@vm0/cli 9.69.1 → 9.70.1

package/index.js

@@ -45,7 +45,7 @@ if (DSN) {
   Sentry.init({
     dsn: DSN,
     environment: process.env.SENTRY_ENVIRONMENT ?? "production",
-    release: "9.69.1",
+    release: "9.70.1",
     sendDefaultPii: false,
     tracesSampleRate: 0,
     shutdownTimeout: 500,
@@ -64,7 +64,7 @@ if (DSN) {
     }
   });
   Sentry.setContext("cli", {
-    version: "9.69.1",
+    version: "9.70.1",
     command: process.argv.slice(2).join(" ")
   });
   Sentry.setContext("runtime", {
@@ -675,7 +675,7 @@ function getConfigPath() {
   return join2(homedir2(), ".vm0", "config.json");
 }
 var infoCommand = new Command6().name("info").description("Display environment and debug information").action(async () => {
-  console.log(chalk4.bold(`VM0 CLI v${"9.69.1"}`));
+  console.log(chalk4.bold(`VM0 CLI v${"9.70.1"}`));
   console.log();
   const config = await loadConfig();
   const hasEnvToken = !!process.env.VM0_TOKEN;
@@ -867,7 +867,7 @@ var agentDefinitionSchema = z4.object({
     )
   }).optional(),
   /**
-   * VM profile for resource allocation (e.g., "vm0/default", "vm0/browser").
+   * VM profile for resource allocation (e.g., "vm0/default").
    * Determines rootfs image and VM resources (vCPU, memory).
    * Defaults to "vm0/default" when omitted.
    */
@@ -892,16 +892,6 @@ var agentDefinitionSchema = z4.object({
    */
   experimental_capabilities: z4.array(z4.enum(VALID_CAPABILITIES)).refine((arr) => new Set(arr).size === arr.length, {
     message: "Duplicate capabilities are not allowed"
-  }).optional(),
-  /**
-   * Agent metadata for display and personalization.
-   * - displayName: Human-readable name shown in the UI (preserves original casing).
-   * - sound: Communication tone (e.g., "professional", "friendly").
-   */
-  metadata: z4.object({
-    displayName: z4.string().optional(),
-    description: z4.string().optional(),
-    sound: z4.string().optional()
   }).optional()
 });
 var agentComposeContentSchema = z4.object({
@@ -1099,37 +1089,160 @@ var composesListContract = c.router({
 });
 
 // ../../packages/core/src/contracts/runs.ts
-import { z as z7 } from "zod";
+import { z as z8 } from "zod";
+
+// ../../packages/core/src/contracts/logs.ts
+import { z as z5 } from "zod";
+var paginationSchema = z5.object({
+  hasMore: z5.boolean(),
+  nextCursor: z5.string().nullable(),
+  totalPages: z5.number()
+});
+var listQuerySchema = z5.object({
+  cursor: z5.string().optional(),
+  limit: z5.coerce.number().min(1).max(100).default(20)
+});
+var c2 = initContract();
+var logStatusSchema = z5.enum([
+  "queued",
+  "pending",
+  "running",
+  "completed",
+  "failed",
+  "timeout",
+  "cancelled"
+]);
+var triggerSourceSchema = z5.enum([
+  "schedule",
+  "web",
+  "slack",
+  "email",
+  "telegram",
+  "github",
+  "cli"
+]);
+var logEntrySchema = z5.object({
+  id: z5.uuid(),
+  sessionId: z5.string().nullable(),
+  agentName: z5.string(),
+  displayName: z5.string().nullable(),
+  orgSlug: z5.string().nullable(),
+  framework: z5.string().nullable(),
+  triggerSource: triggerSourceSchema.nullable(),
+  status: logStatusSchema,
+  createdAt: z5.string(),
+  startedAt: z5.string().nullable(),
+  completedAt: z5.string().nullable()
+});
+var logsListResponseSchema = z5.object({
+  data: z5.array(logEntrySchema),
+  pagination: paginationSchema
+});
+var artifactSchema = z5.object({
+  name: z5.string().nullable(),
+  version: z5.string().nullable()
+});
+var logDetailSchema = z5.object({
+  id: z5.uuid(),
+  sessionId: z5.string().nullable(),
+  agentName: z5.string(),
+  displayName: z5.string().nullable(),
+  framework: z5.string().nullable(),
+  modelProvider: z5.string().nullable(),
+  triggerSource: triggerSourceSchema.nullable(),
+  status: logStatusSchema,
+  prompt: z5.string(),
+  appendSystemPrompt: z5.string().nullable(),
+  error: z5.string().nullable(),
+  createdAt: z5.string(),
+  startedAt: z5.string().nullable(),
+  completedAt: z5.string().nullable(),
+  artifact: artifactSchema
+});
+var logsListContract = c2.router({
+  list: {
+    method: "GET",
+    path: "/api/app/logs",
+    query: listQuerySchema.extend({
+      search: z5.string().optional(),
+      agent: z5.string().optional(),
+      name: z5.string().optional(),
+      org: z5.string().optional(),
+      status: logStatusSchema.optional()
+    }),
+    responses: {
+      200: logsListResponseSchema,
+      401: apiErrorSchema
+    },
+    summary: "List agent run logs with pagination"
+  }
+});
+var logsByIdContract = c2.router({
+  getById: {
+    method: "GET",
+    path: "/api/app/logs/:id",
+    headers: authHeadersSchema,
+    pathParams: z5.object({
+      id: z5.string().uuid("Invalid log ID")
+    }),
+    responses: {
+      200: logDetailSchema,
+      401: apiErrorSchema,
+      404: apiErrorSchema
+    },
+    summary: "Get agent run log details by ID"
+  }
+});
+var artifactDownloadResponseSchema = z5.object({
+  url: z5.url(),
+  expiresAt: z5.string()
+});
+var artifactDownloadContract = c2.router({
+  getDownloadUrl: {
+    method: "GET",
+    path: "/api/app/artifacts/download",
+    query: z5.object({
+      name: z5.string().min(1, "Artifact name is required"),
+      version: z5.string().optional()
+    }),
+    responses: {
+      200: artifactDownloadResponseSchema,
+      401: apiErrorSchema,
+      404: apiErrorSchema
+    },
+    summary: "Get presigned URL for artifact download"
+  }
+});
 
 // ../../packages/core/src/contracts/orgs.ts
-import { z as z6 } from "zod";
+import { z as z7 } from "zod";
 
 // ../../packages/core/src/contracts/org-members.ts
-import { z as z5 } from "zod";
-var c2 = initContract();
-var orgRoleSchema = z5.enum(["admin", "member"]);
-var orgMemberSchema = z5.object({
-  userId: z5.string(),
-  email: z5.string(),
+import { z as z6 } from "zod";
+var c3 = initContract();
+var orgRoleSchema = z6.enum(["admin", "member"]);
+var orgMemberSchema = z6.object({
+  userId: z6.string(),
+  email: z6.string(),
   role: orgRoleSchema,
-  joinedAt: z5.string()
+  joinedAt: z6.string()
 });
-var orgMembersResponseSchema = z5.object({
-  slug: z5.string(),
+var orgMembersResponseSchema = z6.object({
+  slug: z6.string(),
   role: orgRoleSchema,
-  members: z5.array(orgMemberSchema),
-  createdAt: z5.string()
+  members: z6.array(orgMemberSchema),
+  createdAt: z6.string()
 });
-var inviteOrgMemberRequestSchema = z5.object({
-  email: z5.string().email()
+var inviteOrgMemberRequestSchema = z6.object({
+  email: z6.string().email()
 });
-var removeOrgMemberRequestSchema = z5.object({
-  email: z5.string().email()
+var removeOrgMemberRequestSchema = z6.object({
+  email: z6.string().email()
 });
-var orgMessageResponseSchema = z5.object({
-  message: z5.string()
+var orgMessageResponseSchema = z6.object({
+  message: z6.string()
 });
-var orgMembersContract = c2.router({
+var orgMembersContract = c3.router({
   /**
    * GET /api/org/members
    * Get org members and status
@@ -1174,7 +1287,7 @@ var orgMembersContract = c2.router({
     method: "POST",
     path: "/api/org/leave",
     headers: authHeadersSchema,
-    body: z5.object({}),
+    body: z6.object({}),
     responses: {
       200: orgMessageResponseSchema,
       401: apiErrorSchema,
@@ -1204,23 +1317,23 @@ var orgMembersContract = c2.router({
 });
 
 // ../../packages/core/src/contracts/orgs.ts
-var c3 = initContract();
-var orgTierSchema = z6.enum(["free", "pro", "max"]);
-var orgSlugSchema = z6.string().min(3, "Org slug must be at least 3 characters").max(64, "Org slug must be at most 64 characters").regex(
+var c4 = initContract();
+var orgTierSchema = z7.enum(["free", "pro", "max"]);
+var orgSlugSchema = z7.string().min(3, "Org slug must be at least 3 characters").max(64, "Org slug must be at most 64 characters").regex(
   /^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]{1,2}$/,
   "Org slug must contain only lowercase letters, numbers, and hyphens, and must start and end with an alphanumeric character"
 ).transform((s) => s.toLowerCase());
-var orgResponseSchema = z6.object({
-  id: z6.string(),
-  slug: z6.string(),
-  tier: z6.string().optional(),
+var orgResponseSchema = z7.object({
+  id: z7.string(),
+  slug: z7.string(),
+  tier: z7.string().optional(),
   role: orgRoleSchema.optional()
 });
-var updateOrgRequestSchema = z6.object({
+var updateOrgRequestSchema = z7.object({
   slug: orgSlugSchema,
-  force: z6.boolean().optional().default(false)
+  force: z7.boolean().optional().default(false)
 });
-var orgContract = c3.router({
+var orgContract = c4.router({
   /**
    * GET /api/org
    * Get current user's default org
@@ -1258,7 +1371,7 @@ var orgContract = c3.router({
     summary: "Update org slug"
   }
 });
-var orgDefaultAgentContract = c3.router({
+var orgDefaultAgentContract = c4.router({
   /**
    * PUT /api/orgs/default-agent?org={slug}
    * Set or unset the default agent for an org.
@@ -1269,15 +1382,15 @@ var orgDefaultAgentContract = c3.router({
     method: "PUT",
     path: "/api/orgs/default-agent",
     headers: authHeadersSchema,
-    query: z6.object({
-      org: z6.string().optional()
+    query: z7.object({
+      org: z7.string().optional()
     }),
-    body: z6.object({
-      agentComposeId: z6.uuid().nullable()
+    body: z7.object({
+      agentComposeId: z7.uuid().nullable()
     }),
     responses: {
-      200: z6.object({
-        agentComposeId: z6.uuid().nullable()
+      200: z7.object({
+        agentComposeId: z7.uuid().nullable()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1290,7 +1403,7 @@ var orgDefaultAgentContract = c3.router({
 });
 
 // ../../packages/core/src/contracts/runs.ts
-var c4 = initContract();
+var c5 = initContract();
 var ALL_RUN_STATUSES = [
   "queued",
   "pending",
@@ -1300,101 +1413,105 @@ var ALL_RUN_STATUSES = [
   "timeout",
   "cancelled"
 ];
-var runStatusSchema = z7.enum(ALL_RUN_STATUSES);
-var unifiedRunRequestSchema = z7.object({
+var runStatusSchema = z8.enum(ALL_RUN_STATUSES);
+var unifiedRunRequestSchema = z8.object({
   // High-level shortcuts (mutually exclusive with each other)
-  checkpointId: z7.string().optional(),
-  sessionId: z7.string().optional(),
+  checkpointId: z8.string().optional(),
+  sessionId: z8.string().optional(),
   // Base parameters (can be used directly or overridden after shortcut expansion)
-  agentComposeId: z7.string().optional(),
-  agentComposeVersionId: z7.string().optional(),
-  conversationId: z7.string().optional(),
-  artifactName: z7.string().optional(),
-  artifactVersion: z7.string().optional(),
-  vars: z7.record(z7.string(), z7.string()).optional(),
-  secrets: z7.record(z7.string(), z7.string()).optional(),
-  volumeVersions: z7.record(z7.string(), z7.string()).optional(),
-  memoryName: z7.string().optional(),
+  agentComposeId: z8.string().optional(),
+  agentComposeVersionId: z8.string().optional(),
+  conversationId: z8.string().optional(),
+  artifactName: z8.string().optional(),
+  artifactVersion: z8.string().optional(),
+  vars: z8.record(z8.string(), z8.string()).optional(),
+  secrets: z8.record(z8.string(), z8.string()).optional(),
+  volumeVersions: z8.record(z8.string(), z8.string()).optional(),
+  memoryName: z8.string().optional(),
   // Debug flag to force real Claude in mock environments (internal use only)
-  debugNoMockClaude: z7.boolean().optional(),
+  debugNoMockClaude: z8.boolean().optional(),
   // Model provider for automatic secret injection
-  modelProvider: z7.string().optional(),
+  modelProvider: z8.string().optional(),
   // Environment validation flag - when true, validates secrets/vars before running
-  checkEnv: z7.boolean().optional(),
+  checkEnv: z8.boolean().optional(),
   // Required
-  prompt: z7.string().min(1, "Missing prompt"),
+  prompt: z8.string().min(1, "Missing prompt"),
   // Optional system prompt to append to the agent's system prompt
-  appendSystemPrompt: z7.string().optional()
+  appendSystemPrompt: z8.string().optional(),
+  // Optional list of tools to disable in Claude CLI (passed as --disallowed-tools)
+  disallowedTools: z8.array(z8.string()).optional(),
+  // How the run was triggered (defaults to "cli" on the server if not provided)
+  triggerSource: triggerSourceSchema.optional()
 });
-var createRunResponseSchema = z7.object({
-  runId: z7.string(),
+var createRunResponseSchema = z8.object({
+  runId: z8.string(),
   status: runStatusSchema,
-  sandboxId: z7.string().optional(),
-  output: z7.string().optional(),
-  error: z7.string().optional(),
-  executionTimeMs: z7.number().optional(),
-  createdAt: z7.string()
+  sandboxId: z8.string().optional(),
+  output: z8.string().optional(),
+  error: z8.string().optional(),
+  executionTimeMs: z8.number().optional(),
+  createdAt: z8.string()
 });
-var getRunResponseSchema = z7.object({
-  runId: z7.string(),
-  agentComposeVersionId: z7.string().nullable(),
+var getRunResponseSchema = z8.object({
+  runId: z8.string(),
+  agentComposeVersionId: z8.string().nullable(),
   status: runStatusSchema,
-  prompt: z7.string(),
-  appendSystemPrompt: z7.string().nullable(),
-  vars: z7.record(z7.string(), z7.string()).optional(),
-  sandboxId: z7.string().optional(),
-  result: z7.object({
-    output: z7.string().optional(),
-    executionTimeMs: z7.number().optional(),
-    agentSessionId: z7.string().optional(),
-    checkpointId: z7.string().optional(),
-    conversationId: z7.string().optional()
+  prompt: z8.string(),
+  appendSystemPrompt: z8.string().nullable(),
+  vars: z8.record(z8.string(), z8.string()).optional(),
+  sandboxId: z8.string().optional(),
+  result: z8.object({
+    output: z8.string().optional(),
+    executionTimeMs: z8.number().optional(),
+    agentSessionId: z8.string().optional(),
+    checkpointId: z8.string().optional(),
+    conversationId: z8.string().optional()
   }).passthrough().optional(),
-  error: z7.string().optional(),
-  createdAt: z7.string(),
-  startedAt: z7.string().optional(),
-  completedAt: z7.string().optional()
+  error: z8.string().optional(),
+  createdAt: z8.string(),
+  startedAt: z8.string().optional(),
+  completedAt: z8.string().optional()
 });
-var runEventSchema = z7.object({
-  sequenceNumber: z7.number(),
-  eventType: z7.string(),
-  eventData: z7.unknown(),
-  createdAt: z7.string()
+var runEventSchema = z8.object({
+  sequenceNumber: z8.number(),
+  eventType: z8.string(),
+  eventData: z8.unknown(),
+  createdAt: z8.string()
 });
-var runResultSchema = z7.object({
-  checkpointId: z7.string(),
-  agentSessionId: z7.string(),
-  conversationId: z7.string(),
-  artifact: z7.record(z7.string(), z7.string()).optional(),
+var runResultSchema = z8.object({
+  checkpointId: z8.string(),
+  agentSessionId: z8.string(),
+  conversationId: z8.string(),
+  artifact: z8.record(z8.string(), z8.string()).optional(),
   // optional when run has no artifact
-  volumes: z7.record(z7.string(), z7.string()).optional(),
-  memory: z7.record(z7.string(), z7.string()).optional()
+  volumes: z8.record(z8.string(), z8.string()).optional(),
+  memory: z8.record(z8.string(), z8.string()).optional()
 });
-var runStateSchema = z7.object({
+var runStateSchema = z8.object({
   status: runStatusSchema,
   result: runResultSchema.optional(),
-  error: z7.string().optional()
+  error: z8.string().optional()
 });
-var eventsResponseSchema = z7.object({
-  events: z7.array(runEventSchema),
-  hasMore: z7.boolean(),
-  nextSequence: z7.number(),
+var eventsResponseSchema = z8.object({
+  events: z8.array(runEventSchema),
+  hasMore: z8.boolean(),
+  nextSequence: z8.number(),
   run: runStateSchema,
-  framework: z7.string()
+  framework: z8.string()
 });
-var runListItemSchema = z7.object({
-  id: z7.string(),
-  agentName: z7.string(),
+var runListItemSchema = z8.object({
+  id: z8.string(),
+  agentName: z8.string(),
   status: runStatusSchema,
-  prompt: z7.string(),
-  appendSystemPrompt: z7.string().nullable(),
-  createdAt: z7.string(),
-  startedAt: z7.string().nullable()
+  prompt: z8.string(),
+  appendSystemPrompt: z8.string().nullable(),
+  createdAt: z8.string(),
+  startedAt: z8.string().nullable()
 });
-var runsListResponseSchema = z7.object({
-  runs: z7.array(runListItemSchema)
+var runsListResponseSchema = z8.object({
+  runs: z8.array(runListItemSchema)
 });
-var runsMainContract = c4.router({
+var runsMainContract = c5.router({
   /**
    * GET /api/agent/runs
    * List agent runs (pending and running by default)
@@ -1403,16 +1520,16 @@ var runsMainContract = c4.router({
     method: "GET",
     path: "/api/agent/runs",
     headers: authHeadersSchema,
-    query: z7.object({
-      status: z7.string().optional(),
+    query: z8.object({
+      status: z8.string().optional(),
       // comma-separated: "pending,running"
-      agent: z7.string().optional(),
+      agent: z8.string().optional(),
       // agent name filter
-      since: z7.string().optional(),
+      since: z8.string().optional(),
       // ISO timestamp
-      until: z7.string().optional(),
+      until: z8.string().optional(),
       // ISO timestamp
-      limit: z7.coerce.number().min(1).max(100).default(50)
+      limit: z8.coerce.number().min(1).max(100).default(50)
     }),
     responses: {
       200: runsListResponseSchema,
@@ -1441,7 +1558,7 @@ var runsMainContract = c4.router({
     summary: "Create and execute agent run"
   }
 });
-var runsByIdContract = c4.router({
+var runsByIdContract = c5.router({
   /**
    * GET /api/agent/runs/:id
    * Get agent run status and results
@@ -1450,8 +1567,8 @@ var runsByIdContract = c4.router({
     method: "GET",
     path: "/api/agent/runs/:id",
     headers: authHeadersSchema,
-    pathParams: z7.object({
-      id: z7.string().min(1, "Run ID is required")
+    pathParams: z8.object({
+      id: z8.string().min(1, "Run ID is required")
     }),
     responses: {
       200: getRunResponseSchema,
@@ -1462,12 +1579,12 @@ var runsByIdContract = c4.router({
     summary: "Get agent run by ID"
   }
 });
-var cancelRunResponseSchema = z7.object({
-  id: z7.string(),
-  status: z7.literal("cancelled"),
-  message: z7.string()
+var cancelRunResponseSchema = z8.object({
+  id: z8.string(),
+  status: z8.literal("cancelled"),
+  message: z8.string()
 });
-var runsCancelContract = c4.router({
+var runsCancelContract = c5.router({
   /**
    * POST /api/agent/runs/:id/cancel
    * Cancel a pending or running run
@@ -1476,10 +1593,10 @@ var runsCancelContract = c4.router({
     method: "POST",
     path: "/api/agent/runs/:id/cancel",
     headers: authHeadersSchema,
-    pathParams: z7.object({
-      id: z7.string().min(1, "Run ID is required")
+    pathParams: z8.object({
+      id: z8.string().min(1, "Run ID is required")
     }),
-    body: z7.undefined(),
+    body: z8.undefined(),
     responses: {
       200: cancelRunResponseSchema,
       400: apiErrorSchema,
@@ -1490,7 +1607,7 @@ var runsCancelContract = c4.router({
     summary: "Cancel a pending or running run"
   }
 });
-var runEventsContract = c4.router({
+var runEventsContract = c5.router({
   /**
    * GET /api/agent/runs/:id/events
    * Poll for agent run events with pagination
@@ -1499,12 +1616,12 @@ var runEventsContract = c4.router({
     method: "GET",
     path: "/api/agent/runs/:id/events",
     headers: authHeadersSchema,
-    pathParams: z7.object({
-      id: z7.string().min(1, "Run ID is required")
+    pathParams: z8.object({
+      id: z8.string().min(1, "Run ID is required")
     }),
-    query: z7.object({
-      since: z7.coerce.number().default(-1),
-      limit: z7.coerce.number().default(100)
+    query: z8.object({
+      since: z8.coerce.number().default(-1),
+      limit: z8.coerce.number().default(100)
     }),
     responses: {
       200: eventsResponseSchema,
@@ -1514,50 +1631,50 @@ var runEventsContract = c4.router({
     summary: "Get agent run events"
   }
 });
-var telemetryMetricSchema = z7.object({
-  ts: z7.string(),
-  cpu: z7.number(),
-  mem_used: z7.number(),
-  mem_total: z7.number(),
-  disk_used: z7.number(),
-  disk_total: z7.number()
+var telemetryMetricSchema = z8.object({
+  ts: z8.string(),
+  cpu: z8.number(),
+  mem_used: z8.number(),
+  mem_total: z8.number(),
+  disk_used: z8.number(),
+  disk_total: z8.number()
 });
-var systemLogResponseSchema = z7.object({
-  systemLog: z7.string(),
-  hasMore: z7.boolean()
+var systemLogResponseSchema = z8.object({
+  systemLog: z8.string(),
+  hasMore: z8.boolean()
 });
-var metricsResponseSchema = z7.object({
-  metrics: z7.array(telemetryMetricSchema),
-  hasMore: z7.boolean()
+var metricsResponseSchema = z8.object({
+  metrics: z8.array(telemetryMetricSchema),
+  hasMore: z8.boolean()
 });
-var agentEventsResponseSchema = z7.object({
-  events: z7.array(runEventSchema),
-  hasMore: z7.boolean(),
-  framework: z7.string()
+var agentEventsResponseSchema = z8.object({
+  events: z8.array(runEventSchema),
+  hasMore: z8.boolean(),
+  framework: z8.string()
 });
-var networkLogEntrySchema = z7.object({
-  timestamp: z7.string(),
-  mode: z7.literal("mitm").optional(),
-  action: z7.enum(["ALLOW", "DENY"]).optional(),
-  host: z7.string().optional(),
-  port: z7.number().optional(),
-  rule_matched: z7.string().nullable().optional(),
-  method: z7.string().optional(),
-  url: z7.string().optional(),
-  status: z7.number().optional(),
-  latency_ms: z7.number().optional(),
-  request_size: z7.number().optional(),
-  response_size: z7.number().optional()
+var networkLogEntrySchema = z8.object({
+  timestamp: z8.string(),
+  mode: z8.literal("mitm").optional(),
+  action: z8.enum(["ALLOW", "DENY"]).optional(),
+  host: z8.string().optional(),
+  port: z8.number().optional(),
+  rule_matched: z8.string().nullable().optional(),
+  method: z8.string().optional(),
+  url: z8.string().optional(),
+  status: z8.number().optional(),
+  latency_ms: z8.number().optional(),
+  request_size: z8.number().optional(),
+  response_size: z8.number().optional()
 });
-var networkLogsResponseSchema = z7.object({
-  networkLogs: z7.array(networkLogEntrySchema),
-  hasMore: z7.boolean()
+var networkLogsResponseSchema = z8.object({
+  networkLogs: z8.array(networkLogEntrySchema),
+  hasMore: z8.boolean()
 });
-var telemetryResponseSchema = z7.object({
-  systemLog: z7.string(),
-  metrics: z7.array(telemetryMetricSchema)
+var telemetryResponseSchema = z8.object({
+  systemLog: z8.string(),
+  metrics: z8.array(telemetryMetricSchema)
 });
-var runTelemetryContract = c4.router({
+var runTelemetryContract = c5.router({
   /**
    * GET /api/agent/runs/:id/telemetry
    * Get aggregated telemetry data for a run (legacy combined format)
@@ -1566,8 +1683,8 @@ var runTelemetryContract = c4.router({
     method: "GET",
     path: "/api/agent/runs/:id/telemetry",
     headers: authHeadersSchema,
-    pathParams: z7.object({
-      id: z7.string().min(1, "Run ID is required")
+    pathParams: z8.object({
+      id: z8.string().min(1, "Run ID is required")
     }),
     responses: {
       200: telemetryResponseSchema,
@@ -1577,7 +1694,7 @@ var runTelemetryContract = c4.router({
     summary: "Get run telemetry data"
   }
 });
-var runSystemLogContract = c4.router({
+var runSystemLogContract = c5.router({
   /**
    * GET /api/agent/runs/:id/telemetry/system-log
    * Get system log with pagination
@@ -1586,13 +1703,13 @@ var runSystemLogContract = c4.router({
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/system-log",
     headers: authHeadersSchema,
-    pathParams: z7.object({
-      id: z7.string().min(1, "Run ID is required")
+    pathParams: z8.object({
+      id: z8.string().min(1, "Run ID is required")
     }),
-    query: z7.object({
-      since: z7.coerce.number().optional(),
-      limit: z7.coerce.number().min(1).max(100).default(5),
-      order: z7.enum(["asc", "desc"]).default("desc")
+    query: z8.object({
+      since: z8.coerce.number().optional(),
+      limit: z8.coerce.number().min(1).max(100).default(5),
+      order: z8.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: systemLogResponseSchema,
@@ -1602,7 +1719,7 @@ var runSystemLogContract = c4.router({
     summary: "Get system log with pagination"
   }
 });
-var runMetricsContract = c4.router({
+var runMetricsContract = c5.router({
   /**
    * GET /api/agent/runs/:id/telemetry/metrics
    * Get metrics with pagination
@@ -1611,13 +1728,13 @@ var runMetricsContract = c4.router({
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/metrics",
     headers: authHeadersSchema,
-    pathParams: z7.object({
-      id: z7.string().min(1, "Run ID is required")
+    pathParams: z8.object({
+      id: z8.string().min(1, "Run ID is required")
     }),
-    query: z7.object({
-      since: z7.coerce.number().optional(),
-      limit: z7.coerce.number().min(1).max(100).default(5),
-      order: z7.enum(["asc", "desc"]).default("desc")
+    query: z8.object({
+      since: z8.coerce.number().optional(),
+      limit: z8.coerce.number().min(1).max(100).default(5),
+      order: z8.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: metricsResponseSchema,
@@ -1627,7 +1744,7 @@ var runMetricsContract = c4.router({
     summary: "Get metrics with pagination"
   }
 });
-var runAgentEventsContract = c4.router({
+var runAgentEventsContract = c5.router({
   /**
    * GET /api/agent/runs/:id/telemetry/agent
    * Get agent events with pagination (for vm0 logs default)
@@ -1636,13 +1753,13 @@ var runAgentEventsContract = c4.router({
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/agent",
     headers: authHeadersSchema,
-    pathParams: z7.object({
-      id: z7.string().min(1, "Run ID is required")
+    pathParams: z8.object({
+      id: z8.string().min(1, "Run ID is required")
     }),
-    query: z7.object({
-      since: z7.coerce.number().optional(),
-      limit: z7.coerce.number().min(1).max(100).default(5),
-      order: z7.enum(["asc", "desc"]).default("desc")
+    query: z8.object({
+      since: z8.coerce.number().optional(),
+      limit: z8.coerce.number().min(1).max(100).default(5),
+      order: z8.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: agentEventsResponseSchema,
@@ -1652,7 +1769,7 @@ var runAgentEventsContract = c4.router({
     summary: "Get agent events with pagination"
   }
 });
-var runNetworkLogsContract = c4.router({
+var runNetworkLogsContract = c5.router({
   /**
    * GET /api/agent/runs/:id/telemetry/network
    * Get network logs with pagination (for vm0 logs --network)
@@ -1661,13 +1778,13 @@ var runNetworkLogsContract = c4.router({
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/network",
     headers: authHeadersSchema,
-    pathParams: z7.object({
-      id: z7.string().min(1, "Run ID is required")
+    pathParams: z8.object({
+      id: z8.string().min(1, "Run ID is required")
     }),
-    query: z7.object({
-      since: z7.coerce.number().optional(),
-      limit: z7.coerce.number().min(1).max(100).default(5),
-      order: z7.enum(["asc", "desc"]).default("desc")
+    query: z8.object({
+      since: z8.coerce.number().optional(),
+      limit: z8.coerce.number().min(1).max(100).default(5),
+      order: z8.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: networkLogsResponseSchema,
@@ -1677,18 +1794,18 @@ var runNetworkLogsContract = c4.router({
     summary: "Get network logs with pagination"
   }
 });
-var searchResultSchema = z7.object({
-  runId: z7.string(),
-  agentName: z7.string(),
+var searchResultSchema = z8.object({
+  runId: z8.string(),
+  agentName: z8.string(),
   matchedEvent: runEventSchema,
-  contextBefore: z7.array(runEventSchema),
-  contextAfter: z7.array(runEventSchema)
+  contextBefore: z8.array(runEventSchema),
+  contextAfter: z8.array(runEventSchema)
 });
-var logsSearchResponseSchema = z7.object({
-  results: z7.array(searchResultSchema),
-  hasMore: z7.boolean()
+var logsSearchResponseSchema = z8.object({
+  results: z8.array(searchResultSchema),
+  hasMore: z8.boolean()
 });
-var logsSearchContract = c4.router({
+var logsSearchContract = c5.router({
   /**
    * GET /api/logs/search
    * Search agent events across runs using keyword matching
@@ -1697,14 +1814,14 @@ var logsSearchContract = c4.router({
     method: "GET",
     path: "/api/logs/search",
     headers: authHeadersSchema,
-    query: z7.object({
-      keyword: z7.string().min(1),
-      agent: z7.string().optional(),
-      runId: z7.string().optional(),
-      since: z7.coerce.number().optional(),
-      limit: z7.coerce.number().min(1).max(50).default(20),
-      before: z7.coerce.number().min(0).max(10).default(0),
-      after: z7.coerce.number().min(0).max(10).default(0)
+    query: z8.object({
+      keyword: z8.string().min(1),
+      agent: z8.string().optional(),
+      runId: z8.string().optional(),
+      since: z8.coerce.number().optional(),
+      limit: z8.coerce.number().min(1).max(50).default(20),
+      before: z8.coerce.number().min(0).max(10).default(0),
+      after: z8.coerce.number().min(0).max(10).default(0)
     }),
     responses: {
       200: logsSearchResponseSchema,
@@ -1713,39 +1830,39 @@ var logsSearchContract = c4.router({
     summary: "Search agent events across runs"
   }
 });
-var queueEntrySchema = z7.object({
-  position: z7.number(),
-  agentName: z7.string().nullable(),
-  agentDisplayName: z7.string().nullable(),
-  userEmail: z7.string().nullable(),
-  createdAt: z7.string(),
-  isOwner: z7.boolean(),
-  runId: z7.string().nullable(),
-  prompt: z7.string().nullable(),
-  triggerSource: z7.enum(["schedule", "chat", "api"]).nullable(),
-  sessionLink: z7.string().nullable()
+var queueEntrySchema = z8.object({
+  position: z8.number(),
+  agentName: z8.string().nullable(),
+  agentDisplayName: z8.string().nullable(),
+  userEmail: z8.string().nullable(),
+  createdAt: z8.string(),
+  isOwner: z8.boolean(),
+  runId: z8.string().nullable(),
+  prompt: z8.string().nullable(),
+  triggerSource: triggerSourceSchema.nullable(),
+  sessionLink: z8.string().nullable()
 });
-var runningTaskSchema = z7.object({
-  runId: z7.string().nullable(),
-  agentName: z7.string(),
-  agentDisplayName: z7.string().nullable(),
-  userEmail: z7.string(),
-  startedAt: z7.string().nullable(),
-  isOwner: z7.boolean()
+var runningTaskSchema = z8.object({
+  runId: z8.string().nullable(),
+  agentName: z8.string(),
+  agentDisplayName: z8.string().nullable(),
+  userEmail: z8.string(),
+  startedAt: z8.string().nullable(),
+  isOwner: z8.boolean()
 });
-var concurrencyInfoSchema = z7.object({
+var concurrencyInfoSchema = z8.object({
   tier: orgTierSchema,
-  limit: z7.number(),
-  active: z7.number(),
-  available: z7.number()
+  limit: z8.number(),
+  active: z8.number(),
+  available: z8.number()
 });
-var queueResponseSchema = z7.object({
+var queueResponseSchema = z8.object({
   concurrency: concurrencyInfoSchema,
-  queue: z7.array(queueEntrySchema),
-  runningTasks: z7.array(runningTaskSchema),
-  estimatedTimePerRun: z7.number().nullable()
+  queue: z8.array(queueEntrySchema),
+  runningTasks: z8.array(runningTaskSchema),
+  estimatedTimePerRun: z8.number().nullable()
 });
-var runsQueueContract = c4.router({
+var runsQueueContract = c5.router({
   /**
    * GET /api/agent/runs/queue
    * Get org run queue status including concurrency context and queued entries
@@ -1764,19 +1881,19 @@ var runsQueueContract = c4.router({
 });
 
