npm - @machinen/runtime - Versions diffs - 0.3.4 → 0.4.0 - Mend

@machinen/runtime 0.3.4 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -128,7 +128,7 @@ interface PhaseLogEvent {
 type LogEvent = ChunkLogEvent | PhaseLogEvent;
 type OnLog = (evt: LogEvent) => void;
-type SnapshotEngine = "criu" | "vmstate";
+type SnapshotEngine = "criu" | "vmstate" | "portable";
 interface AttachOptions {
     /**
@@ -165,7 +165,8 @@ declare function attach(opts: AttachOptions): Promise<VmHandle>;
 interface BootOptions {
     /**
      * Path to a rootfs tarball to boot from (e.g. the output of
-     * `provision()`, or `rootfs-debian-arm64.tar.gz` shipped in releases).
+     * `provision()`, or an arch-specific base rootfs tarball shipped in
+     * releases: `rootfs-debian-arm64.tar.gz` / `rootfs-debian-amd64.tar.gz`).
      * Paired with `cmd` — both required, or neither (test-mode binary
      * boots and snapshot-only restores both skip initramfs packing).
      */
@@ -287,10 +288,10 @@ interface BootOptions {
      *
      * Trade-off vs. `liveMount`: `mount` is copy-into-disk-image (no
      * runtime channel back to the host source dir, snapshots cleanly,
-     * but writes don't propagate to the host); `liveMount` is a live
-     * vsock-FUSE pass-through (writes land on the host, doesn't survive
-     * snapshot/restore). Pick `mount` for inputs the guest may modify
-     * but the host shouldn't see; `liveMount` for shared scratch.
+     * but writes don't propagate to the host); `liveMount` is an in-VMM
+     * virtio-fs pass-through (writes land on the host and restore/fork
+     * re-establish the same guest mount topology). Pick `mount` for inputs the
+     * guest may modify but the host shouldn't see; `liveMount` for shared scratch.
      *
      * See #64 (original `mount`), #78 (`liveMount`), #114 (rootdisk
      * relocation; same shape), #272 (this overlay relocation).
@@ -336,6 +337,14 @@ interface BootOptions {
      * @internal
      */
     _vmstateRestorePath?: string;
+    /**
+     * Vmstate restore: exact root block image from the snapshot bundle.
+     * `boot()` reflink-clones this into a per-VM temp file before
+     * attaching it so the restored guest cannot mutate the bundle.
+     *
+     * @internal
+     */
+    _rootDiskRestorePath?: string;
     /**
      * Host directories exposed to the guest as live-share mounts (#78,
      * #332). Unlike `mount` (copy-once into the boot rootfs), these stay
@@ -345,8 +354,8 @@ interface BootOptions {
      * caches, untrusted guests).
      *
      * Each guest path must live under `/mnt/` (same rule as `mount`).
-     * Repeatable up to 4 entries per VM — each is served by its own
-     * in-VMM virtio-fs device (the VMM wires 4 virtio-fs slots). The
+     * Repeatable up to 5 entries per VM — each is served by its own
+     * in-VMM virtio-fs device (the VMM wires 5 virtio-fs slots). The
      * FUSE opcode handlers run inside the VMM and the guest mounts each
      * share directly with `mount -t virtiofs` — no agent process, no
      * vsock hop. Requires a guest kernel with `CONFIG_VIRTIO_FS` — every
@@ -406,14 +415,28 @@ interface BootOptions {
     kernel?: string;
     /** Path to the guest device-tree blob. Forwarded as `MACHINEN_DTB`. */
     dtb?: string;
+    /**
+     * Opt in to exposing arm64 EL2 / `/dev/kvm` to the guest so the
+     * workload can start its own VMs. This is intentionally off by
+     * default: it requires Linux/arm64 KVM with nested EL2 support, or
+     * macOS 15+ on M3/M4-class Apple Silicon, and provider-level
+     * snapshots of a nested-enabled VM are refused until EL2 vmstate
+     * capture is audited.
+     *
+     * When set, the runtime does a best-effort host preflight and passes
+     * `MACHINEN_NESTED=1` to the VMM. The VMM's backend probe is still
+     * authoritative.
+     */
+    nested?: boolean;
     /**
      * Guest RAM ceiling, in MiB (decimal integer; no unit suffixes). The
-     * VMM reads this as `MACHINEN_MEMORY` (#263 phase A). Defaults to
-     * `min(host_ram_mib / 2, 16384)` with a floor of 512 — sized for
-     * typical dev workloads while leaving the host responsive. The
-     * ceiling is approximately free until the guest touches a page (see
-     * `packages/microvm/docs/memory.md`), so over-provisioning costs
-     * little until phase B's balloon lands and lets it actually shrink.
+     * VMM reads this as `MACHINEN_MEMORY` (#263 phase A). This is the
+     * guest's memory layout limit, not the host memory used right now.
+     * Defaults to `min(host_ram_mib / 2, 4096)` with a floor of 512 — a
+     * modest ceiling for typical dev workloads. The ceiling is
+     * approximately free until the guest touches a page (see
+     * `packages/microvm/docs/memory.md`), but a bigger ceiling still
+     * increases guest metadata and the possible high-water mark.
      *
      * This is documented as a debug knob — most workloads should never
      * need to set it.
@@ -458,16 +481,15 @@ interface BootOptions {
      *
      * Forces `pdeathsig: false` (otherwise the parent's exit kills the
      * VMM, defeating the purpose). Compatible with every other boot
-     * option: gvproxy + live-mount FUSE servers spawn as detached
-     * daemons wrapped through `pdeathsig --watch-pid <vmm>`, and `mount`
-     * (squashfs+ext4 overlay) is fd-passed to the VMM at spawn so the
-     * supervisor holds no live state afterwards.
+     * option: gvproxy is tracked in the registry, live mounts are served
+     * by in-VMM virtio-fs devices, and `mount` (squashfs+ext4 overlay)
+     * is fd-passed to the VMM at spawn so the supervisor holds no live
+     * state afterwards.
      *
      * Cleanup of per-boot reflink disks, bundle dirs, and vsock UDS
      * directories normally happens in the parent's `child.once("exit")`
-     * hook. After detach the parent is gone, so those leak until the
-     * follow-up `machinen gc` / `machinen stop` commands (PR2 of #150)
-     * land. Use `--detached` only when you understand that trade-off.
+     * hook. After detach the parent is gone, so those leak until
+     * `machinen gc` / `machinen stop` reaps them.
      *
      * Reattach with `attach({ name | pid })` from another process —
      * the registry entry stays live, the vsock UDS is still listening.
@@ -534,9 +556,9 @@ declare function validateMemoryMib(mib: number): number;
  *   1. `MACHINEN_VMM` env var (dev-mode override)
  *   2. `require.resolve("@machinen/native-<arch>-<os>")` → `binary` export
  *
- * `@machinen/native-arm64-{darwin,linux}` is the consolidated host-tool
- * package — it carries the VMM, gvproxy, guest ELFs, mke2fs,
- * mksquashfs, and the mount server. Callers can pass an explicit
+ * `@machinen/native-{arm64-darwin,arm64-linux,x64-linux}` is the
+ * consolidated host-tool package — it carries the VMM, gvproxy,
+ * guest ELFs, mke2fs, and mksquashfs. Callers can pass an explicit
  * `binary` to `boot()` to bypass this.
  *
  * @throws {BootError} BOOT_VMM_MISSING | BOOT_VMM_PACKAGE_BROKEN
@@ -595,8 +617,9 @@ declare function warmImageConfigCache(imagePath: string, config: ImageConfig | n
 interface RestoreOptions extends Omit<BootOptions, "snapshot" | "image" | "cmd" | "name"> {
     /**
-     * Snapshot bundle directory produced by `vm.snapshot()`.
-     * Must contain `img/<crius>` and `meta.json`.
+     * Snapshot bundle directory produced by `vm.snapshot()`. Vmstate bundles
+     * contain `state.vmstate`, `rootdisk.img`, and `meta.json`; legacy CRIU
+     * bundles contain `img/<crius>` and `meta.json`.
      */
     snapDir: string;
     /**
@@ -614,19 +637,17 @@ interface RestoreOptions extends Omit<BootOptions, "snapshot" | "image" | "cmd"
      */
     name?: string;
     /**
-     * Opt into lazy-pages restore — bundle is vsock-FUSE-mounted into
-     * the guest read-only and `criu restore --lazy-pages` faults pages
-     * on demand (#266). Default false: the runtime packs the CRIU
-     * image into a tar on `/dev/vdb`, the guest's
-     * `/sbin/machinen-restore` untars it into tmpfs, and CRIU does an
-     * eager load.
+     * Opt into CRIU lazy-pages restore — the CRIU image directory is mounted
+     * into the guest read-only via in-VMM virtio-fs and `criu restore
+     * --lazy-pages` faults pages on demand (#266). Default false: the runtime
+     * packs the CRIU image into a tar on `/dev/vdb`, the guest's
+     * `/sbin/machinen-restore` untars it into tmpfs, and CRIU does an eager
+     * load.
      *
-     * Eager is still the default because lazy bundles a host-side FUSE
-     * server that doesn't compose with `--detach` (#150 phase 3). The
-     * historical second blocker — runaway free-page-reporting under
-     * lazy — is fixed in #290 by the in-tree kernel patch that stops
-     * the buddy allocator from clearing the Reported flag during a
-     * merge.
+     * Eager is still the CRIU default because lazy restore is a specialized
+     * UFFD path. The historical runaway free-page-reporting blocker under
+     * lazy is fixed in #290 by the in-tree kernel patch that stops the buddy
+     * allocator from clearing the Reported flag during a merge.
      */
     lazy?: boolean;
 }
@@ -753,48 +774,34 @@ interface VmHandle {
      */
     writeFile(guestPath: string, contents: Buffer | string, opts?: WriteFileOptions): Promise<void>;
     /**
-     * Freeze this VM with CRIU and write a snapshot bundle into
-     * `opts.outDir`. The bundle is a directory containing:
+     * Write a snapshot bundle into `opts.outDir`.
      *
-     *   <outDir>/img/                ← CRIU image files (pages-*.img,
-     *                                  pagemap-*.img, core-*.img,
-     *                                  dump.log, ...)
-     *   <outDir>/meta.json           ← source name + timestamp +
-     *                                  optional mountDisk pointers
-     *   <outDir>/mount-lower.sqfs    ← squashfs RO lower (only when
-     *                                  the source VM had `mount` set)
-     *   <outDir>/mount-upper.img     ← ext4 RW upper (only when
-     *                                  the source VM had `mount` set)
+     * With the default vmstate engine this is an incremental checkpoint:
+     * the source VM keeps running, the first checkpoint in the VM's
+     * chain carries full sparse RAM + `rootdisk.img`, and later
+     * checkpoints carry RAM/rootdisk delta sections plus full vCPU,
+     * GIC, virtio queue, and virtio-fs backend state. `restore()` walks
+     * parent pointers and materializes a flat vmstate/rootdisk pair
+     * before booting through the normal vmstate restore path.
+     *
+     * With `MACHINEN_SNAPSHOT_ENGINE=criu`, this keeps the historical
+     * process-tree behavior: CRIU image files live under `<outDir>/img/`,
+     * `opts.leaveRunning: true` keeps the source alive, and the default
+     * destructive CRIU snapshot powers the source off after the dump.
+     * With `MACHINEN_SNAPSHOT_ENGINE=portable`, snapshot currently
+     * refuses with an experimental/unsupported-workload error; the
+     * semantic cross-ISA checkpoint implementation has not landed yet.
      *
      * `mount-lower.sqfs` and `mount-upper.img` are reflinked from the
      * runtime's per-VM materialization (#272), so on APFS / btrfs / xfs
      * the snapshot is essentially free space-wise even for a large
      * mount payload — blocks stay shared until either side writes.
      *
-     * The caller must have booted the VM with a scratch disk (`snapshot:
-     * '<path>'` or default auto-allocation) so the guest had `/dev/vdb`
-     * to dump into; otherwise this throws `SNAPSHOT_NO_DISK`.
-     *
-     * Guest contract: the rootfs ships a dump helper callable via
-     * vsock exec — default `/sbin/machinen-dump`, override via
-     * `opts.dumpCmd`. The helper runs `criu dump --leave-running` and
-     * tars the resulting image set out on stdout, which the host
-     * extracts into `<outDir>/img/`. For destructive snapshots (default)
-     * the runtime then issues `/sbin/machinen-poweroff` over vsock to
-     * bring the VMM down; `opts.leaveRunning: true` skips that step
-     * and the source VM keeps running.
+     * `SNAPSHOT_TIMEOUT` if the dump doesn't complete within
+     * `opts.timeoutMs`; `SNAPSHOT_DUMP_FAILED` if the engine reports a
+     * failed/incomplete dump.
      *
-     * `SNAPSHOT_TIMEOUT` if the dump exec doesn't return within
-     * `opts.timeoutMs`; `SNAPSHOT_DUMP_FAILED` if it returns non-zero
-     * or the streamed bundle is empty.
-     *
-     * Supported on both boot-owned and attach handles — attach uses
-     * the `diskPath` stored in the VM registry entry at boot time.
-     *
-     * By default the VM exits as part of the dump (CRIU kills the
-     * dumped tree on success). Pass `opts.leaveRunning: true` to keep
-     * the source VM alive — the workload resumes from the dump point
-     * and the bundle can be restored into a sibling VM (`vm.fork()`).
+     * Supported on both boot-owned and attach handles.
      */
     snapshot(opts: SnapshotOptions): Promise<SnapshotResult>;
     /**
@@ -917,8 +924,7 @@ interface SnapshotOptions {
      */
     dumpCmd?: string;
     /**
-     * Wall-clock ceiling for the dump + shutdown. If the VMM hasn't exited
-     * in this window we SIGKILL it and fail. Default 90s.
+     * Wall-clock ceiling for the dump/checkpoint. Default 90s.
      */
     timeoutMs?: number;
     /**
@@ -928,12 +934,11 @@ interface SnapshotOptions {
      */
     onLog?: OnLog;
     /**
-     * Pass `--leave-running` to `criu dump` so the source workload
-     * survives the snapshot. The VMM stays up after the dump; success
-     * is signalled by the dump exec returning 0 instead of by VMM exit.
-     * Used by `vm.fork()` (#216).
+     * CRIU engine only: pass `--leave-running` to `criu dump` so the
+     * source workload survives the snapshot. Vmstate checkpoints are
+     * always non-destructive and ignore this flag.
