Merge pull request #2969 from murgatroid99/debugging_example

Add debugging example

examples/debugging/README.md

@@ -0,0 +1,27 @@
+# Debugging
+
+Currently, grpc provides two major tools to help user debug issues, which are logging and channelz.
+
+## Logs
+
+gRPC has put substantial logging instruments on critical paths of gRPC to help users debug issues. The [Environment Variables](https://github.com/grpc/grpc-node/blob/master/doc/environment_variables.md) doc describes the environment variables that control debug logging.
+
+To enable full debug logging, run the code with the following environment variables: `GRPC_TRACE=all GRPC_VERBOSITY=DEBUG`.
+
+## Channelz
+
+We also provide a runtime debugging tool, Channelz, to help users with live debugging.
+
+See the channelz blog post here ([link](https://grpc.io/blog/a-short-introduction-to-channelz/)) for details about how to use channelz service to debug live program.
+
+## Try it
+
+The example is able to showcase how logging and channelz can help with debugging. See the channelz blog post linked above for full explanation.
+
+```
+node server.js
+```
+
+```
+node client.js
+```

examples/debugging/client.js

@@ -0,0 +1,97 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+const grpc = require('@grpc/grpc-js');
+const protoLoader = require('@grpc/proto-loader');
+const parseArgs = require('minimist');
+
+var PROTO_PATH = __dirname + '/../protos/helloworld.proto';
+
+const packageDefinition = protoLoader.loadSync(
+  PROTO_PATH,
+  {keepCase: true,
+   longs: String,
+   enums: String,
+   defaults: true,
+   oneofs: true
+  });
+var helloProto = grpc.loadPackageDefinition(packageDefinition).helloworld;
+
+function serverBindPort(server, port) {
+  return new Promise((resolve, reject) => {
+    server.bindAsync(port, grpc.ServerCredentials.createInsecure(), (error, port) => {
+      if (error) {
+        reject(error);
+      } else {
+        resolve(port);
+      }
+    })
+  });
+}
+
+const addressString = 'ipv4:///127.0.0.1:10001,127.0.0.1:10002,127.0.0.1:10003';
+
+function callSayHello(client, name) {
+  return new Promise((resolve, reject) => {
+    const deadline = new Date();
+    deadline.setMilliseconds(deadline.getMilliseconds() + 150);
+    client.sayHello({name}, {deadline}, (error, response) => {
+      if (error) {
+        reject(error);
+      } else {
+        resolve(response);
+      }
+    });
+  });
+}
+
+async function main() {
+  const argv = parseArgs(process.argv.slice(2), {
+    string: ['addr', 'name'],
+    default: {addr: 'localhost:50051', name: 'world'}
+  });
+
+  // Set up the server serving channelz service.
+  const channelzServer = new grpc.Server();
+  grpc.addAdminServicesToServer(channelzServer);
+  await serverBindPort(channelzServer, argv.addr);
+
+  const roundRobinServiceConfig = {
+    methodConfig: [],
+    loadBalancingConfig: [{ round_robin: {} }]
+  };
+  const client = new helloProto.Greeter(addressString, grpc.credentials.createInsecure(), {'grpc.service_config': JSON.stringify(roundRobinServiceConfig)});
+
+  // Contact the server and print out its response
+
+  // Make 100 SayHello RPCs
+  for (let i = 0; i < 100; i++) {
+    try {
+      const response = await callSayHello(client, argv.name);
+      console.log(`Greeting: ${response.message}`);
+    } catch (e) {
+      console.log(`could not greet: ${e.message}`);
+    }
+  }
+
+  // Unless you exit the program (e.g. CTRL+C), channelz data will be available for querying.
+	// Users can take time to examine and learn about the info provided by channelz.
+  setInterval(() => {}, 10000);
+}
+
+main();

examples/debugging/server.js

@@ -0,0 +1,79 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+const grpc = require('@grpc/grpc-js');
+const protoLoader = require('@grpc/proto-loader');
+
+var PROTO_PATH = __dirname + '/../protos/helloworld.proto';
+
+const packageDefinition = protoLoader.loadSync(
+  PROTO_PATH,
+  {keepCase: true,
+   longs: String,
+   enums: String,
+   defaults: true,
+   oneofs: true
+  });
+var helloProto = grpc.loadPackageDefinition(packageDefinition).helloworld;
+
+const greeterImplementation = {
+  sayHello: (call, callback) => {
+    callback(null, { message: `Hello ${call.request.name}`});
+  }
+};
+
+const slowGreeterImplementation = {
+  sayHello: (call, callback) => {
+    const waitTimeMs = 100 + (Math.random() * 100)|0;
+    setTimeout(() => {
+      callback(null, { message: `Hello ${call.request.name}`});
+    }, waitTimeMs);
+  }
+}
+
+function serverBindPort(server, port) {
+  return new Promise((resolve, reject) => {
+    server.bindAsync(`0.0.0.0:${port}`, grpc.ServerCredentials.createInsecure(), (error, port) => {
+      if (error) {
+        reject(error);
+      } else {
+        resolve(port);
+      }
+    })
+  });
+}
+
+async function main() {
+  const channelzServer = new grpc.Server();
+  grpc.addAdminServicesToServer(channelzServer);
+  await serverBindPort(channelzServer, 50052);
+
+  const server1 = new grpc.Server();
+  server1.addService(helloProto.Greeter.service, greeterImplementation);
+  await serverBindPort(server1, 10001);
+
+  const server2 = new grpc.Server();
+  server2.addService(helloProto.Greeter.service, greeterImplementation);
+  await serverBindPort(server2, 10002);
+
+  const server3 = new grpc.Server();
+  server3.addService(helloProto.Greeter.service, slowGreeterImplementation);
+  await serverBindPort(server3, 10003);
+}
+
+main();

examples/load_balancing/README.md

@@ -0,0 +1,57 @@
+# Load balancing
+
+This examples shows how `Client` can pick different load balancing policies.
+
+## Try it
+
+```
+node server.js
+```
+
+```
+node client.js
+```
+
+## Explanation
+
+Two echo servers are serving on "0.0.0.0:50051" and "0.0.0.0:50052". They will include their serving address in the response. So the server on "0.0.0.0:50051" will reply to the RPC with this is examples/load_balancing (from 0.0.0.0:50051).
+
+Two clients are created, to connect to both of these servers. Each client picks a different load balancer (using the `grpc.service_config` option): `pick_first` or `round_robin`.
+
+Note that balancers can also be switched using service config, which allows service owners (instead of client owners) to pick the balancer to use. Service config doc is available at https://github.com/grpc/grpc/blob/master/doc/service_config.md.
+
+### pick_first
+
+The first client is configured to use `pick_first`. `pick_first` tries to connect to the first address, uses it for all RPCs if it connects, or try the next address if it fails (and keep doing that until one connection is successful). Because of this, all the RPCs will be sent to the same backend. The responses received all show the same backend address.
+
+```
+this is examples/load_balancing (from 0.0.0.0:50051)
+this is examples/load_balancing (from 0.0.0.0:50051)
+this is examples/load_balancing (from 0.0.0.0:50051)
+this is examples/load_balancing (from 0.0.0.0:50051)
+this is examples/load_balancing (from 0.0.0.0:50051)
+this is examples/load_balancing (from 0.0.0.0:50051)
+this is examples/load_balancing (from 0.0.0.0:50051)
+this is examples/load_balancing (from 0.0.0.0:50051)
+this is examples/load_balancing (from 0.0.0.0:50051)
+this is examples/load_balancing (from 0.0.0.0:50051)
+```
+
+### round_robin
+
+The second client is configured to use `round_robin`. `round_robin` connects to all the addresses it sees, and sends an RPC to each backend one at a time in order. E.g. the first RPC will be sent to backend-1, the second RPC will be sent to backend-2, and the third RPC will be sent to backend-1 again.
+
+```
+this is examples/load_balancing (from 0.0.0.0:50051)
+this is examples/load_balancing (from 0.0.0.0:50051)
+this is examples/load_balancing (from 0.0.0.0:50052)
+this is examples/load_balancing (from 0.0.0.0:50051)
+this is examples/load_balancing (from 0.0.0.0:50052)
+this is examples/load_balancing (from 0.0.0.0:50051)
+this is examples/load_balancing (from 0.0.0.0:50052)
+this is examples/load_balancing (from 0.0.0.0:50051)
+this is examples/load_balancing (from 0.0.0.0:50052)
+this is examples/load_balancing (from 0.0.0.0:50051)
+```
+
+Note that it's possible to see two consecutive RPC sent to the same backend. That's because `round_robin` only picks the connections ready for RPCs. So if one of the two connections is not ready for some reason, all RPCs will be sent to the ready connection.

examples/load_balancing/client.js

@@ -0,0 +1,75 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+const grpc = require('@grpc/grpc-js');
+const protoLoader = require('@grpc/proto-loader');
+
+const PROTO_PATH = __dirname + '/../protos/echo.proto';
+
+const packageDefinition = protoLoader.loadSync(
+  PROTO_PATH,
+  {keepCase: true,
+   longs: String,
+   enums: String,
+   defaults: true,
+   oneofs: true
+  });
+const echoProto = grpc.loadPackageDefinition(packageDefinition).grpc.examples.echo;
+
+const addressString = 'ipv4:///127.0.0.1:50051,127.0.0.1:50052';
+
+function callUnaryEcho(client, message) {
+  return new Promise((resolve, reject) => {
+    const deadline = new Date();
+    deadline.setSeconds(deadline.getSeconds() + 1);
+    client.unaryEcho({message}, {deadline}, (error, response) => {
+      if (error) {
+        reject(error);
+      } else {
+        console.log(response.message);
+        resolve(response);
+      }
+    });
+  });
+}
+
+async function makeRPCs(client, count) {
+  for (let i = 0; i < count; i++) {
+    await callUnaryEcho(client, "this is examples/load_balancing");
+  }
+}
+
+async function main() {
+  // "pick_first" is the default, so there's no need to set the load balancing policy.
+  const pickFirstClient = new echoProto.Echo(addressString, grpc.credentials.createInsecure());
+  console.log("--- calling helloworld.Greeter/SayHello with pick_first ---");
+  await makeRPCs(pickFirstClient, 10);
+  console.log();
+
+  const roundRobinServiceConfig = {
+    methodConfig: [],
+    loadBalancingConfig: [{ round_robin: {} }]
+  };
+  const roundRobinClient = new echoProto.Echo(addressString, grpc.credentials.createInsecure(), {'grpc.service_config': JSON.stringify(roundRobinServiceConfig)});
+  console.log("--- calling helloworld.Greeter/SayHello with round_robin ---");
+  await makeRPCs(roundRobinClient, 10);
+  pickFirstClient.close();
+  roundRobinClient.close();
+}
+
+main();

examples/load_balancing/server.js

@@ -0,0 +1,60 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+const grpc = require('@grpc/grpc-js');
+const protoLoader = require('@grpc/proto-loader');
+
+const PROTO_PATH = __dirname + '/../protos/echo.proto';
+
+const packageDefinition = protoLoader.loadSync(
+  PROTO_PATH,
+  {keepCase: true,
+   longs: String,
+   enums: String,
+   defaults: true,
+   oneofs: true
+  });
+const echoProto = grpc.loadPackageDefinition(packageDefinition).grpc.examples.echo;
+
+function startServer(address) {
+  return new Promise((resolve, reject) => {
+    const server = new grpc.Server();
+    server.addService(echoProto.Echo.service, {
+      unaryEcho: (call, callback) => {
+        callback(null, {message: `${call.request.message} (from ${address})`});
+      }
+    });
+    server.bindAsync(address, grpc.ServerCredentials.createInsecure(), (error, port) => {
+      if (error) {
+        reject(error);
+      } else {
+        resolve(server);
+      }
+    });
+  });
+}
+
+const addresses = ['0.0.0.0:50051', '0.0.0.0:50052'];
+
+async function main() {
+  for (const address of addresses) {
+    await startServer(address)
+  }
+}
+
+main();

packages/grpc-health-check/proto/health/v1/health.proto

@@ -25,6 +25,13 @@ option java_multiple_files = true;
 option java_outer_classname = "HealthProto";
 option java_package = "io.grpc.health.v1";
 
+message HealthListRequest {}
+
+message HealthListResponse {
+  // statuses contains all the services and their respective status.
+  map<string, HealthCheckResponse> statuses = 1;
+}
+
 message HealthCheckRequest {
   string service = 1;
 }
@@ -70,4 +77,17 @@ service Health {
   // call.  If the call terminates with any other status (including OK),
   // clients should retry the call with appropriate exponential backoff.
   rpc Watch(HealthCheckRequest) returns (stream HealthCheckResponse);
+
+  // List provides a non-atomic snapshot of the health of all the available
+  // services.
+  //
+  // The server may respond with a RESOURCE_EXHAUSTED error if too many services
+  // exist.
+  //
+  // Clients should set a deadline when calling List, and can declare the server
+  // unhealthy if they do not receive a timely response.
+  //
+  // Clients should keep in mind that the list of health services exposed by an
+  // application can change over the lifetime of the process.
+  rpc List(HealthListRequest) returns (HealthListResponse);
 }

packages/grpc-js-xds/README.md

@@ -1,6 +1,6 @@
 # @grpc/grpc-js xDS plugin
 
-This package provides support for the `xds://` URL scheme to the `@grpc/grpc-js` library. The latest version of this package is compatible with `@grpc/grpc-js` version 1.10.x.
+This package provides support for the `xds://` URL scheme to the `@grpc/grpc-js` library. The latest version of this package is compatible with `@grpc/grpc-js` version 1.13.x.
 
 ## Installation
 
@@ -36,3 +36,4 @@ const client = new MyServiceClient('xds:///example.com:123');
  - [xDS Ring Hash LB Policy](https://github.com/grpc/proposal/blob/master/A42-xds-ring-hash-lb-policy.md)
  - [`pick_first` via xDS](https://github.com/grpc/proposal/blob/master/A62-pick-first.md#pick_first-via-xds-1) (Currently experimental, enabled by environment variable `GRPC_EXPERIMENTAL_PICKFIRST_LB_CONFIG`)
  - [xDS-Enabled Servers](https://github.com/grpc/proposal/blob/master/A36-xds-for-servers.md)
+ - [xDS-Based Security for gRPC Clients and Servers](https://github.com/grpc/proposal/blob/master/A29-xds-tls-security.md)

packages/grpc-js-xds/gulpfile.ts

@@ -71,6 +71,7 @@ const copyTestFixtures = checkTask(() =>
 const runTests = checkTask(() => {
   process.env.GRPC_EXPERIMENTAL_XDS_FEDERATION = 'true';
   process.env.GRPC_EXPERIMENTAL_PICKFIRST_LB_CONFIG = 'true';
+  process.env.GRPC_XDS_EXPERIMENTAL_RBAC = 'true';
   if (Number(process.versions.node.split('.')[0]) <= 14) {
     process.env.GRPC_XDS_EXPERIMENTAL_ENABLE_RING_HASH = 'false';
   }

packages/grpc-js-xds/interop/test-client.Dockerfile

@@ -42,7 +42,7 @@ COPY --from=build /node/src/grpc-node/packages/grpc-js ./packages/grpc-js/
 COPY --from=build /node/src/grpc-node/packages/grpc-js-xds ./packages/grpc-js-xds/
 
 ENV GRPC_VERBOSITY="DEBUG"
-ENV GRPC_TRACE=xds_client,xds_resolver,xds_cluster_manager,cds_balancer,xds_cluster_resolver,xds_cluster_impl,priority,weighted_target,round_robin,resolving_load_balancer,subchannel,keepalive,dns_resolver,fault_injection,http_filter,csds,outlier_detection,server,server_call,ring_hash
+ENV GRPC_TRACE=xds_client,xds_resolver,xds_cluster_manager,cds_balancer,xds_cluster_resolver,xds_cluster_impl,priority,weighted_target,round_robin,resolving_load_balancer,subchannel,keepalive,dns_resolver,fault_injection,http_filter,csds,outlier_detection,server,server_call,ring_hash,transport,certificate_provider,xds_channel_credentials
 ENV NODE_XDS_INTEROP_VERBOSITY=1
 
 ENTRYPOINT [ "/nodejs/bin/node", "/node/src/grpc-node/packages/grpc-js-xds/build/interop/xds-interop-client" ]

packages/grpc-js-xds/interop/test-server.Dockerfile

@@ -46,7 +46,7 @@ COPY --from=build /node/src/grpc-node/packages/grpc-js ./packages/grpc-js/
 COPY --from=build /node/src/grpc-node/packages/grpc-js-xds ./packages/grpc-js-xds/
 
 ENV GRPC_VERBOSITY="DEBUG"
-ENV GRPC_TRACE=xds_client,server,xds_server
+ENV GRPC_TRACE=xds_client,server,xds_server,http_filter,certificate_provider,rbac_filter
 
 # tini serves as PID 1 and enables the server to properly respond to signals.
 COPY --from=build /tini /tini

packages/grpc-js-xds/interop/xds-interop-client.ts

@@ -41,6 +41,7 @@ import PickResult = grpc.experimental.PickResult;
 import PickResultType = grpc.experimental.PickResultType;
 import createChildChannelControlHelper = grpc.experimental.createChildChannelControlHelper;
 import parseLoadBalancingConfig = grpc.experimental.parseLoadBalancingConfig;
+import StatusOr = grpc.experimental.StatusOr;
 import { ChannelOptions } from '@grpc/grpc-js';
 
 grpc_xds.register();
@@ -100,12 +101,12 @@ class RpcBehaviorLoadBalancer implements LoadBalancer {
     });
     this.child = new ChildLoadBalancerHandler(childChannelControlHelper);
   }
-  updateAddressList(endpointList: Endpoint[], lbConfig: TypedLoadBalancingConfig, options: ChannelOptions): void {
+  updateAddressList(endpointList: StatusOr<Endpoint[]>, lbConfig: TypedLoadBalancingConfig, options: ChannelOptions, resolutionNote: string): boolean {
     if (!(lbConfig instanceof RpcBehaviorLoadBalancingConfig)) {
-      return;
+      return false;
     }
     this.latestConfig = lbConfig;
-    this.child.updateAddressList(endpointList, RPC_BEHAVIOR_CHILD_CONFIG, options);
+    return this.child.updateAddressList(endpointList, RPC_BEHAVIOR_CHILD_CONFIG, options, resolutionNote);
   }
   exitIdle(): void {
     this.child.exitIdle();
@@ -519,7 +520,9 @@ function main() {
      * channels do not share any subchannels. It does not have any
      * inherent function. */
     console.log(`Interop client channel ${i} starting sending ${argv.qps} QPS to ${argv.server}`);
-    sendConstantQps(new loadedProto.grpc.testing.TestService(argv.server, grpc.credentials.createInsecure(), {'unique': i}),
+    const insecureCreds = grpc.credentials.createInsecure();
+    const creds = new grpc_xds.XdsChannelCredentials(insecureCreds);
+    sendConstantQps(new loadedProto.grpc.testing.TestService(argv.server, creds, {'unique': i}),
       argv.qps,
       argv.fail_on_failed_rpcs === 'true',
       callStatsTracker);

packages/grpc-js-xds/interop/xds-interop-server.ts

@@ -30,6 +30,8 @@ import { SimpleRequest__Output } from './generated/grpc/testing/SimpleRequest';
 import { SimpleResponse } from './generated/grpc/testing/SimpleResponse';
 import { ReflectionService } from '@grpc/reflection';
 
