apple · jglogan · Apr 30, 2026 · Apr 10, 2026 · Apr 20, 2026
diff --git a/Sources/ContainerCommands/Builder/BuilderStart.swift b/Sources/ContainerCommands/Builder/BuilderStart.swift
@@ -272,7 +272,7 @@ extension Application {
             guard let defaultNetwork = try await networkClient.builtin else {
                 throw ContainerizationError(.invalidState, message: "default network is not present")
             }
-            guard case .running(_, _) = defaultNetwork else {
+            guard defaultNetwork.status.phase == "running" else {
                 throw ContainerizationError(.invalidState, message: "default network is not running")
             }
             config.networks = [

diff --git a/Sources/ContainerCommands/Network/NetworkCreate.swift b/Sources/ContainerCommands/Network/NetworkCreate.swift
@@ -74,8 +74,8 @@ extension Application {
                 pluginInfo: NetworkPluginInfo(plugin: self.plugin, variant: self.pluginVariant)
             )
             let networkClient = NetworkClient()
-            let state = try await networkClient.create(configuration: config)
-            print(state.id)
+            let network = try await networkClient.create(configuration: config)
+            print(network.id)
         }
     }
 }
diff --git a/Sources/ContainerCommands/Network/NetworkDelete.swift b/Sources/ContainerCommands/Network/NetworkDelete.swift
@@ -53,7 +53,7 @@ extension Application {
         public mutating func run() async throws {
             let networkClient = NetworkClient()
             let uniqueNetworkNames = Set<String>(networkNames)
-            let networks: [NetworkState]
+            let networks: [NetworkResource]
 
             if all {
                 networks = try await networkClient.list()
@@ -91,7 +91,7 @@ extension Application {
 
             var failed = [String]()
             let _log = log
-            try await withThrowingTaskGroup(of: NetworkState?.self) { group in
+            try await withThrowingTaskGroup(of: NetworkResource?.self) { group in
                 for network in networks {
                     group.addTask {
                         do {

diff --git a/Sources/ContainerCommands/Network/NetworkInspect.swift b/Sources/ContainerCommands/Network/NetworkInspect.swift
@@ -17,7 +17,6 @@
 import ArgumentParser
 import ContainerAPIClient
 import Foundation
-import SwiftProtobuf
 
 extension Application {
     public struct NetworkInspect: AsyncLoggableCommand {
@@ -35,11 +34,7 @@ extension Application {
 
         public func run() async throws {
             let networkClient = NetworkClient()
-            let items = try await networkClient.list().filter {
-                networks.contains($0.id)
-            }.map {
-                PrintableNetwork($0)
-            }
+            let items = try await networkClient.list().filter { networks.contains($0.id) }
             try Output.emit(Output.renderJSON(items))
         }
     }

diff --git a/Sources/ContainerCommands/Network/NetworkList.swift b/Sources/ContainerCommands/Network/NetworkList.swift
@@ -16,10 +16,7 @@
 
 import ArgumentParser
 import ContainerAPIClient
-import ContainerResource
-import ContainerizationExtras
 import Foundation
-import SwiftProtobuf
 
 extension Application {
     public struct NetworkList: AsyncLoggableCommand {
@@ -42,45 +39,7 @@ extension Application {
         public func run() async throws {
             let networkClient = NetworkClient()
             let networks = try await networkClient.list()
-            let items = networks.map { PrintableNetwork($0) }
-            try Output.render(json: items, display: items, format: format, quiet: quiet)
-        }
-    }
-}
-
-extension PrintableNetwork: ListDisplayable {
-    public static var tableHeader: [String] {
-        ["NETWORK", "STATE", "SUBNET"]
-    }
-
-    public var tableRow: [String] {
-        if let status {
-            return [self.id, self.state, status.ipv4Subnet.description]
-        }
-        return [self.id, self.state, "none"]
-    }
-
-    public var quietValue: String {
-        self.id
-    }
-}
-
-public struct PrintableNetwork: Codable, Sendable {
-    let id: String
-    let state: String
-    let config: NetworkConfiguration
-    let status: NetworkStatus?
-
-    public init(_ network: NetworkState) {
-        self.id = network.id
-        self.state = network.state
-        switch network {
-        case .created(let config):
-            self.config = config
-            self.status = nil
-        case .running(let config, let status):
-            self.config = config
-            self.status = status
+            try Output.render(json: networks, display: networks, format: format, quiet: quiet)
         }
     }
 }
diff --git a/Sources/ContainerCommands/Network/NetworkResource+ListDisplayable.swift b/Sources/ContainerCommands/Network/NetworkResource+ListDisplayable.swift
@@ -0,0 +1,31 @@
+//===----------------------------------------------------------------------===//
+// Copyright © 2026 Apple Inc. and the container project authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//===----------------------------------------------------------------------===//
+
+import ContainerResource
+
+extension NetworkResource: ListDisplayable {
+    public static var tableHeader: [String] {
+        ["NETWORK", "STATE", "SUBNET"]
+    }
+
+    public var tableRow: [String] {
+        [id, status.phase, status.ipv4Subnet?.description ?? "none"]
+    }
+
+    public var quietValue: String {
+        id
+    }
+}
diff --git a/Sources/ContainerResource/Network/NetworkConfiguration.swift b/Sources/ContainerResource/Network/NetworkConfiguration.swift
@@ -119,16 +119,8 @@ public struct NetworkConfiguration: Codable, Sendable, Identifiable {
     }
 
