@vm0/cli 9.61.0 → 9.62.0

package/index.js

@@ -45,7 +45,7 @@ if (DSN) {
   Sentry.init({
     dsn: DSN,
     environment: process.env.SENTRY_ENVIRONMENT ?? "production",
-    release: "9.61.0",
+    release: "9.62.0",
     sendDefaultPii: false,
     tracesSampleRate: 0,
     shutdownTimeout: 500,
@@ -64,7 +64,7 @@ if (DSN) {
     }
   });
   Sentry.setContext("cli", {
-    version: "9.61.0",
+    version: "9.62.0",
     command: process.argv.slice(2).join(" ")
   });
   Sentry.setContext("runtime", {
@@ -673,7 +673,7 @@ function getConfigPath() {
   return join2(homedir2(), ".vm0", "config.json");
 }
 var infoCommand = new Command6().name("info").description("Display environment and debug information").action(async () => {
-  console.log(chalk4.bold(`VM0 CLI v${"9.61.0"}`));
+  console.log(chalk4.bold(`VM0 CLI v${"9.62.0"}`));
   console.log();
   const config = await loadConfig();
   const hasEnvToken = !!process.env.VM0_TOKEN;
@@ -708,7 +708,7 @@ import chalk6 from "chalk";
 import { readFile as readFile4, rm as rm3 } from "fs/promises";
 import { existsSync as existsSync5 } from "fs";
 import { dirname as dirname2, join as join8 } from "path";
-import { parse as parseYaml2 } from "yaml";
+import { parse as parseYaml3 } from "yaml";
 
 // ../../packages/core/src/variable-expander.ts
 var VARIABLE_PATTERN = /\$\{\{\s*(env|vars|secrets)\.([a-zA-Z_][a-zA-Z0-9_]*)\s*\}\}/g;
@@ -780,20 +780,45 @@ var apiErrorSchema = z2.object({
 });
 
 // ../../packages/core/src/contracts/composes.ts
+import { z as z4 } from "zod";
+
+// ../../packages/core/src/contracts/firewalls.ts
 import { z as z3 } from "zod";
+var firewallPermissionSchema = z3.object({
+  name: z3.string(),
+  description: z3.string().optional(),
+  rules: z3.array(z3.string())
+});
+var firewallApiSchema = z3.object({
+  base: z3.string(),
+  auth: z3.object({
+    headers: z3.record(z3.string(), z3.string())
+  }),
+  permissions: z3.array(firewallPermissionSchema).optional()
+});
+var firewallSchema = z3.object({
+  name: z3.string(),
+  ref: z3.string(),
+  apis: z3.array(firewallApiSchema)
+});
+var experimentalFirewallSchema = z3.array(firewallSchema);
+var firewallConfigSchema = z3.object({
+  name: z3.string().min(1, "Firewall name is required"),
+  description: z3.string().optional(),
+  apis: z3.array(firewallApiSchema).min(1, "Firewall must have at least one API entry"),
+  placeholders: z3.record(z3.string(), z3.string()).optional()
+});
+
+// ../../packages/core/src/contracts/composes.ts
 var c = initContract();
-var composeVersionQuerySchema = z3.string().min(1, "Missing version query parameter").regex(
+var composeVersionQuerySchema = z4.string().min(1, "Missing version query parameter").regex(
   /^[a-f0-9]{8,64}$|^latest$/i,
   "Version must be 8-64 hex characters or 'latest'"
 );
 var AGENT_NAME_REGEX = /^[a-zA-Z0-9][a-zA-Z0-9-]{1,62}[a-zA-Z0-9]$/;
 var VALID_CAPABILITIES = [
-  "volume:read",
-  "volume:write",
-  "artifact:read",
-  "artifact:write",
-  "memory:read",
-  "memory:write",
+  "storage:read",
+  "storage:write",
   "agent:read",
   "agent:write",
   "agent-run:read",
@@ -801,31 +826,26 @@ var VALID_CAPABILITIES = [
   "schedule:read",
   "schedule:write"
 ];
-var firewallPermissionSchema = z3.object({
-  name: z3.string(),
-  description: z3.string().optional(),
-  rules: z3.array(z3.string())
-});
-var agentNameSchema = z3.string().min(3, "Agent name must be at least 3 characters").max(64, "Agent name must be 64 characters or less").regex(
+var agentNameSchema = z4.string().min(3, "Agent name must be at least 3 characters").max(64, "Agent name must be 64 characters or less").regex(
   AGENT_NAME_REGEX,
   "Agent name must start and end with letter or number, and contain only letters, numbers, and hyphens"
 );
-var volumeConfigSchema = z3.object({
-  name: z3.string().min(1, "Volume name is required"),
-  version: z3.string().min(1, "Volume version is required"),
+var volumeConfigSchema = z4.object({
+  name: z4.string().min(1, "Volume name is required"),
+  version: z4.string().min(1, "Volume version is required"),
   /** When true, skip mounting without error if volume doesn't exist */
-  optional: z3.boolean().optional()
+  optional: z4.boolean().optional()
 });
-var agentDefinitionSchema = z3.object({
-  description: z3.string().optional(),
-  framework: z3.string().min(1, "Framework is required"),
-  volumes: z3.array(z3.string()).optional(),
-  environment: z3.record(z3.string(), z3.string()).optional(),
+var agentDefinitionSchema = z4.object({
+  description: z4.string().optional(),
+  framework: z4.string().min(1, "Framework is required"),
+  volumes: z4.array(z4.string()).optional(),
+  environment: z4.record(z4.string(), z4.string()).optional(),
   /**
    * Path to instructions file (e.g., AGENTS.md).
    * Auto-uploaded as volume and mounted at /home/user/.claude/CLAUDE.md
    */
-  instructions: z3.string().min(1, "Instructions path cannot be empty").refine(
+  instructions: z4.string().min(1, "Instructions path cannot be empty").refine(
     (val) => !val.includes("..") && !val.startsWith("/") && !val.startsWith("\\"),
     "Instructions path must be a relative path without '..' segments"
   ).optional(),
@@ -833,13 +853,13 @@ var agentDefinitionSchema = z3.object({
    * Array of GitHub tree URLs for agent skills.
    * Each skill is auto-downloaded and mounted at /home/user/.claude/skills/{skillName}/
    */
-  skills: z3.array(z3.string()).optional(),
+  skills: z4.array(z4.string()).optional(),
   /**
    * Route this agent to a self-hosted runner instead of E2B.
    * When specified, runs will be queued for the specified runner group.
    */
-  experimental_runner: z3.object({
-    group: z3.string().regex(
+  experimental_runner: z4.object({
+    group: z4.string().regex(
       /^[a-z0-9-]+\/[a-z0-9-]+$/,
       "Runner group must be in org/name format (e.g., acme/production)"
     )
@@ -849,17 +869,17 @@ var agentDefinitionSchema = z3.object({
    * CLI input: map format { slack: { permissions: [...] | "all" } }
    * — expanded by CLI to full ExpandedFirewallConfig[] before API call.
    */
-  experimental_firewall: z3.record(
-    z3.string(),
-    z3.object({
-      permissions: z3.union([z3.literal("all"), z3.array(z3.string()).min(1)])
+  experimental_firewall: z4.record(
+    z4.string(),
+    z4.object({
+      permissions: z4.union([z4.literal("all"), z4.array(z4.string()).min(1)])
     })
   ).optional(),
   /**
    * Capabilities that the agent is allowed to use.
    * Validated against VALID_CAPABILITIES at compose time.
    */
-  experimental_capabilities: z3.array(z3.enum(VALID_CAPABILITIES)).refine((arr) => new Set(arr).size === arr.length, {
+  experimental_capabilities: z4.array(z4.enum(VALID_CAPABILITIES)).refine((arr) => new Set(arr).size === arr.length, {
     message: "Duplicate capabilities are not allowed"
   }).optional(),
   /**
@@ -867,66 +887,66 @@ var agentDefinitionSchema = z3.object({
    * - displayName: Human-readable name shown in the UI (preserves original casing).
    * - sound: Communication tone (e.g., "professional", "friendly").
    */
-  metadata: z3.object({
-    displayName: z3.string().optional(),
-    description: z3.string().optional(),
-    sound: z3.string().optional()
+  metadata: z4.object({
+    displayName: z4.string().optional(),
+    description: z4.string().optional(),
+    sound: z4.string().optional()
   }).optional(),
   /**
    * @deprecated Server-resolved field. User input is ignored.
    * @internal
    */
-  image: z3.string().optional(),
+  image: z4.string().optional(),
   /**
    * @deprecated Server-resolved field. User input is ignored.
    * @internal
    */
-  working_dir: z3.string().optional()
+  working_dir: z4.string().optional()
 });
-var agentComposeContentSchema = z3.object({
-  version: z3.string().min(1, "Version is required"),
-  agents: z3.record(z3.string(), agentDefinitionSchema),
-  volumes: z3.record(z3.string(), volumeConfigSchema).optional()
+var agentComposeContentSchema = z4.object({
+  version: z4.string().min(1, "Version is required"),
+  agents: z4.record(z4.string(), agentDefinitionSchema),
+  volumes: z4.record(z4.string(), volumeConfigSchema).optional()
 });
-var expandedFirewallConfigSchema = z3.object({
-  name: z3.string(),
-  ref: z3.string(),
-  description: z3.string().optional(),
-  apis: z3.array(
-    z3.object({
-      base: z3.string(),
-      auth: z3.object({
-        headers: z3.record(z3.string(), z3.string())
+var expandedFirewallConfigSchema = z4.object({
+  name: z4.string(),
+  ref: z4.string(),
+  description: z4.string().optional(),
+  apis: z4.array(
+    z4.object({
+      base: z4.string(),
+      auth: z4.object({
+        headers: z4.record(z4.string(), z4.string())
       }),
-      permissions: z3.array(firewallPermissionSchema).optional()
+      permissions: z4.array(firewallPermissionSchema).optional()
     })
   ),
-  placeholders: z3.record(z3.string(), z3.string()).optional()
+  placeholders: z4.record(z4.string(), z4.string()).optional()
 });
-var agentComposeApiContentSchema = z3.object({
-  version: z3.string().min(1, "Version is required"),
-  agents: z3.record(
-    z3.string(),
+var agentComposeApiContentSchema = z4.object({
+  version: z4.string().min(1, "Version is required"),
+  agents: z4.record(
+    z4.string(),
     agentDefinitionSchema.extend({
-      experimental_firewall: z3.array(expandedFirewallConfigSchema).optional()
+      experimental_firewall: z4.array(expandedFirewallConfigSchema).optional()
     })
   ),
-  volumes: z3.record(z3.string(), volumeConfigSchema).optional()
+  volumes: z4.record(z4.string(), volumeConfigSchema).optional()
 });
-var composeResponseSchema = z3.object({
-  id: z3.string(),
-  name: z3.string(),
-  headVersionId: z3.string().nullable(),
+var composeResponseSchema = z4.object({
+  id: z4.string(),
+  name: z4.string(),
+  headVersionId: z4.string().nullable(),
   content: agentComposeApiContentSchema.nullable(),
-  createdAt: z3.string(),
-  updatedAt: z3.string()
+  createdAt: z4.string(),
+  updatedAt: z4.string()
 });
-var createComposeResponseSchema = z3.object({
-  composeId: z3.string(),
-  name: z3.string(),
-  versionId: z3.string(),
-  action: z3.enum(["created", "existing"]),
-  updatedAt: z3.string()
+var createComposeResponseSchema = z4.object({
+  composeId: z4.string(),
+  name: z4.string(),
+  versionId: z4.string(),
+  action: z4.enum(["created", "existing"]),
+  updatedAt: z4.string()
 });
 var composesMainContract = c.router({
   /**
@@ -938,9 +958,9 @@ var composesMainContract = c.router({
     method: "GET",
     path: "/api/agent/composes",
     headers: authHeadersSchema,
-    query: z3.object({
-      name: z3.string().min(1, "Missing name query parameter"),
-      org: z3.string().optional()
+    query: z4.object({
+      name: z4.string().min(1, "Missing name query parameter"),
+      org: z4.string().optional()
     }),
     responses: {
       200: composeResponseSchema,
@@ -960,7 +980,7 @@ var composesMainContract = c.router({
     method: "POST",
     path: "/api/agent/composes",
     headers: authHeadersSchema,
-    body: z3.object({
+    body: z4.object({
       content: agentComposeApiContentSchema
     }),
     responses: {
@@ -981,8 +1001,8 @@ var composesByIdContract = c.router({
     method: "GET",
     path: "/api/agent/composes/:id",
     headers: authHeadersSchema,
-    pathParams: z3.object({
-      id: z3.string().min(1, "Compose ID is required")
+    pathParams: z4.object({
+      id: z4.string().min(1, "Compose ID is required")
     }),
     responses: {
       200: composeResponseSchema,
@@ -1000,8 +1020,8 @@ var composesByIdContract = c.router({
     method: "DELETE",
     path: "/api/agent/composes/:id",
     headers: authHeadersSchema,
-    pathParams: z3.object({
-      id: z3.string().uuid("Compose ID is required")
+    pathParams: z4.object({
+      id: z4.string().uuid("Compose ID is required")
     }),
     body: c.noBody(),
     responses: {
@@ -1022,14 +1042,14 @@ var composesVersionsContract = c.router({
     method: "GET",
     path: "/api/agent/composes/versions",
     headers: authHeadersSchema,
-    query: z3.object({
-      composeId: z3.string().min(1, "Missing composeId query parameter"),
+    query: z4.object({
+      composeId: z4.string().min(1, "Missing composeId query parameter"),
       version: composeVersionQuerySchema
     }),
     responses: {
-      200: z3.object({
-        versionId: z3.string(),
-        tag: z3.string().optional()
+      200: z4.object({
+        versionId: z4.string(),
+        tag: z4.string().optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1038,13 +1058,13 @@ var composesVersionsContract = c.router({
     summary: "Resolve version specifier to full version ID"
   }
 });
-var composeListItemSchema = z3.object({
-  id: z3.string(),
-  name: z3.string(),
-  displayName: z3.string().nullable().optional(),
-  description: z3.string().nullable().optional(),
-  headVersionId: z3.string().nullable(),
-  updatedAt: z3.string()
+var composeListItemSchema = z4.object({
+  id: z4.string(),
+  name: z4.string(),
+  displayName: z4.string().nullable().optional(),
+  description: z4.string().nullable().optional(),
+  headVersionId: z4.string().nullable(),
+  updatedAt: z4.string()
 });
 var composesListContract = c.router({
   /**
@@ -1056,12 +1076,12 @@ var composesListContract = c.router({
     method: "GET",
     path: "/api/agent/composes/list",
     headers: authHeadersSchema,
-    query: z3.object({
-      org: z3.string().optional()
+    query: z4.object({
+      org: z4.string().optional()
     }),
     responses: {
-      200: z3.object({
-        composes: z3.array(composeListItemSchema)
+      200: z4.object({
+        composes: z4.array(composeListItemSchema)
       }),
       400: apiErrorSchema,
       401: apiErrorSchema
@@ -1071,24 +1091,24 @@ var composesListContract = c.router({
 });
 
 // ../../packages/core/src/contracts/runs.ts
-import { z as z5 } from "zod";
+import { z as z6 } from "zod";
 
