@vm0/runner 2.11.1 → 2.13.0

package/index.js

@@ -5,8 +5,8 @@ import { program } from "commander";
 
 // src/commands/start.ts
 import { Command } from "commander";
-import { writeFileSync } from "fs";
-import { dirname, join } from "path";
+import { writeFileSync as writeFileSync2 } from "fs";
+import { dirname, join as join2 } from "path";
 
 // src/lib/config.ts
 import { z } from "zod";
@@ -187,12 +187,12 @@ async function completeJob(apiUrl, context, exitCode, error) {
 }
 
 // src/lib/executor.ts
-import path4 from "path";
+import path5 from "path";
 
 // src/lib/firecracker/vm.ts
 import { execSync as execSync2, spawn } from "child_process";
-import fs2 from "fs";
-import path from "path";
+import fs3 from "fs";
+import path2 from "path";
 import readline from "readline";
 
 // src/lib/firecracker/client.ts
@@ -205,7 +205,7 @@ var FirecrackerClient = class {
   /**
    * Make HTTP request to Firecracker API
    */
-  async request(method, path5, body) {
+  async request(method, path7, body) {
     return new Promise((resolve, reject) => {
       const bodyStr = body !== void 0 ? JSON.stringify(body) : void 0;
       const headers = {
@@ -218,11 +218,11 @@ var FirecrackerClient = class {
         headers["Content-Length"] = Buffer.byteLength(bodyStr);
       }
       console.log(
-        `[FC API] ${method} ${path5}${bodyStr ? ` (${Buffer.byteLength(bodyStr)} bytes)` : ""}`
+        `[FC API] ${method} ${path7}${bodyStr ? ` (${Buffer.byteLength(bodyStr)} bytes)` : ""}`
       );
       const options = {
         socketPath: this.socketPath,
-        path: path5,
+        path: path7,
         method,
         headers,
         // Disable agent to ensure fresh connection for each request
@@ -356,10 +356,214 @@ var FirecrackerClient = class {
 };
 