 // ../../packages/core/src/contracts/storages.ts
-import { z as z8 } from "zod";
-var c5 = initContract();
-var storageTypeSchema = z8.enum(["volume", "artifact", "memory"]);
-var versionQuerySchema = z8.string().regex(/^[a-f0-9]{8,64}$/i, "Version must be 8-64 hex characters").optional();
-var uploadStorageResponseSchema = z8.object({
-  name: z8.string(),
-  versionId: z8.string(),
-  size: z8.number(),
-  fileCount: z8.number(),
+import { z as z9 } from "zod";
+var c6 = initContract();
+var storageTypeSchema = z9.enum(["volume", "artifact", "memory"]);
+var versionQuerySchema = z9.string().regex(/^[a-f0-9]{8,64}$/i, "Version must be 8-64 hex characters").optional();
+var uploadStorageResponseSchema = z9.object({
+  name: z9.string(),
+  versionId: z9.string(),
+  size: z9.number(),
+  fileCount: z9.number(),
   type: storageTypeSchema,
-  deduplicated: z8.boolean()
+  deduplicated: z9.boolean()
 });
-var storagesContract = c5.router({
+var storagesContract = c6.router({
   /**
    * POST /api/storages
    * Upload a storage (tar.gz file)
@@ -1793,7 +1910,7 @@ var storagesContract = c5.router({
     path: "/api/storages",
     headers: authHeadersSchema,
     contentType: "multipart/form-data",
-    body: c5.type(),
+    body: c6.type(),
     responses: {
       200: uploadStorageResponseSchema,
       400: apiErrorSchema,
@@ -1816,15 +1933,15 @@ var storagesContract = c5.router({
     method: "GET",
     path: "/api/storages",
     headers: authHeadersSchema,
-    query: z8.object({
-      name: z8.string().min(1, "Storage name is required"),
+    query: z9.object({
+      name: z9.string().min(1, "Storage name is required"),
       version: versionQuerySchema
     }),
     responses: {
       // Binary response - actual handling done at route level
-      200: c5.otherResponse({
+      200: c6.otherResponse({
         contentType: "application/gzip",
-        body: c5.type()
+        body: c6.type()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1835,41 +1952,41 @@ var storagesContract = c5.router({
   }
 });
 var MAX_FILE_SIZE_BYTES = 104857600;
-var fileEntryWithHashSchema = z8.object({
-  path: z8.string().min(1, "File path is required"),
-  hash: z8.string().length(64, "Hash must be SHA-256 (64 hex chars)"),
-  size: z8.number().int().min(0, "Size must be non-negative").max(MAX_FILE_SIZE_BYTES, "File size exceeds 100MB limit")
+var fileEntryWithHashSchema = z9.object({
+  path: z9.string().min(1, "File path is required"),
+  hash: z9.string().length(64, "Hash must be SHA-256 (64 hex chars)"),
+  size: z9.number().int().min(0, "Size must be non-negative").max(MAX_FILE_SIZE_BYTES, "File size exceeds 100MB limit")
 });
-var storageChangesSchema = z8.object({
-  added: z8.array(z8.string()),
-  modified: z8.array(z8.string()),
-  deleted: z8.array(z8.string())
+var storageChangesSchema = z9.object({
+  added: z9.array(z9.string()),
+  modified: z9.array(z9.string()),
+  deleted: z9.array(z9.string())
 });
-var presignedUploadSchema = z8.object({
-  key: z8.string(),
-  presignedUrl: z8.url()
+var presignedUploadSchema = z9.object({
+  key: z9.string(),
+  presignedUrl: z9.url()
 });
-var storagesPrepareContract = c5.router({
+var storagesPrepareContract = c6.router({
   prepare: {
     method: "POST",
     path: "/api/storages/prepare",
     headers: authHeadersSchema,
-    body: z8.object({
-      storageName: z8.string().min(1, "Storage name is required"),
+    body: z9.object({
+      storageName: z9.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      files: z8.array(fileEntryWithHashSchema),
-      force: z8.boolean().optional(),
-      runId: z8.string().optional(),
+      files: z9.array(fileEntryWithHashSchema),
+      force: z9.boolean().optional(),
+      runId: z9.string().optional(),
       // For sandbox auth
-      baseVersion: z8.string().optional(),
+      baseVersion: z9.string().optional(),
       // For incremental uploads
       changes: storageChangesSchema.optional()
     }),
     responses: {
-      200: z8.object({
-        versionId: z8.string(),
-        existing: z8.boolean(),
-        uploads: z8.object({
+      200: z9.object({
+        versionId: z9.string(),
+        existing: z9.boolean(),
+        uploads: z9.object({
           archive: presignedUploadSchema,
           manifest: presignedUploadSchema
         }).optional()
@@ -1884,27 +2001,27 @@ var storagesPrepareContract = c5.router({
     summary: "Prepare for direct S3 upload"
   }
 });
-var storagesCommitContract = c5.router({
+var storagesCommitContract = c6.router({
   commit: {
     method: "POST",
     path: "/api/storages/commit",
     headers: authHeadersSchema,
-    body: z8.object({
-      storageName: z8.string().min(1, "Storage name is required"),
+    body: z9.object({
+      storageName: z9.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      versionId: z8.string().min(1, "Version ID is required"),
-      files: z8.array(fileEntryWithHashSchema),
-      runId: z8.string().optional(),
-      message: z8.string().optional()
+      versionId: z9.string().min(1, "Version ID is required"),
+      files: z9.array(fileEntryWithHashSchema),
+      runId: z9.string().optional(),
+      message: z9.string().optional()
     }),
     responses: {
-      200: z8.object({
-        success: z8.literal(true),
-        versionId: z8.string(),
-        storageName: z8.string(),
-        size: z8.number(),
-        fileCount: z8.number(),
-        deduplicated: z8.boolean().optional()
+      200: z9.object({
+        success: z9.literal(true),
+        versionId: z9.string(),
+        storageName: z9.string(),
+        size: z9.number(),
+        fileCount: z9.number(),
+        deduplicated: z9.boolean().optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -1918,31 +2035,31 @@ var storagesCommitContract = c5.router({
     summary: "Commit uploaded storage"
   }
 });
-var storagesDownloadContract = c5.router({
+var storagesDownloadContract = c6.router({
   download: {
     method: "GET",
     path: "/api/storages/download",
     headers: authHeadersSchema,
-    query: z8.object({
-      name: z8.string().min(1, "Storage name is required"),
+    query: z9.object({
+      name: z9.string().min(1, "Storage name is required"),
       type: storageTypeSchema,
       version: versionQuerySchema
     }),
     responses: {
       // Normal response with presigned URL
-      200: z8.union([
-        z8.object({
-          url: z8.url(),
-          versionId: z8.string(),
-          fileCount: z8.number(),
-          size: z8.number()
+      200: z9.union([
+        z9.object({
+          url: z9.url(),
+          versionId: z9.string(),
+          fileCount: z9.number(),
+          size: z9.number()
         }),
         // Empty artifact response
-        z8.object({
-          empty: z8.literal(true),
-          versionId: z8.string(),
-          fileCount: z8.literal(0),
-          size: z8.literal(0)
+        z9.object({
+          empty: z9.literal(true),
+          versionId: z9.string(),
+          fileCount: z9.literal(0),
+          size: z9.literal(0)
         })
       ]),
       400: apiErrorSchema,
@@ -1954,21 +2071,21 @@ var storagesDownloadContract = c5.router({
     summary: "Get presigned download URL"
   }
 });
-var storagesListContract = c5.router({
+var storagesListContract = c6.router({
   list: {
     method: "GET",
     path: "/api/storages/list",
     headers: authHeadersSchema,
-    query: z8.object({
+    query: z9.object({
       type: storageTypeSchema
     }),
     responses: {
-      200: z8.array(
-        z8.object({
-          name: z8.string(),
-          size: z8.number(),
-          fileCount: z8.number(),
-          updatedAt: z8.string()
+      200: z9.array(
+        z9.object({
+          name: z9.string(),
+          size: z9.number(),
+          fileCount: z9.number(),
+          updatedAt: z9.string()
         })
       ),
       401: apiErrorSchema,
@@ -1980,24 +2097,24 @@ var storagesListContract = c5.router({
 });
 