+grpc_xds.register();
+
 const packageDefinition = protoLoader.loadSync('grpc/testing/test.proto', {
   keepCase: true,
   defaults: true,
@@ -158,6 +160,10 @@ function adminServiceInterceptor(methodDescriptor: grpc.ServerMethodDefinition<a
   const responder: grpc.Responder = {
     start: next => {
       next(listener);
+    },
+    sendMessage: (message, next) => {
+      console.log(`Responded to request to method ${methodDescriptor.path}: ${JSON.stringify(message)}`);
+      next(message);
     }
   };
   return new grpc.ServerInterceptingCall(call, responder);
@@ -228,11 +234,10 @@ function getIPv6Addresses(): string[] {
 
 async function main() {
   const argv = yargs
-    .string(['port', 'maintenance_port', 'address_type'])
-    .boolean(['secure_mode'])
+    .string(['port', 'maintenance_port', 'address_type', 'secure_mode'])
     .demandOption(['port'])
     .default('address_type', 'IPV4_IPV6')
-    .default('secure_mode', false)
+    .default('secure_mode', 'false')
     .parse()
     console.log('Starting xDS interop server. Args: ', argv);
   const healthImpl = new HealthImplementation({'': 'NOT_SERVING'});
@@ -250,7 +255,8 @@ async function main() {
     services: ['grpc.testing.TestService']
   })
   const addressType = argv.address_type.toUpperCase();
-  if (argv.secure_mode) {
+  const secureMode = argv.secure_mode.toLowerCase() == 'true';
+  if (secureMode) {
     if (addressType !== 'IPV4_IPV6') {
       throw new Error('Secure mode only supports IPV4_IPV6 address type');
     }
@@ -265,7 +271,7 @@ async function main() {
     const xdsCreds = new grpc_xds.XdsServerCredentials(grpc.ServerCredentials.createInsecure());
     await Promise.all([
       serverBindPromise(maintenanceServer, `[::]:${argv.maintenance_port}`, grpc.ServerCredentials.createInsecure()),
-      serverBindPromise(server, `[::]:${argv.port}`, xdsCreds)
+      serverBindPromise(server, `0.0.0.0:${argv.port}`, xdsCreds)
     ]);
   } else {
     const server = new grpc.Server({interceptors: [unifiedInterceptor]});

packages/grpc-js-xds/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@grpc/grpc-js-xds",
-  "version": "1.12.0",
+  "version": "1.13.0",
   "description": "Plugin for @grpc/grpc-js. Adds the xds:// URL scheme and associated features.",
   "main": "build/src/index.js",
   "scripts": {
@@ -12,7 +12,7 @@
     "prepare": "npm run generate-types && npm run compile",
     "pretest": "npm run compile",
     "posttest": "npm run check",
-    "generate-types": "proto-loader-gen-types --keepCase --longs String --enums String --defaults --oneofs --includeComments --includeDirs deps/envoy-api/ deps/xds/ deps/googleapis/ deps/protoc-gen-validate/ -O src/generated/ --grpcLib @grpc/grpc-js envoy/service/discovery/v3/ads.proto envoy/service/load_stats/v3/lrs.proto envoy/config/listener/v3/listener.proto envoy/config/route/v3/route.proto envoy/config/cluster/v3/cluster.proto envoy/config/endpoint/v3/endpoint.proto envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto udpa/type/v1/typed_struct.proto xds/type/v3/typed_struct.proto envoy/extensions/filters/http/fault/v3/fault.proto envoy/service/status/v3/csds.proto envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto envoy/extensions/clusters/aggregate/v3/cluster.proto envoy/extensions/transport_sockets/tls/v3/tls.proto",
+    "generate-types": "proto-loader-gen-types --keepCase --longs String --enums String --defaults --oneofs --includeComments --includeDirs deps/envoy-api/ deps/xds/ deps/googleapis/ deps/protoc-gen-validate/ -O src/generated/ --grpcLib @grpc/grpc-js envoy/service/discovery/v3/ads.proto envoy/service/load_stats/v3/lrs.proto envoy/config/listener/v3/listener.proto envoy/config/route/v3/route.proto envoy/config/cluster/v3/cluster.proto envoy/config/endpoint/v3/endpoint.proto envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto udpa/type/v1/typed_struct.proto xds/type/v3/typed_struct.proto envoy/extensions/filters/http/fault/v3/fault.proto envoy/service/status/v3/csds.proto envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto envoy/extensions/clusters/aggregate/v3/cluster.proto envoy/extensions/transport_sockets/tls/v3/tls.proto envoy/config/rbac/v3/rbac.proto envoy/extensions/filters/http/rbac/v3/rbac.proto",
     "generate-interop-types": "proto-loader-gen-types --keep-case --longs String --enums String --defaults --oneofs --json --includeComments --includeDirs proto/ -O interop/generated --grpcLib @grpc/grpc-js grpc/testing/test.proto",
     "generate-test-types": "proto-loader-gen-types --keep-case --longs String --enums String --defaults --oneofs --json --includeComments --includeDirs proto/ -O test/generated --grpcLib @grpc/grpc-js grpc/testing/echo.proto"
   },
@@ -55,7 +55,7 @@
     "xxhash-wasm": "^1.0.2"
   },
   "peerDependencies": {
-    "@grpc/grpc-js": "~1.12.0"
+    "@grpc/grpc-js": "~1.13.0"
   },
   "engines": {
     "node": ">=10.10.0"

packages/grpc-js-xds/scripts/xds.sh

@@ -40,6 +40,12 @@ npm install
 cd $base/../grpc-js
 npm install
 
+cd $base/../grpc-health-check
+npm install
+
+cd $base/../grpc-reflection
+npm install
+
 # grpc-js-xds has a dev dependency on "../grpc-js", so it should pull that in automatically
 cd $base
 git submodule update --init --recursive

packages/grpc-js-xds/src/environment.ts

@@ -27,3 +27,4 @@ export const EXPERIMENTAL_RING_HASH = (process.env.GRPC_XDS_EXPERIMENTAL_ENABLE_
 export const EXPERIMENTAL_PICK_FIRST = (process.env.GRPC_EXPERIMENTAL_PICKFIRST_LB_CONFIG ?? 'false') === 'true';
 export const EXPERIMENTAL_DUALSTACK_ENDPOINTS = (process.env.GRPC_EXPERIMENTAL_XDS_DUALSTACK_ENDPOINTS ?? 'true') === 'true';
 export const AGGREGATE_CLUSTER_BACKWARDS_COMPAT = (process.env.GRPC_XDS_AGGREGATE_CLUSTER_BACKWARD_COMPAT ?? 'false') === 'true';
+export const EXPERIMENTAL_RBAC = (process.env.GRPC_XDS_EXPERIMENTAL_RBAC ?? 'false') === 'true';

packages/grpc-js-xds/src/generated/envoy/config/accesslog/v3/AccessLog.ts

@@ -34,5 +34,5 @@ export interface AccessLog__Output {
    * Custom configuration that must be set according to the access logger extension being instantiated.
    * [#extension-category: envoy.access_loggers]
    */
-  'config_type': "typed_config";
+  'config_type'?: "typed_config";
 }

packages/grpc-js-xds/src/generated/envoy/config/accesslog/v3/AccessLogFilter.ts

@@ -131,5 +131,5 @@ export interface AccessLogFilter__Output {
    * Log Type Filter
    */
   'log_type_filter'?: (_envoy_config_accesslog_v3_LogTypeFilter__Output | null);
-  'filter_specifier': "status_code_filter"|"duration_filter"|"not_health_check_filter"|"traceable_filter"|"runtime_filter"|"and_filter"|"or_filter"|"header_filter"|"response_flag_filter"|"grpc_status_filter"|"extension_filter"|"metadata_filter"|"log_type_filter";
+  'filter_specifier'?: "status_code_filter"|"duration_filter"|"not_health_check_filter"|"traceable_filter"|"runtime_filter"|"and_filter"|"or_filter"|"header_filter"|"response_flag_filter"|"grpc_status_filter"|"extension_filter"|"metadata_filter"|"log_type_filter";
 }

packages/grpc-js-xds/src/generated/envoy/config/accesslog/v3/ExtensionFilter.ts

@@ -31,5 +31,5 @@ export interface ExtensionFilter__Output {
   /**
    * Custom configuration that depends on the filter being instantiated.
    */
-  'config_type': "typed_config";
+  'config_type'?: "typed_config";
 }

packages/grpc-js-xds/src/generated/envoy/config/cluster/v3/Cluster.ts

@@ -179,7 +179,7 @@ export interface _envoy_config_cluster_v3_Cluster_CommonLbConfig__Output {
    * set with an empty set of statuses then host overrides will be ignored by the load balancing.
    */
   'override_host_status': (_envoy_config_core_v3_HealthStatusSet__Output | null);
-  'locality_config_specifier': "zone_aware_lb_config"|"locality_weighted_lb_config";
+  'locality_config_specifier'?: "zone_aware_lb_config"|"locality_weighted_lb_config";
 }
 
 /**
@@ -2702,7 +2702,7 @@ export interface Cluster__Output {
    * as the key.
    */
   'lrs_report_endpoint_metrics': (string)[];
-  'cluster_discovery_type': "type"|"cluster_type";
+  'cluster_discovery_type'?: "type"|"cluster_type";
   /**
    * Optional configuration for the load balancing algorithm selected by
    * LbPolicy. Currently only
@@ -2713,5 +2713,5 @@ export interface Cluster__Output {
    * Specifying ring_hash_lb_config or maglev_lb_config or least_request_lb_config without setting the corresponding
    * LbPolicy will generate an error at runtime.
    */
-  'lb_config': "ring_hash_lb_config"|"maglev_lb_config"|"original_dst_lb_config"|"least_request_lb_config"|"round_robin_lb_config";
+  'lb_config'?: "ring_hash_lb_config"|"maglev_lb_config"|"original_dst_lb_config"|"least_request_lb_config"|"round_robin_lb_config";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/Address.ts

@@ -33,5 +33,5 @@ export interface Address__Output {
    * <envoy_v3_api_field_config.listener.v3.Listener.internal_listener>`.
    */
   'envoy_internal_address'?: (_envoy_config_core_v3_EnvoyInternalAddress__Output | null);
-  'address': "socket_address"|"pipe"|"envoy_internal_address";
+  'address'?: "socket_address"|"pipe"|"envoy_internal_address";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/AsyncDataSource.ts

@@ -30,5 +30,5 @@ export interface AsyncDataSource__Output {
    * Remote async data source.
    */
   'remote'?: (_envoy_config_core_v3_RemoteDataSource__Output | null);
-  'specifier': "local"|"remote";
+  'specifier'?: "local"|"remote";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/ConfigSource.ts

@@ -141,5 +141,5 @@ export interface ConfigSource__Output {
    * Local filesystem path configuration source.
    */
   'path_config_source'?: (_envoy_config_core_v3_PathConfigSource__Output | null);
-  'config_source_specifier': "path"|"path_config_source"|"api_config_source"|"ads"|"self";
+  'config_source_specifier'?: "path"|"path_config_source"|"api_config_source"|"ads"|"self";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/DataSource.ts

@@ -81,5 +81,5 @@ export interface DataSource__Output {
    * details.
    */
   'watched_directory': (_envoy_config_core_v3_WatchedDirectory__Output | null);
-  'specifier': "filename"|"inline_bytes"|"inline_string"|"environment_variable";
+  'specifier'?: "filename"|"inline_bytes"|"inline_string"|"environment_variable";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/EnvoyInternalAddress.ts

@@ -36,5 +36,5 @@ export interface EnvoyInternalAddress__Output {
    * example, may be set to the final destination IP for the target internal listener.
    */
   'endpoint_id': (string);
-  'address_name_specifier': "server_listener_name";
+  'address_name_specifier'?: "server_listener_name";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/EventServiceConfig.ts

@@ -23,5 +23,5 @@ export interface EventServiceConfig__Output {
    * Specifies the gRPC service that hosts the event reporting service.
    */
   'grpc_service'?: (_envoy_config_core_v3_GrpcService__Output | null);
-  'config_source_specifier': "grpc_service";
+  'config_source_specifier'?: "grpc_service";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/GrpcService.ts

@@ -95,7 +95,7 @@ export interface _envoy_config_core_v3_GrpcService_GoogleGrpc_CallCredentials__O
    * See https://github.com/grpc/grpc/pull/19587.
    */
   'sts_service'?: (_envoy_config_core_v3_GrpcService_GoogleGrpc_CallCredentials_StsService__Output | null);
-  'credential_specifier': "access_token"|"google_compute_engine"|"google_refresh_token"|"service_account_jwt_access"|"google_iam"|"from_plugin"|"sts_service";
+  'credential_specifier'?: "access_token"|"google_compute_engine"|"google_refresh_token"|"service_account_jwt_access"|"google_iam"|"from_plugin"|"sts_service";
 }
 
 /**
@@ -143,7 +143,7 @@ export interface _envoy_config_core_v3_GrpcService_GoogleGrpc_ChannelCredentials
    */
   'google_default'?: (_google_protobuf_Empty__Output | null);
   'local_credentials'?: (_envoy_config_core_v3_GrpcService_GoogleGrpc_GoogleLocalCredentials__Output | null);
-  'credential_specifier': "ssl_credentials"|"google_default"|"local_credentials";
+  'credential_specifier'?: "ssl_credentials"|"google_default"|"local_credentials";
 }
 
 /**
@@ -361,7 +361,7 @@ export interface _envoy_config_core_v3_GrpcService_GoogleGrpc_CallCredentials_Me
   /**
    * [#extension-category: envoy.grpc_credentials]
    */
-  'config_type': "typed_config";
+  'config_type'?: "typed_config";
 }
 
 export interface _envoy_config_core_v3_GrpcService_GoogleGrpc_CallCredentials_ServiceAccountJWTAccessCredentials {
@@ -535,7 +535,7 @@ export interface _envoy_config_core_v3_GrpcService_GoogleGrpc_ChannelArgs_Value_
    * Pointer values are not supported, since they don't make any sense when
    * delivered via the API.
    */
-  'value_specifier': "string_value"|"int_value";
+  'value_specifier'?: "string_value"|"int_value";
 }
 
 /**
@@ -613,5 +613,5 @@ export interface GrpcService__Output {
    * If an async stream doesn't have retry policy configured in its stream options, this retry policy is used.
    */
   'retry_policy': (_envoy_config_core_v3_RetryPolicy__Output | null);
-  'target_specifier': "envoy_grpc"|"google_grpc";
+  'target_specifier'?: "envoy_grpc"|"google_grpc";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/HealthCheck.ts

@@ -46,7 +46,7 @@ export interface _envoy_config_core_v3_HealthCheck_CustomHealthCheck__Output {
    * being instantiated. See :api:`envoy/config/health_checker` for reference.
    * [#extension-category: envoy.health_checkers]
    */
-  'config_type': "typed_config";
+  'config_type'?: "typed_config";
 }
 
 /**
@@ -316,7 +316,7 @@ export interface _envoy_config_core_v3_HealthCheck_Payload__Output {
    * Binary payload.
    */
   'binary'?: (Buffer);
-  'payload': "text"|"binary";
+  'payload'?: "text"|"binary";
 }
 
 export interface _envoy_config_core_v3_HealthCheck_RedisHealthCheck {
@@ -804,5 +804,5 @@ export interface HealthCheck__Output {
    * The default value is false.
    */
   'always_log_health_check_success': (boolean);
-  'health_checker': "http_health_check"|"tcp_health_check"|"grpc_health_check"|"custom_health_check";
+  'health_checker'?: "http_health_check"|"tcp_health_check"|"grpc_health_check"|"custom_health_check";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/Http1ProtocolOptions.ts

@@ -42,7 +42,7 @@ export interface _envoy_config_core_v3_Http1ProtocolOptions_HeaderKeyFormat__Out
    * [#extension-category: envoy.http.stateful_header_formatters]
    */
   'stateful_formatter'?: (_envoy_config_core_v3_TypedExtensionConfig__Output | null);
-  'header_format': "proper_case_words"|"stateful_formatter";
+  'header_format'?: "proper_case_words"|"stateful_formatter";
 }
 
 export interface _envoy_config_core_v3_Http1ProtocolOptions_HeaderKeyFormat_ProperCaseWords {

packages/grpc-js-xds/src/generated/envoy/config/core/v3/HttpUri.ts

@@ -75,5 +75,5 @@ export interface HttpUri__Output {
    * inline DNS resolution. See `issue
    * <https://github.com/envoyproxy/envoy/issues/1606>`_.
    */
-  'http_upstream_type': "cluster";
+  'http_upstream_type'?: "cluster";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/Node.ts

@@ -174,5 +174,5 @@ export interface Node__Output {
    * parameter then appears in this field during future discovery requests.
    */
   'dynamic_parameters': ({[key: string]: _xds_core_v3_ContextParams__Output});
-  'user_agent_version_type': "user_agent_version"|"user_agent_build_version";
+  'user_agent_version_type'?: "user_agent_version"|"user_agent_build_version";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/RetryPolicy.ts

@@ -20,7 +20,7 @@ export interface _envoy_config_core_v3_RetryPolicy_RetryHostPredicate {
 export interface _envoy_config_core_v3_RetryPolicy_RetryHostPredicate__Output {
   'name': (string);
   'typed_config'?: (_google_protobuf_Any__Output | null);
-  'config_type': "typed_config";
+  'config_type'?: "typed_config";
 }
 
 /**
@@ -38,7 +38,7 @@ export interface _envoy_config_core_v3_RetryPolicy_RetryPriority {
 export interface _envoy_config_core_v3_RetryPolicy_RetryPriority__Output {
   'name': (string);
   'typed_config'?: (_google_protobuf_Any__Output | null);
-  'config_type': "typed_config";
+  'config_type'?: "typed_config";
 }
 
 /**

packages/grpc-js-xds/src/generated/envoy/config/core/v3/SchemeHeaderTransformation.ts

@@ -36,5 +36,5 @@ export interface SchemeHeaderTransformation__Output {
    * If scheme_to_overwrite is set, this field is not used.
    */
   'match_upstream': (boolean);
-  'transformation': "scheme_to_overwrite";
+  'transformation'?: "scheme_to_overwrite";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/SocketAddress.ts

@@ -101,5 +101,5 @@ export interface SocketAddress__Output {
    * IPv6 space as ``::FFFF:<IPv4-address>``.
    */
   'ipv4_compat': (boolean);
-  'port_specifier': "port_value"|"named_port";
+  'port_specifier'?: "port_value"|"named_port";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/SocketOption.ts

@@ -145,5 +145,5 @@ export interface SocketOption__Output {
    * STATE_PREBIND is currently the only valid value.
    */
   'state': (_envoy_config_core_v3_SocketOption_SocketState__Output);
-  'value': "int_value"|"buf_value";
+  'value'?: "int_value"|"buf_value";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/SubstitutionFormatString.ts

@@ -206,5 +206,5 @@ export interface SubstitutionFormatString__Output {
    * If json_format is used, the options will be applied to the output JSON string.
    */
   'json_format_options': (_envoy_config_core_v3_JsonFormatOptions__Output | null);
-  'format': "text_format"|"json_format"|"text_format_source";
+  'format'?: "text_format"|"json_format"|"text_format_source";
 }

packages/grpc-js-xds/src/generated/envoy/config/core/v3/TransportSocket.ts

@@ -39,5 +39,5 @@ export interface TransportSocket__Output {
    * Implementation specific configuration which depends on the implementation being instantiated.
    * See the supported transport socket implementations for further documentation.
    */
-  'config_type': "typed_config";
+  'config_type'?: "typed_config";
 }

packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/LbEndpoint.ts

@@ -86,5 +86,5 @@ export interface LbEndpoint__Output {
   /**
    * Upstream host identifier or a named reference.
    */
-  'host_identifier': "endpoint"|"endpoint_name";
+  'host_identifier'?: "endpoint"|"endpoint_name";
 }

packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/LocalityLbEndpoints.ts

@@ -163,5 +163,5 @@ export interface LocalityLbEndpoints__Output {
   /**
    * [#not-implemented-hide:]
    */
-  'lb_config': "load_balancer_endpoints"|"leds_cluster_locality_config";
+  'lb_config'?: "load_balancer_endpoints"|"leds_cluster_locality_config";
 }

packages/grpc-js-xds/src/generated/envoy/config/listener/v3/Filter.ts

@@ -46,5 +46,5 @@ export interface Filter__Output {
    * listener closes the connections.
    */
   'config_discovery'?: (_envoy_config_core_v3_ExtensionConfigSource__Output | null);
-  'config_type': "typed_config"|"config_discovery";
+  'config_type'?: "typed_config"|"config_discovery";
 }

packages/grpc-js-xds/src/generated/envoy/config/listener/v3/Listener.ts

@@ -47,7 +47,7 @@ export interface _envoy_config_listener_v3_Listener_ConnectionBalanceConfig__Out
    * [#extension-category: envoy.network.connection_balance]
    */
   'extend_balance'?: (_envoy_config_core_v3_TypedExtensionConfig__Output | null);
-  'balance_type': "exact_balance"|"extend_balance";
+  'balance_type'?: "exact_balance"|"extend_balance";
 }
 
 /**
@@ -768,5 +768,5 @@ export interface Listener__Output {
   /**
    * The exclusive listener type and the corresponding config.
    */
-  'listener_specifier': "internal_listener";
+  'listener_specifier'?: "internal_listener";
 }

packages/grpc-js-xds/src/generated/envoy/config/listener/v3/ListenerFilter.ts

@@ -59,5 +59,5 @@ export interface ListenerFilter__Output {
    * listener closes the connections.
    */
   'config_discovery'?: (_envoy_config_core_v3_ExtensionConfigSource__Output | null);
-  'config_type': "typed_config"|"config_discovery";
+  'config_type'?: "typed_config"|"config_discovery";
 }

packages/grpc-js-xds/src/generated/envoy/config/listener/v3/ListenerFilterChainMatchPredicate.ts

