@machinen/runtime 0.1.2 → 0.3.0

package/dist/index.js

@@ -1,23 +1,139 @@
-import {
-  BootError,
-  CacheError,
-  ErrorCode,
-  ExecError,
-  FilesError,
-  GvproxyError,
-  MachinenError,
-  MkinitramfsError,
-  MountError,
-  ParseError,
-  ProvisionError,
-  RegistryError,
-  SandboxError,
-  SecretsError,
-  SnapshotError,
-  WinsizeError,
-  formatMachinenError,
-  isMachinenError
-} from "./chunk-6SP6T537.js";
+// src/errors.ts
+var ErrorCode = {
+  // boot — VM lifecycle, binary lookup, config validation
+  BOOT_VMM_MISSING: "BOOT_VMM_MISSING",
+  BOOT_VMM_PACKAGE_BROKEN: "BOOT_VMM_PACKAGE_BROKEN",
+  BOOT_IMAGE_NOT_FOUND: "BOOT_IMAGE_NOT_FOUND",
+  BOOT_SNAPSHOT_NOT_FOUND: "BOOT_SNAPSHOT_NOT_FOUND",
+  BOOT_KERNEL_NOT_FOUND: "BOOT_KERNEL_NOT_FOUND",
+  BOOT_DTB_NOT_FOUND: "BOOT_DTB_NOT_FOUND",
+  BOOT_CMD_WITHOUT_IMAGE: "BOOT_CMD_WITHOUT_IMAGE",
+  BOOT_CMD_MISSING: "BOOT_CMD_MISSING",
+  BOOT_CWD_INVALID: "BOOT_CWD_INVALID",
+  BOOT_MOUNT_INVALID: "BOOT_MOUNT_INVALID",
+  BOOT_MOUNT_HOST_NOT_FOUND: "BOOT_MOUNT_HOST_NOT_FOUND",
+  BOOT_LIVE_MOUNT_OVERRIDE_UNKNOWN: "BOOT_LIVE_MOUNT_OVERRIDE_UNKNOWN",
+  BOOT_PORT_FORWARD_INVALID: "BOOT_PORT_FORWARD_INVALID",
+  BOOT_PORT_FORWARD_CONFLICT: "BOOT_PORT_FORWARD_CONFLICT",
+  BOOT_PORT_FORWARD_NO_GVPROXY: "BOOT_PORT_FORWARD_NO_GVPROXY",
+  BOOT_PORT_FORWARD_IN_USE: "BOOT_PORT_FORWARD_IN_USE",
+  BOOT_PACK_FAILED: "BOOT_PACK_FAILED",
+  BOOT_TIMEOUT: "BOOT_TIMEOUT",
+  BOOT_DETACHED_READINESS_FAILED: "BOOT_DETACHED_READINESS_FAILED",
+  BOOT_MEMORY_INVALID: "BOOT_MEMORY_INVALID",
+  FORK_MEMORY_BACKPRESSURE: "FORK_MEMORY_BACKPRESSURE",
+  // mountdisk — `--mount` squashfs+ext4 overlay (#272)
+  BOOT_MOUNTDISK_TOOL_MISSING: "BOOT_MOUNTDISK_TOOL_MISSING",
+  // exec — vsock command execution
+  EXEC_VSOCK_UNAVAILABLE: "EXEC_VSOCK_UNAVAILABLE",
+  EXEC_AGENT_UNAVAILABLE: "EXEC_AGENT_UNAVAILABLE",
+  EXEC_AGENT_TIMEOUT: "EXEC_AGENT_TIMEOUT",
+  EXEC_NONZERO_EXIT: "EXEC_NONZERO_EXIT",
+  EXEC_PROTOCOL: "EXEC_PROTOCOL",
+  // snapshot — CRIU-based VM snapshotting
+  SNAPSHOT_NO_DISK: "SNAPSHOT_NO_DISK",
+  SNAPSHOT_DUMP_FAILED: "SNAPSHOT_DUMP_FAILED",
+  SNAPSHOT_TIMEOUT: "SNAPSHOT_TIMEOUT",
+  // provision — image builder
+  PROVISION_BASE_NOT_FOUND: "PROVISION_BASE_NOT_FOUND",
+  PROVISION_KERNEL_NOT_FOUND: "PROVISION_KERNEL_NOT_FOUND",
+  PROVISION_DTB_NOT_FOUND: "PROVISION_DTB_NOT_FOUND",
+  PROVISION_ASSETS_DIR_INVALID: "PROVISION_ASSETS_DIR_INVALID",
+  PROVISION_INSTALL_HOOK_FAILED: "PROVISION_INSTALL_HOOK_FAILED",
+  PROVISION_DISK_TOO_SMALL: "PROVISION_DISK_TOO_SMALL",
+  // rootfs-img — tar→ext4 materializer (#114, #120)
+  ROOTFS_IMG_TOOL_MISSING: "ROOTFS_IMG_TOOL_MISSING",
+  // registry / attach
+  REGISTRY_VM_NOT_FOUND: "REGISTRY_VM_NOT_FOUND",
+  REGISTRY_NAME_IN_USE: "REGISTRY_NAME_IN_USE",
+  // files — vsock push/pull
+  FILES_HOST_DIR_NOT_FOUND: "FILES_HOST_DIR_NOT_FOUND",
+  FILES_AGENT_UNAVAILABLE: "FILES_AGENT_UNAVAILABLE",
+  // mount — live-share (--mount-live, #78). Path containment is the
+  // load-bearing piece: any resolver failure means the guest tried to
+  // reach outside the mounted directory.
+  MOUNT_PATH_INVALID: "MOUNT_PATH_INVALID",
+  MOUNT_PATH_ESCAPE: "MOUNT_PATH_ESCAPE",
+  // secrets — vsock KEY=VALUE injection
+  SECRETS_VALUE_INVALID: "SECRETS_VALUE_INVALID",
+  SECRETS_AGENT_UNAVAILABLE: "SECRETS_AGENT_UNAVAILABLE",
+  // winsize — vsock resize forwarder
+  WINSIZE_AGENT_UNAVAILABLE: "WINSIZE_AGENT_UNAVAILABLE",
+  // multiplex — sandbox registry
+  SANDBOX_ID_DUPLICATE: "SANDBOX_ID_DUPLICATE",
+  SANDBOX_ID_UNKNOWN: "SANDBOX_ID_UNKNOWN",
+  // cache — host-side artifact mirror
+  CACHE_BIND_FAILED: "CACHE_BIND_FAILED",
+  // gvproxy — user-mode network bridge
+  GVPROXY_NOT_FOUND: "GVPROXY_NOT_FOUND",
+  GVPROXY_EXPOSE_FAILED: "GVPROXY_EXPOSE_FAILED",
+  GVPROXY_PORT_IN_USE: "GVPROXY_PORT_IN_USE",
+  GVPROXY_INSTALL_FAILED: "GVPROXY_INSTALL_FAILED",
+  GVPROXY_SPAWN_FAILED: "GVPROXY_SPAWN_FAILED",
+  // mkinitramfs — initramfs packer
+  MKINITRAMFS_BUNDLE_INVALID: "MKINITRAMFS_BUNDLE_INVALID",
+  MKINITRAMFS_WORKSPACE_INVALID: "MKINITRAMFS_WORKSPACE_INVALID",
+  MKINITRAMFS_WORKSPACE_TOO_LARGE: "MKINITRAMFS_WORKSPACE_TOO_LARGE",
+  MKINITRAMFS_BASE_EXTRACT_FAILED: "MKINITRAMFS_BASE_EXTRACT_FAILED",
+  MKINITRAMFS_INIT_MISSING: "MKINITRAMFS_INIT_MISSING",
+  // parse — CLI arg parser
+  PARSE_FLAG_UNKNOWN: "PARSE_FLAG_UNKNOWN",
+  PARSE_FLAG_MISSING_VALUE: "PARSE_FLAG_MISSING_VALUE",
+  PARSE_FLAG_DUPLICATE: "PARSE_FLAG_DUPLICATE",
+  PARSE_FLAG_MALFORMED: "PARSE_FLAG_MALFORMED",
+  PARSE_PORT_INVALID: "PARSE_PORT_INVALID"
+};
+var MachinenError = class extends Error {
+  code;
+  retryable;
+  constructor(code, message, opts = {}) {
+    super(message, { cause: opts.cause });
+    this.code = code;
+    this.retryable = opts.retryable ?? false;
+    this.name = new.target.name;
+  }
+};
+var BootError = class extends MachinenError {
+};
+var ExecError = class extends MachinenError {
+};
+var SnapshotError = class extends MachinenError {
+};
+var ProvisionError = class extends MachinenError {
+};
+var RegistryError = class extends MachinenError {
+};
+var FilesError = class extends MachinenError {
+};
+var MountError = class extends MachinenError {
+};
+var SecretsError = class extends MachinenError {
+};
+var WinsizeError = class extends MachinenError {
+};
+var SandboxError = class extends MachinenError {
+};
+var CacheError = class extends MachinenError {
+};
+var GvproxyError = class extends MachinenError {
+};
+var MkinitramfsError = class extends MachinenError {
+};
+var ParseError = class extends MachinenError {
+};
+function isMachinenError(err, code) {
+  return err instanceof MachinenError && (code === void 0 || err.code === code);
+}
+function formatMachinenError(err) {
+  const lines = [`(${err.code}): ${err.message}`];
+  let cur = err.cause;
+  while (cur !== void 0 && cur !== null) {
+    const msg = cur instanceof Error ? cur.message : String(cur);
+    lines.push(`  caused by: ${msg}`);
+    cur = cur instanceof Error ? cur.cause : void 0;
+  }
+  return lines.join("\n");
+}
 
 // src/multiplex.ts
 var Sandboxes = class {
@@ -877,11 +993,17 @@ async function runOnSocket(socket, cmd, opts) {
           buf = buf.subarray(take);
           awaitingBytes -= take;
           if (payloadTag === "O") {
-            stdoutBufs.push(chunk);
-            opts.onStdout?.(chunk);
+            if (opts.onStdout) {
+              opts.onStdout(chunk);
+            } else {
+              stdoutBufs.push(chunk);
+            }
           } else if (payloadTag === "E") {
-            stderrBufs.push(chunk);
-            opts.onStderr?.(chunk);
+            if (opts.onStderr) {
+              opts.onStderr(chunk);
+            } else {
+              stderrBufs.push(chunk);
+            }
           }
           if (awaitingBytes === 0) {
             payloadTag = null;
@@ -1152,19 +1274,19 @@ function connectOnceWithTimeout(udsPath, timeoutMs) {
 import { execFileSync as execFileSync9 } from "child_process";
 import {
   closeSync as closeSync7,
-  existsSync as existsSync17,
+  existsSync as existsSync16,
   mkdirSync as mkdirSync12,
   mkdtempSync as mkdtempSync8,
   openSync as openSync7,
-  readFileSync as readFileSync11,
-  rmSync as rmSync11,
+  readFileSync as readFileSync10,
+  rmSync as rmSync10,
   statSync as statSync11,
   writeFileSync as writeFileSync9,
   writeSync as writeSync6
 } from "fs";
 import { homedir as homedir8, tmpdir as tmpdir8 } from "os";
-import { dirname as dirname9, join as join16, resolve as resolve9 } from "path";
-import debugLib16 from "debug";
+import { dirname as dirname7, join as join16, resolve as resolve9 } from "path";
+import debugLib15 from "debug";
 
 // src/phase-timer.ts
 var PhaseTimer = class {
@@ -1265,7 +1387,7 @@ function reflinkCopy(src, dst) {
 }
 
 // src/vm/attach.ts
-import debugLib15 from "debug";
+import debugLib14 from "debug";
 
 // src/balloon-stats.ts
 import { readFileSync } from "fs";
@@ -1539,15 +1661,6 @@ function writeEntry(entry) {
   }
   debug2("write pid=%d name=%s sock=%s", entry.pid, entry.name ?? "<unset>", entry.socketPath);
 }
-function patchEntry(pid, patch) {
-  const existing = readEntry(pid);
-  if (!existing) {
-    debug2("patch pid=%d skipped (no entry)", pid);
-    return;
-  }
-  const merged = { ...existing, ...patch, pid: existing.pid };
-  writeEntry(merged);
-}
 function removeEntry(pid) {
   debug2("remove pid=%d", pid);
   const root = registryRoot();
@@ -1816,10 +1929,10 @@ function findEntry(query) {
 }
 
 // src/vm/fork.ts
-import { mkdtempSync as mkdtempSync7, rmSync as rmSync10 } from "fs";
+import { mkdtempSync as mkdtempSync7, rmSync as rmSync9 } from "fs";
 import { tmpdir as tmpdir7 } from "os";
 import { join as join15, resolve as resolve8 } from "path";
-import debugLib14 from "debug";
+import debugLib13 from "debug";
 
 // src/host-mem.ts
 import { execFileSync as execFileSync3 } from "child_process";
@@ -1890,17 +2003,17 @@ import { execFileSync as execFileSync8 } from "child_process";
 import { randomBytes as randomBytes4 } from "crypto";
 import {
   closeSync as closeSync6,
-  existsSync as existsSync16,
+  existsSync as existsSync15,
   openSync as openSync6,
   readdirSync as readdirSync7,
-  readFileSync as readFileSync10,
+  readFileSync as readFileSync9,
   statSync as statSync10,
-  unlinkSync as unlinkSync8,
+  unlinkSync as unlinkSync9,
   writeSync as writeSync5
 } from "fs";
 import { tmpdir as tmpdir6 } from "os";
 import { join as join14, resolve as resolve7 } from "path";
-import debugLib13 from "debug";
+import debugLib12 from "debug";
 
 // src/lazy-pagemap.ts
 import { readdirSync as readdirSync3, readFileSync as readFileSync6, writeFileSync as writeFileSync2 } from "fs";
@@ -2180,21 +2293,21 @@ function skipField(buf, pos, wireType) {
 }
 
 // src/vm/boot.ts
-import { spawn as nodeSpawn4 } from "child_process";
+import { spawn as nodeSpawn3 } from "child_process";
 import { randomBytes as randomBytes3 } from "crypto";
 import { once } from "events";
 import {
   closeSync as closeSync5,
-  existsSync as existsSync15,
+  existsSync as existsSync14,
   mkdtempSync as mkdtempSync6,
   openSync as openSync5,
-  rmSync as rmSync9,
-  unlinkSync as unlinkSync7,
+  rmSync as rmSync8,
+  unlinkSync as unlinkSync8,
   writeSync as writeSync4
 } from "fs";
 import { tmpdir as tmpdir5 } from "os";
 import { join as join13, resolve as resolve6 } from "path";
-import debugLib12 from "debug";
+import debugLib11 from "debug";
 