 // ../../packages/core/src/contracts/webhooks.ts
-import { z as z9 } from "zod";
-var c6 = initContract();
-var agentEventSchema = z9.object({
-  type: z9.string(),
-  sequenceNumber: z9.number().int().nonnegative()
+import { z as z10 } from "zod";
+var c7 = initContract();
+var agentEventSchema = z10.object({
+  type: z10.string(),
+  sequenceNumber: z10.number().int().nonnegative()
 }).passthrough();
-var artifactSnapshotSchema = z9.object({
-  artifactName: z9.string(),
-  artifactVersion: z9.string()
+var artifactSnapshotSchema = z10.object({
+  artifactName: z10.string(),
+  artifactVersion: z10.string()
 });
-var memorySnapshotSchema = z9.object({
-  memoryName: z9.string(),
-  memoryVersion: z9.string()
+var memorySnapshotSchema = z10.object({
+  memoryName: z10.string(),
+  memoryVersion: z10.string()
 });
-var volumeVersionsSnapshotSchema = z9.object({
-  versions: z9.record(z9.string(), z9.string())
+var volumeVersionsSnapshotSchema = z10.object({
+  versions: z10.record(z10.string(), z10.string())
 });
-var webhookEventsContract = c6.router({
+var webhookEventsContract = c7.router({
   /**
    * POST /api/webhooks/agent/events
    * Receive agent events from sandbox
@@ -2006,15 +2123,15 @@ var webhookEventsContract = c6.router({
     method: "POST",
     path: "/api/webhooks/agent/events",
     headers: authHeadersSchema,
-    body: z9.object({
-      runId: z9.string().min(1, "runId is required"),
-      events: z9.array(agentEventSchema).min(1, "events array cannot be empty")
+    body: z10.object({
+      runId: z10.string().min(1, "runId is required"),
+      events: z10.array(agentEventSchema).min(1, "events array cannot be empty")
     }),
     responses: {
-      200: z9.object({
-        received: z9.number(),
-        firstSequence: z9.number(),
-        lastSequence: z9.number()
+      200: z10.object({
+        received: z10.number(),
+        firstSequence: z10.number(),
+        lastSequence: z10.number()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -2024,7 +2141,7 @@ var webhookEventsContract = c6.router({
     summary: "Receive agent events from sandbox"
   }
 });
-var webhookCompleteContract = c6.router({
+var webhookCompleteContract = c7.router({
   /**
    * POST /api/webhooks/agent/complete
    * Handle agent run completion (success or failure)
@@ -2033,15 +2150,15 @@ var webhookCompleteContract = c6.router({
     method: "POST",
     path: "/api/webhooks/agent/complete",
     headers: authHeadersSchema,
-    body: z9.object({
-      runId: z9.string().min(1, "runId is required"),
-      exitCode: z9.number(),
-      error: z9.string().optional()
+    body: z10.object({
+      runId: z10.string().min(1, "runId is required"),
+      exitCode: z10.number(),
+      error: z10.string().optional()
     }),
     responses: {
-      200: z9.object({
-        success: z9.boolean(),
-        status: z9.enum(["completed", "failed"])
+      200: z10.object({
+        success: z10.boolean(),
+        status: z10.enum(["completed", "failed"])
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -2051,7 +2168,7 @@ var webhookCompleteContract = c6.router({
     summary: "Handle agent run completion"
   }
 });
-var webhookCheckpointsContract = c6.router({
+var webhookCheckpointsContract = c7.router({
   /**
    * POST /api/webhooks/agent/checkpoints
    * Create checkpoint for completed agent run
@@ -2060,23 +2177,23 @@ var webhookCheckpointsContract = c6.router({
     method: "POST",
     path: "/api/webhooks/agent/checkpoints",
     headers: authHeadersSchema,
-    body: z9.object({
-      runId: z9.string().min(1, "runId is required"),
-      cliAgentType: z9.string().min(1, "cliAgentType is required"),
-      cliAgentSessionId: z9.string().min(1, "cliAgentSessionId is required"),
-      cliAgentSessionHistory: z9.string().min(1, "cliAgentSessionHistory is required"),
+    body: z10.object({
+      runId: z10.string().min(1, "runId is required"),
+      cliAgentType: z10.string().min(1, "cliAgentType is required"),
+      cliAgentSessionId: z10.string().min(1, "cliAgentSessionId is required"),
+      cliAgentSessionHistory: z10.string().min(1, "cliAgentSessionHistory is required"),
       artifactSnapshot: artifactSnapshotSchema.optional(),
       memorySnapshot: memorySnapshotSchema.optional(),
       volumeVersionsSnapshot: volumeVersionsSnapshotSchema.optional()
     }),
     responses: {
-      200: z9.object({
-        checkpointId: z9.string(),
-        agentSessionId: z9.string(),
-        conversationId: z9.string(),
+      200: z10.object({
+        checkpointId: z10.string(),
+        agentSessionId: z10.string(),
+        conversationId: z10.string(),
         artifact: artifactSnapshotSchema.optional(),
         memory: memorySnapshotSchema.optional(),
-        volumes: z9.record(z9.string(), z9.string()).optional()
+        volumes: z10.record(z10.string(), z10.string()).optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -2086,7 +2203,7 @@ var webhookCheckpointsContract = c6.router({
     summary: "Create checkpoint for agent run"
   }
 });
-var webhookHeartbeatContract = c6.router({
+var webhookHeartbeatContract = c7.router({
   /**
    * POST /api/webhooks/agent/heartbeat
    * Receive heartbeat signals from sandbox
@@ -2095,12 +2212,12 @@ var webhookHeartbeatContract = c6.router({
     method: "POST",
     path: "/api/webhooks/agent/heartbeat",
     headers: authHeadersSchema,
-    body: z9.object({
-      runId: z9.string().min(1, "runId is required")
+    body: z10.object({
+      runId: z10.string().min(1, "runId is required")
     }),
     responses: {
-      200: z9.object({
-        ok: z9.boolean()
+      200: z10.object({
+        ok: z10.boolean()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -2110,7 +2227,7 @@ var webhookHeartbeatContract = c6.router({
     summary: "Receive heartbeat from sandbox"
   }
 });
-var webhookStoragesContract = c6.router({
+var webhookStoragesContract = c7.router({
   /**
    * POST /api/webhooks/agent/storages
    * Create a new version of a storage from sandbox
@@ -2126,13 +2243,13 @@ var webhookStoragesContract = c6.router({
     path: "/api/webhooks/agent/storages",
     headers: authHeadersSchema,
     contentType: "multipart/form-data",
-    body: c6.type(),
+    body: c7.type(),
     responses: {
-      200: z9.object({
-        versionId: z9.string(),
-        storageName: z9.string(),
-        size: z9.number(),
-        fileCount: z9.number()
+      200: z10.object({
+        versionId: z10.string(),
+        storageName: z10.string(),
+        size: z10.number(),
+        fileCount: z10.number()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -2142,7 +2259,7 @@ var webhookStoragesContract = c6.router({
     summary: "Upload storage version from sandbox"
   }
 });
-var webhookStoragesIncrementalContract = c6.router({
+var webhookStoragesIncrementalContract = c7.router({
   /**
    * POST /api/webhooks/agent/storages/incremental
    * Create a new version using incremental upload
@@ -2160,19 +2277,19 @@ var webhookStoragesIncrementalContract = c6.router({
     path: "/api/webhooks/agent/storages/incremental",
     headers: authHeadersSchema,
     contentType: "multipart/form-data",
-    body: c6.type(),
+    body: c7.type(),
     responses: {
-      200: z9.object({
-        versionId: z9.string(),
-        storageName: z9.string(),
-        size: z9.number(),
-        fileCount: z9.number(),
-        incrementalStats: z9.object({
-          addedFiles: z9.number(),
-          modifiedFiles: z9.number(),
-          deletedFiles: z9.number(),
-          unchangedFiles: z9.number(),
-          bytesUploaded: z9.number()
+      200: z10.object({
+        versionId: z10.string(),
+        storageName: z10.string(),
+        size: z10.number(),
+        fileCount: z10.number(),
+        incrementalStats: z10.object({
+          addedFiles: z10.number(),
+          modifiedFiles: z10.number(),
+          deletedFiles: z10.number(),
+          unchangedFiles: z10.number(),
+          bytesUploaded: z10.number()
         }).optional()
       }),
       400: apiErrorSchema,
@@ -2183,36 +2300,36 @@ var webhookStoragesIncrementalContract = c6.router({
     summary: "Upload storage version incrementally from sandbox"
   }
 });
-var metricDataSchema = z9.object({
-  ts: z9.string(),
-  cpu: z9.number(),
-  mem_used: z9.number(),
-  mem_total: z9.number(),
-  disk_used: z9.number(),
-  disk_total: z9.number()
+var metricDataSchema = z10.object({
+  ts: z10.string(),
+  cpu: z10.number(),
+  mem_used: z10.number(),
+  mem_total: z10.number(),
+  disk_used: z10.number(),
+  disk_total: z10.number()
 });
-var sandboxOperationSchema = z9.object({
-  ts: z9.string(),
-  action_type: z9.string(),
-  duration_ms: z9.number(),
-  success: z9.boolean(),
-  error: z9.string().optional()
+var sandboxOperationSchema = z10.object({
+  ts: z10.string(),
+  action_type: z10.string(),
+  duration_ms: z10.number(),
+  success: z10.boolean(),
+  error: z10.string().optional()
 });
-var networkLogSchema = z9.object({
-  timestamp: z9.string(),
-  mode: z9.literal("mitm").optional(),
-  action: z9.enum(["ALLOW", "DENY"]).optional(),
-  host: z9.string().optional(),
-  port: z9.number().optional(),
-  rule_matched: z9.string().nullable().optional(),
-  method: z9.string().optional(),
-  url: z9.string().optional(),
-  status: z9.number().optional(),
-  latency_ms: z9.number().optional(),
-  request_size: z9.number().optional(),
-  response_size: z9.number().optional()
+var networkLogSchema = z10.object({
+  timestamp: z10.string(),
+  mode: z10.literal("mitm").optional(),
+  action: z10.enum(["ALLOW", "DENY"]).optional(),
+  host: z10.string().optional(),
+  port: z10.number().optional(),
+  rule_matched: z10.string().nullable().optional(),
+  method: z10.string().optional(),
+  url: z10.string().optional(),
+  status: z10.number().optional(),
+  latency_ms: z10.number().optional(),
+  request_size: z10.number().optional(),
+  response_size: z10.number().optional()
 });
-var webhookTelemetryContract = c6.router({
+var webhookTelemetryContract = c7.router({
   /**
    * POST /api/webhooks/agent/telemetry
    * Receive telemetry data (system log, metrics, network logs, and sandbox operations) from sandbox
@@ -2221,17 +2338,17 @@ var webhookTelemetryContract = c6.router({
     method: "POST",
     path: "/api/webhooks/agent/telemetry",
     headers: authHeadersSchema,
-    body: z9.object({
-      runId: z9.string().min(1, "runId is required"),
-      systemLog: z9.string().optional(),
-      metrics: z9.array(metricDataSchema).optional(),
-      networkLogs: z9.array(networkLogSchema).optional(),
-      sandboxOperations: z9.array(sandboxOperationSchema).optional()
+    body: z10.object({
+      runId: z10.string().min(1, "runId is required"),
+      systemLog: z10.string().optional(),
+      metrics: z10.array(metricDataSchema).optional(),
+      networkLogs: z10.array(networkLogSchema).optional(),
+      sandboxOperations: z10.array(sandboxOperationSchema).optional()
     }),
     responses: {
-      200: z9.object({
-        success: z9.boolean(),
-        id: z9.string()
+      200: z10.object({
+        success: z10.boolean(),
+        id: z10.string()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -2241,26 +2358,27 @@ var webhookTelemetryContract = c6.router({
     summary: "Receive telemetry data from sandbox"
   }
 });
-var webhookStoragesPrepareContract = c6.router({
+var webhookStoragesPrepareContract = c7.router({
   prepare: {
     method: "POST",
     path: "/api/webhooks/agent/storages/prepare",
     headers: authHeadersSchema,
-    body: z9.object({
-      runId: z9.string().min(1, "runId is required"),
+    body: z10.object({
+      runId: z10.string().min(1, "runId is required"),
       // Required for webhook auth
-      storageName: z9.string().min(1, "Storage name is required"),
+      storageName: z10.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      files: z9.array(fileEntryWithHashSchema),
-      force: z9.boolean().optional(),
-      baseVersion: z9.string().optional(),
+      files: z10.array(fileEntryWithHashSchema),
+      parentVersionId: z10.string().optional(),
+      force: z10.boolean().optional(),
+      baseVersion: z10.string().optional(),
       changes: storageChangesSchema.optional()
     }),
     responses: {
-      200: z9.object({
-        versionId: z9.string(),
-        existing: z9.boolean(),
-        uploads: z9.object({
+      200: z10.object({
+        versionId: z10.string(),
+        existing: z10.boolean(),
+        uploads: z10.object({
           archive: presignedUploadSchema,
           manifest: presignedUploadSchema
         }).optional()
@@ -2274,28 +2392,29 @@ var webhookStoragesPrepareContract = c6.router({
     summary: "Prepare for direct S3 upload from sandbox"
   }
 });
-var webhookStoragesCommitContract = c6.router({
+var webhookStoragesCommitContract = c7.router({
   commit: {
     method: "POST",
     path: "/api/webhooks/agent/storages/commit",
     headers: authHeadersSchema,
-    body: z9.object({
-      runId: z9.string().min(1, "runId is required"),
+    body: z10.object({
+      runId: z10.string().min(1, "runId is required"),
       // Required for webhook auth
-      storageName: z9.string().min(1, "Storage name is required"),
+      storageName: z10.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      versionId: z9.string().min(1, "Version ID is required"),
-      files: z9.array(fileEntryWithHashSchema),
-      message: z9.string().optional()
+      versionId: z10.string().min(1, "Version ID is required"),
+      parentVersionId: z10.string().optional(),
+      files: z10.array(fileEntryWithHashSchema),
+      message: z10.string().optional()
     }),
     responses: {
-      200: z9.object({
-        success: z9.literal(true),
-        versionId: z9.string(),
-        storageName: z9.string(),
-        size: z9.number(),
-        fileCount: z9.number(),
-        deduplicated: z9.boolean().optional()
+      200: z10.object({
+        success: z10.literal(true),
+        versionId: z10.string(),
+        storageName: z10.string(),
+        size: z10.number(),
+        fileCount: z10.number(),
+        deduplicated: z10.boolean().optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -2310,13 +2429,13 @@ var webhookStoragesCommitContract = c6.router({
 });
 
 // ../../packages/core/src/contracts/cli-auth.ts
-import { z as z10 } from "zod";
-var c7 = initContract();
-var oauthErrorSchema = z10.object({
-  error: z10.string(),
-  error_description: z10.string()
+import { z as z11 } from "zod";
+var c8 = initContract();
+var oauthErrorSchema = z11.object({
+  error: z11.string(),
+  error_description: z11.string()
 });
-var cliAuthDeviceContract = c7.router({
+var cliAuthDeviceContract = c8.router({
   /**
    * POST /api/cli/auth/device
    * Initiate device authorization flow
@@ -2324,21 +2443,21 @@ var cliAuthDeviceContract = c7.router({
   create: {
     method: "POST",
     path: "/api/cli/auth/device",
-    body: z10.object({}).optional(),
+    body: z11.object({}).optional(),
     responses: {
-      200: z10.object({
-        device_code: z10.string(),
-        user_code: z10.string(),
-        verification_path: z10.string(),
-        expires_in: z10.number(),
-        interval: z10.number()
+      200: z11.object({
+        device_code: z11.string(),
+        user_code: z11.string(),
+        verification_path: z11.string(),
+        expires_in: z11.number(),
+        interval: z11.number()
       }),
       500: oauthErrorSchema
     },
     summary: "Initiate device authorization flow"
   }
 });
-var cliAuthTokenContract = c7.router({
+var cliAuthTokenContract = c8.router({
   /**
    * POST /api/cli/auth/token
    * Exchange device code for access token
@@ -2346,16 +2465,16 @@ var cliAuthTokenContract = c7.router({
   exchange: {
     method: "POST",
     path: "/api/cli/auth/token",
-    body: z10.object({
-      device_code: z10.string().min(1, "device_code is required")
+    body: z11.object({
+      device_code: z11.string().min(1, "device_code is required")
     }),
     responses: {
       // Success - token issued
-      200: z10.object({
-        access_token: z10.string(),
-        token_type: z10.literal("Bearer"),
-        expires_in: z10.number(),
-        org_slug: z10.string().optional()
+      200: z11.object({
+        access_token: z11.string(),
+        token_type: z11.literal("Bearer"),
+        expires_in: z11.number(),
+        org_slug: z11.string().optional()
       }),
       // Authorization pending
       202: oauthErrorSchema,
@@ -2368,9 +2487,9 @@ var cliAuthTokenContract = c7.router({
 });
 
 // ../../packages/core/src/contracts/auth.ts
-import { z as z11 } from "zod";
-var c8 = initContract();
-var authContract = c8.router({
+import { z as z12 } from "zod";
+var c9 = initContract();
+var authContract = c9.router({
   /**
    * GET /api/auth/me
    * Get current user information
@@ -2380,9 +2499,9 @@ var authContract = c8.router({
     path: "/api/auth/me",
     headers: authHeadersSchema,
     responses: {
-      200: z11.object({
-        userId: z11.string(),
-        email: z11.string()
+      200: z12.object({
+        userId: z12.string(),
+        email: z12.string()
       }),
       401: apiErrorSchema,
       403: apiErrorSchema,
@@ -2394,23 +2513,21 @@ var authContract = c8.router({
 });
 
 // ../../packages/core/src/contracts/cron.ts
-import { z as z12 } from "zod";
-var c9 = initContract();
-var cleanupResultSchema = z12.object({
-  runId: z12.string(),
-  sandboxId: z12.string().nullable(),
-  status: z12.enum(["cleaned", "error"]),
-  error: z12.string().optional(),
-  reason: z12.string().optional()
+import { z as z13 } from "zod";
+var c10 = initContract();
+var cleanupResultSchema = z13.object({
+  runId: z13.string(),
+  sandboxId: z13.string().nullable(),
+  status: z13.enum(["cleaned", "error"]),
+  error: z13.string().optional(),
+  reason: z13.string().optional()
 });
-var cleanupResponseSchema = z12.object({
-  cleaned: z12.number(),
-  errors: z12.number(),
-  results: z12.array(cleanupResultSchema),
-  composeJobsCleaned: z12.number(),
-  composeJobErrors: z12.number()
+var cleanupResponseSchema = z13.object({
+  cleaned: z13.number(),
+  errors: z13.number(),
+  results: z13.array(cleanupResultSchema)
 });
-var cronCleanupSandboxesContract = c9.router({
+var cronCleanupSandboxesContract = c10.router({
   /**
    * GET /api/cron/cleanup-sandboxes
    * Cron job to cleanup sandboxes that have stopped sending heartbeats
@@ -2429,30 +2546,30 @@ var cronCleanupSandboxesContract = c9.router({
 });
 
 // ../../packages/core/src/contracts/secrets.ts
-import { z as z13 } from "zod";
-var c10 = initContract();
-var secretNameSchema = z13.string().min(1, "Secret name is required").max(255, "Secret name must be at most 255 characters").regex(
+import { z as z14 } from "zod";
+var c11 = initContract();
+var secretNameSchema = z14.string().min(1, "Secret name is required").max(255, "Secret name must be at most 255 characters").regex(
   /^[A-Z][A-Z0-9_]*$/,
   "Secret name must contain only uppercase letters, numbers, and underscores, and must start with a letter (e.g., MY_API_KEY)"
 );
-var secretTypeSchema = z13.enum(["user", "model-provider", "connector"]);
-var secretResponseSchema = z13.object({
-  id: z13.uuid(),
-  name: z13.string(),
-  description: z13.string().nullable(),
+var secretTypeSchema = z14.enum(["user", "model-provider", "connector"]);
+var secretResponseSchema = z14.object({
+  id: z14.uuid(),
+  name: z14.string(),
+  description: z14.string().nullable(),
   type: secretTypeSchema,
-  createdAt: z13.string(),
-  updatedAt: z13.string()
+  createdAt: z14.string(),
+  updatedAt: z14.string()
 });
-var secretListResponseSchema = z13.object({
-  secrets: z13.array(secretResponseSchema)
+var secretListResponseSchema = z14.object({
+  secrets: z14.array(secretResponseSchema)
 });
-var setSecretRequestSchema = z13.object({
+var setSecretRequestSchema = z14.object({
   name: secretNameSchema,
-  value: z13.string().min(1, "Secret value is required"),
-  description: z13.string().max(1e3).optional()
+  value: z14.string().min(1, "Secret value is required"),
+  description: z14.string().max(1e3).optional()
 });
-var secretsMainContract = c10.router({
+var secretsMainContract = c11.router({
   /**
    * GET /api/secrets
    * List all secrets for the current user's org (metadata only)
@@ -2487,7 +2604,7 @@ var secretsMainContract = c10.router({
     summary: "Create or update a secret"
   }
 });
-var secretsByNameContract = c10.router({
+var secretsByNameContract = c11.router({
   /**
    * GET /api/secrets/:name
    * Get a secret by name (metadata only)
@@ -2496,7 +2613,7 @@ var secretsByNameContract = c10.router({
     method: "GET",
     path: "/api/secrets/:name",
     headers: authHeadersSchema,
-    pathParams: z13.object({
+    pathParams: z14.object({
       name: secretNameSchema
     }),
     responses: {
@@ -2515,11 +2632,11 @@ var secretsByNameContract = c10.router({
     method: "DELETE",
     path: "/api/secrets/:name",
     headers: authHeadersSchema,
-    pathParams: z13.object({
+    pathParams: z14.object({
       name: secretNameSchema
     }),
     responses: {
-      204: c10.noBody(),
+      204: c11.noBody(),
       401: apiErrorSchema,
       404: apiErrorSchema,
       500: apiErrorSchema
@@ -2529,29 +2646,29 @@ var secretsByNameContract = c10.router({
 });
 
 // ../../packages/core/src/contracts/variables.ts
-import { z as z14 } from "zod";
-var c11 = initContract();
-var variableNameSchema = z14.string().min(1, "Variable name is required").max(255, "Variable name must be at most 255 characters").regex(
+import { z as z15 } from "zod";
+var c12 = initContract();
+var variableNameSchema = z15.string().min(1, "Variable name is required").max(255, "Variable name must be at most 255 characters").regex(
   /^[A-Z][A-Z0-9_]*$/,
   "Variable name must contain only uppercase letters, numbers, and underscores, and must start with a letter (e.g., MY_VAR)"
 );
-var variableResponseSchema = z14.object({
-  id: z14.uuid(),
-  name: z14.string(),
-  value: z14.string(),
-  description: z14.string().nullable(),
-  createdAt: z14.string(),
-  updatedAt: z14.string()
+var variableResponseSchema = z15.object({
+  id: z15.uuid(),
+  name: z15.string(),
+  value: z15.string(),
+  description: z15.string().nullable(),
+  createdAt: z15.string(),
+  updatedAt: z15.string()
 });
-var variableListResponseSchema = z14.object({
-  variables: z14.array(variableResponseSchema)
+var variableListResponseSchema = z15.object({
+  variables: z15.array(variableResponseSchema)
 });
-var setVariableRequestSchema = z14.object({
+var setVariableRequestSchema = z15.object({
   name: variableNameSchema,
-  value: z14.string().min(1, "Variable value is required"),
-  description: z14.string().max(1e3).optional()
+  value: z15.string().min(1, "Variable value is required"),
+  description: z15.string().max(1e3).optional()
 });
-var variablesMainContract = c11.router({
+var variablesMainContract = c12.router({
   /**
    * GET /api/variables
    * List all variables for the current user's org (includes values)
@@ -2586,7 +2703,7 @@ var variablesMainContract = c11.router({
     summary: "Create or update a variable"
   }
 });
-var variablesByNameContract = c11.router({
+var variablesByNameContract = c12.router({
   /**
    * GET /api/variables/:name
    * Get a variable by name (includes value)
@@ -2595,7 +2712,7 @@ var variablesByNameContract = c11.router({
     method: "GET",
     path: "/api/variables/:name",
     headers: authHeadersSchema,
-    pathParams: z14.object({
+    pathParams: z15.object({
       name: variableNameSchema
     }),
     responses: {
@@ -2614,11 +2731,11 @@ var variablesByNameContract = c11.router({
     method: "DELETE",
     path: "/api/variables/:name",
     headers: authHeadersSchema,
-    pathParams: z14.object({
+    pathParams: z15.object({
       name: variableNameSchema
     }),
     responses: {
-      204: c11.noBody(),
+      204: c12.noBody(),
       401: apiErrorSchema,
       404: apiErrorSchema,
       500: apiErrorSchema
@@ -2628,7 +2745,30 @@ var variablesByNameContract = c11.router({
 });
 