 // src/lib/firecracker/network.ts
-import { execSync, exec } from "child_process";
+import { execSync, exec as exec2 } from "child_process";
+import { promisify as promisify2 } from "util";
+
+// src/lib/firecracker/ip-pool.ts
+import { exec } from "child_process";
 import { promisify } from "util";
+import * as fs2 from "fs";
+import * as path from "path";
 var execAsync = promisify(exec);
+var VM0_RUN_DIR = "/var/run/vm0";
+var REGISTRY_FILE_PATH = path.join(VM0_RUN_DIR, "ip-registry.json");
 var BRIDGE_NAME = "vm0br0";
+var IP_PREFIX = "172.16.0.";
+var IP_START = 2;
+var IP_END = 254;
+var LOCK_TIMEOUT_MS = 1e4;
+var LOCK_RETRY_INTERVAL_MS = 100;
+var ALLOCATION_GRACE_PERIOD_MS = 3e4;
+async function ensureRunDir() {
+  if (!fs2.existsSync(VM0_RUN_DIR)) {
+    await execAsync(`sudo mkdir -p ${VM0_RUN_DIR}`);
+    await execAsync(`sudo chmod 777 ${VM0_RUN_DIR}`);
+  }
+}
+async function withLock(fn) {
+  await ensureRunDir();
+  const lockMarker = path.join(VM0_RUN_DIR, "ip-pool.lock.active");
+  const startTime = Date.now();
+  let lockAcquired = false;
+  while (Date.now() - startTime < LOCK_TIMEOUT_MS) {
+    try {
+      fs2.writeFileSync(lockMarker, process.pid.toString(), { flag: "wx" });
+      lockAcquired = true;
+      break;
+    } catch {
+      try {
+        const pidStr = fs2.readFileSync(lockMarker, "utf-8");
+        const pid = parseInt(pidStr, 10);
+        try {
+          process.kill(pid, 0);
+        } catch {
+          fs2.unlinkSync(lockMarker);
+          continue;
+        }
+      } catch {
+      }
+      await new Promise(
+        (resolve) => setTimeout(resolve, LOCK_RETRY_INTERVAL_MS)
+      );
+    }
+  }
+  if (!lockAcquired) {
+    throw new Error(
+      `Failed to acquire IP pool lock after ${LOCK_TIMEOUT_MS}ms`
+    );
+  }
+  try {
+    return await fn();
+  } finally {
+    try {
+      fs2.unlinkSync(lockMarker);
+    } catch {
+    }
+  }
+}
+function readRegistry() {
+  try {
+    if (fs2.existsSync(REGISTRY_FILE_PATH)) {
+      const content = fs2.readFileSync(REGISTRY_FILE_PATH, "utf-8");
+      return JSON.parse(content);
+    }
+  } catch {
+  }
+  return { allocations: {} };
+}
+function writeRegistry(registry) {
+  fs2.writeFileSync(REGISTRY_FILE_PATH, JSON.stringify(registry, null, 2));
+}
+function getAllocations() {
+  const registry = readRegistry();
+  return new Map(Object.entries(registry.allocations));
+}
+function getIPForVm(vmId) {
+  const registry = readRegistry();
+  for (const [ip, allocation] of Object.entries(registry.allocations)) {
+    if (allocation.vmId === vmId) {
+      return ip;
+    }
+  }
+  return void 0;
+}
+async function scanTapDevices() {
+  const tapDevices = /* @__PURE__ */ new Map();
+  try {
+    const { stdout } = await execAsync(
+      `ip link show master ${BRIDGE_NAME} 2>/dev/null || true`
+    );
+    const lines = stdout.split("\n");
+    for (const line of lines) {
+      const match = line.match(/^\d+:\s+(tap[a-f0-9]+):/);
+      if (match && match[1]) {
+        const tapName = match[1];
+        const vmIdPrefix = tapName.substring(3);
+        tapDevices.set(tapName, vmIdPrefix);
+      }
+    }
+  } catch {
+  }
+  return tapDevices;
+}
+function reconcileRegistry(registry, activeTaps) {
+  const reconciled = { allocations: {} };
+  const activeTapNames = new Set(activeTaps.keys());
+  const now = Date.now();
+  for (const [ip, allocation] of Object.entries(registry.allocations)) {
+    const allocatedTime = new Date(allocation.allocatedAt).getTime();
+    const isWithinGracePeriod = now - allocatedTime < ALLOCATION_GRACE_PERIOD_MS;
+    if (activeTapNames.has(allocation.tapDevice)) {
+      reconciled.allocations[ip] = allocation;
+    } else if (isWithinGracePeriod) {
+      reconciled.allocations[ip] = allocation;
+    } else {
+      console.log(
+        `[IP Pool] Removing stale allocation for ${ip} (TAP ${allocation.tapDevice} no longer exists)`
+      );
+    }
+  }
+  return reconciled;
+}
+function findFreeIP(registry) {
+  const allocatedIPs = new Set(Object.keys(registry.allocations));
+  for (let octet = IP_START; octet <= IP_END; octet++) {
+    const ip = `${IP_PREFIX}${octet}`;
+    if (!allocatedIPs.has(ip)) {
+      return ip;
+    }
+  }
+  return null;
+}
+async function allocateIP(vmId) {
+  const tapDevice = `tap${vmId.substring(0, 8)}`;
+  return withLock(async () => {
+    const registry = readRegistry();
+    const ip = findFreeIP(registry);
+    if (!ip) {
+      throw new Error(
+        "No free IP addresses available in pool (172.16.0.2-254)"
+      );
+    }
+    const allocatedCount = Object.keys(registry.allocations).length;
+    const allocatedIPs = Object.keys(registry.allocations).sort();
+    console.log(
+      `[IP Pool] Current state: ${allocatedCount} IPs allocated [${allocatedIPs.join(", ")}], assigning ${ip}`
+    );
+    registry.allocations[ip] = {
+      vmId,
+      tapDevice,
+      allocatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    writeRegistry(registry);
+    console.log(`[IP Pool] Allocated ${ip} for VM ${vmId} (TAP ${tapDevice})`);
+    return ip;
+  });
+}
+async function releaseIP(ip) {
+  return withLock(async () => {
+    const registry = readRegistry();
+    if (registry.allocations[ip]) {
+      const allocation = registry.allocations[ip];
+      delete registry.allocations[ip];
+      writeRegistry(registry);
+      console.log(
+        `[IP Pool] Released ${ip} (was allocated to VM ${allocation.vmId})`
+      );
+    } else {
+      console.log(`[IP Pool] IP ${ip} was not in registry, nothing to release`);
+    }
+  });
+}
+async function cleanupOrphanedAllocations() {
+  return withLock(async () => {
+    console.log("[IP Pool] Cleaning up orphaned allocations...");
+    const registry = readRegistry();
+    const beforeCount = Object.keys(registry.allocations).length;
+    if (beforeCount === 0) {
+      console.log("[IP Pool] No allocations in registry, nothing to clean up");
+      return;
+    }
+    const activeTaps = await scanTapDevices();
+    console.log(
+      `[IP Pool] Found ${activeTaps.size} active TAP device(s) on bridge`
+    );
+    const reconciled = reconcileRegistry(registry, activeTaps);
+    const afterCount = Object.keys(reconciled.allocations).length;
+    if (afterCount !== beforeCount) {
+      writeRegistry(reconciled);
+      console.log(
+        `[IP Pool] Cleaned up ${beforeCount - afterCount} orphaned allocation(s)`
+      );
+    } else {
+      console.log("[IP Pool] No orphaned allocations found");
+    }
+  });
+}
+
+// src/lib/firecracker/network.ts
+var execAsync2 = promisify2(exec2);
+var BRIDGE_NAME2 = "vm0br0";
 var BRIDGE_IP = "172.16.0.1";
 var BRIDGE_NETMASK = "255.255.255.0";
 var BRIDGE_CIDR = "172.16.0.0/24";
@@ -379,11 +583,6 @@ function generateMacAddress(vmId) {
   const b3 = hash & 255;
   return `02:00:00:${b1.toString(16).padStart(2, "0")}:${b2.toString(16).padStart(2, "0")}:${b3.toString(16).padStart(2, "0")}`;
 }
-function generateGuestIp(vmId) {
-  const hash = hashString(vmId);
-  const lastOctet = hash % 253 + 2;
-  return `172.16.0.${lastOctet}`;
-}
 function commandExists(cmd) {
   try {
     execSync(`which ${cmd}`, { stdio: "ignore" });
@@ -395,7 +594,7 @@ function commandExists(cmd) {
 async function execCommand(cmd, sudo = true) {
   const fullCmd = sudo ? `sudo ${cmd}` : cmd;
   try {
-    const { stdout } = await execAsync(fullCmd);
+    const { stdout } = await execAsync2(fullCmd);
     return stdout.trim();
   } catch (error) {
     const execError = error;
@@ -415,33 +614,33 @@ async function getDefaultInterface() {
 }
 async function setupForwardRules() {
   const extIface = await getDefaultInterface();
-  console.log(`Setting up FORWARD rules for ${BRIDGE_NAME} <-> ${extIface}`);
+  console.log(`Setting up FORWARD rules for ${BRIDGE_NAME2} <-> ${extIface}`);
   try {
     await execCommand(
-      `iptables -C FORWARD -i ${BRIDGE_NAME} -o ${extIface} -j ACCEPT`
+      `iptables -C FORWARD -i ${BRIDGE_NAME2} -o ${extIface} -j ACCEPT`
     );
     console.log("FORWARD outbound rule already exists");
   } catch {
     await execCommand(
-      `iptables -I FORWARD -i ${BRIDGE_NAME} -o ${extIface} -j ACCEPT`
+      `iptables -I FORWARD -i ${BRIDGE_NAME2} -o ${extIface} -j ACCEPT`
     );
     console.log("FORWARD outbound rule added");
   }
   try {
     await execCommand(
-      `iptables -C FORWARD -i ${extIface} -o ${BRIDGE_NAME} -m state --state RELATED,ESTABLISHED -j ACCEPT`
+      `iptables -C FORWARD -i ${extIface} -o ${BRIDGE_NAME2} -m state --state RELATED,ESTABLISHED -j ACCEPT`
     );
     console.log("FORWARD inbound rule already exists");
   } catch {
     await execCommand(
-      `iptables -I FORWARD -i ${extIface} -o ${BRIDGE_NAME} -m state --state RELATED,ESTABLISHED -j ACCEPT`
+      `iptables -I FORWARD -i ${extIface} -o ${BRIDGE_NAME2} -m state --state RELATED,ESTABLISHED -j ACCEPT`
     );
     console.log("FORWARD inbound rule added");
   }
 }
 async function bridgeExists() {
   try {
-    await execCommand(`ip link show ${BRIDGE_NAME}`, true);
+    await execCommand(`ip link show ${BRIDGE_NAME2}`, true);
     return true;
   } catch {
     return false;
@@ -449,16 +648,16 @@ async function bridgeExists() {
 }
 async function setupBridge() {
   if (await bridgeExists()) {
-    console.log(`Bridge ${BRIDGE_NAME} already exists`);
+    console.log(`Bridge ${BRIDGE_NAME2} already exists`);
     await setupForwardRules();
     return;
   }
-  console.log(`Creating bridge ${BRIDGE_NAME}...`);
-  await execCommand(`ip link add name ${BRIDGE_NAME} type bridge`);
+  console.log(`Creating bridge ${BRIDGE_NAME2}...`);
+  await execCommand(`ip link add name ${BRIDGE_NAME2} type bridge`);
   await execCommand(
-    `ip addr add ${BRIDGE_IP}/${BRIDGE_NETMASK} dev ${BRIDGE_NAME}`
+    `ip addr add ${BRIDGE_IP}/${BRIDGE_NETMASK} dev ${BRIDGE_NAME2}`
   );
-  await execCommand(`ip link set ${BRIDGE_NAME} up`);
+  await execCommand(`ip link set ${BRIDGE_NAME2} up`);
   await execCommand(`sysctl -w net.ipv4.ip_forward=1`);
   try {
     await execCommand(
@@ -472,7 +671,7 @@ async function setupBridge() {
     console.log("NAT rule added");
   }
   await setupForwardRules();
-  console.log(`Bridge ${BRIDGE_NAME} configured with IP ${BRIDGE_IP}`);
+  console.log(`Bridge ${BRIDGE_NAME2} configured with IP ${BRIDGE_IP}`);
 }
 async function tapDeviceExists(tapDevice) {
   try {
@@ -482,10 +681,34 @@ async function tapDeviceExists(tapDevice) {
     return false;
   }
 }
+async function clearStaleIptablesRulesForIP(ip) {
+  try {
+    const { stdout } = await execAsync2(
+      "sudo iptables -t nat -S PREROUTING 2>/dev/null || true"
+    );
+    const lines = stdout.split("\n");
+    const rulesForIP = lines.filter((line) => line.includes(`-s ${ip}`));
+    if (rulesForIP.length === 0) {
+      return;
+    }
+    console.log(
+      `Clearing ${rulesForIP.length} stale iptables rule(s) for IP ${ip}`
+    );
+    for (const rule of rulesForIP) {
+      const deleteRule = rule.replace("-A ", "-D ");
+      try {
+        await execCommand(`iptables -t nat ${deleteRule}`);
+      } catch {
+      }
+    }
+  } catch {
+  }
+}
 async function createTapDevice(vmId) {
   const tapDevice = `tap${vmId.substring(0, 8)}`;
   const guestMac = generateMacAddress(vmId);
-  const guestIp = generateGuestIp(vmId);
+  const guestIp = await allocateIP(vmId);
+  await clearStaleIptablesRulesForIP(guestIp);
   console.log(`Creating TAP device ${tapDevice} for VM ${vmId}...`);
   await setupBridge();
   if (await tapDeviceExists(tapDevice)) {
@@ -493,7 +716,7 @@ async function createTapDevice(vmId) {
     await deleteTapDevice(tapDevice);
   }
   await execCommand(`ip tuntap add ${tapDevice} mode tap`);
-  await execCommand(`ip link set ${tapDevice} master ${BRIDGE_NAME}`);
+  await execCommand(`ip link set ${tapDevice} master ${BRIDGE_NAME2}`);
   await execCommand(`ip link set ${tapDevice} up`);
   console.log(
     `TAP ${tapDevice} created: guest MAC ${guestMac}, guest IP ${guestIp}`
@@ -506,13 +729,23 @@ async function createTapDevice(vmId) {
     netmask: BRIDGE_NETMASK
   };
 }
-async function deleteTapDevice(tapDevice) {
+async function deleteTapDevice(tapDevice, guestIp) {
   if (!await tapDeviceExists(tapDevice)) {
     console.log(`TAP device ${tapDevice} does not exist, skipping delete`);
-    return;
+  } else {
+    await execCommand(`ip link delete ${tapDevice}`);
+    console.log(`TAP device ${tapDevice} deleted`);
+  }
+  if (guestIp) {
+    try {
+      await execCommand(`ip neigh del ${guestIp} dev ${BRIDGE_NAME2}`, true);
+      console.log(`ARP entry cleared for ${guestIp}`);
+    } catch {
+    }
+  }
+  if (guestIp) {
+    await releaseIP(guestIp);
   }
-  await execCommand(`ip link delete ${tapDevice}`);
-  console.log(`TAP device ${tapDevice} deleted`);
 }
 function generateNetworkBootArgs(config) {
   return `ip=${config.guestIp}::${config.gatewayIp}:${config.netmask}:vm0-guest:eth0:off`;
@@ -537,52 +770,191 @@ function checkNetworkPrerequisites() {
     errors
   };
 }
-async function setupVMProxyRules(vmIp, proxyPort) {
+async function setupVMProxyRules(vmIp, proxyPort, runnerName) {
+  const comment = `vm0:runner:${runnerName}`;
   console.log(
-    `Setting up proxy rules for VM ${vmIp} -> localhost:${proxyPort}`
+    `Setting up proxy rules for VM ${vmIp} -> localhost:${proxyPort} (comment: ${comment})`
   );
   try {
     await execCommand(
-      `iptables -t nat -C PREROUTING -s ${vmIp} -p tcp --dport 80 -j REDIRECT --to-port ${proxyPort}`
+      `iptables -t nat -C PREROUTING -s ${vmIp} -p tcp --dport 80 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
     );
     console.log(`Proxy rule for ${vmIp}:80 already exists`);
   } catch {
     await execCommand(
-      `iptables -t nat -A PREROUTING -s ${vmIp} -p tcp --dport 80 -j REDIRECT --to-port ${proxyPort}`
+      `iptables -t nat -A PREROUTING -s ${vmIp} -p tcp --dport 80 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
     );
     console.log(`Proxy rule for ${vmIp}:80 added`);
   }
   try {
     await execCommand(
-      `iptables -t nat -C PREROUTING -s ${vmIp} -p tcp --dport 443 -j REDIRECT --to-port ${proxyPort}`
+      `iptables -t nat -C PREROUTING -s ${vmIp} -p tcp --dport 443 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
     );
     console.log(`Proxy rule for ${vmIp}:443 already exists`);
   } catch {
     await execCommand(
-      `iptables -t nat -A PREROUTING -s ${vmIp} -p tcp --dport 443 -j REDIRECT --to-port ${proxyPort}`
+      `iptables -t nat -A PREROUTING -s ${vmIp} -p tcp --dport 443 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
     );
     console.log(`Proxy rule for ${vmIp}:443 added`);
   }
   console.log(`Proxy rules configured for VM ${vmIp}`);
 }
-async function removeVMProxyRules(vmIp, proxyPort) {
+async function removeVMProxyRules(vmIp, proxyPort, runnerName) {
+  const comment = `vm0:runner:${runnerName}`;
   console.log(`Removing proxy rules for VM ${vmIp}...`);
   try {
     await execCommand(
-      `iptables -t nat -D PREROUTING -s ${vmIp} -p tcp --dport 80 -j REDIRECT --to-port ${proxyPort}`
+      `iptables -t nat -D PREROUTING -s ${vmIp} -p tcp --dport 80 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
     );
     console.log(`Proxy rule for ${vmIp}:80 removed`);
   } catch {
   }
   try {
     await execCommand(
-      `iptables -t nat -D PREROUTING -s ${vmIp} -p tcp --dport 443 -j REDIRECT --to-port ${proxyPort}`
+      `iptables -t nat -D PREROUTING -s ${vmIp} -p tcp --dport 443 -j REDIRECT --to-port ${proxyPort} -m comment --comment "${comment}"`
     );
     console.log(`Proxy rule for ${vmIp}:443 removed`);
   } catch {
   }
   console.log(`Proxy rules cleanup complete for VM ${vmIp}`);
 }
+async function listTapDevices() {
+  try {
+    const result = await execCommand("ip -o link show type tuntap", false);
+    const devices = [];
+    const lines = result.split("\n");
+    for (const line of lines) {
+      const match = line.match(/^\d+:\s+(tap[a-f0-9]{8}):/);
+      if (match && match[1]) {
+        devices.push(match[1]);
+      }
+    }
+    return devices;
+  } catch {
+    return [];
+  }
+}
+async function checkBridgeStatus() {
+  try {
+    const result = await execCommand(`ip -o addr show ${BRIDGE_NAME2}`, false);
+    const ipMatch = result.match(/inet\s+(\d+\.\d+\.\d+\.\d+)/);
+    const upMatch = result.includes("UP") || result.includes("state UP");
+    return {
+      exists: true,
+      ip: ipMatch?.[1] ?? BRIDGE_IP,
+      up: upMatch
+    };
+  } catch {
+    return { exists: false };
+  }
+}
+async function isPortInUse(port) {
+  try {
+    await execCommand(`ss -tln | grep -q ":${port} "`, false);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function listIptablesNatRules() {
+  try {
+    const result = await execCommand("iptables -t nat -L PREROUTING -n", true);
+    const rules = [];
+    const lines = result.split("\n");
+    for (const line of lines) {
+      const match = line.match(
+        /REDIRECT\s+tcp\s+--\s+(172\.16\.0\.\d+)\s+\S+\s+tcp\s+dpt:(\d+)\s+redir\s+ports\s+(\d+)/
+      );
+      if (match && match[1] && match[2] && match[3]) {
+        rules.push({
+          sourceIp: match[1],
+          destPort: parseInt(match[2], 10),
+          redirectPort: parseInt(match[3], 10)
+        });
+      }
+    }
+    return rules;
+  } catch {
+    return [];
+  }
+}
+async function findOrphanedIptablesRules(rules, activeVmIps, expectedProxyPort) {
+  const orphaned = [];
+  for (const rule of rules) {
+    const isActiveVm = activeVmIps.has(rule.sourceIp);
+    const correctPort = rule.redirectPort === expectedProxyPort;
+    if (!isActiveVm || !correctPort) {
+      const portListening = await isPortInUse(rule.redirectPort);
+      if (!portListening) {
+        orphaned.push(rule);
+      }
+    }
+  }
+  return orphaned;
+}
+async function flushBridgeArpCache() {
+  console.log(`Flushing ARP cache on bridge ${BRIDGE_NAME2}...`);
+  try {
+    if (!await bridgeExists()) {
+      console.log("Bridge does not exist, skipping ARP flush");
+      return;
+    }
+    const { stdout } = await execAsync2(
+      `ip neigh show dev ${BRIDGE_NAME2} 2>/dev/null || true`
+    );
+    if (!stdout.trim()) {
+      console.log("No ARP entries on bridge");
+      return;
+    }
+    const lines = stdout.split("\n").filter((line) => line.trim());
+    let cleared = 0;
+    for (const line of lines) {
+      const match = line.match(/^(\d+\.\d+\.\d+\.\d+)\s/);
+      if (match && match[1]) {
+        const ip = match[1];
+        try {
+          await execCommand(`ip neigh del ${ip} dev ${BRIDGE_NAME2}`, true);
+          cleared++;
+        } catch {
+        }
+      }
+    }
+    console.log(`Cleared ${cleared} ARP entries from bridge`);
+  } catch (error) {
+    console.log(
+      `Warning: Could not flush ARP cache: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+  }
+}
+async function cleanupOrphanedProxyRules(runnerName) {
+  const comment = `vm0:runner:${runnerName}`;
+  console.log(`Cleaning up orphaned proxy rules for runner '${runnerName}'...`);
+  try {
+    const rules = await execCommand("iptables -t nat -S PREROUTING", false);
+    const ourRules = rules.split("\n").filter((rule) => rule.includes(comment));
+    if (ourRules.length === 0) {
+      console.log("No orphaned proxy rules found");
+      return;
+    }
+    console.log(`Found ${ourRules.length} orphaned rule(s) to clean up`);
+    for (const rule of ourRules) {
+      const deleteRule = rule.replace("-A ", "-D ");
+      try {
+        await execCommand(`iptables -t nat ${deleteRule}`);
+        console.log(`Deleted orphaned rule: ${rule.substring(0, 80)}...`);
+      } catch {
+        console.log(
+          `Failed to delete rule (may already be gone): ${rule.substring(0, 80)}...`
+        );
+      }
+    }
+    console.log("Orphaned proxy rules cleanup complete");
+  } catch (error) {
+    console.log(
+      `Warning: Could not clean up orphaned rules: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+  }
+}
 
