@vm0/runner 2.3.2 → 2.4.0

package/index.js

@@ -4816,25 +4816,143 @@ var apiErrorSchema = z3.object({
 });
 
 // ../../packages/core/src/contracts/composes.ts
+import { z as z5 } from "zod";
+
+// ../../packages/core/src/contracts/runners.ts
 import { z as z4 } from "zod";
 var c = initContract();
-var composeVersionQuerySchema = z4.preprocess(
+var firewallRuleSchema = z4.object({
+  domain: z4.string().optional(),
+  ip: z4.string().optional(),
+  /** Terminal rule - value is the action (ALLOW or DENY) */
+  final: z4.enum(["ALLOW", "DENY"]).optional(),
+  /** Action for domain/ip rules */
+  action: z4.enum(["ALLOW", "DENY"]).optional()
+});
+var experimentalFirewallSchema = z4.object({
+  enabled: z4.boolean(),
+  rules: z4.array(firewallRuleSchema).optional(),
+  experimental_mitm: z4.boolean().optional(),
+  experimental_seal_secrets: z4.boolean().optional()
+});
+var runnerGroupSchema = z4.string().regex(
+  /^[a-z0-9-]+\/[a-z0-9-]+$/,
+  "Runner group must be in scope/name format (e.g., acme/production)"
+);
+var jobSchema = z4.object({
+  runId: z4.string().uuid(),
+  prompt: z4.string(),
+  agentComposeVersionId: z4.string(),
+  vars: z4.record(z4.string(), z4.string()).nullable(),
+  secretNames: z4.array(z4.string()).nullable(),
+  checkpointId: z4.string().uuid().nullable()
+});
+var runnersPollContract = c.router({
+  poll: {
+    method: "POST",
+    path: "/api/runners/poll",
+    body: z4.object({
+      group: runnerGroupSchema
+    }),
+    responses: {
+      200: z4.object({
+        job: jobSchema.nullable()
+      }),
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      500: apiErrorSchema
+    },
+    summary: "Poll for pending jobs (long-polling with 30s timeout)"
+  }
+});
+var storageEntrySchema = z4.object({
+  mountPath: z4.string(),
+  archiveUrl: z4.string().nullable()
+});
+var artifactEntrySchema = z4.object({
+  mountPath: z4.string(),
+  archiveUrl: z4.string().nullable(),
+  vasStorageName: z4.string(),
+  vasVersionId: z4.string()
+});
+var storageManifestSchema = z4.object({
+  storages: z4.array(storageEntrySchema),
+  artifact: artifactEntrySchema.nullable()
+});
+var resumeSessionSchema = z4.object({
+  sessionId: z4.string(),
+  sessionHistory: z4.string()
+});
+var storedExecutionContextSchema = z4.object({
+  workingDir: z4.string(),
+  storageManifest: storageManifestSchema.nullable(),
+  environment: z4.record(z4.string(), z4.string()).nullable(),
+  resumeSession: resumeSessionSchema.nullable(),
+  encryptedSecrets: z4.string().nullable(),
+  // AES-256-GCM encrypted secrets
+  cliAgentType: z4.string(),
+  experimentalFirewall: experimentalFirewallSchema.optional()
+});
+var executionContextSchema = z4.object({
+  runId: z4.string().uuid(),
+  prompt: z4.string(),
+  agentComposeVersionId: z4.string(),
+  vars: z4.record(z4.string(), z4.string()).nullable(),
+  secretNames: z4.array(z4.string()).nullable(),
+  checkpointId: z4.string().uuid().nullable(),
+  sandboxToken: z4.string(),
+  // New fields for E2B parity:
+  workingDir: z4.string(),
+  storageManifest: storageManifestSchema.nullable(),
+  environment: z4.record(z4.string(), z4.string()).nullable(),
+  resumeSession: resumeSessionSchema.nullable(),
+  secretValues: z4.array(z4.string()).nullable(),
+  cliAgentType: z4.string(),
+  // Experimental firewall configuration
+  experimentalFirewall: experimentalFirewallSchema.optional()
+});
+var runnersJobClaimContract = c.router({
+  claim: {
+    method: "POST",
+    path: "/api/runners/jobs/:id/claim",
+    pathParams: z4.object({
+      id: z4.string().uuid()
+    }),
+    body: z4.object({}),
+    responses: {
+      200: executionContextSchema,
+      400: apiErrorSchema,
+      401: apiErrorSchema,
+      403: apiErrorSchema,
+      // Job does not belong to user
+      404: apiErrorSchema,
+      409: apiErrorSchema,
+      // Already claimed
+      500: apiErrorSchema
+    },
+    summary: "Claim a pending job for execution"
+  }
+});
+
+// ../../packages/core/src/contracts/composes.ts
+var c2 = initContract();
+var composeVersionQuerySchema = z5.preprocess(
   (val) => val === void 0 || val === null ? void 0 : String(val),
-  z4.string().min(1, "Missing version query parameter").regex(
+  z5.string().min(1, "Missing version query parameter").regex(
     /^[a-f0-9]{8,64}$|^latest$/i,
     "Version must be 8-64 hex characters or 'latest'"
   )
 );
-var agentNameSchema = z4.string().min(3, "Agent name must be at least 3 characters").max(64, "Agent name must be 64 characters or less").regex(
+var agentNameSchema = z5.string().min(3, "Agent name must be at least 3 characters").max(64, "Agent name must be 64 characters or less").regex(
   /^[a-zA-Z0-9][a-zA-Z0-9-]{1,62}[a-zA-Z0-9]$/,
   "Agent name must start and end with letter or number, and contain only letters, numbers, and hyphens"
 );
-var volumeConfigSchema = z4.object({
-  name: z4.string().min(1, "Volume name is required"),
-  version: z4.string().min(1, "Volume version is required")
+var volumeConfigSchema = z5.object({
+  name: z5.string().min(1, "Volume name is required"),
+  version: z5.string().min(1, "Volume version is required")
 });
 var SUPPORTED_APPS = ["github"];
-var appStringSchema = z4.string().regex(
+var appStringSchema = z5.string().regex(
   /^[a-z]+(:(?:latest|dev))?$/,
   "App must be in format 'app' or 'app:tag' (e.g., 'github', 'github:dev')"
 ).refine(
@@ -4844,74 +4962,80 @@ var appStringSchema = z4.string().regex(
   },
   `Unsupported app. Supported apps: ${SUPPORTED_APPS.join(", ")}`
 );
-var agentDefinitionSchema = z4.object({
-  description: z4.string().optional(),
+var agentDefinitionSchema = z5.object({
+  description: z5.string().optional(),
   /**
    * @deprecated Use `apps` field instead for pre-installed tools.
    * This field will be removed in a future version.
    */
-  image: z4.string().optional(),
-  provider: z4.string().min(1, "Provider is required"),
+  image: z5.string().optional(),
+  provider: z5.string().min(1, "Provider is required"),
   /**
    * Array of pre-installed apps/tools for the agent environment.
    * Format: "app" or "app:tag" (e.g., "github", "github:dev", "github:latest")
    * Default tag is "latest" if not specified.
    * Currently supported apps: "github" (includes GitHub CLI)
    */
-  apps: z4.array(appStringSchema).optional(),
-  volumes: z4.array(z4.string()).optional(),
-  working_dir: z4.string().optional(),
+  apps: z5.array(appStringSchema).optional(),
+  volumes: z5.array(z5.string()).optional(),
+  working_dir: z5.string().optional(),
   // Optional when provider supports auto-config
-  environment: z4.record(z4.string(), z4.string()).optional(),
+  environment: z5.record(z5.string(), z5.string()).optional(),
   /**
    * Enable network security mode for secrets.
    * When true, secrets are encrypted into proxy tokens and all traffic
    * is routed through mitmproxy -> VM0 Proxy for decryption.
    * Default: false (plaintext secrets in env vars)
    */
-  experimental_network_security: z4.boolean().optional().default(false),
+  experimental_network_security: z5.boolean().optional().default(false),
   /**
    * Path to instructions file (e.g., AGENTS.md).
    * Auto-uploaded as volume and mounted at /home/user/.claude/CLAUDE.md
    */
-  instructions: z4.string().optional(),
+  instructions: z5.string().optional(),
   /**
    * Array of GitHub tree URLs for agent skills.
    * Each skill is auto-downloaded and mounted at /home/user/.claude/skills/{skillName}/
    */
-  skills: z4.array(z4.string()).optional(),
+  skills: z5.array(z5.string()).optional(),
   /**
    * Route this agent to a self-hosted runner instead of E2B.
    * When specified, runs will be queued for the specified runner group.
    */
-  experimental_runner: z4.object({
-    group: z4.string().regex(
+  experimental_runner: z5.object({
+    group: z5.string().regex(
       /^[a-z0-9-]+\/[a-z0-9-]+$/,
       "Runner group must be in scope/name format (e.g., acme/production)"
     )
-  }).optional()
+  }).optional(),
+  /**
+   * Experimental firewall configuration for network egress control.
+   * Requires experimental_runner to be configured.
+   * When enabled, filters outbound traffic by domain/IP rules.
+   */
+  experimental_firewall: experimentalFirewallSchema.optional()
 });
-var agentComposeContentSchema = z4.object({
-  version: z4.string().min(1, "Version is required"),
-  agents: z4.record(z4.string(), agentDefinitionSchema),
-  volumes: z4.record(z4.string(), volumeConfigSchema).optional()
+var agentComposeContentSchema = z5.object({
+  version: z5.string().min(1, "Version is required"),
+  agents: z5.record(z5.string(), agentDefinitionSchema),
+  volumes: z5.record(z5.string(), volumeConfigSchema).optional()
 });
-var composeResponseSchema = z4.object({
-  id: z4.string(),
-  name: z4.string(),
-  headVersionId: z4.string().nullable(),
+var composeResponseSchema = z5.object({
+  id: z5.string(),
+  name: z5.string(),
+  headVersionId: z5.string().nullable(),
   content: agentComposeContentSchema.nullable(),
-  createdAt: z4.string(),
-  updatedAt: z4.string()
+  createdAt: z5.string(),
+  updatedAt: z5.string()
 });
-var createComposeResponseSchema = z4.object({
-  composeId: z4.string(),
-  name: z4.string(),
-  versionId: z4.string(),
-  action: z4.enum(["created", "existing"]),
-  updatedAt: z4.string()
+var createComposeResponseSchema = z5.object({
+  composeId: z5.string(),
+  name: z5.string(),
+  versionId: z5.string(),
+  action: z5.enum(["created", "existing"]),
+  updatedAt: z5.string()
 });
-var composesMainContract = c.router({
+var composesMainContract = c2.router({
   /**
    * GET /api/agent/composes?name={name}&scope={scope}
    * Get agent compose by name with HEAD version content
@@ -4920,9 +5044,9 @@ var composesMainContract = c.router({
   getByName: {
     method: "GET",
     path: "/api/agent/composes",
-    query: z4.object({
-      name: z4.string().min(1, "Missing name query parameter"),
-      scope: z4.string().optional()
+    query: z5.object({
+      name: z5.string().min(1, "Missing name query parameter"),
+      scope: z5.string().optional()
     }),
     responses: {
       200: composeResponseSchema,
@@ -4941,7 +5065,7 @@ var composesMainContract = c.router({
   create: {
     method: "POST",
     path: "/api/agent/composes",
-    body: z4.object({
+    body: z5.object({
       content: agentComposeContentSchema
     }),
     responses: {
@@ -4953,7 +5077,7 @@ var composesMainContract = c.router({
     summary: "Create or update agent compose version"
   }
 });
-var composesByIdContract = c.router({
+var composesByIdContract = c2.router({
   /**
    * GET /api/agent/composes/:id
    * Get agent compose by ID with HEAD version content
@@ -4961,8 +5085,8 @@ var composesByIdContract = c.router({
   getById: {
     method: "GET",
     path: "/api/agent/composes/:id",
-    pathParams: z4.object({
-      id: z4.string().min(1, "Compose ID is required")
+    pathParams: z5.object({
+      id: z5.string().min(1, "Compose ID is required")
     }),
     responses: {
       200: composeResponseSchema,
@@ -4972,7 +5096,7 @@ var composesByIdContract = c.router({
     summary: "Get agent compose by ID"
   }
 });
-var composesVersionsContract = c.router({
+var composesVersionsContract = c2.router({
   /**
    * GET /api/agent/composes/versions?composeId={id}&version={hash|tag}
    * Resolve a version specifier to a full version ID
@@ -4980,14 +5104,14 @@ var composesVersionsContract = c.router({
   resolveVersion: {
     method: "GET",
     path: "/api/agent/composes/versions",
-    query: z4.object({
-      composeId: z4.string().min(1, "Missing composeId query parameter"),
+    query: z5.object({
+      composeId: z5.string().min(1, "Missing composeId query parameter"),
       version: composeVersionQuerySchema
     }),
     responses: {
-      200: z4.object({
-        versionId: z4.string(),
-        tag: z4.string().optional()
+      200: z5.object({
+        versionId: z5.string(),
+        tag: z5.string().optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -4996,12 +5120,12 @@ var composesVersionsContract = c.router({
     summary: "Resolve version specifier to full version ID"
   }
 });
-var composeListItemSchema = z4.object({
-  name: z4.string(),
-  headVersionId: z4.string().nullable(),
-  updatedAt: z4.string()
+var composeListItemSchema = z5.object({
+  name: z5.string(),
+  headVersionId: z5.string().nullable(),
+  updatedAt: z5.string()
 });
-var composesListContract = c.router({
+var composesListContract = c2.router({
   /**
    * GET /api/agent/composes/list?scope={scope}
    * List all agent composes for a scope
@@ -5010,12 +5134,12 @@ var composesListContract = c.router({
   list: {
     method: "GET",
     path: "/api/agent/composes/list",
-    query: z4.object({
-      scope: z4.string().optional()
+    query: z5.object({
+      scope: z5.string().optional()
     }),
     responses: {
-      200: z4.object({
-        composes: z4.array(composeListItemSchema)
+      200: z5.object({
+        composes: z5.array(composeListItemSchema)
       }),
       400: apiErrorSchema,
       401: apiErrorSchema
@@ -5025,83 +5149,83 @@ var composesListContract = c.router({
 });
 
