@vm0/runner 2.6.0 → 2.7.0

package/index.js

@@ -37,6 +37,42 @@ var runnerConfigSchema = z.object({
     port: z.number().int().min(1024).max(65535).default(8080)
   }).default({})
 });
+var debugConfigSchema = z.object({
+  name: z.string().default("debug-runner"),
+  group: z.string().default("debug/local"),
+  server: z.object({
+    url: z.string().url().default("http://localhost:3000"),
+    token: z.string().default("debug-token")
+  }).default({}),
+  sandbox: z.object({
+    max_concurrent: z.number().int().min(1).default(1),
+    vcpu: z.number().int().min(1).default(2),
+    memory_mb: z.number().int().min(128).default(2048),
+    poll_interval_ms: z.number().int().min(1e3).default(5e3)
+  }).default({}),
+  firecracker: z.object({
+    binary: z.string().min(1, "Firecracker binary path is required"),
+    kernel: z.string().min(1, "Kernel path is required"),
+    rootfs: z.string().min(1, "Rootfs path is required")
+  }),
+  proxy: z.object({
+    port: z.number().int().min(1024).max(65535).default(8080)
+  }).default({})
+});
+function loadDebugConfig(configPath) {
+  if (!fs.existsSync(configPath)) {
+    throw new Error(`Config file not found: ${configPath}`);
+  }
+  const content = fs.readFileSync(configPath, "utf-8");
+  const raw = yaml.parse(content);
+  const result = debugConfigSchema.safeParse(raw);
+  if (!result.success) {
+    const errors = result.error.errors.map((e) => `  - ${e.path.join(".")}: ${e.message}`).join("\n");
+    throw new Error(`Invalid configuration:
+${errors}`);
+  }
+  return result.data;
+}
 function loadConfig(configPath) {
   if (!fs.existsSync(configPath)) {
     throw new Error(`runner.yaml not found: ${configPath}`);
@@ -142,7 +178,7 @@ import path4 from "path";
 import fs6 from "fs";
 
 // src/lib/firecracker/vm.ts
-import { spawn } from "child_process";
+import { execSync as execSync2, spawn } from "child_process";
 import fs2 from "fs";
 import path from "path";
 import readline from "readline";
@@ -545,13 +581,13 @@ var FirecrackerVM = class {
   state = "created";
   workDir;
   socketPath;
-  vmRootfsPath;
-  // Per-VM copy of rootfs
+  vmOverlayPath;
+  // Per-VM sparse overlay for writes
   constructor(config) {
     this.config = config;
     this.workDir = config.workDir || `/tmp/vm0-vm-${config.vmId}`;
     this.socketPath = path.join(this.workDir, "firecracker.sock");
-    this.vmRootfsPath = path.join(this.workDir, "rootfs.ext4");
+    this.vmOverlayPath = path.join(this.workDir, "overlay.ext4");
   }
   /**
    * Get current VM state
@@ -590,8 +626,12 @@ var FirecrackerVM = class {
       if (fs2.existsSync(this.socketPath)) {
         fs2.unlinkSync(this.socketPath);
       }
-      console.log(`[VM ${this.config.vmId}] Copying rootfs for isolation...`);
-      fs2.copyFileSync(this.config.rootfsPath, this.vmRootfsPath);
+      console.log(`[VM ${this.config.vmId}] Creating sparse overlay file...`);
+      const overlaySize = 2 * 1024 * 1024 * 1024;
+      const fd = fs2.openSync(this.vmOverlayPath, "w");
+      fs2.ftruncateSync(fd, overlaySize);
+      fs2.closeSync(fd);
+      execSync2(`mkfs.ext4 -F -q "${this.vmOverlayPath}"`, { stdio: "ignore" });
       console.log(`[VM ${this.config.vmId}] Setting up network...`);
       this.networkConfig = await createTapDevice(this.config.vmId);
       console.log(`[VM ${this.config.vmId}] Starting Firecracker...`);
@@ -668,19 +708,27 @@ var FirecrackerVM = class {
       mem_size_mib: this.config.memoryMb
     });
     const networkBootArgs = generateNetworkBootArgs(this.networkConfig);
-    const bootArgs = `console=ttyS0 reboot=k panic=1 pci=off ${networkBootArgs}`;
+    const bootArgs = `console=ttyS0 reboot=k panic=1 pci=off init=/sbin/overlay-init ${networkBootArgs}`;
     console.log(`[VM ${this.config.vmId}] Boot args: ${bootArgs}`);
     await this.client.setBootSource({
       kernel_image_path: this.config.kernelPath,
       boot_args: bootArgs
     });
-    console.log(`[VM ${this.config.vmId}] Rootfs: ${this.vmRootfsPath}`);
+    console.log(
+      `[VM ${this.config.vmId}] Base rootfs: ${this.config.rootfsPath}`
+    );
     await this.client.setDrive({
       drive_id: "rootfs",
-      path_on_host: this.vmRootfsPath,
+      path_on_host: this.config.rootfsPath,
       is_root_device: true,
+      is_read_only: true
+    });
+    console.log(`[VM ${this.config.vmId}] Overlay: ${this.vmOverlayPath}`);
+    await this.client.setDrive({
+      drive_id: "overlay",
+      path_on_host: this.vmOverlayPath,
+      is_root_device: false,
       is_read_only: false
-      // Need write access for agent execution
     });
     console.log(
       `[VM ${this.config.vmId}] Network: ${this.networkConfig.tapDevice}`
@@ -770,7 +818,7 @@ var FirecrackerVM = class {
 };
 
 // src/lib/firecracker/guest.ts
-import { exec as exec2, execSync as execSync2 } from "child_process";
+import { exec as exec2, execSync as execSync3 } from "child_process";
 import { promisify as promisify2 } from "util";
 import fs3 from "fs";
 import path2 from "path";
@@ -4891,9 +4939,7 @@ var storedExecutionContextSchema = z4.object({
   encryptedSecrets: z4.string().nullable(),
   // AES-256-GCM encrypted secrets
   cliAgentType: z4.string(),
-  experimentalFirewall: experimentalFirewallSchema.optional(),
-  postCreateCommand: z4.string().nullable().optional()
-  // Lifecycle hook
+  experimentalFirewall: experimentalFirewallSchema.optional()
 });
 var executionContextSchema = z4.object({
   runId: z4.string().uuid(),
@@ -4911,9 +4957,7 @@ var executionContextSchema = z4.object({
   secretValues: z4.array(z4.string()).nullable(),
   cliAgentType: z4.string(),
   // Experimental firewall configuration
-  experimentalFirewall: experimentalFirewallSchema.optional(),
-  // Lifecycle hook - command to run after working dir creation
-  postCreateCommand: z4.string().nullable().optional()