     private func validate() throws {
-        guard id.isValidNetworkID() else {
+        guard NetworkResource.nameValid(id) else {
             throw ContainerizationError(.invalidArgument, message: "invalid network ID: \(id)")
         }
     }
 }
-
-extension String {
-    /// Ensure that the network ID has the correct syntax.
-    fileprivate func isValidNetworkID() -> Bool {
-        let pattern = #"^[a-z0-9](?:[a-z0-9._-]{0,61}[a-z0-9])?$"#
-        return self.range(of: pattern, options: .regularExpression) != nil
-    }
-}
diff --git a/Sources/ContainerResource/Network/NetworkResource.swift b/Sources/ContainerResource/Network/NetworkResource.swift
@@ -0,0 +1,116 @@
+//===----------------------------------------------------------------------===//
+// Copyright © 2026 Apple Inc. and the container project authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//===----------------------------------------------------------------------===//
+
+import ContainerizationExtras
+import Foundation
+
+/// A network resource, representing a configured virtual network and its runtime status.
+///
+/// `NetworkResource` conforms to `ManagedResource` and separates the network's
+/// intrinsic configuration from its ephemeral runtime status — following the same
+/// config/status split used by Kubernetes and Docker. `config` is persisted;
+/// `status` reflects what the network plugin reports at runtime.
+///
+/// The JSON encoding uses a single `status` object containing a `phase` field
+/// alongside any runtime-allocated address properties, replacing the prior flat
+/// `state`/`status` pair in the CLI output.
+public struct NetworkResource: ManagedResource {
+    /// The network's configuration — its persistent, intrinsic properties.
+    public let config: NetworkConfiguration
+
+    /// The network's current status, including lifecycle phase and any
+    /// runtime-allocated address properties.
+    public let status: NetworkStatus
+
+    // MARK: ManagedResource
+
+    /// The unique identifier for this network. Identical to ``config/id``.
+    public var id: String { config.id }
+
+    /// The user-assigned name for this network. For networks, name and ID are the same.
+    public var name: String { config.id }
+
+    /// The time at which this network was created.
+    public var creationDate: Date { config.creationDate }
+
+    /// Key-value labels for this network.
+    public var labels: ResourceLabels { config.labels }
+
+    /// Returns `true` for a system-managed network that cannot be deleted by the user.
+    public var isBuiltin: Bool { labels.isBuiltin }
+
+    /// Returns `true` if `name` is a syntactically valid network identifier.
+    ///
+    /// Valid network names are lowercase alphanumeric strings of up to 63
+    /// characters, allowing dots, hyphens, and underscores in interior positions.
+    public static func nameValid(_ name: String) -> Bool {
+        let pattern = #"^[a-z0-9](?:[a-z0-9._-]{0,61}[a-z0-9])?$"#
+        return name.range(of: pattern, options: .regularExpression) != nil
+    }
+
+    // MARK: Initialization
+
+    /// Creates a network resource.
+    ///
+    /// - Parameters:
+    ///   - config: The network's intrinsic configuration.
+    ///   - networkStatus: The plugin-reported runtime status, or `nil` if the
+    ///     network is not yet running.
+    public init(config: NetworkConfiguration, networkStatus: NetworkPluginStatus? = nil) {
+        self.config = config
+        self.status = networkStatus.map { NetworkStatus(running: $0) } ?? .created
+    }
+}
+
+// MARK: - Conversion from NetworkState
+
+extension NetworkResource {
+    /// Creates a network resource from a ``NetworkState``.
+    ///
+    /// Used when translating from the internal plugin-protocol type to the
+    /// public API surface type.
+    public init(_ networkState: NetworkState) {
+        switch networkState {
+        case .created(let config):
+            self.init(config: config)
+        case .running(let config, let status):
+            self.init(config: config, networkStatus: status)
+        }
+    }
+}
+
+// MARK: - Codable
+
+extension NetworkResource {
+    enum CodingKeys: String, CodingKey {
+        case id
+        case config
+        case status
+    }
+
+    public func encode(to encoder: Encoder) throws {
+        var container = encoder.container(keyedBy: CodingKeys.self)
+        try container.encode(id, forKey: .id)
+        try container.encode(config, forKey: .config)
+        try container.encode(status, forKey: .status)
+    }
+
+    public init(from decoder: Decoder) throws {
+        let container = try decoder.container(keyedBy: CodingKeys.self)
+        self.config = try container.decode(NetworkConfiguration.self, forKey: .config)
+        self.status = try container.decode(NetworkStatus.self, forKey: .status)
+    }
+}
diff --git a/Sources/ContainerResource/Network/NetworkState.swift b/Sources/ContainerResource/Network/NetworkState.swift
@@ -17,7 +17,7 @@
 import ContainerizationExtras
 import Foundation
 
