@themoltnet/pi-extension 0.22.5 → 0.23.1

package/dist/index.d.ts

@@ -718,9 +718,8 @@ declare const Task: Type.TObject<{
     acceptedAttemptN: Type.TUnion<[Type.TNumber, Type.TNull]>;
     claimCondition: Type.TUnion<[Type.TUnsafe<ClaimCondition>, Type.TNull]>;
     requiredExecutorTrustLevel: Type.TUnion<[Type.TLiteral<"selfDeclared">, Type.TLiteral<"agentSigned">, Type.TLiteral<"releaseVerifiedTool">, Type.TLiteral<"sandboxAttested">]>;
-    allowedExecutors: Type.TArray<Type.TObject<{
-        provider: Type.TString;
-        model: Type.TString;
+    allowedProfiles: Type.TArray<Type.TObject<{
+        profileId: Type.TString;
     }>>;
     status: Type.TUnion<[Type.TLiteral<"waiting">, Type.TLiteral<"queued">, Type.TLiteral<"dispatched">, Type.TLiteral<"running">, Type.TLiteral<"completed">, Type.TLiteral<"failed">, Type.TLiteral<"cancelled">, Type.TLiteral<"expired">]>;
     queuedAt: Type.TString;
@@ -844,6 +843,12 @@ declare interface TaskReporter {
      * cancellation has been observed. Null until `cancelSignal` aborts.
      */
     readonly cancelReason: string | null;
+    /**
+     * Request local cancellation of the in-flight task. Runtime shutdown uses
+     * this to trip the same executor-facing signal as proposer cancellation,
+     * without waiting for the next server heartbeat.
+     */
+    requestCancel?(reason: string): void;
 }
 
 declare const TaskStatus: Type.TUnion<[Type.TLiteral<"waiting">, Type.TLiteral<"queued">, Type.TLiteral<"dispatched">, Type.TLiteral<"running">, Type.TLiteral<"completed">, Type.TLiteral<"failed">, Type.TLiteral<"cancelled">, Type.TLiteral<"expired">]>;
@@ -902,6 +907,8 @@ export declare interface VmConfig {
     extraAllowedHosts?: string[];
     /** Full sandbox config (vfs shadows, env overrides). */
     sandboxConfig?: SandboxConfig;
+    /** Abort resume/setup work, closing any live VM owned by resumeVm. */
+    signal?: AbortSignal;
 }
 
 export declare interface VmCredentials {

package/dist/index.js

@@ -1674,6 +1674,124 @@ var updateRenderedPack = (options) => (options.client ?? client).patch({
 	}
 });
 /**
+* List runtime profiles for the active team context.
+*/
+var listRuntimeProfiles = (options) => (options?.client ?? client).get({
+	security: [
+		{
+			scheme: "bearer",
+			type: "http"
+		},
+		{
+			name: "X-Moltnet-Session-Token",
+			type: "apiKey"
+		},
+		{
+			in: "cookie",
+			name: "ory_kratos_session",
+			type: "apiKey"
+		}
+	],
+	url: "/runtime-profiles",
+	...options
+});
+/**
+* Create a runtime profile for the active team context.
+*/
+var createRuntimeProfile = (options) => (options?.client ?? client).post({
+	security: [
+		{
+			scheme: "bearer",
+			type: "http"
+		},
+		{
+			name: "X-Moltnet-Session-Token",
+			type: "apiKey"
+		},
+		{
+			in: "cookie",
+			name: "ory_kratos_session",
+			type: "apiKey"
+		}
+	],
+	url: "/runtime-profiles",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options?.headers
+	}
+});
+/**
+* Delete one runtime profile.
+*/
+var deleteRuntimeProfile = (options) => (options.client ?? client).delete({
+	security: [
+		{
+			scheme: "bearer",
+			type: "http"
+		},
+		{
+			name: "X-Moltnet-Session-Token",
+			type: "apiKey"
+		},
+		{
+			in: "cookie",
+			name: "ory_kratos_session",
+			type: "apiKey"
+		}
+	],
+	url: "/runtime-profiles/{profileId}",
+	...options
+});
+/**
+* Get one runtime profile.