 // ../../packages/core/src/contracts/runs.ts
-import { z as z5 } from "zod";
-var c2 = initContract();
-var runStatusSchema = z5.enum([
+import { z as z6 } from "zod";
+var c3 = initContract();
+var runStatusSchema = z6.enum([
   "pending",
   "running",
   "completed",
   "failed",
   "timeout"
 ]);
-var unifiedRunRequestSchema = z5.object({
+var unifiedRunRequestSchema = z6.object({
   // High-level shortcuts (mutually exclusive with each other)
-  checkpointId: z5.string().optional(),
-  sessionId: z5.string().optional(),
+  checkpointId: z6.string().optional(),
+  sessionId: z6.string().optional(),
   // Base parameters (can be used directly or overridden after shortcut expansion)
-  agentComposeId: z5.string().optional(),
-  agentComposeVersionId: z5.string().optional(),
-  conversationId: z5.string().optional(),
-  artifactName: z5.string().optional(),
-  artifactVersion: z5.string().optional(),
-  vars: z5.record(z5.string(), z5.string()).optional(),
-  secrets: z5.record(z5.string(), z5.string()).optional(),
-  volumeVersions: z5.record(z5.string(), z5.string()).optional(),
+  agentComposeId: z6.string().optional(),
+  agentComposeVersionId: z6.string().optional(),
+  conversationId: z6.string().optional(),
+  artifactName: z6.string().optional(),
+  artifactVersion: z6.string().optional(),
+  vars: z6.record(z6.string(), z6.string()).optional(),
+  secrets: z6.record(z6.string(), z6.string()).optional(),
+  volumeVersions: z6.record(z6.string(), z6.string()).optional(),
   // Required
-  prompt: z5.string().min(1, "Missing prompt")
+  prompt: z6.string().min(1, "Missing prompt")
 });
-var createRunResponseSchema = z5.object({
-  runId: z5.string(),
+var createRunResponseSchema = z6.object({
+  runId: z6.string(),
   status: runStatusSchema,
-  sandboxId: z5.string().optional(),
-  output: z5.string().optional(),
-  error: z5.string().optional(),
-  executionTimeMs: z5.number().optional(),
-  createdAt: z5.string()
-});
-var getRunResponseSchema = z5.object({
-  runId: z5.string(),
-  agentComposeVersionId: z5.string(),
+  sandboxId: z6.string().optional(),
+  output: z6.string().optional(),
+  error: z6.string().optional(),
+  executionTimeMs: z6.number().optional(),
+  createdAt: z6.string()
+});
+var getRunResponseSchema = z6.object({
+  runId: z6.string(),
+  agentComposeVersionId: z6.string(),
   status: runStatusSchema,
-  prompt: z5.string(),
-  vars: z5.record(z5.string(), z5.string()).optional(),
-  sandboxId: z5.string().optional(),
-  result: z5.object({
-    output: z5.string(),
-    executionTimeMs: z5.number()
+  prompt: z6.string(),
+  vars: z6.record(z6.string(), z6.string()).optional(),
+  sandboxId: z6.string().optional(),
+  result: z6.object({
+    output: z6.string(),
+    executionTimeMs: z6.number()
   }).optional(),
-  error: z5.string().optional(),
-  createdAt: z5.string(),
-  startedAt: z5.string().optional(),
-  completedAt: z5.string().optional()
-});
-var runEventSchema = z5.object({
-  sequenceNumber: z5.number(),
-  eventType: z5.string(),
-  eventData: z5.unknown(),
-  createdAt: z5.string()
-});
-var runResultSchema = z5.object({
-  checkpointId: z5.string(),
-  agentSessionId: z5.string(),
-  conversationId: z5.string(),
-  artifact: z5.record(z5.string(), z5.string()).optional(),
+  error: z6.string().optional(),
+  createdAt: z6.string(),
+  startedAt: z6.string().optional(),
+  completedAt: z6.string().optional()
+});
+var runEventSchema = z6.object({
+  sequenceNumber: z6.number(),
+  eventType: z6.string(),
+  eventData: z6.unknown(),
+  createdAt: z6.string()
+});
+var runResultSchema = z6.object({
+  checkpointId: z6.string(),
+  agentSessionId: z6.string(),
+  conversationId: z6.string(),
+  artifact: z6.record(z6.string(), z6.string()).optional(),
   // optional when run has no artifact
-  volumes: z5.record(z5.string(), z5.string()).optional()
+  volumes: z6.record(z6.string(), z6.string()).optional()
 });
-var runStateSchema = z5.object({
+var runStateSchema = z6.object({
   status: runStatusSchema,
   result: runResultSchema.optional(),
-  error: z5.string().optional()
+  error: z6.string().optional()
 });
-var eventsResponseSchema = z5.object({
-  events: z5.array(runEventSchema),
-  hasMore: z5.boolean(),
-  nextSequence: z5.number(),
+var eventsResponseSchema = z6.object({
+  events: z6.array(runEventSchema),
+  hasMore: z6.boolean(),
+  nextSequence: z6.number(),
   run: runStateSchema,
-  provider: z5.string()
+  provider: z6.string()
 });
-var runsMainContract = c2.router({
+var runsMainContract = c3.router({
   /**
    * POST /api/agent/runs
    * Create and execute a new agent run
@@ -5119,7 +5243,7 @@ var runsMainContract = c2.router({
     summary: "Create and execute agent run"
   }
 });
-var runsByIdContract = c2.router({
+var runsByIdContract = c3.router({
   /**
    * GET /api/agent/runs/:id
    * Get agent run status and results
@@ -5127,8 +5251,8 @@ var runsByIdContract = c2.router({
   getById: {
     method: "GET",
     path: "/api/agent/runs/:id",
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
     responses: {
       200: getRunResponseSchema,
@@ -5139,7 +5263,7 @@ var runsByIdContract = c2.router({
     summary: "Get agent run by ID"
   }
 });
-var runEventsContract = c2.router({
+var runEventsContract = c3.router({
   /**
    * GET /api/agent/runs/:id/events
    * Poll for agent run events with pagination
@@ -5147,12 +5271,12 @@ var runEventsContract = c2.router({
   getEvents: {
     method: "GET",
     path: "/api/agent/runs/:id/events",
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
-    query: z5.object({
-      since: z5.coerce.number().default(0),
-      limit: z5.coerce.number().default(100)
+    query: z6.object({
+      since: z6.coerce.number().default(0),
+      limit: z6.coerce.number().default(100)
     }),
     responses: {
       200: eventsResponseSchema,
@@ -5162,45 +5286,45 @@ var runEventsContract = c2.router({
     summary: "Get agent run events"
   }
 });
-var telemetryMetricSchema = z5.object({
-  ts: z5.string(),
-  cpu: z5.number(),
-  mem_used: z5.number(),
-  mem_total: z5.number(),
-  disk_used: z5.number(),
-  disk_total: z5.number()
-});
-var systemLogResponseSchema = z5.object({
-  systemLog: z5.string(),
-  hasMore: z5.boolean()
-});
-var metricsResponseSchema = z5.object({
-  metrics: z5.array(telemetryMetricSchema),
-  hasMore: z5.boolean()
-});
-var agentEventsResponseSchema = z5.object({
-  events: z5.array(runEventSchema),
-  hasMore: z5.boolean(),
-  provider: z5.string()
-});
-var networkLogEntrySchema = z5.object({
-  timestamp: z5.string(),
-  method: z5.string(),
-  url: z5.string(),
-  status: z5.number(),
-  latency_ms: z5.number(),
-  request_size: z5.number(),
-  response_size: z5.number()
-});
-var networkLogsResponseSchema = z5.object({
-  networkLogs: z5.array(networkLogEntrySchema),
-  hasMore: z5.boolean()
-});
-var telemetryResponseSchema = z5.object({
-  systemLog: z5.string(),
-  metrics: z5.array(telemetryMetricSchema)
-});
-var runTelemetryContract = c2.router({
+var telemetryMetricSchema = z6.object({
+  ts: z6.string(),
+  cpu: z6.number(),
+  mem_used: z6.number(),
+  mem_total: z6.number(),
+  disk_used: z6.number(),
+  disk_total: z6.number()
+});
+var systemLogResponseSchema = z6.object({
+  systemLog: z6.string(),
+  hasMore: z6.boolean()
+});
+var metricsResponseSchema = z6.object({
+  metrics: z6.array(telemetryMetricSchema),
+  hasMore: z6.boolean()
+});
+var agentEventsResponseSchema = z6.object({
+  events: z6.array(runEventSchema),
+  hasMore: z6.boolean(),
+  provider: z6.string()
+});
+var networkLogEntrySchema = z6.object({
+  timestamp: z6.string(),
+  method: z6.string(),
+  url: z6.string(),
+  status: z6.number(),
+  latency_ms: z6.number(),
+  request_size: z6.number(),
+  response_size: z6.number()
+});
+var networkLogsResponseSchema = z6.object({
+  networkLogs: z6.array(networkLogEntrySchema),
+  hasMore: z6.boolean()
+});
+var telemetryResponseSchema = z6.object({
+  systemLog: z6.string(),
+  metrics: z6.array(telemetryMetricSchema)
+});
+var runTelemetryContract = c3.router({
   /**
    * GET /api/agent/runs/:id/telemetry
    * Get aggregated telemetry data for a run (legacy combined format)
@@ -5208,8 +5332,8 @@ var runTelemetryContract = c2.router({
   getTelemetry: {
     method: "GET",
     path: "/api/agent/runs/:id/telemetry",
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
     responses: {
       200: telemetryResponseSchema,
@@ -5219,7 +5343,7 @@ var runTelemetryContract = c2.router({
     summary: "Get run telemetry data"
   }
 });
-var runSystemLogContract = c2.router({
+var runSystemLogContract = c3.router({
   /**
    * GET /api/agent/runs/:id/telemetry/system-log
    * Get system log with pagination
@@ -5227,13 +5351,13 @@ var runSystemLogContract = c2.router({
   getSystemLog: {
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/system-log",
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
-    query: z5.object({
-      since: z5.coerce.number().optional(),
-      limit: z5.coerce.number().min(1).max(100).default(5),
-      order: z5.enum(["asc", "desc"]).default("desc")
+    query: z6.object({
+      since: z6.coerce.number().optional(),
+      limit: z6.coerce.number().min(1).max(100).default(5),
+      order: z6.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: systemLogResponseSchema,
@@ -5243,7 +5367,7 @@ var runSystemLogContract = c2.router({
     summary: "Get system log with pagination"
   }
 });
-var runMetricsContract = c2.router({
+var runMetricsContract = c3.router({
   /**
    * GET /api/agent/runs/:id/telemetry/metrics
    * Get metrics with pagination
@@ -5251,13 +5375,13 @@ var runMetricsContract = c2.router({
   getMetrics: {
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/metrics",
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
-    query: z5.object({
-      since: z5.coerce.number().optional(),
-      limit: z5.coerce.number().min(1).max(100).default(5),
-      order: z5.enum(["asc", "desc"]).default("desc")
+    query: z6.object({
+      since: z6.coerce.number().optional(),
+      limit: z6.coerce.number().min(1).max(100).default(5),
+      order: z6.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: metricsResponseSchema,
@@ -5267,7 +5391,7 @@ var runMetricsContract = c2.router({
     summary: "Get metrics with pagination"
   }
 });
-var runAgentEventsContract = c2.router({
+var runAgentEventsContract = c3.router({
   /**
    * GET /api/agent/runs/:id/telemetry/agent
    * Get agent events with pagination (for vm0 logs default)
@@ -5275,13 +5399,13 @@ var runAgentEventsContract = c2.router({
   getAgentEvents: {
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/agent",
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
-    query: z5.object({
-      since: z5.coerce.number().optional(),
-      limit: z5.coerce.number().min(1).max(100).default(5),
-      order: z5.enum(["asc", "desc"]).default("desc")
+    query: z6.object({
+      since: z6.coerce.number().optional(),
+      limit: z6.coerce.number().min(1).max(100).default(5),
+      order: z6.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: agentEventsResponseSchema,
@@ -5291,7 +5415,7 @@ var runAgentEventsContract = c2.router({
     summary: "Get agent events with pagination"
   }
 });
-var runNetworkLogsContract = c2.router({
+var runNetworkLogsContract = c3.router({
   /**
    * GET /api/agent/runs/:id/telemetry/network
    * Get network logs with pagination (for vm0 logs --network)
@@ -5299,13 +5423,13 @@ var runNetworkLogsContract = c2.router({
   getNetworkLogs: {
     method: "GET",
     path: "/api/agent/runs/:id/telemetry/network",
-    pathParams: z5.object({
-      id: z5.string().min(1, "Run ID is required")
+    pathParams: z6.object({
+      id: z6.string().min(1, "Run ID is required")
     }),
-    query: z5.object({
-      since: z5.coerce.number().optional(),
-      limit: z5.coerce.number().min(1).max(100).default(5),
-      order: z5.enum(["asc", "desc"]).default("desc")
+    query: z6.object({
+      since: z6.coerce.number().optional(),
+      limit: z6.coerce.number().min(1).max(100).default(5),
+      order: z6.enum(["asc", "desc"]).default("desc")
     }),
     responses: {
       200: networkLogsResponseSchema,
@@ -5317,22 +5441,22 @@ var runNetworkLogsContract = c2.router({
 });
 
