Dual stack ephemeral IP

[david-crespo]

Closes #9665

Had the robots work on this while I got ready for bed.

API schema diff

Notably this did not require changes to the instance create API, only detach.

--- a/2026012200.0.0-13b2b3/spec.json
+++ b/2026012300.0.0-151f11/spec.json
@@ -7,7 +7,7 @@
       "url": "https://oxide.computer",
       "email": "api@oxide.computer"
     },
-    "version": "2026012200.0.0"
+    "version": "2026012300.0.0"
   },
   "paths": {
     "/device/auth": {
@@ -4602,6 +4602,7 @@
           "instances"
         ],
         "summary": "Detach and deallocate ephemeral IP from instance",
+        "description": "When an instance has both IPv4 and IPv6 ephemeral IPs, the `ip_version` query parameter must be specified to identify which IP to detach.",
         "operationId": "instance_ephemeral_ip_detach",
         "parameters": [
           {
@@ -4615,6 +4616,14 @@
           },
           {
             "in": "query",
+            "name": "ip_version",
+            "description": "The IP version of the ephemeral IP to detach.\n\nRequired when the instance has both IPv4 and IPv6 ephemeral IPs. If only one ephemeral IP is attached, this field may be omitted.",
+            "schema": {
+              "$ref": "#/components/schemas/IpVersion"
+            }
+          },
+          {
+            "in": "query",
             "name": "project",
             "description": "Name or ID of the project",
             "schema": {

[david-crespo]

It would have felt nuts to type all this out by hand but it seems great for the user!

[david-crespo]

Having to do these lookups here and then again during the actual allocation feels like the worst part of this change. I'm looking into what it would take to avoid this by, e.g., resolving the pool here and passing the result into the saga.

[bnaecker]

This all feels kind of susceptible to TOCTTOUs. I don't see a good way around that, with the way we're structuring the DB tables themselves though.

[david-crespo]

I had Claude prototype moving the pool resolution out of the sagas (a not-small +400/-300 change), and it had to touch a lot of parts. It would not be easy to be confident the change is correct. I don't think it's worth doing — we do a bunch more queries inside the saga anyway.

[david-crespo]

Oh also I need to do the whole API schema regen. I left it out so I could use jj diff like a normal person while working on this.

[bnaecker]

Seems good to me. A few vague questions, but shouldn't block integrating this. Thanks for taking this on.

[bnaecker]

This all feels kind of susceptible to TOCTTOUs. I don't see a good way around that, with the way we're structuring the DB tables themselves though.

[david-crespo]

This was initially added to instance_lookup_ephemeral_ip, but that was confusing because that's a lookup function, plus this validation is only relevant when the IP version can be none, which only happens (among calls to instance_lookup_ephemeral_ip) in the detach path. So this logic only needs to happen here. The other paths (instance create and ephemeral IP attach) can also start out without an explicit IP version, but by the time they got to instance_lookup_ephemeral_ip, the IP version has already been resolved.