 // ../../packages/core/src/contracts/model-providers.ts
-import { z as z15 } from "zod";
+import { z as z16 } from "zod";
+var VM0_MODEL_TO_PROVIDER = {
+  "claude-sonnet-4.6": {
+    concreteType: "anthropic-api-key",
+    vendor: "anthropic"
+  },
+  "claude-opus-4.6": {
+    concreteType: "anthropic-api-key",
+    vendor: "anthropic"
+  },
+  "kimi-k2.5": { concreteType: "moonshot-api-key", vendor: "moonshot" },
+  "kimi-k2-thinking-turbo": {
+    concreteType: "moonshot-api-key",
+    vendor: "moonshot"
+  },
+  "kimi-k2-thinking": {
+    concreteType: "moonshot-api-key",
+    vendor: "moonshot"
+  },
+  "glm-5": { concreteType: "zai-api-key", vendor: "zai" },
+  "glm-4.7": { concreteType: "zai-api-key", vendor: "zai" },
+  "glm-4.5-air": { concreteType: "zai-api-key", vendor: "zai" },
+  "MiniMax-M2.1": { concreteType: "minimax-api-key", vendor: "minimax" }
+};
 var MODEL_PROVIDER_TYPES = {
   "claude-code-oauth-token": {
     framework: "claude-code",
@@ -2877,21 +3017,126 @@ var MODEL_PROVIDER_TYPES = {
     defaultModel: "",
     allowCustomModel: true,
     customModelPlaceholder: "anthropic.claude-sonnet-4-20250514-v1:0"
+  },
+  vm0: {
+    framework: "claude-code",
+    label: "VM0 Managed",
+    models: Object.keys(VM0_MODEL_TO_PROVIDER),
+    defaultModel: "claude-sonnet-4.6"
   }
 };
-var modelProviderTypeSchema = z15.enum([
-  "claude-code-oauth-token",
-  "anthropic-api-key",
-  "openrouter-api-key",
-  "moonshot-api-key",
-  "minimax-api-key",
-  "deepseek-api-key",
-  "zai-api-key",
+var HIDDEN_PROVIDER_TYPES = /* @__PURE__ */ new Set([
+  "aws-bedrock",
+  "azure-foundry"
+]);
+function getSelectableProviderTypes() {
+  return Object.keys(MODEL_PROVIDER_TYPES).filter(
+    (type2) => !HIDDEN_PROVIDER_TYPES.has(type2)
+  );
+}
+var ANTHROPIC_API_BASE = "https://api.anthropic.com";
+function getFirewallBaseUrl(type2) {
+  return getEnvironmentMapping(type2)?.ANTHROPIC_BASE_URL ?? ANTHROPIC_API_BASE;
+}
+function mpFirewall(type2, authHeaders, placeholders) {
+  return {
+    name: `model-provider:${type2}`,
+    ref: "__auto__",
+    apis: [
+      {
+        base: getFirewallBaseUrl(type2),
+        auth: { headers: authHeaders },
+        permissions: [{ name: "all", rules: ["ANY /{path*}"] }]
+      }
+    ],
+    placeholders
+  };
+}
+var MODEL_PROVIDER_FIREWALL_CONFIGS = {
+  // Placeholder: sk-ant-api03-{93 word/hyphen chars}AA (108 chars total)
+  // Source: Semgrep regex \Bsk-ant-api03-[\w\-]{93}AA\B
+  //   https://semgrep.dev/blog/2025/secrets-story-and-prefixed-secrets/
+  "anthropic-api-key": mpFirewall(
+    "anthropic-api-key",
+    { "x-api-key": "${{ secrets.ANTHROPIC_API_KEY }}" },
+    {
+      ANTHROPIC_API_KEY: "sk-ant-api03-vm0placeholder0000000000000000000000000000000000000000000000000000000000000000000000000000000AA"
+    }
+  ),
+  // Placeholder: sk-ant-oat01-{93 word/hyphen chars}AA (108 chars total)
+  // Source: same structure as API key; prefix from claude setup-token output
+  //   https://github.com/anthropics/claude-code/issues/18340
+  //   Example: sk-ant-oat01-xxxxx...xxxxx (1-year OAuth token)
+  "claude-code-oauth-token": mpFirewall(
+    "claude-code-oauth-token",
+    { Authorization: "Bearer ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}" },
+    {
+      CLAUDE_CODE_OAUTH_TOKEN: "sk-ant-oat01-vm0placeholder0000000000000000000000000000000000000000000000000000000000000000000000000000000AA"
+    }
+  ),
+  // Placeholder: sk-or-v1-{64 hex chars} (73 chars total)
+  // Source: real key observed in GitHub issue
+  //   https://github.com/continuedev/continue/issues/6191
+  //   Example: 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
+  "openrouter-api-key": mpFirewall(
+    "openrouter-api-key",
+    { Authorization: "Bearer ${{ secrets.OPENROUTER_API_KEY }}" },
+    {
+      OPENROUTER_API_KEY: "sk-or-v1-vm0placeholder00000000000000000000000000000000000000000000000000"
+    }
+  ),
+  // Placeholder: sk-{32 chars} (35 chars total)
+  // Source: no authoritative format documentation found; using generic sk- prefix
+  "moonshot-api-key": mpFirewall(
+    "moonshot-api-key",
+    { Authorization: "Bearer ${{ secrets.MOONSHOT_API_KEY }}" },
+    { MOONSHOT_API_KEY: "sk-vm0placeholder000000000000000000" }
+  ),
+  // Placeholder: eyJ... (JWT-style, variable length)
+  // Source: no authoritative format documentation found; MiniMax docs do not disclose key format
+  //   https://platform.minimax.io/docs/api-reference/api-overview
+  "minimax-api-key": mpFirewall(
+    "minimax-api-key",
+    { Authorization: "Bearer ${{ secrets.MINIMAX_API_KEY }}" },
+    { MINIMAX_API_KEY: "eyvm0placeholder000000000000000000000000000000000000" }
+  ),
+  // Placeholder: sk-{32 hex chars} (35 chars total)
+  // Source: Semgrep regex \bsk-[a-f0-9]{32}\b
+  //   https://semgrep.dev/blog/2025/secrets-story-and-prefixed-secrets/
+  "deepseek-api-key": mpFirewall(
+    "deepseek-api-key",
+    { Authorization: "Bearer ${{ secrets.DEEPSEEK_API_KEY }}" },
+    { DEEPSEEK_API_KEY: "sk-vm0placeholder000000000000000000" }
+  ),
+  // Placeholder: sk-{32 chars} (35 chars total)
+  // Source: no authoritative format documentation found; using generic sk- prefix
+  "zai-api-key": mpFirewall(
+    "zai-api-key",
+    { Authorization: "Bearer ${{ secrets.ZAI_API_KEY }}" },
+    { ZAI_API_KEY: "sk-vm0placeholder000000000000000000" }
+  ),
+  // Placeholder: sk-{32 chars} (35 chars total)
+  // Source: no authoritative format documentation found; Vercel gateway proxies upstream providers
+  "vercel-ai-gateway": mpFirewall(
+    "vercel-ai-gateway",
+    { Authorization: "Bearer ${{ secrets.VERCEL_AI_GATEWAY_API_KEY }}" },
+    { VERCEL_AI_GATEWAY_API_KEY: "sk-vm0placeholder000000000000000000" }
+  )
+};
+var modelProviderTypeSchema = z16.enum([
+  "claude-code-oauth-token",
+  "anthropic-api-key",
+  "openrouter-api-key",
+  "moonshot-api-key",
+  "minimax-api-key",
+  "deepseek-api-key",
+  "zai-api-key",
   "vercel-ai-gateway",
   "azure-foundry",
-  "aws-bedrock"
+  "aws-bedrock",
+  "vm0"
 ]);
-var modelProviderFrameworkSchema = z15.enum(["claude-code"]);
+var modelProviderFrameworkSchema = z16.enum(["claude-code"]);
 function hasAuthMethods(type2) {
   const config = MODEL_PROVIDER_TYPES[type2];
   return "authMethods" in config;
@@ -2912,6 +3157,10 @@ function getSecretsForAuthMethod(type2, authMethod) {
   const method = authMethods[authMethod];
   return method?.secrets;
 }
+function getEnvironmentMapping(type2) {
+  const config = MODEL_PROVIDER_TYPES[type2];
+  return "environmentMapping" in config ? config.environmentMapping : void 0;
+}
 function getModels(type2) {
   const config = MODEL_PROVIDER_TYPES[type2];
   return "models" in config ? config.models : void 0;
@@ -2932,91 +3181,91 @@ function getCustomModelPlaceholder(type2) {
   const config = MODEL_PROVIDER_TYPES[type2];
   return "customModelPlaceholder" in config ? config.customModelPlaceholder : void 0;
 }
-var modelProviderResponseSchema = z15.object({
-  id: z15.uuid(),
+var modelProviderResponseSchema = z16.object({
+  id: z16.uuid(),
   type: modelProviderTypeSchema,
   framework: modelProviderFrameworkSchema,
-  secretName: z15.string().nullable(),
+  secretName: z16.string().nullable(),
   // Legacy single-secret (deprecated for multi-auth)
-  authMethod: z15.string().nullable(),
+  authMethod: z16.string().nullable(),
   // For multi-auth providers
-  secretNames: z15.array(z15.string()).nullable(),
+  secretNames: z16.array(z16.string()).nullable(),
   // For multi-auth providers
-  isDefault: z15.boolean(),
-  selectedModel: z15.string().nullable(),
-  createdAt: z15.string(),
-  updatedAt: z15.string()
+  isDefault: z16.boolean(),
+  selectedModel: z16.string().nullable(),
+  createdAt: z16.string(),
+  updatedAt: z16.string()
 });
-var modelProviderListResponseSchema = z15.object({
-  modelProviders: z15.array(modelProviderResponseSchema)
+var modelProviderListResponseSchema = z16.object({
+  modelProviders: z16.array(modelProviderResponseSchema)
 });
-var upsertModelProviderRequestSchema = z15.object({
+var upsertModelProviderRequestSchema = z16.object({
   type: modelProviderTypeSchema,
-  secret: z15.string().min(1).optional(),
+  secret: z16.string().min(1).optional(),
   // Legacy single secret
-  authMethod: z15.string().optional(),
+  authMethod: z16.string().optional(),
   // For multi-auth providers
-  secrets: z15.record(z15.string(), z15.string()).optional(),
+  secrets: z16.record(z16.string(), z16.string()).optional(),
   // For multi-auth providers
-  selectedModel: z15.string().optional()
+  selectedModel: z16.string().optional()
 });
-var upsertModelProviderResponseSchema = z15.object({
+var upsertModelProviderResponseSchema = z16.object({
   provider: modelProviderResponseSchema,
-  created: z15.boolean()
+  created: z16.boolean()
 });
-var updateModelRequestSchema = z15.object({
-  selectedModel: z15.string().optional()
+var updateModelRequestSchema = z16.object({
+  selectedModel: z16.string().optional()
 });
 
 // ../../packages/core/src/contracts/sessions.ts
-import { z as z16 } from "zod";
-var c12 = initContract();
-var storedChatMessageSchema = z16.object({
-  role: z16.enum(["user", "assistant"]),
-  content: z16.string(),
-  runId: z16.string().optional(),
-  summaries: z16.array(z16.string()).optional(),
-  createdAt: z16.string()
+import { z as z17 } from "zod";
+var c13 = initContract();
+var storedChatMessageSchema = z17.object({
+  role: z17.enum(["user", "assistant"]),
+  content: z17.string(),
+  runId: z17.string().optional(),
+  summaries: z17.array(z17.string()).optional(),
+  createdAt: z17.string()
 });
-var sessionResponseSchema = z16.object({
-  id: z16.string(),
-  agentComposeId: z16.string(),
-  conversationId: z16.string().nullable(),
-  artifactName: z16.string().nullable(),
-  secretNames: z16.array(z16.string()).nullable(),
-  chatMessages: z16.array(storedChatMessageSchema).optional(),
-  createdAt: z16.string(),
-  updatedAt: z16.string()
+var sessionResponseSchema = z17.object({
+  id: z17.string(),
+  agentComposeId: z17.string(),
+  conversationId: z17.string().nullable(),
+  artifactName: z17.string().nullable(),
+  secretNames: z17.array(z17.string()).nullable(),
+  chatMessages: z17.array(storedChatMessageSchema).optional(),
+  createdAt: z17.string(),
+  updatedAt: z17.string()
 });
-var sessionListItemSchema = z16.object({
-  id: z16.string(),
-  createdAt: z16.string(),
-  updatedAt: z16.string(),
-  messageCount: z16.number(),
-  preview: z16.string().nullable()
+var sessionListItemSchema = z17.object({
+  id: z17.string(),
+  createdAt: z17.string(),
+  updatedAt: z17.string(),
+  messageCount: z17.number(),
+  preview: z17.string().nullable()
 });
-var agentComposeSnapshotSchema = z16.object({
-  agentComposeVersionId: z16.string(),
-  vars: z16.record(z16.string(), z16.string()).optional(),
-  secretNames: z16.array(z16.string()).optional()
+var agentComposeSnapshotSchema = z17.object({
+  agentComposeVersionId: z17.string(),
+  vars: z17.record(z17.string(), z17.string()).optional(),
+  secretNames: z17.array(z17.string()).optional()
 });
-var artifactSnapshotSchema2 = z16.object({
-  artifactName: z16.string(),
-  artifactVersion: z16.string()
+var artifactSnapshotSchema2 = z17.object({
+  artifactName: z17.string(),
+  artifactVersion: z17.string()
 });
-var volumeVersionsSnapshotSchema2 = z16.object({
-  versions: z16.record(z16.string(), z16.string())
+var volumeVersionsSnapshotSchema2 = z17.object({
+  versions: z17.record(z17.string(), z17.string())
 });
-var checkpointResponseSchema = z16.object({
-  id: z16.string(),
-  runId: z16.string(),
-  conversationId: z16.string(),
+var checkpointResponseSchema = z17.object({
+  id: z17.string(),
+  runId: z17.string(),
+  conversationId: z17.string(),
   agentComposeSnapshot: agentComposeSnapshotSchema,
   artifactSnapshot: artifactSnapshotSchema2.nullable(),
   volumeVersionsSnapshot: volumeVersionsSnapshotSchema2.nullable(),
-  createdAt: z16.string()
+  createdAt: z17.string()
 });
-var sessionsContract = c12.router({
+var sessionsContract = c13.router({
   /**
    * GET /api/agent/sessions?agentComposeId=X
    * List chat sessions for an agent
@@ -3025,17 +3274,17 @@ var sessionsContract = c12.router({
     method: "GET",
     path: "/api/agent/sessions",
     headers: authHeadersSchema,
-    query: z16.object({
-      agentComposeId: z16.string().min(1, "agentComposeId is required")
+    query: z17.object({
+      agentComposeId: z17.string().min(1, "agentComposeId is required")
     }),
     responses: {
-      200: z16.object({ sessions: z16.array(sessionListItemSchema) }),
+      200: z17.object({ sessions: z17.array(sessionListItemSchema) }),
       401: apiErrorSchema
     },
     summary: "List chat sessions for an agent"
   }
 });
-var sessionsByIdContract = c12.router({
+var sessionsByIdContract = c13.router({
   /**
    * GET /api/agent/sessions/:id
    * Get session by ID
@@ -3044,8 +3293,8 @@ var sessionsByIdContract = c12.router({
     method: "GET",
     path: "/api/agent/sessions/:id",
     headers: authHeadersSchema,
-    pathParams: z16.object({
-      id: z16.string().min(1, "Session ID is required")
+    pathParams: z17.object({
+      id: z17.string().min(1, "Session ID is required")
     }),
     responses: {
       200: sessionResponseSchema,
@@ -3056,7 +3305,7 @@ var sessionsByIdContract = c12.router({
     summary: "Get session by ID"
   }
 });
-var sessionMessagesContract = c12.router({
+var sessionMessagesContract = c13.router({
   /**
    * POST /api/agent/sessions/:id/messages
    * Append chat messages to a session
@@ -3065,20 +3314,20 @@ var sessionMessagesContract = c12.router({
     method: "POST",
     path: "/api/agent/sessions/:id/messages",
     headers: authHeadersSchema,
-    pathParams: z16.object({
-      id: z16.string().min(1, "Session ID is required")
+    pathParams: z17.object({
+      id: z17.string().min(1, "Session ID is required")
     }),
-    body: z16.object({
-      messages: z16.array(
-        z16.object({
-          role: z16.enum(["user", "assistant"]),
-          content: z16.string(),
-          runId: z16.string().optional()
+    body: z17.object({
+      messages: z17.array(
+        z17.object({
+          role: z17.enum(["user", "assistant"]),
+          content: z17.string(),
+          runId: z17.string().optional()
         })
       )
     }),
     responses: {
-      200: z16.object({ success: z16.literal(true) }),
+      200: z17.object({ success: z17.literal(true) }),
       401: apiErrorSchema,
       403: apiErrorSchema,
       404: apiErrorSchema
@@ -3086,7 +3335,7 @@ var sessionMessagesContract = c12.router({
     summary: "Append chat messages to a session"
   }
 });
-var checkpointsByIdContract = c12.router({
+var checkpointsByIdContract = c13.router({
   /**
    * GET /api/agent/checkpoints/:id
    * Get checkpoint by ID
@@ -3095,8 +3344,8 @@ var checkpointsByIdContract = c12.router({
     method: "GET",
     path: "/api/agent/checkpoints/:id",
     headers: authHeadersSchema,
-    pathParams: z16.object({
-      id: z16.string().min(1, "Checkpoint ID is required")
+    pathParams: z17.object({
+      id: z17.string().min(1, "Checkpoint ID is required")
     }),
     responses: {
       200: checkpointResponseSchema,
@@ -3109,48 +3358,49 @@ var checkpointsByIdContract = c12.router({
 });
 
 // ../../packages/core/src/contracts/chat-threads.ts
-import { z as z17 } from "zod";
-var c13 = initContract();
-var chatThreadListItemSchema = z17.object({
-  id: z17.string(),
-  title: z17.string().nullable(),
-  preview: z17.string().nullable(),
-  createdAt: z17.string(),
-  updatedAt: z17.string()
+import { z as z18 } from "zod";
+var c14 = initContract();
+var chatThreadListItemSchema = z18.object({
+  id: z18.string(),
+  title: z18.string().nullable(),
+  preview: z18.string().nullable(),
+  createdAt: z18.string(),
+  updatedAt: z18.string()
 });
-var storedChatMessageSchema2 = z17.object({
-  role: z17.enum(["user", "assistant"]),
-  content: z17.string(),
-  runId: z17.string().optional(),
-  createdAt: z17.string()
+var storedChatMessageSchema2 = z18.object({
+  role: z18.enum(["user", "assistant"]),
+  content: z18.string(),
+  runId: z18.string().optional(),
+  error: z18.string().optional(),
+  createdAt: z18.string()
 });
-var unsavedRunSchema = z17.object({
-  runId: z17.string(),
-  status: z17.string(),
-  prompt: z17.string(),
-  error: z17.string().nullable()
+var unsavedRunSchema = z18.object({
+  runId: z18.string(),
+  status: z18.string(),
+  prompt: z18.string(),
+  error: z18.string().nullable()
 });
-var chatThreadDetailSchema = z17.object({
-  id: z17.string(),
-  title: z17.string().nullable(),
-  agentComposeId: z17.string(),
-  chatMessages: z17.array(storedChatMessageSchema2),
-  latestSessionId: z17.string().nullable(),
-  unsavedRuns: z17.array(unsavedRunSchema),
-  createdAt: z17.string(),
-  updatedAt: z17.string()
+var chatThreadDetailSchema = z18.object({
+  id: z18.string(),
+  title: z18.string().nullable(),
+  agentComposeId: z18.string(),
+  chatMessages: z18.array(storedChatMessageSchema2),
+  latestSessionId: z18.string().nullable(),
+  unsavedRuns: z18.array(unsavedRunSchema),
+  createdAt: z18.string(),
+  updatedAt: z18.string()
 });
-var chatThreadsContract = c13.router({
+var chatThreadsContract = c14.router({
   create: {
     method: "POST",
     path: "/api/chat-threads",
     headers: authHeadersSchema,
-    body: z17.object({
-      agentComposeId: z17.string().min(1),
-      title: z17.string().optional()
+    body: z18.object({
+      agentComposeId: z18.string().min(1),
+      title: z18.string().optional()
     }),
     responses: {
-      201: z17.object({ id: z17.string(), createdAt: z17.string() }),
+      201: z18.object({ id: z18.string(), createdAt: z18.string() }),
       401: apiErrorSchema
     },
     summary: "Create a new chat thread"
@@ -3159,22 +3409,22 @@ var chatThreadsContract = c13.router({
     method: "GET",
     path: "/api/chat-threads",
     headers: authHeadersSchema,
-    query: z17.object({
-      agentComposeId: z17.string().min(1, "agentComposeId is required")
+    query: z18.object({
+      agentComposeId: z18.string().min(1, "agentComposeId is required")
     }),
     responses: {
-      200: z17.object({ threads: z17.array(chatThreadListItemSchema) }),
+      200: z18.object({ threads: z18.array(chatThreadListItemSchema) }),
       401: apiErrorSchema
     },
     summary: "List chat threads for an agent"
   }
 });
-var chatThreadByIdContract = c13.router({
+var chatThreadByIdContract = c14.router({
   get: {
     method: "GET",
     path: "/api/chat-threads/:id",
     headers: authHeadersSchema,
-    pathParams: z17.object({ id: z17.string() }),
+    pathParams: z18.object({ id: z18.string() }),
     responses: {
       200: chatThreadDetailSchema,
       401: apiErrorSchema,
@@ -3183,17 +3433,17 @@ var chatThreadByIdContract = c13.router({
     summary: "Get chat thread detail with messages"
   }
 });
-var chatThreadRunsContract = c13.router({
+var chatThreadRunsContract = c14.router({
   addRun: {
     method: "POST",
     path: "/api/chat-threads/:id/runs",
     headers: authHeadersSchema,
-    pathParams: z17.object({ id: z17.string() }),
-    body: z17.object({
-      runId: z17.string().min(1)
+    pathParams: z18.object({ id: z18.string() }),
+    body: z18.object({
+      runId: z18.string().min(1)
     }),
     responses: {
-      204: z17.void(),
+      204: z18.void(),
       401: apiErrorSchema,
       404: apiErrorSchema
     },
@@ -3202,32 +3452,32 @@ var chatThreadRunsContract = c13.router({
 });
 