 // ../../packages/core/src/contracts/storages.ts
-import { z as z6 } from "zod";
-var c3 = initContract();
-var storageTypeSchema = z6.enum(["volume", "artifact"]);
-var versionQuerySchema = z6.preprocess(
+import { z as z7 } from "zod";
+var c4 = initContract();
+var storageTypeSchema = z7.enum(["volume", "artifact"]);
+var versionQuerySchema = z7.preprocess(
   (val) => val === void 0 || val === null ? void 0 : String(val),
-  z6.string().regex(/^[a-f0-9]{8,64}$/i, "Version must be 8-64 hex characters").optional()
+  z7.string().regex(/^[a-f0-9]{8,64}$/i, "Version must be 8-64 hex characters").optional()
 );
-var uploadStorageResponseSchema = z6.object({
-  name: z6.string(),
-  versionId: z6.string(),
-  size: z6.number(),
-  fileCount: z6.number(),
+var uploadStorageResponseSchema = z7.object({
+  name: z7.string(),
+  versionId: z7.string(),
+  size: z7.number(),
+  fileCount: z7.number(),
   type: storageTypeSchema,
-  deduplicated: z6.boolean()
+  deduplicated: z7.boolean()
 });
-var storagesContract = c3.router({
+var storagesContract = c4.router({
   /**
    * POST /api/storages
    * Upload a storage (tar.gz file)
@@ -5348,7 +5472,7 @@ var storagesContract = c3.router({
     method: "POST",
     path: "/api/storages",
     contentType: "multipart/form-data",
-    body: c3.type(),
+    body: c4.type(),
     responses: {
       200: uploadStorageResponseSchema,
       400: apiErrorSchema,
@@ -5370,15 +5494,15 @@ var storagesContract = c3.router({
   download: {
     method: "GET",
     path: "/api/storages",
-    query: z6.object({
-      name: z6.string().min(1, "Storage name is required"),
+    query: z7.object({
+      name: z7.string().min(1, "Storage name is required"),
       version: versionQuerySchema
     }),
     responses: {
       // Binary response - actual handling done at route level
-      200: c3.otherResponse({
+      200: c4.otherResponse({
         contentType: "application/gzip",
-        body: c3.type()
+        body: c4.type()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -5388,40 +5512,40 @@ var storagesContract = c3.router({
     summary: "Download storage archive"
   }
 });
-var fileEntryWithHashSchema = z6.object({
-  path: z6.string().min(1, "File path is required"),
-  hash: z6.string().length(64, "Hash must be SHA-256 (64 hex chars)"),
-  size: z6.number().int().min(0, "Size must be non-negative")
+var fileEntryWithHashSchema = z7.object({
+  path: z7.string().min(1, "File path is required"),
+  hash: z7.string().length(64, "Hash must be SHA-256 (64 hex chars)"),
+  size: z7.number().int().min(0, "Size must be non-negative")
 });
-var storageChangesSchema = z6.object({
-  added: z6.array(z6.string()),
-  modified: z6.array(z6.string()),
-  deleted: z6.array(z6.string())
+var storageChangesSchema = z7.object({
+  added: z7.array(z7.string()),
+  modified: z7.array(z7.string()),
+  deleted: z7.array(z7.string())
 });
-var presignedUploadSchema = z6.object({
-  key: z6.string(),
-  presignedUrl: z6.string().url()
+var presignedUploadSchema = z7.object({
+  key: z7.string(),
+  presignedUrl: z7.string().url()
 });
-var storagesPrepareContract = c3.router({
+var storagesPrepareContract = c4.router({
   prepare: {
     method: "POST",
     path: "/api/storages/prepare",
-    body: z6.object({
-      storageName: z6.string().min(1, "Storage name is required"),
+    body: z7.object({
+      storageName: z7.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      files: z6.array(fileEntryWithHashSchema),
-      force: z6.boolean().optional(),
-      runId: z6.string().optional(),
+      files: z7.array(fileEntryWithHashSchema),
+      force: z7.boolean().optional(),
+      runId: z7.string().optional(),
       // For sandbox auth
-      baseVersion: z6.string().optional(),
+      baseVersion: z7.string().optional(),
       // For incremental uploads
       changes: storageChangesSchema.optional()
     }),
     responses: {
-      200: z6.object({
-        versionId: z6.string(),
-        existing: z6.boolean(),
-        uploads: z6.object({
+      200: z7.object({
+        versionId: z7.string(),
+        existing: z7.boolean(),
+        uploads: z7.object({
           archive: presignedUploadSchema,
           manifest: presignedUploadSchema
         }).optional()
@@ -5434,26 +5558,26 @@ var storagesPrepareContract = c3.router({
     summary: "Prepare for direct S3 upload"
   }
 });
-var storagesCommitContract = c3.router({
+var storagesCommitContract = c4.router({
   commit: {
     method: "POST",
     path: "/api/storages/commit",
-    body: z6.object({
-      storageName: z6.string().min(1, "Storage name is required"),
+    body: z7.object({
+      storageName: z7.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      versionId: z6.string().min(1, "Version ID is required"),
-      files: z6.array(fileEntryWithHashSchema),
-      runId: z6.string().optional(),
-      message: z6.string().optional()
+      versionId: z7.string().min(1, "Version ID is required"),
+      files: z7.array(fileEntryWithHashSchema),
+      runId: z7.string().optional(),
+      message: z7.string().optional()
     }),
     responses: {
-      200: z6.object({
-        success: z6.literal(true),
-        versionId: z6.string(),
-        storageName: z6.string(),
-        size: z6.number(),
-        fileCount: z6.number(),
-        deduplicated: z6.boolean().optional()
+      200: z7.object({
+        success: z7.literal(true),
+        versionId: z7.string(),
+        storageName: z7.string(),
+        size: z7.number(),
+        fileCount: z7.number(),
+        deduplicated: z7.boolean().optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -5465,30 +5589,30 @@ var storagesCommitContract = c3.router({
     summary: "Commit uploaded storage"
   }
 });
-var storagesDownloadContract = c3.router({
+var storagesDownloadContract = c4.router({
   download: {
     method: "GET",
     path: "/api/storages/download",
-    query: z6.object({
-      name: z6.string().min(1, "Storage name is required"),
+    query: z7.object({
+      name: z7.string().min(1, "Storage name is required"),
       type: storageTypeSchema,
       version: versionQuerySchema
     }),
     responses: {
       // Normal response with presigned URL
-      200: z6.union([
-        z6.object({
-          url: z6.string().url(),
-          versionId: z6.string(),
-          fileCount: z6.number(),
-          size: z6.number()
+      200: z7.union([
+        z7.object({
+          url: z7.string().url(),
+          versionId: z7.string(),
+          fileCount: z7.number(),
+          size: z7.number()
         }),
         // Empty artifact response
-        z6.object({
-          empty: z6.literal(true),
-          versionId: z6.string(),
-          fileCount: z6.literal(0),
-          size: z6.literal(0)
+        z7.object({
+          empty: z7.literal(true),
+          versionId: z7.string(),
+          fileCount: z7.literal(0),
+          size: z7.literal(0)
         })
       ]),
       400: apiErrorSchema,
@@ -5499,20 +5623,20 @@ var storagesDownloadContract = c3.router({
     summary: "Get presigned download URL"
   }
 });
-var storagesListContract = c3.router({
+var storagesListContract = c4.router({
   list: {
     method: "GET",
     path: "/api/storages/list",
-    query: z6.object({
+    query: z7.object({
       type: storageTypeSchema
     }),
     responses: {
-      200: z6.array(
-        z6.object({
-          name: z6.string(),
-          size: z6.number(),
-          fileCount: z6.number(),
-          updatedAt: z6.string()
+      200: z7.array(
+        z7.object({
+          name: z7.string(),
+          size: z7.number(),
+          fileCount: z7.number(),
+          updatedAt: z7.string()
         })
       ),
       401: apiErrorSchema,
@@ -5523,20 +5647,20 @@ var storagesListContract = c3.router({
 });
 