      *
-     * Default: false (current destructive snapshot behavior).
+     * Default under CRIU: false (destructive CRIU snapshot behavior).
      */
     leaveRunning?: boolean;
     /**
@@ -962,7 +967,7 @@ interface SnapshotResult {
      * bundle. Set by the vmstate engine only; undefined for criu bundles.
      */
     vmstatePath?: string;
-    /** Time from `snapshot()` entry to VMM exit, in milliseconds. */
+    /** Time from `snapshot()` entry to completed bundle, in milliseconds. */
     elapsedMs: number;
     /** Guest console output captured during the dump. */
     consoleLog: string;
@@ -971,13 +976,65 @@ interface SnapshotResult {
  * On-disk shape of the bundle's `meta.json`. Read by `restore()`
  * to reconstruct the source VM's name when registering the fork.
  */
+type VmstateBackend = "hvf" | "kvm" | "unknown";
+interface SnapshotFileIdentity {
+    /** Absolute source path when known on the snapshotting host. */
+    path?: string;
+    /** Logical file size in bytes. */
+    sizeBytes: number;
+    /** SHA-256 over the logical file bytes. */
+    sha256: string;
+}
+interface VmstateSnapshotMeta {
+    /** VMM backend that wrote `state.vmstate`. */
+    sourceBackend?: VmstateBackend;
+    /** Guest CPU architecture captured in `state.vmstate`; restore must match. */
+    guestArch?: "arm64" | "amd64" | "unknown";
+    /** Topology hash from the .vmstate header (guest IPA/GIC/RAM layout). */
+    topologyHash?: string;
+    /** Guest RAM ceiling/layout the source VM booted with; not current host memory use. */
+    memoryCeilingMib?: number;
+    /** Pointer-auth state inferred from SCTLR_EL1 at snapshot time. */
+    guestPauth?: {
+        active?: boolean;
+        sctlrEl1?: string;
+    };
+    /** Exact root block image needed by the resumed guest, a parent-relative delta, or explicit absence. */
+    rootDisk?: ({
+        mode: "block";
+        file: string;
+    } & SnapshotFileIdentity) | {
+        mode: "delta";
+    } | {
+        mode: "none";
+    };
+    /** Kernel image identity when the source boot used an explicit kernel. */
+    kernel?: SnapshotFileIdentity;
+    /** DTB identity when the source boot used an explicit DTB. */
+    dtb?: SnapshotFileIdentity;
+    /** Incremental checkpoint chain metadata for vmstate snapshots. */
+    checkpoint?: {
+        /** New random chain id for this VM's lifetime. */
+        chainId: string;
+        /** Per-chain checkpoint number, starting at 1. */
+        sequence: number;
+        /** Relative path from this bundle to its parent bundle, absent for a base checkpoint. */
+        parent?: string;
+        /** RAM section shape carried by this bundle. */
+        ram: "full" | "delta";
+        /** Rootdisk section shape carried by this bundle. */
+        rootDisk: "full" | "delta" | "none";
+    };
+}
 interface SnapshotMeta {
     /**
      * Which backend wrote this bundle — `"criu"` (process-tree images
-     * under `img/`) or `"vmstate"` (whole-VM `state.vmstate`). `restore()`
-     * also auto-detects from the bundle's contents; this field is the
-     * explicit record. Absent on bundles predating the vmstate engine
-     * (treated as `"criu"`).
+     * under `img/`), `"vmstate"` (whole-VM `state.vmstate`), or the
+     * experimental `"portable"` semantic format. `restore()` auto-detects
+     * CRIU/vmstate from the bundle's contents; portable remains explicit
+     * opt-in so semantic process restore is not confused with exact VM
+     * restore. Absent on bundles predating the vmstate engine (treated as
+     * `"criu"`).
      */
     engine?: SnapshotEngine;
     /** Name passed to `boot({ name })` when the source VM was started. */
@@ -993,6 +1050,8 @@ interface SnapshotMeta {
     sourceImage?: string;
     /** ms epoch when `vm.snapshot()` returned. */
     snappedAt: number;
+    /** Whole-VM `.vmstate` restore invariants. Present on new vmstate bundles. */
+    vmstate?: VmstateSnapshotMeta;
     /**
      * #272: when the source VM was booted with `mount: { host, guest }`,
      * the snapshot bundle includes both halves of the overlay so a
@@ -1092,17 +1151,16 @@ interface ForkOptions extends Omit<RestoreOptions, "snapDir"> {
      */
     onLog?: OnLog;
     /**
-     * Opt into lazy-pages restore for the fork — vsock-FUSE-mounted
-     * bundle + `criu restore --lazy-pages`. Default false: the runtime
-     * packs the CRIU image into a tar on `/dev/vdb` and the guest does
-     * an eager load.
+     * Opt into CRIU lazy-pages restore for the fork — the CRIU image directory
+     * is mounted into the guest read-only via in-VMM virtio-fs and `criu restore
+     * --lazy-pages` faults pages on demand. Default false: the runtime packs the
+     * CRIU image into a tar on `/dev/vdb` and the guest does an eager load.
      *
-     * Lazy keeps fork RSS proportional to the pages the sibling
-     * actually touches, not the full snapshot size. Worth setting when
-     * the source dumped a large heap that the fork will only sample.
-     * Cannot combine with `--detach` (the lazy path needs the host's
-     * FUSE server alive as long as the guest may fault, see #150
-     * phase 3); the runtime falls back to eager in that case.
+     * Lazy keeps fork RSS proportional to the pages the sibling actually
+     * touches, not the full snapshot size. Worth setting when the source dumped
+     * a large heap that the fork will only sample. The CLI currently forces
+     * eager restore for `fork --detach --lazy`; use the runtime API directly if
+     * you need to experiment with that combination.
      */
     lazy?: boolean;
     /**
@@ -1230,6 +1288,14 @@ declare class Supervisor {
     private installWinchHandler;
     private removeWinchHandler;
     private ingest;
+    private ingestAttached;
+    private findDetachSequence;
+    private markCtrlRightBracket;
+    private ingestRemainderAfterDetach;
+    private sendAttachedIfNonEmpty;
+    private sendAttached;
+    private ingestDetached;
+    private handleDetachedLine;
     private handleCommand;
     private doLs;
     private bannerText;
@@ -1342,12 +1408,13 @@ declare const VsockFiles: {
 interface ProvisionOptions {
     /**
      * Path to the base rootfs tarball to start from. Typically the
-     * `rootfs-debian-arm64.tar.gz` produced by
-     * `scripts/build-base-assets.sh` or shipped in a machinen release.
+     * arch-specific rootfs tarball produced by `scripts/build-base-assets.sh`
+     * (`rootfs-debian-arm64.tar.gz` or `rootfs-debian-amd64.tar.gz`) or
+     * shipped in a machinen release.
      *
      * Optional — when omitted, `provision()` resolves it via `resolveBaseRootfs()`
      * (MACHINEN_ASSETS_DIR env override, falling back to the `@machinen/cli`
-     * cache at `~/.machinen/@machinen/runtime@<version>/bases/debian-arm64/`).
+     * cache for the selected guest arch).
      */
     base?: string;
     /**
@@ -1431,11 +1498,11 @@ interface ProvisionResult {
  *
  *   1. `explicit` — the caller-supplied path (resolved against `cwd`).
  *   2. `MACHINEN_ASSETS_DIR` env var — points at a directory laid out like
- *      `scripts/build-base-assets.sh`'s output (contains
- *      `rootfs-debian-arm64.tar.gz`). Same convention `@machinen/cli`
- *      honors for local/dev builds.
+ *      `scripts/build-base-assets.sh`'s output (contains the selected
+ *      arch's rootfs tarball). Same convention `@machinen/cli` honors for
+ *      local/dev builds.
  *   3. `@machinen/cli`'s on-disk cache at
- *      `~/.machinen/@machinen/runtime@<version>/bases/debian-arm64/rootfs.tar.gz`.
+ *      `~/.machinen/@machinen/runtime@<version>/bases/debian-<arch>/rootfs.tar.gz`.
  *      Populated by running `machinen` once against the installed runtime.
  *
  * Throws `ProvisionError` with guidance if none of those turn up a file.
@@ -1445,8 +1512,8 @@ interface ProvisionResult {
  */
 declare function resolveBaseRootfs(explicit?: string, cwd?: string): string;
 /**
- * Resolve the path to the guest kernel Image. Same fallback chain as
- * `resolveBaseRootfs`: explicit → `MACHINEN_ASSETS_DIR/Image-arm64` →
+ * Resolve the path to the guest kernel image. Same fallback chain as
+ * `resolveBaseRootfs`: explicit → `MACHINEN_ASSETS_DIR/<arch kernel>` →
  * `@machinen/cli` cache at `<base>/Image`. Exported for callers that
  * want to pre-check or wire the path into `boot()`.
  *
@@ -1455,14 +1522,15 @@ declare function resolveBaseRootfs(explicit?: string, cwd?: string): string;
  */
 declare function resolveBaseKernel(explicit?: string, cwd?: string): string;
 /**
- * Resolve the path to the guest DTB. Same fallback chain as
+ * Resolve the path to the guest DTB. amd64 guests do not use a DTB unless
+ * the caller passes one explicitly. arm64 follows the same fallback chain as
  * `resolveBaseRootfs`: explicit → `MACHINEN_ASSETS_DIR/virt-arm64.dtb` →
  * `@machinen/cli` cache at `<base>/virt.dtb`.
  *
  * @throws {ProvisionError} PROVISION_DTB_NOT_FOUND |
  *   PROVISION_ASSETS_DIR_INVALID
  */
-declare function resolveBaseDtb(explicit?: string, cwd?: string): string;
+declare function resolveBaseDtb(explicit?: string, cwd?: string): string | undefined;
 /**
  * Boot the base rootfs, run the user install hook, and freeze the
  * resulting filesystem state to a new tarball at `opts.out`.
@@ -1744,6 +1812,14 @@ interface RegistryEntry {
     socketPath: string;
     /** Path to the image the VM was booted from (diagnostic only). */
     imagePath?: string;
+    /**
+     * Host-side path of the root block device currently attached as
+     * `/dev/vda`. Vmstate snapshots need the exact bytes because the
+     * whole-VM state captures RAM/device/vCPU state, not disk blocks.
+     */
+    rootDiskPath?: string;
+    /** Whether the VM intentionally booted without a root block device. */
+    rootDiskMode?: "block" | "none";
     /**
      * Host-side path of the scratch disk attached to the guest. Used by
      * `attach().snapshot()` so an attach-owned handle can find the
@@ -1758,6 +1834,18 @@ interface RegistryEntry {
      * booted without the vmstate engine.
      */
     vmstatePath?: string;
+    /** Per-VM incremental checkpoint chain id. New on every fresh boot/restore. */
+    vmstateChainId?: string;
+    /** Absolute bundle path the next vmstate checkpoint should parent to. */
+    vmstateCheckpointParent?: string;
+    /** Per-chain checkpoint sequence already written by this VM. */
+    vmstateCheckpointSequence?: number;
+    /**
+     * Whether the VM was booted with nested virtualization enabled
+     * (`boot({ nested: true })`). Provider-level snapshots are refused
+     * while EL2 vmstate capture/restore is still being audited.
+     */
+    nested?: boolean;
     /**
      * Absolute path to the snapshot directory this VM was forked from
      * (set by `restore({ snapDir })`). Visible in `ls`; informational.
@@ -1890,7 +1978,10 @@ interface PackBundleOptions {
     bundle: string;
     /** Path to the initramfs cpio to write. */
     out: string;
-    /** Optional base rootfs tarball (rootfs-debian-arm64.tar.gz). */
+    /**
+     * Optional arch-specific base rootfs tarball
+     * (`rootfs-debian-arm64.tar.gz` or `rootfs-debian-amd64.tar.gz`).
+     */
     base?: string;
     /**
      * A single host directory copied into the guest between the base
@@ -2013,6 +2104,10 @@ declare const ErrorCode: {
     readonly BOOT_TIMEOUT: "BOOT_TIMEOUT";
     readonly BOOT_DETACHED_READINESS_FAILED: "BOOT_DETACHED_READINESS_FAILED";
     readonly BOOT_MEMORY_INVALID: "BOOT_MEMORY_INVALID";
+    readonly BOOT_NESTED_VIRT_UNSUPPORTED: "BOOT_NESTED_VIRT_UNSUPPORTED";
+    readonly BOOT_VMSTATE_UNSUPPORTED: "BOOT_VMSTATE_UNSUPPORTED";
+    readonly BOOT_VMSTATE_RESEED_FAILED: "BOOT_VMSTATE_RESEED_FAILED";
+    readonly BOOT_PORTABLE_UNSUPPORTED: "BOOT_PORTABLE_UNSUPPORTED";
     readonly FORK_MEMORY_BACKPRESSURE: "FORK_MEMORY_BACKPRESSURE";
     readonly BOOT_MOUNTDISK_TOOL_MISSING: "BOOT_MOUNTDISK_TOOL_MISSING";
     readonly EXEC_VSOCK_UNAVAILABLE: "EXEC_VSOCK_UNAVAILABLE";
@@ -2023,6 +2118,7 @@ declare const ErrorCode: {
     readonly SNAPSHOT_NO_DISK: "SNAPSHOT_NO_DISK";
     readonly SNAPSHOT_DUMP_FAILED: "SNAPSHOT_DUMP_FAILED";
     readonly SNAPSHOT_TIMEOUT: "SNAPSHOT_TIMEOUT";
+    readonly SNAPSHOT_PORTABLE_UNSUPPORTED: "SNAPSHOT_PORTABLE_UNSUPPORTED";
     readonly PROVISION_BASE_NOT_FOUND: "PROVISION_BASE_NOT_FOUND";
     readonly PROVISION_KERNEL_NOT_FOUND: "PROVISION_KERNEL_NOT_FOUND";
     readonly PROVISION_DTB_NOT_FOUND: "PROVISION_DTB_NOT_FOUND";
@@ -2120,6 +2216,1591 @@ declare function isMachinenError(err: unknown, code?: ErrorCode): err is Machine
  */
 declare function formatMachinenError(err: MachinenError): string;
+/**
+ * Transparent native cross-ISA process image contract.
+ *
+ * This format describes an externally captured Linux process that will be
+ * translated into a target-native process. It intentionally separates raw
+ * source-ISA capture data from target-ISA materialization plans so a restore
+ * implementation cannot accidentally treat source registers, stacks, or mapping
+ * addresses as directly reusable target state.
