Scenario

You’re on the network security team for a fintech processing millions of card authorizations per day. Services communicate inside a private network, and auditors require that certain directed service pairs must never be allowed (e.g., db -> api). Your job is to generate the smallest set of allow rules without accidentally over-permitting traffic.

Problem

Implement build_minimized_security_rules(flows, required_isolation).

You are given:

• flows: a list of flows, each flow = [src, dst, protocol, start_port, end_port]
• required_isolation: a list of directed forbidden pairs [src, dst] meaning traffic from src to dst is forbidden

Return a minimized list of allow rules by merging port ranges that share the same (src, dst, protocol) and whose port intervals overlap or are adjacent.

Merging rules

Within the same (src, dst, protocol) group, merge intervals [a,b] and [c,d] if c <= b + 1 (overlap or adjacency). The output intervals must be disjoint and represent the same allowed ports as the input.

Validation (must raise ValueError)

Raise ValueError if any flow:

1. Violates isolation: (src, dst) appears in required_isolation
2. Uses an unsupported protocol (anything other than "tcp" or "udp")
3. Has an invalid port range (not integers, out of [0, 65535], or start_port > end_port)

Examples

Example 1

• Input: flows = [["edge","api","tcp",80,80],["edge","api","tcp",81,90],["edge","api","tcp",443,443]], required_isolation = [["db","api"]]
• Output: [["edge","api","tcp",80,90],["edge","api","tcp",443,443]]
• Explanation: [80,80] and [81,90] are adjacent, so they merge.

Example 2

• Input: flows = [["api","db","tcp",5432,5432],["db","api","tcp",5432,5432]], required_isolation = [["db","api"]]
• Output: ValueError
• Explanation: db -> api is explicitly forbidden.

Notes

• Output order does not matter.
• Do not merge across different src, dst, or protocol.