 // ../../packages/core/src/contracts/webhooks.ts
-import { z as z7 } from "zod";
-var c4 = initContract();
-var agentEventSchema = z7.object({
-  type: z7.string(),
-  sequenceNumber: z7.number().int().positive()
+import { z as z8 } from "zod";
+var c5 = initContract();
+var agentEventSchema = z8.object({
+  type: z8.string(),
+  sequenceNumber: z8.number().int().positive()
 }).passthrough();
-var artifactSnapshotSchema = z7.object({
-  artifactName: z7.string(),
-  artifactVersion: z7.string()
+var artifactSnapshotSchema = z8.object({
+  artifactName: z8.string(),
+  artifactVersion: z8.string()
 });
-var volumeVersionsSnapshotSchema = z7.object({
-  versions: z7.record(z7.string(), z7.string())
+var volumeVersionsSnapshotSchema = z8.object({
+  versions: z8.record(z8.string(), z8.string())
 });
-var webhookEventsContract = c4.router({
+var webhookEventsContract = c5.router({
   /**
    * POST /api/webhooks/agent/events
    * Receive agent events from E2B sandbox
@@ -5544,15 +5668,15 @@ var webhookEventsContract = c4.router({
   send: {
     method: "POST",
     path: "/api/webhooks/agent/events",
-    body: z7.object({
-      runId: z7.string().min(1, "runId is required"),
-      events: z7.array(agentEventSchema).min(1, "events array cannot be empty")
+    body: z8.object({
+      runId: z8.string().min(1, "runId is required"),
+      events: z8.array(agentEventSchema).min(1, "events array cannot be empty")
     }),
     responses: {
-      200: z7.object({
-        received: z7.number(),
-        firstSequence: z7.number(),
-        lastSequence: z7.number()
+      200: z8.object({
+        received: z8.number(),
+        firstSequence: z8.number(),
+        lastSequence: z8.number()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -5562,7 +5686,7 @@ var webhookEventsContract = c4.router({
     summary: "Receive agent events from sandbox"
   }
 });
-var webhookCompleteContract = c4.router({
+var webhookCompleteContract = c5.router({
   /**
    * POST /api/webhooks/agent/complete
    * Handle agent run completion (success or failure)
@@ -5570,15 +5694,15 @@ var webhookCompleteContract = c4.router({
   complete: {
     method: "POST",
     path: "/api/webhooks/agent/complete",
-    body: z7.object({
-      runId: z7.string().min(1, "runId is required"),
-      exitCode: z7.number(),
-      error: z7.string().optional()
+    body: z8.object({
+      runId: z8.string().min(1, "runId is required"),
+      exitCode: z8.number(),
+      error: z8.string().optional()
     }),
     responses: {
-      200: z7.object({
-        success: z7.boolean(),
-        status: z7.enum(["completed", "failed"])
+      200: z8.object({
+        success: z8.boolean(),
+        status: z8.enum(["completed", "failed"])
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -5588,7 +5712,7 @@ var webhookCompleteContract = c4.router({
     summary: "Handle agent run completion"
   }
 });
-var webhookCheckpointsContract = c4.router({
+var webhookCheckpointsContract = c5.router({
   /**
    * POST /api/webhooks/agent/checkpoints
    * Create checkpoint for completed agent run
@@ -5596,21 +5720,21 @@ var webhookCheckpointsContract = c4.router({
   create: {
     method: "POST",
     path: "/api/webhooks/agent/checkpoints",
-    body: z7.object({
-      runId: z7.string().min(1, "runId is required"),
-      cliAgentType: z7.string().min(1, "cliAgentType is required"),
-      cliAgentSessionId: z7.string().min(1, "cliAgentSessionId is required"),
-      cliAgentSessionHistory: z7.string().min(1, "cliAgentSessionHistory is required"),
+    body: z8.object({
+      runId: z8.string().min(1, "runId is required"),
+      cliAgentType: z8.string().min(1, "cliAgentType is required"),
+      cliAgentSessionId: z8.string().min(1, "cliAgentSessionId is required"),
+      cliAgentSessionHistory: z8.string().min(1, "cliAgentSessionHistory is required"),
       artifactSnapshot: artifactSnapshotSchema.optional(),
       volumeVersionsSnapshot: volumeVersionsSnapshotSchema.optional()
     }),
     responses: {
-      200: z7.object({
-        checkpointId: z7.string(),
-        agentSessionId: z7.string(),
-        conversationId: z7.string(),
+      200: z8.object({
+        checkpointId: z8.string(),
+        agentSessionId: z8.string(),
+        conversationId: z8.string(),
         artifact: artifactSnapshotSchema.optional(),
-        volumes: z7.record(z7.string(), z7.string()).optional()
+        volumes: z8.record(z8.string(), z8.string()).optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -5620,7 +5744,7 @@ var webhookCheckpointsContract = c4.router({
     summary: "Create checkpoint for agent run"
   }
 });
-var webhookHeartbeatContract = c4.router({
+var webhookHeartbeatContract = c5.router({
   /**
    * POST /api/webhooks/agent/heartbeat
    * Receive heartbeat signals from E2B sandbox
@@ -5628,12 +5752,12 @@ var webhookHeartbeatContract = c4.router({
   send: {
     method: "POST",
     path: "/api/webhooks/agent/heartbeat",
-    body: z7.object({
-      runId: z7.string().min(1, "runId is required")
+    body: z8.object({
+      runId: z8.string().min(1, "runId is required")
     }),
     responses: {
-      200: z7.object({
-        ok: z7.boolean()
+      200: z8.object({
+        ok: z8.boolean()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -5643,7 +5767,7 @@ var webhookHeartbeatContract = c4.router({
     summary: "Receive heartbeat from sandbox"
   }
 });
-var webhookStoragesContract = c4.router({
+var webhookStoragesContract = c5.router({
   /**
    * POST /api/webhooks/agent/storages
    * Create a new version of a storage from sandbox
@@ -5658,13 +5782,13 @@ var webhookStoragesContract = c4.router({
     method: "POST",
     path: "/api/webhooks/agent/storages",
     contentType: "multipart/form-data",
-    body: c4.type(),
+    body: c5.type(),
     responses: {
-      200: z7.object({
-        versionId: z7.string(),
-        storageName: z7.string(),
-        size: z7.number(),
-        fileCount: z7.number()
+      200: z8.object({
+        versionId: z8.string(),
+        storageName: z8.string(),
+        size: z8.number(),
+        fileCount: z8.number()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -5674,7 +5798,7 @@ var webhookStoragesContract = c4.router({
     summary: "Upload storage version from sandbox"
   }
 });
-var webhookStoragesIncrementalContract = c4.router({
+var webhookStoragesIncrementalContract = c5.router({
   /**
    * POST /api/webhooks/agent/storages/incremental
    * Create a new version using incremental upload
@@ -5691,19 +5815,19 @@ var webhookStoragesIncrementalContract = c4.router({
     method: "POST",
     path: "/api/webhooks/agent/storages/incremental",
     contentType: "multipart/form-data",
-    body: c4.type(),
+    body: c5.type(),
     responses: {
-      200: z7.object({
-        versionId: z7.string(),
-        storageName: z7.string(),
-        size: z7.number(),
-        fileCount: z7.number(),
-        incrementalStats: z7.object({
-          addedFiles: z7.number(),
-          modifiedFiles: z7.number(),
-          deletedFiles: z7.number(),
-          unchangedFiles: z7.number(),
-          bytesUploaded: z7.number()
+      200: z8.object({
+        versionId: z8.string(),
+        storageName: z8.string(),
+        size: z8.number(),
+        fileCount: z8.number(),
+        incrementalStats: z8.object({
+          addedFiles: z8.number(),
+          modifiedFiles: z8.number(),
+          deletedFiles: z8.number(),
+          unchangedFiles: z8.number(),
+          bytesUploaded: z8.number()
         }).optional()
       }),
       400: apiErrorSchema,
@@ -5714,24 +5838,24 @@ var webhookStoragesIncrementalContract = c4.router({
     summary: "Upload storage version incrementally from sandbox"
   }
 });
-var metricDataSchema = z7.object({
-  ts: z7.string(),
-  cpu: z7.number(),
-  mem_used: z7.number(),
-  mem_total: z7.number(),
-  disk_used: z7.number(),
-  disk_total: z7.number()
-});
-var networkLogSchema = z7.object({
-  timestamp: z7.string(),
-  method: z7.string(),
-  url: z7.string(),
-  status: z7.number(),
-  latency_ms: z7.number(),
-  request_size: z7.number(),
-  response_size: z7.number()
-});
-var webhookTelemetryContract = c4.router({
+var metricDataSchema = z8.object({
+  ts: z8.string(),
+  cpu: z8.number(),
+  mem_used: z8.number(),
+  mem_total: z8.number(),
+  disk_used: z8.number(),
+  disk_total: z8.number()
+});
+var networkLogSchema = z8.object({
+  timestamp: z8.string(),
+  method: z8.string(),
+  url: z8.string(),
+  status: z8.number(),
+  latency_ms: z8.number(),
+  request_size: z8.number(),
+  response_size: z8.number()
+});
+var webhookTelemetryContract = c5.router({
   /**
    * POST /api/webhooks/agent/telemetry
    * Receive telemetry data (system log, metrics, and network logs) from sandbox
@@ -5739,16 +5863,16 @@ var webhookTelemetryContract = c4.router({
   send: {
     method: "POST",
     path: "/api/webhooks/agent/telemetry",
-    body: z7.object({
-      runId: z7.string().min(1, "runId is required"),
-      systemLog: z7.string().optional(),
-      metrics: z7.array(metricDataSchema).optional(),
-      networkLogs: z7.array(networkLogSchema).optional()
+    body: z8.object({
+      runId: z8.string().min(1, "runId is required"),
+      systemLog: z8.string().optional(),
+      metrics: z8.array(metricDataSchema).optional(),
+      networkLogs: z8.array(networkLogSchema).optional()
     }),
     responses: {
-      200: z7.object({
-        success: z7.boolean(),
-        id: z7.string()
+      200: z8.object({
+        success: z8.boolean(),
+        id: z8.string()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -5758,25 +5882,25 @@ var webhookTelemetryContract = c4.router({
     summary: "Receive telemetry data from sandbox"
   }
 });
-var webhookStoragesPrepareContract = c4.router({
+var webhookStoragesPrepareContract = c5.router({
   prepare: {
     method: "POST",
     path: "/api/webhooks/agent/storages/prepare",
-    body: z7.object({
-      runId: z7.string().min(1, "runId is required"),
+    body: z8.object({
+      runId: z8.string().min(1, "runId is required"),
       // Required for webhook auth
-      storageName: z7.string().min(1, "Storage name is required"),
+      storageName: z8.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      files: z7.array(fileEntryWithHashSchema),
-      force: z7.boolean().optional(),
-      baseVersion: z7.string().optional(),
+      files: z8.array(fileEntryWithHashSchema),
+      force: z8.boolean().optional(),
+      baseVersion: z8.string().optional(),
       changes: storageChangesSchema.optional()
     }),
     responses: {
-      200: z7.object({
-        versionId: z7.string(),
-        existing: z7.boolean(),
-        uploads: z7.object({
+      200: z8.object({
+        versionId: z8.string(),
+        existing: z8.boolean(),
+        uploads: z8.object({
           archive: presignedUploadSchema,
           manifest: presignedUploadSchema
         }).optional()
@@ -5789,27 +5913,27 @@ var webhookStoragesPrepareContract = c4.router({
     summary: "Prepare for direct S3 upload from sandbox"
   }
 });
-var webhookStoragesCommitContract = c4.router({
+var webhookStoragesCommitContract = c5.router({
   commit: {
     method: "POST",
     path: "/api/webhooks/agent/storages/commit",
-    body: z7.object({
-      runId: z7.string().min(1, "runId is required"),
+    body: z8.object({
+      runId: z8.string().min(1, "runId is required"),
       // Required for webhook auth
-      storageName: z7.string().min(1, "Storage name is required"),
+      storageName: z8.string().min(1, "Storage name is required"),
       storageType: storageTypeSchema,
-      versionId: z7.string().min(1, "Version ID is required"),
-      files: z7.array(fileEntryWithHashSchema),
-      message: z7.string().optional()
+      versionId: z8.string().min(1, "Version ID is required"),
+      files: z8.array(fileEntryWithHashSchema),
+      message: z8.string().optional()
     }),
     responses: {
-      200: z7.object({
-        success: z7.literal(true),
-        versionId: z7.string(),
-        storageName: z7.string(),
-        size: z7.number(),
-        fileCount: z7.number(),
-        deduplicated: z7.boolean().optional()
+      200: z8.object({
+        success: z8.literal(true),
+        versionId: z8.string(),
+        storageName: z8.string(),
+        size: z8.number(),
+        fileCount: z8.number(),
+        deduplicated: z8.boolean().optional()
       }),
       400: apiErrorSchema,
       401: apiErrorSchema,
@@ -5823,13 +5947,13 @@ var webhookStoragesCommitContract = c4.router({
 });
 