+ */
+declare const NATIVE_PROCESS_IMAGE_FORMAT_VERSION = 1;
+declare const NATIVE_PROCESS_IMAGE_FILES: {
+    readonly manifest: "native-process.json";
+    readonly mappings: "native-mappings.json";
+    readonly threads: "native-threads.json";
+    readonly resources: "native-resources.json";
+    readonly translation: "native-translation.json";
+    readonly memory: "native-memory.bin";
+};
+declare const nativeProcessImageArchitectures: readonly ["arm64", "amd64"];
+type NativeProcessImageArchitecture = (typeof nativeProcessImageArchitectures)[number];
+declare const nativeProcessImageRefusalCodes: readonly ["active-syscall", "architecture-pair-unsupported", "architecture-unsupported", "blocking-syscall-state-unsupported", "code-location-unknown", "fd-kind-unsupported", "futex-state-unsupported", "inherited-stdio-policy-required", "kernel-state-unsupported", "mapping-ambiguous", "mapping-permission-unsupported", "mapping-unreadable", "pointer-ambiguous", "resource-kind-unsupported", "non-stdio-kernel-state-unsupported", "rseq-state-unsupported", "signal-frame-active", "signal-state-unsupported", "stdin-buffer-state-unsupported", "syscall-argument-state-unsupported", "syscall-restart-unsupported", "target-build-id-mismatch", "target-build-mismatch", "target-code-location-unresolved", "target-callee-saved-state-unsupported", "target-caller-frame-unavailable", "target-code-rva-unmapped", "target-frame-layout-unsupported", "target-frame-register-value-unavailable", "target-module-bytes-missing", "target-module-file-missing", "target-module-missing", "target-module-not-executable", "target-module-range-unreadable", "target-ppoll-syscall-continuation-missing", "target-ppoll-timeout-missing", "target-return-slot-unsupported", "target-resume-execution-unavailable", "target-resume-fault-invalid-code-landing", "target-resume-fault-outside-target-bytes", "target-resume-fault-privileged-instruction", "target-resume-fault-signal-unsupported", "target-resume-fault-timeout", "target-resume-fault-unmodeled-memory", "target-semantic-continuation-missing", "target-sleep-remaining-time-missing", "target-sleep-signal-restart-unsupported", "target-sleep-syscall-continuation-missing", "target-synthetic-signal-restart-unsupported", "target-synthetic-syscall-return-unmodeled", "thread-state-unsupported", "tls-state-unsupported", "return-slot-unreadable", "target-unwind-mismatch", "unwind-fde-missing", "unwind-metadata-missing", "unwind-rule-unsupported", "vdso-policy-unsupported"];
+type NativeProcessImageRefusalCode = (typeof nativeProcessImageRefusalCodes)[number];
+interface NativeProcessImageRefusal {
+    code: NativeProcessImageRefusalCode;
+    message: string;
+    detail?: Record<string, unknown>;
+}
+interface NativeProcessImageRefusals {
+    vocabularyVersion: 1;
+    refusals: NativeProcessImageRefusal[];
+}
+interface NativeProcessImageManifest {
+    formatVersion: 1;
+    kind: "machinen.native-process-image";
+    capture: {
+        method: "external-ptrace-procfs";
+        sourceArch: NativeProcessImageArchitecture;
+        pid?: number;
+        capturedAt?: string;
+    };
+    target: {
+        mode: "native-cross-isa";
+        arch: NativeProcessImageArchitecture;
+        abi: "linux-user";
+    };
+    process: {
+        exe: string;
+        argv: string[];
+        env: Record<string, string>;
+        cwd: string;
+    };
+    refusals: NativeProcessImageRefusals;
+}
+type NativeMemoryMappingKind = "text" | "data" | "heap" | "stack" | "tls" | "vdso" | "vvar" | "file" | "anonymous" | "shared" | "special";
+interface NativeMemoryMapping {
+    id: string;
+    kind: NativeMemoryMappingKind;
+    sourceStart: string;
+    sourceEnd: string;
+    sizeBytes: number;
+    permissions: {
+        read: boolean;
+        write: boolean;
+        execute: boolean;
+        private: boolean;
+        shared: boolean;
+    };
+    file?: {
+        path: string;
+        offset: number;
+        buildId?: string;
+        sha256?: string;
+    };
+    captured?: {
+        file: typeof NATIVE_PROCESS_IMAGE_FILES.memory;
+        offset: number;
+        sizeBytes: number;
+    };
+    target: {
+        materialization: "translate" | "recreate" | "omit" | "refuse";
+        targetStart?: string;
+        reason?: string;
+    };
+    refusal?: NativeProcessImageRefusal;
+}
+interface NativeProcessImageMappings {
+    formatVersion: 1;
+    mappings: NativeMemoryMapping[];
+    refusals: NativeProcessImageRefusals;
+}
+interface NativeArm64Registers {
+    arch: "arm64";
+    pc: string;
+    sp: string;
+    pstate: string;
+    x: string[];
+}
+interface NativeAmd64Registers {
+    arch: "amd64";
+    rip: string;
+    rsp: string;
+    rflags: string;
+    rax: string;
+    rbx: string;
+    rcx: string;
+    rdx: string;
+    rsi: string;
+    rdi: string;
+    rbp: string;
+    r8: string;
+    r9: string;
+    r10: string;
+    r11: string;
+    r12: string;
+    r13: string;
+    r14: string;
+    r15: string;
+    fsBase: string;
+    gsBase: string;
+}
+type NativeRegisterState = NativeArm64Registers | NativeAmd64Registers;
+interface NativeThreadState {
+    id: string;
+    lwpid?: number;
+    state: "stopped";
+    stopReason: "ptrace-stop" | "signal-delivery-stop" | "group-stop";
+    stackMapping: string;
+    sourceRegisters: NativeRegisterState;
+    syscall: {
+        state: "outside-syscall" | "inside-syscall" | "restart-block";
+        number?: number;
+        name?: string;
+        arguments?: string[];
+        stackPointer?: string;
+        instructionPointer?: string;
+    };
+    signal: {
+        blocked: string[];
+        pending: string[];
+        activeFrame: boolean;
+        altStack: {
+            state: "disabled" | "enabled" | "unsupported";
+            sp?: string;
+            sizeBytes?: number;
+            refusal?: NativeProcessImageRefusal;
+        };
+    };
+    tls: {
+        threadPointer: string;
+        rseq: {
+            state: "absent" | "captured" | "unsupported";
+            refusal?: NativeProcessImageRefusal;
+        };
+    };
+    refusal?: NativeProcessImageRefusal;
+}
+interface NativeProcessImageThreads {
+    formatVersion: 1;
+    threads: NativeThreadState[];
+    refusals: NativeProcessImageRefusals;
+}
+type NativeProcessResourceKind = "argv" | "env" | "cwd" | "exe" | "auxv" | "fd" | "file" | "pipe" | "socket" | "raw-socket" | "pty" | "timer" | "eventfd" | "signal" | "namespace" | "credential" | "futex" | "epoll" | "unknown";
+interface NativeProcessResource {
+    id: string;
+    kind: NativeProcessResourceKind;
+    state: "captured" | "recipe" | "refused" | "unsupported";
+    fd?: number;
+    path?: string;
+    flags?: string[];
+    offset?: number;
+    recipe?: Record<string, unknown>;
+    refusal?: NativeProcessImageRefusal;
+}
+interface NativeProcessImageResources {
+    formatVersion: 1;
+    resources: NativeProcessResource[];
+    refusals: NativeProcessImageRefusals;
+}
+interface NativeCodeLocationMapping {
+    id: string;
+    sourceMapping: string;
+    sourceAddress: string;
+    targetAddress?: string;
+    state: "mapped" | "pending" | "refused";
+    refusal?: NativeProcessImageRefusal;
+}
+interface NativeThreadTranslation {
+    sourceThreadId: string;
+    state: "pending" | "translated" | "refused";
+    targetRegisters?: NativeRegisterState;
+    refusal?: NativeProcessImageRefusal;
+}
+interface NativeMemoryRelocation {
+    mapping: string;
+    offset: number;
+    kind: "pointer" | "code-pointer" | "return-address" | "thread-pointer";
+    sourceValue: string;
+    targetValue?: string;
+    state: "translated" | "ambiguous" | "refused";
+    refusal?: NativeProcessImageRefusal;
+}
+interface NativeProcessImageTranslation {
+    formatVersion: 1;
+    mode: "native-cross-isa";
+    sourceArch: NativeProcessImageArchitecture;
+    targetArch: NativeProcessImageArchitecture;
+    codeLocations: NativeCodeLocationMapping[];
+    threads: NativeThreadTranslation[];
+    memoryRelocations: NativeMemoryRelocation[];
+    refusals: NativeProcessImageRefusals;
+}
+interface NativeProcessImageDocuments {
+    rootDir?: string;
+    manifest: NativeProcessImageManifest;
+    mappings: NativeProcessImageMappings;
+    threads: NativeProcessImageThreads;
+    resources: NativeProcessImageResources;
+    translation: NativeProcessImageTranslation;
+}
+interface NativeProcessImageDocumentInput {
+    rootDir?: string;
+    manifest: unknown;
+    mappings: unknown;
+    threads: unknown;
+    resources: unknown;
+    translation: unknown;
+}
+type NativeProcessImageJsonSchema = Record<string, unknown>;
+declare const nativeProcessImageSchemas: {
+    readonly manifest: {
+        readonly $schema: "https://json-schema.org/draft/2020-12/schema";
+        readonly $id: "https://machinen.dev/schemas/native-process-image/manifest.schema.json";
+        readonly title: "Machinen native process image manifest";
+        readonly type: "object";
+        readonly additionalProperties: false;
+        readonly required: readonly ["formatVersion", "kind", "capture", "target", "process", "refusals"];
+        readonly properties: {
+            readonly formatVersion: {
+                readonly const: 1;
+            };
+            readonly kind: {
+                readonly const: "machinen.native-process-image";
+            };
+            readonly capture: {
+                readonly type: "object";
+                readonly additionalProperties: false;
+                readonly required: readonly ["method", "sourceArch"];
+                readonly properties: {
+                    readonly method: {
+                        readonly const: "external-ptrace-procfs";
+                    };
+                    readonly sourceArch: {
+                        readonly enum: readonly ["arm64", "amd64"];
+                    };
+                    readonly pid: {
+                        readonly type: "integer";
+                        readonly minimum: 1;
+                    };
+                    readonly capturedAt: {
+                        readonly type: "string";
+                    };
+                };
+            };
+            readonly target: {
+                readonly type: "object";
+                readonly additionalProperties: false;
+                readonly required: readonly ["mode", "arch", "abi"];
+                readonly properties: {
+                    readonly mode: {
+                        readonly const: "native-cross-isa";
+                    };
+                    readonly arch: {
+                        readonly enum: readonly ["arm64", "amd64"];
+                    };
+                    readonly abi: {
+                        readonly const: "linux-user";
+                    };
+                };
+            };
+            readonly process: {
+                readonly type: "object";
+                readonly additionalProperties: false;
+                readonly required: readonly ["exe", "argv", "env", "cwd"];
+                readonly properties: {
+                    readonly exe: {
+                        readonly type: "string";
+                        readonly minLength: 1;
+                    };
+                    readonly argv: {
+                        readonly type: "array";
+                        readonly items: {
+                            readonly type: "string";
+                        };
+                        readonly minItems: 1;
+                    };
+                    readonly env: {
+                        readonly type: "object";
+                        readonly additionalProperties: {
+                            readonly type: "string";
+                        };
+                    };
+                    readonly cwd: {
+                        readonly type: "string";
+                        readonly minLength: 1;
+                    };
+                };
+            };
+            readonly refusals: NativeProcessImageJsonSchema;
+        };
+    };
+    readonly mappings: {
+        readonly $schema: "https://json-schema.org/draft/2020-12/schema";
+        readonly $id: "https://machinen.dev/schemas/native-process-image/mappings.schema.json";
+        readonly title: "Machinen native process image mappings";
+        readonly type: "object";
+        readonly additionalProperties: false;
+        readonly required: readonly ["formatVersion", "mappings", "refusals"];
+        readonly properties: {
+            readonly formatVersion: {
+                readonly const: 1;
+            };
+            readonly mappings: {
+                readonly type: "array";
+            };
+            readonly refusals: NativeProcessImageJsonSchema;
+        };
+    };
+    readonly threads: {
+        readonly $schema: "https://json-schema.org/draft/2020-12/schema";
+        readonly $id: "https://machinen.dev/schemas/native-process-image/threads.schema.json";
+        readonly title: "Machinen native process image threads";
+        readonly type: "object";
+        readonly additionalProperties: false;