@@ -132,5 +132,5 @@ export interface ListenerFilterChainMatchPredicate__Output {
    * the owning listener filter is after :ref:`an original_dst listener filter <config_listener_filters_original_dst>`.
    */
   'destination_port_range'?: (_envoy_type_v3_Int32Range__Output | null);
-  'rule': "or_match"|"and_match"|"not_match"|"any_match"|"destination_port_range";
+  'rule'?: "or_match"|"and_match"|"not_match"|"any_match"|"destination_port_range";
 }

packages/grpc-js-xds/src/generated/envoy/config/rbac/v3/Action.ts

@@ -0,0 +1,63 @@
+// Original file: deps/envoy-api/envoy/config/rbac/v3/rbac.proto
+
+import type { _envoy_config_rbac_v3_RBAC_Action, _envoy_config_rbac_v3_RBAC_Action__Output } from '../../../../envoy/config/rbac/v3/RBAC';
+
+/**
+ * Action defines the result of allowance or denial when a request matches the matcher.
+ */
+export interface Action {
+  /**
+   * The name indicates the policy name.
+   */
+  'name'?: (string);
+  /**
+   * The action to take if the matcher matches. Every action either allows or denies a request,
+   * and can also carry out action-specific operations.
+   * 
+   * Actions:
+   * 
+   * * ``ALLOW``: If the request gets matched on ALLOW, it is permitted.
+   * * ``DENY``: If the request gets matched on DENY, it is not permitted.
+   * * ``LOG``: If the request gets matched on LOG, it is permitted. Besides, the
+   * dynamic metadata key ``access_log_hint`` under the shared key namespace
+   * ``envoy.common`` will be set to the value ``true``.
+   * * If the request cannot get matched, it will fallback to ``DENY``.
+   * 
+   * Log behavior:
+   * 
+   * If the RBAC matcher contains at least one LOG action, the dynamic
+   * metadata key ``access_log_hint`` will be set based on if the request
+   * get matched on the LOG action.
+   */
+  'action'?: (_envoy_config_rbac_v3_RBAC_Action);
+}
+
+/**
+ * Action defines the result of allowance or denial when a request matches the matcher.
+ */
+export interface Action__Output {
+  /**
+   * The name indicates the policy name.
+   */
+  'name': (string);
+  /**
+   * The action to take if the matcher matches. Every action either allows or denies a request,
+   * and can also carry out action-specific operations.
+   * 
+   * Actions:
+   * 
+   * * ``ALLOW``: If the request gets matched on ALLOW, it is permitted.
+   * * ``DENY``: If the request gets matched on DENY, it is not permitted.
+   * * ``LOG``: If the request gets matched on LOG, it is permitted. Besides, the
+   * dynamic metadata key ``access_log_hint`` under the shared key namespace
+   * ``envoy.common`` will be set to the value ``true``.
+   * * If the request cannot get matched, it will fallback to ``DENY``.
+   * 
+   * Log behavior:
+   * 
+   * If the RBAC matcher contains at least one LOG action, the dynamic
+   * metadata key ``access_log_hint`` will be set based on if the request
+   * get matched on the LOG action.
+   */
+  'action': (_envoy_config_rbac_v3_RBAC_Action__Output);
+}

packages/grpc-js-xds/src/generated/envoy/config/rbac/v3/Permission.ts

@@ -0,0 +1,198 @@
+// Original file: deps/envoy-api/envoy/config/rbac/v3/rbac.proto
+
+import type { HeaderMatcher as _envoy_config_route_v3_HeaderMatcher, HeaderMatcher__Output as _envoy_config_route_v3_HeaderMatcher__Output } from '../../../../envoy/config/route/v3/HeaderMatcher';
+import type { CidrRange as _envoy_config_core_v3_CidrRange, CidrRange__Output as _envoy_config_core_v3_CidrRange__Output } from '../../../../envoy/config/core/v3/CidrRange';
+import type { MetadataMatcher as _envoy_type_matcher_v3_MetadataMatcher, MetadataMatcher__Output as _envoy_type_matcher_v3_MetadataMatcher__Output } from '../../../../envoy/type/matcher/v3/MetadataMatcher';
+import type { Permission as _envoy_config_rbac_v3_Permission, Permission__Output as _envoy_config_rbac_v3_Permission__Output } from '../../../../envoy/config/rbac/v3/Permission';
+import type { StringMatcher as _envoy_type_matcher_v3_StringMatcher, StringMatcher__Output as _envoy_type_matcher_v3_StringMatcher__Output } from '../../../../envoy/type/matcher/v3/StringMatcher';
+import type { PathMatcher as _envoy_type_matcher_v3_PathMatcher, PathMatcher__Output as _envoy_type_matcher_v3_PathMatcher__Output } from '../../../../envoy/type/matcher/v3/PathMatcher';
+import type { Int32Range as _envoy_type_v3_Int32Range, Int32Range__Output as _envoy_type_v3_Int32Range__Output } from '../../../../envoy/type/v3/Int32Range';
+import type { TypedExtensionConfig as _envoy_config_core_v3_TypedExtensionConfig, TypedExtensionConfig__Output as _envoy_config_core_v3_TypedExtensionConfig__Output } from '../../../../envoy/config/core/v3/TypedExtensionConfig';
+
+/**
+ * Used in the ``and_rules`` and ``or_rules`` fields in the ``rule`` oneof. Depending on the context,
+ * each are applied with the associated behavior.
+ */
+export interface _envoy_config_rbac_v3_Permission_Set {
+  'rules'?: (_envoy_config_rbac_v3_Permission)[];
+}
+
+/**
+ * Used in the ``and_rules`` and ``or_rules`` fields in the ``rule`` oneof. Depending on the context,
+ * each are applied with the associated behavior.
+ */
+export interface _envoy_config_rbac_v3_Permission_Set__Output {
+  'rules': (_envoy_config_rbac_v3_Permission__Output)[];
+}
+
+/**
+ * Permission defines an action (or actions) that a principal can take.
+ * [#next-free-field: 14]
+ */
+export interface Permission {
+  /**
+   * A set of rules that all must match in order to define the action.
+   */
+  'and_rules'?: (_envoy_config_rbac_v3_Permission_Set | null);
+  /**
+   * A set of rules where at least one must match in order to define the action.
+   */
+  'or_rules'?: (_envoy_config_rbac_v3_Permission_Set | null);
+  /**
+   * When any is set, it matches any action.
+   */
+  'any'?: (boolean);
+  /**
+   * A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
+   * available for HTTP request.
+   * Note: the pseudo-header :path includes the query and fragment string. Use the ``url_path``
+   * field if you want to match the URL path without the query and fragment string.
+   */
+  'header'?: (_envoy_config_route_v3_HeaderMatcher | null);
+  /**
+   * A CIDR block that describes the destination IP.
+   */
+  'destination_ip'?: (_envoy_config_core_v3_CidrRange | null);
+  /**
+   * A port number that describes the destination port connecting to.
+   */
+  'destination_port'?: (number);
+  /**
+   * Metadata that describes additional information about the action.
+   */
+  'metadata'?: (_envoy_type_matcher_v3_MetadataMatcher | null);
+  /**
+   * Negates matching the provided permission. For instance, if the value of
+   * ``not_rule`` would match, this permission would not match. Conversely, if
+   * the value of ``not_rule`` would not match, this permission would match.
+   */
+  'not_rule'?: (_envoy_config_rbac_v3_Permission | null);
+  /**
+   * The request server from the client's connection request. This is
+   * typically TLS SNI.
+   * 
+   * .. attention::
+   * 
+   * The behavior of this field may be affected by how Envoy is configured
+   * as explained below.
+   * 
+   * * If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
+   * filter is not added, and if a ``FilterChainMatch`` is not defined for
+   * the :ref:`server name
+   * <envoy_v3_api_field_config.listener.v3.FilterChainMatch.server_names>`,
+   * a TLS connection's requested SNI server name will be treated as if it
+   * wasn't present.
+   * 
+   * * A :ref:`listener filter <arch_overview_listener_filters>` may
+   * overwrite a connection's requested server name within Envoy.
+   * 
+   * Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to
+   * setup SNI.
+   */
+  'requested_server_name'?: (_envoy_type_matcher_v3_StringMatcher | null);
+  /**
+   * A URL path on the incoming HTTP request. Only available for HTTP.
+   */
+  'url_path'?: (_envoy_type_matcher_v3_PathMatcher | null);
+  /**
+   * A port number range that describes a range of destination ports connecting to.
+   */
+  'destination_port_range'?: (_envoy_type_v3_Int32Range | null);
+  /**
+   * Extension for configuring custom matchers for RBAC.
+   * [#extension-category: envoy.rbac.matchers]
+   */
+  'matcher'?: (_envoy_config_core_v3_TypedExtensionConfig | null);
+  /**
+   * URI template path matching.
+   * [#extension-category: envoy.path.match]
+   */
+  'uri_template'?: (_envoy_config_core_v3_TypedExtensionConfig | null);
+  'rule'?: "and_rules"|"or_rules"|"any"|"header"|"url_path"|"destination_ip"|"destination_port"|"destination_port_range"|"metadata"|"not_rule"|"requested_server_name"|"matcher"|"uri_template";
+}
+
+/**
+ * Permission defines an action (or actions) that a principal can take.
+ * [#next-free-field: 14]
+ */
+export interface Permission__Output {
+  /**
+   * A set of rules that all must match in order to define the action.
+   */
+  'and_rules'?: (_envoy_config_rbac_v3_Permission_Set__Output | null);
+  /**
+   * A set of rules where at least one must match in order to define the action.
+   */
+  'or_rules'?: (_envoy_config_rbac_v3_Permission_Set__Output | null);
+  /**
+   * When any is set, it matches any action.
+   */
+  'any'?: (boolean);
+  /**
+   * A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
+   * available for HTTP request.
+   * Note: the pseudo-header :path includes the query and fragment string. Use the ``url_path``
+   * field if you want to match the URL path without the query and fragment string.
+   */
+  'header'?: (_envoy_config_route_v3_HeaderMatcher__Output | null);
+  /**
+   * A CIDR block that describes the destination IP.
+   */
+  'destination_ip'?: (_envoy_config_core_v3_CidrRange__Output | null);
+  /**
+   * A port number that describes the destination port connecting to.
+   */
+  'destination_port'?: (number);
+  /**
+   * Metadata that describes additional information about the action.
+   */
+  'metadata'?: (_envoy_type_matcher_v3_MetadataMatcher__Output | null);
+  /**
+   * Negates matching the provided permission. For instance, if the value of
+   * ``not_rule`` would match, this permission would not match. Conversely, if
+   * the value of ``not_rule`` would not match, this permission would match.
+   */
+  'not_rule'?: (_envoy_config_rbac_v3_Permission__Output | null);
+  /**
+   * The request server from the client's connection request. This is
+   * typically TLS SNI.
+   * 
+   * .. attention::
+   * 
+   * The behavior of this field may be affected by how Envoy is configured
+   * as explained below.
+   * 
+   * * If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
+   * filter is not added, and if a ``FilterChainMatch`` is not defined for
+   * the :ref:`server name
+   * <envoy_v3_api_field_config.listener.v3.FilterChainMatch.server_names>`,
+   * a TLS connection's requested SNI server name will be treated as if it
+   * wasn't present.
+   * 
+   * * A :ref:`listener filter <arch_overview_listener_filters>` may
+   * overwrite a connection's requested server name within Envoy.
+   * 
+   * Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to
+   * setup SNI.
+   */
+  'requested_server_name'?: (_envoy_type_matcher_v3_StringMatcher__Output | null);
+  /**
+   * A URL path on the incoming HTTP request. Only available for HTTP.
+   */
+  'url_path'?: (_envoy_type_matcher_v3_PathMatcher__Output | null);
+  /**
+   * A port number range that describes a range of destination ports connecting to.
+   */
+  'destination_port_range'?: (_envoy_type_v3_Int32Range__Output | null);
+  /**
+   * Extension for configuring custom matchers for RBAC.
+   * [#extension-category: envoy.rbac.matchers]
+   */
+  'matcher'?: (_envoy_config_core_v3_TypedExtensionConfig__Output | null);
+  /**
+   * URI template path matching.
+   * [#extension-category: envoy.path.match]
+   */
+  'uri_template'?: (_envoy_config_core_v3_TypedExtensionConfig__Output | null);
+  'rule'?: "and_rules"|"or_rules"|"any"|"header"|"url_path"|"destination_ip"|"destination_port"|"destination_port_range"|"metadata"|"not_rule"|"requested_server_name"|"matcher"|"uri_template";
+}

packages/grpc-js-xds/src/generated/envoy/config/rbac/v3/Policy.ts

@@ -0,0 +1,76 @@
+// Original file: deps/envoy-api/envoy/config/rbac/v3/rbac.proto
+
+import type { Permission as _envoy_config_rbac_v3_Permission, Permission__Output as _envoy_config_rbac_v3_Permission__Output } from '../../../../envoy/config/rbac/v3/Permission';
+import type { Principal as _envoy_config_rbac_v3_Principal, Principal__Output as _envoy_config_rbac_v3_Principal__Output } from '../../../../envoy/config/rbac/v3/Principal';
+import type { Expr as _google_api_expr_v1alpha1_Expr, Expr__Output as _google_api_expr_v1alpha1_Expr__Output } from '../../../../google/api/expr/v1alpha1/Expr';
+import type { CheckedExpr as _google_api_expr_v1alpha1_CheckedExpr, CheckedExpr__Output as _google_api_expr_v1alpha1_CheckedExpr__Output } from '../../../../google/api/expr/v1alpha1/CheckedExpr';
+
+/**
+ * Policy specifies a role and the principals that are assigned/denied the role.
+ * A policy matches if and only if at least one of its permissions match the
+ * action taking place AND at least one of its principals match the downstream
+ * AND the condition is true if specified.
+ */
+export interface Policy {
+  /**
+   * Required. The set of permissions that define a role. Each permission is
+   * matched with OR semantics. To match all actions for this policy, a single
+   * Permission with the ``any`` field set to true should be used.
+   */
+  'permissions'?: (_envoy_config_rbac_v3_Permission)[];
+  /**
+   * Required. The set of principals that are assigned/denied the role based on
+   * “action”. Each principal is matched with OR semantics. To match all
+   * downstreams for this policy, a single Principal with the ``any`` field set to
+   * true should be used.
+   */
+  'principals'?: (_envoy_config_rbac_v3_Principal)[];
+  /**
+   * An optional symbolic expression specifying an access control
+   * :ref:`condition <arch_overview_condition>`. The condition is combined
+   * with the permissions and the principals as a clause with AND semantics.
+   * Only be used when checked_condition is not used.
+   */
+  'condition'?: (_google_api_expr_v1alpha1_Expr | null);
+  /**
+   * [#not-implemented-hide:]
+   * An optional symbolic expression that has been successfully type checked.
+   * Only be used when condition is not used.
+   */
+  'checked_condition'?: (_google_api_expr_v1alpha1_CheckedExpr | null);
+}
+
+/**
+ * Policy specifies a role and the principals that are assigned/denied the role.
+ * A policy matches if and only if at least one of its permissions match the
+ * action taking place AND at least one of its principals match the downstream
+ * AND the condition is true if specified.
+ */
+export interface Policy__Output {
+  /**
+   * Required. The set of permissions that define a role. Each permission is
+   * matched with OR semantics. To match all actions for this policy, a single
+   * Permission with the ``any`` field set to true should be used.
+   */
+  'permissions': (_envoy_config_rbac_v3_Permission__Output)[];
+  /**
+   * Required. The set of principals that are assigned/denied the role based on
+   * “action”. Each principal is matched with OR semantics. To match all
+   * downstreams for this policy, a single Principal with the ``any`` field set to
+   * true should be used.
+   */
+  'principals': (_envoy_config_rbac_v3_Principal__Output)[];
+  /**
+   * An optional symbolic expression specifying an access control
+   * :ref:`condition <arch_overview_condition>`. The condition is combined
+   * with the permissions and the principals as a clause with AND semantics.
+   * Only be used when checked_condition is not used.
+   */
+  'condition': (_google_api_expr_v1alpha1_Expr__Output | null);
+  /**
+   * [#not-implemented-hide:]
+   * An optional symbolic expression that has been successfully type checked.
+   * Only be used when condition is not used.
+   */
+  'checked_condition': (_google_api_expr_v1alpha1_CheckedExpr__Output | null);
+}

packages/grpc-js-xds/src/generated/envoy/config/rbac/v3/Principal.ts

@@ -0,0 +1,209 @@
+// Original file: deps/envoy-api/envoy/config/rbac/v3/rbac.proto
+
+import type { CidrRange as _envoy_config_core_v3_CidrRange, CidrRange__Output as _envoy_config_core_v3_CidrRange__Output } from '../../../../envoy/config/core/v3/CidrRange';
+import type { HeaderMatcher as _envoy_config_route_v3_HeaderMatcher, HeaderMatcher__Output as _envoy_config_route_v3_HeaderMatcher__Output } from '../../../../envoy/config/route/v3/HeaderMatcher';
+import type { MetadataMatcher as _envoy_type_matcher_v3_MetadataMatcher, MetadataMatcher__Output as _envoy_type_matcher_v3_MetadataMatcher__Output } from '../../../../envoy/type/matcher/v3/MetadataMatcher';
+import type { Principal as _envoy_config_rbac_v3_Principal, Principal__Output as _envoy_config_rbac_v3_Principal__Output } from '../../../../envoy/config/rbac/v3/Principal';
+import type { PathMatcher as _envoy_type_matcher_v3_PathMatcher, PathMatcher__Output as _envoy_type_matcher_v3_PathMatcher__Output } from '../../../../envoy/type/matcher/v3/PathMatcher';
+import type { FilterStateMatcher as _envoy_type_matcher_v3_FilterStateMatcher, FilterStateMatcher__Output as _envoy_type_matcher_v3_FilterStateMatcher__Output } from '../../../../envoy/type/matcher/v3/FilterStateMatcher';
+import type { StringMatcher as _envoy_type_matcher_v3_StringMatcher, StringMatcher__Output as _envoy_type_matcher_v3_StringMatcher__Output } from '../../../../envoy/type/matcher/v3/StringMatcher';
+
+/**
+ * Authentication attributes for a downstream.
+ */
+export interface _envoy_config_rbac_v3_Principal_Authenticated {
+  /**
+   * The name of the principal. If set, The URI SAN or DNS SAN in that order
+   * is used from the certificate, otherwise the subject field is used. If
+   * unset, it applies to any user that is authenticated.
+   */
+  'principal_name'?: (_envoy_type_matcher_v3_StringMatcher | null);
+}
+
+/**
+ * Authentication attributes for a downstream.
+ */
+export interface _envoy_config_rbac_v3_Principal_Authenticated__Output {
+  /**
+   * The name of the principal. If set, The URI SAN or DNS SAN in that order
+   * is used from the certificate, otherwise the subject field is used. If
+   * unset, it applies to any user that is authenticated.
+   */
+  'principal_name': (_envoy_type_matcher_v3_StringMatcher__Output | null);
+}
+
+/**
+ * Used in the ``and_ids`` and ``or_ids`` fields in the ``identifier`` oneof.
+ * Depending on the context, each are applied with the associated behavior.
+ */
+export interface _envoy_config_rbac_v3_Principal_Set {
+  'ids'?: (_envoy_config_rbac_v3_Principal)[];
+}
+
+/**
+ * Used in the ``and_ids`` and ``or_ids`` fields in the ``identifier`` oneof.
+ * Depending on the context, each are applied with the associated behavior.
+ */
+export interface _envoy_config_rbac_v3_Principal_Set__Output {
+  'ids': (_envoy_config_rbac_v3_Principal__Output)[];
+}
+
+/**
+ * Principal defines an identity or a group of identities for a downstream
+ * subject.
+ * [#next-free-field: 13]
+ */
+export interface Principal {
+  /**
+   * A set of identifiers that all must match in order to define the
+   * downstream.
+   */
+  'and_ids'?: (_envoy_config_rbac_v3_Principal_Set | null);
+  /**
+   * A set of identifiers at least one must match in order to define the
+   * downstream.
+   */
+  'or_ids'?: (_envoy_config_rbac_v3_Principal_Set | null);
+  /**
+   * When any is set, it matches any downstream.
+   */
+  'any'?: (boolean);
+  /**
+   * Authenticated attributes that identify the downstream.
+   */
+  'authenticated'?: (_envoy_config_rbac_v3_Principal_Authenticated | null);
+  /**
+   * A CIDR block that describes the downstream IP.
+   * This address will honor proxy protocol, but will not honor XFF.
+   * 
+   * This field is deprecated; either use :ref:`remote_ip
+   * <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>` for the same
+   * behavior, or use
+   * :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`.
+   * @deprecated
+   */
+  'source_ip'?: (_envoy_config_core_v3_CidrRange | null);
+  /**
+   * A header (or pseudo-header such as :path or :method) on the incoming HTTP
+   * request. Only available for HTTP request. Note: the pseudo-header :path
+   * includes the query and fragment string. Use the ``url_path`` field if you
+   * want to match the URL path without the query and fragment string.
+   */
+  'header'?: (_envoy_config_route_v3_HeaderMatcher | null);
+  /**
+   * Metadata that describes additional information about the principal.
+   */
+  'metadata'?: (_envoy_type_matcher_v3_MetadataMatcher | null);
+  /**
+   * Negates matching the provided principal. For instance, if the value of
+   * ``not_id`` would match, this principal would not match. Conversely, if the
+   * value of ``not_id`` would not match, this principal would match.
+   */
+  'not_id'?: (_envoy_config_rbac_v3_Principal | null);
+  /**
+   * A URL path on the incoming HTTP request. Only available for HTTP.
+   */
+  'url_path'?: (_envoy_type_matcher_v3_PathMatcher | null);
+  /**
+   * A CIDR block that describes the downstream remote/origin address.
+   * Note: This is always the physical peer even if the
+   * :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>` is
+   * inferred from for example the x-forwarder-for header, proxy protocol,
+   * etc.
+   */
+  'direct_remote_ip'?: (_envoy_config_core_v3_CidrRange | null);
+  /**
+   * A CIDR block that describes the downstream remote/origin address.
+   * Note: This may not be the physical peer and could be different from the
+   * :ref:`direct_remote_ip
+   * <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`. E.g, if the
+   * remote ip is inferred from for example the x-forwarder-for header, proxy
+   * protocol, etc.
+   */
+  'remote_ip'?: (_envoy_config_core_v3_CidrRange | null);
+  /**
+   * Identifies the principal using a filter state object.
+   */
+  'filter_state'?: (_envoy_type_matcher_v3_FilterStateMatcher | null);
+  'identifier'?: "and_ids"|"or_ids"|"any"|"authenticated"|"source_ip"|"direct_remote_ip"|"remote_ip"|"header"|"url_path"|"metadata"|"filter_state"|"not_id";
+}
+
+/**
+ * Principal defines an identity or a group of identities for a downstream
+ * subject.
+ * [#next-free-field: 13]
+ */
+export interface Principal__Output {
+  /**
+   * A set of identifiers that all must match in order to define the
+   * downstream.
+   */
+  'and_ids'?: (_envoy_config_rbac_v3_Principal_Set__Output | null);
+  /**
+   * A set of identifiers at least one must match in order to define the
+   * downstream.
+   */
+  'or_ids'?: (_envoy_config_rbac_v3_Principal_Set__Output | null);
+  /**
+   * When any is set, it matches any downstream.
+   */
+  'any'?: (boolean);
+  /**
+   * Authenticated attributes that identify the downstream.
+   */
+  'authenticated'?: (_envoy_config_rbac_v3_Principal_Authenticated__Output | null);
+  /**
+   * A CIDR block that describes the downstream IP.
+   * This address will honor proxy protocol, but will not honor XFF.
+   * 
+   * This field is deprecated; either use :ref:`remote_ip
+   * <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>` for the same
+   * behavior, or use
+   * :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`.
+   * @deprecated
+   */
+  'source_ip'?: (_envoy_config_core_v3_CidrRange__Output | null);
+  /**
+   * A header (or pseudo-header such as :path or :method) on the incoming HTTP
+   * request. Only available for HTTP request. Note: the pseudo-header :path
+   * includes the query and fragment string. Use the ``url_path`` field if you
+   * want to match the URL path without the query and fragment string.
+   */
+  'header'?: (_envoy_config_route_v3_HeaderMatcher__Output | null);
+  /**
+   * Metadata that describes additional information about the principal.
+   */
+  'metadata'?: (_envoy_type_matcher_v3_MetadataMatcher__Output | null);
+  /**
+   * Negates matching the provided principal. For instance, if the value of
+   * ``not_id`` would match, this principal would not match. Conversely, if the
+   * value of ``not_id`` would not match, this principal would match.
+   */
+  'not_id'?: (_envoy_config_rbac_v3_Principal__Output | null);
+  /**
+   * A URL path on the incoming HTTP request. Only available for HTTP.
+   */
+  'url_path'?: (_envoy_type_matcher_v3_PathMatcher__Output | null);
+  /**
+   * A CIDR block that describes the downstream remote/origin address.
+   * Note: This is always the physical peer even if the
+   * :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>` is
+   * inferred from for example the x-forwarder-for header, proxy protocol,
+   * etc.
+   */
+  'direct_remote_ip'?: (_envoy_config_core_v3_CidrRange__Output | null);
+  /**
+   * A CIDR block that describes the downstream remote/origin address.
+   * Note: This may not be the physical peer and could be different from the
+   * :ref:`direct_remote_ip
+   * <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`. E.g, if the
+   * remote ip is inferred from for example the x-forwarder-for header, proxy
+   * protocol, etc.
+   */
+  'remote_ip'?: (_envoy_config_core_v3_CidrRange__Output | null);
+  /**
+   * Identifies the principal using a filter state object.
+   */
+  'filter_state'?: (_envoy_type_matcher_v3_FilterStateMatcher__Output | null);
+  'identifier'?: "and_ids"|"or_ids"|"any"|"authenticated"|"source_ip"|"direct_remote_ip"|"remote_ip"|"header"|"url_path"|"metadata"|"filter_state"|"not_id";
+}