 // ../../packages/core/src/contracts/runners.ts
-import { z as z18 } from "zod";
-var c14 = initContract();
-var runnerGroupSchema = z18.string().regex(
+import { z as z19 } from "zod";
+var c15 = initContract();
+var runnerGroupSchema = z19.string().regex(
   /^[a-z0-9-]+\/[a-z0-9-]+$/,
   "Runner group must be in org/name format (e.g., acme/production)"
 );
-var jobSchema = z18.object({
-  runId: z18.uuid(),
-  prompt: z18.string(),
-  appendSystemPrompt: z18.string().nullable(),
-  agentComposeVersionId: z18.string().nullable(),
-  vars: z18.record(z18.string(), z18.string()).nullable(),
-  checkpointId: z18.uuid().nullable(),
-  experimentalProfile: z18.string().optional()
+var jobSchema = z19.object({
+  runId: z19.uuid(),
+  prompt: z19.string(),
+  appendSystemPrompt: z19.string().nullable(),
+  agentComposeVersionId: z19.string().nullable(),
+  vars: z19.record(z19.string(), z19.string()).nullable(),
+  checkpointId: z19.uuid().nullable(),
+  experimentalProfile: z19.string().optional()
 });
-var runnersPollContract = c14.router({
+var runnersPollContract = c15.router({
   poll: {
     method: "POST",
     path: "/api/runners/poll",
     headers: authHeadersSchema,
-    body: z18.object({
+    body: z19.object({
       group: runnerGroupSchema,
-      profiles: z18.array(z18.string()).optional()
+      profiles: z19.array(z19.string()).optional()
     }),
     responses: {
-      200: z18.object({
+      200: z19.object({
         job: jobSchema.nullable()
       }),
       400: apiErrorSchema,
@@ -3237,101 +3487,105 @@ var runnersPollContract = c14.router({
     summary: "Poll for pending jobs (long-polling with 30s timeout)"
   }
 });
-var storageEntrySchema = z18.object({
-  mountPath: z18.string(),
-  archiveUrl: z18.string().nullable()
+var storageEntrySchema = z19.object({
+  mountPath: z19.string(),
+  archiveUrl: z19.string().nullable()
 });
-var artifactEntrySchema = z18.object({
-  mountPath: z18.string(),
-  archiveUrl: z18.string().nullable(),
-  vasStorageName: z18.string(),
-  vasVersionId: z18.string()
+var artifactEntrySchema = z19.object({
+  mountPath: z19.string(),
+  archiveUrl: z19.string().nullable(),
+  vasStorageName: z19.string(),
+  vasVersionId: z19.string()
 });
-var storageManifestSchema = z18.object({
-  storages: z18.array(storageEntrySchema),
+var storageManifestSchema = z19.object({
+  storages: z19.array(storageEntrySchema),
   artifact: artifactEntrySchema.nullable(),
   memory: artifactEntrySchema.nullable()
 });
-var resumeSessionSchema = z18.object({
-  sessionId: z18.string(),
-  sessionHistory: z18.string()
+var resumeSessionSchema = z19.object({
+  sessionId: z19.string(),
+  sessionHistory: z19.string()
 });
-var storedExecutionContextSchema = z18.object({
-  workingDir: z18.string(),
+var storedExecutionContextSchema = z19.object({
+  workingDir: z19.string(),
   storageManifest: storageManifestSchema.nullable(),
-  environment: z18.record(z18.string(), z18.string()).nullable(),
+  environment: z19.record(z19.string(), z19.string()).nullable(),
   resumeSession: resumeSessionSchema.nullable(),
-  encryptedSecrets: z18.string().nullable(),
+  encryptedSecrets: z19.string().nullable(),
   // AES-256-GCM encrypted Record<string, string> (secret name → value)
   // Maps secret names to OAuth connector types for runtime token refresh (e.g. { "GMAIL_ACCESS_TOKEN": "gmail" })
-  secretConnectorMap: z18.record(z18.string(), z18.string()).nullable().optional(),
-  cliAgentType: z18.string(),
+  secretConnectorMap: z19.record(z19.string(), z19.string()).nullable().optional(),
+  cliAgentType: z19.string(),
   // Debug flag to force real Claude in mock environments (internal use only)
-  debugNoMockClaude: z18.boolean().optional(),
+  debugNoMockClaude: z19.boolean().optional(),
   // Dispatch timestamp for E2E timing metrics
-  apiStartTime: z18.number().optional(),
+  apiStartTime: z19.number().optional(),
   // User's timezone preference (IANA format, e.g., "Asia/Shanghai")
-  userTimezone: z18.string().optional(),
+  userTimezone: z19.string().optional(),
   // Agent metadata for VM0_AGENT_NAME, VM0_AGENT_COMPOSE_ID, and VM0_AGENT_ORG env vars
-  agentName: z18.string().optional(),
-  agentComposeId: z18.string().optional(),
-  agentOrgSlug: z18.string().optional(),
+  agentName: z19.string().optional(),
+  agentComposeId: z19.string().optional(),
+  agentOrgSlug: z19.string().optional(),
   // Memory storage name (for first-run when manifest.memory is null)
-  memoryName: z18.string().optional(),
+  memoryName: z19.string().optional(),
   // Experimental firewall for proxy-side token replacement
   experimentalFirewalls: experimentalFirewallsSchema.optional(),
   // Experimental capabilities for agent permission enforcement
-  experimentalCapabilities: z18.array(z18.enum(VALID_CAPABILITIES)).optional(),
-  // VM profile for resource allocation (e.g., "vm0/default", "vm0/browser")
-  experimentalProfile: z18.string().optional()
+  experimentalCapabilities: z19.array(z19.enum(VALID_CAPABILITIES)).optional(),
+  // Tools to disable in Claude CLI (passed as --disallowed-tools)
+  disallowedTools: z19.array(z19.string()).optional(),
+  // VM profile for resource allocation (e.g., "vm0/default")
+  experimentalProfile: z19.string().optional()
 });
-var executionContextSchema = z18.object({
-  runId: z18.uuid(),
-  prompt: z18.string(),
-  appendSystemPrompt: z18.string().nullable(),
-  agentComposeVersionId: z18.string().nullable(),
-  vars: z18.record(z18.string(), z18.string()).nullable(),
-  checkpointId: z18.uuid().nullable(),
-  sandboxToken: z18.string(),
+var executionContextSchema = z19.object({
+  runId: z19.uuid(),
+  prompt: z19.string(),
+  appendSystemPrompt: z19.string().nullable(),
+  agentComposeVersionId: z19.string().nullable(),
+  vars: z19.record(z19.string(), z19.string()).nullable(),
+  checkpointId: z19.uuid().nullable(),
+  sandboxToken: z19.string(),
   // New fields for E2B parity:
-  workingDir: z18.string(),
+  workingDir: z19.string(),
   storageManifest: storageManifestSchema.nullable(),
-  environment: z18.record(z18.string(), z18.string()).nullable(),
+  environment: z19.record(z19.string(), z19.string()).nullable(),
   resumeSession: resumeSessionSchema.nullable(),
-  secretValues: z18.array(z18.string()).nullable(),
+  secretValues: z19.array(z19.string()).nullable(),
   // AES-256-GCM encrypted Record<string, string> — passed through to mitm-addon for auth resolution
-  encryptedSecrets: z18.string().nullable(),
+  encryptedSecrets: z19.string().nullable(),
   // Maps secret names to OAuth connector types for runtime token refresh
-  secretConnectorMap: z18.record(z18.string(), z18.string()).nullable().optional(),
-  cliAgentType: z18.string(),
+  secretConnectorMap: z19.record(z19.string(), z19.string()).nullable().optional(),
+  cliAgentType: z19.string(),
   // Debug flag to force real Claude in mock environments (internal use only)
-  debugNoMockClaude: z18.boolean().optional(),
+  debugNoMockClaude: z19.boolean().optional(),
   // Dispatch timestamp for E2E timing metrics
-  apiStartTime: z18.number().optional(),
+  apiStartTime: z19.number().optional(),
   // User's timezone preference (IANA format, e.g., "Asia/Shanghai")
-  userTimezone: z18.string().optional(),
+  userTimezone: z19.string().optional(),
   // Agent metadata
-  agentName: z18.string().optional(),
-  agentComposeId: z18.string().optional(),
-  agentOrgSlug: z18.string().optional(),
+  agentName: z19.string().optional(),
+  agentComposeId: z19.string().optional(),
+  agentOrgSlug: z19.string().optional(),
   // Memory storage name (for first-run when manifest.memory is null)
-  memoryName: z18.string().optional(),
+  memoryName: z19.string().optional(),
   // Experimental firewall for proxy-side token replacement
   experimentalFirewalls: experimentalFirewallsSchema.optional(),
   // Experimental capabilities for agent permission enforcement
-  experimentalCapabilities: z18.array(z18.enum(VALID_CAPABILITIES)).optional(),
-  // VM profile for resource allocation (e.g., "vm0/default", "vm0/browser")
-  experimentalProfile: z18.string().optional()
+  experimentalCapabilities: z19.array(z19.enum(VALID_CAPABILITIES)).optional(),
+  // Tools to disable in Claude CLI (passed as --disallowed-tools)
+  disallowedTools: z19.array(z19.string()).optional(),
+  // VM profile for resource allocation (e.g., "vm0/default")
+  experimentalProfile: z19.string().optional()
 });
-var runnersJobClaimContract = c14.router({
+var runnersJobClaimContract = c15.router({
   claim: {
     method: "POST",
     path: "/api/runners/jobs/:id/claim",
     headers: authHeadersSchema,
-    pathParams: z18.object({
-      id: z18.uuid()
+    pathParams: z19.object({
+      id: z19.uuid()
     }),
-    body: z18.object({}),
+    body: z19.object({}),
     responses: {
       200: executionContextSchema,
       400: apiErrorSchema,
@@ -3348,13 +3602,13 @@ var runnersJobClaimContract = c14.router({
 });
 
 // ../../packages/core/src/contracts/schedules.ts
-import { z as z19 } from "zod";
-var c15 = initContract();
-var scheduleTriggerSchema = z19.object({
-  cron: z19.string().optional(),
-  at: z19.string().optional(),
-  loop: z19.object({ interval: z19.number().int().min(0) }).optional(),
-  timezone: z19.string().default("UTC")
+import { z as z20 } from "zod";
+var c16 = initContract();
+var scheduleTriggerSchema = z20.object({
+  cron: z20.string().optional(),
+  at: z20.string().optional(),
+  loop: z20.object({ interval: z20.number().int().min(0) }).optional(),
+  timezone: z20.string().default("UTC")
 }).refine(
   (data) => {
     const triggers = [data.cron, data.at, data.loop].filter(Boolean);
@@ -3364,43 +3618,43 @@ var scheduleTriggerSchema = z19.object({
     message: "Exactly one of 'cron', 'at', or 'loop' must be specified"
   }
 );
-var scheduleRunConfigSchema = z19.object({
-  agent: z19.string().min(1, "Agent reference required"),
-  prompt: z19.string().min(1, "Prompt required"),
-  appendSystemPrompt: z19.string().optional(),
-  vars: z19.record(z19.string(), z19.string()).optional(),
-  secrets: z19.record(z19.string(), z19.string()).optional(),
-  artifactName: z19.string().optional(),
-  artifactVersion: z19.string().optional(),
-  volumeVersions: z19.record(z19.string(), z19.string()).optional()
+var scheduleRunConfigSchema = z20.object({
+  agent: z20.string().min(1, "Agent reference required"),
+  prompt: z20.string().min(1, "Prompt required"),
+  appendSystemPrompt: z20.string().optional(),
+  vars: z20.record(z20.string(), z20.string()).optional(),
+  secrets: z20.record(z20.string(), z20.string()).optional(),
+  artifactName: z20.string().optional(),
+  artifactVersion: z20.string().optional(),
+  volumeVersions: z20.record(z20.string(), z20.string()).optional()
 });
-var scheduleDefinitionSchema = z19.object({
+var scheduleDefinitionSchema = z20.object({
   on: scheduleTriggerSchema,
   run: scheduleRunConfigSchema
 });
-var scheduleYamlSchema = z19.object({
-  version: z19.literal("1.0"),
-  schedules: z19.record(z19.string(), scheduleDefinitionSchema)
+var scheduleYamlSchema = z20.object({
+  version: z20.literal("1.0"),
+  schedules: z20.record(z20.string(), scheduleDefinitionSchema)
 });
-var deployScheduleRequestSchema = z19.object({
-  name: z19.string().min(1).max(64, "Schedule name max 64 chars"),
-  cronExpression: z19.string().optional(),
-  atTime: z19.string().optional(),
-  intervalSeconds: z19.number().int().min(0).optional(),
-  timezone: z19.string().default("UTC"),
-  prompt: z19.string().min(1, "Prompt required"),
-  appendSystemPrompt: z19.string().optional(),
+var deployScheduleRequestSchema = z20.object({
+  name: z20.string().min(1).max(64, "Schedule name max 64 chars"),
+  cronExpression: z20.string().optional(),
+  atTime: z20.string().optional(),
+  intervalSeconds: z20.number().int().min(0).optional(),
+  timezone: z20.string().default("UTC"),
+  prompt: z20.string().min(1, "Prompt required"),
+  appendSystemPrompt: z20.string().optional(),
   // vars and secrets removed - now managed via server-side tables
-  artifactName: z19.string().optional(),
-  artifactVersion: z19.string().optional(),
-  volumeVersions: z19.record(z19.string(), z19.string()).optional(),
+  artifactName: z20.string().optional(),
+  artifactVersion: z20.string().optional(),
+  volumeVersions: z20.record(z20.string(), z20.string()).optional(),
   // Resolved agent compose ID (CLI resolves org/name:version → composeId)
-  composeId: z19.string().uuid("Invalid compose ID"),
+  composeId: z20.string().uuid("Invalid compose ID"),
   // Enable schedule immediately upon creation
-  enabled: z19.boolean().optional(),
+  enabled: z20.boolean().optional(),
   // Per-schedule notification control (AND'd with user global preferences)
-  notifyEmail: z19.boolean().optional(),
-  notifySlack: z19.boolean().optional()
+  notifyEmail: z20.boolean().optional(),
+  notifySlack: z20.boolean().optional()
 }).refine(
   (data) => {
     const triggers = [
@@ -3414,39 +3668,39 @@ var deployScheduleRequestSchema = z19.object({
     message: "Exactly one of 'cronExpression', 'atTime', or 'intervalSeconds' must be specified"
   }
 );
-var scheduleResponseSchema = z19.object({
-  id: z19.uuid(),
-  composeId: z19.uuid(),
-  composeName: z19.string(),
-  orgSlug: z19.string(),
-  userId: z19.string(),
-  name: z19.string(),
-  triggerType: z19.enum(["cron", "once", "loop"]),
-  cronExpression: z19.string().nullable(),
-  atTime: z19.string().nullable(),
-  intervalSeconds: z19.number().nullable(),
-  timezone: z19.string(),
-  prompt: z19.string(),
-  appendSystemPrompt: z19.string().nullable(),
-  vars: z19.record(z19.string(), z19.string()).nullable(),
+var scheduleResponseSchema = z20.object({
+  id: z20.uuid(),
+  composeId: z20.uuid(),
+  composeName: z20.string(),
+  orgSlug: z20.string(),
+  userId: z20.string(),
+  name: z20.string(),
+  triggerType: z20.enum(["cron", "once", "loop"]),
+  cronExpression: z20.string().nullable(),
+  atTime: z20.string().nullable(),
+  intervalSeconds: z20.number().nullable(),
+  timezone: z20.string(),
+  prompt: z20.string(),
+  appendSystemPrompt: z20.string().nullable(),
+  vars: z20.record(z20.string(), z20.string()).nullable(),
   // Secret names only (values are never returned)
-  secretNames: z19.array(z19.string()).nullable(),
-  artifactName: z19.string().nullable(),
-  artifactVersion: z19.string().nullable(),
-  volumeVersions: z19.record(z19.string(), z19.string()).nullable(),
-  enabled: z19.boolean(),
-  notifyEmail: z19.boolean(),
-  notifySlack: z19.boolean(),
-  nextRunAt: z19.string().nullable(),
-  lastRunAt: z19.string().nullable(),
-  retryStartedAt: z19.string().nullable(),
-  consecutiveFailures: z19.number(),
-  createdAt: z19.string(),
-  updatedAt: z19.string()
+  secretNames: z20.array(z20.string()).nullable(),
+  artifactName: z20.string().nullable(),
+  artifactVersion: z20.string().nullable(),
+  volumeVersions: z20.record(z20.string(), z20.string()).nullable(),
+  enabled: z20.boolean(),
+  notifyEmail: z20.boolean(),
+  notifySlack: z20.boolean(),
+  nextRunAt: z20.string().nullable(),
+  lastRunAt: z20.string().nullable(),
+  retryStartedAt: z20.string().nullable(),
+  consecutiveFailures: z20.number(),
+  createdAt: z20.string(),
+  updatedAt: z20.string()
 });
-var runSummarySchema = z19.object({
-  id: z19.uuid(),
-  status: z19.enum([
+var runSummarySchema = z20.object({
+  id: z20.uuid(),
+  status: z20.enum([
     "queued",
     "pending",
     "running",
@@ -3454,22 +3708,22 @@ var runSummarySchema = z19.object({
     "failed",
     "timeout"
   ]),
-  createdAt: z19.string(),
-  completedAt: z19.string().nullable(),
-  error: z19.string().nullable()
+  createdAt: z20.string(),
+  completedAt: z20.string().nullable(),
+  error: z20.string().nullable()
 });
-var scheduleRunsResponseSchema = z19.object({
-  runs: z19.array(runSummarySchema)
+var scheduleRunsResponseSchema = z20.object({
+  runs: z20.array(runSummarySchema)
 });
-var scheduleListResponseSchema = z19.object({
-  schedules: z19.array(scheduleResponseSchema)
+var scheduleListResponseSchema = z20.object({
+  schedules: z20.array(scheduleResponseSchema)
 });
-var deployScheduleResponseSchema = z19.object({
+var deployScheduleResponseSchema = z20.object({
   schedule: scheduleResponseSchema,
-  created: z19.boolean()
+  created: z20.boolean()
   // true if created, false if updated
 });
-var schedulesMainContract = c15.router({
+var schedulesMainContract = c16.router({
   /**
    * POST /api/agent/schedules
    * Deploy (create or update) a schedule
@@ -3507,7 +3761,7 @@ var schedulesMainContract = c15.router({
     summary: "List all schedules"
   }
 });
-var schedulesByNameContract = c15.router({
+var schedulesByNameContract = c16.router({
   /**
    * GET /api/agent/schedules/:name
    * Get schedule by name
@@ -3516,11 +3770,11 @@ var schedulesByNameContract = c15.router({
     method: "GET",
     path: "/api/agent/schedules/:name",
     headers: authHeadersSchema,
-    pathParams: z19.object({
-      name: z19.string().min(1, "Schedule name required")
+    pathParams: z20.object({
+      name: z20.string().min(1, "Schedule name required")
     }),
-    query: z19.object({
-      composeId: z19.string().uuid("Compose ID required")
+    query: z20.object({
+      composeId: z20.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -3538,14 +3792,14 @@ var schedulesByNameContract = c15.router({
     method: "DELETE",
     path: "/api/agent/schedules/:name",
     headers: authHeadersSchema,
-    pathParams: z19.object({
-      name: z19.string().min(1, "Schedule name required")
+    pathParams: z20.object({
+      name: z20.string().min(1, "Schedule name required")
     }),
-    query: z19.object({
-      composeId: z19.string().uuid("Compose ID required")
+    query: z20.object({
+      composeId: z20.string().uuid("Compose ID required")
     }),
     responses: {
-      204: c15.noBody(),
+      204: c16.noBody(),
       401: apiErrorSchema,
       403: apiErrorSchema,
       404: apiErrorSchema
@@ -3553,7 +3807,7 @@ var schedulesByNameContract = c15.router({
     summary: "Delete schedule"
   }
 });
-var schedulesEnableContract = c15.router({
+var schedulesEnableContract = c16.router({
   /**
    * POST /api/agent/schedules/:name/enable
    * Enable a disabled schedule
@@ -3562,11 +3816,11 @@ var schedulesEnableContract = c15.router({
     method: "POST",
     path: "/api/agent/schedules/:name/enable",
     headers: authHeadersSchema,
-    pathParams: z19.object({
-      name: z19.string().min(1, "Schedule name required")
+    pathParams: z20.object({
+      name: z20.string().min(1, "Schedule name required")
     }),
-    body: z19.object({
-      composeId: z19.string().uuid("Compose ID required")
+    body: z20.object({
+      composeId: z20.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -3584,11 +3838,11 @@ var schedulesEnableContract = c15.router({
     method: "POST",
     path: "/api/agent/schedules/:name/disable",
     headers: authHeadersSchema,
-    pathParams: z19.object({
-      name: z19.string().min(1, "Schedule name required")
+    pathParams: z20.object({
+      name: z20.string().min(1, "Schedule name required")
     }),
-    body: z19.object({
-      composeId: z19.string().uuid("Compose ID required")
+    body: z20.object({
+      composeId: z20.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -3599,7 +3853,7 @@ var schedulesEnableContract = c15.router({
     summary: "Disable schedule"
   }
 });
-var scheduleRunsContract = c15.router({
+var scheduleRunsContract = c16.router({
   /**
    * GET /api/agent/schedules/:name/runs
    * List recent runs for a schedule
@@ -3608,12 +3862,12 @@ var scheduleRunsContract = c15.router({
     method: "GET",
     path: "/api/agent/schedules/:name/runs",
     headers: authHeadersSchema,
-    pathParams: z19.object({
-      name: z19.string().min(1, "Schedule name required")
+    pathParams: z20.object({
+      name: z20.string().min(1, "Schedule name required")
     }),
-    query: z19.object({
-      composeId: z19.string().uuid("Compose ID required"),
-      limit: z19.coerce.number().min(0).max(100).default(5)
+    query: z20.object({
+      composeId: z20.string().uuid("Compose ID required"),
+      limit: z20.coerce.number().min(0).max(100).default(5)
     }),
     responses: {
       200: scheduleRunsResponseSchema,
@@ -3626,18 +3880,18 @@ var scheduleRunsContract = c15.router({
 });
 
 // ../../packages/core/src/contracts/realtime.ts
-import { z as z20 } from "zod";
-var c16 = initContract();
-var ablyTokenRequestSchema = z20.object({
-  keyName: z20.string(),
-  ttl: z20.number().optional(),
-  timestamp: z20.number(),
-  capability: z20.string(),
-  clientId: z20.string().optional(),
-  nonce: z20.string(),
-  mac: z20.string()
+import { z as z21 } from "zod";
+var c17 = initContract();
+var ablyTokenRequestSchema = z21.object({
+  keyName: z21.string(),
+  ttl: z21.number().optional(),
+  timestamp: z21.number(),
+  capability: z21.string(),
+  clientId: z21.string().optional(),
+  nonce: z21.string(),
+  mac: z21.string()
 });
-var runnerRealtimeTokenContract = c16.router({
+var runnerRealtimeTokenContract = c17.router({
   /**
    * POST /api/runners/realtime/token
    * Get an Ably token to subscribe to a runner group's job notification channel
@@ -3646,7 +3900,7 @@ var runnerRealtimeTokenContract = c16.router({
     method: "POST",
     path: "/api/runners/realtime/token",
     headers: authHeadersSchema,
-    body: z20.object({
+    body: z21.object({
       group: runnerGroupSchema
     }),
     responses: {
@@ -3659,224 +3913,9 @@ var runnerRealtimeTokenContract = c16.router({
   }
 });
 