+        readonly required: readonly ["formatVersion", "threads", "refusals"];
+        readonly properties: {
+            readonly formatVersion: {
+                readonly const: 1;
+            };
+            readonly threads: {
+                readonly type: "array";
+                readonly minItems: 1;
+            };
+            readonly refusals: NativeProcessImageJsonSchema;
+        };
+    };
+    readonly resources: {
+        readonly $schema: "https://json-schema.org/draft/2020-12/schema";
+        readonly $id: "https://machinen.dev/schemas/native-process-image/resources.schema.json";
+        readonly title: "Machinen native process image resources";
+        readonly type: "object";
+        readonly additionalProperties: false;
+        readonly required: readonly ["formatVersion", "resources", "refusals"];
+        readonly properties: {
+            readonly formatVersion: {
+                readonly const: 1;
+            };
+            readonly resources: {
+                readonly type: "array";
+            };
+            readonly refusals: NativeProcessImageJsonSchema;
+        };
+    };
+    readonly translation: {
+        readonly $schema: "https://json-schema.org/draft/2020-12/schema";
+        readonly $id: "https://machinen.dev/schemas/native-process-image/translation.schema.json";
+        readonly title: "Machinen native process image translation plan";
+        readonly type: "object";
+        readonly additionalProperties: false;
+        readonly required: readonly ["formatVersion", "mode", "sourceArch", "targetArch", "codeLocations", "threads", "memoryRelocations", "refusals"];
+        readonly properties: {
+            readonly formatVersion: {
+                readonly const: 1;
+            };
+            readonly mode: {
+                readonly const: "native-cross-isa";
+            };
+            readonly sourceArch: {
+                readonly enum: readonly ["arm64", "amd64"];
+            };
+            readonly targetArch: {
+                readonly enum: readonly ["arm64", "amd64"];
+            };
+            readonly codeLocations: {
+                readonly type: "array";
+            };
+            readonly threads: {
+                readonly type: "array";
+            };
+            readonly memoryRelocations: {
+                readonly type: "array";
+            };
+            readonly refusals: NativeProcessImageJsonSchema;
+        };
+    };
+};
+declare class NativeProcessImageValidationError extends Error {
+    readonly errors: string[];
+    constructor(errors: string[]);
+}
+declare function isNativeProcessImageBundle(dir: string): boolean;
+declare function validateNativeProcessImageBundle(dir: string): NativeProcessImageDocuments;
+declare function validateNativeProcessImageDocuments(docs: NativeProcessImageDocumentInput, opts?: {
+    rootDir?: string;
+}): string[];
+declare function assertNativeProcessImageDocuments(docs: NativeProcessImageDocumentInput, opts?: {
+    rootDir?: string;
+}): asserts docs is NativeProcessImageDocuments;
+/** Source-code to target-code mapping for native cross-ISA restore. */
+interface NativeCodeModule {
+    id: string;
+    logicalName: string;
+    path: string;
+    arch?: NativeProcessImageArchitecture;
+    kind: "executable" | "pie-executable" | "shared-object" | "vdso" | "unknown";
+    buildId: string;
+    loadBias: string;
+    textMapping: string;
+}
+interface NativeCodeSymbol {
+    name: string;
+    mapping: string;
+    address: string;
+    sizeBytes?: number;
+    buildId?: string;
+    metadata: "symbol" | "dwarf" | "sidecar";
+    moduleId?: string;
+    relativeAddress?: string;
+}
+interface NativeCodeMapRequest {
+    expectedTargetBuildId: string;
+    targetBuildId: string;
+    sourceSymbols: NativeCodeSymbol[];
+    targetSymbols: NativeCodeSymbol[];
+    requestedLocations: Array<{
+        id: string;
+        symbol: string;
+        sourceAddress?: string;
+    }>;
+    sourceModules?: NativeCodeModule[];
+    targetModules?: NativeCodeModule[];
+}
+interface NativeCodeMapResult {
+    codeLocations: NativeCodeLocationMapping[];
+    refusals: NativeProcessImageRefusal[];
+}
+declare function buildNativeCodeMap(request: NativeCodeMapRequest): NativeCodeMapResult;
+/** Active native syscall classification for actual real-utility attempts. */
+type NativeActiveSyscallClass = "outside-syscall" | "sleep-timer" | "poll-timeout" | "fd-blocking" | "restart" | "unknown-active";
+type NativeSleepTimerSyscallPolicy = "refuse" | "defer-target-resume";
+type NativePollTimeoutSyscallPolicy = "refuse" | "defer-target-resume";
+interface NativeActiveSyscallPolicyOptions {
+    sleepTimerPolicy?: NativeSleepTimerSyscallPolicy;
+    pollTimeoutPolicy?: NativePollTimeoutSyscallPolicy;
+    documents?: NativeProcessImageDocuments;
+}
+interface NativeSleepTimerDuration {
+    seconds: string;
+    nanoseconds: number;
+}
+interface NativeModeledSleepTimerRemainingTime extends NativeSleepTimerDuration {
+    state: "modeled";
+    kind: "relative-duration";
+    source: "active-syscall-request-timespec";
+    precision: "requested-duration-upper-bound";
+}
+interface NativeModeledPpollTimeoutRemainingTime extends NativeSleepTimerDuration {
+    state: "modeled";
+    kind: "relative-duration";
+    source: "active-syscall-ppoll-timeout";
+    precision: "requested-duration-upper-bound";
+}
+interface NativeModeledSleepTimerState {
+    kind: "relative-duration";
+    syscallName: string;
+    argumentSource: "proc-syscall" | "registers";
+    clockId?: number;
+    flags?: number;
+    requestPointer: string;
+    remainderPointer?: string;
+    requestedTime: NativeSleepTimerDuration;
+    remainingTime: NativeModeledSleepTimerRemainingTime;
+}
+interface NativeModeledPpollTimeoutState {
+    kind: "relative-duration";
+    syscallName: "ppoll";
+    argumentSource: "proc-syscall" | "registers";
+    fdsPointer: "0x0";
+    nfds: 0;
+    timeoutPointer: string;
+    sigmaskPointer: "0x0";
+    sigsetSize?: string;
+    requestedTime: NativeSleepTimerDuration;
+    remainingTime: NativeModeledPpollTimeoutRemainingTime;
+}
+type NativeSleepTimerModelResult = {
+    state: "modeled";
+    timer: NativeModeledSleepTimerState;
+} | {
+    state: "missing";
+    refusal: NativeProcessImageRefusal;
+};
+type NativePpollTimeoutModelResult = {
+    state: "modeled";
+    timeout: NativeModeledPpollTimeoutState;
+} | {
+    state: "missing";
+    refusal: NativeProcessImageRefusal;
+};
+interface NativeActiveSleepTimerContinuation {
+    threadId: string;
+    syscallClass: Extract<NativeActiveSyscallClass, "sleep-timer">;
+    action: "defer-target-resume";
+    syscall: NativeThreadState["syscall"];
+    metadata: {
+        remainingTime: NativeModeledSleepTimerRemainingTime;
+        sleepTimer: NativeModeledSleepTimerState;
+        policy: "conservative-target-timer-rearm-required";
+    };
+}
+interface NativeActivePpollTimeoutContinuation {
+    threadId: string;
+    syscallClass: Extract<NativeActiveSyscallClass, "poll-timeout">;
+    action: "defer-target-resume";
+    syscall: NativeThreadState["syscall"];
+    metadata: {
+        remainingTime: NativeModeledPpollTimeoutRemainingTime;
+        ppollTimeout: NativeModeledPpollTimeoutState;
+        policy: "conservative-target-ppoll-timeout-rearm-required";
+    };
+}
+type NativeActiveSyscallContinuation = NativeActiveSleepTimerContinuation | NativeActivePpollTimeoutContinuation;
+interface NativeActiveSyscallClassification {
+    threadId: string;
+    state: NativeThreadState["syscall"]["state"];
+    syscallNumber?: number;
+    syscallName?: string;
+    class: NativeActiveSyscallClass;
+    resumable: false;
+    refusal?: NativeProcessImageRefusal;
+    continuation?: NativeActiveSyscallContinuation;
+}
+interface NativeActiveSyscallClassificationResult {
+    classifications: NativeActiveSyscallClassification[];
+    refusals: NativeProcessImageRefusal[];
+    continuations: NativeActiveSyscallContinuation[];
+}
+declare function classifyNativeActiveSyscalls(threads: NativeThreadState[], options?: NativeActiveSyscallPolicyOptions): NativeActiveSyscallClassificationResult;
+declare function classifyNativeThreadSyscall(thread: NativeThreadState, options?: NativeActiveSyscallPolicyOptions): NativeActiveSyscallClassification;
+declare function modelNativePpollTimeoutState(thread: NativeThreadState, documents?: NativeProcessImageDocuments): NativePpollTimeoutModelResult;
+declare function modelNativeSleepTimerState(thread: NativeThreadState, documents?: NativeProcessImageDocuments): NativeSleepTimerModelResult;
+/** Shared descriptors for generated target-native synthetic continuations. */
+declare const NATIVE_SYNTHETIC_SYSCALL_RESTART_EXIT_STATUS = 111;
+declare const NATIVE_SYNTHETIC_SYSCALL_UNMODELED_RETURN_EXIT_STATUS = 112;
+type NativeSyntheticContinuationTargetArch = "amd64";
+type NativeSyntheticContinuationByteSource = "generated-target-native-amd64-syscall-sequence";
+type NativeSyntheticContinuationByteEncoding = "amd64-machine-code";
+type NativeSyntheticContinuationSyscallAbi = "linux-amd64";
+type NativeSyntheticContinuationRegisterSetupAbi = "linux-amd64-syscall";
+type NativeSyntheticContinuationFailureKind = "signal-restart-unsupported" | "syscall-return-unmodeled";
+type NativeSyntheticContinuationFailureExitBucketCondition = "equals-negative-errno" | "restart-like-negative-errno" | "other-negative-errno" | "nonzero-return";
+type NativeSyntheticContinuationRegister = "rax" | "rdi" | "rsi" | "rdx" | "r10" | "r8" | "r9" | "rcx" | "r11";
+type NativeSyntheticContinuationProvenanceSource = "generated-target-native-amd64-syscall-sequence" | "linux-amd64-syscall-abi" | "modeled-source-sleep-timer" | "modeled-source-ppoll-timeout" | "target-caller-frame";
+interface NativeSyntheticSyscallArgumentDescriptor {
+    register: NativeSyntheticContinuationRegister;
+    role: string;
+    value: string;
+    source: NativeSyntheticContinuationProvenanceSource;
+}
+interface NativeSyntheticSyscallDescriptor {
+    abi: NativeSyntheticContinuationSyscallAbi;
+    name: string;
+    number: number;
+    arguments: NativeSyntheticSyscallArgumentDescriptor[];
+}
+interface NativeSyntheticContinuationRegisterSetupDescriptor {
+    abi: NativeSyntheticContinuationRegisterSetupAbi;
+    arguments: NativeSyntheticSyscallArgumentDescriptor[];
+    clobberedBySyscall: NativeSyntheticContinuationRegister[];
+    notes: string[];
+}
+interface NativeSyntheticContinuationStackSetupDescriptor {
+    entryStackPointer: string;
+    stackBytesWrittenByContinuation: number;
+    returnAddress: string;
+    requiresSourceStackBytes: boolean;
+}
+interface NativeSyntheticContinuationFailureExitBucket {
+    exitStatus: number;
+    failureKind: NativeSyntheticContinuationFailureKind;
+    failureReason: string;
+    syscallReturn: {
+        register: "rax";
+        condition: NativeSyntheticContinuationFailureExitBucketCondition;
+        errno?: number;
+        errnoName?: string;
+        errnos?: {
+            errno: number;
+            errnoName: string;
+        }[];
+        errnoRange?: {
+            min: number;
+            max: number;
+        };
+        excludedErrnos?: {
+            errno: number;
+            errnoName: string;
+        }[];
+    };
+}
+interface NativeSyntheticContinuationCompletionDescriptor {
+    mode: string;
+    successExitStatus?: number;
+    /** Legacy single-bucket failure status. Prefer failureExitBuckets for new continuations. */
+    failureExitStatus?: number;
+    /** Legacy single-bucket failure kind. Prefer failureExitBuckets for new continuations. */
+    failureKind?: NativeSyntheticContinuationFailureKind;
+    /** Legacy single-bucket failure reason. Prefer failureExitBuckets for new continuations. */
+    failureReason?: string;
+    failureExitBuckets?: NativeSyntheticContinuationFailureExitBucket[];
+}
+interface NativeSyntheticSyscallContinuationDescriptorRequest {
+    targetArch: NativeSyntheticContinuationTargetArch;
+    entryAddress: string;
+    relativeAddress: string;
+    generatorBuildId: string;
+    bytes: Uint8Array;
+    syscall: Omit<NativeSyntheticSyscallDescriptor, "abi">;
+    registerSetup: NativeSyntheticContinuationRegisterSetupDescriptor;
+    stackSetup: NativeSyntheticContinuationStackSetupDescriptor;
+    completion: NativeSyntheticContinuationCompletionDescriptor;
+}
+interface NativeSyntheticSyscallContinuationDescriptor {
+    kind: "synthetic-syscall-continuation";
+    targetArch: NativeSyntheticContinuationTargetArch;
+    entryAddress: string;
+    relativeAddress: string;
+    byteSource: NativeSyntheticContinuationByteSource;
+    generatorBuildId: string;
+    byteEncoding: NativeSyntheticContinuationByteEncoding;
+    sizeBytes: number;
+    bytesHex: string;
+    byteSha256: string;
+    descriptorSha256: string;
+    generatedTargetBytes: true;
+    sourceTextReusedAsTargetCode: false;
+    sourceIsaEmulationUsed: false;
+    sidecarRuntimeUsed: false;
+    syscallAbi: NativeSyntheticContinuationSyscallAbi;
+    syscall: NativeSyntheticSyscallDescriptor;