 // ../../packages/core/src/contracts/cli-auth.ts
-import { z as z8 } from "zod";
-var c5 = initContract();
-var oauthErrorSchema = z8.object({
-  error: z8.string(),
-  error_description: z8.string()
+import { z as z9 } from "zod";
+var c6 = initContract();
+var oauthErrorSchema = z9.object({
+  error: z9.string(),
+  error_description: z9.string()
 });
-var cliAuthDeviceContract = c5.router({
+var cliAuthDeviceContract = c6.router({
   /**
    * POST /api/cli/auth/device
    * Initiate device authorization flow
@@ -5837,21 +5961,21 @@ var cliAuthDeviceContract = c5.router({
   create: {
     method: "POST",
     path: "/api/cli/auth/device",
-    body: z8.object({}).optional(),
+    body: z9.object({}).optional(),
     responses: {
-      200: z8.object({
-        device_code: z8.string(),
-        user_code: z8.string(),
-        verification_url: z8.string(),
-        expires_in: z8.number(),
-        interval: z8.number()
+      200: z9.object({
+        device_code: z9.string(),
+        user_code: z9.string(),
+        verification_url: z9.string(),
+        expires_in: z9.number(),
+        interval: z9.number()
       }),
       500: oauthErrorSchema
     },
     summary: "Initiate device authorization flow"
   }
 });
-var cliAuthTokenContract = c5.router({
+var cliAuthTokenContract = c6.router({
   /**
    * POST /api/cli/auth/token
    * Exchange device code for access token
@@ -5859,16 +5983,16 @@ var cliAuthTokenContract = c5.router({
   exchange: {
     method: "POST",
     path: "/api/cli/auth/token",
-    body: z8.object({
-      device_code: z8.string().min(1, "device_code is required")
+    body: z9.object({
+      device_code: z9.string().min(1, "device_code is required")
     }),
     responses: {
       // Success - token issued
-      200: z8.object({
-        access_token: z8.string(),
-        refresh_token: z8.string(),
-        token_type: z8.literal("Bearer"),
-        expires_in: z8.number()
+      200: z9.object({
+        access_token: z9.string(),
+        refresh_token: z9.string(),
+        token_type: z9.literal("Bearer"),
+        expires_in: z9.number()
       }),
       // Authorization pending
       202: oauthErrorSchema,
@@ -5881,9 +6005,9 @@ var cliAuthTokenContract = c5.router({
 });
 
 // ../../packages/core/src/contracts/auth.ts
-import { z as z9 } from "zod";
-var c6 = initContract();
-var authContract = c6.router({
+import { z as z10 } from "zod";
+var c7 = initContract();
+var authContract = c7.router({
   /**
    * GET /api/auth/me
    * Get current user information
@@ -5892,9 +6016,9 @@ var authContract = c6.router({
     method: "GET",
     path: "/api/auth/me",
     responses: {
-      200: z9.object({
-        userId: z9.string(),
-        email: z9.string()
+      200: z10.object({
+        userId: z10.string(),
+        email: z10.string()
       }),
       401: apiErrorSchema,
       404: apiErrorSchema,
@@ -5905,20 +6029,20 @@ var authContract = c6.router({
 });
 