-// ../../packages/core/src/contracts/logs.ts
-import { z as z21 } from "zod";
-var paginationSchema = z21.object({
-  hasMore: z21.boolean(),
-  nextCursor: z21.string().nullable(),
-  totalPages: z21.number()
-});
-var listQuerySchema = z21.object({
-  cursor: z21.string().optional(),
-  limit: z21.coerce.number().min(1).max(100).default(20)
-});
-var c17 = initContract();
-var logStatusSchema = z21.enum([
-  "queued",
-  "pending",
-  "running",
-  "completed",
-  "failed",
-  "timeout",
-  "cancelled"
-]);
-var logEntrySchema = z21.object({
-  id: z21.uuid(),
-  sessionId: z21.string().nullable(),
-  agentName: z21.string(),
-  displayName: z21.string().nullable(),
-  orgSlug: z21.string().nullable(),
-  framework: z21.string().nullable(),
-  status: logStatusSchema,
-  createdAt: z21.string(),
-  startedAt: z21.string().nullable(),
-  completedAt: z21.string().nullable()
-});
-var logsListResponseSchema = z21.object({
-  data: z21.array(logEntrySchema),
-  pagination: paginationSchema
-});
-var artifactSchema = z21.object({
-  name: z21.string().nullable(),
-  version: z21.string().nullable()
-});
-var logDetailSchema = z21.object({
-  id: z21.uuid(),
-  sessionId: z21.string().nullable(),
-  agentName: z21.string(),
-  displayName: z21.string().nullable(),
-  framework: z21.string().nullable(),
-  status: logStatusSchema,
-  prompt: z21.string(),
-  error: z21.string().nullable(),
-  createdAt: z21.string(),
-  startedAt: z21.string().nullable(),
-  completedAt: z21.string().nullable(),
-  artifact: artifactSchema
-});
-var logsListContract = c17.router({
-  list: {
-    method: "GET",
-    path: "/api/app/logs",
-    query: listQuerySchema.extend({
-      search: z21.string().optional(),
-      agent: z21.string().optional(),
-      name: z21.string().optional(),
-      org: z21.string().optional(),
-      status: logStatusSchema.optional()
-    }),
-    responses: {
-      200: logsListResponseSchema,
-      401: apiErrorSchema
-    },
-    summary: "List agent run logs with pagination"
-  }
-});
-var logsByIdContract = c17.router({
-  getById: {
-    method: "GET",
-    path: "/api/app/logs/:id",
-    headers: authHeadersSchema,
-    pathParams: z21.object({
-      id: z21.string().uuid("Invalid log ID")
-    }),
-    responses: {
-      200: logDetailSchema,
-      401: apiErrorSchema,
-      404: apiErrorSchema
-    },
-    summary: "Get agent run log details by ID"
-  }
-});
-var artifactDownloadResponseSchema = z21.object({
-  url: z21.url(),
-  expiresAt: z21.string()
-});
-var artifactDownloadContract = c17.router({
-  getDownloadUrl: {
-    method: "GET",
-    path: "/api/app/artifacts/download",
-    query: z21.object({
-      name: z21.string().min(1, "Artifact name is required"),
-      version: z21.string().optional()
-    }),
-    responses: {
-      200: artifactDownloadResponseSchema,
-      401: apiErrorSchema,
-      404: apiErrorSchema
-    },
-    summary: "Get presigned URL for artifact download"
-  }
-});
-
-// ../../packages/core/src/contracts/compose-jobs.ts
+// ../../packages/core/src/contracts/connectors.ts
 import { z as z22 } from "zod";
 var c18 = initContract();
-var composeJobStatusSchema = z22.enum([
-  "pending",
-  "running",
-  "completed",
-  "failed"
-]);
-var composeJobResultSchema = z22.object({
-  composeId: z22.string(),
-  composeName: z22.string(),
-  versionId: z22.string(),
-  warnings: z22.array(z22.string())
-});
-var composeJobSourceSchema = z22.enum(["github", "platform", "slack"]);
-var createComposeJobRequestSchema = z22.union([
-  z22.object({
-    githubUrl: z22.url().check(z22.startsWith("https://github.com/")),
-    overwrite: z22.boolean().optional().default(false)
-  }),
-  z22.object({
-    content: z22.record(z22.string(), z22.unknown()),
-    instructions: z22.string().optional()
-  })
-]);
-var composeJobResponseSchema = z22.object({
-  jobId: z22.string(),
-  status: composeJobStatusSchema,
-  githubUrl: z22.string().optional(),
-  source: composeJobSourceSchema.optional(),
-  result: composeJobResultSchema.optional(),
-  error: z22.string().optional(),
-  createdAt: z22.string(),
-  startedAt: z22.string().optional(),
-  completedAt: z22.string().optional()
-});
-var composeJobsMainContract = c18.router({
-  /**
-   * POST /api/compose/jobs
-   * Create a new compose job from GitHub URL or platform content
-   */
-  create: {
-    method: "POST",
-    path: "/api/compose/jobs",
-    headers: authHeadersSchema,
-    body: createComposeJobRequestSchema,
-    responses: {
-      201: composeJobResponseSchema,
-      200: composeJobResponseSchema,
-      // Returned when existing job found (idempotency)
-      400: apiErrorSchema,
-      401: apiErrorSchema
-    },
-    summary: "Create compose job"
-  }
-});
-var composeJobsByIdContract = c18.router({
-  /**
-   * GET /api/compose/jobs/:jobId
-   * Get compose job status and result
-   */
-  getById: {
-    method: "GET",
-    path: "/api/compose/jobs/:jobId",
-    headers: authHeadersSchema,
-    pathParams: z22.object({
-      jobId: z22.uuid()
-    }),
-    responses: {
-      200: composeJobResponseSchema,
-      401: apiErrorSchema,
-      404: apiErrorSchema
-    },
-    summary: "Get compose job status"
-  }
-});
-var webhookComposeCompleteContract = c18.router({
-  /**
-   * POST /api/webhooks/compose/complete
-   * Handle compose job completion from sandbox
-   */
-  complete: {
-    method: "POST",
-    path: "/api/webhooks/compose/complete",
-    headers: authHeadersSchema,
-    body: z22.object({
-      jobId: z22.uuid(),
-      success: z22.boolean(),
-      // Result from CLI compose command
-      result: composeJobResultSchema.optional(),
-      error: z22.string().optional()
-    }),
-    responses: {
-      200: z22.object({
-        success: z22.boolean()
-      }),
-      400: apiErrorSchema,
-      401: apiErrorSchema,
-      404: apiErrorSchema
-    },
-    summary: "Handle compose job completion"
-  }
-});
-
-// ../../packages/core/src/contracts/connectors.ts
-import { z as z23 } from "zod";
-var c19 = initContract();
 var CONNECTOR_TYPES_DEF = {
   axiom: {
     label: "Axiom",
@@ -4382,12 +4421,46 @@ var CONNECTOR_TYPES_DEF = {
       authorizationUrl: "https://slack.com/oauth/v2/authorize",
       tokenUrl: "https://slack.com/api/oauth.v2.access",
       scopes: [
+        // Channels
         "channels:read",
         "channels:history",
+        // Messaging
         "chat:write",
+        // Users
         "users:read",
         "users:read.email",
-        "files:read"
+        // Files
+        "files:read",
+        "files:write",
+        // Direct messages (high priority)
+        "im:history",
+        "im:write",
+        // Reactions (high priority)
+        "reactions:read",
+        "reactions:write",
+        // Search (high priority)
+        "search:read",
+        // Private channels (high priority)
+        "groups:read",
+        "groups:history",
+        // Reminders (medium priority)
+        "reminders:read",
+        "reminders:write",
+        // Pins (medium priority)
+        "pins:read",
+        "pins:write",
+        // User groups (medium priority)
+        "usergroups:read",
+        // Multi-person DMs (medium priority)
+        "mpim:history",
+        // Do Not Disturb (low priority)
+        "dnd:read",
+        // Bookmarks (low priority)
+        "bookmarks:read",
+        // Team info (low priority)
+        "team:read",
+        // Custom emoji (low priority)
+        "emoji:read"
       ],
       environmentMapping: {
         SLACK_TOKEN: "$secrets.SLACK_ACCESS_TOKEN"
@@ -4519,6 +4592,23 @@ var CONNECTOR_TYPES_DEF = {
     },
     defaultAuthMethod: "api-token"
   },
+  instantly: {
+    label: "Instantly",
+    helpText: "Connect your Instantly account to manage email campaigns, leads, and outreach sequences",
+    authMethods: {
+      "api-token": {
+        label: "API Key",
+        secrets: {
+          INSTANTLY_API_KEY: {
+            label: "API Key",
+            required: true,
+            placeholder: "your-instantly-api-key"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
   jam: {
     label: "Jam",
     helpText: "Connect your Jam account to capture bugs, manage reports, and access debugging telemetry",
@@ -4536,17 +4626,67 @@ var CONNECTOR_TYPES_DEF = {
     },
     defaultAuthMethod: "api-token"
   },
-  jotform: {
-    label: "Jotform",
-    helpText: "Connect your Jotform account to manage forms, submissions, and automate form workflows",
+  jira: {
+    label: "Jira",
+    helpText: "Connect your Jira account to manage projects, issues, sprints, and workflows",
+    authMethods: {
+      "api-token": {
+        label: "API Token",
+        secrets: {
+          JIRA_API_TOKEN: {
+            label: "API Token",
+            required: true
+          },
+          JIRA_DOMAIN: {
+            label: "Jira Domain",
+            required: true,
+            type: "variable",
+            placeholder: "your-domain.atlassian.net"
+          },
+          JIRA_EMAIL: {
+            label: "Jira Email",
+            required: true,
+            type: "variable",
+            placeholder: "your-email@example.com"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  jotform: {
+    label: "Jotform",
+    helpText: "Connect your Jotform account to manage forms, submissions, and automate form workflows",
+    authMethods: {
+      "api-token": {
+        label: "API Key",
+        helpText: "1. Log in to your [Jotform account](https://www.jotform.com/myaccount/api)\n2. Navigate to **Settings** \u2192 **API**\n3. Click **Create New Key**\n4. Copy your **API Key**",
+        secrets: {
+          JOTFORM_TOKEN: {
+            label: "API Key",
+            required: true
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  kommo: {
+    label: "Kommo",
+    helpText: "Connect your Kommo account to manage leads, contacts, and sales pipelines",
     authMethods: {
       "api-token": {
         label: "API Key",
-        helpText: "1. Log in to your [Jotform account](https://www.jotform.com/myaccount/api)\n2. Navigate to **Settings** \u2192 **API**\n3. Click **Create New Key**\n4. Copy your **API Key**",
         secrets: {
-          JOTFORM_TOKEN: {
+          KOMMO_API_KEY: {
             label: "API Key",
             required: true
+          },
+          KOMMO_SUBDOMAIN: {
+            label: "Subdomain",
+            required: true,
+            type: "variable",
+            placeholder: "your-subdomain"
           }
         }
       }
@@ -4702,6 +4842,27 @@ var CONNECTOR_TYPES_DEF = {
     },
     defaultAuthMethod: "api-token"
   },
+  cronlytic: {
+    label: "Cronlytic",
+    helpText: "Connect your Cronlytic account to monitor cron jobs and scheduled tasks",
+    authMethods: {
+      "api-token": {
+        label: "API Key",
+        secrets: {
+          CRONLYTIC_API_KEY: {
+            label: "API Key",
+            required: true
+          },
+          CRONLYTIC_USER_ID: {
+            label: "User ID",
+            required: true,
+            type: "variable"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
   dify: {
     label: "Dify",
     helpText: "Connect your Dify account to build and manage AI-powered workflows, chatbots, and agentic applications",
@@ -5852,6 +6013,40 @@ var CONNECTOR_TYPES_DEF = {
     },
     defaultAuthMethod: "api-token"
   },
+  bitrix: {
+    label: "Bitrix24",
+    helpText: "Connect your Bitrix24 account to manage CRM, tasks, and workflows",
+    authMethods: {
+      "api-token": {
+        label: "Webhook URL",
+        secrets: {
+          BITRIX_WEBHOOK_URL: {
+            label: "Webhook URL",
+            required: true,
+            placeholder: "https://your-domain.bitrix24.com/rest/1/xxx/"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  "brave-search": {
+    label: "Brave Search",
+    helpText: "Connect your Brave Search account to perform privacy-focused web, image, video, and news searches",
+    authMethods: {
+      "api-token": {
+        label: "API Key",
+        secrets: {
+          BRAVE_API_KEY: {
+            label: "API Key",
+            required: true,
+            placeholder: "BSAxxxxxxxxxxxxxxxx"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
   "bright-data": {
     label: "Bright Data",
     helpText: "Connect your Bright Data account to scrape websites, manage proxies, and access web data",
@@ -6185,161 +6380,394 @@ var CONNECTOR_TYPES_DEF = {
       "api-token": {
         label: "API Key",
         secrets: {
-          STREAK_TOKEN: {
+          STREAK_TOKEN: {
+            label: "API Key",
+            required: true,
+            placeholder: "your-streak-api-key"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  supadata: {
+    label: "Supadata",
+    helpText: "Connect your Supadata account to extract YouTube transcripts, channel data, and video metadata",
+    authMethods: {
+      "api-token": {
+        label: "API Key",
+        secrets: {
+          SUPADATA_TOKEN: {
+            label: "API Key",
+            required: true,
+            placeholder: "your-supadata-api-key"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  tavily: {
+    label: "Tavily",
+    helpText: "Connect your Tavily account to perform AI-optimized web searches and content extraction",
+    authMethods: {
+      "api-token": {
+        label: "API Key",
+        secrets: {
+          TAVILY_TOKEN: {
+            label: "API Key",
+            required: true,
+            placeholder: "tvly-..."
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  tldv: {
+    label: "tl;dv",
+    helpText: "Connect your tl;dv account to access meeting recordings, transcripts, and AI-generated notes",
+    authMethods: {
+      "api-token": {
+        label: "API Key",
+        secrets: {
+          TLDV_TOKEN: {
+            label: "API Key",
+            required: true,
+            placeholder: "your-tldv-api-key"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  twenty: {
+    label: "Twenty",
+    helpText: "Connect your Twenty CRM account to manage contacts, companies, and deals",
+    authMethods: {
+      "api-token": {
+        label: "API Key",
+        secrets: {
+          TWENTY_TOKEN: {
+            label: "API Key",
+            required: true,
+            placeholder: "your-twenty-api-key"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  youtube: {
+    label: "YouTube",
+    helpText: "Connect your YouTube account to search videos, get channel info, and fetch comments via the Data API",
+    authMethods: {
+      "api-token": {
+        label: "API Key",
+        helpText: "1. Go to [Google Cloud Console](https://console.cloud.google.com/)\n2. Enable **YouTube Data API v3**\n3. Go to **Credentials** \u2192 **Create Credentials** \u2192 **API Key**\n4. Copy the API key",
+        secrets: {
+          YOUTUBE_TOKEN: {
+            label: "API Key",
+            required: true,
+            placeholder: "AIzaSy..."
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  zapier: {
+    label: "Zapier",
+    helpText: "Connect your Zapier account to trigger zaps and use AI Actions (NLA) to automate workflows",
+    authMethods: {
+      "api-token": {
+        label: "API Key",
+        secrets: {
+          ZAPIER_TOKEN: {
+            label: "API Key",
+            required: true,
+            placeholder: "your-zapier-api-key"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  zapsign: {
+    label: "ZapSign",
+    helpText: "Connect your ZapSign account to create documents for electronic signature and track signing status",
+    authMethods: {
+      "api-token": {
+        label: "API Token",
+        secrets: {
+          ZAPSIGN_TOKEN: {
+            label: "API Token",
+            required: true,
+            placeholder: "your-zapsign-api-token"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  zendesk: {
+    label: "Zendesk",
+    helpText: "Connect your Zendesk account to manage support tickets, users, organizations, and automate customer support workflows",
+    authMethods: {
+      "api-token": {
+        label: "API Token",
+        helpText: "1. Log in to [Zendesk Admin Center](https://www.zendesk.com/admin/)\n2. Go to **Apps and integrations \u2192 APIs \u2192 Zendesk API**\n3. Enable **Token Access** under the Settings tab\n4. Click **Add API token** and copy the token",
+        secrets: {
+          ZENDESK_API_TOKEN: {
+            label: "API Token",
+            required: true,
+            placeholder: "your-zendesk-api-token"
+          },
+          ZENDESK_EMAIL: {
+            label: "Email",
+            required: true,
+            placeholder: "your-email@company.com",
+            helpText: "The email address associated with your Zendesk account",
+            type: "variable"
+          },
+          ZENDESK_SUBDOMAIN: {
+            label: "Subdomain",
+            required: true,
+            placeholder: "yourcompany",
+            helpText: "Your Zendesk subdomain (e.g. 'yourcompany' from yourcompany.zendesk.com)",
+            type: "variable"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  htmlcsstoimage: {
+    label: "HTML/CSS to Image",
+    helpText: "Connect your HTML/CSS to Image account to generate images from HTML and CSS",
+    authMethods: {
+      "api-token": {
+        label: "API Key",
+        secrets: {
+          HCTI_API_KEY: {
+            label: "API Key",
+            required: true
+          },
+          HCTI_USER_ID: {
+            label: "User ID",
+            required: true,
+            type: "variable"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  imgur: {
+    label: "Imgur",
+    helpText: "Connect your Imgur account to upload, manage, and share images",
+    authMethods: {
+      "api-token": {
+        label: "API Token",
+        secrets: {
+          IMGUR_CLIENT_ID: {
+            label: "Client ID",
+            required: true,
+            placeholder: "your-imgur-client-id"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  instagram: {
+    label: "Instagram",
+    helpText: "Connect your Instagram Business account to manage posts, stories, and insights",
+    authMethods: {
+      "api-token": {
+        label: "API Token",
+        secrets: {
+          INSTAGRAM_ACCESS_TOKEN: {
+            label: "Access Token",
+            required: true
+          },
+          INSTAGRAM_BUSINESS_ACCOUNT_ID: {
+            label: "Business Account ID",
+            required: true,
+            type: "variable"
+          }
+        }
+      }
+    },
+    defaultAuthMethod: "api-token"
+  },
+  "prisma-postgres": {
+    label: "Prisma Postgres",
+    helpText: "Connect your Prisma Postgres database to manage schemas, run queries, and access data through Prisma's serverless database platform",
+    authMethods: {
+      "api-token": {
+        label: "API Key",
+        secrets: {
+          PRISMA_POSTGRES_TOKEN: {
             label: "API Key",
             required: true,
-            placeholder: "your-streak-api-key"
+            placeholder: "eyJhbGci..."
           }
         }
       }
     },
     defaultAuthMethod: "api-token"
   },
-  supadata: {
-    label: "Supadata",
-    helpText: "Connect your Supadata account to extract YouTube transcripts, channel data, and video metadata",
+  discord: {
+    label: "Discord",
+    helpText: "Connect your Discord bot to manage servers, channels, messages, and automate interactions",
     authMethods: {
       "api-token": {
-        label: "API Key",
+        label: "Bot Token",
         secrets: {
-          SUPADATA_TOKEN: {
-            label: "API Key",
+          DISCORD_BOT_TOKEN: {
+            label: "Bot Token",
             required: true,
-            placeholder: "your-supadata-api-key"
+            placeholder: "your-discord-bot-token"
           }
         }
       }
     },
     defaultAuthMethod: "api-token"
   },
-  tavily: {
-    label: "Tavily",
-    helpText: "Connect your Tavily account to perform AI-optimized web searches and content extraction",
+  lark: {
+    label: "Lark",
+    helpText: "Connect your Lark (Feishu) app to manage messages, documents, calendars, and workflows",
     authMethods: {
       "api-token": {
-        label: "API Key",
+        label: "App Credentials",
         secrets: {
-          TAVILY_TOKEN: {
-            label: "API Key",
+          LARK_TOKEN: {
+            label: "App Secret",
             required: true,
-            placeholder: "tvly-..."
+            type: "secret"
+          },
+          LARK_APP_ID: {
+            label: "App ID",
+            required: true,
+            type: "variable"
           }
         }
       }
     },
     defaultAuthMethod: "api-token"
   },
-  tldv: {
-    label: "tl;dv",
-    helpText: "Connect your tl;dv account to access meeting recordings, transcripts, and AI-generated notes",
+  mailsac: {
+    label: "Mailsac",
+    helpText: "Connect your Mailsac account to manage disposable email inboxes for testing",
     authMethods: {
       "api-token": {
         label: "API Key",
         secrets: {
-          TLDV_TOKEN: {
+          MAILSAC_TOKEN: {
             label: "API Key",
             required: true,
-            placeholder: "your-tldv-api-key"
+            placeholder: "your-mailsac-api-key"
           }
         }
       }
     },
     defaultAuthMethod: "api-token"
   },
-  twenty: {
-    label: "Twenty",
-    helpText: "Connect your Twenty CRM account to manage contacts, companies, and deals",
+  minio: {
+    label: "MinIO",
+    helpText: "Connect your MinIO instance to manage S3-compatible object storage buckets and objects",
     authMethods: {
       "api-token": {
-        label: "API Key",
+        label: "Access Credentials",
         secrets: {
-          TWENTY_TOKEN: {
-            label: "API Key",
+          MINIO_TOKEN: {
+            label: "Access Key",
             required: true,
-            placeholder: "your-twenty-api-key"
+            type: "secret"
+          },
+          MINIO_SECRET_TOKEN: {
+            label: "Secret Key",
+            required: true,
+            type: "secret"
+          },
+          MINIO_ENDPOINT: {
+            label: "Endpoint URL",
+            required: true,
+            placeholder: "https://minio.example.com",
+            type: "variable"
           }
         }
       }
     },
     defaultAuthMethod: "api-token"
   },
-  youtube: {
-    label: "YouTube",
-    helpText: "Connect your YouTube account to search videos, get channel info, and fetch comments via the Data API",
+  pdforge: {
+    label: "PDForge",
+    helpText: "Connect your PDForge account to generate PDF documents from templates",
     authMethods: {
       "api-token": {
         label: "API Key",
-        helpText: "1. Go to [Google Cloud Console](https://console.cloud.google.com/)\n2. Enable **YouTube Data API v3**\n3. Go to **Credentials** \u2192 **Create Credentials** \u2192 **API Key**\n4. Copy the API key",
         secrets: {
-          YOUTUBE_TOKEN: {
+          PDFORGE_API_KEY: {
             label: "API Key",
             required: true,
-            placeholder: "AIzaSy..."
+            placeholder: "your-pdforge-api-key"
           }
         }
       }
     },
     defaultAuthMethod: "api-token"
   },
-  zapier: {
-    label: "Zapier",
-    helpText: "Connect your Zapier account to trigger zaps and use AI Actions (NLA) to automate workflows",
+  "discord-webhook": {
+    label: "Discord Webhook",
+    helpText: "Connect a Discord webhook to send messages to channels",
     authMethods: {
       "api-token": {
-        label: "API Key",
+        label: "Webhook URL",
         secrets: {
-          ZAPIER_TOKEN: {
-            label: "API Key",
+          DISCORD_WEBHOOK_URL: {
+            label: "Webhook URL",
             required: true,
-            placeholder: "your-zapier-api-key"
+            placeholder: "https://discord.com/api/webhooks/xxx/xxx"
           }
         }
       }
     },
     defaultAuthMethod: "api-token"
   },
-  zapsign: {
-    label: "ZapSign",
-    helpText: "Connect your ZapSign account to create documents for electronic signature and track signing status",
+  "slack-webhook": {
+    label: "Slack Webhook",
+    helpText: "Connect a Slack incoming webhook to send messages to channels",
     authMethods: {
       "api-token": {
-        label: "API Token",
+        label: "Webhook URL",
         secrets: {
-          ZAPSIGN_TOKEN: {
-            label: "API Token",
+          SLACK_WEBHOOK_URL: {
+            label: "Webhook URL",
             required: true,
-            placeholder: "your-zapsign-api-token"
+            placeholder: "https://hooks.slack.com/services/xxx/xxx/xxx"
           }
         }
       }
     },
     defaultAuthMethod: "api-token"
   },
-  zendesk: {
-    label: "Zendesk",
-    helpText: "Connect your Zendesk account to manage support tickets, users, organizations, and automate customer support workflows",
+  gitlab: {
+    label: "GitLab",
+    helpText: "Connect your GitLab account to manage repositories, issues, merge requests, and CI/CD pipelines",
     authMethods: {
       "api-token": {
-        label: "API Token",
-        helpText: "1. Log in to [Zendesk Admin Center](https://www.zendesk.com/admin/)\n2. Go to **Apps and integrations \u2192 APIs \u2192 Zendesk API**\n3. Enable **Token Access** under the Settings tab\n4. Click **Add API token** and copy the token",
+        label: "Personal Access Token",
         secrets: {
-          ZENDESK_API_TOKEN: {
-            label: "API Token",
-            required: true,
-            placeholder: "your-zendesk-api-token"
-          },
-          ZENDESK_EMAIL: {
-            label: "Email",
-            required: true,
-            placeholder: "your-email@company.com",
-            helpText: "The email address associated with your Zendesk account",
-            type: "variable"
+          GITLAB_TOKEN: {
+            label: "Personal Access Token",
+            required: true
           },
-          ZENDESK_SUBDOMAIN: {
-            label: "Subdomain",
-            required: true,
-            placeholder: "yourcompany",
-            helpText: "Your Zendesk subdomain (e.g. 'yourcompany' from yourcompany.zendesk.com)",
+          GITLAB_HOST: {
+            label: "GitLab Host",
+            required: false,
+            placeholder: "gitlab.com",
             type: "variable"
           }
         }
@@ -6347,17 +6775,17 @@ var CONNECTOR_TYPES_DEF = {
     },
     defaultAuthMethod: "api-token"
   },
-  "prisma-postgres": {
-    label: "Prisma Postgres",
-    helpText: "Connect your Prisma Postgres database to manage schemas, run queries, and access data through Prisma's serverless database platform",
+  wix: {
+    label: "Wix",
+    helpText: "Connect your Wix account to manage sites, collections, and content",
     authMethods: {
       "api-token": {
         label: "API Key",
         secrets: {
-          PRISMA_POSTGRES_TOKEN: {
+          WIX_TOKEN: {
             label: "API Key",
             required: true,
-            placeholder: "eyJhbGci..."
+            placeholder: "your-wix-api-key"
           }
         }
       }
@@ -6366,7 +6794,7 @@ var CONNECTOR_TYPES_DEF = {
   }
 };
 var CONNECTOR_TYPES = CONNECTOR_TYPES_DEF;
-var connectorTypeSchema = z23.enum([
+var connectorTypeSchema = z22.enum([
   "agentmail",
   "ahrefs",
   "atlassian",
@@ -6465,7 +6893,25 @@ var connectorTypeSchema = z23.enum([
   "zapier",
   "zapsign",
   "zendesk",
-  "prisma-postgres"
+  "prisma-postgres",
+  "bitrix",
+  "brave-search",
+  "cronlytic",
+  "discord",
+  "discord-webhook",
+  "gitlab",
+  "htmlcsstoimage",
+  "imgur",
+  "instantly",
+  "instagram",
+  "jira",
+  "kommo",
+  "lark",
+  "mailsac",
+  "minio",
+  "pdforge",
+  "slack-webhook",
+  "wix"
 ]);
 function getConnectorEnvironmentMapping(type2) {
   const config = CONNECTOR_TYPES[type2];
@@ -6519,24 +6965,24 @@ function getScopeDiff(connectorType, storedScopes) {
     storedScopes: stored
   };
 }
-var connectorResponseSchema = z23.object({
-  id: z23.uuid().nullable(),
+var connectorResponseSchema = z22.object({
+  id: z22.uuid().nullable(),
   type: connectorTypeSchema,
-  authMethod: z23.string(),
-  externalId: z23.string().nullable(),
-  externalUsername: z23.string().nullable(),
-  externalEmail: z23.string().nullable(),
-  oauthScopes: z23.array(z23.string()).nullable(),
-  needsReconnect: z23.boolean(),
-  createdAt: z23.string(),
-  updatedAt: z23.string()
+  authMethod: z22.string(),
+  externalId: z22.string().nullable(),
+  externalUsername: z22.string().nullable(),
+  externalEmail: z22.string().nullable(),
+  oauthScopes: z22.array(z22.string()).nullable(),
+  needsReconnect: z22.boolean(),
+  createdAt: z22.string(),
+  updatedAt: z22.string()
 });
-var connectorListResponseSchema = z23.object({
-  connectors: z23.array(connectorResponseSchema),
-  configuredTypes: z23.array(connectorTypeSchema),
-  connectorProvidedSecretNames: z23.array(z23.string())
+var connectorListResponseSchema = z22.object({
+  connectors: z22.array(connectorResponseSchema),
+  configuredTypes: z22.array(connectorTypeSchema),
+  connectorProvidedSecretNames: z22.array(z22.string())
 });
-var connectorsMainContract = c19.router({
+var connectorsMainContract = c18.router({
   list: {
     method: "GET",
     path: "/api/connectors",
@@ -6549,12 +6995,12 @@ var connectorsMainContract = c19.router({
     summary: "List all connectors for the authenticated user"
   }
 });
-var connectorsByTypeContract = c19.router({
+var connectorsByTypeContract = c18.router({
   get: {
     method: "GET",
     path: "/api/connectors/:type",
     headers: authHeadersSchema,
-    pathParams: z23.object({
+    pathParams: z22.object({
       type: connectorTypeSchema
     }),
     responses: {
@@ -6569,11 +7015,11 @@ var connectorsByTypeContract = c19.router({
     method: "DELETE",
     path: "/api/connectors/:type",
     headers: authHeadersSchema,
-    pathParams: z23.object({
+    pathParams: z22.object({
       type: connectorTypeSchema
     }),
     responses: {
-      204: c19.noBody(),
+      204: c18.noBody(),
       401: apiErrorSchema,
       404: apiErrorSchema,
       500: apiErrorSchema
@@ -6581,18 +7027,18 @@ var connectorsByTypeContract = c19.router({
     summary: "Disconnect a connector"
   }
 });
-var scopeDiffResponseSchema = z23.object({
-  addedScopes: z23.array(z23.string()),
-  removedScopes: z23.array(z23.string()),
-  currentScopes: z23.array(z23.string()),
-  storedScopes: z23.array(z23.string())
+var scopeDiffResponseSchema = z22.object({
+  addedScopes: z22.array(z22.string()),
+  removedScopes: z22.array(z22.string()),
+  currentScopes: z22.array(z22.string()),
+  storedScopes: z22.array(z22.string())
 });
-var connectorScopeDiffContract = c19.router({
+var connectorScopeDiffContract = c18.router({
   getScopeDiff: {
     method: "GET",
     path: "/api/connectors/:type/scope-diff",
     headers: authHeadersSchema,
-    pathParams: z23.object({ type: connectorTypeSchema }),
+    pathParams: z22.object({ type: connectorTypeSchema }),
     responses: {
       200: scopeDiffResponseSchema,
       401: apiErrorSchema,
@@ -6602,27 +7048,27 @@ var connectorScopeDiffContract = c19.router({
     summary: "Get scope diff for a connector"
   }
 });
-var connectorSessionStatusSchema = z23.enum([
+var connectorSessionStatusSchema = z22.enum([
   "pending",
   "complete",
   "expired",
   "error"
 ]);
-var connectorSessionResponseSchema = z23.object({
-  id: z23.uuid(),
-  code: z23.string(),
+var connectorSessionResponseSchema = z22.object({
+  id: z22.uuid(),
+  code: z22.string(),
   type: connectorTypeSchema,
   status: connectorSessionStatusSchema,
-  verificationUrl: z23.string(),
-  expiresIn: z23.number(),
-  interval: z23.number(),
-  errorMessage: z23.string().nullable().optional()
+  verificationUrl: z22.string(),
+  expiresIn: z22.number(),
+  interval: z22.number(),
+  errorMessage: z22.string().nullable().optional()
 });
-var connectorSessionStatusResponseSchema = z23.object({
+var connectorSessionStatusResponseSchema = z22.object({
   status: connectorSessionStatusSchema,
-  errorMessage: z23.string().nullable().optional()
+  errorMessage: z22.string().nullable().optional()
 });
-var connectorSessionsContract = c19.router({
+var connectorSessionsContract = c18.router({
   /**
    * POST /api/connectors/:type/sessions
    * Create a new connector session for CLI device flow
@@ -6631,10 +7077,10 @@ var connectorSessionsContract = c19.router({
     method: "POST",
     path: "/api/connectors/:type/sessions",
     headers: authHeadersSchema,
-    pathParams: z23.object({
+    pathParams: z22.object({
       type: connectorTypeSchema
     }),
-    body: z23.object({}).optional(),
+    body: z22.object({}).optional(),
     responses: {
       200: connectorSessionResponseSchema,
       400: apiErrorSchema,
@@ -6644,7 +7090,7 @@ var connectorSessionsContract = c19.router({
     summary: "Create connector session for CLI device flow"
   }
 });
-var connectorSessionByIdContract = c19.router({
+var connectorSessionByIdContract = c18.router({
   /**
    * GET /api/connectors/:type/sessions/:sessionId
    * Get connector session status (for CLI polling)
@@ -6653,9 +7099,9 @@ var connectorSessionByIdContract = c19.router({
     method: "GET",
     path: "/api/connectors/:type/sessions/:sessionId",
     headers: authHeadersSchema,
-    pathParams: z23.object({
+    pathParams: z22.object({
       type: connectorTypeSchema,
-      sessionId: z23.uuid()
+      sessionId: z22.uuid()
     }),
     responses: {
       200: connectorSessionStatusResponseSchema,
@@ -6667,19 +7113,19 @@ var connectorSessionByIdContract = c19.router({
     summary: "Get connector session status"
   }
 });
-var computerConnectorCreateResponseSchema = z23.object({
-  id: z23.uuid(),
-  ngrokToken: z23.string(),
-  bridgeToken: z23.string(),
-  endpointPrefix: z23.string(),
-  domain: z23.string()
+var computerConnectorCreateResponseSchema = z22.object({
+  id: z22.uuid(),
+  ngrokToken: z22.string(),
+  bridgeToken: z22.string(),
+  endpointPrefix: z22.string(),
+  domain: z22.string()
 });
-var computerConnectorContract = c19.router({
+var computerConnectorContract = c18.router({
   create: {
     method: "POST",
     path: "/api/connectors/computer",
     headers: authHeadersSchema,
-    body: z23.object({}).optional(),
+    body: z22.object({}).optional(),
     responses: {
       200: computerConnectorCreateResponseSchema,
       400: apiErrorSchema,
@@ -6705,7 +7151,7 @@ var computerConnectorContract = c19.router({
     path: "/api/connectors/computer",
     headers: authHeadersSchema,
     responses: {
-      204: c19.noBody(),
+      204: c18.noBody(),
       401: apiErrorSchema,
       404: apiErrorSchema,
       500: apiErrorSchema
@@ -7057,21 +7503,21 @@ async function expandFirewallConfigs(config, fetchFn) {
 }
 
