddressInfo.ts

@@ -0,0 +1,17 @@
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { HostnameInfo } from './HostnameInfo'
+
+export type DerivedAddressInfo = {
+  /**
+   * User-controlled: private-gateway addresses the user has disabled
+   */
+  privateDisabled: Array<HostnameInfo>
+  /**
+   * User-controlled: public-gateway addresses the user has enabled
+   */
+  publicEnabled: Array<HostnameInfo>
+  /**
+   * COMPUTED: NetServiceData::update — all possible addresses for this binding
+   */
+  possible: Array<HostnameInfo>
+}

sdk/base/lib/osBindings/Host.ts

@@ -1,14 +1,9 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { BindInfo } from './BindInfo'
-import type { HostnameInfo } from './HostnameInfo'
+import type { Bindings } from './Bindings'
 import type { PublicDomainConfig } from './PublicDomainConfig'
 
 export type Host = {
-  bindings: { [key: number]: BindInfo }
+  bindings: Bindings
   publicDomains: { [key: string]: PublicDomainConfig }
   privateDomains: Array<string>
-  /**
-   * COMPUTED: NetService::update
-   */
-  hostnameInfo: { [key: number]: Array<HostnameInfo> }
 }

sdk/base/lib/osBindings/NetInfo.ts

@@ -1,9 +1,6 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { GatewayId } from './GatewayId'
 
 export type NetInfo = {
-  privateDisabled: Array<GatewayId>
-  publicEnabled: Array<GatewayId>
   assignedPort: number | null
   assignedSslPort: number | null
 }

sdk/base/lib/osBindings/index.ts

@@ -36,7 +36,8 @@ export { BackupTargetFS } from './BackupTargetFS'
 export { Base64 } from './Base64'
 export { BindId } from './BindId'
 export { BindInfo } from './BindInfo'
-export { BindingGatewaySetEnabledParams } from './BindingGatewaySetEnabledParams'
+export { BindingSetAddressEnabledParams } from './BindingSetAddressEnabledParams'
+export { Bindings } from './Bindings'
 export { BindOptions } from './BindOptions'
 export { BindParams } from './BindParams'
 export { Blake3Commitment } from './Blake3Commitment'
@@ -64,6 +65,7 @@ export { Dependencies } from './Dependencies'
 export { DependencyMetadata } from './DependencyMetadata'
 export { DependencyRequirement } from './DependencyRequirement'
 export { DepInfo } from './DepInfo'
+export { DerivedAddressInfo } from './DerivedAddressInfo'
 export { Description } from './Description'
 export { DesiredStatus } from './DesiredStatus'
 export { DestroySubcontainerFsParams } from './DestroySubcontainerFsParams'

sdk/base/lib/util/getServiceInterface.ts

@@ -1,6 +1,12 @@
 import { PackageId, ServiceInterfaceId, ServiceInterfaceType } from '../types'
 import { knownProtocols } from '../interfaces/Host'
-import { AddressInfo, Host, Hostname, HostnameInfo } from '../types'
+import {
+  AddressInfo,
+  DerivedAddressInfo,
+  Host,
+  Hostname,
+  HostnameInfo,
+} from '../types'
 import { Effects } from '../Effects'
 import { DropGenerator, DropPromise } from './Drop'
 import { IpAddress, IPV6_LINK_LOCAL } from './ip'
@@ -220,6 +226,14 @@ function filterRec(
   return hostnames
 }
 
+function enabledAddresses(addr: DerivedAddressInfo): HostnameInfo[] {
+  return addr.possible.filter((h) =>
+    h.public
+      ? addr.publicEnabled.some((e) => deepEqual(e, h))
+      : !addr.privateDisabled.some((d) => deepEqual(d, h)),
+  )
+}
+
 export const filledAddress = (
   host: Host,
   addressInfo: AddressInfo,
@@ -229,7 +243,8 @@ export const filledAddress = (
     const u = toUrls(h)
     return [u.url, u.sslUrl].filter((u) => u !== null)
   }
-  const hostnames = host.hostnameInfo[addressInfo.internalPort] ?? []
+  const binding = host.bindings[addressInfo.internalPort]
+  const hostnames = binding ? enabledAddresses(binding.addresses) : []
 
   function filledAddressFromHostnames<F extends Filter>(
     hostnames: HostnameInfo[],