 // src/detached-log.ts
 import { mkdirSync as mkdirSync3, writeFileSync as writeFileSync3 } from "fs";
@@ -2324,7 +2437,7 @@ import { homedir as homedir3, platform as osPlatform3 } from "os";
 import { dirname as dirname4, join as join5 } from "path";
 import debugLib4 from "debug";
 var debug4 = debugLib4("machinen:pdeathsig");
-var PDEATHSIG_VERSION = "v3";
+var PDEATHSIG_VERSION = "v4";
 var warnedNoCompiler = false;
 var installInFlight = /* @__PURE__ */ new Map();
 var PDEATHSIG_C_SOURCE = `// pdeathsig: tiny exec wrapper that arranges for the target to die
@@ -2519,11 +2632,19 @@ static int run_watch_pid_macos(pid_t watch_pid, char **target) {
     // the default disposition would kill the guard before kqueue
     // delivers the event, leaving the target alive and orphaned to
     // PID 1 \u2014 defeating the whole point of the shim.
+    //
+    // SIGUSR1 is included for the vmstate snapshot trigger: the
+    // runtime signals the wrapped VMM's pid, which on macOS is *this*
+    // shim (the watch loop forks). Blocking + kqueue-ing it lets us
+    // forward it to the VMM instead of dying by the default
+    // disposition. The child unblocks the whole mask before execvp,
+    // so the VMM's own SIGUSR1 handler still fires.
     sigset_t mask;
     sigemptyset(&mask);
     sigaddset(&mask, SIGTERM);
     sigaddset(&mask, SIGINT);
     sigaddset(&mask, SIGHUP);
+    sigaddset(&mask, SIGUSR1);
     sigprocmask(SIG_BLOCK, &mask, NULL);
 
     pid_t child = fork();
@@ -2548,7 +2669,7 @@ static int run_watch_pid_macos(pid_t watch_pid, char **target) {
         return reap_then_exit(child, 127);
     }
 
-    struct kevent changes[5];
+    struct kevent changes[6];
     EV_SET(&changes[0], watch_pid, EVFILT_PROC, EV_ADD | EV_ONESHOT,
            NOTE_EXIT, 0, NULL);
     EV_SET(&changes[1], child, EVFILT_PROC, EV_ADD | EV_ONESHOT,
@@ -2556,7 +2677,8 @@ static int run_watch_pid_macos(pid_t watch_pid, char **target) {
     EV_SET(&changes[2], SIGTERM, EVFILT_SIGNAL, EV_ADD, 0, 0, NULL);
     EV_SET(&changes[3], SIGINT,  EVFILT_SIGNAL, EV_ADD, 0, 0, NULL);
     EV_SET(&changes[4], SIGHUP,  EVFILT_SIGNAL, EV_ADD, 0, 0, NULL);
-    if (kevent(kq, changes, 5, NULL, 0, NULL) == -1) {
+    EV_SET(&changes[5], SIGUSR1, EVFILT_SIGNAL, EV_ADD, 0, 0, NULL);
+    if (kevent(kq, changes, 6, NULL, 0, NULL) == -1) {
         perror("pdeathsig: kevent register");
         kill(child, SIGTERM);
         return reap_then_exit(child, 127);
@@ -2581,6 +2703,13 @@ static int run_watch_pid_macos(pid_t watch_pid, char **target) {
         }
         if (n == 0) continue;
         if (ev.filter == EVFILT_SIGNAL) {
+            if ((int)ev.ident == SIGUSR1) {
+                // Vmstate snapshot trigger. Forward to the VMM and
+                // keep watching \u2014 the VMM dumps its whole-VM state
+                // and resumes the guest; it is NOT a shutdown signal.
+                kill(child, SIGUSR1);
+                continue;
+            }
             // Runtime is signaling us (typical: child.kill('SIGTERM')
             // from the Node side, or Ctrl-C). Forward to the target
             // and reap. Keep the original signal so callers that look
@@ -3155,201 +3284,19 @@ function warnGvproxyMissing() {
   );
 }
 
-// src/mount-server-detached.ts
-import { spawn as nodeSpawn2 } from "child_process";
-import { existsSync as existsSync7, readFileSync as readFileSync7, rmSync as rmSync4 } from "fs";
-import { fileURLToPath } from "url";
-import debugLib6 from "debug";
-var debug6 = debugLib6("machinen:mount-server-detached");
-async function spawnDetachedMountServer(opts) {
-  if (!Number.isInteger(opts.vmmPid) || opts.vmmPid <= 0) {
-    throw new MountError(
-      "MOUNT_SERVER_SPAWN_FAILED",
-      `spawnDetachedMountServer: invalid vmmPid ${opts.vmmPid}`
-    );
-  }
-  const resolved = resolveMountServerCommand();
-  const helperArgs = [
-    ...resolved.args,
-    "--uds",
-    opts.udsPath,
-    "--root",
-    opts.rootAbs,
-    "--mode",
-    opts.mode,
-    "--stats",
-    opts.statsPath
-  ];
-  const pdeathsigBin = await ensurePdeathsig();
-  const wrapped = wrapWithPdeathsig(pdeathsigBin, resolved.command, helperArgs, {
-    watchPid: opts.vmmPid
-  });
-  debug6(
-    "spawn uds=%s root=%s mode=%s vmm=%d shim=%s",
-    opts.udsPath,
-    opts.rootAbs,
-    opts.mode,
-    opts.vmmPid,
-    pdeathsigBin ? "yes" : "no"
-  );
-  const child = nodeSpawn2(wrapped.command, wrapped.args, {
-    stdio: ["ignore", "pipe", "pipe"]
-  });
-  child.unref();
-  child.stderr?.on("data", (chunk) => {
-    debug6("stderr: %s", chunk.toString().trimEnd());
-  });
-  child.stdout?.on("data", () => {
-  });
-  await waitForSocketOrExit(child, opts.udsPath);
-  const pid = child.pid;
-  if (pid === void 0 || pid <= 0) {
-    throw new MountError(
-      "MOUNT_SERVER_SPAWN_FAILED",
-      "spawnDetachedMountServer: helper started but pid is unset"
-    );
-  }
-  return makeHandle(child, pid, wrapped.command, opts);
-}
-function makeHandle(child, pid, exe, opts) {
-  let stopped = false;
-  return {
-    pid,
-    exe,
-    bytesServedOnPagesImg: () => readBytesServed(opts.statsPath),
-    stop: async () => {
-      if (stopped) {
-        return;
-      }
-      stopped = true;
-      if (child.exitCode === null && child.signalCode === null) {
-        try {
-          child.kill("SIGTERM");
-        } catch {
-        }
-      }
-      await waitForExit(child, 5e3);
-      for (const path of [opts.statsPath, opts.udsPath]) {
-        try {
-          rmSync4(path, { force: true });
-        } catch {
-        }
-      }
-    }
-  };
-}
-function readBytesServed(statsPath) {
-  try {
-    const raw = readFileSync7(statsPath, "utf8");
-    const parsed = JSON.parse(raw);
-    if (parsed && typeof parsed === "object" && "bytesServedOnPagesImg" in parsed && typeof parsed.bytesServedOnPagesImg === "number") {
-      return parsed.bytesServedOnPagesImg;
-    }
-    return 0;
-  } catch {
-    return 0;
-  }
-}
-async function waitForExit(child, timeoutMs) {
-  if (child.exitCode !== null || child.signalCode !== null) {
-    return;
-  }
-  await new Promise((resolve10) => {
-    const timer = setTimeout(() => {
-      try {
-        child.kill("SIGKILL");
-      } catch {
-      }
-      resolve10();
-    }, timeoutMs);
-    timer.unref();
-    child.once("exit", () => {
-      clearTimeout(timer);
-      resolve10();
-    });
-  });
-}
-async function waitForSocketOrExit(child, udsPath) {
-  const deadline = Date.now() + 3e3;
-  let earlyExitErr = null;
-  const onExit = (code, signal) => {
-    earlyExitErr = new Error(
-      `mount-server helper exited before socket was ready (code=${code} signal=${signal})`
-    );
-  };
-  child.once("exit", onExit);
-  try {
-    while (Date.now() < deadline) {
-      if (existsSync7(udsPath)) {
-        return;
-      }
-      if (earlyExitErr) {
-        throw earlyExitErr;
-      }
-      await new Promise((r) => setTimeout(r, 25));
-    }
-    if (earlyExitErr) {
-      throw earlyExitErr;
-    }
-    try {
-      child.kill("SIGKILL");
-    } catch {
-    }
-    throw new MountError(
-      "MOUNT_SERVER_SPAWN_FAILED",
-      `mount-server helper did not bind ${udsPath} within 3000ms`
-    );
-  } finally {
-    child.removeListener("exit", onExit);
-  }
-}
-var cachedCommand = null;
-function resolveMountServerCommand() {
-  if (cachedCommand) {
-    return cachedCommand;
-  }
-  const override = process.env.MACHINEN_MOUNT_SERVER_BIN;
-  if (override) {
-    if (!existsSync7(override)) {
-      throw new MountError(
-        "MOUNT_SERVER_BIN_MISSING",
-        `MACHINEN_MOUNT_SERVER_BIN=${override} does not exist`
-      );
-    }
-    cachedCommand = override.endsWith(".ts") ? { command: process.execPath, args: ["--import", "tsx", override] } : { command: process.execPath, args: [override] };
-    return cachedCommand;
-  }
-  const distUrl = new URL("./mount-server-bin.js", import.meta.url);
-  const distPath = fileURLToPath(distUrl);
-  if (existsSync7(distPath)) {
-    cachedCommand = { command: process.execPath, args: [distPath] };
-    return cachedCommand;
-  }
-  const srcUrl = new URL("./mount-server-bin.ts", import.meta.url);
-  const srcPath = fileURLToPath(srcUrl);
-  if (existsSync7(srcPath)) {
-    cachedCommand = { command: process.execPath, args: ["--import", "tsx", srcPath] };
-    return cachedCommand;
-  }
-  throw new MountError(
-    "MOUNT_SERVER_BIN_MISSING",
-    `mount-server bin not found at ${distPath} or ${srcPath}. Run pnpm build, or set MACHINEN_MOUNT_SERVER_BIN to an absolute path.`
-  );
-}
-
 // src/rootfs-img.ts
 import { execFileSync as execFileSync5, spawnSync as spawnSync2 } from "child_process";
 import { createHash } from "crypto";
 import {
   closeSync as closeSync2,
-  existsSync as existsSync8,
+  existsSync as existsSync7,
   fsyncSync as fsyncSync2,
   mkdirSync as mkdirSync6,
   mkdtempSync as mkdtempSync2,
   openSync as openSync2,
   readSync,
   renameSync as renameSync3,
-  rmSync as rmSync5,
+  rmSync as rmSync4,
   statSync as statSync4,
   truncateSync,
   unlinkSync as unlinkSync5,
@@ -3357,9 +3304,9 @@ import {
 } from "fs";
 import { createRequire as createRequire2 } from "module";
 import { arch, homedir as homedir5, platform as platform3 } from "os";
-import { dirname as dirname6, join as join7, resolve } from "path";
-import debugLib7 from "debug";
-var debug7 = debugLib7("machinen:rootfs-img");
+import { join as join7, resolve } from "path";
+import debugLib6 from "debug";
+var debug6 = debugLib6("machinen:rootfs-img");
 function rootfsImgCacheDir() {