 // ../../packages/core/src/contracts/cron.ts
-import { z as z10 } from "zod";
-var c7 = initContract();
-var cleanupResultSchema = z10.object({
-  runId: z10.string(),
-  sandboxId: z10.string().nullable(),
-  status: z10.enum(["cleaned", "error"]),
-  error: z10.string().optional()
-});
-var cleanupResponseSchema = z10.object({
-  cleaned: z10.number(),
-  errors: z10.number(),
-  results: z10.array(cleanupResultSchema)
-});
-var cronCleanupSandboxesContract = c7.router({
+import { z as z11 } from "zod";
+var c8 = initContract();
+var cleanupResultSchema = z11.object({
+  runId: z11.string(),
+  sandboxId: z11.string().nullable(),
+  status: z11.enum(["cleaned", "error"]),
+  error: z11.string().optional()
+});
+var cleanupResponseSchema = z11.object({
+  cleaned: z11.number(),
+  errors: z11.number(),
+  results: z11.array(cleanupResultSchema)
+});
+var cronCleanupSandboxesContract = c8.router({
   /**
    * GET /api/cron/cleanup-sandboxes
    * Cron job to cleanup sandboxes that have stopped sending heartbeats
@@ -5936,48 +6060,48 @@ var cronCleanupSandboxesContract = c7.router({
 });
 
 // ../../packages/core/src/contracts/proxy.ts
-import { z as z11 } from "zod";
-var proxyErrorSchema = z11.object({
-  error: z11.object({
-    message: z11.string(),
-    code: z11.enum([
+import { z as z12 } from "zod";
+var proxyErrorSchema = z12.object({
+  error: z12.object({
+    message: z12.string(),
+    code: z12.enum([
       "UNAUTHORIZED",
       "BAD_REQUEST",
       "BAD_GATEWAY",
       "INTERNAL_ERROR"
     ]),
-    targetUrl: z11.string().optional()
+    targetUrl: z12.string().optional()
   })
 });
 
 // ../../packages/core/src/contracts/scopes.ts
-import { z as z12 } from "zod";
-var c8 = initContract();
-var scopeTypeSchema = z12.enum(["personal", "organization", "system"]);
-var scopeSlugSchema = z12.string().min(3, "Scope slug must be at least 3 characters").max(64, "Scope slug must be at most 64 characters").regex(
+import { z as z13 } from "zod";
+var c9 = initContract();
+var scopeTypeSchema = z13.enum(["personal", "organization", "system"]);
+var scopeSlugSchema = z13.string().min(3, "Scope slug must be at least 3 characters").max(64, "Scope slug must be at most 64 characters").regex(
   /^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]{1,2}$/,
   "Scope slug must contain only lowercase letters, numbers, and hyphens, and must start and end with an alphanumeric character"
 ).refine(
   (slug) => !slug.startsWith("vm0"),
   "Scope slug cannot start with 'vm0' (reserved)"
 ).transform((s) => s.toLowerCase());
-var scopeResponseSchema = z12.object({
-  id: z12.string().uuid(),
-  slug: z12.string(),
+var scopeResponseSchema = z13.object({
+  id: z13.string().uuid(),
+  slug: z13.string(),
   type: scopeTypeSchema,
-  displayName: z12.string().nullable(),
-  createdAt: z12.string(),
-  updatedAt: z12.string()
+  displayName: z13.string().nullable(),
+  createdAt: z13.string(),
+  updatedAt: z13.string()
 });
-var createScopeRequestSchema = z12.object({
+var createScopeRequestSchema = z13.object({
   slug: scopeSlugSchema,
-  displayName: z12.string().max(128).optional()
+  displayName: z13.string().max(128).optional()
 });
-var updateScopeRequestSchema = z12.object({
+var updateScopeRequestSchema = z13.object({
   slug: scopeSlugSchema,
-  force: z12.boolean().optional().default(false)
+  force: z13.boolean().optional().default(false)
 });
-var scopeContract = c8.router({
+var scopeContract = c9.router({
   /**
    * GET /api/scope
    * Get current user's scope
@@ -6032,42 +6156,42 @@ var scopeContract = c8.router({
 });
 
 // ../../packages/core/src/contracts/sessions.ts
-import { z as z13 } from "zod";
-var c9 = initContract();
-var sessionResponseSchema = z13.object({
-  id: z13.string(),
-  agentComposeId: z13.string(),
-  agentComposeVersionId: z13.string().nullable(),
-  conversationId: z13.string().nullable(),
-  artifactName: z13.string().nullable(),
-  vars: z13.record(z13.string(), z13.string()).nullable(),
-  secretNames: z13.array(z13.string()).nullable(),
-  volumeVersions: z13.record(z13.string(), z13.string()).nullable(),
-  createdAt: z13.string(),
-  updatedAt: z13.string()
+import { z as z14 } from "zod";
+var c10 = initContract();
+var sessionResponseSchema = z14.object({
+  id: z14.string(),
+  agentComposeId: z14.string(),
+  agentComposeVersionId: z14.string().nullable(),
+  conversationId: z14.string().nullable(),
+  artifactName: z14.string().nullable(),
+  vars: z14.record(z14.string(), z14.string()).nullable(),
+  secretNames: z14.array(z14.string()).nullable(),
+  volumeVersions: z14.record(z14.string(), z14.string()).nullable(),
+  createdAt: z14.string(),
+  updatedAt: z14.string()
 });
-var agentComposeSnapshotSchema = z13.object({
-  agentComposeVersionId: z13.string(),
-  vars: z13.record(z13.string(), z13.string()).optional(),
-  secretNames: z13.array(z13.string()).optional()
+var agentComposeSnapshotSchema = z14.object({
+  agentComposeVersionId: z14.string(),
+  vars: z14.record(z14.string(), z14.string()).optional(),
+  secretNames: z14.array(z14.string()).optional()
 });
-var artifactSnapshotSchema2 = z13.object({
-  artifactName: z13.string(),
-  artifactVersion: z13.string()
+var artifactSnapshotSchema2 = z14.object({
+  artifactName: z14.string(),
+  artifactVersion: z14.string()
 });
-var volumeVersionsSnapshotSchema2 = z13.object({
-  versions: z13.record(z13.string(), z13.string())
+var volumeVersionsSnapshotSchema2 = z14.object({
+  versions: z14.record(z14.string(), z14.string())
 });
-var checkpointResponseSchema = z13.object({
-  id: z13.string(),
-  runId: z13.string(),
-  conversationId: z13.string(),
+var checkpointResponseSchema = z14.object({
+  id: z14.string(),
+  runId: z14.string(),
+  conversationId: z14.string(),
   agentComposeSnapshot: agentComposeSnapshotSchema,
   artifactSnapshot: artifactSnapshotSchema2.nullable(),
   volumeVersionsSnapshot: volumeVersionsSnapshotSchema2.nullable(),
-  createdAt: z13.string()
+  createdAt: z14.string()
 });
-var sessionsByIdContract = c9.router({
+var sessionsByIdContract = c10.router({
   /**
    * GET /api/agent/sessions/:id
    * Get session by ID
@@ -6075,8 +6199,8 @@ var sessionsByIdContract = c9.router({
   getById: {
     method: "GET",
     path: "/api/agent/sessions/:id",
-    pathParams: z13.object({
-      id: z13.string().min(1, "Session ID is required")
+    pathParams: z14.object({
+      id: z14.string().min(1, "Session ID is required")
     }),
     responses: {
       200: sessionResponseSchema,
@@ -6087,7 +6211,7 @@ var sessionsByIdContract = c9.router({
     summary: "Get session by ID"
   }
 });
-var checkpointsByIdContract = c9.router({
+var checkpointsByIdContract = c10.router({
   /**
    * GET /api/agent/checkpoints/:id
    * Get checkpoint by ID
@@ -6095,8 +6219,8 @@ var checkpointsByIdContract = c9.router({
   getById: {
     method: "GET",
     path: "/api/agent/checkpoints/:id",
-    pathParams: z13.object({
-      id: z13.string().min(1, "Checkpoint ID is required")
+    pathParams: z14.object({
+      id: z14.string().min(1, "Checkpoint ID is required")
     }),
     responses: {
       200: checkpointResponseSchema,
@@ -6108,108 +6232,6 @@ var checkpointsByIdContract = c9.router({
   }
 });
 