 // src/lib/firecracker/vm.ts
 var FirecrackerVM = class {
@@ -598,8 +970,8 @@ var FirecrackerVM = class {
   constructor(config) {
     this.config = config;
     this.workDir = config.workDir || `/tmp/vm0-vm-${config.vmId}`;
-    this.socketPath = path.join(this.workDir, "firecracker.sock");
-    this.vmOverlayPath = path.join(this.workDir, "overlay.ext4");
+    this.socketPath = path2.join(this.workDir, "firecracker.sock");
+    this.vmOverlayPath = path2.join(this.workDir, "overlay.ext4");
   }
   /**
    * Get current VM state
@@ -634,15 +1006,15 @@ var FirecrackerVM = class {
       throw new Error(`Cannot start VM in state: ${this.state}`);
     }
     try {
-      fs2.mkdirSync(this.workDir, { recursive: true });
-      if (fs2.existsSync(this.socketPath)) {
-        fs2.unlinkSync(this.socketPath);
+      fs3.mkdirSync(this.workDir, { recursive: true });
+      if (fs3.existsSync(this.socketPath)) {
+        fs3.unlinkSync(this.socketPath);
       }
       console.log(`[VM ${this.config.vmId}] Creating sparse overlay file...`);
       const overlaySize = 2 * 1024 * 1024 * 1024;
-      const fd = fs2.openSync(this.vmOverlayPath, "w");
-      fs2.ftruncateSync(fd, overlaySize);
-      fs2.closeSync(fd);
+      const fd = fs3.openSync(this.vmOverlayPath, "w");
+      fs3.ftruncateSync(fd, overlaySize);
+      fs3.closeSync(fd);
       execSync2(`mkfs.ext4 -F -q "${this.vmOverlayPath}"`, { stdio: "ignore" });
       console.log(`[VM ${this.config.vmId}] Setting up network...`);
       this.networkConfig = await createTapDevice(this.config.vmId);
@@ -792,11 +1164,14 @@ var FirecrackerVM = class {
       this.process = null;
     }
     if (this.networkConfig) {
-      await deleteTapDevice(this.networkConfig.tapDevice);
+      await deleteTapDevice(
+        this.networkConfig.tapDevice,
+        this.networkConfig.guestIp
+      );
       this.networkConfig = null;
     }
-    if (fs2.existsSync(this.workDir)) {
-      fs2.rmSync(this.workDir, { recursive: true, force: true });
+    if (fs3.existsSync(this.workDir)) {
+      fs3.rmSync(this.workDir, { recursive: true, force: true });
     }
     this.client = null;
     this.state = "stopped";
@@ -830,12 +1205,12 @@ var FirecrackerVM = class {
 };
 
 // src/lib/firecracker/guest.ts
-import { exec as exec2, execSync as execSync3 } from "child_process";
-import { promisify as promisify2 } from "util";
-import fs3 from "fs";
-import path2 from "path";
+import { exec as exec3, execSync as execSync3 } from "child_process";
+import { promisify as promisify3 } from "util";
+import fs4 from "fs";
+import path3 from "path";
 import os from "os";
-var execAsync2 = promisify2(exec2);
+var execAsync3 = promisify3(exec3);
 var DEFAULT_SSH_OPTIONS = [
   "-o",
   "StrictHostKeyChecking=no",
@@ -886,7 +1261,7 @@ var SSHClient = class {
     const escapedCommand = command.replace(/'/g, "'\\''");
     const fullCmd = [...sshCmd, `'${escapedCommand}'`].join(" ");
     try {
-      const { stdout, stderr } = await execAsync2(fullCmd, {
+      const { stdout, stderr } = await execAsync3(fullCmd, {
         maxBuffer: 50 * 1024 * 1024,
         // 50MB buffer
         timeout: timeoutMs ?? 3e5
@@ -1033,11 +1408,11 @@ function createVMSSHClient(guestIp, user = "root", privateKeyPath) {
 }
 function getRunnerSSHKeyPath() {
   const runnerKeyPath = "/opt/vm0-runner/ssh/id_rsa";
-  if (fs3.existsSync(runnerKeyPath)) {
+  if (fs4.existsSync(runnerKeyPath)) {
     return runnerKeyPath;
   }
-  const userKeyPath = path2.join(os.homedir(), ".ssh", "id_rsa");
-  if (fs3.existsSync(userKeyPath)) {
+  const userKeyPath = path3.join(os.homedir(), ".ssh", "id_rsa");
+  if (fs4.existsSync(userKeyPath)) {
     return userKeyPath;
   }
   return "";
@@ -1391,8 +1766,8 @@ function getErrorMap() {
   return overrideErrorMap;
 }
 var makeIssue = (params) => {
-  const { data, path: path5, errorMaps, issueData } = params;
-  const fullPath = [...path5, ...issueData.path || []];
+  const { data, path: path7, errorMaps, issueData } = params;
+  const fullPath = [...path7, ...issueData.path || []];
   const fullIssue = {
     ...issueData,
     path: fullPath
@@ -1491,11 +1866,11 @@ var errorUtil;
   errorUtil2.toString = (message) => typeof message === "string" ? message : message === null || message === void 0 ? void 0 : message.message;
 })(errorUtil || (errorUtil = {}));
 var ParseInputLazyPath = class {
-  constructor(parent, value, path5, key) {
+  constructor(parent, value, path7, key) {
     this._cachedPath = [];
     this.parent = parent;
     this.data = value;
-    this._path = path5;
+    this._path = path7;
     this._key = key;
   }
   get path() {
@@ -4954,7 +5329,9 @@ var storedExecutionContextSchema = z4.object({
   encryptedSecrets: z4.string().nullable(),
   // AES-256-GCM encrypted secrets
   cliAgentType: z4.string(),
-  experimentalFirewall: experimentalFirewallSchema.optional()
+  experimentalFirewall: experimentalFirewallSchema.optional(),
+  // Debug flag to force real Claude in mock environments (internal use only)
+  debugNoMockClaude: z4.boolean().optional()
 });
 var executionContextSchema = z4.object({
   runId: z4.string().uuid(),
@@ -4972,7 +5349,9 @@ var executionContextSchema = z4.object({
   secretValues: z4.array(z4.string()).nullable(),
   cliAgentType: z4.string(),
   // Experimental firewall configuration
-  experimentalFirewall: experimentalFirewallSchema.optional()
+  experimentalFirewall: experimentalFirewallSchema.optional(),
+  // Debug flag to force real Claude in mock environments (internal use only)
+  debugNoMockClaude: z4.boolean().optional()
 });
 var runnersJobClaimContract = c.router({
   claim: {
@@ -5255,6 +5634,8 @@ var unifiedRunRequestSchema = z6.object({
   vars: z6.record(z6.string(), z6.string()).optional(),
   secrets: z6.record(z6.string(), z6.string()).optional(),
   volumeVersions: z6.record(z6.string(), z6.string()).optional(),
+  // Debug flag to force real Claude in mock environments (internal use only)
+  debugNoMockClaude: z6.boolean().optional(),
   // Required
   prompt: z6.string().min(1, "Missing prompt")
 });
@@ -6261,43 +6642,137 @@ var scopeContract = c9.router({
   }
 });
 
-// ../../packages/core/src/contracts/sessions.ts
+// ../../packages/core/src/contracts/credentials.ts
 import { z as z14 } from "zod";
 var c10 = initContract();
-var sessionResponseSchema = z14.object({
-  id: z14.string(),
-  agentComposeId: z14.string(),
-  agentComposeVersionId: z14.string().nullable(),
-  conversationId: z14.string().nullable(),
-  artifactName: z14.string().nullable(),
-  vars: z14.record(z14.string(), z14.string()).nullable(),
-  secretNames: z14.array(z14.string()).nullable(),
-  volumeVersions: z14.record(z14.string(), z14.string()).nullable(),
+var credentialNameSchema = z14.string().min(1, "Credential name is required").max(255, "Credential name must be at most 255 characters").regex(
+  /^[A-Z][A-Z0-9_]*$/,
+  "Credential name must contain only uppercase letters, numbers, and underscores, and must start with a letter (e.g., MY_API_KEY)"
+);
+var credentialResponseSchema = z14.object({
+  id: z14.string().uuid(),
+  name: z14.string(),
+  description: z14.string().nullable(),
   createdAt: z14.string(),
   updatedAt: z14.string()
 });
-var agentComposeSnapshotSchema = z14.object({
-  agentComposeVersionId: z14.string(),
-  vars: z14.record(z14.string(), z14.string()).optional(),
-  secretNames: z14.array(z14.string()).optional()
+var credentialListResponseSchema = z14.object({
+  credentials: z14.array(credentialResponseSchema)
+});
+var setCredentialRequestSchema = z14.object({
+  name: credentialNameSchema,
+  value: z14.string().min(1, "Credential value is required"),
+  description: z14.string().max(1e3).optional()
+});
+var credentialsMainContract = c10.router({
+  /**
+   * GET /api/credentials
+   * List all credentials for the current user's scope (metadata only)
+   */
+  list: {
+    method: "GET",
+    path: "/api/credentials",
+    responses: {
+      200: credentialListResponseSchema,
+      401: apiErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "List all credentials (metadata only)"
+  },
+  /**
+   * PUT /api/credentials
+   * Create or update a credential
+   */
+  set: {
+    method: "PUT",
+    path: "/api/credentials",
+    body: setCredentialRequestSchema,
+    responses: {
+      200: credentialResponseSchema,
+      201: credentialResponseSchema,
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "Create or update a credential"
+  }
+});
+var credentialsByNameContract = c10.router({
+  /**
+   * GET /api/credentials/:name
+   * Get a credential by name (metadata only)
+   */
+  get: {
+    method: "GET",
+    path: "/api/credentials/:name",
+    pathParams: z14.object({
+      name: credentialNameSchema
+    }),
+    responses: {
+      200: credentialResponseSchema,
+      401: apiErrorSchema,
+      404: apiErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "Get credential metadata by name"
+  },
+  /**
+   * DELETE /api/credentials/:name
+   * Delete a credential by name
+   */
+  delete: {
+    method: "DELETE",
+    path: "/api/credentials/:name",
+    pathParams: z14.object({
+      name: credentialNameSchema
+    }),
+    responses: {
+      204: z14.undefined(),
+      401: apiErrorSchema,
+      404: apiErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "Delete a credential"
+  }
 });
-var artifactSnapshotSchema2 = z14.object({
-  artifactName: z14.string(),
-  artifactVersion: z14.string()
+
+// ../../packages/core/src/contracts/sessions.ts
+import { z as z15 } from "zod";
+var c11 = initContract();
+var sessionResponseSchema = z15.object({
+  id: z15.string(),
+  agentComposeId: z15.string(),
+  agentComposeVersionId: z15.string().nullable(),
+  conversationId: z15.string().nullable(),
+  artifactName: z15.string().nullable(),
+  vars: z15.record(z15.string(), z15.string()).nullable(),
+  secretNames: z15.array(z15.string()).nullable(),
+  volumeVersions: z15.record(z15.string(), z15.string()).nullable(),
+  createdAt: z15.string(),
+  updatedAt: z15.string()
 });
-var volumeVersionsSnapshotSchema2 = z14.object({
-  versions: z14.record(z14.string(), z14.string())
+var agentComposeSnapshotSchema = z15.object({
+  agentComposeVersionId: z15.string(),
+  vars: z15.record(z15.string(), z15.string()).optional(),
+  secretNames: z15.array(z15.string()).optional()
+});
+var artifactSnapshotSchema2 = z15.object({
+  artifactName: z15.string(),
+  artifactVersion: z15.string()
 });
-var checkpointResponseSchema = z14.object({
-  id: z14.string(),
-  runId: z14.string(),
-  conversationId: z14.string(),
+var volumeVersionsSnapshotSchema2 = z15.object({
+  versions: z15.record(z15.string(), z15.string())
+});
+var checkpointResponseSchema = z15.object({
+  id: z15.string(),
+  runId: z15.string(),
+  conversationId: z15.string(),
   agentComposeSnapshot: agentComposeSnapshotSchema,
   artifactSnapshot: artifactSnapshotSchema2.nullable(),
   volumeVersionsSnapshot: volumeVersionsSnapshotSchema2.nullable(),
-  createdAt: z14.string()
+  createdAt: z15.string()
 });
-var sessionsByIdContract = c10.router({
+var sessionsByIdContract = c11.router({
   /**
    * GET /api/agent/sessions/:id
    * Get session by ID
@@ -6305,8 +6780,8 @@ var sessionsByIdContract = c10.router({
   getById: {
     method: "GET",
     path: "/api/agent/sessions/:id",
-    pathParams: z14.object({
-      id: z14.string().min(1, "Session ID is required")
+    pathParams: z15.object({
+      id: z15.string().min(1, "Session ID is required")
     }),
     responses: {
       200: sessionResponseSchema,
@@ -6317,7 +6792,7 @@ var sessionsByIdContract = c10.router({
     summary: "Get session by ID"
   }
 });
-var checkpointsByIdContract = c10.router({
+var checkpointsByIdContract = c11.router({
   /**
    * GET /api/agent/checkpoints/:id
    * Get checkpoint by ID
@@ -6325,8 +6800,8 @@ var checkpointsByIdContract = c10.router({
   getById: {
     method: "GET",
     path: "/api/agent/checkpoints/:id",
-    pathParams: z14.object({
-      id: z14.string().min(1, "Checkpoint ID is required")
+    pathParams: z15.object({
+      id: z15.string().min(1, "Checkpoint ID is required")
     }),
     responses: {
       200: checkpointResponseSchema,
@@ -6339,91 +6814,91 @@ var checkpointsByIdContract = c10.router({
 });
 