   return join7(homedir5(), ".cache", "machinen", "rootfs");
 }
@@ -3367,7 +3314,7 @@ function okMarkerPath(imgPath) {
   return `${imgPath}.ok`;
 }
 function markRootfsImageClean(imgPath) {
-  if (!existsSync8(imgPath)) {
+  if (!existsSync7(imgPath)) {
     return;
   }
   const okPath = okMarkerPath(imgPath);
@@ -3380,7 +3327,7 @@ function markRootfsImageClean(imgPath) {
     fd = -1;
     renameSync3(tmp, okPath);
   } catch (err) {
-    debug7("markRootfsImageClean failed img=%s err=%s", imgPath, err.message);
+    debug6("markRootfsImageClean failed img=%s err=%s", imgPath, err.message);
     if (fd >= 0) {
       try {
         closeSync2(fd);
@@ -3395,7 +3342,7 @@ function markRootfsImageClean(imgPath) {
 }
 function ensureRootfsImage(tarPath, opts = {}) {
   const tarAbs = resolve(tarPath);
-  if (!existsSync8(tarAbs)) {
+  if (!existsSync7(tarAbs)) {
     throw new ProvisionError(
       "PROVISION_BASE_NOT_FOUND",
       `ensureRootfsImage: tarball not found at ${tarAbs}`
@@ -3408,10 +3355,10 @@ function ensureRootfsImage(tarPath, opts = {}) {
   opts.onPhase?.("sha256", Date.now() - shaT0);
   const imgPath = join7(cacheDir, `${sha}.img`);
   const okPath = okMarkerPath(imgPath);
-  if (!opts.force && existsSync8(imgPath)) {
-    debug7("cache hit sha=%s img=%s", sha.slice(0, 12), imgPath);
-    if (!existsSync8(okPath)) {
-      debug7("cache hit but no clean marker, will rematerialize img=%s", imgPath);
+  if (!opts.force && existsSync7(imgPath)) {
+    debug6("cache hit sha=%s img=%s", sha.slice(0, 12), imgPath);
+    if (!existsSync7(okPath)) {
+      debug6("cache hit but no clean marker, will rematerialize img=%s", imgPath);
     } else {
       try {
         unlinkSync5(okPath);
@@ -3427,21 +3374,21 @@ function ensureRootfsImage(tarPath, opts = {}) {
             const cur = statSync4(imgPath).size;
             if (opts.sizeBytes > cur) {
               truncateSync(imgPath, opts.sizeBytes);
-              debug7("cache hit grew img=%s from=%d to=%d", imgPath, cur, opts.sizeBytes);
+              debug6("cache hit grew img=%s from=%d to=%d", imgPath, cur, opts.sizeBytes);
             }
           } catch (err) {
-            debug7("cache hit grow failed img=%s err=%s", imgPath, err.message);
+            debug6("cache hit grow failed img=%s err=%s", imgPath, err.message);
           }
           opts.onPhase?.("sparse-extend", Date.now() - truncT0);
         }
         return imgPath;
       }
-      debug7("cache hit unusable, will rematerialize img=%s", imgPath);
+      debug6("cache hit unusable, will rematerialize img=%s", imgPath);
     }
   }
   if (!opts.force) {
     const sibling = siblingPrebakePath(tarAbs);
-    if (sibling && existsSync8(sibling)) {
+    if (sibling && existsSync7(sibling)) {
       const prebakeT0 = Date.now();
       const fast = tryPrebakeFromSibling({
         sibling,
@@ -3469,7 +3416,7 @@ function ensureRootfsImage(tarPath, opts = {}) {
   const stagingImg = join7(stagingDir, "rootfs.img");
   mkdirSync6(stagingTree, { recursive: true });
   try {
-    debug7("materialize sha=%s tar=%s", sha.slice(0, 12), tarAbs);
+    debug6("materialize sha=%s tar=%s", sha.slice(0, 12), tarAbs);
     const extractT0 = Date.now();
     extractTarball(tarAbs, stagingTree);
     opts.onPhase?.("tar-extract", Date.now() - extractT0);
@@ -3477,7 +3424,7 @@ function ensureRootfsImage(tarPath, opts = {}) {
     const multiplier = opts.sizeMultiplier ?? 2.5;
     const minBytes = opts.minSizeBytes ?? 2 * 1024 * 1024 * 1024;
     const sizeBytes = opts.sizeBytes ?? Math.max(minBytes, Math.ceil(treeBytes * multiplier));
-    debug7(
+    debug6(
       "size tree=%d size=%d multiplier=%s explicit=%s",
       treeBytes,
       sizeBytes,
@@ -3500,11 +3447,11 @@ function ensureRootfsImage(tarPath, opts = {}) {
       );
     }
     renameSync3(stagingImg, imgPath);
-    debug7("materialize done sha=%s img=%s sizeBytes=%d", sha.slice(0, 12), imgPath, sizeBytes);
+    debug6("materialize done sha=%s img=%s sizeBytes=%d", sha.slice(0, 12), imgPath, sizeBytes);
     return imgPath;
   } finally {
     try {
-      rmSync5(stagingDir, { recursive: true, force: true });
+      rmSync4(stagingDir, { recursive: true, force: true });
     } catch {
     }
   }
@@ -3515,7 +3462,7 @@ function cachedImageIsUsable(imgPath) {
   }
   const e2fsck = whichFirst(["e2fsck"]);
   if (!e2fsck) {
-    debug7("no e2fsck on PATH; trusting cached img=%s", imgPath);
+    debug6("no e2fsck on PATH; trusting cached img=%s", imgPath);
     return true;
   }
   const r = spawnSync2(e2fsck, ["-fy", imgPath], {
@@ -3524,7 +3471,7 @@ function cachedImageIsUsable(imgPath) {
   if (r.status === 0 || r.status === 1 || r.status === 2) {
     return true;
   }
-  debug7(
+  debug6(
     "e2fsck rejected img=%s status=%s stderr=%s",
     imgPath,
     r.status,
@@ -3595,7 +3542,7 @@ function findKegOnlyE2fs(names, dirs = KEG_ONLY_E2FS_DIRS) {
   for (const dir of dirs) {
     for (const name of names) {
       const candidate = join7(dir, name);
-      if (existsSync8(candidate)) {
+      if (existsSync7(candidate)) {
         return candidate;
       }
     }
@@ -3607,8 +3554,8 @@ function resolveMke2fsEnvOverride() {
   if (!envOverride) {
     return void 0;
   }
-  if (existsSync8(envOverride)) {
-    debug7("resolved via MACHINEN_MKE2FS=%s", envOverride);
+  if (existsSync7(envOverride)) {
+    debug6("resolved via MACHINEN_MKE2FS=%s", envOverride);
     return envOverride;
   }
   throw new ProvisionError(
@@ -3618,12 +3565,11 @@ function resolveMke2fsEnvOverride() {
 }
 var require_2 = createRequire2(import.meta.url);
 function findBundledMke2fs() {
-  const pkg = `@machinen/e2fsprogs-${arch()}-${platform3()}`;
+  const pkg = `@machinen/native-${arch()}-${platform3()}`;
   try {
-    const pkgJson = require_2.resolve(`${pkg}/package.json`);
-    const candidate = join7(dirname6(pkgJson), "bin", "mke2fs");
-    if (existsSync8(candidate)) {
-      return candidate;
+    const mod = require_2(pkg);
+    if (mod.mke2fs && existsSync7(mod.mke2fs)) {
+      return mod.mke2fs;
     }
   } catch {
   }
@@ -3652,7 +3598,7 @@ function tryPrebakeFromSibling(args) {
   const stagingDir = mkdtempSync2(join7(cacheDir, `${sha.slice(0, 12)}-prebake-`));
   const stagingImg = join7(stagingDir, "rootfs.img");
   try {
-    debug7("prebake try sibling=%s sha=%s", sibling, sha.slice(0, 12));
+    debug6("prebake try sibling=%s sha=%s", sibling, sha.slice(0, 12));
     const dstFd = openSync2(stagingImg, "w");
     let gunzipOk = false;
     try {
@@ -3661,7 +3607,7 @@ function tryPrebakeFromSibling(args) {
       });
       gunzipOk = r.status === 0;
       if (!gunzipOk) {
-        debug7(
+        debug6(
           "prebake gunzip failed sibling=%s status=%s stderr=%s",
           sibling,
           r.status,
@@ -3675,7 +3621,7 @@ function tryPrebakeFromSibling(args) {
       return void 0;
     }
     if (!looksLikeExt4(stagingImg)) {
-      debug7("prebake sibling did not yield an ext4 image \u2014 falling back");
+      debug6("prebake sibling did not yield an ext4 image \u2014 falling back");
       return void 0;
     }
     if (sizeBytes !== void 0) {
@@ -3685,14 +3631,14 @@ function tryPrebakeFromSibling(args) {
       }
     }
     renameSync3(stagingImg, imgPath);
-    debug7("prebake done sha=%s img=%s", sha.slice(0, 12), imgPath);
+    debug6("prebake done sha=%s img=%s", sha.slice(0, 12), imgPath);
     return imgPath;
   } catch (err) {
-    debug7("prebake error sibling=%s err=%s", sibling, err.message);
+    debug6("prebake error sibling=%s err=%s", sibling, err.message);
     return void 0;
   } finally {
     try {
-      rmSync5(stagingDir, { recursive: true, force: true });
+      rmSync4(stagingDir, { recursive: true, force: true });
     } catch {
     }
   }
@@ -3727,7 +3673,7 @@ function prebakeRootfsImageFromTree(args) {
   try {
     const mke2fs = resolveMke2fs();
     if (!mke2fs) {
-      debug7("prebake skip: no mke2fs available");
+      debug6("prebake skip: no mke2fs available");
       return;
     }
     mkdirSync6(cacheDir, { recursive: true });
@@ -3735,8 +3681,8 @@ function prebakeRootfsImageFromTree(args) {
     const sha = sha256OfFile(tarPath);
     onPhase?.("prebake.sha256", Date.now() - shaT0);
     const imgPath = join7(cacheDir, `${sha}.img`);
-    if (existsSync8(imgPath)) {
-      debug7("prebake skip: cache already populated sha=%s", sha.slice(0, 12));
+    if (existsSync7(imgPath)) {
+      debug6("prebake skip: cache already populated sha=%s", sha.slice(0, 12));
       return;
     }
     const stagingDir = mkdtempSync2(join7(cacheDir, `${sha.slice(0, 12)}-prebake-tree-`));
@@ -3754,7 +3700,7 @@ function prebakeRootfsImageFromTree(args) {
       );
       onPhase?.("prebake.mke2fs", Date.now() - mkT0);
       if (mk.status !== 0) {
-        debug7(
+        debug6(
           "prebake mke2fs failed status=%s stderr=%s",
           mk.status,
           mk.stderr?.toString().slice(0, 200) ?? ""
@@ -3763,21 +3709,21 @@ function prebakeRootfsImageFromTree(args) {
       }
       renameSync3(stagingImg, imgPath);
       markRootfsImageClean(imgPath);
-      debug7("prebake emitted cache=%s sizeBytes=%d", imgPath, sizeBytes);
+      debug6("prebake emitted cache=%s sizeBytes=%d", imgPath, sizeBytes);
     } finally {
       try {
-        rmSync5(stagingDir, { recursive: true, force: true });
+        rmSync4(stagingDir, { recursive: true, force: true });
       } catch {
       }
     }
   } catch (err) {
-    debug7("prebake error err=%s", err.message);
+    debug6("prebake error err=%s", err.message);
   }
 }
 