+    registerSetup: NativeSyntheticContinuationRegisterSetupDescriptor;
+    stackSetup: NativeSyntheticContinuationStackSetupDescriptor;
+    completion: NativeSyntheticContinuationCompletionDescriptor;
+}
+type NativeSyntheticSyscallContinuationDescriptorPayload = Omit<NativeSyntheticSyscallContinuationDescriptor, "descriptorSha256">;
+declare function buildNativeSyntheticSyscallContinuationDescriptor(request: NativeSyntheticSyscallContinuationDescriptorRequest): NativeSyntheticSyscallContinuationDescriptor;
+declare function nativeSyntheticContinuationBytesHex(bytes: Uint8Array): string;
+declare function nativeSyntheticContinuationBytesSha256(bytes: Uint8Array): string;
+declare function nativeSyntheticContinuationDescriptorSha256(descriptor: NativeSyntheticSyscallContinuationDescriptorPayload): string;
+declare function nativeSyntheticRestartLikeErrnos(): {
+    errno: number;
+    errnoName: string;
+}[];
+declare function nativeSyntheticSyscallFailureExitBuckets(syscallName: string): NativeSyntheticContinuationFailureExitBucket[];
+declare function nativeSyntheticExitProcessSuffix(): number[];
+/** Synthetic target-native ppoll timeout syscall continuation generation. */
+declare const NATIVE_SYNTHETIC_PPOLL_SYSCALL_BUILD_ID = "machinen-synthetic-ppoll-syscall-v1";
+declare const NATIVE_SYNTHETIC_PPOLL_SYSCALL_LOGICAL_NAME = "machinen-synthetic-ppoll-syscall";
+declare const NATIVE_SYNTHETIC_PPOLL_SYSCALL_PATH = "machinen.synthetic://ppoll-syscall";
+declare const NATIVE_SYNTHETIC_PPOLL_SYSCALL_BASE = "0x700300000000";
+type NativeSyntheticPpollCompletionMode = "return-to-trampoline" | "exit-process";
+type NativeSyntheticPpollSyscallProvenanceSource = NativeSyntheticContinuationProvenanceSource;
+interface NativeSyntheticPpollSyscallArgumentProvenance extends NativeSyntheticSyscallArgumentDescriptor {
+    register: "rax" | "rdi" | "rsi" | "rdx" | "r10" | "r8";
+    role: "syscall-number" | "fds-pointer" | "nfds" | "timeout-timespec-pointer" | "sigmask-pointer" | "sigset-size";
+    source: NativeSyntheticPpollSyscallProvenanceSource;
+}
+interface NativeSyntheticPpollSyscallRegisterSetupProvenance extends NativeSyntheticContinuationRegisterSetupDescriptor {
+    arguments: NativeSyntheticPpollSyscallArgumentProvenance[];
+    clobberedBySyscall: ["rax", "rcx", "r11"];
+}
+interface NativeSyntheticPpollSyscallStackSetupProvenance extends NativeSyntheticContinuationStackSetupDescriptor {
+    entryStackPointer: "target-caller-frame-stack-pointer";
+    stackBytesWrittenByContinuation: 0;
+    returnAddress: "trampoline-sentinel-return-address" | "not-used-exit-process-completion";
+    requiresSourceStackBytes: false;
+}
+interface NativeSyntheticPpollSyscallCompletionProvenance extends NativeSyntheticContinuationCompletionDescriptor {
+    mode: NativeSyntheticPpollCompletionMode;
+    successExitStatus?: 0;
+    failureExitBuckets?: NativeSyntheticContinuationFailureExitBucket[];
+}
+interface NativeSyntheticPpollSyscallContinuationProvenance extends NativeSyntheticSyscallContinuationDescriptor {
+    generatorBuildId: typeof NATIVE_SYNTHETIC_PPOLL_SYSCALL_BUILD_ID;
+    syscall: NativeSyntheticSyscallContinuationDescriptor["syscall"] & {
+        name: "ppoll";
+        number: 271;
+        arguments: NativeSyntheticPpollSyscallArgumentProvenance[];
+    };
+    embeddedData: {
+        kind: "timespec";
+        offset: number;
+        seconds: string;
+        nanoseconds: number;
+        byteOrder: "little-endian";
+        pointerRegister: "rdx";
+        pointerEncoding: "rip-relative";
+    };
+    registerSetup: NativeSyntheticPpollSyscallRegisterSetupProvenance;
+    stackSetup: NativeSyntheticPpollSyscallStackSetupProvenance;
+    completion: NativeSyntheticPpollSyscallCompletionProvenance;
+}
+interface NativeSyntheticPpollSyscallContinuationRequest {
+    threadId: string;
+    remainingTime: NativeModeledPpollTimeoutRemainingTime;
+    targetAddress?: string;
+    completionMode?: NativeSyntheticPpollCompletionMode;
+}
+interface NativeSyntheticPpollSyscallContinuation {
+    kind: "synthetic-ppoll-syscall";
+    threadId: string;
+    targetArch: "amd64";
+    entryAddress: string;
+    relativeAddress: "0x0";
+    syscall: {
+        name: "ppoll";
+        number: 271;
+        fdsPointer: "0x0";
+        nfds: 0;
+        timeoutPointerEncoding: "rip-relative-timespec";
+        sigmaskPointer: "0x0";
+        sigsetSize: 0;
+    };
+    remainingTime: NativeModeledPpollTimeoutRemainingTime;
+    completionMode: NativeSyntheticPpollCompletionMode;
+    exitStatusOnSuccess?: 0;
+    descriptor: NativeSyntheticSyscallContinuationDescriptor;
+    provenance: NativeSyntheticPpollSyscallContinuationProvenance;
+    timespecOffset: number;
+    sizeBytes: number;
+    bytes: Uint8Array;
+    sourceTextReusedAsTargetCode: false;
+    sourceIsaEmulationUsed: false;
+    sidecarRuntimeUsed: false;
+}
+interface NativeSyntheticPpollSyscallContinuationResult {
+    continuation?: NativeSyntheticPpollSyscallContinuation;
+    refusals: NativeProcessImageRefusal[];
+}
+declare function buildNativeSyntheticPpollSyscallContinuation(request: NativeSyntheticPpollSyscallContinuationRequest): NativeSyntheticPpollSyscallContinuationResult;
+/** Synthetic target-native sleep syscall continuation generation. */
+declare const NATIVE_SYNTHETIC_SLEEP_SYSCALL_BUILD_ID = "machinen-synthetic-sleep-syscall-v3";
+declare const NATIVE_SYNTHETIC_SLEEP_SYSCALL_LOGICAL_NAME = "machinen-synthetic-sleep-syscall";
+declare const NATIVE_SYNTHETIC_SLEEP_SYSCALL_PATH = "machinen.synthetic://sleep-syscall";
+declare const NATIVE_SYNTHETIC_SLEEP_SYSCALL_BASE = "0x700200000000";
+declare const NATIVE_SYNTHETIC_SLEEP_SYSCALL_RESTART_EXIT_STATUS = 111;
+declare const NATIVE_SYNTHETIC_SLEEP_SYSCALL_UNMODELED_RETURN_EXIT_STATUS = 112;
+declare const NATIVE_SYNTHETIC_SLEEP_SYSCALL_FAILURE_EXIT_STATUS = 111;
+type NativeSyntheticSleepCompletionMode = "return-to-trampoline" | "exit-process";
+type NativeSyntheticSleepSyscallProvenanceSource = NativeSyntheticContinuationProvenanceSource;
+interface NativeSyntheticSleepSyscallArgumentProvenance extends NativeSyntheticSyscallArgumentDescriptor {
+    register: "rax" | "rdi" | "rsi" | "rdx" | "r10";
+    role: "syscall-number" | "clock-id" | "flags" | "request-timespec-pointer" | "remainder-pointer";
+    source: NativeSyntheticSleepSyscallProvenanceSource;
+}
+interface NativeSyntheticSleepSyscallRegisterSetupProvenance extends NativeSyntheticContinuationRegisterSetupDescriptor {
+    arguments: NativeSyntheticSleepSyscallArgumentProvenance[];
+    clobberedBySyscall: ["rax", "rcx", "r11"];
+}
+interface NativeSyntheticSleepSyscallStackSetupProvenance extends NativeSyntheticContinuationStackSetupDescriptor {
+    entryStackPointer: "target-caller-frame-stack-pointer";
+    stackBytesWrittenByContinuation: 0;
+    returnAddress: "trampoline-sentinel-return-address" | "not-used-exit-process-completion";
+    requiresSourceStackBytes: false;
+}
+interface NativeSyntheticSleepSyscallCompletionProvenance extends NativeSyntheticContinuationCompletionDescriptor {
+    mode: NativeSyntheticSleepCompletionMode;
+    successExitStatus?: 0;
+    failureExitStatus?: typeof NATIVE_SYNTHETIC_SLEEP_SYSCALL_FAILURE_EXIT_STATUS;
+    failureExitBuckets?: NativeSyntheticContinuationFailureExitBucket[];
+}
+interface NativeSyntheticSleepSyscallContinuationProvenance extends NativeSyntheticSyscallContinuationDescriptor {
+    generatorBuildId: typeof NATIVE_SYNTHETIC_SLEEP_SYSCALL_BUILD_ID;
+    syscall: NativeSyntheticSyscallContinuationDescriptor["syscall"] & {
+        name: "clock_nanosleep";
+        number: 230;
+        arguments: NativeSyntheticSleepSyscallArgumentProvenance[];
+    };
+    embeddedData: {
+        kind: "timespec";
+        offset: number;
+        seconds: string;
+        nanoseconds: number;
+        byteOrder: "little-endian";
+        pointerRegister: "rdx";
+        pointerEncoding: "rip-relative";
+    };
+    registerSetup: NativeSyntheticSleepSyscallRegisterSetupProvenance;
+    stackSetup: NativeSyntheticSleepSyscallStackSetupProvenance;
+    completion: NativeSyntheticSleepSyscallCompletionProvenance;
+}
+interface NativeSyntheticSleepSyscallContinuationRequest {
+    threadId: string;
+    remainingTime: NativeModeledSleepTimerRemainingTime;
+    sleepTimer?: NativeModeledSleepTimerState;
+    targetAddress?: string;
+    completionMode?: NativeSyntheticSleepCompletionMode;
+}
+interface NativeSyntheticSleepSyscallContinuation {
+    kind: "synthetic-sleep-syscall";
+    threadId: string;
+    targetArch: "amd64";
+    entryAddress: string;
+    relativeAddress: "0x0";
+    syscall: {
+        name: "clock_nanosleep";
+        number: 230;
+        clockId: 0;
+        flags: 0;
+        requestPointerEncoding: "rip-relative-timespec";
+        remainderPointer: "0x0";
+    };
+    remainingTime: NativeModeledSleepTimerRemainingTime;
+    completionMode: NativeSyntheticSleepCompletionMode;
+    exitStatusOnSuccess?: 0;
+    descriptor: NativeSyntheticSyscallContinuationDescriptor;
+    provenance: NativeSyntheticSleepSyscallContinuationProvenance;
+    timespecOffset: number;
+    sizeBytes: number;
+    bytes: Uint8Array;
+    sourceTextReusedAsTargetCode: false;
+    sourceIsaEmulationUsed: false;
+    sidecarRuntimeUsed: false;
+}
+interface NativeSyntheticSleepSyscallContinuationResult {
+    continuation?: NativeSyntheticSleepSyscallContinuation;
+    refusals: NativeProcessImageRefusal[];
+}
+declare function buildNativeSyntheticSleepSyscallContinuation(request: NativeSyntheticSleepSyscallContinuationRequest): NativeSyntheticSleepSyscallContinuationResult;
+/** Real utility module/RVA code-location resolution. */
+interface NativeRealUtilityExecutableRange {
+    relativeStart: string;
+    relativeEnd: string;
+}
+interface NativeRealUtilitySourceModule extends NativeCodeModule {
+    sourceStart: string;
+    sourceEnd: string;
+}
+type NativeRealUtilityTargetContinuationKind = "sleep-timer" | "poll-timeout";
+interface NativeRealUtilityTargetSemanticContinuation {
+    kind: NativeRealUtilityTargetContinuationKind;
+    source: "elf-symbol";
+    symbolName: string;
+    relativeAddress: string;
+    sizeBytes?: number;
+}
+interface NativeRealUtilityTargetModule extends NativeCodeModule {
+    executable?: boolean;
+    executableRanges?: NativeRealUtilityExecutableRange[];
+    semanticContinuations?: NativeRealUtilityTargetSemanticContinuation[];
+}
+interface NativeRealUtilityModuleExpectation {
+    sourcePath?: string;
+    sourceLogicalName?: string;
+    targetModuleId?: string;
+    targetPath?: string;
+    expectedTargetBuildId?: string;
+}
+type NativeRealUtilityContinuationStrategy = "module-rva-equivalence" | "semantic-sleep-timer-symbol" | "synthetic-sleep-syscall" | "synthetic-ppoll-syscall";
+interface NativeRealUtilitySemanticContinuationSelection {
+    kind: NativeRealUtilityTargetContinuationKind;
+    source: NativeRealUtilityTargetSemanticContinuation["source"];
+    symbolName: string;
+    targetRelativeAddress: string;
+    targetAddress: string;
+    sizeBytes?: number;
+}
+type NativeRealUtilitySyntheticContinuationSelection = {
+    kind: "sleep-timer";
+    source: "synthetic-syscall";
+    symbolName: "machinen_synthetic_clock_nanosleep";
+    targetRelativeAddress: "0x0";
+    targetAddress: string;
+    sizeBytes: number;
+    syscall: NativeSyntheticSleepSyscallContinuation["syscall"];
+    completionMode: NativeSyntheticSleepCompletionMode;
+    exitStatusOnSuccess?: 0;
+    descriptor: NativeSyntheticSyscallContinuationDescriptor;
+    provenance: NativeSyntheticSleepSyscallContinuationProvenance;
+} | {
+    kind: "poll-timeout";
+    source: "synthetic-syscall";
+    symbolName: "machinen_synthetic_ppoll";
+    targetRelativeAddress: "0x0";
+    targetAddress: string;
+    sizeBytes: number;
+    syscall: NativeSyntheticPpollSyscallContinuation["syscall"];
+    completionMode: NativeSyntheticPpollCompletionMode;
+    exitStatusOnSuccess?: 0;
+    descriptor: NativeSyntheticSyscallContinuationDescriptor;
+    provenance: NativeSyntheticPpollSyscallContinuationProvenance;
+};
+interface NativeRealUtilityDeferredActiveSyscallLanding {
+    threadId: string;
+    sourceAddress: string;
+    sourceRva: string;
+    targetAddress: string;
+    targetRva: string;
+    strategy: Extract<NativeRealUtilityContinuationStrategy, "semantic-sleep-timer-symbol" | "synthetic-sleep-syscall" | "synthetic-ppoll-syscall">;
+    syscallClass: NativeActiveSyscallContinuation["syscallClass"];
+    action: NativeActiveSyscallContinuation["action"];
+    syscall: NativeActiveSyscallContinuation["syscall"];
+    metadata: NativeActiveSyscallContinuation["metadata"];
+    semanticContinuation?: NativeRealUtilitySemanticContinuationSelection;
+    syntheticContinuation?: NativeRealUtilitySyntheticContinuationSelection;
+}
+interface NativeRealUtilityResolvedLocation {
+    threadId: string;
+    sourceModule: NativeRealUtilitySourceModule;
+    targetModule: NativeRealUtilityTargetModule;
+    sourceRva: string;
+    targetRva: string;