+*/
+var getRuntimeProfile = (options) => (options.client ?? client).get({
+	security: [
+		{
+			scheme: "bearer",
+			type: "http"
+		},
+		{
+			name: "X-Moltnet-Session-Token",
+			type: "apiKey"
+		},
+		{
+			in: "cookie",
+			name: "ory_kratos_session",
+			type: "apiKey"
+		}
+	],
+	url: "/runtime-profiles/{profileId}",
+	...options
+});
+/**
+* Update one runtime profile.
+*/
+var updateRuntimeProfile = (options) => (options.client ?? client).patch({
+	security: [
+		{
+			scheme: "bearer",
+			type: "http"
+		},
+		{
+			name: "X-Moltnet-Session-Token",
+			type: "apiKey"
+		},
+		{
+			in: "cookie",
+			name: "ory_kratos_session",
+			type: "apiKey"
+		}
+	],
+	url: "/runtime-profiles/{profileId}",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
+});
+/**
 * List tasks for a team with optional filters.
 */
 var listTasks = (options) => (options.client ?? client).get({
@@ -1788,6 +1906,32 @@ var listTaskAttempts = (options) => (options.client ?? client).get({
 	...options
 });
 /**
+* Claimant intentionally abandons this attempt (e.g. daemon shutdown). The attempt becomes aborted and the task requeues for another claim (or fails when retries are exhausted). Does NOT cancel the task.
+*/
+var abortTaskAttempt = (options) => (options.client ?? client).post({
+	security: [
+		{
+			scheme: "bearer",
+			type: "http"
+		},
+		{
+			name: "X-Moltnet-Session-Token",
+			type: "apiKey"
+		},
+		{
+			in: "cookie",
+			name: "ory_kratos_session",
+			type: "apiKey"
+		}
+	],
+	url: "/tasks/{id}/attempts/{n}/abort",
+	...options,
+	headers: {
+		"Content-Type": "application/json",
+		...options.headers
+	}
+});
+/**
 * Mark an attempt as completed with output.
 */
 var completeTask = (options) => (options.client ?? client).post({
@@ -4696,6 +4840,54 @@ function createRecoveryNamespace(context) {
 	};
 }
 //#endregion
+//#region ../sdk/src/namespaces/runtime-profiles.ts
+function createRuntimeProfilesNamespace(context) {
+	const { client, auth } = context;
+	return {
+		async list(options) {
+			return unwrapResult(await listRuntimeProfiles({
+				client,
+				auth,
+				headers: teamHeaders(options)
+			}));
+		},
+		async create(body, options) {
+			return unwrapResult(await createRuntimeProfile({
+				client,
+				auth,
+				headers: teamHeaders(options),
+				body
+			}));
+		},
+		async get(profileId) {
+			return unwrapResult(await getRuntimeProfile({
+				client,
+				auth,
+				path: { profileId }
+			}));
+		},
+		async update(profileId, body) {
+			return unwrapResult(await updateRuntimeProfile({
+				client,
+				auth,
+				path: { profileId },
+				body
+			}));
+		},
+		async delete(profileId) {
+			const result = await deleteRuntimeProfile({
+				client,
+				auth,
+				path: { profileId }
+			});
+			if (result.error) unwrapResult(result);
+		}
+	};
+}
+function teamHeaders(options) {
+	return options?.teamId ? { "x-moltnet-team-id": options.teamId } : void 0;
+}
+//#endregion
 //#region ../sdk/src/namespaces/signing-requests.ts
 function createSigningRequestsNamespace(context) {
 	const { client, auth } = context;
@@ -4816,6 +5008,17 @@ function createTasksNamespace(context) {
 				body
 			}));
 		},
+		async abortAttempt(id, n, body) {
+			return unwrapResult(await abortTaskAttempt({
+				client,
+				auth,
+				path: {
+					id,
+					n
+				},
+				body
+			}));
+		},