+  experimentalFirewall: experimentalFirewallSchema.optional()
 });
 var runnersJobClaimContract = c.router({
   claim: {
@@ -6297,19 +6341,11 @@ var agentVersionSchema = z16.object({
   id: z16.string(),
   agent_id: z16.string(),
   version_number: z16.number(),
-  config: z16.unknown(),
-  // Agent YAML configuration
   created_at: timestampSchema
 });
-var publicAgentDetailSchema = publicAgentSchema.extend({
-  config: z16.unknown().optional()
-});
+var publicAgentDetailSchema = publicAgentSchema;
 var paginatedAgentsSchema = createPaginatedResponseSchema(publicAgentSchema);
 var paginatedAgentVersionsSchema = createPaginatedResponseSchema(agentVersionSchema);
-var updateAgentRequestSchema = z16.object({
-  config: z16.unknown()
-  // New agent configuration (creates new version)
-});
 var agentListQuerySchema = listQuerySchema.extend({
   name: z16.string().optional()
 });
@@ -6342,23 +6378,6 @@ var publicAgentByIdContract = c11.router({
     },
     summary: "Get agent",
     description: "Get agent details by ID"
-  },
-  update: {
-    method: "PUT",
-    path: "/v1/agents/:id",
-    pathParams: z16.object({
-      id: z16.string().min(1, "Agent ID is required")
-    }),
-    body: updateAgentRequestSchema,
-    responses: {
-      200: publicAgentDetailSchema,
-      400: publicApiErrorSchema,
-      401: publicApiErrorSchema,
-      404: publicApiErrorSchema,
-      500: publicApiErrorSchema
-    },
-    summary: "Update agent",
-    description: "Update agent configuration. Creates a new version if config changes."
   }
 });
 var publicAgentVersionsContract = c11.router({
@@ -6402,12 +6421,12 @@ var publicRunSchema = z17.object({
   completed_at: timestampSchema.nullable()
 });
 var publicRunDetailSchema = publicRunSchema.extend({
-  output: z17.string().nullable(),
   error: z17.string().nullable(),
   execution_time_ms: z17.number().nullable(),
   checkpoint_id: z17.string().nullable(),
   session_id: z17.string().nullable(),
-  artifacts: z17.record(z17.string(), z17.string()).optional(),
+  artifact_name: z17.string().nullable(),
+  artifact_version: z17.string().nullable(),
   volumes: z17.record(z17.string(), z17.string()).optional()
 });
 var paginatedRunsSchema = createPaginatedResponseSchema(publicRunSchema);
@@ -6428,8 +6447,10 @@ var createRunRequestSchema = z17.object({
   // Optional configuration
   variables: z17.record(z17.string(), z17.string()).optional(),
   secrets: z17.record(z17.string(), z17.string()).optional(),
-  artifacts: z17.record(z17.string(), z17.string()).optional(),
-  // artifact_name -> version
+  artifact_name: z17.string().optional(),
+  // Artifact name to mount
+  artifact_version: z17.string().optional(),
+  // Artifact version (defaults to latest)
   volumes: z17.record(z17.string(), z17.string()).optional()
   // volume_name -> version
 });
@@ -6643,51 +6664,6 @@ var paginatedArtifactsSchema = createPaginatedResponseSchema(publicArtifactSchem
 var paginatedArtifactVersionsSchema = createPaginatedResponseSchema(
   artifactVersionSchema
 );
-var createArtifactRequestSchema = z18.object({
-  name: z18.string().min(1).max(100).regex(
-    /^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]$/,
-    "Name must be lowercase alphanumeric with hyphens, not starting or ending with hyphen"
-  )
-});
-var fileEntrySchema = z18.object({
-  path: z18.string(),
-  size: z18.number(),
-  hash: z18.string().optional()
-  // SHA-256 hash of file content
-});
-var prepareUploadRequestSchema = z18.object({
-  files: z18.array(fileEntrySchema),
-  message: z18.string().optional()
-  // Optional commit message
-});
-var presignedUploadSchema2 = z18.object({
-  path: z18.string(),
-  upload_url: z18.string(),
-  // Presigned S3 URL
-  upload_id: z18.string()
-  // For multi-part uploads
-});
-var prepareUploadResponseSchema = z18.object({
-  upload_session_id: z18.string(),
-  files: z18.array(presignedUploadSchema2),
-  expires_at: timestampSchema
-});
-var commitUploadRequestSchema = z18.object({
-  upload_session_id: z18.string(),
-  message: z18.string().optional()
-});
-var downloadResponseSchema = z18.object({
-  version_id: z18.string(),
-  files: z18.array(
-    z18.object({
-      path: z18.string(),
-      size: z18.number(),
-      download_url: z18.string()
-      // Presigned S3 URL
-    })
-  ),
-  expires_at: timestampSchema
-});
 var publicArtifactsListContract = c13.router({
   list: {
     method: "GET",
@@ -6700,20 +6676,6 @@ var publicArtifactsListContract = c13.router({
     },
     summary: "List artifacts",
     description: "List all artifacts in the current scope with pagination"
-  },
-  create: {
-    method: "POST",
-    path: "/v1/artifacts",
-    body: createArtifactRequestSchema,
-    responses: {
-      201: publicArtifactDetailSchema,
-      400: publicApiErrorSchema,
-      401: publicApiErrorSchema,
-      409: publicApiErrorSchema,
-      500: publicApiErrorSchema
-    },
-    summary: "Create artifact",
-    description: "Create a new empty artifact container"
   }
 });
 var publicArtifactByIdContract = c13.router({
@@ -6751,44 +6713,6 @@ var publicArtifactVersionsContract = c13.router({
     description: "List all versions of an artifact with pagination"
   }
 });
-var publicArtifactUploadContract = c13.router({
-  prepareUpload: {
-    method: "POST",
-    path: "/v1/artifacts/:id/upload",
-    pathParams: z18.object({
-      id: z18.string().min(1, "Artifact ID is required")
-    }),
-    body: prepareUploadRequestSchema,
-    responses: {
-      200: prepareUploadResponseSchema,
-      400: publicApiErrorSchema,
-      401: publicApiErrorSchema,
-      404: publicApiErrorSchema,
-      500: publicApiErrorSchema
-    },
-    summary: "Prepare artifact upload",
-    description: "Get presigned URLs for direct S3 upload. Returns upload URLs for each file."