packages/grpc-js-xds/src/generated/envoy/config/rbac/v3/RBAC.ts

@@ -0,0 +1,335 @@
+// Original file: deps/envoy-api/envoy/config/rbac/v3/rbac.proto
+
+import type { Policy as _envoy_config_rbac_v3_Policy, Policy__Output as _envoy_config_rbac_v3_Policy__Output } from '../../../../envoy/config/rbac/v3/Policy';
+import type { TypedExtensionConfig as _envoy_config_core_v3_TypedExtensionConfig, TypedExtensionConfig__Output as _envoy_config_core_v3_TypedExtensionConfig__Output } from '../../../../envoy/config/core/v3/TypedExtensionConfig';
+
+// Original file: deps/envoy-api/envoy/config/rbac/v3/rbac.proto
+
+/**
+ * Should we do safe-list or block-list style access control?
+ */
+export const _envoy_config_rbac_v3_RBAC_Action = {
+  /**
+   * The policies grant access to principals. The rest are denied. This is safe-list style
+   * access control. This is the default type.
+   */
+  ALLOW: 'ALLOW',
+  /**
+   * The policies deny access to principals. The rest are allowed. This is block-list style
+   * access control.
+   */
+  DENY: 'DENY',
+  /**
+   * The policies set the ``access_log_hint`` dynamic metadata key based on if requests match.
+   * All requests are allowed.
+   */
+  LOG: 'LOG',
+} as const;
+
+/**
+ * Should we do safe-list or block-list style access control?
+ */
+export type _envoy_config_rbac_v3_RBAC_Action =
+  /**
+   * The policies grant access to principals. The rest are denied. This is safe-list style
+   * access control. This is the default type.
+   */
+  | 'ALLOW'
+  | 0
+  /**
+   * The policies deny access to principals. The rest are allowed. This is block-list style
+   * access control.
+   */
+  | 'DENY'
+  | 1
+  /**
+   * The policies set the ``access_log_hint`` dynamic metadata key based on if requests match.
+   * All requests are allowed.
+   */
+  | 'LOG'
+  | 2
+
+/**
+ * Should we do safe-list or block-list style access control?
+ */
+export type _envoy_config_rbac_v3_RBAC_Action__Output = typeof _envoy_config_rbac_v3_RBAC_Action[keyof typeof _envoy_config_rbac_v3_RBAC_Action]
+
+// Original file: deps/envoy-api/envoy/config/rbac/v3/rbac.proto
+
+/**
+ * Deny and allow here refer to RBAC decisions, not actions.
+ */
+export const _envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditCondition = {
+  /**
+   * Never audit.
+   */
+  NONE: 'NONE',
+  /**
+   * Audit when RBAC denies the request.
+   */
+  ON_DENY: 'ON_DENY',
+  /**
+   * Audit when RBAC allows the request.
+   */
+  ON_ALLOW: 'ON_ALLOW',
+  /**
+   * Audit whether RBAC allows or denies the request.
+   */
+  ON_DENY_AND_ALLOW: 'ON_DENY_AND_ALLOW',
+} as const;
+
+/**
+ * Deny and allow here refer to RBAC decisions, not actions.
+ */
+export type _envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditCondition =
+  /**
+   * Never audit.
+   */
+  | 'NONE'
+  | 0
+  /**
+   * Audit when RBAC denies the request.
+   */
+  | 'ON_DENY'
+  | 1
+  /**
+   * Audit when RBAC allows the request.
+   */
+  | 'ON_ALLOW'
+  | 2
+  /**
+   * Audit whether RBAC allows or denies the request.
+   */
+  | 'ON_DENY_AND_ALLOW'
+  | 3
+
+/**
+ * Deny and allow here refer to RBAC decisions, not actions.
+ */
+export type _envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditCondition__Output = typeof _envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditCondition[keyof typeof _envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditCondition]
+
+/**
+ * [#not-implemented-hide:]
+ */
+export interface _envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig {
+  /**
+   * Typed logger configuration.
+   * 
+   * [#extension-category: envoy.rbac.audit_loggers]
+   */
+  'audit_logger'?: (_envoy_config_core_v3_TypedExtensionConfig | null);
+  /**
+   * If true, when the logger is not supported, the data plane will not NACK but simply ignore it.
+   */
+  'is_optional'?: (boolean);
+}
+
+/**
+ * [#not-implemented-hide:]
+ */
+export interface _envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig__Output {
+  /**
+   * Typed logger configuration.
+   * 
+   * [#extension-category: envoy.rbac.audit_loggers]
+   */
+  'audit_logger': (_envoy_config_core_v3_TypedExtensionConfig__Output | null);
+  /**
+   * If true, when the logger is not supported, the data plane will not NACK but simply ignore it.
+   */
+  'is_optional': (boolean);
+}
+
+export interface _envoy_config_rbac_v3_RBAC_AuditLoggingOptions {
+  /**
+   * Condition for the audit logging to happen.
+   * If this condition is met, all the audit loggers configured here will be invoked.
+   * 
+   * [#not-implemented-hide:]
+   */
+  'audit_condition'?: (_envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditCondition);
+  /**
+   * Configurations for RBAC-based authorization audit loggers.
+   * 
+   * [#not-implemented-hide:]
+   */
+  'logger_configs'?: (_envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig)[];
+}
+
+export interface _envoy_config_rbac_v3_RBAC_AuditLoggingOptions__Output {
+  /**
+   * Condition for the audit logging to happen.
+   * If this condition is met, all the audit loggers configured here will be invoked.
+   * 
+   * [#not-implemented-hide:]
+   */
+  'audit_condition': (_envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditCondition__Output);
+  /**
+   * Configurations for RBAC-based authorization audit loggers.
+   * 
+   * [#not-implemented-hide:]
+   */
+  'logger_configs': (_envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig__Output)[];
+}
+
+/**
+ * Role Based Access Control (RBAC) provides service-level and method-level access control for a
+ * service. Requests are allowed or denied based on the ``action`` and whether a matching policy is
+ * found. For instance, if the action is ALLOW and a matching policy is found the request should be
+ * allowed.
+ * 
+ * RBAC can also be used to make access logging decisions by communicating with access loggers
+ * through dynamic metadata. When the action is LOG and at least one policy matches, the
+ * ``access_log_hint`` value in the shared key namespace 'envoy.common' is set to ``true`` indicating
+ * the request should be logged.
+ * 
+ * Here is an example of RBAC configuration. It has two policies:
+ * 
+ * * Service account ``cluster.local/ns/default/sa/admin`` has full access to the service, and so
+ * does "cluster.local/ns/default/sa/superuser".
+ * 
+ * * Any user can read (``GET``) the service at paths with prefix ``/products``, so long as the
+ * destination port is either 80 or 443.
+ * 
+ * .. code-block:: yaml
+ * 
+ * action: ALLOW
+ * policies:
+ * "service-admin":
+ * permissions:
+ * - any: true
+ * principals:
+ * - authenticated:
+ * principal_name:
+ * exact: "cluster.local/ns/default/sa/admin"
+ * - authenticated:
+ * principal_name:
+ * exact: "cluster.local/ns/default/sa/superuser"
+ * "product-viewer":
+ * permissions:
+ * - and_rules:
+ * rules:
+ * - header:
+ * name: ":method"
+ * string_match:
+ * exact: "GET"
+ * - url_path:
+ * path: { prefix: "/products" }
+ * - or_rules:
+ * rules:
+ * - destination_port: 80
+ * - destination_port: 443
+ * principals:
+ * - any: true
+ */
+export interface RBAC {
+  /**
+   * The action to take if a policy matches. Every action either allows or denies a request,
+   * and can also carry out action-specific operations.
+   * 
+   * Actions:
+   * 
+   * * ``ALLOW``: Allows the request if and only if there is a policy that matches
+   * the request.
+   * * ``DENY``: Allows the request if and only if there are no policies that
+   * match the request.
+   * * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
+   * metadata key ``access_log_hint`` is set to the value ``true`` under the shared
+   * key namespace ``envoy.common``. If no policies match, it is set to ``false``.
+   * Other actions do not modify this key.
+   */
+  'action'?: (_envoy_config_rbac_v3_RBAC_Action);
+  /**
+   * Maps from policy name to policy. A match occurs when at least one policy matches the request.
+   * The policies are evaluated in lexicographic order of the policy name.
+   */
+  'policies'?: ({[key: string]: _envoy_config_rbac_v3_Policy});
+  /**
+   * Audit logging options that include the condition for audit logging to happen
+   * and audit logger configurations.
+   * 
+   * [#not-implemented-hide:]
+   */
+  'audit_logging_options'?: (_envoy_config_rbac_v3_RBAC_AuditLoggingOptions | null);
+}
+
+/**
+ * Role Based Access Control (RBAC) provides service-level and method-level access control for a
+ * service. Requests are allowed or denied based on the ``action`` and whether a matching policy is
+ * found. For instance, if the action is ALLOW and a matching policy is found the request should be
+ * allowed.
+ * 
+ * RBAC can also be used to make access logging decisions by communicating with access loggers
+ * through dynamic metadata. When the action is LOG and at least one policy matches, the
+ * ``access_log_hint`` value in the shared key namespace 'envoy.common' is set to ``true`` indicating
+ * the request should be logged.
+ * 
+ * Here is an example of RBAC configuration. It has two policies:
+ * 
+ * * Service account ``cluster.local/ns/default/sa/admin`` has full access to the service, and so
+ * does "cluster.local/ns/default/sa/superuser".
+ * 
+ * * Any user can read (``GET``) the service at paths with prefix ``/products``, so long as the
+ * destination port is either 80 or 443.
+ * 
+ * .. code-block:: yaml
+ * 
+ * action: ALLOW
+ * policies:
+ * "service-admin":
+ * permissions:
+ * - any: true
+ * principals:
+ * - authenticated:
+ * principal_name:
+ * exact: "cluster.local/ns/default/sa/admin"
+ * - authenticated:
+ * principal_name:
+ * exact: "cluster.local/ns/default/sa/superuser"
+ * "product-viewer":
+ * permissions:
+ * - and_rules:
+ * rules:
+ * - header:
+ * name: ":method"
+ * string_match:
+ * exact: "GET"
+ * - url_path:
+ * path: { prefix: "/products" }
+ * - or_rules:
+ * rules:
+ * - destination_port: 80
+ * - destination_port: 443
+ * principals:
+ * - any: true
+ */
+export interface RBAC__Output {
+  /**
+   * The action to take if a policy matches. Every action either allows or denies a request,
+   * and can also carry out action-specific operations.
+   * 
+   * Actions:
+   * 
+   * * ``ALLOW``: Allows the request if and only if there is a policy that matches
+   * the request.
+   * * ``DENY``: Allows the request if and only if there are no policies that
+   * match the request.
+   * * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
+   * metadata key ``access_log_hint`` is set to the value ``true`` under the shared
+   * key namespace ``envoy.common``. If no policies match, it is set to ``false``.
+   * Other actions do not modify this key.
+   */
+  'action': (_envoy_config_rbac_v3_RBAC_Action__Output);
+  /**
+   * Maps from policy name to policy. A match occurs when at least one policy matches the request.
+   * The policies are evaluated in lexicographic order of the policy name.
+   */
+  'policies': ({[key: string]: _envoy_config_rbac_v3_Policy__Output});
+  /**
+   * Audit logging options that include the condition for audit logging to happen
+   * and audit logger configurations.
+   * 
+   * [#not-implemented-hide:]
+   */
+  'audit_logging_options': (_envoy_config_rbac_v3_RBAC_AuditLoggingOptions__Output | null);
+}

packages/grpc-js-xds/src/generated/envoy/config/route/v3/CorsPolicy.ts

@@ -149,5 +149,5 @@ export interface CorsPolicy__Output {
    * to the upstream. Default is true.
    */
   'forward_not_matching_preflights': (_google_protobuf_BoolValue__Output | null);
-  'enabled_specifier': "filter_enabled";
+  'enabled_specifier'?: "filter_enabled";
 }

packages/grpc-js-xds/src/generated/envoy/config/route/v3/HeaderMatcher.ts

@@ -299,5 +299,5 @@ export interface HeaderMatcher__Output {
   /**
    * Specifies how the header match will be performed to route the request.
    */
-  'header_match_specifier': "exact_match"|"safe_regex_match"|"range_match"|"present_match"|"prefix_match"|"suffix_match"|"contains_match"|"string_match";
+  'header_match_specifier'?: "exact_match"|"safe_regex_match"|"range_match"|"present_match"|"prefix_match"|"suffix_match"|"contains_match"|"string_match";
 }

packages/grpc-js-xds/src/generated/envoy/config/route/v3/QueryParameterMatcher.ts

@@ -43,5 +43,5 @@ export interface QueryParameterMatcher__Output {
    * Specifies whether a query parameter should be present.
    */
   'present_match'?: (boolean);
-  'query_parameter_match_specifier': "string_match"|"present_match";
+  'query_parameter_match_specifier'?: "string_match"|"present_match";
 }

packages/grpc-js-xds/src/generated/envoy/config/route/v3/RateLimit.ts

@@ -128,7 +128,7 @@ export interface _envoy_config_route_v3_RateLimit_Action__Output {
    * Rate limit on the existence of query parameters.
    */
   'query_parameter_value_match'?: (_envoy_config_route_v3_RateLimit_Action_QueryParameterValueMatch__Output | null);
-  'action_specifier': "source_cluster"|"destination_cluster"|"request_headers"|"remote_address"|"generic_key"|"header_value_match"|"dynamic_metadata"|"metadata"|"extension"|"masked_remote_address"|"query_parameter_value_match";
+  'action_specifier'?: "source_cluster"|"destination_cluster"|"request_headers"|"remote_address"|"generic_key"|"header_value_match"|"dynamic_metadata"|"metadata"|"extension"|"masked_remote_address"|"query_parameter_value_match";
 }
 
 /**
@@ -498,7 +498,7 @@ export interface _envoy_config_route_v3_RateLimit_Override__Output {
    * Limit override from dynamic metadata.
    */
   'dynamic_metadata'?: (_envoy_config_route_v3_RateLimit_Override_DynamicMetadata__Output | null);
-  'override_specifier': "dynamic_metadata";
+  'override_specifier'?: "dynamic_metadata";
 }
 
 /**

packages/grpc-js-xds/src/generated/envoy/config/route/v3/RedirectAction.ts

@@ -246,6 +246,6 @@ export interface RedirectAction__Output {
    * 2. If the source URI scheme is ``https`` and the port is explicitly
    * set to ``:443``, the port will be removed after the redirection
    */
-  'scheme_rewrite_specifier': "https_redirect"|"scheme_redirect";
-  'path_rewrite_specifier': "path_redirect"|"prefix_rewrite"|"regex_rewrite";
+  'scheme_rewrite_specifier'?: "https_redirect"|"scheme_redirect";
+  'path_rewrite_specifier'?: "path_redirect"|"prefix_rewrite"|"regex_rewrite";
 }

packages/grpc-js-xds/src/generated/envoy/config/route/v3/RetryPolicy.ts

@@ -223,7 +223,7 @@ export interface _envoy_config_route_v3_RetryPolicy_RetryHostPredicate__Output {
   /**
    * [#extension-category: envoy.retry_host_predicates]
    */
-  'config_type': "typed_config";
+  'config_type'?: "typed_config";
 }
 
 export interface _envoy_config_route_v3_RetryPolicy_RetryPriority {
@@ -241,7 +241,7 @@ export interface _envoy_config_route_v3_RetryPolicy_RetryPriority__Output {
   /**
    * [#extension-category: envoy.retry_priorities]
    */
-  'config_type': "typed_config";
+  'config_type'?: "typed_config";
 }
 