 // ../../packages/core/src/contracts/schedules.ts
-import { z as z15 } from "zod";
-var c11 = initContract();
-var scheduleTriggerSchema = z15.object({
-  cron: z15.string().optional(),
-  at: z15.string().optional(),
-  timezone: z15.string().default("UTC")
+import { z as z16 } from "zod";
+var c12 = initContract();
+var scheduleTriggerSchema = z16.object({
+  cron: z16.string().optional(),
+  at: z16.string().optional(),
+  timezone: z16.string().default("UTC")
 }).refine((data) => data.cron && !data.at || !data.cron && data.at, {
   message: "Exactly one of 'cron' or 'at' must be specified"
 });
-var scheduleRunConfigSchema = z15.object({
-  agent: z15.string().min(1, "Agent reference required"),
-  prompt: z15.string().min(1, "Prompt required"),
-  vars: z15.record(z15.string(), z15.string()).optional(),
-  secrets: z15.record(z15.string(), z15.string()).optional(),
-  artifactName: z15.string().optional(),
-  artifactVersion: z15.string().optional(),
-  volumeVersions: z15.record(z15.string(), z15.string()).optional()
+var scheduleRunConfigSchema = z16.object({
+  agent: z16.string().min(1, "Agent reference required"),
+  prompt: z16.string().min(1, "Prompt required"),
+  vars: z16.record(z16.string(), z16.string()).optional(),
+  secrets: z16.record(z16.string(), z16.string()).optional(),
+  artifactName: z16.string().optional(),
+  artifactVersion: z16.string().optional(),
+  volumeVersions: z16.record(z16.string(), z16.string()).optional()
 });
-var scheduleDefinitionSchema = z15.object({
+var scheduleDefinitionSchema = z16.object({
   on: scheduleTriggerSchema,
   run: scheduleRunConfigSchema
 });
-var scheduleYamlSchema = z15.object({
-  version: z15.literal("1.0"),
-  schedules: z15.record(z15.string(), scheduleDefinitionSchema)
-});
-var deployScheduleRequestSchema = z15.object({
-  name: z15.string().min(1).max(64, "Schedule name max 64 chars"),
-  cronExpression: z15.string().optional(),
-  atTime: z15.string().optional(),
-  timezone: z15.string().default("UTC"),
-  prompt: z15.string().min(1, "Prompt required"),
-  vars: z15.record(z15.string(), z15.string()).optional(),
-  secrets: z15.record(z15.string(), z15.string()).optional(),
-  artifactName: z15.string().optional(),
-  artifactVersion: z15.string().optional(),
-  volumeVersions: z15.record(z15.string(), z15.string()).optional(),
+var scheduleYamlSchema = z16.object({
+  version: z16.literal("1.0"),
+  schedules: z16.record(z16.string(), scheduleDefinitionSchema)
+});
+var deployScheduleRequestSchema = z16.object({
+  name: z16.string().min(1).max(64, "Schedule name max 64 chars"),
+  cronExpression: z16.string().optional(),
+  atTime: z16.string().optional(),
+  timezone: z16.string().default("UTC"),
+  prompt: z16.string().min(1, "Prompt required"),
+  vars: z16.record(z16.string(), z16.string()).optional(),
+  secrets: z16.record(z16.string(), z16.string()).optional(),
+  artifactName: z16.string().optional(),
+  artifactVersion: z16.string().optional(),
+  volumeVersions: z16.record(z16.string(), z16.string()).optional(),
   // Resolved agent compose ID (CLI resolves scope/name:version → composeId)
-  composeId: z15.string().uuid("Invalid compose ID")
+  composeId: z16.string().uuid("Invalid compose ID")
 }).refine(
   (data) => data.cronExpression && !data.atTime || !data.cronExpression && data.atTime,
   {
     message: "Exactly one of 'cronExpression' or 'atTime' must be specified"
   }
 );
-var scheduleResponseSchema = z15.object({
-  id: z15.string().uuid(),
-  composeId: z15.string().uuid(),
-  composeName: z15.string(),
-  scopeSlug: z15.string(),
-  name: z15.string(),
-  cronExpression: z15.string().nullable(),
-  atTime: z15.string().nullable(),
-  timezone: z15.string(),
-  prompt: z15.string(),
-  vars: z15.record(z15.string(), z15.string()).nullable(),
+var scheduleResponseSchema = z16.object({
+  id: z16.string().uuid(),
+  composeId: z16.string().uuid(),
+  composeName: z16.string(),
+  scopeSlug: z16.string(),
+  name: z16.string(),
+  cronExpression: z16.string().nullable(),
+  atTime: z16.string().nullable(),
+  timezone: z16.string(),
+  prompt: z16.string(),
+  vars: z16.record(z16.string(), z16.string()).nullable(),
   // Secret names only (values are never returned)
-  secretNames: z15.array(z15.string()).nullable(),
-  artifactName: z15.string().nullable(),
-  artifactVersion: z15.string().nullable(),
-  volumeVersions: z15.record(z15.string(), z15.string()).nullable(),
-  enabled: z15.boolean(),
-  nextRunAt: z15.string().nullable(),
-  createdAt: z15.string(),
-  updatedAt: z15.string()
-});
-var runSummarySchema = z15.object({
-  id: z15.string().uuid(),
-  status: z15.enum(["pending", "running", "completed", "failed", "timeout"]),
-  createdAt: z15.string(),
-  completedAt: z15.string().nullable(),
-  error: z15.string().nullable()
-});
-var scheduleRunsResponseSchema = z15.object({
-  runs: z15.array(runSummarySchema)
-});
-var scheduleListResponseSchema = z15.object({
-  schedules: z15.array(scheduleResponseSchema)
-});
-var deployScheduleResponseSchema = z15.object({
+  secretNames: z16.array(z16.string()).nullable(),
+  artifactName: z16.string().nullable(),
+  artifactVersion: z16.string().nullable(),
+  volumeVersions: z16.record(z16.string(), z16.string()).nullable(),
+  enabled: z16.boolean(),
+  nextRunAt: z16.string().nullable(),
+  createdAt: z16.string(),
+  updatedAt: z16.string()
+});
+var runSummarySchema = z16.object({
+  id: z16.string().uuid(),
+  status: z16.enum(["pending", "running", "completed", "failed", "timeout"]),
+  createdAt: z16.string(),
+  completedAt: z16.string().nullable(),
+  error: z16.string().nullable()
+});
+var scheduleRunsResponseSchema = z16.object({
+  runs: z16.array(runSummarySchema)
+});
+var scheduleListResponseSchema = z16.object({
+  schedules: z16.array(scheduleResponseSchema)
+});
+var deployScheduleResponseSchema = z16.object({
   schedule: scheduleResponseSchema,
-  created: z15.boolean()
+  created: z16.boolean()
   // true if created, false if updated
 });
-var schedulesMainContract = c11.router({
+var schedulesMainContract = c12.router({
   /**
    * POST /api/agent/schedules
    * Deploy (create or update) a schedule
@@ -6459,7 +6934,7 @@ var schedulesMainContract = c11.router({
     summary: "List all schedules"
   }
 });
-var schedulesByNameContract = c11.router({
+var schedulesByNameContract = c12.router({
   /**
    * GET /api/agent/schedules/:name
    * Get schedule by name
@@ -6467,11 +6942,11 @@ var schedulesByNameContract = c11.router({
   getByName: {
     method: "GET",
     path: "/api/agent/schedules/:name",
-    pathParams: z15.object({
-      name: z15.string().min(1, "Schedule name required")
+    pathParams: z16.object({
+      name: z16.string().min(1, "Schedule name required")
     }),
-    query: z15.object({
-      composeId: z15.string().uuid("Compose ID required")
+    query: z16.object({
+      composeId: z16.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -6487,21 +6962,21 @@ var schedulesByNameContract = c11.router({
   delete: {
     method: "DELETE",
     path: "/api/agent/schedules/:name",
-    pathParams: z15.object({
-      name: z15.string().min(1, "Schedule name required")
+    pathParams: z16.object({
+      name: z16.string().min(1, "Schedule name required")
     }),
-    query: z15.object({
-      composeId: z15.string().uuid("Compose ID required")
+    query: z16.object({
+      composeId: z16.string().uuid("Compose ID required")
     }),
     responses: {
-      204: z15.undefined(),
+      204: z16.undefined(),
       401: apiErrorSchema,
       404: apiErrorSchema
     },
     summary: "Delete schedule"
   }
 });
-var schedulesEnableContract = c11.router({
+var schedulesEnableContract = c12.router({
   /**
    * POST /api/agent/schedules/:name/enable
    * Enable a disabled schedule
@@ -6509,11 +6984,11 @@ var schedulesEnableContract = c11.router({
   enable: {
     method: "POST",
     path: "/api/agent/schedules/:name/enable",
-    pathParams: z15.object({
-      name: z15.string().min(1, "Schedule name required")
+    pathParams: z16.object({
+      name: z16.string().min(1, "Schedule name required")
     }),
-    body: z15.object({
-      composeId: z15.string().uuid("Compose ID required")
+    body: z16.object({
+      composeId: z16.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -6529,11 +7004,11 @@ var schedulesEnableContract = c11.router({
   disable: {
     method: "POST",
     path: "/api/agent/schedules/:name/disable",
-    pathParams: z15.object({
-      name: z15.string().min(1, "Schedule name required")
+    pathParams: z16.object({
+      name: z16.string().min(1, "Schedule name required")
     }),
-    body: z15.object({
-      composeId: z15.string().uuid("Compose ID required")
+    body: z16.object({
+      composeId: z16.string().uuid("Compose ID required")
     }),
     responses: {
       200: scheduleResponseSchema,
@@ -6543,7 +7018,7 @@ var schedulesEnableContract = c11.router({
     summary: "Disable schedule"
   }
 });
-var scheduleRunsContract = c11.router({
+var scheduleRunsContract = c12.router({
   /**
    * GET /api/agent/schedules/:name/runs
    * List recent runs for a schedule
@@ -6551,12 +7026,12 @@ var scheduleRunsContract = c11.router({
   listRuns: {
     method: "GET",
     path: "/api/agent/schedules/:name/runs",
-    pathParams: z15.object({
-      name: z15.string().min(1, "Schedule name required")
+    pathParams: z16.object({
+      name: z16.string().min(1, "Schedule name required")
     }),
-    query: z15.object({
-      composeId: z15.string().uuid("Compose ID required"),
-      limit: z15.coerce.number().min(0).max(100).default(5)
+    query: z16.object({
+      composeId: z16.string().uuid("Compose ID required"),
+      limit: z16.coerce.number().min(0).max(100).default(5)
     }),
     responses: {
       200: scheduleRunsResponseSchema,
@@ -6568,8 +7043,8 @@ var scheduleRunsContract = c11.router({
 });
 
