@vm0/cli 9.150.5 → 9.150.6

package/{chunk-USVVSPWL.js → chunk-R2ZGUBEJ.js}

@@ -74083,7 +74083,7 @@ if (DSN) {
   init2({
     dsn: DSN,
     environment: process.env.SENTRY_ENVIRONMENT ?? "production",
-    release: "9.150.5",
+    release: "9.150.6",
     sendDefaultPii: false,
     tracesSampleRate: 0,
     shutdownTimeout: 500,
@@ -74102,7 +74102,7 @@ if (DSN) {
     }
   });
   setContext("cli", {
-    version: "9.150.5",
+    version: "9.150.6",
     command: process.argv.slice(2).join(" ")
   });
   setContext("runtime", {
@@ -95787,6 +95787,7 @@ var MODEL_PROVIDER_TYPES = {
       CLAUDE_CODE_SUBAGENT_MODEL: "$model"
     },
     models: [
+      "anthropic/claude-opus-4.7",
       "anthropic/claude-opus-4.6",
       "anthropic/claude-opus-4.5",
       "anthropic/claude-sonnet-4.6",
@@ -95799,6 +95800,53 @@ var MODEL_PROVIDER_TYPES = {
     ],
     defaultModel: "anthropic/claude-sonnet-4.6"
   },
+  // Codex-framework twin of openrouter-api-key. Same upstream gateway (OpenRouter)
+  // and same API key (shared secretName), but routes through OpenRouter's
+  // OpenAI-compatible endpoint surface for GPT models that codex CLI requires.
+  // Pairing rule: the claude-code entry serves Anthropic Messages API
+  // (/v1/messages); this codex entry serves OpenAI Chat Completions / Responses
+  // (/v1/chat/completions, /v1/responses) under the same /api/v1 prefix.
+  "openrouter-codex": {
+    framework: "codex",
+    secretName: "OPENROUTER_API_KEY",
+    label: "OpenRouter (Codex)",
+    secretLabel: "API key",
+    helpText: "Get your API key at: https://openrouter.ai/settings/keys",
+    environmentMapping: {
+      OPENAI_API_KEY: "$secret",
+      OPENAI_BASE_URL: "https://openrouter.ai/api/v1",
+      OPENAI_MODEL: "$model"
+    },
+    models: [
+      "openai/gpt-5.5",
+      "openai/gpt-5.4",
+      "openai/gpt-5.4-mini"
+    ],
+    defaultModel: "openai/gpt-5.5"
+  },
+  // Codex-framework twin of vercel-ai-gateway. Vercel exposes both
+  // Anthropic Messages and OpenAI Chat Completions / Responses on the same
+  // base URL, distinguished by path. The claude-code entry uses /v1/messages;
+  // this codex entry uses /v1/chat/completions or /v1/responses (codex CLI
+  // picks the path it needs).
+  "vercel-ai-gateway-codex": {
+    framework: "codex",
+    secretName: "VERCEL_AI_GATEWAY_API_KEY",
+    label: "Vercel AI Gateway (Codex)",
+    secretLabel: "API key",
+    helpText: "Get your API key from the Vercel AI Gateway dashboard",
+    environmentMapping: {
+      OPENAI_API_KEY: "$secret",
+      OPENAI_BASE_URL: "https://ai-gateway.vercel.sh/v1",
+      OPENAI_MODEL: "$model"
+    },
+    models: [
+      "openai/gpt-5.5",
+      "openai/gpt-5.4",
+      "openai/gpt-5.4-mini"
+    ],
+    defaultModel: "openai/gpt-5.5"
+  },
   "openai-api-key": {
     framework: "codex",
     secretName: "OPENAI_API_KEY",
@@ -96029,6 +96077,10 @@ function getFirewallBaseUrl(type) {
     return "https://chatgpt.com/backend-api/codex";
   }
   if (getFrameworkForType(type) === "codex") {
+    const overrideBase = getEnvironmentMapping(type)?.OPENAI_BASE_URL;
+    if (overrideBase) {
+      return overrideBase.replace(/\/+$/, "");
+    }
     return "https://api.openai.com/v1/responses";
   }
   const base = (getEnvironmentMapping(type)?.ANTHROPIC_BASE_URL ?? ANTHROPIC_API_BASE).replace(/\/+$/, "");
@@ -96114,6 +96166,25 @@ var MODEL_PROVIDER_FIREWALL_CONFIGS = {
     { name: "Authorization", valuePrefix: "Bearer" },
     "sk-CoffeeSafeLocalCoffeeSafeLocalCo"
   ),
+  // Codex-framework twin of openrouter-api-key. Same key shape as the
+  // claude-code entry; the difference is the firewall base URL — codex
+  // SDK hits OpenAI-compatible paths (/chat/completions, /responses)
+  // under https://openrouter.ai/api/v1, derived from the OPENAI_BASE_URL
+  // mapping by getFirewallBaseUrl.
+  "openrouter-codex": mpFirewall(
+    "openrouter-codex",
+    { name: "Authorization", valuePrefix: "Bearer" },
+    "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"
+  ),
+  // Codex-framework twin of vercel-ai-gateway. Same placeholder format
+  // (Vercel gateway proxies upstream); base URL scoped to /v1 prefix by
+  // getFirewallBaseUrl so codex can use either /chat/completions or
+  // /responses paths the gateway exposes.