-// ../../packages/core/src/contracts/runners.ts
-import { z as z14 } from "zod";
-var c10 = initContract();
-var runnerGroupSchema = z14.string().regex(
-  /^[a-z0-9-]+\/[a-z0-9-]+$/,
-  "Runner group must be in scope/name format (e.g., acme/production)"
-);
-var jobSchema = z14.object({
-  runId: z14.string().uuid(),
-  prompt: z14.string(),
-  agentComposeVersionId: z14.string(),
-  vars: z14.record(z14.string(), z14.string()).nullable(),
-  secretNames: z14.array(z14.string()).nullable(),
-  checkpointId: z14.string().uuid().nullable()
-});
-var runnersPollContract = c10.router({
-  poll: {
-    method: "POST",
-    path: "/api/runners/poll",
-    body: z14.object({
-      group: runnerGroupSchema
-    }),
-    responses: {
-      200: z14.object({
-        job: jobSchema.nullable()
-      }),
-      400: apiErrorSchema,
-      401: apiErrorSchema,
-      500: apiErrorSchema
-    },
-    summary: "Poll for pending jobs (long-polling with 30s timeout)"
-  }
-});
-var storageEntrySchema = z14.object({
-  mountPath: z14.string(),
-  archiveUrl: z14.string().nullable()
-});
-var artifactEntrySchema = z14.object({
-  mountPath: z14.string(),
-  archiveUrl: z14.string().nullable(),
-  vasStorageName: z14.string(),
-  vasVersionId: z14.string()
-});
-var storageManifestSchema = z14.object({
-  storages: z14.array(storageEntrySchema),
-  artifact: artifactEntrySchema.nullable()
-});
-var resumeSessionSchema = z14.object({
-  sessionId: z14.string(),
-  sessionHistory: z14.string()
-});
-var storedExecutionContextSchema = z14.object({
-  workingDir: z14.string(),
-  storageManifest: storageManifestSchema.nullable(),
-  environment: z14.record(z14.string(), z14.string()).nullable(),
-  resumeSession: resumeSessionSchema.nullable(),
-  encryptedSecrets: z14.string().nullable(),
-  // AES-256-GCM encrypted secrets
-  cliAgentType: z14.string(),
-  experimentalNetworkSecurity: z14.boolean().optional()
-});
-var executionContextSchema = z14.object({
-  runId: z14.string().uuid(),
-  prompt: z14.string(),
-  agentComposeVersionId: z14.string(),
-  vars: z14.record(z14.string(), z14.string()).nullable(),
-  secretNames: z14.array(z14.string()).nullable(),
-  checkpointId: z14.string().uuid().nullable(),
-  sandboxToken: z14.string(),
-  // New fields for E2B parity:
-  workingDir: z14.string(),
-  storageManifest: storageManifestSchema.nullable(),
-  environment: z14.record(z14.string(), z14.string()).nullable(),
-  resumeSession: resumeSessionSchema.nullable(),
-  secretValues: z14.array(z14.string()).nullable(),
-  cliAgentType: z14.string(),
-  // Network security mode flag
-  experimentalNetworkSecurity: z14.boolean().optional()
-});
-var runnersJobClaimContract = c10.router({
-  claim: {
-    method: "POST",
-    path: "/api/runners/jobs/:id/claim",
-    pathParams: z14.object({
-      id: z14.string().uuid()
-    }),
-    body: z14.object({}),
-    responses: {
-      200: executionContextSchema,
-      400: apiErrorSchema,
-      401: apiErrorSchema,
-      403: apiErrorSchema,
-      // Job does not belong to user
-      404: apiErrorSchema,
-      409: apiErrorSchema,
-      // Already claimed
-      500: apiErrorSchema
-    },
-    summary: "Claim a pending job for execution"
-  }
-});
-
 // ../../packages/core/src/contracts/public/common.ts
 import { z as z15 } from "zod";
 var publicApiErrorTypeSchema = z15.enum([
@@ -6285,18 +6307,21 @@ var updateAgentRequestSchema = z16.object({
   config: z16.unknown()
   // New agent configuration (creates new version)
 });
+var agentListQuerySchema = listQuerySchema.extend({
+  name: z16.string().optional()
+});
 var publicAgentsListContract = c11.router({
   list: {
     method: "GET",
     path: "/v1/agents",
-    query: listQuerySchema,
+    query: agentListQuerySchema,
     responses: {
       200: paginatedAgentsSchema,
       401: publicApiErrorSchema,
       500: publicApiErrorSchema
     },
     summary: "List agents",
-    description: "List all agents in the current scope with pagination"
+    description: "List all agents in the current scope with pagination. Use the `name` query parameter to filter by agent name."
   },
   create: {
     method: "POST",
@@ -9551,14 +9576,21 @@ var VMRegistry = class {
   /**
    * Register a VM with its IP address
    */
-  register(vmIp, runId, sandboxToken) {
+  register(vmIp, runId, sandboxToken, options) {
     this.data.vms[vmIp] = {
       runId,
       sandboxToken,
-      registeredAt: Date.now()
+      registeredAt: Date.now(),
+      firewallRules: options?.firewallRules,
+      mitmEnabled: options?.mitmEnabled,
+      sealSecretsEnabled: options?.sealSecretsEnabled
     };
     this.save();
-    console.log(`[VMRegistry] Registered VM ${vmIp} for run ${runId}`);
+    const firewallInfo = options?.firewallRules ? ` with ${options.firewallRules.length} firewall rules` : "";
+    const mitmInfo = options?.mitmEnabled ? ", MITM enabled" : "";
+    console.log(
+      `[VMRegistry] Registered VM ${vmIp} for run ${runId}${firewallInfo}${mitmInfo}`
+    );
   }
   /**
    * Unregister a VM by IP address
@@ -9624,16 +9656,19 @@ mitmproxy addon for VM0 runner-level network security mode.
 
 This addon runs on the runner HOST (not inside VMs) and:
 1. Intercepts all HTTPS requests from VMs
-2. Looks up the source VM's runId from the VM registry
-3. Rewrites requests to go through VM0 Proxy endpoint
-4. Preserves all original headers (including encrypted tokens)
-5. Logs network activity per-run to JSONL files
+2. Looks up the source VM's runId and firewall rules from the VM registry
+3. Evaluates firewall rules (first-match-wins) to ALLOW or DENY
+4. For MITM mode: Rewrites requests to go through VM0 Proxy endpoint
+5. For SNI-only mode: Passes through or blocks without decryption
+6. Logs network activity per-run to JSONL files
 """
 import os
 import json
 import time
 import urllib.parse
-from mitmproxy import http, ctx
+import ipaddress
+import socket
+from mitmproxy import http, ctx, tls
 
 
 # VM0 Proxy configuration from environment
@@ -9716,12 +9751,189 @@ def get_original_url(flow: http.HTTPFlow) -> str:
     return f"{scheme}://{host_with_port}{path}"
 
 
-def request(flow: http.HTTPFlow) -> None:
+# ============================================================================
+# Firewall Rule Matching
+# ============================================================================
+
+def match_domain(pattern: str, hostname: str) -> bool:
+    """
+    Match hostname against domain pattern.
+    Supports exact match and wildcard prefix (*.example.com).
+    """
+    if not pattern or not hostname:
+        return False
+
+    pattern = pattern.lower()
+    hostname = hostname.lower()
+
+    if pattern.startswith("*."):
+        # Wildcard: *.example.com matches sub.example.com, www.example.com
+        # Also matches example.com itself (without subdomain)
+        suffix = pattern[1:]  # .example.com
+        base = pattern[2:]    # example.com
+        return hostname.endswith(suffix) or hostname == base
+
+    return hostname == pattern
+
+
+def match_ip(cidr: str, ip_str: str) -> bool:
     """
-    Intercept request and rewrite to VM0 Proxy.
+    Match IP address against CIDR range.
+    Supports single IPs (1.2.3.4) and ranges (10.0.0.0/8).
+    """
+    if not cidr or not ip_str:
+        return False
+
+    try:
+        # Parse CIDR (automatically handles single IPs as /32)
+        if "/" not in cidr:
+            cidr = f"{cidr}/32"
+        network = ipaddress.ip_network(cidr, strict=False)
+        ip = ipaddress.ip_address(ip_str)
+        return ip in network
+    except ValueError:
+        return False
+
 
-    Identifies the source VM by client IP and looks up the associated
-    runId and sandboxToken from the VM registry.
+def resolve_hostname_to_ip(hostname: str) -> str | None:
+    """Resolve hostname to IP address for IP-based rule matching."""
+    try:
+        return socket.gethostbyname(hostname)
+    except socket.gaierror:
+        return None
+
+
+def evaluate_rules(rules: list, hostname: str, ip_str: str = None) -> tuple[str, str | None]:
+    """
+    Evaluate firewall rules against hostname/IP.
+    Returns (action, matched_rule_description).
+
+    Rule evaluation is first-match-wins (top to bottom).
+
+    Rule formats:
+    - Domain/IP rule: { domain: "*.example.com", action: "ALLOW" }
+    - Terminal rule: { final: "DENY" }
+    """
+    if not rules:
+        return ("ALLOW", None)  # No rules = allow all
+
+    for rule in rules:
+        # Final/terminal rule - value is the action
+        final_action = rule.get("final")
+        if final_action:
+            return (final_action, "final")
+
+        # Domain rule
+        domain = rule.get("domain")
+        if domain and match_domain(domain, hostname):
+            return (rule.get("action", "DENY"), f"domain:{domain}")
+
+        # IP rule
+        ip_pattern = rule.get("ip")
+        if ip_pattern:
+            target_ip = ip_str
+            if not target_ip:
+                target_ip = resolve_hostname_to_ip(hostname)
+            if target_ip and match_ip(ip_pattern, target_ip):
+                return (rule.get("action", "DENY"), f"ip:{ip_pattern}")
+
+    # No rule matched - default deny (zero-trust)
+    return ("DENY", "default")
+
+
+# ============================================================================
+# TLS ClientHello Handler (SNI-only mode)
+# ============================================================================
+
+def tls_clienthello(data: tls.ClientHelloData) -> None:
+    """
+    Handle TLS ClientHello for SNI-based filtering.
+    This is called BEFORE TLS decryption, allowing SNI-only filtering.
+    """
+    client_ip = data.context.client.peername[0] if data.context.client.peername else None
+    if not client_ip:
+        return
+
+    vm_info = get_vm_info(client_ip)
+    if not vm_info:
+        return  # Not a registered VM, let it through
+
+    # If MITM is enabled, let the normal flow handle it
+    if vm_info.get("mitmEnabled", False):
+        return
+
+    # SNI-only mode: check rules based on SNI
+    sni = data.context.client.sni
+    run_id = vm_info.get("runId", "")
+    rules = vm_info.get("firewallRules", [])
+
+    # Auto-allow VM0 API requests - the agent MUST be able to communicate with VM0
+    if API_URL and sni:
+        parsed_api = urllib.parse.urlparse(API_URL)
+        api_hostname = parsed_api.hostname.lower() if parsed_api.hostname else ""
+        sni_lower = sni.lower()
+        if api_hostname and (sni_lower == api_hostname or sni_lower.endswith(f".{api_hostname}")):
+            ctx.log.info(f"[{run_id}] SNI-only auto-allow VM0 API: {sni}")
+            log_network_entry(run_id, {
+                "timestamp": time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime()),
+                "mode": "sni",
+                "action": "ALLOW",
+                "host": sni,
+                "port": 443,
+                "rule_matched": "vm0-api",
+            })
+            data.ignore_connection = True  # Pass through without MITM
+            return
+
+    if not sni:
+        # No SNI, can't determine target - block for security
+        ctx.log.warn(f"[{run_id}] SNI-only: No SNI in ClientHello, blocking")
+        log_network_entry(run_id, {
+            "timestamp": time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime()),
+            "mode": "sni",
+            "action": "DENY",
+            "host": "",
+            "port": 443,
+            "rule_matched": "no-sni",
+        })
+        # Don't set ignore_connection - mitmproxy will attempt MITM handshake
+        # Since VM doesn't have CA cert (SNI-only mode), TLS will fail immediately
+        return
+
+    # Evaluate rules
+    action, matched_rule = evaluate_rules(rules, sni)
+
+    # Log the connection
+    log_network_entry(run_id, {
+        "timestamp": time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime()),
+        "mode": "sni",
+        "action": action,
+        "host": sni,
+        "port": 443,
+        "rule_matched": matched_rule,
+    })
+
+    if action == "ALLOW":
+        # Pass through without MITM - mitmproxy will relay without decryption
+        ctx.log.info(f"[{run_id}] SNI-only ALLOW: {sni} (rule: {matched_rule})")
+        data.ignore_connection = True
+    else:
+        # Block the connection by NOT setting ignore_connection
+        # mitmproxy will attempt MITM handshake, but since VM doesn't have
+        # our CA certificate installed (SNI-only mode), the TLS handshake
+        # will fail immediately with a certificate error.
+        ctx.log.warn(f"[{run_id}] SNI-only DENY: {sni} (rule: {matched_rule})")
+        # Client will see: SSL certificate problem / certificate verify failed
+
+
+# ============================================================================
+# HTTP Request Handler (MITM mode)
+# ============================================================================
+
+def request(flow: http.HTTPFlow) -> None:
+    """
+    Intercept request and apply firewall rules.
+    For MITM mode, rewrites allowed requests to VM0 Proxy.
     """
     # Track request start time
     request_start_times[flow.id] = time.time()
@@ -9738,16 +9950,52 @@ def request(flow: http.HTTPFlow) -> None:
 
     if not vm_info:
         # Not a registered VM, pass through without proxying
-        # This allows non-VM traffic to work normally
         ctx.log.info(f"No VM registration for {client_ip}, passing through")
         return
 
     run_id = vm_info.get("runId", "")
     sandbox_token = vm_info.get("sandboxToken", "")
+    mitm_enabled = vm_info.get("mitmEnabled", False)
+    rules = vm_info.get("firewallRules", [])
 