 /**

packages/grpc-js-xds/src/generated/envoy/config/route/v3/Route.ts

@@ -264,5 +264,5 @@ export interface Route__Output {
    * statistics use a non-trivial amount of memory(approximately 1KiB per route).
    */
   'stat_prefix': (string);
-  'action': "route"|"redirect"|"direct_response"|"filter_action"|"non_forwarding_action";
+  'action'?: "route"|"redirect"|"direct_response"|"filter_action"|"non_forwarding_action";
 }

packages/grpc-js-xds/src/generated/envoy/config/route/v3/RouteAction.ts

@@ -323,7 +323,7 @@ export interface _envoy_config_route_v3_RouteAction_HashPolicy__Output {
    * it's a terminal policy.
    */
   'terminal': (boolean);
-  'policy_specifier': "header"|"cookie"|"connection_properties"|"query_parameter"|"filter_state";
+  'policy_specifier'?: "header"|"cookie"|"connection_properties"|"query_parameter"|"filter_state";
 }
 
 export interface _envoy_config_route_v3_RouteAction_HashPolicy_Header {
@@ -1430,6 +1430,6 @@ export interface RouteAction__Output {
    * [#extension-category: envoy.path.rewrite]
    */
   'path_rewrite_policy': (_envoy_config_core_v3_TypedExtensionConfig__Output | null);
-  'cluster_specifier': "cluster"|"cluster_header"|"weighted_clusters"|"cluster_specifier_plugin"|"inline_cluster_specifier_plugin";
-  'host_rewrite_specifier': "host_rewrite_literal"|"auto_host_rewrite"|"host_rewrite_header"|"host_rewrite_path_regex";
+  'cluster_specifier'?: "cluster"|"cluster_header"|"weighted_clusters"|"cluster_specifier_plugin"|"inline_cluster_specifier_plugin";
+  'host_rewrite_specifier'?: "host_rewrite_literal"|"auto_host_rewrite"|"host_rewrite_header"|"host_rewrite_path_regex";
 }

packages/grpc-js-xds/src/generated/envoy/config/route/v3/RouteMatch.ts

@@ -325,5 +325,5 @@ export interface RouteMatch__Output {
    * [#extension-category: envoy.path.match]
    */
   'path_match_policy'?: (_envoy_config_core_v3_TypedExtensionConfig__Output | null);
-  'path_specifier': "prefix"|"path"|"safe_regex"|"connect_matcher"|"path_separated_prefix"|"path_match_policy";
+  'path_specifier'?: "prefix"|"path"|"safe_regex"|"connect_matcher"|"path_separated_prefix"|"path_match_policy";
 }

packages/grpc-js-xds/src/generated/envoy/config/route/v3/ScopedRouteConfiguration.ts

@@ -15,7 +15,7 @@ export interface _envoy_config_route_v3_ScopedRouteConfiguration_Key_Fragment__O
    * A string to match against.
    */
   'string_key'?: (string);
-  'type': "string_key";
+  'type'?: "string_key";
 }
 
 /**

packages/grpc-js-xds/src/generated/envoy/config/route/v3/WeightedCluster.ts

@@ -190,7 +190,7 @@ export interface _envoy_config_route_v3_WeightedCluster_ClusterWeight__Output {
    * this value.
    */
   'host_rewrite_literal'?: (string);
-  'host_rewrite_specifier': "host_rewrite_literal";
+  'host_rewrite_specifier'?: "host_rewrite_literal";
 }
 
 /**
@@ -276,5 +276,5 @@ export interface WeightedCluster__Output {
    * the process for the consistency. And the value is a unsigned number between 0 and UINT64_MAX.
    */
   'header_name'?: (string);
-  'random_value_specifier': "header_name";
+  'random_value_specifier'?: "header_name";
 }

packages/grpc-js-xds/src/generated/envoy/config/trace/v3/Tracing.ts

@@ -45,7 +45,7 @@ export interface _envoy_config_trace_v3_Tracing_Http__Output {
    * Trace driver specific configuration which must be set according to the driver being instantiated.
    * [#extension-category: envoy.tracers]
    */
-  'config_type': "typed_config";
+  'config_type'?: "typed_config";
 }
 
 /**

packages/grpc-js-xds/src/generated/envoy/data/accesslog/v3/TLSProperties.ts

@@ -47,7 +47,7 @@ export interface _envoy_data_accesslog_v3_TLSProperties_CertificateProperties_Su
    * [#not-implemented-hide:]
    */
   'dns'?: (string);
-  'san': "uri"|"dns";
+  'san'?: "uri"|"dns";
 }
 
 // Original file: deps/envoy-api/envoy/data/accesslog/v3/accesslog.proto

packages/grpc-js-xds/src/generated/envoy/extensions/filters/common/fault/v3/FaultDelay.ts

@@ -84,5 +84,5 @@ export interface FaultDelay__Output {
    * Fault delays are controlled via an HTTP header (if applicable).
    */
   'header_delay'?: (_envoy_extensions_filters_common_fault_v3_FaultDelay_HeaderDelay__Output | null);
-  'fault_delay_secifier': "fixed_delay"|"header_delay";
+  'fault_delay_secifier'?: "fixed_delay"|"header_delay";
 }

packages/grpc-js-xds/src/generated/envoy/extensions/filters/common/fault/v3/FaultRateLimit.ts

@@ -74,5 +74,5 @@ export interface FaultRateLimit__Output {
    * Rate limits are controlled via an HTTP header (if applicable).
    */
   'header_limit'?: (_envoy_extensions_filters_common_fault_v3_FaultRateLimit_HeaderLimit__Output | null);
-  'limit_type': "fixed_limit"|"header_limit";
+  'limit_type'?: "fixed_limit"|"header_limit";
 }

packages/grpc-js-xds/src/generated/envoy/extensions/filters/http/fault/v3/FaultAbort.ts

@@ -63,5 +63,5 @@ export interface FaultAbort__Output {
    * gRPC status code to use to abort the gRPC request.
    */
   'grpc_status'?: (number);
-  'error_type': "http_status"|"grpc_status"|"header_abort";
+  'error_type'?: "http_status"|"grpc_status"|"header_abort";
 }

packages/grpc-js-xds/src/generated/envoy/extensions/filters/http/rbac/v3/RBAC.ts

@@ -0,0 +1,104 @@
+// Original file: deps/envoy-api/envoy/extensions/filters/http/rbac/v3/rbac.proto
+
+import type { RBAC as _envoy_config_rbac_v3_RBAC, RBAC__Output as _envoy_config_rbac_v3_RBAC__Output } from '../../../../../../envoy/config/rbac/v3/RBAC';
+import type { Matcher as _xds_type_matcher_v3_Matcher, Matcher__Output as _xds_type_matcher_v3_Matcher__Output } from '../../../../../../xds/type/matcher/v3/Matcher';
+
+/**
+ * RBAC filter config.
+ * [#next-free-field: 8]
+ */
+export interface RBAC {
+  /**
+   * Specify the RBAC rules to be applied globally.
+   * If absent, no enforcing RBAC policy will be applied.
+   * If present and empty, DENY.
+   * If both rules and matcher are configured, rules will be ignored.
+   */
+  'rules'?: (_envoy_config_rbac_v3_RBAC | null);
+  /**
+   * Shadow rules are not enforced by the filter (i.e., returning a 403)
+   * but will emit stats and logs and can be used for rule testing.
+   * If absent, no shadow RBAC policy will be applied.
+   * If both shadow rules and shadow matcher are configured, shadow rules will be ignored.
+   */
+  'shadow_rules'?: (_envoy_config_rbac_v3_RBAC | null);
+  /**
+   * If specified, shadow rules will emit stats with the given prefix.
+   * This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
+   * shadow rules.
+   */
+  'shadow_rules_stat_prefix'?: (string);
+  /**
+   * The match tree to use when resolving RBAC action for incoming requests. Requests do not
+   * match any matcher will be denied.
+   * If absent, no enforcing RBAC matcher will be applied.
+   * If present and empty, deny all requests.
+   */
+  'matcher'?: (_xds_type_matcher_v3_Matcher | null);
+  /**
+   * The match tree to use for emitting stats and logs which can be used for rule testing for
+   * incoming requests.
+   * If absent, no shadow matcher will be applied.
+   */
+  'shadow_matcher'?: (_xds_type_matcher_v3_Matcher | null);
+  /**
+   * If specified, rules will emit stats with the given prefix.
+   * This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
+   * rules.
+   */
+  'rules_stat_prefix'?: (string);
+  /**
+   * If track_per_rule_stats is true, counters will be published for each rule and shadow rule.
+   */
+  'track_per_rule_stats'?: (boolean);
+}
+
+/**
+ * RBAC filter config.
+ * [#next-free-field: 8]
+ */
+export interface RBAC__Output {
+  /**
+   * Specify the RBAC rules to be applied globally.
+   * If absent, no enforcing RBAC policy will be applied.
+   * If present and empty, DENY.
+   * If both rules and matcher are configured, rules will be ignored.
+   */
+  'rules': (_envoy_config_rbac_v3_RBAC__Output | null);
+  /**
+   * Shadow rules are not enforced by the filter (i.e., returning a 403)
+   * but will emit stats and logs and can be used for rule testing.
+   * If absent, no shadow RBAC policy will be applied.
+   * If both shadow rules and shadow matcher are configured, shadow rules will be ignored.
+   */
+  'shadow_rules': (_envoy_config_rbac_v3_RBAC__Output | null);
+  /**
+   * If specified, shadow rules will emit stats with the given prefix.
+   * This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
+   * shadow rules.
+   */
+  'shadow_rules_stat_prefix': (string);
+  /**
+   * The match tree to use when resolving RBAC action for incoming requests. Requests do not
+   * match any matcher will be denied.
+   * If absent, no enforcing RBAC matcher will be applied.
+   * If present and empty, deny all requests.
+   */
+  'matcher': (_xds_type_matcher_v3_Matcher__Output | null);
+  /**
+   * The match tree to use for emitting stats and logs which can be used for rule testing for
+   * incoming requests.
+   * If absent, no shadow matcher will be applied.
+   */
+  'shadow_matcher': (_xds_type_matcher_v3_Matcher__Output | null);
+  /**
+   * If specified, rules will emit stats with the given prefix.
+   * This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
+   * rules.
+   */
+  'rules_stat_prefix': (string);
+  /**
+   * If track_per_rule_stats is true, counters will be published for each rule and shadow rule.
+   */
+  'track_per_rule_stats': (boolean);
+}

packages/grpc-js-xds/src/generated/envoy/extensions/filters/http/rbac/v3/RBACPerRoute.ts

@@ -0,0 +1,19 @@
+// Original file: deps/envoy-api/envoy/extensions/filters/http/rbac/v3/rbac.proto
+
+import type { RBAC as _envoy_extensions_filters_http_rbac_v3_RBAC, RBAC__Output as _envoy_extensions_filters_http_rbac_v3_RBAC__Output } from '../../../../../../envoy/extensions/filters/http/rbac/v3/RBAC';
+
+export interface RBACPerRoute {
+  /**
+   * Override the global configuration of the filter with this new config.
+   * If absent, the global RBAC policy will be disabled for this route.
+   */
+  'rbac'?: (_envoy_extensions_filters_http_rbac_v3_RBAC | null);
+}
+
+export interface RBACPerRoute__Output {
+  /**
+   * Override the global configuration of the filter with this new config.
+   * If absent, the global RBAC policy will be disabled for this route.
+   */
+  'rbac': (_envoy_extensions_filters_http_rbac_v3_RBAC__Output | null);
+}

packages/grpc-js-xds/src/generated/envoy/extensions/filters/network/http_connection_manager/v3/HttpConnectionManager.ts

@@ -535,7 +535,7 @@ export interface _envoy_extensions_filters_network_http_connection_manager_v3_Ht
    * If neither of these values are set, this value defaults to ``server_name``,
    * which itself defaults to "envoy".
    */
-  'proxy_name': "use_node_id"|"literal_proxy_name";
+  'proxy_name'?: "use_node_id"|"literal_proxy_name";
 }
 
 // Original file: deps/envoy-api/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
@@ -1946,6 +1946,6 @@ export interface HttpConnectionManager__Output {
    * the Overload Manager has been triggered.
    */
   'append_local_overload': (boolean);
-  'route_specifier': "rds"|"route_config"|"scoped_routes";
-  'strip_port_mode': "strip_any_host_port";
+  'route_specifier'?: "rds"|"route_config"|"scoped_routes";
+  'strip_port_mode'?: "strip_any_host_port";
 }

packages/grpc-js-xds/src/generated/envoy/extensions/filters/network/http_connection_manager/v3/HttpFilter.ts

@@ -94,5 +94,5 @@ export interface HttpFilter__Output {
    * Terminal filters (e.g. ``envoy.filters.http.router``) cannot be marked as disabled.
    */
   'disabled': (boolean);
-  'config_type': "typed_config"|"config_discovery";
+  'config_type'?: "typed_config"|"config_discovery";
 }

packages/grpc-js-xds/src/generated/envoy/extensions/filters/network/http_connection_manager/v3/ScopedRoutes.ts

@@ -23,7 +23,7 @@ export interface _envoy_extensions_filters_network_http_connection_manager_v3_Sc
    * Specifies how a header field's value should be extracted.
    */
   'header_value_extractor'?: (_envoy_extensions_filters_network_http_connection_manager_v3_ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor__Output | null);
-  'type': "header_value_extractor";
+  'type'?: "header_value_extractor";
 }
 
 /**
@@ -119,7 +119,7 @@ export interface _envoy_extensions_filters_network_http_connection_manager_v3_Sc
    * Specifies the key value pair to extract the value from.
    */
   'element'?: (_envoy_extensions_filters_network_http_connection_manager_v3_ScopedRoutes_ScopeKeyBuilder_FragmentBuilder_HeaderValueExtractor_KvElement__Output | null);
-  'extract_type': "index"|"element";
+  'extract_type'?: "index"|"element";
 }
 
 /**
@@ -269,5 +269,5 @@ export interface ScopedRoutes__Output {
    * in this message.
    */
   'scoped_rds'?: (_envoy_extensions_filters_network_http_connection_manager_v3_ScopedRds__Output | null);
-  'config_specifier': "scoped_route_configurations_list"|"scoped_rds";
+  'config_specifier'?: "scoped_route_configurations_list"|"scoped_rds";
 }

packages/grpc-js-xds/src/generated/envoy/extensions/load_balancing_policies/common/v3/LocalityLbConfig.ts

@@ -96,5 +96,5 @@ export interface LocalityLbConfig__Output {
    * Enable locality weighted load balancing.
    */
   'locality_weighted_lb_config'?: (_envoy_extensions_load_balancing_policies_common_v3_LocalityLbConfig_LocalityWeightedLbConfig__Output | null);
-  'locality_config_specifier': "zone_aware_lb_config"|"locality_weighted_lb_config";
+  'locality_config_specifier'?: "zone_aware_lb_config"|"locality_weighted_lb_config";
 }

packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/CommonTlsContext.ts

@@ -61,7 +61,7 @@ export interface _envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_Cer
    * certificate providers of a cluster.
    * This config could be supplied inline or (in future) a named xDS resource.
    */
-  'config': "typed_config";
+  'config'?: "typed_config";
 }
 
 /**
@@ -383,5 +383,5 @@ export interface CommonTlsContext__Output {
    * TLS key log configuration
    */
   'key_log': (_envoy_extensions_transport_sockets_tls_v3_TlsKeyLog__Output | null);
-  'validation_context_type': "validation_context"|"validation_context_sds_secret_config"|"combined_validation_context"|"validation_context_certificate_provider"|"validation_context_certificate_provider_instance";
+  'validation_context_type'?: "validation_context"|"validation_context_sds_secret_config"|"combined_validation_context"|"validation_context_certificate_provider"|"validation_context_certificate_provider_instance";
 }

packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/DownstreamTlsContext.ts

@@ -187,5 +187,5 @@ export interface DownstreamTlsContext__Output {
    * relevant only for TLSv1.2 and earlier.)
    */
   'disable_stateful_session_resumption': (boolean);
-  'session_ticket_keys_type': "session_ticket_keys"|"session_ticket_keys_sds_secret_config"|"disable_stateless_session_resumption";
+  'session_ticket_keys_type'?: "session_ticket_keys"|"session_ticket_keys_sds_secret_config"|"disable_stateless_session_resumption";
 }

packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/PrivateKeyProvider.ts

@@ -47,5 +47,5 @@ export interface PrivateKeyProvider__Output {
   /**
    * Private key method provider specific configuration.
    */
-  'config_type': "typed_config";
+  'config_type'?: "typed_config";
 }

packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/Secret.ts

@@ -32,5 +32,5 @@ export interface Secret__Output {
   'session_ticket_keys'?: (_envoy_extensions_transport_sockets_tls_v3_TlsSessionTicketKeys__Output | null);
   'validation_context'?: (_envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext__Output | null);
   'generic_secret'?: (_envoy_extensions_transport_sockets_tls_v3_GenericSecret__Output | null);
-  'type': "tls_certificate"|"session_ticket_keys"|"validation_context"|"generic_secret";
+  'type'?: "tls_certificate"|"session_ticket_keys"|"validation_context"|"generic_secret";
 }

packages/grpc-js-xds/src/generated/envoy/service/discovery/v3/DynamicParameterConstraints.ts

@@ -57,7 +57,7 @@ export interface _envoy_service_discovery_v3_DynamicParameterConstraints_SingleC
    * special configuration based on that key.
    */
   'exists'?: (_envoy_service_discovery_v3_DynamicParameterConstraints_SingleConstraint_Exists__Output | null);
-  'constraint_type': "value"|"exists";
+  'constraint_type'?: "value"|"exists";
 }
 
 /**
@@ -115,5 +115,5 @@ export interface DynamicParameterConstraints__Output {
    * The inverse (NOT) of a set of constraints.
    */
   'not_constraints'?: (_envoy_service_discovery_v3_DynamicParameterConstraints__Output | null);
-  'type': "constraint"|"or_constraints"|"and_constraints"|"not_constraints";
+  'type'?: "constraint"|"or_constraints"|"and_constraints"|"not_constraints";
 }

packages/grpc-js-xds/src/generated/envoy/service/status/v3/PerXdsConfig.ts

@@ -65,5 +65,5 @@ export interface PerXdsConfig__Output {
    * @deprecated
    */
   'client_status': (_envoy_service_status_v3_ClientConfigStatus__Output);
-  'per_xds_config': "listener_config"|"cluster_config"|"route_config"|"scoped_route_config"|"endpoint_config";
+  'per_xds_config'?: "listener_config"|"cluster_config"|"route_config"|"scoped_route_config"|"endpoint_config";
 }

packages/grpc-js-xds/src/generated/envoy/type/http/v3/PathTransformation.ts

@@ -74,7 +74,7 @@ export interface _envoy_type_http_v3_PathTransformation_Operation__Output {
    * Enable merging adjacent slashes.
    */
   'merge_slashes'?: (_envoy_type_http_v3_PathTransformation_Operation_MergeSlashes__Output | null);
-  'operation_specifier': "normalize_path_rfc_3986"|"merge_slashes";
+  'operation_specifier'?: "normalize_path_rfc_3986"|"merge_slashes";
 }
 
 export interface PathTransformation {

packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/DoubleMatcher.ts

@@ -31,5 +31,5 @@ export interface DoubleMatcher__Output {
    * If specified, the input double value must be equal to the value specified here.
    */
   'exact'?: (number);
-  'match_pattern': "range"|"exact";
+  'match_pattern'?: "range"|"exact";
 }

packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/FilterStateMatcher.ts

@@ -0,0 +1,33 @@
+// Original file: deps/envoy-api/envoy/type/matcher/v3/filter_state.proto
+
+import type { StringMatcher as _envoy_type_matcher_v3_StringMatcher, StringMatcher__Output as _envoy_type_matcher_v3_StringMatcher__Output } from '../../../../envoy/type/matcher/v3/StringMatcher';
+
+/**
+ * FilterStateMatcher provides a general interface for matching the filter state objects.
+ */
+export interface FilterStateMatcher {
+  /**
+   * The filter state key to retrieve the object.
+   */
+  'key'?: (string);
+  /**
+   * Matches the filter state object as a string value.
+   */
+  'string_match'?: (_envoy_type_matcher_v3_StringMatcher | null);
+  'matcher'?: "string_match";
+}
+
+/**
+ * FilterStateMatcher provides a general interface for matching the filter state objects.
+ */
+export interface FilterStateMatcher__Output {
+  /**
+   * The filter state key to retrieve the object.
+   */
+  'key': (string);
+  /**
+   * Matches the filter state object as a string value.
+   */
+  'string_match'?: (_envoy_type_matcher_v3_StringMatcher__Output | null);
+  'matcher'?: "string_match";
+}

packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/ListMatcher.ts

@@ -21,5 +21,5 @@ export interface ListMatcher__Output {
    * If specified, at least one of the values in the list must match the value specified.
    */
   'one_of'?: (_envoy_type_matcher_v3_ValueMatcher__Output | null);
-  'match_pattern': "one_of";
+  'match_pattern'?: "one_of";
 }

packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/MetadataMatcher.ts

@@ -25,7 +25,7 @@ export interface _envoy_type_matcher_v3_MetadataMatcher_PathSegment__Output {
    * If specified, use the key to retrieve the value in a Struct.
    */
   'key'?: (string);
-  'segment': "key";
+  'segment'?: "key";
 }
 