 // ../../packages/core/src/contracts/public/common.ts
-import { z as z16 } from "zod";
-var publicApiErrorTypeSchema = z16.enum([
+import { z as z17 } from "zod";
+var publicApiErrorTypeSchema = z17.enum([
   "api_error",
   // Internal server error (5xx)
   "invalid_request_error",
@@ -6581,55 +7056,55 @@ var publicApiErrorTypeSchema = z16.enum([
   "conflict_error"
   // Resource conflict (409)
 ]);
-var publicApiErrorSchema = z16.object({
-  error: z16.object({
+var publicApiErrorSchema = z17.object({
+  error: z17.object({
     type: publicApiErrorTypeSchema,
-    code: z16.string(),
-    message: z16.string(),
-    param: z16.string().optional(),
-    doc_url: z16.string().url().optional()
+    code: z17.string(),
+    message: z17.string(),
+    param: z17.string().optional(),
+    doc_url: z17.string().url().optional()
   })
 });
-var paginationSchema = z16.object({
-  has_more: z16.boolean(),
-  next_cursor: z16.string().nullable()
+var paginationSchema = z17.object({
+  has_more: z17.boolean(),
+  next_cursor: z17.string().nullable()
 });
 function createPaginatedResponseSchema(dataSchema) {
-  return z16.object({
-    data: z16.array(dataSchema),
+  return z17.object({
+    data: z17.array(dataSchema),
     pagination: paginationSchema
   });
 }
-var listQuerySchema = z16.object({
-  cursor: z16.string().optional(),
-  limit: z16.coerce.number().min(1).max(100).default(20)
+var listQuerySchema = z17.object({
+  cursor: z17.string().optional(),
+  limit: z17.coerce.number().min(1).max(100).default(20)
 });
-var requestIdSchema = z16.string().uuid();
-var timestampSchema = z16.string().datetime();
+var requestIdSchema = z17.string().uuid();
+var timestampSchema = z17.string().datetime();
 
 // ../../packages/core/src/contracts/public/agents.ts
-import { z as z17 } from "zod";
-var c12 = initContract();
-var publicAgentSchema = z17.object({
-  id: z17.string(),
-  name: z17.string(),
-  current_version_id: z17.string().nullable(),
+import { z as z18 } from "zod";
+var c13 = initContract();
+var publicAgentSchema = z18.object({
+  id: z18.string(),
+  name: z18.string(),
+  current_version_id: z18.string().nullable(),
   created_at: timestampSchema,
   updated_at: timestampSchema
 });
-var agentVersionSchema = z17.object({
-  id: z17.string(),
-  agent_id: z17.string(),
-  version_number: z17.number(),
+var agentVersionSchema = z18.object({
+  id: z18.string(),
+  agent_id: z18.string(),
+  version_number: z18.number(),
   created_at: timestampSchema
 });
 var publicAgentDetailSchema = publicAgentSchema;
 var paginatedAgentsSchema = createPaginatedResponseSchema(publicAgentSchema);
 var paginatedAgentVersionsSchema = createPaginatedResponseSchema(agentVersionSchema);
 var agentListQuerySchema = listQuerySchema.extend({
-  name: z17.string().optional()
+  name: z18.string().optional()
 });
-var publicAgentsListContract = c12.router({
+var publicAgentsListContract = c13.router({
   list: {
     method: "GET",
     path: "/v1/agents",
@@ -6643,12 +7118,12 @@ var publicAgentsListContract = c12.router({
     description: "List all agents in the current scope with pagination. Use the `name` query parameter to filter by agent name."
   }
 });
-var publicAgentByIdContract = c12.router({
+var publicAgentByIdContract = c13.router({
   get: {
     method: "GET",
     path: "/v1/agents/:id",
-    pathParams: z17.object({
-      id: z17.string().min(1, "Agent ID is required")
+    pathParams: z18.object({
+      id: z18.string().min(1, "Agent ID is required")
     }),
     responses: {
       200: publicAgentDetailSchema,
@@ -6660,12 +7135,12 @@ var publicAgentByIdContract = c12.router({
     description: "Get agent details by ID"
   }
 });
-var publicAgentVersionsContract = c12.router({
+var publicAgentVersionsContract = c13.router({
   list: {
     method: "GET",
     path: "/v1/agents/:id/versions",
-    pathParams: z17.object({
-      id: z17.string().min(1, "Agent ID is required")
+    pathParams: z18.object({
+      id: z18.string().min(1, "Agent ID is required")
     }),
     query: listQuerySchema,
     responses: {
@@ -6680,9 +7155,9 @@ var publicAgentVersionsContract = c12.router({
 });
 
 // ../../packages/core/src/contracts/public/runs.ts
-import { z as z18 } from "zod";
-var c13 = initContract();
-var publicRunStatusSchema = z18.enum([
+import { z as z19 } from "zod";
+var c14 = initContract();
+var publicRunStatusSchema = z19.enum([
   "pending",
   "running",
   "completed",
@@ -6690,56 +7165,56 @@ var publicRunStatusSchema = z18.enum([
   "timeout",
   "cancelled"
 ]);
-var publicRunSchema = z18.object({
-  id: z18.string(),
-  agent_id: z18.string(),
-  agent_name: z18.string(),
+var publicRunSchema = z19.object({
+  id: z19.string(),
+  agent_id: z19.string(),
+  agent_name: z19.string(),
   status: publicRunStatusSchema,
-  prompt: z18.string(),
+  prompt: z19.string(),
   created_at: timestampSchema,
   started_at: timestampSchema.nullable(),
   completed_at: timestampSchema.nullable()
 });
 var publicRunDetailSchema = publicRunSchema.extend({
-  error: z18.string().nullable(),
-  execution_time_ms: z18.number().nullable(),
-  checkpoint_id: z18.string().nullable(),
-  session_id: z18.string().nullable(),
-  artifact_name: z18.string().nullable(),
-  artifact_version: z18.string().nullable(),
-  volumes: z18.record(z18.string(), z18.string()).optional()
+  error: z19.string().nullable(),
+  execution_time_ms: z19.number().nullable(),
+  checkpoint_id: z19.string().nullable(),
+  session_id: z19.string().nullable(),
+  artifact_name: z19.string().nullable(),
+  artifact_version: z19.string().nullable(),
+  volumes: z19.record(z19.string(), z19.string()).optional()
 });
 var paginatedRunsSchema = createPaginatedResponseSchema(publicRunSchema);
-var createRunRequestSchema = z18.object({
+var createRunRequestSchema = z19.object({
   // Agent identification (one of: agent, agent_id, session_id, checkpoint_id)
-  agent: z18.string().optional(),
+  agent: z19.string().optional(),
   // Agent name
-  agent_id: z18.string().optional(),
+  agent_id: z19.string().optional(),
   // Agent ID
-  agent_version: z18.string().optional(),
+  agent_version: z19.string().optional(),
   // Version specifier (e.g., "latest", "v1", specific ID)
   // Continue session
-  session_id: z18.string().optional(),
+  session_id: z19.string().optional(),
   // Resume from checkpoint
-  checkpoint_id: z18.string().optional(),
+  checkpoint_id: z19.string().optional(),
   // Required
-  prompt: z18.string().min(1, "Prompt is required"),
+  prompt: z19.string().min(1, "Prompt is required"),
   // Optional configuration
-  variables: z18.record(z18.string(), z18.string()).optional(),
-  secrets: z18.record(z18.string(), z18.string()).optional(),
-  artifact_name: z18.string().optional(),
+  variables: z19.record(z19.string(), z19.string()).optional(),
+  secrets: z19.record(z19.string(), z19.string()).optional(),
+  artifact_name: z19.string().optional(),
   // Artifact name to mount
-  artifact_version: z18.string().optional(),
+  artifact_version: z19.string().optional(),
   // Artifact version (defaults to latest)
-  volumes: z18.record(z18.string(), z18.string()).optional()
+  volumes: z19.record(z19.string(), z19.string()).optional()
   // volume_name -> version
 });
 var runListQuerySchema = listQuerySchema.extend({
-  agent_id: z18.string().optional(),
+  agent_id: z19.string().optional(),
   status: publicRunStatusSchema.optional(),
   since: timestampSchema.optional()
 });
-var publicRunsListContract = c13.router({
+var publicRunsListContract = c14.router({
   list: {
     method: "GET",
     path: "/v1/runs",
@@ -6768,12 +7243,12 @@ var publicRunsListContract = c13.router({
     description: "Create and execute a new agent run. Returns 202 Accepted as runs execute asynchronously."
   }
 });
-var publicRunByIdContract = c13.router({
+var publicRunByIdContract = c14.router({
   get: {
     method: "GET",
     path: "/v1/runs/:id",
-    pathParams: z18.object({
-      id: z18.string().min(1, "Run ID is required")
+    pathParams: z19.object({
+      id: z19.string().min(1, "Run ID is required")
     }),
     responses: {
       200: publicRunDetailSchema,
@@ -6785,14 +7260,14 @@ var publicRunByIdContract = c13.router({
     description: "Get run details by ID"
   }
 });
-var publicRunCancelContract = c13.router({
+var publicRunCancelContract = c14.router({
   cancel: {
     method: "POST",
     path: "/v1/runs/:id/cancel",
-    pathParams: z18.object({
-      id: z18.string().min(1, "Run ID is required")
+    pathParams: z19.object({
+      id: z19.string().min(1, "Run ID is required")
     }),
-    body: z18.undefined(),
+    body: z19.undefined(),
     responses: {
       200: publicRunDetailSchema,
       400: publicApiErrorSchema,
@@ -6805,26 +7280,26 @@ var publicRunCancelContract = c13.router({
     description: "Cancel a pending or running execution"
   }
 });
-var logEntrySchema = z18.object({
+var logEntrySchema = z19.object({
   timestamp: timestampSchema,
-  type: z18.enum(["agent", "system", "network"]),
-  level: z18.enum(["debug", "info", "warn", "error"]),
-  message: z18.string(),
-  metadata: z18.record(z18.string(), z18.unknown()).optional()
+  type: z19.enum(["agent", "system", "network"]),
+  level: z19.enum(["debug", "info", "warn", "error"]),
+  message: z19.string(),
+  metadata: z19.record(z19.string(), z19.unknown()).optional()
 });
 var paginatedLogsSchema = createPaginatedResponseSchema(logEntrySchema);
 var logsQuerySchema = listQuerySchema.extend({
-  type: z18.enum(["agent", "system", "network", "all"]).default("all"),
+  type: z19.enum(["agent", "system", "network", "all"]).default("all"),
   since: timestampSchema.optional(),
   until: timestampSchema.optional(),
-  order: z18.enum(["asc", "desc"]).default("asc")
+  order: z19.enum(["asc", "desc"]).default("asc")
 });
-var publicRunLogsContract = c13.router({
+var publicRunLogsContract = c14.router({
   getLogs: {
     method: "GET",
     path: "/v1/runs/:id/logs",
-    pathParams: z18.object({
-      id: z18.string().min(1, "Run ID is required")
+    pathParams: z19.object({
+      id: z19.string().min(1, "Run ID is required")
     }),
     query: logsQuerySchema,
     responses: {
@@ -6837,29 +7312,29 @@ var publicRunLogsContract = c13.router({
     description: "Get unified logs for a run. Combines agent, system, and network logs."
   }
 });
-var metricPointSchema = z18.object({
+var metricPointSchema = z19.object({
   timestamp: timestampSchema,
-  cpu_percent: z18.number(),
-  memory_used_mb: z18.number(),
-  memory_total_mb: z18.number(),
-  disk_used_mb: z18.number(),
-  disk_total_mb: z18.number()
-});
-var metricsSummarySchema = z18.object({
-  avg_cpu_percent: z18.number(),
-  max_memory_used_mb: z18.number(),
-  total_duration_ms: z18.number().nullable()
-});
-var metricsResponseSchema2 = z18.object({
-  data: z18.array(metricPointSchema),
+  cpu_percent: z19.number(),
+  memory_used_mb: z19.number(),
+  memory_total_mb: z19.number(),
+  disk_used_mb: z19.number(),
+  disk_total_mb: z19.number()
+});
+var metricsSummarySchema = z19.object({
+  avg_cpu_percent: z19.number(),
+  max_memory_used_mb: z19.number(),
+  total_duration_ms: z19.number().nullable()
+});
+var metricsResponseSchema2 = z19.object({
+  data: z19.array(metricPointSchema),
   summary: metricsSummarySchema
 });
-var publicRunMetricsContract = c13.router({
+var publicRunMetricsContract = c14.router({
   getMetrics: {
     method: "GET",
     path: "/v1/runs/:id/metrics",
-    pathParams: z18.object({
-      id: z18.string().min(1, "Run ID is required")
+    pathParams: z19.object({
+      id: z19.string().min(1, "Run ID is required")
     }),
     responses: {
       200: metricsResponseSchema2,
@@ -6871,7 +7346,7 @@ var publicRunMetricsContract = c13.router({
     description: "Get CPU, memory, and disk metrics for a run"
   }
 });
-var sseEventTypeSchema = z18.enum([
+var sseEventTypeSchema = z19.enum([
   "status",
   // Run status change
   "output",
@@ -6883,25 +7358,25 @@ var sseEventTypeSchema = z18.enum([
   "heartbeat"
   // Keep-alive
 ]);
-var sseEventSchema = z18.object({
+var sseEventSchema = z19.object({
   event: sseEventTypeSchema,
-  data: z18.unknown(),
-  id: z18.string().optional()
+  data: z19.unknown(),
+  id: z19.string().optional()
   // For Last-Event-ID reconnection
 });
-var publicRunEventsContract = c13.router({
+var publicRunEventsContract = c14.router({
   streamEvents: {
     method: "GET",
     path: "/v1/runs/:id/events",
-    pathParams: z18.object({
-      id: z18.string().min(1, "Run ID is required")
+    pathParams: z19.object({
+      id: z19.string().min(1, "Run ID is required")
     }),
-    query: z18.object({
-      last_event_id: z18.string().optional()
+    query: z19.object({
+      last_event_id: z19.string().optional()
       // For reconnection
     }),
     responses: {
-      200: z18.any(),
+      200: z19.any(),
       // SSE stream - actual content is text/event-stream
       401: publicApiErrorSchema,
       404: publicApiErrorSchema,
@@ -6913,28 +7388,28 @@ var publicRunEventsContract = c13.router({
 });
 