 // ../../packages/core/src/contracts/user-preferences.ts
-import { z as z24 } from "zod";
-var c20 = initContract();
-var sendModeSchema = z24.enum(["enter", "cmd-enter"]);
-var userPreferencesResponseSchema = z24.object({
-  timezone: z24.string().nullable(),
-  notifyEmail: z24.boolean(),
-  notifySlack: z24.boolean(),
-  pinnedAgentIds: z24.array(z24.string()),
+import { z as z23 } from "zod";
+var c19 = initContract();
+var sendModeSchema = z23.enum(["enter", "cmd-enter"]);
+var userPreferencesResponseSchema = z23.object({
+  timezone: z23.string().nullable(),
+  notifyEmail: z23.boolean(),
+  notifySlack: z23.boolean(),
+  pinnedAgentIds: z23.array(z23.string()),
   sendMode: sendModeSchema
 });
-var updateUserPreferencesRequestSchema = z24.object({
-  timezone: z24.string().min(1).optional(),
-  notifyEmail: z24.boolean().optional(),
-  notifySlack: z24.boolean().optional(),
-  pinnedAgentIds: z24.array(z24.string()).max(4).optional(),
+var updateUserPreferencesRequestSchema = z23.object({
+  timezone: z23.string().min(1).optional(),
+  notifyEmail: z23.boolean().optional(),
+  notifySlack: z23.boolean().optional(),
+  pinnedAgentIds: z23.array(z23.string()).optional(),
   sendMode: sendModeSchema.optional()
 }).refine(
   (data) => data.timezone !== void 0 || data.notifyEmail !== void 0 || data.notifySlack !== void 0 || data.pinnedAgentIds !== void 0 || data.sendMode !== void 0,
@@ -7079,7 +7525,7 @@ var updateUserPreferencesRequestSchema = z24.object({
     message: "At least one preference must be provided"
   }
 );
-var userPreferencesContract = c20.router({
+var userPreferencesContract = c19.router({
   /**
    * GET /api/user/preferences
    * Get current user's preferences
@@ -7115,17 +7561,17 @@ var userPreferencesContract = c20.router({
 });
 
 // ../../packages/core/src/contracts/org-list.ts
-import { z as z25 } from "zod";
-var c21 = initContract();
-var orgListItemSchema = z25.object({
-  slug: z25.string(),
-  role: z25.string()
+import { z as z24 } from "zod";
+var c20 = initContract();
+var orgListItemSchema = z24.object({
+  slug: z24.string(),
+  role: z24.string()
 });
-var orgListResponseSchema = z25.object({
-  orgs: z25.array(orgListItemSchema),
-  active: z25.string().optional()
+var orgListResponseSchema = z24.object({
+  orgs: z24.array(orgListItemSchema),
+  active: z24.string().optional()
 });
-var orgListContract = c21.router({
+var orgListContract = c20.router({
   /**
    * GET /api/org/list
    * List all orgs accessible to the user
@@ -7144,24 +7590,24 @@ var orgListContract = c21.router({
 });
 
 // ../../packages/core/src/contracts/onboarding.ts
-import { z as z26 } from "zod";
-var c22 = initContract();
-var onboardingStatusResponseSchema = z26.object({
-  needsOnboarding: z26.boolean(),
-  isAdmin: z26.boolean(),
-  hasOrg: z26.boolean(),
-  hasModelProvider: z26.boolean(),
-  hasDefaultAgent: z26.boolean(),
-  defaultAgentName: z26.string().nullable(),
-  defaultAgentComposeId: z26.string().nullable(),
-  defaultAgentMetadata: z26.object({
-    displayName: z26.string().optional(),
-    description: z26.string().optional(),
-    sound: z26.string().optional()
+import { z as z25 } from "zod";
+var c21 = initContract();
+var onboardingStatusResponseSchema = z25.object({
+  needsOnboarding: z25.boolean(),
+  isAdmin: z25.boolean(),
+  hasOrg: z25.boolean(),
+  hasModelProvider: z25.boolean(),
+  hasDefaultAgent: z25.boolean(),
+  defaultAgentName: z25.string().nullable(),
+  defaultAgentComposeId: z25.string().nullable(),
+  defaultAgentMetadata: z25.object({
+    displayName: z25.string().optional(),
+    description: z25.string().optional(),
+    sound: z25.string().optional()
   }).nullable(),
-  defaultAgentSkills: z26.array(z26.string())
+  defaultAgentSkills: z25.array(z25.string())
 });
-var onboardingStatusContract = c22.router({
+var onboardingStatusContract = c21.router({
   getStatus: {
     method: "GET",
     path: "/api/onboarding/status",
@@ -7175,31 +7621,31 @@ var onboardingStatusContract = c22.router({
 });
 
 // ../../packages/core/src/contracts/skills.ts
-import { z as z27 } from "zod";
-var c23 = initContract();
-var skillFrontmatterSchema = z27.object({
-  name: z27.string().optional(),
-  description: z27.string().optional(),
-  vm0_secrets: z27.array(z27.string()).optional(),
-  vm0_vars: z27.array(z27.string()).optional()
+import { z as z26 } from "zod";
+var c22 = initContract();
+var skillFrontmatterSchema = z26.object({
+  name: z26.string().optional(),
+  description: z26.string().optional(),
+  vm0_secrets: z26.array(z26.string()).optional(),
+  vm0_vars: z26.array(z26.string()).optional()
 });
-var resolvedSkillSchema = z27.object({
-  storageName: z27.string(),
-  versionHash: z27.string(),
+var resolvedSkillSchema = z26.object({
+  storageName: z26.string(),
+  versionHash: z26.string(),
   frontmatter: skillFrontmatterSchema
 });
-var skillsResolveContract = c23.router({
+var skillsResolveContract = c22.router({
   resolve: {
     method: "POST",
     path: "/api/skills/resolve",
     headers: authHeadersSchema,
-    body: z27.object({
-      skills: z27.array(z27.url()).min(1).max(100)
+    body: z26.object({
+      skills: z26.array(z26.url()).min(1).max(100)
     }),
     responses: {
-      200: z27.object({
-        resolved: z27.record(z27.string(), resolvedSkillSchema),
-        unresolved: z27.array(z27.string())
+      200: z26.object({
+        resolved: z26.record(z26.string(), resolvedSkillSchema),
+        unresolved: z26.array(z26.string())
       }),
       400: apiErrorSchema,
       401: apiErrorSchema
@@ -7209,9 +7655,9 @@ var skillsResolveContract = c23.router({
 });
 
 // ../../packages/core/src/contracts/org-model-providers.ts
-import { z as z28 } from "zod";
-var c24 = initContract();
-var orgModelProvidersMainContract = c24.router({
+import { z as z27 } from "zod";
+var c23 = initContract();
+var orgModelProvidersMainContract = c23.router({
   list: {
     method: "GET",
     path: "/api/org/model-providers",
@@ -7239,16 +7685,16 @@ var orgModelProvidersMainContract = c24.router({
     summary: "Create or update an org-level model provider (admin only)"
   }
 });
-var orgModelProvidersByTypeContract = c24.router({
+var orgModelProvidersByTypeContract = c23.router({
   delete: {
     method: "DELETE",
     path: "/api/org/model-providers/:type",
     headers: authHeadersSchema,
-    pathParams: z28.object({
+    pathParams: z27.object({
       type: modelProviderTypeSchema
     }),
     responses: {
-      204: c24.noBody(),
+      204: c23.noBody(),
       401: apiErrorSchema,
       403: apiErrorSchema,
       404: apiErrorSchema,
@@ -7257,15 +7703,15 @@ var orgModelProvidersByTypeContract = c24.router({
     summary: "Delete an org-level model provider (admin only)"
   }
 });
-var orgModelProvidersSetDefaultContract = c24.router({
+var orgModelProvidersSetDefaultContract = c23.router({
   setDefault: {
     method: "POST",
     path: "/api/org/model-providers/:type/set-default",
     headers: authHeadersSchema,
-    pathParams: z28.object({
+    pathParams: z27.object({
       type: modelProviderTypeSchema
     }),
-    body: z28.undefined(),
+    body: z27.undefined(),
     responses: {
       200: modelProviderResponseSchema,
       401: apiErrorSchema,
@@ -7276,12 +7722,12 @@ var orgModelProvidersSetDefaultContract = c24.router({
     summary: "Set org-level model provider as default (admin only)"
   }
 });
-var orgModelProvidersUpdateModelContract = c24.router({
+var orgModelProvidersUpdateModelContract = c23.router({
   updateModel: {
     method: "PATCH",
     path: "/api/org/model-providers/:type/model",
     headers: authHeadersSchema,
-    pathParams: z28.object({
+    pathParams: z27.object({
       type: modelProviderTypeSchema
     }),
     body: updateModelRequestSchema,
@@ -7297,9 +7743,9 @@ var orgModelProvidersUpdateModelContract = c24.router({
 });
 
 // ../../packages/core/src/contracts/org-secrets.ts
-import { z as z29 } from "zod";
-var c25 = initContract();
-var orgSecretsMainContract = c25.router({
+import { z as z28 } from "zod";
+var c24 = initContract();
+var orgSecretsMainContract = c24.router({
   list: {
     method: "GET",
     path: "/api/org/secrets",
@@ -7327,16 +7773,16 @@ var orgSecretsMainContract = c25.router({
     summary: "Create or update an org-level secret (admin only)"
   }
 });
-var orgSecretsByNameContract = c25.router({
+var orgSecretsByNameContract = c24.router({
   delete: {
     method: "DELETE",
     path: "/api/org/secrets/:name",
     headers: authHeadersSchema,
-    pathParams: z29.object({
+    pathParams: z28.object({
       name: secretNameSchema
     }),
     responses: {
-      204: c25.noBody(),
+      204: c24.noBody(),
       401: apiErrorSchema,
       403: apiErrorSchema,
       404: apiErrorSchema,
@@ -7347,9 +7793,9 @@ var orgSecretsByNameContract = c25.router({
 });
 
 // ../../packages/core/src/contracts/org-variables.ts
-import { z as z30 } from "zod";
-var c26 = initContract();
-var orgVariablesMainContract = c26.router({
+import { z as z29 } from "zod";
+var c25 = initContract();
+var orgVariablesMainContract = c25.router({
   list: {
     method: "GET",
     path: "/api/org/variables",
@@ -7377,16 +7823,16 @@ var orgVariablesMainContract = c26.router({
     summary: "Create or update an org-level variable (admin only)"
   }
 });
-var orgVariablesByNameContract = c26.router({
+var orgVariablesByNameContract = c25.router({
   delete: {
     method: "DELETE",
     path: "/api/org/variables/:name",
     headers: authHeadersSchema,
-    pathParams: z30.object({
+    pathParams: z29.object({
       name: variableNameSchema
     }),
     responses: {
-      204: c26.noBody(),
+      204: c25.noBody(),
       401: apiErrorSchema,
       403: apiErrorSchema,
       404: apiErrorSchema,
@@ -7396,6 +7842,164 @@ var orgVariablesByNameContract = c26.router({
   }
 });
 