 /**

packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/PathMatcher.ts

@@ -0,0 +1,29 @@
+// Original file: deps/envoy-api/envoy/type/matcher/v3/path.proto
+
+import type { StringMatcher as _envoy_type_matcher_v3_StringMatcher, StringMatcher__Output as _envoy_type_matcher_v3_StringMatcher__Output } from '../../../../envoy/type/matcher/v3/StringMatcher';
+
+/**
+ * Specifies the way to match a path on HTTP request.
+ */
+export interface PathMatcher {
+  /**
+   * The ``path`` must match the URL path portion of the :path header. The query and fragment
+   * string (if present) are removed in the URL path portion.
+   * For example, the path ``/data`` will match the ``:path`` header ``/data#fragment?param=value``.
+   */
+  'path'?: (_envoy_type_matcher_v3_StringMatcher | null);
+  'rule'?: "path";
+}
+
+/**
+ * Specifies the way to match a path on HTTP request.
+ */
+export interface PathMatcher__Output {
+  /**
+   * The ``path`` must match the URL path portion of the :path header. The query and fragment
+   * string (if present) are removed in the URL path portion.
+   * For example, the path ``/data`` will match the ``:path`` header ``/data#fragment?param=value``.
+   */
+  'path'?: (_envoy_type_matcher_v3_StringMatcher__Output | null);
+  'rule'?: "path";
+}

packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/RegexMatcher.ts

@@ -101,5 +101,5 @@ export interface RegexMatcher__Output {
    * against the full string, not as a partial match.
    */
   'regex': (string);
-  'engine_type': "google_re2";
+  'engine_type'?: "google_re2";
 }

packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/StringMatcher.ts

@@ -116,5 +116,5 @@ export interface StringMatcher__Output {
    * [#extension-category: envoy.string_matcher]
    */
   'custom'?: (_xds_core_v3_TypedExtensionConfig__Output | null);
-  'match_pattern': "exact"|"prefix"|"suffix"|"safe_regex"|"contains"|"custom";
+  'match_pattern'?: "exact"|"prefix"|"suffix"|"safe_regex"|"contains"|"custom";
 }

packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/StructMatcher.ts

@@ -21,7 +21,7 @@ export interface _envoy_type_matcher_v3_StructMatcher_PathSegment__Output {
    * If specified, use the key to retrieve the value in a Struct.
    */
   'key'?: (string);
-  'segment': "key";
+  'segment'?: "key";
 }
 
 /**

packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/ValueMatcher.ts

@@ -106,5 +106,5 @@ export interface ValueMatcher__Output {
   /**
    * Specifies how to match a value.
    */
-  'match_pattern': "null_match"|"double_match"|"string_match"|"bool_match"|"present_match"|"list_match"|"or_match";
+  'match_pattern'?: "null_match"|"double_match"|"string_match"|"bool_match"|"present_match"|"list_match"|"or_match";
 }

packages/grpc-js-xds/src/generated/envoy/type/metadata/v3/MetadataKey.ts

@@ -22,7 +22,7 @@ export interface _envoy_type_metadata_v3_MetadataKey_PathSegment__Output {
    * If specified, use the key to retrieve the value in a Struct.
    */
   'key'?: (string);
-  'segment': "key";
+  'segment'?: "key";
 }
 
 /**

packages/grpc-js-xds/src/generated/envoy/type/metadata/v3/MetadataKind.ts

@@ -94,5 +94,5 @@ export interface MetadataKind__Output {
    * Host kind of metadata.
    */
   'host'?: (_envoy_type_metadata_v3_MetadataKind_Host__Output | null);
-  'kind': "request"|"route"|"cluster"|"host";
+  'kind'?: "request"|"route"|"cluster"|"host";
 }

packages/grpc-js-xds/src/generated/envoy/type/tracing/v3/CustomTag.ts

@@ -194,5 +194,5 @@ export interface CustomTag__Output {
   /**
    * Used to specify what kind of custom tag.
    */
-  'type': "literal"|"environment"|"request_header"|"metadata";
+  'type'?: "literal"|"environment"|"request_header"|"metadata";
 }

packages/grpc-js-xds/src/generated/google/api/HttpRule.ts

@@ -676,5 +676,5 @@ export interface HttpRule__Output {
    * used with any of the {get|put|post|delete|patch} methods. A custom method
    * can be defined using the 'custom' field.
    */
-  'pattern': "get"|"put"|"post"|"delete"|"patch"|"custom";
+  'pattern'?: "get"|"put"|"post"|"delete"|"patch"|"custom";
 }

packages/grpc-js-xds/src/generated/google/api/expr/v1alpha1/CheckedExpr.ts

@@ -0,0 +1,90 @@
+// Original file: deps/googleapis/google/api/expr/v1alpha1/checked.proto
+
+import type { Reference as _google_api_expr_v1alpha1_Reference, Reference__Output as _google_api_expr_v1alpha1_Reference__Output } from '../../../../google/api/expr/v1alpha1/Reference';
+import type { Type as _google_api_expr_v1alpha1_Type, Type__Output as _google_api_expr_v1alpha1_Type__Output } from '../../../../google/api/expr/v1alpha1/Type';
+import type { Expr as _google_api_expr_v1alpha1_Expr, Expr__Output as _google_api_expr_v1alpha1_Expr__Output } from '../../../../google/api/expr/v1alpha1/Expr';
+import type { SourceInfo as _google_api_expr_v1alpha1_SourceInfo, SourceInfo__Output as _google_api_expr_v1alpha1_SourceInfo__Output } from '../../../../google/api/expr/v1alpha1/SourceInfo';
+
+/**
+ * A CEL expression which has been successfully type checked.
+ */
+export interface CheckedExpr {
+  /**
+   * A map from expression ids to resolved references.
+   * 
+   * The following entries are in this table:
+   * 
+   * - An Ident or Select expression is represented here if it resolves to a
+   * declaration. For instance, if `a.b.c` is represented by
+   * `select(select(id(a), b), c)`, and `a.b` resolves to a declaration,
+   * while `c` is a field selection, then the reference is attached to the
+   * nested select expression (but not to the id or or the outer select).
+   * In turn, if `a` resolves to a declaration and `b.c` are field selections,
+   * the reference is attached to the ident expression.
+   * - Every Call expression has an entry here, identifying the function being
+   * called.
+   * - Every CreateStruct expression for a message has an entry, identifying
+   * the message.
+   */
+  'reference_map'?: ({[key: number]: _google_api_expr_v1alpha1_Reference});
+  /**
+   * A map from expression ids to types.
+   * 
+   * Every expression node which has a type different than DYN has a mapping
+   * here. If an expression has type DYN, it is omitted from this map to save
+   * space.
+   */
+  'type_map'?: ({[key: number]: _google_api_expr_v1alpha1_Type});
+  /**
+   * The checked expression. Semantically equivalent to the parsed `expr`, but
+   * may have structural differences.
+   */
+  'expr'?: (_google_api_expr_v1alpha1_Expr | null);
+  /**
+   * The source info derived from input that generated the parsed `expr` and
+   * any optimizations made during the type-checking pass.
+   */
+  'source_info'?: (_google_api_expr_v1alpha1_SourceInfo | null);
+}
+
+/**
+ * A CEL expression which has been successfully type checked.
+ */
+export interface CheckedExpr__Output {
+  /**
+   * A map from expression ids to resolved references.
+   * 
+   * The following entries are in this table:
+   * 
+   * - An Ident or Select expression is represented here if it resolves to a
+   * declaration. For instance, if `a.b.c` is represented by
+   * `select(select(id(a), b), c)`, and `a.b` resolves to a declaration,
+   * while `c` is a field selection, then the reference is attached to the
+   * nested select expression (but not to the id or or the outer select).
+   * In turn, if `a` resolves to a declaration and `b.c` are field selections,
+   * the reference is attached to the ident expression.
+   * - Every Call expression has an entry here, identifying the function being
+   * called.
+   * - Every CreateStruct expression for a message has an entry, identifying
+   * the message.
+   */
+  'reference_map': ({[key: number]: _google_api_expr_v1alpha1_Reference__Output});
+  /**
+   * A map from expression ids to types.
+   * 
+   * Every expression node which has a type different than DYN has a mapping
+   * here. If an expression has type DYN, it is omitted from this map to save
+   * space.
+   */
+  'type_map': ({[key: number]: _google_api_expr_v1alpha1_Type__Output});
+  /**
+   * The checked expression. Semantically equivalent to the parsed `expr`, but
+   * may have structural differences.
+   */
+  'expr': (_google_api_expr_v1alpha1_Expr__Output | null);
+  /**
+   * The source info derived from input that generated the parsed `expr` and
+   * any optimizations made during the type-checking pass.
+   */
+  'source_info': (_google_api_expr_v1alpha1_SourceInfo__Output | null);
+}

packages/grpc-js-xds/src/generated/google/api/expr/v1alpha1/Constant.ts

@@ -0,0 +1,134 @@
+// Original file: deps/googleapis/google/api/expr/v1alpha1/syntax.proto
+
+import type { NullValue as _google_protobuf_NullValue, NullValue__Output as _google_protobuf_NullValue__Output } from '../../../../google/protobuf/NullValue';
+import type { Duration as _google_protobuf_Duration, Duration__Output as _google_protobuf_Duration__Output } from '../../../../google/protobuf/Duration';
+import type { Timestamp as _google_protobuf_Timestamp, Timestamp__Output as _google_protobuf_Timestamp__Output } from '../../../../google/protobuf/Timestamp';
+import type { Long } from '@grpc/proto-loader';
+
+/**
+ * Represents a primitive literal.
+ * 
+ * Named 'Constant' here for backwards compatibility.
+ * 
+ * This is similar as the primitives supported in the well-known type
+ * `google.protobuf.Value`, but richer so it can represent CEL's full range of
+ * primitives.
+ * 
+ * Lists and structs are not included as constants as these aggregate types may
+ * contain [Expr][google.api.expr.v1alpha1.Expr] elements which require evaluation and are thus not constant.
+ * 
+ * Examples of literals include: `"hello"`, `b'bytes'`, `1u`, `4.2`, `-2`,
+ * `true`, `null`.
+ */
+export interface Constant {
+  /**
+   * null value.
+   */
+  'null_value'?: (_google_protobuf_NullValue);
+  /**
+   * boolean value.
+   */
+  'bool_value'?: (boolean);
+  /**
+   * int64 value.
+   */
+  'int64_value'?: (number | string | Long);
+  /**
+   * uint64 value.
+   */
+  'uint64_value'?: (number | string | Long);
+  /**
+   * double value.
+   */
+  'double_value'?: (number | string);
+  /**
+   * string value.
+   */
+  'string_value'?: (string);
+  /**
+   * bytes value.
+   */
+  'bytes_value'?: (Buffer | Uint8Array | string);
+  /**
+   * protobuf.Duration value.
+   * 
+   * Deprecated: duration is no longer considered a builtin cel type.
+   * @deprecated
+   */
+  'duration_value'?: (_google_protobuf_Duration | null);
+  /**
+   * protobuf.Timestamp value.
+   * 
+   * Deprecated: timestamp is no longer considered a builtin cel type.
+   * @deprecated
+   */
+  'timestamp_value'?: (_google_protobuf_Timestamp | null);
+  /**
+   * Required. The valid constant kinds.
+   */
+  'constant_kind'?: "null_value"|"bool_value"|"int64_value"|"uint64_value"|"double_value"|"string_value"|"bytes_value"|"duration_value"|"timestamp_value";
+}
+
+/**
+ * Represents a primitive literal.
+ * 
+ * Named 'Constant' here for backwards compatibility.
+ * 
+ * This is similar as the primitives supported in the well-known type
+ * `google.protobuf.Value`, but richer so it can represent CEL's full range of
+ * primitives.
+ * 
+ * Lists and structs are not included as constants as these aggregate types may
+ * contain [Expr][google.api.expr.v1alpha1.Expr] elements which require evaluation and are thus not constant.
+ * 
+ * Examples of literals include: `"hello"`, `b'bytes'`, `1u`, `4.2`, `-2`,
+ * `true`, `null`.
+ */
+export interface Constant__Output {
+  /**
+   * null value.
+   */
+  'null_value'?: (_google_protobuf_NullValue__Output);
+  /**
+   * boolean value.
+   */
+  'bool_value'?: (boolean);
+  /**
+   * int64 value.
+   */
+  'int64_value'?: (string);
+  /**
+   * uint64 value.
+   */
+  'uint64_value'?: (string);
+  /**
+   * double value.
+   */
+  'double_value'?: (number);
+  /**
+   * string value.
+   */
+  'string_value'?: (string);
+  /**
+   * bytes value.
+   */
+  'bytes_value'?: (Buffer);
+  /**
+   * protobuf.Duration value.
+   * 
+   * Deprecated: duration is no longer considered a builtin cel type.
+   * @deprecated
+   */
+  'duration_value'?: (_google_protobuf_Duration__Output | null);
+  /**
+   * protobuf.Timestamp value.
+   * 
+   * Deprecated: timestamp is no longer considered a builtin cel type.
+   * @deprecated
+   */
+  'timestamp_value'?: (_google_protobuf_Timestamp__Output | null);
+  /**
+   * Required. The valid constant kinds.
+   */
+  'constant_kind'?: "null_value"|"bool_value"|"int64_value"|"uint64_value"|"double_value"|"string_value"|"bytes_value"|"duration_value"|"timestamp_value";
+}

packages/grpc-js-xds/src/generated/google/api/expr/v1alpha1/Decl.ts

@@ -0,0 +1,266 @@
+// Original file: deps/googleapis/google/api/expr/v1alpha1/checked.proto
+
+import type { Type as _google_api_expr_v1alpha1_Type, Type__Output as _google_api_expr_v1alpha1_Type__Output } from '../../../../google/api/expr/v1alpha1/Type';
+import type { Constant as _google_api_expr_v1alpha1_Constant, Constant__Output as _google_api_expr_v1alpha1_Constant__Output } from '../../../../google/api/expr/v1alpha1/Constant';
+
+/**
+ * Function declaration specifies one or more overloads which indicate the
+ * function's parameter types and return type, and may optionally specify a
+ * function definition in terms of CEL expressions.
+ * 
+ * Functions have no observable side-effects (there may be side-effects like
+ * logging which are not observable from CEL).
+ */
+export interface _google_api_expr_v1alpha1_Decl_FunctionDecl {
+  /**
+   * Required. List of function overloads, must contain at least one overload.
+   */
+  'overloads'?: (_google_api_expr_v1alpha1_Decl_FunctionDecl_Overload)[];
+}
+
+/**
+ * Function declaration specifies one or more overloads which indicate the
+ * function's parameter types and return type, and may optionally specify a
+ * function definition in terms of CEL expressions.
+ * 
+ * Functions have no observable side-effects (there may be side-effects like
+ * logging which are not observable from CEL).
+ */
+export interface _google_api_expr_v1alpha1_Decl_FunctionDecl__Output {
+  /**
+   * Required. List of function overloads, must contain at least one overload.
+   */
+  'overloads': (_google_api_expr_v1alpha1_Decl_FunctionDecl_Overload__Output)[];
+}
+
+/**
+ * Identifier declaration which specifies its type and optional `Expr` value.
+ * 
+ * An identifier without a value is a declaration that must be provided at
+ * evaluation time. An identifier with a value should resolve to a constant,
+ * but may be used in conjunction with other identifiers bound at evaluation
+ * time.
+ */
+export interface _google_api_expr_v1alpha1_Decl_IdentDecl {
+  /**
+   * Required. The type of the identifier.
+   */
+  'type'?: (_google_api_expr_v1alpha1_Type | null);
+  /**
+   * The constant value of the identifier. If not specified, the identifier
+   * must be supplied at evaluation time.
+   */
+  'value'?: (_google_api_expr_v1alpha1_Constant | null);
+  /**
+   * Documentation string for the identifier.
+   */
+  'doc'?: (string);
+}
+
+/**
+ * Identifier declaration which specifies its type and optional `Expr` value.
+ * 
+ * An identifier without a value is a declaration that must be provided at
+ * evaluation time. An identifier with a value should resolve to a constant,
+ * but may be used in conjunction with other identifiers bound at evaluation
+ * time.
+ */
+export interface _google_api_expr_v1alpha1_Decl_IdentDecl__Output {
+  /**
+   * Required. The type of the identifier.
+   */
+  'type': (_google_api_expr_v1alpha1_Type__Output | null);
+  /**
+   * The constant value of the identifier. If not specified, the identifier
+   * must be supplied at evaluation time.
+   */
+  'value': (_google_api_expr_v1alpha1_Constant__Output | null);
+  /**
+   * Documentation string for the identifier.
+   */
+  'doc': (string);
+}
+
+/**
+ * An overload indicates a function's parameter types and return type, and
+ * may optionally include a function body described in terms of [Expr][google.api.expr.v1alpha1.Expr]
+ * values.
+ * 
+ * Functions overloads are declared in either a function or method
+ * call-style. For methods, the `params[0]` is the expected type of the
+ * target receiver.
+ * 
+ * Overloads must have non-overlapping argument types after erasure of all
+ * parameterized type variables (similar as type erasure in Java).
+ */
+export interface _google_api_expr_v1alpha1_Decl_FunctionDecl_Overload {
+  /**
+   * Required. Globally unique overload name of the function which reflects
+   * the function name and argument types.
+   * 
+   * This will be used by a [Reference][google.api.expr.v1alpha1.Reference] to indicate the `overload_id` that
+   * was resolved for the function `name`.
+   */
+  'overload_id'?: (string);
+  /**
+   * List of function parameter [Type][google.api.expr.v1alpha1.Type] values.
+   * 
+   * Param types are disjoint after generic type parameters have been
+   * replaced with the type `DYN`. Since the `DYN` type is compatible with
+   * any other type, this means that if `A` is a type parameter, the
+   * function types `int<A>` and `int<int>` are not disjoint. Likewise,
+   * `map<string, string>` is not disjoint from `map<K, V>`.
+   * 
+   * When the `result_type` of a function is a generic type param, the
+   * type param name also appears as the `type` of on at least one params.
+   */
+  'params'?: (_google_api_expr_v1alpha1_Type)[];
+  /**
+   * The type param names associated with the function declaration.
+   * 
+   * For example, `function ex<K,V>(K key, map<K, V> map) : V` would yield
+   * the type params of `K, V`.
+   */
+  'type_params'?: (string)[];
+  /**
+   * Required. The result type of the function. For example, the operator
+   * `string.isEmpty()` would have `result_type` of `kind: BOOL`.
+   */
+  'result_type'?: (_google_api_expr_v1alpha1_Type | null);
+  /**
+   * Whether the function is to be used in a method call-style `x.f(...)`
+   * of a function call-style `f(x, ...)`.
+   * 
+   * For methods, the first parameter declaration, `params[0]` is the
+   * expected type of the target receiver.
+   */
+  'is_instance_function'?: (boolean);
+  /**
+   * Documentation string for the overload.
+   */
+  'doc'?: (string);
+}
+
+/**
+ * An overload indicates a function's parameter types and return type, and
+ * may optionally include a function body described in terms of [Expr][google.api.expr.v1alpha1.Expr]
+ * values.
+ * 
+ * Functions overloads are declared in either a function or method
+ * call-style. For methods, the `params[0]` is the expected type of the
+ * target receiver.
+ * 
+ * Overloads must have non-overlapping argument types after erasure of all
+ * parameterized type variables (similar as type erasure in Java).
+ */
+export interface _google_api_expr_v1alpha1_Decl_FunctionDecl_Overload__Output {
+  /**
+   * Required. Globally unique overload name of the function which reflects
+   * the function name and argument types.
+   * 
+   * This will be used by a [Reference][google.api.expr.v1alpha1.Reference] to indicate the `overload_id` that
+   * was resolved for the function `name`.
+   */
+  'overload_id': (string);
+  /**
+   * List of function parameter [Type][google.api.expr.v1alpha1.Type] values.
+   * 
+   * Param types are disjoint after generic type parameters have been
+   * replaced with the type `DYN`. Since the `DYN` type is compatible with
+   * any other type, this means that if `A` is a type parameter, the
+   * function types `int<A>` and `int<int>` are not disjoint. Likewise,
+   * `map<string, string>` is not disjoint from `map<K, V>`.
+   * 
+   * When the `result_type` of a function is a generic type param, the
+   * type param name also appears as the `type` of on at least one params.
+   */
+  'params': (_google_api_expr_v1alpha1_Type__Output)[];
+  /**
+   * The type param names associated with the function declaration.
+   * 
+   * For example, `function ex<K,V>(K key, map<K, V> map) : V` would yield
+   * the type params of `K, V`.
+   */
+  'type_params': (string)[];
+  /**
+   * Required. The result type of the function. For example, the operator
+   * `string.isEmpty()` would have `result_type` of `kind: BOOL`.
+   */
+  'result_type': (_google_api_expr_v1alpha1_Type__Output | null);
+  /**
+   * Whether the function is to be used in a method call-style `x.f(...)`
+   * of a function call-style `f(x, ...)`.
+   * 
+   * For methods, the first parameter declaration, `params[0]` is the
+   * expected type of the target receiver.
+   */
+  'is_instance_function': (boolean);
+  /**
+   * Documentation string for the overload.
+   */
+  'doc': (string);
+}
+
+/**
+ * Represents a declaration of a named value or function.
+ * 
+ * A declaration is part of the contract between the expression, the agent
+ * evaluating that expression, and the caller requesting evaluation.
+ */
+export interface Decl {
+  /**
+   * The fully qualified name of the declaration.
+   * 
+   * Declarations are organized in containers and this represents the full path
+   * to the declaration in its container, as in `google.api.expr.Decl`.
+   * 
+   * Declarations used as [FunctionDecl.Overload][google.api.expr.v1alpha1.Decl.FunctionDecl.Overload] parameters may or may not
+   * have a name depending on whether the overload is function declaration or a
+   * function definition containing a result [Expr][google.api.expr.v1alpha1.Expr].
+   */
+  'name'?: (string);
+  /**
+   * Identifier declaration.
+   */
+  'ident'?: (_google_api_expr_v1alpha1_Decl_IdentDecl | null);
+  /**
+   * Function declaration.
+   */
+  'function'?: (_google_api_expr_v1alpha1_Decl_FunctionDecl | null);
+  /**
+   * Required. The declaration kind.
+   */
+  'decl_kind'?: "ident"|"function";
+}
+
+/**
+ * Represents a declaration of a named value or function.
+ * 
+ * A declaration is part of the contract between the expression, the agent
+ * evaluating that expression, and the caller requesting evaluation.
+ */
+export interface Decl__Output {
+  /**
+   * The fully qualified name of the declaration.
+   * 
+   * Declarations are organized in containers and this represents the full path
+   * to the declaration in its container, as in `google.api.expr.Decl`.
+   * 
+   * Declarations used as [FunctionDecl.Overload][google.api.expr.v1alpha1.Decl.FunctionDecl.Overload] parameters may or may not
+   * have a name depending on whether the overload is function declaration or a
+   * function definition containing a result [Expr][google.api.expr.v1alpha1.Expr].
+   */
+  'name': (string);
+  /**
+   * Identifier declaration.
+   */
+  'ident'?: (_google_api_expr_v1alpha1_Decl_IdentDecl__Output | null);
+  /**
+   * Function declaration.
+   */
+  'function'?: (_google_api_expr_v1alpha1_Decl_FunctionDecl__Output | null);
+  /**
+   * Required. The declaration kind.
+   */
+  'decl_kind'?: "ident"|"function";
+}