 // ../../packages/core/src/contracts/public/artifacts.ts
-import { z as z19 } from "zod";
-var c14 = initContract();
-var publicArtifactSchema = z19.object({
-  id: z19.string(),
-  name: z19.string(),
-  current_version_id: z19.string().nullable(),
-  size: z19.number(),
+import { z as z20 } from "zod";
+var c15 = initContract();
+var publicArtifactSchema = z20.object({
+  id: z20.string(),
+  name: z20.string(),
+  current_version_id: z20.string().nullable(),
+  size: z20.number(),
   // Total size in bytes
-  file_count: z19.number(),
+  file_count: z20.number(),
   created_at: timestampSchema,
   updated_at: timestampSchema
 });
-var artifactVersionSchema = z19.object({
-  id: z19.string(),
+var artifactVersionSchema = z20.object({
+  id: z20.string(),
   // SHA-256 content hash
-  artifact_id: z19.string(),
-  size: z19.number(),
+  artifact_id: z20.string(),
+  size: z20.number(),
   // Size in bytes
-  file_count: z19.number(),
-  message: z19.string().nullable(),
+  file_count: z20.number(),
+  message: z20.string().nullable(),
   // Optional commit message
-  created_by: z19.string(),
+  created_by: z20.string(),
   created_at: timestampSchema
 });
 var publicArtifactDetailSchema = publicArtifactSchema.extend({
@@ -6944,7 +7419,7 @@ var paginatedArtifactsSchema = createPaginatedResponseSchema(publicArtifactSchem
 var paginatedArtifactVersionsSchema = createPaginatedResponseSchema(
   artifactVersionSchema
 );
-var publicArtifactsListContract = c14.router({
+var publicArtifactsListContract = c15.router({
   list: {
     method: "GET",
     path: "/v1/artifacts",
@@ -6958,12 +7433,12 @@ var publicArtifactsListContract = c14.router({
     description: "List all artifacts in the current scope with pagination"
   }
 });
-var publicArtifactByIdContract = c14.router({
+var publicArtifactByIdContract = c15.router({
   get: {
     method: "GET",
     path: "/v1/artifacts/:id",
-    pathParams: z19.object({
-      id: z19.string().min(1, "Artifact ID is required")
+    pathParams: z20.object({
+      id: z20.string().min(1, "Artifact ID is required")
     }),
     responses: {
       200: publicArtifactDetailSchema,
@@ -6975,12 +7450,12 @@ var publicArtifactByIdContract = c14.router({
     description: "Get artifact details by ID"
   }
 });
-var publicArtifactVersionsContract = c14.router({
+var publicArtifactVersionsContract = c15.router({
   list: {
     method: "GET",
     path: "/v1/artifacts/:id/versions",
-    pathParams: z19.object({
-      id: z19.string().min(1, "Artifact ID is required")
+    pathParams: z20.object({
+      id: z20.string().min(1, "Artifact ID is required")
     }),
     query: listQuerySchema,
     responses: {
@@ -6993,19 +7468,19 @@ var publicArtifactVersionsContract = c14.router({
     description: "List all versions of an artifact with pagination"
   }
 });
-var publicArtifactDownloadContract = c14.router({
+var publicArtifactDownloadContract = c15.router({
   download: {
     method: "GET",
     path: "/v1/artifacts/:id/download",
-    pathParams: z19.object({
-      id: z19.string().min(1, "Artifact ID is required")
+    pathParams: z20.object({
+      id: z20.string().min(1, "Artifact ID is required")
     }),
-    query: z19.object({
-      version_id: z19.string().optional()
+    query: z20.object({
+      version_id: z20.string().optional()
       // Defaults to current version
     }),
     responses: {
-      302: z19.undefined(),
+      302: z20.undefined(),
       // Redirect to presigned URL
       401: publicApiErrorSchema,
       404: publicApiErrorSchema,
@@ -7017,28 +7492,28 @@ var publicArtifactDownloadContract = c14.router({
 });
 
 // ../../packages/core/src/contracts/public/volumes.ts
-import { z as z20 } from "zod";
-var c15 = initContract();
-var publicVolumeSchema = z20.object({
-  id: z20.string(),
-  name: z20.string(),
-  current_version_id: z20.string().nullable(),
-  size: z20.number(),
+import { z as z21 } from "zod";
+var c16 = initContract();
+var publicVolumeSchema = z21.object({
+  id: z21.string(),
+  name: z21.string(),
+  current_version_id: z21.string().nullable(),
+  size: z21.number(),
   // Total size in bytes
-  file_count: z20.number(),
+  file_count: z21.number(),
   created_at: timestampSchema,
   updated_at: timestampSchema
 });
-var volumeVersionSchema = z20.object({
-  id: z20.string(),
+var volumeVersionSchema = z21.object({
+  id: z21.string(),
   // SHA-256 content hash
-  volume_id: z20.string(),
-  size: z20.number(),
+  volume_id: z21.string(),
+  size: z21.number(),
   // Size in bytes
-  file_count: z20.number(),
-  message: z20.string().nullable(),
+  file_count: z21.number(),
+  message: z21.string().nullable(),
   // Optional commit message
-  created_by: z20.string(),
+  created_by: z21.string(),
   created_at: timestampSchema
 });
 var publicVolumeDetailSchema = publicVolumeSchema.extend({
@@ -7046,7 +7521,7 @@ var publicVolumeDetailSchema = publicVolumeSchema.extend({
 });
 var paginatedVolumesSchema = createPaginatedResponseSchema(publicVolumeSchema);
 var paginatedVolumeVersionsSchema = createPaginatedResponseSchema(volumeVersionSchema);
-var publicVolumesListContract = c15.router({
+var publicVolumesListContract = c16.router({
   list: {
     method: "GET",
     path: "/v1/volumes",
@@ -7060,12 +7535,12 @@ var publicVolumesListContract = c15.router({
     description: "List all volumes in the current scope with pagination"
   }
 });
-var publicVolumeByIdContract = c15.router({
+var publicVolumeByIdContract = c16.router({
   get: {
     method: "GET",
     path: "/v1/volumes/:id",
-    pathParams: z20.object({
-      id: z20.string().min(1, "Volume ID is required")
+    pathParams: z21.object({
+      id: z21.string().min(1, "Volume ID is required")
     }),
     responses: {
       200: publicVolumeDetailSchema,
@@ -7077,12 +7552,12 @@ var publicVolumeByIdContract = c15.router({
     description: "Get volume details by ID"
   }
 });
-var publicVolumeVersionsContract = c15.router({
+var publicVolumeVersionsContract = c16.router({
   list: {
     method: "GET",
     path: "/v1/volumes/:id/versions",
-    pathParams: z20.object({
-      id: z20.string().min(1, "Volume ID is required")
+    pathParams: z21.object({
+      id: z21.string().min(1, "Volume ID is required")
     }),
     query: listQuerySchema,
     responses: {
@@ -7095,19 +7570,19 @@ var publicVolumeVersionsContract = c15.router({
     description: "List all versions of a volume with pagination"
   }
 });
-var publicVolumeDownloadContract = c15.router({
+var publicVolumeDownloadContract = c16.router({
   download: {
     method: "GET",
     path: "/v1/volumes/:id/download",
-    pathParams: z20.object({
-      id: z20.string().min(1, "Volume ID is required")
+    pathParams: z21.object({
+      id: z21.string().min(1, "Volume ID is required")
     }),
-    query: z20.object({
-      version_id: z20.string().optional()
+    query: z21.object({
+      version_id: z21.string().optional()
       // Defaults to current version
     }),
     responses: {
-      302: z20.undefined(),
+      302: z21.undefined(),
       // Redirect to presigned URL
       401: publicApiErrorSchema,
       404: publicApiErrorSchema,
@@ -7138,11 +7613,21 @@ var SCRIPT_PATHS = {
   envLoader: "/usr/local/bin/vm0-agent/env-loader.mjs"
 };
 
+// ../../packages/core/src/feature-switch.ts
+var PricingSwitch = {
+  key: "pricing" /* Pricing */,
+  maintainer: "ethan@vm0.ai",
+  enabled: false
+};
+var FEATURE_SWITCHES = {
+  ["pricing" /* Pricing */]: PricingSwitch
+};
+
 // src/lib/scripts/index.ts
 var ENV_LOADER_PATH = "/usr/local/bin/vm0-agent/env-loader.mjs";
 
 // src/lib/proxy/vm-registry.ts
-import fs4 from "fs";
+import fs5 from "fs";
 var DEFAULT_REGISTRY_PATH = "/tmp/vm0-vm-registry.json";
 var VMRegistry = class {
   registryPath;
@@ -7156,8 +7641,8 @@ var VMRegistry = class {
    */
   load() {
     try {
-      if (fs4.existsSync(this.registryPath)) {
-        const content = fs4.readFileSync(this.registryPath, "utf-8");
+      if (fs5.existsSync(this.registryPath)) {
+        const content = fs5.readFileSync(this.registryPath, "utf-8");
         return JSON.parse(content);
       }
     } catch {
@@ -7171,8 +7656,8 @@ var VMRegistry = class {
     this.data.updatedAt = Date.now();
     const content = JSON.stringify(this.data, null, 2);
     const tempPath = `${this.registryPath}.tmp`;
-    fs4.writeFileSync(tempPath, content, { mode: 420 });
-    fs4.renameSync(tempPath, this.registryPath);
+    fs5.writeFileSync(tempPath, content, { mode: 420 });
+    fs5.renameSync(tempPath, this.registryPath);
   }
   /**
    * Register a VM with its IP address
@@ -7247,8 +7732,8 @@ function initVMRegistry(registryPath) {
 
 // src/lib/proxy/proxy-manager.ts
 import { spawn as spawn2 } from "child_process";
-import fs5 from "fs";
-import path3 from "path";
+import fs6 from "fs";
+import path4 from "path";
 
 // src/lib/proxy/mitm-addon-script.ts
 var RUNNER_MITM_ADDON_SCRIPT = `#!/usr/bin/env python3
@@ -7765,11 +8250,11 @@ var ProxyManager = class {
    * Ensure the addon script exists at the configured path
    */
   ensureAddonScript() {
-    const addonDir = path3.dirname(this.config.addonPath);
-    if (!fs5.existsSync(addonDir)) {
-      fs5.mkdirSync(addonDir, { recursive: true });
+    const addonDir = path4.dirname(this.config.addonPath);
+    if (!fs6.existsSync(addonDir)) {
+      fs6.mkdirSync(addonDir, { recursive: true });
     }
-    fs5.writeFileSync(this.config.addonPath, RUNNER_MITM_ADDON_SCRIPT, {
+    fs6.writeFileSync(this.config.addonPath, RUNNER_MITM_ADDON_SCRIPT, {
       mode: 493
     });
     console.log(
@@ -7780,11 +8265,11 @@ var ProxyManager = class {
    * Validate proxy configuration
    */
   validateConfig() {
-    if (!fs5.existsSync(this.config.caDir)) {
+    if (!fs6.existsSync(this.config.caDir)) {
       throw new Error(`Proxy CA directory not found: ${this.config.caDir}`);
     }
-    const caCertPath = path3.join(this.config.caDir, "mitmproxy-ca.pem");
-    if (!fs5.existsSync(caCertPath)) {
+    const caCertPath = path4.join(this.config.caDir, "mitmproxy-ca.pem");
+    if (!fs6.existsSync(caCertPath)) {
       throw new Error(`Proxy CA certificate not found: ${caCertPath}`);
     }
     this.ensureAddonScript();
@@ -8142,7 +8627,7 @@ function buildEnvironmentVariables(context, apiUrl) {
     envVars.VERCEL_PROTECTION_BYPASS = vercelBypass;
   }
   const useMockClaude = process.env.USE_MOCK_CLAUDE;
-  if (useMockClaude) {
+  if (useMockClaude && !context.debugNoMockClaude) {
     envVars.USE_MOCK_CLAUDE = useMockClaude;
   }
   if (context.storageManifest?.artifact) {
@@ -8173,17 +8658,17 @@ function buildEnvironmentVariables(context, apiUrl) {
 }
 