 		async cancel(id, body) {
 			return unwrapResult(await cancelTask({
 				client,
@@ -4999,6 +5202,7 @@ function createAgent(options) {
 		legreffier: createLegreffierNamespace(context),
 		problems: createProblemsNamespace(context),
 		teams: createTeamsNamespace(context),
+		runtimeProfiles: createRuntimeProfilesNamespace(context),
 		tasks: createTasksNamespace(context),
 		client,
 		getToken: () => tokenManager.getToken()
@@ -8310,6 +8514,63 @@ function pruneOldSnapshots(maxCached, currentDir) {
 	});
 }
 //#endregion
+//#region src/abort-utils.ts
+function throwIfAborted(signal, label) {
+	if (!signal?.aborted) return;
+	throw abortError(label, signal);
+}
+function abortError(label, signal) {
+	const reason = signal.reason;
+	const suffix = reason instanceof Error ? reason.message : reason === void 0 ? "aborted" : String(reason);
+	const err = /* @__PURE__ */ new Error(`${label} aborted: ${suffix}`);
+	err.name = "AbortError";
+	return err;
+}
+function cleanupLateResource(resourcePromise, opts) {
+	resourcePromise.then(async (resource) => {
+		try {
+			await opts.cleanup(resource);
+		} catch (err) {
+			opts.onCleanupError?.(err);
+		}
+	}, () => {});
+}
+async function abortableResource(opts) {
+	const { signal } = opts;
+	if (!signal) return opts.promise;
+	throwIfAborted(signal, opts.label);
+	const resourcePromise = Promise.resolve(opts.promise);
+	const abortPromise = new Promise((_, reject) => {
+		const abort = () => {
+			cleanupLateResource(resourcePromise, opts);
+			reject(abortError(opts.label, signal));
+		};
+		signal.addEventListener("abort", abort, { once: true });
+		resourcePromise.then(() => signal.removeEventListener("abort", abort), () => signal.removeEventListener("abort", abort));
+	});
+	return Promise.race([resourcePromise, abortPromise]);
+}
+async function delay(ms, signal, label) {
+	if (!signal) {
+		await new Promise((resolve) => {
+			setTimeout(resolve, ms);
+		});
+		return;
+	}
+	throwIfAborted(signal, label);
+	await new Promise((resolve, reject) => {
+		const listener = () => {
+			clearTimeout(timeout);
+			reject(abortError(label, signal));
+		};
+		const timeout = setTimeout(() => {
+			signal.removeEventListener("abort", listener);
+			resolve();
+		}, ms);
+		signal.addEventListener("abort", listener, { once: true });
+	});
+}
+//#endregion
 //#region src/vm-manager.ts
 /**
 * Memory-backed VFS mount used by the daemon to inject task-context
@@ -8426,23 +8687,33 @@ var BASE_ALLOWED_HOSTS = [
 * surface immediately rather than fall through to cryptic agent
 * errors later.
 */
-async function vmRun(vm, label, command) {
+async function vmRun(vm, label, command, signal) {
 	const wrapped = `set -eu\nset -o pipefail\n${command}`;
+	throwIfAborted(signal, `resume step "${label}"`);
 	const r = await vm.exec([
 		"sh",
 		"-c",
 		wrapped
-	]);
+	], { signal });
 	if (r.exitCode !== 0) {
 		const tail = [r.stderr, r.stdout].filter(Boolean).join("\n").slice(-800);
 		throw new Error(`resume step "${label}" failed (exit ${r.exitCode}):\n${tail}`);
 	}
 }
+function nonErrorMessage(err) {
+	if (typeof err === "string") return err;
+	try {
+		return JSON.stringify(err) ?? "unknown error";
+	} catch {
+		return "unknown error";
+	}
+}
 /**
 * Resume a VM from a checkpoint, inject credentials, configure egress +
 * TLS. Returns the managed VM handle.