+    targetAddress: string;
+    continuationStrategy: NativeRealUtilityContinuationStrategy;
+    codeLocation: NativeCodeLocationMapping;
+    deferredActiveSyscallLanding?: NativeRealUtilityDeferredActiveSyscallLanding;
+    semanticContinuation?: NativeRealUtilitySemanticContinuationSelection;
+    syntheticContinuation?: NativeRealUtilitySyntheticContinuationSelection;
+}
+interface NativeRealUtilityCodeLocationRequest {
+    documents: NativeProcessImageDocuments;
+    targetArch: NativeProcessImageArchitecture;
+    targetModules: NativeRealUtilityTargetModule[];
+    moduleExpectations?: NativeRealUtilityModuleExpectation[];
+    threadIds?: string[];
+    activeSyscallContinuations?: NativeActiveSyscallContinuation[];
+    sleepTimerContinuationStrategy?: "target-symbol" | "synthetic-syscall";
+    pollTimeoutContinuationStrategy?: "refuse" | "synthetic-syscall";
+    syntheticSleepBaseAddress?: string;
+    syntheticPpollBaseAddress?: string;
+    syntheticSleepCompletionMode?: NativeSyntheticSleepCompletionMode;
+    syntheticPpollCompletionMode?: NativeSyntheticPpollCompletionMode;
+}
+interface NativeRealUtilityCodeLocationResult {
+    sourceModules: NativeRealUtilitySourceModule[];
+    targetModules: NativeRealUtilityTargetModule[];
+    resolved: NativeRealUtilityResolvedLocation[];
+    codeLocations: NativeCodeLocationMapping[];
+    refusals: NativeProcessImageRefusal[];
+}
+declare function inventoryNativeSourceCodeModules(documents: NativeProcessImageDocuments): NativeRealUtilitySourceModule[];
+declare function resolveNativeRealUtilityCodeLocations(request: NativeRealUtilityCodeLocationRequest): NativeRealUtilityCodeLocationResult;
+/** Stack-frame and continuation translation for native process images. */
+interface NativeStackFrame {
+    id: string;
+    sourceSp: string;
+    sourceReturnAddress: string;
+    sizeBytes: number;
+    metadata: "dwarf" | "sidecar" | "unknown";
+    locals: NativeStackSlot[];
+}
+interface NativeStackSlot {
+    offset: number;
+    kind: "integer" | "pointer" | "code-pointer" | "ambiguous";
+    sourceValue: string;
+    targetValue?: string;
+}
+interface NativeStackTranslationRequest {
+    stackMapping: string;
+    targetStackBase: string;
+    frames: NativeStackFrame[];
+    codeLocations: NativeCodeLocationMapping[];
+}
+interface NativeStackTranslationResult {
+    stackMapping: string;
+    targetStackBase: string;
+    targetStackSizeBytes: number;
+    relocations: NativeMemoryRelocation[];
+    refusals: NativeProcessImageRefusal[];
+}
+declare function translateNativeStack(request: NativeStackTranslationRequest): NativeStackTranslationResult;
+/** DWARF/eh-frame based native stack-frame discovery. */
+type NativeUnwindMetadataKind = "dwarf" | "eh-frame";
+type NativeUnwindRegister = "sp" | "x29" | "x30";
+interface NativeUnwindFrameRule {
+    id: string;
+    functionName: string;
+    mapping: string;
+    pcStart: string;
+    pcEnd: string;
+    metadata: NativeUnwindMetadataKind;
+    cfa: {
+        register: Extract<NativeUnwindRegister, "sp" | "x29">;
+        offset: number;
+    };
+    returnAddress: {
+        location: "register";
+        register: Extract<NativeUnwindRegister, "x30">;
+    } | {
+        location: "cfa-relative";
+        offset: number;
+    };
+}
+interface NativeUnwindStackWord {
+    address: string;
+    value: string;
+}
+interface NativeUnwindFrameDiscoveryRequest {
+    threadId: string;
+    stackMapping: string;
+    sourceRegisters: NativeRegisterState;
+    rules: NativeUnwindFrameRule[];
+    stackWords: NativeUnwindStackWord[];
+}
+interface NativeEhFrameTextParseRequest {
+    readelfFrames: string;
+    mapping: string;
+    functionName: string;
+    pc: string;
+    loadBias?: string;
+}
+interface NativeEhFrameTextParseResult {
+    rules: NativeUnwindFrameRule[];
+    refusals: NativeProcessImageRefusal[];
+}
+interface NativeDiscoveredUnwindFrame {
+    id: string;
+    functionName: string;
+    sourcePc: string;
+    sourceSp: string;
+    cfa: string;
+    returnAddress: string;
+    returnAddressSlot?: string;
+    metadata: NativeUnwindMetadataKind;
+    stackFrame: NativeStackFrame;
+}
+interface NativeUnwindFrameDiscoveryResult {
+    frames: NativeDiscoveredUnwindFrame[];
+    refusals: NativeProcessImageRefusal[];
+}
+declare function discoverNativeUnwindFrames(request: NativeUnwindFrameDiscoveryRequest): NativeUnwindFrameDiscoveryResult;
+declare function parseNativeEhFrameText(request: NativeEhFrameTextParseRequest): NativeEhFrameTextParseResult;
+declare function nativeUnwindReturnAddressSlot(options: {
+    rule: NativeUnwindFrameRule;
+    sourceRegisters: NativeArm64Registers;
+}): string | undefined;
+/** Target-native unwind matching for real utility continuation planning. */
+type NativeTargetUnwindRegister = "rsp" | "rbp" | "rip" | "rbx" | "r12" | "r13" | "r14" | "r15";
+interface NativeTargetUnwindFrameRule {
+    id: string;
+    functionName: string;
+    mapping: string;
+    pcStart: string;
+    pcEnd: string;
+    metadata: NativeUnwindMetadataKind;
+    cfa: {
+        register: Extract<NativeTargetUnwindRegister, "rsp" | "rbp">;
+        offset: number;
+    };
+    returnAddress: {
+        location: "cfa-relative";
+        offset: number;
+    };
+    calleeSaved?: Array<{
+        register: Exclude<NativeTargetUnwindRegister, "rsp" | "rip">;
+        location: "same-value" | "cfa-relative";
+        offset?: number;
+    }>;
+}
+interface NativeTargetEhFrameTextParseRequest {
+    readelfFrames: string;
+    mapping: string;
+    functionName: string;
+    targetAddress: string;
+    loadBias?: string;
+}
+interface NativeTargetEhFrameTextParseResult {
+    rules: NativeTargetUnwindFrameRule[];
+    refusals: NativeProcessImageRefusal[];
+}
+type NativeTargetCalleeSavedPolicy = "strict" | "record";
+interface NativeTargetUnwindMatchRequest {
+    sourceFrame: NativeDiscoveredUnwindFrame;
+    targetAddress: string;
+    targetRules: NativeTargetUnwindFrameRule[];
+    calleeSavedPolicy?: NativeTargetCalleeSavedPolicy;
+}
+interface NativeTargetCalleeSavedSlot {
+    register: Exclude<NativeTargetUnwindRegister, "rsp" | "rip">;
+    offset: number;
+}
+interface NativeTargetUnwindFrameMatch {
+    sourceFrameId: string;
+    targetRule: NativeTargetUnwindFrameRule;
+    targetAddress: string;
+    targetReturnAddressSlotOffset: number;
+    targetCalleeSavedSlots?: NativeTargetCalleeSavedSlot[];
+    preservesReturnContract: true;
+}
+interface NativeTargetUnwindMatchResult {
+    matches: NativeTargetUnwindFrameMatch[];
+    refusals: NativeProcessImageRefusal[];
+}
+declare function parseNativeTargetEhFrameText(request: NativeTargetEhFrameTextParseRequest): NativeTargetEhFrameTextParseResult;
+declare function matchNativeTargetUnwindFrame(request: NativeTargetUnwindMatchRequest): NativeTargetUnwindMatchResult;
+/** Target-native frame-state materialization planning. */
+type NativeTargetFrameStateRegister = Exclude<NativeTargetUnwindRegister, "rsp" | "rip">;
+type NativeTargetFrameStateValueSource = "target-register" | "synthetic-target-caller";
+interface NativeSyntheticTargetCallerFrameStatePolicy {
+    mode: "abi-neutral-sentinel";
+    value?: string;
+}
+interface NativeTargetFrameRegisterValue {
+    register: NativeTargetFrameStateRegister;
+    value: string;
+    source: NativeTargetFrameStateValueSource;
+}
+interface NativeTargetFrameStateRequirement {
+    sourceFrameId: string;
+    targetAddress: string;
+    register: NativeTargetFrameStateRegister;
+    slot: NativeTargetCalleeSavedSlot;
+}
+interface NativeTargetFrameStateMaterialization {
+    requirement: NativeTargetFrameStateRequirement;
+    value: string;
+    valueSource: NativeTargetFrameStateValueSource;
+}
+interface NativeTargetFrameStateMaterializationRequest {
+    targetUnwind: NativeTargetUnwindMatchResult;
+    registerValues?: NativeTargetFrameRegisterValue[];
+    syntheticTargetCaller?: NativeSyntheticTargetCallerFrameStatePolicy;
+}
+interface NativeTargetFrameStateMaterializationResult {
+    requirements: NativeTargetFrameStateRequirement[];
+    materialized: NativeTargetFrameStateMaterialization[];
+    refusals: NativeProcessImageRefusal[];
+}
+declare function planNativeTargetFrameStateMaterialization(request: NativeTargetFrameStateMaterializationRequest): NativeTargetFrameStateMaterializationResult;
+/** Safety-ordered planner for first real utility native continuation attempts. */
+type NativeRealUtilityContinuationBoundary = "thread-state" | "resource-boundary" | "mapping-materialization" | "target-code-location" | "source-unwind" | "target-unwind" | "target-frame-state" | "ready";
+interface NativeRealUtilityContinuationRequest {
+    threadRefusals?: NativeProcessImageRefusal[];
+    resourceRefusals?: NativeProcessImageRefusal[];
+    mappingRefusals?: NativeProcessImageRefusal[];
+    codeLocations: NativeCodeLocationMapping[];
+    sourceFrames: NativeDiscoveredUnwindFrame[];
+    sourceFrameRefusals?: NativeProcessImageRefusal[];
+    sourceUnwindRequired?: boolean;
+    targetUnwind?: NativeTargetUnwindMatchResult;
+    targetUnwindMatched?: boolean;
+    targetFrameState?: NativeTargetFrameStateMaterializationResult;
+    targetFrameStateMaterialized?: boolean;
+}
+interface NativeRealUtilityContinuationPlan {
+    state: "ready" | "refused";
+    blockingBoundary: NativeRealUtilityContinuationBoundary;
+    blockingRefusal?: NativeProcessImageRefusal;
+    attemptedResume: false;
+    sourceTextReusedAsTargetCode: false;
+    sourceIsaEmulationUsed: false;
+    sidecarRuntimeUsed: false;
+}
+declare function planNativeRealUtilityContinuationAttempt(request: NativeRealUtilityContinuationRequest): NativeRealUtilityContinuationPlan;
+/** Actual captured real-utility continuation gate planner. */
+type NativeActualRealUtilityContinuationBoundary = NativeRealUtilityContinuationBoundary | "target-module-bytes" | "target-caller-frame" | "target-resume-execution";
+interface NativeActualRealUtilityContinuationRequest extends NativeRealUtilityContinuationRequest {
+    targetModuleByteRefusals?: NativeProcessImageRefusal[];
+    targetModuleBytesMaterialized?: boolean;
+    targetCallerFrameRefusals?: NativeProcessImageRefusal[];
+    targetCallerFrameMaterialized?: boolean;
+    targetResumeExecutionRefusals?: NativeProcessImageRefusal[];
+    targetResumeExecutionPlanned?: boolean;
+}
+interface NativeActualRealUtilityContinuationPlan {
+    state: "ready" | "refused";
+    blockingBoundary: NativeActualRealUtilityContinuationBoundary;
+    blockingRefusal?: NativeProcessImageRefusal;
+    attemptedResume: false;
+    sourceTextReusedAsTargetCode: false;
+    sourceIsaEmulationUsed: false;
+    sidecarRuntimeUsed: false;
+}
+declare function planNativeActualRealUtilityContinuationAttempt(request: NativeActualRealUtilityContinuationRequest): NativeActualRealUtilityContinuationPlan;
+/** Target module inventory for actual captured real-utility paths. */
+interface NativeActualTargetModuleInventoryRequest {
+    sourceModules: NativeRealUtilitySourceModule[];
+    targetArch: NativeProcessImageArchitecture;
+    targetRoot?: string;
+    explicitTargetModulePath?: string;
+    loadBiasBase?: string;
+}
+interface NativeActualTargetModuleInventoryResult {
+    targetModules: NativeRealUtilityTargetModule[];
+}
+declare function inventoryNativeActualTargetModules(request: NativeActualTargetModuleInventoryRequest): NativeActualTargetModuleInventoryResult;
+/** Synthetic target caller-frame planning for actual native continuations. */
+interface NativeSyntheticTargetCallerFramePolicy {
+    mode: "abi-neutral-sentinel";
+    returnAddress?: string;
+    stackPointer?: string;
+}
+interface NativeSyntheticTargetCallerFrameSlot {
+    register: NativeTargetFrameStateMaterialization["requirement"]["register"];
+    offset: number;
+    value: string;
+    valueSource: NativeTargetFrameStateMaterialization["valueSource"];
+}
+interface NativeSyntheticTargetCallerFrame {
+    id: string;
+    stackPointer: string;
+    returnAddress: string;
+    slots: NativeSyntheticTargetCallerFrameSlot[];
+    sourceTextReusedAsTargetCode: false;
+    sourceIsaEmulationUsed: false;
+    sidecarRuntimeUsed: false;
+}
+interface NativeSyntheticTargetCallerFramePlanRequest {
+    frameState: NativeTargetFrameStateMaterializationResult;
+    policy?: NativeSyntheticTargetCallerFramePolicy;
+}
+interface NativeSyntheticTargetCallerFramePlanResult {
+    state: "planned" | "refused";
+    frame?: NativeSyntheticTargetCallerFrame;
+    refusals: NativeProcessImageRefusal[];
+}
+declare function planNativeSyntheticTargetCallerFrame(request: NativeSyntheticTargetCallerFramePlanRequest): NativeSyntheticTargetCallerFramePlanResult;
+/** Target-native module byte materialization for real utility continuation. */
+interface NativeTargetModuleByteMaterializationRequest {
+    module: NativeRealUtilityTargetModule;
+    targetRoot?: string;
+    relativeStart: string;
+    sizeBytes: number;
+    fileOffset?: number;
+    expectedBuildId?: string;
+}
+interface NativeTargetModuleByteMaterialization {