 // src/vm/bundle.ts
 import { randomBytes as randomBytes2 } from "crypto";
-import { existsSync as existsSync13, mkdirSync as mkdirSync10, mkdtempSync as mkdtempSync5, rmSync as rmSync8, statSync as statSync8, writeFileSync as writeFileSync7 } from "fs";
+import { existsSync as existsSync12, mkdirSync as mkdirSync10, mkdtempSync as mkdtempSync5, rmSync as rmSync7, statSync as statSync8, writeFileSync as writeFileSync7 } from "fs";
 import { tmpdir as tmpdir4 } from "os";
 import { join as join11, resolve as resolve4 } from "path";
 
@@ -3785,24 +3731,24 @@ import { join as join11, resolve as resolve4 } from "path";
 import { spawnSync as spawnSync3 } from "child_process";
 import {
   cpSync,
-  existsSync as existsSync9,
+  existsSync as existsSync8,
   lstatSync,
   mkdirSync as mkdirSync7,
   mkdtempSync as mkdtempSync3,
   readdirSync as readdirSync4,
-  readFileSync as readFileSync8,
+  readFileSync as readFileSync7,
   readlinkSync as readlinkSync2,
-  rmSync as rmSync6,
+  rmSync as rmSync5,
   statSync as statSync5,
   writeFileSync as writeFileSync5
 } from "fs";
 import { createRequire as createRequire3 } from "module";
 import { arch as osArch2, platform as osPlatform5, tmpdir as tmpdir2 } from "os";
-import { dirname as dirname7, join as join8 } from "path";
-import { fileURLToPath as fileURLToPath2 } from "url";
-import debugLib8 from "debug";
+import { dirname as dirname6, join as join8 } from "path";
+import { fileURLToPath } from "url";
+import debugLib7 from "debug";
 var require_3 = createRequire3(import.meta.url);
-var debug8 = debugLib8("machinen:mkinitramfs");
+var debug7 = debugLib7("machinen:mkinitramfs");
 var DEFAULT_WORKSPACE_EXCLUDES = /* @__PURE__ */ new Set([
   ".git",
   "node_modules",
@@ -3862,7 +3808,7 @@ function newc(name, mode, opts = {}) {
   return out;
 }
 function loadExcludes(path) {
-  const raw = readFileSync8(path, "utf8");
+  const raw = readFileSync7(path, "utf8");
   const out = [];
   for (const line of raw.split("\n")) {
     const stripped = line.split("#", 1)[0].trim();
@@ -3955,7 +3901,7 @@ function* walkRootfs(root, rel, excludes, counts) {
       yield newc(childRel, 16384 | m & 4095);
       yield* walkRootfs(root, childRel, excludes, counts);
     } else if (st.isFile()) {
-      yield newc(childRel, 32768 | m & 4095, { data: readFileSync8(childFull) });
+      yield newc(childRel, 32768 | m & 4095, { data: readFileSync7(childFull) });
     }
   }
 }
@@ -3992,7 +3938,7 @@ function* walkWorkspace(root, rel, mountpoint, excludes, counts) {
       yield newc(arcName, 16384 | m & 4095);
       yield* walkWorkspace(root, childRel, mountpoint, excludes, counts);
     } else if (st.isFile()) {
-      const data = readFileSync8(childFull);
+      const data = readFileSync7(childFull);
       counts.bytes += data.length;
       yield newc(arcName, 32768 | m & 4095, { data });
     }
@@ -4009,7 +3955,7 @@ function packBundle(opts) {
     throw new MkinitramfsError("MKINITRAMFS_BUNDLE_INVALID", `--bundle: missing ${cfgPath}`);
   }
   const needsMerge = Boolean(opts.base) || Boolean(opts.mount);
-  debug8(
+  debug7(
     "packBundle bundle=%s out=%s base=%s mount=%s needsMerge=%s",
     opts.bundle,
     opts.out,
@@ -4025,13 +3971,13 @@ function packBundle(opts) {
       const extractT0 = Date.now();
       const res = spawnSync3("tar", ["-xzf", opts.base, "-C", mergeTmp]);
       if (res.status !== 0) {
-        rmSync6(mergeTmp, { recursive: true, force: true });
+        rmSync5(mergeTmp, { recursive: true, force: true });
         throw new MkinitramfsError(
           "MKINITRAMFS_BASE_EXTRACT_FAILED",
           `tar -xzf ${opts.base} failed: ${res.stderr?.toString() ?? ""}`
         );
       }
-      debug8("base extracted elapsed=%dms", Date.now() - extractT0);
+      debug7("base extracted elapsed=%dms", Date.now() - extractT0);
     }
     if (opts.mount) {
       overlayMount(mergeTmp, opts.mount.host, opts.mount.guest);
@@ -4051,8 +3997,7 @@ function packBundle(opts) {
     }
     appendFinalEntries(parts, {
       initPath: opts.initPath ?? defaultInitPath(),
-      config: patchConfigEnv(readFileSync8(cfgPath), opts.env),
-      fuseAgentPath: opts.fuseAgentPath,
+      config: patchConfigEnv(readFileSync7(cfgPath), opts.env),
       // Always inject the fresh /init AFTER walking the rootfs.
       // `provision()` flows feed the previous run's frozen rootfs back
       // in as `base`, and that capture has /init at root. The walked
@@ -4073,7 +4018,7 @@ function packBundle(opts) {
       execAgentPath: opts.execAgentPath ?? defaultExecAgentPath()
     });
     writeFileSync5(opts.out, Buffer.concat(parts));
-    debug8(
+    debug7(
       "packBundle done files=%d bytes=%d elapsed=%dms",
       counts.files,
       counts.bytes,
@@ -4081,7 +4026,7 @@ function packBundle(opts) {
     );
   } finally {
     if (mergeTmp) {
-      rmSync6(mergeTmp, { recursive: true, force: true });
+      rmSync5(mergeTmp, { recursive: true, force: true });
     }
   }
 }
@@ -4097,7 +4042,7 @@ function patchConfigEnv(config, env) {
 function overlayMount(mergeRoot, hostAbs, guest) {
   const rel = guest.replace(/^\/+/, "");
   const dst = join8(mergeRoot, rel);
-  mkdirSync7(dirname7(dst), { recursive: true });
+  mkdirSync7(dirname6(dst), { recursive: true });
   cpSync(hostAbs, dst, {
     recursive: true,
     force: true,
@@ -4114,13 +4059,12 @@ function packTinyBundle(opts) {
   parts.push(newc(".", 16877));
   appendFinalEntries(parts, {
     initPath: opts.initPath ?? defaultInitPath(),
-    config: patchConfigEnv(readFileSync8(cfgPath), opts.env),
-    fuseAgentPath: opts.fuseAgentPath,
+    config: patchConfigEnv(readFileSync7(cfgPath), opts.env),
     injectInit: true,
     mountGuest: opts.mountGuest
   });
   writeFileSync5(opts.out, Buffer.concat(parts));
-  debug8("packTinyBundle done elapsed=%dms", Date.now() - t0);
+  debug7("packTinyBundle done elapsed=%dms", Date.now() - t0);
 }
 function packRootfs(opts) {
   const counts = { files: 0, bytes: 0 };
@@ -4130,7 +4074,7 @@ function packRootfs(opts) {
   }
   appendFinalEntries(parts, {
     initPath: opts.initPath ?? defaultInitPath(),
-    config: opts.config ? readFileSync8(opts.config) : void 0,
+    config: opts.config ? readFileSync7(opts.config) : void 0,
     injectInit: true
   });
   writeFileSync5(opts.out, Buffer.concat(parts));
@@ -4140,11 +4084,11 @@ function packMinimal(opts) {
   const parts = [
     newc(".", 16877),
     newc("dev", 16877),
-    newc("init", 33261, { data: readFileSync8(initPath) })
+    newc("init", 33261, { data: readFileSync7(initPath) })
   ];
   appendFinalEntries(parts, {
     initPath,
-    config: opts.config ? readFileSync8(opts.config) : void 0,
+    config: opts.config ? readFileSync7(opts.config) : void 0,
     injectInit: true
   });
   writeFileSync5(opts.out, Buffer.concat(parts));
@@ -4180,7 +4124,7 @@ function appendFinalEntries(parts, opts) {
   if (opts.injectInit) {
     let initBytes = null;
     try {
-      initBytes = readFileSync8(opts.initPath);
+      initBytes = readFileSync7(opts.initPath);
     } catch (err) {
       if (process.env.MACHINEN_REQUIRE_FIXTURES !== "0") {
         throw new MkinitramfsError(
@@ -4196,18 +4140,11 @@ function appendFinalEntries(parts, opts) {
   }
   if (opts.execAgentPath) {
     try {
-      const bytes = readFileSync8(opts.execAgentPath);
+      const bytes = readFileSync7(opts.execAgentPath);
       parts.push(newc("exec-agent", 33261, { data: bytes }));
     } catch {
     }
   }
-  if (opts.fuseAgentPath) {
-    try {
-      const bytes = readFileSync8(opts.fuseAgentPath);
-      parts.push(newc("fuse-agent", 33261, { data: bytes }));
-    } catch {
-    }
-  }
   if (opts.config) {
     parts.push(newc("machinen-config.json", 33188, { data: opts.config }));
   }
@@ -4234,24 +4171,22 @@ function resolveGuestPaths() {
   if (cachedGuestPaths) {
     return cachedGuestPaths;
   }
-  const pkgName = `@machinen/vmm-${osArch2()}-${osPlatform5()}`;
+  const pkgName = `@machinen/native-${osArch2()}-${osPlatform5()}`;
   try {
     const mod = require_3(pkgName);
-    if (mod.initPath && mod.fuseAgentPath && mod.execAgentPath && existsSync9(mod.initPath)) {
+    if (mod.initPath && mod.execAgentPath && existsSync8(mod.initPath)) {
       cachedGuestPaths = {
         initPath: mod.initPath,
-        fuseAgentPath: mod.fuseAgentPath,
         execAgentPath: mod.execAgentPath
       };
       return cachedGuestPaths;
     }
   } catch {
   }
-  const here = dirname7(fileURLToPath2(import.meta.url));
+  const here = dirname6(fileURLToPath(import.meta.url));
   const fixtures = join8(here, "..", "..", "microvm", "test-fixtures");
   cachedGuestPaths = {
     initPath: join8(fixtures, "init"),
-    fuseAgentPath: join8(fixtures, "fuse-agent"),
     execAgentPath: join8(fixtures, "exec-agent")
   };
   return cachedGuestPaths;
@@ -4259,9 +4194,6 @@ function resolveGuestPaths() {
 function defaultInitPath() {
   return resolveGuestPaths().initPath;
 }
-function defaultFuseAgentPath() {
-  return resolveGuestPaths().fuseAgentPath;
-}
 function defaultExecAgentPath() {
   return resolveGuestPaths().execAgentPath;
 }
@@ -4357,7 +4289,7 @@ function takeFlag(args, flag) {
   return value;
 }
 function defaultOut() {
-  const here = dirname7(fileURLToPath2(import.meta.url));
+  const here = dirname6(fileURLToPath(import.meta.url));
   return join8(here, "..", "..", "microvm", "test-fixtures", "initramfs.cpio");
 }
 function die(msg) {
@@ -4370,7 +4302,7 @@ import { execFileSync as execFileSync6, spawnSync as spawnSync4 } from "child_pr
 import { createHash as createHash2 } from "crypto";
 import {
   closeSync as closeSync3,
-  existsSync as existsSync10,
+  existsSync as existsSync9,
   fsyncSync as fsyncSync3,
   mkdirSync as mkdirSync8,
   mkdtempSync as mkdtempSync4,
@@ -4379,7 +4311,7 @@ import {
   readdirSync as readdirSync5,
   readlinkSync as readlinkSync3,
   renameSync as renameSync4,
-  rmSync as rmSync7,
+  rmSync as rmSync6,
   statSync as statSync6,
   truncateSync as truncateSync2,
   unlinkSync as unlinkSync6,
@@ -4388,9 +4320,9 @@ import {
 } from "fs";
 import { createRequire as createRequire4 } from "module";
 import { arch as arch2, homedir as homedir6, platform as platform4, tmpdir as tmpdir3 } from "os";
-import { dirname as dirname8, join as join9, resolve as resolve2 } from "path";
-import debugLib9 from "debug";
-var debug9 = debugLib9("machinen:mountdisk-img");
+import { join as join9, resolve as resolve2 } from "path";
+import debugLib8 from "debug";
+var debug8 = debugLib8("machinen:mountdisk-img");
 function mountdiskImgCacheDir() {
   return join9(homedir6(), ".cache", "machinen", "mountdisk");
 }
@@ -4398,7 +4330,7 @@ function okMarkerPath2(imgPath) {
   return `${imgPath}.ok`;
 }
 function markMountDiskImageClean(imgPath) {
-  if (!existsSync10(imgPath)) {
+  if (!existsSync9(imgPath)) {
     return;
   }
   const okPath = okMarkerPath2(imgPath);
@@ -4411,7 +4343,7 @@ function markMountDiskImageClean(imgPath) {
     fd = -1;
     renameSync4(tmp, okPath);
   } catch (err) {
-    debug9("markMountDiskImageClean failed img=%s err=%s", imgPath, err.message);
+    debug8("markMountDiskImageClean failed img=%s err=%s", imgPath, err.message);
     if (fd >= 0) {
       try {
         closeSync3(fd);
@@ -4426,7 +4358,7 @@ function markMountDiskImageClean(imgPath) {
 }
 function ensureMountDiskImage(hostAbs, opts = {}) {
   const hostResolved = resolve2(hostAbs);
-  if (!existsSync10(hostResolved)) {
+  if (!existsSync9(hostResolved)) {
     throw new BootError(
       "BOOT_MOUNT_HOST_NOT_FOUND",
       `ensureMountDiskImage: host directory not found at ${hostResolved}`
@@ -4445,10 +4377,10 @@ function ensureMountDiskImage(hostAbs, opts = {}) {
   opts.onPhase?.("manifest-hash", Date.now() - hashT0);
   const imgPath = join9(cacheDir, `${key}.sqfs`);
   const okPath = okMarkerPath2(imgPath);
-  if (!opts.force && existsSync10(imgPath)) {
-    debug9("cache hit key=%s img=%s", key.slice(0, 12), imgPath);
-    if (!existsSync10(okPath)) {
-      debug9("cache hit but no clean marker \u2014 rematerialising img=%s", imgPath);
+  if (!opts.force && existsSync9(imgPath)) {
+    debug8("cache hit key=%s img=%s", key.slice(0, 12), imgPath);
+    if (!existsSync9(okPath)) {
+      debug8("cache hit but no clean marker \u2014 rematerialising img=%s", imgPath);
     } else {
       try {
         unlinkSync6(okPath);
@@ -4467,7 +4399,7 @@ function ensureMountDiskImage(hostAbs, opts = {}) {
   const stagingDir = mkdtempSync4(join9(cacheDir, `${key.slice(0, 12)}-staging-`));
   const stagingImg = join9(stagingDir, "lower.sqfs");
   try {
-    debug9("materialize key=%s host=%s", key.slice(0, 12), hostResolved);
+    debug8("materialize key=%s host=%s", key.slice(0, 12), hostResolved);
     const mkT0 = Date.now();
     const args = [
       hostResolved,
@@ -4504,11 +4436,11 @@ function ensureMountDiskImage(hostAbs, opts = {}) {
     padTo512Boundary(stagingImg);
     renameSync4(stagingImg, imgPath);
     opts.onPhase?.("staging-rename", Date.now() - renameT0);
-    debug9("materialize done key=%s img=%s", key.slice(0, 12), imgPath);
+    debug8("materialize done key=%s img=%s", key.slice(0, 12), imgPath);
     return { lowerPath: imgPath, key };
   } finally {
     try {
-      rmSync7(stagingDir, { recursive: true, force: true });
+      rmSync6(stagingDir, { recursive: true, force: true });
     } catch {
     }
   }
@@ -4554,8 +4486,8 @@ function resolveMksquashfsEnvOverride() {
   if (!envOverride) {
     return void 0;
   }
-  if (existsSync10(envOverride)) {
-    debug9("resolved via MACHINEN_MKSQUASHFS=%s", envOverride);
+  if (existsSync9(envOverride)) {
+    debug8("resolved via MACHINEN_MKSQUASHFS=%s", envOverride);
     return envOverride;
   }
   throw new BootError(
@@ -4565,12 +4497,11 @@ function resolveMksquashfsEnvOverride() {
 }
 var require_4 = createRequire4(import.meta.url);
 function findBundledMksquashfs() {
-  const pkg = `@machinen/squashfs-tools-${arch2()}-${platform4()}`;
+  const pkg = `@machinen/native-${arch2()}-${platform4()}`;
   try {
-    const pkgJson = require_4.resolve(`${pkg}/package.json`);
-    const candidate = join9(dirname8(pkgJson), "bin", "mksquashfs");
-    if (existsSync10(candidate)) {
-      return candidate;
+    const mod = require_4(pkg);
+    if (mod.mksquashfs && existsSync9(mod.mksquashfs)) {
+      return mod.mksquashfs;
     }
   } catch {
   }
@@ -4587,7 +4518,7 @@ var KEG_ONLY_DIRS = [
 function findKegOnlyMksquashfs() {
   for (const dir of KEG_ONLY_DIRS) {
     const candidate = join9(dir, "mksquashfs");
-    if (existsSync10(candidate)) {
+    if (existsSync9(candidate)) {
       return candidate;
     }
   }
@@ -4697,12 +4628,12 @@ function randomSuffix() {
 
 // src/vm/helpers.ts
 import { randomBytes } from "crypto";
-import { closeSync as closeSync4, existsSync as existsSync11, openSync as openSync4, writeSync as writeSync3 } from "fs";
+import { closeSync as closeSync4, existsSync as existsSync10, openSync as openSync4, writeSync as writeSync3 } from "fs";
 import { createRequire as createRequire5 } from "module";
 import { arch as osArch3, platform as osPlatform6, totalmem as totalmem2 } from "os";
 import { resolve as resolve3 } from "path";
-import debugLib10 from "debug";
-var debug10 = debugLib10("machinen:boot");
+import debugLib9 from "debug";
+var debug9 = debugLib9("machinen:boot");
 var require_5 = createRequire5(import.meta.url);
 var SNAP_SCRATCH_BYTES = 8 * 1024 * 1024 * 1024;
 function allocateSparseFile3(path, sizeBytes) {
@@ -4740,7 +4671,7 @@ function resolveVmmBinary() {
   const envOverride = process.env.MACHINEN_VMM;
   if (envOverride) {
     const abs = resolve3(envOverride);
-    if (!existsSync11(abs)) {
+    if (!existsSync10(abs)) {
       throw new BootError(
         "BOOT_VMM_MISSING",
         `MACHINEN_VMM is set to ${envOverride}, but that file does not exist.`
@@ -4749,13 +4680,13 @@ function resolveVmmBinary() {
     return abs;
   }
   const key = `${osArch3()}-${osPlatform6()}`;
-  const pkgName = `@machinen/vmm-${key}`;
+  const pkgName = `@machinen/native-${key}`;
   try {
     const mod = require_5(pkgName);
-    if (!mod.binary || !existsSync11(mod.binary)) {
+    if (!mod.binary || !existsSync10(mod.binary)) {
       throw new BootError(
         "BOOT_VMM_PACKAGE_BROKEN",
-        `${pkgName} is installed but its binary is missing at ${mod.binary}.`
+        `${pkgName} is installed but its VMM binary is missing at ${mod.binary}.`
       );
     }
     return mod.binary;
@@ -4911,7 +4842,7 @@ function buildGuestHostname(pid, name) {
 }
 async function setGuestHostname(vm, hostname) {
   if (hostname.length === 0 || hostname.includes("'") || hostname.includes("\n") || hostname.includes("\0")) {
-    debug10("setGuestHostname: refusing unsafe hostname %j", hostname);
+    debug9("setGuestHostname: refusing unsafe hostname %j", hostname);
     return;
   }
   try {
@@ -4919,9 +4850,9 @@ async function setGuestHostname(vm, hostname) {
       connectTimeoutMs: 5e3,
       execTimeoutMs: 5e3
     });
-    debug10("setGuestHostname: set pid=%d hostname=%s", vm.pid, hostname);
+    debug9("setGuestHostname: set pid=%d hostname=%s", vm.pid, hostname);
   } catch (err) {
-    debug10(
+    debug9(
       "setGuestHostname: failed pid=%d hostname=%s err=%s",
       vm.pid,
       hostname,
@@ -4932,7 +4863,7 @@ async function setGuestHostname(vm, hostname) {
 
 // src/vm/image-config.ts
 import { execFileSync as execFileSync7 } from "child_process";
-import { existsSync as existsSync12, mkdirSync as mkdirSync9, readFileSync as readFileSync9, statSync as statSync7, writeFileSync as writeFileSync6 } from "fs";
+import { existsSync as existsSync11, mkdirSync as mkdirSync9, readFileSync as readFileSync8, statSync as statSync7, writeFileSync as writeFileSync6 } from "fs";
 import { homedir as homedir7 } from "os";
 import { join as join10 } from "path";
 function imageConfigCacheDir() {
@@ -4962,9 +4893,9 @@ function warmImageConfigCache(imagePath, config) {
 }
 function readImageConfig(imagePath) {
   const cachePath = imageConfigCachePath(imagePath);
-  if (cachePath && existsSync12(cachePath)) {
+  if (cachePath && existsSync11(cachePath)) {
     try {
-      const raw = readFileSync9(cachePath, "utf8");
+      const raw = readFileSync8(cachePath, "utf8");
       const cached = JSON.parse(raw);
       return cached.config ?? void 0;
     } catch {
@@ -4992,12 +4923,18 @@ function readImageConfig(imagePath) {
 }
 