 */
 async function resumeVm(config) {
+	throwIfAborted(config.signal, "VM resume");
 	const mainRepo = findMainWorktree();
 	const agentDir = path.join(mainRepo, ".moltnet", config.agentName);
 	const guestWorkspace = path.resolve(config.mountPath);
@@ -8486,24 +8757,33 @@ async function resumeVm(config) {
 	};
 	const resources = config.sandboxConfig?.resources;
 	const workspaceMode = config.workspaceMode ?? "shared_mount";
-	const vm = await VmCheckpoint.load(config.checkpointPath).resume({
-		httpHooks,
-		env: vmEnv,
-		...resources?.memory && { memory: resources.memory },
-		...resources?.cpus && { cpus: resources.cpus },
-		vfs: { mounts: {
-			[guestWorkspace]: workspaceProvider,
-			[GUEST_TASK_SKILLS_MOUNT]: new MemoryProvider()
-		} }
+	const vm = await abortableResource({
+		promise: VmCheckpoint.load(config.checkpointPath).resume({
+			httpHooks,
+			env: vmEnv,
+			...resources?.memory && { memory: resources.memory },
+			...resources?.cpus && { cpus: resources.cpus },
+			vfs: { mounts: {
+				[guestWorkspace]: workspaceProvider,
+				[GUEST_TASK_SKILLS_MOUNT]: new MemoryProvider()
+			} }
+		}),
+		signal: config.signal,
+		label: "VM resume",
+		cleanup: (resumedVm) => resumedVm.close(),
+		onCleanupError: (err) => {
+			const message = err instanceof Error ? err.message : String(err);
+			process.stderr.write(`[vm] aborted resume late vm.close() failed: ${message}\n`);
+		}
 	});
 	try {
-		await vm.exec(`sh -c '
+		await vmRun(vm, "TLS certificates", `
     cp /etc/gondolin/mitm/ca.crt /usr/local/share/ca-certificates/gondolin-mitm.crt
     update-ca-certificates 2>/dev/null
     cat /etc/gondolin/mitm/ca.crt >> /etc/ssl/certs/ca-certificates.crt
-  '`);
-		await vmRun(vm, "DNS resolvers", `printf 'nameserver 8.8.8.8\\nnameserver 1.1.1.1\\n' > /etc/resolv.conf`);
-		await vmRun(vm, "git safe.directory", `git config --system --add safe.directory '*'`);
+  `, config.signal);
+		await vmRun(vm, "DNS resolvers", `printf 'nameserver 8.8.8.8\\nnameserver 1.1.1.1\\n' > /etc/resolv.conf`, config.signal);
+		await vmRun(vm, "git safe.directory", `git config --system --add safe.directory '*'`, config.signal);
 		for (const [i, entry] of (config.sandboxConfig?.resumeCommands ?? []).entries()) {
 			if (!shouldRunResumeCommand(entry, { workspaceMode })) continue;
 			const { run, retries, backoffMs } = typeof entry === "string" ? {
@@ -8518,34 +8798,67 @@ async function resumeVm(config) {
 			const label = `resumeCommands[${i}]`;
 			let lastErr;
 			for (let attempt = 0; attempt <= retries; attempt++) try {
-				await vmRun(vm, label, run);
+				await vmRun(vm, label, run, config.signal);
 				lastErr = void 0;
 				break;
 			} catch (err) {
 				lastErr = err;
 				if (attempt === retries) break;
-				await new Promise((resolve) => {
-					setTimeout(resolve, (attempt + 1) * backoffMs);
-				});
+				await delay((attempt + 1) * backoffMs, config.signal, label);
 			}
-			if (lastErr) throw lastErr instanceof Error ? lastErr : new Error(String(lastErr));
+			if (lastErr) throw lastErr instanceof Error ? lastErr : new Error(nonErrorMessage(lastErr));
 		}
 		const vmSshDir = `${vmAgentDir}/ssh`;
-		await vm.exec(`mkdir -p ${vmAgentDir}/ssh /home/agent/.pi/agent`);
-		if (creds.piAuthJson !== null) await vm.fs.writeFile("/home/agent/.pi/agent/auth.json", creds.piAuthJson, { mode: 384 });
+		await vm.exec(`mkdir -p ${vmAgentDir}/ssh /home/agent/.pi/agent`, { signal: config.signal });
+		if (creds.piAuthJson !== null) await vm.fs.writeFile("/home/agent/.pi/agent/auth.json", creds.piAuthJson, {