+  "vercel-ai-gateway-codex": mpFirewall(
+    "vercel-ai-gateway-codex",
+    { name: "Authorization", valuePrefix: "Bearer" },
+    "sk-CoffeeSafeLocalCoffeeSafeLocalCo"
+  ),
   // Placeholder: sk-proj-{156 chars}T3BlbkFJ{156 chars} (typical project key shape)
   // Source: matches turbo/packages/connectors/src/firewalls/openai.generated.ts
   "openai-api-key": mpFirewall(
@@ -96190,6 +96261,8 @@ var modelProviderTypeSchema = external_exports.enum([
   "deepseek-api-key",
   "zai-api-key",
   "vercel-ai-gateway",
+  "openrouter-codex",
+  "vercel-ai-gateway-codex",
   "openai-api-key",
   "codex-oauth-token",
   "azure-foundry",
@@ -104403,17 +104476,229 @@ init_esm_shims();
 
 // ../../packages/api-contracts/src/contracts/webhooks.ts
 init_esm_shims();
+
+// ../../packages/api-contracts/src/contracts/runners.ts
+init_esm_shims();
 var c19 = initContract();
+var runnerGroupSchema = external_exports.string().regex(
+  /^[a-z0-9-]+\/[a-z0-9-]+$/,
+  "Runner group must be in vm0/<name> format (e.g., vm0/production)"
+);
+var jobSchema = external_exports.object({
+  runId: external_exports.uuid(),
+  prompt: external_exports.string(),
+  appendSystemPrompt: external_exports.string().nullable(),
+  agentComposeVersionId: external_exports.string().nullable(),
+  vars: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
+  checkpointId: external_exports.uuid().nullable(),
+  experimentalProfile: external_exports.string().optional()
+});
+var runnersPollContract = c19.router({
+  poll: {
+    method: "POST",
+    path: "/api/runners/poll",
+    headers: authHeadersSchema,
+    body: external_exports.object({
+      group: runnerGroupSchema,
+      profiles: external_exports.array(external_exports.string()).optional(),
+      heldSessions: external_exports.array(external_exports.string()).max(100).optional()
+    }),
+    responses: {
+      200: external_exports.object({
+        job: jobSchema.nullable()
+      }),
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "Poll for pending jobs (long-polling with 30s timeout)"
+  }
+});
+var storageEntrySchema = external_exports.object({
+  name: external_exports.string(),
+  mountPath: external_exports.string(),
+  vasStorageName: external_exports.string(),
+  vasVersionId: external_exports.string(),
+  instructionsTargetFilename: external_exports.string().optional(),
+  archiveUrl: external_exports.string()
+});
+var artifactEntrySchema = external_exports.object({
+  mountPath: external_exports.string(),
+  vasStorageName: external_exports.string(),
+  vasStorageId: external_exports.string(),
+  vasVersionId: external_exports.string(),
+  archiveUrl: external_exports.string(),
+  manifestUrl: external_exports.string().optional()
+});
+var storageManifestSchema = external_exports.object({
+  storages: external_exports.array(storageEntrySchema),
+  artifacts: external_exports.array(artifactEntrySchema)
+});
+var resumeSessionSchema = external_exports.object({
+  sessionId: external_exports.string(),
+  sessionHistory: external_exports.string()
+});
+var secretConnectorMetadataSchema = external_exports.object({
+  sourceType: external_exports.enum(["connector", "model-provider"]),
+  sourceUserId: external_exports.string().optional(),
+  metadataKey: external_exports.string().optional()
+});
+var secretConnectorMetadataMapSchema = external_exports.record(
+  external_exports.string(),
+  secretConnectorMetadataSchema
+);
+var storedExecutionContextSchema = external_exports.object({
+  workingDir: external_exports.string(),
+  storageManifest: storageManifestSchema.nullable(),
+  environment: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
+  resumeSession: resumeSessionSchema.nullable(),
+  encryptedSecrets: external_exports.string().nullable(),
+  // AES-256-GCM encrypted Record<string, string> (secret name → value)
+  // Maps secret names to OAuth connector types for runtime token refresh (e.g. { "GMAIL_ACCESS_TOKEN": "gmail" })
+  secretConnectorMap: external_exports.record(external_exports.string(), external_exports.string()).nullable().optional(),
+  // Per-secret refresh metadata, used when a handler needs owner-specific storage (e.g. personal model providers)
+  secretConnectorMetadataMap: secretConnectorMetadataMapSchema.nullable().optional(),
+  cliAgentType: external_exports.string(),
+  // Debug flag to force real Claude in mock environments (internal use only)
+  debugNoMockClaude: external_exports.boolean().optional(),
+  // Debug flag to force real Codex in mock environments (internal use only)
+  debugNoMockCodex: external_exports.boolean().optional(),
+  // Capture HTTP request headers, request bodies, and response bodies in network logs
+  captureNetworkBodies: external_exports.boolean().optional(),
+  // Dispatch timestamp for E2E timing metrics
+  apiStartTime: external_exports.number().optional(),
+  // User's timezone preference (IANA format, e.g., "Asia/Shanghai")
+  userTimezone: external_exports.string().optional(),
+  // Firewall for proxy-side token replacement (complete config, all permissions)
+  firewalls: firewallsSchema.optional(),
+  // Per-firewall network policies: which permissions are granted + unknownPolicy
+  networkPolicies: networkPoliciesSchema.optional(),
+  // Tools to disable in Claude CLI (passed as --disallowed-tools)
+  disallowedTools: external_exports.array(external_exports.string()).optional(),
+  // Tools to make available in Claude CLI (passed as --tools)
+  tools: external_exports.array(external_exports.string()).optional(),
+  // Settings JSON to pass to Claude CLI (passed as --settings)
+  settings: external_exports.string().optional(),
+  // VM profile for resource allocation (e.g., "vm0/default")
+  experimentalProfile: external_exports.string().optional(),
+  // Feature flags evaluated at job creation time (all switch states for user/org)
+  featureFlags: external_exports.record(external_exports.string(), external_exports.boolean()).optional(),
+  billableFirewalls: external_exports.array(external_exports.string()).optional(),
+  modelUsageProvider: external_exports.string().optional()
+});
+var executionContextSchema = external_exports.object({
+  runId: external_exports.uuid(),
+  prompt: external_exports.string(),
+  appendSystemPrompt: external_exports.string().nullable(),
+  agentComposeVersionId: external_exports.string().nullable(),
+  vars: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
+  checkpointId: external_exports.uuid().nullable(),
+  sandboxToken: external_exports.string(),
+  // New fields for E2B parity:
+  workingDir: external_exports.string(),
+  storageManifest: storageManifestSchema.nullable(),
+  environment: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
+  resumeSession: resumeSessionSchema.nullable(),
+  secretValues: external_exports.array(external_exports.string()).nullable(),