-  }
-});
-var publicArtifactCommitContract = c13.router({
-  commitUpload: {
-    method: "POST",
-    path: "/v1/artifacts/:id/commit",
-    pathParams: z18.object({
-      id: z18.string().min(1, "Artifact ID is required")
-    }),
-    body: commitUploadRequestSchema,
-    responses: {
-      200: artifactVersionSchema,
-      400: publicApiErrorSchema,
-      401: publicApiErrorSchema,
-      404: publicApiErrorSchema,
-      500: publicApiErrorSchema
-    },
-    summary: "Commit artifact upload",
-    description: "Finalize an upload session and create a new artifact version."
-  }
-});
 var publicArtifactDownloadContract = c13.router({
   download: {
     method: "GET",
@@ -6801,13 +6725,14 @@ var publicArtifactDownloadContract = c13.router({
       // Defaults to current version
     }),
     responses: {
-      200: downloadResponseSchema,
+      302: z18.undefined(),
+      // Redirect to presigned URL
       401: publicApiErrorSchema,
       404: publicApiErrorSchema,
       500: publicApiErrorSchema
     },
     summary: "Download artifact",
-    description: "Get presigned URLs for downloading artifact files. Defaults to current version."
+    description: "Redirect to presigned URL for downloading artifact as tar.gz archive. Defaults to current version."
   }
 });
 
@@ -6841,51 +6766,6 @@ var publicVolumeDetailSchema = publicVolumeSchema.extend({
 });
 var paginatedVolumesSchema = createPaginatedResponseSchema(publicVolumeSchema);
 var paginatedVolumeVersionsSchema = createPaginatedResponseSchema(volumeVersionSchema);
-var createVolumeRequestSchema = z19.object({
-  name: z19.string().min(1).max(100).regex(
-    /^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]$/,
-    "Name must be lowercase alphanumeric with hyphens, not starting or ending with hyphen"
-  )
-});
-var fileEntrySchema2 = z19.object({
-  path: z19.string(),
-  size: z19.number(),
-  hash: z19.string().optional()
-  // SHA-256 hash of file content
-});
-var prepareUploadRequestSchema2 = z19.object({
-  files: z19.array(fileEntrySchema2),
-  message: z19.string().optional()
-  // Optional commit message
-});
-var presignedUploadSchema3 = z19.object({
-  path: z19.string(),
-  upload_url: z19.string(),
-  // Presigned S3 URL
-  upload_id: z19.string()
-  // For multi-part uploads
-});
-var prepareUploadResponseSchema2 = z19.object({
-  upload_session_id: z19.string(),
-  files: z19.array(presignedUploadSchema3),
-  expires_at: timestampSchema
-});
-var commitUploadRequestSchema2 = z19.object({
-  upload_session_id: z19.string(),
-  message: z19.string().optional()
-});
-var downloadResponseSchema2 = z19.object({
-  version_id: z19.string(),
-  files: z19.array(
-    z19.object({
-      path: z19.string(),
-      size: z19.number(),
-      download_url: z19.string()
-      // Presigned S3 URL
-    })
-  ),
-  expires_at: timestampSchema
-});
 var publicVolumesListContract = c14.router({
   list: {
     method: "GET",
@@ -6898,20 +6778,6 @@ var publicVolumesListContract = c14.router({
     },
     summary: "List volumes",
     description: "List all volumes in the current scope with pagination"
-  },
-  create: {
-    method: "POST",
-    path: "/v1/volumes",
-    body: createVolumeRequestSchema,
-    responses: {
-      201: publicVolumeDetailSchema,
-      400: publicApiErrorSchema,
-      401: publicApiErrorSchema,
-      409: publicApiErrorSchema,
-      500: publicApiErrorSchema
-    },
-    summary: "Create volume",
-    description: "Create a new empty volume container"
   }
 });
 var publicVolumeByIdContract = c14.router({
@@ -6949,44 +6815,6 @@ var publicVolumeVersionsContract = c14.router({
     description: "List all versions of a volume with pagination"
   }
 });
-var publicVolumeUploadContract = c14.router({
-  prepareUpload: {
-    method: "POST",
-    path: "/v1/volumes/:id/upload",
-    pathParams: z19.object({
-      id: z19.string().min(1, "Volume ID is required")
-    }),
-    body: prepareUploadRequestSchema2,
-    responses: {
-      200: prepareUploadResponseSchema2,
-      400: publicApiErrorSchema,
-      401: publicApiErrorSchema,
-      404: publicApiErrorSchema,
-      500: publicApiErrorSchema
-    },
-    summary: "Prepare volume upload",
-    description: "Get presigned URLs for direct S3 upload. Returns upload URLs for each file."