+			mode: 384,
+			signal: config.signal
+		});
 		const vmMoltnetJson = rewriteMoltnetJsonPaths(creds.moltnetJson, vmAgentDir, vmSshDir, creds.githubAppPemFilename);
-		await vm.fs.writeFile(`${vmAgentDir}/moltnet.json`, vmMoltnetJson, { mode: 384 });
-		await vm.fs.writeFile(`${vmAgentDir}/env`, creds.agentEnvRaw, { mode: 384 });
+		await vm.fs.writeFile(`${vmAgentDir}/moltnet.json`, vmMoltnetJson, {
+			mode: 384,
+			signal: config.signal
+		});
+		await vm.fs.writeFile(`${vmAgentDir}/env`, creds.agentEnvRaw, {
+			mode: 384,
+			signal: config.signal
+		});
 		if (creds.gitconfig) {
 			const vmSigningKey = `${vmSshDir}/id_ed25519`;
 			const vmGitconfig = creds.gitconfig.replace(/signingKey\s*=\s*.+/g, `signingKey = ${vmSigningKey}`);
-			await vm.fs.writeFile(`${vmAgentDir}/gitconfig`, vmGitconfig, { mode: 420 });
+			await vm.fs.writeFile(`${vmAgentDir}/gitconfig`, vmGitconfig, {
+				mode: 420,
+				signal: config.signal
+			});
 		}
-		if (creds.sshPrivateKey) await vm.fs.writeFile(`${vmSshDir}/id_ed25519`, creds.sshPrivateKey, { mode: 384 });
-		if (creds.sshPublicKey) await vm.fs.writeFile(`${vmSshDir}/id_ed25519.pub`, creds.sshPublicKey, { mode: 420 });
-		if (creds.allowedSigners) await vm.fs.writeFile(`${vmSshDir}/allowed_signers`, creds.allowedSigners, { mode: 420 });
-		if (creds.githubAppPem && creds.githubAppPemFilename) await vm.fs.writeFile(`${vmAgentDir}/${creds.githubAppPemFilename}`, creds.githubAppPem, { mode: 384 });
-		await vm.exec("chown -R agent:agent /home/agent/.pi /home/agent/.moltnet");
+		if (creds.sshPrivateKey) await vm.fs.writeFile(`${vmSshDir}/id_ed25519`, creds.sshPrivateKey, {
+			mode: 384,
+			signal: config.signal
+		});
+		if (creds.sshPublicKey) await vm.fs.writeFile(`${vmSshDir}/id_ed25519.pub`, creds.sshPublicKey, {
+			mode: 420,
+			signal: config.signal
+		});
+		if (creds.allowedSigners) await vm.fs.writeFile(`${vmSshDir}/allowed_signers`, creds.allowedSigners, {
+			mode: 420,
+			signal: config.signal
+		});
+		if (creds.githubAppPem && creds.githubAppPemFilename) await vm.fs.writeFile(`${vmAgentDir}/${creds.githubAppPemFilename}`, creds.githubAppPem, {
+			mode: 384,
+			signal: config.signal
+		});
+		await vm.exec("chown -R agent:agent /home/agent/.pi /home/agent/.moltnet", { signal: config.signal });
+		const gitCredHelperPath = `${vmSshDir}/git-credential-moltnet`;
+		const credHelperScript = `#!/bin/sh
+echo "username=x-access-token"
+echo "password=$(moltnet github token --credentials ${vmSshDir}/moltnet.json)"
+`;
+		await vm.fs.writeFile(gitCredHelperPath, credHelperScript, {
+			mode: 493,
+			signal: config.signal
+		});
+		await vmRun(vm, "git credential helper", `git config --global credential.helper ${gitCredHelperPath} && \
+       git config --global url."https://github.com/".insteadOf "git@github.com:"`, config.signal);
 		return {
 			vm,
 			credentials: creds,
@@ -13157,6 +13470,170 @@ function validateRubricWeights(rubric) {
 	return null;
 }
 //#endregion
+//#region ../tasks/src/runtime-profiles.ts
+var RuntimeProfileName = String$1({
+	minLength: 1,
+	maxLength: 100,
+	pattern: "^[a-zA-Z0-9][a-zA-Z0-9_-]{0,99}$"
+});
+var RuntimeProfileEnvName = String$1({
+	minLength: 1,
+	maxLength: 128,
+	pattern: "^[A-Z_][A-Z0-9_]*$"
+});
+var RuntimeProfileToolName = String$1({
+	minLength: 1,
+	maxLength: 128,
+	pattern: "^[a-zA-Z0-9._/-]+$"
+});
+var SandboxResumeCommandWhenSchema = _Object_({ workspaceMode: Optional(_Array_(Union([
+	Literal("shared_mount"),
+	Literal("dedicated_worktree"),