+  // AES-256-GCM encrypted Record<string, string> — passed through to mitm-addon for auth resolution
+  encryptedSecrets: external_exports.string().nullable(),
+  // Maps secret names to OAuth connector types for runtime token refresh
+  secretConnectorMap: external_exports.record(external_exports.string(), external_exports.string()).nullable().optional(),
+  // Per-secret refresh metadata, used when a handler needs owner-specific storage (e.g. personal model providers)
+  secretConnectorMetadataMap: secretConnectorMetadataMapSchema.nullable().optional(),
+  cliAgentType: external_exports.string(),
+  // Debug flag to force real Claude in mock environments (internal use only)
+  debugNoMockClaude: external_exports.boolean().optional(),
+  // Debug flag to force real Codex in mock environments (internal use only)
+  debugNoMockCodex: external_exports.boolean().optional(),
+  // Capture HTTP request headers, request bodies, and response bodies in network logs
+  captureNetworkBodies: external_exports.boolean().optional(),
+  // Dispatch timestamp for E2E timing metrics
+  apiStartTime: external_exports.number().optional(),
+  // User's timezone preference (IANA format, e.g., "Asia/Shanghai")
+  userTimezone: external_exports.string().optional(),
+  // Firewall for proxy-side token replacement (complete config, all permissions)
+  firewalls: firewallsSchema.optional(),
+  // Per-firewall network policies: which permissions are granted + unknownPolicy
+  networkPolicies: networkPoliciesSchema.optional(),
+  // Tools to disable in Claude CLI (passed as --disallowed-tools)
+  disallowedTools: external_exports.array(external_exports.string()).optional(),
+  // Tools to make available in Claude CLI (passed as --tools)
+  tools: external_exports.array(external_exports.string()).optional(),
+  // Settings JSON to pass to Claude CLI (passed as --settings)
+  settings: external_exports.string().optional(),
+  // VM profile for resource allocation (e.g., "vm0/default")
+  experimentalProfile: external_exports.string().optional(),
+  // Feature flags evaluated at job creation time (all switch states for user/org)
+  featureFlags: external_exports.record(external_exports.string(), external_exports.boolean()).optional(),
+  billableFirewalls: external_exports.array(external_exports.string()).optional(),
+  modelUsageProvider: external_exports.string().optional()
+});
+var runnersJobClaimContract = c19.router({
+  claim: {
+    method: "POST",
+    path: "/api/runners/jobs/:id/claim",
+    headers: authHeadersSchema,
+    pathParams: external_exports.object({
+      id: external_exports.uuid()
+    }),
+    body: external_exports.object({}),
+    responses: {
+      200: executionContextSchema,
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      403: apiErrorSchema,
+      // Job does not belong to user
+      404: apiErrorSchema,
+      409: apiErrorSchema,
+      // Already claimed
+      500: apiErrorSchema
+    },
+    summary: "Claim a pending job for execution"
+  }
+});
+var heartbeatBodySchema = external_exports.object({
+  runnerId: external_exports.uuid(),
+  runnerName: external_exports.string(),
+  group: runnerGroupSchema,
+  profiles: external_exports.array(external_exports.string()),
+  totalVcpu: external_exports.number().int().nonnegative(),
+  totalMemoryMb: external_exports.number().int().nonnegative(),
+  maxConcurrent: external_exports.number().int().nonnegative(),
+  allocatedVcpu: external_exports.number().int().nonnegative(),
+  allocatedMemoryMb: external_exports.number().int().nonnegative(),
+  runningCount: external_exports.number().int().nonnegative(),
+  heldSessions: external_exports.array(external_exports.string()),
+  mode: external_exports.enum(["running", "draining", "stopping"])
+});
+var runnersHeartbeatContract = c19.router({
+  heartbeat: {
+    method: "POST",
+    path: "/api/runners/heartbeat",
+    headers: authHeadersSchema,
+    body: heartbeatBodySchema,
+    responses: {
+      200: external_exports.object({ ok: external_exports.literal(true) }),
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "Report runner heartbeat with capacity and state"
+  }
+});
+
+// ../../packages/api-contracts/src/contracts/webhooks.ts
+var c20 = initContract();
 var thirdPartyWebhookErrorSchema = external_exports.object({ error: external_exports.string() });
 var thirdPartyWebhookOkSchema = external_exports.union([
   external_exports.string(),
   external_exports.object({ message: external_exports.literal("pong") })
 ]);
-var webhookClerkContract = c19.router({
+var webhookClerkContract = c20.router({
   post: {
     method: "POST",
     path: "/api/webhooks/clerk",
-    body: c19.type(),
+    body: c20.type(),
     responses: {
       200: thirdPartyWebhookOkSchema,
       401: thirdPartyWebhookErrorSchema
@@ -104421,11 +104706,11 @@ var webhookClerkContract = c19.router({
     summary: "Handle Clerk organization and user webhooks"
   }
 });
-var webhookGithubContract = c19.router({
+var webhookGithubContract = c20.router({
   post: {
     method: "POST",
     path: "/api/webhooks/github",
-    body: c19.type(),
+    body: c20.type(),
     responses: {
       200: thirdPartyWebhookOkSchema,
       400: thirdPartyWebhookErrorSchema,
@@ -104435,11 +104720,11 @@ var webhookGithubContract = c19.router({
     summary: "Handle GitHub App webhooks"
   }
 });
-var webhookStripeContract = c19.router({
+var webhookStripeContract = c20.router({
   post: {
     method: "POST",
     path: "/api/webhooks/stripe",
-    body: c19.type(),
+    body: c20.type(),
     responses: {
       200: thirdPartyWebhookOkSchema,
       401: thirdPartyWebhookErrorSchema,
@@ -104470,7 +104755,54 @@ var artifactSnapshotsSchema2 = external_exports.array(
 var volumeVersionsSnapshotSchema2 = external_exports.object({
   versions: external_exports.record(external_exports.string(), external_exports.string())
 });
-var webhookEventsContract = c19.router({
+var firewallAuthErrorSchema = external_exports.object({
+  error: external_exports.object({
+    message: external_exports.string(),
+    code: external_exports.string(),
+    connectors: external_exports.array(external_exports.string()).optional()
+  })
+});
+var firewallAuthResponseSchema = external_exports.object({
+  headers: external_exports.record(external_exports.string(), external_exports.string()),
+  base: external_exports.string().optional(),
+  query: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+  expiresAt: external_exports.number().nullable(),
+  resolvedSecrets: external_exports.array(external_exports.string()),
+  refreshedConnectors: external_exports.array(external_exports.string()),
+  refreshedSecrets: external_exports.array(external_exports.string())
+});
+var webhookFirewallAuthContract = c20.router({
+  /**
+   * POST /api/webhooks/agent/firewall/auth
+   * Resolve firewall auth templates and refresh OAuth tokens on demand.