-  }
-});
-var publicVolumeCommitContract = c14.router({
-  commitUpload: {
-    method: "POST",
-    path: "/v1/volumes/:id/commit",
-    pathParams: z19.object({
-      id: z19.string().min(1, "Volume ID is required")
-    }),
-    body: commitUploadRequestSchema2,
-    responses: {
-      200: volumeVersionSchema,
-      400: publicApiErrorSchema,
-      401: publicApiErrorSchema,
-      404: publicApiErrorSchema,
-      500: publicApiErrorSchema
-    },
-    summary: "Commit volume upload",
-    description: "Finalize an upload session and create a new volume version."
-  }
-});
 var publicVolumeDownloadContract = c14.router({
   download: {
     method: "GET",
@@ -6999,93 +6827,14 @@ var publicVolumeDownloadContract = c14.router({
       // Defaults to current version
     }),
     responses: {
-      200: downloadResponseSchema2,
+      302: z19.undefined(),
+      // Redirect to presigned URL
       401: publicApiErrorSchema,
       404: publicApiErrorSchema,
       500: publicApiErrorSchema
     },
     summary: "Download volume",
-    description: "Get presigned URLs for downloading volume files. Defaults to current version."
-  }
-});
-
-// ../../packages/core/src/contracts/public/tokens.ts
-import { z as z20 } from "zod";
-var c15 = initContract();
-var publicTokenSchema = z20.object({
-  id: z20.string(),
-  name: z20.string(),
-  token_prefix: z20.string(),
-  // First 12 chars for identification (e.g., "vm0_live_abc")
-  last_used_at: timestampSchema.nullable(),
-  expires_at: timestampSchema,
-  created_at: timestampSchema
-});
-var publicTokenDetailSchema = publicTokenSchema.extend({
-  token: z20.string().optional()
-  // Full token value, only returned on creation
-});
-var paginatedTokensSchema = createPaginatedResponseSchema(publicTokenSchema);
-var createTokenRequestSchema = z20.object({
-  name: z20.string().min(1, "Name is required").max(100, "Name too long"),
-  expires_in_days: z20.number().min(1).max(365).optional()
-  // null for no expiry (default 90 days)
-});
-var publicTokensListContract = c15.router({
-  list: {
-    method: "GET",
-    path: "/v1/tokens",
-    query: listQuerySchema,
-    responses: {
-      200: paginatedTokensSchema,
-      401: publicApiErrorSchema
-    },
-    summary: "List API tokens",
-    description: "List all API tokens for the authenticated user"
-  },
-  create: {
-    method: "POST",
-    path: "/v1/tokens",
-    body: createTokenRequestSchema,
-    responses: {
-      201: publicTokenDetailSchema,
-      // Includes full token value
-      400: publicApiErrorSchema,
-      401: publicApiErrorSchema
-    },
-    summary: "Create API token",
-    description: "Create a new API token. The token value is only returned once on creation."
-  }
-});
-var publicTokenByIdContract = c15.router({
-  get: {
-    method: "GET",
-    path: "/v1/tokens/:id",
-    pathParams: z20.object({
-      id: z20.string()
-    }),
-    responses: {
-      200: publicTokenSchema,
-      // Does NOT include token value
-      401: publicApiErrorSchema,
-      404: publicApiErrorSchema
-    },
-    summary: "Get API token",
-    description: "Get details of an API token (does not include the token value)"
-  },
-  delete: {
-    method: "DELETE",
-    path: "/v1/tokens/:id",
-    pathParams: z20.object({
-      id: z20.string()
-    }),
-    responses: {
-      204: z20.undefined(),
-      401: publicApiErrorSchema,
-      404: publicApiErrorSchema
-    },
-    summary: "Revoke API token",
-    description: "Permanently revoke an API token. This action cannot be undone."
+    description: "Redirect to presigned URL for downloading volume as tar.gz archive. Defaults to current version."
   }
 });
 
@@ -7129,9 +6878,6 @@ ARTIFACT_MOUNT_PATH = os.environ.get("VM0_ARTIFACT_MOUNT_PATH", "")
 ARTIFACT_VOLUME_NAME = os.environ.get("VM0_ARTIFACT_VOLUME_NAME", "")
 ARTIFACT_VERSION_ID = os.environ.get("VM0_ARTIFACT_VERSION_ID", "")
 
-# Lifecycle hook - command to execute after working directory creation
-POST_CREATE_COMMAND = os.environ.get("VM0_POST_CREATE_COMMAND", "")
-
 # Construct webhook endpoint URLs
 WEBHOOK_URL = f"{API_URL}/api/webhooks/agent/events"
 CHECKPOINT_URL = f"{API_URL}/api/webhooks/agent/checkpoints"
@@ -8993,7 +8739,7 @@ sys.path.insert(0, "/usr/local/bin/vm0-agent/lib")
 from common import (
     WORKING_DIR, PROMPT, RESUME_SESSION_ID, COMPLETE_URL, RUN_ID,
     EVENT_ERROR_FLAG, HEARTBEAT_URL, HEARTBEAT_INTERVAL, AGENT_LOG_FILE,
-    CLI_AGENT_TYPE, OPENAI_MODEL, POST_CREATE_COMMAND, validate_config
+    CLI_AGENT_TYPE, OPENAI_MODEL, validate_config
 )
 from log import log_info, log_error, log_warn
 from events import send_event
@@ -9103,26 +8849,6 @@ def _run() -> tuple[int, str]:
     except OSError as e:
         raise RuntimeError(f"Failed to create/change to working directory: {WORKING_DIR} - {e}") from e
 
-    # Execute postCreateCommand if specified (lifecycle hook)
-    # This runs after working directory is created but before agent execution
-    if POST_CREATE_COMMAND:
-        log_info(f"Running postCreateCommand: {POST_CREATE_COMMAND}")
-        try:
-            result = subprocess.run(
-                ["/bin/bash", "-c", POST_CREATE_COMMAND],
-                cwd=WORKING_DIR,