+	Literal("scratch_mount")
+]), {
+	minItems: 1,
+	maxItems: 3
+})) }, { additionalProperties: false });
+var RuntimeProfileSandboxResumeCommand = Union([String$1({
+	minLength: 1,
+	maxLength: 4096
+}), _Object_({
+	run: String$1({
+		minLength: 1,
+		maxLength: 4096
+	}),
+	when: Optional(SandboxResumeCommandWhenSchema),
+	retries: Optional(Integer({
+		minimum: 0,
+		maximum: 5
+	})),
+	retryBackoffMs: Optional(Integer({
+		minimum: 0,
+		maximum: 6e4
+	}))
+}, { additionalProperties: false })]);
+var RuntimeProfileSandbox = _Object_({
+	snapshot: Optional(_Object_({
+		setupCommands: Optional(_Array_(String$1({
+			minLength: 1,
+			maxLength: 4096
+		}), { maxItems: 20 })),
+		allowedHosts: Optional(_Array_(String$1({
+			minLength: 1,
+			maxLength: 255
+		}), { maxItems: 50 })),
+		overlaySize: Optional(String$1({
+			minLength: 2,
+			maxLength: 16,
+			pattern: "^[0-9]+[KMGTP]?$"
+		}))
+	}, { additionalProperties: false })),
+	resumeCommands: Optional(_Array_(RuntimeProfileSandboxResumeCommand, { maxItems: 30 })),
+	vfs: Optional(_Object_({
+		shadow: Optional(_Array_(String$1({
+			minLength: 1,
+			maxLength: 255
+		}), { maxItems: 100 })),
+		shadowMode: Optional(Union([Literal("deny"), Literal("tmpfs")]))
+	}, { additionalProperties: false })),
+	env: Optional(Record(RuntimeProfileEnvName, String$1({ maxLength: 4096 }))),
+	hostExec: Optional(_Object_({ autoApprove: Optional(Literal(false)) }, { additionalProperties: false })),
+	resources: Optional(_Object_({
+		memory: Optional(String$1({
+			minLength: 2,
+			maxLength: 16,
+			pattern: "^[0-9]+[KMG]?$"
+		})),
+		cpus: Optional(Integer({
+			minimum: 1,
+			maximum: 32
+		}))
+	}, { additionalProperties: false }))
+}, {
+	$id: "RuntimeProfileSandbox",
+	additionalProperties: false
+});
+var RuntimeProfileContext = _Object_({
+	slug: String$1({
+		minLength: 1,
+		maxLength: 64,
+		pattern: "^[a-zA-Z0-9_-]+$"
+	}),
+	binding: Union([
+		Literal("skill"),
+		Literal("context_inline"),
+		Literal("prompt_prefix"),
+		Literal("user_inline")
+	]),
+	content: String$1({
+		minLength: 1,
+		maxLength: 65536
+	})
+}, {
+	$id: "RuntimeProfileContext",
+	additionalProperties: false
+});
+var RuntimeProfileRef = _Object_({ profileId: String$1({ format: "uuid" }) }, {
+	$id: "RuntimeProfileRef",
+	additionalProperties: false
+});
+var RuntimeProfileLeaseTtlSec = Integer({
+	minimum: 1,
+	maximum: 86400
+});
+var RuntimeProfileHeartbeatIntervalMs = Integer({
+	minimum: 0,
+	maximum: 36e5
+});
+var RuntimeProfileMaxBatchSize = Integer({
+	minimum: 1,
+	maximum: 1e3
+});
+_Object_({
+	id: String$1({ format: "uuid" }),
+	teamId: String$1({ format: "uuid" }),
+	name: RuntimeProfileName,
+	description: Union([String$1({ maxLength: 4096 }), Null()]),
+	provider: String$1({
+		minLength: 1,
+		maxLength: 100
+	}),
+	model: String$1({
+		minLength: 1,
+		maxLength: 200
+	}),
+	runtimeKind: Literal("gondolin_pi"),
+	sandbox: RuntimeProfileSandbox,
+	sessionStorageMode: Literal("local"),
+	workspaceStorageMode: Literal("local"),
+	sessionTtlSec: Integer({
+		minimum: 1,
+		maximum: 86400
+	}),
+	workspaceTtlSec: Integer({
+		minimum: 1,
+		maximum: 86400
+	}),
+	leaseTtlSec: RuntimeProfileLeaseTtlSec,
+	heartbeatIntervalMs: RuntimeProfileHeartbeatIntervalMs,
+	maxBatchSize: RuntimeProfileMaxBatchSize,
+	requiredEnv: _Array_(RuntimeProfileEnvName, { maxItems: 100 }),
+	requiredTools: _Array_(RuntimeProfileToolName, { maxItems: 100 }),
+	context: _Array_(RuntimeProfileContext, { maxItems: 5 }),
+	revision: Integer({ minimum: 1 }),