+   */
+  resolve: {
+    method: "POST",
+    path: "/api/webhooks/agent/firewall/auth",
+    headers: authHeadersSchema,
+    body: external_exports.object({
+      encryptedSecrets: external_exports.string().min(1),
+      authHeaders: external_exports.record(external_exports.string(), external_exports.string()),
+      authBase: external_exports.string().optional(),
+      authQuery: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+      secretConnectorMap: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+      secretConnectorMetadataMap: secretConnectorMetadataMapSchema.optional(),
+      vars: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+      forceRefresh: external_exports.boolean().optional()
+    }),
+    responses: {
+      200: firewallAuthResponseSchema,
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      403: apiErrorSchema,
+      424: firewallAuthErrorSchema,
+      502: firewallAuthErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "Resolve firewall auth templates"
+  }
+});
+var webhookEventsContract = c20.router({
   /**
    * POST /api/webhooks/agent/events
    * Receive agent events from sandbox
@@ -104497,7 +104829,7 @@ var webhookEventsContract = c19.router({
     summary: "Receive agent events from sandbox"
   }
 });
-var webhookCompleteContract = c19.router({
+var webhookCompleteContract = c20.router({
   /**
    * POST /api/webhooks/agent/complete
    * Handle agent run completion (success or failure)
@@ -104534,7 +104866,7 @@ var webhookCompleteContract = c19.router({
     summary: "Handle agent run completion"
   }
 });
-var webhookCheckpointsContract = c19.router({
+var webhookCheckpointsContract = c20.router({
   /**
    * POST /api/webhooks/agent/checkpoints
    * Create a recoverable checkpoint for an agent run.
@@ -104573,7 +104905,7 @@ var webhookCheckpointsContract = c19.router({
     summary: "Create checkpoint for agent run"
   }
 });
-var webhookCheckpointsPrepareHistoryContract = c19.router({
+var webhookCheckpointsPrepareHistoryContract = c20.router({
   prepare: {
     method: "POST",
     path: "/api/webhooks/agent/checkpoints/prepare-history",
@@ -104596,7 +104928,7 @@ var webhookCheckpointsPrepareHistoryContract = c19.router({
     summary: "Get presigned URL for uploading session history to S3"
   }
 });
-var webhookHeartbeatContract = c19.router({
+var webhookHeartbeatContract = c20.router({
   /**
    * POST /api/webhooks/agent/heartbeat
    * Receive heartbeat signals from sandbox
@@ -104620,7 +104952,7 @@ var webhookHeartbeatContract = c19.router({
     summary: "Receive heartbeat from sandbox"
   }
 });
-var webhookStoragesContract = c19.router({
+var webhookStoragesContract = c20.router({
   /**
    * POST /api/webhooks/agent/storages
    * Create a new version of a storage from sandbox
@@ -104636,7 +104968,7 @@ var webhookStoragesContract = c19.router({
     path: "/api/webhooks/agent/storages",
     headers: authHeadersSchema,
     contentType: "multipart/form-data",
-    body: c19.type(),
+    body: c20.type(),
     responses: {
       200: external_exports.object({
         versionId: external_exports.string(),
@@ -104652,7 +104984,7 @@ var webhookStoragesContract = c19.router({
     summary: "Upload storage version from sandbox"
   }
 });
-var webhookStoragesIncrementalContract = c19.router({
+var webhookStoragesIncrementalContract = c20.router({
   /**
    * POST /api/webhooks/agent/storages/incremental
    * Create a new version using incremental upload
@@ -104670,7 +105002,7 @@ var webhookStoragesIncrementalContract = c19.router({
     path: "/api/webhooks/agent/storages/incremental",
     headers: authHeadersSchema,
     contentType: "multipart/form-data",
-    body: c19.type(),
+    body: c20.type(),
     responses: {
       200: external_exports.object({
         versionId: external_exports.string(),
@@ -104708,7 +105040,7 @@ var sandboxOperationSchema = external_exports.object({
   success: external_exports.boolean(),
   error: external_exports.string().optional()
 });
-var webhookTelemetryContract = c19.router({
+var webhookTelemetryContract = c20.router({
   /**
    * POST /api/webhooks/agent/telemetry
    * Receive telemetry data (system log, metrics, network logs, and sandbox operations) from sandbox
@@ -104737,7 +105069,7 @@ var webhookTelemetryContract = c19.router({
     summary: "Receive telemetry data from sandbox"
   }
 });
-var webhookStoragesPrepareContract = c19.router({
+var webhookStoragesPrepareContract = c20.router({
   prepare: {
     method: "POST",