 // ../../packages/core/src/contracts/orgs.ts
-import { z as z4 } from "zod";
+import { z as z5 } from "zod";
 var c2 = initContract();
-var orgTierSchema = z4.enum(["free", "pro", "max"]);
-var orgSlugSchema = z4.string().min(3, "Org slug must be at least 3 characters").max(64, "Org slug must be at most 64 characters").regex(
+var orgTierSchema = z5.enum(["free", "pro", "max"]);
+var orgSlugSchema = z5.string().min(3, "Org slug must be at least 3 characters").max(64, "Org slug must be at most 64 characters").regex(
   /^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]{1,2}$/,
   "Org slug must contain only lowercase letters, numbers, and hyphens, and must start and end with an alphanumeric character"
 ).transform((s) => s.toLowerCase());
-var orgResponseSchema = z4.object({
-  id: z4.string(),
-  slug: z4.string(),
-  tier: z4.string().optional()
+var orgResponseSchema = z5.object({
+  id: z5.string(),
+  slug: z5.string(),
+  tier: z5.string().optional()
 });
-var updateOrgRequestSchema = z4.object({
+var updateOrgRequestSchema = z5.object({
   slug: orgSlugSchema,
-  force: z4.boolean().optional().default(false)
+  force: z5.boolean().optional().default(false)
 });
 var orgContract = c2.router({
   /**
@@ -1139,15 +1159,15 @@ var orgDefaultAgentContract = c2.router({
     method: "PUT",
     path: "/api/orgs/default-agent",
     headers: authHeadersSchema,
-    query: z4.object({
-      org: z4.string().optional()
+    query: z5.object({
+      org: z5.string().optional()
     }),
-    body: z4.object({
-      agentComposeId: z4.string().uuid().nullable()
+    body: z5.object({
+      agentComposeId: z5.string().uuid().nullable()
     }),
     responses: {
-      200: z4.object({
-        agentComposeId: z4.string().uuid().nullable()
+      200: z5.object({
+        agentComposeId: z5.string().uuid().nullable()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1169,95 +1189,95 @@ var ALL_RUN_STATUSES = [
   "timeout",
   "cancelled"
 ];
-var runStatusSchema = z5.enum(ALL_RUN_STATUSES);
-var unifiedRunRequestSchema = z5.object({
+var runStatusSchema = z6.enum(ALL_RUN_STATUSES);
+var unifiedRunRequestSchema = z6.object({
   // High-level shortcuts (mutually exclusive with each other)
-  checkpointId: z5.string().optional(),
-  sessionId: z5.string().optional(),
+  checkpointId: z6.string().optional(),
+  sessionId: z6.string().optional(),
   // Base parameters (can be used directly or overridden after shortcut expansion)
-  agentComposeId: z5.string().optional(),
-  agentComposeVersionId: z5.string().optional(),
-  conversationId: z5.string().optional(),
-  artifactName: z5.string().optional(),
-  artifactVersion: z5.string().optional(),
-  vars: z5.record(z5.string(), z5.string()).optional(),
-  secrets: z5.record(z5.string(), z5.string()).optional(),
-  volumeVersions: z5.record(z5.string(), z5.string()).optional(),
-  memoryName: z5.string().optional(),
+  agentComposeId: z6.string().optional(),
+  agentComposeVersionId: z6.string().optional(),
+  conversationId: z6.string().optional(),
+  artifactName: z6.string().optional(),
+  artifactVersion: z6.string().optional(),
+  vars: z6.record(z6.string(), z6.string()).optional(),
+  secrets: z6.record(z6.string(), z6.string()).optional(),
+  volumeVersions: z6.record(z6.string(), z6.string()).optional(),
+  memoryName: z6.string().optional(),
   // Debug flag to force real Claude in mock environments (internal use only)
-  debugNoMockClaude: z5.boolean().optional(),
+  debugNoMockClaude: z6.boolean().optional(),
   // Model provider for automatic secret injection
-  modelProvider: z5.string().optional(),
+  modelProvider: z6.string().optional(),
   // Environment validation flag - when true, validates secrets/vars before running
-  checkEnv: z5.boolean().optional(),
+  checkEnv: z6.boolean().optional(),
   // Required
-  prompt: z5.string().min(1, "Missing prompt")
+  prompt: z6.string().min(1, "Missing prompt")
 });
-var createRunResponseSchema = z5.object({
-  runId: z5.string(),
+var createRunResponseSchema = z6.object({
+  runId: z6.string(),
   status: runStatusSchema,
-  sandboxId: z5.string().optional(),
-  output: z5.string().optional(),
-  error: z5.string().optional(),
-  executionTimeMs: z5.number().optional(),
-  createdAt: z5.string()
+  sandboxId: z6.string().optional(),
+  output: z6.string().optional(),
+  error: z6.string().optional(),
+  executionTimeMs: z6.number().optional(),
+  createdAt: z6.string()
 });
-var getRunResponseSchema = z5.object({
-  runId: z5.string(),
-  agentComposeVersionId: z5.string().nullable(),
+var getRunResponseSchema = z6.object({
+  runId: z6.string(),
+  agentComposeVersionId: z6.string().nullable(),
   status: runStatusSchema,
-  prompt: z5.string(),
-  vars: z5.record(z5.string(), z5.string()).optional(),
-  sandboxId: z5.string().optional(),
-  result: z5.object({
-    output: z5.string().optional(),
-    executionTimeMs: z5.number().optional(),
-    agentSessionId: z5.string().optional(),
-    checkpointId: z5.string().optional(),
-    conversationId: z5.string().optional()
+  prompt: z6.string(),
+  vars: z6.record(z6.string(), z6.string()).optional(),
+  sandboxId: z6.string().optional(),
+  result: z6.object({
+    output: z6.string().optional(),
+    executionTimeMs: z6.number().optional(),
+    agentSessionId: z6.string().optional(),
+    checkpointId: z6.string().optional(),
+    conversationId: z6.string().optional()
   }).passthrough().optional(),
-  error: z5.string().optional(),
-  createdAt: z5.string(),
-  startedAt: z5.string().optional(),
-  completedAt: z5.string().optional()
+  error: z6.string().optional(),
+  createdAt: z6.string(),
+  startedAt: z6.string().optional(),
+  completedAt: z6.string().optional()
 });
-var runEventSchema = z5.object({
-  sequenceNumber: z5.number(),
-  eventType: z5.string(),
-  eventData: z5.unknown(),
-  createdAt: z5.string()
+var runEventSchema = z6.object({
+  sequenceNumber: z6.number(),
+  eventType: z6.string(),
+  eventData: z6.unknown(),
+  createdAt: z6.string()
 });
-var runResultSchema = z5.object({
-  checkpointId: z5.string(),
-  agentSessionId: z5.string(),
-  conversationId: z5.string(),
-  artifact: z5.record(z5.string(), z5.string()).optional(),
+var runResultSchema = z6.object({
+  checkpointId: z6.string(),
+  agentSessionId: z6.string(),
+  conversationId: z6.string(),
+  artifact: z6.record(z6.string(), z6.string()).optional(),
   // optional when run has no artifact
-  volumes: z5.record(z5.string(), z5.string()).optional(),
-  memory: z5.record(z5.string(), z5.string()).optional()
+  volumes: z6.record(z6.string(), z6.string()).optional(),
+  memory: z6.record(z6.string(), z6.string()).optional()
 });
-var runStateSchema = z5.object({
+var runStateSchema = z6.object({
   status: runStatusSchema,
   result: runResultSchema.optional(),
-  error: z5.string().optional()
+  error: z6.string().optional()
 });
-var eventsResponseSchema = z5.object({
-  events: z5.array(runEventSchema),
-  hasMore: z5.boolean(),
-  nextSequence: z5.number(),
+var eventsResponseSchema = z6.object({
+  events: z6.array(runEventSchema),
+  hasMore: z6.boolean(),
+  nextSequence: z6.number(),
   run: runStateSchema,
-  framework: z5.string()
+  framework: z6.string()
 });
-var runListItemSchema = z5.object({
-  id: z5.string(),
-  agentName: z5.string(),
+var runListItemSchema = z6.object({
+  id: z6.string(),
+  agentName: z6.string(),
   status: runStatusSchema,
-  prompt: z5.string(),
-  createdAt: z5.string(),
-  startedAt: z5.string().nullable()
+  prompt: z6.string(),
+  createdAt: z6.string(),
+  startedAt: z6.string().nullable()
 });
-var runsListResponseSchema = z5.object({
-  runs: z5.array(runListItemSchema)
+var runsListResponseSchema = z6.object({
+  runs: z6.array(runListItemSchema)
 });
 var runsMainContract = c3.router({
   /**
@@ -1268,16 +1288,16 @@ var runsMainContract = c3.router({
     method: "GET",
     path: "/api/agent/runs",
     headers: authHeadersSchema,
-    query: z5.object({
-      status: z5.string().optional(),
+    query: z6.object({
+      status: z6.string().optional(),
       // comma-separated: "pending,running"
-      agent: z5.string().optional(),
+      agent: z6.string().optional(),
       // agent name filter
-      since: z5.string().optional(),
+      since: z6.string().optional(),
       // ISO timestamp
-      until: z5.string().optional(),
+      until: z6.string().optional(),
       // ISO timestamp
-      limit: z5.coerce.number().min(1).max(100).default(50)
+      limit: z6.coerce.number().min(1).max(100).default(50)
     }),
     responses: {
       200: runsListResponseSchema,
@@ -1313,8 +1333,8 @@ var runsByIdContract = c3.router({
     method: "GET",
     path: "/api/agent/runs/:id",
     headers: authHeadersSchema,
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
     responses: {
       200: getRunResponseSchema,
@@ -1325,10 +1345,10 @@ var runsByIdContract = c3.router({
     summary: "Get agent run by ID"
   }
 });
-var cancelRunResponseSchema = z5.object({
-  id: z5.string(),
-  status: z5.literal("cancelled"),
-  message: z5.string()
+var cancelRunResponseSchema = z6.object({
+  id: z6.string(),
+  status: z6.literal("cancelled"),
+  message: z6.string()
 });
 var runsCancelContract = c3.router({
   /**
@@ -1339,10 +1359,10 @@ var runsCancelContract = c3.router({
     method: "POST",
     path: "/api/agent/runs/:id/cancel",
     headers: authHeadersSchema,
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
-    body: z5.undefined(),
+    body: z6.undefined(),
     responses: {
       200: cancelRunResponseSchema,
       400: apiErrorSchema,
@@ -1361,12 +1381,12 @@ var runEventsContract = c3.router({
     method: "GET",
     path: "/api/agent/runs/:id/events",
     headers: authHeadersSchema,
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
-    query: z5.object({
-      since: z5.coerce.number().default(-1),
-      limit: z5.coerce.number().default(100)
+    query: z6.object({
+      since: z6.coerce.number().default(-1),
+      limit: z6.coerce.number().default(100)
     }),
     responses: {
       200: eventsResponseSchema,
@@ -1376,48 +1396,48 @@ var runEventsContract = c3.router({
     summary: "Get agent run events"
   }
 });
-var telemetryMetricSchema = z5.object({
-  ts: z5.string(),
-  cpu: z5.number(),
-  mem_used: z5.number(),
-  mem_total: z5.number(),
-  disk_used: z5.number(),
-  disk_total: z5.number()
+var telemetryMetricSchema = z6.object({
+  ts: z6.string(),
+  cpu: z6.number(),
+  mem_used: z6.number(),
+  mem_total: z6.number(),
+  disk_used: z6.number(),
+  disk_total: z6.number()
 });
-var systemLogResponseSchema = z5.object({
-  systemLog: z5.string(),
-  hasMore: z5.boolean()
+var systemLogResponseSchema = z6.object({
+  systemLog: z6.string(),
+  hasMore: z6.boolean()
 });
-var metricsResponseSchema = z5.object({
-  metrics: z5.array(telemetryMetricSchema),
-  hasMore: z5.boolean()
+var metricsResponseSchema = z6.object({
+  metrics: z6.array(telemetryMetricSchema),
+  hasMore: z6.boolean()
 });
-var agentEventsResponseSchema = z5.object({
-  events: z5.array(runEventSchema),
-  hasMore: z5.boolean(),
-  framework: z5.string()
+var agentEventsResponseSchema = z6.object({
+  events: z6.array(runEventSchema),
+  hasMore: z6.boolean(),
+  framework: z6.string()
 });
-var networkLogEntrySchema = z5.object({
-  timestamp: z5.string(),
-  mode: z5.literal("mitm").optional(),
-  action: z5.enum(["ALLOW", "DENY"]).optional(),
-  host: z5.string().optional(),
-  port: z5.number().optional(),
-  rule_matched: z5.string().nullable().optional(),
-  method: z5.string().optional(),
-  url: z5.string().optional(),
-  status: z5.number().optional(),
-  latency_ms: z5.number().optional(),
-  request_size: z5.number().optional(),
-  response_size: z5.number().optional()
+var networkLogEntrySchema = z6.object({
+  timestamp: z6.string(),
+  mode: z6.literal("mitm").optional(),
+  action: z6.enum(["ALLOW", "DENY"]).optional(),
+  host: z6.string().optional(),
+  port: z6.number().optional(),
+  rule_matched: z6.string().nullable().optional(),
+  method: z6.string().optional(),
+  url: z6.string().optional(),
+  status: z6.number().optional(),
+  latency_ms: z6.number().optional(),
+  request_size: z6.number().optional(),
+  response_size: z6.number().optional()
 });
-var networkLogsResponseSchema = z5.object({
-  networkLogs: z5.array(networkLogEntrySchema),
-  hasMore: z5.boolean()
+var networkLogsResponseSchema = z6.object({
+  networkLogs: z6.array(networkLogEntrySchema),
+  hasMore: z6.boolean()
 });
-var telemetryResponseSchema = z5.object({
-  systemLog: z5.string(),
-  metrics: z5.array(telemetryMetricSchema)
+var telemetryResponseSchema = z6.object({
+  systemLog: z6.string(),
+  metrics: z6.array(telemetryMetricSchema)
 });
 var runTelemetryContract = c3.router({
   /**
@@ -1428,8 +1448,8 @@ var runTelemetryContract = c3.router({
     method: "GET",
     path: "/api/agent/runs/:id/telemetry",
     headers: authHeadersSchema,
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
     responses: {
       200: telemetryResponseSchema,
@@ -1448,13 +1468,13 @@ var runSystemLogContract = c3.router({
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/system-log",
     headers: authHeadersSchema,
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
-    query: z5.object({
-      since: z5.coerce.number().optional(),
-      limit: z5.coerce.number().min(1).max(100).default(5),
-      order: z5.enum(["asc", "desc"]).default("desc")
+    query: z6.object({
+      since: z6.coerce.number().optional(),
+      limit: z6.coerce.number().min(1).max(100).default(5),
+      order: z6.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: systemLogResponseSchema,
@@ -1473,13 +1493,13 @@ var runMetricsContract = c3.router({
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/metrics",
     headers: authHeadersSchema,
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
-    query: z5.object({
-      since: z5.coerce.number().optional(),
-      limit: z5.coerce.number().min(1).max(100).default(5),
-      order: z5.enum(["asc", "desc"]).default("desc")
+    query: z6.object({
+      since: z6.coerce.number().optional(),
+      limit: z6.coerce.number().min(1).max(100).default(5),
+      order: z6.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: metricsResponseSchema,
@@ -1498,13 +1518,13 @@ var runAgentEventsContract = c3.router({
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/agent",
     headers: authHeadersSchema,
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
-    query: z5.object({
-      since: z5.coerce.number().optional(),
-      limit: z5.coerce.number().min(1).max(100).default(5),
-      order: z5.enum(["asc", "desc"]).default("desc")
+    query: z6.object({
+      since: z6.coerce.number().optional(),
+      limit: z6.coerce.number().min(1).max(100).default(5),
+      order: z6.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: agentEventsResponseSchema,
@@ -1523,13 +1543,13 @@ var runNetworkLogsContract = c3.router({
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/network",
     headers: authHeadersSchema,
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
-    query: z5.object({
-      since: z5.coerce.number().optional(),
-      limit: z5.coerce.number().min(1).max(100).default(5),
-      order: z5.enum(["asc", "desc"]).default("desc")
+    query: z6.object({
+      since: z6.coerce.number().optional(),
+      limit: z6.coerce.number().min(1).max(100).default(5),
+      order: z6.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: networkLogsResponseSchema,
@@ -1539,16 +1559,16 @@ var runNetworkLogsContract = c3.router({
     summary: "Get network logs with pagination"
   }
 });
-var searchResultSchema = z5.object({
-  runId: z5.string(),
-  agentName: z5.string(),
+var searchResultSchema = z6.object({
+  runId: z6.string(),
+  agentName: z6.string(),
   matchedEvent: runEventSchema,
-  contextBefore: z5.array(runEventSchema),
-  contextAfter: z5.array(runEventSchema)
+  contextBefore: z6.array(runEventSchema),
+  contextAfter: z6.array(runEventSchema)
 });
-var logsSearchResponseSchema = z5.object({
-  results: z5.array(searchResultSchema),
-  hasMore: z5.boolean()
+var logsSearchResponseSchema = z6.object({
+  results: z6.array(searchResultSchema),
+  hasMore: z6.boolean()
 });
 var logsSearchContract = c3.router({
   /**
@@ -1559,14 +1579,14 @@ var logsSearchContract = c3.router({
     method: "GET",
     path: "/api/logs/search",
     headers: authHeadersSchema,
-    query: z5.object({
-      keyword: z5.string().min(1),
-      agent: z5.string().optional(),
-      runId: z5.string().optional(),
-      since: z5.coerce.number().optional(),
-      limit: z5.coerce.number().min(1).max(50).default(20),
-      before: z5.coerce.number().min(0).max(10).default(0),
-      after: z5.coerce.number().min(0).max(10).default(0)
+    query: z6.object({
+      keyword: z6.string().min(1),
+      agent: z6.string().optional(),
+      runId: z6.string().optional(),
+      since: z6.coerce.number().optional(),
+      limit: z6.coerce.number().min(1).max(50).default(20),
+      before: z6.coerce.number().min(0).max(10).default(0),
+      after: z6.coerce.number().min(0).max(10).default(0)
     }),
     responses: {
       200: logsSearchResponseSchema,
@@ -1575,23 +1595,23 @@ var logsSearchContract = c3.router({
     summary: "Search agent events across runs"
   }
 });
-var queueEntrySchema = z5.object({
-  position: z5.number(),
-  agentName: z5.string(),
-  userEmail: z5.string(),
-  createdAt: z5.string(),
-  isOwner: z5.boolean(),
-  runId: z5.string().nullable()
+var queueEntrySchema = z6.object({
+  position: z6.number(),
+  agentName: z6.string(),
+  userEmail: z6.string(),
+  createdAt: z6.string(),
+  isOwner: z6.boolean(),
+  runId: z6.string().nullable()
 });
-var concurrencyInfoSchema = z5.object({
+var concurrencyInfoSchema = z6.object({
   tier: orgTierSchema,
-  limit: z5.number(),
-  active: z5.number(),
-  available: z5.number()
+  limit: z6.number(),
+  active: z6.number(),
+  available: z6.number()
 });
-var queueResponseSchema = z5.object({
+var queueResponseSchema = z6.object({
   concurrency: concurrencyInfoSchema,
-  queue: z5.array(queueEntrySchema)
+  queue: z6.array(queueEntrySchema)
 });
 var runsQueueContract = c3.router({
   /**
@@ -1612,17 +1632,17 @@ var runsQueueContract = c3.router({
 });
 
 // ../../packages/core/src/contracts/storages.ts
-import { z as z6 } from "zod";
+import { z as z7 } from "zod";
 var c4 = initContract();
-var storageTypeSchema = z6.enum(["volume", "artifact", "memory"]);
-var versionQuerySchema = z6.string().regex(/^[a-f0-9]{8,64}$/i, "Version must be 8-64 hex characters").optional();
-var uploadStorageResponseSchema = z6.object({
-  name: z6.string(),
-  versionId: z6.string(),
-  size: z6.number(),
-  fileCount: z6.number(),
+var storageTypeSchema = z7.enum(["volume", "artifact", "memory"]);
+var versionQuerySchema = z7.string().regex(/^[a-f0-9]{8,64}$/i, "Version must be 8-64 hex characters").optional();
+var uploadStorageResponseSchema = z7.object({
+  name: z7.string(),
+  versionId: z7.string(),
+  size: z7.number(),
+  fileCount: z7.number(),
   type: storageTypeSchema,
-  deduplicated: z6.boolean()
+  deduplicated: z7.boolean()
 });
 var storagesContract = c4.router({
   /**
@@ -1664,8 +1684,8 @@ var storagesContract = c4.router({
     method: "GET",
     path: "/api/storages",
     headers: authHeadersSchema,
-    query: z6.object({
-      name: z6.string().min(1, "Storage name is required"),
+    query: z7.object({
+      name: z7.string().min(1, "Storage name is required"),
       version: versionQuerySchema
     }),
     responses: {
@@ -1683,41 +1703,41 @@ var storagesContract = c4.router({
   }
 });
 var MAX_FILE_SIZE_BYTES = 104857600;
-var fileEntryWithHashSchema = z6.object({
-  path: z6.string().min(1, "File path is required"),
-  hash: z6.string().length(64, "Hash must be SHA-256 (64 hex chars)"),
-  size: z6.number().int().min(0, "Size must be non-negative").max(MAX_FILE_SIZE_BYTES, "File size exceeds 100MB limit")
+var fileEntryWithHashSchema = z7.object({
+  path: z7.string().min(1, "File path is required"),
+  hash: z7.string().length(64, "Hash must be SHA-256 (64 hex chars)"),
+  size: z7.number().int().min(0, "Size must be non-negative").max(MAX_FILE_SIZE_BYTES, "File size exceeds 100MB limit")
 });
-var storageChangesSchema = z6.object({
-  added: z6.array(z6.string()),
-  modified: z6.array(z6.string()),
-  deleted: z6.array(z6.string())
+var storageChangesSchema = z7.object({
+  added: z7.array(z7.string()),
+  modified: z7.array(z7.string()),
+  deleted: z7.array(z7.string())
 });
-var presignedUploadSchema = z6.object({
-  key: z6.string(),
-  presignedUrl: z6.string().url()
+var presignedUploadSchema = z7.object({
+  key: z7.string(),
+  presignedUrl: z7.string().url()
 });
 var storagesPrepareContract = c4.router({
   prepare: {
     method: "POST",
     path: "/api/storages/prepare",
     headers: authHeadersSchema,
-    body: z6.object({
-      storageName: z6.string().min(1, "Storage name is required"),
+    body: z7.object({
+      storageName: z7.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      files: z6.array(fileEntryWithHashSchema),
-      force: z6.boolean().optional(),
-      runId: z6.string().optional(),
+      files: z7.array(fileEntryWithHashSchema),
+      force: z7.boolean().optional(),
+      runId: z7.string().optional(),
       // For sandbox auth
-      baseVersion: z6.string().optional(),
+      baseVersion: z7.string().optional(),
       // For incremental uploads
       changes: storageChangesSchema.optional()
     }),
     responses: {
-      200: z6.object({
-        versionId: z6.string(),
-        existing: z6.boolean(),
-        uploads: z6.object({
+      200: z7.object({
+        versionId: z7.string(),
+        existing: z7.boolean(),
+        uploads: z7.object({
           archive: presignedUploadSchema,
           manifest: presignedUploadSchema
         }).optional()
@@ -1736,22 +1756,22 @@ var storagesCommitContract = c4.router({
     method: "POST",
     path: "/api/storages/commit",
     headers: authHeadersSchema,
-    body: z6.object({
-      storageName: z6.string().min(1, "Storage name is required"),
+    body: z7.object({
+      storageName: z7.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      versionId: z6.string().min(1, "Version ID is required"),
-      files: z6.array(fileEntryWithHashSchema),
-      runId: z6.string().optional(),
-      message: z6.string().optional()
+      versionId: z7.string().min(1, "Version ID is required"),
+      files: z7.array(fileEntryWithHashSchema),
+      runId: z7.string().optional(),
+      message: z7.string().optional()
     }),
     responses: {
-      200: z6.object({
-        success: z6.literal(true),
-        versionId: z6.string(),
-        storageName: z6.string(),
-        size: z6.number(),
-        fileCount: z6.number(),
-        deduplicated: z6.boolean().optional()
+      200: z7.object({
+        success: z7.literal(true),
+        versionId: z7.string(),
+        storageName: z7.string(),
+        size: z7.number(),
+        fileCount: z7.number(),
+        deduplicated: z7.boolean().optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1769,26 +1789,26 @@ var storagesDownloadContract = c4.router({
     method: "GET",
     path: "/api/storages/download",
     headers: authHeadersSchema,
-    query: z6.object({
-      name: z6.string().min(1, "Storage name is required"),
+    query: z7.object({
+      name: z7.string().min(1, "Storage name is required"),
       type: storageTypeSchema,
       version: versionQuerySchema
     }),
     responses: {
       // Normal response with presigned URL
-      200: z6.union([
-        z6.object({
-          url: z6.string().url(),
-          versionId: z6.string(),
-          fileCount: z6.number(),
-          size: z6.number()
+      200: z7.union([
+        z7.object({
+          url: z7.string().url(),
+          versionId: z7.string(),
+          fileCount: z7.number(),
+          size: z7.number()
         }),
         // Empty artifact response
-        z6.object({
-          empty: z6.literal(true),
-          versionId: z6.string(),
-          fileCount: z6.literal(0),
-          size: z6.literal(0)
+        z7.object({
+          empty: z7.literal(true),
+          versionId: z7.string(),
+          fileCount: z7.literal(0),
+          size: z7.literal(0)
         })
       ]),
       400: apiErrorSchema,
@@ -1804,16 +1824,16 @@ var storagesListContract = c4.router({
     method: "GET",
     path: "/api/storages/list",
     headers: authHeadersSchema,
-    query: z6.object({
+    query: z7.object({
       type: storageTypeSchema
     }),
     responses: {
-      200: z6.array(
-        z6.object({
-          name: z6.string(),
-          size: z6.number(),
-          fileCount: z6.number(),
-          updatedAt: z6.string()
+      200: z7.array(
+        z7.object({
+          name: z7.string(),
+          size: z7.number(),
+          fileCount: z7.number(),
+          updatedAt: z7.string()
         })
       ),
       401: apiErrorSchema,
@@ -1824,22 +1844,22 @@ var storagesListContract = c4.router({
 });
 