packages/grpc-js-xds/src/generated/google/api/expr/v1alpha1/Expr.ts

@@ -0,0 +1,493 @@
+// Original file: deps/googleapis/google/api/expr/v1alpha1/syntax.proto
+
+import type { Constant as _google_api_expr_v1alpha1_Constant, Constant__Output as _google_api_expr_v1alpha1_Constant__Output } from '../../../../google/api/expr/v1alpha1/Constant';
+import type { Expr as _google_api_expr_v1alpha1_Expr, Expr__Output as _google_api_expr_v1alpha1_Expr__Output } from '../../../../google/api/expr/v1alpha1/Expr';
+import type { Long } from '@grpc/proto-loader';
+
+/**
+ * A call expression, including calls to predefined functions and operators.
+ * 
+ * For example, `value == 10`, `size(map_value)`.
+ */
+export interface _google_api_expr_v1alpha1_Expr_Call {
+  /**
+   * The target of an method call-style expression. For example, `x` in
+   * `x.f()`.
+   */
+  'target'?: (_google_api_expr_v1alpha1_Expr | null);
+  /**
+   * Required. The name of the function or method being called.
+   */
+  'function'?: (string);
+  /**
+   * The arguments.
+   */
+  'args'?: (_google_api_expr_v1alpha1_Expr)[];
+}
+
+/**
+ * A call expression, including calls to predefined functions and operators.
+ * 
+ * For example, `value == 10`, `size(map_value)`.
+ */
+export interface _google_api_expr_v1alpha1_Expr_Call__Output {
+  /**
+   * The target of an method call-style expression. For example, `x` in
+   * `x.f()`.
+   */
+  'target': (_google_api_expr_v1alpha1_Expr__Output | null);
+  /**
+   * Required. The name of the function or method being called.
+   */
+  'function': (string);
+  /**
+   * The arguments.
+   */
+  'args': (_google_api_expr_v1alpha1_Expr__Output)[];
+}
+
+/**
+ * A comprehension expression applied to a list or map.
+ * 
+ * Comprehensions are not part of the core syntax, but enabled with macros.
+ * A macro matches a specific call signature within a parsed AST and replaces
+ * the call with an alternate AST block. Macro expansion happens at parse
+ * time.
+ * 
+ * The following macros are supported within CEL:
+ * 
+ * Aggregate type macros may be applied to all elements in a list or all keys
+ * in a map:
+ * 
+ * *  `all`, `exists`, `exists_one` -  test a predicate expression against
+ * the inputs and return `true` if the predicate is satisfied for all,
+ * any, or only one value `list.all(x, x < 10)`.
+ * *  `filter` - test a predicate expression against the inputs and return
+ * the subset of elements which satisfy the predicate:
+ * `payments.filter(p, p > 1000)`.
+ * *  `map` - apply an expression to all elements in the input and return the
+ * output aggregate type: `[1, 2, 3].map(i, i * i)`.
+ * 
+ * The `has(m.x)` macro tests whether the property `x` is present in struct
+ * `m`. The semantics of this macro depend on the type of `m`. For proto2
+ * messages `has(m.x)` is defined as 'defined, but not set`. For proto3, the
+ * macro tests whether the property is set to its default. For map and struct
+ * types, the macro tests whether the property `x` is defined on `m`.
+ */
+export interface _google_api_expr_v1alpha1_Expr_Comprehension {
+  /**
+   * The name of the iteration variable.
+   */
+  'iter_var'?: (string);
+  /**
+   * The range over which var iterates.
+   */
+  'iter_range'?: (_google_api_expr_v1alpha1_Expr | null);
+  /**
+   * The name of the variable used for accumulation of the result.
+   */
+  'accu_var'?: (string);
+  /**
+   * The initial value of the accumulator.
+   */
+  'accu_init'?: (_google_api_expr_v1alpha1_Expr | null);
+  /**
+   * An expression which can contain iter_var and accu_var.
+   * 
+   * Returns false when the result has been computed and may be used as
+   * a hint to short-circuit the remainder of the comprehension.
+   */
+  'loop_condition'?: (_google_api_expr_v1alpha1_Expr | null);
+  /**
+   * An expression which can contain iter_var and accu_var.
+   * 
+   * Computes the next value of accu_var.
+   */
+  'loop_step'?: (_google_api_expr_v1alpha1_Expr | null);
+  /**
+   * An expression which can contain accu_var.
+   * 
+   * Computes the result.
+   */
+  'result'?: (_google_api_expr_v1alpha1_Expr | null);
+}
+
+/**
+ * A comprehension expression applied to a list or map.
+ * 
+ * Comprehensions are not part of the core syntax, but enabled with macros.
+ * A macro matches a specific call signature within a parsed AST and replaces
+ * the call with an alternate AST block. Macro expansion happens at parse
+ * time.
+ * 
+ * The following macros are supported within CEL:
+ * 
+ * Aggregate type macros may be applied to all elements in a list or all keys
+ * in a map:
+ * 
+ * *  `all`, `exists`, `exists_one` -  test a predicate expression against
+ * the inputs and return `true` if the predicate is satisfied for all,
+ * any, or only one value `list.all(x, x < 10)`.
+ * *  `filter` - test a predicate expression against the inputs and return
+ * the subset of elements which satisfy the predicate:
+ * `payments.filter(p, p > 1000)`.
+ * *  `map` - apply an expression to all elements in the input and return the
+ * output aggregate type: `[1, 2, 3].map(i, i * i)`.
+ * 
+ * The `has(m.x)` macro tests whether the property `x` is present in struct
+ * `m`. The semantics of this macro depend on the type of `m`. For proto2
+ * messages `has(m.x)` is defined as 'defined, but not set`. For proto3, the
+ * macro tests whether the property is set to its default. For map and struct
+ * types, the macro tests whether the property `x` is defined on `m`.
+ */
+export interface _google_api_expr_v1alpha1_Expr_Comprehension__Output {
+  /**
+   * The name of the iteration variable.
+   */
+  'iter_var': (string);
+  /**
+   * The range over which var iterates.
+   */
+  'iter_range': (_google_api_expr_v1alpha1_Expr__Output | null);
+  /**
+   * The name of the variable used for accumulation of the result.
+   */
+  'accu_var': (string);
+  /**
+   * The initial value of the accumulator.
+   */
+  'accu_init': (_google_api_expr_v1alpha1_Expr__Output | null);
+  /**
+   * An expression which can contain iter_var and accu_var.
+   * 
+   * Returns false when the result has been computed and may be used as
+   * a hint to short-circuit the remainder of the comprehension.
+   */
+  'loop_condition': (_google_api_expr_v1alpha1_Expr__Output | null);
+  /**
+   * An expression which can contain iter_var and accu_var.
+   * 
+   * Computes the next value of accu_var.
+   */
+  'loop_step': (_google_api_expr_v1alpha1_Expr__Output | null);
+  /**
+   * An expression which can contain accu_var.
+   * 
+   * Computes the result.
+   */
+  'result': (_google_api_expr_v1alpha1_Expr__Output | null);
+}
+
+/**
+ * A list creation expression.
+ * 
+ * Lists may either be homogenous, e.g. `[1, 2, 3]`, or heterogenous, e.g.
+ * `dyn([1, 'hello', 2.0])`
+ */
+export interface _google_api_expr_v1alpha1_Expr_CreateList {
+  /**
+   * The elements part of the list.
+   */
+  'elements'?: (_google_api_expr_v1alpha1_Expr)[];
+}
+
+/**
+ * A list creation expression.
+ * 
+ * Lists may either be homogenous, e.g. `[1, 2, 3]`, or heterogenous, e.g.
+ * `dyn([1, 'hello', 2.0])`
+ */
+export interface _google_api_expr_v1alpha1_Expr_CreateList__Output {
+  /**
+   * The elements part of the list.
+   */
+  'elements': (_google_api_expr_v1alpha1_Expr__Output)[];
+}
+
+/**
+ * A map or message creation expression.
+ * 
+ * Maps are constructed as `{'key_name': 'value'}`. Message construction is
+ * similar, but prefixed with a type name and composed of field ids:
+ * `types.MyType{field_id: 'value'}`.
+ */
+export interface _google_api_expr_v1alpha1_Expr_CreateStruct {
+  /**
+   * The type name of the message to be created, empty when creating map
+   * literals.
+   */
+  'message_name'?: (string);
+  /**
+   * The entries in the creation expression.
+   */
+  'entries'?: (_google_api_expr_v1alpha1_Expr_CreateStruct_Entry)[];
+}
+
+/**
+ * A map or message creation expression.
+ * 
+ * Maps are constructed as `{'key_name': 'value'}`. Message construction is
+ * similar, but prefixed with a type name and composed of field ids:
+ * `types.MyType{field_id: 'value'}`.
+ */
+export interface _google_api_expr_v1alpha1_Expr_CreateStruct__Output {
+  /**
+   * The type name of the message to be created, empty when creating map
+   * literals.
+   */
+  'message_name': (string);
+  /**
+   * The entries in the creation expression.
+   */
+  'entries': (_google_api_expr_v1alpha1_Expr_CreateStruct_Entry__Output)[];
+}
+
+/**
+ * Represents an entry.
+ */
+export interface _google_api_expr_v1alpha1_Expr_CreateStruct_Entry {
+  /**
+   * Required. An id assigned to this node by the parser which is unique
+   * in a given expression tree. This is used to associate type
+   * information and other attributes to the node.
+   */
+  'id'?: (number | string | Long);
+  /**
+   * The field key for a message creator statement.
+   */
+  'field_key'?: (string);
+  /**
+   * The key expression for a map creation statement.
+   */
+  'map_key'?: (_google_api_expr_v1alpha1_Expr | null);
+  /**
+   * Required. The value assigned to the key.
+   */
+  'value'?: (_google_api_expr_v1alpha1_Expr | null);
+  /**
+   * The `Entry` key kinds.
+   */
+  'key_kind'?: "field_key"|"map_key";
+}
+
+/**
+ * Represents an entry.
+ */
+export interface _google_api_expr_v1alpha1_Expr_CreateStruct_Entry__Output {
+  /**
+   * Required. An id assigned to this node by the parser which is unique
+   * in a given expression tree. This is used to associate type
+   * information and other attributes to the node.
+   */
+  'id': (string);
+  /**
+   * The field key for a message creator statement.
+   */
+  'field_key'?: (string);
+  /**
+   * The key expression for a map creation statement.
+   */
+  'map_key'?: (_google_api_expr_v1alpha1_Expr__Output | null);
+  /**
+   * Required. The value assigned to the key.
+   */
+  'value': (_google_api_expr_v1alpha1_Expr__Output | null);
+  /**
+   * The `Entry` key kinds.
+   */
+  'key_kind'?: "field_key"|"map_key";
+}
+
+/**
+ * An identifier expression. e.g. `request`.
+ */
+export interface _google_api_expr_v1alpha1_Expr_Ident {
+  /**
+   * Required. Holds a single, unqualified identifier, possibly preceded by a
+   * '.'.
+   * 
+   * Qualified names are represented by the [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression.
+   */
+  'name'?: (string);
+}
+
+/**
+ * An identifier expression. e.g. `request`.
+ */
+export interface _google_api_expr_v1alpha1_Expr_Ident__Output {
+  /**
+   * Required. Holds a single, unqualified identifier, possibly preceded by a
+   * '.'.
+   * 
+   * Qualified names are represented by the [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression.
+   */
+  'name': (string);
+}
+
+/**
+ * A field selection expression. e.g. `request.auth`.
+ */
+export interface _google_api_expr_v1alpha1_Expr_Select {
+  /**
+   * Required. The target of the selection expression.
+   * 
+   * For example, in the select expression `request.auth`, the `request`
+   * portion of the expression is the `operand`.
+   */
+  'operand'?: (_google_api_expr_v1alpha1_Expr | null);
+  /**
+   * Required. The name of the field to select.
+   * 
+   * For example, in the select expression `request.auth`, the `auth` portion
+   * of the expression would be the `field`.
+   */
+  'field'?: (string);
+  /**
+   * Whether the select is to be interpreted as a field presence test.
+   * 
+   * This results from the macro `has(request.auth)`.
+   */
+  'test_only'?: (boolean);
+}
+
+/**
+ * A field selection expression. e.g. `request.auth`.
+ */
+export interface _google_api_expr_v1alpha1_Expr_Select__Output {
+  /**
+   * Required. The target of the selection expression.
+   * 
+   * For example, in the select expression `request.auth`, the `request`
+   * portion of the expression is the `operand`.
+   */
+  'operand': (_google_api_expr_v1alpha1_Expr__Output | null);
+  /**
+   * Required. The name of the field to select.
+   * 
+   * For example, in the select expression `request.auth`, the `auth` portion
+   * of the expression would be the `field`.
+   */
+  'field': (string);
+  /**
+   * Whether the select is to be interpreted as a field presence test.
+   * 
+   * This results from the macro `has(request.auth)`.
+   */
+  'test_only': (boolean);
+}
+
+/**
+ * An abstract representation of a common expression.
+ * 
+ * Expressions are abstractly represented as a collection of identifiers,
+ * select statements, function calls, literals, and comprehensions. All
+ * operators with the exception of the '.' operator are modelled as function
+ * calls. This makes it easy to represent new operators into the existing AST.
+ * 
+ * All references within expressions must resolve to a [Decl][google.api.expr.v1alpha1.Decl] provided at
+ * type-check for an expression to be valid. A reference may either be a bare
+ * identifier `name` or a qualified identifier `google.api.name`. References
+ * may either refer to a value or a function declaration.
+ * 
+ * For example, the expression `google.api.name.startsWith('expr')` references
+ * the declaration `google.api.name` within a [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression, and
+ * the function declaration `startsWith`.
+ */
+export interface Expr {
+  /**
+   * Required. An id assigned to this node by the parser which is unique in a
+   * given expression tree. This is used to associate type information and other
+   * attributes to a node in the parse tree.
+   */
+  'id'?: (number | string | Long);
+  /**
+   * A literal expression.
+   */
+  'const_expr'?: (_google_api_expr_v1alpha1_Constant | null);
+  /**
+   * An identifier expression.
+   */
+  'ident_expr'?: (_google_api_expr_v1alpha1_Expr_Ident | null);
+  /**
+   * A field selection expression, e.g. `request.auth`.
+   */
+  'select_expr'?: (_google_api_expr_v1alpha1_Expr_Select | null);
+  /**
+   * A call expression, including calls to predefined functions and operators.
+   */
+  'call_expr'?: (_google_api_expr_v1alpha1_Expr_Call | null);
+  /**
+   * A list creation expression.
+   */
+  'list_expr'?: (_google_api_expr_v1alpha1_Expr_CreateList | null);
+  /**
+   * A map or message creation expression.
+   */
+  'struct_expr'?: (_google_api_expr_v1alpha1_Expr_CreateStruct | null);
+  /**
+   * A comprehension expression.
+   */
+  'comprehension_expr'?: (_google_api_expr_v1alpha1_Expr_Comprehension | null);
+  /**
+   * Required. Variants of expressions.
+   */
+  'expr_kind'?: "const_expr"|"ident_expr"|"select_expr"|"call_expr"|"list_expr"|"struct_expr"|"comprehension_expr";
+}
+
+/**
+ * An abstract representation of a common expression.
+ * 
+ * Expressions are abstractly represented as a collection of identifiers,
+ * select statements, function calls, literals, and comprehensions. All
+ * operators with the exception of the '.' operator are modelled as function
+ * calls. This makes it easy to represent new operators into the existing AST.
+ * 
+ * All references within expressions must resolve to a [Decl][google.api.expr.v1alpha1.Decl] provided at
+ * type-check for an expression to be valid. A reference may either be a bare
+ * identifier `name` or a qualified identifier `google.api.name`. References
+ * may either refer to a value or a function declaration.
+ * 
+ * For example, the expression `google.api.name.startsWith('expr')` references
+ * the declaration `google.api.name` within a [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression, and
+ * the function declaration `startsWith`.
+ */
+export interface Expr__Output {
+  /**
+   * Required. An id assigned to this node by the parser which is unique in a
+   * given expression tree. This is used to associate type information and other
+   * attributes to a node in the parse tree.
+   */
+  'id': (string);
+  /**
+   * A literal expression.
+   */
+  'const_expr'?: (_google_api_expr_v1alpha1_Constant__Output | null);
+  /**
+   * An identifier expression.
+   */
+  'ident_expr'?: (_google_api_expr_v1alpha1_Expr_Ident__Output | null);
+  /**
+   * A field selection expression, e.g. `request.auth`.
+   */
+  'select_expr'?: (_google_api_expr_v1alpha1_Expr_Select__Output | null);
+  /**
+   * A call expression, including calls to predefined functions and operators.
+   */
+  'call_expr'?: (_google_api_expr_v1alpha1_Expr_Call__Output | null);
+  /**
+   * A list creation expression.
+   */
+  'list_expr'?: (_google_api_expr_v1alpha1_Expr_CreateList__Output | null);
+  /**
+   * A map or message creation expression.
+   */
+  'struct_expr'?: (_google_api_expr_v1alpha1_Expr_CreateStruct__Output | null);
+  /**
+   * A comprehension expression.
+   */
+  'comprehension_expr'?: (_google_api_expr_v1alpha1_Expr_Comprehension__Output | null);
+  /**
+   * Required. Variants of expressions.
+   */
+  'expr_kind'?: "const_expr"|"ident_expr"|"select_expr"|"call_expr"|"list_expr"|"struct_expr"|"comprehension_expr";
+}

packages/grpc-js-xds/src/generated/google/api/expr/v1alpha1/ParsedExpr.ts

@@ -0,0 +1,32 @@
+// Original file: deps/googleapis/google/api/expr/v1alpha1/syntax.proto
+
+import type { Expr as _google_api_expr_v1alpha1_Expr, Expr__Output as _google_api_expr_v1alpha1_Expr__Output } from '../../../../google/api/expr/v1alpha1/Expr';
+import type { SourceInfo as _google_api_expr_v1alpha1_SourceInfo, SourceInfo__Output as _google_api_expr_v1alpha1_SourceInfo__Output } from '../../../../google/api/expr/v1alpha1/SourceInfo';
+
+/**
+ * An expression together with source information as returned by the parser.
+ */
+export interface ParsedExpr {
+  /**
+   * The parsed expression.
+   */
+  'expr'?: (_google_api_expr_v1alpha1_Expr | null);
+  /**
+   * The source info derived from input that generated the parsed `expr`.
+   */
+  'source_info'?: (_google_api_expr_v1alpha1_SourceInfo | null);
+}
+
+/**
+ * An expression together with source information as returned by the parser.
+ */
+export interface ParsedExpr__Output {
+  /**
+   * The parsed expression.
+   */
+  'expr': (_google_api_expr_v1alpha1_Expr__Output | null);
+  /**
+   * The source info derived from input that generated the parsed `expr`.
+   */
+  'source_info': (_google_api_expr_v1alpha1_SourceInfo__Output | null);
+}