-                capture_output=True,
-                text=True
-            )
-            if result.returncode != 0:
-                stderr_output = result.stderr.strip() if result.stderr else "No error output"
-                raise RuntimeError(f"postCreateCommand failed with exit code {result.returncode}: {stderr_output}")
-            if result.stdout:
-                log_info(f"postCreateCommand output: {result.stdout.strip()}")
-            log_info("postCreateCommand completed successfully")
-        except subprocess.SubprocessError as e:
-            raise RuntimeError(f"Failed to execute postCreateCommand: {e}") from e
-
     # Set up Codex configuration if using Codex CLI
     # Claude Code uses ~/.claude by default (no configuration needed)
     if CLI_AGENT_TYPE == "codex":
@@ -10277,6 +10003,208 @@ function initProxyManager(config) {
   return globalProxyManager;
 }
 
+// src/lib/metrics/provider.ts
+import {
+  MeterProvider,
+  PeriodicExportingMetricReader
+} from "@opentelemetry/sdk-metrics";
+import { OTLPMetricExporter } from "@opentelemetry/exporter-metrics-otlp-proto";
+import { Resource } from "@opentelemetry/resources";
+import { ATTR_SERVICE_NAME } from "@opentelemetry/semantic-conventions";
+import { metrics } from "@opentelemetry/api";
+var meterProvider = null;
+var initialized = false;
+var enabled = false;
+var _runnerLabel = "";
+function initMetrics(config) {
+  if (initialized) return;
+  initialized = true;
+  _runnerLabel = config.runnerLabel;
+  if (!config.axiomToken) {
+    console.log("[metrics] AXIOM_TOKEN not configured, metrics disabled");
+    return;
+  }
+  const env = config.environment ?? "dev";
+  const exporter = new OTLPMetricExporter({
+    url: "https://api.axiom.co/v1/metrics",
+    headers: {
+      Authorization: `Bearer ${config.axiomToken}`,
+      "X-Axiom-Dataset": `runner-metrics-${env}`
+    }
+  });
+  meterProvider = new MeterProvider({
+    resource: new Resource({
+      [ATTR_SERVICE_NAME]: config.serviceName,
+      "deployment.environment": env,
+      "runner.label": config.runnerLabel
+    }),
+    readers: [
+      new PeriodicExportingMetricReader({
+        exporter,
+        exportIntervalMillis: config.exportIntervalMs ?? 3e4
+      })
+    ]
+  });
+  metrics.setGlobalMeterProvider(meterProvider);
+  enabled = true;
+  console.log(
+    `[metrics] initialized for ${config.serviceName} (${env}), runner: ${config.runnerLabel}`
+  );
+}
+function isMetricsEnabled() {
+  return enabled;
+}
+function getRunnerLabel() {
+  return _runnerLabel;
+}
+function getMeter(name) {
+  return metrics.getMeter(name);
+}
+async function flushMetrics() {
+  if (meterProvider) {
+    await meterProvider.forceFlush();
+  }
+}
+async function shutdownMetrics() {
+  if (meterProvider) {
+    await meterProvider.shutdown();
+  }
+}
+
+// src/lib/metrics/instruments.ts
+var runnerOperationTotal = null;
+var runnerOperationErrorsTotal = null;
+var runnerOperationDuration = null;
+var sandboxOperationTotal = null;
+var sandboxOperationErrorsTotal = null;
+var sandboxOperationDuration = null;
+function getRunnerInstruments() {
+  if (!runnerOperationTotal) {
+    const meter = getMeter("vm0-runner");
+    runnerOperationTotal = meter.createCounter("runner_operation_total", {
+      description: "Total number of runner operations"
+    });
+    runnerOperationErrorsTotal = meter.createCounter(
+      "runner_operation_errors_total",
+      {
+        description: "Total number of runner operation errors"
+      }
+    );
+    runnerOperationDuration = meter.createHistogram(
+      "runner_operation_duration_ms",
+      {
+        description: "Runner operation duration in milliseconds",
+        unit: "ms"
+      }
+    );
+  }
+  return {
+    runnerOperationTotal,
+    runnerOperationErrorsTotal,
+    runnerOperationDuration
+  };
+}
+function getSandboxInstruments() {
+  if (!sandboxOperationTotal) {
+    const meter = getMeter("vm0-runner");
+    sandboxOperationTotal = meter.createCounter("sandbox_operation_total", {
+      description: "Total number of sandbox operations"
+    });
+    sandboxOperationErrorsTotal = meter.createCounter(
+      "sandbox_operation_errors_total",
+      {
+        description: "Total number of sandbox operation errors"
+      }
+    );
+    sandboxOperationDuration = meter.createHistogram(
+      "sandbox_operation_duration_ms",
+      {
+        description: "Sandbox operation duration in milliseconds",
+        unit: "ms"
+      }
+    );
+  }
+  return {
+    sandboxOperationTotal,
+    sandboxOperationErrorsTotal,
+    sandboxOperationDuration
+  };
+}
+function recordRunnerOperation(attrs) {
+  if (!isMetricsEnabled()) return;
+  const {
+    runnerOperationTotal: runnerOperationTotal2,
+    runnerOperationErrorsTotal: runnerOperationErrorsTotal2,
+    runnerOperationDuration: runnerOperationDuration2
+  } = getRunnerInstruments();
+  const labels = {
+    action_type: attrs.actionType,
+    runner_label: getRunnerLabel()
+  };
+  runnerOperationTotal2.add(1, labels);
+  if (!attrs.success) {
+    runnerOperationErrorsTotal2.add(1, labels);
+  }
+  runnerOperationDuration2.record(attrs.durationMs, {
+    ...labels,
+    success: String(attrs.success)