+    moduleId: string;
+    path: string;
+    buildId: string;
+    relativeStart: string;
+    relativeEnd: string;
+    fileOffset: number;
+    sizeBytes: number;
+    bytes: Uint8Array;
+    sourceTextReusedAsTargetCode: false;
+}
+interface NativeTargetModuleByteMaterializationResult {
+    materialized?: NativeTargetModuleByteMaterialization;
+    refusals: NativeProcessImageRefusal[];
+}
+declare function materializeNativeTargetModuleBytes(request: NativeTargetModuleByteMaterializationRequest): NativeTargetModuleByteMaterializationResult;
+/** Target-native resume landing provenance and instruction-boundary audit. */
+type NativeTargetLandingInstructionBoundaryState = "known-valid" | "known-invalid" | "unknown";
+interface NativeTargetLandingModuleProvenance {
+    id: string;
+    logicalName: string;
+    path: string;
+    buildId: string;
+    loadBias: string;
+}
+interface NativeTargetLandingSectionProvenance {
+    name: string;
+    addressStart: string;
+    addressEnd: string;
+    fileOffsetStart: string;
+    fileOffsetEnd: string;
+    flags: string;
+    executable: boolean;
+    match: "address" | "file-offset";
+}
+interface NativeTargetLandingSymbolProvenance {
+    name: string;
+    address: string;
+    offset: string;
+    sizeBytes?: number;
+    type: string;
+    binding: string;
+    containsLanding: boolean;
+}
+interface NativeTargetLandingFdeProvenance {
+    id: string;
+    functionName: string;
+    pcStart: string;
+    pcEnd: string;
+    metadata: NativeTargetUnwindFrameRule["metadata"];
+}
+interface NativeTargetLandingDisassemblyProvenance {
+    tool: "objdump";
+    addressStart?: string;
+    addressEnd?: string;
+    lines: string[];
+    entryLine?: string;
+    previousLine?: string;
+    nextLine?: string;
+}
+interface NativeTargetLandingInstructionBoundary {
+    state: NativeTargetLandingInstructionBoundaryState;
+    reason: string;
+}
+interface NativeTargetResumeLandingProvenance {
+    id: string;
+    threadId: string;
+    sourceAddress: string;
+    sourceRva: string;
+    targetRva: string;
+    targetAddress: string;
+    targetRelativeAddress: string;
+    continuationStrategy: NativeRealUtilityResolvedLocation["continuationStrategy"];
+    semanticContinuation?: NativeRealUtilityResolvedLocation["semanticContinuation"];
+    syntheticContinuation?: NativeRealUtilityResolvedLocation["syntheticContinuation"];
+    targetFileOffset?: number;
+    targetInstructionBytes?: string;
+    targetModule: NativeTargetLandingModuleProvenance;
+    section?: NativeTargetLandingSectionProvenance;
+    symbol?: NativeTargetLandingSymbolProvenance;
+    fde?: NativeTargetLandingFdeProvenance;
+    disassembly?: NativeTargetLandingDisassemblyProvenance;
+    instructionBoundary: NativeTargetLandingInstructionBoundary;
+    refusal?: NativeProcessImageRefusal;
+}
+interface NativeTargetResumeLandingInspectionRequest {
+    location: NativeRealUtilityResolvedLocation;
+    targetBytes?: NativeTargetModuleByteMaterialization;
+    targetUnwindMatches?: NativeTargetUnwindFrameMatch[];
+    readelfSections?: string;
+    readelfSymbols?: string;
+    objdumpDisassembly?: string;
+    disassemblyAddressStart?: string;
+    disassemblyAddressEnd?: string;
+}
+declare function inspectNativeTargetResumeLanding(request: NativeTargetResumeLandingInspectionRequest): NativeTargetResumeLandingProvenance;
+declare function nativeTargetResumeLandingRefusals(provenances: NativeTargetResumeLandingProvenance[]): NativeProcessImageRefusal[];
+/** Target-native resume execution planning for actual utility continuations. */
+type NativeTargetResumeExecutionMode = "planned-not-executed";
+type NativeTargetResumeExecutor = "native-resume-trampoline";
+type NativeTargetResumeExecutionAttemptStatus = "returned" | "faulted" | "exited";
+type NativeTargetResumeFaultBoundary = "target-resume-fault-state";
+interface NativeTargetResumeFaultRegisters {
+    rax?: string;
+    rbx?: string;
+    rcx?: string;
+    rdx?: string;
+    rsi?: string;
+    rdi?: string;
+    rbp?: string;
+    rsp?: string;
+    r8?: string;
+    r9?: string;
+    r10?: string;
+    r11?: string;
+    r12?: string;
+    r13?: string;
+    r14?: string;
+    r15?: string;
+}
+interface NativeTargetResumeFaultClassification {
+    boundary: NativeTargetResumeFaultBoundary;
+    refusal: NativeProcessImageRefusal;
+    signal?: string;
+    faultAddress?: string;
+    targetInstructionPointer?: string;
+    targetInstructionBytes?: string;
+    registers?: NativeTargetResumeFaultRegisters;
+    attemptedResume: true;
+    migrationCompleted: false;
+}
+interface NativeTargetResumeFaultClassificationResult {
+    state: "classified" | "not-faulted" | "unattempted";
+    classification?: NativeTargetResumeFaultClassification;
+    refusals: NativeProcessImageRefusal[];
+}
+interface NativeTargetResumeFaultClassificationOptions {
+    landingProvenance?: NativeTargetResumeLandingProvenance[];
+}
+interface NativeTargetResumeExecutionAttempt {
+    status: NativeTargetResumeExecutionAttemptStatus;
+    targetArch: "amd64";
+    entryAddress: string;
+    stackPointer: string;
+    targetBytesStart: string;
+    targetBytesEnd: string;
+    targetInstructionPointer?: string;
+    targetInstructionBytes?: string;
+    registers?: NativeTargetResumeFaultRegisters;
+    signal?: string;
+    signalNumber?: number;
+    faultAddress?: string;
+    returnValue?: string;
+    exitStatus?: number;
+    instructionPointerInTargetBytes: boolean;
+    attemptedResume: true;
+    sourceTextReusedAsTargetCode: false;
+    sourceIsaEmulationUsed: false;
+    sidecarRuntimeUsed: false;
+}
+interface NativeTargetResumeExecutionPlan {
+    mode: NativeTargetResumeExecutionMode;
+    executor: NativeTargetResumeExecutor;
+    targetArch: "amd64";
+    entryAddress: string;
+    stackPointer: string;
+    callerFrameId: string;
+    targetModuleByteModules: string[];
+    attemptedResume: false;
+    sourceTextReusedAsTargetCode: false;
+    sourceIsaEmulationUsed: false;
+    sidecarRuntimeUsed: false;
+}
+interface NativeTargetResumeExecutionPlanRequest {
+    codeLocations: NativeCodeLocationMapping[];
+    targetModuleBytes: NativeTargetModuleByteMaterialization[];
+    callerFrame?: NativeSyntheticTargetCallerFrame;
+}
+interface NativeTargetResumeExecutionPlanResult {
+    state: "planned" | "refused";
+    plan?: NativeTargetResumeExecutionPlan;
+    refusals: NativeProcessImageRefusal[];
+}
+declare function planNativeTargetResumeExecution(request: NativeTargetResumeExecutionPlanRequest): NativeTargetResumeExecutionPlanResult;
+declare function classifyNativeTargetResumeExecutionAttempt(attempt: NativeTargetResumeExecutionAttempt | undefined, options?: NativeTargetResumeFaultClassificationOptions): NativeTargetResumeFaultClassificationResult;
+/** Process memory classification and relocation for native cross-ISA restore. */
+interface NativeMemoryWord {
+    mapping: string;
+    offset: number;
+    sourceValue: string;
+    classification: "integer" | "pointer" | "code-pointer" | "thread-pointer" | "ambiguous";
+    targetValue?: string;
+    proof: "dwarf" | "sidecar" | "symbol" | "policy" | "none";
+}
+interface NativeMemoryTranslationRequest {
+    words: NativeMemoryWord[];
+}
+interface NativeMemoryTranslationResult {
+    relocations: NativeMemoryRelocation[];
+    preservedWords: number;
+    refusals: NativeProcessImageRefusal[];
+}
+declare function translateNativeMemory(request: NativeMemoryTranslationRequest): NativeMemoryTranslationResult;
+/** Debug-metadata guided native memory pointer classification. */
+type NativeDebugMemoryMetadataSource = "dwarf" | "symbol" | "none";
+type NativeDebugMemoryFieldClassification = "integer" | "pointer" | "code-pointer" | "unknown";
+interface NativeDebugMemoryField {
+    name: string;
+    offset: number;
+    sizeBytes: number;
+    sourceValue: string;
+    classification: NativeDebugMemoryFieldClassification;
+    metadata: NativeDebugMemoryMetadataSource;
+}
+interface NativeDebugMemoryObject {
+    id: string;
+    mapping: string;
+    sourceStart: string;
+    mappingOffset?: number;
+    fields: NativeDebugMemoryField[];
+}
+interface NativeDebugAddressTranslation {
+    id: string;
+    sourceStart: string;
+    sourceEnd: string;
+    targetStart: string;
+}
+interface NativeDebugMemoryPointerClassificationRequest {
+    objects: NativeDebugMemoryObject[];
+    addressTranslations: NativeDebugAddressTranslation[];
+    codeLocations?: NativeCodeLocationMapping[];
+}
+interface NativeDebugMemoryPointerClassificationResult {
+    words: NativeMemoryWord[];
+    preservedWords: number;
+    relocatableWords: number;
+    refusals: NativeProcessImageRefusal[];
+}
+declare function classifyNativeDebugMemoryPointers(request: NativeDebugMemoryPointerClassificationRequest): NativeDebugMemoryPointerClassificationResult;
+/** Target mapping materialization planning for native process images. */
+type NativeMappingMaterializationAction = "map-target-file" | "copy-captured-bytes" | "recreate" | "omit" | "refuse";
+interface NativeMappingMaterializationStep {
+    mapping: string;
+    kind: NativeMemoryMapping["kind"];
+    action: NativeMappingMaterializationAction;
+    targetStart?: string;
+    sizeBytes: number;
+    permissions: NativeMemoryMapping["permissions"];
+    targetFile?: {
+        path: string;
+        offset: number;
+        buildId?: string;
+        sha256?: string;
+    };
+    sourceBytes?: {
+        offset: number;
+        sizeBytes: number;
+    };
+    refusal?: NativeProcessImageRefusal;
+}
+interface NativeMappingMaterializationRequest {
+    mappings: NativeMemoryMapping[];
+    memorySizeBytes: number;
+    targetFileBuildIds?: Record<string, string>;
+}
+interface NativeMappingMaterializationResult {
+    steps: NativeMappingMaterializationStep[];
+    refusals: NativeProcessImageRefusal[];
+}
+declare function planNativeMappingMaterialization(request: NativeMappingMaterializationRequest): NativeMappingMaterializationResult;
+/** Register/TLS/syscall-state translation rules for native process images. */
+interface NativeRegisterTranslationRequest {
+    sourceArch: NativeProcessImageArchitecture;
+    targetArch: NativeProcessImageArchitecture;
+    threads: NativeThreadState[];
+    continuations: Record<string, NativeContinuationTarget>;
+}
+interface NativeContinuationTarget {
+    sourcePc: string;
+    targetIp: string;
+    targetSp: string;
+    targetTls: string;
+    targetRegisterOverrides?: Partial<Pick<NativeAmd64Registers, "rax" | "rbx" | "rcx" | "rdx" | "rsi" | "rdi" | "rbp" | "r8" | "r9" | "r10" | "r11" | "r12" | "r13" | "r14" | "r15">>;
+}
+interface NativeRegisterTranslationResult {
+    sourceArch: NativeProcessImageArchitecture;
+    targetArch: NativeProcessImageArchitecture;
+    threads: NativeThreadTranslation[];
+    refusals: NativeProcessImageRefusal[];
+}
+declare function translateNativeRegisterState(request: NativeRegisterTranslationRequest): NativeRegisterTranslationResult;
+/** Kernel-resource recipes and refusals for native process restore. */
+interface NativeInheritedStdioPolicy {
+    mode: "inherit-output" | "require-explicit";
+}
+interface NativeResourceTranslationRequest {
+    resources: NativeProcessResource[];
+    hostCapabilities?: string[];
+    inheritedStdio?: NativeInheritedStdioPolicy;
+}
+interface NativeResourceTranslationResult {
+    resources: NativeProcessResource[];
+    refusals: NativeProcessImageRefusal[];
+}
+declare function translateNativeResources(request: NativeResourceTranslationRequest): NativeResourceTranslationResult;
 /**
  * Bytes of memory the OS reports as available right now. "Available"
  * is the loose union the kernel exposes:
@@ -2233,4 +3914,4 @@ interface BalloonCounters {
  */
 declare function readBalloonStats(path: string): BalloonCounters | null;
-export { type AttachOptions, type BalloonCounters, BootError, type BootOptions, CacheError, type CheckForkBackpressureOptions, type ChunkLogEvent, DEFAULT_FREE_MEMORY_THRESHOLD, type EnsureMountDiskImageOptions, type EnsureMountDiskImageResult, type EnsureMountDiskUpperOptions, type EnsureMountDiskUpperResult, type EnsureRootfsImageOptions, ErrorCode, ExecError, FilesError, type ForkOptions, type GcResult, GvproxyError, type ImageConfig, type LogEvent, MachinenError, type MachinenErrorOptions, type MemoryStats, MkinitramfsError, MountError, type OnLog, type OnOutputListener, type PackBundleOptions, type PackMinimalOptions, type PackRootfsOptions, type PackTinyBundleOptions, type PackWorkspaceOptions, ParseError, type PhaseLogEvent, type PidStatus, ProvisionError, type ProvisionOptions, type ProvisionResult, type PtyBootOptions, type PtyVmHandle, type RegistryEntry, RegistryError, type RestoreOptions, type RssTarget, type RunGcOptions, STATS_FILE_SIZE, type SandboxEntry, SandboxError, Sandboxes, SecretsError, type SnapshotEngine, SnapshotError, type SnapshotMeta, type SnapshotOptions, type SnapshotResult, Supervisor, type SupervisorOptions, type VmHandle, VsockExec, type VsockExecOptions, type VsockExecPtyHandle, type VsockExecPtyOptions, type VsockExecPtyResult, type VsockExecResult, VsockFiles, type VsockFilesOptions, VsockSecrets, type VsockSecretsOptions, VsockWinsize, type VsockWinsizeOptions, WinsizeError, type WriteFileOptions, _internal, attach, autoSizeMemoryMib, boot, bootPty, bootSnapshotPath, buildMachinenConfig, buildWriteFileCmd, buildWriteFileCmds, checkForkBackpressure, detachedLogRoot, ensureMountDiskImage, ensureMountDiskUpper, ensureRootfsImage, formatMachinenError, isMachinenError, list, markMountDiskImageClean, markRootfsImageClean, measureFirstByte, packBundle as mkinitramfsBundle, cli as mkinitramfsCli, packMinimal as mkinitramfsMinimal, packRootfs as mkinitramfsRootfs, packTinyBundle as mkinitramfsTinyBundle, packWorkspace as mkinitramfsWorkspace, mountdiskImgCacheDir, provision, readBalloonStats, readHostFreeBytes, readHostRssBytes, readHostRssBytesMulti, readHostTotalBytes, registryRoot, resolveBaseDtb, resolveBaseKernel, resolveBaseRootfs, resolveMke2fs, resolveMksquashfs, resolveVmmBinary, restore, rootfsImgCacheDir, runGc, validatePid, warmImageConfigCache, writeBootSnapshot };