     path: "/api/webhooks/agent/storages/prepare",
@@ -104771,7 +105103,7 @@ var webhookStoragesPrepareContract = c19.router({
     summary: "Prepare for direct S3 upload from sandbox"
   }
 });
-var webhookStoragesCommitContract = c19.router({
+var webhookStoragesCommitContract = c20.router({
   commit: {
     method: "POST",
     path: "/api/webhooks/agent/storages/commit",
@@ -104813,7 +105145,7 @@ var webhookUsageEventItemSchema = external_exports.object({
   category: external_exports.string().min(1).max(100),
   quantity: external_exports.number().int().min(0)
 }).strict();
-var webhookUsageEventContract = c19.router({
+var webhookUsageEventContract = c20.router({
   send: {
     method: "POST",
     path: "/api/webhooks/agent/usage-event",
@@ -104849,8 +105181,8 @@ var zeroRunRequestSchema = unifiedRunRequestSchema.omit({
   agentId: external_exports.string().optional(),
   modelProvider: external_exports.string().optional()
 });
-var c20 = initContract();
-var zeroRunsMainContract = c20.router({
+var c21 = initContract();
+var zeroRunsMainContract = c21.router({
   create: {
     method: "POST",
     path: "/api/zero/runs",
@@ -104869,7 +105201,7 @@ var zeroRunsMainContract = c20.router({
     summary: "Create and execute agent run (zero proxy)"
   }
 });
-var zeroRunsByIdContract = c20.router({
+var zeroRunsByIdContract = c21.router({
   getById: {
     method: "GET",
     path: "/api/zero/runs/:id",
@@ -104887,7 +105219,7 @@ var zeroRunsByIdContract = c20.router({
     summary: "Get agent run by ID (zero proxy)"
   }
 });
-var zeroRunsCancelContract = c20.router({
+var zeroRunsCancelContract = c21.router({
   cancel: {
     method: "POST",
     path: "/api/zero/runs/:id/cancel",
@@ -104906,7 +105238,7 @@ var zeroRunsCancelContract = c20.router({
     summary: "Cancel a pending or running run (zero proxy)"
   }
 });
-var zeroRunsQueueContract = c20.router({
+var zeroRunsQueueContract = c21.router({
   getQueue: {
     method: "GET",
     path: "/api/zero/runs/queue",
@@ -104919,7 +105251,7 @@ var zeroRunsQueueContract = c20.router({
     summary: "Get org run queue status (zero proxy)"
   }
 });
-var zeroRunAgentEventsContract = c20.router({
+var zeroRunAgentEventsContract = c21.router({
   getAgentEvents: {
     method: "GET",
     path: "/api/zero/runs/:id/telemetry/agent",
@@ -104981,7 +105313,7 @@ var runContextResponseSchema = external_exports.object({
   artifact: runContextArtifactSchema.nullable(),
   featureFlags: external_exports.record(external_exports.string(), external_exports.boolean()).nullable()
 });
-var zeroRunContextContract = c20.router({
+var zeroRunContextContract = c21.router({
   getContext: {
     method: "GET",
     path: "/api/zero/runs/:id/context",
@@ -104999,7 +105331,7 @@ var zeroRunContextContract = c20.router({
     summary: "Get run execution context snapshot for debugging"
   }
 });
-var zeroRunNetworkLogsContract = c20.router({
+var zeroRunNetworkLogsContract = c21.router({
   getNetworkLogs: {
     method: "GET",
     path: "/api/zero/runs/:id/network",
@@ -105025,7 +105357,7 @@ var zeroRunNetworkLogsContract = c20.router({
 var runRunnerResponseSchema = external_exports.object({
   sandboxReuseResult: sandboxReuseResultSchema.nullable()
 });
-var zeroRunRunnerContract = c20.router({
+var zeroRunRunnerContract = c21.router({
   getRunner: {
     method: "GET",
     path: "/api/zero/runs/:id/runner",
@@ -105043,7 +105375,7 @@ var zeroRunRunnerContract = c20.router({
     summary: "Get runner-level metadata for a run"
   }
 });
-var zeroLogsSearchContract = c20.router({
+var zeroLogsSearchContract = c21.router({
   searchLogs: {
     method: "GET",
     path: "/api/zero/logs/search",
@@ -105143,7 +105475,7 @@ init_esm_shims();
 
 // ../../packages/api-contracts/src/contracts/chat-threads.ts
 init_esm_shims();
-var c21 = initContract();
+var c22 = initContract();
 var attachFileSchema = external_exports.object({
   id: external_exports.string(),
   filename: external_exports.string(),
@@ -105328,7 +105660,7 @@ var modelSelectionRequestSchema = external_exports.object({
   modelProviderId: external_exports.string().uuid(),
   selectedModel: external_exports.string().min(1)
 });
-var chatThreadsContract = c21.router({
+var chatThreadsContract = c22.router({
   create: {
     method: "POST",
     path: "/api/zero/chat-threads",
@@ -105364,7 +105696,7 @@ var chatThreadsContract = c21.router({
     summary: "List chat threads. When agentId is omitted, returns every thread the caller owns scoped by orgId."