 // src/vm/bundle.ts
-var LIVE_MOUNT_PORT_BASE = 1970;
-function resolveLiveMounts(mounts, cwd, udsDir) {
+var MAX_LIVE_MOUNTS = 5;
+function resolveLiveMounts(mounts, cwd) {
+  if (mounts.length > MAX_LIVE_MOUNTS) {
+    throw new BootError(
+      "BOOT_MOUNT_INVALID",
+      `liveMounts: at most ${MAX_LIVE_MOUNTS} live mounts are supported per VM (got ${mounts.length}) \u2014 the VMM wires ${MAX_LIVE_MOUNTS} virtio-fs slots.`
+    );
+  }
   return mounts.map((m, i) => {
     validateMountGuest(m.guest);
     const hostAbs = resolve4(cwd ?? process.cwd(), m.host);
-    if (!existsSync13(hostAbs)) {
+    if (!existsSync12(hostAbs)) {
       throw new BootError(
         "BOOT_MOUNT_HOST_NOT_FOUND",
         `liveMounts[${i}] host path not found: ${m.host}`
@@ -5012,10 +4949,10 @@ function resolveLiveMounts(mounts, cwd, udsDir) {
     return {
       host: hostAbs,
       guest: normalizeMountGuest(m.guest),
-      port: LIVE_MOUNT_PORT_BASE + i,
-      udsPath: join11(udsDir, `live-mount-${i}.sock`),
-      statsPath: join11(udsDir, `live-mount-${i}-stats.json`),
-      mode: m.mode ?? "rw"
+      mode: m.mode ?? "rw",
+      // Tag is the virtio-fs device's config-space identifier and must
+      // be ≤ 36 bytes (FsConfig.tag). `machinen-lm<i>` stays well under.
+      tag: `machinen-lm${i}`
     };
   });
 }
@@ -5026,7 +4963,7 @@ function buildMachinenConfig(input) {
     cfg.cwd = effectiveCwd;
   }
   if (input.liveMounts.length > 0) {
-    cfg.liveMounts = input.liveMounts.map(({ guest, port }) => ({ guest, port }));
+    cfg.liveMounts = input.liveMounts.map((lm) => ({ guest: lm.guest, tag: lm.tag }));
   }
   return cfg;
 }
@@ -5064,7 +5001,7 @@ function synthesizeAndPackBundle(opts, mergedGuestEnv, liveMounts, packerOpts) {
   const synthBundleDir = join11(tempDir, "bundle");
   const cleanup = () => {
     try {
-      rmSync8(tempDir, { recursive: true, force: true });
+      rmSync7(tempDir, { recursive: true, force: true });
     } catch {
     }
   };
@@ -5080,7 +5017,7 @@ function synthesizeAndPackBundle(opts, mergedGuestEnv, liveMounts, packerOpts) {
   let imageConfig;
   if (opts.image) {
     baseAbs = resolve4(opts.cwd ?? process.cwd(), opts.image);
-    if (!existsSync13(baseAbs)) {
+    if (!existsSync12(baseAbs)) {
       cleanup();
       throw new BootError("BOOT_IMAGE_NOT_FOUND", `image tarball not found: ${baseAbs}`);
     }
@@ -5093,6 +5030,8 @@ function synthesizeAndPackBundle(opts, mergedGuestEnv, liveMounts, packerOpts) {
     effectiveCmd = opts.cmd;
   } else if (typeof opts.snapshot === "string") {
     effectiveCmd = ["/sbin/machinen-restore"];
+  } else if (opts._vmstateRestorePath) {
+    effectiveCmd = ["/sbin/machinen-poweroff"];
   } else if (imageConfig?.cmd) {
     effectiveCmd = imageConfig.cmd;
   }
@@ -5127,7 +5066,7 @@ function synthesizeAndPackBundle(opts, mergedGuestEnv, liveMounts, packerOpts) {
       throw err;
     }
     const hostAbs = resolve4(opts.cwd ?? process.cwd(), opts.mount.host);
-    if (!existsSync13(hostAbs)) {
+    if (!existsSync12(hostAbs)) {
       cleanup();
       throw new BootError(
         "BOOT_MOUNT_HOST_NOT_FOUND",
@@ -5154,8 +5093,7 @@ function synthesizeAndPackBundle(opts, mergedGuestEnv, liveMounts, packerOpts) {
         // sourced from a snapshot bundle) rides on virtio-blk slots
         // 5+6, attached further down in boot().
         mountGuest: mount?.guest ?? opts._restoreMountDisk?.guest,
-        env: effectiveEnv,
-        fuseAgentPath: liveMounts.length > 0 ? defaultFuseAgentPath() : void 0
+        env: effectiveEnv
       });
     } else {
       packBundle({
@@ -5163,8 +5101,7 @@ function synthesizeAndPackBundle(opts, mergedGuestEnv, liveMounts, packerOpts) {
         out: cpioPath,
         base: baseAbs,
         mount,
-        env: effectiveEnv,
-        fuseAgentPath: liveMounts.length > 0 ? defaultFuseAgentPath() : void 0
+        env: effectiveEnv
       });
     }
     packerOpts.onPhase?.("cpio-write", Date.now() - packT0);
@@ -5178,13 +5115,13 @@ function synthesizeAndPackBundle(opts, mergedGuestEnv, liveMounts, packerOpts) {
     if (opts._restoreMountDisk) {
       try {
         const r = opts._restoreMountDisk;
-        if (!existsSync13(r.lowerPath)) {
+        if (!existsSync12(r.lowerPath)) {
           throw new BootError(
             "BOOT_SNAPSHOT_NOT_FOUND",
             `restore: bundle is missing mount-lower at ${r.lowerPath}`
           );
         }
-        if (!existsSync13(r.upperPath)) {
+        if (!existsSync12(r.upperPath)) {
           throw new BootError(
             "BOOT_SNAPSHOT_NOT_FOUND",
             `restore: bundle is missing mount-upper at ${r.upperPath}`
@@ -5231,12 +5168,45 @@ function synthesizeAndPackBundle(opts, mergedGuestEnv, liveMounts, packerOpts) {
 }
 
 // src/vm/snapshot.ts
-import { spawn as nodeSpawn3 } from "child_process";
-import { existsSync as existsSync14, mkdirSync as mkdirSync11, readdirSync as readdirSync6, statSync as statSync9, writeFileSync as writeFileSync8 } from "fs";
+import { spawn as nodeSpawn2 } from "child_process";
+import {
+  copyFileSync as copyFileSync2,
+  existsSync as existsSync13,
+  mkdirSync as mkdirSync11,
+  readdirSync as readdirSync6,
+  statSync as statSync9,
+  unlinkSync as unlinkSync7,
+  writeFileSync as writeFileSync8
+} from "fs";
 import { join as join12, resolve as resolve5 } from "path";
-import debugLib11 from "debug";
-var debugSnapshot = debugLib11("machinen:snapshot");
+import debugLib10 from "debug";
+
+// src/vm/snapshot-engine.ts
+var VMSTATE_FILE = "state.vmstate";
+function resolveSnapshotEngine() {
+  const raw = process.env.MACHINEN_SNAPSHOT_ENGINE;
+  if (raw === void 0 || raw === "") {
+    return "vmstate";
+  }
+  const v = raw.trim().toLowerCase();
+  if (v === "criu" || v === "vmstate") {
+    return v;
+  }
+  throw new Error(
+    `MACHINEN_SNAPSHOT_ENGINE must be "criu" or "vmstate" (got ${JSON.stringify(raw)})`
+  );
+}
+
+// src/vm/snapshot.ts
+var debugSnapshot = debugLib10("machinen:snapshot");
+var debugVmstate = debugLib10("machinen:vmstate");
 async function performSnapshot(ctx, opts) {
+  if (resolveSnapshotEngine() === "vmstate") {
+    return performSnapshotVmstate(ctx, opts);
+  }
+  return performSnapshotCriu(ctx, opts);
+}
+async function performSnapshotCriu(ctx, opts) {
   const baseDumpCmd = opts.dumpCmd ?? "/sbin/machinen-dump";
   const deadlineMs = opts.timeoutMs ?? 9e4;
   const onLog = opts.onLog;
@@ -5278,7 +5248,6 @@ async function performSnapshot(ctx, opts) {
   const imgEntries = readdirSync6(imgDir);
   validateDumpResult(dumpRes, imgEntries, consoleLog, deadlineMs);
   const mountDiskMeta = await reflinkMountOverlay(ctx, snapDir, deadlineMs);
-  await manageLiveMountServers(ctx, leaveRunning, deadlineMs, onLog);
   if (!leaveRunning) {
     phases.start("poweroff");
     await powerOffSourceVm(ctx, deadlineMs);
@@ -5286,15 +5255,15 @@ async function performSnapshot(ctx, opts) {
   }
   phases.end("validation");
   phases.start("finalize");
-  writeSnapshotMeta(ctx, snapDir, mountDiskMeta);
+  writeSnapshotMeta(ctx, snapDir, mountDiskMeta, "criu");
   phases.end("finalize");
   debugSnapshot("snapshot done snapDir=%s imgEntries=%d", snapDir, imgEntries.length);
   phases.flush(debugSnapshot, "snapshot");
-  return { snapDir, imgDir, elapsedMs, consoleLog };
+  return { engine: "criu", snapDir, imgDir, elapsedMs, consoleLog };
 }
-function prepareBundleDir(outDir) {
+function prepareBundleRootDir(outDir) {
   const snapDir = resolve5(outDir);
-  if (existsSync14(snapDir)) {
+  if (existsSync13(snapDir)) {
     if (!statSync9(snapDir).isDirectory()) {
       throw new SnapshotError(
         "SNAPSHOT_DUMP_FAILED",
@@ -5310,12 +5279,16 @@ function prepareBundleDir(outDir) {
   } else {
     mkdirSync11(snapDir, { recursive: true });
   }
+  return snapDir;
+}
+function prepareBundleDir(outDir) {
+  const snapDir = prepareBundleRootDir(outDir);
   const imgDir = join12(snapDir, "img");
   mkdirSync11(imgDir, { recursive: true });
   return { snapDir, imgDir };
 }
 async function runDumpAndExtractTar(ctx, dumpCmd, deadlineMs, onLog, imgDir) {
-  const tarChild = nodeSpawn3("tar", ["-xmf", "-", "-C", imgDir], {
+  const tarChild = nodeSpawn2("tar", ["-xmf", "-", "-C", imgDir], {
     stdio: ["pipe", "ignore", "pipe"]
   });
   let tarStderr = "";
@@ -5461,48 +5434,6 @@ async function reflinkMountOverlay(ctx, snapDir, deadlineMs) {
     upper: upperName
   };
 }
-async function manageLiveMountServers(ctx, leaveRunning, deadlineMs, onLog) {
-  if (!ctx.liveMounts || ctx.liveMounts.length === 0) {
-    return;
-  }
-  if (ctx.stopLiveMountServers) {
-    try {
-      await ctx.stopLiveMountServers();
-    } catch (err) {
-      debugSnapshot(
-        "stopLiveMountServers failed (continuing): %s",
-        err instanceof Error ? err.message : String(err)
-      );
-    }
-  }
-  if (!leaveRunning) {
-    return;
-  }
-  if (ctx.respawnLiveMountServers) {
-    try {
-      await ctx.respawnLiveMountServers();
-    } catch (err) {
-      throw new SnapshotError(
-        "SNAPSHOT_DUMP_FAILED",
-        `vm.snapshot: failed to respawn live-mount servers post-dump: ${err instanceof Error ? err.message : String(err)}`,
-        { cause: err }
-      );
-    }
-  }
-  try {
-    await ctx.execRaw("/sbin/machinen-remount", {
-      connectTimeoutMs: Math.min(deadlineMs, 5e3),
-      execTimeoutMs: 15e3,
-      onStderr: onLog ? (chunk) => onLog({ source: "exec-stderr", cmd: "/sbin/machinen-remount", chunk }) : void 0
-    });
-  } catch (err) {
-    throw new SnapshotError(
-      "SNAPSHOT_DUMP_FAILED",
-      `vm.snapshot: post-dump remount in guest failed: ${err instanceof Error ? err.message : String(err)}`,
-      { cause: err }
-    );
-  }
-}
 async function powerOffSourceVm(ctx, deadlineMs) {
   debugSnapshot("issuing /sbin/machinen-poweroff to bring VMM down");
   ctx.execRaw("/sbin/machinen-poweroff", {
@@ -5525,8 +5456,9 @@ async function powerOffSourceVm(ctx, deadlineMs) {
     clearTimeout(powerOffTimer);
   }
 }
-function writeSnapshotMeta(ctx, snapDir, mountDiskMeta) {
+function writeSnapshotMeta(ctx, snapDir, mountDiskMeta, engine) {
   const meta = {
+    engine,
     sourceName: ctx.sourceName,
     sourceImage: ctx.sourceImage,
     snappedAt: Date.now(),
@@ -5535,7 +5467,11 @@ function writeSnapshotMeta(ctx, snapDir, mountDiskMeta) {
     // snapshotting host that the restoring host has to resolve (or
     // remap via `restore({ liveMounts })`). Recorded only when ctx
     // carried a resolved list (boot-handle path).
-    liveMounts: ctx.liveMounts && ctx.liveMounts.length > 0 ? ctx.liveMounts.map(({ guest, host, mode }) => ({ guest, host, mode })) : void 0
+    liveMounts: ctx.liveMounts && ctx.liveMounts.length > 0 ? ctx.liveMounts.map(({ guest, host, mode }) => ({
+      guest,
+      host,
+      mode
+    })) : void 0
   };
   writeFileSync8(join12(snapDir, "meta.json"), JSON.stringify(meta));
 }
@@ -5555,14 +5491,107 @@ Dump exec exited ${outcome.exitCode} (workload kept running).`;
   }
   return "";
 }
+async function performSnapshotVmstate(ctx, opts) {
+  const t0 = Date.now();
+  const deadlineMs = opts.timeoutMs ?? 9e4;
+  const leaveRunning = opts.leaveRunning === true;
+  if (!ctx.vmstatePath) {
+    throw new SnapshotError(
+      "SNAPSHOT_NO_DISK",
+      "vm.snapshot: this VM was not booted with the vmstate engine.\n  Set MACHINEN_SNAPSHOT_ENGINE=vmstate before `machinen boot` so the\n  VMM installs the SIGUSR1 whole-VM dump handler."
+    );
+  }
+  const snapDir = prepareBundleRootDir(opts.outDir);
+  debugVmstate(
+    "vmstate snapshot start pid=%d snapDir=%s vmstatePath=%s leaveRunning=%s",
+    ctx.pid,
+    snapDir,
+    ctx.vmstatePath,
+    leaveRunning
+  );
+  try {
+    unlinkSync7(ctx.vmstatePath);
+  } catch {
+  }
+  try {
+    await ctx.execRaw("sync; sync /mnt 2>/dev/null; true", {
+      connectTimeoutMs: Math.min(deadlineMs, 5e3),
+      execTimeoutMs: 1e4
+    });
+  } catch (err) {
+    debugVmstate(
+      "pre-snapshot sync failed (continuing): %s",
+      err instanceof Error ? err.message : String(err)
+    );
+  }
+  try {
+    process.kill(ctx.pid, "SIGUSR1");
+  } catch (err) {
+    throw new SnapshotError(
+      "SNAPSHOT_DUMP_FAILED",
+      `vm.snapshot: failed to signal the VMM (pid ${ctx.pid}): ${err instanceof Error ? err.message : String(err)}`,
+      { cause: err }
+    );
+  }
+  await waitForVmstateFile(ctx.vmstatePath, deadlineMs);
+  const bundleStatePath = join12(snapDir, VMSTATE_FILE);
+  try {
+    copyFileSync2(ctx.vmstatePath, bundleStatePath);
+  } catch (err) {
+    throw new SnapshotError(
+      "SNAPSHOT_DUMP_FAILED",
+      `vm.snapshot: failed to copy the .vmstate into the bundle: ${err instanceof Error ? err.message : String(err)}`,
+      { cause: err }
+    );
+  }
+  const mountDiskMeta = await reflinkMountOverlay(ctx, snapDir, deadlineMs);
+  writeSnapshotMeta(ctx, snapDir, mountDiskMeta, "vmstate");
+  if (!leaveRunning) {
+    await powerOffSourceVm(ctx, deadlineMs);
+  }
+  const elapsedMs = Date.now() - t0;
+  const stateBytes = statSync9(bundleStatePath).size;
+  debugVmstate(
+    "vmstate snapshot done snapDir=%s stateBytes=%d elapsedMs=%d",
+    snapDir,
+    stateBytes,
+    elapsedMs
+  );
+  return {
+    engine: "vmstate",
+    snapDir,
+    vmstatePath: bundleStatePath,
+    elapsedMs,
+    consoleLog: await ctx.errorOutput()
+  };
+}
+async function waitForVmstateFile(path, deadlineMs) {
+  const deadline = Date.now() + deadlineMs;
+  while (Date.now() < deadline) {
+    try {
+      if (statSync9(path).size > 0) {
+        return;
+      }
+    } catch {
+    }
+    await new Promise((r) => setTimeout(r, 100));
+  }
+  throw new SnapshotError(
+    "SNAPSHOT_TIMEOUT",
+    `vm.snapshot: the VMM did not write its .vmstate within ${deadlineMs}ms (${path}).
+  The VM may not have been booted with MACHINEN_SNAPSHOT_ENGINE=vmstate.`
+  );
+}
 