packages/grpc-js-xds/src/generated/google/api/expr/v1alpha1/Reference.ts

@@ -0,0 +1,55 @@
+// Original file: deps/googleapis/google/api/expr/v1alpha1/checked.proto
+
+import type { Constant as _google_api_expr_v1alpha1_Constant, Constant__Output as _google_api_expr_v1alpha1_Constant__Output } from '../../../../google/api/expr/v1alpha1/Constant';
+
+/**
+ * Describes a resolved reference to a declaration.
+ */
+export interface Reference {
+  /**
+   * The fully qualified name of the declaration.
+   */
+  'name'?: (string);
+  /**
+   * For references to functions, this is a list of `Overload.overload_id`
+   * values which match according to typing rules.
+   * 
+   * If the list has more than one element, overload resolution among the
+   * presented candidates must happen at runtime because of dynamic types. The
+   * type checker attempts to narrow down this list as much as possible.
+   * 
+   * Empty if this is not a reference to a [Decl.FunctionDecl][google.api.expr.v1alpha1.Decl.FunctionDecl].
+   */
+  'overload_id'?: (string)[];
+  /**
+   * For references to constants, this may contain the value of the
+   * constant if known at compile time.
+   */
+  'value'?: (_google_api_expr_v1alpha1_Constant | null);
+}
+
+/**
+ * Describes a resolved reference to a declaration.
+ */
+export interface Reference__Output {
+  /**
+   * The fully qualified name of the declaration.
+   */
+  'name': (string);
+  /**
+   * For references to functions, this is a list of `Overload.overload_id`
+   * values which match according to typing rules.
+   * 
+   * If the list has more than one element, overload resolution among the
+   * presented candidates must happen at runtime because of dynamic types. The
+   * type checker attempts to narrow down this list as much as possible.
+   * 
+   * Empty if this is not a reference to a [Decl.FunctionDecl][google.api.expr.v1alpha1.Decl.FunctionDecl].
+   */
+  'overload_id': (string)[];
+  /**
+   * For references to constants, this may contain the value of the
+   * constant if known at compile time.
+   */
+  'value': (_google_api_expr_v1alpha1_Constant__Output | null);
+}

packages/grpc-js-xds/src/generated/google/api/expr/v1alpha1/SourceInfo.ts

@@ -0,0 +1,87 @@
+// Original file: deps/googleapis/google/api/expr/v1alpha1/syntax.proto
+
+import type { Expr as _google_api_expr_v1alpha1_Expr, Expr__Output as _google_api_expr_v1alpha1_Expr__Output } from '../../../../google/api/expr/v1alpha1/Expr';
+
+/**
+ * Source information collected at parse time.
+ */
+export interface SourceInfo {
+  /**
+   * The syntax version of the source, e.g. `cel1`.
+   */
+  'syntax_version'?: (string);
+  /**
+   * The location name. All position information attached to an expression is
+   * relative to this location.
+   * 
+   * The location could be a file, UI element, or similar. For example,
+   * `acme/app/AnvilPolicy.cel`.
+   */
+  'location'?: (string);
+  /**
+   * Monotonically increasing list of character offsets where newlines appear.
+   * 
+   * The line number of a given position is the index `i` where for a given
+   * `id` the `line_offsets[i] < id_positions[id] < line_offsets[i+1]`. The
+   * column may be derivd from `id_positions[id] - line_offsets[i]`.
+   */
+  'line_offsets'?: (number)[];
+  /**
+   * A map from the parse node id (e.g. `Expr.id`) to the character offset
+   * within source.
+   */
+  'positions'?: ({[key: number]: number});
+  /**
+   * A map from the parse node id where a macro replacement was made to the
+   * call `Expr` that resulted in a macro expansion.
+   * 
+   * For example, `has(value.field)` is a function call that is replaced by a
+   * `test_only` field selection in the AST. Likewise, the call
+   * `list.exists(e, e > 10)` translates to a comprehension expression. The key
+   * in the map corresponds to the expression id of the expanded macro, and the
+   * value is the call `Expr` that was replaced.
+   */
+  'macro_calls'?: ({[key: number]: _google_api_expr_v1alpha1_Expr});
+}
+
+/**
+ * Source information collected at parse time.
+ */
+export interface SourceInfo__Output {
+  /**
+   * The syntax version of the source, e.g. `cel1`.
+   */
+  'syntax_version': (string);
+  /**
+   * The location name. All position information attached to an expression is
+   * relative to this location.
+   * 
+   * The location could be a file, UI element, or similar. For example,
+   * `acme/app/AnvilPolicy.cel`.
+   */
+  'location': (string);
+  /**
+   * Monotonically increasing list of character offsets where newlines appear.
+   * 
+   * The line number of a given position is the index `i` where for a given
+   * `id` the `line_offsets[i] < id_positions[id] < line_offsets[i+1]`. The
+   * column may be derivd from `id_positions[id] - line_offsets[i]`.
+   */
+  'line_offsets': (number)[];
+  /**
+   * A map from the parse node id (e.g. `Expr.id`) to the character offset
+   * within source.
+   */
+  'positions': ({[key: number]: number});
+  /**
+   * A map from the parse node id where a macro replacement was made to the
+   * call `Expr` that resulted in a macro expansion.
+   * 
+   * For example, `has(value.field)` is a function call that is replaced by a
+   * `test_only` field selection in the AST. Likewise, the call
+   * `list.exists(e, e > 10)` translates to a comprehension expression. The key
+   * in the map corresponds to the expression id of the expanded macro, and the
+   * value is the call `Expr` that was replaced.
+   */
+  'macro_calls': ({[key: number]: _google_api_expr_v1alpha1_Expr__Output});
+}

packages/grpc-js-xds/src/generated/google/api/expr/v1alpha1/SourcePosition.ts

@@ -0,0 +1,50 @@
+// Original file: deps/googleapis/google/api/expr/v1alpha1/syntax.proto
+
+
+/**
+ * A specific position in source.
+ */
+export interface SourcePosition {
+  /**
+   * The soucre location name (e.g. file name).
+   */
+  'location'?: (string);
+  /**
+   * The character offset.
+   */
+  'offset'?: (number);
+  /**
+   * The 1-based index of the starting line in the source text
+   * where the issue occurs, or 0 if unknown.
+   */
+  'line'?: (number);
+  /**
+   * The 0-based index of the starting position within the line of source text
+   * where the issue occurs.  Only meaningful if line is nonzero.
+   */
+  'column'?: (number);
+}
+
+/**
+ * A specific position in source.
+ */
+export interface SourcePosition__Output {
+  /**
+   * The soucre location name (e.g. file name).
+   */
+  'location': (string);
+  /**
+   * The character offset.
+   */
+  'offset': (number);
+  /**
+   * The 1-based index of the starting line in the source text
+   * where the issue occurs, or 0 if unknown.
+   */
+  'line': (number);
+  /**
+   * The 0-based index of the starting position within the line of source text
+   * where the issue occurs.  Only meaningful if line is nonzero.
+   */
+  'column': (number);
+}

packages/grpc-js-xds/src/generated/google/api/expr/v1alpha1/Type.ts

@@ -0,0 +1,416 @@
+// Original file: deps/googleapis/google/api/expr/v1alpha1/checked.proto
+
+import type { Empty as _google_protobuf_Empty, Empty__Output as _google_protobuf_Empty__Output } from '../../../../google/protobuf/Empty';
+import type { NullValue as _google_protobuf_NullValue, NullValue__Output as _google_protobuf_NullValue__Output } from '../../../../google/protobuf/NullValue';
+import type { Type as _google_api_expr_v1alpha1_Type, Type__Output as _google_api_expr_v1alpha1_Type__Output } from '../../../../google/api/expr/v1alpha1/Type';
+
+/**
+ * Application defined abstract type.
+ */
+export interface _google_api_expr_v1alpha1_Type_AbstractType {
+  /**
+   * The fully qualified name of this abstract type.
+   */
+  'name'?: (string);
+  /**
+   * Parameter types for this abstract type.
+   */
+  'parameter_types'?: (_google_api_expr_v1alpha1_Type)[];
+}
+
+/**
+ * Application defined abstract type.
+ */
+export interface _google_api_expr_v1alpha1_Type_AbstractType__Output {
+  /**
+   * The fully qualified name of this abstract type.
+   */
+  'name': (string);
+  /**
+   * Parameter types for this abstract type.
+   */
+  'parameter_types': (_google_api_expr_v1alpha1_Type__Output)[];
+}
+
+/**
+ * Function type with result and arg types.
+ */
+export interface _google_api_expr_v1alpha1_Type_FunctionType {
+  /**
+   * Result type of the function.
+   */
+  'result_type'?: (_google_api_expr_v1alpha1_Type | null);
+  /**
+   * Argument types of the function.
+   */
+  'arg_types'?: (_google_api_expr_v1alpha1_Type)[];
+}
+
+/**
+ * Function type with result and arg types.
+ */
+export interface _google_api_expr_v1alpha1_Type_FunctionType__Output {
+  /**
+   * Result type of the function.
+   */
+  'result_type': (_google_api_expr_v1alpha1_Type__Output | null);
+  /**
+   * Argument types of the function.
+   */
+  'arg_types': (_google_api_expr_v1alpha1_Type__Output)[];
+}
+
+/**
+ * List type with typed elements, e.g. `list<example.proto.MyMessage>`.
+ */
+export interface _google_api_expr_v1alpha1_Type_ListType {
+  /**
+   * The element type.
+   */
+  'elem_type'?: (_google_api_expr_v1alpha1_Type | null);
+}
+
+/**
+ * List type with typed elements, e.g. `list<example.proto.MyMessage>`.
+ */
+export interface _google_api_expr_v1alpha1_Type_ListType__Output {
+  /**
+   * The element type.
+   */
+  'elem_type': (_google_api_expr_v1alpha1_Type__Output | null);
+}
+
+/**
+ * Map type with parameterized key and value types, e.g. `map<string, int>`.
+ */
+export interface _google_api_expr_v1alpha1_Type_MapType {
+  /**
+   * The type of the key.
+   */
+  'key_type'?: (_google_api_expr_v1alpha1_Type | null);
+  /**
+   * The type of the value.
+   */
+  'value_type'?: (_google_api_expr_v1alpha1_Type | null);
+}
+
+/**
+ * Map type with parameterized key and value types, e.g. `map<string, int>`.
+ */
+export interface _google_api_expr_v1alpha1_Type_MapType__Output {
+  /**
+   * The type of the key.
+   */
+  'key_type': (_google_api_expr_v1alpha1_Type__Output | null);
+  /**
+   * The type of the value.
+   */
+  'value_type': (_google_api_expr_v1alpha1_Type__Output | null);
+}
+
+// Original file: deps/googleapis/google/api/expr/v1alpha1/checked.proto
+
+/**
+ * CEL primitive types.
+ */
+export const _google_api_expr_v1alpha1_Type_PrimitiveType = {
+  /**
+   * Unspecified type.
+   */
+  PRIMITIVE_TYPE_UNSPECIFIED: 'PRIMITIVE_TYPE_UNSPECIFIED',
+  /**
+   * Boolean type.
+   */
+  BOOL: 'BOOL',
+  /**
+   * Int64 type.
+   * 
+   * Proto-based integer values are widened to int64.
+   */
+  INT64: 'INT64',
+  /**
+   * Uint64 type.
+   * 
+   * Proto-based unsigned integer values are widened to uint64.
+   */
+  UINT64: 'UINT64',
+  /**
+   * Double type.
+   * 
+   * Proto-based float values are widened to double values.
+   */
+  DOUBLE: 'DOUBLE',
+  /**
+   * String type.
+   */
+  STRING: 'STRING',
+  /**
+   * Bytes type.
+   */
+  BYTES: 'BYTES',
+} as const;
+
+/**
+ * CEL primitive types.
+ */
+export type _google_api_expr_v1alpha1_Type_PrimitiveType =
+  /**
+   * Unspecified type.
+   */
+  | 'PRIMITIVE_TYPE_UNSPECIFIED'
+  | 0
+  /**
+   * Boolean type.
+   */
+  | 'BOOL'
+  | 1
+  /**
+   * Int64 type.
+   * 
+   * Proto-based integer values are widened to int64.
+   */
+  | 'INT64'
+  | 2
+  /**
+   * Uint64 type.
+   * 
+   * Proto-based unsigned integer values are widened to uint64.
+   */
+  | 'UINT64'
+  | 3
+  /**
+   * Double type.
+   * 
+   * Proto-based float values are widened to double values.
+   */
+  | 'DOUBLE'
+  | 4
+  /**
+   * String type.
+   */
+  | 'STRING'
+  | 5
+  /**
+   * Bytes type.
+   */
+  | 'BYTES'
+  | 6
+
+/**
+ * CEL primitive types.
+ */
+export type _google_api_expr_v1alpha1_Type_PrimitiveType__Output = typeof _google_api_expr_v1alpha1_Type_PrimitiveType[keyof typeof _google_api_expr_v1alpha1_Type_PrimitiveType]
+
+// Original file: deps/googleapis/google/api/expr/v1alpha1/checked.proto
+
+/**
+ * Well-known protobuf types treated with first-class support in CEL.
+ */
+export const _google_api_expr_v1alpha1_Type_WellKnownType = {
+  /**
+   * Unspecified type.
+   */
+  WELL_KNOWN_TYPE_UNSPECIFIED: 'WELL_KNOWN_TYPE_UNSPECIFIED',
+  /**
+   * Well-known protobuf.Any type.
+   * 
+   * Any types are a polymorphic message type. During type-checking they are
+   * treated like `DYN` types, but at runtime they are resolved to a specific
+   * message type specified at evaluation time.
+   */
+  ANY: 'ANY',
+  /**
+   * Well-known protobuf.Timestamp type, internally referenced as `timestamp`.
+   */
+  TIMESTAMP: 'TIMESTAMP',
+  /**
+   * Well-known protobuf.Duration type, internally referenced as `duration`.
+   */
+  DURATION: 'DURATION',
+} as const;
+
+/**
+ * Well-known protobuf types treated with first-class support in CEL.
+ */
+export type _google_api_expr_v1alpha1_Type_WellKnownType =
+  /**
+   * Unspecified type.
+   */
+  | 'WELL_KNOWN_TYPE_UNSPECIFIED'
+  | 0
+  /**
+   * Well-known protobuf.Any type.
+   * 
+   * Any types are a polymorphic message type. During type-checking they are
+   * treated like `DYN` types, but at runtime they are resolved to a specific
+   * message type specified at evaluation time.
+   */
+  | 'ANY'
+  | 1
+  /**
+   * Well-known protobuf.Timestamp type, internally referenced as `timestamp`.
+   */
+  | 'TIMESTAMP'
+  | 2
+  /**
+   * Well-known protobuf.Duration type, internally referenced as `duration`.
+   */
+  | 'DURATION'
+  | 3
+
+/**
+ * Well-known protobuf types treated with first-class support in CEL.
+ */
+export type _google_api_expr_v1alpha1_Type_WellKnownType__Output = typeof _google_api_expr_v1alpha1_Type_WellKnownType[keyof typeof _google_api_expr_v1alpha1_Type_WellKnownType]
+
+/**
+ * Represents a CEL type.
+ */
+export interface Type {
+  /**
+   * Dynamic type.
+   */
+  'dyn'?: (_google_protobuf_Empty | null);
+  /**
+   * Null value.
+   */
+  'null'?: (_google_protobuf_NullValue);
+  /**
+   * Primitive types: `true`, `1u`, `-2.0`, `'string'`, `b'bytes'`.
+   */
+  'primitive'?: (_google_api_expr_v1alpha1_Type_PrimitiveType);
+  /**
+   * Wrapper of a primitive type, e.g. `google.protobuf.Int64Value`.
+   */
+  'wrapper'?: (_google_api_expr_v1alpha1_Type_PrimitiveType);
+  /**
+   * Well-known protobuf type such as `google.protobuf.Timestamp`.
+   */
+  'well_known'?: (_google_api_expr_v1alpha1_Type_WellKnownType);
+  /**
+   * Parameterized list with elements of `list_type`, e.g. `list<timestamp>`.
+   */
+  'list_type'?: (_google_api_expr_v1alpha1_Type_ListType | null);
+  /**
+   * Parameterized map with typed keys and values.
+   */
+  'map_type'?: (_google_api_expr_v1alpha1_Type_MapType | null);
+  /**
+   * Function type.
+   */
+  'function'?: (_google_api_expr_v1alpha1_Type_FunctionType | null);
+  /**
+   * Protocol buffer message type.
+   * 
+   * The `message_type` string specifies the qualified message type name. For
+   * example, `google.plus.Profile`.
+   */
+  'message_type'?: (string);
+  /**
+   * Type param type.
+   * 
+   * The `type_param` string specifies the type parameter name, e.g. `list<E>`
+   * would be a `list_type` whose element type was a `type_param` type
+   * named `E`.
+   */
+  'type_param'?: (string);
+  /**
+   * Type type.
+   * 
+   * The `type` value specifies the target type. e.g. int is type with a
+   * target type of `Primitive.INT`.
+   */
+  'type'?: (_google_api_expr_v1alpha1_Type | null);
+  /**
+   * Error type.
+   * 
+   * During type-checking if an expression is an error, its type is propagated
+   * as the `ERROR` type. This permits the type-checker to discover other
+   * errors present in the expression.
+   */
+  'error'?: (_google_protobuf_Empty | null);
+  /**
+   * Abstract, application defined type.
+   */
+  'abstract_type'?: (_google_api_expr_v1alpha1_Type_AbstractType | null);
+  /**
+   * The kind of type.
+   */
+  'type_kind'?: "dyn"|"null"|"primitive"|"wrapper"|"well_known"|"list_type"|"map_type"|"function"|"message_type"|"type_param"|"type"|"error"|"abstract_type";
+}
+
+/**
+ * Represents a CEL type.
+ */
+export interface Type__Output {
+  /**
+   * Dynamic type.
+   */
+  'dyn'?: (_google_protobuf_Empty__Output | null);
+  /**
+   * Null value.
+   */
+  'null'?: (_google_protobuf_NullValue__Output);
+  /**
+   * Primitive types: `true`, `1u`, `-2.0`, `'string'`, `b'bytes'`.
+   */
+  'primitive'?: (_google_api_expr_v1alpha1_Type_PrimitiveType__Output);
+  /**
+   * Wrapper of a primitive type, e.g. `google.protobuf.Int64Value`.
+   */
+  'wrapper'?: (_google_api_expr_v1alpha1_Type_PrimitiveType__Output);
+  /**
+   * Well-known protobuf type such as `google.protobuf.Timestamp`.
+   */
+  'well_known'?: (_google_api_expr_v1alpha1_Type_WellKnownType__Output);
+  /**
+   * Parameterized list with elements of `list_type`, e.g. `list<timestamp>`.
+   */
+  'list_type'?: (_google_api_expr_v1alpha1_Type_ListType__Output | null);
+  /**
+   * Parameterized map with typed keys and values.
+   */
+  'map_type'?: (_google_api_expr_v1alpha1_Type_MapType__Output | null);
+  /**
+   * Function type.
+   */
+  'function'?: (_google_api_expr_v1alpha1_Type_FunctionType__Output | null);
+  /**
+   * Protocol buffer message type.
+   * 
+   * The `message_type` string specifies the qualified message type name. For
+   * example, `google.plus.Profile`.
+   */
+  'message_type'?: (string);
+  /**
+   * Type param type.
+   * 
+   * The `type_param` string specifies the type parameter name, e.g. `list<E>`
+   * would be a `list_type` whose element type was a `type_param` type
+   * named `E`.
+   */
+  'type_param'?: (string);
+  /**
+   * Type type.
+   * 
+   * The `type` value specifies the target type. e.g. int is type with a
+   * target type of `Primitive.INT`.
+   */
+  'type'?: (_google_api_expr_v1alpha1_Type__Output | null);
+  /**
+   * Error type.
+   * 
+   * During type-checking if an expression is an error, its type is propagated
+   * as the `ERROR` type. This permits the type-checker to discover other
+   * errors present in the expression.
+   */
+  'error'?: (_google_protobuf_Empty__Output | null);
+  /**
+   * Abstract, application defined type.
+   */
+  'abstract_type'?: (_google_api_expr_v1alpha1_Type_AbstractType__Output | null);
+  /**
+   * The kind of type.
+   */
+  'type_kind'?: "dyn"|"null"|"primitive"|"wrapper"|"well_known"|"list_type"|"map_type"|"function"|"message_type"|"type_param"|"type"|"error"|"abstract_type";
+}

packages/grpc-js-xds/src/generated/google/protobuf/FieldOptions.ts

@@ -50,7 +50,6 @@ export interface FieldOptions {
   'weak'?: (boolean);
   'uninterpretedOption'?: (_google_protobuf_UninterpretedOption)[];
   '.validate.rules'?: (_validate_FieldRules | null);
-  '.udpa.annotations.sensitive'?: (boolean);
   '.envoy.annotations.deprecated_at_minor_version'?: (string);
   '.udpa.annotations.field_migrate'?: (_udpa_annotations_FieldMigrateAnnotation | null);
   '.envoy.annotations.disallowed_by_default'?: (boolean);
@@ -66,7 +65,6 @@ export interface FieldOptions__Output {
   'weak': (boolean);
   'uninterpretedOption': (_google_protobuf_UninterpretedOption__Output)[];
   '.validate.rules': (_validate_FieldRules__Output | null);
-  '.udpa.annotations.sensitive': (boolean);
   '.envoy.annotations.deprecated_at_minor_version': (string);
   '.udpa.annotations.field_migrate': (_udpa_annotations_FieldMigrateAnnotation__Output | null);
   '.envoy.annotations.disallowed_by_default': (boolean);