 // ../../packages/core/src/contracts/webhooks.ts
-import { z as z7 } from "zod";
+import { z as z8 } from "zod";
 var c5 = initContract();
-var agentEventSchema = z7.object({
-  type: z7.string(),
-  sequenceNumber: z7.number().int().nonnegative()
+var agentEventSchema = z8.object({
+  type: z8.string(),
+  sequenceNumber: z8.number().int().nonnegative()
 }).passthrough();
-var artifactSnapshotSchema = z7.object({
-  artifactName: z7.string(),
-  artifactVersion: z7.string()
+var artifactSnapshotSchema = z8.object({
+  artifactName: z8.string(),
+  artifactVersion: z8.string()
 });
-var memorySnapshotSchema = z7.object({
-  memoryName: z7.string(),
-  memoryVersion: z7.string()
+var memorySnapshotSchema = z8.object({
+  memoryName: z8.string(),
+  memoryVersion: z8.string()
 });
-var volumeVersionsSnapshotSchema = z7.object({
-  versions: z7.record(z7.string(), z7.string())
+var volumeVersionsSnapshotSchema = z8.object({
+  versions: z8.record(z8.string(), z8.string())
 });
 var webhookEventsContract = c5.router({
   /**
@@ -1850,15 +1870,15 @@ var webhookEventsContract = c5.router({
     method: "POST",
     path: "/api/webhooks/agent/events",
     headers: authHeadersSchema,
-    body: z7.object({
-      runId: z7.string().min(1, "runId is required"),
-      events: z7.array(agentEventSchema).min(1, "events array cannot be empty")
+    body: z8.object({
+      runId: z8.string().min(1, "runId is required"),
+      events: z8.array(agentEventSchema).min(1, "events array cannot be empty")
     }),
     responses: {
-      200: z7.object({
-        received: z7.number(),
-        firstSequence: z7.number(),
-        lastSequence: z7.number()
+      200: z8.object({
+        received: z8.number(),
+        firstSequence: z8.number(),
+        lastSequence: z8.number()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1877,15 +1897,15 @@ var webhookCompleteContract = c5.router({
     method: "POST",
     path: "/api/webhooks/agent/complete",
     headers: authHeadersSchema,
-    body: z7.object({
-      runId: z7.string().min(1, "runId is required"),
-      exitCode: z7.number(),
-      error: z7.string().optional()
+    body: z8.object({
+      runId: z8.string().min(1, "runId is required"),
+      exitCode: z8.number(),
+      error: z8.string().optional()
     }),
     responses: {
-      200: z7.object({
-        success: z7.boolean(),
-        status: z7.enum(["completed", "failed"])
+      200: z8.object({
+        success: z8.boolean(),
+        status: z8.enum(["completed", "failed"])
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1904,23 +1924,23 @@ var webhookCheckpointsContract = c5.router({
     method: "POST",
     path: "/api/webhooks/agent/checkpoints",
     headers: authHeadersSchema,
-    body: z7.object({
-      runId: z7.string().min(1, "runId is required"),
-      cliAgentType: z7.string().min(1, "cliAgentType is required"),
-      cliAgentSessionId: z7.string().min(1, "cliAgentSessionId is required"),
-      cliAgentSessionHistory: z7.string().min(1, "cliAgentSessionHistory is required"),
+    body: z8.object({
+      runId: z8.string().min(1, "runId is required"),
+      cliAgentType: z8.string().min(1, "cliAgentType is required"),
+      cliAgentSessionId: z8.string().min(1, "cliAgentSessionId is required"),
+      cliAgentSessionHistory: z8.string().min(1, "cliAgentSessionHistory is required"),
       artifactSnapshot: artifactSnapshotSchema.optional(),
       memorySnapshot: memorySnapshotSchema.optional(),
       volumeVersionsSnapshot: volumeVersionsSnapshotSchema.optional()
     }),
     responses: {
-      200: z7.object({
-        checkpointId: z7.string(),
-        agentSessionId: z7.string(),
-        conversationId: z7.string(),
+      200: z8.object({
+        checkpointId: z8.string(),
+        agentSessionId: z8.string(),
+        conversationId: z8.string(),
         artifact: artifactSnapshotSchema.optional(),
         memory: memorySnapshotSchema.optional(),
-        volumes: z7.record(z7.string(), z7.string()).optional()
+        volumes: z8.record(z8.string(), z8.string()).optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1939,12 +1959,12 @@ var webhookHeartbeatContract = c5.router({
     method: "POST",
     path: "/api/webhooks/agent/heartbeat",
     headers: authHeadersSchema,
-    body: z7.object({
-      runId: z7.string().min(1, "runId is required")
+    body: z8.object({
+      runId: z8.string().min(1, "runId is required")
     }),
     responses: {
-      200: z7.object({
-        ok: z7.boolean()
+      200: z8.object({
+        ok: z8.boolean()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1972,11 +1992,11 @@ var webhookStoragesContract = c5.router({
     contentType: "multipart/form-data",
     body: c5.type(),
     responses: {
-      200: z7.object({
-        versionId: z7.string(),
-        storageName: z7.string(),
-        size: z7.number(),
-        fileCount: z7.number()
+      200: z8.object({
+        versionId: z8.string(),
+        storageName: z8.string(),
+        size: z8.number(),
+        fileCount: z8.number()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -2006,17 +2026,17 @@ var webhookStoragesIncrementalContract = c5.router({
     contentType: "multipart/form-data",
     body: c5.type(),
     responses: {
-      200: z7.object({
-        versionId: z7.string(),
-        storageName: z7.string(),
-        size: z7.number(),
-        fileCount: z7.number(),
-        incrementalStats: z7.object({
-          addedFiles: z7.number(),
-          modifiedFiles: z7.number(),
-          deletedFiles: z7.number(),
-          unchangedFiles: z7.number(),
-          bytesUploaded: z7.number()
+      200: z8.object({
+        versionId: z8.string(),
+        storageName: z8.string(),
+        size: z8.number(),
+        fileCount: z8.number(),
+        incrementalStats: z8.object({
+          addedFiles: z8.number(),
+          modifiedFiles: z8.number(),
+          deletedFiles: z8.number(),
+          unchangedFiles: z8.number(),
+          bytesUploaded: z8.number()
         }).optional()
       }),
       400: apiErrorSchema,
@@ -2027,34 +2047,34 @@ var webhookStoragesIncrementalContract = c5.router({
     summary: "Upload storage version incrementally from sandbox"
   }
 });
-var metricDataSchema = z7.object({
-  ts: z7.string(),
-  cpu: z7.number(),
-  mem_used: z7.number(),
-  mem_total: z7.number(),
-  disk_used: z7.number(),
-  disk_total: z7.number()
+var metricDataSchema = z8.object({
+  ts: z8.string(),
+  cpu: z8.number(),
+  mem_used: z8.number(),
+  mem_total: z8.number(),
+  disk_used: z8.number(),
+  disk_total: z8.number()
 });
-var sandboxOperationSchema = z7.object({
-  ts: z7.string(),
-  action_type: z7.string(),
-  duration_ms: z7.number(),
-  success: z7.boolean(),
-  error: z7.string().optional()
+var sandboxOperationSchema = z8.object({
+  ts: z8.string(),
+  action_type: z8.string(),
+  duration_ms: z8.number(),
+  success: z8.boolean(),
+  error: z8.string().optional()
 });
-var networkLogSchema = z7.object({
-  timestamp: z7.string(),
-  mode: z7.literal("mitm").optional(),
-  action: z7.enum(["ALLOW", "DENY"]).optional(),
-  host: z7.string().optional(),
-  port: z7.number().optional(),
-  rule_matched: z7.string().nullable().optional(),
-  method: z7.string().optional(),
-  url: z7.string().optional(),
-  status: z7.number().optional(),
-  latency_ms: z7.number().optional(),
-  request_size: z7.number().optional(),
-  response_size: z7.number().optional()
+var networkLogSchema = z8.object({
+  timestamp: z8.string(),
+  mode: z8.literal("mitm").optional(),
+  action: z8.enum(["ALLOW", "DENY"]).optional(),
+  host: z8.string().optional(),
+  port: z8.number().optional(),
+  rule_matched: z8.string().nullable().optional(),
+  method: z8.string().optional(),
+  url: z8.string().optional(),
+  status: z8.number().optional(),
+  latency_ms: z8.number().optional(),
+  request_size: z8.number().optional(),
+  response_size: z8.number().optional()
 });
 var webhookTelemetryContract = c5.router({
   /**
@@ -2065,17 +2085,17 @@ var webhookTelemetryContract = c5.router({
     method: "POST",
     path: "/api/webhooks/agent/telemetry",
     headers: authHeadersSchema,
-    body: z7.object({
-      runId: z7.string().min(1, "runId is required"),
-      systemLog: z7.string().optional(),
-      metrics: z7.array(metricDataSchema).optional(),
-      networkLogs: z7.array(networkLogSchema).optional(),
-      sandboxOperations: z7.array(sandboxOperationSchema).optional()
+    body: z8.object({
+      runId: z8.string().min(1, "runId is required"),
+      systemLog: z8.string().optional(),
+      metrics: z8.array(metricDataSchema).optional(),
+      networkLogs: z8.array(networkLogSchema).optional(),
+      sandboxOperations: z8.array(sandboxOperationSchema).optional()
     }),
     responses: {
-      200: z7.object({
-        success: z7.boolean(),
-        id: z7.string()
+      200: z8.object({
+        success: z8.boolean(),
+        id: z8.string()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -2090,21 +2110,21 @@ var webhookStoragesPrepareContract = c5.router({
     method: "POST",
     path: "/api/webhooks/agent/storages/prepare",
     headers: authHeadersSchema,
-    body: z7.object({
-      runId: z7.string().min(1, "runId is required"),
+    body: z8.object({
+      runId: z8.string().min(1, "runId is required"),
       // Required for webhook auth
-      storageName: z7.string().min(1, "Storage name is required"),
+      storageName: z8.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      files: z7.array(fileEntryWithHashSchema),
-      force: z7.boolean().optional(),
-      baseVersion: z7.string().optional(),
+      files: z8.array(fileEntryWithHashSchema),
+      force: z8.boolean().optional(),
+      baseVersion: z8.string().optional(),
       changes: storageChangesSchema.optional()
     }),
     responses: {
-      200: z7.object({
-        versionId: z7.string(),
-        existing: z7.boolean(),
-        uploads: z7.object({
+      200: z8.object({
+        versionId: z8.string(),
+        existing: z8.boolean(),
+        uploads: z8.object({
           archive: presignedUploadSchema,
           manifest: presignedUploadSchema
         }).optional()
@@ -2123,23 +2143,23 @@ var webhookStoragesCommitContract = c5.router({
     method: "POST",
     path: "/api/webhooks/agent/storages/commit",
     headers: authHeadersSchema,
-    body: z7.object({
-      runId: z7.string().min(1, "runId is required"),
+    body: z8.object({
+      runId: z8.string().min(1, "runId is required"),
       // Required for webhook auth
-      storageName: z7.string().min(1, "Storage name is required"),
+      storageName: z8.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      versionId: z7.string().min(1, "Version ID is required"),
-      files: z7.array(fileEntryWithHashSchema),
-      message: z7.string().optional()
+      versionId: z8.string().min(1, "Version ID is required"),
+      files: z8.array(fileEntryWithHashSchema),
+      message: z8.string().optional()
     }),
     responses: {
-      200: z7.object({
-        success: z7.literal(true),
-        versionId: z7.string(),
-        storageName: z7.string(),
-        size: z7.number(),
-        fileCount: z7.number(),
-        deduplicated: z7.boolean().optional()
+      200: z8.object({
+        success: z8.literal(true),
+        versionId: z8.string(),
+        storageName: z8.string(),
+        size: z8.number(),
+        fileCount: z8.number(),
+        deduplicated: z8.boolean().optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -2154,11 +2174,11 @@ var webhookStoragesCommitContract = c5.router({
 });
 
 // ../../packages/core/src/contracts/cli-auth.ts
-import { z as z8 } from "zod";
+import { z as z9 } from "zod";
 var c6 = initContract();
-var oauthErrorSchema = z8.object({
-  error: z8.string(),
-  error_description: z8.string()
+var oauthErrorSchema = z9.object({
+  error: z9.string(),
+  error_description: z9.string()
 });
 var cliAuthDeviceContract = c6.router({
   /**
@@ -2168,14 +2188,14 @@ var cliAuthDeviceContract = c6.router({
   create: {
     method: "POST",
     path: "/api/cli/auth/device",
-    body: z8.object({}).optional(),
+    body: z9.object({}).optional(),
     responses: {
-      200: z8.object({
-        device_code: z8.string(),
-        user_code: z8.string(),
-        verification_path: z8.string(),
-        expires_in: z8.number(),
-        interval: z8.number()
+      200: z9.object({
+        device_code: z9.string(),
+        user_code: z9.string(),
+        verification_path: z9.string(),
+        expires_in: z9.number(),
+        interval: z9.number()
       }),
       500: oauthErrorSchema
     },
@@ -2190,16 +2210,16 @@ var cliAuthTokenContract = c6.router({
   exchange: {
     method: "POST",
     path: "/api/cli/auth/token",
-    body: z8.object({
-      device_code: z8.string().min(1, "device_code is required")
+    body: z9.object({
+      device_code: z9.string().min(1, "device_code is required")
     }),
     responses: {
       // Success - token issued
-      200: z8.object({
-        access_token: z8.string(),
-        token_type: z8.literal("Bearer"),
-        expires_in: z8.number(),
-        org_slug: z8.string().optional()
+      200: z9.object({
+        access_token: z9.string(),
+        token_type: z9.literal("Bearer"),
+        expires_in: z9.number(),
+        org_slug: z9.string().optional()
       }),
       // Authorization pending
       202: oauthErrorSchema,
@@ -2212,7 +2232,7 @@ var cliAuthTokenContract = c6.router({
 });
 
 // ../../packages/core/src/contracts/auth.ts
-import { z as z9 } from "zod";
+import { z as z10 } from "zod";
 var c7 = initContract();
 var authContract = c7.router({
   /**
@@ -2224,9 +2244,9 @@ var authContract = c7.router({
     path: "/api/auth/me",
     headers: authHeadersSchema,
     responses: {
-      200: z9.object({
-        userId: z9.string(),
-        email: z9.string()
+      200: z10.object({
+        userId: z10.string(),
+        email: z10.string()
       }),
       401: apiErrorSchema,
       404: apiErrorSchema,
@@ -2237,21 +2257,21 @@ var authContract = c7.router({
 });
 
 // ../../packages/core/src/contracts/cron.ts
-import { z as z10 } from "zod";
+import { z as z11 } from "zod";
 var c8 = initContract();
-var cleanupResultSchema = z10.object({
-  runId: z10.string(),
-  sandboxId: z10.string().nullable(),
-  status: z10.enum(["cleaned", "error"]),
-  error: z10.string().optional(),
-  reason: z10.string().optional()
+var cleanupResultSchema = z11.object({
+  runId: z11.string(),
+  sandboxId: z11.string().nullable(),
+  status: z11.enum(["cleaned", "error"]),
+  error: z11.string().optional(),
+  reason: z11.string().optional()
 });
-var cleanupResponseSchema = z10.object({
-  cleaned: z10.number(),
-  errors: z10.number(),
-  results: z10.array(cleanupResultSchema),
-  composeJobsCleaned: z10.number(),
-  composeJobErrors: z10.number()
+var cleanupResponseSchema = z11.object({
+  cleaned: z11.number(),
+  errors: z11.number(),
+  results: z11.array(cleanupResultSchema),
+  composeJobsCleaned: z11.number(),
+  composeJobErrors: z11.number()
 });
 var cronCleanupSandboxesContract = c8.router({
   /**
@@ -2272,28 +2292,28 @@ var cronCleanupSandboxesContract = c8.router({
 });
 
 // ../../packages/core/src/contracts/secrets.ts
-import { z as z11 } from "zod";
+import { z as z12 } from "zod";
 var c9 = initContract();
-var secretNameSchema = z11.string().min(1, "Secret name is required").max(255, "Secret name must be at most 255 characters").regex(
+var secretNameSchema = z12.string().min(1, "Secret name is required").max(255, "Secret name must be at most 255 characters").regex(
   /^[A-Z][A-Z0-9_]*$/,
   "Secret name must contain only uppercase letters, numbers, and underscores, and must start with a letter (e.g., MY_API_KEY)"
 );
-var secretTypeSchema = z11.enum(["user", "model-provider", "connector"]);
-var secretResponseSchema = z11.object({
-  id: z11.string().uuid(),
-  name: z11.string(),
-  description: z11.string().nullable(),
+var secretTypeSchema = z12.enum(["user", "model-provider", "connector"]);
+var secretResponseSchema = z12.object({
+  id: z12.string().uuid(),
+  name: z12.string(),
+  description: z12.string().nullable(),
   type: secretTypeSchema,
-  createdAt: z11.string(),
-  updatedAt: z11.string()
+  createdAt: z12.string(),
+  updatedAt: z12.string()
 });
-var secretListResponseSchema = z11.object({
-  secrets: z11.array(secretResponseSchema)
+var secretListResponseSchema = z12.object({
+  secrets: z12.array(secretResponseSchema)
 });
-var setSecretRequestSchema = z11.object({
+var setSecretRequestSchema = z12.object({
   name: secretNameSchema,
-  value: z11.string().min(1, "Secret value is required"),
-  description: z11.string().max(1e3).optional()
+  value: z12.string().min(1, "Secret value is required"),
+  description: z12.string().max(1e3).optional()
 });
 var secretsMainContract = c9.router({
   /**
@@ -2339,7 +2359,7 @@ var secretsByNameContract = c9.router({
     method: "GET",
     path: "/api/secrets/:name",
     headers: authHeadersSchema,
-    pathParams: z11.object({
+    pathParams: z12.object({
       name: secretNameSchema
     }),
     responses: {
@@ -2358,7 +2378,7 @@ var secretsByNameContract = c9.router({
     method: "DELETE",
     path: "/api/secrets/:name",
     headers: authHeadersSchema,
-    pathParams: z11.object({
+    pathParams: z12.object({
       name: secretNameSchema
     }),
     responses: {
@@ -2372,27 +2392,27 @@ var secretsByNameContract = c9.router({
 });
 
 // ../../packages/core/src/contracts/variables.ts
-import { z as z12 } from "zod";
+import { z as z13 } from "zod";
 var c10 = initContract();
-var variableNameSchema = z12.string().min(1, "Variable name is required").max(255, "Variable name must be at most 255 characters").regex(
+var variableNameSchema = z13.string().min(1, "Variable name is required").max(255, "Variable name must be at most 255 characters").regex(
   /^[A-Z][A-Z0-9_]*$/,
   "Variable name must contain only uppercase letters, numbers, and underscores, and must start with a letter (e.g., MY_VAR)"
 );
-var variableResponseSchema = z12.object({
-  id: z12.string().uuid(),
-  name: z12.string(),
-  value: z12.string(),
-  description: z12.string().nullable(),
-  createdAt: z12.string(),
-  updatedAt: z12.string()
+var variableResponseSchema = z13.object({
+  id: z13.string().uuid(),
+  name: z13.string(),
+  value: z13.string(),
+  description: z13.string().nullable(),
+  createdAt: z13.string(),
+  updatedAt: z13.string()
 });
-var variableListResponseSchema = z12.object({
-  variables: z12.array(variableResponseSchema)
+var variableListResponseSchema = z13.object({
+  variables: z13.array(variableResponseSchema)
 });
-var setVariableRequestSchema = z12.object({
+var setVariableRequestSchema = z13.object({
   name: variableNameSchema,
-  value: z12.string().min(1, "Variable value is required"),
-  description: z12.string().max(1e3).optional()
+  value: z13.string().min(1, "Variable value is required"),
+  description: z13.string().max(1e3).optional()
 });
 var variablesMainContract = c10.router({
   /**
@@ -2438,7 +2458,7 @@ var variablesByNameContract = c10.router({
     method: "GET",
     path: "/api/variables/:name",
     headers: authHeadersSchema,
-    pathParams: z12.object({
+    pathParams: z13.object({
       name: variableNameSchema
     }),
     responses: {
@@ -2457,7 +2477,7 @@ var variablesByNameContract = c10.router({
     method: "DELETE",
     path: "/api/variables/:name",
     headers: authHeadersSchema,
-    pathParams: z12.object({
+    pathParams: z13.object({
       name: variableNameSchema
     }),
     responses: {
@@ -2471,7 +2491,7 @@ var variablesByNameContract = c10.router({
 });
 