 // src/vm/boot.ts
-var debug11 = debugLib12("machinen:boot");
-var vmmDebug = debugLib12("machinen:vmm");
+var debug10 = debugLib11("machinen:boot");
+var vmmDebug = debugLib11("machinen:vmm");
+var vmstateDebug = debugLib11("machinen:vmstate");
+var restoreDebug = debugLib11("machinen:restore");
 async function boot(opts = {}) {
   const bootT0 = Date.now();
   const phases = new PhaseTimer();
-  debug11(
+  debug10(
     "boot entry image=%s cmd=%j name=%s portForward=%d hasSnapshot=%s mount=%s",
     opts.image ?? "<none>",
     opts.cmd ?? null,
@@ -5576,7 +5605,7 @@ async function boot(opts = {}) {
   await validatePortForwardOpts(opts, portForward);
   const binaryInput = opts.binary ?? resolveVmmBinary();
   const binary = resolve6(opts.cwd ?? process.cwd(), binaryInput);
-  if (!existsSync15(binary)) {
+  if (!existsSync14(binary)) {
     throw new BootError("BOOT_VMM_MISSING", `VMM binary not found at ${binary}`);
   }
   if (opts.cmd && !opts.image) {
@@ -5601,21 +5630,31 @@ async function boot(opts = {}) {
   validateKernelDtb(opts, env);
   let { vsockUdsPath, vsockTempDir } = setupVsockBridge(env);
   const { statsFilePath, statsTempDir } = setupStatsFile(env, vsockTempDir);
-  let liveMountsResolved = [];
-  if ((opts.liveMounts ?? []).length > 0) {
+  let vmstateStatePath;
+  if (resolveSnapshotEngine() === "vmstate" && opts.snapshot !== false) {
     if (!vsockTempDir) {
       vsockTempDir = mkdtempSync6(join13(tmpdir5(), "machinen-vsock-"));
     }
-    liveMountsResolved = resolveLiveMounts(opts.liveMounts, opts.cwd, vsockTempDir);
-    for (const lm of liveMountsResolved) {
-      env.MACHINEN_VSOCK = `${env.MACHINEN_VSOCK},out:${lm.port}:${lm.udsPath}`;
+    vmstateStatePath = join13(vsockTempDir, VMSTATE_FILE);
+    env.MACHINEN_SNAPSHOT_PATH = vmstateStatePath;
+  }
+  if (opts._vmstateRestorePath) {
+    env.MACHINEN_RESTORE_PATH = opts._vmstateRestorePath;
+    if ((vmstateDebug.enabled || restoreDebug.enabled) && !env.MACHINEN_VMSTATE_TIMING) {
+      env.MACHINEN_VMSTATE_TIMING = "1";
     }
   }
+  let liveMountsResolved = [];
+  if ((opts.liveMounts ?? []).length > 0) {
+    liveMountsResolved = resolveLiveMounts(opts.liveMounts, opts.cwd);
+    liveMountsResolved.forEach((lm, i) => {
+      env[`MACHINEN_VIRTIOFS_${i}`] = `${lm.tag}:${lm.mode}:${lm.host}`;
+    });
+  }
   let gvStop;
   let gvPid;
   let gvExe;
   let gvSocketDir;
-  const liveMountServers = [];
   let bundleTempDir;
   let mountDiskPaths;
   let perBootMountUpper;
@@ -5624,6 +5663,9 @@ async function boot(opts = {}) {
   if (opts.name && !mergedGuestEnv.MACHINEN_VM_NAME) {
     mergedGuestEnv.MACHINEN_VM_NAME = opts.name;
   }
+  if (vsockUdsPath && !mergedGuestEnv.MACHINEN_VM_HOSTNAME_WAIT) {
+    mergedGuestEnv.MACHINEN_VM_HOSTNAME_WAIT = "1";
+  }
   try {
     phases.start("net-services");
     phases.start("net-services.gvproxy");
@@ -5646,7 +5688,7 @@ async function boot(opts = {}) {
       env.MACHINEN_INITRD = packed.cpioPath;
       mountDiskPaths = packed.mountDisk;
       const packMs = phases.end("initramfs-pack");
-      debug11("initramfs packed cpio=%s elapsed=%dms", packed.cpioPath, packMs ?? -1);
+      debug10("initramfs packed cpio=%s elapsed=%dms", packed.cpioPath, packMs ?? -1);
     }
     phases.start("rootdisk-materialize");
     if (wantsRootDisk) {
@@ -5672,7 +5714,7 @@ async function boot(opts = {}) {
   if (mountDiskPaths) {
     perBootMountUpper = mountDiskPaths.upperPath;
   }
-  const child = nodeSpawn4(wrappedVmm.command, wrappedVmm.args, {
+  const child = nodeSpawn3(wrappedVmm.command, wrappedVmm.args, {
     cwd: opts.cwd,
     env,
     stdio
@@ -5682,7 +5724,7 @@ async function boot(opts = {}) {
   }
   phases.end("vmm-spawn");
   phases.start("first-guest-byte");
-  debug11(
+  debug10(
     "VMM spawned pid=%d binary=%s wrapped=%s elapsedSinceEntry=%dms",
     child.pid ?? -1,
     binary,
@@ -5722,7 +5764,8 @@ async function boot(opts = {}) {
     memoryCeilingMib,
     statsFilePath,
     mountDiskPaths,
-    liveMountsResolved
+    liveMountsResolved,
+    vmstateStatePath
   }) : false;
   installVmExitCleanup({
     child,
@@ -5735,7 +5778,6 @@ async function boot(opts = {}) {
     vsockTempDir,
     statsTempDir,
     gvStop,
-    liveMountServers,
     registered
   });
   const timeoutMs = opts.timeoutMs === void 0 ? 6e4 : opts.timeoutMs;
@@ -5752,22 +5794,12 @@ async function boot(opts = {}) {
       process.stderr.write(chunk);
     });
   }
+  installVmstateTimingRelay(child);
   installFlushPhases(child, phases, onLog);
   const detachedBootChunks = [];
   if (opts.detached) {
     installDetachedBootCapture(child, detachedBootChunks);
   }
-  if (liveMountsResolved.length > 0) {
-    phases.start("net-services.live-mounts");
-    await spawnLiveMountServersForBoot({
-      liveMountsResolved,
-      childPid,
-      child,
-      registered,
-      liveMountServers
-    });
-    phases.end("net-services.live-mounts");
-  }
   const handle = {
     pid: childPid,
     name: vmName,
@@ -5836,20 +5868,16 @@ ${res.stderr}`
       const balloon = statsFilePath ? readBalloonStats(statsFilePath) : null;
       const cur = findEntry({ pid: childPid });
       const lazyTotal = cur?.lazyPagesTotal ?? 0;
-      let bytesServed = 0;
-      for (const server of liveMountServers) {
-        bytesServed += server.bytesServedOnPagesImg();
-      }
-      const pagesServed = Math.floor(bytesServed / 4096);
       return {
         ceilingMib: memoryCeilingMib ?? null,
         hostRssBytes: readHostRssBytes(childPid, statsFilePath),
         balloonInflatedBytes: balloon?.bytesReported ?? 0,
-        lazyPagesPending: Math.max(0, lazyTotal - pagesServed)
+        lazyPagesPending: lazyTotal
       };
     },
     async snapshot(snapshotOpts) {
-      if (!diskAbs) {
+      const engine = resolveSnapshotEngine();
+      if (engine === "criu" && !diskAbs || engine === "vmstate" && !vmstateStatePath) {
         throw new SnapshotError(
           "SNAPSHOT_NO_DISK",
           "vm.snapshot: this VM was booted with `snapshot: false` (no scratch disk attached). Re-boot without that flag \u2014 the runtime will auto-allocate a sparse scratch \u2014 or pass `snapshot: '<path>'`."
@@ -5858,7 +5886,8 @@ ${res.stderr}`
       return performSnapshot(buildBootSnapshotContext(), snapshotOpts);
     },
     async fork(forkOpts) {
-      if (!diskAbs) {
+      const engine = resolveSnapshotEngine();
+      if (engine === "criu" && !diskAbs || engine === "vmstate" && !vmstateStatePath) {
         throw new SnapshotError(
           "SNAPSHOT_NO_DISK",
           "vm.fork: source VM has no scratch disk (booted with `snapshot: false`). Re-boot the source without that flag so it can be snapshotted."
@@ -5884,23 +5913,7 @@ ${res.stderr}`
         upperPath: mountDiskPaths.upperPath
       } : void 0,
       liveMounts: liveMountsForCtx,
-      stopLiveMountServers: liveMountsForCtx ? async () => {
-        await Promise.all(liveMountServers.map((s) => s.stop().catch(() => {
-        })));
-        liveMountServers.length = 0;
-      } : void 0,
-      respawnLiveMountServers: liveMountsForCtx ? async () => {
-        for (const lm of liveMountsResolved) {
-          const fresh = await spawnDetachedMountServer({
-            udsPath: lm.udsPath,
-            rootAbs: lm.host,
-            mode: lm.mode,
-            vmmPid: childPid,
-            statsPath: lm.statsPath
-          });
-          liveMountServers.push(fresh);
-        }
-      } : void 0,
+      vmstatePath: vmstateStatePath,
       execRaw: (cmd, execOpts) => handle.execRaw(cmd, execOpts),
       wait: () => handle.wait(),
       kill: () => handle.kill(),
@@ -5984,12 +5997,12 @@ function prepareScratchDisk(opts, env) {
   }
   if (typeof opts.snapshot === "string") {
     const bundleDisk = resolve6(opts.cwd ?? process.cwd(), opts.snapshot);
-    if (!existsSync15(bundleDisk)) {
+    if (!existsSync14(bundleDisk)) {
       throw new BootError("BOOT_SNAPSHOT_NOT_FOUND", `snapshot image not found: ${bundleDisk}`);
     }
     if (opts.cmd) {
       env.MACHINEN_DISK = bundleDisk;
-      debug11("snap-restore in-place (explicit cmd) path=%s", bundleDisk);
+      debug10("snap-restore in-place (explicit cmd) path=%s", bundleDisk);
       return { diskAbs: bundleDisk, perBootSnapDisk: void 0 };
     }
     const perBoot = join13(
@@ -5998,7 +6011,7 @@ function prepareScratchDisk(opts, env) {
     );
     reflinkCopy(bundleDisk, perBoot);
     env.MACHINEN_DISK = perBoot;
-    debug11("snap-restore reflink-clone src=%s dst=%s", bundleDisk, perBoot);
+    debug10("snap-restore reflink-clone src=%s dst=%s", bundleDisk, perBoot);
     return { diskAbs: perBoot, perBootSnapDisk: perBoot };
   }
   if (!opts.image) {
@@ -6010,20 +6023,20 @@ function prepareScratchDisk(opts, env) {
   );
   allocateSparseFile3(scratchPath, SNAP_SCRATCH_BYTES);
   env.MACHINEN_DISK = scratchPath;
-  debug11("snap-scratch auto path=%s sizeBytes=%d", scratchPath, SNAP_SCRATCH_BYTES);
+  debug10("snap-scratch auto path=%s sizeBytes=%d", scratchPath, SNAP_SCRATCH_BYTES);
   return { diskAbs: scratchPath, perBootSnapDisk: scratchPath };
 }
 function validateKernelDtb(opts, env) {
   if (opts.kernel) {
     const abs = resolve6(opts.cwd ?? process.cwd(), opts.kernel);
-    if (!existsSync15(abs)) {
+    if (!existsSync14(abs)) {
       throw new BootError("BOOT_KERNEL_NOT_FOUND", `kernel not found: ${abs}`);
     }
     env.MACHINEN_KERNEL = abs;
   }
   if (opts.dtb) {
     const abs = resolve6(opts.cwd ?? process.cwd(), opts.dtb);
-    if (!existsSync15(abs)) {
+    if (!existsSync14(abs)) {
       throw new BootError("BOOT_DTB_NOT_FOUND", `dtb not found: ${abs}`);
     }
     env.MACHINEN_DTB = abs;
@@ -6032,7 +6045,7 @@ function validateKernelDtb(opts, env) {
 function setupVsockBridge(env) {
   if (env.MACHINEN_VSOCK) {
     const vsockUdsPath2 = parseVsockUdsPath(env.MACHINEN_VSOCK);
-    debug11(
+    debug10(
       "vsock spec from caller env: %s (uds=%s)",
       env.MACHINEN_VSOCK,
       vsockUdsPath2 ?? "<unparsed>"
@@ -6042,7 +6055,7 @@ function setupVsockBridge(env) {
   const vsockTempDir = mkdtempSync6(join13(tmpdir5(), "machinen-vsock-"));
   const vsockUdsPath = join13(vsockTempDir, "exec.sock");
   env.MACHINEN_VSOCK = `in:1978:${vsockUdsPath}`;
-  debug11("vsock auto uds=%s", vsockUdsPath);
+  debug10("vsock auto uds=%s", vsockUdsPath);
   return { vsockUdsPath, vsockTempDir };
 }
 function setupStatsFile(env, vsockTempDir) {
@@ -6068,7 +6081,7 @@ function setupStatsFile(env, vsockTempDir) {
 }
 async function bringUpGvproxy(opts, binary, env, portForward) {
   if (env.MACHINEN_NET_SOCKET) {
-    debug11("MACHINEN_NET_SOCKET already set \u2014 skipping gvproxy spawn");
+    debug10("MACHINEN_NET_SOCKET already set \u2014 skipping gvproxy spawn");
     return { gvStop: void 0, gvPid: void 0, gvExe: void 0, gvSocketDir: void 0 };
   }
   const gvBin = await ensureGvproxy(binary);
@@ -6079,11 +6092,11 @@ async function bringUpGvproxy(opts, binary, env, portForward) {
         "portForward requires gvproxy, but no gvproxy binary was found. Install gvproxy or point MACHINEN_GVPROXY at one."
       );
     }
-    debug11("gvproxy not found \u2014 booting without networking");
+    debug10("gvproxy not found \u2014 booting without networking");
     warnGvproxyMissing();
     return { gvStop: void 0, gvPid: void 0, gvExe: void 0, gvSocketDir: void 0 };
   }
-  debug11("starting gvproxy bin=%s", gvBin);
+  debug10("starting gvproxy bin=%s", gvBin);
   const gv = await spawnGvproxy(gvBin, { detached: opts.detached });
   env.MACHINEN_NET_SOCKET = gv.socketPath;
   for (const m of portForward) {
@@ -6099,7 +6112,7 @@ async function bringUpGvproxy(opts, binary, env, portForward) {
 function materializeRootdisk(opts, env, phases) {
   if (typeof opts.rootDisk === "string") {
     const rootDiskAbs = resolve6(opts.cwd ?? process.cwd(), opts.rootDisk);
-    if (!existsSync15(rootDiskAbs)) {
+    if (!existsSync14(rootDiskAbs)) {
       throw new BootError("BOOT_IMAGE_NOT_FOUND", `rootDisk image not found: ${rootDiskAbs}`);
     }
     env.MACHINEN_ROOTDISK = rootDiskAbs;
@@ -6131,7 +6144,7 @@ function rollbackPreSpawn(state) {
   for (const dir of [state.bundleTempDir, state.vsockTempDir]) {
     if (dir) {
       try {
-        rmSync9(dir, { recursive: true, force: true });
+        rmSync8(dir, { recursive: true, force: true });
       } catch {
       }
     }
@@ -6139,7 +6152,7 @@ function rollbackPreSpawn(state) {
   for (const file of [state.perBootRootDisk, state.perBootSnapDisk, state.perBootMountUpper]) {
     if (file) {
       try {
-        unlinkSync7(file);
+        unlinkSync8(file);
       } catch {
       }
     }
@@ -6249,6 +6262,10 @@ function registerInRegistry(args) {
       portForward: args.portForward.length > 0 ? args.portForward : void 0,
       memoryCeilingMib: args.memoryCeilingMib,
       statsPath: args.statsFilePath,
+      // Vmstate engine: persist the VMM's whole-VM state-file path so
+      // an attach-owned `vm.snapshot()` / `vm.fork()` can SIGUSR1 the
+      // VMM and pick the .vmstate up. Undefined for criu-engine VMs.
+      vmstatePath: args.vmstateStatePath,
       // #272: persist mount-overlay paths so an attach-owned
       // vm.snapshot()/fork() can reflink the lower+upper into the
       // bundle. Without this, `machinen snapshot <vm>` from
@@ -6259,19 +6276,20 @@ function registerInRegistry(args) {
         upperPath: args.mountDiskPaths.upperPath
       } : void 0,
       // #273: persist live-share mount config so an attach-owned
-      // snapshot/fork can write the same `meta.liveMounts` block
-      // and trigger /sbin/machinen-remount post-dump on
-      // leaveRunning paths. Host UDS / vsock port aren't carried —
-      // those are this process's private state and the attach side
-      // doesn't need them (the source's servers stay listening
-      // through the dump and the re-fork'd fuse-agent reconnects).
-      liveMounts: args.liveMountsResolved.length > 0 ? args.liveMountsResolved.map(({ guest, host, mode }) => ({ guest, host, mode })) : void 0,
+      // snapshot/fork can write the same `meta.liveMounts` block. The
+      // per-mount virtio-fs tag isn't carried — it's re-derived from
+      // the resolved order on restore.
+      liveMounts: args.liveMountsResolved.length > 0 ? args.liveMountsResolved.map(({ guest, host, mode }) => ({
+        guest,
+        host,
+        mode
+      })) : void 0,
       startedAt: Date.now()
     });
-    debug11("registered pid=%d name=%s", args.childPid, args.vmName ?? "<unset>");
+    debug10("registered pid=%d name=%s", args.childPid, args.vmName ?? "<unset>");
     return true;
   } catch (err) {
-    debug11(
+    debug10(
       "registry write failed (best-effort) err=%s",
       err instanceof Error ? err.message : String(err)
     );
@@ -6280,7 +6298,7 @@ function registerInRegistry(args) {
 }
 function installVmExitCleanup(state) {
   state.child.once("exit", (code, signal) => {
-    debug11(
+    debug10(
       "VMM exit pid=%d code=%s signal=%s lifetimeMs=%d",
       state.childPid,
       code,
@@ -6290,7 +6308,7 @@ function installVmExitCleanup(state) {
     for (const file of [state.perBootRootDisk, state.perBootSnapDisk, state.perBootMountUpper]) {
       if (file) {
         try {
-          unlinkSync7(file);
+          unlinkSync8(file);
         } catch {
         }
       }
@@ -6298,7 +6316,7 @@ function installVmExitCleanup(state) {
     for (const dir of [state.bundleTempDir, state.vsockTempDir, state.statsTempDir]) {
       if (dir) {
         try {
-          rmSync9(dir, { recursive: true, force: true });
+          rmSync8(dir, { recursive: true, force: true });
         } catch {
         }
       }
@@ -6306,15 +6324,37 @@ function installVmExitCleanup(state) {
     if (state.gvStop) {
       state.gvStop();
     }
-    for (const server of state.liveMountServers) {
-      void server.stop().catch(() => {
-      });
-    }
     if (state.registered) {
       removeEntry(state.childPid);
     }
   });
 }
+function installVmstateTimingRelay(child) {
+  if (!vmstateDebug.enabled && !restoreDebug.enabled) {
+    return;
+  }
+  const timingDebug = vmstateDebug.enabled ? vmstateDebug : restoreDebug;
+  let carry = "";
+  const flushLine = (line) => {
+    if (line.startsWith("vmstate restore timing ")) {
+      timingDebug("%s", line);
+    }
+  };
+  child.stderr.on("data", (chunk) => {
+    const text = carry + chunk.toString("utf8");
+    const lines = text.split("\n");
+    carry = lines.pop() ?? "";
+    for (const line of lines) {
+      flushLine(line);
+    }
+  });
+  child.once("exit", () => {
+    if (carry) {
+      flushLine(carry);
+      carry = "";
+    }
+  });
+}
 function installFlushPhases(child, phases, onLog) {
   let phasesFlushed = false;
   const flush = () => {
@@ -6323,7 +6363,7 @@ function installFlushPhases(child, phases, onLog) {
     }
     phasesFlushed = true;
     phases.end("first-guest-byte");
-    phases.flush(debug11, "boot");
+    phases.flush(debug10, "boot");
     onLog?.(phases.toEvent("boot"));
   };
   child.stderr.once("data", flush);
@@ -6339,39 +6379,6 @@ function installDetachedBootCapture(child, sink) {
     }
   });
 }
-async function spawnLiveMountServersForBoot(args) {
-  try {
-    for (const lm of args.liveMountsResolved) {
-      const lmHandle = await spawnDetachedMountServer({
-        udsPath: lm.udsPath,
-        rootAbs: lm.host,
-        mode: lm.mode,
-        vmmPid: args.childPid,
-        statsPath: lm.statsPath
-      });
-      args.liveMountServers.push(lmHandle);
-    }
-  } catch (err) {
-    try {
-      args.child.kill("SIGKILL");
-    } catch {
-    }
-    throw err;
-  }
-  if (!args.registered) {
-    return;
-  }
-  try {
-    patchEntry(args.childPid, {
-      liveMountServers: args.liveMountServers.map((h) => ({ pid: h.pid, exe: h.exe }))
-    });
-  } catch (err) {
-    debug11(
-      "registry patch (liveMountServers) failed (best-effort) err=%s",
-      err instanceof Error ? err.message : String(err)
-    );
-  }
-}
 async function gateOnDetachedReadiness(args) {
   const readinessTimeoutMs = args.timeoutMs ?? 6e4;
   let onByte = null;
@@ -6456,14 +6463,17 @@ function makeKill(child) {
 }
 