   }
 });
-var chatThreadByIdContract = c21.router({
+var chatThreadByIdContract = c22.router({
   get: {
     method: "GET",
     path: "/api/zero/chat-threads/:id",
@@ -105387,7 +105719,7 @@ var chatThreadByIdContract = c21.router({
       draftAttachments: external_exports.array(persistedAttachmentSchema).nullable().optional()
     }),
     responses: {
-      204: c21.noBody(),
+      204: c22.noBody(),
       401: apiErrorSchema,
       404: apiErrorSchema
     },
@@ -105399,21 +105731,21 @@ var chatThreadByIdContract = c21.router({
     headers: authHeadersSchema,
     pathParams: external_exports.object({ id: external_exports.string() }),
     responses: {
-      204: c21.noBody(),
+      204: c22.noBody(),
       401: apiErrorSchema,
       404: apiErrorSchema
     },
     summary: "Delete a chat thread",
-    body: c21.noBody()
+    body: c22.noBody()
   }
 });
-var chatThreadMarkReadContract = c21.router({
+var chatThreadMarkReadContract = c22.router({
   markRead: {
     method: "POST",
     path: "/api/zero/chat-threads/:id/mark-read",
     headers: authHeadersSchema,
     pathParams: external_exports.object({ id: external_exports.string() }),
-    body: c21.noBody(),
+    body: c22.noBody(),
     responses: {
       200: external_exports.object({
         lastReadMessageId: external_exports.string().nullable(),
@@ -105425,37 +105757,37 @@ var chatThreadMarkReadContract = c21.router({
     summary: "Mark a chat thread as read up to the latest message"
   }
 });
-var chatThreadPinContract = c21.router({
+var chatThreadPinContract = c22.router({
   pin: {
     method: "POST",
     path: "/api/zero/chat-threads/:id/pin",
     headers: authHeadersSchema,
     pathParams: external_exports.object({ id: external_exports.string() }),
-    body: c21.noBody(),
+    body: c22.noBody(),
     responses: {
-      204: c21.noBody(),
+      204: c22.noBody(),
       401: apiErrorSchema,
       404: apiErrorSchema
     },
     summary: "Pin a chat thread to the top of the sidebar"
   }
 });
-var chatThreadUnpinContract = c21.router({
+var chatThreadUnpinContract = c22.router({
   unpin: {
     method: "POST",
     path: "/api/zero/chat-threads/:id/unpin",
     headers: authHeadersSchema,
     pathParams: external_exports.object({ id: external_exports.string() }),
-    body: c21.noBody(),
+    body: c22.noBody(),
     responses: {
-      204: c21.noBody(),
+      204: c22.noBody(),
       401: apiErrorSchema,
       404: apiErrorSchema
     },
     summary: "Remove the pin from a chat thread"
   }
 });
-var chatThreadRenameContract = c21.router({
+var chatThreadRenameContract = c22.router({
   rename: {
     method: "POST",
     path: "/api/zero/chat-threads/:id/rename",
@@ -105463,14 +105795,14 @@ var chatThreadRenameContract = c21.router({
     pathParams: external_exports.object({ id: external_exports.string() }),
     body: external_exports.object({ title: external_exports.string().min(1) }),
     responses: {
-      204: c21.noBody(),
+      204: c22.noBody(),
       401: apiErrorSchema,
       404: apiErrorSchema
     },
     summary: "Rename a chat thread (suppresses automated title generation)"
   }
 });
-var chatMessagesContract = c21.router({
+var chatMessagesContract = c22.router({
   send: {
     method: "POST",
     path: "/api/zero/chat/messages",
@@ -105599,7 +105931,7 @@ var chatSearchResponseSchema = external_exports.object({
   results: external_exports.array(chatSearchResultSchema),
   hasMore: external_exports.boolean()
 });
-var chatSearchContract = c21.router({
+var chatSearchContract = c22.router({
   search: {
     method: "GET",
     path: "/api/zero/chat/search",
@@ -105621,7 +105953,7 @@ var chatSearchContract = c21.router({
     summary: "Search chat messages within caller's org (zero proxy)"
   }
 });
-var chatThreadMessagesContract = c21.router({
+var chatThreadMessagesContract = c22.router({
   list: {
     method: "GET",
     path: "/api/zero/chat-threads/:threadId/messages",
@@ -105643,7 +105975,7 @@ var chatThreadMessagesContract = c21.router({
     summary: "Get paginated chat messages for a thread"
   }
 });
-var chatThreadArtifactsContract = c21.router({
+var chatThreadArtifactsContract = c22.router({
   list: {
     method: "GET",
     path: "/api/zero/chat-threads/:threadId/artifacts",
@@ -105793,7 +106125,7 @@ init_esm_shims();
 
 // ../../packages/api-contracts/src/contracts/zero-developer-support.ts
 init_esm_shims();
-var c22 = initContract();
+var c23 = initContract();
 var developerSupportBodySchema = external_exports.object({
   title: external_exports.string().min(1, "Title is required"),
   description: external_exports.string().min(1, "Description is required"),
@@ -105805,7 +106137,7 @@ var consentCodeResponseSchema = external_exports.object({
 var submitResponseSchema = external_exports.object({
   reference: external_exports.string()
 });
-var zeroDeveloperSupportContract = c22.router({
+var zeroDeveloperSupportContract = c23.router({
   submit: {
     method: "POST",
     path: "/api/zero/developer-support",
@@ -105842,7 +106174,7 @@ init_esm_shims();
 
 // ../../packages/api-contracts/src/contracts/zero-computer-use.ts
 init_esm_shims();
-var c23 = initContract();
+var c24 = initContract();
 var registerResponseSchema = external_exports.object({
   id: external_exports.string(),
   domain: external_exports.string(),
@@ -105854,12 +106186,12 @@ var hostResponseSchema = external_exports.object({
   domain: external_exports.string(),
   token: external_exports.string()
 });
-var zeroComputerUseRegisterContract = c23.router({
+var zeroComputerUseRegisterContract = c24.router({
   register: {
     method: "POST",
     path: "/api/zero/computer-use/register",
     headers: authHeadersSchema,
-    body: c23.noBody(),
+    body: c24.noBody(),
     responses: {
       200: registerResponseSchema,
       401: apiErrorSchema,
@@ -105869,14 +106201,14 @@ var zeroComputerUseRegisterContract = c23.router({
     summary: "Register a computer-use host"
   }
 });
-var zeroComputerUseUnregisterContract = c23.router({
+var zeroComputerUseUnregisterContract = c24.router({
   unregister: {
     method: "DELETE",
     path: "/api/zero/computer-use/unregister",
     headers: authHeadersSchema,
-    body: c23.noBody(),
+    body: c24.noBody(),
     responses: {
-      204: c23.noBody(),
+      204: c24.noBody(),
       401: apiErrorSchema,
       403: apiErrorSchema,
       404: apiErrorSchema