 // ../../packages/core/src/contracts/model-providers.ts
-import { z as z13 } from "zod";
+import { z as z14 } from "zod";
 var c11 = initContract();
 var MODEL_PROVIDER_TYPES = {
   "claude-code-oauth-token": {
@@ -2693,7 +2713,7 @@ var MODEL_PROVIDER_TYPES = {
     customModelPlaceholder: "anthropic.claude-sonnet-4-20250514-v1:0"
   }
 };
-var modelProviderTypeSchema = z13.enum([
+var modelProviderTypeSchema = z14.enum([
   "claude-code-oauth-token",
   "anthropic-api-key",
   "openrouter-api-key",
@@ -2704,7 +2724,7 @@ var modelProviderTypeSchema = z13.enum([
   "azure-foundry",
   "aws-bedrock"
 ]);
-var modelProviderFrameworkSchema = z13.enum(["claude-code", "codex"]);
+var modelProviderFrameworkSchema = z14.enum(["claude-code", "codex"]);
 function hasAuthMethods(type2) {
   const config = MODEL_PROVIDER_TYPES[type2];
   return "authMethods" in config;
@@ -2745,41 +2765,41 @@ function getCustomModelPlaceholder(type2) {
   const config = MODEL_PROVIDER_TYPES[type2];
   return "customModelPlaceholder" in config ? config.customModelPlaceholder : void 0;
 }
-var modelProviderResponseSchema = z13.object({
-  id: z13.string().uuid(),
+var modelProviderResponseSchema = z14.object({
+  id: z14.string().uuid(),
   type: modelProviderTypeSchema,
   framework: modelProviderFrameworkSchema,
-  secretName: z13.string().nullable(),
+  secretName: z14.string().nullable(),
   // Legacy single-secret (deprecated for multi-auth)
-  authMethod: z13.string().nullable(),
+  authMethod: z14.string().nullable(),
   // For multi-auth providers
-  secretNames: z13.array(z13.string()).nullable(),
+  secretNames: z14.array(z14.string()).nullable(),
   // For multi-auth providers
-  isDefault: z13.boolean(),
-  selectedModel: z13.string().nullable(),
-  createdAt: z13.string(),
-  updatedAt: z13.string()
+  isDefault: z14.boolean(),
+  selectedModel: z14.string().nullable(),
+  createdAt: z14.string(),
+  updatedAt: z14.string()
 });
-var modelProviderListResponseSchema = z13.object({
-  modelProviders: z13.array(modelProviderResponseSchema)
+var modelProviderListResponseSchema = z14.object({
+  modelProviders: z14.array(modelProviderResponseSchema)
 });
-var upsertModelProviderRequestSchema = z13.object({
+var upsertModelProviderRequestSchema = z14.object({
   type: modelProviderTypeSchema,
-  secret: z13.string().min(1).optional(),
+  secret: z14.string().min(1).optional(),
   // Legacy single secret
-  authMethod: z13.string().optional(),
+  authMethod: z14.string().optional(),
   // For multi-auth providers
-  secrets: z13.record(z13.string(), z13.string()).optional(),
+  secrets: z14.record(z14.string(), z14.string()).optional(),
   // For multi-auth providers
-  selectedModel: z13.string().optional()
+  selectedModel: z14.string().optional()
 });
-var upsertModelProviderResponseSchema = z13.object({
+var upsertModelProviderResponseSchema = z14.object({
   provider: modelProviderResponseSchema,
-  created: z13.boolean()
+  created: z14.boolean()
 });
-var checkSecretResponseSchema = z13.object({
-  exists: z13.boolean(),
-  secretName: z13.string()
+var checkSecretResponseSchema = z14.object({
+  exists: z14.boolean(),
+  secretName: z14.string()
 });
 var modelProvidersMainContract = c11.router({
   list: {
@@ -2814,7 +2834,7 @@ var modelProvidersCheckContract = c11.router({
     method: "GET",
     path: "/api/model-providers/check/:type",
     headers: authHeadersSchema,
-    pathParams: z13.object({
+    pathParams: z14.object({
       type: modelProviderTypeSchema
     }),
     responses: {
@@ -2830,7 +2850,7 @@ var modelProvidersByTypeContract = c11.router({
     method: "DELETE",
     path: "/api/model-providers/:type",
     headers: authHeadersSchema,
-    pathParams: z13.object({
+    pathParams: z14.object({
       type: modelProviderTypeSchema
     }),
     responses: {
@@ -2847,10 +2867,10 @@ var modelProvidersConvertContract = c11.router({
     method: "POST",
     path: "/api/model-providers/:type/convert",
     headers: authHeadersSchema,
-    pathParams: z13.object({
+    pathParams: z14.object({
       type: modelProviderTypeSchema
     }),
-    body: z13.undefined(),
+    body: z14.undefined(),
     responses: {
       200: modelProviderResponseSchema,
       400: apiErrorSchema,
@@ -2866,10 +2886,10 @@ var modelProvidersSetDefaultContract = c11.router({
     method: "POST",
     path: "/api/model-providers/:type/set-default",
     headers: authHeadersSchema,
-    pathParams: z13.object({
+    pathParams: z14.object({
       type: modelProviderTypeSchema
     }),
-    body: z13.undefined(),
+    body: z14.undefined(),
     responses: {
       200: modelProviderResponseSchema,
       401: apiErrorSchema,
@@ -2879,15 +2899,15 @@ var modelProvidersSetDefaultContract = c11.router({
     summary: "Set a model provider as default for its framework"
   }
 });
-var updateModelRequestSchema = z13.object({
-  selectedModel: z13.string().optional()
+var updateModelRequestSchema = z14.object({
+  selectedModel: z14.string().optional()
 });
 var modelProvidersUpdateModelContract = c11.router({
   updateModel: {
     method: "PATCH",
     path: "/api/model-providers/:type/model",
     headers: authHeadersSchema,
-    pathParams: z13.object({
+    pathParams: z14.object({
       type: modelProviderTypeSchema
     }),
     body: updateModelRequestSchema,
@@ -2902,51 +2922,51 @@ var modelProvidersUpdateModelContract = c11.router({
 });
 
 // ../../packages/core/src/contracts/sessions.ts
-import { z as z14 } from "zod";
+import { z as z15 } from "zod";
 var c12 = initContract();
-var storedChatMessageSchema = z14.object({
-  role: z14.enum(["user", "assistant"]),
-  content: z14.string(),
-  runId: z14.string().optional(),
-  createdAt: z14.string()
+var storedChatMessageSchema = z15.object({
+  role: z15.enum(["user", "assistant"]),
+  content: z15.string(),
+  runId: z15.string().optional(),
+  createdAt: z15.string()
 });
-var sessionResponseSchema = z14.object({
-  id: z14.string(),
-  agentComposeId: z14.string(),
-  conversationId: z14.string().nullable(),
-  artifactName: z14.string().nullable(),
-  secretNames: z14.array(z14.string()).nullable(),
-  chatMessages: z14.array(storedChatMessageSchema).optional(),
-  createdAt: z14.string(),
-  updatedAt: z14.string()
+var sessionResponseSchema = z15.object({
+  id: z15.string(),
+  agentComposeId: z15.string(),
+  conversationId: z15.string().nullable(),
+  artifactName: z15.string().nullable(),
+  secretNames: z15.array(z15.string()).nullable(),
+  chatMessages: z15.array(storedChatMessageSchema).optional(),
+  createdAt: z15.string(),
+  updatedAt: z15.string()
 });
-var sessionListItemSchema = z14.object({
-  id: z14.string(),
-  createdAt: z14.string(),
-  updatedAt: z14.string(),
-  messageCount: z14.number(),
-  preview: z14.string().nullable()
+var sessionListItemSchema = z15.object({
+  id: z15.string(),
+  createdAt: z15.string(),
+  updatedAt: z15.string(),
+  messageCount: z15.number(),
+  preview: z15.string().nullable()
 });
-var agentComposeSnapshotSchema = z14.object({
-  agentComposeVersionId: z14.string(),
-  vars: z14.record(z14.string(), z14.string()).optional(),
-  secretNames: z14.array(z14.string()).optional()
+var agentComposeSnapshotSchema = z15.object({
+  agentComposeVersionId: z15.string(),
+  vars: z15.record(z15.string(), z15.string()).optional(),
+  secretNames: z15.array(z15.string()).optional()
 });
-var artifactSnapshotSchema2 = z14.object({
-  artifactName: z14.string(),
-  artifactVersion: z14.string()
+var artifactSnapshotSchema2 = z15.object({
+  artifactName: z15.string(),
+  artifactVersion: z15.string()
 });
-var volumeVersionsSnapshotSchema2 = z14.object({
-  versions: z14.record(z14.string(), z14.string())
+var volumeVersionsSnapshotSchema2 = z15.object({
+  versions: z15.record(z15.string(), z15.string())
 });
-var checkpointResponseSchema = z14.object({
-  id: z14.string(),
-  runId: z14.string(),
-  conversationId: z14.string(),
+var checkpointResponseSchema = z15.object({
+  id: z15.string(),
+  runId: z15.string(),
+  conversationId: z15.string(),
   agentComposeSnapshot: agentComposeSnapshotSchema,
   artifactSnapshot: artifactSnapshotSchema2.nullable(),
   volumeVersionsSnapshot: volumeVersionsSnapshotSchema2.nullable(),
-  createdAt: z14.string()
+  createdAt: z15.string()
 });
 var sessionsContract = c12.router({
   /**
@@ -2957,11 +2977,11 @@ var sessionsContract = c12.router({
     method: "GET",
     path: "/api/agent/sessions",
     headers: authHeadersSchema,
-    query: z14.object({
-      agentComposeId: z14.string().min(1, "agentComposeId is required")
+    query: z15.object({
+      agentComposeId: z15.string().min(1, "agentComposeId is required")
     }),
     responses: {
-      200: z14.object({ sessions: z14.array(sessionListItemSchema) }),
+      200: z15.object({ sessions: z15.array(sessionListItemSchema) }),
       401: apiErrorSchema
     },
     summary: "List chat sessions for an agent"
@@ -2976,8 +2996,8 @@ var sessionsByIdContract = c12.router({
     method: "GET",
     path: "/api/agent/sessions/:id",
     headers: authHeadersSchema,
-    pathParams: z14.object({
-      id: z14.string().min(1, "Session ID is required")
+    pathParams: z15.object({
+      id: z15.string().min(1, "Session ID is required")
     }),
     responses: {
       200: sessionResponseSchema,
@@ -2997,20 +3017,20 @@ var sessionMessagesContract = c12.router({
     method: "POST",
     path: "/api/agent/sessions/:id/messages",
     headers: authHeadersSchema,
-    pathParams: z14.object({
-      id: z14.string().min(1, "Session ID is required")
+    pathParams: z15.object({
+      id: z15.string().min(1, "Session ID is required")
     }),
-    body: z14.object({
-      messages: z14.array(
-        z14.object({
-          role: z14.enum(["user", "assistant"]),
-          content: z14.string(),
-          runId: z14.string().optional()
+    body: z15.object({
+      messages: z15.array(
+        z15.object({
+          role: z15.enum(["user", "assistant"]),
+          content: z15.string(),
+          runId: z15.string().optional()
         })
       )
     }),
     responses: {
-      200: z14.object({ success: z14.literal(true) }),
+      200: z15.object({ success: z15.literal(true) }),
       401: apiErrorSchema,
       403: apiErrorSchema,
       404: apiErrorSchema
@@ -3027,8 +3047,8 @@ var checkpointsByIdContract = c12.router({
     method: "GET",
     path: "/api/agent/checkpoints/:id",
     headers: authHeadersSchema,
-    pathParams: z14.object({
-      id: z14.string().min(1, "Checkpoint ID is required")
+    pathParams: z15.object({
+      id: z15.string().min(1, "Checkpoint ID is required")
     }),
     responses: {
       200: checkpointResponseSchema,
@@ -3041,29 +3061,29 @@ var checkpointsByIdContract = c12.router({
 });
 
 // ../../packages/core/src/contracts/runners.ts
-import { z as z15 } from "zod";
+import { z as z16 } from "zod";
 var c13 = initContract();
-var runnerGroupSchema = z15.string().regex(
+var runnerGroupSchema = z16.string().regex(
   /^[a-z0-9-]+\/[a-z0-9-]+$/,
   "Runner group must be in org/name format (e.g., acme/production)"
 );
-var jobSchema = z15.object({
-  runId: z15.string().uuid(),
-  prompt: z15.string(),
-  agentComposeVersionId: z15.string().nullable(),
-  vars: z15.record(z15.string(), z15.string()).nullable(),
-  checkpointId: z15.string().uuid().nullable()
+var jobSchema = z16.object({
+  runId: z16.string().uuid(),
+  prompt: z16.string(),
+  agentComposeVersionId: z16.string().nullable(),
+  vars: z16.record(z16.string(), z16.string()).nullable(),
+  checkpointId: z16.string().uuid().nullable()
 });
 var runnersPollContract = c13.router({
   poll: {
     method: "POST",
     path: "/api/runners/poll",
     headers: authHeadersSchema,
-    body: z15.object({
+    body: z16.object({
       group: runnerGroupSchema
     }),
     responses: {
-      200: z15.object({
+      200: z16.object({
         job: jobSchema.nullable()
       }),
       400: apiErrorSchema,
@@ -3073,107 +3093,94 @@ var runnersPollContract = c13.router({
     summary: "Poll for pending jobs (long-polling with 30s timeout)"
   }
 });
-var firewallApiSchema = z15.object({
-  base: z15.string(),
-  auth: z15.object({
-    headers: z15.record(z15.string(), z15.string())
-  }),
-  permissions: z15.array(firewallPermissionSchema).optional()
-});
-var firewallSchema = z15.object({
-  name: z15.string(),
-  ref: z15.string(),
-  apis: z15.array(firewallApiSchema)
-});
-var experimentalFirewallSchema = z15.array(firewallSchema);
-var storageEntrySchema = z15.object({
-  mountPath: z15.string(),
-  archiveUrl: z15.string().nullable()
+var storageEntrySchema = z16.object({
+  mountPath: z16.string(),
+  archiveUrl: z16.string().nullable()
 });
-var artifactEntrySchema = z15.object({
-  mountPath: z15.string(),
-  archiveUrl: z15.string().nullable(),
-  vasStorageName: z15.string(),
-  vasVersionId: z15.string()
+var artifactEntrySchema = z16.object({
+  mountPath: z16.string(),
+  archiveUrl: z16.string().nullable(),
+  vasStorageName: z16.string(),
+  vasVersionId: z16.string()
 });
-var storageManifestSchema = z15.object({
-  storages: z15.array(storageEntrySchema),
+var storageManifestSchema = z16.object({
+  storages: z16.array(storageEntrySchema),
   artifact: artifactEntrySchema.nullable(),
   memory: artifactEntrySchema.nullable()
 });
-var resumeSessionSchema = z15.object({
-  sessionId: z15.string(),
-  sessionHistory: z15.string()
+var resumeSessionSchema = z16.object({
+  sessionId: z16.string(),
+  sessionHistory: z16.string()
 });
-var storedExecutionContextSchema = z15.object({
-  workingDir: z15.string(),
+var storedExecutionContextSchema = z16.object({
+  workingDir: z16.string(),
   storageManifest: storageManifestSchema.nullable(),
-  environment: z15.record(z15.string(), z15.string()).nullable(),
+  environment: z16.record(z16.string(), z16.string()).nullable(),
   resumeSession: resumeSessionSchema.nullable(),
-  encryptedSecrets: z15.string().nullable(),
+  encryptedSecrets: z16.string().nullable(),
   // AES-256-GCM encrypted Record<string, string> (secret name → value)
   // Maps secret names to OAuth connector types for runtime token refresh (e.g. { "GMAIL_ACCESS_TOKEN": "gmail" })
-  secretConnectorMap: z15.record(z15.string(), z15.string()).nullable().optional(),
-  cliAgentType: z15.string(),
+  secretConnectorMap: z16.record(z16.string(), z16.string()).nullable().optional(),
+  cliAgentType: z16.string(),
   // Debug flag to force real Claude in mock environments (internal use only)
-  debugNoMockClaude: z15.boolean().optional(),
+  debugNoMockClaude: z16.boolean().optional(),
   // Dispatch timestamp for E2E timing metrics
-  apiStartTime: z15.number().optional(),
+  apiStartTime: z16.number().optional(),
   // User's timezone preference (IANA format, e.g., "Asia/Shanghai")
-  userTimezone: z15.string().optional(),
+  userTimezone: z16.string().optional(),
   // Agent metadata for VM0_AGENT_NAME and VM0_AGENT_ORG env vars
-  agentName: z15.string().optional(),
-  agentOrgSlug: z15.string().optional(),
+  agentName: z16.string().optional(),
+  agentOrgSlug: z16.string().optional(),
   // Memory storage name (for first-run when manifest.memory is null)
-  memoryName: z15.string().optional(),
+  memoryName: z16.string().optional(),
   // Experimental firewall for proxy-side token replacement
   experimentalFirewall: experimentalFirewallSchema.optional(),
   // Experimental capabilities for agent permission enforcement
-  experimentalCapabilities: z15.array(z15.enum(VALID_CAPABILITIES)).optional()
+  experimentalCapabilities: z16.array(z16.enum(VALID_CAPABILITIES)).optional()
 });
-var executionContextSchema = z15.object({
-  runId: z15.string().uuid(),
-  prompt: z15.string(),
-  agentComposeVersionId: z15.string().nullable(),
-  vars: z15.record(z15.string(), z15.string()).nullable(),
-  checkpointId: z15.string().uuid().nullable(),
-  sandboxToken: z15.string(),
+var executionContextSchema = z16.object({
+  runId: z16.string().uuid(),
+  prompt: z16.string(),
+  agentComposeVersionId: z16.string().nullable(),
+  vars: z16.record(z16.string(), z16.string()).nullable(),
+  checkpointId: z16.string().uuid().nullable(),
+  sandboxToken: z16.string(),
   // New fields for E2B parity:
-  workingDir: z15.string(),
+  workingDir: z16.string(),
   storageManifest: storageManifestSchema.nullable(),
-  environment: z15.record(z15.string(), z15.string()).nullable(),
+  environment: z16.record(z16.string(), z16.string()).nullable(),
   resumeSession: resumeSessionSchema.nullable(),
-  secretValues: z15.array(z15.string()).nullable(),
+  secretValues: z16.array(z16.string()).nullable(),
   // AES-256-GCM encrypted Record<string, string> — passed through to mitm-addon for auth resolution
-  encryptedSecrets: z15.string().nullable(),
+  encryptedSecrets: z16.string().nullable(),
   // Maps secret names to OAuth connector types for runtime token refresh
-  secretConnectorMap: z15.record(z15.string(), z15.string()).nullable().optional(),
-  cliAgentType: z15.string(),
+  secretConnectorMap: z16.record(z16.string(), z16.string()).nullable().optional(),
+  cliAgentType: z16.string(),
   // Debug flag to force real Claude in mock environments (internal use only)
-  debugNoMockClaude: z15.boolean().optional(),
+  debugNoMockClaude: z16.boolean().optional(),
   // Dispatch timestamp for E2E timing metrics
-  apiStartTime: z15.number().optional(),
+  apiStartTime: z16.number().optional(),
   // User's timezone preference (IANA format, e.g., "Asia/Shanghai")
-  userTimezone: z15.string().optional(),
+  userTimezone: z16.string().optional(),
   // Agent metadata
-  agentName: z15.string().optional(),
-  agentOrgSlug: z15.string().optional(),
+  agentName: z16.string().optional(),
+  agentOrgSlug: z16.string().optional(),
   // Memory storage name (for first-run when manifest.memory is null)
-  memoryName: z15.string().optional(),
+  memoryName: z16.string().optional(),
   // Experimental firewall for proxy-side token replacement
   experimentalFirewall: experimentalFirewallSchema.optional(),
   // Experimental capabilities for agent permission enforcement
-  experimentalCapabilities: z15.array(z15.enum(VALID_CAPABILITIES)).optional()
+  experimentalCapabilities: z16.array(z16.enum(VALID_CAPABILITIES)).optional()
 });
 var runnersJobClaimContract = c13.router({
   claim: {
     method: "POST",
     path: "/api/runners/jobs/:id/claim",
     headers: authHeadersSchema,
-    pathParams: z15.object({
-      id: z15.string().uuid()
+    pathParams: z16.object({
+      id: z16.string().uuid()
     }),
-    body: z15.object({}),
+    body: z16.object({}),
     responses: {
       200: executionContextSchema,
       400: apiErrorSchema,
@@ -3190,13 +3197,13 @@ var runnersJobClaimContract = c13.router({
 });
 