+  });
+}
+function recordSandboxOperation(attrs) {
+  if (!isMetricsEnabled()) return;
+  const {
+    sandboxOperationTotal: sandboxOperationTotal2,
+    sandboxOperationErrorsTotal: sandboxOperationErrorsTotal2,
+    sandboxOperationDuration: sandboxOperationDuration2
+  } = getSandboxInstruments();
+  const labels = {
+    sandbox_type: "runner",
+    action_type: attrs.actionType
+  };
+  sandboxOperationTotal2.add(1, labels);
+  if (!attrs.success) {
+    sandboxOperationErrorsTotal2.add(1, labels);
+  }
+  sandboxOperationDuration2.record(attrs.durationMs, {
+    ...labels,
+    success: String(attrs.success)
+  });
+}
+
+// src/lib/metrics/timing.ts
+async function withRunnerTiming(actionType, fn) {
+  const startTime = Date.now();
+  let success = true;
+  try {
+    return await fn();
+  } catch (error) {
+    success = false;
+    throw error;
+  } finally {
+    recordRunnerOperation({
+      actionType,
+      durationMs: Date.now() - startTime,
+      success
+    });
+  }
+}
+async function withSandboxTiming(actionType, fn) {
+  const startTime = Date.now();
+  let success = true;
+  try {
+    return await fn();
+  } catch (error) {
+    success = false;
+    throw error;
+  } finally {
+    recordSandboxOperation({
+      actionType,
+      durationMs: Date.now() - startTime,
+      success
+    });
+  }
+}
+
 // src/lib/executor.ts
 function getVmIdFromRunId(runId) {
   return runId.split("-")[0] || runId.substring(0, 8);
@@ -10305,9 +10233,6 @@ function buildEnvironmentVariables(context, apiUrl) {
     envVars.VM0_ARTIFACT_VOLUME_NAME = artifact.vasStorageName;
     envVars.VM0_ARTIFACT_VERSION_ID = artifact.vasVersionId;
   }
-  if (context.postCreateCommand) {
-    envVars.VM0_POST_CREATE_COMMAND = context.postCreateCommand;
-  }
   if (context.resumeSession) {
     envVars.VM0_RESUME_SESSION_ID = context.resumeSession.sessionId;
   }
@@ -10467,11 +10392,12 @@ nameserver 1.1.1.1`;
     `sudo sh -c 'rm -f /etc/resolv.conf && echo "${dnsConfig}" > /etc/resolv.conf'`
   );
 }
-async function executeJob(context, config) {
+async function executeJob(context, config, options = {}) {
   const vmId = getVmIdFromRunId(context.runId);
   let vm = null;
   let guestIp = null;
-  console.log(`[Executor] Starting job ${context.runId} in VM ${vmId}`);
+  const log = options.logger ?? ((msg) => console.log(msg));
+  log(`[Executor] Starting job ${context.runId} in VM ${vmId}`);
   try {
     const workspacesDir = path4.join(process.cwd(), "workspaces");
     const vmConfig = {
@@ -10483,24 +10409,27 @@ async function executeJob(context, config) {
       firecrackerBinary: config.firecracker.binary,
       workDir: path4.join(workspacesDir, `vm0-${vmId}`)
     };
-    console.log(`[Executor] Creating VM ${vmId}...`);
+    log(`[Executor] Creating VM ${vmId}...`);
     vm = new FirecrackerVM(vmConfig);
-    await vm.start();
+    await withSandboxTiming("vm_create", () => vm.start());
     guestIp = vm.getGuestIp();
     if (!guestIp) {
       throw new Error("VM started but no IP address available");
     }
-    console.log(`[Executor] VM ${vmId} started, guest IP: ${guestIp}`);
+    log(`[Executor] VM ${vmId} started, guest IP: ${guestIp}`);
     const privateKeyPath = getRunnerSSHKeyPath();
     const ssh = createVMSSHClient(guestIp, "user", privateKeyPath || void 0);
-    console.log(`[Executor] Waiting for SSH on ${guestIp}...`);
-    await ssh.waitUntilReachable(12e4, 2e3);
-    console.log(`[Executor] SSH ready on ${guestIp}`);
+    log(`[Executor] Waiting for SSH on ${guestIp}...`);
+    await withSandboxTiming(
+      "ssh_wait",
+      () => ssh.waitUntilReachable(12e4, 2e3)
+    );
+    log(`[Executor] SSH ready on ${guestIp}`);
     const firewallConfig = context.experimentalFirewall;
     if (firewallConfig?.enabled) {
       const mitmEnabled = firewallConfig.experimental_mitm ?? false;
       const sealSecretsEnabled = firewallConfig.experimental_seal_secrets ?? false;
-      console.log(
+      log(
         `[Executor] Setting up network security for VM ${guestIp} (mitm=${mitmEnabled}, sealSecrets=${sealSecretsEnabled})`
       );
       await setupVMProxyRules(guestIp, config.proxy.port);
@@ -10513,36 +10442,50 @@ async function executeJob(context, config) {
         await installProxyCA(ssh);
       }
     }
-    console.log(`[Executor] Configuring DNS...`);
+    log(`[Executor] Configuring DNS...`);
     await configureDNS(ssh);
-    console.log(`[Executor] Uploading scripts...`);
-    await uploadScripts(ssh);
-    console.log(`[Executor] Scripts uploaded to ${SCRIPT_PATHS.baseDir}`);
+    log(`[Executor] Uploading scripts...`);
+    await withSandboxTiming("script_upload", () => uploadScripts(ssh));
+    log(`[Executor] Scripts uploaded to ${SCRIPT_PATHS.baseDir}`);
     if (context.storageManifest) {
-      await downloadStorages(ssh, context.storageManifest);
+      await withSandboxTiming(
+        "storage_download",
+        () => downloadStorages(ssh, context.storageManifest)
+      );
     }
     if (context.resumeSession) {
-      await restoreSessionHistory(
-        ssh,
-        context.resumeSession,
-        context.workingDir,
-        context.cliAgentType || "claude-code"