 // src/vm/restore.ts
-var debug12 = debugLib13("machinen:boot");
-var debugRestore = debugLib13("machinen:restore");
+var debug11 = debugLib12("machinen:boot");
+var debugRestore = debugLib12("machinen:restore");
 async function restore(opts) {
   const phases = new PhaseTimer();
   const snapDir = resolve7(opts.snapDir);
+  if (existsSync15(join14(snapDir, VMSTATE_FILE))) {
+    return restoreVmstate(opts, snapDir);
+  }
   const imgDir = join14(snapDir, "img");
   const metaPath = join14(snapDir, "meta.json");
-  if (!existsSync16(imgDir) || !statSync10(imgDir).isDirectory()) {
+  if (!existsSync15(imgDir) || !statSync10(imgDir).isDirectory()) {
     throw new BootError("BOOT_SNAPSHOT_NOT_FOUND", `restore: ${imgDir} not found`);
   }
   const imgEntries = readdirSync7(imgDir);
@@ -6475,50 +6485,21 @@ async function restore(opts) {
   }
   phases.start("snapshot-meta-read");
   let meta = { snappedAt: 0 };
-  if (existsSync16(metaPath)) {
+  if (existsSync15(metaPath)) {
     try {
-      meta = JSON.parse(readFileSync10(metaPath, "utf8"));
+      meta = JSON.parse(readFileSync9(metaPath, "utf8"));
     } catch {
     }
   }
   phases.end("snapshot-meta-read");
-  let resolvedImage;
-  if (opts.image) {
-    resolvedImage = resolve7(opts.cwd ?? process.cwd(), opts.image);
-    if (!existsSync16(resolvedImage)) {
-      throw new BootError("BOOT_IMAGE_NOT_FOUND", `restore: image not found: ${resolvedImage}`);
-    }
-  } else if (meta.sourceImage && existsSync16(meta.sourceImage)) {
-    resolvedImage = meta.sourceImage;
-    debugRestore("using meta.sourceImage path=%s", resolvedImage);
-  } else if (meta.sourceImage) {
-    throw new BootError(
-      "BOOT_IMAGE_NOT_FOUND",
-      `restore: source image not found at ${meta.sourceImage}
-  The snapshot was taken with this rootfs tarball, and CRIU needs
-  it to reopen the process's file-backed memory mappings (e.g.
-  /usr/bin/node, libc, etc).
-  \u2022 copy the tarball to that path on this host, OR
-  \u2022 pass an explicit override via the runtime's restore({ image })
-    or the CLI's \`machinen restore --image <tarball>\`.`
-    );
-  } else {
-    throw new BootError(
-      "BOOT_IMAGE_NOT_FOUND",
-      `restore: no rootfs image available for this bundle.
-  The snapshot's meta.json doesn't record a source image (likely
-  predates the field). Pass the same tarball you booted the
-  source VM with via the runtime's restore({ image }) or the
-  CLI's \`machinen restore --image <tarball>\`.`
-    );
-  }
+  const resolvedImage = resolveRestoreImage(opts, meta);
   const lazyPages = opts.lazy === true;
   let lazyPagesTotal;
   if (lazyPages) {
     phases.start("snapshot-mark-lazy");
     const marked = markPagemapsLazy(imgDir);
     lazyPagesTotal = marked.entriesFlagged + marked.entriesAlreadyLazy;
-    debug12(
+    debug11(
       "lazy-pages mark: files=%d entriesFlagged=%d alreadyLazy=%d",
       marked.filesRewritten,
       marked.entriesFlagged,
@@ -6559,7 +6540,7 @@ async function restore(opts) {
       }
     } catch (err) {
       try {
-        unlinkSync8(scratchPath);
+        unlinkSync9(scratchPath);
       } catch {
       }
       throw new BootError(
@@ -6574,7 +6555,7 @@ async function restore(opts) {
   if (meta.mountDisk) {
     const lowerAbs = join14(snapDir, meta.mountDisk.lower);
     const upperAbs = join14(snapDir, meta.mountDisk.upper);
-    if (!existsSync16(lowerAbs) || !existsSync16(upperAbs)) {
+    if (!existsSync15(lowerAbs) || !existsSync15(upperAbs)) {
       throw new BootError(
         "BOOT_SNAPSHOT_NOT_FOUND",
         `restore: bundle's mount overlay is missing one of:
@@ -6603,31 +6584,18 @@ async function restore(opts) {
     });
   } finally {
     try {
-      unlinkSync8(scratchPath);
+      unlinkSync9(scratchPath);
     } catch {
     }
   }
   phases.end("boot");
-  if (!opts.name && meta.sourceName) {
-    const candidates = [`${meta.sourceName}/${vm.pid}`, `${meta.sourceName}~${vm.pid}`];
-    for (const candidate of candidates) {
-      if (claimName(candidate, vm.pid)) {
-        const cur = findEntry({ pid: vm.pid });
-        if (cur) {
-          writeEntry({ ...cur, name: candidate });
-        }
-        vm.name = candidate;
-        break;
-      }
-    }
-  }
+  autoNameRestoredFork(vm, opts, meta);
   if (lazyPagesTotal !== void 0) {
     const cur = findEntry({ pid: vm.pid });
     if (cur) {
       writeEntry({
         ...cur,
-        lazyPagesTotal,
-        lazyPagesMountRoot: imgDir
+        lazyPagesTotal
       });
     }
   }
@@ -6638,9 +6606,98 @@ async function restore(opts) {
   });
   return vm;
 }
+function resolveRestoreImage(opts, meta) {
+  if (opts.image) {
+    const resolved = resolve7(opts.cwd ?? process.cwd(), opts.image);
+    if (!existsSync15(resolved)) {
+      throw new BootError("BOOT_IMAGE_NOT_FOUND", `restore: image not found: ${resolved}`);
+    }
+    return resolved;
+  }
+  if (meta.sourceImage && existsSync15(meta.sourceImage)) {
+    debugRestore("using meta.sourceImage path=%s", meta.sourceImage);
+    return meta.sourceImage;
+  }
+  if (meta.sourceImage) {
+    throw new BootError(
+      "BOOT_IMAGE_NOT_FOUND",
+      `restore: source image not found at ${meta.sourceImage}
+  The snapshot was taken with this rootfs tarball, and the restore
+  needs it as the guest's base rootfs.
+  \u2022 copy the tarball to that path on this host, OR
+  \u2022 pass an explicit override via the runtime's restore({ image })
+    or the CLI's \`machinen restore --image <tarball>\`.`
+    );
+  }
+  throw new BootError(
+    "BOOT_IMAGE_NOT_FOUND",
+    `restore: no rootfs image available for this bundle.
+  The snapshot's meta.json doesn't record a source image (likely
+  predates the field). Pass the same tarball you booted the
+  source VM with via the runtime's restore({ image }) or the
+  CLI's \`machinen restore --image <tarball>\`.`
+  );
+}
+function autoNameRestoredFork(vm, opts, meta) {
+  if (opts.name || !meta.sourceName) {
+    return;
+  }
+  const candidates = [`${meta.sourceName}/${vm.pid}`, `${meta.sourceName}~${vm.pid}`];
+  for (const candidate of candidates) {
+    if (claimName(candidate, vm.pid)) {
+      const cur = findEntry({ pid: vm.pid });
+      if (cur) {
+        writeEntry({ ...cur, name: candidate });
+      }
+      vm.name = candidate;
+      break;
+    }
+  }
+}
+async function restoreVmstate(opts, snapDir) {
+  const statePath = join14(snapDir, VMSTATE_FILE);
+  const metaPath = join14(snapDir, "meta.json");
+  let meta = { snappedAt: 0 };
+  if (existsSync15(metaPath)) {
+    try {
+      meta = JSON.parse(readFileSync9(metaPath, "utf8"));
+    } catch {
+    }
+  }
+  const resolvedImage = resolveRestoreImage(opts, meta);
+  const effectiveLiveMounts = resolveRestoreLiveMounts(meta.liveMounts, opts.liveMounts);
+  let restoreMountDisk;
+  if (meta.mountDisk) {
+    const lowerAbs = join14(snapDir, meta.mountDisk.lower);
+    const upperAbs = join14(snapDir, meta.mountDisk.upper);
+    if (!existsSync15(lowerAbs) || !existsSync15(upperAbs)) {
+      throw new BootError(
+        "BOOT_SNAPSHOT_NOT_FOUND",
+        `restore: bundle's mount overlay is missing one of:
+  ${lowerAbs}
+  ${upperAbs}`
+      );
+    }
+    restoreMountDisk = { guest: meta.mountDisk.guest, lowerPath: lowerAbs, upperPath: upperAbs };
+  }
+  debugRestore("vmstate restore snapDir=%s state=%s image=%s", snapDir, statePath, resolvedImage);
+  const vm = await boot({
+    ...opts,
+    image: resolvedImage,
+    forkedFrom: snapDir,
+    name: opts.name,
+    liveMounts: effectiveLiveMounts,
+    _restoreMountDisk: restoreMountDisk,
+    _vmstateRestorePath: statePath
+  });
+  autoNameRestoredFork(vm, opts, meta);
+  void setGuestHostname(vm, buildGuestHostname(vm.pid, vm.name)).catch(() => {
+  });
+  return vm;
+}
 