 // ../../packages/core/src/contracts/schedules.ts
-import { z as z16 } from "zod";
+import { z as z17 } from "zod";
 var c14 = initContract();
-var scheduleTriggerSchema = z16.object({
-  cron: z16.string().optional(),
-  at: z16.string().optional(),
-  loop: z16.object({ interval: z16.number().int().min(0) }).optional(),
-  timezone: z16.string().default("UTC")
+var scheduleTriggerSchema = z17.object({
+  cron: z17.string().optional(),
+  at: z17.string().optional(),
+  loop: z17.object({ interval: z17.number().int().min(0) }).optional(),
+  timezone: z17.string().default("UTC")
 }).refine(
   (data) => {
     const triggers = [data.cron, data.at, data.loop].filter(Boolean);
@@ -3206,41 +3213,41 @@ var scheduleTriggerSchema = z16.object({
     message: "Exactly one of 'cron', 'at', or 'loop' must be specified"
   }
 );
-var scheduleRunConfigSchema = z16.object({
-  agent: z16.string().min(1, "Agent reference required"),
-  prompt: z16.string().min(1, "Prompt required"),
-  vars: z16.record(z16.string(), z16.string()).optional(),
-  secrets: z16.record(z16.string(), z16.string()).optional(),
-  artifactName: z16.string().optional(),
-  artifactVersion: z16.string().optional(),
-  volumeVersions: z16.record(z16.string(), z16.string()).optional()
+var scheduleRunConfigSchema = z17.object({
+  agent: z17.string().min(1, "Agent reference required"),
+  prompt: z17.string().min(1, "Prompt required"),
+  vars: z17.record(z17.string(), z17.string()).optional(),
+  secrets: z17.record(z17.string(), z17.string()).optional(),
+  artifactName: z17.string().optional(),
+  artifactVersion: z17.string().optional(),
+  volumeVersions: z17.record(z17.string(), z17.string()).optional()
 });
-var scheduleDefinitionSchema = z16.object({
+var scheduleDefinitionSchema = z17.object({
   on: scheduleTriggerSchema,
   run: scheduleRunConfigSchema
 });
-var scheduleYamlSchema = z16.object({
-  version: z16.literal("1.0"),
-  schedules: z16.record(z16.string(), scheduleDefinitionSchema)
+var scheduleYamlSchema = z17.object({
+  version: z17.literal("1.0"),
+  schedules: z17.record(z17.string(), scheduleDefinitionSchema)
 });
-var deployScheduleRequestSchema = z16.object({
-  name: z16.string().min(1).max(64, "Schedule name max 64 chars"),
-  cronExpression: z16.string().optional(),
-  atTime: z16.string().optional(),
-  intervalSeconds: z16.number().int().min(0).optional(),
-  timezone: z16.string().default("UTC"),
-  prompt: z16.string().min(1, "Prompt required"),
+var deployScheduleRequestSchema = z17.object({
+  name: z17.string().min(1).max(64, "Schedule name max 64 chars"),
+  cronExpression: z17.string().optional(),
+  atTime: z17.string().optional(),
+  intervalSeconds: z17.number().int().min(0).optional(),
+  timezone: z17.string().default("UTC"),
+  prompt: z17.string().min(1, "Prompt required"),
   // vars and secrets removed - now managed via platform tables
-  artifactName: z16.string().optional(),
-  artifactVersion: z16.string().optional(),
-  volumeVersions: z16.record(z16.string(), z16.string()).optional(),
+  artifactName: z17.string().optional(),
+  artifactVersion: z17.string().optional(),
+  volumeVersions: z17.record(z17.string(), z17.string()).optional(),
   // Resolved agent compose ID (CLI resolves org/name:version → composeId)
-  composeId: z16.string().uuid("Invalid compose ID"),
+  composeId: z17.string().uuid("Invalid compose ID"),
   // Enable schedule immediately upon creation
-  enabled: z16.boolean().optional(),
+  enabled: z17.boolean().optional(),
   // Per-schedule notification control (AND'd with user global preferences)
-  notifyEmail: z16.boolean().optional(),
-  notifySlack: z16.boolean().optional()
+  notifyEmail: z17.boolean().optional(),
+  notifySlack: z17.boolean().optional()
 }).refine(
   (data) => {
     const triggers = [
@@ -3254,38 +3261,38 @@ var deployScheduleRequestSchema = z16.object({
     message: "Exactly one of 'cronExpression', 'atTime', or 'intervalSeconds' must be specified"
   }
 );
-var scheduleResponseSchema = z16.object({
-  id: z16.string().uuid(),
-  composeId: z16.string().uuid(),
-  composeName: z16.string(),
-  orgSlug: z16.string(),
-  userId: z16.string(),
-  name: z16.string(),
-  triggerType: z16.enum(["cron", "once", "loop"]),
-  cronExpression: z16.string().nullable(),
-  atTime: z16.string().nullable(),
-  intervalSeconds: z16.number().nullable(),
-  timezone: z16.string(),
-  prompt: z16.string(),
-  vars: z16.record(z16.string(), z16.string()).nullable(),
+var scheduleResponseSchema = z17.object({
+  id: z17.string().uuid(),
+  composeId: z17.string().uuid(),
+  composeName: z17.string(),
+  orgSlug: z17.string(),
+  userId: z17.string(),
+  name: z17.string(),
+  triggerType: z17.enum(["cron", "once", "loop"]),
+  cronExpression: z17.string().nullable(),
+  atTime: z17.string().nullable(),
+  intervalSeconds: z17.number().nullable(),
+  timezone: z17.string(),
+  prompt: z17.string(),
+  vars: z17.record(z17.string(), z17.string()).nullable(),
   // Secret names only (values are never returned)
-  secretNames: z16.array(z16.string()).nullable(),
-  artifactName: z16.string().nullable(),
-  artifactVersion: z16.string().nullable(),
-  volumeVersions: z16.record(z16.string(), z16.string()).nullable(),
-  enabled: z16.boolean(),
-  notifyEmail: z16.boolean(),
-  notifySlack: z16.boolean(),
-  nextRunAt: z16.string().nullable(),
-  lastRunAt: z16.string().nullable(),
-  retryStartedAt: z16.string().nullable(),
-  consecutiveFailures: z16.number(),
-  createdAt: z16.string(),
-  updatedAt: z16.string()
+  secretNames: z17.array(z17.string()).nullable(),
+  artifactName: z17.string().nullable(),
+  artifactVersion: z17.string().nullable(),
+  volumeVersions: z17.record(z17.string(), z17.string()).nullable(),
+  enabled: z17.boolean(),
+  notifyEmail: z17.boolean(),
+  notifySlack: z17.boolean(),
+  nextRunAt: z17.string().nullable(),
+  lastRunAt: z17.string().nullable(),
+  retryStartedAt: z17.string().nullable(),
+  consecutiveFailures: z17.number(),
+  createdAt: z17.string(),
+  updatedAt: z17.string()
 });
-var runSummarySchema = z16.object({
-  id: z16.string().uuid(),
-  status: z16.enum([
+var runSummarySchema = z17.object({
+  id: z17.string().uuid(),
+  status: z17.enum([
     "queued",
     "pending",
     "running",
@@ -3293,19 +3300,19 @@ var runSummarySchema = z16.object({
     "failed",
     "timeout"
   ]),
-  createdAt: z16.string(),
-  completedAt: z16.string().nullable(),
-  error: z16.string().nullable()
+  createdAt: z17.string(),
+  completedAt: z17.string().nullable(),
+  error: z17.string().nullable()
 });
-var scheduleRunsResponseSchema = z16.object({
-  runs: z16.array(runSummarySchema)
+var scheduleRunsResponseSchema = z17.object({
+  runs: z17.array(runSummarySchema)
 });
-var scheduleListResponseSchema = z16.object({
-  schedules: z16.array(scheduleResponseSchema)
+var scheduleListResponseSchema = z17.object({
+  schedules: z17.array(scheduleResponseSchema)
 });
-var deployScheduleResponseSchema = z16.object({
+var deployScheduleResponseSchema = z17.object({
   schedule: scheduleResponseSchema,
-  created: z16.boolean()
+  created: z17.boolean()
   // true if created, false if updated
 });
 var schedulesMainContract = c14.router({
@@ -3353,11 +3360,11 @@ var schedulesByNameContract = c14.router({
     method: "GET",
     path: "/api/agent/schedules/:name",
     headers: authHeadersSchema,
-    pathParams: z16.object({
-      name: z16.string().min(1, "Schedule name required")
+    pathParams: z17.object({
+      name: z17.string().min(1, "Schedule name required")
     }),
-    query: z16.object({
-      composeId: z16.string().uuid("Compose ID required")
+    query: z17.object({
+      composeId: z17.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -3374,11 +3381,11 @@ var schedulesByNameContract = c14.router({
     method: "DELETE",
     path: "/api/agent/schedules/:name",
     headers: authHeadersSchema,
-    pathParams: z16.object({
-      name: z16.string().min(1, "Schedule name required")
+    pathParams: z17.object({
+      name: z17.string().min(1, "Schedule name required")
     }),
-    query: z16.object({
-      composeId: z16.string().uuid("Compose ID required")
+    query: z17.object({
+      composeId: z17.string().uuid("Compose ID required")
     }),
     responses: {
       204: c14.noBody(),
@@ -3397,11 +3404,11 @@ var schedulesEnableContract = c14.router({
     method: "POST",
     path: "/api/agent/schedules/:name/enable",
     headers: authHeadersSchema,
-    pathParams: z16.object({
-      name: z16.string().min(1, "Schedule name required")
+    pathParams: z17.object({
+      name: z17.string().min(1, "Schedule name required")
     }),
-    body: z16.object({
-      composeId: z16.string().uuid("Compose ID required")
+    body: z17.object({
+      composeId: z17.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -3418,11 +3425,11 @@ var schedulesEnableContract = c14.router({
     method: "POST",
     path: "/api/agent/schedules/:name/disable",
     headers: authHeadersSchema,
-    pathParams: z16.object({
-      name: z16.string().min(1, "Schedule name required")
+    pathParams: z17.object({
+      name: z17.string().min(1, "Schedule name required")
     }),
-    body: z16.object({
-      composeId: z16.string().uuid("Compose ID required")
+    body: z17.object({
+      composeId: z17.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -3441,12 +3448,12 @@ var scheduleRunsContract = c14.router({
     method: "GET",
     path: "/api/agent/schedules/:name/runs",
     headers: authHeadersSchema,
-    pathParams: z16.object({
-      name: z16.string().min(1, "Schedule name required")
+    pathParams: z17.object({
+      name: z17.string().min(1, "Schedule name required")
     }),
-    query: z16.object({
-      composeId: z16.string().uuid("Compose ID required"),
-      limit: z16.coerce.number().min(0).max(100).default(5)
+    query: z17.object({
+      composeId: z17.string().uuid("Compose ID required"),
+      limit: z17.coerce.number().min(0).max(100).default(5)
     }),
     responses: {
       200: scheduleRunsResponseSchema,
@@ -3458,16 +3465,16 @@ var scheduleRunsContract = c14.router({
 });
 
 // ../../packages/core/src/contracts/realtime.ts
-import { z as z17 } from "zod";
+import { z as z18 } from "zod";
 var c15 = initContract();
-var ablyTokenRequestSchema = z17.object({
-  keyName: z17.string(),
-  ttl: z17.number().optional(),
-  timestamp: z17.number(),
-  capability: z17.string(),
-  clientId: z17.string().optional(),
-  nonce: z17.string(),
-  mac: z17.string()
+var ablyTokenRequestSchema = z18.object({
+  keyName: z18.string(),
+  ttl: z18.number().optional(),
+  timestamp: z18.number(),
+  capability: z18.string(),
+  clientId: z18.string().optional(),
+  nonce: z18.string(),
+  mac: z18.string()
 });
 var runnerRealtimeTokenContract = c15.router({
   /**
@@ -3478,7 +3485,7 @@ var runnerRealtimeTokenContract = c15.router({
     method: "POST",
     path: "/api/runners/realtime/token",
     headers: authHeadersSchema,
-    body: z17.object({
+    body: z18.object({
       group: runnerGroupSchema
     }),
     responses: {
@@ -3492,22 +3499,22 @@ var runnerRealtimeTokenContract = c15.router({
 });
 
 // ../../packages/core/src/contracts/platform.ts
-import { z as z18 } from "zod";
-var paginationSchema = z18.object({
-  hasMore: z18.boolean(),
-  nextCursor: z18.string().nullable()
+import { z as z19 } from "zod";
+var paginationSchema = z19.object({
+  hasMore: z19.boolean(),
+  nextCursor: z19.string().nullable()
 });
-var listQuerySchema = z18.object({
-  cursor: z18.string().optional(),
-  limit: z18.coerce.number().min(1).max(100).default(20)
+var listQuerySchema = z19.object({
+  cursor: z19.string().optional(),
+  limit: z19.coerce.number().min(1).max(100).default(20)
 });
 var c16 = initContract();
-var platformPaginationSchema = z18.object({
-  hasMore: z18.boolean(),
-  nextCursor: z18.string().nullable(),
-  totalPages: z18.number()
+var platformPaginationSchema = z19.object({
+  hasMore: z19.boolean(),
+  nextCursor: z19.string().nullable(),
+  totalPages: z19.number()
 });
-var platformLogStatusSchema = z18.enum([
+var platformLogStatusSchema = z19.enum([
   "queued",
   "pending",
   "running",
@@ -3516,36 +3523,36 @@ var platformLogStatusSchema = z18.enum([
   "timeout",
   "cancelled"
 ]);
-var platformLogEntrySchema = z18.object({
-  id: z18.string().uuid(),
-  sessionId: z18.string().nullable(),
-  agentName: z18.string(),
-  orgSlug: z18.string().nullable(),
-  framework: z18.string().nullable(),
+var platformLogEntrySchema = z19.object({
+  id: z19.string().uuid(),
+  sessionId: z19.string().nullable(),
+  agentName: z19.string(),
+  orgSlug: z19.string().nullable(),
+  framework: z19.string().nullable(),
   status: platformLogStatusSchema,
-  createdAt: z18.string(),
-  startedAt: z18.string().nullable(),
-  completedAt: z18.string().nullable()
+  createdAt: z19.string(),
+  startedAt: z19.string().nullable(),
+  completedAt: z19.string().nullable()
 });
-var platformLogsListResponseSchema = z18.object({
-  data: z18.array(platformLogEntrySchema),
+var platformLogsListResponseSchema = z19.object({
+  data: z19.array(platformLogEntrySchema),
   pagination: platformPaginationSchema
 });
-var artifactSchema = z18.object({
-  name: z18.string().nullable(),
-  version: z18.string().nullable()
+var artifactSchema = z19.object({
+  name: z19.string().nullable(),
+  version: z19.string().nullable()
 });
-var platformLogDetailSchema = z18.object({
-  id: z18.string().uuid(),
-  sessionId: z18.string().nullable(),
-  agentName: z18.string(),
-  framework: z18.string().nullable(),
+var platformLogDetailSchema = z19.object({
+  id: z19.string().uuid(),
+  sessionId: z19.string().nullable(),
+  agentName: z19.string(),
+  framework: z19.string().nullable(),
   status: platformLogStatusSchema,
-  prompt: z18.string(),
-  error: z18.string().nullable(),
-  createdAt: z18.string(),
-  startedAt: z18.string().nullable(),
-  completedAt: z18.string().nullable(),
+  prompt: z19.string(),
+  error: z19.string().nullable(),
+  createdAt: z19.string(),
+  startedAt: z19.string().nullable(),
+  completedAt: z19.string().nullable(),
   artifact: artifactSchema
 });
 var platformLogsListContract = c16.router({
@@ -3553,10 +3560,10 @@ var platformLogsListContract = c16.router({
     method: "GET",
     path: "/api/platform/logs",
     query: listQuerySchema.extend({
-      search: z18.string().optional(),
-      agent: z18.string().optional(),
-      name: z18.string().optional(),
-      org: z18.string().optional(),
+      search: z19.string().optional(),
+      agent: z19.string().optional(),
+      name: z19.string().optional(),
+      org: z19.string().optional(),
       status: platformLogStatusSchema.optional()
     }),
     responses: {
@@ -3571,8 +3578,8 @@ var platformLogsByIdContract = c16.router({
     method: "GET",
     path: "/api/platform/logs/:id",
     headers: authHeadersSchema,
-    pathParams: z18.object({
-      id: z18.string().uuid("Invalid log ID")
+    pathParams: z19.object({
+      id: z19.string().uuid("Invalid log ID")
     }),
     responses: {
       200: platformLogDetailSchema,
@@ -3582,17 +3589,17 @@ var platformLogsByIdContract = c16.router({
     summary: "Get agent run log details by ID"
   }
 });
-var artifactDownloadResponseSchema = z18.object({
-  url: z18.string().url(),
-  expiresAt: z18.string()
+var artifactDownloadResponseSchema = z19.object({
+  url: z19.string().url(),
+  expiresAt: z19.string()
 });
 var platformArtifactDownloadContract = c16.router({
   getDownloadUrl: {
     method: "GET",
     path: "/api/platform/artifacts/download",
-    query: z18.object({
-      name: z18.string().min(1, "Artifact name is required"),
-      version: z18.string().optional()
+    query: z19.object({
+      name: z19.string().min(1, "Artifact name is required"),
+      version: z19.string().optional()
     }),
     responses: {
       200: artifactDownloadResponseSchema,
@@ -3604,41 +3611,41 @@ var platformArtifactDownloadContract = c16.router({
 });
 
 // ../../packages/core/src/contracts/compose-jobs.ts
-import { z as z19 } from "zod";
+import { z as z20 } from "zod";
 var c17 = initContract();
-var composeJobStatusSchema = z19.enum([
+var composeJobStatusSchema = z20.enum([
   "pending",
   "running",
   "completed",
   "failed"
 ]);
-var composeJobResultSchema = z19.object({
-  composeId: z19.string(),
-  composeName: z19.string(),
-  versionId: z19.string(),
-  warnings: z19.array(z19.string())
+var composeJobResultSchema = z20.object({
+  composeId: z20.string(),
+  composeName: z20.string(),
+  versionId: z20.string(),
+  warnings: z20.array(z20.string())
 });
-var composeJobSourceSchema = z19.enum(["github", "platform", "slack"]);
-var createComposeJobRequestSchema = z19.union([
-  z19.object({
-    githubUrl: z19.string().url().startsWith("https://github.com/"),
-    overwrite: z19.boolean().optional().default(false)
+var composeJobSourceSchema = z20.enum(["github", "platform", "slack"]);
+var createComposeJobRequestSchema = z20.union([
+  z20.object({
+    githubUrl: z20.string().url().startsWith("https://github.com/"),
+    overwrite: z20.boolean().optional().default(false)
   }),
-  z19.object({
-    content: z19.record(z19.string(), z19.unknown()),
-    instructions: z19.string().optional()
+  z20.object({
+    content: z20.record(z20.string(), z20.unknown()),
+    instructions: z20.string().optional()
   })
 ]);
-var composeJobResponseSchema = z19.object({
-  jobId: z19.string(),
+var composeJobResponseSchema = z20.object({
+  jobId: z20.string(),
   status: composeJobStatusSchema,
-  githubUrl: z19.string().optional(),
+  githubUrl: z20.string().optional(),
   source: composeJobSourceSchema.optional(),
   result: composeJobResultSchema.optional(),
-  error: z19.string().optional(),
-  createdAt: z19.string(),
-  startedAt: z19.string().optional(),
-  completedAt: z19.string().optional()
+  error: z20.string().optional(),
+  createdAt: z20.string(),
+  startedAt: z20.string().optional(),
+  completedAt: z20.string().optional()
 });
 var composeJobsMainContract = c17.router({
   /**
@@ -3669,8 +3676,8 @@ var composeJobsByIdContract = c17.router({
     method: "GET",
     path: "/api/compose/jobs/:jobId",
     headers: authHeadersSchema,
-    pathParams: z19.object({
-      jobId: z19.string().uuid()
+    pathParams: z20.object({
+      jobId: z20.string().uuid()
     }),
     responses: {
       200: composeJobResponseSchema,
@@ -3689,16 +3696,16 @@ var webhookComposeCompleteContract = c17.router({
     method: "POST",
     path: "/api/webhooks/compose/complete",
     headers: authHeadersSchema,
-    body: z19.object({
-      jobId: z19.string().uuid(),
-      success: z19.boolean(),
+    body: z20.object({
+      jobId: z20.string().uuid(),
+      success: z20.boolean(),
       // Result from CLI compose command
       result: composeJobResultSchema.optional(),
-      error: z19.string().optional()
+      error: z20.string().optional()
     }),
     responses: {
-      200: z19.object({
-        success: z19.boolean()
+      200: z20.object({
+        success: z20.boolean()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -3709,7 +3716,7 @@ var webhookComposeCompleteContract = c17.router({
 });
 