+// ../../packages/core/src/contracts/zero-agents.ts
+import { z as z30 } from "zod";
+var c26 = initContract();
+var zeroAgentResponseSchema = z30.object({
+  name: z30.string(),
+  agentComposeId: z30.string(),
+  description: z30.string().nullable(),
+  displayName: z30.string().nullable(),
+  sound: z30.string().nullable(),
+  connectors: z30.array(z30.string())
+});
+var zeroAgentRequestSchema = z30.object({
+  description: z30.string().optional(),
+  displayName: z30.string().optional(),
+  sound: z30.string().optional(),
+  connectors: z30.array(z30.string())
+});
+var zeroAgentInstructionsResponseSchema = z30.object({
+  content: z30.string().nullable(),
+  filename: z30.string().nullable()
+});
+var zeroAgentInstructionsRequestSchema = z30.object({
+  content: z30.string()
+});
+var zeroAgentsMainContract = c26.router({
+  create: {
+    method: "POST",
+    path: "/api/zero/agents",
+    headers: authHeadersSchema,
+    body: zeroAgentRequestSchema,
+    responses: {
+      201: zeroAgentResponseSchema,
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      422: apiErrorSchema
+    },
+    summary: "Create zero agent"
+  }
+});
+var zeroAgentsByNameContract = c26.router({
+  get: {
+    method: "GET",
+    path: "/api/zero/agents/:name",
+    headers: authHeadersSchema,
+    pathParams: z30.object({ name: z30.string() }),
+    responses: {
+      200: zeroAgentResponseSchema,
+      401: apiErrorSchema,
+      404: apiErrorSchema
+    },
+    summary: "Get zero agent by name"
+  },
+  update: {
+    method: "PUT",
+    path: "/api/zero/agents/:name",
+    headers: authHeadersSchema,
+    pathParams: z30.object({ name: z30.string() }),
+    body: zeroAgentRequestSchema,
+    responses: {
+      200: zeroAgentResponseSchema,
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      404: apiErrorSchema,
+      422: apiErrorSchema
+    },
+    summary: "Update zero agent"
+  }
+});
+var zeroAgentInstructionsContract = c26.router({
+  get: {
+    method: "GET",
+    path: "/api/zero/agents/:name/instructions",
+    headers: authHeadersSchema,
+    pathParams: z30.object({ name: z30.string() }),
+    responses: {
+      200: zeroAgentInstructionsResponseSchema,
+      401: apiErrorSchema,
+      404: apiErrorSchema
+    },
+    summary: "Get zero agent instructions"
+  },
+  update: {
+    method: "PUT",
+    path: "/api/zero/agents/:name/instructions",
+    headers: authHeadersSchema,
+    pathParams: z30.object({ name: z30.string() }),
+    body: zeroAgentInstructionsRequestSchema,
+    responses: {
+      200: zeroAgentResponseSchema,
+      401: apiErrorSchema,
+      404: apiErrorSchema,
+      422: apiErrorSchema
+    },
+    summary: "Update zero agent instructions"
+  }
+});
+
+// ../../packages/core/src/contracts/zero-connectors.ts
+import { z as z31 } from "zod";
+var c27 = initContract();
+var zeroConnectorsMainContract = c27.router({
+  list: {
+    method: "GET",
+    path: "/api/zero/connectors",
+    headers: authHeadersSchema,
+    responses: {
+      200: connectorListResponseSchema,
+      401: apiErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "List all connectors (zero proxy)"
+  }
+});
+var zeroConnectorsByTypeContract = c27.router({
+  delete: {
+    method: "DELETE",
+    path: "/api/zero/connectors/:type",
+    headers: authHeadersSchema,
+    pathParams: z31.object({ type: connectorTypeSchema }),
+    responses: {
+      204: c27.noBody(),
+      401: apiErrorSchema,
+      404: apiErrorSchema
+    },
+    summary: "Disconnect a connector (zero proxy)"
+  }
+});
+var zeroConnectorScopeDiffContract = c27.router({
+  getScopeDiff: {
+    method: "GET",
+    path: "/api/zero/connectors/:type/scope-diff",
+    headers: authHeadersSchema,
+    pathParams: z31.object({ type: connectorTypeSchema }),
+    responses: {
+      200: scopeDiffResponseSchema,
+      401: apiErrorSchema,
+      404: apiErrorSchema
+    },
+    summary: "Get scope diff for a connector"
+  }
+});
+
+// ../../packages/core/src/contracts/zero-org.ts
+var c28 = initContract();
+var zeroOrgContract = c28.router({
+  get: {
+    method: "GET",
+    path: "/api/zero/org",
+    headers: authHeadersSchema,
+    responses: {
+      200: orgResponseSchema,
+      401: apiErrorSchema,
+      404: apiErrorSchema
+    },
+    summary: "Get current org (zero proxy)"
+  }
+});
+
 // ../../packages/core/src/storage-names.ts
 function getInstructionsStorageName(agentName) {
   return `agent-instructions@${agentName}`;
@@ -7460,6 +8064,10 @@ var STAFF_USER_HASHES = [
   "67a65740246389d7fecf7702f8b7d6914ad38dc5",
   "55651a8b2c85b35ff0629fa3d4718b9476069d0f"
 ];
+var GOOGLE_OAUTH_REVIEWER_EMAIL_HASHES = [
+  "da04f6515e16a883d6e8c4b03932f51ccc362c10"
+  // Google OAuth reviewer
+];
 var FEATURE_SWITCHES = {
   ["pricing" /* Pricing */]: {
     maintainer: "ethan@vm0.ai",
@@ -7523,27 +8131,32 @@ var FEATURE_SWITCHES = {
   ["gmailConnector" /* GmailConnector */]: {
     maintainer: "ethan@vm0.ai",
     enabled: false,
-    enabledUserHashes: STAFF_USER_HASHES
+    enabledUserHashes: STAFF_USER_HASHES,
+    enabledEmailHashes: GOOGLE_OAUTH_REVIEWER_EMAIL_HASHES
   },
   ["googleSheetsConnector" /* GoogleSheetsConnector */]: {
     maintainer: "ethan@vm0.ai",
     enabled: false,
-    enabledUserHashes: STAFF_USER_HASHES
+    enabledUserHashes: STAFF_USER_HASHES,
+    enabledEmailHashes: GOOGLE_OAUTH_REVIEWER_EMAIL_HASHES
   },
   ["googleDocsConnector" /* GoogleDocsConnector */]: {
     maintainer: "ethan@vm0.ai",
     enabled: false,
-    enabledUserHashes: STAFF_USER_HASHES
+    enabledUserHashes: STAFF_USER_HASHES,
+    enabledEmailHashes: GOOGLE_OAUTH_REVIEWER_EMAIL_HASHES
   },
   ["googleDriveConnector" /* GoogleDriveConnector */]: {
     maintainer: "ethan@vm0.ai",
     enabled: false,
-    enabledUserHashes: STAFF_USER_HASHES
+    enabledUserHashes: STAFF_USER_HASHES,
+    enabledEmailHashes: GOOGLE_OAUTH_REVIEWER_EMAIL_HASHES
   },
   ["googleCalendarConnector" /* GoogleCalendarConnector */]: {
     maintainer: "ethan@vm0.ai",
     enabled: false,
-    enabledUserHashes: STAFF_USER_HASHES
+    enabledUserHashes: STAFF_USER_HASHES,
+    enabledEmailHashes: GOOGLE_OAUTH_REVIEWER_EMAIL_HASHES
   },
   ["mercuryConnector" /* MercuryConnector */]: {
     maintainer: "ethan@vm0.ai",
@@ -7634,16 +8247,30 @@ var FEATURE_SWITCHES = {
     maintainer: "ethan@vm0.ai",
     enabled: false,
     enabledUserHashes: STAFF_USER_HASHES
+  },
+  ["showSystemPrompt" /* ShowSystemPrompt */]: {
+    maintainer: "ethan@vm0.ai",
+    enabled: false,
+    enabledUserHashes: STAFF_USER_HASHES
+  },
+  ["vm0ModelProvider" /* Vm0ModelProvider */]: {
+    maintainer: "ethan@vm0.ai",
+    enabled: false,
+    enabledUserHashes: STAFF_USER_HASHES
   }
 };
-async function isFeatureEnabled(key, userId) {
+async function isFeatureEnabled(key, userId, email) {
   const featureSwitch = FEATURE_SWITCHES[key];
   if (featureSwitch.enabled) {
     return true;
   }
   if (userId && featureSwitch.enabledUserHashes?.length) {
     const hash = await sha1(userId);
-    return featureSwitch.enabledUserHashes.includes(hash);
+    if (featureSwitch.enabledUserHashes.includes(hash)) return true;
+  }
+  if (email && featureSwitch.enabledEmailHashes?.length) {
+    const hash = await sha1(email.toLowerCase());
+    if (featureSwitch.enabledEmailHashes.includes(hash)) return true;
   }
   return false;
 }
@@ -7834,7 +8461,7 @@ async function listRuns(params) {
 async function getRunQueue() {
   const config = await getClientConfig();
   const client = initClient2(runsQueueContract, config);
-  const result = await client.getQueue({});
+  const result = await client.getQueue({ headers: {} });
   if (result.status === 200) {
     return result.body;
   }
@@ -8424,8 +9051,8 @@ async function resolveSkills(skillUrls) {
 }
 
 // src/lib/domain/yaml-validator.ts
-import { z as z31 } from "zod";
-var cliAgentNameSchema = z31.string().min(3, "Agent name must be at least 3 characters").max(64, "Agent name must be 64 characters or less").regex(
+import { z as z32 } from "zod";
+var cliAgentNameSchema = z32.string().min(3, "Agent name must be at least 3 characters").max(64, "Agent name must be 64 characters or less").regex(
   /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,62}[a-zA-Z0-9])?$/,
   "Agent name must start and end with letter or number, and contain only letters, numbers, and hyphens"
 );
@@ -8439,7 +9066,7 @@ var cliAgentDefinitionSchema = agentDefinitionSchema.superRefine(
             resolveSkillRef(skillRef);
           } catch (error) {
             ctx.addIssue({
-              code: z31.ZodIssueCode.custom,
+              code: z32.ZodIssueCode.custom,
               message: error instanceof Error ? error.message : `Invalid skill reference: ${skillRef}`,
               path: ["skills", i]
             });
@@ -8449,15 +9076,15 @@ var cliAgentDefinitionSchema = agentDefinitionSchema.superRefine(
     }
   }
 );
-var cliComposeSchema = z31.object({
-  version: z31.string().min(1, "Missing config.version"),
-  agents: z31.record(cliAgentNameSchema, cliAgentDefinitionSchema),
-  volumes: z31.record(z31.string(), volumeConfigSchema).optional()
+var cliComposeSchema = z32.object({
+  version: z32.string().min(1, "Missing config.version"),
+  agents: z32.record(cliAgentNameSchema, cliAgentDefinitionSchema),
+  volumes: z32.record(z32.string(), volumeConfigSchema).optional()
 }).superRefine((config, ctx) => {
   const agentKeys = Object.keys(config.agents);
   if (agentKeys.length === 0) {
     ctx.addIssue({
-      code: z31.ZodIssueCode.custom,
+      code: z32.ZodIssueCode.custom,
       message: "agents must have at least one agent defined",
       path: ["agents"]
     });
@@ -8465,7 +9092,7 @@ var cliComposeSchema = z31.object({
   }
   if (agentKeys.length > 1) {
     ctx.addIssue({
-      code: z31.ZodIssueCode.custom,
+      code: z32.ZodIssueCode.custom,
       message: "Multiple agents not supported yet. Only one agent allowed.",
       path: ["agents"]
     });
@@ -8477,7 +9104,7 @@ var cliComposeSchema = z31.object({
   if (agentVolumes && agentVolumes.length > 0) {
     if (!config.volumes) {
       ctx.addIssue({
-        code: z31.ZodIssueCode.custom,
+        code: z32.ZodIssueCode.custom,
         message: "Agent references volumes but no volumes section defined. Each volume must have explicit name and version.",
         path: ["volumes"]
       });
@@ -8487,7 +9114,7 @@ var cliComposeSchema = z31.object({
       const parts = volDeclaration.split(":");
       if (parts.length !== 2) {
         ctx.addIssue({
-          code: z31.ZodIssueCode.custom,
+          code: z32.ZodIssueCode.custom,
           message: `Invalid volume declaration: ${volDeclaration}. Expected format: volume-key:/mount/path`,
           path: ["agents", agentName, "volumes"]
         });
@@ -8496,7 +9123,7 @@ var cliComposeSchema = z31.object({
       const volumeKey = parts[0].trim();
       if (!config.volumes[volumeKey]) {
         ctx.addIssue({
-          code: z31.ZodIssueCode.custom,
+          code: z32.ZodIssueCode.custom,
           message: `Volume "${volumeKey}" is not defined in volumes section. Each volume must have explicit name and version.`,
           path: ["volumes", volumeKey]
         });
@@ -9695,7 +10322,7 @@ var composeCommand = new Command7().name("compose").description("Create or updat
         options.autoUpdate = false;
       }
       if (options.autoUpdate !== false) {
-        await startSilentUpgrade("9.69.1");
+        await startSilentUpgrade("9.70.1");
       }
       try {
         let result;
@@ -10513,11 +11140,14 @@ var mainRunCommand = new Command8().name("run").description("Run an agent").argu
 ).option(
   "--append-system-prompt <text>",
   "Append text to the agent's system prompt"
+).option(
+  "--disallowed-tools <tools...>",
+  "Tools to disable in Claude CLI (e.g., CronCreate WebSearch)"
 ).option("--verbose", "Show full tool inputs and outputs").option("--check-env", "Validate secrets and vars before running").addOption(new Option2("--debug-no-mock-claude").hideHelp()).addOption(new Option2("--no-auto-update").hideHelp()).action(
   withErrorHandler(
     async (identifier, prompt, options) => {
       if (options.autoUpdate !== false) {
-        await startSilentUpgrade("9.69.1");
+        await startSilentUpgrade("9.70.1");
       }
       const { org, name, version } = parseIdentifier(identifier);
       let composeId;
@@ -10570,6 +11200,7 @@ var mainRunCommand = new Command8().name("run").description("Run an agent").argu
         conversationId: options.conversation,
         modelProvider: options.modelProvider,
         appendSystemPrompt: options.appendSystemPrompt,
+        disallowedTools: options.disallowedTools,
         checkEnv: options.checkEnv || void 0,
         debugNoMockClaude: options.debugNoMockClaude || void 0
       });
@@ -10620,6 +11251,9 @@ var resumeCommand = new Command9().name("resume").description("Resume an agent r
 ).option(
   "--append-system-prompt <text>",
   "Append text to the agent's system prompt"
+).option(
+  "--disallowed-tools <tools...>",
+  "Tools to disable in Claude CLI (e.g., CronCreate WebSearch)"
 ).option("--verbose", "Show full tool inputs and outputs").option("--check-env", "Validate secrets and vars before running").addOption(new Option3("--debug-no-mock-claude").hideHelp()).action(
   withErrorHandler(
     async (checkpointId, prompt, options, command) => {
@@ -10643,6 +11277,7 @@ var resumeCommand = new Command9().name("resume").description("Resume an agent r
         volumeVersions: Object.keys(allOpts.volumeVersion).length > 0 ? allOpts.volumeVersion : void 0,
         modelProvider: options.modelProvider || allOpts.modelProvider,
         appendSystemPrompt: options.appendSystemPrompt || allOpts.appendSystemPrompt,
+        disallowedTools: options.disallowedTools || allOpts.disallowedTools,
         checkEnv: options.checkEnv || allOpts.checkEnv || void 0,
         debugNoMockClaude: options.debugNoMockClaude || allOpts.debugNoMockClaude || void 0
       });
@@ -10686,6 +11321,9 @@ var continueCommand = new Command10().name("continue").description(
 ).option(
   "--append-system-prompt <text>",
   "Append text to the agent's system prompt"
+).option(
+  "--disallowed-tools <tools...>",
+  "Tools to disable in Claude CLI (e.g., CronCreate WebSearch)"
 ).option("--verbose", "Show full tool inputs and outputs").option("--check-env", "Validate secrets and vars before running").addOption(new Option4("--debug-no-mock-claude").hideHelp()).action(
   withErrorHandler(
     async (agentSessionId, prompt, options, command) => {
@@ -10709,6 +11347,7 @@ var continueCommand = new Command10().name("continue").description(
         secrets: loadedSecrets,
         modelProvider: options.modelProvider || allOpts.modelProvider,
         appendSystemPrompt: options.appendSystemPrompt || allOpts.appendSystemPrompt,
+        disallowedTools: options.disallowedTools || allOpts.disallowedTools,
         checkEnv: options.checkEnv || allOpts.checkEnv || void 0,
         debugNoMockClaude: options.debugNoMockClaude || allOpts.debugNoMockClaude || void 0
       });
@@ -12246,7 +12885,7 @@ var cookAction = new Command35().name("cook").description("Quick start: prepare,
   withErrorHandler(
     async (prompt, options) => {
       if (options.autoUpdate !== false) {
-        const shouldExit = await checkAndUpgrade("9.69.1", prompt);
+        const shouldExit = await checkAndUpgrade("9.70.1", prompt);
         if (shouldExit) {
           process.exit(0);
         }
@@ -14188,23 +14827,22 @@ async function handleInteractiveMode() {
   }
   const { modelProviders: configuredProviders } = await listOrgModelProviders();
   const configuredTypes = new Set(configuredProviders.map((p) => p.type));
-  const annotatedChoices = Object.entries(MODEL_PROVIDER_TYPES).map(
-    ([type3, config2]) => {
-      const isConfigured = configuredTypes.has(type3);
-      const isExperimental = hasAuthMethods(type3);
-      let title = config2.label;
-      if (isConfigured) {
-        title = `${title} \u2713`;
-      }
-      if (isExperimental) {
-        title = `${title} ${chalk53.dim("(experimental)")}`;
-      }
-      return {
-        title,
-        value: type3
-      };
+  const annotatedChoices = getSelectableProviderTypes().map((type3) => {
+    const config2 = MODEL_PROVIDER_TYPES[type3];
+    const isConfigured = configuredTypes.has(type3);
+    const isExperimental = hasAuthMethods(type3);
+    let title = config2.label;
+    if (isConfigured) {
+      title = `${title} \u2713`;
     }
-  );
+    if (isExperimental) {
+      title = `${title} ${chalk53.dim("(experimental)")}`;
+    }
+    return {
+      title,
+      value: type3
+    };
+  });
   const typeResponse = await prompts3(
     {
       type: "select",
@@ -14244,7 +14882,9 @@ async function handleInteractiveMode() {
   }
   const config = MODEL_PROVIDER_TYPES[type2];
   console.log();
-  console.log(chalk53.dim(config.helpText));
+  if ("helpText" in config) {
+    console.log(chalk53.dim(config.helpText));
+  }
   console.log();
   if (hasAuthMethods(type2)) {
     const authMethod = await promptForAuthMethod(type2);
@@ -14446,7 +15086,6 @@ function cleanComposeContent(content) {
       cleaned.experimental_capabilities = agent.experimental_capabilities;
     if (agent.experimental_firewalls)
       cleaned.experimental_firewalls = agent.experimental_firewalls;
-    if (agent.metadata) cleaned.metadata = agent.metadata;
     agents[name] = cleaned;
   }
   const result = {
@@ -14598,7 +15237,7 @@ var listCommand9 = new Command65().name("list").alias("ls").description("List al
       );
       return;
     }
-    const nameWidth = Math.max(4, ...data.composes.map((c27) => c27.name.length));
+    const nameWidth = Math.max(4, ...data.composes.map((c29) => c29.name.length));
     const header = ["NAME".padEnd(nameWidth), "VERSION", "UPDATED"].join(
       "  "
     );
@@ -15199,7 +15838,7 @@ async function gatherFrequency(optionFrequency, existingFrequency) {
   if (!isInteractive()) {
     throw new Error("--frequency is required (daily|weekly|monthly|once|loop)");
   }
-  const defaultIndex = existingFrequency ? FREQUENCY_CHOICES.findIndex((c27) => c27.value === existingFrequency) : 0;
+  const defaultIndex = existingFrequency ? FREQUENCY_CHOICES.findIndex((c29) => c29.value === existingFrequency) : 0;
   frequency = await promptSelect(
     "Schedule frequency",
     FREQUENCY_CHOICES,
@@ -15224,7 +15863,7 @@ async function gatherDay(frequency, optionDay, existingDay) {
     throw new Error("--day is required for weekly/monthly");
   }
   if (frequency === "weekly") {
-    const defaultDayIndex = existingDay !== void 0 ? DAY_OF_WEEK_CHOICES.findIndex((c27) => c27.value === existingDay) : 0;
+    const defaultDayIndex = existingDay !== void 0 ? DAY_OF_WEEK_CHOICES.findIndex((c29) => c29.value === existingDay) : 0;
     const day2 = await promptSelect(
       "Day of week",
       DAY_OF_WEEK_CHOICES,
@@ -16674,7 +17313,7 @@ import chalk76 from "chalk";
 var listCommand13 = new Command86().name("list").alias("ls").description("List all connectors and their status").action(
   withErrorHandler(async () => {
     const result = await listConnectors();
-    const connectedMap = new Map(result.connectors.map((c27) => [c27.type, c27]));
+    const connectedMap = new Map(result.connectors.map((c29) => [c29.type, c29]));
     const allTypesRaw = Object.keys(CONNECTOR_TYPES);
     const allTypes = [];
     for (const type2 of allTypesRaw) {
@@ -17043,7 +17682,7 @@ function getProviderChoices() {
     return {
       type: type2,
       label: config.label,
-      helpText: config.helpText,
+      helpText: "helpText" in config ? config.helpText : "",
       secretLabel: "secretLabel" in config ? config.secretLabel : "",
       models: getModels(type2),
       defaultModel: getDefaultModel(type2)
@@ -17235,16 +17874,16 @@ async function handleModelProvider(ctx) {
     const providerType = await step.prompt(
       () => promptSelect(
         "Select provider type:",
-        choices.map((c27) => ({
-          title: c27.label,
-          value: c27.type
+        choices.map((c29) => ({
+          title: c29.label,
+          value: c29.type
         }))
       )
     );
     if (!providerType) {
       process.exit(0);
     }
-    const selectedChoice = choices.find((c27) => c27.type === providerType);
+    const selectedChoice = choices.find((c29) => c29.type === providerType);
     if (selectedChoice?.helpText) {
       for (const line of selectedChoice.helpText.split("\n")) {
         step.detail(chalk82.dim(line));
@@ -17598,13 +18237,13 @@ var upgradeCommand = new Command94().name("upgrade").description("Upgrade vm0 CL
     if (latestVersion === null) {
       throw new Error("Could not check for updates. Please try again later.");
     }
-    if (latestVersion === "9.69.1") {
-      console.log(chalk86.green(`\u2713 Already up to date (${"9.69.1"})`));
+    if (latestVersion === "9.70.1") {
+      console.log(chalk86.green(`\u2713 Already up to date (${"9.70.1"})`));
       return;
     }
     console.log(
       chalk86.yellow(
-        `Current version: ${"9.69.1"} -> Latest version: ${latestVersion}`
+        `Current version: ${"9.70.1"} -> Latest version: ${latestVersion}`
       )
     );
     console.log();
@@ -17631,7 +18270,7 @@ var upgradeCommand = new Command94().name("upgrade").description("Upgrade vm0 CL
     const success = await performUpgrade(packageManager);
     if (success) {
       console.log(
-        chalk86.green(`\u2713 Upgraded from ${"9.69.1"} to ${latestVersion}`)
+        chalk86.green(`\u2713 Upgraded from ${"9.70.1"} to ${latestVersion}`)
       );
       return;
     }
@@ -17705,7 +18344,7 @@ var whoamiCommand = new Command95().name("whoami").description("Show current ide
 
 // src/index.ts
 var program = new Command96();
-program.name("vm0").description("VM0 CLI - Build and run agents with natural language").version("9.69.1");
+program.name("vm0").description("VM0 CLI - Build and run agents with natural language").version("9.70.1");
 program.addCommand(authCommand);
 program.addCommand(infoCommand);
 program.addCommand(composeCommand);