+      await withSandboxTiming(
+        "session_restore",
+        () => restoreSessionHistory(
+          ssh,
+          context.resumeSession,
+          context.workingDir,
+          context.cliAgentType || "claude-code"
+        )
       );
     }
     const envVars = buildEnvironmentVariables(context, config.server.url);
     const envJson = JSON.stringify(envVars);
-    console.log(
+    log(
       `[Executor] Writing env JSON (${envJson.length} bytes) to ${ENV_JSON_PATH}`
     );
     await ssh.writeFile(ENV_JSON_PATH, envJson);
     const systemLogFile = `/tmp/vm0-main-${context.runId}.log`;
     const exitCodeFile = `/tmp/vm0-exit-${context.runId}`;
-    console.log(`[Executor] Running agent via env-loader (background)...`);
     const startTime = Date.now();
-    await ssh.exec(
-      `nohup sh -c 'python3 -u ${ENV_LOADER_PATH}; echo $? > ${exitCodeFile}' > ${systemLogFile} 2>&1 &`
-    );
-    console.log(`[Executor] Agent started in background`);
+    if (options.benchmarkMode) {
+      log(`[Executor] Running command directly (benchmark mode)...`);
+      await ssh.exec(
+        `nohup sh -c '${context.prompt}; echo $? > ${exitCodeFile}' > ${systemLogFile} 2>&1 &`
+      );
+      log(`[Executor] Command started in background`);
+    } else {
+      log(`[Executor] Running agent via env-loader (background)...`);
+      await ssh.exec(
+        `nohup sh -c 'python3 -u ${ENV_LOADER_PATH}; echo $? > ${exitCodeFile}' > ${systemLogFile} 2>&1 &`
+      );
+      log(`[Executor] Agent started in background`);
+    }
     const pollIntervalMs = 2e3;
     const maxWaitMs = 24 * 60 * 60 * 1e3;
     let exitCode = 1;
@@ -10551,25 +10494,35 @@ async function executeJob(context, config) {
       await new Promise((resolve) => setTimeout(resolve, pollIntervalMs));
       const checkResult = await ssh.exec(`cat ${exitCodeFile} 2>/dev/null`);
       if (checkResult.exitCode === 0 && checkResult.stdout.trim()) {
-        exitCode = parseInt(checkResult.stdout.trim(), 10) || 1;
+        const parsed = parseInt(checkResult.stdout.trim(), 10);
+        exitCode = Number.isNaN(parsed) ? 1 : parsed;
         completed = true;
         break;
       }
     }
-    const duration = Math.round((Date.now() - startTime) / 1e3);
+    const durationMs = Date.now() - startTime;
+    const duration = Math.round(durationMs / 1e3);
     if (!completed) {
-      console.log(`[Executor] Agent timed out after ${duration}s`);
+      log(`[Executor] Agent timed out after ${duration}s`);
+      recordRunnerOperation({
+        actionType: "agent_execute",
+        durationMs,
+        success: false
+      });
       return {
         exitCode: 1,
         error: `Agent execution timed out after ${duration}s`
       };
     }
-    console.log(
-      `[Executor] Agent finished in ${duration}s with exit code ${exitCode}`
-    );
+    recordRunnerOperation({
+      actionType: "agent_execute",
+      durationMs,
+      success: exitCode === 0
+    });
+    log(`[Executor] Agent finished in ${duration}s with exit code ${exitCode}`);
     const logResult = await ssh.exec(`tail -100 ${systemLogFile} 2>/dev/null`);
     if (logResult.stdout) {
-      console.log(
+      log(
         `[Executor] Log output (${logResult.stdout.length} chars): ${logResult.stdout.substring(0, 500)}`
       );
     }
@@ -10586,7 +10539,7 @@ async function executeJob(context, config) {
     };
   } finally {
     if (context.experimentalFirewall?.enabled && guestIp) {
-      console.log(`[Executor] Cleaning up network security for VM ${guestIp}`);
+      log(`[Executor] Cleaning up network security for VM ${guestIp}`);
       try {
         await removeVMProxyRules(guestIp, config.proxy.port);
       } catch (err) {
@@ -10595,21 +10548,23 @@ async function executeJob(context, config) {
         );
       }
       getVMRegistry().unregister(guestIp);
-      try {
-        await uploadNetworkLogs(
-          config.server.url,
-          context.sandboxToken,
-          context.runId
-        );
-      } catch (err) {
-        console.error(
-          `[Executor] Failed to upload network logs: ${err instanceof Error ? err.message : "Unknown error"}`
-        );
+      if (!options.benchmarkMode) {
+        try {
+          await uploadNetworkLogs(
+            config.server.url,
+            context.sandboxToken,
+            context.runId
+          );
+        } catch (err) {
+          console.error(
+            `[Executor] Failed to upload network logs: ${err instanceof Error ? err.message : "Unknown error"}`
+          );
+        }
       }
     }
     if (vm) {
-      console.log(`[Executor] Cleaning up VM ${vmId}...`);
-      await vm.kill();
+      log(`[Executor] Cleaning up VM ${vmId}...`);
+      await withSandboxTiming("cleanup", () => vm.kill());
     }
   }
 }
@@ -10656,6 +10611,18 @@ var startCommand = new Command("start").description("Start the runner").option("
     const config = loadConfig(options.config);
     validateFirecrackerPaths(config.firecracker);
     console.log("Config valid");
+    const datasetSuffix = process.env.AXIOM_DATASET_SUFFIX;
+    if (!datasetSuffix) {
+      throw new Error(
+        "AXIOM_DATASET_SUFFIX is required. Set to 'dev' or 'prod'."