 // ../../packages/core/src/contracts/connectors.ts
-import { z as z20 } from "zod";
+import { z as z21 } from "zod";
 var c18 = initContract();
 var CONNECTOR_TYPES_DEF = {
   axiom: {
@@ -6194,7 +6201,7 @@ var CONNECTOR_TYPES_DEF = {
   }
 };
 var CONNECTOR_TYPES = CONNECTOR_TYPES_DEF;
-var connectorTypeSchema = z20.enum([
+var connectorTypeSchema = z21.enum([
   "agentmail",
   "ahrefs",
   "atlassian",
@@ -6322,21 +6329,21 @@ function getConnectorDerivedNames(secretName) {
   }
   return null;
 }
-var connectorResponseSchema = z20.object({
-  id: z20.string().uuid().nullable(),
+var connectorResponseSchema = z21.object({
+  id: z21.string().uuid().nullable(),
   type: connectorTypeSchema,
-  authMethod: z20.string(),
-  externalId: z20.string().nullable(),
-  externalUsername: z20.string().nullable(),
-  externalEmail: z20.string().nullable(),
-  oauthScopes: z20.array(z20.string()).nullable(),
-  createdAt: z20.string(),
-  updatedAt: z20.string()
+  authMethod: z21.string(),
+  externalId: z21.string().nullable(),
+  externalUsername: z21.string().nullable(),
+  externalEmail: z21.string().nullable(),
+  oauthScopes: z21.array(z21.string()).nullable(),
+  createdAt: z21.string(),
+  updatedAt: z21.string()
 });
-var connectorListResponseSchema = z20.object({
-  connectors: z20.array(connectorResponseSchema),
-  configuredTypes: z20.array(connectorTypeSchema),
-  connectorProvidedSecretNames: z20.array(z20.string())
+var connectorListResponseSchema = z21.object({
+  connectors: z21.array(connectorResponseSchema),
+  configuredTypes: z21.array(connectorTypeSchema),
+  connectorProvidedSecretNames: z21.array(z21.string())
 });
 var connectorsMainContract = c18.router({
   list: {
@@ -6356,7 +6363,7 @@ var connectorsByTypeContract = c18.router({
     method: "GET",
     path: "/api/connectors/:type",
     headers: authHeadersSchema,
-    pathParams: z20.object({
+    pathParams: z21.object({
       type: connectorTypeSchema
     }),
     responses: {
@@ -6371,7 +6378,7 @@ var connectorsByTypeContract = c18.router({
     method: "DELETE",
     path: "/api/connectors/:type",
     headers: authHeadersSchema,
-    pathParams: z20.object({
+    pathParams: z21.object({
       type: connectorTypeSchema
     }),
     responses: {
@@ -6383,25 +6390,25 @@ var connectorsByTypeContract = c18.router({
     summary: "Disconnect a connector"
   }
 });
-var connectorSessionStatusSchema = z20.enum([
+var connectorSessionStatusSchema = z21.enum([
   "pending",
   "complete",
   "expired",
   "error"
 ]);
-var connectorSessionResponseSchema = z20.object({
-  id: z20.string().uuid(),
-  code: z20.string(),
+var connectorSessionResponseSchema = z21.object({
+  id: z21.string().uuid(),
+  code: z21.string(),
   type: connectorTypeSchema,
   status: connectorSessionStatusSchema,
-  verificationUrl: z20.string(),
-  expiresIn: z20.number(),
-  interval: z20.number(),
-  errorMessage: z20.string().nullable().optional()
+  verificationUrl: z21.string(),
+  expiresIn: z21.number(),
+  interval: z21.number(),
+  errorMessage: z21.string().nullable().optional()
 });
-var connectorSessionStatusResponseSchema = z20.object({
+var connectorSessionStatusResponseSchema = z21.object({
   status: connectorSessionStatusSchema,
-  errorMessage: z20.string().nullable().optional()
+  errorMessage: z21.string().nullable().optional()
 });
 var connectorSessionsContract = c18.router({
   /**
@@ -6412,10 +6419,10 @@ var connectorSessionsContract = c18.router({
     method: "POST",
     path: "/api/connectors/:type/sessions",
     headers: authHeadersSchema,
-    pathParams: z20.object({
+    pathParams: z21.object({
       type: connectorTypeSchema
     }),
-    body: z20.object({}).optional(),
+    body: z21.object({}).optional(),
     responses: {
       200: connectorSessionResponseSchema,
       400: apiErrorSchema,
@@ -6434,9 +6441,9 @@ var connectorSessionByIdContract = c18.router({
     method: "GET",
     path: "/api/connectors/:type/sessions/:sessionId",
     headers: authHeadersSchema,
-    pathParams: z20.object({
+    pathParams: z21.object({
       type: connectorTypeSchema,
-      sessionId: z20.string().uuid()
+      sessionId: z21.string().uuid()
     }),
     responses: {
       200: connectorSessionStatusResponseSchema,
@@ -6448,19 +6455,19 @@ var connectorSessionByIdContract = c18.router({
     summary: "Get connector session status"
   }
 });
-var computerConnectorCreateResponseSchema = z20.object({
-  id: z20.string().uuid(),
-  ngrokToken: z20.string(),
-  bridgeToken: z20.string(),
-  endpointPrefix: z20.string(),
-  domain: z20.string()
+var computerConnectorCreateResponseSchema = z21.object({
+  id: z21.string().uuid(),
+  ngrokToken: z21.string(),
+  bridgeToken: z21.string(),
+  endpointPrefix: z21.string(),
+  domain: z21.string()
 });
 var computerConnectorContract = c18.router({
   create: {
     method: "POST",
     path: "/api/connectors/computer",
     headers: authHeadersSchema,
-    body: z20.object({}).optional(),
+    body: z21.object({}).optional(),
     responses: {
       200: computerConnectorCreateResponseSchema,
       400: apiErrorSchema,
@@ -6478,605 +6485,187 @@ var computerConnectorContract = c18.router({
       200: connectorResponseSchema,
       401: apiErrorSchema,
       404: apiErrorSchema
-    },
-    summary: "Get computer connector status"
-  },
-  delete: {
-    method: "DELETE",
-    path: "/api/connectors/computer",
-    headers: authHeadersSchema,
-    responses: {
-      204: c18.noBody(),
-      401: apiErrorSchema,
-      404: apiErrorSchema,
-      500: apiErrorSchema
-    },
-    summary: "Delete computer connector and revoke ngrok credentials"
-  }
-});
-
-// ../../packages/core/src/contracts/firewall.ts
-function bearerAuth(secretName) {
-  return { headers: { Authorization: `Bearer \${{ secrets.${secretName} }}` } };
-}
-var FULL_ACCESS_PERMISSION = {
-  name: "full-access",
-  rules: ["ANY /{path+}"]
-};
-function api(base, auth) {
-  return { base, auth, permissions: [FULL_ACCESS_PERMISSION] };
-}
-var FIREWALL_CONFIGS = {
-  ahrefs: {
-    apis: [api("https://api.ahrefs.com", bearerAuth("AHREFS_TOKEN"))]
-  },
-  axiom: {
-    apis: [api("https://api.axiom.co", bearerAuth("AXIOM_TOKEN"))]
-  },
-  airtable: {
-    apis: [api("https://api.airtable.com", bearerAuth("AIRTABLE_TOKEN"))]
-  },
-  github: {
-    apis: [
-      {
-        base: "https://api.github.com",
-        auth: bearerAuth("GITHUB_TOKEN"),
-        permissions: [
-          {
-            name: "repo-read",
-            description: "Read repository metadata, branches, and commits",
-            rules: [
-              "GET /repos/{owner}/{repo}",
-              "GET /repos/{owner}/{repo}/branches",
-              "GET /repos/{owner}/{repo}/branches/{branch}",
-              "GET /repos/{owner}/{repo}/commits",
-              "GET /repos/{owner}/{repo}/commits/{ref}",
-              "GET /repos/{owner}/{repo}/contributors",
-              "GET /repos/{owner}/{repo}/tags",
-              "GET /repos/{owner}/{repo}/releases",
-              "GET /repos/{owner}/{repo}/releases/{release_id}"
-            ]
-          },
-          {
-            name: "contents-read",
-            description: "Read file contents and directory listings",
-            rules: [
-              "GET /repos/{owner}/{repo}/contents/{path+}",
-              "GET /repos/{owner}/{repo}/readme",
-              "GET /repos/{owner}/{repo}/git/trees/{sha}",
-              "GET /repos/{owner}/{repo}/git/blobs/{sha}",
-              "GET /repos/{owner}/{repo}/git/refs/{ref+}"
-            ]
-          },
-          {
-            name: "contents-write",
-            description: "Create, update, and delete file contents",
-            rules: [
-              "PUT /repos/{owner}/{repo}/contents/{path+}",
-              "DELETE /repos/{owner}/{repo}/contents/{path+}",
-              "POST /repos/{owner}/{repo}/git/blobs",
-              "POST /repos/{owner}/{repo}/git/trees",
-              "POST /repos/{owner}/{repo}/git/commits",
-              "POST /repos/{owner}/{repo}/git/refs",
-              "PATCH /repos/{owner}/{repo}/git/refs/{ref+}"
-            ]
-          },
-          {
-            name: "issues-read",
-            description: "Read issues and comments",
-            rules: [
-              "GET /repos/{owner}/{repo}/issues",
-              "GET /repos/{owner}/{repo}/issues/{issue_number}",
-              "GET /repos/{owner}/{repo}/issues/{issue_number}/comments",
-              "GET /repos/{owner}/{repo}/issues/{issue_number}/labels",
-              "GET /repos/{owner}/{repo}/labels"
-            ]
-          },
-          {
-            name: "issues-write",
-            description: "Create and update issues, comments, and labels",
-            rules: [
-              "POST /repos/{owner}/{repo}/issues",
-              "PATCH /repos/{owner}/{repo}/issues/{issue_number}",
-              "POST /repos/{owner}/{repo}/issues/{issue_number}/comments",
-              "PATCH /repos/{owner}/{repo}/issues/comments/{comment_id}",
-              "POST /repos/{owner}/{repo}/issues/{issue_number}/labels",
-              "DELETE /repos/{owner}/{repo}/issues/{issue_number}/labels/{name}"
-            ]
-          },
-          {
-            name: "pull-requests-read",
-            description: "Read pull requests, reviews, and diffs",
-            rules: [
-              "GET /repos/{owner}/{repo}/pulls",
-              "GET /repos/{owner}/{repo}/pulls/{pull_number}",
-              "GET /repos/{owner}/{repo}/pulls/{pull_number}/files",
-              "GET /repos/{owner}/{repo}/pulls/{pull_number}/commits",
-              "GET /repos/{owner}/{repo}/pulls/{pull_number}/reviews",
-              "GET /repos/{owner}/{repo}/pulls/{pull_number}/comments"
-            ]
-          },
-          {
-            name: "pull-requests-write",
-            description: "Create, update, and merge pull requests",
-            rules: [
-              "POST /repos/{owner}/{repo}/pulls",
-              "PATCH /repos/{owner}/{repo}/pulls/{pull_number}",
-              "POST /repos/{owner}/{repo}/pulls/{pull_number}/reviews",
-              "POST /repos/{owner}/{repo}/pulls/{pull_number}/comments",
-              "PUT /repos/{owner}/{repo}/pulls/{pull_number}/merge"
-            ]
-          },
-          {
-            name: "actions-read",
-            description: "Read workflow runs and logs",
-            rules: [
-              "GET /repos/{owner}/{repo}/actions/runs",
-              "GET /repos/{owner}/{repo}/actions/runs/{run_id}",
-              "GET /repos/{owner}/{repo}/actions/runs/{run_id}/jobs",
-              "GET /repos/{owner}/{repo}/actions/workflows",
-              "GET /repos/{owner}/{repo}/actions/workflows/{workflow_id}/runs"
-            ]
-          },
-          {
-            name: "user-read",
-            description: "Read authenticated user profile and related data",
-            rules: [
-              "GET /user",
-              "GET /user/emails",
-              "GET /user/repos",
-              "GET /user/orgs",
-              "GET /user/teams",
-              "GET /user/starred",
-              "GET /user/subscriptions",
-              "GET /users/{username}",
-              "GET /users/{username}/repos",
-              "GET /users/{username}/orgs"
-            ]
-          },
-          {
-            name: "user-write",
-            description: "Update user profile, manage starred repos and email",
-            rules: [
-              "PATCH /user",
-              "POST /user/emails",
-              "DELETE /user/emails",
-              "PUT /user/starred/{owner}/{repo}",
-              "DELETE /user/starred/{owner}/{repo}"
-            ]
-          },
-          {
-            name: "search",
-            description: "Search code, issues, and repositories",
-            rules: [
-              "GET /search/code",
-              "GET /search/issues",
-              "GET /search/repositories",
-              "GET /search/commits"
-            ]
-          }
-        ]
-      }
-    ],
-    placeholders: {
-      GITHUB_TOKEN: "gho_vm0placeholder0000000000000000000000"
-    }
-  },
-  notion: {
-    apis: [
-      api("https://api.notion.com/v1", {
-        headers: {
-          Authorization: "Bearer ${{ secrets.NOTION_TOKEN }}",
-          "Notion-Version": "2022-06-28"
-        }
-      })
-    ]
-  },
-  gmail: {
-    apis: [
-      api(
-        "https://gmail.googleapis.com/gmail/v1/users/me",
-        bearerAuth("GMAIL_TOKEN")
-      )
-    ]
-  },
-  "google-sheets": {
-    apis: [
-      api(
-        "https://sheets.googleapis.com/v4/spreadsheets",
-        bearerAuth("GOOGLE_SHEETS_TOKEN")
-      )
-    ]
-  },
-  "google-docs": {
-    apis: [
-      api(
-        "https://docs.googleapis.com/v1/documents",
-        bearerAuth("GOOGLE_DOCS_TOKEN")
-      )
-    ]
-  },
-  "google-drive": {
-    apis: [
-      api(
-        "https://www.googleapis.com/drive/v3",
-        bearerAuth("GOOGLE_DRIVE_TOKEN")
-      )
-    ]
-  },
-  "google-calendar": {
-    apis: [
-      api(
-        "https://www.googleapis.com/calendar/v3",
-        bearerAuth("GOOGLE_CALENDAR_TOKEN")
-      )
-    ]
-  },
-  "hugging-face": {
-    apis: [api("https://huggingface.co/api", bearerAuth("HUGGING_FACE_TOKEN"))]
-  },
-  hume: {
-    apis: [
-      api("https://api.hume.ai", {
-        headers: { "X-Hume-Api-Key": "${{ secrets.HUME_TOKEN }}" }
-      })
-    ]
-  },
-  heygen: {
-    apis: [
-      api("https://api.heygen.com", {
-        headers: { "x-api-key": "${{ secrets.HEYGEN_TOKEN }}" }
-      })
-    ]
-  },
-  hubspot: {
-    apis: [api("https://api.hubapi.com", bearerAuth("HUBSPOT_TOKEN"))]
-  },
-  slack: {
-    apis: [
-      api("https://slack.com/api", bearerAuth("SLACK_TOKEN")),
-      api("https://files.slack.com", bearerAuth("SLACK_TOKEN"))
-    ],
-    placeholders: {
-      SLACK_TOKEN: "xoxb-0000-0000-vm0placeholder"
-    }
-  },
-  docusign: {
-    apis: [
-      api("https://demo.docusign.net/restapi", bearerAuth("DOCUSIGN_TOKEN")),
-      api("https://na1.docusign.net/restapi", bearerAuth("DOCUSIGN_TOKEN"))
-    ]
-  },
-  dropbox: {
-    apis: [
-      api("https://api.dropboxapi.com/2", bearerAuth("DROPBOX_TOKEN")),
-      api("https://content.dropboxapi.com/2", bearerAuth("DROPBOX_TOKEN"))
-    ]
-  },
-  linear: {
-    apis: [api("https://api.linear.app", bearerAuth("LINEAR_TOKEN"))]
-  },
-  intercom: {
-    apis: [
-      api("https://api.intercom.io", bearerAuth("INTERCOM_TOKEN")),
-      api("https://api.eu.intercom.io", bearerAuth("INTERCOM_TOKEN")),
-      api("https://api.au.intercom.io", bearerAuth("INTERCOM_TOKEN"))
-    ]
-  },
-  jam: {
-    apis: [api("https://api.jam.dev", bearerAuth("JAM_TOKEN"))]
-  },
-  jotform: {
-    apis: [
-      api("https://api.jotform.com", {
-        headers: {
-          APIKEY: "${{ secrets.JOTFORM_TOKEN }}"
-        }
-      }),
-      api("https://eu-api.jotform.com", {
-        headers: {
-          APIKEY: "${{ secrets.JOTFORM_TOKEN }}"
-        }
-      })
-    ]
-  },
-  line: {
-    apis: [api("https://api.line.me", bearerAuth("LINE_TOKEN"))]
-  },
-  make: {
-    apis: [
-      api("https://eu1.make.com/api/v2", {
-        headers: {
-          Authorization: "Token ${{ secrets.MAKE_TOKEN }}"
-        }
-      }),
-      api("https://eu2.make.com/api/v2", {
-        headers: {
-          Authorization: "Token ${{ secrets.MAKE_TOKEN }}"
-        }
-      }),
-      api("https://us1.make.com/api/v2", {
-        headers: {
-          Authorization: "Token ${{ secrets.MAKE_TOKEN }}"
-        }
-      }),
-      api("https://us2.make.com/api/v2", {
-        headers: {
-          Authorization: "Token ${{ secrets.MAKE_TOKEN }}"
-        }
-      })
-    ]
-  },
-  metabase: {
-    apis: [
-      api("https://api.metabase.com", {
-        headers: {
-          "x-api-key": "${{ secrets.METABASE_TOKEN }}"
-        }
-      })
-    ]
-  },
-  clickup: {
-    apis: [api("https://api.clickup.com/api/v2", bearerAuth("CLICKUP_TOKEN"))]
-  },
-  cloudflare: {
-    apis: [
-      api(
-        "https://api.cloudflare.com/client/v4",
-        bearerAuth("CLOUDFLARE_TOKEN")
-      )
-    ]
-  },
-  deel: {
-    apis: [api("https://api.deel.com", bearerAuth("DEEL_TOKEN"))]
-  },
-  deepseek: {
-    apis: [api("https://api.deepseek.com", bearerAuth("DEEPSEEK_TOKEN"))]
-  },
-  dify: {
-    apis: [api("https://api.dify.ai/v1", bearerAuth("DIFY_TOKEN"))]
-  },
-  figma: {
-    apis: [api("https://api.figma.com", bearerAuth("FIGMA_TOKEN"))]
-  },
-  mercury: {
-    apis: [api("https://api.mercury.com", bearerAuth("MERCURY_TOKEN"))]
-  },
-  minimax: {
-    apis: [api("https://api.minimaxi.com/v1", bearerAuth("MINIMAX_TOKEN"))]
-  },
-  reddit: {
-    apis: [api("https://oauth.reddit.com", bearerAuth("REDDIT_TOKEN"))]
-  },
-  strava: {
-    apis: [api("https://www.strava.com/api/v3", bearerAuth("STRAVA_TOKEN"))]
-  },
-  x: {
-    apis: [api("https://api.x.com/2", bearerAuth("X_ACCESS_TOKEN"))]
-  },
-  neon: {
-    apis: [api("https://console.neon.tech/api/v2", bearerAuth("NEON_TOKEN"))]
-  },
-  vercel: {
-    apis: [api("https://api.vercel.com", bearerAuth("VERCEL_TOKEN"))]
-  },
-  sentry: {
-    apis: [api("https://sentry.io/api", bearerAuth("SENTRY_TOKEN"))]
-  },
-  monday: {
-    apis: [api("https://api.monday.com/v2", bearerAuth("MONDAY_TOKEN"))]
-  },
-  canva: {
-    apis: [api("https://api.canva.com/rest/v1", bearerAuth("CANVA_TOKEN"))]
-  },
-  xero: {
-    apis: [api("https://api.xero.com", bearerAuth("XERO_TOKEN"))]
-  },
-  supabase: {
-    apis: [api("https://api.supabase.com/v1", bearerAuth("SUPABASE_TOKEN"))]
-  },
-  todoist: {
-    apis: [api("https://api.todoist.com/rest/v2", bearerAuth("TODOIST_TOKEN"))]
-  },
-  webflow: {
-    apis: [api("https://api.webflow.com/v2", bearerAuth("WEBFLOW_TOKEN"))]
-  },
-  asana: {
-    apis: [api("https://app.asana.com/api/1.0", bearerAuth("ASANA_TOKEN"))]
-  },
-  "meta-ads": {
-    apis: [api("https://graph.facebook.com", bearerAuth("META_ADS_TOKEN"))]
-  },
-  posthog: {
-    apis: [
-      api("https://us.posthog.com/api", bearerAuth("POSTHOG_ACCESS_TOKEN")),
-      api("https://app.posthog.com/api", bearerAuth("POSTHOG_ACCESS_TOKEN"))
-    ]
-  },
-  stripe: {
-    apis: [api("https://api.stripe.com", bearerAuth("STRIPE_TOKEN"))]
-  },
-  productlane: {
-    apis: [
-      api("https://productlane.com/api/v1", bearerAuth("PRODUCTLANE_TOKEN"))
-    ]
-  },
-  openai: {
-    apis: [api("https://api.openai.com", bearerAuth("OPENAI_TOKEN"))]
-  },
-  similarweb: {
-    apis: [
-      api("https://api.similarweb.com", {
-        headers: { "api-key": "${{ secrets.SIMILARWEB_API_KEY }}" }
-      })
-    ]
-  },
-  perplexity: {
-    apis: [api("https://api.perplexity.ai", bearerAuth("PERPLEXITY_TOKEN"))]
-  },
-  plausible: {
-    apis: [api("https://plausible.io/api", bearerAuth("PLAUSIBLE_TOKEN"))]
-  },
-  mailchimp: {
-    apis: Array.from(
-      { length: 21 },
-      (_, i) => api(
-        `https://us${i + 1}.api.mailchimp.com/3.0`,
-        bearerAuth("MAILCHIMP_TOKEN")
-      )
-    )
-  },
-  chatwoot: {
-    apis: [api("https://app.chatwoot.com", bearerAuth("CHATWOOT_TOKEN"))]
-  },
-  resend: {
-    apis: [api("https://api.resend.com", bearerAuth("RESEND_TOKEN"))]
-  },
-  revenuecat: {
-    apis: [api("https://api.revenuecat.com", bearerAuth("REVENUECAT_TOKEN"))]
-  },
-  pdf4me: {
-    apis: [
-      api("https://api.pdf4me.com", {
-        headers: { Authorization: "${{ secrets.PDF4ME_TOKEN }}" }
-      })
-    ]
-  },
-  pdfco: {
-    apis: [
-      api("https://api.pdf.co/v1", {
-        headers: { "x-api-key": "${{ secrets.PDFCO_TOKEN }}" }
-      })
-    ]
-  },
-  apify: {
-    apis: [api("https://api.apify.com/v2", bearerAuth("APIFY_TOKEN"))]
-  },
-  "bright-data": {
-    apis: [api("https://api.brightdata.com", bearerAuth("BRIGHTDATA_TOKEN"))]
-  },
-  browserbase: {
-    apis: [
-      api("https://api.browserbase.com/v1", {
-        headers: { "X-BB-API-Key": "${{ secrets.BROWSERBASE_TOKEN }}" }
-      })
-    ]
-  },
-  fireflies: {
-    apis: [
-      api("https://api.fireflies.ai/graphql", bearerAuth("FIREFLIES_TOKEN"))
-    ]
-  },
-  explorium: {
-    apis: [
-      api("https://api.explorium.ai", {
-        headers: { api_key: "${{ secrets.EXPLORIUM_TOKEN }}" }
-      })
-    ]
-  },
-  firecrawl: {
-    apis: [api("https://api.firecrawl.dev/v1", bearerAuth("FIRECRAWL_TOKEN"))]
-  },
-  scrapeninja: {
-    apis: [
-      api("https://scrapeninja.p.rapidapi.com", {
-        headers: { "X-RapidAPI-Key": "${{ secrets.SCRAPENINJA_TOKEN }}" }
-      })
-    ]
-  },
-  elevenlabs: {
-    apis: [
-      api("https://api.elevenlabs.io", {
-        headers: { "xi-api-key": "${{ secrets.ELEVENLABS_TOKEN }}" }
-      })
-    ]
-  },
-  devto: {
-    apis: [
-      api("https://dev.to/api", {
-        headers: { "api-key": "${{ secrets.DEVTO_TOKEN }}" }
-      })
-    ]
-  },
-  fal: {
-    apis: [api("https://fal.run", bearerAuth("FAL_TOKEN"))]
-  },
-  podchaser: {
-    apis: [api("https://api.podchaser.com", bearerAuth("PODCHASER_TOKEN"))]
-  },
-  pushinator: {
-    apis: [api("https://api.pushinator.com", bearerAuth("PUSHINATOR_TOKEN"))]
-  },
-  qdrant: {
-    apis: [
-      api("https://cloud.qdrant.io", {
-        headers: { "api-key": "${{ secrets.QDRANT_TOKEN }}" }
-      })
-    ]
-  },
-  qiita: {
-    apis: [api("https://qiita.com/api/v2", bearerAuth("QIITA_TOKEN"))]
-  },
-  reportei: {
-    apis: [
-      api("https://app.reportei.com/api/v1", bearerAuth("REPORTEI_TOKEN"))
-    ]
-  },
-  zeptomail: {
-    apis: [
-      api("https://api.zeptomail.com/v1.1", {
-        headers: {
-          Authorization: "Zoho-enczapikey ${{ secrets.ZEPTOMAIL_TOKEN }}"
-        }
-      })
-    ]
-  },
-  runway: {
-    apis: [api("https://api.dev.runwayml.com/v1", bearerAuth("RUNWAY_TOKEN"))]
-  },
-  shortio: {
-    apis: [
-      api("https://api.short.io", {
-        headers: { Authorization: "${{ secrets.SHORTIO_TOKEN }}" }
-      })
-    ]
-  },
-  supadata: {
-    apis: [
-      api("https://api.supadata.ai/v1", {
-        headers: { "x-api-key": "${{ secrets.SUPADATA_TOKEN }}" }
-      })
-    ]
-  },
-  tavily: {
-    apis: [api("https://api.tavily.com", bearerAuth("TAVILY_TOKEN"))]
-  },
-  tldv: {
-    apis: [
-      api("https://pasta.tldv.io", {
-        headers: { "x-api-key": "${{ secrets.TLDV_TOKEN }}" }
-      })
-    ]
-  },
-  twenty: {
-    apis: [api("https://api.twenty.com", bearerAuth("TWENTY_TOKEN"))]
-  },
-  wrike: {
-    apis: [api("https://www.wrike.com/api/v4", bearerAuth("WRIKE_TOKEN"))]
-  },
-  zapier: {
-    apis: [api("https://actions.zapier.com", bearerAuth("ZAPIER_TOKEN"))]
+    },
+    summary: "Get computer connector status"
   },
-  zapsign: {
-    apis: [
-      api("https://api.zapsign.com.br/api/v1", bearerAuth("ZAPSIGN_TOKEN"))
-    ]
+  delete: {
+    method: "DELETE",
+    path: "/api/connectors/computer",
+    headers: authHeadersSchema,
+    responses: {
+      204: c18.noBody(),
+      401: apiErrorSchema,
+      404: apiErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "Delete computer connector and revoke ngrok credentials"
   }
-};
-function getFirewallConfig(type2) {
-  const config = FIREWALL_CONFIGS[type2];
-  if (!config) return void 0;
-  return { ...config, name: type2 };
+});
+
+// ../../packages/core/src/firewall-loader.ts
+import { parse as parseYaml } from "yaml";
+
+// ../../packages/core/src/github-url.ts
+function parseGitHubTreeUrl(url) {
+  let normalizedUrl = url;
+  while (normalizedUrl.endsWith("/")) {
+    normalizedUrl = normalizedUrl.slice(0, -1);
+  }
+  const fullPathMatch = normalizedUrl.match(/^https:\/\/github\.com\/(.+)$/);
+  if (!fullPathMatch) {
+    return null;
+  }
+  const fullPath = fullPathMatch[1];
+  const regex = /^https:\/\/github\.com\/([^/]+)\/([^/]+)\/tree\/([^/]+)(?:\/(.+))?$/;
+  const match = normalizedUrl.match(regex);
+  if (!match) {
+    return null;
+  }
+  const [, owner, repo, branch, pathPart] = match;
+  const resolvedPath = pathPart ?? "";
+  const pathSegments = resolvedPath.split("/").filter(Boolean);
+  const skillName = pathSegments[pathSegments.length - 1] || repo;
+  return {
+    owner,
+    repo,
+    branch,
+    path: resolvedPath,
+    skillName,
+    fullPath
+  };
+}
+function parseGitHubUrl(url) {
+  let normalizedUrl = url;
+  while (normalizedUrl.endsWith("/")) {
+    normalizedUrl = normalizedUrl.slice(0, -1);
+  }
+  const fullPathMatch = normalizedUrl.match(/^https:\/\/github\.com\/(.+)$/);
+  if (!fullPathMatch) {
+    return null;
+  }
+  const fullPath = fullPathMatch[1];
+  const plainMatch = normalizedUrl.match(
+    /^https:\/\/github\.com\/([^/]+)\/([^/]+)$/
+  );
+  if (plainMatch) {
+    return {
+      owner: plainMatch[1],
+      repo: plainMatch[2],
+      branch: null,
+      path: null,
+      fullPath
+    };
+  }
+  const treeMatch = normalizedUrl.match(
+    /^https:\/\/github\.com\/([^/]+)\/([^/]+)\/tree\/([^/]+)(?:\/(.+))?$/
+  );
+  if (treeMatch) {
+    return {
+      owner: treeMatch[1],
+      repo: treeMatch[2],
+      branch: treeMatch[3],
+      path: treeMatch[4] ?? null,
+      fullPath
+    };
+  }
+  return null;
+}
+var DEFAULT_SKILLS_OWNER = "vm0-ai";
+var DEFAULT_SKILLS_REPO = "vm0-skills";
+var DEFAULT_SKILLS_BRANCH = "main";
+var DEFAULT_FIREWALLS_OWNER = "vm0-ai";
+var DEFAULT_FIREWALLS_REPO = "vm0-firewalls";
+var DEFAULT_FIREWALLS_BRANCH = "main";
+function resolveSkillRef(input) {
+  const trimmed = input.trim();
+  if (!trimmed) {
+    throw new Error("Skill reference cannot be empty");
+  }
+  if (!trimmed.includes("/") && !trimmed.startsWith("https://")) {
+    return `https://github.com/${DEFAULT_SKILLS_OWNER}/${DEFAULT_SKILLS_REPO}/tree/${DEFAULT_SKILLS_BRANCH}/${trimmed}`;
+  }
+  const parsed = parseGitHubUrl(trimmed);
+  if (!parsed) {
+    throw new Error(
+      `Invalid skill URL: ${trimmed}. Expected a bare skill name (e.g. "slack") or a GitHub URL (https://github.com/{owner}/{repo}[/tree/{branch}[/path]])`
+    );
+  }
+  if (!parsed.branch) {
+    return `https://github.com/${parsed.owner}/${parsed.repo}/tree/${DEFAULT_SKILLS_BRANCH}`;
+  }
+  return trimmed;
+}
+var FIREWALL_NAME_PATTERN = /^[a-zA-Z0-9]([a-zA-Z0-9\-_.]*[a-zA-Z0-9])?$/;
+function resolveFirewallRef(input) {
+  const trimmed = input.trim();
+  if (!trimmed) {
+    throw new Error("Firewall reference cannot be empty");
+  }
+  if (!trimmed.includes("/") && !trimmed.startsWith("https://")) {
+    if (!FIREWALL_NAME_PATTERN.test(trimmed)) {
+      throw new Error(
+        `Invalid firewall name "${trimmed}": must be alphanumeric with hyphens, dots, or underscores`
+      );
+    }
+    return `https://github.com/${DEFAULT_FIREWALLS_OWNER}/${DEFAULT_FIREWALLS_REPO}/tree/${DEFAULT_FIREWALLS_BRANCH}/${trimmed}`;
+  }
+  const parsed = parseGitHubUrl(trimmed);
+  if (!parsed) {
+    throw new Error(
+      `Invalid firewall URL: ${trimmed}. Expected a bare firewall name (e.g. "custom-api") or a GitHub URL (https://github.com/{owner}/{repo}[/tree/{branch}[/path]])`
+    );
+  }
+  if (!parsed.branch) {
+    return `https://github.com/${parsed.owner}/${parsed.repo}/tree/${DEFAULT_FIREWALLS_BRANCH}`;
+  }
+  return trimmed;
+}
+
+// ../../packages/core/src/firewall-loader.ts
+var MAX_RESPONSE_SIZE = 64 * 1024;
+function buildFirewallYamlUrl(ref) {
+  const url = resolveFirewallRef(ref);
+  const parsed = parseGitHubTreeUrl(url);
+  if (!parsed) {
+    throw new Error(`Invalid firewall URL after resolution: ${url}`);
+  }
+  const pathPrefix = parsed.path ? `${parsed.path}/` : "";
+  return `https://raw.githubusercontent.com/${parsed.owner}/${parsed.repo}/${parsed.branch}/${pathPrefix}firewall.yaml`;
+}
+async function fetchFirewallConfig(ref, fetchFn = fetch) {
+  const rawUrl = buildFirewallYamlUrl(ref);
+  const res = await fetchFn(rawUrl);
+  if (!res.ok) {
+    throw new Error(
+      `Failed to fetch firewall config for "${ref}" from ${rawUrl}: ${res.status} ${res.statusText}`
+    );
+  }
+  const contentLength = res.headers.get("content-length");
+  if (contentLength && parseInt(contentLength, 10) > MAX_RESPONSE_SIZE) {
+    throw new Error(
+      `Firewall config "${ref}" exceeds maximum size (${MAX_RESPONSE_SIZE} bytes)`
+    );
+  }
+  const content = await res.text();
+  if (content.length > MAX_RESPONSE_SIZE) {
+    throw new Error(
+      `Firewall config "${ref}" exceeds maximum size (${MAX_RESPONSE_SIZE} bytes)`
+    );
+  }
+  let yamlData;
+  try {
+    yamlData = parseYaml(content);
+  } catch (e) {
+    throw new Error(
+      `Invalid YAML in firewall config "${ref}": ${e instanceof Error ? e.message : String(e)}`
+    );
+  }
+  const result = firewallConfigSchema.safeParse(yamlData);
+  if (!result.success) {
+    const issues = result.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+    throw new Error(`Invalid firewall config "${ref}": ${issues}`);
+  }
+  return result.data;
 }
 