@@ -105884,7 +106216,7 @@ var zeroComputerUseUnregisterContract = c23.router({
     summary: "Unregister a computer-use host"
   }
 });
-var zeroComputerUseHostContract = c23.router({
+var zeroComputerUseHostContract = c24.router({
   getHost: {
     method: "GET",
     path: "/api/zero/computer-use/host",
@@ -105939,218 +106271,6 @@ init_esm_shims();
 
 // ../../packages/api-contracts/src/contracts/realtime.ts
 init_esm_shims();
-
-// ../../packages/api-contracts/src/contracts/runners.ts
-init_esm_shims();
-var c24 = initContract();
-var runnerGroupSchema = external_exports.string().regex(
-  /^[a-z0-9-]+\/[a-z0-9-]+$/,
-  "Runner group must be in vm0/<name> format (e.g., vm0/production)"
-);
-var jobSchema = external_exports.object({
-  runId: external_exports.uuid(),
-  prompt: external_exports.string(),
-  appendSystemPrompt: external_exports.string().nullable(),
-  agentComposeVersionId: external_exports.string().nullable(),
-  vars: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
-  checkpointId: external_exports.uuid().nullable(),
-  experimentalProfile: external_exports.string().optional()
-});
-var runnersPollContract = c24.router({
-  poll: {
-    method: "POST",
-    path: "/api/runners/poll",
-    headers: authHeadersSchema,
-    body: external_exports.object({
-      group: runnerGroupSchema,
-      profiles: external_exports.array(external_exports.string()).optional(),
-      heldSessions: external_exports.array(external_exports.string()).max(100).optional()
-    }),
-    responses: {
-      200: external_exports.object({
-        job: jobSchema.nullable()
-      }),
-      400: apiErrorSchema,
-      401: apiErrorSchema,
-      500: apiErrorSchema
-    },
-    summary: "Poll for pending jobs (long-polling with 30s timeout)"
-  }
-});
-var storageEntrySchema = external_exports.object({
-  name: external_exports.string(),
-  mountPath: external_exports.string(),
-  vasStorageName: external_exports.string(),
-  vasVersionId: external_exports.string(),
-  instructionsTargetFilename: external_exports.string().optional(),
-  archiveUrl: external_exports.string()
-});
-var artifactEntrySchema = external_exports.object({
-  mountPath: external_exports.string(),
-  vasStorageName: external_exports.string(),
-  vasStorageId: external_exports.string(),
-  vasVersionId: external_exports.string(),
-  archiveUrl: external_exports.string(),
-  manifestUrl: external_exports.string().optional()
-});
-var storageManifestSchema = external_exports.object({
-  storages: external_exports.array(storageEntrySchema),
-  artifacts: external_exports.array(artifactEntrySchema)
-});
-var resumeSessionSchema = external_exports.object({
-  sessionId: external_exports.string(),
-  sessionHistory: external_exports.string()
-});
-var secretConnectorMetadataSchema = external_exports.object({
-  sourceType: external_exports.enum(["connector", "model-provider"]),
-  sourceUserId: external_exports.string().optional(),
-  metadataKey: external_exports.string().optional()
-});
-var secretConnectorMetadataMapSchema = external_exports.record(
-  external_exports.string(),
-  secretConnectorMetadataSchema
-);
-var storedExecutionContextSchema = external_exports.object({
-  workingDir: external_exports.string(),
-  storageManifest: storageManifestSchema.nullable(),
-  environment: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
-  resumeSession: resumeSessionSchema.nullable(),
-  encryptedSecrets: external_exports.string().nullable(),
-  // AES-256-GCM encrypted Record<string, string> (secret name → value)
-  // Maps secret names to OAuth connector types for runtime token refresh (e.g. { "GMAIL_ACCESS_TOKEN": "gmail" })
-  secretConnectorMap: external_exports.record(external_exports.string(), external_exports.string()).nullable().optional(),
-  // Per-secret refresh metadata, used when a handler needs owner-specific storage (e.g. personal model providers)
-  secretConnectorMetadataMap: secretConnectorMetadataMapSchema.nullable().optional(),
-  cliAgentType: external_exports.string(),
-  // Debug flag to force real Claude in mock environments (internal use only)
-  debugNoMockClaude: external_exports.boolean().optional(),
-  // Debug flag to force real Codex in mock environments (internal use only)
-  debugNoMockCodex: external_exports.boolean().optional(),
-  // Capture HTTP request headers, request bodies, and response bodies in network logs
-  captureNetworkBodies: external_exports.boolean().optional(),
-  // Dispatch timestamp for E2E timing metrics
-  apiStartTime: external_exports.number().optional(),
-  // User's timezone preference (IANA format, e.g., "Asia/Shanghai")
-  userTimezone: external_exports.string().optional(),
-  // Firewall for proxy-side token replacement (complete config, all permissions)
-  firewalls: firewallsSchema.optional(),
-  // Per-firewall network policies: which permissions are granted + unknownPolicy
-  networkPolicies: networkPoliciesSchema.optional(),
-  // Tools to disable in Claude CLI (passed as --disallowed-tools)
-  disallowedTools: external_exports.array(external_exports.string()).optional(),
-  // Tools to make available in Claude CLI (passed as --tools)
-  tools: external_exports.array(external_exports.string()).optional(),
-  // Settings JSON to pass to Claude CLI (passed as --settings)
-  settings: external_exports.string().optional(),
-  // VM profile for resource allocation (e.g., "vm0/default")
-  experimentalProfile: external_exports.string().optional(),
-  // Feature flags evaluated at job creation time (all switch states for user/org)
-  featureFlags: external_exports.record(external_exports.string(), external_exports.boolean()).optional(),
-  billableFirewalls: external_exports.array(external_exports.string()).optional(),
-  modelUsageProvider: external_exports.string().optional()
-});
-var executionContextSchema = external_exports.object({
-  runId: external_exports.uuid(),
-  prompt: external_exports.string(),
-  appendSystemPrompt: external_exports.string().nullable(),
-  agentComposeVersionId: external_exports.string().nullable(),
-  vars: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
-  checkpointId: external_exports.uuid().nullable(),
-  sandboxToken: external_exports.string(),
-  // New fields for E2B parity:
-  workingDir: external_exports.string(),
-  storageManifest: storageManifestSchema.nullable(),