 // src/lib/network-logs/network-logs.ts
-import fs6 from "fs";
+import fs7 from "fs";
 function getNetworkLogPath(runId) {
   return `/tmp/vm0-network-${runId}.jsonl`;
 }
 function readNetworkLogs(runId) {
   const logPath = getNetworkLogPath(runId);
-  if (!fs6.existsSync(logPath)) {
+  if (!fs7.existsSync(logPath)) {
     return [];
   }
   try {
-    const content = fs6.readFileSync(logPath, "utf-8");
+    const content = fs7.readFileSync(logPath, "utf-8");
     const lines = content.split("\n").filter((line) => line.trim());
     return lines.map((line) => JSON.parse(line));
   } catch (err) {
@@ -8196,8 +8681,8 @@ function readNetworkLogs(runId) {
 function cleanupNetworkLogs(runId) {
   const logPath = getNetworkLogPath(runId);
   try {
-    if (fs6.existsSync(logPath)) {
-      fs6.unlinkSync(logPath);
+    if (fs7.existsSync(logPath)) {
+      fs7.unlinkSync(logPath);
     }
   } catch (err) {
     console.error(
@@ -8240,7 +8725,7 @@ async function uploadNetworkLogs(apiUrl, sandboxToken, runId) {
 }
 
 // src/lib/vm-setup/vm-setup.ts
-import fs7 from "fs";
+import fs8 from "fs";
 
 // src/lib/scripts/utils.ts
 function getAllScripts() {
@@ -8302,12 +8787,12 @@ async function restoreSessionHistory(ssh, resumeSession, workingDir, cliAgentTyp
   );
 }
 async function installProxyCA(ssh) {
-  if (!fs7.existsSync(PROXY_CA_CERT_PATH)) {
+  if (!fs8.existsSync(PROXY_CA_CERT_PATH)) {
     throw new Error(
       `Proxy CA certificate not found at ${PROXY_CA_CERT_PATH}. Run generate-proxy-ca.sh first.`
     );
   }
-  const caCert = fs7.readFileSync(PROXY_CA_CERT_PATH, "utf-8");
+  const caCert = fs8.readFileSync(PROXY_CA_CERT_PATH, "utf-8");
   console.log(
     `[Executor] Installing proxy CA certificate (${caCert.length} bytes)`
   );
@@ -8388,7 +8873,7 @@ async function executeJob(context, config, options = {}) {
   const log = options.logger ?? ((msg) => console.log(msg));
   log(`[Executor] Starting job ${context.runId} in VM ${vmId}`);
   try {
-    const workspacesDir = path4.join(process.cwd(), "workspaces");
+    const workspacesDir = path5.join(process.cwd(), "workspaces");
     const vmConfig = {
       vmId,
       vcpus: config.sandbox.vcpu,
@@ -8396,7 +8881,7 @@ async function executeJob(context, config, options = {}) {
       kernelPath: config.firecracker.kernel,
       rootfsPath: config.firecracker.rootfs,
       firecrackerBinary: config.firecracker.binary,
-      workDir: path4.join(workspacesDir, `vm0-${vmId}`)
+      workDir: path5.join(workspacesDir, `vm0-${vmId}`)
     };
     log(`[Executor] Creating VM ${vmId}...`);
     vm = new FirecrackerVM(vmConfig);
@@ -8421,7 +8906,7 @@ async function executeJob(context, config, options = {}) {
       log(
         `[Executor] Setting up network security for VM ${guestIp} (mitm=${mitmEnabled}, sealSecrets=${sealSecretsEnabled})`
       );
-      await setupVMProxyRules(guestIp, config.proxy.port);
+      await setupVMProxyRules(guestIp, config.proxy.port, config.name);
       getVMRegistry().register(guestIp, context.runId, context.sandboxToken, {
         firewallRules: firewallConfig?.rules,
         mitmEnabled,
@@ -8592,7 +9077,7 @@ async function executeJob(context, config, options = {}) {
     if (context.experimentalFirewall?.enabled && guestIp) {
       log(`[Executor] Cleaning up network security for VM ${guestIp}`);
       try {
-        await removeVMProxyRules(guestIp, config.proxy.port);
+        await removeVMProxyRules(guestIp, config.proxy.port, config.name);
       } catch (err) {
         console.error(
           `[Executor] Failed to remove VM proxy rules: ${err instanceof Error ? err.message : "Unknown error"}`
@@ -8631,7 +9116,7 @@ function writeStatusFile(statusFilePath, mode, startedAt) {
     updated_at: (/* @__PURE__ */ new Date()).toISOString()
   };
   try {
-    writeFileSync(statusFilePath, JSON.stringify(status, null, 2));
+    writeFileSync2(statusFilePath, JSON.stringify(status, null, 2));
   } catch (err) {
     console.error(
       `Failed to write status file: ${err instanceof Error ? err.message : "Unknown error"}`
@@ -8684,6 +9169,12 @@ var startCommand = new Command("start").description("Start the runner").option("
     }
     console.log("Setting up network bridge...");
     await setupBridge();
+    console.log("Flushing bridge ARP cache...");
+    await flushBridgeArpCache();
+    console.log("Cleaning up orphaned proxy rules...");
+    await cleanupOrphanedProxyRules(config.name);
+    console.log("Cleaning up orphaned IP allocations...");
+    await cleanupOrphanedAllocations();
     console.log("Initializing network proxy...");
     initVMRegistry();
     const proxyManager = initProxyManager({
@@ -8703,7 +9194,7 @@ var startCommand = new Command("start").description("Start the runner").option("
         "Jobs with experimentalFirewall enabled will run without network interception"
       );
     }
-    const statusFilePath = join(dirname(options.config), "status.json");
+    const statusFilePath = join2(dirname(options.config), "status.json");
     const startedAt = /* @__PURE__ */ new Date();
     const state = { mode: "running" };
     const updateStatus = () => {
@@ -8833,32 +9324,493 @@ var startCommand = new Command("start").description("Start the runner").option("
   }
 });
 
-// src/commands/status.ts
+// src/commands/doctor.ts
 import { Command as Command2 } from "commander";
-var statusCommand = new Command2("status").description("Check runner connectivity to API").option("--config <path>", "Config file path", "./runner.yaml").action(async (options) => {
+import { existsSync as existsSync3, readFileSync as readFileSync3, readdirSync as readdirSync2 } from "fs";
+import { dirname as dirname2, join as join3 } from "path";
+
+// src/lib/firecracker/process.ts
+import { readdirSync, readFileSync as readFileSync2, existsSync as existsSync2 } from "fs";
+import path6 from "path";
+function parseFirecrackerCmdline(cmdline) {
+  const args = cmdline.split("\0");
+  if (!args[0]?.includes("firecracker")) return null;
+  const sockIdx = args.indexOf("--api-sock");
+  const socketPath = args[sockIdx + 1];
+  if (sockIdx === -1 || !socketPath) return null;
+  const match = socketPath.match(/vm0-([a-f0-9]+)\/firecracker\.sock$/);
+  if (!match?.[1]) return null;
+  return { vmId: match[1], socketPath };
+}
+function parseMitmproxyCmdline(cmdline) {
+  if (!cmdline.includes("mitmproxy") && !cmdline.includes("mitmdump")) {
+    return null;
+  }
+  const args = cmdline.split("\0");
+  const portIdx = args.findIndex((a) => a === "-p" || a === "--listen-port");
+  const portArg = args[portIdx + 1];
+  const port = portIdx !== -1 && portArg ? parseInt(portArg, 10) : void 0;
+  return { port };
+}
+function findFirecrackerProcesses() {
+  const processes = [];
+  const procDir = "/proc";
+  let entries;
+  try {
+    entries = readdirSync(procDir);
+  } catch {
+    return [];
+  }
+  for (const entry of entries) {
+    if (!/^\d+$/.test(entry)) continue;
+    const pid = parseInt(entry, 10);
+    const cmdlinePath = path6.join(procDir, entry, "cmdline");
+    if (!existsSync2(cmdlinePath)) continue;
+    try {
+      const cmdline = readFileSync2(cmdlinePath, "utf-8");
+      const parsed = parseFirecrackerCmdline(cmdline);
+      if (parsed) {
+        processes.push({ pid, ...parsed });
+      }
+    } catch {
+      continue;
+    }
+  }
+  return processes;
+}
+function findProcessByVmId(vmId) {
+  const processes = findFirecrackerProcesses();
+  return processes.find((p) => p.vmId === vmId) || null;
+}
+function isProcessRunning(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function killProcess(pid, timeoutMs = 5e3) {
+  if (!isProcessRunning(pid)) return true;
+  try {
+    process.kill(pid, "SIGTERM");
+  } catch {
+    return !isProcessRunning(pid);
+  }
+  const startTime = Date.now();
+  while (Date.now() - startTime < timeoutMs) {
+    if (!isProcessRunning(pid)) return true;
+    await new Promise((resolve) => setTimeout(resolve, 100));
+  }
+  if (isProcessRunning(pid)) {
+    try {
+      process.kill(pid, "SIGKILL");
+    } catch {
+    }
+  }
+  return !isProcessRunning(pid);
+}
+function findMitmproxyProcess() {
+  const procDir = "/proc";
+  let entries;
+  try {
+    entries = readdirSync(procDir);
+  } catch {
+    return null;
+  }
+  for (const entry of entries) {
+    if (!/^\d+$/.test(entry)) continue;
+    const pid = parseInt(entry, 10);
+    const cmdlinePath = path6.join(procDir, entry, "cmdline");
+    if (!existsSync2(cmdlinePath)) continue;
+    try {
+      const cmdline = readFileSync2(cmdlinePath, "utf-8");
+      const parsed = parseMitmproxyCmdline(cmdline);
+      if (parsed) {
+        return { pid, port: parsed.port };
+      }
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
+
+// src/commands/doctor.ts
+var doctorCommand = new Command2("doctor").description("Diagnose runner health, check network, and detect issues").option("--config <path>", "Config file path", "./runner.yaml").action(async (options) => {
   try {
     const config = loadConfig(options.config);
-    console.log(`Checking connectivity to ${config.server.url}...`);
-    console.log(`Runner group: ${config.group}`);
-    await pollForJob(config.server, config.group);
+    const configDir = dirname2(options.config);
+    const statusFilePath = join3(configDir, "status.json");
+    const workspacesDir = join3(configDir, "workspaces");
+    console.log(`Runner: ${config.name}`);
+    let status = null;
+    if (existsSync3(statusFilePath)) {
+      try {
+        status = JSON.parse(
+          readFileSync3(statusFilePath, "utf-8")
+        );
+        console.log(`Mode: ${status.mode}`);
+        if (status.started_at) {
+          const started = new Date(status.started_at);
+          const uptime = formatUptime(Date.now() - started.getTime());
+          console.log(
+            `Started: ${started.toLocaleString()} (uptime: ${uptime})`
+          );
+        }
+      } catch {
+        console.log("Mode: unknown (status.json unreadable)");
+      }
+    } else {
+      console.log("Mode: unknown (no status.json)");
+    }
     console.log("");
-    console.log("\u2713 Runner can connect to API");
-    console.log(`  API: ${config.server.url}`);
-    console.log(`  Group: ${config.group}`);
-    console.log(`  Auth: OK`);
-    process.exit(0);
+    console.log("API Connectivity:");
+    try {
+      await pollForJob(config.server, config.group);
+      console.log(`  \u2713 Connected to ${config.server.url}`);
+      console.log("  \u2713 Authentication: OK");
+    } catch (error) {
+      console.log(`  \u2717 Cannot connect to ${config.server.url}`);
+      console.log(
+        `    Error: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+    console.log("");
+    console.log("Network:");
+    const warnings = [];
+    const bridgeStatus = await checkBridgeStatus();
+    if (bridgeStatus.exists) {
+      console.log(`  \u2713 Bridge ${BRIDGE_NAME2} (${bridgeStatus.ip})`);
+    } else {
+      console.log(`  \u2717 Bridge ${BRIDGE_NAME2} not found`);
+      warnings.push({
+        message: `Network bridge ${BRIDGE_NAME2} does not exist`
+      });
+    }
+    const proxyPort = config.proxy.port;
+    const mitmProc = findMitmproxyProcess();
+    const portInUse = await isPortInUse(proxyPort);
+    if (mitmProc) {
+      console.log(
+        `  \u2713 Proxy mitmproxy (PID ${mitmProc.pid}) on :${proxyPort}`
+      );
+    } else if (portInUse) {
+      console.log(
+        `  \u26A0\uFE0F Proxy port :${proxyPort} in use but mitmproxy process not found`
+      );
+      warnings.push({
+        message: `Port ${proxyPort} is in use but mitmproxy process not detected`
+      });
+    } else {
+      console.log(`  \u2717 Proxy mitmproxy not running`);
+      warnings.push({ message: "Proxy mitmproxy is not running" });
+    }
+    console.log("");
+    const processes = findFirecrackerProcesses();
+    const tapDevices = await listTapDevices();
+    const workspaces = existsSync3(workspacesDir) ? readdirSync2(workspacesDir).filter((d) => d.startsWith("vm0-")) : [];
+    const jobs = [];
+    const statusVmIds = /* @__PURE__ */ new Set();
+    const allocations = getAllocations();
+    if (status?.active_job_ids) {
+      for (const runId of status.active_job_ids) {
+        const vmId = runId.split("-")[0];
+        if (!vmId) continue;
+        statusVmIds.add(vmId);
+        const proc = processes.find((p) => p.vmId === vmId);
+        const ip = getIPForVm(vmId) ?? "not allocated";
+        jobs.push({
+          runId,
+          vmId,
+          ip,
+          hasProcess: !!proc,
+          pid: proc?.pid
+        });
+      }
+    }
+    const ipToVmIds = /* @__PURE__ */ new Map();
+    for (const [ip, allocation] of allocations) {
+      const existing = ipToVmIds.get(ip) ?? [];
+      existing.push(allocation.vmId);
+      ipToVmIds.set(ip, existing);
+    }
+    const maxConcurrent = config.sandbox.max_concurrent;
+    console.log(`Jobs (${jobs.length} active, max ${maxConcurrent}):`);
+    if (jobs.length === 0) {
+      console.log("  No active jobs");
+    } else {
+      console.log("  ID              VM ID       IP              Status");
+      for (const job of jobs) {
+        const shortId = job.runId.substring(0, 12) + "...";
+        const ipConflict = (ipToVmIds.get(job.ip)?.length ?? 0) > 1;
+        let statusText;
+        if (ipConflict) {
+          statusText = "\u26A0\uFE0F IP conflict!";
+        } else if (job.hasProcess) {
+          statusText = `\u2713 Running (PID ${job.pid})`;
+        } else {
+          statusText = "\u26A0\uFE0F No process";
+        }
+        console.log(
+          `  ${shortId}  ${job.vmId}    ${job.ip.padEnd(15)} ${statusText}`
+        );
+      }
+    }
+    console.log("");
+    for (const job of jobs) {
+      if (!job.hasProcess) {
+        warnings.push({
+          message: `Job ${job.vmId} in status.json but no Firecracker process running`
+        });
+      }
+    }
+    for (const [ip, vmIds] of ipToVmIds) {
+      if (vmIds.length > 1) {
+        warnings.push({
+          message: `IP conflict: ${ip} assigned to ${vmIds.join(", ")}`
+        });
+      }
+    }
+    const processVmIds = new Set(processes.map((p) => p.vmId));
+    for (const proc of processes) {
+      if (!statusVmIds.has(proc.vmId)) {
+        warnings.push({
+          message: `Orphan process: PID ${proc.pid} (vmId ${proc.vmId}) not in status.json`
+        });
+      }
+    }
+    for (const tap of tapDevices) {
+      const vmId = tap.replace("tap", "");
+      if (!processVmIds.has(vmId) && !statusVmIds.has(vmId)) {
+        warnings.push({
+          message: `Orphan TAP device: ${tap} (no matching job or process)`
+        });
+      }
+    }
+    for (const ws of workspaces) {
+      const vmId = ws.replace("vm0-", "");
+      if (!processVmIds.has(vmId) && !statusVmIds.has(vmId)) {
+        warnings.push({
+          message: `Orphan workspace: ${ws} (no matching job or process)`
+        });
+      }
+    }
+    const activeVmIps = new Set(jobs.map((j) => j.ip));
+    const iptablesRules = await listIptablesNatRules();
+    const orphanedIptables = await findOrphanedIptablesRules(
+      iptablesRules,
+      activeVmIps,
+      proxyPort
+    );
+    for (const rule of orphanedIptables) {
+      warnings.push({
+        message: `Orphan iptables rule: redirect ${rule.sourceIp}:${rule.destPort} -> :${rule.redirectPort}`
+      });
+    }
+    console.log("Warnings:");
+    if (warnings.length === 0) {
+      console.log("  None");
+    } else {
+      for (const w of warnings) {
+        console.log(`  - ${w.message}`);
+      }
+    }
+    process.exit(warnings.length > 0 ? 1 : 0);
   } catch (error) {
-    console.error("");
-    console.error("\u2717 Runner cannot connect to API");
     console.error(
-      `  Error: ${error instanceof Error ? error.message : "Unknown error"}`
+      `Error: ${error instanceof Error ? error.message : "Unknown error"}`
     );
     process.exit(1);
   }
 });
+function formatUptime(ms) {
+  const seconds = Math.floor(ms / 1e3);
+  const minutes = Math.floor(seconds / 60);
+  const hours = Math.floor(minutes / 60);
+  const days = Math.floor(hours / 24);
+  if (days > 0) return `${days}d ${hours % 24}h`;
+  if (hours > 0) return `${hours}h ${minutes % 60}m`;
+  if (minutes > 0) return `${minutes}m`;
+  return `${seconds}s`;
+}
 