 // ../../packages/core/src/contracts/firewall-expander.ts
@@ -7159,21 +6748,6 @@ function validateBaseUrl(base, serviceName) {
     );
   }
 }
-function resolveFirewallConfig(ref) {
-  const parsed = connectorTypeSchema.safeParse(ref);
-  if (!parsed.success) {
-    throw new Error(
-      `Cannot resolve firewall ref "${ref}": no built-in firewall config with this name`
-    );
-  }
-  const serviceConfig = getFirewallConfig(parsed.data);
-  if (!serviceConfig) {
-    throw new Error(
-      `Firewall ref "${ref}" resolved to "${parsed.data}" but it does not support proxy-side token replacement`
-    );
-  }
-  return serviceConfig;
-}
 function collectAndValidatePermissions(ref, serviceConfig) {
   if (serviceConfig.apis.length === 0) {
     throw new Error(
@@ -7181,15 +6755,15 @@ function collectAndValidatePermissions(ref, serviceConfig) {
     );
   }
   const available = /* @__PURE__ */ new Set();
-  for (const api2 of serviceConfig.apis) {
-    validateBaseUrl(api2.base, serviceConfig.name);
-    if (!api2.permissions || api2.permissions.length === 0) {
+  for (const api of serviceConfig.apis) {
+    validateBaseUrl(api.base, serviceConfig.name);
+    if (!api.permissions || api.permissions.length === 0) {
       throw new Error(
-        `API entry "${api2.base}" in firewall "${serviceConfig.name}" (ref "${ref}") has no permissions`
+        `API entry "${api.base}" in firewall "${serviceConfig.name}" (ref "${ref}") has no permissions`
       );
     }
     const seen = /* @__PURE__ */ new Set();
-    for (const perm of api2.permissions) {
+    for (const perm of api.permissions) {
       if (!perm.name) {
         throw new Error(
           `Firewall "${serviceConfig.name}" (ref "${ref}") has a permission with empty name`
@@ -7202,7 +6776,7 @@ function collectAndValidatePermissions(ref, serviceConfig) {
       }
       if (seen.has(perm.name)) {
         throw new Error(
-          `Duplicate permission name "${perm.name}" in API entry "${api2.base}" of firewall "${serviceConfig.name}" (ref "${ref}")`
+          `Duplicate permission name "${perm.name}" in API entry "${api.base}" of firewall "${serviceConfig.name}" (ref "${ref}")`
         );
       }
       if (perm.rules.length === 0) {
@@ -7219,7 +6793,7 @@ function collectAndValidatePermissions(ref, serviceConfig) {
   }
   return available;
 }
-function expandFirewallConfigs(config) {
+async function expandFirewallConfigs(config, fetchFn) {
   const compose = config;
   if (!compose?.agents) return;
   for (const agent of Object.values(compose.agents)) {
@@ -7227,8 +6801,13 @@ function expandFirewallConfigs(config) {
     if (!configs) continue;
     if (Array.isArray(configs)) continue;
     const expanded = [];
-    for (const [ref, selection] of Object.entries(configs)) {
-      const serviceConfig = resolveFirewallConfig(ref);
+    const entries = Object.entries(configs);
+    const resolvedConfigs = await Promise.all(
+      entries.map(([ref]) => fetchFirewallConfig(ref, fetchFn))
+    );
+    for (let i = 0; i < entries.length; i++) {
+      const [ref, selection] = entries[i];
+      const serviceConfig = resolvedConfigs[i];
       const availablePermissions = collectAndValidatePermissions(
         ref,
         serviceConfig
@@ -7244,10 +6823,10 @@ function expandFirewallConfigs(config) {
         }
       }
       const selectedSet = selection.permissions === "all" ? null : new Set(selection.permissions);
-      const filteredApis = serviceConfig.apis.map((api2) => ({
-        ...api2,
-        permissions: selectedSet ? (api2.permissions ?? []).filter((p) => selectedSet.has(p.name)) : api2.permissions
-      })).filter((api2) => (api2.permissions ?? []).length > 0);
+      const filteredApis = serviceConfig.apis.map((api) => ({
+        ...api,
+        permissions: selectedSet ? (api.permissions ?? []).filter((p) => selectedSet.has(p.name)) : api.permissions
+      })).filter((api) => (api.permissions ?? []).length > 0);
       if (filteredApis.length === 0) continue;
       const entry = {
         name: serviceConfig.name,
@@ -7265,21 +6844,21 @@ function expandFirewallConfigs(config) {
 }
 