+      );
+    }
+    initMetrics({
+      serviceName: "vm0-runner",
+      runnerLabel: config.name,
+      axiomToken: process.env.AXIOM_TOKEN,
+      environment: datasetSuffix
+    });
     const networkCheck = checkNetworkPrerequisites();
     if (!networkCheck.ok) {
       console.error("Network prerequisites not met:");
@@ -10744,7 +10711,10 @@ var startCommand = new Command("start").description("Start the runner").option("
         continue;
       }
       try {
-        const job = await pollForJob(config.server, config.group);
+        const job = await withRunnerTiming(
+          "poll",
+          () => pollForJob(config.server, config.group)
+        );
         if (!job) {
           await new Promise(
             (resolve) => setTimeout(resolve, config.sandbox.poll_interval_ms)
@@ -10753,7 +10723,10 @@ var startCommand = new Command("start").description("Start the runner").option("
         }
         console.log(`Found job: ${job.runId}`);
         try {
-          const context = await claimJob(config.server, job.runId);
+          const context = await withRunnerTiming(
+            "claim",
+            () => claimJob(config.server, job.runId)
+          );
           console.log(`Claimed job: ${context.runId}`);
           activeJobs.add(context.runId);
           updateStatus();
@@ -10792,6 +10765,9 @@ var startCommand = new Command("start").description("Start the runner").option("
       console.log("Stopping network proxy...");
       await getProxyManager().stop();
     }
+    console.log("Flushing metrics...");
+    await flushMetrics();
+    await shutdownMetrics();
     state.mode = "stopped";
     updateStatus();
     console.log("Runner stopped");
@@ -10830,10 +10806,102 @@ var statusCommand = new Command2("status").description("Check runner connectivit
   }
 });
 
+// src/commands/benchmark.ts
+import { Command as Command3 } from "commander";
+import crypto from "crypto";
+
+// src/lib/timing.ts
+var Timer = class {
+  startTime;
+  constructor() {
+    this.startTime = Date.now();
+  }
+  /**
+   * Get elapsed time formatted as [MM:SS.s]
+   */
+  elapsed() {
+    const ms = Date.now() - this.startTime;
+    const totalSeconds = ms / 1e3;
+    const minutes = Math.floor(totalSeconds / 60);
+    const seconds = (totalSeconds % 60).toFixed(1);
+    return `[${String(minutes).padStart(2, "0")}:${seconds.padStart(4, "0")}]`;
+  }
+  /**
+   * Log message with timestamp
+   */
+  log(message) {
+    console.log(`${this.elapsed()} ${message}`);
+  }
+  /**
+   * Get total elapsed time in seconds
+   */
+  totalSeconds() {
+    return (Date.now() - this.startTime) / 1e3;
+  }
+};
+
+// src/commands/benchmark.ts
+function createBenchmarkContext(prompt, options) {
+  return {
+    runId: crypto.randomUUID(),
+    prompt,
+    agentComposeVersionId: "benchmark-local",
+    vars: null,
+    secretNames: null,
+    checkpointId: null,
+    sandboxToken: "benchmark-token-not-used",
+    workingDir: options.workingDir,
+    storageManifest: null,
+    environment: null,
+    resumeSession: null,
+    secretValues: null,
+    cliAgentType: options.agentType
+  };
+}
+var benchmarkCommand = new Command3("benchmark").description(
+  "Run a VM performance benchmark (executes bash command directly)"
+).argument("<prompt>", "The bash command to execute in the VM").option("--config <path>", "Config file path", "./runner.yaml").option("--working-dir <path>", "Working directory in VM", "/home/user").option("--agent-type <type>", "Agent type", "claude-code").action(async (prompt, options) => {
+  const timer = new Timer();
+  try {
+    timer.log("Loading configuration...");
+    const config = loadDebugConfig(options.config);
+    validateFirecrackerPaths(config.firecracker);
+    timer.log("Checking network prerequisites...");
+    const networkCheck = checkNetworkPrerequisites();
+    if (!networkCheck.ok) {
+      console.error("Network prerequisites not met:");
+      for (const error of networkCheck.errors) {
+        console.error(`  - ${error}`);
+      }
+      process.exit(1);
+    }
+    timer.log("Setting up network bridge...");
+    await setupBridge();
+    timer.log(`Executing command: ${prompt}`);
+    const context = createBenchmarkContext(prompt, options);
+    const result = await executeJob(context, config, {
+      benchmarkMode: true,
+      logger: timer.log.bind(timer)
+    });
+    timer.log(`Exit code: ${result.exitCode}`);
+    if (result.error) {
+      timer.log(`Error: ${result.error}`);
+    }
+    timer.log(`Total time: ${timer.totalSeconds().toFixed(1)}s`);
+    process.exit(result.exitCode);
+  } catch (error) {
+    timer.log(
+      `Error: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+    process.exit(1);
+  }
+});
+
 // src/index.ts
-var version = true ? "2.6.0" : "0.1.0";
+var version = true ? "2.7.0" : "0.1.0";
 program.name("vm0-runner").version(version).description("Self-hosted runner for VM0 agents");
 program.addCommand(startCommand);
 program.addCommand(statusCommand);
+program.addCommand(benchmarkCommand);
 program.parse();
 //# sourceMappingURL=index.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vm0/runner",
-  "version": "2.6.0",
+  "version": "2.7.0",
   "description": "Self-hosted runner for VM0 agents",
   "repository": {
     "type": "git",
@@ -15,6 +15,11 @@
     "."
   ],
   "dependencies": {
+    "@opentelemetry/api": "^1.9.0",
+    "@opentelemetry/exporter-metrics-otlp-proto": "^0.52.0",
+    "@opentelemetry/resources": "^1.25.0",
+    "@opentelemetry/sdk-metrics": "^1.25.0",
+    "@opentelemetry/semantic-conventions": "^1.25.0",
     "commander": "^14.0.0",
     "yaml": "^2.3.4",
     "zod": "^3.25.64"