+export { type AttachOptions, type BalloonCounters, BootError, type BootOptions, CacheError, type CheckForkBackpressureOptions, type ChunkLogEvent, DEFAULT_FREE_MEMORY_THRESHOLD, type EnsureMountDiskImageOptions, type EnsureMountDiskImageResult, type EnsureMountDiskUpperOptions, type EnsureMountDiskUpperResult, type EnsureRootfsImageOptions, ErrorCode, ExecError, FilesError, type ForkOptions, type GcResult, GvproxyError, type ImageConfig, type LogEvent, MachinenError, type MachinenErrorOptions, type MemoryStats, MkinitramfsError, MountError, NATIVE_PROCESS_IMAGE_FILES, NATIVE_PROCESS_IMAGE_FORMAT_VERSION, NATIVE_SYNTHETIC_PPOLL_SYSCALL_BASE, NATIVE_SYNTHETIC_PPOLL_SYSCALL_BUILD_ID, NATIVE_SYNTHETIC_PPOLL_SYSCALL_LOGICAL_NAME, NATIVE_SYNTHETIC_PPOLL_SYSCALL_PATH, NATIVE_SYNTHETIC_SLEEP_SYSCALL_BASE, NATIVE_SYNTHETIC_SLEEP_SYSCALL_BUILD_ID, NATIVE_SYNTHETIC_SLEEP_SYSCALL_FAILURE_EXIT_STATUS, NATIVE_SYNTHETIC_SLEEP_SYSCALL_LOGICAL_NAME, NATIVE_SYNTHETIC_SLEEP_SYSCALL_PATH, NATIVE_SYNTHETIC_SLEEP_SYSCALL_RESTART_EXIT_STATUS, NATIVE_SYNTHETIC_SLEEP_SYSCALL_UNMODELED_RETURN_EXIT_STATUS, NATIVE_SYNTHETIC_SYSCALL_RESTART_EXIT_STATUS, NATIVE_SYNTHETIC_SYSCALL_UNMODELED_RETURN_EXIT_STATUS, type NativeActivePpollTimeoutContinuation, type NativeActiveSleepTimerContinuation, type NativeActiveSyscallClass, type NativeActiveSyscallClassification, type NativeActiveSyscallClassificationResult, type NativeActiveSyscallContinuation, type NativeActiveSyscallPolicyOptions, type NativeActualRealUtilityContinuationBoundary, type NativeActualRealUtilityContinuationPlan, type NativeActualRealUtilityContinuationRequest, type NativeActualTargetModuleInventoryRequest, type NativeActualTargetModuleInventoryResult, type NativeAmd64Registers, type NativeArm64Registers, type NativeCodeLocationMapping, type NativeCodeMapRequest, type NativeCodeMapResult, type NativeCodeModule, type NativeCodeSymbol, type NativeContinuationTarget, type NativeDebugAddressTranslation, type NativeDebugMemoryField, type NativeDebugMemoryFieldClassification, type NativeDebugMemoryMetadataSource, type NativeDebugMemoryObject, type NativeDebugMemoryPointerClassificationRequest, type NativeDebugMemoryPointerClassificationResult, type NativeDiscoveredUnwindFrame, type NativeEhFrameTextParseRequest, type NativeEhFrameTextParseResult, type NativeInheritedStdioPolicy, type NativeMappingMaterializationAction, type NativeMappingMaterializationRequest, type NativeMappingMaterializationResult, type NativeMappingMaterializationStep, type NativeMemoryMapping, type NativeMemoryMappingKind, type NativeMemoryRelocation, type NativeMemoryTranslationRequest, type NativeMemoryTranslationResult, type NativeMemoryWord, type NativeModeledPpollTimeoutRemainingTime, type NativeModeledPpollTimeoutState, type NativeModeledSleepTimerRemainingTime, type NativeModeledSleepTimerState, type NativePollTimeoutSyscallPolicy, type NativePpollTimeoutModelResult, type NativeProcessImageArchitecture, type NativeProcessImageDocumentInput, type NativeProcessImageDocuments, type NativeProcessImageJsonSchema, type NativeProcessImageManifest, type NativeProcessImageMappings, type NativeProcessImageRefusal, type NativeProcessImageRefusalCode, type NativeProcessImageRefusals, type NativeProcessImageResources, type NativeProcessImageThreads, type NativeProcessImageTranslation, NativeProcessImageValidationError, type NativeProcessResource, type NativeProcessResourceKind, type NativeRealUtilityCodeLocationRequest, type NativeRealUtilityCodeLocationResult, type NativeRealUtilityContinuationBoundary, type NativeRealUtilityContinuationPlan, type NativeRealUtilityContinuationRequest, type NativeRealUtilityContinuationStrategy, type NativeRealUtilityDeferredActiveSyscallLanding, type NativeRealUtilityExecutableRange, type NativeRealUtilityModuleExpectation, type NativeRealUtilityResolvedLocation, type NativeRealUtilitySemanticContinuationSelection, type NativeRealUtilitySourceModule, type NativeRealUtilitySyntheticContinuationSelection, type NativeRealUtilityTargetContinuationKind, type NativeRealUtilityTargetModule, type NativeRealUtilityTargetSemanticContinuation, type NativeRegisterState, type NativeRegisterTranslationRequest, type NativeRegisterTranslationResult, type NativeResourceTranslationRequest, type NativeResourceTranslationResult, type NativeSleepTimerDuration, type NativeSleepTimerModelResult, type NativeSleepTimerSyscallPolicy, type NativeStackFrame, type NativeStackSlot, type NativeStackTranslationRequest, type NativeStackTranslationResult, type NativeSyntheticContinuationByteEncoding, type NativeSyntheticContinuationByteSource, type NativeSyntheticContinuationCompletionDescriptor, type NativeSyntheticContinuationFailureExitBucket, type NativeSyntheticContinuationFailureExitBucketCondition, type NativeSyntheticContinuationFailureKind, type NativeSyntheticContinuationProvenanceSource, type NativeSyntheticContinuationRegister, type NativeSyntheticContinuationRegisterSetupAbi, type NativeSyntheticContinuationRegisterSetupDescriptor, type NativeSyntheticContinuationStackSetupDescriptor, type NativeSyntheticContinuationSyscallAbi, type NativeSyntheticContinuationTargetArch, type NativeSyntheticPpollCompletionMode, type NativeSyntheticPpollSyscallArgumentProvenance, type NativeSyntheticPpollSyscallCompletionProvenance, type NativeSyntheticPpollSyscallContinuation, type NativeSyntheticPpollSyscallContinuationProvenance, type NativeSyntheticPpollSyscallContinuationRequest, type NativeSyntheticPpollSyscallContinuationResult, type NativeSyntheticPpollSyscallProvenanceSource, type NativeSyntheticPpollSyscallRegisterSetupProvenance, type NativeSyntheticPpollSyscallStackSetupProvenance, type NativeSyntheticSleepCompletionMode, type NativeSyntheticSleepSyscallArgumentProvenance, type NativeSyntheticSleepSyscallCompletionProvenance, type NativeSyntheticSleepSyscallContinuation, type NativeSyntheticSleepSyscallContinuationProvenance, type NativeSyntheticSleepSyscallContinuationRequest, type NativeSyntheticSleepSyscallContinuationResult, type NativeSyntheticSleepSyscallProvenanceSource, type NativeSyntheticSleepSyscallRegisterSetupProvenance, type NativeSyntheticSleepSyscallStackSetupProvenance, type NativeSyntheticSyscallArgumentDescriptor, type NativeSyntheticSyscallContinuationDescriptor, type NativeSyntheticSyscallContinuationDescriptorPayload, type NativeSyntheticSyscallContinuationDescriptorRequest, type NativeSyntheticSyscallDescriptor, type NativeSyntheticTargetCallerFrame, type NativeSyntheticTargetCallerFramePlanRequest, type NativeSyntheticTargetCallerFramePlanResult, type NativeSyntheticTargetCallerFramePolicy, type NativeSyntheticTargetCallerFrameSlot, type NativeSyntheticTargetCallerFrameStatePolicy, type NativeTargetCalleeSavedPolicy, type NativeTargetCalleeSavedSlot, type NativeTargetEhFrameTextParseRequest, type NativeTargetEhFrameTextParseResult, type NativeTargetFrameRegisterValue, type NativeTargetFrameStateMaterialization, type NativeTargetFrameStateMaterializationRequest, type NativeTargetFrameStateMaterializationResult, type NativeTargetFrameStateRegister, type NativeTargetFrameStateRequirement, type NativeTargetFrameStateValueSource, type NativeTargetLandingDisassemblyProvenance, type NativeTargetLandingFdeProvenance, type NativeTargetLandingInstructionBoundary, type NativeTargetLandingInstructionBoundaryState, type NativeTargetLandingModuleProvenance, type NativeTargetLandingSectionProvenance, type NativeTargetLandingSymbolProvenance, type NativeTargetModuleByteMaterialization, type NativeTargetModuleByteMaterializationRequest, type NativeTargetModuleByteMaterializationResult, type NativeTargetResumeExecutionAttempt, type NativeTargetResumeExecutionAttemptStatus, type NativeTargetResumeExecutionMode, type NativeTargetResumeExecutionPlan, type NativeTargetResumeExecutionPlanRequest, type NativeTargetResumeExecutionPlanResult, type NativeTargetResumeExecutor, type NativeTargetResumeFaultBoundary, type NativeTargetResumeFaultClassification, type NativeTargetResumeFaultClassificationOptions, type NativeTargetResumeFaultClassificationResult, type NativeTargetResumeFaultRegisters, type NativeTargetResumeLandingInspectionRequest, type NativeTargetResumeLandingProvenance, type NativeTargetUnwindFrameMatch, type NativeTargetUnwindFrameRule, type NativeTargetUnwindMatchRequest, type NativeTargetUnwindMatchResult, type NativeTargetUnwindRegister, type NativeThreadState, type NativeThreadTranslation, type NativeUnwindFrameDiscoveryRequest, type NativeUnwindFrameDiscoveryResult, type NativeUnwindFrameRule, type NativeUnwindMetadataKind, type NativeUnwindRegister, type NativeUnwindStackWord, type OnLog, type OnOutputListener, type PackBundleOptions, type PackMinimalOptions, type PackRootfsOptions, type PackTinyBundleOptions, type PackWorkspaceOptions, ParseError, type PhaseLogEvent, type PidStatus, ProvisionError, type ProvisionOptions, type ProvisionResult, type PtyBootOptions, type PtyVmHandle, type RegistryEntry, RegistryError, type RestoreOptions, type RssTarget, type RunGcOptions, STATS_FILE_SIZE, type SandboxEntry, SandboxError, Sandboxes, SecretsError, type SnapshotEngine, SnapshotError, type SnapshotFileIdentity, type SnapshotMeta, type SnapshotOptions, type SnapshotResult, Supervisor, type SupervisorOptions, type VmHandle, type VmstateBackend, type VmstateSnapshotMeta, VsockExec, type VsockExecOptions, type VsockExecPtyHandle, type VsockExecPtyOptions, type VsockExecPtyResult, type VsockExecResult, VsockFiles, type VsockFilesOptions, VsockSecrets, type VsockSecretsOptions, VsockWinsize, type VsockWinsizeOptions, WinsizeError, type WriteFileOptions, _internal, assertNativeProcessImageDocuments, attach, autoSizeMemoryMib, boot, bootPty, bootSnapshotPath, buildMachinenConfig, buildNativeCodeMap, buildNativeSyntheticPpollSyscallContinuation, buildNativeSyntheticSleepSyscallContinuation, buildNativeSyntheticSyscallContinuationDescriptor, buildWriteFileCmd, buildWriteFileCmds, checkForkBackpressure, classifyNativeActiveSyscalls, classifyNativeDebugMemoryPointers, classifyNativeTargetResumeExecutionAttempt, classifyNativeThreadSyscall, detachedLogRoot, discoverNativeUnwindFrames, ensureMountDiskImage, ensureMountDiskUpper, ensureRootfsImage, formatMachinenError, inspectNativeTargetResumeLanding, inventoryNativeActualTargetModules, inventoryNativeSourceCodeModules, isMachinenError, isNativeProcessImageBundle, list, markMountDiskImageClean, markRootfsImageClean, matchNativeTargetUnwindFrame, materializeNativeTargetModuleBytes, measureFirstByte, packBundle as mkinitramfsBundle, cli as mkinitramfsCli, packMinimal as mkinitramfsMinimal, packRootfs as mkinitramfsRootfs, packTinyBundle as mkinitramfsTinyBundle, packWorkspace as mkinitramfsWorkspace, modelNativePpollTimeoutState, modelNativeSleepTimerState, mountdiskImgCacheDir, nativeProcessImageArchitectures, nativeProcessImageRefusalCodes, nativeProcessImageSchemas, nativeSyntheticContinuationBytesHex, nativeSyntheticContinuationBytesSha256, nativeSyntheticContinuationDescriptorSha256, nativeSyntheticExitProcessSuffix, nativeSyntheticRestartLikeErrnos, nativeSyntheticSyscallFailureExitBuckets, nativeTargetResumeLandingRefusals, nativeUnwindReturnAddressSlot, parseNativeEhFrameText, parseNativeTargetEhFrameText, planNativeActualRealUtilityContinuationAttempt, planNativeMappingMaterialization, planNativeRealUtilityContinuationAttempt, planNativeSyntheticTargetCallerFrame, planNativeTargetFrameStateMaterialization, planNativeTargetResumeExecution, provision, readBalloonStats, readHostFreeBytes, readHostRssBytes, readHostRssBytesMulti, readHostTotalBytes, registryRoot, resolveBaseDtb, resolveBaseKernel, resolveBaseRootfs, resolveMke2fs, resolveMksquashfs, resolveNativeRealUtilityCodeLocations, resolveVmmBinary, restore, rootfsImgCacheDir, runGc, translateNativeMemory, translateNativeRegisterState, translateNativeResources, translateNativeStack, validateNativeProcessImageBundle, validateNativeProcessImageDocuments, validatePid, warmImageConfigCache, writeBootSnapshot };