-  environment: external_exports.record(external_exports.string(), external_exports.string()).nullable(),
-  resumeSession: resumeSessionSchema.nullable(),
-  secretValues: external_exports.array(external_exports.string()).nullable(),
-  // AES-256-GCM encrypted Record<string, string> — passed through to mitm-addon for auth resolution
-  encryptedSecrets: external_exports.string().nullable(),
-  // Maps secret names to OAuth connector types for runtime token refresh
-  secretConnectorMap: external_exports.record(external_exports.string(), external_exports.string()).nullable().optional(),
-  // Per-secret refresh metadata, used when a handler needs owner-specific storage (e.g. personal model providers)
-  secretConnectorMetadataMap: secretConnectorMetadataMapSchema.nullable().optional(),
-  cliAgentType: external_exports.string(),
-  // Debug flag to force real Claude in mock environments (internal use only)
-  debugNoMockClaude: external_exports.boolean().optional(),
-  // Debug flag to force real Codex in mock environments (internal use only)
-  debugNoMockCodex: external_exports.boolean().optional(),
-  // Capture HTTP request headers, request bodies, and response bodies in network logs
-  captureNetworkBodies: external_exports.boolean().optional(),
-  // Dispatch timestamp for E2E timing metrics
-  apiStartTime: external_exports.number().optional(),
-  // User's timezone preference (IANA format, e.g., "Asia/Shanghai")
-  userTimezone: external_exports.string().optional(),
-  // Firewall for proxy-side token replacement (complete config, all permissions)
-  firewalls: firewallsSchema.optional(),
-  // Per-firewall network policies: which permissions are granted + unknownPolicy
-  networkPolicies: networkPoliciesSchema.optional(),
-  // Tools to disable in Claude CLI (passed as --disallowed-tools)
-  disallowedTools: external_exports.array(external_exports.string()).optional(),
-  // Tools to make available in Claude CLI (passed as --tools)
-  tools: external_exports.array(external_exports.string()).optional(),
-  // Settings JSON to pass to Claude CLI (passed as --settings)
-  settings: external_exports.string().optional(),
-  // VM profile for resource allocation (e.g., "vm0/default")
-  experimentalProfile: external_exports.string().optional(),
-  // Feature flags evaluated at job creation time (all switch states for user/org)
-  featureFlags: external_exports.record(external_exports.string(), external_exports.boolean()).optional(),
-  billableFirewalls: external_exports.array(external_exports.string()).optional(),
-  modelUsageProvider: external_exports.string().optional()
-});
-var runnersJobClaimContract = c24.router({
-  claim: {
-    method: "POST",
-    path: "/api/runners/jobs/:id/claim",
-    headers: authHeadersSchema,
-    pathParams: external_exports.object({
-      id: external_exports.uuid()
-    }),
-    body: external_exports.object({}),
-    responses: {
-      200: executionContextSchema,
-      400: apiErrorSchema,
-      401: apiErrorSchema,
-      403: apiErrorSchema,
-      // Job does not belong to user
-      404: apiErrorSchema,
-      409: apiErrorSchema,
-      // Already claimed
-      500: apiErrorSchema
-    },
-    summary: "Claim a pending job for execution"
-  }
-});
-var heartbeatBodySchema = external_exports.object({
-  runnerId: external_exports.uuid(),
-  runnerName: external_exports.string(),
-  group: runnerGroupSchema,
-  profiles: external_exports.array(external_exports.string()),
-  totalVcpu: external_exports.number().int().nonnegative(),
-  totalMemoryMb: external_exports.number().int().nonnegative(),
-  maxConcurrent: external_exports.number().int().nonnegative(),
-  allocatedVcpu: external_exports.number().int().nonnegative(),
-  allocatedMemoryMb: external_exports.number().int().nonnegative(),
-  runningCount: external_exports.number().int().nonnegative(),
-  heldSessions: external_exports.array(external_exports.string()),
-  mode: external_exports.enum(["running", "draining", "stopping"])
-});
-var runnersHeartbeatContract = c24.router({
-  heartbeat: {
-    method: "POST",
-    path: "/api/runners/heartbeat",
-    headers: authHeadersSchema,
-    body: heartbeatBodySchema,
-    responses: {
-      200: external_exports.object({ ok: external_exports.literal(true) }),
-      400: apiErrorSchema,
-      401: apiErrorSchema,
-      500: apiErrorSchema
-    },
-    summary: "Report runner heartbeat with capacity and state"
-  }
-});
-
-// ../../packages/api-contracts/src/contracts/realtime.ts
 var c25 = initContract();
 var ablyTokenRequestSchema = external_exports.object({
   keyName: external_exports.string(),
@@ -121817,6 +121937,15 @@ var cronReconcileBillingEntitlementsResponseSchema = external_exports.object({
 var cronTelegramCleanupResponseSchema = external_exports.object({
   deleted: external_exports.number()
 });
+var cronVoiceChatCleanupResponseSchema = external_exports.object({
+  success: external_exports.literal(true),
+  reasonerReset: external_exports.number()
+});
+var cronDrainEmailOutboxResponseSchema = external_exports.object({
+  success: external_exports.literal(true),
+  drained: external_exports.number(),
+  cleaned: external_exports.number()
+});
 var cronAggregateInsightsSkippedResponseSchema = external_exports.object({
   users: external_exports.number(),
   skipped: external_exports.literal(true)
@@ -121878,6 +122007,30 @@ var cronTelegramCleanupContract = c51.router({
     summary: "Delete expired Telegram messages"
   }
 });
+var cronVoiceChatCleanupContract = c51.router({
+  cleanup: {
+    method: "GET",
+    path: "/api/cron/voice-chat-cleanup",
+    headers: authHeadersSchema,
+    responses: {
+      200: cronVoiceChatCleanupResponseSchema,
+      401: apiErrorSchema
+    },
+    summary: "Reset stuck voice-chat reasoners"
+  }
+});
+var cronDrainEmailOutboxContract = c51.router({
+  drain: {
+    method: "GET",
+    path: "/api/cron/drain-email-outbox",
+    headers: authHeadersSchema,
+    responses: {
+      200: cronDrainEmailOutboxResponseSchema,
+      401: apiErrorSchema
+    },
+    summary: "Drain pending email outbox messages"
+  }
+});
 var cronAggregateInsightsContract = c51.router({
   aggregate: {
     method: "GET",
@@ -126787,4 +126940,4 @@ undici/lib/web/fetch/body.js:
 undici/lib/web/websocket/frame.js:
   (*! ws. MIT License. Einar Otto Stangvik <einaros@gmail.com> *)
 */
-//# sourceMappingURL=chunk-USVVSPWL.js.map
+//# sourceMappingURL=chunk-R2ZGUBEJ.js.map