 // ../../packages/core/src/contracts/user-preferences.ts
-import { z as z21 } from "zod";
+import { z as z22 } from "zod";
 var c19 = initContract();
-var sendModeSchema = z21.enum(["enter", "cmd-enter"]);
-var userPreferencesResponseSchema = z21.object({
-  timezone: z21.string().nullable(),
-  notifyEmail: z21.boolean(),
-  notifySlack: z21.boolean(),
-  pinnedAgentIds: z21.array(z21.string()),
+var sendModeSchema = z22.enum(["enter", "cmd-enter"]);
+var userPreferencesResponseSchema = z22.object({
+  timezone: z22.string().nullable(),
+  notifyEmail: z22.boolean(),
+  notifySlack: z22.boolean(),
+  pinnedAgentIds: z22.array(z22.string()),
   sendMode: sendModeSchema
 });
-var updateUserPreferencesRequestSchema = z21.object({
-  timezone: z21.string().min(1).optional(),
-  notifyEmail: z21.boolean().optional(),
-  notifySlack: z21.boolean().optional(),
-  pinnedAgentIds: z21.array(z21.string()).max(4).optional(),
+var updateUserPreferencesRequestSchema = z22.object({
+  timezone: z22.string().min(1).optional(),
+  notifyEmail: z22.boolean().optional(),
+  notifySlack: z22.boolean().optional(),
+  pinnedAgentIds: z22.array(z22.string()).max(4).optional(),
   sendMode: sendModeSchema.optional()
 }).refine(
   (data) => data.timezone !== void 0 || data.notifyEmail !== void 0 || data.notifySlack !== void 0 || data.pinnedAgentIds !== void 0 || data.sendMode !== void 0,
@@ -7323,15 +6902,15 @@ var userPreferencesContract = c19.router({
 });
 
 // ../../packages/core/src/contracts/org-list.ts
-import { z as z22 } from "zod";
+import { z as z23 } from "zod";
 var c20 = initContract();
-var orgListItemSchema = z22.object({
-  slug: z22.string(),
-  role: z22.string()
+var orgListItemSchema = z23.object({
+  slug: z23.string(),
+  role: z23.string()
 });
-var orgListResponseSchema = z22.object({
-  orgs: z22.array(orgListItemSchema),
-  active: z22.string().optional()
+var orgListResponseSchema = z23.object({
+  orgs: z23.array(orgListItemSchema),
+  active: z23.string().optional()
 });
 var orgListContract = c20.router({
   /**
@@ -7352,29 +6931,29 @@ var orgListContract = c20.router({
 });
 
 // ../../packages/core/src/contracts/org-members.ts
-import { z as z23 } from "zod";
+import { z as z24 } from "zod";
 var c21 = initContract();
-var orgRoleSchema = z23.enum(["admin", "member"]);
-var orgMemberSchema = z23.object({
-  userId: z23.string(),
-  email: z23.string(),
+var orgRoleSchema = z24.enum(["admin", "member"]);
+var orgMemberSchema = z24.object({
+  userId: z24.string(),
+  email: z24.string(),
   role: orgRoleSchema,
-  joinedAt: z23.string()
+  joinedAt: z24.string()
 });
-var orgMembersResponseSchema = z23.object({
-  slug: z23.string(),
+var orgMembersResponseSchema = z24.object({
+  slug: z24.string(),
   role: orgRoleSchema,
-  members: z23.array(orgMemberSchema),
-  createdAt: z23.string()
+  members: z24.array(orgMemberSchema),
+  createdAt: z24.string()
 });
-var inviteOrgMemberRequestSchema = z23.object({
-  email: z23.string().email()
+var inviteOrgMemberRequestSchema = z24.object({
+  email: z24.string().email()
 });
-var removeOrgMemberRequestSchema = z23.object({
-  email: z23.string().email()
+var removeOrgMemberRequestSchema = z24.object({
+  email: z24.string().email()
 });
-var orgMessageResponseSchema = z23.object({
-  message: z23.string()
+var orgMessageResponseSchema = z24.object({
+  message: z24.string()
 });
 var orgMembersContract = c21.router({
   /**
@@ -7421,7 +7000,7 @@ var orgMembersContract = c21.router({
     method: "POST",
     path: "/api/org/leave",
     headers: authHeadersSchema,
-    body: z23.object({}),
+    body: z24.object({}),
     responses: {
       200: orgMessageResponseSchema,
       401: apiErrorSchema,
@@ -7451,19 +7030,19 @@ var orgMembersContract = c21.router({
 });
 
 // ../../packages/core/src/contracts/onboarding.ts
-import { z as z24 } from "zod";
+import { z as z25 } from "zod";
 var c22 = initContract();
-var onboardingStatusResponseSchema = z24.object({
-  needsOnboarding: z24.boolean(),
-  hasOrg: z24.boolean(),
-  hasModelProvider: z24.boolean(),
-  hasDefaultAgent: z24.boolean(),
-  defaultAgentName: z24.string().nullable(),
-  defaultAgentComposeId: z24.string().nullable(),
-  defaultAgentMetadata: z24.object({
-    displayName: z24.string().optional(),
-    description: z24.string().optional(),
-    sound: z24.string().optional()
+var onboardingStatusResponseSchema = z25.object({
+  needsOnboarding: z25.boolean(),
+  hasOrg: z25.boolean(),
+  hasModelProvider: z25.boolean(),
+  hasDefaultAgent: z25.boolean(),
+  defaultAgentName: z25.string().nullable(),
+  defaultAgentComposeId: z25.string().nullable(),
+  defaultAgentMetadata: z25.object({
+    displayName: z25.string().optional(),
+    description: z25.string().optional(),
+    sound: z25.string().optional()
   }).nullable()
 });
 var onboardingStatusContract = c22.router({
@@ -7480,17 +7059,17 @@ var onboardingStatusContract = c22.router({
 });
 
 // ../../packages/core/src/contracts/skills.ts
-import { z as z25 } from "zod";
+import { z as z26 } from "zod";
 var c23 = initContract();
-var skillFrontmatterSchema = z25.object({
-  name: z25.string().optional(),
-  description: z25.string().optional(),
-  vm0_secrets: z25.array(z25.string()).optional(),
-  vm0_vars: z25.array(z25.string()).optional()
+var skillFrontmatterSchema = z26.object({
+  name: z26.string().optional(),
+  description: z26.string().optional(),
+  vm0_secrets: z26.array(z26.string()).optional(),
+  vm0_vars: z26.array(z26.string()).optional()
 });
-var resolvedSkillSchema = z25.object({
-  storageName: z25.string(),
-  versionHash: z25.string(),
+var resolvedSkillSchema = z26.object({
+  storageName: z26.string(),
+  versionHash: z26.string(),
   frontmatter: skillFrontmatterSchema
 });
 var skillsResolveContract = c23.router({
@@ -7498,13 +7077,13 @@ var skillsResolveContract = c23.router({
     method: "POST",
     path: "/api/skills/resolve",
     headers: authHeadersSchema,
-    body: z25.object({
-      skills: z25.array(z25.string().url()).min(1).max(100)
+    body: z26.object({
+      skills: z26.array(z26.string().url()).min(1).max(100)
     }),
     responses: {
-      200: z25.object({
-        resolved: z25.record(z25.string(), resolvedSkillSchema),
-        unresolved: z25.array(z25.string())
+      200: z26.object({
+        resolved: z26.record(z26.string(), resolvedSkillSchema),
+        unresolved: z26.array(z26.string())
       }),
       400: apiErrorSchema,
       401: apiErrorSchema
@@ -7541,94 +7120,6 @@ function getSkillStorageName(fullPath) {
   return `agent-skills@${fullPath}`;
 }
 
-// ../../packages/core/src/github-url.ts
-function parseGitHubTreeUrl(url) {
-  let normalizedUrl = url;
-  while (normalizedUrl.endsWith("/")) {
-    normalizedUrl = normalizedUrl.slice(0, -1);
-  }
-  const fullPathMatch = normalizedUrl.match(/^https:\/\/github\.com\/(.+)$/);
-  if (!fullPathMatch) {
-    return null;
-  }
-  const fullPath = fullPathMatch[1];
-  const regex = /^https:\/\/github\.com\/([^/]+)\/([^/]+)\/tree\/([^/]+)(?:\/(.+))?$/;
-  const match = normalizedUrl.match(regex);
-  if (!match) {
-    return null;
-  }
-  const [, owner, repo, branch, pathPart] = match;
-  const resolvedPath = pathPart ?? "";
-  const pathSegments = resolvedPath.split("/").filter(Boolean);
-  const skillName = pathSegments[pathSegments.length - 1] || repo;
-  return {
-    owner,
-    repo,
-    branch,
-    path: resolvedPath,
-    skillName,
-    fullPath
-  };
-}
-function parseGitHubUrl(url) {
-  let normalizedUrl = url;
-  while (normalizedUrl.endsWith("/")) {
-    normalizedUrl = normalizedUrl.slice(0, -1);
-  }
-  const fullPathMatch = normalizedUrl.match(/^https:\/\/github\.com\/(.+)$/);
-  if (!fullPathMatch) {
-    return null;
-  }
-  const fullPath = fullPathMatch[1];
-  const plainMatch = normalizedUrl.match(
-    /^https:\/\/github\.com\/([^/]+)\/([^/]+)$/
-  );
-  if (plainMatch) {
-    return {
-      owner: plainMatch[1],
-      repo: plainMatch[2],
-      branch: null,
-      path: null,
-      fullPath
-    };
-  }
-  const treeMatch = normalizedUrl.match(
-    /^https:\/\/github\.com\/([^/]+)\/([^/]+)\/tree\/([^/]+)(?:\/(.+))?$/
-  );
-  if (treeMatch) {
-    return {
-      owner: treeMatch[1],
-      repo: treeMatch[2],
-      branch: treeMatch[3],
-      path: treeMatch[4] ?? null,
-      fullPath
-    };
-  }
-  return null;
-}
-var DEFAULT_SKILLS_OWNER = "vm0-ai";
-var DEFAULT_SKILLS_REPO = "vm0-skills";
-var DEFAULT_SKILLS_BRANCH = "main";
-function resolveSkillRef(input) {
-  const trimmed = input.trim();
-  if (!trimmed) {
-    throw new Error("Skill reference cannot be empty");
-  }
-  if (!trimmed.includes("/") && !trimmed.startsWith("https://")) {
-    return `https://github.com/${DEFAULT_SKILLS_OWNER}/${DEFAULT_SKILLS_REPO}/tree/${DEFAULT_SKILLS_BRANCH}/${trimmed}`;
-  }
-  const parsed = parseGitHubUrl(trimmed);
-  if (!parsed) {
-    throw new Error(
-      `Invalid skill URL: ${trimmed}. Expected a bare skill name (e.g. "slack") or a GitHub URL (https://github.com/{owner}/{repo}[/tree/{branch}[/path]])`
-    );
-  }
-  if (!parsed.branch) {
-    return `https://github.com/${parsed.owner}/${parsed.repo}/tree/${DEFAULT_SKILLS_BRANCH}`;
-  }
-  return trimmed;
-}
-
 // ../../packages/core/src/frameworks.ts
 var SUPPORTED_FRAMEWORKS = ["claude-code", "codex"];
 function isSupportedFramework(framework) {
@@ -7876,7 +7367,7 @@ async function isFeatureEnabled(key, userId) {
 }
 
 // ../../packages/core/src/skill-frontmatter.ts
-import { parse as parseYaml } from "yaml";
+import { parse as parseYaml2 } from "yaml";
 function parseSkillFrontmatter(content) {
   const frontmatterMatch = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
   if (!frontmatterMatch) {
@@ -7886,7 +7377,7 @@ function parseSkillFrontmatter(content) {
   if (!yamlContent) {
     return {};
   }
-  const parsed = parseYaml(yamlContent);
+  const parsed = parseYaml2(yamlContent);
   if (!parsed || typeof parsed !== "object") {
     return {};
   }
@@ -8686,8 +8177,8 @@ async function resolveSkills(skillUrls) {
 }
 
 // src/lib/domain/yaml-validator.ts
-import { z as z26 } from "zod";
-var cliAgentNameSchema = z26.string().min(3, "Agent name must be at least 3 characters").max(64, "Agent name must be 64 characters or less").regex(
+import { z as z27 } from "zod";
+var cliAgentNameSchema = z27.string().min(3, "Agent name must be at least 3 characters").max(64, "Agent name must be 64 characters or less").regex(
   /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,62}[a-zA-Z0-9])?$/,
   "Agent name must start and end with letter or number, and contain only letters, numbers, and hyphens"
 );
@@ -8701,7 +8192,7 @@ var cliAgentDefinitionSchema = agentDefinitionSchema.superRefine(
             resolveSkillRef(skillRef);
           } catch (error) {
             ctx.addIssue({
-              code: z26.ZodIssueCode.custom,
+              code: z27.ZodIssueCode.custom,
               message: error instanceof Error ? error.message : `Invalid skill reference: ${skillRef}`,
               path: ["skills", i]
             });
@@ -8711,15 +8202,15 @@ var cliAgentDefinitionSchema = agentDefinitionSchema.superRefine(
     }
   }
 );
-var cliComposeSchema = z26.object({
-  version: z26.string().min(1, "Missing config.version"),
-  agents: z26.record(cliAgentNameSchema, cliAgentDefinitionSchema),
-  volumes: z26.record(z26.string(), volumeConfigSchema).optional()
+var cliComposeSchema = z27.object({
+  version: z27.string().min(1, "Missing config.version"),
+  agents: z27.record(cliAgentNameSchema, cliAgentDefinitionSchema),
+  volumes: z27.record(z27.string(), volumeConfigSchema).optional()
 }).superRefine((config, ctx) => {
   const agentKeys = Object.keys(config.agents);
   if (agentKeys.length === 0) {
     ctx.addIssue({
-      code: z26.ZodIssueCode.custom,
+      code: z27.ZodIssueCode.custom,
       message: "agents must have at least one agent defined",
       path: ["agents"]
     });
@@ -8727,7 +8218,7 @@ var cliComposeSchema = z26.object({
   }
   if (agentKeys.length > 1) {
     ctx.addIssue({
-      code: z26.ZodIssueCode.custom,
+      code: z27.ZodIssueCode.custom,
       message: "Multiple agents not supported yet. Only one agent allowed.",
       path: ["agents"]
     });
@@ -8739,7 +8230,7 @@ var cliComposeSchema = z26.object({
   if (agentVolumes && agentVolumes.length > 0) {
     if (!config.volumes) {
       ctx.addIssue({
-        code: z26.ZodIssueCode.custom,
+        code: z27.ZodIssueCode.custom,
         message: "Agent references volumes but no volumes section defined. Each volume must have explicit name and version.",
         path: ["volumes"]
       });
@@ -8749,7 +8240,7 @@ var cliComposeSchema = z26.object({
       const parts = volDeclaration.split(":");
       if (parts.length !== 2) {
         ctx.addIssue({
-          code: z26.ZodIssueCode.custom,
+          code: z27.ZodIssueCode.custom,
           message: `Invalid volume declaration: ${volDeclaration}. Expected format: volume-key:/mount/path`,
           path: ["agents", agentName, "volumes"]
         });
@@ -8758,7 +8249,7 @@ var cliComposeSchema = z26.object({
       const volumeKey = parts[0].trim();
       if (!config.volumes[volumeKey]) {
         ctx.addIssue({
-          code: z26.ZodIssueCode.custom,
+          code: z27.ZodIssueCode.custom,
           message: `Volume "${volumeKey}" is not defined in volumes section. Each volume must have explicit name and version.`,
           path: ["volumes", volumeKey]
         });
@@ -9586,7 +9077,7 @@ async function loadAndValidateConfig(configFile) {
   const content = await readFile4(configFile, "utf8");
   let config;
   try {
-    config = parseYaml2(content);
+    config = parseYaml3(content);
   } catch (error) {
     const message = error instanceof Error ? error.message : "Unknown error";
     throw new Error(`Invalid YAML format: ${message}`);
@@ -9855,7 +9346,7 @@ async function finalizeCompose(config, agent, variables, options) {
     process.exit(0);
   }
   mergeSkillVariables(agent, variables);
-  expandFirewallConfigs(config);
+  await expandFirewallConfigs(config);
   if (!options.json) {
     console.log("Uploading compose...");
   }
@@ -9995,7 +9486,7 @@ var composeCommand = new Command7().name("compose").description("Create or updat
         options.autoUpdate = false;
       }
       if (options.autoUpdate !== false) {
-        await startSilentUpgrade("9.61.0");
+        await startSilentUpgrade("9.62.0");
       }
       try {
         let result;
@@ -11166,7 +10657,7 @@ var mainRunCommand = new Command8().name("run").description("Run an agent").argu
   withErrorHandler(
     async (identifier, prompt, options) => {
       if (options.autoUpdate !== false) {
-        await startSilentUpgrade("9.61.0");
+        await startSilentUpgrade("9.62.0");
       }
       const { org, name, version } = parseIdentifier(identifier);
       let composeId;
@@ -11604,7 +11095,7 @@ import path7 from "path";
 // src/lib/storage/storage-utils.ts
 import { readFile as readFile5, writeFile as writeFile4, mkdir as mkdir4 } from "fs/promises";
 import { existsSync as existsSync7 } from "fs";
-import { parse as parseYaml3, stringify as stringifyYaml } from "yaml";
+import { parse as parseYaml4, stringify as stringifyYaml } from "yaml";
 import path6 from "path";
 var CONFIG_DIR = ".vm0";
 var CONFIG_FILE = "storage.yaml";
@@ -11628,7 +11119,7 @@ async function readStorageConfig(basePath = process.cwd()) {
     return null;
   }
   const content = await readFile5(actualPath, "utf8");
-  const config = parseYaml3(content);
+  const config = parseYaml4(content);
   if (!config.type) {
     config.type = "volume";
   }
@@ -12544,7 +12035,7 @@ import chalk35 from "chalk";
 import { readFile as readFile7, mkdir as mkdir6 } from "fs/promises";
 import { existsSync as existsSync10 } from "fs";
 import path13 from "path";
-import { parse as parseYaml4 } from "yaml";
+import { parse as parseYaml5 } from "yaml";
 
 // src/lib/domain/cook-state.ts
 import { homedir as homedir3 } from "os";
@@ -12743,7 +12234,7 @@ async function loadAndValidateConfig2() {
   let config;
   try {
     const content = await readFile7(CONFIG_FILE2, "utf8");
-    config = parseYaml4(content);
+    config = parseYaml5(content);
   } catch (error) {
     if (error instanceof Error) {
       throw new Error("Invalid YAML format", { cause: error });
@@ -12880,7 +12371,7 @@ var cookAction = new Command35().name("cook").description("Quick start: prepare,
   withErrorHandler(
     async (prompt, options) => {
       if (options.autoUpdate !== false) {
-        const shouldExit = await checkAndUpgrade("9.61.0", prompt);
+        const shouldExit = await checkAndUpgrade("9.62.0", prompt);
         if (shouldExit) {
           process.exit(0);
         }
@@ -14849,7 +14340,7 @@ import { Command as Command56 } from "commander";
 import chalk51 from "chalk";
 
 // src/lib/domain/schedule-utils.ts
-import { parse as parseYaml5 } from "yaml";
+import { parse as parseYaml6 } from "yaml";
 function formatRelativeTime2(dateStr) {
   if (!dateStr) return "-";
   const date = new Date(dateStr);
@@ -18019,13 +17510,13 @@ var upgradeCommand = new Command86().name("upgrade").description("Upgrade vm0 CL
     if (latestVersion === null) {
       throw new Error("Could not check for updates. Please try again later.");
     }
-    if (latestVersion === "9.61.0") {
-      console.log(chalk80.green(`\u2713 Already up to date (${"9.61.0"})`));
+    if (latestVersion === "9.62.0") {
+      console.log(chalk80.green(`\u2713 Already up to date (${"9.62.0"})`));
       return;
     }
     console.log(
       chalk80.yellow(
-        `Current version: ${"9.61.0"} -> Latest version: ${latestVersion}`
+        `Current version: ${"9.62.0"} -> Latest version: ${latestVersion}`
       )
     );
     console.log();
@@ -18052,7 +17543,7 @@ var upgradeCommand = new Command86().name("upgrade").description("Upgrade vm0 CL
     const success = await performUpgrade(packageManager);
     if (success) {
       console.log(
-        chalk80.green(`\u2713 Upgraded from ${"9.61.0"} to ${latestVersion}`)
+        chalk80.green(`\u2713 Upgraded from ${"9.62.0"} to ${latestVersion}`)
       );
       return;
     }
@@ -18066,7 +17557,7 @@ var upgradeCommand = new Command86().name("upgrade").description("Upgrade vm0 CL
 
 // src/index.ts
 var program = new Command87();
-program.name("vm0").description("VM0 CLI - Build and run agents with natural language").version("9.61.0");
+program.name("vm0").description("VM0 CLI - Build and run agents with natural language").version("9.62.0");
 program.addCommand(authCommand);
 program.addCommand(infoCommand);
 program.addCommand(composeCommand);