+	definitionCid: String$1({
+		minLength: 1,
+		maxLength: 100
+	}),
+	createdByAgentId: Union([String$1({ format: "uuid" }), Null()]),
+	createdByHumanId: Union([String$1({ format: "uuid" }), Null()]),
+	createdAt: String$1({ format: "date-time" }),
+	updatedAt: String$1({ format: "date-time" })
+}, {
+	$id: "RuntimeProfile",
+	additionalProperties: false
+});
+//#endregion
 //#region ../tasks/src/success-criteria.ts
 /**
 * SuccessCriteria — proposer-stated acceptance criteria, evaluated in two
@@ -16848,6 +17325,7 @@ var TaskAttemptStatus = Union([
 	Literal("completed"),
 	Literal("failed"),
 	Literal("cancelled"),
+	Literal("aborted"),
 	Literal("timed_out")
 ], { $id: "TaskAttemptStatus" });
 var ExecutorTrustLevel = Union([
@@ -16856,14 +17334,6 @@ var ExecutorTrustLevel = Union([
 	Literal("releaseVerifiedTool"),
 	Literal("sandboxAttested")
 ], { $id: "ExecutorTrustLevel" });
-/** Identifies a (provider, model) daemon pair allowed to claim a task. */
-var ExecutorRef = _Object_({
-	provider: String$1({ minLength: 1 }),
-	model: String$1({ minLength: 1 })
-}, {
-	$id: "ExecutorRef",
-	additionalProperties: false
-});
 var OutputKind = Union([Literal("artifact"), Literal("judgment")], { $id: "OutputKind" });
 var TaskMessageKind = Union([
 	Literal("text_delta"),
@@ -17008,7 +17478,7 @@ _Object_({
 	acceptedAttemptN: Union([Number$1(), Null()]),
 	claimCondition: Union([Unsafe(Ref$1("ClaimCondition")), Null()]),
 	requiredExecutorTrustLevel: ExecutorTrustLevel,
-	allowedExecutors: _Array_(ExecutorRef, { maxItems: 16 }),
+	allowedProfiles: _Array_(RuntimeProfileRef, { maxItems: 16 }),
 	status: TaskStatus,
 	queuedAt: IsoTimestamp,
 	completedAt: Union([IsoTimestamp, Null()]),
@@ -22988,6 +23458,20 @@ async function executePiTask(claimedTask, reporter, opts) {
 			retryable: false
 		}
 	});
+	const makeCancelledOutput = (message) => ({
+		taskId: task.id,
+		attemptN,
+		status: "cancelled",
+		output: null,
+		outputCid: null,
+		usage: finalUsage,
+		durationMs: Date.now() - startTime,
+		error: {
+			code: "task_cancelled",
+			message,
+			retryable: false
+		}
+	});
 	let onTurnEvent;
 	if (opts.makeOnTurnEvent) try {
 		onTurnEvent = opts.makeOnTurnEvent(claimedTask);
@@ -23050,10 +23534,15 @@ async function executePiTask(claimedTask, reporter, opts) {
 				mountPath,
 				workspaceMode: workspace.mode,
 				extraAllowedHosts: opts.extraAllowedHosts,
-				sandboxConfig
+				sandboxConfig,
+				signal: reporter.cancelSignal
 			});
 		} catch (err) {
 			const message = err instanceof Error ? err.message : String(err);
+			if (reporter.cancelSignal.aborted) {
+				await emitError("vm_resume", message, { cancelled: true });
+				return makeCancelledOutput(reporter.cancelReason ?? "Task cancelled during VM resume.");
+			}
 			await emitError("vm_resume", message);
 			return makeFailedOutput("vm_resume_failed", message);
 		}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@themoltnet/pi-extension",
-  "version": "0.22.5",
+  "version": "0.23.1",
   "type": "module",
   "description": "MoltNet pi extension — sandboxed tool execution in Gondolin VMs with MoltNet identity and persistent memory",
   "keywords": [
@@ -36,8 +36,8 @@
     "@earendil-works/gondolin": "^0.9.1",
     "@opentelemetry/api": "^1.9.0",
     "typebox": "^1.2.8",
-    "@themoltnet/agent-runtime": "0.22.4",
-    "@themoltnet/sdk": "0.106.0"
+    "@themoltnet/sdk": "0.108.0",
+    "@themoltnet/agent-runtime": "0.24.0"
   },
   "peerDependencies": {
     "@earendil-works/pi-coding-agent": ">=0.74.0",