 // src/vm/fork.ts
-var debugFork = debugLib14("machinen:fork");
+var debugFork = debugLib13("machinen:fork");
 async function performFork(ctx, opts) {
   await checkForkBackpressure({
     threshold: opts.freeMemoryThreshold ?? DEFAULT_FREE_MEMORY_THRESHOLD
@@ -6666,7 +6723,7 @@ async function performFork(ctx, opts) {
   } catch (err) {
     if (ephemeral) {
       try {
-        rmSync10(snapDir, { recursive: true, force: true });
+        rmSync9(snapDir, { recursive: true, force: true });
       } catch {
       }
     }
@@ -6686,7 +6743,7 @@ async function performFork(ctx, opts) {
   } catch (err) {
     if (ephemeral) {
       try {
-        rmSync10(snapDir, { recursive: true, force: true });
+        rmSync9(snapDir, { recursive: true, force: true });
       } catch {
       }
     }
@@ -6697,7 +6754,7 @@ async function performFork(ctx, opts) {
     void fork.wait().catch(() => {
     }).finally(() => {
       try {
-        rmSync10(snapDir, { recursive: true, force: true });
+        rmSync9(snapDir, { recursive: true, force: true });
         debugFork("fork ephemeral bundle cleaned up snapDir=%s", snapDir);
       } catch (cleanupErr) {
         debugFork(
@@ -6719,7 +6776,7 @@ function measureFirstByte(vm) {
 }
 
 // src/vm/attach.ts
-var debugAttach = debugLib15("machinen:attach");
+var debugAttach = debugLib14("machinen:attach");
 async function attach(opts) {
   debugAttach("attach lookup pid=%s name=%s", opts.pid ?? "<unset>", opts.name ?? "<unset>");
   const entry = findEntry(opts);
@@ -6740,7 +6797,7 @@ async function attach(opts) {
   const stderr = new PassThrough3();
   stdout.end();
   stderr.end();
-  const waitForExit2 = async () => {
+  const waitForExit = async () => {
     while (isAlive(entry.pid)) {
       await new Promise((r) => setTimeout(r, 200));
     }
@@ -6753,7 +6810,7 @@ async function attach(opts) {
     stdout,
     stderr,
     async wait() {
-      return waitForExit2();
+      return waitForExit();
     },
     async kill() {
       if (!isAlive(entry.pid)) {
@@ -6763,7 +6820,7 @@ async function attach(opts) {
         process.kill(entry.pid, "SIGKILL");
       } catch {
       }
-      await waitForExit2();
+      await waitForExit();
     },
     async detach() {
     },
@@ -6806,7 +6863,8 @@ ${res.stderr}`
       };
     },
     async snapshot(snapshotOpts) {
-      if (!entry.diskPath) {
+      const engine = resolveSnapshotEngine();
+      if (engine === "criu" && !entry.diskPath || engine === "vmstate" && !entry.vmstatePath) {
         throw new SnapshotError(
           "SNAPSHOT_NO_DISK",
           "vm.snapshot: this VM was booted with `snapshot: false` (no scratch disk attached). Re-boot without that flag \u2014 the runtime will auto-allocate a sparse scratch \u2014 or pass `snapshot: '<path>'`."
@@ -6815,7 +6873,8 @@ ${res.stderr}`
       return performSnapshot(buildAttachSnapshotContext(), snapshotOpts);
     },
     async fork(forkOpts) {
-      if (!entry.diskPath) {
+      const engine = resolveSnapshotEngine();
+      if (engine === "criu" && !entry.diskPath || engine === "vmstate" && !entry.vmstatePath) {
         throw new SnapshotError(
           "SNAPSHOT_NO_DISK",
           "vm.fork: source VM has no scratch disk (booted with `snapshot: false`)."
@@ -6835,6 +6894,9 @@ ${res.stderr}`
       // bundle exactly like boot-owned snapshots do.
       mountDisk: entry.mountDisk,
       liveMounts: entry.liveMounts,
+      // Vmstate engine: the VMM's whole-VM state-file path, persisted
+      // at boot. performSnapshotVmstate SIGUSR1s the VMM and reads it.
+      vmstatePath: entry.vmstatePath,
       execRaw: (cmd, execOpts) => handle.execRaw(cmd, execOpts),
       wait: () => handle.wait(),
       kill: () => handle.kill(),
@@ -6856,8 +6918,8 @@ var _internal = {
 };
 
 // src/provision.ts
-var debug13 = debugLib16("machinen:provision");
-var vmmDebug2 = debugLib16("machinen:vmm");
+var debug12 = debugLib15("machinen:provision");
+var vmmDebug2 = debugLib15("machinen:vmm");
 var TAR_TO_DISK_CMD = [
   "tar",
   "-C /",
@@ -6917,7 +6979,7 @@ function resolveBaseDtb(explicit, cwd = process.cwd()) {
 function resolveBaseAsset(spec, explicit, cwd) {
   if (explicit) {
     const abs = resolve9(cwd, explicit);
-    if (!existsSync17(abs)) {
+    if (!existsSync16(abs)) {
       throw new ProvisionError(spec.missingCode, `${spec.kind} not found: ${abs}`);
     }
     return abs;
@@ -6925,7 +6987,7 @@ function resolveBaseAsset(spec, explicit, cwd) {
   const assetsDir = process.env.MACHINEN_ASSETS_DIR;
   if (assetsDir) {
     const p = resolve9(assetsDir, spec.assetsDirName);
-    if (!existsSync17(p)) {
+    if (!existsSync16(p)) {
       throw new ProvisionError(
         "PROVISION_ASSETS_DIR_INVALID",
         `MACHINEN_ASSETS_DIR=${assetsDir} does not contain ${spec.assetsDirName}`
@@ -6934,7 +6996,7 @@ function resolveBaseAsset(spec, explicit, cwd) {
     return p;
   }
   const cached = join16(cliCachedBaseDir(), spec.cliCacheName);
-  if (existsSync17(cached)) {
+  if (existsSync16(cached)) {
     return cached;
   }
   throw new ProvisionError(
@@ -6947,7 +7009,7 @@ function resolveBaseAsset(spec, explicit, cwd) {
 }
 function cliCachedBaseDir() {
   const pkgPath = resolve9(import.meta.dirname, "..", "package.json");
-  const version = JSON.parse(readFileSync11(pkgPath, "utf8")).version;
+  const version = JSON.parse(readFileSync10(pkgPath, "utf8")).version;
   return join16(homedir8(), ".machinen", `runtime-v${version}`, "bases", "debian-arm64");
 }
 async function provision(opts) {
@@ -6956,18 +7018,18 @@ async function provision(opts) {
   const kernelAbs = resolveBaseKernel(opts.kernel, cwd);
   const dtbAbs = resolveBaseDtb(opts.dtb, cwd);
   const outAbs = resolve9(cwd, opts.out);
-  mkdirSync12(dirname9(outAbs), { recursive: true });
+  mkdirSync12(dirname7(outAbs), { recursive: true });
   const t0 = Date.now();
   const workDir = mkdtempSync8(join16(tmpdir8(), "machinen-provision-"));
   const diskPath = join16(workDir, "scratch.img");
   const rootDiskPath = join16(workDir, "rootfs.img");
   const udsPath = join16(workDir, "exec.sock");
-  debug13("provision start base=%s out=%s workDir=%s", baseAbs, outAbs, workDir);
+  debug12("provision start base=%s out=%s workDir=%s", baseAbs, outAbs, workDir);
   const phases = new PhaseTimer();
   try {
     const scratchBytes = opts.scratchDiskSizeBytes ?? 1024 * 1024 * 1024;
     allocateSparseFile4(diskPath, scratchBytes);
-    debug13("scratch disk allocated path=%s sizeBytes=%d", diskPath, scratchBytes);
+    debug12("scratch disk allocated path=%s sizeBytes=%d", diskPath, scratchBytes);
     phases.start("rootdisk-prep");
     const cachedImg = ensureRootfsImage(baseAbs, {
       onPhase: (name, ms) => phases.mark(`rootdisk-prep.${name}`, ms)
@@ -6975,7 +7037,7 @@ async function provision(opts) {
     const reflinkT0 = Date.now();
     reflinkCopy(cachedImg, rootDiskPath);
     phases.mark("rootdisk-prep.reflink", Date.now() - reflinkT0);
-    debug13("rootdisk cloned src=%s dst=%s", cachedImg, rootDiskPath);
+    debug12("rootdisk cloned src=%s dst=%s", cachedImg, rootDiskPath);
     markRootfsImageClean(cachedImg);
     phases.end("rootdisk-prep");
     phases.start("boot");
@@ -7021,14 +7083,14 @@ async function provision(opts) {
     const stderrTail = () => Buffer.concat(tailBuf).slice(-TAIL_MAX).toString("utf8");
     try {
       const installT0 = Date.now();
-      debug13("install hook entry");
+      debug12("install hook entry");
       phases.start("install");
       try {
         await opts.install(vm);
       } catch (err) {
         const tail = stderrTail();
         const msg = err instanceof Error ? err.message : String(err);
-        debug13("install hook failed err=%s tailBytes=%d", msg, tail.length);
+        debug12("install hook failed err=%s tailBytes=%d", msg, tail.length);
         throw new ProvisionError(
           "PROVISION_INSTALL_HOOK_FAILED",
           `install hook failed: ${msg}
@@ -7038,8 +7100,8 @@ ${tail}`,
         );
       }
       phases.end("install");
-      debug13("install hook done elapsed=%dms", Date.now() - installT0);
-      debug13("tar / -> /dev/vdb starting");
+      debug12("install hook done elapsed=%dms", Date.now() - installT0);
+      debug12("tar / -> /dev/vdb starting");
       const tarT0 = Date.now();
       phases.start("tar-to-disk");
       const tar = await VsockExec.run(udsPath, TAR_TO_DISK_CMD, {
@@ -7047,7 +7109,7 @@ ${tail}`,
         ...tapExecForLog(TAR_TO_DISK_CMD, opts.onLog)
       });
       phases.end("tar-to-disk");
-      debug13("tar / -> /dev/vdb done exit=%d elapsed=%dms", tar.exitCode, Date.now() - tarT0);
+      debug12("tar / -> /dev/vdb done exit=%d elapsed=%dms", tar.exitCode, Date.now() - tarT0);
       if (tar.exitCode !== 0) {
         throw new ProvisionError(
           "PROVISION_DISK_TOO_SMALL",
@@ -7056,7 +7118,7 @@ Bump scratchDiskSizeBytes. stderr:
 ${tar.stderr}`
         );
       }
-      debug13("requesting guest poweroff");
+      debug12("requesting guest poweroff");
       phases.start("poweroff-wait");
       await VsockExec.run(udsPath, "/sbin/machinen-poweroff", {
         connectTimeoutMs: 2e3,
@@ -7066,7 +7128,7 @@ ${tar.stderr}`
       console.error("provision: waiting for guest exit\u2026");
       await vm.wait();
       phases.end("poweroff-wait");
-      debug13("guest exited");
+      debug12("guest exited");
     } finally {
       clearTimeout(killTimer);
       if (vm.pid > 0) {
@@ -7074,7 +7136,7 @@ ${tar.stderr}`
         });
       }
     }
-    debug13("repack disk tar -> %s starting", outAbs);
+    debug12("repack disk tar -> %s starting", outAbs);
     const repackT0 = Date.now();
     phases.start("repack-targz");
     repackDiskTarToGz(diskPath, outAbs, {
@@ -7083,7 +7145,7 @@ ${tar.stderr}`
       onPhase: (name, ms) => phases.mark(`repack-targz.${name}`, ms)
     });
     phases.end("repack-targz");
-    debug13("repack done elapsed=%dms", Date.now() - repackT0);
+    debug12("repack done elapsed=%dms", Date.now() - repackT0);
     const sizeBytes = statSync11(outAbs).size;
     warmImageConfigCache(
       outAbs,
@@ -7093,8 +7155,8 @@ ${tar.stderr}`
       } : null
     );
     const elapsedMs = Date.now() - t0;
-    debug13("provision complete sizeBytes=%d totalElapsed=%dms", sizeBytes, elapsedMs);
-    phases.flush(debug13, "provision", elapsedMs);
+    debug12("provision complete sizeBytes=%d totalElapsed=%dms", sizeBytes, elapsedMs);
+    phases.flush(debug12, "provision", elapsedMs);
     opts.onLog?.(phases.toEvent("provision", elapsedMs));
     return {
       imagePath: outAbs,
@@ -7103,7 +7165,7 @@ ${tar.stderr}`
     };
   } finally {
     try {
-      rmSync11(workDir, { recursive: true, force: true });
+      rmSync10(workDir, { recursive: true, force: true });
     } catch {
     }
   }
@@ -7154,7 +7216,7 @@ function repackDiskTarToGz(diskPath, outAbs, opts = {}) {
     });
   } finally {
     try {
-      rmSync11(extractDir, { recursive: true, force: true });
+      rmSync10(extractDir, { recursive: true, force: true });
     } catch {
     }
   }