     # Store info for response handler
     flow.metadata["vm_run_id"] = run_id
     flow.metadata["vm_client_ip"] = client_ip
+    flow.metadata["vm_mitm_enabled"] = mitm_enabled
+
+    # Get target hostname
+    hostname = flow.request.pretty_host.lower()
+
+    # Auto-allow VM0 API requests - the agent MUST be able to communicate with VM0
+    # This is checked before user firewall rules to ensure agent functionality
+    if API_URL:
+        parsed_api = urllib.parse.urlparse(API_URL)
+        api_hostname = parsed_api.hostname.lower() if parsed_api.hostname else ""
+        if api_hostname and (hostname == api_hostname or hostname.endswith(f".{api_hostname}")):
+            ctx.log.info(f"[{run_id}] Auto-allow VM0 API: {hostname}")
+            flow.metadata["firewall_action"] = "ALLOW"
+            flow.metadata["firewall_rule"] = "vm0-api"
+            # Continue to skip rewrite check below
+            flow.metadata["original_url"] = get_original_url(flow)
+            flow.metadata["skip_rewrite"] = True
+            return
+
+    # Evaluate firewall rules
+    action, matched_rule = evaluate_rules(rules, hostname)
+    flow.metadata["firewall_action"] = action
+    flow.metadata["firewall_rule"] = matched_rule
+
+    if action == "DENY":
+        ctx.log.warn(f"[{run_id}] Firewall DENY: {hostname} (rule: {matched_rule})")
+        # Kill the flow and return error response
+        flow.response = http.Response.make(
+            403,
+            b"Blocked by firewall",
+            {"Content-Type": "text/plain"}
+        )
+        return
+
+    # Request is ALLOWED - proceed with processing
 
     # Skip if no API URL configured
     if not API_URL:
@@ -9760,9 +10008,8 @@ def request(flow: http.HTTPFlow) -> None:
         flow.metadata["skip_rewrite"] = True
         return
 
-    # Skip rewriting requests to trusted domains (S3, etc.)
+    # Skip rewriting requests to trusted storage domains (S3, etc.)
     # S3 presigned URLs have signatures that break when proxied
-    host = flow.request.pretty_host.lower()
     TRUSTED_DOMAINS = [
         ".s3.amazonaws.com",
         ".s3-",  # Regional S3 endpoints like s3-us-west-2.amazonaws.com
@@ -9771,8 +10018,8 @@ def request(flow: http.HTTPFlow) -> None:
         ".storage.googleapis.com",
     ]
     for domain in TRUSTED_DOMAINS:
-        if domain in host or host.endswith(domain.lstrip(".")):
-            ctx.log.info(f"[{run_id}] Skipping trusted domain: {host}")
+        if domain in hostname or hostname.endswith(domain.lstrip(".")):
+            ctx.log.info(f"[{run_id}] Skipping trusted storage domain: {hostname}")
             flow.metadata["original_url"] = get_original_url(flow)
             flow.metadata["skip_rewrite"] = True
             return
@@ -9781,7 +10028,13 @@ def request(flow: http.HTTPFlow) -> None:
     original_url = get_original_url(flow)
     flow.metadata["original_url"] = original_url
 
-    ctx.log.info(f"[{run_id}] Proxying: {original_url}")
+    # If MITM is not enabled, just allow the request through without rewriting
+    if not mitm_enabled:
+        ctx.log.info(f"[{run_id}] Firewall ALLOW (no MITM): {hostname}")
+        return
+
+    # MITM mode: rewrite to VM0 Proxy
+    ctx.log.info(f"[{run_id}] Proxying via MITM: {original_url}")
 
     # Parse proxy URL
     parsed = urllib.parse.urlparse(PROXY_URL)
@@ -9822,34 +10075,58 @@ def response(flow: http.HTTPFlow) -> None:
     # Get stored info
     run_id = flow.metadata.get("vm_run_id", "")
     original_url = flow.metadata.get("original_url", flow.request.pretty_url)
+    mitm_enabled = flow.metadata.get("vm_mitm_enabled", False)
+    firewall_action = flow.metadata.get("firewall_action", "ALLOW")
+    firewall_rule = flow.metadata.get("firewall_rule")
 
     # Calculate sizes
     request_size = len(flow.request.content) if flow.request.content else 0
     response_size = len(flow.response.content) if flow.response and flow.response.content else 0
     status_code = flow.response.status_code if flow.response else 0
 
+    # Parse URL for host
+    try:
+        parsed_url = urllib.parse.urlparse(original_url)
+        host = parsed_url.hostname or flow.request.pretty_host
+        port = parsed_url.port or (443 if parsed_url.scheme == "https" else 80)
+    except:
+        host = flow.request.pretty_host
+        port = flow.request.port
+
     # Log network entry for this run
     if run_id:
         log_entry = {
             "timestamp": time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime()),
-            "method": flow.request.method,
-            "url": original_url,
-            "status": status_code,
-            "latency_ms": latency_ms,
-            "request_size": request_size,
-            "response_size": response_size,
+            "mode": "mitm" if mitm_enabled else "filter",
+            "action": firewall_action,
+            "host": host,
+            "port": port,
+            "rule_matched": firewall_rule,
         }
+
+        # Add HTTP details only in MITM mode
+        if mitm_enabled:
+            log_entry.update({
+                "method": flow.request.method,
+                "path": flow.request.path.split("?")[0],  # Path without query
+                "url": original_url,
+                "status": status_code,
+                "latency_ms": latency_ms,
+                "request_size": request_size,
+                "response_size": response_size,
+            })
+
         log_network_entry(run_id, log_entry)
 
     # Log errors to mitmproxy console
     if flow.response and flow.response.status_code >= 400:
         ctx.log.warn(
-            f"[{run_id}] Proxy response {flow.response.status_code}: {original_url}"
+            f"[{run_id}] Response {flow.response.status_code}: {original_url}"
         )
 
 
 # mitmproxy addon registration
-addons = [request, response]
+addons = [tls_clienthello, request, response]
 `;
 
 // src/lib/proxy/proxy-manager.ts
@@ -10087,7 +10364,7 @@ function buildEnvironmentVariables(context, apiUrl) {
       envVars[key] = value;
     }
   }
-  if (context.experimentalNetworkSecurity) {
+  if (context.experimentalFirewall?.experimental_mitm) {
     envVars.NODE_EXTRA_CA_CERTS = "/usr/local/share/ca-certificates/vm0-proxy-ca.crt";
   }
   return envVars;
@@ -10261,13 +10538,22 @@ async function executeJob(context, config) {
     console.log(`[Executor] Waiting for SSH on ${guestIp}...`);
     await ssh.waitUntilReachable(12e4, 2e3);
     console.log(`[Executor] SSH ready on ${guestIp}`);
-    if (context.experimentalNetworkSecurity) {
+    const firewallConfig = context.experimentalFirewall;
+    if (firewallConfig?.enabled) {
+      const mitmEnabled = firewallConfig.experimental_mitm ?? false;
+      const sealSecretsEnabled = firewallConfig.experimental_seal_secrets ?? false;
       console.log(
-        `[Executor] Setting up network security mode for VM ${guestIp}`
+        `[Executor] Setting up network security for VM ${guestIp} (mitm=${mitmEnabled}, sealSecrets=${sealSecretsEnabled})`
       );
       await setupVMProxyRules(guestIp, config.proxy.port);
-      getVMRegistry().register(guestIp, context.runId, context.sandboxToken);
-      await installProxyCA(ssh);
+      getVMRegistry().register(guestIp, context.runId, context.sandboxToken, {
+        firewallRules: firewallConfig?.rules,
+        mitmEnabled,
+        sealSecretsEnabled
+      });
+      if (mitmEnabled) {
+        await installProxyCA(ssh);
+      }
     }
     console.log(`[Executor] Configuring DNS...`);
     await configureDNS(ssh);
@@ -10341,7 +10627,7 @@ async function executeJob(context, config) {
       error: errorMsg
     };
   } finally {
-    if (context.experimentalNetworkSecurity && guestIp) {
+    if (context.experimentalFirewall?.enabled && guestIp) {
       console.log(`[Executor] Cleaning up network security for VM ${guestIp}`);
       try {
         await removeVMProxyRules(guestIp, config.proxy.port);
@@ -10438,7 +10724,7 @@ var startCommand = new Command("start").description("Start the runner").option("
         `Network proxy not available: ${err instanceof Error ? err.message : "Unknown error"}`
       );
       console.warn(
-        "Jobs with experimentalNetworkSecurity enabled will run without network interception"
+        "Jobs with experimentalFirewall enabled will run without network interception"
       );
     }
     const statusFilePath = join(dirname(options.config), "status.json");
@@ -10587,7 +10873,7 @@ var statusCommand = new Command2("status").description("Check runner connectivit
 });
 
 // src/index.ts
-var version = true ? "2.3.2" : "0.1.0";
+var version = true ? "2.4.0" : "0.1.0";
 program.name("vm0-runner").version(version).description("Self-hosted runner for VM0 agents");
 program.addCommand(startCommand);
 program.addCommand(statusCommand);