-public struct NetworkStatus: Codable, Sendable {
+public struct NetworkPluginStatus: Codable, Sendable {
     /// The address allocated for the network if no subnet was specified at
     /// creation time; otherwise, the subnet from the configuration.
     public let ipv4Subnet: CIDRv4
@@ -83,7 +83,7 @@ public enum NetworkState: Codable, Sendable {
     // The network has been configured.
     case created(NetworkConfiguration)
     // The network is running.
-    case running(NetworkConfiguration, NetworkStatus)
+    case running(NetworkConfiguration, NetworkPluginStatus)
 
     public var state: String {
         switch self {

diff --git a/Sources/ContainerResource/Network/NetworkStatus.swift b/Sources/ContainerResource/Network/NetworkStatus.swift
@@ -0,0 +1,69 @@
+//===----------------------------------------------------------------------===//
+// Copyright © 2026 Apple Inc. and the container project authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//===----------------------------------------------------------------------===//
+
+import ContainerizationExtras
+import Foundation
+
+/// The runtime status of a network resource.
+///
+/// `phase` names the current lifecycle stage; the address fields are present
+/// only when `phase` is `"running"` and are `nil` otherwise. Clients should
+/// treat unrecognised `phase` values as unknown forward-compatible stages rather
+/// than treating them as errors.
+public struct NetworkStatus: Codable, Sendable {
+    /// The current lifecycle phase of the network.
+    ///
+    /// Defined values: `"created"` (configured, plugin not yet active) and
+    /// `"running"` (plugin active, subnet and gateway assigned).
+    public let phase: String
+
+    /// The allocated IPv4 subnet. Present only when `phase` is `"running"`.
+    public let ipv4Subnet: CIDRv4?
+
+    /// The IPv4 gateway address. Present only when `phase` is `"running"`.
+    public let ipv4Gateway: IPv4Address?
+
+    /// The allocated IPv6 subnet. Present only when `phase` is `"running"` and
+    /// the network has IPv6 enabled.
+    public let ipv6Subnet: CIDRv6?
+
+    public init(
+        phase: String,
+        ipv4Subnet: CIDRv4? = nil,
+        ipv4Gateway: IPv4Address? = nil,
+        ipv6Subnet: CIDRv6? = nil
+    ) {
+        self.phase = phase
+        self.ipv4Subnet = ipv4Subnet
+        self.ipv4Gateway = ipv4Gateway
+        self.ipv6Subnet = ipv6Subnet
+    }
+}
+
+extension NetworkStatus {
+    /// The status value for a network that is configured but not yet running.
+    public static let created = NetworkStatus(phase: "created")
+
+    /// Creates a running-phase status from a ``NetworkPluginStatus``.
+    init(running networkStatus: NetworkPluginStatus) {
+        self.init(
+            phase: "running",
+            ipv4Subnet: networkStatus.ipv4Subnet,
+            ipv4Gateway: networkStatus.ipv4Gateway,
+            ipv6Subnet: networkStatus.ipv6Subnet
+        )
+    }
+}