-// src/commands/benchmark.ts
+// src/commands/kill.ts
 import { Command as Command3 } from "commander";
+import { existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync3, rmSync } from "fs";
+import { dirname as dirname3, join as join4 } from "path";
+import * as readline2 from "readline";
+var killCommand = new Command3("kill").description("Force terminate a job and clean up all resources").argument("<job-id>", "Job ID (full runId UUID or short 8-char vmId)").option("--config <path>", "Config file path", "./runner.yaml").option("--force", "Skip confirmation prompt").action(
+  async (jobId, options) => {
+    try {
+      loadConfig(options.config);
+      const configDir = dirname3(options.config);
+      const statusFilePath = join4(configDir, "status.json");
+      const workspacesDir = join4(configDir, "workspaces");
+      const { vmId, runId } = resolveJobId(jobId, statusFilePath);
+      console.log(`Killing job ${vmId}...`);
+      const proc = findProcessByVmId(vmId);
+      const tapDevice = `tap${vmId}`;
+      const workspaceDir = join4(workspacesDir, `vm0-${vmId}`);
+      console.log("");
+      console.log("Resources to clean up:");
+      if (proc) {
+        console.log(`  - Firecracker process (PID ${proc.pid})`);
+      } else {
+        console.log("  - Firecracker process: not found");
+      }
+      console.log(`  - TAP device: ${tapDevice}`);
+      console.log(`  - Workspace: ${workspaceDir}`);
+      if (runId) {
+        console.log(`  - status.json entry: ${runId.substring(0, 12)}...`);
+      }
+      console.log("");
+      if (!options.force) {
+        const confirmed = await confirm("Proceed with cleanup?");
+        if (!confirmed) {
+          console.log("Aborted.");
+          process.exit(0);
+        }
+      }
+      const results = [];
+      if (proc) {
+        const killed = await killProcess(proc.pid);
+        results.push({
+          step: "Firecracker process",
+          success: killed,
+          message: killed ? `PID ${proc.pid} terminated` : `Failed to kill PID ${proc.pid}`
+        });
+      } else {
+        results.push({
+          step: "Firecracker process",
+          success: true,
+          message: "Not running"
+        });
+      }
+      try {
+        await deleteTapDevice(tapDevice);
+        results.push({
+          step: "TAP device",
+          success: true,
+          message: `${tapDevice} deleted`
+        });
+      } catch (error) {
+        results.push({
+          step: "TAP device",
+          success: false,
+          message: error instanceof Error ? error.message : "Unknown error"
+        });
+      }
+      if (existsSync4(workspaceDir)) {
+        try {
+          rmSync(workspaceDir, { recursive: true, force: true });
+          results.push({
+            step: "Workspace",
+            success: true,
+            message: `${workspaceDir} removed`
+          });
+        } catch (error) {
+          results.push({
+            step: "Workspace",
+            success: false,
+            message: error instanceof Error ? error.message : "Unknown error"
+          });
+        }
+      } else {
+        results.push({
+          step: "Workspace",
+          success: true,
+          message: "Not found (already cleaned)"
+        });
+      }
+      if (runId && existsSync4(statusFilePath)) {
+        try {
+          const status = JSON.parse(
+            readFileSync4(statusFilePath, "utf-8")
+          );
+          const oldCount = status.active_jobs;
+          status.active_job_ids = status.active_job_ids.filter(
+            (id) => id !== runId
+          );
+          status.active_jobs = status.active_job_ids.length;
+          status.updated_at = (/* @__PURE__ */ new Date()).toISOString();
+          writeFileSync3(statusFilePath, JSON.stringify(status, null, 2));
+          results.push({
+            step: "status.json",
+            success: true,
+            message: `Updated (active_jobs: ${oldCount} -> ${status.active_jobs})`
+          });
+        } catch (error) {
+          results.push({
+            step: "status.json",
+            success: false,
+            message: error instanceof Error ? error.message : "Unknown error"
+          });
+        }
+      } else {
+        results.push({
+          step: "status.json",
+          success: true,
+          message: "No update needed"
+        });
+      }
+      console.log("");
+      let allSuccess = true;
+      for (const r of results) {
+        const icon = r.success ? "\u2713" : "\u2717";
+        console.log(`  ${icon} ${r.step}: ${r.message}`);
+        if (!r.success) allSuccess = false;
+      }
+      console.log("");
+      if (allSuccess) {
+        console.log(`Job ${vmId} killed successfully.`);
+        process.exit(0);
+      } else {
+        console.log(`Job ${vmId} cleanup completed with errors.`);
+        process.exit(1);
+      }
+    } catch (error) {
+      console.error(
+        `Error: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+      process.exit(1);
+    }
+  }
+);
+function resolveJobId(input, statusFilePath) {
+  if (input.includes("-")) {
+    const vmId = input.split("-")[0];
+    return { vmId: vmId ?? input, runId: input };
+  }
+  if (existsSync4(statusFilePath)) {
+    try {
+      const status = JSON.parse(
+        readFileSync4(statusFilePath, "utf-8")
+      );
+      const match = status.active_job_ids.find((id) => id.startsWith(input));
+      if (match) {
+        return { vmId: input, runId: match };
+      }
+    } catch {
+    }
+  }
+  return { vmId: input, runId: null };
+}
+async function confirm(message) {
+  const rl = readline2.createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  return new Promise((resolve) => {
+    rl.question(`${message} [y/N] `, (answer) => {
+      rl.close();
+      resolve(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+    });
+  });
+}
+
+// src/commands/benchmark.ts
+import { Command as Command4 } from "commander";
 import crypto from "crypto";
 
 // src/lib/timing.ts
@@ -8909,7 +9861,7 @@ function createBenchmarkContext(prompt, options) {
     cliAgentType: options.agentType
   };
 }
-var benchmarkCommand = new Command3("benchmark").description(
+var benchmarkCommand = new Command4("benchmark").description(
   "Run a VM performance benchmark (executes bash command directly)"
 ).argument("<prompt>", "The bash command to execute in the VM").option("--config <path>", "Config file path", "./runner.yaml").option("--working-dir <path>", "Working directory in VM", "/home/user").option("--agent-type <type>", "Agent type", "claude-code").action(async (prompt, options) => {
   const timer = new Timer();
@@ -8949,10 +9901,11 @@ var benchmarkCommand = new Command3("benchmark").description(
 });
 
 // src/index.ts
-var version = true ? "2.11.1" : "0.1.0";
+var version = true ? "2.13.0" : "0.1.0";
 program.name("vm0-runner").version(version).description("Self-hosted runner for VM0 agents");
 program.addCommand(startCommand);
-program.addCommand(statusCommand);
+program.addCommand(doctorCommand);
+program.addCommand(killCommand);
 program.addCommand(benchmarkCommand);
 program.parse();
 //# sourceMappingURL=index.js.map